Variables ¶
// ErrInputSliceEmpty is the package's sentinel for an empty input slice.
// The functions that return it are not shown on this page; callers should
// test for it with errors.Is rather than == so wrapped errors still match.
var ErrInputSliceEmpty = errors.New("input slice must not be empty")
// ErrInvalidDatasetTimeRange is the sentinel for a dataset window whose
// minimum timestamp is greater than or equal to its maximum (per the message
// text). NOTE(review): presumably what NewAnalyzer returns for an inverted
// minTS/maxTS (or minTSBeacon/maxTSBeacon) pair — confirm in the constructor.
// Compare with errors.Is.
var ErrInvalidDatasetTimeRange = errors.New("invalid dataset timerange: min ts is greater than or equal to max ts")
Types ¶
type AnalysisResult ¶
// AnalysisResult is one analyzed connection pair (the "uconn" row) as the
// analysis phase produces it; the `ch` tags name the columns it is stored
// under (presumably ClickHouse, given the tag name and database.DB). Values
// travel from the analysis workers to the writers over Analyzer.UconnChan.
//
// NOTE(review): FQDN, TLD and PortProtoService are presumably populated from
// observed traffic (DNS/SNI names, port/protocol strings), i.e. attacker-
// influenced input. Confirm that the writer parameterizes its inserts and that
// any terminal/report output escapes these strings before display.
type AnalysisResult struct {
// Unique connections
Hash util.FixedString `ch:"hash"` // row key; presumably a hash of the connection tuple — TODO confirm what it covers
Src net.IP `ch:"src"`
SrcNUID uuid.UUID `ch:"src_nuid"` // network UUID of the source side (assumption from the name; verify)
Dst net.IP `ch:"dst"`
DstNUID uuid.UUID `ch:"dst_nuid"` // network UUID of the destination side (assumption from the name; verify)
FQDN string `ch:"fqdn"` // untrusted: presumably the SNI or DNS name observed on the wire
BeaconType string `ch:"beacon_type"` // (sni, ip, dns) — Beacon.BeaconType documents only (sni, ip)
Count uint64 `ch:"count"`
ProxyCount uint64 `ch:"proxy_count"`
OpenCount uint64 `ch:"open_count"`
TSUnique uint64 `ch:"ts_unique"` // number of unique timestamps
TSList []uint32 `ch:"ts_list"` // presumably epoch seconds — uint32 wraps in 2106; TODO confirm unit and precision
TotalDuration float64 `ch:"total_duration"`
OpenTotalDuration float64 `ch:"open_total_duration"`
BytesList []float64 `ch:"bytes"` //TODO: do we need to change this since bytes are now uint64? (review: float64 is exact only up to 2^53, so very large per-connection byte counts lose precision here while TotalBytes does not)
TotalBytes uint64 `ch:"total_bytes"`
PortProtoService []string `ch:"port_proto_service"` // untrusted: derived from observed ports/protocols (assumption)
FirstSeenHistorical time.Time `ch:"first_seen_historical"`
LastSeen time.Time `ch:"last_seen"`
ServerIPs []net.IP `ch:"server_ips"` // array of unique destination IPs for SNI conns
ProxyIPs []net.IP `ch:"proxy_ips"` // array of unique proxy (destination IPs) for SNI conns
MissingHostCount uint64 `ch:"missing_host_count"`
// C2 OVER DNS Connection Info
HasC2OverDNSDirectConnectionsModifier bool `ch:"has_c2_direct_conns_mod"`
// Prevalence
PrevalenceTotal uint64 `ch:"prevalence_total"`
Prevalence float64 `ch:"prevalence"` // presumably PrevalenceTotal as a fraction of the network size — confirm in the producer
// C2 over DNS
TLD string `ch:"tld"` // untrusted: derived from FQDN (assumption)
SubdomainCount uint64 `ch:"subdomain_count"`
// Threat Intel
OnThreatIntel bool `ch:"on_threat_intel"` // ThreatMixtape also carries its own ThreatIntel bool under a different column
}
type Analyzer ¶
// Analyzer drives the analysis phase for a single import: it reads from
// Database for ImportID, runs the Scoop*/Spagoop steps listed on this page,
// and hands per-connection results to the writers over UconnChan.
// AnalysisWorkers and WriterWorkers are pool sizes only; the pool wiring and
// the time ranges passed to NewAnalyzer live in the unexported fields.
// Construct with NewAnalyzer — the zero value has a nil Database and Config
// and is presumably unusable.
//
// NOTE(review): UconnChan is exported, so outside code could send on or close
// it; presumably only the analysis side sends and only the sender closes —
// confirm before touching it from another package.
type Analyzer struct {
Database *database.DB // handle for every read and write performed by the analysis
ImportID util.FixedString // import being analyzed (presumably what ends up in ThreatMixtape.ImportID)
Config *config.Config
AnalysisWorkers int
WriterWorkers int
UconnChan chan AnalysisResult // analysis -> writer channel; buffering is not visible here
// contains filtered or unexported fields
}
func NewAnalyzer ¶
func NewAnalyzer(db *database.DB, cfg *config.Config, importID util.FixedString, minTS, maxTS, minTSBeacon, maxTSBeacon time.Time, useCurrentTime bool, skipBeaconing bool) (*Analyzer, error)
NewAnalyzer returns an Analyzer bound to db and cfg for the import identified by importID. The two time-range pairs (minTS/maxTS and minTSBeacon/maxTSBeacon) bound the dataset and the beaconing analysis respectively; useCurrentTime and skipBeaconing toggle how those ranges are applied. An inverted range presumably surfaces as ErrInvalidDatasetTimeRange — check for it with errors.Is.
func (*Analyzer) ScoopIPConns ¶
func (*Analyzer) ScoopSNIConns ¶
type Beacon ¶
// Beacon holds the beaconing result for one connection pair: the overall
// Score, its four component scores, and the histograms they were computed
// from. TSIntervals/TSIntervalCounts and DSSizes/DSCounts read as parallel
// slices (value, occurrence count) — assumption from the names; confirm in
// the producer before relying on equal lengths.
type Beacon struct {
BeaconType string `ch:"beacon_type"` // (sni, ip) — AnalysisResult.BeaconType additionally lists dns
Score float64 `ch:"beacon_score"` // presumably the combination of the four component scores below
TimestampScore float64 `ch:"ts_score"` // regularity of inter-connection timing
DataSizeScore float64 `ch:"ds_score"` // regularity of per-connection data sizes
HistogramScore float64 `ch:"hist_score"`
DurationScore float64 `ch:"dur_score"`
TSIntervals []int64 `ch:"ts_intervals"` // distinct inter-connection intervals observed
TSIntervalCounts []int64 `ch:"ts_interval_counts"` // how often each entry of TSIntervals occurred
DSSizes []int64 `ch:"ds_sizes"` // distinct data sizes observed
DSCounts []int64 `ch:"ds_size_counts"` // how often each entry of DSSizes occurred
}
type ThreatMixtape ¶
// ThreatMixtape is the per-threat row: the base connection details (embedded
// AnalysisResult), the beacon results (embedded Beacon), one score per
// detector, and the modifier applied to it. FinalScore is presumably the
// aggregate of the individual *Score fields — confirm in the scorer.
//
// NOTE(review): three fields of the flattened struct carry the same tag
// `ch:"beacon_type"` — AnalysisResult.BeaconType, Beacon.BeaconType and the
// BeaconType declared below. Go resolves t.BeaconType to the outer field, but
// how the column mapper treats duplicate tags across embedded structs is not
// visible here; confirm which value is actually written and read back.
// Similarly, ThreatIntel below and AnalysisResult.OnThreatIntel are two bools
// under two column names; keep them in sync or drop one.
type ThreatMixtape struct {
AnalyzedAt time.Time `ch:"analyzed_at"`
ImportID util.FixedString `ch:"import_id"`
// Base connection details
AnalysisResult
FinalScore float64 `ch:"final_score"`
// BEACONS
Beacon
BeaconThreatScore float64 `ch:"beacon_threat_score"` // bucketed beacon score
BeaconType string `ch:"beacon_type"` // shadows the embedded AnalysisResult.BeaconType and Beacon.BeaconType (same tag)
// LONG CONNECTIONS
LongConnScore float64 `ch:"long_conn_score"`
// Strobe
Strobe bool `ch:"strobe"`
StrobeScore float64 `ch:"strobe_score"`
// C2 over DNS
C2OverDNSScore float64 `ch:"c2_over_dns_score"`
C2OverDNSDirectConnScore float64 `ch:"c2_over_dns_direct_conn_score"`
// Threat Intel
ThreatIntel bool `ch:"threat_intel"` // see also AnalysisResult.OnThreatIntel
ThreatIntelScore float64 `ch:"threat_intel_score"`
// **** MODIFIERS ****
// for modifiers detected during the modifiers phase
ModifierName string `ch:"modifier_name"`
ModifierScore float64 `ch:"modifier_score"`
ModifierValue string `ch:"modifier_value"` // free-form; if it carries observed data (names, ports), treat as untrusted when rendering — assumption
// modifiers that are able to be added to the same row as the threat indicator scores
// these are detected during the analysis phase (in the spagooper)
PrevalenceScore float64 `ch:"prevalence_score"`
NetworkSize uint64 `ch:"network_size"` // presumably the denominator behind AnalysisResult.Prevalence — confirm
FirstSeenScore float64 `ch:"first_seen_score"`
ThreatIntelDataSizeScore float64 `ch:"threat_intel_data_size_score"`
MissingHostHeaderScore float64 `ch:"missing_host_header_score"`
}