- Constants
- Variables
- func Clone(a, b interface{}) error
- func ConfigureLogger(clog *log.Logger) error
- func GetData(data []*DataSource, dataDir string) error
- func IP2Int(ip net.IP) uint32
- func Int2ip(nn uint32) net.IP
- func LastAddress(n *net.IPNet) net.IP
- func SetDefaultLoggerConfig(cfgMode string, cfgFolder string, cfgLevel log.Level) error
- type BanApplication
- type BanOrder
- type DataSet
- type DataSource
- type Event
- type EventSequence
- type ExtraField
- type GrokPattern
- type Line
- type Profile
- type RemediationProfile
- type SignalOccurence
- type Source
- type Whitelist
Constants ¶
// Values for Event.Type: LOG marks a raw log line, OVFLW marks a bucket overflow.
const (
	LOG = iota
	OVFLW
)
Variables ¶
// LogOutput is the lumberjack logger used as the io.Writer for log output.
// NOTE(review): presumably initialised by SetDefaultLoggerConfig/ConfigureLogger
// (see Index); it is nil until then — confirm before writing to it.
var LogOutput *lumberjack.Logger
Functions ¶
func ConfigureLogger ¶ added in v0.1.0
func GetData ¶ added in v0.1.0
func GetData(data []*DataSource, dataDir string) error
func LastAddress ¶
Stolen from: https://github.com/llimllib/ipaddress/ . Returns the final address of a net range. Converts to IPv4 if possible, otherwise returns an IPv6 address.
Types ¶
type BanApplication ¶
// BanApplication is the in-db representation of a ban order. IPs/ranges are
// stored as the integer interval [StartIp, EndIp]; one BanOrder can lead to
// multiple BanApplications (see OrderToApplications).
type BanApplication struct {
	gorm.Model `json:"-"` // DB bookkeeping (ID, timestamps); never serialized to JSON

	MeasureSource string    // where the measure comes from: api, local
	MeasureType   string    // ban, slow, captcha
	MeasureExtra  string    // in case we need extra info for the connector
	Until         time.Time // expiration of the ban
	// The target interval is uint32-sized (compare IP2Int in the Index), i.e. IPv4.
	// NOTE(review): IPv6 targets presumably cannot be represented here — confirm.
	StartIp      uint32
	EndIp        uint32
	TargetCN     string
	TargetAS     int
	TargetASName string
	IpText       string // textual form of the target, only for humans
	Reason       string // long human reason of the ban, e.g. 'ban AS1234'
	Scenario     string // the type of scenario that led to the ban
	//SignalOccurence *parser.SignalOccurence /*the signal occurence it's attached to */
	SignalOccurenceID uint // links the local decision back to the actual overflow (SignalOccurence)
}
BanApplication is the in-db representation of a ban order. IPs/Ranges are represented as an integer interval. One BanOrder can lead to multiple BanApplications.
func OrderToApplications ¶
func OrderToApplications(ordr *BanOrder) ([]BanApplication, error)
type BanOrder ¶
// BanOrder is what is generated from a SignalOccurence: it describes what
// action to take. It is in-memory only and never touches the DB; it is turned
// into one or several BanApplication values (see OrderToApplications).
type BanOrder struct {
	MeasureSource string    // api, local
	MeasureType   string    // ban, slow, captcha
	Scope         string    // ip, multi_ip, as, country
	TargetAS      int       // if non-empty, applies to this AS
	TargetASName  string    // if non-empty, applies to this AS
	TargetRange   net.IPNet // if non-empty, applies to this IP range
	TargetIP      net.IP    // if non-empty, applies to this single IP
	TargetCountry string    // if non-empty, applies to this country
	Until         time.Time // when the measure expires
	TxtTarget     string    // textual form of the target
	Reason        string    // human reason of the ban
}
BanOrder is what is generated from a SignalOccurence: it describes what action to take. It is in-memory only and never touches the DB. It will be turned into one or several "parser.BanApplication".
type DataSet ¶ added in v0.1.0
// DataSet is the YAML container listing the DataSource entries to fetch;
// GetData (see Index) takes such a list together with the directory to
// store the data in.
type DataSet struct {
	Data []*DataSource `yaml:"data,omitempty"`
}
type DataSource ¶ added in v0.1.0
type Event ¶
// Event is the unit of work flowing through the parsing stages: either a raw
// log line or a bucket overflow, as indicated by Type (LOG / OVFLW).
type Event struct {
	// is it a log or an overflow (LOG or OVFLW)
	Type int `yaml:"Type,omitempty"`
	// how buckets should handle the event: leaky.TIMEMACHINE or leaky.LIVE
	ExpectMode int `yaml:"ExpectMode,omitempty"`
	// set when a whitelist matched; WhiteListReason carries the matching rule's reason
	Whitelisted     bool   `yaml:"Whitelisted,omitempty"`
	WhiteListReason string `json:"whitelist_reason,omitempty"`
	// the current stage of the line being parsed
	Stage string `yaml:"Stage,omitempty"`
	// original line (produced by acquisition)
	Line Line `json:"Line" yaml:"Line,omitempty"`
	// output of groks
	Parsed map[string]string `json:"Parsed,omitempty" yaml:"Parsed,omitempty"`
	// output of enrichment
	Enriched map[string]string `json:"Enriched,omitempty" yaml:"Enriched,omitempty"`
	// the overflow this event carries when Type == OVFLW
	Overflow SignalOccurence `yaml:"Overflow,omitempty"`
	// parsed time of the event; StrTime / MarshaledTime are its string forms
	Time          time.Time `json:"Time,omitempty"`
	StrTime       string    `yaml:"StrTime,omitempty"`
	MarshaledTime string    `yaml:"MarshaledTime,omitempty"`
	// can be set to false to avoid processing the line
	Process bool `yaml:"Process,omitempty"`
	// Meta is the only part that will make it to the API - it should be normalized.
	// NOTE(review): values presumably come from Parsed/Enriched, i.e. from the log
	// line itself, so normalize them before they land here — confirm with callers.
	Meta map[string]string `json:"Meta,omitempty" yaml:"Meta,omitempty"`
}
type EventSequence ¶
// EventSequence is the summarized form of one event that led to an overflow.
// A SignalOccurence holds a list of these (hasMany via SignalOccurenceID).
type EventSequence struct {
	gorm.Model `json:"-"` // DB bookkeeping (ID, timestamps); never serialized to JSON
	Time       time.Time
	Source     Source `json:"-"` // structured source; not stored in DB, flattened into the Source_* columns below
	/*for db only :/ */
	Source_ip                           string
	Source_range                        string
	Source_AutonomousSystemNumber       string
	Source_AutonomousSystemOrganization string
	Source_Country                      string
	/*stop db only */
	SignalOccurenceID uint   // unique ID for the hasMany relation
	Serialized        string // the serialized dict
}
EventSequence is used to represent the summarized version of the events that led to an overflow.
type ExtraField ¶
// ExtraField describes a "static": a target (by name, or a key in the Parsed,
// Meta or Enriched map) and a source for its value (a literal, an expression,
// or an enrichment method).
type ExtraField struct {
	// if the target is indicated by name, e.g. Struct.Field
	TargetByName string `yaml:"target,omitempty"`
	// if the target field is in the Event.Parsed map
	Parsed string `yaml:"parsed,omitempty"`
	// if the target field is in the Event.Meta map
	Meta string `yaml:"meta,omitempty"`
	// if the target field is in the Event.Enriched map
	Enriched string `yaml:"enriched,omitempty"`
	// the source is a static value
	Value string `yaml:"value,omitempty"`
	// or the result of an expression
	ExpValue string `yaml:"expression,omitempty"`
	// the compiled form of ExpValue; never serialized
	RunTimeValue *vm.Program `json:"-"`
	// or an enrichment method
	Method string `yaml:"method,omitempty"`
}
ExtraField is used mostly for statics.
type GrokPattern ¶
// GrokPattern is one grok/regexp to apply to a field, given either by name
// (loaded from patterns/*) or inline, plus the statics to apply on match.
type GrokPattern struct {
	// the field to which the regexp is going to apply
	TargetField string `yaml:"apply_on,omitempty"`
	// the grok/regexp by name (loaded from patterns/*)
	RegexpName string `yaml:"name,omitempty"`
	// a proper grok pattern, given inline
	RegexpValue string `yaml:"pattern,omitempty"`
	// the runtime form of RegexpName / RegexpValue (the actual compiled regexp); never serialized
	RunTimeRegexp *grokky.Pattern `json:"-"`
	// a grok can contain statics that apply if the pattern is successful
	Statics []ExtraField `yaml:"statics,omitempty"`
}
type RemediationProfile ¶
// RemediationProfile is an action profile: which measures to apply and for how long.
type RemediationProfile struct {
	Apply   bool // whether this profile applies at all
	Ban     bool // measure: ban
	Slow    bool // measure: slow
	Captcha bool // measure: captcha
	// Duration is the textual duration; TimeDuration presumably holds its parsed
	// value — TODO confirm which code fills it.
	Duration     string
	TimeDuration time.Duration
}
RemediationProfile describes an action profile.
type SignalOccurence ¶
// SignalOccurence is a bucket overflow: the scenario that fired, the source(s)
// involved, the events that led to it and the BanApplications derived from it.
// It is persisted via gorm and is the object exposed (in part) to the API.
type SignalOccurence struct {
	gorm.Model `json:"-"` // DB bookkeeping (ID, timestamps); never serialized to JSON
	// ID uint // `json:"-" gorm:"primary_key,AUTO_INCREMENT"`
	MapKey string // for Delete
	// The unique name of the scenario, ie. ssh_bruteforce_multi-user
	Scenario string `json:"scenario,omitempty"`
	// The 'runtime' bucket-name (mostly for debug), ie. `sunny-flower`
	Bucket_id string `json:"bucket_id,omitempty"`
	// Human-friendly label (to be displayed). NOTE(review): may embed log-derived
	// text, so treat it as untrusted when rendering.
	Alert_message string `json:"alert_message,omitempty"`
	// Number of events between first occurence and ban
	Events_count int `json:"events_count,omitempty" yaml:"Events_count,omitempty"`
	// When adapted, a unique list of strings representing the individual events
	// that led to the overflow; stored in DB, never serialized to JSON
	Events_sequence []EventSequence `json:"-" gorm:"foreignkey:SignalOccurenceID;association_foreignkey:ID"`
	// first event (usually bucket creation time)
	Start_at time.Time `json:"start_at,omitempty"`
	// the bans derived from this overflow (hasMany via SignalOccurenceID)
	BanApplications []BanApplication `json:"ban_applications,omitempty" gorm:"foreignkey:SignalOccurenceID;association_foreignkey:ID"`
	// last event (usually bucket overflow time)
	Stop_at time.Time `json:"stop_at,omitempty"`
	// the structured source; always present in JSON (no omitempty)
	Source *Source `json:"source"`
	/*for db: flattened copy of Source, since gorm does not store the struct above*/
	Source_ip                           string `yaml:"Source_ip,omitempty"`
	Source_range                        string
	Source_AutonomousSystemNumber       string
	Source_AutonomousSystemOrganization string
	Source_Country                      string
	Source_Latitude                     float64
	Source_Longitude                    float64
	/*/for db*/
	// all sources involved, keyed by string (presumably the IP); in-memory only
	Sources map[string]Source `json:"sources,omitempty" gorm:"-"`
	// Source_ip string `json:"src_ip,omitempty"` //for now just the IP
	// Source_as string `json:"src_as,omitempty"` //for now just the as (AS number)
	// Source_country string `json:"src_country,omitempty"` //for now just the county (two-letter iso-code)
	// for now just the destination IP
	Dest_ip string `json:"dst_ip,omitempty"`
	//Policy string `json:"policy,omitempty"` //for now we forward it as well :)
	// bucket info: capacity and leak speed of the bucket that overflowed
	Capacity   int           `json:"capacity,omitempty"`
	Leak_speed time.Duration `json:"leak_speed,omitempty"`
	// in-memory only: whether a whitelist matched this overflow
	Whitelisted bool `gorm:"-"`
	// Reprocess, when true, will make the overflow be processed again as a fresh log would
	Reprocess bool
	// in-memory only: free-form labels attached to the overflow
	Labels map[string]string `gorm:"-"`
}
type Source ¶
// Source is the generic representation of a source IP implicated in events /
// overflows. It contains both information extracted directly from logs (Ip,
// Range) and enrichment data (AS, country, coordinates).
type Source struct {
	gorm.Model `json:"-"` // DB bookkeeping (ID, timestamps); never serialized to JSON
	Ip         net.IP
	Range      net.IPNet
	// enrichment data below; empty/zero when no enrichment ran
	AutonomousSystemNumber       string
	AutonomousSystemOrganization string
	Country                      string
	Latitude                     float64
	Longitude                    float64
	Flags                        map[string]bool // a set of flags we can set on the source
}
Source is the generic representation of a source IP implicated in events / overflows. It contains both information extracted directly from logs and enrichment data.