Index ¶
- Constants
- type AppsecEvent
- type Event
- type Field
- type Line
- type MatchedRule
- type MatchedRules
- func (w MatchedRules) ByAccuracy(accuracy string) MatchedRules
- func (w MatchedRules) ByDisruptiveness(is bool) MatchedRules
- func (w MatchedRules) ByID(id int) MatchedRules
- func (w MatchedRules) ByKind(kind string) MatchedRules
- func (w MatchedRules) BySeverity(severity string) MatchedRules
- func (w MatchedRules) ByTag(match string) MatchedRules
- func (w MatchedRules) ByTagRx(rx string) MatchedRules
- func (w MatchedRules) ByTags(match []string) MatchedRules
- func (w MatchedRules) GetField(field Field) []any
- func (w MatchedRules) GetHash() string
- func (w MatchedRules) GetHighestSeverity() cztypes.RuleSeverity
- func (w MatchedRules) GetMatchedZones() []string
- func (w MatchedRules) GetMethod() string
- func (w MatchedRules) GetName() string
- func (w MatchedRules) GetNames() []string
- func (w MatchedRules) GetRuleIDs() []int
- func (w MatchedRules) GetURI() string
- func (w MatchedRules) GetVersion() string
- func (w MatchedRules) Kinds() []string
- type Queue
- type RuntimeAlert
Constants ¶
// Bucket mode. A leaky bucket runs either LIVE or in TIMEMACHINE mode;
// Event.ExpectMode carries one of these values to tell buckets how to
// handle an event.
const (
	LIVE = iota // process events as they arrive, using wall-clock time
	TIMEMACHINE // replay mode; NOTE(review): presumably uses the event's own timestamp — confirm
)
Leakybucket can be in mode LIVE or TIMEMACHINE
// Event kind, stored in Event.Type.
const (
	LOG    = iota // a parsed log line
	OVFLW         // a bucket overflow (see Event.Overflow)
	APPSEC        // NOTE(review): presumably an event produced by the Appsec component (see Event.Appsec) — confirm against producers
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AppsecEvent ¶
// AppsecEvent carries the result of Appsec (WAF) evaluation for one Event
// (stored in Event.Appsec).
type AppsecEvent struct {
	// Whether any in-band / out-of-band rules matched. The matched rules
	// themselves are in the embedded MatchedRules.
	HasInBandMatches, HasOutBandMatches bool
	// MatchedRules is embedded, so its By*/Get* methods are available directly
	// on the AppsecEvent.
	MatchedRules
	// Vars holds named variables attached to the event; GetVar reads them by
	// name. NOTE(review): contents originate from request evaluation, so treat
	// them as untrusted input downstream — confirm against the producers.
	Vars map[string]string
}
func (AppsecEvent) GetVar ¶
func (w AppsecEvent) GetVar(varName string) string
type Event ¶
// Event is the structure representing a runtime event (log or overflow) as it
// moves through the pipeline. Only Meta is meant to reach the API; all other
// fields stay local to this process.
type Event struct {
	// Type says what kind of event this is: LOG (0) or OVFLW (1). The same
	// const block also defines APPSEC (2); whether it is used here is not shown
	// in this file — confirm against the producers.
	Type int `json:"Type,omitempty" yaml:"Type,omitempty"`
	// ExpectMode tells buckets how to handle the event: TIMEMACHINE or LIVE.
	ExpectMode int `json:"ExpectMode,omitempty" yaml:"ExpectMode,omitempty"`
	// Whitelisted marks an event that matched a whitelist; WhitelistReason
	// says why. Note the JSON key of WhitelistReason is snake_case
	// ("whitelist_reason") while every other key on this struct is PascalCase.
	Whitelisted     bool   `json:"Whitelisted,omitempty" yaml:"Whitelisted,omitempty"`
	WhitelistReason string `json:"whitelist_reason,omitempty" yaml:"WhitelistReason,omitempty"`
	// Stage is the current stage of the parsing pipeline for this line.
	Stage string `json:"Stage,omitempty" yaml:"Stage,omitempty"`
	// Line is the original line as produced by acquisition. Everything in
	// Parsed, Enriched and Unmarshaled is derived from it, so downstream code
	// should treat those values as untrusted input.
	Line Line `json:"Line,omitempty" yaml:"Line,omitempty"`
	// Parsed is the output of the grok patterns.
	Parsed map[string]string `json:"Parsed,omitempty" yaml:"Parsed,omitempty"`
	// Enriched is the output of the enrichment stage.
	Enriched map[string]string `json:"Enriched,omitempty" yaml:"Enriched,omitempty"`
	// Unmarshaled is the output of Unmarshal (structured log formats).
	Unmarshaled map[string]any `json:"Unmarshaled,omitempty" yaml:"Unmarshaled,omitempty"`
	// Overflow is set for OVFLW events. Its JSON key is "Alert" while its YAML
	// key is "Overflow" — keep that in mind when reading serialized events.
	Overflow RuntimeAlert `json:"Alert,omitempty" yaml:"Overflow,omitempty"`
	// Time is the parsed timestamp of the line; StrTime/StrTimeFormat hold the
	// textual form it was parsed from, and MarshaledTime its serialized form.
	Time          time.Time `json:"Time,omitempty" yaml:"Time,omitempty"`
	StrTime       string    `json:"StrTime,omitempty" yaml:"StrTime,omitempty"`
	StrTimeFormat string    `json:"StrTimeFormat,omitempty" yaml:"StrTimeFormat,omitempty"`
	MarshaledTime string    `json:"MarshaledTime,omitempty" yaml:"MarshaledTime,omitempty"`
	// Process can be set to false to stop further processing of the line.
	Process bool `json:"Process,omitempty" yaml:"Process,omitempty"`
	// Appsec holds the Appsec evaluation result, if any.
	Appsec AppsecEvent `json:"Appsec,omitempty" yaml:"Appsec,omitempty"`
	// Meta is the only part that will make it to the API - it should be
	// normalized before being set, since it crosses the trust boundary to
	// the remote side.
	Meta map[string]string `json:"Meta,omitempty" yaml:"Meta,omitempty"`
}
Event is the structure representing a runtime event (log or overflow)
func (*Event) ParseIPSources ¶
type MatchedRule ¶
func NewMatchedRule ¶
func NewMatchedRule() *MatchedRule
type MatchedRules ¶
// MatchedRules is a list of MatchedRule. The By* methods return a MatchedRules
// (presumably the subset matching the given criterion — confirm), the Get*
// methods read fields across the list, and GetHash/GetHighestSeverity
// summarize it.
type MatchedRules []MatchedRule
func (MatchedRules) ByAccuracy ¶
func (w MatchedRules) ByAccuracy(accuracy string) MatchedRules
func (MatchedRules) ByDisruptiveness ¶
func (w MatchedRules) ByDisruptiveness(is bool) MatchedRules
func (MatchedRules) ByKind ¶
func (w MatchedRules) ByKind(kind string) MatchedRules
func (MatchedRules) BySeverity ¶
func (w MatchedRules) BySeverity(severity string) MatchedRules
func (MatchedRules) ByTag ¶
func (w MatchedRules) ByTag(match string) MatchedRules
func (MatchedRules) ByTagRx ¶
func (w MatchedRules) ByTagRx(rx string) MatchedRules
func (MatchedRules) ByTags ¶
func (w MatchedRules) ByTags(match []string) MatchedRules
func (MatchedRules) GetHash ¶
func (w MatchedRules) GetHash() string
func (MatchedRules) GetHighestSeverity ¶
func (w MatchedRules) GetHighestSeverity() cztypes.RuleSeverity
func (MatchedRules) GetMatchedZones ¶
func (w MatchedRules) GetMatchedZones() []string
func (MatchedRules) GetMethod ¶
func (w MatchedRules) GetMethod() string
func (MatchedRules) GetName ¶
func (w MatchedRules) GetName() string
func (MatchedRules) GetNames ¶
func (w MatchedRules) GetNames() []string
func (MatchedRules) GetRuleIDs ¶
func (w MatchedRules) GetRuleIDs() []int
func (MatchedRules) GetURI ¶
func (w MatchedRules) GetURI() string
func (MatchedRules) GetVersion ¶
func (w MatchedRules) GetVersion() string
func (MatchedRules) Kinds ¶
func (w MatchedRules) Kinds() []string
type Queue ¶
Queue holds a limited-size queue.
type RuntimeAlert ¶
// RuntimeAlert is the overflow payload carried in Event.Overflow: the bucket
// that overflowed, the sources it collected and the alert(s) built from them.
type RuntimeAlert struct {
	// Mapkey and BucketId identify the bucket instance that overflowed.
	Mapkey   string `json:"MapKey,omitempty" yaml:"MapKey,omitempty"`
	BucketId string `json:"BucketId,omitempty" yaml:"BucketId,omitempty"`
	// Whitelisted marks an overflow that matched a whitelist; Reprocess asks
	// for the overflow to be fed back into the pipeline.
	// NOTE(review): Reprocess semantics inferred from the name — confirm.
	Whitelisted bool `json:"Whitelisted,omitempty" yaml:"Whitelisted,omitempty"`
	Reprocess   bool `json:"Reprocess,omitempty" yaml:"Reprocess,omitempty"`
	// Sources maps a source key to its models.Source; GetSources exposes them
	// as a []string.
	Sources map[string]models.Source `json:"Sources,omitempty" yaml:"Sources,omitempty"`
	// Alert is a pointer to APIAlerts[0] for convenience; it aliases that
	// element rather than copying it.
	Alert *models.Alert `json:"Alert,omitempty" yaml:"Alert,omitempty"`
	// APIAlerts will be populated at the end when there is more than one source.
	APIAlerts []models.Alert `json:"APIAlerts,omitempty" yaml:"APIAlerts,omitempty"`
}
func (RuntimeAlert) GetSources ¶
func (r RuntimeAlert) GetSources() []string