Documentation
¶
Index ¶
- Variables
- func CalculateEntropy(data []byte) float64
- func DecodeMessages(data []byte) ([][]Field, error)
- func DetectMessageType(fields []Field) string
- func DetectServiceName(srcPort, dstPort int32) string
- func IsPrintable(data []byte) bool
- func IsProtobufData(data []byte) bool
- func PopulateFields(fields []Field, out map[string]string, order *[]string)
- func ReadVarint(buf *bytes.Reader) (uint64, error)
- type Field
Constants ¶
This section is empty.
Variables ¶
var Decoder = &decoder.StreamDecoder{ Type: types.Type_NC_Protobuf, Name: "Protobuf", Description: "Generic Protocol Buffer wire format decoder for unknown protobuf traffic", PostInit: func(sd *decoder.StreamDecoder) error { var err error pbLog, _, err = logging.InitZapLogger( decoderconfig.Instance.Out, "protobuf", decoderconfig.Instance.Debug, ) return err }, CanDecode: func(client, server []byte) bool { return IsProtobufData(client) || IsProtobufData(server) }, DeInit: func(sd *decoder.StreamDecoder) error { return pbLog.Sync() }, Factory: &protobufReader{}, Typ: core.TCP, }
Decoder for generic Protocol Buffer wire format detection and analysis.
Functions ¶
func CalculateEntropy ¶
CalculateEntropy computes Shannon entropy of the data in bits.
func DecodeMessages ¶
DecodeMessages attempts to decode one or more protobuf messages from raw bytes.
func DetectMessageType ¶
DetectMessageType classifies a decoded message based on field patterns.
func DetectServiceName ¶
DetectServiceName guesses the service type from port numbers.
func IsPrintable ¶
IsPrintable returns true if all bytes are printable ASCII.
func IsProtobufData ¶
IsProtobufData uses heuristics to detect if data might be protobuf encoded. Checks for valid wire type distribution, varint continuation patterns, and sufficient entropy to distinguish from text protocols.
func PopulateFields ¶
PopulateFields converts ordered decoded fields into the audit record's Fields map (keyed as "type_fieldnum") and FieldOrder slice (preserving wire order).
Source Files