Constants ¶
// Software behavioral profiles.
//
// A behavior is a free-form string label attached to a detected software
// product; it describes the role the product plays on the network. The
// values are untyped string constants so they can be stored directly in the
// string fields of the audit record.
const (
	BehaviorServer  = "server"  // answers requests from other hosts
	BehaviorClient  = "client"  // initiates requests to servers
	BehaviorProxy   = "proxy"   // relays traffic between client and server
	BehaviorScanner = "scanner" // enumerates hosts or services
	BehaviorBot     = "bot"     // automated, non-interactive agent
	BehaviorCrawler = "crawler" // automated agent that walks web content
	BehaviorUnknown = "unknown" // no behavior could be derived
)
Software behavioral profiles
// Detection confidence levels.
//
// The confidence expresses how strongly the evidence supports a detected
// product; it is stored as a plain string label on the audit record.
const (
	ConfidenceHigh   = "high"   // strong, specific evidence
	ConfidenceMedium = "medium" // plausible but not conclusive evidence
	ConfidenceLow    = "low"    // weak or generic evidence
)
Detection confidence levels
// Support status values.
//
// The support status describes the vendor support state of a detected
// product version. It is stored as a plain string label on the audit record.
const (
	SupportActive      = "active"      // actively developed and supported
	SupportMaintenance = "maintenance" // maintenance / security fixes only
	SupportEOL         = "eol"         // end of life, no further fixes expected
	SupportUnknown     = "unknown"     // support state could not be determined
)
Support status values
Variables ¶
var (
	// UserAgentCache memoizes parsed user agents for the lifetime of a run,
	// keyed by the raw user agent string. The map itself imposes no size
	// bound; ResetCaches is documented as clearing the global caches between
	// multi-file processing runs, so callers processing many inputs should
	// rely on that.
	UserAgentCache = map[string]*userAgent{}

	// RegexGenericVersion matches anything that looks like a product /
	// version indicator: an optional prefix, a MAJOR.MINOR.PATCH triple and
	// an optional suffix, evaluated per line because of the (?m) flag.
	// Submatches: 1 = prefix, 2-4 = version components, 5 = suffix.
	// Go's regexp engine is RE2 based (linear time), so applying this to
	// untrusted input such as user agent strings cannot trigger
	// catastrophic backtracking.
	RegexGenericVersion = regexp.MustCompile(`(?m)(?:^)(.*?)(\d+)\.(\d+)\.(\d+)(.*?)(?:$)`)
)
var (
	// Store holds every software record collected during a run; DeInit
	// iterates over Store.Items to flush them to the audit record writer.
	Store = &atomicSoftwareMap{Items: map[string]*AtomicSoftware{}}

	// UserAgentParserMutex serializes access to the user agent parser.
	UserAgentParserMutex sync.Mutex

	// HashDBMap maps SSH fingerprint digests to the software products that
	// produce them. It is nil until the decoder's PostInit loads hasshdb.json
	// and populates it.
	HashDBMap map[string][]sshSoftware
)
// CMSCookies contains the names of identifying cookies for CMSs and frontend
// frameworks. The map is created non-nil and empty so lookups and inserts are
// safe before it is populated.
var CMSCookies = map[string]struct{}{}
CMSCookies contains the names of identifying cookies for CMSs and frontend frameworks. nolint
// CMSHeaders holds the names of identifying headers for Content Management
// Systems and web servers. The map is created non-nil and empty; it is
// populated once at init from the CMS JSON database and is not supposed to
// change afterwards, which is why it can be read concurrently without a lock.
var CMSHeaders = map[string]struct{}{}
CMSHeaders (formerly cmsHeadersList) is the list of identifying headers for Content Management Systems and Web Servers. The header names are loaded from the CMS JSON db. This map is populated once at init and is not supposed to change during runtime, so it is safe for concurrent access. nolint
// Decoder for protocol analysis and writing audit records to disk.
//
// PostInit initializes the package logger, loads the SSH fingerprint and CMS
// databases from the data folder and opens the vulnerability index; DeInit
// flushes every collected software record and closes the index.
var Decoder = &decoder.AbstractDecoder{
	Type:        types.Type_NC_Software,
	Name:        "Software",
	Description: "A software product that was observed on the network",
	PostInit: func(d *decoder.AbstractDecoder) error {
		var err error

		// softwareLog is a package-level variable, so a plain assignment is
		// required here for the rest of the package to see the logger.
		softwareLog, _, err = logger.InitZapLogger(
			decoderconfig.Instance.Out,
			"software",
			decoderconfig.Instance.Debug,
		)
		if err != nil {
			return err
		}

		// surface a user agent parser initialization failure recorded earlier
		if errInitUAParser != nil {
			return errInitUAParser
		}

		// SSH fingerprint database: read the JSON file and index it by hash
		hasshPath := filepath.Join(resolvers.DataBaseFolderPath, "hasshdb.json")
		raw, err := ioutil.ReadFile(hasshPath)
		if err != nil {
			return err
		}
		if err = json.Unmarshal(raw, &hasshDB); err != nil {
			return err
		}
		HashDBMap = make(map[string][]sshSoftware, len(hasshDB))
		for _, entry := range hasshDB {
			HashDBMap[entry.Hash] = entry.Software
		}
		softwareLog.Info("loaded SSH fingerprint digests", zap.Int("total", len(HashDBMap)))

		// CMS database and the Hyperscan index built from it
		if err = loadCmsDB(); err != nil {
			return errors.Wrap(err, "failed to load CMS database")
		}
		softwareLog.Info("loaded CMS db", zap.Int("total", len(cmsDB)))
		buildCMSHSIndex()

		// vulnerability index; on failure the package-level handle is reset
		// so that no consumer observes a half-opened index
		indexName := filepath.Join(resolvers.DataBaseFolderPath, db.VulnerabilityDBName)
		db.VulnerabilitiesIndex, err = db.OpenBleve(indexName)
		if err != nil {
			db.VulnerabilitiesIndex = nil
			return errors.Wrap(err, "failed to open vulnerability bleve index at: "+indexName)
		}
		return nil
	},
	DeInit: func(e *decoder.AbstractDecoder) error {
		// flush every collected software record to the writer; each item is
		// held locked while it is enhanced and written
		for _, item := range Store.Items {
			item.Lock()
			EnhanceSoftwareRecord(item.Software)
			item.Software.InstanceCount = int32(len(item.Software.Flows))
			if err := e.Writer.Write(item.Software); err != nil {
				softwareLog.Error("failed to flush software audit record", zap.Error(err))
			}
			// the written-records counter is advanced regardless of the write outcome
			atomic.AddInt64(&e.NumRecordsWritten, 1)
			item.Unlock()
		}
		db.CloseBleve(db.VulnerabilitiesIndex)
		return softwareLog.Sync()
	},
}
Decoder for protocol analysis and writing audit records to disk.
Functions ¶
func CheckVulnerabilities ¶ added in v0.9.0
CheckVulnerabilities sets the HasKnownVulnerabilities flag. This should be called after the vulnerability lookup.
func EnhanceSoftwareRecord ¶ added in v0.9.0
EnhanceSoftwareRecord adds detection context and behavioral fields to a Software record
func ParseUserAgent ¶
func ParseUserAgent(ua string) *userAgent
ParseUserAgent processes a raw user agent string and returns a structured instance.
func ResetCaches ¶ added in v0.7.6
func ResetCaches()
ResetCaches clears all global caches to prevent memory accumulation between multi-file processing runs. CRITICAL: This must be called between file processing to prevent unbounded memory growth.
func WriteSoftware ¶
func WriteSoftware(software []*AtomicSoftware, update func(s *AtomicSoftware))
WriteSoftware can be used to write software to the software audit record writer.
Types ¶
type AtomicSoftware ¶
AtomicSoftware wraps a types.Software to provide atomic access.
func WhatSoftwareHTTP ¶
func WhatSoftwareHTTP(flowIdent string, h *types.HTTP) (s []*AtomicSoftware)
WhatSoftwareHTTP TODO: pass in the device profile.
type CMSHyperscanBuildStats ¶ added in v0.9.1
// CMSHyperscanBuildStats describes the outcome of buildCMSHSIndex.
// All fields are plain counts and serialize to snake_case JSON keys.
type CMSHyperscanBuildStats struct {
	// HeaderPatterns is the number of header patterns handled by the build.
	HeaderPatterns int `json:"header_patterns"`
	// HeaderRejections is the number of header patterns rejected during the
	// build — presumably patterns the Hyperscan compiler refused; confirm in
	// buildCMSHSIndex.
	HeaderRejections int `json:"header_rejections"`
	// CookiePatterns is the number of cookie patterns handled by the build.
	CookiePatterns int `json:"cookie_patterns"`
	// CookieRejections is the number of cookie patterns rejected during the
	// build (same caveat as HeaderRejections).
	CookieRejections int `json:"cookie_rejections"`
	// HeaderProductCandidates counts the product candidates derived from
	// header patterns — NOTE(review): exact meaning not visible here, confirm.
	HeaderProductCandidates int `json:"header_product_candidates"`
	// CookieProductCandidates counts the product candidates derived from
	// cookie patterns — NOTE(review): exact meaning not visible here, confirm.
	CookieProductCandidates int `json:"cookie_product_candidates"`
}
CMSHyperscanBuildStats describes the outcome of buildCMSHSIndex.
Re-exported in stub builds so the web UI handler can render the same schema regardless of how netcap was compiled.
type CMSHyperscanStatus ¶ added in v0.9.1
// CMSHyperscanStatus is the JSON-friendly snapshot of the CMS Hyperscan
// integration. In stub builds, Enabled is false and all counters are zero.
type CMSHyperscanStatus struct {
	// Enabled reports whether the Hyperscan backend is compiled in and active.
	Enabled bool `json:"enabled"`
	// LibVersion is the version string of the linked Hyperscan library
	// (empty in stub builds, where no library is linked — confirm).
	LibVersion string `json:"lib_version"`
	// Build holds the statistics of the last buildCMSHSIndex run.
	Build CMSHyperscanBuildStats `json:"build"`
	// BuildError carries the build error message, if any; omitted from JSON
	// when empty.
	BuildError string `json:"build_error,omitempty"`
	// HeaderScans / HeaderMatches / HeaderErrors are cumulative counters for
	// header scans, their matches and their scan errors.
	HeaderScans   uint64 `json:"header_scans"`
	HeaderMatches uint64 `json:"header_matches"`
	HeaderErrors  uint64 `json:"header_errors"`
	// CookieScans / CookieMatches / CookieErrors are the cookie counterparts
	// of the header counters above.
	CookieScans   uint64 `json:"cookie_scans"`
	CookieMatches uint64 `json:"cookie_matches"`
	CookieErrors  uint64 `json:"cookie_errors"`
	// ScanFallbacks counts scans that fell back to another matching path —
	// presumably the non-Hyperscan matcher; confirm against the scan code.
	ScanFallbacks uint64 `json:"scan_fallbacks"`
}
CMSHyperscanStatus is the JSON-friendly snapshot of the CMS Hyperscan integration. In stub builds, Enabled is false and counters are zero.
func GetCMSHyperscanStatus ¶ added in v0.9.1
func GetCMSHyperscanStatus() CMSHyperscanStatus
GetCMSHyperscanStatus returns a "disabled" snapshot.