Documentation
Overview
Cortex API client
https://github.com/TheHive-Project/Cortex
Check out Cortex documentation:
Index
- type Analyzer
- type Artifact
- type ArtifactAttributes
- type Client
- func (c *Client) AnalyzeData(obs Observable, timeout string) (<-chan *JobReport, error)
- func (c *Client) DeleteJob(id string) (bool, error)
- func (c *Client) GetAnalyzer(id string) (*Analyzer, error)
- func (c *Client) GetJob(id string) (*Job, error)
- func (c *Client) GetJobReport(id string) (*JobReport, error)
- func (c *Client) ListAnalyzers(datatype string) ([]Analyzer, error)
- func (c *Client) ListFilteredJobs(f *JobsFilter) ([]Job, error)
- func (c *Client) ListJobs() ([]Job, error)
- func (c *Client) RunAnalyzer(id string, obs Observable) (*Job, error)
- func (c *Client) RunAnalyzerThenGetReport(id string, obs Observable, timeout string) (*JobReport, error)
- func (c *Client) WaitForJob(id string, duration string) (*Job, error)
- type FileArtifact
- type FileArtifactMeta
- type Job
- type JobBody
- type JobInput
- type JobReport
- type JobsFilter
- type Observable
- type ReportBody
- type Taxonomy
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Analyzer
type Analyzer struct {
	ID           string   `json:"id"`
	Name         string   `json:"name"`
	Description  string   `json:"description"`
	Version      string   `json:"version"`
	DataTypeList []string `json:"dataTypeList"`
}
Analyzer defines a specific Cortex Analyzer
More info: https://github.com/CERT-BDF/CortexDocs/blob/master/api/get-analyzer.md
type Artifact
type Artifact struct {
	Attributes ArtifactAttributes `json:"attributes"`
	Data       string             `json:"data,omitempty"`
}
Artifact represents a basic artifact which can be supplied for the analysis and retrieved from a job later
func (*Artifact) Description
Description returns the artifact's data value
type ArtifactAttributes
type ArtifactAttributes struct {
	DataType    string `json:"dataType"`
	TLP         int    `json:"tlp,omitempty"`
	ContentType string `json:"content-type,omitempty"`
	Filename    string `json:"filename,omitempty"`
}
ArtifactAttributes holds the attributes of an Artifact
type Client
type Client struct {
	Location string       // Location is the Cortex base URL
	Client   *http.Client // Client is used to communicate with the API
	Debug    bool         // Debug mode
}
Client holds the API location and the HTTP client used to talk to Cortex (basic auth is planned for the future)
func NewClient
NewClient bootstraps a Client. If you need to change the http.DefaultClient, construct the Client struct yourself.
func (*Client) AnalyzeData
func (c *Client) AnalyzeData(obs Observable, timeout string) (<-chan *JobReport, error)
AnalyzeData runs all analyzers suitable for the given observable and returns a channel on which their reports are delivered
func (*Client) GetAnalyzer
GetAnalyzer retrieves an Analyzer by its ID
func (*Client) GetJobReport
GetJobReport retrieves a JobReport by Job ID
func (*Client) ListAnalyzers
ListAnalyzers retrieves all available analyzers. The list can be filtered by the datatype parameter; when "*" is passed, the function returns all analyzers.
func (*Client) ListFilteredJobs
func (c *Client) ListFilteredJobs(f *JobsFilter) ([]Job, error)
ListFilteredJobs lists the jobs that match the given JobsFilter
func (*Client) RunAnalyzer
func (c *Client) RunAnalyzer(id string, obs Observable) (*Job, error)
RunAnalyzer runs the selected analyzer on the given observable and returns the created Job
func (*Client) RunAnalyzerThenGetReport
func (c *Client) RunAnalyzerThenGetReport(id string, obs Observable, timeout string) (*JobReport, error)
RunAnalyzerThenGetReport is a helper that chains running the analyzer, waiting for the job and fetching its report into a single call, giving a clearer API
type FileArtifact
type FileArtifact struct {
	FileArtifactMeta
	Reader   io.Reader // anything that implements io.Reader (os.File, http.Response.Body, etc.)
	FileName string    // file name or URL
}
FileArtifact represents a file observable
func (*FileArtifact) Description
func (f *FileArtifact) Description() string
Description returns the file name or URL
func (*FileArtifact) Type
func (f *FileArtifact) Type() string
Type implements the Observable interface and returns "file"
type FileArtifactMeta
FileArtifactMeta contains meta fields for FileArtifact
type Job
type Job struct {
	ID         string   `json:"id"`
	AnalyzerID string   `json:"analyzerId"`
	Status     string   `json:"status"`
	Date       int64    `json:"date"`
	Artifact   Artifact `json:"artifact"`
}
Job defines an analysis job
type JobInput
type JobInput struct {
	ArtifactAttributes
	File   string                 `json:"file,omitempty"`
	Config map[string]interface{} `json:"config,omitempty"`
}
JobInput is used to track failed jobs
type JobReport
type JobReport struct {
	Job
	Report ReportBody `json:"report"`
}
JobReport represents a job response.
More info: https://github.com/CERT-BDF/CortexDocs/blob/master/api/get-job-report.md
func (*JobReport) Taxonomies
Taxonomies retrieves all taxonomies from a JobReport
type JobsFilter
type JobsFilter struct {
	Analyzer string `url:"analyzerFilter,omitempty"`
	DataType string `url:"dataTypeFilter,omitempty"`
	Data     string `url:"dataFilter,omitempty"`
	// contains filtered or unexported fields
}
JobsFilter is used to filter ListJobs results
type Observable
Observable is the interface shared by string-type artifacts and file-type artifacts (FileArtifact)
type ReportBody
type ReportBody struct {
	Artifacts    []Artifact  `json:"artifacts,omitempty"`
	FullReport   interface{} `json:"full,omitempty"`
	Success      bool        `json:"success,omitempty"`
	Summary      summary     `json:"summary,omitempty"`
	ErrorMessage string      `json:"errorMessage,omitempty"`
	Input        JobInput    `json:"input,omitempty"`
}
ReportBody defines a report for a given job. FullReport and Summary are arbitrary objects.
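As an added example (not code from this client package), the following reduces a Cortex JobReport, as described under JobReport/Taxonomies and ReportBody above, to a single verdict on the defender's side: it decodes a report into trimmed copies of the JobReport and ReportBody shapes, walks the summary taxonomies and picks the most severe level, and refuses to turn a failed job (success=false plus errorMessage) into a silent "info". The Taxonomy field names (level, namespace, predicate, value) and the two sample reports are assumptions; the page lists the Taxonomy type without its fields.

```go
package main
import (
	"encoding/json"
	"fmt"
)

// Trimmed mirrors of the page's JobReport/ReportBody. Taxonomy fields are
// assumed from the Cortex summary format (the page lists only the type name).
type Taxonomy struct {
	Level, Namespace, Predicate, Value string // JSON keys match case-insensitively
}
type ReportBody struct {
	Success      bool                            `json:"success"`
	Summary      struct{ Taxonomies []Taxonomy } `json:"summary"`
	ErrorMessage string                          `json:"errorMessage"`
}
type JobReport struct {
	ID, AnalyzerID string
	Report         ReportBody `json:"report"`
}

// severity ranks Cortex taxonomy levels so a report reduces to one verdict.
var severity = map[string]int{"info": 0, "safe": 1, "suspicious": 2, "malicious": 3}

// WorstLevel decodes a raw job report and returns its most severe taxonomy level.
// A failed job (success=false) comes back as an error, never as a bogus "info".
func WorstLevel(raw []byte) (string, error) {
	var r JobReport
	if err := json.Unmarshal(raw, &r); err != nil {
		return "", fmt.Errorf("decode report: %w", err)
	}
	if !r.Report.Success {
		return "", fmt.Errorf("job %s (%s) failed: %s", r.ID, r.AnalyzerID, r.Report.ErrorMessage)
	}
	worst := "info"
	for _, t := range r.Report.Summary.Taxonomies {
		if severity[t.Level] > severity[worst] {
			worst = t.Level
		}
	}
	return worst, nil
}

// Constructed sample reports, not real Cortex output.
const okReport = `{"id":"job1","analyzerId":"Example_1_0","report":{"success":true,"summary":{"taxonomies":[
 {"level":"info","namespace":"Example","predicate":"Hits","value":"2"},
 {"level":"malicious","namespace":"Example","predicate":"Verdict","value":"bad"}]}}}`
const failedReport = `{"id":"job2","analyzerId":"Example_1_0","report":{"success":false,"errorMessage":"API key missing"}}`

func main() { fmt.Println(WorstLevel([]byte(okReport))) }
```

Feeding failedReport to WorstLevel returns an error carrying the job and analyzer IDs instead of a level, which is the behaviour a triage pipeline wants when an analyzer misfires.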