Documentation
Types
type APIConfig
type APIConfig struct {
// Transport specifies the underlying transport protocol for the API HTTP server.
Transport string `json:"api.transport" yaml:"api.transport"`
// Timeout determines the timeout for the API server responses
Timeout time.Duration `json:"api.timeout" yaml:"api.timeout"`
}
APIConfig contains API specific config options.
type Config
type Config struct {
// Kstream stores different configuration options for fine tuning kstream consumer/controller settings.
Kstream KstreamConfig `json:"kstream" yaml:"kstream"`
// Filament contains filament settings
Filament FilamentConfig `json:"filament" yaml:"filament"`
// PE contains the settings that influence the behaviour of the PE (Portable Executable) reader.
PE pe.Config `json:"pe" yaml:"pe"`
// Output stores the currently active output config
Output outputs.Config
// InitHandleSnapshot indicates whether initial handle snapshot is built
InitHandleSnapshot bool `json:"init-handle-snapshot" yaml:"init-handle-snapshot"`
DebugPrivilege bool `json:"debug-privilege" yaml:"debug-privilege"`
KcapFile string
// API stores global HTTP API preferences
API APIConfig `json:"api" yaml:"api"`
// Yara contains configuration that influences the behaviour of the Yara engine
Yara yara.Config `json:"yara" yaml:"yara"`
// Aggregator stores event aggregator configuration
Aggregator aggregator.Config `json:"aggregator" yaml:"aggregator"`
// Log contains log-specific configuration options
Log log.Config `json:"logging" yaml:"logging"`
// Transformers stores transformer configurations
Transformers []transformers.Config
// Alertsenders stores alert sender configurations
Alertsenders []alertsender.Config
// Filters contains filter group definitions
Filters *Filters `json:"filters" yaml:"filters"`
// contains filtered or unexported fields
}
Config stores configuration options for fine tuning the behaviour of Fibratus.
func NewWithOpts
NewWithOpts builds a new configuration store from a variety of sources such as configuration files, environment variables or command line flags.
func (Config) GetConfigFile
GetConfigFile gets the path of the configuration file from the Viper value.
func (*Config) MustViperize
MustViperize adds the flag set to the Cobra command and binds them within the Viper flags.
func (*Config) TryLoadFile
TryLoadFile attempts to load the configuration file from the specified path on the file system.
type FilamentConfig
FilamentConfig stores config parameters for tweaking the behaviour of the filament engine.
type FilterConfig added in v1.4.0
type FilterConfig struct {
Name string `json:"name" yaml:"name"`
Def string `json:"def" yaml:"def"`
Action string `json:"action" yaml:"action"`
}
FilterConfig is the descriptor of a single filter.
type FilterGroup added in v1.4.0
type FilterGroup struct {
Name string `json:"group" yaml:"group"`
Enabled bool `json:"enabled" yaml:"enabled"`
Selector FilterGroupSelector `json:"selector" yaml:"selector"`
Policy FilterGroupPolicy `json:"policy" yaml:"policy"`
Relation FilterGroupRelation `json:"relation" yaml:"relation"`
FromStrings []*FilterConfig `json:"from-strings" yaml:"from-strings"`
Tags []string `json:"tags" yaml:"tags"`
}
FilterGroup represents the container for filters.
type FilterGroupPolicy added in v1.4.0
type FilterGroupPolicy uint8
FilterGroupPolicy is the type alias for the filter group policy
const (
// IncludePolicy determines the policy type that allows for
// filtering the matching events.
IncludePolicy FilterGroupPolicy = iota
// ExcludePolicy determines the policy that allows for filtering
// out the matching events, that is, discarding them from the event
// flow.
ExcludePolicy
// UnknownPolicy determines the unknown group policy type.
UnknownPolicy
)
func (FilterGroupPolicy) String added in v1.4.0
func (p FilterGroupPolicy) String() string
String yields human readable group policy.
func (*FilterGroupPolicy) UnmarshalYAML added in v1.4.0
func (p *FilterGroupPolicy) UnmarshalYAML(unmarshal func(interface{}) error) error
UnmarshalYAML converts the policy string to enum type.
type FilterGroupRelation added in v1.4.0
type FilterGroupRelation uint8
FilterGroupRelation is the type alias for the filter group relation
const (
// OrRelation is the group relation type that requires at
// least one matching filter to evaluate successfully.
OrRelation FilterGroupRelation = iota
// AndRelation is the group relation type that requires all
// the filters to match in order to evaluate successfully.
AndRelation
// UnknownRelation determines the unknown group relation type.
UnknownRelation
)
func (FilterGroupRelation) String added in v1.4.0
func (r FilterGroupRelation) String() string
String yields human readable group relation.
func (*FilterGroupRelation) UnmarshalYAML added in v1.4.0
func (r *FilterGroupRelation) UnmarshalYAML(unmarshal func(interface{}) error) error
UnmarshalYAML converts the relation string to enum type.
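As an added illustration (not Fibratus code), the following Go program mirrors the two enums above and shows how a group's relation folds the per-filter match results and its policy then decides whether the event is kept or discarded. The KeepEvent name and the rule that a group with no filters never matches are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Local copies of the documented enums so the example compiles without Fibratus.
type FilterGroupPolicy uint8
type FilterGroupRelation uint8

const (
	IncludePolicy FilterGroupPolicy = iota // keep only the matching events
	ExcludePolicy                          // discard the matching events
	UnknownPolicy
)

const (
	OrRelation FilterGroupRelation = iota // at least one filter must match
	AndRelation                           // every filter must match
	UnknownRelation
)

// KeepEvent decides whether an event survives a single filter group. The
// relation folds the per-filter match results (OR: at least one, AND: all),
// then the policy keeps (Include) or drops (Exclude) the matching events.
// Assumption not stated on the page: a group with no filters never matches.
func KeepEvent(pol FilterGroupPolicy, rel FilterGroupRelation, results []bool) (bool, error) {
	if pol >= UnknownPolicy || rel >= UnknownRelation {
		return false, errors.New("unknown filter group policy or relation")
	}
	anyHit, allHit := false, len(results) > 0
	for _, r := range results {
		anyHit, allHit = anyHit || r, allHit && r
	}
	matched := anyHit
	if rel == AndRelation {
		matched = allHit
	}
	return matched == (pol == IncludePolicy), nil
}

func main() {
	// Constructed results: the first filter matched the event, the second did not.
	keep, _ := KeepEvent(ExcludePolicy, AndRelation, []bool{true, false})
	fmt.Println("exclude + and, partial match -> event kept:", keep) // true
}
```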
type FilterGroupSelector added in v1.4.0
type FilterGroupSelector struct {
Type ktypes.Ktype `json:"type" yaml:"type"`
Category ktypes.Category `json:"category" yaml:"category"`
}
FilterGroupSelector permits specifying the events that will be captured by a particular filter group. Only one of the type or category selectors can be active at the same time.
type Filters added in v1.4.0
type Filters struct {
Rules Rules `json:"rules" yaml:"rules"`
}
Filters contains references to filter group definitions. Each filter group can contain multiple filter expressions. Filter expressions can reside in the filter group file or live in a separate file.
func (Filters) LoadGroups added in v1.4.0
func (f Filters) LoadGroups() ([]FilterGroup, error)
LoadGroups decodes the groups from each filter group file and ensures the correctness of the YAML file.
type KstreamConfig
type KstreamConfig struct {
// EnableThreadKevents indicates if thread kernel events are collected by the ETW provider.
EnableThreadKevents bool `json:"enable-thread" yaml:"enable-thread"`
// EnableRegistryKevents indicates if registry kernel events are collected by the ETW provider.
EnableRegistryKevents bool `json:"enable-registry" yaml:"enable-registry"`
// EnableNetKevents determines whether network (TCP/UDP) events are collected by the ETW provider.
EnableNetKevents bool `json:"enable-net" yaml:"enable-net"`
// EnableFileIOKevents indicates if file I/O kernel events are collected by the ETW provider.
EnableFileIOKevents bool `json:"enable-fileio" yaml:"enable-fileio"`
// EnableImageKevents indicates if image kernel events are collected by the ETW provider.
EnableImageKevents bool `json:"enable-image" yaml:"enable-image"`
// EnableHandleKevents indicates whether handle creation/disposal events are enabled.
EnableHandleKevents bool `json:"enable-handle" yaml:"enable-handle"`
// BufferSize represents the amount of memory allocated for each event tracing session buffer, in kilobytes.
// The buffer size affects the rate at which buffers fill and must be flushed (small buffer size requires
// less memory but it increases the rate at which buffers must be flushed).
BufferSize uint32 `json:"buffer-size" yaml:"buffer-size"`
// MinBuffers determines the minimum number of buffers allocated for the event tracing session's buffer pool.
MinBuffers uint32 `json:"min-buffers" yaml:"min-buffers"`
// MaxBuffers is the maximum number of buffers allocated for the event tracing session's buffer pool.
MaxBuffers uint32 `json:"max-buffers" yaml:"max-buffers"`
// FlushTimer specifies how often the trace buffers are forcibly flushed.
FlushTimer time.Duration `json:"flush-interval" yaml:"flush-interval"`
// BlacklistKevents are kernel event names that will be dropped from the kernel event stream.
BlacklistKevents []string `json:"blacklist.events" yaml:"blacklist.events"`
// BlacklistImages are process image names that will be rejected if they generate a kernel event.
BlacklistImages []string `json:"blacklist.images" yaml:"blacklist.images"`
}
KstreamConfig stores different configuration options for fine tuning kstream consumer/controller settings.
type Option
type Option func(*Options)
Option is the type alias for the config option.
func WithCapture
func WithCapture() Option
WithCapture signals that the capture command is being executed.
type Options
type Options struct {
// contains filtered or unexported fields
}
Options determines which config flags are toggled depending on the command type.
type Rules added in v1.4.0
type Rules struct {
FromPaths []string `json:"from-paths" yaml:"from-paths"`
FromURLs []string `json:"from-urls" yaml:"from-urls"`
}
Rules contains attributes that describe the location of rule resources.
type TmplData added in v1.4.0
type TmplData struct {
Filter *FilterConfig
Group *FilterGroup
Kevt *kevent.Kevent
}
TmplData is the template data object. Some fields of this structure represent empty values, since we have to satisfy the presence of certain keys when executing the template.