types

package
v1.0.10 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 10, 2020 License: BSD-3-Clause Imports: 8 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// SuricataTimestampFormat is a Go time formatting string describing the
	// timestamp format used by Suricata's EVE JSON output.
	SuricataTimestampFormat = "2006-01-02T15:04:05.999999-0700"

	// EventTypeFlow is the EventType string for the flow type.
	EventTypeFlow = "flow"
	// EventTypeAlert is the EventType string for the alert type.
	EventTypeAlert = "alert"
)

Variables

View Source
var FlowEventFlags = map[string]uint16{
	"TCP": 1 << 0,
	"UDP": 1 << 1,
}

FlowEventFlags defines various flags for use in FlowEvent.Flags (e.g. the protocol).

Functions

This section is empty.

Types

type AlertEvent

type AlertEvent struct {
	Action      string `json:"action"`
	Gid         int    `json:"gid"`
	SignatureID int    `json:"signature_id"`
	Rev         int    `json:"rev"`
	Signature   string `json:"signature"`
	Category    string `json:"category"`
	Severity    int    `json:"severity"`
}

AlertEvent is am alert sub-object of an EVE entry.

type DNSAnswer

type DNSAnswer struct {
	DNSRRName string
	DNSRRType string
	DNSRCode  string
	DNSRData  string
	DNSType   string
}

DNSAnswer is a single DNS answer as observed by Suricata

type DNSEvent

type DNSEvent struct {
	Type   string `json:"type"`
	ID     int    `json:"id"`
	Rcode  string `json:"rcode"`
	Rrname string `json:"rrname"`
	Rrtype string `json:"rrtype"`
	TTL    int    `json:"ttl"`
	Rdata  string `json:"rdata"`
	TxID   int    `json:"tx_id"`
}

DNSEvent is a DNS sub-object of an EVE entry.

type Entry

type Entry struct {
	SrcIP         string
	SrcHosts      []string
	SrcPort       int64
	DestIP        string
	DestHosts     []string
	DestPort      int64
	Timestamp     string
	EventType     string
	Proto         string
	HTTPHost      string
	HTTPUrl       string
	HTTPMethod    string
	JSONLine      string
	DNSVersion    int64
	DNSRRName     string
	DNSRRType     string
	DNSRCode      string
	DNSRData      string
	DNSType       string
	DNSAnswers    []DNSAnswer
	TLSSni        string
	BytesToClient int64
	BytesToServer int64
	PktsToClient  int64
	PktsToServer  int64
	FlowID        string
}

Entry is a collection of data that needs to be parsed FAST from the entry

type EveEvent

type EveEvent struct {
	Timestamp        *SuriTime      `json:"timestamp"`
	EventType        string         `json:"event_type"`
	FlowID           int64          `json:"flow_id,omitempty"`
	InIface          string         `json:"in_iface,omitempty"`
	SrcIP            string         `json:"src_ip,omitempty"`
	SrcPort          int            `json:"src_port,omitempty"`
	SrcHost          []string       `json:"src_host,omitempty"`
	DestIP           string         `json:"dest_ip,omitempty"`
	DestPort         int            `json:"dest_port,omitempty"`
	DestHost         []string       `json:"dest_host,omitempty"`
	Proto            string         `json:"proto,omitempty"`
	AppProto         string         `json:"app_proto,omitempty"`
	TxID             int            `json:"tx_id,omitempty"`
	TCP              *tcpEvent      `json:"tcp,omitempty"`
	PacketInfo       *packetInfo    `json:"packet_info,omitempty"`
	Alert            *AlertEvent    `json:"alert,omitempty"`
	Payload          string         `json:"payload,omitempty"`
	PayloadPrintable string         `json:"payload_printable,omitempty"`
	Stream           int            `json:"stream,omitempty"`
	Packet           string         `json:"packet,omitempty"`
	SMTP             *smtpEvent     `json:"smtp,omitempty"`
	Email            *emailEvent    `json:"email,omitempty"`
	DNS              *DNSEvent      `json:"dns,omitempty"`
	HTTP             *HTTPEvent     `json:"http,omitempty"`
	Fileinfo         *fileinfoEvent `json:"fileinfo,omitempty"`
	Flow             *EveFlowEvent  `json:"flow,omitempty"`
	SSH              *sshEvent      `json:"ssh,omitempty"`
	TLS              *TLSEvent      `json:"tls,omitempty"`
	Stats            *statsEvent    `json:"stats,omitempty"`
	ExtraInfo        *ExtraInfo     `json:"_extra,omitempty"`
}

EveEvent is the huge struct which can contain a parsed suricata eve.json log event.

type EveFlowEvent added in v1.0.9

type EveFlowEvent struct {
	PktsToserver  int       `json:"pkts_toserver"`
	PktsToclient  int       `json:"pkts_toclient"`
	BytesToserver int       `json:"bytes_toserver"`
	BytesToclient int       `json:"bytes_toclient"`
	Start         *SuriTime `json:"start"`
	End           *SuriTime `json:"end"`
	Age           int       `json:"age"`
	State         string    `json:"state"`
	Reason        string    `json:"reason"`
}

EveFlowEvent is an Flow sub-object of an EVE entry.

type EveOutEvent added in v1.0.8

type EveOutEvent EveEvent

EveOutEvent is the version of EveEvent that we use to marshal the output for downstream consumption.

func (EveOutEvent) MarshalJSON added in v1.0.8

func (e EveOutEvent) MarshalJSON() ([]byte, error)

MarshalJSON for EveOutEvents ensures that FlowIDs are represented in JSON as a string. This is necessary to work around some arbitrary limitations such as syslog-ng's funny JSON parser implementation, which truncates large integers found in JSON values.

func (*EveOutEvent) UnmarshalJSON added in v1.0.8

func (e *EveOutEvent) UnmarshalJSON(d []byte) error

UnmarshalJSON implements filling an EveOutEvent from a byte slice, converting the string in the FlowID field back into a number. This is necessary to ensure that a round-trip (write+read) works.

type ExtraInfo added in v1.0.5

type ExtraInfo struct {
	BloomIOC     string      `json:"bloom-ioc,omitempty"`
	StenosisInfo interface{} `json:"stenosis-info,omitempty"`
}

ExtraInfo contains non-EVE-standard extra information

type FlowEvent

type FlowEvent struct {
	Timestamp     uint64
	Format        byte
	SrcIP         []byte
	DestIP        []byte
	SrcPort       uint16
	DestPort      uint16
	BytesToServer uint32
	BytesToClient uint32
	PktsToServer  uint32
	PktsToClient  uint32
	Flags         uint16
}

FlowEvent stores the meta-data of a flow event in a compact, binary form.

func (*FlowEvent) FromEntry

func (fe *FlowEvent) FromEntry(e *Entry) error

FromEntry populates a FlowEvent using an Entry

func (*FlowEvent) Marshal

func (fe *FlowEvent) Marshal(writer io.Writer) error

Marshal writes a FlowEvent to an io.Writer.

func (*FlowEvent) Unmarshal

func (fe *FlowEvent) Unmarshal(reader io.Reader) error

Unmarshal reads a FlowEvent from an io.Reader.

type HTTPEvent

type HTTPEvent struct {
	Hostname        string `json:"hostname"`
	URL             string `json:"url"`
	HTTPUserAgent   string `json:"http_user_agent"`
	HTTPContentType string `json:"http_content_type"`
	HTTPMethod      string `json:"http_method"`
	Protocol        string `json:"protocol"`
	Status          int    `json:"status"`
	Length          int    `json:"length"`
}

HTTPEvent is an HTTP sub-object of an EVE entry.

type SuriTime added in v1.0.9

type SuriTime struct{ time.Time }

SuriTime is a Suricata-formatted timestamp string.

func (*SuriTime) MarshalJSON added in v1.0.9

func (t *SuriTime) MarshalJSON() ([]byte, error)

MarshalJSON converts a SuriTime struct into a JSON byte slice.

func (*SuriTime) UnmarshalJSON added in v1.0.9

func (t *SuriTime) UnmarshalJSON(b []byte) error

UnmarshalJSON converts a JSON byte slice into a SuriTime struct.

type TLSEvent

type TLSEvent struct {
	Subject     string `json:"subject"`
	Issuerdn    string `json:"issuerdn"`
	Fingerprint string `json:"fingerprint"`
	Sni         string `json:"sni"`
	Version     string `json:"version"`
}

TLSEvent is a TLS sub-object of an EVE entry.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL