Documentation
Constants
const SuricataTimestampFormat = "2006-01-02T15:04:05.999999-0700"
SuricataTimestampFormat is a Go time formatting string describing the timestamp format used by Suricata's EVE JSON output.
Variables
var FlowEventFlags = map[string]uint16{
"TCP": 1 << 0,
"UDP": 1 << 1,
}
FlowEventFlags defines various flags for use in FlowEvent.Flags (e.g. the protocol).
Functions
This section is empty.
Types
type AlertEvent
type AlertEvent struct {
	Action      string `json:"action"`
	Gid         int    `json:"gid"`
	SignatureID int    `json:"signature_id"`
	Rev         int    `json:"rev"`
	Signature   string `json:"signature"`
	Category    string `json:"category"`
	Severity    int    `json:"severity"`
}
AlertEvent is an alert sub-object of an EVE entry.
type DNSAnswer
type DNSAnswer struct {
	DNSRRName string
	DNSRRType string
	DNSRCode  string
	DNSRData  string
	DNSType   string
}
DNSAnswer is a single DNS answer as observed by Suricata.
type DNSEvent
type DNSEvent struct {
	Type   string `json:"type"`
	ID     int    `json:"id"`
	Rcode  string `json:"rcode"`
	Rrname string `json:"rrname"`
	Rrtype string `json:"rrtype"`
	TTL    int    `json:"ttl"`
	Rdata  string `json:"rdata"`
	TxID   int    `json:"tx_id"`
}
DNSEvent is a DNS sub-object of an EVE entry.
type Entry
type Entry struct {
	SrcIP         string
	SrcPort       int64
	DestIP        string
	DestPort      int64
	Timestamp     string
	EventType     string
	Proto         string
	HTTPHost      string
	HTTPUrl       string
	HTTPMethod    string
	JSONLine      string
	DNSVersion    int64
	DNSRRName     string
	DNSRRType     string
	DNSRCode      string
	DNSRData      string
	DNSType       string
	DNSAnswers    []DNSAnswer
	TLSSni        string
	BytesToClient int64
	BytesToServer int64
	PktsToClient  int64
	PktsToServer  int64
}
Entry collects the fields of an EVE entry that need to be parsed as fast as possible; JSONLine keeps the raw line.
type EveEvent
type EveEvent struct {
	Timestamp        *suriTime      `json:"timestamp"`
	EventType        string         `json:"event_type"`
	FlowID           int64          `json:"flow_id,omitempty"`
	InIface          string         `json:"in_iface,omitempty"`
	SrcIP            string         `json:"src_ip,omitempty"`
	SrcPort          int            `json:"src_port,omitempty"`
	DestIP           string         `json:"dest_ip,omitempty"`
	DestPort         int            `json:"dest_port,omitempty"`
	Proto            string         `json:"proto,omitempty"`
	AppProto         string         `json:"app_proto,omitempty"`
	TxID             int            `json:"tx_id,omitempty"`
	TCP              *tcpEvent      `json:"tcp,omitempty"`
	PacketInfo       *packetInfo    `json:"packet_info,omitempty"`
	Alert            *AlertEvent    `json:"alert,omitempty"`
	Payload          string         `json:"payload,omitempty"`
	PayloadPrintable string         `json:"payload_printable,omitempty"`
	Stream           int            `json:"stream,omitempty"`
	Packet           string         `json:"packet,omitempty"`
	SMTP             *smtpEvent     `json:"smtp,omitempty"`
	Email            *emailEvent    `json:"email,omitempty"`
	DNS              *DNSEvent      `json:"dns,omitempty"`
	HTTP             *HTTPEvent     `json:"http,omitempty"`
	Fileinfo         *fileinfoEvent `json:"fileinfo,omitempty"`
	Flow             *flowEvent     `json:"flow,omitempty"`
	SSH              *sshEvent      `json:"ssh,omitempty"`
	TLS              *TLSEvent      `json:"tls,omitempty"`
	Stats            *statsEvent    `json:"stats,omitempty"`
	ExtraInfo        *ExtraInfo     `json:"_extra,omitempty"`
}
EveEvent is the large struct that can hold a fully parsed Suricata eve.json log event; each event-type-specific sub-object is a pointer that is nil when absent.
type ExtraInfo (added in v1.0.5)
type ExtraInfo struct {
BloomIOC string `json:"bloom-ioc,omitempty"`
}
ExtraInfo contains extra information that is not part of the EVE standard.
type FlowEvent
type FlowEvent struct {
	Timestamp     uint64
	Format        byte
	SrcIP         []byte
	DestIP        []byte
	SrcPort       uint16
	DestPort      uint16
	BytesToServer uint32
	BytesToClient uint32
	PktsToServer  uint32
	PktsToClient  uint32
	Flags         uint16
}
FlowEvent stores the metadata of a flow event in a compact, binary form; Flags is a bit set built from FlowEventFlags.
type HTTPEvent
type HTTPEvent struct {
	Hostname        string `json:"hostname"`
	URL             string `json:"url"`
	HTTPUserAgent   string `json:"http_user_agent"`
	HTTPContentType string `json:"http_content_type"`
	HTTPMethod      string `json:"http_method"`
	Protocol        string `json:"protocol"`
	Status          int    `json:"status"`
	Length          int    `json:"length"`
}
HTTPEvent is an HTTP sub-object of an EVE entry.
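Decoding one EVE line with the documented SuricataTimestampFormat layout and deriving a FlowEvent-style Flags bit from FlowEventFlags, as an added example that is not code from this package: SuriTime is a hypothetical stand-in for the unexported timestamp type behind EveEvent.Timestamp, MiniEvent is a reduced EveEvent, and SampleLine is a constructed record.

```go
package main

import (
	"encoding/json"
	"time"
)

// Constant and variable exactly as documented above.
const SuricataTimestampFormat = "2006-01-02T15:04:05.999999-0700"
var FlowEventFlags = map[string]uint16{"TCP": 1 << 0, "UDP": 1 << 1}

// SuriTime is a hypothetical stand-in for the package's unexported timestamp type.
type SuriTime struct{ time.Time }
// UnmarshalJSON decodes the EVE timestamp string with SuricataTimestampFormat.
func (t *SuriTime) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err != nil {
		return err
	}
	parsed, err := time.Parse(SuricataTimestampFormat, s)
	if err != nil {
		return err // a sensor emitting a different timestamp layout fails here
	}
	t.Time = parsed
	return nil
}

// MiniEvent keeps the EveEvent fields this example needs; Alert carries three AlertEvent fields.
type MiniEvent struct {
	Timestamp SuriTime `json:"timestamp"`
	EventType string   `json:"event_type"`
	Proto     string   `json:"proto"`
	Alert     *struct {
		SignatureID int    `json:"signature_id"`
		Signature   string `json:"signature"`
		Severity    int    `json:"severity"`
	} `json:"alert,omitempty"`
}

// ParseEVELine decodes one EVE line and derives FlowEvent-style Flags from Proto (unknown proto -> 0).
func ParseEVELine(line string) (MiniEvent, uint16, error) {
	var ev MiniEvent
	if err := json.Unmarshal([]byte(line), &ev); err != nil {
		return ev, 0, err
	}
	return ev, FlowEventFlags[ev.Proto], nil
}

// SampleLine is a constructed EVE alert record (placeholder local sid), not real Suricata output.
const SampleLine = `{"timestamp":"2023-04-05T06:07:08.123456+0200","event_type":"alert","proto":"TCP","alert":{"signature_id":1000001,"signature":"LOCAL test rule","severity":2}}`
```

Note that the layout's fractional-second and numeric-zone parts match what Suricata writes by default, so the parsed time carries the sensor's offset and converts cleanly to UTC for correlation.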