Documentation
Constants
const SuricataTimestampFormat = "2006-01-02T15:04:05.999999-0700"
SuricataTimestampFormat is a Go time layout string describing the timestamp format used by Suricata's EVE JSON output (microsecond fraction, zone offset written without a colon).
Variables
var FlowEventFlags = map[string]uint16{
    "TCP": 1 << 0,
    "UDP": 1 << 1,
}
FlowEventFlags defines various flags for use in FlowEvent.Flags (e.g. the protocol).
Functions
This section is empty.
Types
type AlertEvent
type AlertEvent struct {
    Action      string `json:"action"`
    Gid         int    `json:"gid"`
    SignatureID int    `json:"signature_id"`
    Rev         int    `json:"rev"`
    Signature   string `json:"signature"`
    Category    string `json:"category"`
    Severity    int    `json:"severity"`
}
AlertEvent is an alert sub-object of an EVE entry.
type DNSAnswer
type DNSAnswer struct {
    DNSRRName string
    DNSRRType string
    DNSRCode  string
    DNSRData  string
    DNSType   string
}
DNSAnswer is a single DNS answer as observed by Suricata.
type DNSEvent
type DNSEvent struct {
    Type   string `json:"type"`
    ID     int    `json:"id"`
    Rcode  string `json:"rcode"`
    Rrname string `json:"rrname"`
    Rrtype string `json:"rrtype"`
    TTL    int    `json:"ttl"`
    Rdata  string `json:"rdata"`
    TxID   int    `json:"tx_id"`
}
DNSEvent is a DNS sub-object of an EVE entry.
type Entry
type Entry struct {
    SrcIP         string
    SrcHosts      []string
    SrcPort       int64
    DestIP        string
    DestHosts     []string
    DestPort      int64
    Timestamp     string
    EventType     string
    Proto         string
    HTTPHost      string
    HTTPUrl       string
    HTTPMethod    string
    JSONLine      string
    DNSVersion    int64
    DNSRRName     string
    DNSRRType     string
    DNSRCode      string
    DNSRData      string
    DNSType       string
    DNSAnswers    []DNSAnswer
    TLSSni        string
    BytesToClient int64
    BytesToServer int64
    PktsToClient  int64
    PktsToServer  int64
}
Entry is a flat collection of the fields that need to be parsed FAST from an EVE entry; JSONLine keeps the original line.
type EveEvent
type EveEvent struct {
    Timestamp        *suriTime      `json:"timestamp"`
    EventType        string         `json:"event_type"`
    FlowID           int64          `json:"flow_id,omitempty"`
    InIface          string         `json:"in_iface,omitempty"`
    SrcIP            string         `json:"src_ip,omitempty"`
    SrcPort          int            `json:"src_port,omitempty"`
    SrcHost          []string       `json:"src_host,omitempty"`
    DestIP           string         `json:"dest_ip,omitempty"`
    DestPort         int            `json:"dest_port,omitempty"`
    DestHost         []string       `json:"dest_host,omitempty"`
    Proto            string         `json:"proto,omitempty"`
    AppProto         string         `json:"app_proto,omitempty"`
    TxID             int            `json:"tx_id,omitempty"`
    TCP              *tcpEvent      `json:"tcp,omitempty"`
    PacketInfo       *packetInfo    `json:"packet_info,omitempty"`
    Alert            *AlertEvent    `json:"alert,omitempty"`
    Payload          string         `json:"payload,omitempty"`
    PayloadPrintable string         `json:"payload_printable,omitempty"`
    Stream           int            `json:"stream,omitempty"`
    Packet           string         `json:"packet,omitempty"`
    SMTP             *smtpEvent     `json:"smtp,omitempty"`
    Email            *emailEvent    `json:"email,omitempty"`
    DNS              *DNSEvent      `json:"dns,omitempty"`
    HTTP             *HTTPEvent     `json:"http,omitempty"`
    Fileinfo         *fileinfoEvent `json:"fileinfo,omitempty"`
    Flow             *flowEvent     `json:"flow,omitempty"`
    SSH              *sshEvent      `json:"ssh,omitempty"`
    TLS              *TLSEvent      `json:"tls,omitempty"`
    Stats            *statsEvent    `json:"stats,omitempty"`
    ExtraInfo        *ExtraInfo     `json:"_extra,omitempty"`
}
EveEvent is the large struct that can hold a parsed Suricata eve.json log event; every sub-object is a pointer with omitempty, so absent sections stay nil.
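A minimal consumer of these types, added here as an example and not part of the package itself: it copies the documented SuricataTimestampFormat, FlowEventFlags and AlertEvent, and assumes a suriTime wrapper and a trimmed EveEvent (called eveSubset) standing in for the package's unexported timestamp type and its full struct. It decodes a constructed eve.json alert line and maps the proto string to its flow flag bit. It also shows why the dedicated layout constant exists: Suricata writes the zone offset as +0000 with no colon, which time.RFC3339 does not accept.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// SuricataTimestampFormat is the layout documented for this package:
// microsecond fraction and a colon-less "-0700" zone offset.
const SuricataTimestampFormat = "2006-01-02T15:04:05.999999-0700"

// FlowEventFlags is the documented protocol flag set used in FlowEvent.Flags.
var FlowEventFlags = map[string]uint16{
	"TCP": 1 << 0,
	"UDP": 1 << 1,
}

// suriTime is an assumed stand-in for the package's unexported timestamp type.
// It wraps time.Time so the EVE "timestamp" string is parsed with
// SuricataTimestampFormat during json.Unmarshal.
type suriTime struct {
	time.Time
}

// UnmarshalJSON parses the quoted EVE timestamp with SuricataTimestampFormat.
func (t *suriTime) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err != nil {
		return err
	}
	parsed, err := time.Parse(SuricataTimestampFormat, s)
	if err != nil {
		return fmt.Errorf("suricata timestamp %q: %w", s, err)
	}
	t.Time = parsed
	return nil
}

// AlertEvent mirrors the documented alert sub-object.
type AlertEvent struct {
	Action      string `json:"action"`
	Gid         int    `json:"gid"`
	SignatureID int    `json:"signature_id"`
	Rev         int    `json:"rev"`
	Signature   string `json:"signature"`
	Category    string `json:"category"`
	Severity    int    `json:"severity"`
}

// eveSubset keeps only the EveEvent fields this example needs (assumption:
// same JSON tags as the documented struct, which carries many more sub-objects).
type eveSubset struct {
	Timestamp *suriTime   `json:"timestamp"`
	EventType string      `json:"event_type"`
	SrcIP     string      `json:"src_ip,omitempty"`
	SrcPort   int         `json:"src_port,omitempty"`
	DestIP    string      `json:"dest_ip,omitempty"`
	DestPort  int         `json:"dest_port,omitempty"`
	Proto     string      `json:"proto,omitempty"`
	Alert     *AlertEvent `json:"alert,omitempty"`
}

// sampleLine is a constructed EVE alert record, not captured from a sensor;
// the signature id sits in the local-rule range and the addresses are example ranges.
const sampleLine = `{"timestamp":"2024-03-01T12:34:56.789012+0000","event_type":"alert",` +
	`"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP",` +
	`"alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":3,` +
	`"signature":"LOCAL constructed example rule","category":"Example","severity":2}}`

// parseEve decodes one eve.json line. Unknown keys are ignored by encoding/json,
// which is what a consumer of the growing EVE schema wants.
func parseEve(line string) (*eveSubset, error) {
	var ev eveSubset
	if err := json.Unmarshal([]byte(line), &ev); err != nil {
		return nil, err
	}
	if ev.Timestamp == nil {
		return nil, fmt.Errorf("eve record has no timestamp")
	}
	return &ev, nil
}

// protoFlag maps the EVE "proto" string to its FlowEventFlags bit; the second
// return value is false for protocols the table does not cover (e.g. ICMP).
func protoFlag(proto string) (uint16, bool) {
	f, ok := FlowEventFlags[proto]
	return f, ok
}

func main() {
	ev, err := parseEve(sampleLine)
	if err != nil {
		panic(err)
	}
	flag, _ := protoFlag(ev.Proto)
	fmt.Printf("%s %s %s:%d -> %s:%d flags=%#04x sid=%d sev=%d\n",
		ev.Timestamp.UTC().Format(time.RFC3339Nano), ev.EventType,
		ev.SrcIP, ev.SrcPort, ev.DestIP, ev.DestPort, flag,
		ev.Alert.SignatureID, ev.Alert.Severity)
}
```

Because every sub-object in EveEvent is a pointer, a consumer must nil-check Alert (or DNS, HTTP, ...) before dereferencing; only event_type tells you which sections to expect.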
type ExtraInfo added in v1.0.5
type ExtraInfo struct {
    BloomIOC string `json:"bloom-ioc,omitempty"`
}
ExtraInfo contains non-EVE-standard extra information.
type FlowEvent
type FlowEvent struct {
    Timestamp     uint64
    Format        byte
    SrcIP         []byte
    DestIP        []byte
    SrcPort       uint16
    DestPort      uint16
    BytesToServer uint32
    BytesToClient uint32
    PktsToServer  uint32
    PktsToClient  uint32
    Flags         uint16
}
FlowEvent stores the metadata of a flow event in a compact, binary form; Flags holds bits from FlowEventFlags.
type HTTPEvent
type HTTPEvent struct {
    Hostname        string `json:"hostname"`
    URL             string `json:"url"`
    HTTPUserAgent   string `json:"http_user_agent"`
    HTTPContentType string `json:"http_content_type"`
    HTTPMethod      string `json:"http_method"`
    Protocol        string `json:"protocol"`
    Status          int    `json:"status"`
    Length          int    `json:"length"`
}
HTTPEvent is an HTTP sub-object of an EVE entry.