Documentation ¶
Index ¶
Constants ¶
const (
    // SuricataTimestampFormat is a Go time formatting string describing the
    // timestamp format used by Suricata's EVE JSON output.
    SuricataTimestampFormat = "2006-01-02T15:04:05.999999-0700"
    // EventTypeFlow is the EventType string for the flow type.
    EventTypeFlow = "flow"
    // EventTypeAlert is the EventType string for the alert type.
    EventTypeAlert = "alert"
)
Variables ¶
var FlowEventFlags = map[string]uint16{
"TCP": 1 << 0,
"UDP": 1 << 1,
}
FlowEventFlags defines the bit flags that can be set in FlowEvent.Flags (currently the transport protocol).
Functions ¶
This section is empty.
Types ¶
type AlertEvent ¶
type AlertEvent struct {
    Action      string `json:"action"`
    Gid         int    `json:"gid"`
    SignatureID int    `json:"signature_id"`
    Rev         int    `json:"rev"`
    Signature   string `json:"signature"`
    Category    string `json:"category"`
    Severity    int    `json:"severity"`
}
AlertEvent is an alert sub-object of an EVE entry.
type DNSAnswer ¶
type DNSAnswer struct {
    DNSRRName string
    DNSRRType string
    DNSRCode  string
    DNSRData  string
    DNSType   string
}
DNSAnswer is a single DNS answer as observed by Suricata.
type DNSEvent ¶
type DNSEvent struct {
    Type   string `json:"type"`
    ID     int    `json:"id"`
    Rcode  string `json:"rcode"`
    Rrname string `json:"rrname"`
    Rrtype string `json:"rrtype"`
    TTL    int    `json:"ttl"`
    Rdata  string `json:"rdata"`
    TxID   int    `json:"tx_id"`
}
DNSEvent is a DNS sub-object of an EVE entry.
type Entry ¶
type Entry struct {
    SrcIP          string
    SrcHosts       []string
    SrcPort        int64
    DestIP         string
    DestHosts      []string
    DestPort       int64
    Timestamp      string
    EventType      string
    Proto          string
    HTTPHost       string
    HTTPUrl        string
    HTTPMethod     string
    JSONLine       string
    DNSVersion     int64
    DNSRRName      string
    DNSRRType      string
    DNSRCode       string
    DNSRData       string
    DNSType        string
    DNSAnswers     []DNSAnswer
    TLSSNI         string
    BytesToClient  int64
    BytesToServer  int64
    PktsToClient   int64
    PktsToServer   int64
    FlowID         string
    Iface          string
    AppProto       string
    TLSFingerprint string
}
Entry is the collection of fields that needs to be parsed fast from a raw EVE entry.
type EveEvent ¶
type EveEvent struct {
    Timestamp        *SuriTime      `json:"timestamp"`
    EventType        string         `json:"event_type"`
    FlowID           int64          `json:"flow_id,omitempty"`
    InIface          string         `json:"in_iface,omitempty"`
    SrcIP            string         `json:"src_ip,omitempty"`
    SrcPort          int            `json:"src_port,omitempty"`
    SrcHost          []string       `json:"src_host,omitempty"`
    DestIP           string         `json:"dest_ip,omitempty"`
    DestPort         int            `json:"dest_port,omitempty"`
    DestHost         []string       `json:"dest_host,omitempty"`
    Proto            string         `json:"proto,omitempty"`
    AppProto         string         `json:"app_proto,omitempty"`
    TxID             int            `json:"tx_id,omitempty"`
    TCP              *tcpEvent      `json:"tcp,omitempty"`
    PacketInfo       *packetInfo    `json:"packet_info,omitempty"`
    Alert            *AlertEvent    `json:"alert,omitempty"`
    Payload          string         `json:"payload,omitempty"`
    PayloadPrintable string         `json:"payload_printable,omitempty"`
    Stream           int            `json:"stream,omitempty"`
    Packet           string         `json:"packet,omitempty"`
    SMTP             *smtpEvent     `json:"smtp,omitempty"`
    Email            *emailEvent    `json:"email,omitempty"`
    DNS              *DNSEvent      `json:"dns,omitempty"`
    HTTP             *HTTPEvent     `json:"http,omitempty"`
    Fileinfo         *fileinfoEvent `json:"fileinfo,omitempty"`
    Flow             *EveFlowEvent  `json:"flow,omitempty"`
    SSH              *sshEvent      `json:"ssh,omitempty"`
    TLS              *TLSEvent      `json:"tls,omitempty"`
    Stats            *statsEvent    `json:"stats,omitempty"`
    ExtraInfo        *ExtraInfo     `json:"_extra,omitempty"`
}
EveEvent is the large struct that can hold a parsed Suricata eve.json log event.
type EveFlowEvent ¶ added in v1.0.9
type EveFlowEvent struct {
    PktsToserver  int       `json:"pkts_toserver"`
    PktsToclient  int       `json:"pkts_toclient"`
    BytesToserver int       `json:"bytes_toserver"`
    BytesToclient int       `json:"bytes_toclient"`
    Start         *SuriTime `json:"start"`
    End           *SuriTime `json:"end"`
    Age           int       `json:"age"`
    State         string    `json:"state"`
    Reason        string    `json:"reason"`
}
EveFlowEvent is a flow sub-object of an EVE entry.
type EveOutEvent ¶ added in v1.0.8
type EveOutEvent EveEvent
EveOutEvent is the version of EveEvent that we use to marshal the output for downstream consumption.
func (EveOutEvent) MarshalJSON ¶ added in v1.0.8
func (e EveOutEvent) MarshalJSON() ([]byte, error)
MarshalJSON for EveOutEvent ensures that the FlowID is represented in JSON as a string. This works around downstream JSON consumers that do not preserve large integers, such as syslog-ng's JSON parser, which truncates large integers found in JSON values.
func (*EveOutEvent) UnmarshalJSON ¶ added in v1.0.8
func (e *EveOutEvent) UnmarshalJSON(d []byte) error
UnmarshalJSON implements filling an EveOutEvent from a byte slice, converting the string in the FlowID field back into a number. This is necessary to ensure that a round-trip (write+read) works.
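The following is an added example, not code from this package, showing why the string round trip matters and how the EveOutEvent pattern (a distinct named type with its own MarshalJSON/UnmarshalJSON) avoids infinite recursion. The `eveEvent`/`eveOutEvent` types are reduced stand-ins with only a few of the real fields, and the sample alert line is constructed for the example; its `flow_id` is 2^53+1, the first integer a consumer that decodes JSON numbers as float64 cannot represent.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// Constructed sample alert line (not real Suricata output).
const sampleAlertLine = `{"timestamp":"2023-11-14T22:13:20.123456+0000","flow_id":9007199254740993,` +
	`"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.10"}`

// eveEvent is a reduced stand-in for EveEvent (assumption: only the fields
// needed to show the flow_id handling are kept).
type eveEvent struct {
	Timestamp string `json:"timestamp"`
	EventType string `json:"event_type"`
	FlowID    int64  `json:"flow_id,omitempty"`
	SrcIP     string `json:"src_ip,omitempty"`
	DestIP    string `json:"dest_ip,omitempty"`
}

// eveOutEvent mirrors the EveOutEvent pattern: a distinct named type, so the
// methods below apply on output only and eveEvent keeps default decoding.
type eveOutEvent eveEvent

// MarshalJSON emits flow_id as a JSON string. The embedded alias type has no
// methods, so encoding it does not recurse; the outer FlowID field shadows
// the alias's numeric flow_id because it is less deeply nested.
func (e eveOutEvent) MarshalJSON() ([]byte, error) {
	type alias eveOutEvent
	out := struct {
		alias
		FlowID string `json:"flow_id,omitempty"`
	}{alias: alias(e)}
	if e.FlowID != 0 {
		out.FlowID = strconv.FormatInt(e.FlowID, 10)
	}
	return json.Marshal(out)
}

// UnmarshalJSON accepts flow_id either as a string (our own output) or as a
// number (raw Suricata output), so a write+read round trip works.
func (e *eveOutEvent) UnmarshalJSON(d []byte) error {
	type alias eveOutEvent
	aux := struct {
		*alias
		FlowID json.RawMessage `json:"flow_id"`
	}{alias: (*alias)(e)}
	if err := json.Unmarshal(d, &aux); err != nil {
		return err
	}
	raw := string(aux.FlowID)
	if raw == "" || raw == "null" {
		e.FlowID = 0
		return nil
	}
	var s string
	if err := json.Unmarshal(aux.FlowID, &s); err == nil {
		raw = s // quoted form: use the string contents
	}
	id, err := strconv.ParseInt(raw, 10, 64)
	if err != nil {
		return fmt.Errorf("flow_id %s: %w", raw, err)
	}
	e.FlowID = id
	return nil
}

// RoundTrip parses a raw EVE line, re-emits it with a string flow_id and
// reads that output back. It returns the emitted JSON and the recovered id.
func RoundTrip(line string) (string, int64, error) {
	var in eveEvent
	if err := json.Unmarshal([]byte(line), &in); err != nil {
		return "", 0, err
	}
	out, err := json.Marshal(eveOutEvent(in))
	if err != nil {
		return "", 0, err
	}
	var back eveOutEvent
	if err := json.Unmarshal(out, &back); err != nil {
		return "", 0, err
	}
	return string(out), back.FlowID, nil
}

// LossyFlowID shows what a consumer that decodes JSON numbers as float64
// sees; decoding into map[string]interface{} is exactly such a consumer.
func LossyFlowID(line string) (int64, error) {
	var generic map[string]interface{}
	if err := json.Unmarshal([]byte(line), &generic); err != nil {
		return 0, err
	}
	f, ok := generic["flow_id"].(float64)
	if !ok {
		return 0, fmt.Errorf("flow_id is not a JSON number")
	}
	return int64(f), nil
}

func main() {
	out, id, err := RoundTrip(sampleAlertLine)
	if err != nil {
		panic(err)
	}
	lossy, _ := LossyFlowID(sampleAlertLine)
	fmt.Println(out)
	fmt.Printf("round-trip flow_id=%d, float64 consumer sees %d\n", id, lossy)
}
```

The lossy path returns 9007199254740992 for an input of 9007199254740993: the flow id is silently changed, which breaks correlation between the alert and its flow record downstream. Emitting the id as a string costs a few bytes per event and removes that failure mode for every consumer that stores strings verbatim.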
type ExtraInfo ¶ added in v1.0.5
type ExtraInfo struct {
    BloomIOC     string      `json:"bloom-ioc,omitempty"`
    VastIOC      string      `json:"vast-ioc,omitempty"`
    StenosisInfo interface{} `json:"stenosis-info,omitempty"`
}
ExtraInfo contains non-EVE-standard extra information, carried under the `_extra` key of an EveEvent.
type FlowEvent ¶
type FlowEvent struct {
    Timestamp     uint64
    Format        byte
    SrcIP         []byte
    DestIP        []byte
    SrcPort       uint16
    DestPort      uint16
    BytesToServer uint32
    BytesToClient uint32
    PktsToServer  uint32
    PktsToClient  uint32
    Flags         uint16
}
FlowEvent stores the metadata of a flow event in a compact, binary form.
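As an added example (not this package's code), here is one way to encode and decode such a compact flow record, using the same bit values as FlowEventFlags for the protocol flags. The page does not define the wire layout, the meaning of Format, or the timestamp unit, so those are assumptions: this example uses fixed 16-byte address fields so the record has a constant size, Format holds the IP version, integers are big-endian, and Timestamp is microseconds since the Unix epoch.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Flag bits, matching the FlowEventFlags map on this page.
const (
	flagTCP uint16 = 1 << 0
	flagUDP uint16 = 1 << 1
)

// Format values are an assumption for this example (IP version number).
const (
	formatIPv4 byte = 4
	formatIPv6 byte = 6
)

// compactFlow follows the FlowEvent field list but with fixed 16-byte
// address fields, so the struct has a fixed size and encoding/binary can
// write it in one call. Integers are big-endian on the wire.
type compactFlow struct {
	Timestamp     uint64 // assumption: microseconds since the Unix epoch
	Format        byte
	SrcIP         [16]byte
	DestIP        [16]byte
	SrcPort       uint16
	DestPort      uint16
	BytesToServer uint32
	BytesToClient uint32
	PktsToServer  uint32
	PktsToClient  uint32
	Flags         uint16
}

// compactFlowSize is the fixed encoded length (63 bytes).
var compactFlowSize = binary.Size(compactFlow{})

// NewCompactFlow builds a record from the string fields of an EVE flow event.
func NewCompactFlow(ts uint64, proto, src, dst string, sport, dport uint16,
	bytesToServer, bytesToClient, pktsToServer, pktsToClient uint32) (compactFlow, error) {
	f := compactFlow{Timestamp: ts, SrcPort: sport, DestPort: dport,
		BytesToServer: bytesToServer, BytesToClient: bytesToClient,
		PktsToServer: pktsToServer, PktsToClient: pktsToClient}
	switch proto {
	case "TCP":
		f.Flags |= flagTCP
	case "UDP":
		f.Flags |= flagUDP
	default:
		return f, fmt.Errorf("no flag defined for protocol %q", proto)
	}
	s, d := net.ParseIP(src), net.ParseIP(dst)
	if s == nil || d == nil {
		return f, fmt.Errorf("invalid address %q or %q", src, dst)
	}
	if s4, d4 := s.To4(), d.To4(); s4 != nil && d4 != nil {
		f.Format = formatIPv4
		copy(f.SrcIP[:], s4)
		copy(f.DestIP[:], d4)
	} else if s4 == nil && d4 == nil {
		f.Format = formatIPv6
		copy(f.SrcIP[:], s.To16())
		copy(f.DestIP[:], d.To16())
	} else {
		return f, errors.New("mixed IPv4/IPv6 addresses in one flow")
	}
	return f, nil
}

// Encode serialises the record into its fixed-size binary form.
func (f compactFlow) Encode() ([]byte, error) {
	var buf bytes.Buffer
	if err := binary.Write(&buf, binary.BigEndian, f); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// DecodeCompactFlow is the inverse of Encode. It rejects buffers of the
// wrong length instead of silently reading a truncated or padded record.
func DecodeCompactFlow(b []byte) (compactFlow, error) {
	var f compactFlow
	if len(b) != compactFlowSize {
		return f, fmt.Errorf("want %d bytes, got %d", compactFlowSize, len(b))
	}
	err := binary.Read(bytes.NewReader(b), binary.BigEndian, &f)
	return f, err
}

// Proto maps the flag bits back to the protocol name.
func (f compactFlow) Proto() string {
	switch {
	case f.Flags&flagTCP != 0:
		return "TCP"
	case f.Flags&flagUDP != 0:
		return "UDP"
	}
	return "unknown"
}

// SrcAddr and DestAddr return the addresses as net.IP, sized by Format.
func (f compactFlow) SrcAddr() net.IP {
	if f.Format == formatIPv4 {
		return net.IP(f.SrcIP[:4])
	}
	return net.IP(f.SrcIP[:])
}

func (f compactFlow) DestAddr() net.IP {
	if f.Format == formatIPv4 {
		return net.IP(f.DestIP[:4])
	}
	return net.IP(f.DestIP[:])
}
```

A fixed-size record is what makes the length check in DecodeCompactFlow possible; with variable-length address fields as in FlowEvent itself, the decoder would need the Format byte to know how many address bytes to expect and should still refuse to read past the end of the buffer.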
type HTTPEvent ¶
type HTTPEvent struct {
    Hostname        string `json:"hostname"`
    URL             string `json:"url"`
    HTTPUserAgent   string `json:"http_user_agent"`
    HTTPContentType string `json:"http_content_type"`
    HTTPMethod      string `json:"http_method"`
    Protocol        string `json:"protocol"`
    Status          int    `json:"status"`
    Length          int    `json:"length"`
}
HTTPEvent is an HTTP sub-object of an EVE entry.
type SuriTime ¶ added in v1.0.9
SuriTime is a timestamp that marshals to and from Suricata's EVE timestamp string format (see SuricataTimestampFormat).
func (*SuriTime) MarshalJSON ¶ added in v1.0.9
MarshalJSON converts a SuriTime struct into a JSON byte slice.
func (*SuriTime) UnmarshalJSON ¶ added in v1.0.9
UnmarshalJSON converts a JSON byte slice into a SuriTime struct.
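The example below is added here and is not this package's code. It covers both the SuricataTimestampFormat constant and the SuriTime marshalling described above: a `suriTime` stand-in (assumed to wrap a time.Time, since the page shows only the doc comment and not the declaration) that parses EVE timestamps with that layout, rejects timestamps that are not strings in that layout, and shows one normalisation the layout performs on output. The eve.json line is constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Same layout as the SuricataTimestampFormat constant on this page.
const suricataTimestampFormat = "2006-01-02T15:04:05.999999-0700"

// Constructed sample (not real Suricata output).
const sampleFlowLine = `{"timestamp":"2023-11-14T22:13:20.123456+0100","event_type":"flow","flow_id":42}`

// suriTime is a stand-in for SuriTime. Assumption: the real type wraps a
// time.Time; the page shows only its doc comment, not its declaration.
type suriTime struct{ time.Time }

// MarshalJSON renders the wrapped time in Suricata's format. Note the value
// receiver: encoding/json only reaches a pointer-receiver MarshalJSON when
// the value is addressable, which is one reason to store *SuriTime in structs.
func (t suriTime) MarshalJSON() ([]byte, error) {
	return json.Marshal(t.Time.Format(suricataTimestampFormat))
}

// UnmarshalJSON parses the EVE timestamp string and rejects anything else
// (a bare number, a different layout) rather than silently zeroing the time.
func (t *suriTime) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err != nil {
		return fmt.Errorf("suricata timestamp must be a JSON string: %w", err)
	}
	parsed, err := time.Parse(suricataTimestampFormat, s)
	if err != nil {
		return fmt.Errorf("suricata timestamp %q: %w", s, err)
	}
	t.Time = parsed
	return nil
}

// eveHeader is the subset of EveEvent needed to pull the timestamp out.
type eveHeader struct {
	Timestamp *suriTime `json:"timestamp"`
	EventType string    `json:"event_type"`
}

// ParseEveTimestamp returns the event time of one eve.json line.
func ParseEveTimestamp(line string) (time.Time, error) {
	var h eveHeader
	if err := json.Unmarshal([]byte(line), &h); err != nil {
		return time.Time{}, err
	}
	if h.Timestamp == nil {
		return time.Time{}, fmt.Errorf("event has no timestamp")
	}
	return h.Timestamp.Time, nil
}

// ReformatTimestamp parses and re-emits a timestamp string. It exposes the
// normalisation the layout performs: ".999999" drops trailing zeros in the
// fractional seconds, so the output is not always byte-identical to the input.
func ReformatTimestamp(s string) (string, error) {
	var t suriTime
	if err := json.Unmarshal([]byte(`"`+s+`"`), &t); err != nil {
		return "", err
	}
	out, err := json.Marshal(t)
	if err != nil {
		return "", err
	}
	var back string
	if err := json.Unmarshal(out, &back); err != nil {
		return "", err
	}
	return back, nil
}

func main() {
	ts, err := ParseEveTimestamp(sampleFlowLine)
	if err != nil {
		panic(err)
	}
	fmt.Println(ts.UTC().Format(time.RFC3339Nano)) // 2023-11-14T21:13:20.123456Z
	re, _ := ReformatTimestamp("2023-11-14T22:13:20.100000+0000")
	fmt.Println(re) // 2023-11-14T22:13:20.1+0000
}
```

Suricata always writes six fractional digits, while the `.999999` layout trims trailing zeros when formatting, so a timestamp can come back shorter than it went in. Anything that deduplicates or joins events on the raw timestamp string should compare parsed times instead, or format with a `.000000` layout (zeros pad, nines trim) if byte-identical output is required.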