l9format


README

l9format

l9format is a schema declaration targeted at interoperability between network recon tools used at LeakIX.

Golang

This repository includes the Go declarations used as a library in our components.

Other languages

The l9event.json schema can be used to derive classes for your favorite language (Python, PHP, etc.).

Documentation

Index

Constants

// Severity levels, listed from most to least severe. They are untyped string
// constants so they assign directly to string fields; by naming they are the
// values expected in L9LeakEvent.Severity (confirm against the producers).
const (
	SEVERITY_CRITICAL = "critical"
	SEVERITY_HIGH     = "high"
	SEVERITY_MEDIUM   = "medium"
	SEVERITY_LOW      = "low"
	SEVERITY_INFO     = "info"
)

// Stage names. "open" and "explore" are the stages listed on
// ServicePluginInterface.GetStage, which also allows custom stages; by naming
// they are the values expected in L9LeakEvent.Stage.
const (
	STAGE_OPEN       = "open"
	STAGE_EXPLORE    = "explore"
	STAGE_EXFILTRATE = "exfiltrate"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Certificate

// Certificate describes the certificate presented by a TLS service; it is
// carried in L9SSLEvent.Certificate.
//
// Fingerprint's hash algorithm and encoding are not fixed by this
// declaration, and Valid does not say which checks (chain, hostname, expiry)
// it summarises — confirm both with the producing tool before relying on them.
type Certificate struct {
	CommonName  string    `json:"cn"`
	// Domains is serialized under the singular JSON key "domain".
	Domains     []string  `json:"domain"`
	Fingerprint string    `json:"fingerprint"`
	KeyAlgo     string    `json:"key_algo"`
	KeySize     int       `json:"key_size"`
	IssuerName  string    `json:"issuer_name"`
	NotBefore   time.Time `json:"not_before"`
	NotAfter    time.Time `json:"not_after"`
	Valid       bool      `json:"valid"`
}

type DatasetSummary

// DatasetSummary carries size counters for a discovered dataset, together
// with ransomware indicators; it is carried in L9LeakEvent.Dataset.
//
// The unit of Size is not fixed by this declaration — confirm with the
// producing tool.
type DatasetSummary struct {
	Rows        int64    `json:"rows"`
	Files       int64    `json:"files"`
	Size        int64    `json:"size"`
	Collections int64    `json:"collections"`
	Infected    bool     `json:"infected"`
	// RansomNotes holds the ransom-note texts found in the dataset (by naming;
	// confirm). They are remote-supplied text and should be escaped wherever
	// they are rendered.
	RansomNotes []string `json:"ransom_notes"`
}

type GeoLocation

// GeoLocation is the geolocation enrichment attached to an event as
// L9Event.GeoIp. The coordinates are nested under the JSON key "location".
type GeoLocation struct {
	ContinentName  string   `json:"continent_name"`
	RegionISOCode  string   `json:"region_iso_code"`
	CityName       string   `json:"city_name"`
	CountryISOCode string   `json:"country_iso_code"`
	CountryName    string   `json:"country_name"`
	RegionName     string   `json:"region_name"`
	GeoPoint       GeoPoint `json:"location"`
}

type GeoPoint

// GeoPoint is a latitude/longitude pair, serialized as {"lat": ..., "lon": ...}.
type GeoPoint struct {
	Latitude  float64 `json:"lat"`
	Longitude float64 `json:"lon"`
}

type L9Event

// L9Event is the top-level record exchanged between the recon tools. It nests
// the per-protocol sub-events (Http, SSL, SSH, Service, Leak) and the
// enrichment data (GeoIp, Network).
//
// No field carries omitempty, so every nested struct is serialized even when
// it is zero-valued; consumers must not take the presence of "ssl", "leak",
// etc. in the JSON as a sign that the corresponding detection ran.
//
// Service.Credentials may hold secrets (see ServiceCredentials); anything
// that stores, forwards or logs a marshalled L9Event handles them in clear.
type L9Event struct {
	EventType        string         `json:"event_type"`
	EventSource      string         `json:"event_source"`
	// EventPipeline is presumably the list of tools the event passed through
	// (see AddSource/HasSource) — confirm against their implementation.
	EventPipeline    []string       `json:"event_pipeline"`
	// EventFingerprint is maintained by UpdateFingerprint; how it is derived is
	// not visible in this declaration.
	EventFingerprint string         `json:"event_fingerprint"`
	Ip               string         `json:"ip"`
	Host             string         `json:"host"`
	Reverse          string         `json:"reverse"`
	// Port is kept as a string, not an integer.
	Port             string         `json:"port"`
	Mac              string         `json:"mac"`
	Vendor           string         `json:"vendor"`
	// Transports is serialized under the singular JSON key "transport"; see
	// HasTransport/RemoveTransport.
	Transports       []string       `json:"transport"`
	Protocol         string         `json:"protocol"`
	Http             L9HttpEvent    `json:"http"`
	Summary          string         `json:"summary"`
	Time             time.Time      `json:"time"`
	SSL              L9SSLEvent     `json:"ssl"`
	SSH              L9SSHEvent     `json:"ssh"`
	Service          L9ServiceEvent `json:"service"`
	Leak             L9LeakEvent    `json:"leak"`
	// Tags is manipulated through AddTag/HasTag.
	Tags             []string       `json:"tags"`
	GeoIp            GeoLocation    `json:"geoip"`
	Network          Network        `json:"network"`
}

func (*L9Event) AddSource

func (event *L9Event) AddSource(source string)

func (*L9Event) AddTag

func (event *L9Event) AddTag(tag string)

func (*L9Event) HasSource

func (event *L9Event) HasSource(source string) bool

func (*L9Event) HasTag

func (event *L9Event) HasTag(tag string) bool

func (*L9Event) HasTransport

func (event *L9Event) HasTransport(transport string) bool

func (*L9Event) MatchServicePlugin

func (event *L9Event) MatchServicePlugin(plugin ServicePluginInterface) bool

func (*L9Event) RemoveTransport

func (event *L9Event) RemoveTransport(transportCheck string)

func (*L9Event) UpdateFingerprint

func (event *L9Event) UpdateFingerprint() error

func (*L9Event) Url

func (event *L9Event) Url() string

type L9HttpEvent

// L9HttpEvent holds what was observed from an HTTP response; it is carried in
// L9Event.Http.
//
// Headers keeps a single value per header name, so a header that is repeated
// in the response (Set-Cookie is the usual case) cannot be fully preserved.
// It is serialized under the singular JSON key "header".
type L9HttpEvent struct {
	Root        string            `json:"root"`
	Url         string            `json:"url"`
	Status      int               `json:"status"`
	Length      int64             `json:"length"`
	Headers     map[string]string `json:"header"`
	// Title is remote-supplied text; escape it wherever it is rendered.
	Title       string            `json:"title"`
	// FaviconHash's hashing scheme is not fixed by this declaration — confirm.
	FaviconHash string            `json:"favicon_hash"`
}

type L9LeakEvent

// L9LeakEvent describes a finding; it is carried in L9Event.Leak.
//
// Stage and Severity are plain strings. The package's STAGE_* and SEVERITY_*
// constants provide the known values, but nothing in this declaration
// restricts the fields to them, so consumers should validate on input.
type L9LeakEvent struct {
	Stage    string         `json:"stage"`
	Type     string         `json:"type"`
	Severity string         `json:"severity"`
	Dataset  DatasetSummary `json:"dataset"`
}

type L9SSHEvent

// L9SSHEvent holds what was observed from an SSH service; it is carried in
// L9Event.SSH.
//
// Banner and Motd are presumably captured verbatim from the remote server
// (confirm with the producer); treat them as untrusted text when rendering.
// The encoding of Fingerprint is not fixed by this declaration.
type L9SSHEvent struct {
	Fingerprint string `json:"fingerprint"`
	Version     int    `json:"version"`
	Banner      string `json:"banner"`
	Motd        string `json:"motd"`
}

type L9SSLEvent

// L9SSLEvent holds the TLS observations for a service; it is carried in
// L9Event.SSL.
//
// The distinction between Detected and Enabled is not defined by this
// declaration — confirm with the producing tool. Note the "cypher" spelling
// in both the field name and its JSON key; consumers must match it exactly.
type L9SSLEvent struct {
	Detected    bool        `json:"detected"`
	Enabled     bool        `json:"enabled"`
	JARM        string      `json:"jarm"`
	CypherSuite string      `json:"cypher_suite"`
	Version     string      `json:"version"`
	Certificate Certificate `json:"certificate"`
}

type L9ServiceEvent

// L9ServiceEvent groups the identified software and any associated
// credentials for a service; it is carried in L9Event.Service. Credentials is
// serialized in clear — see ServiceCredentials.
type L9ServiceEvent struct {
	Credentials ServiceCredentials `json:"credentials"`
	Software    Software           `json:"software"`
}

type Network

// Network is the routing/ownership enrichment attached to an event as
// L9Event.Network.
//
// The Go field uses the British spelling OrganisationName while its JSON key
// is "organization_name"; NetworkCIDR is serialized as "network".
type Network struct {
	OrganisationName string `json:"organization_name"`
	ASN              int    `json:"asn"`
	NetworkCIDR      string `json:"network"`
}

type ServiceCredentials

// ServiceCredentials records credentials associated with a service (whether
// found or merely tested is up to the producing plugin).
//
// Every field is serialized as-is — there is no json:"-" and no omitempty —
// so a marshalled L9Event carries these secrets in clear; Raw is emitted
// base64-encoded, as encoding/json does for []byte. Any store, log or
// transport of event JSON must be treated as holding credentials.
type ServiceCredentials struct {
	NoAuth   bool   `json:"noauth"`
	Username string `json:"username"`
	Password string `json:"password"`
	Key      string `json:"key"`
	Raw      []byte `json:"raw"`
}

type ServicePluginBase

// ServicePluginBase is an empty type whose methods (DialContext,
// GetHttpClient, GetNetworkConnection, Init, IdentifyHttp, IdentifyTcp,
// GetReportTitle, GetReportDescription, ...) supply default behaviour for
// the optional parts of ServicePluginInterface. It is presumably meant to be
// embedded in concrete plugins — confirm with existing plugins.
type ServicePluginBase struct {
}

func (ServicePluginBase) DialContext

func (plugin ServicePluginBase) DialContext(ctx context.Context, network string, addr string) (conn net.Conn, err error)

func (ServicePluginBase) GetHttpClient

func (plugin ServicePluginBase) GetHttpClient(ctx context.Context, ip string, port string) *http.Client

func (ServicePluginBase) GetL9NetworkConnection

func (plugin ServicePluginBase) GetL9NetworkConnection(event *L9Event) (conn net.Conn, err error)

func (ServicePluginBase) GetNetworkConnection

func (plugin ServicePluginBase) GetNetworkConnection(network string, addr string) (conn net.Conn, err error)

func (ServicePluginBase) GetReportDescription

func (plugin ServicePluginBase) GetReportDescription(event *L9Event) string

func (ServicePluginBase) GetReportTitle

func (plugin ServicePluginBase) GetReportTitle(event *L9Event) string

func (ServicePluginBase) IdentifyHttp

func (plugin ServicePluginBase) IdentifyHttp(_ *L9Event, _ string, _ *goquery.Document) bool

func (ServicePluginBase) IdentifyTcp

func (plugin ServicePluginBase) IdentifyTcp(_ *L9Event, _ []byte, _ []string) bool

func (ServicePluginBase) Init

func (plugin ServicePluginBase) Init() error

type ServicePluginInterface

// ServicePluginInterface is implemented by plugins that probe a network
// service for a given L9Event. The methods marked optional have default
// implementations on ServicePluginBase.
type ServicePluginInterface interface {
	// GetVersion returns plugin version
	GetVersion() (int, int, int)
	// GetProtocols returns the protocol supported by the plugin
	GetProtocols() []string
	// GetName returns the plugin unique name
	GetName() string
	// GetStage returns the stage for the plugin :
	// - open
	// - explore
	// - .... (custom stages)
	GetStage() string
	// Run runs the plugin against the remote service
	// described by event. options are free-form settings for the plugin;
	// the return value reports whether a leak was found.
	Run(ctx context.Context, event *L9Event, options map[string]string) (hasLeak bool)
	// Init called once when loading plugins : optional
	Init() error
	// IdentifyHttp Used to check tcpid payloads and identify the software : optional
	// NOTE(review): the wording mirrors IdentifyTcp, but the arguments are an
	// HTTP body and its parsed document — confirm the intended scope.
	IdentifyHttp(event *L9Event, body string, document *goquery.Document) bool
	// IdentifyTcp Used to check tcpid payloads and identify the software : optional
	IdentifyTcp(event *L9Event, bannerBytes []byte, bannerPrintables []string) bool
	// GetReportTitle gets a descriptive title based on event for report title
	GetReportTitle(event *L9Event) string
	// GetReportDescription gets a description based on event for report description. Markdown supported
	// Event-derived text placed in it (banners, titles, ransom notes) is
	// remote-supplied and must be escaped for the Markdown renderer.
	GetReportDescription(event *L9Event) string
}

type Software

// Software identifies the product running on a service; it is carried in
// L9ServiceEvent.Software. OperatingSystem is serialized as "os".
type Software struct {
	Name            string           `json:"name"`
	Version         string           `json:"version"`
	OperatingSystem string           `json:"os"`
	Modules         []SoftwareModule `json:"modules"`
	Fingerprint     string           `json:"fingerprint"`
}

type SoftwareModule

// SoftwareModule is a component (module, extension, plugin) of a Software
// entry, listed in Software.Modules.
type SoftwareModule struct {
	Name        string `json:"name"`
	Version     string `json:"version"`
	Fingerprint string `json:"fingerprint"`
}

type WebPluginInterface

// WebPluginInterface is implemented by plugins that work from pre-built HTTP
// requests: GetRequests declares what to send and Verify inspects each
// response. Unlike ServicePluginInterface, no base type with default
// implementations is visible in this package.
type WebPluginInterface interface {
	// GetVersion returns the plugin version as three integers (presumably
	// major, minor, patch — confirm).
	GetVersion() (int, int, int)
	// GetRequests returns the requests the plugin wants sent.
	GetRequests() []WebPluginRequest
	// GetName returns the plugin unique name.
	GetName() string
	// GetStage returns the stage for the plugin; see
	// ServicePluginInterface.GetStage for the known values.
	GetStage() string
	// Verify inspects response (obtained for request) and reports whether a
	// leak was found. options are free-form settings, as for
	// ServicePluginInterface.Run.
	Verify(request WebPluginRequest, response WebPluginResponse, event *L9Event, options map[string]string) (hasLeak bool)
	// IdentifyHttp Used to check tcpid payloads and identify the software : optional
	// NOTE(review): the wording mirrors IdentifyTcp on ServicePluginInterface,
	// but the arguments are an HTTP body and its parsed document — confirm.
	IdentifyHttp(event *L9Event, body string, document *goquery.Document) bool
	// GetReportTitle gets a descriptive title based on event for report title
	GetReportTitle(event *L9Event) string
	// GetReportDescription gets a description based on event for report description. Markdown supported
	// Event-derived text placed in it is remote-supplied and must be escaped
	// for the Markdown renderer.
	GetReportDescription(event *L9Event) string
}

type WebPluginRequest

// WebPluginRequest describes one HTTP request a web plugin wants sent. The
// exported fields have no json tags, so they marshal under their Go names.
//
// Tags is managed through AddTag/AddTags/HasTag/HasAnyTags; Equal/EqualAny
// and GetHash compare and identify requests, though which fields they take
// into account is not visible here.
type WebPluginRequest struct {
	Method  string
	Path    string
	Headers map[string]string
	Body    []byte

	Tags []string
	// contains filtered or unexported fields
}

func (*WebPluginRequest) AddTag

func (request *WebPluginRequest) AddTag(tag string)

func (*WebPluginRequest) AddTags

func (request *WebPluginRequest) AddTags(tags []string)

func (*WebPluginRequest) Equal

func (request *WebPluginRequest) Equal(testRequest WebPluginRequest) bool

func (*WebPluginRequest) EqualAny

func (request *WebPluginRequest) EqualAny(testRequests []WebPluginRequest) bool

func (*WebPluginRequest) GetHash

func (request *WebPluginRequest) GetHash() string

func (*WebPluginRequest) HasAnyTags

func (request *WebPluginRequest) HasAnyTags(tags []string) bool

func (*WebPluginRequest) HasTag

func (request *WebPluginRequest) HasTag(tag string) bool

type WebPluginResponse

// WebPluginResponse bundles an HTTP response for WebPluginInterface.Verify.
// Body is presumably the already-read response body and Document its parsed
// form (confirm with the producer); do not assume Response.Body is still
// readable. GetHash identifies the response, by a scheme not visible here.
type WebPluginResponse struct {
	Response *http.Response
	Body     []byte
	Document *goquery.Document
}

func (*WebPluginResponse) GetHash

func (resp *WebPluginResponse) GetHash() string

Directories

Path Synopsis
cmd
