config

package


Constants

const (
	// Numeric scores associated with the four non-critical impact categories.
	// They are untyped float constants; GetScoreFromImpactCategory hands them
	// back as float32. The ALL_CAPS names are non-idiomatic Go but are exported
	// and therefore part of the package API.
	NONE_CATEGORY_SCORE   = 0.2
	LOW_CATEGORY_SCORE    = 0.4
	MEDIUM_CATEGORY_SCORE = 0.6
	HIGH_CATEGORY_SCORE   = 0.8

	// Named ImpactCategory values. CriticalThreat is intentionally not accepted
	// by ValidateImpactCategory: a score is only critical when modifiers push it
	// above the high category, so a user cannot request it directly in the config.
	CriticalThreat ImpactCategory = "critical"
	HighThreat     ImpactCategory = "high"
	MediumThreat   ImpactCategory = "medium"
	LowThreat      ImpactCategory = "low"
	NoneThreat     ImpactCategory = "none"
)
// DefaultConfigPath is the default location of the HJSON config file.
// The path is relative, so it resolves against the process's working
// directory rather than the binary's location.
const DefaultConfigPath = "./config.hjson"

Variables

// Version is the package-level version string of the build.
// NOTE(review): nothing on this page shows where it is assigned — presumably
// injected at build time (e.g. via -ldflags) — confirm; it is empty otherwise.
var Version string

Functions

func GetMandatoryNeverIncludeSubnets added in v5.0.5

func GetMandatoryNeverIncludeSubnets() []string

func GetScoreFromImpactCategory

func GetScoreFromImpactCategory(category ImpactCategory) (float32, error)

func ValidateImpactCategory

func ValidateImpactCategory(value ImpactCategory) error

ValidateImpactCategory checks if the provided string is a valid impact value. This function is meant to parse the category from the value a user places in the config. Since a score is only critical if its modifiers boost the score over the high category, we do not add the CriticalThreat category here.

Types

type Beacon

// Beacon holds the tunable parameters for beacon scoring: the weights of the
// individual score components, the duration and histogram settings, and the
// graduated ScoreThresholds. The json tags give the keys used in the config file.
type Beacon struct {
	UniqueConnectionThreshold       int64           `json:"unique_connection_threshold"`
	// Weights of the timestamp, data-size, duration and histogram components.
	// NOTE(review): nothing here constrains them to sum to 1 or to be
	// non-negative — confirm Config.Validate checks the ranges.
	TsWeight                        float64         `json:"timestamp_score_weight"`
	DsWeight                        float64         `json:"datasize_score_weight"`
	DurWeight                       float64         `json:"duration_score_weight"`
	HistWeight                      float64         `json:"histogram_score_weight"`
	DurMinHours                     int             `json:"duration_min_hours_seen"`
	DurIdealNumberOfConsistentHours int             `json:"duration_consistency_ideal_hours_seen"`
	HistModeSensitivity             float64         `json:"histogram_mode_sensitivity"`
	HistBimodalOutlierRemoval       int             `json:"histogram_bimodal_outlier_removal"`
	HistBimodalMinHours             int             `json:"histogram_bimodal_min_hours_seen"`
	// Graduated thresholds used to bucket the final beacon score.
	ScoreThresholds                 ScoreThresholds `json:"score_thresholds"`
}

type Config

// Config is the top-level application configuration. It is decoded from the
// HJSON config file (see DefaultConfigPath) by Config.UnmarshalJSON, starts
// from the values of GetDefaultConfig, and is checked by Config.Validate.
type Config struct {
	// DBConnection is not meant to come from the config file; it is set from
	// the .env file. NOTE(review): it carries no `json:"-"` tag, so a plain
	// encoding/json decode would still match a "DBConnection" key — confirm
	// UnmarshalJSON does not let the config file override it. The value likely
	// holds credentials, so keep it out of logs and error messages.
	DBConnection       string // set by .env file
	UpdateCheckEnabled bool   `json:"update_check_enabled"`
	// Filter holds the include/exclude lists applied during import.
	Filter             Filter `json:"filtering"`

	// HTTPExtensionsFilePath is a user-supplied path read by the application.
	// NOTE(review): confirm Validate checks that it points where expected.
	HTTPExtensionsFilePath string `json:"http_extensions_file_path"`

	// writer
	BatchSize             int `json:"batch_size"`
	MaxQueryExecutionTime int `json:"max_query_execution_time"`

	// historical first seen
	MonthsToKeepHistoricalFirstSeen int `json:"months_to_keep_historical_first_seen"`

	// Scoring groups the per-indicator scoring parameters.
	Scoring Scoring `json:"scoring"`

	// Modifiers are the score adjustments applied on top of the base scoring.
	Modifiers Modifiers `json:"modifiers"`

	// ThreatIntel configures the online and local threat-intelligence feeds.
	ThreatIntel ThreatIntel `json:"threat_intel"`
}

func GetDefaultConfig added in v5.0.5

func GetDefaultConfig() (Config, error)

GetDefaultConfig returns a Config object populated with default values.

func ReadFileConfig

func ReadFileConfig(afs afero.Fs, path string) (*Config, error)

ReadFileConfig attempts to read the config file at the specified path and returns a Config object, falling back to the default config if the file could not be read.

func (*Config) ResetConfig

func (cfg *Config) ResetConfig() error

ResetConfig resets the config values to their defaults.

func (*Config) UnmarshalJSON added in v5.0.6

func (c *Config) UnmarshalJSON(bytes []byte) error

UnmarshalJSON unmarshals the JSON bytes into the config struct. It overrides the default unmarshalling method to allow for custom parsing.

func (*Config) Validate

func (cfg *Config) Validate() error

type Filter

// Filter holds the user-configured include/exclude lists used by the Filter*
// methods during import. Each *SubnetsJSON slice carries the raw CIDR strings
// from the config file; the matching []*net.IPNet slice is the parsed form
// (presumably populated during Config.UnmarshalJSON or Validate — confirm).
type Filter struct {
	InternalSubnetsJSON []string `json:"internal_subnets"`
	// NOTE(review): the parsed fields below have no json tag, so encoding/json
	// would still match them under their Go names ("InternalSubnets", ...). Tag
	// them `json:"-"` if the config file must not be able to set parsed values
	// directly and bypass the CIDR parsing.
	InternalSubnets     []*net.IPNet

	AlwaysIncludedSubnetsJSON []string `json:"always_included_subnets"`
	AlwaysIncludedSubnets     []*net.IPNet

	NeverIncludedSubnetsJSON []string `json:"never_included_subnets"`
	NeverIncludedSubnets     []*net.IPNet

	// Domain allow/deny lists consulted by FilterDomain; always-included wins.
	AlwaysIncludedDomains []string `json:"always_included_domains"`
	NeverIncludedDomains  []string `json:"never_included_domains"`

	// FilterExternalToInternal, when set, additionally filters pairs whose
	// source is external and destination internal (rule 5 of FilterConnPair
	// and FilterDNSPair).
	FilterExternalToInternal bool `json:"filter_external_to_internal"`
}

Filter provides methods for excluding IP addresses and domains, and for determining proxy servers, during the import step based on the user configuration.

func (*Filter) CheckIfInternal

func (fs *Filter) CheckIfInternal(host net.IP) bool

func (*Filter) FilterConnPair

func (fs *Filter) FilterConnPair(srcIP net.IP, dstIP net.IP) bool

FilterConnPair returns true if a connection pair is filtered/excluded. This is determined by the following rules, in order:

  1. Not filtered if either IP is on the AlwaysInclude list
  2. Filtered if either IP is on the NeverInclude list
  3. Not filtered if InternalSubnets is empty
  4. Filtered if both IPs are internal or both are external
  5. Filtered if the source IP is external and the destination IP is internal and FilterExternalToInternal has been set in the configuration file
  6. Not filtered in all other cases

func (*Filter) FilterConnPairForHTTP

func (fs *Filter) FilterConnPairForHTTP(srcIP net.IP, dstIP net.IP) bool

FilterConnPairForHTTP returns true if a connection pair is filtered based on criteria that should apply regardless of whether or not there is a proxy connection for it.

func (*Filter) FilterDNSPair

func (fs *Filter) FilterDNSPair(srcIP net.IP, dstIP net.IP) bool

FilterDNSPair returns true if a DNS connection pair is filtered/excluded. DNS is treated specially because internal -> internal DNS traffic must be captured in order to detect C2 over DNS through an internal resolver. This is determined by the following rules, in order:

  1. Not filtered if either IP is on the AlwaysInclude list
  2. Filtered if either IP is on the NeverInclude list
  3. Not filtered if InternalSubnets is empty
  4. Filtered if both IPs are external (this is different from filterConnPair which filters internal to internal connections)
  5. Filtered if the source IP is external and the destination IP is internal and FilterExternalToInternal has been set in the configuration file
  6. Not filtered in all other cases

func (*Filter) FilterDomain

func (fs *Filter) FilterDomain(domain string) bool

FilterDomain returns true if a domain is filtered/excluded. This is determined by the following rules, in order:

  1. Not filtered if domain is on the AlwaysInclude list
  2. Filtered if domain is on the NeverInclude list
  3. Not filtered in all other cases

func (*Filter) FilterSNIPair

func (fs *Filter) FilterSNIPair(srcIP net.IP) bool

FilterSNIPair returns true if an SNI connection pair is filtered/excluded.

func (*Filter) FilterSingleIP

func (fs *Filter) FilterSingleIP(ip net.IP) bool

FilterSingleIP returns true if an IP is filtered/excluded. This is determined by the following rules, in order:

  1. Not filtered if the IP is on the AlwaysInclude list
  2. Filtered if the IP is on the NeverInclude list
  3. Not filtered in all other cases

type ImpactCategory

// ImpactCategory is the named severity bucket ("none" through "critical")
// assigned to a score. See the *Threat constants for the valid values, and
// GetImpactCategoryFromScore / GetScoreFromImpactCategory for the mapping
// between scores and categories.
type ImpactCategory string

func GetImpactCategoryFromScore

func GetImpactCategoryFromScore(score float32) ImpactCategory

type Modifiers

// Modifiers holds the score adjustments applied on top of the base indicator
// scores. By naming, the *ScoreIncrease / *ScoreDecrease fields are the
// adjustment amounts and the *Threshold fields are the trigger points at which
// they apply — confirm against the scoring code, which is not on this page.
type Modifiers struct {
	ThreatIntelScoreIncrease     float32 `json:"threat_intel_score_increase"`
	ThreatIntelDataSizeThreshold int64   `json:"threat_intel_datasize_threshold"`

	PrevalenceScoreIncrease     float32 `json:"prevalence_score_increase"`
	PrevalenceIncreaseThreshold float32 `json:"prevalence_increase_threshold"`
	PrevalenceScoreDecrease     float32 `json:"prevalence_score_decrease"`
	PrevalenceDecreaseThreshold float32 `json:"prevalence_decrease_threshold"`

	FirstSeenScoreIncrease     float32 `json:"first_seen_score_increase"`
	FirstSeenIncreaseThreshold float32 `json:"first_seen_increase_threshold"`
	FirstSeenScoreDecrease     float32 `json:"first_seen_score_decrease"`
	FirstSeenDecreaseThreshold float32 `json:"first_seen_decrease_threshold"`

	MissingHostCountScoreIncrease float32 `json:"missing_host_count_score_increase"`

	RareSignatureScoreIncrease float32 `json:"rare_signature_score_increase"`

	C2OverDNSDirectConnScoreIncrease float32 `json:"c2_over_dns_direct_conn_score_increase"`

	MIMETypeMismatchScoreIncrease float32 `json:"mime_type_mismatch_score_increase"`
}

type ScoreImpact

// ScoreImpact expresses, for a binary indicator, how much a true outcome
// affects the overall score. Only Category comes from the config file.
type ScoreImpact struct {
	Category ImpactCategory `json:"category"`
	// Score is the numeric form of Category (presumably derived via
	// GetScoreFromImpactCategory — confirm). NOTE(review): without a
	// `json:"-"` tag encoding/json would still accept a "Score" key, letting a
	// config file set the number directly instead of going through Category.
	Score    float32
}

ScoreImpact is used for indicators that have a binary outcome but still need to express the impact of being true on the overall score.

type ScoreThresholds

// ScoreThresholds defines the cut-offs for a graduated indicator: a measured
// value is bucketed as Base, Low, Med or High according to which threshold it
// crosses. Units are those of the indicator being thresholded.
// NOTE(review): nothing here enforces Base < Low < Med < High — confirm
// Config.Validate rejects misordered thresholds.
type ScoreThresholds struct {
	Base int `json:"base"`
	Low  int `json:"low"`
	Med  int `json:"medium"`
	High int `json:"high"`
}

ScoreThresholds is used for indicators that have prorated (graduated) values rather than binary outcomes. This allows the severity of an indicator to be defined by categorizing it into one of several buckets (Base, Low, Med, High), each representing a range of values.

type Scoring

// Scoring groups the per-indicator scoring configuration: the beacon
// parameters, the graduated thresholds for long connections and C2, and the
// binary impacts for strobes and threat-intel hits.
type Scoring struct {
	Beacon Beacon `json:"beacon"`

	LongConnectionScoreThresholds ScoreThresholds `json:"long_connection_score_thresholds"`

	C2ScoreThresholds ScoreThresholds `json:"c2_score_thresholds"`

	StrobeImpact ScoreImpact `json:"strobe_impact"`

	ThreatIntelImpact ScoreImpact `json:"threat_intel_impact"`
}

type ThreatIntel

// ThreatIntel configures where threat-intelligence feeds are loaded from.
type ThreatIntel struct {
	// OnlineFeeds lists remote feed locations (presumably URLs fetched at
	// runtime — confirm, and confirm Validate restricts scheme/host as intended).
	OnlineFeeds          []string `json:"online_feeds"`
	// CustomFeedsDirectory is a local directory of user-supplied feed files.
	CustomFeedsDirectory string   `json:"custom_feeds_directory"`
}
