analyzer

Documentation

Index

• type Analyzer
• type CombinedPropMap
  • func (cm CombinedPropMap) Get(an string, key string) interface{}
• type Logger
• type PropMap
  • func (m PropMap) Get(key string) interface{}
• type PropUpdate
• type PropUpdateType
• type TCPAnalyzer
• type TCPInfo
• type TCPStream
• type UDPAnalyzer
• type UDPInfo
• type UDPStream

Types

type Analyzer

type Analyzer interface {
	// Name returns the name of the analyzer.
	Name() string
	// Limit returns the byte limit for this analyzer.
	// For example, an analyzer can return 1000 to indicate that it only ever needs
	// the first 1000 bytes of a stream to do its job. If the stream is still not
	// done after 1000 bytes, the engine will stop feeding it data and close it.
	// An analyzer can return 0 or a negative number to indicate that it does not
	// have a hard limit.
	// Note: for UDP streams, the engine always feeds entire packets, even if
	// the packet is larger than the remaining quota or the limit itself.
	Limit() int
}

type CombinedPropMap

type CombinedPropMap map[string]PropMap

func (CombinedPropMap) Get

func (cm CombinedPropMap) Get(an string, key string) interface{}

Get returns the value of the property with the given analyzer & key. The key can be a nested key, e.g. "foo.bar.baz". Returns nil if the key does not exist.

type Logger

type Logger interface {
	Debugf(format string, args ...interface{})
	Infof(format string, args ...interface{})
	Errorf(format string, args ...interface{})
}

type PropMap

type PropMap map[string]interface{}

func (PropMap) Get

func (m PropMap) Get(key string) interface{}

Get returns the value of the property with the given key. The key can be a nested key, e.g. "foo.bar.baz". Returns nil if the key does not exist.

type PropUpdate

type PropUpdate struct {
	Type PropUpdateType
	M    PropMap
}

type PropUpdateType

type PropUpdateType int

const (
	PropUpdateNone PropUpdateType = iota
	PropUpdateMerge
	PropUpdateReplace
	PropUpdateDelete
)

type TCPAnalyzer

type TCPAnalyzer interface {
	Analyzer
	// NewTCP returns a new TCPStream.
	NewTCP(TCPInfo, Logger) TCPStream
}

type TCPInfo

type TCPInfo struct {
	// SrcIP is the source IP address.
	SrcIP net.IP
	// DstIP is the destination IP address.
	DstIP net.IP
	// SrcPort is the source port.
	SrcPort uint16
	// DstPort is the destination port.
	DstPort uint16
}

type TCPStream

type TCPStream interface {
	// Feed feeds a chunk of reassembled data to the stream.
	// It returns a prop update containing the information extracted from the stream (can be nil),
	// and whether the analyzer is "done" with this stream (i.e. no more data should be fed).
	Feed(rev, start, end bool, skip int, data []byte) (u *PropUpdate, done bool)
	// Close indicates that the stream is closed.
	// Either the connection is closed, or the stream has reached its byte limit.
	// Like Feed, it optionally returns a prop update.
	Close(limited bool) *PropUpdate
}

type UDPAnalyzer

type UDPAnalyzer interface {
	Analyzer
	// NewUDP returns a new UDPStream.
	NewUDP(UDPInfo, Logger) UDPStream
}

type UDPInfo

type UDPInfo struct {
	// SrcIP is the source IP address.
	SrcIP net.IP
	// DstIP is the destination IP address.
	DstIP net.IP
	// SrcPort is the source port.
	SrcPort uint16
	// DstPort is the destination port.
	DstPort uint16
}

type UDPStream

type UDPStream interface {
	// Feed feeds a new packet to the stream.
	// It returns a prop update containing the information extracted from the stream (can be nil),
	// and whether the analyzer is "done" with this stream (i.e. no more data should be fed).
	Feed(rev bool, data []byte) (u *PropUpdate, done bool)
	// Close indicates that the stream is closed.
	// Either the connection is closed, or the stream has reached its byte limit.
	// Like Feed, it optionally returns a prop update.
	Close(limited bool) *PropUpdate
}