Documentation ¶
Index ¶
- Constants
- Variables
- func Addr2Ints(anyIP string) (int, int64, int64, int64, int64, error)
- func BoolPtr(b bool) *bool
- func CatchPanic(component string)
- func Clone(a, b interface{}) error
- func ConfigureLogger(clog *log.Logger) error
- func CopyFile(sourceSymLink, destinationFile string) (err error)
- func GetData(data []*DataSource, dataDir string) error
- func GetLineCountForFile(filepath string) int
- func GetOrigins() []string
- func IP2Ints(pip net.IP) (int, int64, int64, error)
- func InSlice(str string, slice []string) bool
- func Int32Ptr(i int32) *int32
- func IntPtr(i int) *int
- func LastAddress(n net.IPNet) net.IP
- func ParseDuration(d string) (time.Duration, error)
- func Range2Ints(network net.IPNet) (int, int64, int64, int64, int64, error)
- func SetDefaultLoggerConfig(cfgMode string, cfgFolder string, cfgLevel log.Level, maxSize int, ...) error
- func StrPtr(s string) *string
- func StripAnsiString(str string) string
- func UtcNow() time.Time
- func WriteStackTrace(iErr interface{}) string
- type DataCapture
- type DataSet
- type DataSource
- type Event
- type ExtraField
- type GrokPattern
- type Line
- type Profile
- type RemediationProfile
- type RuntimeAlert
- type ScopeType
Constants ¶
// Leaky-bucket modes; an Event's ExpectMode carries one of them.
const (
	LIVE        = 0
	TIMEMACHINE = 1
)
A leaky bucket can run in mode LIVE or TIMEMACHINE.
// Event kinds; an Event's Type carries one of them.
const (
	LOG   = 0
	OVFLW = 1
)
// Undefined is the empty scope name.
const Undefined = ""

// Named scopes — presumably the values a ScopeType can take; confirm against
// its definition.
const (
	Ip      = "Ip"
	Range   = "Range"
	Filter  = "Filter"
	Country = "Country"
	AS      = "AS"
)
TODO: move into leakybuckets.
// Authentication type identifiers.
const (
	ApiKeyAuthType   = "api-key"
	PasswordAuthType = "password"
	TlsAuthType      = "tls"
)

// Base URLs of the central API (CAPI) and of PAPI. Both are HTTPS endpoints.
const (
	CAPIBaseURL = "https://api.crowdsec.net/"
	PAPIBaseURL = "https://papi.api.crowdsec.net/"
)

// PAPI version and route fragments — presumably joined onto PAPIBaseURL by the
// client; confirm.
const (
	PAPIVersion        = "v1"
	PAPIPermissionsUrl = "/permissions"
	PAPIPollUrl        = "/decisions/stream/poll"
)

// Origin identifiers recorded on decisions; GetOrigins presumably returns this
// set — confirm.
const (
	CAPIOrigin        = "CAPI"
	ConsoleOrigin     = "console"
	CrowdSecOrigin    = "crowdsec"
	CscliImportOrigin = "cscli-import"
	CscliOrigin       = "cscli"
	ListOrigin        = "lists"
)

// DecisionTypeBan is the decision type for a ban.
const DecisionTypeBan = "ban"
Variables ¶
// LogOutput is the package-level log sink: a rotating lumberjack logger used
// as an io.Writer. It is nil until a logger configuration function assigns it
// — NOTE(review): presumably SetDefaultLoggerConfig; confirm.
var LogOutput *lumberjack.Logger // io.Writer
Functions ¶
func CatchPanic ¶
func CatchPanic(component string)
CatchPanic is a utility function that should be called from all goroutines to ensure proper stack-trace handling.
func ConfigureLogger ¶
func GetData ¶
func GetData(data []*DataSource, dataDir string) error
func GetLineCountForFile ¶
func GetOrigins ¶
func GetOrigins() []string
func Range2Ints ¶
Returns: size (16|4), nw_start, suffix_start, nw_end, suffix_end, error.
func SetDefaultLoggerConfig ¶
func StripAnsiString ¶
func WriteStackTrace ¶
func WriteStackTrace(iErr interface{}) string
Types ¶
type DataCapture ¶
// DataCapture is the configuration of a data capture. The yaml-tagged fields
// are read from configuration; the `yaml:"-"` fields are their runtime form
// and are never (de)serialized.
type DataCapture struct {
	Name string `yaml:"name,omitempty"`
	// Key and Value are expressions as written in configuration;
	// KeyExpression and ValueExpression are their compiled forms —
	// presumably produced at load time, confirm against the loader.
	Key             string      `yaml:"key,omitempty"`
	KeyExpression   *vm.Program `yaml:"-"`
	Value           string      `yaml:"value,omitempty"`
	ValueExpression *vm.Program `yaml:"-"`
	// TTL is the textual duration; TTLVal presumably its parsed value
	// (see ParseDuration) — confirm.
	TTL    string        `yaml:"ttl,omitempty"`
	TTLVal time.Duration `yaml:"-"`
	// MaxMapSize is read from the "size" yaml key. Strategy is a policy name
	// chosen in configuration; its accepted values are not visible here.
	MaxMapSize int    `yaml:"size,omitempty"`
	Strategy   string `yaml:"strategy,omitempty"`
}
type DataSet ¶
// DataSet is the top-level shape of a data file: a list of DataSource entries
// under the "data" key (see GetData, which takes such a list).
type DataSet struct {
	Data []*DataSource `yaml:"data,omitempty"`
}
type DataSource ¶
type Event ¶
// Event is the runtime representation of an item flowing through the pipeline:
// a log (Type == LOG) or a bucket overflow (Type == OVFLW). Parsed, Enriched
// and Unmarshaled hold the outputs of the successive processing steps; Meta is
// the only part that is sent to the API.
type Event struct {
	/* is it a log or an overflow */
	Type int `yaml:"Type,omitempty" json:"Type,omitempty"` // can be types.LOG (0) or types.OVFLW (1)
	// how buckets should handle the event: types.TIMEMACHINE or types.LIVE
	ExpectMode  int  `yaml:"ExpectMode,omitempty" json:"ExpectMode,omitempty"`
	Whitelisted bool `yaml:"Whitelisted,omitempty" json:"Whitelisted,omitempty"`
	// note the json key is snake_case ("whitelist_reason"), unlike the other fields
	WhitelistReason string `yaml:"WhitelistReason,omitempty" json:"whitelist_reason,omitempty"` // should add whitelist reason ?
	/* the current stage of the line being parsed */
	Stage string `yaml:"Stage,omitempty" json:"Stage,omitempty"`
	/* original line (produced by acquisition) */
	Line Line `yaml:"Line,omitempty" json:"Line,omitempty"`
	/* output of groks */
	Parsed map[string]string `yaml:"Parsed,omitempty" json:"Parsed,omitempty"`
	/* output of enrichment */
	Enriched map[string]string `yaml:"Enriched,omitempty" json:"Enriched,omitempty"`
	/* output of Unmarshal */
	Unmarshaled map[string]interface{} `yaml:"Unmarshaled,omitempty" json:"Unmarshaled,omitempty"`
	/* Overflow; note the json key is "Alert", not "Overflow" */
	Overflow RuntimeAlert `yaml:"Overflow,omitempty" json:"Alert,omitempty"`
	// Time is the parsed time. StrTime/StrTimeFormat are presumably its
	// textual source and layout, and MarshaledTime its serialized form —
	// confirm against the code that sets them.
	Time          time.Time `yaml:"Time,omitempty" json:"Time,omitempty"`
	StrTime       string    `yaml:"StrTime,omitempty" json:"StrTime,omitempty"`
	StrTimeFormat string    `yaml:"StrTimeFormat,omitempty" json:"StrTimeFormat,omitempty"`
	MarshaledTime string    `yaml:"MarshaledTime,omitempty" json:"MarshaledTime,omitempty"`
	// can be set to false to avoid processing the line
	Process bool `yaml:"Process,omitempty" json:"Process,omitempty"`
	/* Meta is the only part that will make it to the API - it should be normalized */
	Meta map[string]string `yaml:"Meta,omitempty" json:"Meta,omitempty"`
}
Event is the structure representing a runtime event (log or overflow).
type ExtraField ¶
// ExtraField describes a static: a target (named by TargetByName, or a key in
// the Parsed, Meta or Enriched map of an Event) and a source (a literal Value,
// an ExpValue expression, or an enrichment Method).
type ExtraField struct {
	// if the target is indicated by name Struct.Field etc,
	TargetByName string `yaml:"target,omitempty"`
	// if the target field is in Event map
	Parsed string `yaml:"parsed,omitempty"`
	// if the target field is in Meta map
	Meta string `yaml:"meta,omitempty"`
	// if the target field is in Enriched map
	Enriched string `yaml:"enriched,omitempty"`
	// the source is a static value
	Value string `yaml:"value,omitempty"`
	// or the result of an Expression
	ExpValue string `yaml:"expression,omitempty"`
	// the actual compiled filter (compiled form of ExpValue)
	// NOTE(review): carries only a json:"-" tag, unlike the yaml-tagged fields
	// around it; confirm the yaml loader ignores it.
	RunTimeValue *vm.Program `json:"-"`
	// or an enrichment method
	Method string `yaml:"method,omitempty"`
}
ExtraField is used mostly for statics.
type GrokPattern ¶
// GrokPattern describes one grok/regexp application: the pattern, chosen by
// name (RegexpName) or written inline (RegexpValue), is applied to TargetField
// or, when ExpValue is set, to that expression's output; Statics apply when
// the pattern matches.
type GrokPattern struct {
	// the field to which regexp is going to apply
	TargetField string `yaml:"apply_on,omitempty"`
	// the grok/regexp by name (loaded from patterns/*)
	RegexpName string `yaml:"name,omitempty"`
	// a proper grok pattern
	RegexpValue string `yaml:"pattern,omitempty"`
	// the runtime form of regexpname / regexpvalue
	RunTimeRegexp grokky.Pattern `json:"-"` // the actual regexp
	// the output of the expression is going to be the source for regexp
	ExpValue string `yaml:"expression,omitempty"`
	// the actual compiled filter (compiled form of ExpValue)
	// NOTE(review): RunTimeRegexp and RunTimeValue carry only json:"-", unlike
	// the yaml-tagged fields; confirm the yaml loader ignores them.
	RunTimeValue *vm.Program `json:"-"`
	// a grok can contain statics that apply if pattern is successful
	Statics []ExtraField `yaml:"statics,omitempty"`
}
type RemediationProfile ¶
// RemediationProfile describes an action profile: whether it applies, which
// remediations it selects (Ban, Slow, Captcha) and for how long.
type RemediationProfile struct {
	Apply   bool
	Ban     bool
	Slow    bool
	Captcha bool
	// Duration is the textual form; TimeDuration is presumably its parsed
	// value — confirm against the code that fills it.
	Duration     string
	TimeDuration time.Duration
}
RemediationProfile describes action profiles.
type RuntimeAlert ¶
// RuntimeAlert is the in-process form of a bucket overflow (Event.Overflow):
// the originating bucket (Mapkey, BucketId), the sources that fed it, and the
// alert(s) destined for the API. GetSources presumably returns the keys of
// Sources — confirm.
type RuntimeAlert struct {
	Mapkey      string                   `yaml:"MapKey,omitempty" json:"MapKey,omitempty"`
	BucketId    string                   `yaml:"BucketId,omitempty" json:"BucketId,omitempty"`
	Whitelisted bool                     `yaml:"Whitelisted,omitempty" json:"Whitelisted,omitempty"`
	Reprocess   bool                     `yaml:"Reprocess,omitempty" json:"Reprocess,omitempty"`
	Sources     map[string]models.Source `yaml:"Sources,omitempty" json:"Sources,omitempty"`
	// this one is a pointer to APIAlerts[0] for convenience.
	// NOTE(review): it is not tagged "-", so marshaling emits it alongside
	// APIAlerts; confirm that duplication is intended.
	Alert *models.Alert `yaml:"Alert,omitempty" json:"Alert,omitempty"`
	// APIAlerts will be populated at the end when there is more than one source
	APIAlerts []models.Alert `yaml:"APIAlerts,omitempty" json:"APIAlerts,omitempty"`
}
func (RuntimeAlert) GetSources ¶
func (r RuntimeAlert) GetSources() []string