Documentation ¶
Index ¶
- Constants
- Variables
- func Clone(a, b interface{}) error
- func ConfigureLogger(clog *log.Logger) error
- func GetData(data []*DataSource, dataDir string) error
- func IP2Int(ip net.IP) uint32
- func Int2ip(nn uint32) net.IP
- func LastAddress(n *net.IPNet) net.IP
- func SetDefaultLoggerConfig(cfgMode string, cfgFolder string, cfgLevel log.Level) error
- type BanApplication
- type BanOrder
- type DataSet
- type DataSource
- type Event
- type EventSequence
- type ExtraField
- type GrokPattern
- type Line
- type Profile
- type RemediationProfile
- type SignalOccurence
- type Source
- type Whitelist
Constants ¶
const ( LOG = iota OVFLW )
Variables ¶
var LogOutput *lumberjack.Logger //io.Writer
Functions ¶
func ConfigureLogger ¶ added in v0.1.0
func GetData ¶ added in v0.1.0
func GetData(data []*DataSource, dataDir string) error
func LastAddress ¶
Stolen from : https://github.com/llimllib/ipaddress/ Return the final address of a net range. Convert to IPv4 if possible, otherwise return an ipv6
Types ¶
type BanApplication ¶
type BanApplication struct { gorm.Model `json:"-"` MeasureSource string /*api,local*/ MeasureType string /*ban,slow,captcha*/ MeasureExtra string /*in case we need extra info for the connector ?*/ Until time.Time /*expiration of ban*/ StartIp uint32 EndIp uint32 TargetCN string TargetAS int TargetASName string IpText string /*only for humans*/ Reason string /*long human reason of the ban 'ban AS1234' */ Scenario string /*the type of scenario that led to ban*/ //SignalOccurence *parser.SignalOccurence /*the signal occurence it's attached to */ SignalOccurenceID uint //so we can link local decision to actual overflow }
BanApplication is the in-db representation of a ban order. IPs/Ranges are represented as a integer interval. one BanOrder can lead to multiple BanApplication
func OrderToApplications ¶
func OrderToApplications(ordr *BanOrder) ([]BanApplication, error)
type BanOrder ¶
type BanOrder struct { MeasureSource string /*api,local*/ MeasureType string /*ban,slow,captcha*/ Scope string /*ip,multi_ip,as,country*/ TargetAS int /*if non-empty, applies to this AS*/ TargetASName string /*if non-empty, applies to this AS*/ TargetRange net.IPNet /*if non-empty, applies to this IP*/ TargetIP net.IP /*if non-empty, applies to this range*/ TargetCountry string Until time.Time /*when would the measure expire*/ TxtTarget string Reason string }
BanOrder is what is generated from a SignalOccurence : it describes what action to take it is in-memory only and never touches the DB. It will be turned into one or several "parser.BanApplication"
type DataSet ¶ added in v0.1.0
type DataSet struct {
Data []*DataSource `yaml:"data,omitempty"`
}
type DataSource ¶ added in v0.1.0
type Event ¶
type Event struct { /* is it a log or an overflow */ Type int `yaml:"Type,omitempty"` ExpectMode int `yaml:"ExpectMode,omitempty"` //how to buckets should handle event : leaky.TIMEMACHINE or leaky.LIVE Whitelisted bool `yaml:"Whitelisted,omitempty"` WhiteListReason string `json:"whitelist_reason,omitempty"` //should add whitelist reason ? /* the current stage of the line being parsed */ Stage string `yaml:"Stage,omitempty"` /* original line (produced by acquisition) */ Line Line `json:"Line" yaml:"Line,omitempty"` /* output of groks */ Parsed map[string]string `json:"Parsed,omitempty" yaml:"Parsed,omitempty"` /* output of enrichment */ Enriched map[string]string `json:"Enriched,omitempty" yaml:"Enriched,omitempty"` /* Overflow */ Overflow SignalOccurence `yaml:"Overflow,omitempty"` Time time.Time `json:"Time,omitempty"` //parsed time `json:"-"` “ StrTime string `yaml:"StrTime,omitempty"` MarshaledTime string `yaml:"MarshaledTime,omitempty"` Process bool `yaml:"Process,omitempty"` //can be set to false to avoid processing line /* Meta is the only part that will make it to the API - it should be normalized */ Meta map[string]string `json:"Meta,omitempty" yaml:"Meta,omitempty"` }
type EventSequence ¶
type EventSequence struct { gorm.Model `json:"-"` Time time.Time Source Source `json:"-"` /*for db only :/ */ Source_ip string Source_range string Source_AutonomousSystemNumber string Source_AutonomousSystemOrganization string Source_Country string /*stop db only */ SignalOccurenceID uint //unique ID for the hasMany relation Serialized string `gorm:"size:65535"` //the serialized dict }
EventSequence is used to represent the summarized version of events that lead to overflow
type ExtraField ¶
type ExtraField struct { //if the target is indicated by name Struct.Field etc, TargetByName string `yaml:"target,omitempty"` //if the target field is in Event map Parsed string `yaml:"parsed,omitempty"` //if the target field is in Meta map Meta string `yaml:"meta,omitempty"` //if the target field is in Enriched map Enriched string `yaml:"enriched,omitempty"` //the source is a static value Value string `yaml:"value,omitempty"` //or the result of an Expression ExpValue string `yaml:"expression,omitempty"` RunTimeValue *vm.Program `json:"-"` //the actual compiled filter //or an enrichment method Method string `yaml:"method,omitempty"` }
Used mostly for statics
type GrokPattern ¶
type GrokPattern struct { //the field to which regexp is going to apply TargetField string `yaml:"apply_on,omitempty"` //the grok/regexp by name (loaded from patterns/*) RegexpName string `yaml:"name,omitempty"` //a proper grok pattern RegexpValue string `yaml:"pattern,omitempty"` //the runtime form of regexpname / regexpvalue RunTimeRegexp *grokky.Pattern `json:"-"` //the actual regexp //a grok can contain statics that apply if pattern is successfull Statics []ExtraField `yaml:"statics,omitempty"` }
type RemediationProfile ¶
type RemediationProfile struct { Apply bool Ban bool Slow bool Captcha bool Duration string TimeDuration time.Duration }
Action profiles
type SignalOccurence ¶
type SignalOccurence struct { gorm.Model `json:"-"` // ID uint // `json:"-" gorm:"primary_key,AUTO_INCREMENT"` MapKey string //for Delete Scenario string `json:"scenario,omitempty"` //The unique name of the scenario, ie. ssh_bruteforce_multi-user Bucket_id string `json:"bucket_id,omitempty"` //The 'runtime' bucket-name (mostly for debug), ie. `sunny-flower` Alert_message string `json:"alert_message,omitempty"` //Human-friendly label (to be displayed) Events_count int `json:"events_count,omitempty" yaml:"Events_count,omitempty"` //Number of events between first occurence and ban Events_sequence []EventSequence `json:"-" gorm:"foreignkey:SignalOccurenceID;association_foreignkey:ID"` //When adapted, a unique list of string representing the individual events that lead to the overflow Start_at time.Time `json:"start_at,omitempty"` //first event (usually bucket creation time) BanApplications []BanApplication `json:"ban_applications,omitempty" gorm:"foreignkey:SignalOccurenceID;association_foreignkey:ID"` Stop_at time.Time `json:"stop_at,omitempty"` //last event (usually bucket overflow time) Source *Source `json:"source"` //`json:"source,omitempty"` /*for db*/ Source_ip string `yaml:"Source_ip,omitempty"` Source_range string Source_AutonomousSystemNumber string Source_AutonomousSystemOrganization string Source_Country string Source_Latitude float64 Source_Longitude float64 /*/for db*/ Sources map[string]Source `json:"sources,omitempty" gorm:"-"` // Source_ip string `json:"src_ip,omitempty"` //for now just the IP // Source_as string `json:"src_as,omitempty"` //for now just the as (AS number) // Source_country string `json:"src_country,omitempty"` //for now just the county (two-letter iso-code) Dest_ip string `json:"dst_ip,omitempty"` //for now just the destination IP //Policy string `json:"policy,omitempty"` //for now we forward it as well :) //bucket info Capacity int `json:"capacity,omitempty"` Leak_speed time.Duration `json:"leak_speed,omitempty"` Whitelisted bool `gorm:"-"` Simulation bool `gorm:"-"` Reprocess bool //Reprocess, when true, will make the overflow being processed again as a fresh log would Labels map[string]string `gorm:"-"` }
type Source ¶
type Source struct { gorm.Model `json:"-"` Ip net.IP Range net.IPNet AutonomousSystemNumber string AutonomousSystemOrganization string Country string Latitude float64 Longitude float64 Flags map[string]bool //a list of flags we can set }
Source is the generic representation of a source ip implicated in events / overflows. It contains both information extracted directly from logs and enrichment