
Constants

// Event.Type values: an Event is either a raw log line or a bucket overflow
// (see the Event struct below).
const (
	LOG = iota // Event.Type: the event is a log line
	OVFLW      // Event.Type: the event is an overflow (bucket fired)
)

Variables

// LogOutput is the package-level rotating log sink (a *lumberjack.Logger, which
// is an io.Writer). It is nil until set — presumably by SetDefaultLoggerConfig /
// ConfigureLogger in this package; TODO confirm. Package-level mutable state:
// callers must not write to it concurrently with configuration.
var LogOutput *lumberjack.Logger //io.Writer

Functions

func Clone added in v0.1.4

func Clone(a, b interface{}) error

func ConfigureLogger added in v0.1.0

func ConfigureLogger(clog *log.Logger) error

func GetData added in v0.1.0

func GetData(data []*DataSource, dataDir string) error

func IP2Int

func IP2Int(ip net.IP) uint32

func Int2ip

func Int2ip(nn uint32) net.IP

func LastAddress

func LastAddress(n *net.IPNet) net.IP

Adapted from https://github.com/llimllib/ipaddress/. Returns the last address of the network n. The result is converted to IPv4 form when possible; otherwise an IPv6 address is returned.

func SetDefaultLoggerConfig added in v0.1.0

func SetDefaultLoggerConfig(cfgMode string, cfgFolder string, cfgLevel log.Level) error

Types

type BanApplication

// BanApplication is the database (gorm) row for one concrete remediation
// derived from a BanOrder (see OrderToApplications). The target is stored as
// an integer interval [StartIp, EndIp]; see IP2Int / Int2ip in this package.
type BanApplication struct {
	gorm.Model `json:"-"` // ID / timestamps, never emitted in JSON

	MeasureSource string    /*api,local*/
	MeasureType   string    /*ban,slow,captcha*/
	MeasureExtra  string    /*in case we need extra info for the connector ?*/
	Until         time.Time /*expiration of ban*/

	// NOTE(review): uint32 endpoints — and IP2Int/Int2ip, which are uint32
	// based — can only represent IPv4. Confirm how IPv6 sources are handled
	// before relying on this interval for enforcement.
	StartIp uint32
	EndIp   uint32

	TargetCN     string // presumably the target country code (cf. BanOrder.TargetCountry) — TODO confirm
	TargetAS     int
	TargetASName string

	IpText string /*only for humans*/

	Reason   string /*long human reason of the ban 'ban AS1234' */
	Scenario string /*the type of scenario that led to ban*/

	//SignalOccurence   *parser.SignalOccurence /*the signal occurence it's attached to */
	SignalOccurenceID uint //so we can link local decision to actual overflow (gorm foreign key, see SignalOccurence.BanApplications)

}

BanApplication is the in-DB representation of a ban order. IPs and ranges are represented as an integer interval. One BanOrder can lead to multiple BanApplications.

func OrderToApplications

func OrderToApplications(ordr *BanOrder) ([]BanApplication, error)

type BanOrder

// BanOrder is the in-memory description of an action to take for a
// SignalOccurence. It is never persisted; OrderToApplications turns it into
// one or more BanApplication rows. Which Target* field is meaningful is
// selected by Scope.
type BanOrder struct {
	MeasureSource string    /*api,local*/
	MeasureType   string    /*ban,slow,captcha*/
	Scope         string    /*ip,multi_ip,as,country*/
	TargetAS      int       /*if non-zero, applies to this AS number*/
	TargetASName  string    /*if non-empty, the name of the target AS*/
	TargetRange   net.IPNet /*if non-empty, applies to this range*/
	TargetIP      net.IP    /*if non-empty, applies to this IP*/
	TargetCountry string    /*if non-empty, applies to this country*/
	Until         time.Time /*when would the measure expire*/
	TxtTarget     string    /*human-readable form of the target*/
	Reason        string    /*human-readable reason for the measure*/
}

BanOrder is what is generated from a SignalOccurence: it describes what action to take. It is in-memory only and never touches the DB. It will be turned into one or several BanApplication records.

type DataSet added in v0.1.0

// DataSet is the YAML document listing external data files to fetch
// (consumed by GetData).
type DataSet struct {
	Data []*DataSource `yaml:"data,omitempty"`
}

type DataSource added in v0.1.0

// DataSource describes one external file to download: SourceURL is fetched
// and written to DestPath (relative to the dataDir passed to GetData).
//
// NOTE(review): both fields come from configuration. GetData should confirm
// that DestPath cannot escape dataDir (no ".." / absolute paths) and that
// SourceURL is an expected scheme/host; the download target is written to
// disk, so a hostile or mistyped entry is a file-write primitive.
type DataSource struct {
	SourceURL string `yaml:"source_url"`
	DestPath  string `yaml:"dest_file"`
	Type      string `yaml:"type"`
}

type Event

// Event is the unit of work flowing through the parser pipeline: either a raw
// log line (Type == LOG) or a bucket overflow (Type == OVFLW).
//
// NOTE(review): struct tags are inconsistent — some fields carry only a yaml
// tag, WhiteListReason only a json tag, Line/Parsed/Enriched/Meta both.
// Confirm which serializations are actually used before relying on any
// omitempty behavior.
type Event struct {
	/* is it a log or an overflow */
	Type            int    `yaml:"Type,omitempty"`
	ExpectMode      int    `yaml:"ExpectMode,omitempty"` //how to buckets should handle event : leaky.TIMEMACHINE or leaky.LIVE
	Whitelisted     bool   `yaml:"Whitelisted,omitempty"`
	WhiteListReason string `json:"whitelist_reason,omitempty"`
	//should add whitelist reason ?
	/* the current stage of the line being parsed */
	Stage string `yaml:"Stage,omitempty"`
	/* original line (produced by acquisition) */
	Line Line `json:"Line" yaml:"Line,omitempty"`
	/* output of groks */
	Parsed map[string]string `json:"Parsed,omitempty" yaml:"Parsed,omitempty"`
	/* output of enrichment */
	Enriched map[string]string `json:"Enriched,omitempty" yaml:"Enriched,omitempty"`
	/* Overflow */
	Overflow      SignalOccurence `yaml:"Overflow,omitempty"`
	Time          time.Time       `json:"Time,omitempty"` //parsed time (StrTime/MarshaledTime hold the string forms)
	StrTime       string          `yaml:"StrTime,omitempty"`
	MarshaledTime string          `yaml:"MarshaledTime,omitempty"`
	Process       bool            `yaml:"Process,omitempty"` //can be set to false to avoid processing line
	/* Meta is the only part that will make it to the API - it should be normalized */
	Meta map[string]string `json:"Meta,omitempty" yaml:"Meta,omitempty"`
}

type EventSequence

// EventSequence is the persisted (gorm) summary of one event that
// contributed to an overflow; a SignalOccurence has many of them.
type EventSequence struct {
	gorm.Model `json:"-"`
	Time       time.Time
	Source     Source `json:"-"` // not stored by gorm directly; flattened into the Source_* columns below
	/*for db only :/ */
	Source_ip                           string
	Source_range                        string
	Source_AutonomousSystemNumber       string
	Source_AutonomousSystemOrganization string
	Source_Country                      string
	/*stop db only */
	SignalOccurenceID uint   //unique ID for the hasMany relation
	Serialized        string `gorm:"size:65535"` //the serialized dict (capped at 64 KiB by the column size)
}

EventSequence is the summarized representation of the events that led to an overflow.

type ExtraField

// ExtraField describes a "static": a value written into an Event once a
// pattern matches (see GrokPattern.Statics). Exactly one of the target
// selectors (TargetByName / Parsed / Meta / Enriched) and one of the value
// sources (Value / ExpValue / Method) is expected to be set — presumably
// enforced by the loader; TODO confirm.
type ExtraField struct {
	//if the target is indicated by name Struct.Field etc,
	TargetByName string `yaml:"target,omitempty"`
	//if the target field is in Event map
	Parsed string `yaml:"parsed,omitempty"`
	//if the target field is in Meta map
	Meta string `yaml:"meta,omitempty"`
	//if the target field is in Enriched map
	Enriched string `yaml:"enriched,omitempty"`
	//the source is a static value
	Value string `yaml:"value,omitempty"`
	//or the result of an Expression (compiled into RunTimeValue at load time)
	ExpValue     string      `yaml:"expression,omitempty"`
	RunTimeValue *vm.Program `json:"-"` //the actual compiled filter
	//or an enrichment method
	Method string `yaml:"method,omitempty"`
}

ExtraField is used mostly for statics: values applied to an event when a pattern matches.

type GrokPattern

// GrokPattern is one parsing rule: a grok/regexp (by name or literal) applied
// to TargetField, plus the statics to set when it matches. RegexpName and
// RegexpValue are alternatives; RunTimeRegexp is the compiled form.
type GrokPattern struct {
	//the field to which regexp is going to apply
	TargetField string `yaml:"apply_on,omitempty"`
	//the grok/regexp by name (loaded from patterns/*)
	RegexpName string `yaml:"name,omitempty"`
	//a proper grok pattern
	RegexpValue string `yaml:"pattern,omitempty"`
	//the runtime form of regexpname / regexpvalue
	RunTimeRegexp *grokky.Pattern `json:"-"` //the actual regexp
	//a grok can contain statics that apply if pattern is successful
	Statics []ExtraField `yaml:"statics,omitempty"`
}

type Line

// Line is a raw log line as produced by acquisition, before parsing.
type Line struct {
	Raw     string            `yaml:"Raw,omitempty"` // the line text, untrusted input
	Src     string            `yaml:"Src,omitempty"` // where the line was acquired from
	Time    time.Time         //acquis time
	Labels  map[string]string `yaml:"Labels,omitempty"` // labels attached by the acquisition config
	Process bool              // when false the line is not processed further (cf. Event.Process)
}

type Profile

// Profile is one entry of the profiles configuration: when Filter (compiled
// into RunTimeFilter) matches an overflow, Remediation is applied and the
// result is optionally pushed to the API and to OutputConfigs.
type Profile struct {
	Profile       string             `yaml:"profile"`
	Filter        string             `yaml:"filter"`
	Remediation   RemediationProfile `yaml:"remediation"`
	RunTimeFilter *vm.Program        // compiled Filter; NOTE(review): untagged, unlike ExtraField.RunTimeValue (`json:"-"`) — confirm it is never (un)marshaled
	ApiPush       *bool              `yaml:"api"` // pointer so "unset" can be told apart from false
	OutputConfigs []map[string]string `yaml:"outputs,omitempty"`
}

type RemediationProfile

// RemediationProfile is the action part of a Profile. Duration is the
// configured string; TimeDuration is presumably its parsed form, filled at
// load time — TODO confirm.
type RemediationProfile struct {
	Apply        bool // whether the remediation is applied at all
	Ban          bool
	Slow         bool
	Captcha      bool
	Duration     string
	TimeDuration time.Duration
}

Action profiles

type SignalOccurence

// SignalOccurence is a bucket overflow: the scenario that fired, the source
// that triggered it, the events that led to it and the resulting
// BanApplications. It is both the gorm row and the JSON object sent upstream;
// fields tagged `gorm:"-"` are runtime-only.
type SignalOccurence struct {
	gorm.Model `json:"-"`
	//	ID              uint            //  `json:"-" gorm:"primary_key,AUTO_INCREMENT"`
	MapKey          string           //for Delete
	Scenario        string           `json:"scenario,omitempty"`                                              //The unique name of the scenario, ie. ssh_bruteforce_multi-user
	Bucket_id       string           `json:"bucket_id,omitempty"`                                             //The 'runtime' bucket-name (mostly for debug), ie. `sunny-flower`
	Alert_message   string           `json:"alert_message,omitempty"`                                         //Human-friendly label (to be displayed)
	Events_count    int              `json:"events_count,omitempty" yaml:"Events_count,omitempty"`            //Number of events between first occurence and ban
	Events_sequence []EventSequence  `json:"-" gorm:"foreignkey:SignalOccurenceID;association_foreignkey:ID"` //When adapted, a unique list of string representing the individual events that lead to the overflow
	Start_at        time.Time        `json:"start_at,omitempty"`                                              //first event (usually bucket creation time)
	BanApplications []BanApplication `json:"ban_applications,omitempty" gorm:"foreignkey:SignalOccurenceID;association_foreignkey:ID"`
	Stop_at         time.Time        `json:"stop_at,omitempty"` //last event (usually bucket overflow time)
	Source          *Source          `json:"source"`            //`json:"source,omitempty"` — may be nil; callers must check
	/*for db: Source flattened into columns, since gorm does not store the *Source / net.IP fields directly*/
	Source_ip                           string `yaml:"Source_ip,omitempty"`
	Source_range                        string
	Source_AutonomousSystemNumber       string
	Source_AutonomousSystemOrganization string
	Source_Country                      string
	Source_Latitude                     float64
	Source_Longitude                    float64
	/*/for db*/
	Sources map[string]Source `json:"sources,omitempty" gorm:"-"` //all sources involved, keyed by string (presumably the IP) — TODO confirm
	// Source_ip       string          `json:"src_ip,omitempty"`                                                                        //for now just the IP
	// Source_as       string          `json:"src_as,omitempty"`                                                                        //for now just the as (AS number)
	// Source_country  string          `json:"src_country,omitempty"`                                                                   //for now just the county (two-letter iso-code)
	Dest_ip string `json:"dst_ip,omitempty"` //for now just the destination IP
	//Policy  string `json:"policy,omitempty"` //for now we forward it as well :)
	//bucket info
	Capacity    int               `json:"capacity,omitempty"`
	Leak_speed  time.Duration     `json:"leak_speed,omitempty"`
	Whitelisted bool              `gorm:"-"` //runtime only: overflow matched a Whitelist
	Simulation  bool              `gorm:"-"` //runtime only: scenario runs in simulation mode, no remediation expected
	Reprocess   bool              //Reprocess, when true, will make the overflow being processed again as a fresh log would
	Labels      map[string]string `gorm:"-"` //runtime only
}

type Source

// Source describes the IP (or range) behind an event or overflow: what was
// extracted from the log plus what enrichment added (AS, country, geo).
type Source struct {
	gorm.Model                   `json:"-"`
	Ip                           net.IP
	Range                        net.IPNet
	AutonomousSystemNumber       string // kept as a string, not an int (cf. BanOrder.TargetAS)
	AutonomousSystemOrganization string
	Country                      string
	Latitude                     float64
	Longitude                    float64
	Flags                        map[string]bool //a list of flags we can set
}

Source is the generic representation of a source IP implicated in events or overflows. It contains both information extracted directly from logs and enrichment data.

type Whitelist

// Whitelist lists sources that must never be remediated, by IP, CIDR or
// expression. The Ips/Cidrs/Exprs fields are the YAML form; the B_* fields
// are presumably their parsed/compiled counterparts filled at load time —
// TODO confirm. NOTE(review): the B_* fields carry no `yaml:"-"` tag, so a
// YAML decoder may still try to map them by name.
type Whitelist struct {
	Reason  string   `yaml:"reason,omitempty"`
	Ips     []string `yaml:"ip,omitempty"`
	B_Ips   []net.IP
	Cidrs   []string `yaml:"cidr,omitempty"`
	B_Cidrs []*net.IPNet
	Exprs   []string `yaml:"expression,omitempty"`
	B_Exprs []*vm.Program
}
