types

package
Version v1.5.6-rc6
Published: Dec 21, 2023 License: MIT Imports: 13 Imported by: 4


Constants

// LIVE and TIMEMACHINE are the two leaky-bucket processing modes; the mode an
// event expects is carried in Event.ExpectMode.
const (
	LIVE = iota
	TIMEMACHINE
)

A leaky bucket runs in one of two modes: LIVE or TIMEMACHINE.

// Event kinds carried in Event.Type: a parsed log line (LOG), a bucket
// overflow (OVFLW) or an application-security event (APPSEC).
const (
	LOG = iota
	OVFLW
	APPSEC
)
// Scope names of a decision or alert target (presumably the values taken by
// ScopeType.Scope; confirm against the leakybuckets package).
const (
	Undefined = ""
	Ip        = "Ip"
	Range     = "Range"
	Filter    = "Filter"
	Country   = "Country"
	AS        = "AS"
)

To be moved into the leakybuckets package.

// ApiKeyAuthType is the authentication-type value selecting API-key authentication.
const ApiKeyAuthType = "api-key"
// CAPIBaseURL is the base URL of CAPI (HTTPS, with a trailing slash so paths can be appended directly).
const CAPIBaseURL = "https://api.crowdsec.net/"
// CAPIOrigin is the origin value marking data that came from CAPI (see GetOrigins).
const CAPIOrigin = "CAPI"
// CommunityBlocklistPullSourceScope identifies the community blocklist as a pull source
// (presumably matched against the scope field of pulled decisions; confirm in the puller).
const CommunityBlocklistPullSourceScope = "crowdsecurity/community-blocklist"
// ConsoleOrigin is the origin value marking data that came from the console (see GetOrigins).
const ConsoleOrigin = "console"
// CrowdSecOrigin is the origin value marking data produced locally by crowdsec itself (see GetOrigins).
const CrowdSecOrigin = "crowdsec"
// CscliImportOrigin is the origin value marking data imported through cscli (see GetOrigins).
const CscliImportOrigin = "cscli-import"
// CscliOrigin is the origin value marking data created directly with cscli (see GetOrigins).
const CscliOrigin = "cscli"
// DecisionTypeBan is the decision type denoting a ban.
const DecisionTypeBan = "ban"
// ListOrigin is the origin value marking data that came from lists (see GetOrigins).
const ListOrigin = "lists"
// PAPIBaseURL is the base URL of PAPI (HTTPS, with a trailing slash so paths can be appended directly).
const PAPIBaseURL = "https://papi.api.crowdsec.net/"
// PAPIPermissionsUrl is the permissions endpoint path (presumably resolved against PAPIBaseURL).
const PAPIPermissionsUrl = "/permissions"
// PAPIPollUrl is the decision-stream polling endpoint path (presumably resolved against PAPIBaseURL).
const PAPIPollUrl = "/decisions/stream/poll"
// PAPIVersion is the PAPI API version segment.
const PAPIVersion = "v1"
// PasswordAuthType is the authentication-type value selecting password authentication.
const PasswordAuthType = "password"
// TlsAuthType is the authentication-type value selecting TLS client-certificate authentication.
const TlsAuthType = "tls"

Variables

// LogOutput is the rotating file writer used as the logger's output; a
// *lumberjack.Logger satisfies io.Writer. It is package-level mutable state
// (presumably set by SetDefaultLoggerConfig; confirm before relying on it).
var LogOutput *lumberjack.Logger // io.Writer

Functions

func Addr2Ints added in v1.0.3

func Addr2Ints(anyIP string) (int, int64, int64, int64, int64, error)

Addr2Ints returns the numeric range for any single IP address or IP range.

func ConfigureLogger added in v0.1.0

func ConfigureLogger(clog *log.Logger) error

func GetOrigins added in v1.5.0

func GetOrigins() []string

func IP2Ints added in v1.0.3

func IP2Ints(pip net.IP) (int, int64, int64, error)

IP2Ints returns the address size (16 or 4), the network part, the suffix part, and an error.

func LastAddress

func LastAddress(n net.IPNet) net.IP

LastAddress returns the last address of a network

func Range2Ints added in v1.0.3

func Range2Ints(network net.IPNet) (int, int64, int64, int64, int64, error)

Range2Ints returns the address size (16 or 4), the start network and suffix (nw_start, suffix_start), the end network and suffix (nw_end, suffix_end), and an error.

func SetDefaultLoggerConfig added in v0.1.0

func SetDefaultLoggerConfig(cfgMode string, cfgFolder string, cfgLevel log.Level, maxSize int, maxFiles int, maxAge int, compress *bool, forceColors bool) error

func UtcNow added in v1.3.0

func UtcNow() time.Time

Types

type AppsecEvent added in v1.6.0

// AppsecEvent is the application-security part of an Event (Event.Appsec).
// The embedded MatchedRules exposes the By*/Get* filter and getter methods
// directly on the event.
type AppsecEvent struct {
	// HasInBandMatches / HasOutBandMatches flag whether in-band or out-of-band rules matched.
	HasInBandMatches, HasOutBandMatches bool
	// MatchedRules is the list of rules that matched (embedded, so its methods are promoted).
	MatchedRules
	// Vars holds named string variables readable through GetVar.
	Vars map[string]string
}

func (AppsecEvent) GetVar added in v1.6.0

func (w AppsecEvent) GetVar(varName string) string

type DataSource added in v0.1.0

// DataSource describes an external data file declared in configuration
// (yaml keys in the tags): where it is fetched from, where it is stored
// locally, and how lookups into it are cached.
type DataSource struct {
	// SourceURL is the location the data is fetched from (yaml source_url).
	SourceURL string `yaml:"source_url"`
	// DestPath is the local file the data is written to (yaml dest_file).
	// NOTE(review): this is an operator-supplied path; confirm that the
	// fetcher constrains it to the data directory.
	DestPath string `yaml:"dest_file"`
	Type     string `yaml:"type"`
	//Control cache strategy on expensive regexps
	Cache    *bool          `yaml:"cache"`
	Strategy *string        `yaml:"strategy"`
	Size     *int           `yaml:"size"`
	TTL      *time.Duration `yaml:"ttl"`
}

type Event

// Event is the runtime event flowing through the pipeline: a parsed log line,
// a bucket overflow, or an appsec event, as selected by Type. Everything but
// Meta stays local; Meta is the only part forwarded to the API and must
// therefore be normalized before it is filled.
type Event struct {
	/* is it a log or an overflow */
	Type            int    `yaml:"Type,omitempty" json:"Type,omitempty"`             // Can be types.LOG (0), types.OVFLW (1) or types.APPSEC (2)
	ExpectMode      int    `yaml:"ExpectMode,omitempty" json:"ExpectMode,omitempty"` // how buckets should handle the event: types.TIMEMACHINE or types.LIVE
	Whitelisted     bool   `yaml:"Whitelisted,omitempty" json:"Whitelisted,omitempty"`
	WhitelistReason string `yaml:"WhitelistReason,omitempty" json:"whitelist_reason,omitempty"` // note the json key is snake_case, unlike the other fields
	// should add whitelist reason ?
	/* the current stage of the line being parsed */
	Stage string `yaml:"Stage,omitempty" json:"Stage,omitempty"`
	/* original line (produced by acquisition) */
	Line Line `yaml:"Line,omitempty" json:"Line,omitempty"`
	/* output of groks */
	Parsed map[string]string `yaml:"Parsed,omitempty" json:"Parsed,omitempty"`
	/* output of enrichment */
	Enriched map[string]string `yaml:"Enriched,omitempty" json:"Enriched,omitempty"`
	/* output of Unmarshal: arbitrary decoded structure, never sent to the API (only Meta is) */
	Unmarshaled map[string]interface{} `yaml:"Unmarshaled,omitempty" json:"Unmarshaled,omitempty"`
	/* Overflow (note: serialized under the json key "Alert") */
	Overflow      RuntimeAlert `yaml:"Overflow,omitempty" json:"Alert,omitempty"`
	Time          time.Time    `yaml:"Time,omitempty" json:"Time,omitempty"` // parsed time
	StrTime       string       `yaml:"StrTime,omitempty" json:"StrTime,omitempty"`
	StrTimeFormat string       `yaml:"StrTimeFormat,omitempty" json:"StrTimeFormat,omitempty"`
	MarshaledTime string       `yaml:"MarshaledTime,omitempty" json:"MarshaledTime,omitempty"`
	Process       bool         `yaml:"Process,omitempty" json:"Process,omitempty"` // can be set to false to avoid processing line
	Appsec        AppsecEvent  `yaml:"Appsec,omitempty" json:"Appsec,omitempty"`
	/* Meta is the only part that will make it to the API - it should be normalized */
	Meta map[string]string `yaml:"Meta,omitempty" json:"Meta,omitempty"`
}

Event is the structure representing a runtime event (a log line or an overflow).

func (*Event) GetMeta added in v1.4.2

func (e *Event) GetMeta(key string) string

func (*Event) GetType added in v1.0.0

func (e *Event) GetType() string

func (*Event) ParseIPSources added in v1.5.5

func (e *Event) ParseIPSources() []net.IP

type Field added in v1.6.0

// Field names a value that can be read from matched rules through
// MatchedRules.GetField (presumably the key of each rule map; confirm in
// the appsec code).
type Field string
// Known Field values.
const (
	ID         Field = "id"
	RuleType   Field = "rule_type"
	Tags       Field = "tags"
	File       Field = "file"
	Confidence Field = "confidence"
	Revision   Field = "revision"
	SecMark    Field = "secmark"
	Accuracy   Field = "accuracy"
	Msg        Field = "msg"
	Severity   Field = "severity"
	Kind       Field = "kind"
)

func (Field) String added in v1.6.0

func (f Field) String() string

type Line

// Line is the original line produced by acquisition and carried in Event.Line.
type Line struct {
	// Raw is the unparsed line as acquired; treat it as untrusted input.
	Raw string `yaml:"Raw,omitempty"`
	// Src identifies where the line was read from.
	Src string `yaml:"Src,omitempty"`
	Time time.Time // acquis time
	// Labels are key/value labels attached at acquisition.
	Labels map[string]string `yaml:"Labels,omitempty"`
	// Process presumably mirrors Event.Process (false skips processing) — confirm against the parser.
	Process bool
	// Module names the acquisition module that produced the line.
	Module string `yaml:"Module,omitempty"`
}

type MatchedRules added in v1.6.0

// MatchedRules is the list of appsec rules that matched; each entry is one
// rule's attributes as a map (presumably keyed by Field values, see GetField).
// The By* methods filter it and the Get* methods read from it.
type MatchedRules []map[string]interface{}

func (MatchedRules) ByAccuracy added in v1.6.0

func (w MatchedRules) ByAccuracy(accuracy string) MatchedRules

func (MatchedRules) ByDisruptiveness added in v1.6.0

func (w MatchedRules) ByDisruptiveness(is bool) MatchedRules

func (MatchedRules) ByID added in v1.6.0

func (w MatchedRules) ByID(id int) MatchedRules

Filters: each By* method returns the subset of matched rules satisfying its criterion.

func (MatchedRules) ByKind added in v1.6.0

func (w MatchedRules) ByKind(kind string) MatchedRules

func (MatchedRules) BySeverity added in v1.6.0

func (w MatchedRules) BySeverity(severity string) MatchedRules

func (MatchedRules) ByTag added in v1.6.0

func (w MatchedRules) ByTag(match string) MatchedRules

func (MatchedRules) ByTagRx added in v1.6.0

func (w MatchedRules) ByTagRx(rx string) MatchedRules

func (MatchedRules) ByTags added in v1.6.0

func (w MatchedRules) ByTags(match []string) MatchedRules

func (MatchedRules) GetField added in v1.6.0

func (w MatchedRules) GetField(field Field) []interface{}

Getters: each Get* method reads a value out of the matched rules.

func (MatchedRules) GetHash added in v1.6.0

func (w MatchedRules) GetHash() string

func (MatchedRules) GetMatchedZones added in v1.6.0

func (w MatchedRules) GetMatchedZones() []string

func (MatchedRules) GetMethod added in v1.6.0

func (w MatchedRules) GetMethod() string

func (MatchedRules) GetName added in v1.6.0

func (w MatchedRules) GetName() string

func (MatchedRules) GetRuleIDs added in v1.6.0

func (w MatchedRules) GetRuleIDs() []int

func (MatchedRules) GetURI added in v1.6.0

func (w MatchedRules) GetURI() string

func (MatchedRules) GetVersion added in v1.6.0

func (w MatchedRules) GetVersion() string

func (MatchedRules) Kinds added in v1.6.0

func (w MatchedRules) Kinds() []string

type Queue added in v1.6.0

// Queue holds a bounded number of events: once L events are present, Add
// drops the first element before appending the new one.
type Queue struct {
	Queue []Event // events in insertion order
	L     int     // capacity
}

Queue holds a bounded-size queue of events.

func NewQueue added in v1.6.0

func NewQueue(l int) *Queue

NewQueue creates a new queue with a capacity of l.

func (*Queue) Add added in v1.6.0

func (q *Queue) Add(m Event)

Add appends the event m to the queue. If the queue already holds l elements, its first element is dropped before m is added.

func (*Queue) GetQueue added in v1.6.0

func (q *Queue) GetQueue() []Event

GetQueue returns the entire queue

type RuntimeAlert added in v1.0.0

// RuntimeAlert is the in-process representation of a bucket overflow
// (Event.Overflow). Alert points at APIAlerts[0] for convenience, so the
// two must be kept consistent when APIAlerts is rebuilt.
type RuntimeAlert struct {
	Mapkey      string                   `yaml:"MapKey,omitempty" json:"MapKey,omitempty"`
	BucketId    string                   `yaml:"BucketId,omitempty" json:"BucketId,omitempty"`
	Whitelisted bool                     `yaml:"Whitelisted,omitempty" json:"Whitelisted,omitempty"`
	Reprocess   bool                     `yaml:"Reprocess,omitempty" json:"Reprocess,omitempty"`
	Sources     map[string]models.Source `yaml:"Sources,omitempty" json:"Sources,omitempty"` // keyed sources; GetSources lists them
	Alert       *models.Alert            `yaml:"Alert,omitempty" json:"Alert,omitempty"` // this one is a pointer to APIAlerts[0] for convenience.
	// APIAlerts will be populated at the end when there is more than one source
	APIAlerts []models.Alert `yaml:"APIAlerts,omitempty" json:"APIAlerts,omitempty"`
}

func (RuntimeAlert) GetSources added in v1.2.1

func (r RuntimeAlert) GetSources() []string

type ScopeType added in v1.0.0

// ScopeType declares, from configuration, how the scope of a bucket's
// decision is determined: a scope name plus an optional filter expression.
type ScopeType struct {
	// Scope is the scope name (yaml "type"); see the Ip/Range/... constants.
	Scope string `yaml:"type"`
	// Filter is the expression source text (yaml "expression").
	Filter string `yaml:"expression"`
	// RunTimeFilter is presumably the compiled form of Filter; it has no yaml
	// tag, so it is built at runtime rather than read from configuration.
	RunTimeFilter *vm.Program
}

To be moved into the leakybuckets package.
