Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
var (
	// UserAgentCache holds the user agents parsed so far during this run,
	// keyed by string.
	// NOTE(review): if the keys are raw User-Agent values taken from captured
	// traffic, the key space is chosen by whoever produced that traffic and
	// nothing visible here bounds the map; confirm the insert path has a size
	// cap or eviction. A plain map is also unsafe for concurrent writes, so
	// confirm every access is made under a lock.
	UserAgentCache = map[string]*userAgent{}

	// RegexGenericVersion matches, line by line, any text that contains a
	// dotted three-part number. It captures the text before the number, the
	// three numeric parts, and the text after it, as a candidate
	// product / version indicator.
	RegexGenericVersion = regexp.MustCompile(`(?m)(?:^)(.*?)(\d+)\.(\d+)\.(\d+)(.*?)(?:$)`)
)
var (
	// Store is the shared atomicSoftwareMap of this package. Its Items map
	// starts out empty and holds *AtomicSoftware values keyed by string.
	Store = &atomicSoftwareMap{
		Items: map[string]*AtomicSoftware{},
	}

	// UserAgentParserMutex serializes access to the user agent parser.
	UserAgentParserMutex sync.Mutex

	// HashDBMap maps HASSH digests to the software products associated with
	// them. It is declared without a value, so it is nil until it is
	// assigned at runtime.
	HashDBMap map[string][]sshSoftware
)
// CMSCookies is the set of cookie names that identify CMSs and frontend
// frameworks. It starts out empty.
// NOTE(review): nothing here says when the set is filled; confirm it is not
// written after startup before reading it without a lock.
var CMSCookies = map[string]struct{}{}
CMSCookies contains the names of cookies that identify CMSs and frontend frameworks.
// CMSHeaders is the set of header names that identify Content Management
// Systems and web servers. The names are loaded from the CMS JSON db.
// The map is populated once at init and is not supposed to change during
// runtime; lock-free concurrent reads are safe only while that holds.
var CMSHeaders = map[string]struct{}{}
CMSHeaders is the list of identifying headers for Content Management Systems and web servers. The header names are loaded from the CMS JSON db. This map is populated once at init and is not supposed to change during runtime, so it is safe for concurrent access.
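// Decoder is the Software decoder: it describes a software product that was
// observed on the network and writes the resulting audit records through the
// decoder's writer.
var Decoder = &decoder.AbstractDecoder{
	Type:        types.Type_NC_Software,
	Name:        "Software",
	Description: "A software product that was observed on the network",

	// PostInit sets up the logger and loads every lookup database the decoder
	// relies on: the JA3/JA3S server fingerprints, the HASSH digests, the CMS
	// database and the vulnerability bleve index. Any failure aborts
	// initialization and is returned to the caller.
	PostInit: func(d *decoder.AbstractDecoder) error {
		var err error

		softwareLog, _, err = logger.InitZapLogger(
			decoderconfig.Instance.Out,
			"software",
			decoderconfig.Instance.Debug,
		)
		if err != nil {
			return err
		}

		// Surface a user agent parser error that was recorded outside this block.
		if errInitUAParser != nil {
			return errInitUAParser
		}

		ja3Path := filepath.Join(resolvers.DataBaseFolderPath, "ja_3_3s.json")

		data, err := ioutil.ReadFile(ja3Path)
		if err != nil {
			return err
		}

		// A decode error carries no file name of its own, so name the database
		// that failed to parse.
		if err = json.Unmarshal(data, &ja3db.Servers); err != nil {
			return errors.Wrap(err, "failed to parse JA3/JA3S database at: "+ja3Path)
		}

		hasshPath := filepath.Join(resolvers.DataBaseFolderPath, "hasshdb.json")

		data, err = ioutil.ReadFile(hasshPath)
		if err != nil {
			return err
		}

		if err = json.Unmarshal(data, &hasshDB); err != nil {
			return errors.Wrap(err, "failed to parse HASSH database at: "+hasshPath)
		}

		// Index the HASSH entries by digest for direct lookup.
		HashDBMap = make(map[string][]sshSoftware, len(hasshDB))
		for _, v := range hasshDB {
			HashDBMap[v.Hash] = v.Software
		}

		softwareLog.Info("loaded HASSH digests", zap.Int("total", len(HashDBMap)))

		if err = loadCmsDB(); err != nil {
			return errors.Wrap(err, "failed to load CMS database")
		}

		softwareLog.Info("loaded CMS db", zap.Int("total", len(cmsDB)))

		indexName := filepath.Join(resolvers.DataBaseFolderPath, db.VulnerabilityDBName)

		db.VulnerabilitiesIndex, err = db.OpenBleve(indexName)
		if err != nil {
			// Leave no half-initialized index behind for later lookups.
			db.VulnerabilitiesIndex = nil

			return errors.Wrap(err, "failed to open vulnerability bleve index at: "+indexName)
		}

		softwareLog.Info("loaded Ja3/ja3S database", zap.Int("total_records", len(ja3db.Servers)))

		return nil
	},

	// DeInit flushes every item held in Store to the audit record writer,
	// closes the vulnerability index and syncs the logger. Write failures are
	// logged and do not stop the flush.
	DeInit: func(e *decoder.AbstractDecoder) error {
		// NOTE(review): Store.Items is ranged here without any lock on Store
		// itself; confirm no other goroutine can still modify the map at
		// shutdown.
		for _, item := range Store.Items {
			item.Lock()

			if err := e.Writer.Write(item.Software); err != nil {
				softwareLog.Error("failed to flush software audit record", zap.Error(err))
			} else {
				// Count only records that actually reached the writer, so the
				// total does not overstate what was persisted.
				atomic.AddInt64(&e.NumRecordsWritten, 1)
			}

			item.Unlock()
		}

		db.CloseBleve(db.VulnerabilitiesIndex)

		return softwareLog.Sync()
	},
}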
Decoder for protocol analysis and writing audit records to disk.
Functions ¶
func ParseUserAgent ¶
func ParseUserAgent(ua string) *userAgent
ParseUserAgent processes a raw user agent string and returns a structured instance.
func WriteSoftware ¶
func WriteSoftware(software []*AtomicSoftware, update func(s *AtomicSoftware))
WriteSoftware can be used to write software to the software audit record writer.
Types ¶
type AtomicSoftware ¶
AtomicSoftware wraps a types.Software to provide atomic access.
func WhatSoftwareHTTP ¶
func WhatSoftwareHTTP(flowIdent string, h *types.HTTP) (s []*AtomicSoftware)
WhatSoftwareHTTP TODO: pass in the device profile.