elastic

package
v0.0.0-...-bf86773 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 25, 2024 License: GPL-2.0 Imports: 24 Imported by: 0

Documentation

Index

Constants

View Source 
const AUDIT_DOC_ID = "audit_doc_id"
View Source 
const DEFAULT_ASYNC_THRESHOLD = 10
View Source 
const DEFAULT_CACHE_MS = 86400000
View Source 
const DEFAULT_CASE_ASSOCIATIONS_MAX = 1000
View Source 
const DEFAULT_CASE_AUDIT_INDEX = "*:so-casehistory"
View Source 
const DEFAULT_CASE_INDEX = "*:so-case"
View Source 
const DEFAULT_CASE_SCHEMA_PREFIX = "so_"
View Source 
const DEFAULT_DURATION_MS = 1800000
View Source 
const DEFAULT_ES_SEARCH_OFFSET_MS = 1800000
View Source 
const DEFAULT_INDEX = "*:so-*"
View Source 
const DEFAULT_INTERVALS = 25
View Source 
const DEFAULT_MAX_LOG_LENGTH = 1024
View Source 
const DEFAULT_TIMEOUT_MS = 300000
View Source 
const DEFAULT_TIME_SHIFT_MS = 120000
View Source 
const LONG_STRING_MAX = 1000000
View Source 
const MAX_ARRAY_ELEMENTS = 50
View Source 
const MAX_ERROR_LENGTH = 4096
View Source 
const SHORT_STRING_MAX = 100

Variables

This section is empty.

Functions

func NewElasticTransport 

func NewElasticTransport(user string, pass string, timeoutMs time.Duration, verifyCert bool) http.RoundTripper

Types

type Elastic 

type Elastic struct {
	// contains filtered or unexported fields
}

func NewElastic 

func NewElastic(srv *server.Server) *Elastic

func (*Elastic) Init 

func (elastic *Elastic) Init(cfg module.ModuleConfig) error

func (*Elastic) IsRunning 

func (somodule *Elastic) IsRunning() bool

func (*Elastic) PrerequisiteModules 

func (elastic *Elastic) PrerequisiteModules() []string

func (*Elastic) Start 

func (elastic *Elastic) Start() error

func (*Elastic) Stop 

func (elastic *Elastic) Stop() error

type ElasticCasestore 

type ElasticCasestore struct {
	// contains filtered or unexported fields
}

func NewElasticCasestore 

func NewElasticCasestore(srv *server.Server) *ElasticCasestore

func (*ElasticCasestore) Create 

func (store *ElasticCasestore) Create(ctx context.Context, socCase *model.Case) (*model.Case, error)

func (*ElasticCasestore) CreateArtifact 

func (store *ElasticCasestore) CreateArtifact(ctx context.Context, artifact *model.Artifact) (*model.Artifact, error)

func (*ElasticCasestore) CreateArtifactStream 

func (store *ElasticCasestore) CreateArtifactStream(ctx context.Context, artifactstream *model.ArtifactStream) (string, error)

func (*ElasticCasestore) CreateComment 

func (store *ElasticCasestore) CreateComment(ctx context.Context, comment *model.Comment) (*model.Comment, error)

func (*ElasticCasestore) CreateRelatedEvent 

func (store *ElasticCasestore) CreateRelatedEvent(ctx context.Context, event *model.RelatedEvent) (*model.RelatedEvent, error)

func (*ElasticCasestore) DeleteArtifact 

func (store *ElasticCasestore) DeleteArtifact(ctx context.Context, id string) error

func (*ElasticCasestore) DeleteArtifactStream 

func (store *ElasticCasestore) DeleteArtifactStream(ctx context.Context, id string) error

func (*ElasticCasestore) DeleteComment 

func (store *ElasticCasestore) DeleteComment(ctx context.Context, id string) error

func (*ElasticCasestore) DeleteRelatedEvent 

func (store *ElasticCasestore) DeleteRelatedEvent(ctx context.Context, id string) error

func (*ElasticCasestore) GetArtifact 

func (store *ElasticCasestore) GetArtifact(ctx context.Context, id string) (*model.Artifact, error)

func (*ElasticCasestore) GetArtifactStream 

func (store *ElasticCasestore) GetArtifactStream(ctx context.Context, id string) (*model.ArtifactStream, error)

func (*ElasticCasestore) GetArtifacts 

func (store *ElasticCasestore) GetArtifacts(ctx context.Context, caseId string, groupType string, groupId string) ([]*model.Artifact, error)

func (*ElasticCasestore) GetCase 

func (store *ElasticCasestore) GetCase(ctx context.Context, id string) (*model.Case, error)

func (*ElasticCasestore) GetCaseHistory 

func (store *ElasticCasestore) GetCaseHistory(ctx context.Context, caseId string) ([]interface{}, error)

func (*ElasticCasestore) GetComment 

func (store *ElasticCasestore) GetComment(ctx context.Context, id string) (*model.Comment, error)

func (*ElasticCasestore) GetComments 

func (store *ElasticCasestore) GetComments(ctx context.Context, caseId string) ([]*model.Comment, error)

func (*ElasticCasestore) GetRelatedEvent 

func (store *ElasticCasestore) GetRelatedEvent(ctx context.Context, id string) (*model.RelatedEvent, error)

func (*ElasticCasestore) GetRelatedEvents 

func (store *ElasticCasestore) GetRelatedEvents(ctx context.Context, caseId string) ([]*model.RelatedEvent, error)

func (*ElasticCasestore) Init 

func (store *ElasticCasestore) Init(index string, auditIndex string, maxAssociations int, schemaPrefix string) error

func (*ElasticCasestore) Update 

func (store *ElasticCasestore) Update(ctx context.Context, socCase *model.Case) (*model.Case, error)

func (*ElasticCasestore) UpdateArtifact 

func (store *ElasticCasestore) UpdateArtifact(ctx context.Context, artifact *model.Artifact) (*model.Artifact, error)

func (*ElasticCasestore) UpdateComment 

func (store *ElasticCasestore) UpdateComment(ctx context.Context, comment *model.Comment) (*model.Comment, error)

type ElasticEventstore 

type ElasticEventstore struct {
	// contains filtered or unexported fields
}

func NewElasticEventstore 

func NewElasticEventstore(srv *server.Server) *ElasticEventstore

func (*ElasticEventstore) Acknowledge 

func (store *ElasticEventstore) Acknowledge(ctx context.Context, ackCriteria *model.EventAckCriteria) (*model.EventUpdateResults, error)

func (*ElasticEventstore) Delete 

func (store *ElasticEventstore) Delete(ctx context.Context, index string, id string) error

func (*ElasticEventstore) Index 

func (store *ElasticEventstore) Index(ctx context.Context, index string, document map[string]interface{}, id string) (*model.EventIndexResults, error)

func (*ElasticEventstore) Init 

func (store *ElasticEventstore) Init(hostUrl string,
	remoteHosts []string,
	user string,
	pass string,
	verifyCert bool,
	timeShiftMs int,
	defaultDurationMs int,
	esSearchOffsetMs int,
	timeoutMs int,
	cacheMs int,
	index string,
	asyncThreshold int,
	intervals int,
	maxLogLength int) error

func (*ElasticEventstore) PopulateJobFromDocQuery 

func (store *ElasticEventstore) PopulateJobFromDocQuery(ctx context.Context, idField string, idValue string, timestampStr string, job *model.Job) error
  • Fetch record via provided Elasticsearch document query.
  • If the record has a tunnel_parent, search for a UID=tunnel_parent[0]
  • - If found, discard original record and replace with the new record
  • If the record has source IP/port and destination IP/port, use it as the filter.
  • Else if the record has a Zeek x509 "ID" search for the first Zeek record with this ID.
  • Else if the record has a Zeek file "FUID" search for the first Zeek record with this FUID.
  • Search for the Zeek record with a matching log.id.uid equal to the UID from the previously found record
  • - If multiple UIDs exist in the record, use the first UID in the list.
  • Review the results from the Zeek search and find the record with the timestamp nearest to the original ES ID record and use the IP/port details as the filter.

func (*ElasticEventstore) Search 

func (store *ElasticEventstore) Search(ctx context.Context, criteria *model.EventSearchCriteria) (*model.EventSearchResults, error)

func (*ElasticEventstore) Update 

func (store *ElasticEventstore) Update(ctx context.Context, criteria *model.EventUpdateCriteria) (*model.EventUpdateResults, error)

type ElasticTransport 

type ElasticTransport struct {
	// contains filtered or unexported fields
}

func (*ElasticTransport) RoundTrip 

func (transport *ElasticTransport) RoundTrip(req *http.Request) (*http.Response, error)

type FieldDefinition 

type FieldDefinition struct {
	// contains filtered or unexported fields
}

type JobLookupHandler 

type JobLookupHandler struct {
	web.BaseHandler
	// contains filtered or unexported fields
}

func NewJobLookupHandler 

func NewJobLookupHandler(srv *server.Server, store *ElasticEventstore) *JobLookupHandler

func (*JobLookupHandler) HandleNow 

func (handler *JobLookupHandler) HandleNow(ctx context.Context, writer http.ResponseWriter, request *http.Request) (int, interface{}, error)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.