suricata

package

Documentation

Index

Constants

// Protocol keywords as written in a rule header (the token after the action,
// e.g. "alert tcp ..."). The values are the lowercase rule-text spellings;
// presumably they are what Parse stores in Rule.Protocol — confirm there.
const (
	TCP  = "tcp"
	UDP  = "udp"
	ICMP = "icmp"
	DNS  = "dns"
	HTTP = "http"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type AddressRule

// AddressRule is the parsed form of one address field of a rule header
// (source or destination). A single rule is either an "any" match, one
// CIDR, a variable reference, or a group whose members live in SubRules;
// Negative inverts the result of Match.
type AddressRule struct {
	// Any and Negative are qualifiers on the rule (original comment: "these
	// two are modifiers"): Any matches every address, Negative negates the match.
	Any      bool
	Negative bool

	// Presumably at most one of these is set for a concrete address rule and
	// both are empty when Any is set or SubRules is used — confirm in VisitAddress.
	IPv4CIDR string
	IPv6CIDR string

	// SubRules holds the members of a grouped address expression; Match is
	// expected to evaluate them as alternatives — TODO confirm.
	SubRules []*AddressRule

	// Env is the name of a rule variable that must be resolved against
	// RuleSyntaxVisitor.Environment; where that resolution happens is not
	// visible here — confirm before relying on an unresolved rule matching.
	Env string
	// contains filtered or unexported fields
}

func (*AddressRule) GetLocalIPAddress

func (r *AddressRule) GetLocalIPAddress() string

func (*AddressRule) Match added in v1.2.3

func (a *AddressRule) Match(i string) bool

type ContentRule

// ContentRule is one payload-matching clause of a rule: a content or pcre
// keyword together with the position constraints and buffer modifier that
// apply to it. Fields marked "won't support" are parsed for completeness but
// have no effect on matching.
type ContentRule struct {
	// Negative inverts the match ("content:!..."); Content is the literal
	// byte sequence to look for (binary escapes already decoded, presumably).
	Negative bool
	Content  []byte

	// payload config: position constraints relative to the buffer or to the
	// previous ContentRule. nil pointers mean "not specified".
	Nocase     bool // case insensitive
	Depth      *int // search only the first Depth bytes
	Offset     *int // start searching at Offset
	StartsWith bool // Content must begin the buffer
	EndsWith   bool // Content must end the buffer
	Distance   *int // minimum gap after the previous match
	Within     *int // maximum span after the previous match
	// no effect
	RawBytes bool
	IsDataAt string
	BSize    string
	DSize    string
	// won't support
	ByteTest string
	// won't support
	ByteMath string
	// won't support
	ByteJump string
	// won't support
	ByteExtract string
	// won't support
	RPC string // sunrpc call
	// won't support
	Replace []byte
	// PCRE is the raw pattern text; it is compiled by ParsePCREStr elsewhere.
	// NOTE(review): rule files are an input boundary — when rules come from a
	// third party, confirm ParsePCREStr limits pattern complexity/backtracking.
	PCRE        string
	FastPattern bool // hint only; does not change what matches

	// Flow/state bookkeeping keywords kept as raw option text, e.g set,bihinder3
	FlowBits     string
	FlowInt      string
	XBits        string
	NoAlert      bool
	Base64Decode string
	Base64Data   bool

	// ExtraFlags collects option tokens that were recognised but not mapped
	// to a dedicated field.
	ExtraFlags []string

	// Modifier selects the buffer this clause is matched against (see Modifier).
	Modifier Modifier
}

func (*ContentRule) PCREStringGenerator

func (c *ContentRule) PCREStringGenerator(count int) []*ContentRule

type ContentRuleConfig

// ContentRuleConfig gathers everything from a rule's option section that
// constrains matching: flow state, thresholding, per-layer header checks and
// the ordered list of payload clauses. Nil sub-configs mean "not specified".
type ContentRuleConfig struct {
	// Flow carries the flow:… direction/state keywords.
	Flow *FlowRule

	// Thresholding carries the threshold:… keyword (see ThresholdingConfig).
	Thresholding *ThresholdingConfig

	/* DNS Config */
	DNS *DNSRule

	/* HTTP Config */
	HTTPConfig *HTTPConfig

	/* IP */
	IPConfig *IPLayerRule

	/* TCP */
	TcpConfig *TCPLayerRule

	/* UDP */
	UdpConfig *UDPLayerRule

	/* ICMP */
	IcmpConfig *ICMPLayerRule

	/* Payload Match: clauses in rule order, so Distance/Within of a clause
	   refer to the clause before it. */
	ContentRules []*ContentRule

	// PrefilterRule is a contentRuleConfig with no more than a single config.
	// Not implemented yet; always nil as far as this listing shows.
	PrefilterRule *ContentRuleConfig
}

type DNSRule

// DNSRule holds the DNS-layer option of a rule: the expected opcode and
// whether that check is negated.
type DNSRule struct {
	OpcodeNegative bool // true when the keyword was written with "!"
	Opcode         int  // DNS header opcode to compare against
}

type FlowRule

// FlowRule holds the flow:… keyword flags. ToClient and ToServer describe
// direction; Established requires the flow to be past its handshake.
// Nothing here shows whether both directions set at once is rejected — confirm in VisitParams.
type FlowRule struct {
	ToClient    bool
	Established bool
	ToServer    bool
}

type HTTPConfig added in v1.2.4

// HTTPConfig holds the HTTP-layer options of a rule that are not expressed
// as a ContentRule with an HTTP Modifier.
type HTTPConfig struct {
	// Uricontent is the legacy uricontent keyword: deprecated and not implemented,
	// kept only so the option is accepted by the parser.
	Uricontent string

	// UrilenOp encodes the urilen comparison:
	//   0 = not set
	//   1 = equal to UrilenNum1
	//   2 = bigger than UrilenNum1
	//   3 = smaller than UrilenNum1
	//   4 = between UrilenNum1 and UrilenNum2
	// (inclusive/exclusive bounds are not visible here — confirm in Match).
	UrilenOp   int
	UrilenNum1 int
	UrilenNum2 int
}

type ICMPLayerRule

// ICMPLayerRule holds the ICMP header options of a rule. String-typed fields
// keep the raw option text (these keywords allow ranges/operators), integer
// fields hold a single expected value.
type ICMPLayerRule struct {
	IType        string // itype keyword, raw text
	ICode        string // icode keyword, raw text
	ICMPId       int    // icmp_id keyword
	ICMPSeq      int    // icmp_seq keyword
	ICMPv4Header bool   // icmpv4.hdr sticky buffer requested
	ICMPv6Header bool   // icmpv6.hdr sticky buffer requested
	ICMPv6MTU    string // icmpv6.mtu keyword, raw text
}

type IPLayerRule

// IPLayerRule holds the IP header options of a rule. String-typed fields keep
// the raw option text; only TTL and Id are parsed to integers here.
type IPLayerRule struct {
	TTL int // ttl keyword
	/*
		IPOpts is the ipopts keyword value; accepted names:

		IP Option	Description
		rr	Record Route
		eol	End of List
		nop	No Op
		ts	Time Stamp
		sec	IP Security
		esec	IP Extended Security
		lsrr	Loose Source Routing
		ssrr	Strict Source Routing
		satid	Stream Identifier
		any	any IP options are set
	*/
	IPOpts     string
	Sameip     bool   // sameip keyword: source and destination address equal
	IPProto    string // ip_proto keyword, raw text (name or number)
	Id         int    // id keyword: IP identification field
	Geoip      string // geoip keyword, raw text
	FragBits   string // fragbits keyword, raw text
	FragOffset string // fragoffset keyword, raw text
	Tos        string // tos keyword, raw text
}

type Modifier added in v1.2.4

// Modifier identifies the buffer a ContentRule is matched against — the
// content-modifier / sticky-buffer keywords of the rule language. Default
// means the plain packet payload; the other values name a decoded HTTP, DNS
// or IP field. Values are positional (iota), so do not reorder them if they
// are persisted anywhere.
type Modifier uint32
const (
	Default Modifier = iota

	// http req: fields of the request
	HTTPUri
	HTTPUriRaw
	HTTPMethod
	HTTPRequestLine
	HTTPRequestBody
	HTTPUserAgent
	HTTPHost
	HTTPHostRaw
	HTTPAccept
	HTTPAcceptLang
	HTTPAcceptEnc
	HTTPReferer

	// http resp: fields of the response
	HTTPStatMsg
	HTTPStatCode
	HTTPResponseLine
	HTTPResponseBody
	HTTPServer
	HTTPLocation

	// http common: present in both directions
	HTTPHeader
	HTTPHeaderRaw
	HTTPCookie
	HTTPConnection
	FileData
	HTTPContentType
	HTTPContentLen
	HTTPStart
	HTTPProtocol
	HTTPHeaderNames

	// DNS
	DNSQuery

	// IP: raw header bytes
	IPv4HDR
	IPv6HDR
)

type PCRE added in v1.2.5

// PCRE is a compiled pcre:… pattern. Instances are created with ParsePCREStr
// and queried with Match; all state is unexported, so the zero value is not
// usable.
type PCRE struct {
	// contains filtered or unexported fields
}

func ParsePCREStr added in v1.2.5

func ParsePCREStr(pattern string) (*PCRE, error)

func (*PCRE) Match added in v1.2.5

func (p *PCRE) Match(content []byte) []matched

type PortRule

// PortRule is the parsed form of one port field of a rule header (source or
// destination): an "any" match, an explicit list of ports, a variable
// reference, or a group of Rules. Negative inverts the result of Match.
type PortRule struct {
	Any      bool // matches every port
	Negative bool // negates the match ("!...")

	// Ports lists the concrete ports this rule accepts; how a range such as
	// "1000:2000" is represented (expanded or kept in unexported fields) is
	// not visible here — confirm in VisitPortRule.
	Ports []int

	// Rules holds the members of a grouped port expression.
	Rules []*PortRule

	// Env is the name of a rule variable to be resolved from
	// RuleSyntaxVisitor.Environment — TODO confirm where it is resolved.
	Env string
	// contains filtered or unexported fields
}

func (*PortRule) GetAvailablePort

func (r *PortRule) GetAvailablePort() uint32

func (*PortRule) GetHighPort

func (r *PortRule) GetHighPort() uint32

func (*PortRule) Match added in v1.2.3

func (p *PortRule) Match(i int) bool

type Rule

// Rule is one fully parsed signature: the header (action, protocol, addresses
// and ports), the identifying metadata from the option section, and the
// matching constraints collected in ContentRuleConfig. Rules are produced by
// Parse and evaluated with Match.
type Rule struct {
	Raw                string       `json:"raw"`      // original rule text as parsed
	Message            string       `json:"message"`  // msg keyword
	Action             string       `json:"action"`   // alert/drop/pass/… header token
	Protocol           string       `json:"protocol"` // header protocol, see the TCP/UDP/ICMP/DNS/HTTP constants
	SourceAddress      *AddressRule `json:"source_address"`
	DestinationAddress *AddressRule `json:"destination_address"`
	SourcePort         *PortRule    `json:"source_port"`
	DestinationPort    *PortRule    `json:"destination_port"`

	// Identity and classification keywords. Only the header fields above carry
	// JSON tags, so these serialise under their Go names.
	Sid       int               // sid keyword: signature id
	Rev       int               // rev keyword: revision
	Gid       int               // gid keyword: generator id
	ClassType string            // classtype keyword
	Reference map[string]string // reference keyword, scheme -> value
	Priority  int               // priority keyword
	Metadata  []string          // metadata keyword, raw entries
	Target    string            // target keyword: src_ip/dest_ip

	// ContentRuleConfig holds every option that constrains matching.
	ContentRuleConfig *ContentRuleConfig
}

func Parse

func Parse(data string, envs ...string) ([]*Rule, error)

func (*Rule) Match added in v1.2.4

func (r *Rule) Match(flow []byte) bool

Match reports whether the given flow matches the rule.

type RuleSyntaxVisitor

// RuleSyntaxVisitor walks the ANTLR parse tree of a rule file and builds
// Rules. Parse errors are accumulated in Errors rather than aborting the
// walk; use MergeErrors or ShowErrors to surface them.
type RuleSyntaxVisitor struct {
	Raw    []byte  // the rule text being visited
	Errors []error // errors collected via Errorf during the walk
	Rules  []*Rule // rules produced so far

	// Environment holds the rule variable definitions (original comment:
	// "set environment variable rules"), name -> value, used to resolve
	// $VAR references in address and port fields.
	Environment map[string]string
}

func (*RuleSyntaxVisitor) Errorf

func (r *RuleSyntaxVisitor) Errorf(msg string, items ...interface{})

func (*RuleSyntaxVisitor) MergeErrors

func (r *RuleSyntaxVisitor) MergeErrors() error

func (*RuleSyntaxVisitor) ShowErrors

func (r *RuleSyntaxVisitor) ShowErrors()

func (*RuleSyntaxVisitor) VisitAddress

func (v *RuleSyntaxVisitor) VisitAddress(i *parser.AddressContext) *AddressRule

func (*RuleSyntaxVisitor) VisitDstAddress

func (v *RuleSyntaxVisitor) VisitDstAddress(i *parser.Dest_addressContext) *AddressRule

func (*RuleSyntaxVisitor) VisitDstPort

func (v *RuleSyntaxVisitor) VisitDstPort(i *parser.Dest_portContext) *PortRule

func (*RuleSyntaxVisitor) VisitParams

func (r *RuleSyntaxVisitor) VisitParams(i *parser.ParamsContext, rule *Rule)

func (*RuleSyntaxVisitor) VisitPortRule

func (v *RuleSyntaxVisitor) VisitPortRule(i *parser.PortContext) *PortRule

func (*RuleSyntaxVisitor) VisitRule

func (r *RuleSyntaxVisitor) VisitRule(rule *parser.RuleContext) interface{}

func (*RuleSyntaxVisitor) VisitRules

func (r *RuleSyntaxVisitor) VisitRules(ctx *parser.RulesContext) interface{}

func (*RuleSyntaxVisitor) VisitSrcAddress

func (v *RuleSyntaxVisitor) VisitSrcAddress(i *parser.Src_addressContext) *AddressRule

func (*RuleSyntaxVisitor) VisitSrcPort

func (v *RuleSyntaxVisitor) VisitSrcPort(i *parser.Src_portContext) *PortRule

type TCPLayerRule

// TCPLayerRule holds the TCP header options of a rule. Window is compared
// directly; NegativeWindow inverts that comparison. TCPMss and Flags keep
// the raw option text.
type TCPLayerRule struct {
	Seq            int    // seq keyword
	Ack            int    // ack keyword
	NegativeWindow bool   // window keyword written with "!"
	Window         int    // window keyword
	TCPMss         string // tcp.mss keyword, raw text
	TCPHeader      bool   // tcp.hdr sticky buffer requested
	Flags          string // flags keyword, raw text
}

type ThresholdingConfig

// ThresholdingConfig holds the threshold:… keyword: how many times (Count)
// within how long (Seconds) a rule must fire, tracked per Track, before it
// alerts. ThresholdMode and LimitMode reflect the type: field; Repeat derives
// the effective count from them — see its implementation for the exact rule.
type ThresholdingConfig struct {
	ThresholdMode bool   // type threshold
	LimitMode     bool   // type limit
	Count         int    // count value
	Seconds       int    // seconds value
	Track         string // track value, e.g. by_src/by_dst (raw text)
}

func (*ThresholdingConfig) Repeat

func (t *ThresholdingConfig) Repeat() int

type UDPLayerRule

// UDPLayerRule holds the UDP header options of a rule; currently only whether
// the udp.hdr sticky buffer was requested.
type UDPLayerRule struct {
	UDPHeader bool
}
