hidsevent

package

Documentation

Index

Constants

// Operation names used for filesystem change notifications.
//
// FsNotifyOpToString (declared in this package, body not shown here)
// presumably maps an fsnotify.Op onto one of these strings. FsNotifyChange
// and FsNotifyTouch have no fsnotify.Op of the same name, so where they are
// produced cannot be seen from this file. These are untyped string
// constants; FileChangeInfo.Op is likely meant to carry one of them —
// confirm against the emitter.
const (
	FsNotifyCreate = "create"
	FsNotifyWrite  = "write"
	FsNotifyRename = "rename"
	FsNotifyRemove = "remove"
	FsNotifyChmod  = "chmod"
	FsNotifyChange = "change"
	FsNotifyTouch  = "touch"
)

Variables

This section is empty.

Functions

func FsNotifyOpToString

func FsNotifyOpToString(i fsnotify.Op) string

func GetKeyAllValue

func GetKeyAllValue(c *ssh_config.Config, alias, key string, spiStr string) string

func GetSSHConfigValue

func GetSSHConfigValue(filePath string, alias, key string) string

func GetSSHVersion

func GetSSHVersion(ctx context.Context) (string, error)

Types

type BootSoftware

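// BootSoftware describes one program that is started at boot.
//
// The original declaration carried the malformed struct tag `exe"`, which
// reflect.StructTag cannot parse (go vet reports it as bad tag syntax), so
// the field was marshalled under its Go name "Exe" while every other type in
// this package uses snake_case keys. The tag is now json:"exe"; a consumer
// that had adapted to the "Exe" key must be updated alongside this change.
type BootSoftware struct {
	Exe  string `json:"exe"`  // presumably the executable path — confirm with the collector
	Name string `json:"name"` // human-readable name of the software
}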

type BootSoftwareInfo

// BootSoftwareInfo is the payload listing boot-time software; by its name
// it is the content of a HIDSEvent_BootSoftware message, but the
// emitter is not visible here.
type BootSoftwareInfo struct {
	Software []BootSoftware `json:"software"`
}

type ConnectionEvent

// ConnectionEvent reports that a single connection appeared or vanished.
// EventName is one of the ConnectionEventType constants.
//
// Connection carries no json tag, so it is encoded under the Go field name
// "Connection" rather than the snake_case keys used elsewhere in this
// package. Left unchanged because renaming the key alters the wire format;
// check what the consumer expects before aligning it.
type ConnectionEvent struct {
	EventName  ConnectionEventType `json:"event_name"`
	Connection *ConnectionStat
}

type ConnectionEventType

// ConnectionEventType names the kind of change a ConnectionEvent reports.
type ConnectionEventType string

// Known ConnectionEventType values. Declared as constants, unlike the
// HIDSEvent / HIDSConfigType sets in this package, which are vars.
const (
	ConnectionEventType_New       ConnectionEventType = "new"       // connection seen for the first time
	ConnectionEventType_Disappear ConnectionEventType = "disappear" // previously seen connection is gone
)

type ConnectionInfo

// ConnectionInfo is a snapshot of a host's sockets, split into established,
// listening and "extra" sets; how a socket is classified as extra is not
// visible in this file.
//
// Count has no json tag and is therefore encoded as "Count", whereas
// ProcessInfo tags its Count field as "count". Left as-is to preserve the
// wire format; worth aligning once the consumer side has been checked.
type ConnectionInfo struct {
	Count            int
	EstablishedConns []*ConnectionStat `json:"established_conns"`
	ListenedConns    []*ConnectionStat `json:"listened_conns"`
	ExtraConns       []*ConnectionStat `json:"extra_conns"`
}

type ConnectionStat

// ConnectionStat describes one socket observed on the host.
//
// Laddr and Raddr are plain strings (presumably "host:port" text produced by
// the collector — not verified here). Status is the socket state; the
// HIDSEvent_Connections notes in this package single out "LISTEN" as the
// value that identifies local listening ports.
type ConnectionStat struct {
	Fd     uint32  `json:"fd"`         // file descriptor number in the owning process
	Family string  `json:"family"`     // address family, as a string
	Type   string  `json:"type"`       // socket type, as a string
	Laddr  string  `json:"localaddr"`  // local address
	Raddr  string  `json:"remoteaddr"` // remote address
	Status string  `json:"status"`     // socket state
	Uids   []int32 `json:"uids"`       // uids associated with the socket
	Pid    int32   `json:"pid"`        // owning process id
}

type CrontabInfo

// CrontabInfo is the payload of a crontab report (by name the content of a
// HIDSEvent_Crontab message) and holds one CrontabNode per entry.
type CrontabInfo struct {
	Info []CrontabNode `json:"info"`
}

type CrontabNode

// CrontabNode is one scheduled entry: Cron is the schedule expression and
// Cmd the command as found in the crontab source. What Software identifies
// (the binary invoked? the package owning the file?) is not visible here.
//
// Cron and Cmd are copied from files on the monitored host; a receiver
// should treat them as untrusted text when rendering or logging them.
type CrontabNode struct {
	Cron     string `json:"cron"`
	Cmd      string `json:"cmd"`
	Software string `json:"software"`
}

type FileChangeInfo

// FileChangeInfo describes a change to a watched file: its path and name,
// the operation (presumably one of the FsNotify* strings), and the mode,
// content and modification time before and after the change.
//
// OriginData and CurrentData carry the full file bytes (encoding/json emits
// []byte as base64). The HIDSEvent_FileChanged notes in this package list
// /etc and ~/.ssh among the default watch roots, so these payloads can
// include credential material and can be large; wherever this struct is
// serialised or stored, size caps and redaction are worth considering.
type FileChangeInfo struct {
	IsDir             bool        `json:"is_dir"`
	Path              string      `json:"path"`
	Name              string      `json:"name"`
	CurrentFileMode   os.FileMode `json:"current_file_mode"` // os.FileMode marshals as its integer value
	OriginFileMode    os.FileMode `json:"origin_file_mode"`
	Op                string      `json:"op"`
	OriginData        []byte      `json:"origin_data"`
	CurrentData       []byte      `json:"current_data"`
	OriginModifyTime  time.Time   `json:"origin_modify_time"`
	CurrentModifyTime time.Time   `json:"current_modify_time"`
}

type HIDSConfig

// HIDSConfig is a typed configuration envelope. Type selects which
// concrete struct (HIDSConfigBase, HIDSConfigWatchFile, ...) Content
// decodes into; Content is kept as json.RawMessage so that decision can be
// made after the envelope is parsed.
//
// The code that performs the second decode is not in this file; it should
// dispatch on Type and reject values it does not recognise rather than
// decode Content speculatively.
type HIDSConfig struct {
	Type    HIDSConfigType  `json:"config_type"`
	Content json.RawMessage `json:"content"`
}

type HIDSConfigBase

// HIDSConfigBase holds the agent's tunables: monitor intervals, the
// thresholds for failed-login handling, and the paths of the log and
// config files the agent reads.
//
// Notes for maintainers:
//   - every tag has a trailing space inside the back-quotes; reflect.StructTag
//     tolerates it, but it is unusual and easy to break when editing.
//   - UserLoginFailCheckInterval is keyed "user_login_fail_check_nterval"
//     (missing "i"). It is left exactly as-is because it is the wire key the
//     other side already uses; fix both ends together if at all.
//   - The *FilePath fields name files the agent will open. If this struct is
//     delivered from the server side (the HIDSEvent_RequestConfig /
//     HIDSEvent_Notify_Config events suggest it may be), the receiving code
//     should validate those paths before use — not verifiable from here.
type HIDSConfigBase struct {
	UpdatedTicket                 int32  `json:"updated_ticket" `
	ProcessMonitorIntervalSeconds int32  `json:"process_monitor_interval_seconds" `
	NetportMonitorIntervalSeconds int32  `json:"netport_monitor_interval_seconds" `
	UserLoginOkFilePath           string `json:"usr_login_ok_file_path" `
	UserLoginFailFilePath         string `json:"usr_login_fail_file_path" `
	UserLoginFailFileMaxSize      int32  `json:"user_login_fail_file_max_size" `
	UserLoginFailCheckInterval    int64  `json:"user_login_fail_check_nterval" `
	UserLoginFailMaxTicket        int64  `json:"user_login_fail_max_ticket" `
	AptSoftwareLogFilePath        string `json:"apt_software_log_file_path" `
	YumSoftwareLogFilePath        string `json:"yum_software_log_file_path" `
	CrontabFilePath               string `json:"crontab_file_path" `
	SSHFilePath                   string `json:"ssh_file_path" `
}

type HIDSConfigSSHFile

// HIDSConfigSSHFile lists SSH-related files for the agent to look at.
// There is no HIDSConfigType value naming it in this file, so how it is
// delivered (inside a HIDSConfig envelope or otherwise) is not visible here.
type HIDSConfigSSHFile struct {
	SSHFile []string `json:"ssh_file"`
}

type HIDSConfigType

// HIDSConfigType discriminates the Content of a HIDSConfig envelope.
type HIDSConfigType string

// Known HIDSConfigType values. These are package-level vars, not consts,
// so they are mutable at runtime; ConnectionEventType and ProcessEventType
// in the same package use const for the equivalent sets.
var (
	HIDSConfig_All             HIDSConfigType = "all_config"
	HIDSConfig_WatchFileChange HIDSConfigType = "watch_file_change"
	HIDSConfig_Base            HIDSConfigType = "base"
)

type HIDSConfigWatchFile

// HIDSConfigWatchFile is the Content of a HIDSConfig whose Type is
// HIDSConfig_WatchFileChange (inferred from the names): the list of paths
// the file-change monitor should watch.
type HIDSConfigWatchFile struct {
	WatchFileList []string `json:"watch_file_list"`
}

type HIDSEvent

// HIDSEvent is the event name carried in HIDSMessage.Type. The values below
// are the wire strings; note they mix hyphens and underscores and include
// the spelling "proccessings", all of which must stay as they are unless
// both ends of the protocol change together.
//
// These are package-level vars rather than consts, so nothing stops a
// caller from reassigning them at runtime.
var (
	// Process monitoring
	HIDSEvent_Proccessings     HIDSEvent = "proccessings"
	HIDSEvent_ProccessingEvent HIDSEvent = "processing-event"
	HIDSEvent_ProccessingTouch HIDSEvent = "processing-touch"

	// Network connection status
	// Handle with care:
	//    1. In some situations a server has a great many inbound connections; handling that case too aggressively costs excessive resources
	//    2. See how telegraf uses gopsutil for reference
	//    3. If the code has to be copied out, be sure to avoid the problem in (1): look for a paging or pre-filtering approach
	// The following connections need handling:
	// 1. Locally listening ports (those whose Status is LISTEN; report them) (key)
	// 2. Ports of outbound connections (probably not many; these must be handled) (key)
	// 3. Keep the very large connection counts of HA/NGINX hosts from affecting monitoring
	//
	HIDSEvent_Connections     HIDSEvent = "connections"
	HIDSEvent_ConnectionTouch HIDSEvent = "connections-touch"
	HIDSEvent_ConnectionEvent HIDSEvent = "connection-event"

	// nginx / apache monitoring
	HIDSEvent_NginxFound   HIDSEvent = "nginx-found"
	HIDSEvent_NginxMissed  HIDSEvent = "nginx-missed"
	HIDSEvent_ApacheFound  HIDSEvent = "apache-found"
	HIDSEvent_ApacheMissed HIDSEvent = "apache-missed"

	// ssh audit analysis
	// 1. Obtain the exact SSH version
	// 2. Monitor the config files and the public/private keys
	// 3. Key options in the config file:
	//    1. Whether password login is allowed
	//    2. Whether empty passwords are allowed
	//    3. Key-based login
	HIDSEvent_SSHAudit HIDSEvent = "ssh-audit"

	// File changes
	// For now, by default, monitor the contents of files under /etc /bin /usr/bin ~/.ssh
	// (a raw string literal; the value is the same as a quoted "file-changed")
	HIDSEvent_FileChanged HIDSEvent = `file-changed`

	// Webshell detected
	HIDSEvent_WebShell HIDSEvent = "webshell"

	// Node was scanned (a NIDS function; optional)
	HIDSEvent_Scanned HIDSEvent = "scanned"

	// Key configuration files
	HIDSEvent_ConfigFile HIDSEvent = "config-file"

	// Vulnerability information
	HIDSEvent_VulnInfo HIDSEvent = "vuln-info"

	// Dangerous file samples
	HIDSEvent_DangerousFileSample HIDSEvent = "dangerous-file-sample"

	// Attack behaviour
	HIDSEvent_Attack HIDSEvent = "attack"

	HIDSEvent_ReverseShell HIDSEvent = "reverse-shell"

	// Request configuration
	HIDSEvent_RequestConfig HIDSEvent = "request_config"

	// Report host user information
	HIDSEvent_ReportHostUser HIDSEvent = "report_host_user"
	// Report all successful user logins
	HIDSEvent_ReportAllUsrLoginOK HIDSEvent = "all_user_login_ok"
	// Report all failed user logins
	HIDSEvent_ReportAllUsrLoginFail HIDSEvent = "all_user_login_fail"
	// Report that the failed-login file has grown too large
	HIDSEvent_ReportAllUsrLoginFailFileTooLarge HIDSEvent = "all_user_login_fail_file_too_large"
	// Brute-force attempts against user accounts
	HIDSEvent_UserLoginAttempt HIDSEvent = "user_login_attempt"
	// Software information report
	HIDSEvent_ReportSoftwareVersion HIDSEvent = "report_software_version"
	// Software started at boot
	HIDSEvent_BootSoftware HIDSEvent = "boot_software"
	// Scheduled tasks (cron)
	HIDSEvent_Crontab HIDSEvent = "crontab"
)

// HIDSEvent_Notify_Config is declared in its own var block; by its name it
// is the event that pushes configuration to the agent (not verifiable here).
var (
	HIDSEvent_Notify_Config HIDSEvent = "notify_config"
)

type HIDSMessage

// HIDSMessage is the generic event envelope: Type is one of the HIDSEvent
// values and Content is the event payload, left undecoded as
// json.RawMessage so the receiver can choose the target struct from Type.
//
// The decoding side is not in this file; it should dispatch on Type and
// ignore or reject unknown event names instead of guessing at Content.
type HIDSMessage struct {
	Type    HIDSEvent       `json:"event"`
	Content json.RawMessage `json:"content"`
}

type HIDSSoftwareType

// HIDSSoftwareType identifies the package manager a SoftwareInfo report
// was derived from.
type HIDSSoftwareType string

// Known HIDSSoftwareType values (mutable package-level vars, not consts).
var (
	HIDSSoftwareType_APT HIDSSoftwareType = "apt"
	HIDSSoftwareType_YUM HIDSSoftwareType = "yum"
)

type HIDSTimestampType

// HIDSTimestampType names a persisted timestamp. Only one value is declared;
// where it is stored or read is not visible in this file.
type HIDSTimestampType string

// Known HIDSTimestampType values (mutable package-level vars, not consts).
var (
	HIDSTimestampType_Last_Check_Login_Fail HIDSTimestampType = "last_check_login_fail"
)

type HostUserInfo

// HostUserInfo describes one local account. The field set mirrors a
// passwd-style record; FullUserName presumably holds the GECOS/display
// name and BashFile the login shell — inferred from the names, confirm
// against the collector.
type HostUserInfo struct {
	UserName     string `json:"user_name"`
	Uid          int32  `json:"uid"`
	Gid          int32  `json:"gid"`
	FullUserName string `json:"full_user_name"`
	HomeDir      string `json:"home_dir"`
	BashFile     string `json:"bash_file"`
}

type HostUsers

// HostUsers is the payload listing local accounts; by name it is the
// content of a HIDSEvent_ReportHostUser message.
type HostUsers struct {
	Users []HostUserInfo `json:"users"`
}

type ProcessEvent

// ProcessEvent reports that a process appeared or disappeared; EventName is
// one of the ProcessEventType constants and ProcessMeta describes the
// process concerned.
type ProcessEvent struct {
	EventName   ProcessEventType `json:"event_name"`
	ProcessMeta *ProcessMeta     `json:"process"`
}

type ProcessEventType

// ProcessEventType names the kind of change a ProcessEvent reports.
type ProcessEventType string

// Known ProcessEventType values; same shape and wire strings as
// ConnectionEventType.
const (
	ProcessEventType_New       ProcessEventType = "new"       // process seen for the first time
	ProcessEventType_Disappear ProcessEventType = "disappear" // previously seen process is gone
)

type ProcessInfo

// ProcessInfo is a snapshot of the process table. Count is tagged "count"
// here, whereas the equivalent field of ConnectionInfo is untagged.
type ProcessInfo struct {
	Count     int            `json:"count"`
	Processes []*ProcessMeta `json:"processes"`
}

type ProcessMeta

// ProcessMeta describes one process: identity, parent/children, state,
// resource usage and the owning user.
//
// CommandLine is the full argument string. Command lines routinely contain
// secrets passed as flags, so anything that stores or forwards this struct
// is handling potentially sensitive data.
type ProcessMeta struct {
	Pid           int32   `json:"pid"`
	ProcessName   string  `json:"process_name"`
	CommandLine   string  `json:"command_line"`
	ChildrenPid   []int32 `json:"children_pid"`
	ParentPid     int32   `json:"parent_pid"`
	Status        string  `json:"status"`
	CPUPercent    float64 `json:"cpu_percent"`
	MemoryPercent float64 `json:"mem_percent"`
	Username      string  `json:"username"`
}

type ReverseShellInfo

// ReverseShellInfo is the payload of a HIDSEvent_ReverseShell report: the
// suspect process, its parent, the connections that triggered the
// detection, a free-text reason and a timestamp.
//
// Connections uses net.ConnectionStat, which does not exist in the
// standard library's net package; `net` here must be a third-party package
// (gopsutil is referenced in the HIDSEvent comments) — it is not this
// package's own ConnectionStat type. Timestamp is int64, unlike
// UserLoginInfo.LoginTimestamp which is int32.
type ReverseShellInfo struct {
	Process       *ProcessMeta         `json:"process"`
	ParentProcess *ProcessMeta         `json:"parent_process"`
	Connections   []net.ConnectionStat `json:"connections"`
	VerboseReason string               `json:"verbose_reason"`
	Timestamp     int64                `json:"timestamp"`
}

type RpcSleepRequest

// RpcSleepRequest asks the peer to sleep for Seconds seconds (inferred from
// the name; the handler is not in this file). Nothing in the type bounds
// the value, so whatever honours the request should cap it.
type RpcSleepRequest struct {
	Seconds int `json:"seconds"`
}

type RpcSleepResponse

// RpcSleepResponse acknowledges an RpcSleepRequest.
type RpcSleepResponse struct {
	Ok bool `json:"ok"`
}

type SSHInfo

// SSHInfo is the result of GetSSHInfo: the SSH version string plus the
// sshd settings the audit cares about (see the HIDSEvent_SSHAudit notes:
// password login, empty passwords, key-based login).
//
// HostKey is a string whose contents are not determined by this file — if
// it ever holds key material rather than a path or fingerprint, it should
// not be shipped in clear. Confirm with GetSSHInfo.
type SSHInfo struct {
	Version                string `json:"version"`
	SSHV2                  bool   `json:"sshv2"`
	PermitEmptyPasswords   bool   `json:"permit_empty_passwords"`
	PasswordAuthentication bool   `json:"password_authentication"`
	HostKey                string `json:"host_key"`
}

func GetSSHInfo

func GetSSHInfo(ctx context.Context, filePath string) (*SSHInfo, error)

type Software

// Software is one installed or removed package. SoftwareTimestamp is
// encoded as "timestamp"; its epoch and unit are not visible here.
type Software struct {
	Name              string `json:"name"`
	Version           string `json:"version"`
	SoftwareTimestamp int64  `json:"timestamp"`
}

type SoftwareInfo

// SoftwareInfo reports package changes from one package manager
// (SoftwareMgrType is apt or yum), as separate installed and removed lists.
type SoftwareInfo struct {
	SoftwareMgrType HIDSSoftwareType `json:"software_mgr_type"`
	InstallInfo     []Software       `json:"install_info"`
	RemoveInfo      []Software       `json:"remove_info"`
}

type UserLoginAttempt

// UserLoginAttempt is the payload of a HIDSEvent_UserLoginAttempt
// (brute-force) report: TotalTicket is the overall count and Info a
// per-key count. What the map is keyed by (user name? source address?)
// cannot be told from this file — confirm with the producer.
type UserLoginAttempt struct {
	TotalTicket int64            `json:"total_ticket"`
	Info        map[string]int64 `json:"info"`
}

type UserLoginFail

// UserLoginFail lists failed login attempts; by name it is the content of a
// HIDSEvent_ReportAllUsrLoginFail message.
type UserLoginFail struct {
	LoginActions []UserLoginInfo `json:"login_actions"`
}

type UserLoginFailFileTooLarge

// UserLoginFailFileTooLarge is raised when the failed-login file exceeds
// the configured limit (HIDSConfigBase.UserLoginFailFileMaxSize, an int32;
// SizeM here is int64). SizeM is presumably a size in megabytes — not
// verifiable from this file.
type UserLoginFailFileTooLarge struct {
	FilePath string `json:"file_path"`
	SizeM    int64  `json:"size_m"`
}

type UserLoginInfo

// UserLoginInfo is one login record: the account, the endpoint type, the
// source IP and a timestamp.
//
// LoginTimestamp is int32. If it holds Unix seconds it overflows in 2038;
// the other timestamps in this package (Software, ReverseShellInfo) are
// int64. Widening it changes the JSON number range only, but it is left
// as-is here since the producer is not visible.
//
// UserName and SourceEndpointIP are taken from login logs and are
// attacker-controlled input on a brute-force report; consumers should not
// trust them as already-sanitised text.
type UserLoginInfo struct {
	UserName         string `json:"user_name"`
	EndpointType     string `json:"endpoint_type"`
	SourceEndpointIP string `json:"source_endpoint_ip"`
	LoginTimestamp   int32  `json:"login_timestamp"`
}

type UserLoginOK

// UserLoginOK lists successful logins; by name it is the content of a
// HIDSEvent_ReportAllUsrLoginOK message. Same shape as UserLoginFail.
type UserLoginOK struct {
	LoginActions []UserLoginInfo `json:"login_actions"`
}
