package util

v1.3.5

Published: Mar 27, 2023 License: BSD-3-Clause Imports: 24 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var ToolName = "fever"

ToolName is a string containing the name of this software, lowercase.

var ToolNameUpper = "FEVER"

ToolNameUpper is a string containing the name of this software, uppercase.

Functions

func EscapeJSON added in v1.0.10

func EscapeJSON(i string) ([]byte, error)

EscapeJSON escapes a string as a quoted byte slice for direct use in jsonparser.Set().

func GenericGetAlertObjForIoc added in v1.0.12

func GenericGetAlertObjForIoc(inputEvent types.Entry,
	prefix string, ioc string, msg string) ([]byte, error)

GenericGetAlertObjForIoc is a simple helper function that takes a format string with string ('%s') placeholders for the prefix and the IoC. It also sets other basic alert fields such as `category` and `action`.

func GetSensorID

func GetSensorID() (string, error)

GetSensorID returns the machine ID of the system it is being run on, or the string "<no_machine_id>" if the ID cannot be determined.

func MakeTLSConfig added in v1.0.9

func MakeTLSConfig(certFile, keyFile string, rcas []string, skipVerify bool) (*tls.Config, error)

MakeTLSConfig returns a TLS configuration suitable for an endpoint whose private key is stored in keyFile and whose corresponding certificate is stored in certFile. rcas is a list of root CA filenames. If certFile and keyFile are empty, e.g., when configuring a TLS client endpoint without mutual authentication, only the RootCAs pool is populated. Note: intermediate CAs apparently have to be supplied via a chained server certificate file, since the RootCAs pool in tls.Config appears to be consulted for root CAs only.

func ParseJSON

func ParseJSON(json []byte) (e types.Entry, parseerr error)

ParseJSON extracts relevant fields from an EVE JSON entry into an Entry struct.

func PreprocessAddedFields added in v1.3.1

func PreprocessAddedFields(fields map[string]string) (string, error)

PreprocessAddedFields preprocesses the added fields so that only fast string operations are needed to add them to JSON text later. This code progressively builds a JSON snippet by appending a JSON key-value pair for each added field, e.g. `, "foo":"bar"`.
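The escaping and snippet building described for EscapeJSON and PreprocessAddedFields, as an added example that is not the package's own code: hypothetical escapeJSON, preprocessAddedFields and addFieldsToEvent produce the `, "foo":"bar"` format and splice it into an EVE event by string operations only, handling the empty-object edge case where a leading comma would break the JSON.

```go
package main

import (
	"encoding/json"
	"errors"
	"sort"
	"strings"
)

// escapeJSON quotes and escapes s for splicing into JSON text (json.Marshal
// also escapes <, > and & as \u00XX sequences, which stays valid JSON).
func escapeJSON(s string) ([]byte, error) { return json.Marshal(s) }

// preprocessAddedFields builds the snippet `, "foo":"bar", "k2":"v2"` once, so
// that adding the fields to an event later is a string splice rather than a
// re-parse; keys are sorted so the output is deterministic.
func preprocessAddedFields(fields map[string]string) (string, error) {
	keys := make([]string, 0, len(fields))
	for k := range fields {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		ek, errK := escapeJSON(k)
		ev, errV := escapeJSON(fields[k])
		if errK != nil || errV != nil {
			return "", errors.New("cannot encode added field " + k)
		}
		b.WriteString(", " + string(ek) + ":" + string(ev))
	}
	return b.String(), nil
}

// addFieldsToEvent splices a preprocessed snippet in front of the closing brace
// of a JSON object; for an empty object the leading ", " is dropped so the
// result stays valid JSON.
func addFieldsToEvent(event, snippet string) (string, error) {
	ev := strings.TrimSpace(event)
	if len(ev) < 2 || ev[0] != '{' || ev[len(ev)-1] != '}' {
		return "", errors.New("event is not a JSON object")
	}
	body := ev[:len(ev)-1]
	if strings.TrimSpace(body[1:]) == "" {
		snippet = strings.TrimPrefix(snippet, ", ")
	}
	return body + snippet + "}", nil
}
```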

func RndHexString added in v1.0.19

func RndHexString(n int) string

RndHexString returns a hex string of length n.

func RndStringFromAlpha added in v1.0.19

func RndStringFromAlpha(n int) string

RndStringFromAlpha returns a string of length n made of randomly picked alphabetic characters.

func RndStringFromBytes added in v1.0.19

func RndStringFromBytes(fromBytes []byte, n int) string

RndStringFromBytes returns a string of length n made of bytes randomly picked from the fromBytes slice.

func RndStringFromRunes added in v1.0.19

func RndStringFromRunes(fromRunes []rune, n int) string

RndStringFromRunes returns a string of length n made of runes randomly picked from the fromRunes slice.

func RndTLSFingerprint added in v1.0.19

func RndTLSFingerprint() string

RndTLSFingerprint returns a random string in the form of a TLS fingerprint.

Types

type AMQPBaseSubmitter added in v1.0.6

type AMQPBaseSubmitter struct {
	URL              string
	Verbose          bool
	SensorID         string
	Conn             wabbit.Conn
	Channel          wabbit.Channel
	StopReconnection chan bool
	ErrorChan        chan wabbit.Error
	Logger           *log.Entry
	ChanMutex        sync.Mutex
	ConnMutex        sync.Mutex
	Reconnector      func(string) (wabbit.Conn, error)
	NofSubmitters    uint
}

AMQPBaseSubmitter is the base engine that sends reports to a RabbitMQ host and handles reconnection.

type AMQPSubmitter

type AMQPSubmitter struct {
	Submitter *AMQPBaseSubmitter
	Target    string
	Compress  bool
}

AMQPSubmitter is a StatsSubmitter that sends reports to a RabbitMQ exchange.

func MakeAMQPSubmitter

func MakeAMQPSubmitter(url string, target string, verbose bool) (*AMQPSubmitter, error)

MakeAMQPSubmitter creates a new submitter connected to a RabbitMQ server at the given URL.

func MakeAMQPSubmitterWithReconnector

func MakeAMQPSubmitterWithReconnector(url string, target string, verbose bool,
	reconnector func(string) (wabbit.Conn, error)) (*AMQPSubmitter, error)

MakeAMQPSubmitterWithReconnector creates a new submitter connected to a RabbitMQ server at the given URL, using the reconnector function as a means to Dial() in order to obtain a Connection object.

func (*AMQPSubmitter) Finish

func (s *AMQPSubmitter) Finish()

Finish cleans up the AMQP connection (reference counted).

func (*AMQPSubmitter) Submit

func (s *AMQPSubmitter) Submit(rawData []byte, key string, contentType string)

Submit sends the rawData payload via the registered RabbitMQ connection.

func (*AMQPSubmitter) SubmitWithHeaders

func (s *AMQPSubmitter) SubmitWithHeaders(rawData []byte, key string, contentType string, myHeaders map[string]string)

SubmitWithHeaders sends the rawData payload via the registered RabbitMQ connection, adding some extra key-value pairs to the header.

func (*AMQPSubmitter) UseCompression

func (s *AMQPSubmitter) UseCompression()

UseCompression enables gzip compression of submitted payloads.

type AlertJSONProvider added in v1.0.12

type AlertJSONProvider interface {
	// GetAlertJSON is a function that returns a byte slice containing the
	// JSON data for an `alert` EVE-JSON sub-object.
	GetAlertJSON(inputEvent types.Entry, prefix string, ioc string) ([]byte, error)
}

AlertJSONProvider is an interface describing a component that returns an `alert` JSON sub-object to use in an EVE-JSON event.

type AlertJSONProviderDNSReq added in v1.0.12

type AlertJSONProviderDNSReq struct{}

AlertJSONProviderDNSReq is an AlertJSONProvider for DNS request matches.

func (AlertJSONProviderDNSReq) GetAlertJSON added in v1.0.12

func (a AlertJSONProviderDNSReq) GetAlertJSON(inputEvent types.Entry,
	prefix string, ioc string) ([]byte, error)

GetAlertJSON returns the "alert" subobject for an alert EVE event.

type AlertJSONProviderDNSResp added in v1.0.12

type AlertJSONProviderDNSResp struct{}

AlertJSONProviderDNSResp is an AlertJSONProvider for DNS response matches.

func (AlertJSONProviderDNSResp) GetAlertJSON added in v1.0.12

func (a AlertJSONProviderDNSResp) GetAlertJSON(inputEvent types.Entry,
	prefix string, ioc string) ([]byte, error)

GetAlertJSON returns the "alert" subobject for an alert EVE event.

type AlertJSONProviderHTTPHost added in v1.0.12

type AlertJSONProviderHTTPHost struct{}

AlertJSONProviderHTTPHost is an AlertJSONProvider for HTTP Host header matches.

func (AlertJSONProviderHTTPHost) GetAlertJSON added in v1.0.12

func (a AlertJSONProviderHTTPHost) GetAlertJSON(inputEvent types.Entry,
	prefix string, ioc string) ([]byte, error)

GetAlertJSON returns the "alert" subobject for an alert EVE event.

type AlertJSONProviderHTTPURL added in v1.0.12

type AlertJSONProviderHTTPURL struct{}

AlertJSONProviderHTTPURL is an AlertJSONProvider for HTTP URL matches.

func (AlertJSONProviderHTTPURL) GetAlertJSON added in v1.0.12

func (a AlertJSONProviderHTTPURL) GetAlertJSON(inputEvent types.Entry,
	prefix string, ioc string) ([]byte, error)

GetAlertJSON returns the "alert" subobject for an alert EVE event.

type AlertJSONProviderTLSFingerprint added in v1.0.19

type AlertJSONProviderTLSFingerprint struct{}

AlertJSONProviderTLSFingerprint is an AlertJSONProvider for TLS Fingerprint matches.

func (AlertJSONProviderTLSFingerprint) GetAlertJSON added in v1.0.19

func (a AlertJSONProviderTLSFingerprint) GetAlertJSON(inputEvent types.Entry,
	prefix string, ioc string) ([]byte, error)

GetAlertJSON returns the "alert" subobject for an alert EVE event.

type AlertJSONProviderTLSSNI added in v1.0.12

type AlertJSONProviderTLSSNI struct{}

AlertJSONProviderTLSSNI is an AlertJSONProvider for TLS SNI matches.

func (AlertJSONProviderTLSSNI) GetAlertJSON added in v1.0.12

func (a AlertJSONProviderTLSSNI) GetAlertJSON(inputEvent types.Entry,
	prefix string, ioc string) ([]byte, error)

GetAlertJSON returns the "alert" subobject for an alert EVE event.

type Alertifier added in v1.0.12

type Alertifier struct {
	// contains filtered or unexported fields
}

Alertifier is a component that creates EVE-JSON alerts from arbitrary EVE-JSON events. It does this by cloning the original event and adding alert-specific fields, depending on the given ExtraModifier and a set of AlertJSONProviders, selectable using a string tag.

func MakeAlertifier added in v1.0.12

func MakeAlertifier(prefix string) *Alertifier

MakeAlertifier returns a new Alertifier, with no AlertJSONProviders set for any match types, but with the given alert prefix preconfigured. The alert prefix is a string that is prepended to all alert.signature values, as in "DCSO TIE-BLF" or "ETPRO CURRENT_EVENTS", etc.

func (*Alertifier) MakeAlert added in v1.0.12

func (a *Alertifier) MakeAlert(inputEvent types.Entry, ioc string,
	matchType string) (*types.Entry, error)

MakeAlert generates a new Entry representing an `alert` event based on the given input metadata event. It uses the information from the Alertifier as well as the given IoC to craft an `alert` sub-object in the resulting alert, which is built by the AlertJSONProvider registered under the specified matchType.

func (*Alertifier) RegisterMatchType added in v1.0.12

func (a *Alertifier) RegisterMatchType(matchTypeName string, mt AlertJSONProvider)

RegisterMatchType associates a given AlertJSONProvider with a match type tag. It makes it callable in the MakeAlert() function in this Alertifier.

func (*Alertifier) SetAddedFields added in v1.3.1

func (a *Alertifier) SetAddedFields(fields map[string]string) error

SetAddedFields adds string key-value pairs to be added as extra JSON values.

func (*Alertifier) SetExtraModifier added in v1.0.12

func (a *Alertifier) SetExtraModifier(em ExtraModifier)

SetExtraModifier sets the _extra modifier of the current Alertifier to the passed function. Set it to nil to disable modification of the _extra sub-object.

func (*Alertifier) SetPrefix added in v1.0.12

func (a *Alertifier) SetPrefix(prefix string)

SetPrefix sets the signature prefix of the current Alertifier to the given string value.

type Consumer

type Consumer struct {
	Callback func(wabbit.Delivery)
	// contains filtered or unexported fields
}

Consumer reads and processes messages from a fake RabbitMQ server.

func NewConsumer

func NewConsumer(amqpURI, exchange, exchangeType, queueName, key, ctag string, callback func(wabbit.Delivery)) (*Consumer, error)

NewConsumer creates a new consumer with the given properties. The callback function is called for each delivery accepted from a consumer channel.

func (*Consumer) Shutdown

func (c *Consumer) Shutdown() error

Shutdown shuts down a consumer, closing down its channels and connections.

type DummySubmitter

type DummySubmitter struct {
	Logger   *log.Entry
	SensorID string
}

DummySubmitter is a StatsSubmitter that just logs submissions without sending them over the network.

func MakeDummySubmitter

func MakeDummySubmitter() (*DummySubmitter, error)

MakeDummySubmitter creates a new submitter just logging to the default log target.

func (*DummySubmitter) Finish

func (s *DummySubmitter) Finish()

Finish is a no-op in this implementation.

func (*DummySubmitter) Submit

func (s *DummySubmitter) Submit(rawData []byte, key string, contentType string)

Submit logs the rawData payload.

func (*DummySubmitter) SubmitWithHeaders

func (s *DummySubmitter) SubmitWithHeaders(rawData []byte, key string, contentType string, myHeaders map[string]string)

SubmitWithHeaders logs rawData payload, adding some extra key-value pairs to the header.

func (*DummySubmitter) UseCompression

func (s *DummySubmitter) UseCompression()

UseCompression enables gzip compression of submitted payloads (not applicable in this implementation).

type ExtraModifier added in v1.0.12

type ExtraModifier func(inputAlert *types.Entry, ioc string) error

ExtraModifier is a function type that describes a function that adds the appropriate `_extra` sub-object entries to an EVE-JSON event.

type HostNamer added in v1.0.6

type HostNamer interface {
	GetHostname(ipAddr string) ([]string, error)
	Flush()
}

HostNamer is an interface specifying a component that provides cached hostnames for IP addresses passed as strings.

type HostNamerRDNS added in v1.0.10

type HostNamerRDNS struct {
	// contains filtered or unexported fields
}

HostNamerRDNS is a component that provides cached hostnames for IP addresses passed as strings, determined via reverse DNS lookups.

func NewHostNamerRDNS added in v1.0.10

func NewHostNamerRDNS(defaultExpiration, cleanupInterval time.Duration) *HostNamerRDNS

NewHostNamerRDNS returns a new HostNamer with the given default expiration time. Data entries will be purged after each cleanupInterval.

func (*HostNamerRDNS) Flush added in v1.0.10

func (n *HostNamerRDNS) Flush()

Flush clears the cache of a HostNamerRDNS.

func (*HostNamerRDNS) GetHostname added in v1.0.10

func (n *HostNamerRDNS) GetHostname(ipAddr string) ([]string, error)

GetHostname returns a list of host names for a given IP address.

type PerformanceStatsEncoder

type PerformanceStatsEncoder struct {
	sync.RWMutex
	Encoder       *fluxline.Encoder
	Buffer        bytes.Buffer
	Logger        *log.Entry
	Tags          map[string]string
	Submitter     StatsSubmitter
	SubmitPeriod  time.Duration
	LastSubmitted time.Time
	DummyMode     bool
}

PerformanceStatsEncoder is a component to collect, encode and submit data to an InfluxDB via RabbitMQ.

func MakePerformanceStatsEncoder

func MakePerformanceStatsEncoder(statsSubmitter StatsSubmitter,
	submitPeriod time.Duration, dummyMode bool) *PerformanceStatsEncoder

MakePerformanceStatsEncoder creates a new stats encoder, submitting via the given StatsSubmitter, with at least submitPeriod time between submissions. If dummyMode is set, the result is printed to stdout instead of being submitted.

func (*PerformanceStatsEncoder) Submit

func (a *PerformanceStatsEncoder) Submit(val interface{})

Submit encodes the data annotated with 'influx' tags in the passed struct and sends it to the configured submitter.

func (*PerformanceStatsEncoder) SubmitWithTags added in v1.2.0

func (a *PerformanceStatsEncoder) SubmitWithTags(val interface{}, tags map[string]string)

SubmitWithTags encodes the data annotated with 'influx' tags in the passed struct and sends it to the configured submitter. This version also allows adding a set of user-defined tags as a key-value map.

type StatsSubmitter

type StatsSubmitter interface {
	Submit(rawData []byte, key string, contentType string)
	SubmitWithHeaders(rawData []byte, key string, contentType string, myHeaders map[string]string)
	UseCompression()
	Finish()
}

StatsSubmitter is an interface for an entity that sends JSON data to an endpoint.
