Documentation ¶
Index ¶
- Variables
- func EscapeJSON(i string) ([]byte, error)
- func GenericGetAlertObjForIoc(inputEvent types.Entry, prefix string, ioc string, msg string) ([]byte, error)
- func GetSensorID() (string, error)
- func MakeTLSConfig(certFile, keyFile string, rcas []string, skipVerify bool) (*tls.Config, error)
- func ParseJSON(json []byte) (e types.Entry, parseerr error)
- func PreprocessAddedFields(fields map[string]string) (string, error)
- func RndHexString(n int) string
- func RndStringFromAlpha(n int) string
- func RndStringFromBytes(fromBytes []byte, n int) string
- func RndStringFromRunes(fromRunes []rune, n int) string
- func RndTLSFingerprint() string
- type AMQPBaseSubmitter
- type AMQPSubmitter
- type AlertJSONProvider
- type AlertJSONProviderDNSReq
- type AlertJSONProviderDNSResp
- type AlertJSONProviderHTTPHost
- type AlertJSONProviderHTTPURL
- type AlertJSONProviderTLSFingerprint
- type AlertJSONProviderTLSSNI
- type Alertifier
- func (a *Alertifier) MakeAlert(inputEvent types.Entry, ioc string, matchType string) (*types.Entry, error)
- func (a *Alertifier) RegisterMatchType(matchTypeName string, mt AlertJSONProvider)
- func (a *Alertifier) SetAddedFields(fields map[string]string) error
- func (a *Alertifier) SetExtraModifier(em ExtraModifier)
- func (a *Alertifier) SetPrefix(prefix string)
- type Consumer
- type DummySubmitter
- type ExtraModifier
- type HostNamer
- type HostNamerRDNS
- type PerformanceStatsEncoder
- type StatsSubmitter
Constants ¶
This section is empty.
Variables ¶
var ToolName = "fever"
ToolName is a string containing the name of this software, lowercase.
var ToolNameUpper = "FEVER"
ToolNameUpper is a string containing the name of this software, uppercase.
Functions ¶
func EscapeJSON ¶ added in v1.0.10
func EscapeJSON(i string) ([]byte, error)
EscapeJSON escapes a string as a quoted byte slice for direct use in jsonparser.Set().
func GenericGetAlertObjForIoc ¶ added in v1.0.12
func GenericGetAlertObjForIoc(inputEvent types.Entry, prefix string, ioc string, msg string) ([]byte, error)
GenericGetAlertObjForIoc is a simple helper function that takes a format string with string ('%s') placeholders for the prefix and the IoC. It also sets other basic alert fields such as `category` and `action`.
func GetSensorID ¶
func GetSensorID() (string, error)
GetSensorID returns the machine ID of the system it is being run on, or the string "<no_machine_id>" if the ID cannot be determined.
func MakeTLSConfig ¶ added in v1.0.9
func MakeTLSConfig(certFile, keyFile string, rcas []string, skipVerify bool) (*tls.Config, error)
MakeTLSConfig returns a TLS configuration suitable for an endpoint whose private key is stored in keyFile and whose corresponding certificate is stored in certFile. rcas is a list of root CA filenames. If certFile and keyFile are empty, e.g. when configuring a TLS client endpoint without mutual authentication, only the RootCA pool is populated. Note: intermediate CAs (ICAs) appear to have to be loaded via a chained server certificate file, since the RootCAs pool in tls.Config appears to be consulted for root CAs only.
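As an added example (not the project's own code), the following constructed Go re-implementation follows the behaviour described above: with empty certFile and keyFile only the RootCAs pool is populated, otherwise the key pair is loaded as well, and a mismatched pair (one of the two empty) is rejected rather than silently treated as the client-only case. The skipVerify flag is mapped to tls.Config.InsecureSkipVerify, which disables peer verification entirely and so belongs in test setups only. The function and fixture names (makeTLSConfig, writeSelfSignedCA) are assumptions, and the self-signed CA written to a temporary directory is a constructed fixture so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// makeTLSConfig follows the behaviour the page documents for util.MakeTLSConfig (constructed
// re-implementation, not the project's code): with empty certFile and keyFile only the RootCAs
// pool is populated, otherwise the key pair is loaded too. skipVerify becomes InsecureSkipVerify.
func makeTLSConfig(certFile, keyFile string, rcas []string, skipVerify bool) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: skipVerify}
	if certFile != "" || keyFile != "" {
		if certFile == "" || keyFile == "" {
			return nil, errors.New("certFile and keyFile must both be set or both be empty")
		}
		// certFile may be a chain (leaf followed by intermediates), as the note above suggests
		cert, err := tls.LoadX509KeyPair(certFile, keyFile)
		if err != nil {
			return nil, fmt.Errorf("loading key pair: %w", err)
		}
		cfg.Certificates = []tls.Certificate{cert}
	}
	if len(rcas) > 0 {
		pool := x509.NewCertPool()
		for _, f := range rcas {
			pemData, err := os.ReadFile(f)
			if err != nil {
				return nil, fmt.Errorf("reading root CA file %s: %w", f, err)
			}
			if !pool.AppendCertsFromPEM(pemData) {
				return nil, fmt.Errorf("no PEM certificates found in %s", f)
			}
		}
		cfg.RootCAs = pool
	}
	return cfg, nil
}

// writeSelfSignedCA writes a throwaway self-signed CA certificate and key as PEM files into
// dir so the example runs offline (constructed fixture, not real CA material).
func writeSelfSignedCA(dir string) (certPath, keyPath string, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-test-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return "", "", err
	}
	certPath, keyPath = filepath.Join(dir, "ca.pem"), filepath.Join(dir, "ca-key.pem")
	if err = os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600); err != nil {
		return "", "", err
	}
	if err = os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600); err != nil {
		return "", "", err
	}
	return certPath, keyPath, nil
}

func main() {
	dir, err := os.MkdirTemp("", "tlsconfig-example")
	if err != nil {
		panic(err)
	}
	certPath, keyPath, err := writeSelfSignedCA(dir)
	if err != nil {
		panic(err)
	}
	cfg, err := makeTLSConfig(certPath, keyPath, []string{certPath}, false)
	if err != nil {
		panic(err)
	}
	fmt.Printf("certificates=%d rootCAs set=%v\n", len(cfg.Certificates), cfg.RootCAs != nil)
}
```

Passing a key file in rcas fails with "no PEM certificates found", because AppendCertsFromPEM only accepts CERTIFICATE blocks; that check catches a swapped cert/key argument at startup rather than at the first handshake.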
func PreprocessAddedFields ¶ added in v1.3.1
func PreprocessAddedFields(fields map[string]string) (string, error)
PreprocessAddedFields preprocesses the added fields so that only fast string operations are needed to add them to JSON text later. It progressively builds a JSON snippet by appending a JSON key-value pair for each added field, e.g. `, "foo":"bar"`.
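As an added example (not the project's own code), a constructed Go implementation of the two steps described for EscapeJSON and PreprocessAddedFields: each key and value is escaped as a JSON string literal, the `, "key":"value"` snippet is built from the sorted keys, and the snippet is spliced into a serialized event before its closing brace with plain byte operations. The names (escapeJSON, preprocessAddedFields, addFieldsToEvent) and the sample event are assumptions. Escaping matters because an operator-supplied value containing `"` or `,` would otherwise terminate its field or add fields of its own to the event; the result is also checked with json.Valid so a malformed event is rejected rather than forwarded.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// escapeJSON quotes a string as a JSON string literal (quotes, backslashes and
// control characters escaped) so it can be spliced into JSON text. Constructed
// stand-in for the documented util.EscapeJSON, not the project's code.
func escapeJSON(s string) ([]byte, error) {
	return json.Marshal(s)
}

// preprocessAddedFields builds the `, "key":"value"` snippet the page describes
// for util.PreprocessAddedFields (constructed stand-in). Keys are sorted so the
// output is deterministic, and every key and value goes through escapeJSON so a
// value containing `"` or `,` cannot terminate its field or add fields of its own.
func preprocessAddedFields(fields map[string]string) (string, error) {
	keys := make([]string, 0, len(fields))
	for k := range fields {
		if k == "" {
			return "", errors.New("empty field name")
		}
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		ek, err := escapeJSON(k)
		if err != nil {
			return "", err
		}
		ev, err := escapeJSON(fields[k])
		if err != nil {
			return "", err
		}
		b.WriteString(", ")
		b.Write(ek)
		b.WriteByte(':')
		b.Write(ev)
	}
	return b.String(), nil
}

// addFieldsToEvent splices a prepared snippet into a serialized JSON object by
// inserting it before the final closing brace, a plain byte operation that avoids
// re-parsing the event. The result is checked with json.Valid so a malformed event
// is rejected instead of being forwarded downstream.
func addFieldsToEvent(event []byte, snippet string) ([]byte, error) {
	trimmed := bytes.TrimSpace(event)
	if len(trimmed) < 2 || trimmed[0] != '{' || trimmed[len(trimmed)-1] != '}' {
		return nil, errors.New("event is not a JSON object")
	}
	body := trimmed[:len(trimmed)-1]
	// an empty object has no preceding member, so the leading comma must go
	if len(bytes.TrimSpace(body[1:])) == 0 {
		snippet = strings.TrimPrefix(snippet, ", ")
	}
	out := make([]byte, 0, len(trimmed)+len(snippet))
	out = append(out, body...)
	out = append(out, snippet...)
	out = append(out, '}')
	if !json.Valid(out) {
		return nil, errors.New("result is not valid JSON")
	}
	return out, nil
}

func main() {
	// constructed sample: two operator-defined fields and a minimal EVE-like event
	snippet, err := preprocessAddedFields(map[string]string{
		"sensor": "edge-01",
		"note":   `say "hi", ok`,
	})
	if err != nil {
		panic(err)
	}
	event := []byte(`{"event_type":"dns","src_ip":"10.0.0.1"}`)
	out, err := addFieldsToEvent(event, snippet)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

The snippet is computed once at configuration time and reused for every event, which is what makes the per-event step a pure append; the validation step is the price paid for not parsing, and it is cheap compared with a full decode.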
func RndHexString ¶ added in v1.0.19
func RndHexString(n int) string
RndHexString returns a hex string of length n.
func RndStringFromAlpha ¶ added in v1.0.19
func RndStringFromAlpha(n int) string
RndStringFromAlpha returns a string of length n with randomly picked alphabetic characters.
func RndStringFromBytes ¶ added in v1.0.19
func RndStringFromBytes(fromBytes []byte, n int) string
RndStringFromBytes returns a string of length n with randomly picked bytes from the fromBytes slice.
func RndStringFromRunes ¶ added in v1.0.19
func RndStringFromRunes(fromRunes []rune, n int) string
RndStringFromRunes returns a string of length n with randomly picked runes from the fromRunes slice.
func RndTLSFingerprint ¶ added in v1.0.19
func RndTLSFingerprint() string
RndTLSFingerprint returns a random string in the form of a TLS fingerprint.
Types ¶
type AMQPBaseSubmitter ¶ added in v1.0.6
type AMQPBaseSubmitter struct {
	URL              string
	Verbose          bool
	SensorID         string
	Conn             wabbit.Conn
	Channel          wabbit.Channel
	StopReconnection chan bool
	ErrorChan        chan wabbit.Error
	Logger           *log.Entry
	ChanMutex        sync.Mutex
	ConnMutex        sync.Mutex
	Reconnector      func(string) (wabbit.Conn, error)
	NofSubmitters    uint
}
AMQPBaseSubmitter is the base engine that sends reports to a RabbitMQ host and handles reconnection.
type AMQPSubmitter ¶
type AMQPSubmitter struct {
	Submitter *AMQPBaseSubmitter
	Target    string
	Compress  bool
}
AMQPSubmitter is a StatsSubmitter that sends reports to a RabbitMQ exchange.
func MakeAMQPSubmitter ¶
func MakeAMQPSubmitter(url string, target string, verbose bool) (*AMQPSubmitter, error)
MakeAMQPSubmitter creates a new submitter connected to a RabbitMQ server at the given URL.
func MakeAMQPSubmitterWithReconnector ¶
func MakeAMQPSubmitterWithReconnector(url string, target string, verbose bool, reconnector func(string) (wabbit.Conn, error)) (*AMQPSubmitter, error)
MakeAMQPSubmitterWithReconnector creates a new submitter connected to a RabbitMQ server at the given URL, using the reconnector function as a means to Dial() in order to obtain a Connection object.
func (*AMQPSubmitter) Finish ¶
func (s *AMQPSubmitter) Finish()
Finish cleans up the AMQP connection (reference counted).
func (*AMQPSubmitter) Submit ¶
func (s *AMQPSubmitter) Submit(rawData []byte, key string, contentType string)
Submit sends the rawData payload via the registered RabbitMQ connection.
func (*AMQPSubmitter) SubmitWithHeaders ¶
func (s *AMQPSubmitter) SubmitWithHeaders(rawData []byte, key string, contentType string, myHeaders map[string]string)
SubmitWithHeaders sends the rawData payload via the registered RabbitMQ connection, adding some extra key-value pairs to the header.
func (*AMQPSubmitter) UseCompression ¶
func (s *AMQPSubmitter) UseCompression()
UseCompression enables gzip compression of submitted payloads.
type AlertJSONProvider ¶ added in v1.0.12
type AlertJSONProvider interface {
	// GetAlertJSON is a function that returns a byte slice containing the
	// JSON data for an `alert` EVE-JSON sub-object.
	GetAlertJSON(inputEvent types.Entry, prefix string, ioc string) ([]byte, error)
}
AlertJSONProvider is an interface describing a component that returns an `alert` JSON sub-object to use in an EVE-JSON event.
type AlertJSONProviderDNSReq ¶ added in v1.0.12
type AlertJSONProviderDNSReq struct{}
AlertJSONProviderDNSReq is an AlertJSONProvider for DNS request matches.
func (AlertJSONProviderDNSReq) GetAlertJSON ¶ added in v1.0.12
func (a AlertJSONProviderDNSReq) GetAlertJSON(inputEvent types.Entry, prefix string, ioc string) ([]byte, error)
GetAlertJSON returns the "alert" subobject for an alert EVE event.
type AlertJSONProviderDNSResp ¶ added in v1.0.12
type AlertJSONProviderDNSResp struct{}
AlertJSONProviderDNSResp is an AlertJSONProvider for DNS response matches.
func (AlertJSONProviderDNSResp) GetAlertJSON ¶ added in v1.0.12
func (a AlertJSONProviderDNSResp) GetAlertJSON(inputEvent types.Entry, prefix string, ioc string) ([]byte, error)
GetAlertJSON returns the "alert" subobject for an alert EVE event.
type AlertJSONProviderHTTPHost ¶ added in v1.0.12
type AlertJSONProviderHTTPHost struct{}
AlertJSONProviderHTTPHost is an AlertJSONProvider for HTTP Host header matches.
func (AlertJSONProviderHTTPHost) GetAlertJSON ¶ added in v1.0.12
func (a AlertJSONProviderHTTPHost) GetAlertJSON(inputEvent types.Entry, prefix string, ioc string) ([]byte, error)
GetAlertJSON returns the "alert" subobject for an alert EVE event.
type AlertJSONProviderHTTPURL ¶ added in v1.0.12
type AlertJSONProviderHTTPURL struct{}
AlertJSONProviderHTTPURL is an AlertJSONProvider for HTTP URL matches.
func (AlertJSONProviderHTTPURL) GetAlertJSON ¶ added in v1.0.12
func (a AlertJSONProviderHTTPURL) GetAlertJSON(inputEvent types.Entry, prefix string, ioc string) ([]byte, error)
GetAlertJSON returns the "alert" subobject for an alert EVE event.
type AlertJSONProviderTLSFingerprint ¶ added in v1.0.19
type AlertJSONProviderTLSFingerprint struct{}
AlertJSONProviderTLSFingerprint is an AlertJSONProvider for TLS Fingerprint matches.
func (AlertJSONProviderTLSFingerprint) GetAlertJSON ¶ added in v1.0.19
func (a AlertJSONProviderTLSFingerprint) GetAlertJSON(inputEvent types.Entry, prefix string, ioc string) ([]byte, error)
GetAlertJSON returns the "alert" subobject for an alert EVE event.
type AlertJSONProviderTLSSNI ¶ added in v1.0.12
type AlertJSONProviderTLSSNI struct{}
AlertJSONProviderTLSSNI is an AlertJSONProvider for TLS SNI matches.
func (AlertJSONProviderTLSSNI) GetAlertJSON ¶ added in v1.0.12
func (a AlertJSONProviderTLSSNI) GetAlertJSON(inputEvent types.Entry, prefix string, ioc string) ([]byte, error)
GetAlertJSON returns the "alert" subobject for an alert EVE event.
type Alertifier ¶ added in v1.0.12
type Alertifier struct {
// contains filtered or unexported fields
}
Alertifier is a component that creates EVE-JSON alerts from arbitrary EVE-JSON events. It does this by cloning the original event and adding alert-specific fields, depending on the given ExtraModifier and a set of AlertJSONProviders, selectable using a string tag.
func MakeAlertifier ¶ added in v1.0.12
func MakeAlertifier(prefix string) *Alertifier
MakeAlertifier returns a new Alertifier, with no AlertJSONProviders set for any match types, but with the given alert prefix preconfigured. The alert prefix is a string that is prepended to all alert.signature values, as in "DCSO TIE-BLF" or "ETPRO CURRENT_EVENTS", etc.
func (*Alertifier) MakeAlert ¶ added in v1.0.12
func (a *Alertifier) MakeAlert(inputEvent types.Entry, ioc string, matchType string) (*types.Entry, error)
MakeAlert generates a new Entry representing an `alert` event based on the given input metadata event. It uses the information from the Alertifier as well as the given IoC to craft an `alert` sub-object in the resulting alert, which is built by the AlertJSONProvider registered under the specified matchType.
func (*Alertifier) RegisterMatchType ¶ added in v1.0.12
func (a *Alertifier) RegisterMatchType(matchTypeName string, mt AlertJSONProvider)
RegisterMatchType associates a given AlertJSONProvider with a match type tag. It makes it callable in the MakeAlert() function in this Alertifier.
func (*Alertifier) SetAddedFields ¶ added in v1.3.1
func (a *Alertifier) SetAddedFields(fields map[string]string) error
SetAddedFields adds string key-value pairs to be added as extra JSON values.
func (*Alertifier) SetExtraModifier ¶ added in v1.0.12
func (a *Alertifier) SetExtraModifier(em ExtraModifier)
SetExtraModifier sets the _extra modifier of the current Alertifier to the passed function. Set it to nil to disable modification of the _extra sub-object.
func (*Alertifier) SetPrefix ¶ added in v1.0.12
func (a *Alertifier) SetPrefix(prefix string)
SetPrefix sets the signature prefix of the current Alertifier to the given string value.
type Consumer ¶
Consumer reads and processes messages from a fake RabbitMQ server.
type DummySubmitter ¶
DummySubmitter is a StatsSubmitter that just logs submissions without sending them over the network.
func MakeDummySubmitter ¶
func MakeDummySubmitter() (*DummySubmitter, error)
MakeDummySubmitter creates a new submitter just logging to the default log target.
func (*DummySubmitter) Finish ¶
func (s *DummySubmitter) Finish()
Finish is a no-op in this implementation.
func (*DummySubmitter) Submit ¶
func (s *DummySubmitter) Submit(rawData []byte, key string, contentType string)
Submit logs the rawData payload.
func (*DummySubmitter) SubmitWithHeaders ¶
func (s *DummySubmitter) SubmitWithHeaders(rawData []byte, key string, contentType string, myHeaders map[string]string)
SubmitWithHeaders logs rawData payload, adding some extra key-value pairs to the header.
func (*DummySubmitter) UseCompression ¶
func (s *DummySubmitter) UseCompression()
UseCompression enables gzip compression of submitted payloads (not applicable in this implementation).
type ExtraModifier ¶ added in v1.0.12
ExtraModifier is a function type that describes a function that adds the appropriate `_extra` sub-object entries to an EVE-JSON event.
type HostNamer ¶ added in v1.0.6
HostNamer is an interface specifying a component that provides cached hostnames for IP addresses passed as strings.
type HostNamerRDNS ¶ added in v1.0.10
type HostNamerRDNS struct {
// contains filtered or unexported fields
}
HostNamerRDNS is a component that provides cached hostnames for IP addresses passed as strings, determined via reverse DNS lookups.
func NewHostNamerRDNS ¶ added in v1.0.10
func NewHostNamerRDNS(defaultExpiration, cleanupInterval time.Duration) *HostNamerRDNS
NewHostNamerRDNS returns a new HostNamer with the given default expiration time. Data entries will be purged after each cleanupInterval.
func (*HostNamerRDNS) Flush ¶ added in v1.0.10
func (n *HostNamerRDNS) Flush()
Flush clears the cache of a HostNamerRDNS.
func (*HostNamerRDNS) GetHostname ¶ added in v1.0.10
func (n *HostNamerRDNS) GetHostname(ipAddr string) ([]string, error)
GetHostname returns a list of host names for a given IP address.
type PerformanceStatsEncoder ¶
type PerformanceStatsEncoder struct {
	sync.RWMutex
	Encoder       *fluxline.Encoder
	Buffer        bytes.Buffer
	Logger        *log.Entry
	Tags          map[string]string
	Submitter     StatsSubmitter
	SubmitPeriod  time.Duration
	LastSubmitted time.Time
	DummyMode     bool
}
PerformanceStatsEncoder is a component to collect, encode and submit data to an InfluxDB via RabbitMQ.
func MakePerformanceStatsEncoder ¶
func MakePerformanceStatsEncoder(statsSubmitter StatsSubmitter, submitPeriod time.Duration, dummyMode bool) *PerformanceStatsEncoder
MakePerformanceStatsEncoder creates a new stats encoder, submitting via the given StatsSubmitter, with at least submitPeriod time between submissions. If dummyMode is set, the result is printed to stdout instead of being submitted.
func (*PerformanceStatsEncoder) Submit ¶
func (a *PerformanceStatsEncoder) Submit(val interface{})
Submit encodes the data annotated with 'influx' tags in the passed struct and sends it to the configured submitter.
func (*PerformanceStatsEncoder) SubmitWithTags ¶ added in v1.2.0
func (a *PerformanceStatsEncoder) SubmitWithTags(val interface{}, tags map[string]string)
SubmitWithTags encodes the data annotated with 'influx' tags in the passed struct and sends it to the configured submitter. This version also allows adding a set of user-defined tags as a key-value map.
type StatsSubmitter ¶
type StatsSubmitter interface {
	Submit(rawData []byte, key string, contentType string)
	SubmitWithHeaders(rawData []byte, key string, contentType string, myHeaders map[string]string)
	UseCompression()
	Finish()
}
StatsSubmitter is an interface for an entity that sends JSON data to an endpoint.