Documentation

Overview

    Implements mapping alerts from suricata to netcap audit records

    Index

    Constants

    This section is empty.

    Variables

    var (
    	// StopOnDuplicateLabels, when set, makes the labeler stop execution and
    	// print info if more than one label exists for the same timestamp. Only
    	// layer labeling is affected, because it resolves labels through the
    	// labelMap; the other record types walk the label array instead, which
    	// is not affected. Handling this needs to be improved in the future.
    	StopOnDuplicateLabels bool

    	// DisableLayerMapping turns the layer mapping step off. Which labelers
    	// consult it is not visible here; presumably Layer and CustomMap.
    	DisableLayerMapping bool

    	// SuricataConfigPath contains the path for the suricata config file;
    	// presumably handed to suricata when Suricata scans the input pcap.
    	SuricataConfigPath string
    )

      regular expressions to match data from suricata fast.log

      var (
      	// UseProgressBars selects whether a progress bar is rendered while labeling.
      	UseProgressBars bool

      	// ClassificationMap keeps classifications keyed by name. What the int
      	// value records (presumably an occurrence count) is not visible here.
      	ClassificationMap = map[string]int{}

      	// Debug is a debugging switch; where it is consulted is not visible here.
      	Debug bool

      	// RemoveFilesWithoutMatches, when set, presumably deletes output files for
      	// which no record matched a label — confirm against the CSV writers.
      	RemoveFilesWithoutMatches bool
      )
      var CollectLabels bool

        CollectLabels indicates whether labels should be collected

        Functions

        func Connections

        func Connections(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

          Connections labels type NC_Connection.

          func CustomLabels

          func CustomLabels(pathMappingInfo, outputPath string, useDescription bool, separator, selection string) error

            CustomLabels uses info from a csv file to label the data

            func CustomMap

            func CustomMap(wg *sync.WaitGroup, file string, typ string, labelMap map[string]*AttackInfo, labels []*AttackInfo, outDir, separator, selection string) *pb.ProgressBar

CustomMap uses info from a csv file to label the data. The doc comment also carries a copy of an earlier signature, `func CustomMap(wg *sync.WaitGroup, file string, typ string, labelMap map[string]*SuricataAlert, labels []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar {`, which differs from the declared signature above in taking *SuricataAlert rather than *AttackInfo for labelMap and labels.

              func Flows

              func Flows(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

                Flows labels type NC_Flow.

                func HTTP

                func HTTP(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

                  HTTP labels http.

                  func IPv4

                  func IPv4(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

                    IPv4 labels type NC_IPv4.

                    func IPv6

                    func IPv6(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

                      IPv6 labels type NC_IPv6.

                      func Layer

                      func Layer(wg *sync.WaitGroup, file string, typ string, labelMap map[string]*SuricataAlert, labels []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

                        Layer labels packets of a given gopacket.LayerType string.

                        func LinkFlow

                        func LinkFlow(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

                          LinkFlow labels LinkFlows.

                          func NetworkFlow

                          func NetworkFlow(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

                            NetworkFlow labels a NetworkFlow.

                            func SetExcluded

                            func SetExcluded(arg string)

                              SetExcluded takes a comma separated list of strings to exclude from labeling.

                              func Suricata

                              func Suricata(inputPcap string, outputPath string, useDescription bool, separator, selection string) error

Suricata creates labeled CSV files for audit records derived from the provided input file. Alerts are generated by using suricata to scan the input pcap file; a directory named after the input file is created, and all suricata logs go there. If no output directory is specified, netcap audit records are expected in the current directory; otherwise audit records are expected in the output directory.

                                func TCP

                                func TCP(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

                                  TCP labels type NC_TCP.

                                  func TLS

                                  func TLS(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

                                    TLS labels type NC_TLSClientHello.

                                    func TransportFlow

                                    func TransportFlow(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

                                      TransportFlow labels TransportFlow

                                      func UDP

                                      func UDP(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

                                        UDP labels type NC_UDP.

                                        Types

                                        type AttackInfo

                                        // AttackInfo describes one attack as used by CustomMap to label audit
                                        // records; presumably parsed from the CSV mapping file by ParseAttackInfos
                                        // (see CustomLabels) — confirm against that parser.
                                        type AttackInfo struct {
                                        	// Num is the attack's number; presumably its ordinal in the CSV — confirm in ParseAttackInfos.
                                        	Num      int
                                        	// Name of the attack; presumably the value written as the label.
                                        	Name     string
                                        	// Start and End bound the attack window; records outside it presumably
                                        	// do not receive this label — confirm in CustomMap.
                                        	Start    time.Time
                                        	End      time.Time
                                        	// IPs lists the addresses involved in the attack.
                                        	IPs      []string
                                        	// Proto is the protocol name for the attack.
                                        	Proto    string
                                        	// Notes holds free-form notes.
                                        	Notes    string
                                        	// Category is the attack category.
                                        	Category string
                                        }

                                        func ParseAttackInfos

                                        func ParseAttackInfos(path string) (labelMap map[string]*AttackInfo, labels []*AttackInfo)

                                        type SuricataAlert

                                        // SuricataAlert is a summary of one alert's contents as parsed from a
                                        // suricata fast.log by ParseSuricataFastLog.
                                        type SuricataAlert struct {
                                        	// Timestamp is kept as a raw string; presumably it is also the key of
                                        	// the labelMap that ParseSuricataFastLog returns — confirm.
                                        	Timestamp      string
                                        	// Proto is the protocol name from the alert line.
                                        	Proto          string
                                        	// SrcIP and SrcPort identify the alert's source endpoint.
                                        	SrcIP          string
                                        	SrcPort        int
                                        	// DstIP and DstPort identify the alert's destination endpoint.
                                        	DstIP          string
                                        	DstPort        int
                                        	// Classification is the alert's classification text.
                                        	Classification string
                                        	// Description is presumably the rule message, filled only when
                                        	// ParseSuricataFastLog is called with useDescription set — confirm.
                                        	Description    string
                                        	// NOTE(review): Classification and Description are taken verbatim from
                                        	// log text; if they are written to the CSV output without escaping, a
                                        	// value containing the separator would corrupt the row — confirm in the writers.
                                        }

SuricataAlert is a summary structure of an alert's contents.

                                          func ParseSuricataFastLog

                                          func ParseSuricataFastLog(contents []byte, useDescription bool) (labelMap map[string]*SuricataAlert, arr []*SuricataAlert, err error)

                                            ParseSuricataFastLog returns labels for a given suricata fast.log contents.