Documentation ¶
Overview ¶
Implements mapping alerts from suricata to netcap audit records
Index ¶
- Variables
- func Connections(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, ...) *pb.ProgressBar
- func CustomLabels(pathMappingInfo, outputPath string, useDescription bool, ...) error
- func CustomMap(wg *sync.WaitGroup, file string, typ string, labelMap map[string]*AttackInfo, ...) *pb.ProgressBar
- func Flows(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, ...) *pb.ProgressBar
- func HTTP(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, ...) *pb.ProgressBar
- func IPv4(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, ...) *pb.ProgressBar
- func IPv6(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, ...) *pb.ProgressBar
- func Layer(wg *sync.WaitGroup, file string, typ string, ...) *pb.ProgressBar
- func LinkFlow(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, ...) *pb.ProgressBar
- func NetworkFlow(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, ...) *pb.ProgressBar
- func SetExcluded(arg string)
- func Suricata(inputPcap string, outputPath string, useDescription bool, ...) error
- func TCP(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, ...) *pb.ProgressBar
- func TLS(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, ...) *pb.ProgressBar
- func TransportFlow(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, ...) *pb.ProgressBar
- func UDP(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, ...) *pb.ProgressBar
- type AttackInfo
- type SuricataAlert
Constants ¶
This section is empty.
Variables ¶
var (
	// in case more than one label for the same timestamp exists,
	// stop execution and print info.
	// This affects layers being labeled, because they use the labelMap;
	// other record types use the label array, which is not affected.
	// Handling this needs to be improved in the future.
	StopOnDuplicateLabels = false

	DisableLayerMapping = false

	// SuricataConfigPath contains the path for the suricata config file.
	SuricataConfigPath string
)
regular expressions to match data from suricata fast.log
var (
	// UseProgressBars whether to use the progress bar
	UseProgressBars = false

	// ClassificationMap map of classifications
	ClassificationMap = make(map[string]int)

	Debug bool

	RemoveFilesWithoutMatches = false
)
var CollectLabels bool
CollectLabels indicates whether labels should be collected
Functions ¶
func Connections ¶
func Connections(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar
Connections labels type NC_Connection.
func CustomLabels ¶ added in v0.4.3
func CustomLabels(pathMappingInfo, outputPath string, useDescription bool, separator, selection string) error
CustomLabels uses info from a csv file to label the data
func CustomMap ¶ added in v0.4.3
func CustomMap(wg *sync.WaitGroup, file string, typ string, labelMap map[string]*AttackInfo, labels []*AttackInfo, outDir, separator, selection string) *pb.ProgressBar
CustomMap uses info from a csv file to label the data. Unlike Layer, it is driven by AttackInfo entries (parsed with ParseAttackInfos) rather than by SuricataAlert entries.
func Flows ¶
func Flows(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar
Flows labels type NC_Flow.
func HTTP ¶
func HTTP(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar
HTTP labels type NC_HTTP.
func IPv4 ¶
func IPv4(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar
IPv4 labels type NC_IPv4.
func IPv6 ¶
func IPv6(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar
IPv6 labels type NC_IPv6.
func Layer ¶
func Layer(wg *sync.WaitGroup, file string, typ string, labelMap map[string]*SuricataAlert, labels []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar
Layer labels packets of a given gopacket.LayerType string.
func LinkFlow ¶
func LinkFlow(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar
LinkFlow labels type NC_LinkFlow.
func NetworkFlow ¶
func NetworkFlow(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar
NetworkFlow labels type NC_NetworkFlow.
func SetExcluded ¶
func SetExcluded(arg string)
SetExcluded takes a comma separated list of strings to exclude from labeling.
func Suricata ¶
func Suricata(inputPcap string, outputPath string, useDescription bool, separator, selection string) error
Suricata creates labeled CSV files for audit records derived from the provided input file. Alerts are generated by using suricata to scan the input pcap file; a directory named after the input file is created and all suricata logs go there. If no output directory is specified, netcap audit records are expected in the current directory; otherwise audit records are expected in the output directory.
func TCP ¶
func TCP(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar
TCP labels type NC_TCP.
func TLS ¶
func TLS(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar
TLS labels type NC_TLSClientHello.
func TransportFlow ¶
func TransportFlow(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar
TransportFlow labels type NC_TransportFlow.
func UDP ¶
func UDP(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar
UDP labels type NC_UDP.
Types ¶
type AttackInfo ¶ added in v0.4.3
type AttackInfo struct {
	Num      int
	Name     string
	Start    time.Time
	End      time.Time
	IPs      []string
	Proto    string
	Notes    string
	Category string
}
func ParseAttackInfos ¶ added in v0.4.3
func ParseAttackInfos(path string) (labelMap map[string]*AttackInfo, labels []*AttackInfo)
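The attack-table labeling that CustomLabels and CustomMap perform with AttackInfo entries, as an added example that is not part of the netcap package. It re-declares the AttackInfo fields under its own name, builds the attack table in code instead of reading the csv file (the csv layout is not described on this page), and the matching rules it uses (inclusive Start/End window, an IP list that matches either endpoint, an empty IP list or Proto acting as a wildcard, first match wins, "normal" for unmatched records) are this example's assumptions rather than netcap's documented behaviour. The record timestamps and hosts are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// attackInfo mirrors the package's AttackInfo type; it is re-declared here
// so the example builds on its own.
type attackInfo struct {
	Num      int
	Name     string
	Start    time.Time
	End      time.Time
	IPs      []string
	Proto    string
	Notes    string
	Category string
}

// record holds the fields of an audit record that the labeling step compares
// against the attack table.
type record struct {
	Time  time.Time
	SrcIP string
	DstIP string
	Proto string
}

// matches reports whether r falls inside the attack's time window and
// touches one of its IPs as source or destination. The window is inclusive
// on both ends, an empty IP list matches every host and an empty Proto
// matches every protocol; these rules are this example's assumptions.
func (a *attackInfo) matches(r record) bool {
	if r.Time.Before(a.Start) || r.Time.After(a.End) {
		return false
	}
	if a.Proto != "" && a.Proto != r.Proto {
		return false
	}
	if len(a.IPs) == 0 {
		return true
	}
	for _, ip := range a.IPs {
		if ip == r.SrcIP || ip == r.DstIP {
			return true
		}
	}
	return false
}

// labelRecord returns the attack name (or its category when useCategory is
// set) of the first attack in the table that matches r, and "normal" when
// none does. First match wins, so overlapping attacks should be listed from
// most to least specific.
func labelRecord(attacks []*attackInfo, r record, useCategory bool) string {
	for _, a := range attacks {
		if a.matches(r) {
			if useCategory {
				return a.Category
			}
			return a.Name
		}
	}
	return "normal"
}

// ts parses an RFC 3339 timestamp; all sample data below is constructed.
func ts(s string) time.Time {
	t, err := time.Parse(time.RFC3339, s)
	if err != nil {
		panic(err)
	}
	return t
}

// sampleAttacks stands in for the rows ParseAttackInfos would read from the csv file.
var sampleAttacks = []*attackInfo{
	{Num: 1, Name: "icmp-sweep", Start: ts("2020-02-14T15:43:00Z"), End: ts("2020-02-14T15:44:00Z"),
		IPs: []string{"10.0.0.9"}, Proto: "ICMP", Category: "reconnaissance"},
	{Num: 2, Name: "portscan", Start: ts("2020-02-14T15:40:00Z"), End: ts("2020-02-14T15:45:00Z"),
		IPs: []string{"10.0.0.9"}, Proto: "TCP", Category: "reconnaissance"},
	{Num: 3, Name: "ssh-bruteforce", Start: ts("2020-02-14T15:50:00Z"), End: ts("2020-02-14T16:00:00Z"),
		IPs: []string{"192.168.1.5"}, Category: "credential-access"},
}

var sampleRecords = []record{
	{ts("2020-02-14T15:43:18Z"), "10.0.0.9", "10.0.0.2", "TCP"},    // portscan
	{ts("2020-02-14T15:43:30Z"), "10.0.0.2", "10.0.0.9", "ICMP"},   // icmp-sweep: attacker is the destination
	{ts("2020-02-14T16:00:00Z"), "10.0.0.7", "192.168.1.5", "TCP"}, // ssh-bruteforce: exactly at End
	{ts("2020-02-14T16:00:01Z"), "10.0.0.7", "192.168.1.5", "TCP"}, // one second past End: normal
	{ts("2020-02-14T15:43:18Z"), "10.0.0.4", "10.0.0.2", "TCP"},    // host in no attack: normal
}

func main() {
	for _, r := range sampleRecords {
		fmt.Printf("%s %s -> %s %-4s  %s / %s\n", r.Time.Format(time.RFC3339), r.SrcIP, r.DstIP, r.Proto,
			labelRecord(sampleAttacks, r, false), labelRecord(sampleAttacks, r, true))
	}
}
```

The boundary cases are the ones worth checking when building such a table by hand: a record stamped exactly at End is still labeled, one second later it is "normal", and a TCP record from the sweeping host is attributed to the portscan rather than the ICMP sweep only because the sweep carries a Proto restriction.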
type SuricataAlert ¶
type SuricataAlert struct {
	Timestamp      string
	Proto          string
	SrcIP          string
	SrcPort        int
	DstIP          string
	DstPort        int
	Classification string
	Description    string
}
SuricataAlert is a summary structure of an alert's contents.
func ParseSuricataFastLog ¶
func ParseSuricataFastLog(contents []byte, useDescription bool) (labelMap map[string]*SuricataAlert, arr []*SuricataAlert, err error)
ParseSuricataFastLog returns labels for a given suricata fast.log contents.
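A worked fast.log parser, as an added example that is not netcap's own ParseSuricataFastLog. It produces the two views the function signature above describes (a map keyed by alert timestamp and the alerts in file order) and shows the duplicate-timestamp situation behind StopOnDuplicateLabels. The alert struct is re-declared under its own name, the regular expression, the "last alert wins" policy for duplicates when not stopping, and the labelFor helper are this example's assumptions, and the three fast.log lines are constructed (the second and third share a timestamp on purpose; the second uses IPv6 addresses, where the last colon separates the port).

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// alert mirrors the fields of the package's SuricataAlert type; it is
// re-declared here so the example builds on its own.
type alert struct {
	Timestamp      string
	Proto          string
	SrcIP          string
	SrcPort        int
	DstIP          string
	DstPort        int
	Classification string
	Description    string
}

// fastLogLine matches one suricata fast.log line such as
//
//	02/14/2020-15:43:18.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.5:80 -> 10.0.0.2:51234
//
// Groups: 1 timestamp, 2 gid:sid:rev, 3 signature message, 4 classification,
// 5 protocol, 6 source IP, 7 source port, 8 destination IP, 9 destination port.
// The lazy IP groups stop at the ":port" that is followed by "->" or the end
// of the line, so IPv6 addresses (which contain colons) split correctly too.
var fastLogLine = regexp.MustCompile(
	`^(\S+)\s+\[\*\*\]\s+\[(\d+:\d+:\d+)\]\s+(.*?)\s+\[\*\*\]\s+` +
		`\[Classification:\s*(.*?)\]\s+\[Priority:\s*\d+\]\s+` +
		`\{(\w+)\}\s+(\S+?):(\d+)\s+->\s+(\S+?):(\d+)\s*$`)

// parseFastLog parses fast.log contents into a map keyed by timestamp and
// the alerts in file order. With stopOnDuplicate set it fails on the first
// timestamp that already carries an alert (the StopOnDuplicateLabels
// behaviour); otherwise the later alert replaces the earlier one in the map
// while the slice keeps both (assumed policy, not necessarily netcap's).
func parseFastLog(contents []byte, stopOnDuplicate bool) (map[string]*alert, []*alert, error) {
	labelMap := make(map[string]*alert)
	var arr []*alert

	for n, line := range strings.Split(string(contents), "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		m := fastLogLine.FindStringSubmatch(line)
		if m == nil {
			return nil, nil, fmt.Errorf("line %d: not a fast.log alert: %q", n+1, line)
		}
		// the regexp only admits digits for the port groups, so Atoi cannot fail here
		srcPort, _ := strconv.Atoi(m[7])
		dstPort, _ := strconv.Atoi(m[9])

		a := &alert{
			Timestamp:      m[1],
			Proto:          m[5],
			SrcIP:          m[6],
			SrcPort:        srcPort,
			DstIP:          m[8],
			DstPort:        dstPort,
			Classification: m[4],
			Description:    m[3],
		}
		if prev, ok := labelMap[a.Timestamp]; ok && stopOnDuplicate {
			return nil, nil, fmt.Errorf("line %d: duplicate label for timestamp %s: %q and %q",
				n+1, a.Timestamp, prev.Description, a.Description)
		}
		labelMap[a.Timestamp] = a
		arr = append(arr, a)
	}
	return labelMap, arr, nil
}

// labelFor returns the text used as label: the signature message when
// useDescription is set, otherwise the classification.
func labelFor(a *alert, useDescription bool) string {
	if useDescription {
		return a.Description
	}
	return a.Classification
}

// sampleFastLog is constructed input, not a real capture.
const sampleFastLog = `02/14/2020-15:43:18.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.5:80 -> 10.0.0.2:51234
02/14/2020-15:43:19.000001  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 2001:db8::1:44122 -> 2001:db8::2:1433
02/14/2020-15:43:19.000001  [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9:0 -> 10.0.0.2:0
`

func main() {
	labelMap, arr, err := parseFastLog([]byte(sampleFastLog), false)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d alerts, %d distinct timestamps\n", len(arr), len(labelMap))
	for _, a := range arr {
		fmt.Printf("%s %s %s:%d -> %s:%d  %s\n", a.Timestamp, a.Proto,
			a.SrcIP, a.SrcPort, a.DstIP, a.DstPort, labelFor(a, true))
	}
	if _, _, err := parseFastLog([]byte(sampleFastLog), true); err != nil {
		fmt.Println("strict mode:", err)
	}
}
```

The duplicate case is exactly the one the StopOnDuplicateLabels comment warns about: a map keyed by timestamp can hold only one of the two alerts stamped 15:43:19.000001, so packet-level (Layer) labeling through the map silently loses one of them unless strict mode is on, while record types labeled from the slice see both.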