label
package v0.4.7 (not the latest version of its module)
Published: Mar 15, 2020 License: GPL-3.0 Imports: 21 Imported by: 1

Documentation

Overview

Implements mapping of suricata alerts onto netcap audit records.

Index

Constants

This section is empty.

Variables

var (

	// in case more than one label for the same timestamp exists
	// stop execution and print info
	// this affects layers being labeled, because they use the labelMap
	// other record types use the label array, which is not affected.
	// handling this needs to be improved in the future
	StopOnDuplicateLabels = false

	DisableLayerMapping = false

	// SuricataConfigPath contains the path for the suricata config file.
	SuricataConfigPath string
)

regular expressions to match data from suricata fast.log

var (
	// UseProgressBars whether to use the progress bar
	UseProgressBars = false
	// ClassificationMap map of classifications
	ClassificationMap = make(map[string]int)

	Debug bool

	RemoveFilesWithoutMatches = false
)
var CollectLabels bool

CollectLabels indicates whether labels should be collected

Functions

func Connections

func Connections(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

Connections labels type NC_Connection.

func CustomLabels added in v0.4.3

func CustomLabels(pathMappingInfo, outputPath string, useDescription bool, separator, selection string) error

CustomLabels uses info from a CSV file to label the data.

func CustomMap added in v0.4.3

func CustomMap(wg *sync.WaitGroup, file string, typ string, labelMap map[string]*AttackInfo, labels []*AttackInfo, outDir, separator, selection string) *pb.ProgressBar

CustomMap uses info from a CSV file to label the data.

func Flows

func Flows(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

Flows labels type NC_Flow.

func HTTP

func HTTP(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

HTTP labels http.

func IPv4

func IPv4(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

IPv4 labels type NC_IPv4.

func IPv6

func IPv6(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

IPv6 labels type NC_IPv6.

func Layer

func Layer(wg *sync.WaitGroup, file string, typ string, labelMap map[string]*SuricataAlert, labels []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

Layer labels packets of a given gopacket.LayerType string.

func LinkFlow

func LinkFlow(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

LinkFlow labels LinkFlows.

func NetworkFlow

func NetworkFlow(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

NetworkFlow labels a NetworkFlow.

func SetExcluded

func SetExcluded(arg string)

SetExcluded takes a comma separated list of strings to exclude from labeling.

func Suricata

func Suricata(inputPcap string, outputPath string, useDescription bool, separator, selection string) error

Suricata creates labeled CSV files for audit records derived from the provided input file. Alerts are generated by running suricata against the input pcap; a directory named after the input file is created and all suricata logs are written there. If no output directory is specified, the netcap audit records are expected in the current directory; otherwise they are expected in the output directory.

func TCP

func TCP(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

TCP labels type NC_TCP.

func TLS

func TLS(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

TLS labels type NC_TLSClientHello.

func TransportFlow

func TransportFlow(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

TransportFlow labels TransportFlow.

func UDP

func UDP(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

UDP labels type NC_UDP.

Types

type AttackInfo added in v0.4.3

type AttackInfo struct {
	Num      int
	Name     string
	Start    time.Time
	End      time.Time
	IPs      []string
	Proto    string
	Notes    string
	Category string
}

func ParseAttackInfos added in v0.4.3

func ParseAttackInfos(path string) (labelMap map[string]*AttackInfo, labels []*AttackInfo)
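The page documents the AttackInfo fields and that CustomLabels/CustomMap label records from a CSV file, but not the CSV layout or the matching rule. The following is an added example, not the package's own code: it reads a constructed CSV into the AttackInfo struct shown above and labels a record when it falls inside an attack's time window, involves one of its IPs and uses its protocol. The column order, RFC 3339 timestamps, ';'-separated IP list, the map key (attack name), the AuditRecord stand-in type and the "normal" fallback label are all assumptions of this example.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"io"
	"strconv"
	"strings"
	"time"
)

// AttackInfo mirrors the struct documented for this package.
type AttackInfo struct {
	Num      int
	Name     string
	Start    time.Time
	End      time.Time
	IPs      []string
	Proto    string
	Notes    string
	Category string
}

// AuditRecord is a minimal stand-in for the fields of a netcap audit record
// that matter for labeling (an assumption made for this example).
type AuditRecord struct {
	Timestamp time.Time
	SrcIP     string
	DstIP     string
	Proto     string
}

// sampleAttackCSV is constructed input. The column order, RFC 3339 timestamps
// and ';'-separated IP list are this example's assumptions, not the package's format.
const sampleAttackCSV = `num,name,start,end,ips,proto,notes,category
1,Port scan,2020-03-15T10:12:30Z,2020-03-15T10:12:40Z,10.0.0.5,TCP,SYN scan from the attacker host,Reconnaissance
2,SSH brute force,2020-03-15T10:13:00Z,2020-03-15T10:20:00Z,10.0.0.5;192.168.1.20,TCP,password guessing against 192.168.1.20,Credential Access
`

// ParseAttackInfos reads the CSV and returns the attacks in file order plus a
// map keyed by attack name (the key choice is this example's assumption).
// Malformed rows and windows that end before they start are rejected.
func ParseAttackInfos(r io.Reader) (map[string]*AttackInfo, []*AttackInfo, error) {
	rows, err := csv.NewReader(r).ReadAll()
	if err != nil {
		return nil, nil, err
	}
	labelMap := make(map[string]*AttackInfo)
	var labels []*AttackInfo
	for i, row := range rows {
		if i == 0 {
			continue // header row
		}
		if len(row) != 8 {
			return nil, nil, fmt.Errorf("row %d: expected 8 columns, got %d", i+1, len(row))
		}
		num, err := strconv.Atoi(row[0])
		if err != nil {
			return nil, nil, fmt.Errorf("row %d: bad num: %w", i+1, err)
		}
		start, err := time.Parse(time.RFC3339, row[2])
		if err != nil {
			return nil, nil, fmt.Errorf("row %d: bad start: %w", i+1, err)
		}
		end, err := time.Parse(time.RFC3339, row[3])
		if err != nil {
			return nil, nil, fmt.Errorf("row %d: bad end: %w", i+1, err)
		}
		if end.Before(start) {
			return nil, nil, fmt.Errorf("row %d: end %s before start %s", i+1, row[3], row[2])
		}
		info := &AttackInfo{Num: num, Name: row[1], Start: start, End: end,
			IPs: strings.Split(row[4], ";"), Proto: row[5], Notes: row[6], Category: row[7]}
		if _, dup := labelMap[info.Name]; dup {
			return nil, nil, fmt.Errorf("row %d: duplicate attack name %q", i+1, info.Name)
		}
		labelMap[info.Name] = info
		labels = append(labels, info)
	}
	return labelMap, labels, nil
}

// Matches reports whether rec lies inside the attack's time window (inclusive
// at both ends), has one of the attack IPs as source or destination, and uses
// the attack protocol (an empty Proto matches any). These rules are assumed.
func (a *AttackInfo) Matches(rec AuditRecord) bool {
	if rec.Timestamp.Before(a.Start) || rec.Timestamp.After(a.End) {
		return false
	}
	if a.Proto != "" && !strings.EqualFold(a.Proto, rec.Proto) {
		return false
	}
	for _, ip := range a.IPs {
		if ip == rec.SrcIP || ip == rec.DstIP {
			return true
		}
	}
	return false
}

// LabelRecord returns the name of the first attack that matches rec, or
// "normal" when none does (the fallback label is this example's choice).
func LabelRecord(rec AuditRecord, labels []*AttackInfo) string {
	for _, a := range labels {
		if a.Matches(rec) {
			return a.Name
		}
	}
	return "normal"
}

func main() {
	_, labels, err := ParseAttackInfos(strings.NewReader(sampleAttackCSV))
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	ts, _ := time.Parse(time.RFC3339, "2020-03-15T10:12:35Z")
	rec := AuditRecord{Timestamp: ts, SrcIP: "10.0.0.5", DstIP: "192.168.1.20", Proto: "TCP"}
	fmt.Printf("%s %s -> %s %s  label=%q\n", rec.Timestamp.Format(time.RFC3339), rec.SrcIP, rec.DstIP, rec.Proto, LabelRecord(rec, labels))
}
```

Attacks are tried in file order, so overlapping windows resolve to whichever row comes first; if your ground truth has overlaps, order the CSV deliberately or widen the check to return every match.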

type SuricataAlert

type SuricataAlert struct {
	Timestamp      string
	Proto          string
	SrcIP          string
	SrcPort        int
	DstIP          string
	DstPort        int
	Classification string
	Description    string
}

SuricataAlert is a summary structure of an alert's contents.

func ParseSuricataFastLog

func ParseSuricataFastLog(contents []byte, useDescription bool) (labelMap map[string]*SuricataAlert, arr []*SuricataAlert, err error)

ParseSuricataFastLog returns labels for a given suricata fast.log contents.
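The variable comments above warn that the label map is keyed by timestamp, so two alerts at the same timestamp collide, and that StopOnDuplicateLabels controls whether that halts execution. The following is an added example written for this page, not the package's own ParseSuricataFastLog: it parses constructed fast.log lines (standard Suricata fast output layout, assumed here) into the SuricataAlert struct shown above, builds the timestamp-keyed map next to the full array, and either keeps the first alert per timestamp or returns an error when strict mode is on. The keep-first policy, the stopOnDuplicate parameter and the LabelOf helper are this example's assumptions.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// SuricataAlert mirrors the summary structure documented for this package.
type SuricataAlert struct {
	Timestamp      string
	Proto          string
	SrcIP          string
	SrcPort        int
	DstIP          string
	DstPort        int
	Classification string
	Description    string
}

// reFastLog matches one fast.log line. The layout assumed here is the one
// Suricata's fast output writes:
// <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: <c>] [Priority: <n>] {<proto>} <src>:<port> -> <dst>:<port>
// The greedy (\S+):(\d+) pairs also handle IPv6 endpoints such as 2001:db8::1:5353.
var reFastLog = regexp.MustCompile(
	`^(\S+)\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(.+?)\s+\[\*\*\]\s+` +
		`\[Classification:\s+(.+?)\]\s+\[Priority:\s+\d+\]\s+\{(\w+)\}\s+` +
		`(\S+):(\d+)\s+->\s+(\S+):(\d+)\s*$`)

// sampleFastLog is constructed test input, not a real capture. Lines 2 and 3
// deliberately share one timestamp to exercise the duplicate-label path.
const sampleFastLog = `03/15/2020-10:12:34.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.5:51234
03/15/2020-10:12:35.000001  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:41234 -> 192.168.1.20:1433
03/15/2020-10:12:35.000001  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:41235 -> 192.168.1.20:22
03/15/2020-10:12:36.500000  [**] [1:2027863:1] ET INFO Observed mDNS query [**] [Classification: Misc activity] [Priority: 3] {UDP} 2001:db8::1:5353 -> ff02::fb:5353
`

// ParseFastLog parses fast.log contents. labelMap is keyed by alert timestamp,
// which is the lookup key used when labeling layers, so alerts sharing a
// timestamp collide there; arr keeps every alert in file order. On a collision
// the first alert is kept (this example's policy) unless stopOnDuplicate is
// set, in which case the collision is reported as an error.
func ParseFastLog(contents []byte, stopOnDuplicate bool) (labelMap map[string]*SuricataAlert, arr []*SuricataAlert, err error) {
	labelMap = make(map[string]*SuricataAlert)
	sc := bufio.NewScanner(bytes.NewReader(contents))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		m := reFastLog.FindStringSubmatch(line)
		if m == nil {
			return nil, nil, fmt.Errorf("unparseable fast.log line: %q", line)
		}
		srcPort, perr := strconv.Atoi(m[6])
		if perr != nil {
			return nil, nil, perr
		}
		dstPort, perr := strconv.Atoi(m[8])
		if perr != nil {
			return nil, nil, perr
		}
		a := &SuricataAlert{Timestamp: m[1], Proto: m[4], SrcIP: m[5], SrcPort: srcPort,
			DstIP: m[7], DstPort: dstPort, Classification: m[3], Description: m[2]}
		if first, dup := labelMap[a.Timestamp]; dup {
			if stopOnDuplicate {
				return nil, nil, fmt.Errorf("more than one alert for timestamp %s: %q and %q",
					a.Timestamp, first.Description, a.Description)
			}
		} else {
			labelMap[a.Timestamp] = a
		}
		arr = append(arr, a)
	}
	if serr := sc.Err(); serr != nil {
		return nil, nil, serr
	}
	return labelMap, arr, nil
}

// LabelOf returns the string used as the label: the signature message when
// useDescription is set, otherwise the classification.
func LabelOf(a *SuricataAlert, useDescription bool) string {
	if useDescription {
		return a.Description
	}
	return a.Classification
}

func main() {
	labelMap, arr, err := ParseFastLog([]byte(sampleFastLog), false)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Printf("%d alerts, %d distinct timestamps\n", len(arr), len(labelMap))
	for _, a := range arr {
		fmt.Printf("%s %s %s:%d -> %s:%d  label=%q\n", a.Timestamp, a.Proto, a.SrcIP, a.SrcPort, a.DstIP, a.DstPort, LabelOf(a, false))
	}
	if _, _, err := ParseFastLog([]byte(sampleFastLog), true); err != nil {
		fmt.Println("strict mode:", err)
	}
}
```

The lost alert in the non-strict run (the SSH scan at 10:12:35.000001) is exactly the case the StopOnDuplicateLabels comment describes: layers labeled through the timestamp map see only one of the two alerts, while record types that iterate the array see both. Running once in strict mode on a new fast.log before labeling tells you whether that loss affects your dataset.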
