Documentation
Index
Constants
This section is empty.
Variables

```go
var Location = time.Local
```

Location is the location to use for timestamp parsing and comparison.
Functions

func ResetStats

```go
func ResetStats()
```
Types

type AttackInfo

```go
type AttackInfo struct {
	// Attack instance number
	Num int `csv:"num" yaml:"num"`

	// Attack Name
	Name string `csv:"name" yaml:"name"`

	// Attack timeframe
	Start string `csv:"start" yaml:"start"`
	End   string `csv:"end" yaml:"end"`

	// any traffic going from and towards the specified IPs in the given timeframe
	// the field value from parsed CSV is going to be split by ";"
	IPs []string `csv:"ips" yaml:"ips"`

	// Underlying Protocol(s)
	Proto string `csv:"proto" yaml:"proto"`

	// Additional notes
	Notes string `csv:"notes" yaml:"notes"`

	// Associated category
	Category string `csv:"category" yaml:"category"`

	// MITRE Tactic or Technique Name
	MITRE string `csv:"mitre" yaml:"mitre"`

	// Day of Attack
	Date string `yaml:"date" yaml:"date"`

	// Separate victims and attacks, flag any traffic BETWEEN the specified IPs.
	Victims   []string `csv:"victims" yaml:"victims"`
	Attackers []string `csv:"attackers" yaml:"attackers"`

	// FlagVictimTraffic will also label traffic from and towards the victim for the current attack timeframe,
	// and can be used when specifying victim and attacker IPs separately.
	// This is useful for example during infiltration scenarios,
	// where malicious activity is conducted by an infected host.
	FlagVictimTraffic bool `yaml:"flagVictimTraffic"`
}
```
AttackInfo models one attack and its metadata. Start, End and Date are kept as strings so the mapping file can use a custom time format; they are parsed and compared in Location. In CSV input the ips, victims and attackers fields are ";"-separated lists. Note that, as printed above, the Date field carries the yaml key twice and no csv key, and FlagVictimTraffic has only a yaml key; check the package source before relying on either field for CSV input.
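To make the three labeling rules concrete (traffic touching a listed IP, traffic between a victim and an attacker, and, with FlagVictimTraffic, any traffic touching a victim, all restricted to the attack timeframe and parsed in Location), here is an added example that is not the project's own code. It uses a reduced stand-in for AttackInfo, a constructed minimal audit record, a constructed mapping of two attacks, and an assumed timestamp layout; the "normal" label for unmatched traffic and the midnight rollover for an End earlier than Start are choices of this example, not documented behaviour of the package.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Location plays the role of the package variable documented above.
var Location = time.Local

// timeLayout is an assumption of this example; the real package accepts the
// format used in the mapping file.
const timeLayout = "2006-01-02 15:04:05"

// attackInfo is a reduced, hypothetical stand-in for AttackInfo with the
// fields this example needs, timestamps already parsed.
type attackInfo struct {
	Name              string
	Start, End        time.Time
	IPs               map[string]bool
	Victims           map[string]bool
	Attackers         map[string]bool
	FlagVictimTraffic bool
}

// flow is a constructed, minimal audit record: when, and between whom.
type flow struct {
	Time     time.Time
	Src, Dst string
}

// splitIPs turns a ";"-separated CSV field into a set, ignoring blanks.
func splitIPs(field string) map[string]bool {
	set := map[string]bool{}
	for _, ip := range strings.Split(field, ";") {
		if ip = strings.TrimSpace(ip); ip != "" {
			set[ip] = true
		}
	}
	return set
}

// parseAttack builds an attackInfo from the string fields of one row.
// date is the day of attack and start/end are clock times on that day; an
// end earlier than the start is taken to roll past midnight (example choice).
func parseAttack(name, date, start, end, ips, victims, attackers string, flagVictim bool) (attackInfo, error) {
	s, err := time.ParseInLocation(timeLayout, date+" "+start, Location)
	if err != nil {
		return attackInfo{}, fmt.Errorf("attack %q: bad start: %w", name, err)
	}
	e, err := time.ParseInLocation(timeLayout, date+" "+end, Location)
	if err != nil {
		return attackInfo{}, fmt.Errorf("attack %q: bad end: %w", name, err)
	}
	if e.Before(s) {
		e = e.Add(24 * time.Hour)
	}
	return attackInfo{Name: name, Start: s, End: e, IPs: splitIPs(ips),
		Victims: splitIPs(victims), Attackers: splitIPs(attackers), FlagVictimTraffic: flagVictim}, nil
}

// matches applies the documented rules: inside the timeframe, flag traffic
// from or towards a listed IP, traffic between a victim and an attacker in
// either direction, and (if FlagVictimTraffic) any traffic touching a victim.
func (a attackInfo) matches(f flow) bool {
	if f.Time.Before(a.Start) || f.Time.After(a.End) {
		return false
	}
	if a.IPs[f.Src] || a.IPs[f.Dst] {
		return true
	}
	if (a.Victims[f.Src] && a.Attackers[f.Dst]) || (a.Attackers[f.Src] && a.Victims[f.Dst]) {
		return true
	}
	return a.FlagVictimTraffic && (a.Victims[f.Src] || a.Victims[f.Dst])
}

// label returns the first matching attack name, or "normal" (example choice).
func label(attacks []attackInfo, f flow) string {
	for _, a := range attacks {
		if a.matches(f) {
			return a.Name
		}
	}
	return "normal"
}

// parseFlow builds a flow from a timestamp in timeLayout, parsed in Location.
func parseFlow(ts, src, dst string) (flow, error) {
	t, err := time.ParseInLocation(timeLayout, ts, Location)
	if err != nil {
		return flow{}, err
	}
	return flow{Time: t, Src: src, Dst: dst}, nil
}

// exampleAttacks returns two constructed rows: a scan keyed on one IP, and an
// infiltration with separate victim/attacker that crosses midnight.
func exampleAttacks() ([]attackInfo, error) {
	scan, err := parseAttack("PortScan", "2024-03-01", "10:00:00", "10:30:00", "203.0.113.5", "", "", false)
	if err != nil {
		return nil, err
	}
	infil, err := parseAttack("Infiltration", "2024-03-01", "23:30:00", "00:30:00", "", "10.0.0.7", "198.51.100.9", true)
	if err != nil {
		return nil, err
	}
	return []attackInfo{scan, infil}, nil
}

func main() {
	attacks, err := exampleAttacks()
	if err != nil {
		panic(err)
	}
	for _, r := range [][3]string{
		{"2024-03-01 10:15:00", "203.0.113.5", "10.0.0.7"}, // scan, in timeframe
		{"2024-03-01 11:00:00", "203.0.113.5", "10.0.0.7"}, // same hosts, outside timeframe
		{"2024-03-02 00:10:00", "10.0.0.7", "10.0.0.8"},   // infected victim lateral traffic
	} {
		f, err := parseFlow(r[0], r[1], r[2])
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s %s -> %s: %s\n", r[0], f.Src, f.Dst, label(attacks, f))
	}
}
```

The second flow shows why the timeframe check comes first: the same endpoints outside the window stay unlabeled, and the third flow is only caught because FlagVictimTraffic is set, since 10.0.0.8 is neither a listed IP nor an attacker.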
type LabelManager

```go
type LabelManager struct {
	// debug mode
	Debug bool

	sync.Mutex
	// contains filtered or unexported fields
}
```
LabelManager keeps track of attack information that shall be mapped onto the audit records.
func NewLabelManager

```go
func NewLabelManager(progress bool, debug bool, removeFilesWithoutMatches bool, scatterplot bool, scatterDuration time.Duration) *LabelManager
```
NewLabelManager returns a new label manager instance.
func (*LabelManager) Init

```go
func (m *LabelManager) Init(pathMappingInfo string)
```

Init loads the attack information from the mapping file at pathMappingInfo on disk.
func (*LabelManager) Label

```go
func (m *LabelManager) Label(record types.AuditRecord) string
```
Label returns the label for the current audit record according to the loaded label mapping.