Documentation
Overview
Package gourmet is an extendable network analysis and intrusion detection system.
Gourmet is designed to be fast, simple, and customizable. To customize your Gourmet sensor, you can add existing analyzers or create your own.
Usage With No Analyzers
By default, gourmet analyzes Ethernet packets and logs basic information about each connection. This information is held in a Connection value, which is marshalled into a JSON object and appended to the log file.
For UDP, each packet becomes its own Connection object. For TCP, the stream is first reassembled and the whole session then becomes a single Connection object.
Usage With Analyzers
To add an analyzer to Gourmet, add the analyzer's repository URL to your config.yml file.
Creating Your Own Analyzer
An analyzer is an implementation of the Analyzer interface, built as a Go plugin. More information about Go plugins can be found at https://golang.org/pkg/plugin.
Example custom analyzers can be found in the Gourmet Project repository at https://github.com/gourmetproject. simple_analyzer is the best one to start with.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
Types
type Analyzer
type Analyzer interface {
	Filter(c *Connection) bool
	Analyze(c *Connection) (Result, error)
}
type Config
type Config struct {
	InterfaceType string `json:"type"`
	Interface     string
	Promiscuous   bool
	MaxCores      int `json:"max_cores"`
	ConnTimeout   int `json:"connection_timeout"`
	SnapLen       int `json:"snapshot_length"`
	Bpf           string
	LogFile       string `json:"log_file"`
	SkipUpdate    bool `json:"skip_update"`
	Analyzers     map[string]interface{}
}
Config is the data structure used to expose Gourmet configuration settings to the user. Each of these fields has a default value, except for InterfaceType. For a list of default values and the values allowed for each field, consult the web documentation at docs.gourmetproject.io
type Connection
type Connection struct {
	Timestamp       time.Time
	UID             uint64
	SourceIP        string
	SourcePort      int
	DestinationIP   string
	DestinationPort int
	TransportType   string
	Duration        float64
	State           string        `json:",omitempty"`
	Payload         *bytes.Buffer `json:"-"`
	Analyzers       map[string]interface{}
}
Connection contains basic information about an IP connection, including the application-layer bytes. If the connection is TCP-based, the Connection describes the reassembled stream of packets for that TCP session. Note that Payload is tagged `json:"-"`, so the application-layer bytes are available to analyzers but are not written to the log file.
A Connection is handed to each Analyzer. The Result returned by an Analyzer is stored in the Analyzers map of that Connection under the analyzer's name. Once all Analyzers have run against the Connection, it is marshalled as a JSON object into raw bytes and written to the log file.
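As an added example (not part of the gourmet project's own code), here is a hypothetical analyzer implementing the Analyzer interface described above: its Filter keeps only reassembled TCP streams to port 80, and its Analyze reports requests that send credentials in a cleartext HTTP Basic Authorization header, a finding a sensor of this kind is meant to surface. Because the real package is not importable offline, Connection is reduced to the fields used here, and Result, which this page does not define, is assumed to be an empty interface.

```go
package main

import (
	"bytes"
	"strings"
)
// Stand-ins for the gourmet types above (fields trimmed); Result is not on this page, so interface{} is assumed.
type Result interface{}
type Connection struct {
	DestinationPort int
	TransportType   string
	Payload         *bytes.Buffer
}
type Analyzer interface {
	Filter(c *Connection) bool
	Analyze(c *Connection) (Result, error)
}

// BasicAuthAnalyzer (hypothetical) flags HTTP requests sending credentials in a cleartext Basic header.
type BasicAuthAnalyzer struct{}
type BasicAuthResult struct {
	RequestLine string `json:"request_line"`
	Host        string `json:"host"`
}

// Filter keeps only reassembled TCP streams to port 80 that carry a payload.
func (BasicAuthAnalyzer) Filter(c *Connection) bool {
	return c.TransportType == "TCP" && c.DestinationPort == 80 && c.Payload != nil
}

// Analyze inspects the request headers only; a nil Result means nothing to report.
func (BasicAuthAnalyzer) Analyze(c *Connection) (Result, error) {
	head, _, _ := strings.Cut(c.Payload.String(), "\r\n\r\n") // drop the body
	lines := strings.Split(head, "\r\n")
	res := BasicAuthResult{RequestLine: lines[0]}
	var auth string
	for _, l := range lines[1:] {
		k, v, _ := strings.Cut(l, ":") // header names are case-insensitive
		switch strings.ToLower(k) {
		case "host":
			res.Host = strings.TrimSpace(v)
		case "authorization":
			auth = strings.TrimSpace(v)
		}
	}
	if !strings.HasPrefix(auth, "Basic ") {
		return nil, nil
	}
	return res, nil
}
```

Which exported symbol Gourmet's plugin loader looks up is not stated on this page; simple_analyzer in the project repository shows the expected shape.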