README
¶
IDMEF for Go
Intrusion Detection Message Exchange Format
Go library for authoring and parsing data in IDMEF format (IETF RFC 4765).
Usage
There are two sets of Message structs, one for authoring and one for parsing. The reason is due to Go's lack of support for parsing XML with tag prefixes.
Authoring
Use the go-idmef (idmef) package structs to create the idmef.Message struct and then call xml.Marshal() or idmef.Message.Bytes().
An example is in the testdata/example_pingofdeath.go file.
Parsing
See unmarshal.ReadFile() function for an example to parse aa IDMEF XML file.
Coverage
- IDMEF-Message
- Alert
- Analyzer
- CreateTime
- DetectTime
- AnalyzerTime
- Source
- Node
- Address
- User
- UserId
- Process
- Service
- Node
- Target
- Node
- Address
- User
- UserId
- Process
- Service
- File
- FileAccess
- Permission
- Linkage
- FileAccess
- Node
- Classification
- Reference
- Assessment
- AdditionalData
- Heartbeat
- Analyzer
- CreateTime
- AdditionalData
- Alert
Examples
The examples in RFC 4765 are included and tested in this repo. Go and XML representations are provided, parsed and compared. The following is a lists of the examples in RFC 4765.
- Denial-of-Service Attacks
- Port Scanning Attacks
- Connection to a Disallowed Service (xml)
- Simple Port Scanning
- Local Attacks
- The "loadmodule" Attack
- The "phf" Attack
- File Modification (xml)
- System Policy Violation (xml)
- Correlated Alerts
- Analyzer Assessments (xml)
- Heartbeat
Notes
idmefis the authoring package and creates XML with theidmeftag.unmarshalis the parsing package which reads in XML files but does not support theidmeftag prefix due to Go issue 9519. Unmarshal or parse a file usingunmarshalto receive a*unmarshal.Messagewhich can then be converted to an authoring struct with*unmarshal.Message.Common().
References
IDMEF
- IETF RFC 4765: Format Details
- IETF RFC 4766: Format Requirements
- IETF RFC 4767: Recommended Transport Protocol (IDXP)
- IDMEF on Wikipedia
- XML Schema-Based Minification for Communication of Security Information and Event
- awesome-idmef
Alternative Formats
Go XML situation
- encoding/xml: support for XML namespace prefixes
- xml namespace prefix issue at go: "To fix that you need to use two structs, one for Unmarshalling and second to Marshalling data"
- Unable to parse xml in GO with : in tags
Other Implementations
Comparisons
Credits
timestamp.Timestamp is based on code from github.com/coreos/mantle under the Apache 2.0 license. This is a large, archived
codebase with many dependencies.
Documentation
¶
Index ¶
- Constants
- type Action
- type AdditionalData
- type Address
- type Alert
- type Analyzer
- type Assessment
- type Classification
- type Confidence
- type File
- type FileAccess
- type Impact
- type Linkage
- type Message
- type Node
- type Permission
- type Process
- type Reference
- type Service
- type Source
- type Target
- type Time
- type User
- type UserId
Constants ¶
View Source
const ( IPV4Addr = "ipv4-addr" IPV4AddrHex = "ipv4-addr-hex" IPV4NetMask = "ipv4-net-mask" CategoryOSDevice = "os-device" LocationConsole = "console" LocationLocal = "local" ServiceDNS = "dns" ServiceFinger = "finger" ServiceLogin = "login" ServiceNIS = "nis" ServiceNISPlus = "nisplus" UserIdTypeCurrentUser = "current-user" UserIdTypeOriginalUser = "original-user" UserIdTypeGroupPrivs = "group-privs" UserIdTypeUserPrivs = "user-privs" OriginUserSpecific = "user-specific" OriginVendorSpecific = "vendor-specific" DateTime = "date-time" StartTime = "start-time" StopTime = "stop-time" )
View Source
const ( XMLNSIDMEFUrl = "http://iana.org/idmef" XMLNSIDMEFVersion = "1.0" )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AdditionalData ¶ added in v0.2.0
type Alert ¶
type Alert struct {
MessageId string `xml:"messageid,attr,omitempty"`
Analyzer Analyzer `xml:"idmef:Analyzer"` // Exactly one.
CreateTime Time `xml:"idmef:CreateTime"` // Exactly one.
DetectTime *Time `xml:"idmef:DetectTime"` // Zero or one
AnalyzerTime *Time `xml:"idmef:AnalyzerTime"` // Zero or one.
Source []Source `xml:"idmef:Source"` // Zero or more.
Target []Target `xml:"idmef:Target"` // Zero or more.
Classification Classification `xml:"idmef:Classification"` // Exactly one.
Assessment *Assessment `xml:"idmef:Assessment"`
AdditionalData []AdditionalData `xml:"idmef:AdditionalData"`
}
type Assessment ¶ added in v0.2.0
type Assessment struct {
Impact *Impact `xml:"idmef:Impact,omitempty"`
Action []Action `xml:"idmef:Action,omitempty"`
Confidence *Confidence `xml:"idmef:Confidence,omitempty"`
}
type Classification ¶
type Confidence ¶ added in v0.2.0
type Confidence struct {
Rating string `xml:"rating,attr,omitempty"`
}
type File ¶ added in v0.2.0
type File struct {
Category string `xml:"category,attr,omitempty"`
FSType string `xml:"fstype,attr,omitempty"`
Name string `xml:"idmef:name,omitempty"`
Path string `xml:"idmef:path,omitempty"`
FileAccess []FileAccess `xml:"idmef:FileAccess,omitempty"`
Linkage *Linkage `xml:"idmef:Linkage,omitempty"`
}
type FileAccess ¶ added in v0.2.0
type FileAccess struct {
UserId *UserId `xml:"idmef:UserId,omitempty"`
Permission []Permission `xml:"idmef:permission,omitempty"`
}
type Message ¶
type Message struct {
XMLName xml.Name `xml:"idmef:IDMEF-Message"`
XMLNSIDMEF string `xml:"xmlns:idmef,attr"`
Version string `xml:"version,attr"`
Alert *Alert `xml:"idmef:Alert"`
}
Message is for authoring. For parsing use `github.com/grokify/go-idmef/unmarshal/Message`.
type Permission ¶ added in v0.2.0
type Permission struct {
Perms string `xml:"perms,attr,omitempty"`
}
type Target ¶ added in v0.2.0
type Target struct {
Ident string `xml:"ident,attr,omitempty"`
Decoy string `xml:"decoy,attr,omitempty"` // Target
Node *Node `xml:"idmef:Node,omitempty"`
User *User `xml:"idmef:User,omitempty"`
Process *Process `xml:"idmef:Process,omitempty"`
Service *Service `xml:"idmef:Service,omitempty"`
File *File `xml:"idmef:File,omitempty"`
}
type Time ¶
func (*Time) InflateNtpStamp ¶
func (t *Time) InflateNtpStamp()
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.