Published: Jan 20, 2020 License: BSD-3-Clause Imports: 6 Imported by: 0

README

surevego


surevego is a Go library to parse Suricata eve.json files with proper marshaling into typed structs.

Please refer to the godoc for usage information or let me know if you need any further assistance.

Install
go get -u github.com/rhaist/surevego
License

BSD-3 Copyright (c) 2017 Robert Haist

Documentation


Constants

This section is empty.

Variables

This section is empty.

Functions

func LoadEveJSONFile

func LoadEveJSONFile(path string) (<-chan EveEvent, <-chan error)

LoadEveJSONFile reads a Suricata eve.json from the given path and returns two channels: one for parsed EveEvents and one for parsing errors. The two channels need to be consumed separately.

Example

package main

import (
	"log"

	"github.com/rhaist/surevego"
)

func main() {
	// LoadEveJSONFile returns two channels: parsed events and parsing errors.
	ee, ec := surevego.LoadEveJSONFile("pathto/eve.json")

	// Fork handling of parsing errors to a goroutine
	go func() {
		for err := range ec {
			log.Fatal("[ERR]", err)
		}
	}()

	// Range over the events and log DNS answers
	for event := range ee {
		if event.DNS != nil && event.DNS.Type == "answer" {
			log.Println(event.DNS)
		}
	}
}
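The two-channel contract above, as an added example that is not surevego's own code: a hypothetical stand-in producer readEve (same shape as LoadEveJSONFile, parsing constructed lines instead of a file) and a consumer that drains both channels concurrently and keeps going past a malformed line rather than calling log.Fatal on the first error. The reduced eveEvent type and the sample lines are assumptions made for this example.

```go
package main

import "encoding/json"

var sampleEve = []string{ // constructed eve.json lines (one JSON object each); the third is deliberately truncated
	`{"event_type":"dns","dns":{"type":"query","rrname":"example.com"}}`,
	`{"event_type":"dns","dns":{"type":"answer","rrname":"example.com"}}`,
	`{"event_type":"dns","dns":{"type":"answer"`,
	`{"event_type":"dns","dns":{"type":"answer","rrname":"example.com"}}`,
}

// eveEvent: hypothetical, reduced stand-in for surevego's EveEvent; encoding/json matches keys to field names case-insensitively, so no tags.
type eveEvent struct{ DNS *struct{ Type, Rrname string } }

// readEve follows LoadEveJSONFile's contract: separate event and error channels, both closed when input ends.
func readEve(lines []string) (<-chan eveEvent, <-chan error) {
	events, errs := make(chan eveEvent), make(chan error)
	go func() {
		defer func() { close(events); close(errs) }()
		for _, line := range lines {
			var ev eveEvent
			if err := json.Unmarshal([]byte(line), &ev); err != nil {
				errs <- err // malformed line: report it and keep parsing, never fatal
				continue
			}
			events <- ev
		}
	}()
	return events, errs
}

// dnsAnswersByName drains both channels concurrently, like the README example, but counts malformed lines instead of aborting on the first one.
func dnsAnswersByName(lines []string) (answers map[string]int, malformed int) {
	ee, ec := readEve(lines)
	done := make(chan struct{})
	go func() { // without a drainer, a producer blocked on errs would stall the events loop below
		for range ec {
			malformed++
		}
		close(done)
	}()
	answers = map[string]int{}
	for ev := range ee {
		if ev.DNS != nil && ev.DNS.Type == "answer" {
			answers[ev.DNS.Rrname]++
		}
	}
	<-done // every error has been counted once the drainer exits
	return answers, malformed
}
```

With the sample above, dnsAnswersByName(sampleEve) returns map[example.com:2] and 1 malformed line.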

Types

type EveEvent

type EveEvent struct {
	Timestamp *suriTime `json:"timestamp"`
	EventType string    `json:"event_type"`
	FlowID    int64     `json:"flow_id,omitempty"`
	InIface   string    `json:"in_iface,omitempty"`
	Vlan      []int     `json:"vlan,omitempty"`
	SrcIP     string    `json:"src_ip,omitempty"`
	SrcPort   int       `json:"src_port,omitempty"`
	DestIP    string    `json:"dest_ip,omitempty"`
	DestPort  int       `json:"dest_port,omitempty"`
	Proto     string    `json:"proto,omitempty"`
	AppProto  string    `json:"app_proto,omitempty"`
	TxID      int       `json:"tx_id,omitempty"`
	TCP       *tcpEvent `json:"tcp,omitempty"`

	PacketInfo struct {
		Linktype int `json:"linktype"`
	} `json:"packet_info,omitempty"`

	// Alert events carry some additional top-level attributes in the JSON model
	Alert            *alertEvent `json:"alert,omitempty"`
	Payload          string      `json:"payload,omitempty"`
	PayloadPrintable string      `json:"payload_printable,omitempty"`
	Stream           int         `json:"stream,omitempty"`
	Packet           string      `json:"packet,omitempty"`

	// SMTP events carry some additional top-level attributes in the JSON model
	SMTP *smtpEvent `json:"smtp,omitempty"`

	// Other sub event_types
	Email    *emailEvent    `json:"email,omitempty"`
	DNS      *dnsEvent      `json:"dns,omitempty"`
	HTTP     *httpEvent     `json:"http,omitempty"`
	Fileinfo *fileinfoEvent `json:"fileinfo,omitempty"`
	Flow     *flowEvent     `json:"flow,omitempty"`
	SSH      *sshEvent      `json:"ssh,omitempty"`
	TLS      *tlsEvent      `json:"tls,omitempty"`
	Stats    *statsEvent    `json:"stats,omitempty"`
}

EveEvent is the large struct that holds one parsed Suricata eve.json log event; the event_type-specific sub-structs are pointers and are nil when that section is absent.
