Documentation ¶
Index ¶
- func SetupProcessors(s state.State, k *koanf.Koanf, inputPubSub *input.PubSub, ...)
- type Base64
- type BeaconingDetector
- type CSVFQDN
- type CSVFQDNRow
- type CSVIP
- type MISPWarningCIDR
- type MISPWarningFQDN
- type MixedCase
- type MultiQ
- type Processor
- func NewBase64Decetor(s state.State, name string) (Processor, error)
- func NewBeaconingDetector(s state.State, name string) (Processor, error)
- func NewCSVCIDR(s state.State, path string, name string) (Processor, error)
- func NewCSVFQDN(s state.State, path string, name string) (Processor, error)
- func NewDummyProcessor(s state.State) Processor
- func NewMixedCaseDecetor(s state.State, name string) (Processor, error)
- func NewMultiQ(s state.State) (Processor, error)
- func NewRateDetector(s state.State, name string, window time.Duration, qtype []int, rcodes []int, ...) (Processor, error)
- func NewRebindingDetector(s state.State, name string) (Processor, error)
- type RateDetector
- type RebindingDetector
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Base64 ¶
type Base64 struct {
// contains filtered or unexported fields
}
func (Base64) ProvideAlarms ¶
type BeaconingDetector ¶
type BeaconingDetector struct {
// contains filtered or unexported fields
}
func (BeaconingDetector) ProvideAlarms ¶
func (p BeaconingDetector) ProvideAlarms() chan alarm.Alarm
func (BeaconingDetector) Run ¶
func (p BeaconingDetector) Run(events chan dnszilla.DNSResult)
type CSVFQDN ¶
type CSVFQDN struct {
// contains filtered or unexported fields
}
func (CSVFQDN) ProvideAlarms ¶
type CSVFQDNRow ¶
type CSVIP ¶
type CSVIP struct {
// contains filtered or unexported fields
}
func (CSVIP) ProvideAlarms ¶
type MISPWarningCIDR ¶
type MISPWarningCIDR struct {
// contains filtered or unexported fields
}
func NewMISPWarningCIDR ¶
func NewMISPWarningCIDR(s state.State, path string, name string, alarmMsgTmpl string) (MISPWarningCIDR, error)
NewMISPWarningCIDR creates a new MISP warning processor. Each hit of FQDN will generate an alarm. Unlike the CSV processors, MISP's default JSON format is not edited or created by dnszilla's user, so the constructor also accepts an alarm template in `gotemplate` format.
func (MISPWarningCIDR) ProvideAlarms ¶
func (m MISPWarningCIDR) ProvideAlarms() chan alarm.Alarm
func (MISPWarningCIDR) Run ¶
func (m MISPWarningCIDR) Run(events chan dnszilla.DNSResult)
type MISPWarningFQDN ¶
type MISPWarningFQDN struct {
// contains filtered or unexported fields
}
func NewMISPWarningFQDN ¶
func NewMISPWarningFQDN(s state.State, path string, name string, alarmMsgTmpl string) (MISPWarningFQDN, error)
NewMISPWarningFQDN creates a new MISP warning processor. Each hit of FQDN will generate an alarm. Unlike the CSV processors, MISP's default JSON format is not edited or created by dnszilla's user, so the constructor also accepts an alarm template in `gotemplate` format.
func (MISPWarningFQDN) ProvideAlarms ¶
func (m MISPWarningFQDN) ProvideAlarms() chan alarm.Alarm
func (MISPWarningFQDN) Run ¶
func (m MISPWarningFQDN) Run(events chan dnszilla.DNSResult)
type MixedCase ¶
type MixedCase struct {
// contains filtered or unexported fields
}
func (MixedCase) ProvideAlarms ¶
type MultiQ ¶
type MultiQ struct {
// contains filtered or unexported fields
}
MultiQ is used to detect DNS packets that have more than one question.
func (MultiQ) ProvideAlarms ¶
type Processor ¶
type Processor interface {
	// Run starts the processor; it receives DNS results on events.
	// NOTE(review): whether Run blocks for the processor's lifetime or
	// returns after spawning its own goroutine is implementation-defined — confirm per processor.
	Run(events chan dnszilla.DNSResult)
	// ProvideAlarms returns the channel that the processor will send alarms to.
	ProvideAlarms() chan alarm.Alarm
}
func NewBeaconingDetector ¶
func NewCSVCIDR ¶
NewCSVCIDR creates a new CSV processor for a list of CIDRs/IPs. Each row can optionally have a different alarm message. Example:
1.1.1.1,{{ range $q := .DNS.Question}}{{$q.Name}}{{end}}
192.168.1.0/24,{{ range $q := .DNS.Question}}{{$q.Name}}{{end}}
The CSV rows above will match any DNS query that ends with google.com and will emit an alarm containing the DNS question. Please note that the CSV does not have a header row, and the order of the columns is important.
func NewCSVFQDN ¶
NewCSVFQDN creates a new CSV processor for a list of (partial) FQDNs. Each row can optionally have a different alarm message. Example:
google.com.,suffix,{{ range $q := .DNS.Question}}{{$q.Name}}{{end}}
The CSV row above will match any DNS query that ends with google.com and will emit an alarm containing the DNS question. Please note that the CSV does not have a header row, and the order of the columns is important.
func NewDummyProcessor ¶
type RateDetector ¶
type RateDetector struct {
// contains filtered or unexported fields
}
RateDetector is designed to alarm based on the number of particular DNS events from a source IP within a period of time.
func (RateDetector) ProvideAlarms ¶
func (r RateDetector) ProvideAlarms() chan alarm.Alarm
func (RateDetector) Run ¶
func (r RateDetector) Run(events chan dnszilla.DNSResult)
type RebindingDetector ¶
type RebindingDetector struct {
// contains filtered or unexported fields
}
func (RebindingDetector) ProvideAlarms ¶
func (r RebindingDetector) ProvideAlarms() chan alarm.Alarm
func (RebindingDetector) Run ¶
func (r RebindingDetector) Run(events chan dnszilla.DNSResult)