ece

package
v0.0.0-...-050fa5c
Warning

This package is not in the latest version of its module.

Published: Dec 2, 2019 | License: Apache-2.0 | Imports: 25 | Imported by: 0

Documentation

Constants

const ECE_TLS_CRT_PATH_ENV_VAR = "ECE_TLS_CRT_PATH"
const ECE_TLS_KEY_PATH_ENV_VAR = "ECE_TLS_KEY_PATH"

Variables

This section is empty.

Functions

This section is empty.

Types

type ECE

type ECE struct {
	sync.RWMutex
	Events map[string]*Event

	Ttl     time.Duration
	Debug   bool
	Address string
	// contains filtered or unexported fields
}

ECE is the Event Correlation Engine itself.

func NewECE

func NewECE(maxAge time.Duration, logFile string, maxLogSize int, maxLogBackups int, maxLogAge int, logCompress bool, address string) *ECE

NewECE creates a new ECE.

func (*ECE) AddEvent

func (ece *ECE) AddEvent(message string) (err error)

AddEvent parses the event text, then looks it up in the internal cache. If it is there, it adds the appropriate record to the existing event. If not, it creates one and sets its timeout.

func (*ECE) DelayNotify

func (ece *ECE) DelayNotify(reqId string)

DelayNotify is intended to run from a goroutine. It sets a timer equal to the ttl, and then writes the event after the timer expires.
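
The flow that AddEvent and DelayNotify describe, as an added sketch that is not the package's own code: entries are cached by request id, and the first entry for an id arms a timer that evicts and emits the merged event after the ttl. The `correlator` type, its `add` method, the "req"/"waf" event_type values and the sample lines are assumptions; only the JSON tag names come from the structs on this page, and the merged event is kept as one flat list.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sync"
	"time"
)

type entry struct {
	EventType string `json:"event_type"` // "req" / "waf" are assumed values
	RequestId string `json:"request_id"`
	RuleId    string `json:"rule_id"`
	ReqURI    string `json:"req_uri"`
}

type correlator struct {
	mu     sync.Mutex
	events map[string][]entry // request id -> entries seen so far
	ttl    time.Duration
	out    chan []entry // merged events, emitted once each
}

// add parses a line; the first entry for a request id arms a one-shot ttl timer.
func (c *correlator) add(line string) error {
	var e entry
	if err := json.Unmarshal([]byte(line), &e); err != nil || e.RequestId == "" {
		return fmt.Errorf("no usable request_id (parse error: %v)", err)
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	if _, cached := c.events[e.RequestId]; !cached {
		time.AfterFunc(c.ttl, func() { // on expiry: evict, then emit
			c.mu.Lock()
			ev := c.events[e.RequestId]
			delete(c.events, e.RequestId)
			c.mu.Unlock()
			c.out <- ev
		})
	}
	c.events[e.RequestId] = append(c.events[e.RequestId], e)
	return nil
}

func main() {
	c := &correlator{events: map[string][]entry{}, ttl: 50 * time.Millisecond, out: make(chan []entry, 1)}
	c.add(`{"event_type":"waf","request_id":"r1","rule_id":"1001"}`) // constructed lines
	c.add(`{"event_type":"req","request_id":"r1","req_uri":"/login"}`)
	fmt.Println(len(<-c.out), "entries merged for r1")
}
```

In this sketch a line that arrives after the timer has fired starts a new event for the same request id, so a ttl shorter than the gap between a request's log lines splits that request across several output records.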

func (*ECE) RemoveEvent

func (ece *ECE) RemoveEvent(reqId string) *Event

RemoveEvent removes the event from the internal cache.

func (*ECE) RetrieveEvent

func (ece *ECE) RetrieveEvent(reqId string) *Event

RetrieveEvent returns the event for the request id, or nil if it doesn't exist.

func (*ECE) Shutdown

func (ece *ECE) Shutdown() (err error)

func (*ECE) Start

func (ece *ECE) Start() (err error)

func (*ECE) Wait

func (ece *ECE) Wait()

func (*ECE) WriteEvent

func (ece *ECE) WriteEvent(reqId string) (err error)

WriteEvent writes the event to the log.

type Event

type Event struct {
	WafEntries     []WafEntry
	RequestEntries []RequestEntry
	// contains filtered or unexported fields
}

Event is a struct representing an entire firewall event, generally containing 1 web event and 0 or more WAF events.

type OutputEvent

type OutputEvent struct {
	ServiceId            string      `json:"service_id"`
	RequestId            string      `json:"request_id"`
	StartTime            string      `json:"start_time"`
	FastlyInfo           string      `json:"fastly_info"`
	Datacenter           string      `json:"datacenter"`
	ClientIp             string      `json:"client_ip"`
	ReqMethod            string      `json:"req_method"`
	ReqURI               string      `json:"req_uri"`
	ReqHHost             string      `json:"req_h_host"`
	ReqHUserAgent        string      `json:"req_h_user_agent"`
	ReqHAcceptEncoding   string      `json:"req_h_accept_encoding"`
	ReqHeaderBytes       string      `json:"req_header_bytes"`
	ReqBodyBytes         string      `json:"req_body_bytes"`
	RuleIds              []int       `json:"rule_ids"`
	WafLogged            string      `json:"waf_logged"`
	WafBlocked           string      `json:"waf_blocked"`
	WafFailures          string      `json:"waf_failures"`
	WafExecuted          string      `json:"waf_executed"`
	AnomalyScore         string      `json:"anomaly_score"`
	SqlInjectionScore    string      `json:"sql_injection_score"`
	RfiScore             string      `json:"rfi_score"`
	LfiScore             string      `json:"lfi_score"`
	RceScore             string      `json:"rce_score"`
	PhpInjectionScore    string      `json:"php_injection_score"`
	SessionFixationScore string      `json:"session_fixation_score"`
	HTTPViolationScore   string      `json:"http_violation_score"`
	XSSScore             string      `json:"xss_score"`
	RespStatus           string      `json:"resp_status"`
	RespBytes            string      `json:"resp_bytes"`
	RespHeaderBytes      string      `json:"resp_header_bytes"`
	RespBodyBytes        string      `json:"resp_body_bytes"`
	WafEvents            []OutputWaf `json:"waf_events"`
	ThrottlingRule       string      `json:"throttling_rule"`
	Throttled            int         `json:"throttled"`
	TlsProtocol          string      `json:"tls_protocol"`
	TlsCipher            string      `json:"tls_cipher"`
}

OutputEvent is simply the marshal format for the merged output event.

type OutputWaf

type OutputWaf struct {
	RuleId       string `json:"rule_id"`
	Severity     string `json:"severity"`
	AnomalyScore string `json:"anomaly_score"`
	LogData      string `json:"logdata"`
	WafMessage   string `json:"waf_message"`
}

OutputWaf is the output format for the WAF event.

type RequestEntry

type RequestEntry struct {
	EventType            string `json:"event_type"`
	ServiceId            string `json:"service_id"`
	RequestId            string `json:"request_id"`
	StartTime            string `json:"start_time"`
	FastlyInfo           string `json:"fastly_info"`
	Datacenter           string `json:"datacenter"`
	ClientIp             string `json:"client_ip"`
	ReqMethod            string `json:"req_method"`
	ReqURI               string `json:"req_uri"`
	ReqHHost             string `json:"req_h_host"`
	ReqHUserAgent        string `json:"req_h_user_agent"`
	ReqHAcceptEncoding   string `json:"req_h_accept_encoding"`
	ReqHeaderBytes       string `json:"req_header_bytes"`
	ReqBodyBytes         string `json:"req_body_bytes"`
	WafLogged            string `json:"waf_logged"`
	WafBlocked           string `json:"waf_blocked"`
	WafFailures          string `json:"waf_failures"`
	WafExecuted          string `json:"waf_executed"`
	AnomalyScore         string `json:"anomaly_score"`
	SqlInjectionScore    string `json:"sql_injection_score"`
	RfiScore             string `json:"rfi_score"`
	LfiScore             string `json:"lfi_score"`
	RceScore             string `json:"rce_score"`
	PhpInjectionScore    string `json:"php_injection_score"`
	SessionFixationScore string `json:"session_fixation_score"`
	HTTPViolationScore   string `json:"http_violation_score"`
	XSSScore             string `json:"xss_score"`
	RespStatus           string `json:"resp_status"`
	RespBytes            string `json:"resp_bytes"`
	RespHeaderBytes      string `json:"resp_header_bytes"`
	RespBodyBytes        string `json:"resp_body_bytes"`
	ThrottlingRule       string `json:"throttling_rule"`
	TlsProtocol          string `json:"tls_protocol"`
	TlsCipher            string `json:"tls_cipher"`
}

RequestEntry is a struct representing a web event.

func UnmarshalWeb

func UnmarshalWeb(message string) (web RequestEntry, err error)

UnmarshalWeb unmarshals the log JSON into a RequestEntry object.

type WafEntry

type WafEntry struct {
	EventType    string `json:"event_type"`
	RequestId    string `json:"request_id"`
	RuleId       string `json:"rule_id"`
	Severity     string `json:"severity"`
	AnomalyScore string `json:"anomaly_score"`
	LogData      string `json:"logdata"`
	WafMessage   string `json:"waf_message"`
}

WafEntry is a struct representing a WAF log entry.

func UnmarshalWaf

func UnmarshalWaf(message string) (waf WafEntry, err error)

UnmarshalWaf unmarshals the log JSON into a WafEntry object.
