Documentation
Index ¶
- func ActionTriggersAnalysis(action Action) bool
- func New(base mb.BaseMetricSet) (mb.MetricSet, error)
- func ParseProxyURL(raw string) (*url.URL, error)
- type AnalysisReport
- type AnalysisStats
- type AnalysisType
- type AuthenticationResponse
- type Config
- type Digest
- type ErrorResponse
- type Event
- type EventProducer
- type FileLookupResponse
- type HashType
- type Intelix
- type IntelixAnalysisCOnfig
- type IntelixConfig
- type IntelixCredentials
- type IntelixScanner
- type IntelixUrls
- type JobStatus
- type Metadata
- type MetricSet
- type QueryStat
- type QueryType
- type Report
- type Source
- type Type
Functions ¶
func ActionTriggersAnalysis ¶
func ActionTriggersAnalysis(action Action) bool
Types ¶
type AnalysisReport ¶
type AnalysisStats ¶
// AnalysisStats aggregates timing information for the queries issued while
// an analysis is run. Entries are added through AddQueryStat, which takes
// the queried URL and the elapsed duration; TotalSeconds is presumably the
// running sum of those durations — confirm against AddQueryStat's body.
type AnalysisStats struct {
	TotalSeconds float64     `json:"total_seconds"` // Total query time in seconds.
	QueryStats   []QueryStat `json:"query_stats"`   // One entry per recorded query.
}
func (*AnalysisStats) AddQueryStat ¶
func (stats *AnalysisStats) AddQueryStat(url *url.URL, d time.Duration)
type AnalysisType ¶
// AnalysisType selects the kind of Intelix analysis requested (see the
// STATIC and DYNAMIC constants); it is passed to Intelix.Analysis.
type AnalysisType string
// Known analysis types. The string values are the wire/config spellings.
const (
	STATIC  AnalysisType = "static"  // Static (non-executing) analysis of the submitted file.
	DYNAMIC AnalysisType = "dynamic" // Dynamic analysis; the Report type carries detonation fields for it.
)
type AuthenticationResponse ¶
type Config ¶
// Config contains the configuration parameters for the file integrity metricset.
//
// Fields tagged `config:",ignore"` are not read from the configuration file;
// they appear to be the parsed numeric forms of the neighbouring string
// fields (MaxFileSize -> MaxFileSizeBytes, ScanRatePerSec ->
// ScanRateBytesPerSec) — confirm in the config validation code.
type Config struct {
	Paths               []string      `config:"paths" validate:"required"`   // Directories/files to monitor.
	HashTypes           []HashType    `config:"hash_types"`                  // Hashes computed for each file (see HashType constants).
	MaxFileSize         string        `config:"max_file_size"`               // Human-readable size limit for hashing.
	MaxFileSizeBytes    uint64        `config:",ignore"`                     // Presumably MaxFileSize parsed to bytes; passed to NewEvent as maxFileSize.
	ScanAtStart         bool          `config:"scan_at_start"`               // Whether an initial scan runs when the metricset starts.
	ScanRatePerSec      string        `config:"scan_rate_per_sec"`           // Human-readable scan throughput limit.
	ScanRateBytesPerSec uint64        `config:",ignore"`                     // Presumably ScanRatePerSec parsed to bytes/second.
	Recursive           bool          `config:"recursive"`                   // Recursive enables recursive monitoring of directories.
	ExcludeFiles        []match.Matcher `config:"exclude_files"`             // Regular expressions; see IsExcludedPath.
	IncludeFiles        []match.Matcher `config:"include_files"`             // Regular expressions; see IsIncludedPath.
	Intelix             IntelixConfig `config:"intelix" validate:"required"` // Sophos Intelix lookup/analysis settings (credentials, URLs, thresholds).
}
Config contains the configuration parameters for the file integrity metricset.
func (*Config) IsExcludedPath ¶
IsExcludedPath reports whether a path matches the exclude_files regular expressions.
func (*Config) IsIncludedPath ¶
IsIncludedPath reports whether a path matches the include_files regular expressions.
type Digest ¶
// Digest is the raw output of a hash function. MarshalText renders it as
// hexadecimal, so it appears as a hex string in JSON (see Event.Hashes).
type Digest []byte
Digest is the output of a hash function.
func (Digest) MarshalText ¶
MarshalText encodes the digest to a hexadecimal representation of itself.
type ErrorResponse ¶
type Event ¶
// Event describes a filesystem change and includes metadata about the file.
//
// Events are built by NewEvent / NewEventFromFileInfo; any error that occurs
// while building one is carried inside the Event rather than returned.
type Event struct {
	Timestamp     time.Time              `json:"timestamp"`             // Time of event.
	Path          string                 `json:"path"`                  // The path associated with the event.
	TargetPath    string                 `json:"target_path,omitempty"` // Target path for symlinks.
	Info          *Metadata              `json:"info"`                  // File metadata (if the file exists).
	Source        Source                 `json:"source"`                // Source of the event.
	Action        Action                 `json:"action"`                // Action (like created, updated).
	Hashes        map[HashType]Digest    `json:"hash,omitempty"`        // File hashes, keyed by algorithm; bounded by Config.MaxFileSize.
	LookupResults map[string]interface{} `json:"intelix,omitempty"`     // Intelix lookup results. Untyped data received from the external service and attached via AddLookupResult; treat it as untrusted input downstream.
	// contains filtered or unexported fields
}
Event describes a filesystem change and includes metadata about the file.
func NewEvent ¶
func NewEvent( path string, action Action, source Source, maxFileSize uint64, hashTypes []HashType, ) Event
NewEvent creates a new Event. Any errors that occur are included in the returned Event.
func NewEventFromFileInfo ¶
func NewEventFromFileInfo( path string, info os.FileInfo, err error, action Action, source Source, maxFileSize uint64, hashTypes []HashType, ) Event
NewEventFromFileInfo creates a new Event based on data from an os.FileInfo object that has already been created. Any errors that occur are included in the returned Event.
func (*Event) AddLookupResult ¶
type EventProducer ¶
// EventProducer produces events.
//
// Implementations own the goroutine(s) that generate events; the done
// channel is the only stop signal, so callers must close it (and keep
// draining the event channel) to avoid leaking the producer.
type EventProducer interface {
	// Start starts the event producer and writes events to the returned
	// channel. When the producer is finished it will close the returned
	// channel. If the returned event channel is not drained the producer will
	// block (possibly causing data loss). The producer can be stopped
	// prematurely by closing the provided done channel. An error is returned
	// if the producer fails to start.
	Start(done <-chan struct{}) (<-chan Event, error)
}
EventProducer produces events.
type FileLookupResponse ¶
type HashType ¶
// HashType identifies a hash algorithm by its config/JSON name (see the
// constants below). Not every listed algorithm is cryptographically strong;
// see the notes on the constant block.
type HashType string
HashType identifies a cryptographic algorithm.
// Enum of hash types. The string values are the config and JSON spellings.
//
// NOTE(review): MD5 and SHA1 are not collision resistant and XXH64 is a
// non-cryptographic checksum; they are adequate for detecting accidental
// change but not as evidence against a deliberate substitution. Intelix
// lookups key on SHA256 (see IntelixScanner.MalwareLookup), so SHA256
// presumably must be among Config.HashTypes for lookups to work — confirm.
const (
	BLAKE2B_256 HashType = "blake2b_256"
	BLAKE2B_384 HashType = "blake2b_384"
	BLAKE2B_512 HashType = "blake2b_512"
	MD5         HashType = "md5"
	SHA1        HashType = "sha1"
	SHA224      HashType = "sha224"
	SHA256      HashType = "sha256"
	SHA384      HashType = "sha384"
	SHA3_224    HashType = "sha3_224"
	SHA3_256    HashType = "sha3_256"
	SHA3_384    HashType = "sha3_384"
	SHA3_512    HashType = "sha3_512"
	SHA512      HashType = "sha512"
	SHA512_224  HashType = "sha512_224"
	SHA512_256  HashType = "sha512_256"
	XXH64       HashType = "xxh64"
)
Enum of hash types.
type Intelix ¶
// Intelix is the concrete IntelixScanner returned by NewIntelix. It holds
// the client state (credentials, URLs, timeouts from IntelixConfig —
// presumably; the fields are unexported) used by MalwareLookup and Analysis.
type Intelix struct {
	// contains filtered or unexported fields
}
func (*Intelix) Analysis ¶
func (i *Intelix) Analysis(analysisType AnalysisType, size uint64, filePath string) (*AnalysisReport, error)
func (*Intelix) MalwareLookup ¶
func (i *Intelix) MalwareLookup(sha256 Digest) (*FileLookupResponse, error)
type IntelixAnalysisCOnfig ¶
// IntelixAnalysisCOnfig holds the per-analysis-type settings (one instance
// each for static and dynamic analysis in IntelixConfig).
//
// MinSize/MaxSize bound the files eligible for submission; since Analysis
// takes a file path, eligible file contents are presumably uploaded to the
// external service — review which paths are in scope before enabling.
// ReportPollInterval and AnalysisTimeout are plain ints with no unit in the
// declaration — confirm the unit (seconds?) in the code that uses them.
//
// NOTE(review): the identifier's capitalisation ("COnfig") looks like a typo;
// renaming it is an API change and is not done here.
type IntelixAnalysisCOnfig struct {
	// TODO: use human friendly units, https://godoc.org/github.com/alecthomas/units
	MinSize            uint64 `config:"min_size" validate:"required"`             // Smallest file (bytes) submitted for analysis.
	MaxSize            uint64 `config:"max_size" validate:"required"`             // Largest file (bytes) submitted for analysis.
	ReportPollInterval int    `config:"report_poll_interval" validate:"required"` // How often the report is polled (unit not stated here).
	AnalysisTimeout    int    `config:"analysis_timeout" validate:"required"`     // Give-up limit for an analysis (unit not stated here).
}
type IntelixConfig ¶
// IntelixConfig configures the Sophos Intelix integration: API credentials,
// endpoint URLs, a query timeout and the thresholds used to decide when a
// lookup result should trigger a static or dynamic analysis (see
// ActionTriggersAnalysis and the threshold fields below).
//
// NOTE(review): "StaticAnalysisConig" looks like a misspelling of "Config";
// the config key "static_analysis" is unaffected, and the field is left as
// is because renaming it changes the exported API.
type IntelixConfig struct {
	Credentials                       IntelixCredentials     `config:"credentials" validate:"required"`                         // API credentials; keep out of logs and event output.
	Urls                              IntelixUrls            `config:"urls" validate:"required"`                                // Service endpoints.
	QueryTimeout                      int                    `config:"query_timeout" validate:"required"`                       // Lookup timeout (unit not stated in the declaration — confirm).
	StaticAnalysisReputationThreshold int                    `config:"static_analysis_reputation_threshold" validate:"required"` // Reputation score at or below which static analysis is presumably requested — confirm direction.
	DynamicAnalysisScoreThreshold     int                    `config:"dynamic_analysis_score_threshold" validate:"required"`     // Static score at which dynamic analysis is presumably requested — confirm direction.
	StaticAnalysisConig               IntelixAnalysisCOnfig  `config:"static_analysis" validate:"required"`                     // Size bounds and timing for static analysis.
	DynamicAnalysisConfig             IntelixAnalysisCOnfig  `config:"dynamic_analysis" validate:"required"`                    // Size bounds and timing for dynamic analysis.
}
type IntelixCredentials ¶
type IntelixScanner ¶
// IntelixScanner is the client-side contract for the Intelix service;
// *Intelix implements it and NewIntelix returns it. Defining the interface
// lets the metricset be tested with a fake scanner instead of live calls.
type IntelixScanner interface {
	// MalwareLookup queries the reputation of a file by its SHA-256 digest.
	// Only the hash leaves the host in this call.
	MalwareLookup(sha256 Digest) (*FileLookupResponse, error)
	// Analysis requests a static or dynamic analysis for the file at filePath
	// (size is the file size in bytes, presumably checked against the
	// configured Min/MaxSize) and returns the resulting report.
	Analysis(analysisType AnalysisType, size uint64, filePath string) (*AnalysisReport, error)
}
func NewIntelix ¶
func NewIntelix(c *IntelixConfig) (IntelixScanner, error)
type IntelixUrls ¶
type JobStatus ¶
// JobStatus is the status string reported for an Intelix analysis job; the
// concrete values are not shown in this listing.
type JobStatus string
type Metadata ¶
// Metadata contains file metadata as captured at event time.
//
// Ownership is recorded both numerically (UID/GID) and by name
// (Owner/Group); SID is presumably the Windows security identifier and is
// empty on POSIX — confirm in the platform-specific collectors.
type Metadata struct {
	Inode  uint64      `json:"inode"`  // Inode number (filesystem-specific).
	UID    uint32      `json:"uid"`    // Numeric owner id.
	GID    uint32      `json:"gid"`    // Numeric group id.
	SID    string      `json:"sid"`    // Security identifier (presumably Windows only).
	Owner  string      `json:"owner"`  // Owner name.
	Group  string      `json:"group"`  // Group name.
	Size   uint64      `json:"size"`   // File size in bytes.
	MTime  time.Time   `json:"mtime"`  // Last modification time.
	CTime  time.Time   `json:"ctime"`  // Last metadata change time.
	Type   Type        `json:"type"`   // File type (dir, file, symlink).
	Mode   os.FileMode `json:"mode"`   // Permissions
	SetUID bool        `json:"setuid"` // setuid bit (POSIX only)
	SetGID bool        `json:"setgid"` // setgid bit (POSIX only)
	Origin []string    `json:"origin"` // External origin info for the file (MacOS only)
}
Metadata contains file metadata.
type MetricSet ¶
// MetricSet for monitoring file integrity. Created by New; Run drives the
// event producer(s) and pushes events to the reporter until
// reporter.Done() is closed.
type MetricSet struct {
	mb.BaseMetricSet
	// contains filtered or unexported fields
}
MetricSet for monitoring file integrity.
func (*MetricSet) Run ¶
func (ms *MetricSet) Run(reporter mb.PushReporterV2)
Run runs the MetricSet. The method will not return control to the caller until it is finished (to stop it close the reporter.Done() channel).
type Report ¶
// Report is the decoded Intelix analysis report. Most fields are interface{}
// because the service's JSON shape is not modelled here; the values are
// data received from an external service and should be handled as
// untrusted input when indexed or displayed.
//
// The four "common" fields carry no json tag, so encoding/json uses the Go
// field name when encoding and case-insensitive matching when decoding.
type Report struct {
	// Common fields
	Submission      string      // Submission identifier as returned by the service.
	AnalysisType    string      // "static" or "dynamic" (presumably mirrors AnalysisType).
	AnalysisSubject interface{} // Description of the analysed object.
	Score           int         // Overall score; compared against the configured thresholds — confirm scale.
	// Static analysis fields
	AnalysisSummary    interface{} `json:"analysis_summary,omitempty"`
	ContainerAnalysis  interface{} `json:"container_analysis,omitempty"`
	Detection          interface{} `json:"detection,omitempty"`
	DocumentAnalysis   interface{} `json:"document_analysis,omitempty"`
	MlAggregateResults interface{} `json:"ml_aggregate_results,omitempty"`
	MlFile             interface{} `json:"ml_file,omitempty"`
	MlFilepath         interface{} `json:"ml_filepath,omitempty"`
	MlInputs           interface{} `json:"ml_inputs,omitempty"`
	PeAnalysis         interface{} `json:"pe_analysis,omitempty"`
	Reputation         interface{} `json:"reputation,omitempty"`
	Target             interface{} `json:"target,omitempty"`
	// Dynamic analysis Fields
	MaliciousActivity        interface{}    `json:"malicious_activity,omitempty"`
	MaliciousClassifications interface{}    `json:"malicious_classifications,omitempty"`
	DetonationInfo           interface{}    `json:"detonation_info,omitempty"`
	Files                    interface{}    `json:"files,omitempty"`
	Processes                interface{}    `json:"processes,omitempty"`
	Registry                 interface{}    `json:"registry,omitempty"`
	Network                  interface{}    `json:"network,omitempty"`
	Screenshots              []string       `json:"screenshots,omitempty"` // Screenshot references; whether these are URLs or inline data is not shown here.
	ScreenshotMap            map[int]string `json:"screenshot,omitempty"`  // Keyed by index; encoding/json represents int keys as decimal strings.
	ActivityTree             interface{}    `json:"activity_tree,omitempty"`
}
type Source ¶
// Source identifies the source of an event (i.e. what triggered it). It is
// serialised by MarshalText, so JSON carries a name rather than the number.
type Source uint8
Source identifies the source of an event (i.e. what triggered it).
func (Source) MarshalText ¶
MarshalText marshals the Source to a textual representation of itself.
type Type ¶
// Type identifies the file type (e.g. dir, file, symlink). It is serialised
// by MarshalText, so JSON carries a name rather than the number.
type Type uint8
Type identifies the file type (e.g. dir, file, symlink).
// Enum of possible file.Types. The iota order is part of the on-the-wire
// numeric value for anything that does not go through MarshalText, so new
// entries belong at the end.
const (
	UnknownType Type = iota // Typically seen in deleted notifications where the object is gone.
	FileType
	DirType
	SymlinkType
)
Enum of possible file.Types.
func (Type) MarshalText ¶
MarshalText marshals the Type to a textual representation of itself.