Index ¶
- func ActionTriggersAnalysis(action Action) bool
- func New(base mb.BaseMetricSet) (mb.MetricSet, error)
- func ParseProxyURL(raw string) (*url.URL, error)
- type AnalysisReport
- type AnalysisStats
- type AnalysisType
- type AuthenticationResponse
- type Config
- type Digest
- type ErrorResponse
- type Event
- type EventProducer
- type FileLookupResponse
- type HashType
- type Intelix
- type IntelixAnalysisCOnfig
- type IntelixConfig
- type IntelixCredentials
- type IntelixScanner
- type IntelixUrls
- type JobStatus
- type Metadata
- type MetricSet
- type QueryStat
- type QueryType
- type Report
- type Source
- type Type
Functions ¶
func ActionTriggersAnalysis ¶
func ActionTriggersAnalysis(action Action) bool
Types ¶
type AnalysisReport ¶
type AnalysisStats ¶
// AnalysisStats records timing for one analysis: the overall elapsed time plus
// one QueryStat per request made to the service (presumably appended by
// AddQueryStat, which takes the queried URL and its duration).
type AnalysisStats struct {
	TotalSeconds float64     `json:"total_seconds"` // Overall elapsed time, in seconds.
	QueryStats   []QueryStat `json:"query_stats"`   // Per-query timing entries; nil encodes as JSON null.
}
func (*AnalysisStats) AddQueryStat ¶
func (stats *AnalysisStats) AddQueryStat(url *url.URL, d time.Duration)
type AnalysisType ¶
// AnalysisType selects which kind of Intelix analysis is requested through
// Intelix.Analysis / IntelixScanner.Analysis; see the STATIC and DYNAMIC
// constants for the accepted values.
type AnalysisType string
// Values of AnalysisType accepted by Analysis. The string values are the wire
// form sent to the service, so they must not be changed.
const (
	STATIC  AnalysisType = "static"  // Static (file inspection) analysis; fills the "Static analysis fields" of Report.
	DYNAMIC AnalysisType = "dynamic" // Dynamic (detonation) analysis; fills the "Dynamic analysis" fields of Report.
)
type AuthenticationResponse ¶
type Config ¶
// Config contains the configuration parameters for the file integrity metricset.
//
// Fields tagged `config:",ignore"` are never read from the configuration file;
// they are filled in by the package itself (presumably the parsed form of the
// string field that precedes each of them — confirm against the config loader).
type Config struct {
	Paths               []string        `config:"paths" validate:"required"`   // Paths to monitor; the only required top-level field besides Intelix.
	HashTypes           []HashType      `config:"hash_types"`                  // Hash algorithms computed per file; passed to NewEvent as hashTypes.
	MaxFileSize         string          `config:"max_file_size"`               // Upper bound on hashed file size, as a string.
	MaxFileSizeBytes    uint64          `config:",ignore"`                     // Not read from config; presumably MaxFileSize in bytes, passed to NewEvent as maxFileSize.
	ScanAtStart         bool            `config:"scan_at_start"`               // Whether to scan the configured paths when the metricset starts.
	ScanRatePerSec      string          `config:"scan_rate_per_sec"`           // Scan throughput limit, as a string.
	ScanRateBytesPerSec uint64          `config:",ignore"`                     // Not read from config; presumably ScanRatePerSec in bytes/s.
	Recursive           bool            `config:"recursive"`                   // Recursive enables recursive monitoring of directories.
	ExcludeFiles        []match.Matcher `config:"exclude_files"`               // Regular expressions; IsExcludedPath reports whether a path matches any of them.
	IncludeFiles        []match.Matcher `config:"include_files"`               // Regular expressions; IsIncludedPath reports whether a path matches any of them.
	Intelix             IntelixConfig   `config:"intelix" validate:"required"` // Intelix lookup/analysis settings (required).
}
func (*Config) IsExcludedPath ¶
IsExcludedPath checks if a path matches the exclude_files regular expressions.
func (*Config) IsIncludedPath ¶
IsIncludedPath checks if a path matches the include_files regular expressions.
type Digest ¶
// Digest is the output of a hash function. MarshalText encodes it as the
// hexadecimal representation of the bytes, which is how it appears in the
// Event "hash" map.
type Digest []byte
func (Digest) MarshalText ¶
MarshalText encodes the digest to a hexadecimal representation of itself.
type ErrorResponse ¶
type Event ¶
// Event describes the filesystem change and includes metadata about the file.
type Event struct {
	Timestamp     time.Time              `json:"timestamp"`             // Time of event.
	Path          string                 `json:"path"`                  // The path associated with the event.
	TargetPath    string                 `json:"target_path,omitempty"` // Target path for symlinks.
	Info          *Metadata              `json:"info"`                  // File metadata (if the file exists); a nil pointer encodes as JSON null.
	Source        Source                 `json:"source"`                // Source of the event.
	Action        Action                 `json:"action"`                // Action (like created, updated).
	Hashes        map[HashType]Digest    `json:"hash,omitempty"`        // File hashes keyed by algorithm; each Digest marshals as hex.
	LookupResults map[string]interface{} `json:"intelix,omitempty"`     // Intelix lookup results: untyped data returned by the external service (presumably set via AddLookupResult), so consumers must not assume its shape.
	// contains filtered or unexported fields
}
func NewEvent ¶
func NewEvent( path string, action Action, source Source, maxFileSize uint64, hashTypes []HashType, ) Event
NewEvent creates a new Event. Any errors that occur are included in the returned Event.
func NewEventFromFileInfo ¶
func NewEventFromFileInfo( path string, info os.FileInfo, err error, action Action, source Source, maxFileSize uint64, hashTypes []HashType, ) Event
NewEventFromFileInfo creates a new Event based on data from an os.FileInfo object that has already been created. Any errors that occur are included in the returned Event.
func (*Event) AddLookupResult ¶
type EventProducer ¶
// EventProducer produces events. It is the consumer-side abstraction the
// MetricSet reads from; implementations are not listed on this page.
type EventProducer interface {
	// Start starts the event producer and writes events to the returned
	// channel. When the producer is finished it will close the returned
	// channel. If the returned event channel is not drained the producer will
	// block (possibly causing data loss). The producer can be stopped
	// prematurely by closing the provided done channel. An error is returned
	// if the producer fails to start.
	Start(done <-chan struct{}) (<-chan Event, error)
}
type FileLookupResponse ¶
type HashType ¶
// HashType identifies a cryptographic algorithm. Its values are the string
// names used in the hash_types configuration and as keys of Event.Hashes.
// Note that the list of constants also contains XXH64, which is a
// non-cryptographic checksum.
type HashType string
// Enum of hash types.
//
// Not all of these give the same assurance: XXH64 is a non-cryptographic
// checksum, and MD5 and SHA1 are no longer collision-resistant. All of them
// detect accidental change; for tamper evidence, SHA256 or stronger (SHA-2,
// SHA-3, BLAKE2 families) should be configured.
const (
	BLAKE2B_256 HashType = "blake2b_256"
	BLAKE2B_384 HashType = "blake2b_384"
	BLAKE2B_512 HashType = "blake2b_512"
	MD5         HashType = "md5"
	SHA1        HashType = "sha1"
	SHA224      HashType = "sha224"
	SHA256      HashType = "sha256"
	SHA384      HashType = "sha384"
	SHA3_224    HashType = "sha3_224"
	SHA3_256    HashType = "sha3_256"
	SHA3_384    HashType = "sha3_384"
	SHA3_512    HashType = "sha3_512"
	SHA512      HashType = "sha512"
	SHA512_224  HashType = "sha512_224"
	SHA512_256  HashType = "sha512_256"
	XXH64       HashType = "xxh64"
)
type Intelix ¶
// Intelix is the client for the Intelix service. It carries the MalwareLookup
// and Analysis methods that make up IntelixScanner; NewIntelix builds one from
// an IntelixConfig and returns it behind that interface. Every field is
// unexported, so code outside the package cannot populate it as a literal.
type Intelix struct {
	// contains filtered or unexported fields
}
func (*Intelix) Analysis ¶
func (i *Intelix) Analysis(analysisType AnalysisType, size uint64, filePath string) (*AnalysisReport, error)
func (*Intelix) MalwareLookup ¶
func (i *Intelix) MalwareLookup(sha256 Digest) (*FileLookupResponse, error)
type IntelixAnalysisCOnfig ¶
// IntelixAnalysisCOnfig holds the settings for one analysis type; IntelixConfig
// carries one instance for static and one for dynamic analysis. Every field is
// tagged validate:"required".
type IntelixAnalysisCOnfig struct {
	// TODO: use human friendly units, https://godoc.org/github.com/alecthomas/units
	MinSize            uint64 `config:"min_size" validate:"required"`             // Lower file-size bound for this analysis; a raw number (see the TODO above), presumably bytes.
	MaxSize            uint64 `config:"max_size" validate:"required"`             // Upper file-size bound, same units as MinSize.
	ReportPollInterval int    `config:"report_poll_interval" validate:"required"` // How often the report is polled for; unit not shown on this page.
	AnalysisTimeout    int    `config:"analysis_timeout" validate:"required"`     // How long to wait for an analysis before giving up; unit not shown on this page.
}
type IntelixConfig ¶
// IntelixConfig is the `intelix` section of Config: how to reach the service
// (credentials and URLs), the per-query timeout, the thresholds applied to
// results, and one IntelixAnalysisCOnfig per analysis type. Every field is
// tagged validate:"required".
type IntelixConfig struct {
	Credentials                       IntelixCredentials    `config:"credentials" validate:"required"`                          // Service credentials. NOTE(review): secret material — confirm it is never logged or copied into emitted events.
	Urls                              IntelixUrls           `config:"urls" validate:"required"`                                 // Service endpoints.
	QueryTimeout                      int                   `config:"query_timeout" validate:"required"`                        // Per-query timeout; unit not shown on this page.
	StaticAnalysisReputationThreshold int                   `config:"static_analysis_reputation_threshold" validate:"required"` // Presumably compared with the reputation of a static analysis result — confirm.
	DynamicAnalysisScoreThreshold     int                   `config:"dynamic_analysis_score_threshold" validate:"required"`     // Presumably compared with Report.Score of a dynamic analysis — confirm.
	StaticAnalysisConig               IntelixAnalysisCOnfig `config:"static_analysis" validate:"required"`                      // Static analysis limits (the field's spelling is part of the exported API).
	DynamicAnalysisConfig             IntelixAnalysisCOnfig `config:"dynamic_analysis" validate:"required"`                     // Dynamic analysis limits.
}
type IntelixCredentials ¶
type IntelixScanner ¶
// IntelixScanner is the consumer-side interface over the Intelix service: a
// hash reputation lookup and a file analysis. *Intelix implements it and
// NewIntelix returns one; keeping the interface small makes it easy to
// substitute a fake in tests.
type IntelixScanner interface {
	// MalwareLookup queries the service for the file identified by its
	// SHA-256 digest (presumably Event.Hashes[SHA256]).
	MalwareLookup(sha256 Digest) (*FileLookupResponse, error)
	// Analysis requests a STATIC or DYNAMIC analysis of the file at filePath,
	// whose size is given in size, and returns the resulting report.
	Analysis(analysisType AnalysisType, size uint64, filePath string) (*AnalysisReport, error)
}
func NewIntelix ¶
func NewIntelix(c *IntelixConfig) (IntelixScanner, error)
type IntelixUrls ¶
type JobStatus ¶
// JobStatus is a string-typed status value; its constants are not listed on
// this page. Presumably it reports the state of a submitted analysis job while
// the report is polled for (see IntelixAnalysisCOnfig.ReportPollInterval) —
// confirm in the source.
type JobStatus string
type Metadata ¶
// Metadata contains file metadata. It is attached to an Event as Info and is
// built from an os.FileInfo (see NewEventFromFileInfo). None of the fields use
// omitempty, so every key is always present in the JSON output.
type Metadata struct {
	Inode  uint64      `json:"inode"`
	UID    uint32      `json:"uid"`    // Numeric owner id.
	GID    uint32      `json:"gid"`    // Numeric group id.
	SID    string      `json:"sid"`    // Owner security identifier (presumably Windows only, empty elsewhere — confirm).
	Owner  string      `json:"owner"`  // Owner name.
	Group  string      `json:"group"`  // Group name.
	Size   uint64      `json:"size"`   // File size (presumably bytes, as os.FileInfo reports it).
	MTime  time.Time   `json:"mtime"`  // Last modification time.
	CTime  time.Time   `json:"ctime"`  // Last metadata change time.
	Type   Type        `json:"type"`   // File type (dir, file, symlink).
	Mode   os.FileMode `json:"mode"`   // Permissions
	SetUID bool        `json:"setuid"` // setuid bit (POSIX only)
	SetGID bool        `json:"setgid"` // setgid bit (POSIX only)
	Origin []string    `json:"origin"` // External origin info for the file (MacOS only)
}
type MetricSet ¶
// MetricSet for monitoring file integrity. Run drives it and does not return
// until reporter.Done() is closed; New (taking an mb.BaseMetricSet) is the
// constructor shown in the index.
type MetricSet struct {
	mb.BaseMetricSet // Embedded Metricbeat base metricset.
	// contains filtered or unexported fields
}
func (*MetricSet) Run ¶
func (ms *MetricSet) Run(reporter mb.PushReporterV2)
Run runs the MetricSet. The method will not return control to the caller until it is finished (to stop it close the reporter.Done() channel).
type Report ¶
// Report holds the contents of an analysis report as returned by the service
// (its relation to AnalysisReport is not shown on this page). According to the
// section comments, the four common fields apply to both analysis types while
// the static and dynamic groups are filled depending on AnalysisType. Most
// groups are left as interface{} — untyped JSON from an external service — so
// callers must type-assert defensively and treat the content as untrusted input.
type Report struct {
	// Common fields
	// These carry no json tags: encoding/json matches them by Go field name
	// (case-insensitively on decode) and emits them as Submission,
	// AnalysisType, AnalysisSubject and Score on encode, not in snake_case.
	Submission      string
	AnalysisType    string
	AnalysisSubject interface{}
	Score           int // Presumably the value compared with the IntelixConfig thresholds — confirm.
	// Static analysis fields
	AnalysisSummary    interface{} `json:"analysis_summary,omitempty"`
	ContainerAnalysis  interface{} `json:"container_analysis,omitempty"`
	Detection          interface{} `json:"detection,omitempty"`
	DocumentAnalysis   interface{} `json:"document_analysis,omitempty"`
	MlAggregateResults interface{} `json:"ml_aggregate_results,omitempty"`
	MlFile             interface{} `json:"ml_file,omitempty"`
	MlFilepath         interface{} `json:"ml_filepath,omitempty"`
	MlInputs           interface{} `json:"ml_inputs,omitempty"`
	PeAnalysis         interface{} `json:"pe_analysis,omitempty"`
	Reputation         interface{} `json:"reputation,omitempty"`
	Target             interface{} `json:"target,omitempty"`
	// Dynamic analysis Fields
	MaliciousActivity        interface{}    `json:"malicious_activity,omitempty"`
	MaliciousClassifications interface{}    `json:"malicious_classifications,omitempty"`
	DetonationInfo           interface{}    `json:"detonation_info,omitempty"`
	Files                    interface{}    `json:"files,omitempty"`
	Processes                interface{}    `json:"processes,omitempty"`
	Registry                 interface{}    `json:"registry,omitempty"`
	Network                  interface{}    `json:"network,omitempty"`
	Screenshots              []string       `json:"screenshots,omitempty"`
	ScreenshotMap            map[int]string `json:"screenshot,omitempty"` // Note the singular JSON key "screenshot", distinct from "screenshots" above.
	ActivityTree             interface{}    `json:"activity_tree,omitempty"`
}
type Source ¶
// Source identifies the source of an event (i.e. what triggered it). It is a
// small integer enum whose constants are not listed on this page; MarshalText
// renders it as text, so it appears as a name rather than a number in JSON.
type Source uint8
func (Source) MarshalText ¶
MarshalText marshals the Source to a textual representation of itself.
type Type ¶
// Type identifies the file type (e.g. dir, file, symlink). Its values are the
// UnknownType, FileType, DirType and SymlinkType constants; MarshalText renders
// the name rather than the number in JSON output.
type Type uint8
// Enum of possible file.Types. UnknownType is the zero value, so a Metadata
// whose Type was never set reports as unknown.
const (
	UnknownType Type = iota // Typically seen in deleted notifications where the object is gone.
	FileType
	DirType
	SymlinkType
)
func (Type) MarshalText ¶
MarshalText marshals the Type to a textual representation of itself.