netcap: github.com/dreadl0ck/netcap/label

package label

import "github.com/dreadl0ck/netcap/label"

Implements mapping alerts from suricata to netcap audit records

Package Files

connection.go custom.go flow.go http.go ipv4.go ipv6.go layer.go linkFlow.go networkFlow.go suricata.go tcp.go tls.go transportFlow.go udp.go utils.go

Variables

var (

    // in case more than one label for the same timestamp exists
    // stop execution and print info
    // this affects layers being labeled, because they use the labelMap
    // other record types use the label array, which is not affected.
    // handling this needs to be improved in the future
    StopOnDuplicateLabels = false

    DisableLayerMapping = false

    // SuricataConfigPath contains the path for the suricata config file.
    SuricataConfigPath string
)

Regular expressions to match data from the suricata fast.log.

var (
    // UseProgressBars whether to use the progress bar
    UseProgressBars = false
    // ClassificationMap map of classifications
    ClassificationMap = make(map[string]int)

    Debug bool

    RemoveFilesWithoutMatches = false
)
var CollectLabels bool

CollectLabels indicates whether labels should be collected

func Connections

func Connections(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

Connections labels type NC_Connection.

func CustomLabels

func CustomLabels(pathMappingInfo, outputPath string, useDescription bool, separator, selection string) error

CustomLabels uses info from a CSV file to label the data.

func CustomMap

func CustomMap(wg *sync.WaitGroup, file string, typ string, labelMap map[string]*AttackInfo, labels []*AttackInfo, outDir, separator, selection string) *pb.ProgressBar

CustomMap uses info from a CSV file to label the data.

func Flows

func Flows(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

Flows labels type NC_Flow.

func HTTP

func HTTP(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

HTTP labels type NC_HTTP.

func IPv4

func IPv4(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

IPv4 labels type NC_IPv4.

func IPv6

func IPv6(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

IPv6 labels type NC_IPv6.

func Layer

func Layer(wg *sync.WaitGroup, file string, typ string, labelMap map[string]*SuricataAlert, labels []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

Layer labels packets of a given gopacket.LayerType string.

func LinkFlow

func LinkFlow(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

LinkFlow labels LinkFlows.

func NetworkFlow

func NetworkFlow(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

NetworkFlow labels a NetworkFlow.

func SetExcluded

func SetExcluded(arg string)

SetExcluded takes a comma-separated list of strings to exclude from labeling.

func Suricata

func Suricata(inputPcap string, outputPath string, useDescription bool, separator, selection string) error

Suricata creates labeled CSV files for audit records derived from the provided input file. Alerts are generated by using suricata to scan the input pcap file; a directory named after the input file is created, and all suricata logs go there. If no output directory is specified, netcap audit records are expected in the current directory; otherwise audit records are expected in the output directory.

func TCP

func TCP(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

TCP labels type NC_TCP.

func TLS

func TLS(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

TLS labels type NC_TLSClientHello.

func TransportFlow

func TransportFlow(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

TransportFlow labels a TransportFlow.

func UDP

func UDP(wg *sync.WaitGroup, file string, alerts []*SuricataAlert, outDir, separator, selection string) *pb.ProgressBar

UDP labels type NC_UDP.

type AttackInfo

type AttackInfo struct {
    Num      int
    Name     string
    Start    time.Time
    End      time.Time
    IPs      []string
    Proto    string
    Notes    string
    Category string
}

func ParseAttackInfos

func ParseAttackInfos(path string) (labelMap map[string]*AttackInfo, labels []*AttackInfo)

type SuricataAlert

type SuricataAlert struct {
    Timestamp      string
    Proto          string
    SrcIP          string
    SrcPort        int
    DstIP          string
    DstPort        int
    Classification string
    Description    string
}

SuricataAlert is a summary structure of an alert's contents.

func ParseSuricataFastLog

func ParseSuricataFastLog(contents []byte, useDescription bool) (labelMap map[string]*SuricataAlert, arr []*SuricataAlert, err error)

ParseSuricataFastLog returns labels for a given suricata fast.log contents.
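The following is an added, self-contained example of the kind of parsing ParseSuricataFastLog performs; it is not the netcap/label package's own code. It assumes the standard one-line fast.log layout (`timestamp  [**] [gid:sid:rev] description [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port`), reads the package's useDescription flag as "label with the alert description instead of its classification", keys labelMap by timestamp, and surfaces the duplicate-timestamp case that the StopOnDuplicateLabels variable above refers to. The Alert type, the fastLogRe pattern, the sample lines (constructed, not a real capture) and the helper names are all this example's own.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"regexp"
	"strconv"
)

// Alert mirrors the field set of the page's SuricataAlert type. It is an
// example type defined here, not the netcap/label package's own.
type Alert struct {
	Timestamp      string
	Proto          string
	SrcIP          string
	SrcPort        int
	DstIP          string
	DstPort        int
	Classification string
	Description    string
}

// fastLogRe captures one fast.log alert line (assumed layout). Groups: 1 timestamp,
// 2 description, 3 classification, 4 protocol, 5 src IP, 6 src port, 7 dst IP,
// 8 dst port. The [gid:sid:rev] triple and the priority are matched but not kept.
var fastLogRe = regexp.MustCompile(
	`^(\S+)\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(.*?)\s+\[\*\*\]\s+` +
		`\[Classification:\s*([^\]]*)\]\s+\[Priority:\s*\d+\]\s+` +
		`\{(\w+)\}\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s*$`)

// sampleFastLog is constructed input (not a real capture): three alerts, the
// first two sharing a timestamp so the duplicate-timestamp case is exercised.
const sampleFastLog = `01/15/2020-10:22:31.102347  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.5:49152
01/15/2020-10:22:31.102347  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:51234 -> 192.0.2.10:1433
01/15/2020-10:22:35.500001  [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7:8 -> 192.0.2.10:0
`

// Label returns the string an audit record would be labeled with: the alert's
// description when useDescription is set, otherwise its classification
// (an assumed reading of the package's useDescription flag).
func (a *Alert) Label(useDescription bool) string {
	if useDescription {
		return a.Description
	}
	return a.Classification
}

// ParseFastLog parses fast.log contents. arr holds every alert in file order;
// labelMap is keyed by timestamp and keeps the first alert seen per timestamp,
// with every colliding timestamp returned in dupes so the caller can decide
// whether to stop (as StopOnDuplicateLabels does) or carry on. A line that does
// not match the expected layout is an error rather than a silent skip.
func ParseFastLog(contents []byte) (labelMap map[string]*Alert, arr []*Alert, dupes []string, err error) {
	labelMap = make(map[string]*Alert)
	sc := bufio.NewScanner(bytes.NewReader(contents))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if line == "" {
			continue
		}
		m := fastLogRe.FindStringSubmatch(line)
		if m == nil {
			return nil, nil, nil, fmt.Errorf("line %d: not a fast.log alert line: %q", n, line)
		}
		// The regexp only admits digits here, so only the range can be wrong.
		sport, _ := strconv.Atoi(m[6])
		dport, _ := strconv.Atoi(m[8])
		if sport > 65535 || dport > 65535 {
			return nil, nil, nil, fmt.Errorf("line %d: port out of range", n)
		}
		a := &Alert{Timestamp: m[1], Description: m[2], Classification: m[3], Proto: m[4],
			SrcIP: m[5], SrcPort: sport, DstIP: m[7], DstPort: dport}
		arr = append(arr, a)
		if _, seen := labelMap[a.Timestamp]; seen {
			dupes = append(dupes, a.Timestamp) // keep the first, report the rest
			continue
		}
		labelMap[a.Timestamp] = a
	}
	return labelMap, arr, dupes, sc.Err()
}

// CountClassifications tallies alerts per classification, the role the page's
// ClassificationMap variable plays.
func CountClassifications(arr []*Alert) map[string]int {
	counts := make(map[string]int)
	for _, a := range arr {
		counts[a.Classification]++
	}
	return counts
}

func main() {
	labelMap, arr, dupes, err := ParseFastLog([]byte(sampleFastLog))
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Printf("%d alerts, %d distinct timestamps, duplicate timestamps: %v\n", len(arr), len(labelMap), dupes)
	for _, a := range arr {
		fmt.Printf("%s %s %s:%d -> %s:%d label=%q\n", a.Timestamp, a.Proto, a.SrcIP, a.SrcPort, a.DstIP, a.DstPort, a.Label(false))
	}
	fmt.Println("classifications:", CountClassifications(arr))
}
```

Two sharing-timestamp alerts land in arr but only the first reaches labelMap; that is the situation the package comment describes for layer records, which are labeled through the map, whereas flow and connection records are labeled from the full slice. Keying the map by the raw timestamp string also shows why the collision is possible at all: microsecond resolution is not unique when several rules fire on one packet.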

Package label imports 21 packages and is imported by 2 packages. Updated 2020-03-01.