Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var BinaryPath string
View Source
var DefaultPatterns = map[string]string{
"INT": `(?:[+-]?(?:[0-9]+))`,
"BASE10NUM": `([+-]?(?:[0-9]+(?:\.[0-9]+)?)|\.[0-9]+)`,
"NUMBER": `(?:%{BASE10NUM})`,
"BASE16NUM": `(0[xX]?[0-9a-fA-F]+)`,
"POSINT": `\b(?:[1-9][0-9]*)\b`,
"NONNEGINT": `\b(?:[0-9]+)\b`,
"WORD": `\b\w+\b`,
"NOTSPACE": `\S+`,
"SPACE": `\s*`,
"DATA": `.*?`,
"GREEDYDATA": `.*`,
"QUOTEDSTRING": `"([^"\\]*(\\.[^"\\]*)*)"|\'([^\'\\]*(\\.[^\'\\]*)*)\'`,
"UUID": `[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}`,
"MAC": `(?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})`,
"CISCOMAC": `(?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4})`,
"WINDOWSMAC": `(?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})`,
"COMMONMAC": `(?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})`,
"IPV6": `((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?`,
"IPV4": `(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)`,
"IP": `(?:%{IPV6:ipv6}|%{IPV4:ipv4})`,
"HOSTNAME": `\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)`,
"IPORHOST": `(?:%{IP:ip}|%{HOSTNAME:hostname})`,
"MONTH": `\b(?:Jan(?:uary|uar)?|Feb(?:ruary|ruar)?|M(?:a|ä)?r(?:ch|z)?|Apr(?:il)?|Ma(?:y|i)?|Jun(?:e|i)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|O(?:c|k)?t(?:ober)?|Nov(?:ember)?|De(?:c|z)(?:ember)?)\b`,
"MONTHNUM": `(?:0?[1-9]|1[0-2])`,
"MONTHNUM2": `(?:0[1-9]|1[0-2])`,
"MONTHDAY": `(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])`,
"DAY": `(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)`,
"YEAR": `(\d\d){1,2}`,
"HOUR": `(?:2[0123]|[01]?[0-9])`,
"MINUTE": `(?:[0-5][0-9])`,
"SECOND": `(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)`,
"TIME": `([^0-9]?)%{HOUR}:%{MINUTE}(?::%{SECOND})([^0-9]?)`,
"DATE": `%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}`,
"DATE_US": `%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}`,
"DATE_EU": `%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}`,
"ISO8601_TIMEZONE": `(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))`,
"ISO8601_SECOND": `(?:%{SECOND}|60)`,
"TIMESTAMP_ISO8601": `%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?`,
"SYSLOGTIMESTAMP": `%{MONTH:month} +%{MONTHDAY:day} %{TIME:time}`,
"TIMESTAMP": `(?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP})`,
"SYSLOGHEADER": `%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:host} %{DATA:process_name}(?:\[%{POSINT:pid}\])?:`,
"DPKG_TIMESTAMP": `%{TIMESTAMP_ISO8601:timestamp}`,
"DPKG_PACKAGE": `[-+~\.0-9a-zA-Z]+`,
"DPKG_ARCH": `[a-z0-9]+`,
"DPKG_PKGARCH": `%{DPKG_PACKAGE:package}(:%{DPKG_ARCH:arch})?`,
"DPKG_VERSION": `[-+~<>\.0-9a-zA-Z]+`,
"DPKG_ACTION0": `(startup archives|startup packages|conffile)`,
"DPKG_ACTION1": `(configure|remove|upgrade|purge|status (config-files|installed|not-installed|triggers-awaited|triggers-pending|unpacked|half-installed|half-configured))`,
"DPKG_ACTION2": `(trigproc|upgrade)`,
"DPKG_0_VERSIONS": `%{DPKG_ACTION0:action}`,
"DPKG_1_VERSIONS": `(%{DPKG_ACTION1:action} %{DPKG_PKGARCH} %{DPKG_VERSION:version})$`,
"DPKG_2_VERSIONS": `(%{DPKG_ACTION2:action} %{DPKG_PKGARCH} %{DPKG_VERSION:version_from} %{DPKG_VERSION:version})$`,
}
Functions ¶
This section is empty.
Types ¶
type CSVProcessor ¶
type CSVProcessor struct {
processors.Default
}
func (CSVProcessor) Run ¶
func (CSVProcessor) Run(in string, _ *processors.Config, out writer.IManager) processors.PError
type GrokConfig ¶
type GrokConfig struct {
Pattern string
}
type GrokProcessor ¶
type GrokProcessor struct {
}
func (GrokProcessor) Configure ¶
func (GrokProcessor) Configure() error
func (GrokProcessor) Run ¶
func (GrokProcessor) Run(in string, config *processors.Config, out writer.IManager) processors.PError
type IniProcessor ¶
type IniProcessor struct {
processors.Default
}
func (IniProcessor) Run ¶
func (IniProcessor) Run(in string, _ *processors.Config, out writer.IManager) processors.PError
type SQLiteProcessor ¶
type SQLiteProcessor struct {
}
func (SQLiteProcessor) Configure ¶
func (SQLiteProcessor) Configure() error
func (SQLiteProcessor) Run ¶
func (SQLiteProcessor) Run(in string, _ *processors.Config, out writer.IManager) processors.PError
type ThorProcessor ¶
type ThorProcessor struct {
}
func (ThorProcessor) Configure ¶
func (ThorProcessor) Configure() error
func (ThorProcessor) Run ¶
func (ThorProcessor) Run(in string, _ *processors.Config, _ writer.IManager) processors.PError
type YaraProcessor ¶
type YaraProcessor struct {
}
func (*YaraProcessor) Configure ¶
func (proc *YaraProcessor) Configure() error
func (*YaraProcessor) ConfigureRules ¶
func (proc *YaraProcessor) ConfigureRules(rulesPath string) (*yara.Compiler, error)
func (*YaraProcessor) Run ¶
func (proc *YaraProcessor) Run(in string, config *processors.Config, out writer.IManager) processors.PError
Source Files
Click to show internal directories.
Click to hide internal directories.