Documentation ¶
Overview ¶
Package cortex is a Go client library for the Cortex v1 API. Cortex: https://github.com/TheHive-Project/Cortex.
Cortex v1 API documentation: https://github.com/TheHive-Project/CortexDocs/tree/cortex-1
Example ¶
package main

import (
	"log"

	cortex "github.com/ilyaglow/go-cortex"
)

func main() {
	// Create a client struct
	client := cortex.NewClient("http://127.0.0.1:9000")

	// Fill the Artifact struct; TLP 3 is TLP:RED
	j := &cortex.Artifact{
		Data: "8.8.8.8",
		Attributes: cortex.ArtifactAttributes{
			DataType: "ip",
			TLP:      3,
		},
	}

	// Run all analyzers suitable for the artifact with a 1 minute timeout
	reports, err := client.AnalyzeData(j, "1minute")
	if err != nil {
		panic(err)
	}

	// Iterate over the channel of reports and print every taxonomy
	for m := range reports {
		txs := m.Taxonomies()
		for _, t := range txs {
			log.Printf("\"%s:%s\"=\"%s\"", t.Namespace, t.Predicate, t.Value)
		}
	}
}
Index ¶
- Constants
- Variables
- func SayError(input *JobInput, msg string)
- func SayReport(body interface{}, taxs []Taxonomy)
- type Analyzer
- type AnalyzerError
- type AnalyzerReport
- type Artifact
- type ArtifactAttributes
- type Cfg
- type Client
- func (c *Client) AnalyzeData(obs Observable, timeout string) (<-chan *JobReport, error)
- func (c *Client) DeleteJob(id string) (bool, error)
- func (c *Client) GetAnalyzer(id string) (*Analyzer, error)
- func (c *Client) GetJob(id string) (*Job, error)
- func (c *Client) GetJobReport(id string) (*JobReport, error)
- func (c *Client) ListAnalyzers(datatype string) ([]Analyzer, error)
- func (c *Client) ListFilteredJobs(f *JobsFilter) ([]Job, error)
- func (c *Client) ListJobs() ([]Job, error)
- func (c *Client) RunAnalyzer(id string, obs Observable) (*Job, error)
- func (c *Client) RunAnalyzerThenGetReport(id string, obs Observable, timeout string) (*JobReport, error)
- func (c *Client) WaitForJob(id string, duration string) (*Job, error)
- type ExtractedArtifact
- type FileArtifact
- type FileArtifactMeta
- type Job
- type JobBody
- type JobInput
- type JobReport
- type JobsFilter
- type Observable
- type ReportBody
- type Summary
- type Taxonomy
Examples ¶
Constants ¶
const (
	// TxSafe is a safe taxonomy level
	TxSafe = "safe"
	// TxInfo is an info taxonomy level
	TxInfo = "info"
	// TxSuspicious is a suspicious taxonomy level
	TxSuspicious = "suspicious"
	// TxMalicious is a malicious taxonomy level
	TxMalicious = "malicious"
)
Variables ¶
var Rxs = map[string]*regexp.Regexp{
"cc": rxCC,
"ipv4": rxIPv4,
"ipv6": rxIPv6,
"domain": rxDomain,
"email": rxEmail,
"hash": rxHash,
"registry": rxRegistryKey,
"url": rxURL,
"user-agent": rxUserAgent,
"bitcoin-address": rxBitcoinAddress,
}
Rxs maps an artifact data type name to the regular expression used to recognise that type in text.
Functions ¶
Types ¶
type Analyzer ¶
type Analyzer struct {
	ID           string   `json:"id"`
	Name         string   `json:"name"`
	Description  string   `json:"description"`
	Version      string   `json:"version"`
	DataTypeList []string `json:"dataTypeList"`
}
Analyzer defines a specific Cortex Analyzer
More info: https://github.com/CERT-BDF/CortexDocs/blob/master/api/get-analyzer.md
type AnalyzerError ¶ added in v1.1.0
type AnalyzerError struct {
	Success      bool      `json:"success"`
	ErrorMessage string    `json:"errorMessage"`
	Input        *JobInput `json:"input"`
}
AnalyzerError is the report an analyzer program should return when the analysis fails; it carries the input back alongside the error message.
type AnalyzerReport ¶ added in v1.1.0
type AnalyzerReport struct {
	Artifacts  []ExtractedArtifact `json:"artifacts"`
	FullReport interface{}         `json:"full"`
	Success    bool                `json:"success"`
	Summary    *Summary            `json:"summary"`
}
AnalyzerReport is the report an analyzer program should return when the analysis succeeds.
type Artifact ¶
type Artifact struct {
	Attributes ArtifactAttributes `json:"attributes"`
	Data       string             `json:"data,omitempty"`
}
Artifact represents a basic (string) artifact that can be submitted for analysis and later retrieved from a job.
func (*Artifact) Description ¶
Description returns the artifact's Data value.
type ArtifactAttributes ¶
type ArtifactAttributes struct {
	DataType    string `json:"dataType,omitempty"`
	TLP         int    `json:"tlp,omitempty"`
	ContentType string `json:"content-type,omitempty"`
	Filename    string `json:"filename,omitempty"`
}
ArtifactAttributes holds the attributes sent with an Artifact: its data type, its TLP level and, for files, the content type and filename.
type Cfg ¶ added in v1.1.0
type Cfg map[string]interface{}
Cfg represents custom config field in the Analyzer definition
type Client ¶
type Client struct {
	Location string       // Location is the Cortex base URL
	Client   *http.Client // Client is used to communicate with the API
	Debug    bool         // Debug mode
}
Client holds the Cortex API location and the HTTP client used to reach it; basic auth is planned but not supported yet.
func NewClient ¶
NewClient bootstraps a Client for the Cortex instance at the given base URL, using http.DefaultClient. If you need a different http.Client (http.DefaultClient sets no request timeout, for instance), construct the Client struct yourself.
func (*Client) AnalyzeData ¶
func (c *Client) AnalyzeData(obs Observable, timeout string) (<-chan *JobReport, error)
AnalyzeData runs every analyzer that supports the observable's data type and returns a channel on which the resulting JobReports are delivered. The timeout uses the same form as in the example above, e.g. "1minute".
func (*Client) GetAnalyzer ¶
GetAnalyzer retrieves an Analyzer by its ID.
func (*Client) GetJobReport ¶
GetJobReport retrieves a JobReport by Job ID
func (*Client) ListAnalyzers ¶
ListAnalyzers retrieves the available analyzers, filtered by the datatype parameter. When "*" is passed, all analyzers are returned.
func (*Client) ListFilteredJobs ¶
func (c *Client) ListFilteredJobs(f *JobsFilter) ([]Job, error)
ListFilteredJobs lists the jobs that match the given JobsFilter.
func (*Client) RunAnalyzer ¶
func (c *Client) RunAnalyzer(id string, obs Observable) (*Job, error)
RunAnalyzer runs the analyzer with the given ID on the observable and returns the created Job.
func (*Client) RunAnalyzerThenGetReport ¶
func (c *Client) RunAnalyzerThenGetReport(id string, obs Observable, timeout string) (*JobReport, error)
RunAnalyzerThenGetReport is a convenience helper that runs the analyzer, waits up to timeout for the job to finish and returns its JobReport.
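The two calls this helper chains, as an added example rather than the package's own code: a minimal client submits an Artifact to POST /api/analyzer/{id}/run, then blocks on GET /api/job/{id}/waitreport?atMost=<timeout>, and treats any status other than "Success" as an error instead of handing back a half-finished job. The server side is a constructed httptest mock answering with Cortex-shaped JSON, not Cortex itself; the endpoint paths follow the Cortex v1 API docs linked above, while the analyzer name Mock_1_0, the job ID AWfKq1, the Taxonomy field names, the 50 ms job duration and the "still InProgress after atMost" behaviour are this example's assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Client-side view of the page's Artifact, Job and JobReport (subset); the
// Taxonomy field names are assumed, the page does not show that type.
type Attributes struct {
	DataType string `json:"dataType"`
	TLP      int    `json:"tlp"`
}
type Artifact struct {
	Data       string     `json:"data"`
	Attributes Attributes `json:"attributes"`
}
type Job struct {
	ID         string   `json:"id"`
	AnalyzerID string   `json:"analyzerId"`
	Status     string   `json:"status"`
	Artifact   Artifact `json:"artifact"`
}
type Taxonomy struct {
	Level     string `json:"level"`
	Namespace string `json:"namespace"`
	Predicate string `json:"predicate"`
	Value     string `json:"value"`
}
type JobReport struct {
	Job
	Report struct {
		Success bool `json:"success"`
		Summary struct {
			Taxonomies []Taxonomy `json:"taxonomies"`
		} `json:"summary"`
	} `json:"report"`
}

// parseAtMost reads the Scala-style duration Cortex takes in atMost, e.g.
// "1minute" or "30second"; anything else counts as zero.
func parseAtMost(s string) time.Duration {
	var n int
	var unit string
	fmt.Sscanf(s, "%d%s", &n, &unit)
	if strings.HasPrefix(unit, "minute") {
		n *= 60
	}
	return time.Duration(n) * time.Second
}

// mockCortex is a constructed stand-in (not Cortex) that answers the two v1
// endpoints the flow uses with canned, Cortex-shaped JSON. Its single job
// takes 50 ms; a shorter atMost gets the job back while still InProgress.
func mockCortex() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/analyzer/Mock_1_0/run", func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body) // the submitted Artifact is echoed inside the new Job
		if r.Method != http.MethodPost || !json.Valid(body) {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, `{"id":"AWfKq1","analyzerId":"Mock_1_0","status":"InProgress","artifact":%s}`, body)
	})
	mux.HandleFunc("/api/job/AWfKq1/waitreport", func(w http.ResponseWriter, r *http.Request) {
		if atMost := parseAtMost(r.URL.Query().Get("atMost")); atMost < 50*time.Millisecond {
			time.Sleep(atMost)
			fmt.Fprint(w, `{"id":"AWfKq1","analyzerId":"Mock_1_0","status":"InProgress"}`)
			return
		}
		time.Sleep(50 * time.Millisecond)
		fmt.Fprint(w, `{"id":"AWfKq1","analyzerId":"Mock_1_0","status":"Success",
		  "artifact":{"data":"8.8.8.8","attributes":{"dataType":"ip","tlp":3}},
		  "report":{"success":true,"summary":{"taxonomies":[
		    {"level":"safe","namespace":"Mock","predicate":"Verdict","value":"clean"}]}}}`)
	})
	return httptest.NewServer(mux)
}

// RunAnalyzerThenGetReport performs the two steps the page's helper of that
// name chains: submit the observable, then block on waitreport for at most
// timeout. Anything but a "Success" status is surfaced as an error rather
// than handed back as if it were a result.
func RunAnalyzerThenGetReport(hc *http.Client, base, analyzerID string, a Artifact, timeout string) (*JobReport, error) {
	body, _ := json.Marshal(a)
	resp, err := hc.Post(base+"/api/analyzer/"+analyzerID+"/run", "application/json", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	var job Job
	err = json.NewDecoder(resp.Body).Decode(&job)
	resp.Body.Close()
	if err != nil {
		return nil, fmt.Errorf("run %s: %s: %v", analyzerID, resp.Status, err)
	}
	resp, err = hc.Get(base + "/api/job/" + job.ID + "/waitreport?atMost=" + timeout)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	jr := &JobReport{}
	if err := json.NewDecoder(resp.Body).Decode(jr); err != nil {
		return nil, err
	}
	if jr.Status != "Success" { // timed out (still InProgress) or the analyzer failed
		return jr, fmt.Errorf("job %s: status %s", jr.ID, jr.Status)
	}
	return jr, nil
}

func main() {
	srv := mockCortex()
	defer srv.Close()
	a := Artifact{Data: "8.8.8.8", Attributes: Attributes{DataType: "ip", TLP: 3}}
	jr, err := RunAnalyzerThenGetReport(srv.Client(), srv.URL, "Mock_1_0", a, "1minute")
	if err != nil {
		panic(err)
	}
	for _, t := range jr.Report.Summary.Taxonomies {
		fmt.Printf("%s:%s=%s (%s)\n", t.Namespace, t.Predicate, t.Value, t.Level)
	}
}
```

The status check is the part worth copying: waitreport returns whatever state the job is in when atMost elapses, so a caller that only decodes the body will happily read an empty summary from a job that never finished.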
type ExtractedArtifact ¶ added in v1.1.0
ExtractedArtifact represents an artifact found inside a report's text; its structure differs slightly from Artifact.
func ExtractArtifacts ¶ added in v1.1.0
func ExtractArtifacts(body string) []ExtractedArtifact
ExtractArtifacts extracts every artifact it can recognise from the text of a report.
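How an extractor of this kind works, as an added example (the package's own Rxs expressions and the body of its ExtractArtifacts are not shown on the page; the patterns, the ExtractedArtifact field names and the sample report text below are this example's own assumptions): each type is matched in turn, IPv4 candidates are validated, duplicates are dropped, and every match is blanked out before the looser patterns run so that a URL's host or path is not re-reported as a domain.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// ExtractedArtifact mirrors the page's type; the field names are assumed,
// the page does not show its definition.
type ExtractedArtifact struct {
	DataType string `json:"dataType"`
	Data     string `json:"data"`
}

// patterns are this example's own, not the page's Rxs (whose expressions are
// not shown). Order matters: URLs and e-mail addresses are matched and
// blanked out first, so the looser domain pattern neither re-reports their
// host parts nor mistakes a URL path such as "payload.bin" for a domain.
var patterns = []struct {
	dataType string
	rx       *regexp.Regexp
}{
	{"url", regexp.MustCompile(`\bhttps?://[^\s"'<>]+`)},
	{"email", regexp.MustCompile(`\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b`)},
	{"hash", regexp.MustCompile(`\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b`)},
	{"ipv4", regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)},
	{"domain", regexp.MustCompile(`(?i)\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b`)},
}

// validIPv4 rejects dotted quads with an octet above 255, e.g. 999.1.2.3,
// which the regular expression alone cannot tell from a real address.
func validIPv4(s string) bool {
	for _, octet := range strings.Split(s, ".") {
		if n, err := strconv.Atoi(octet); err != nil || n > 255 {
			return false
		}
	}
	return true
}

// ExtractArtifacts pulls artifacts out of a report's free text: one pass per
// type, de-duplicated, ordered by type and then by first appearance.
func ExtractArtifacts(body string) []ExtractedArtifact {
	var out []ExtractedArtifact
	seen := map[string]bool{}
	for _, p := range patterns {
		for _, m := range p.rx.FindAllString(body, -1) {
			if p.dataType == "ipv4" && !validIPv4(m) {
				continue
			}
			if key := p.dataType + ":" + strings.ToLower(m); !seen[key] {
				seen[key] = true
				out = append(out, ExtractedArtifact{DataType: p.dataType, Data: m})
			}
		}
		// Blank out what this type consumed so later patterns cannot match inside it.
		body = p.rx.ReplaceAllStringFunc(body, func(m string) string { return strings.Repeat(" ", len(m)) })
	}
	return out
}

// sampleReport is constructed text standing in for an analyzer's full report.
const sampleReport = `Contact abuse@example.org. C2 at http://evil.example.net/payload.bin served from
203.0.113.7; dropper sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.
Ignore 999.1.2.3, it is not an address. Beacons to cdn.example.org and cdn.example.org again.`

func main() {
	for _, a := range ExtractArtifacts(sampleReport) {
		fmt.Printf("%-7s %s\n", a.DataType, a.Data)
	}
}
```

The blanking step is a trade-off: it also hides the host of a matched URL from the domain pass, so pivot on the URL itself when that host matters. Patterns like these are cheap to fool with defanged indicators (hxxp, [.]), which a production extractor would normalise first.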
type FileArtifact ¶
type FileArtifact struct {
	FileArtifactMeta
	Reader   io.Reader // anything that implements io.Reader (an os.File, an http.Response.Body, ...)
	FileName string    // could be a filename or the URL
}
FileArtifact represents a file observable
func (*FileArtifact) Description ¶
func (f *FileArtifact) Description() string
Description returns file name or URL
func (*FileArtifact) Type ¶
func (f *FileArtifact) Type() string
Type implements Observable and returns "file".
type FileArtifactMeta ¶
FileArtifactMeta contains meta fields for FileArtifact
type Job ¶
type Job struct {
	ID         string   `json:"id"`
	AnalyzerID string   `json:"analyzerId"`
	Status     string   `json:"status"`
	Date       int64    `json:"date"`
	Artifact   Artifact `json:"artifact"`
}
Job defines an analysis job
type JobInput ¶
type JobInput struct {
	ArtifactAttributes
	Data   string            `json:"data,omitempty"`
	File   string            `json:"file,omitempty"`
	Config Cfg               `json:"config,omitempty"`
	Proxy  map[string]string `json:"proxy,omitempty"`
}
JobInput is the input an analyzer receives for a job; it is also returned in the Input field of a failed job's report, which is how failed jobs are tracked.
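The analyzer side of this contract, as an added example rather than code from the package or from Cortex: a program that reads JobInput from stdin, rejects data types it does not handle, and writes back either an AnalyzerReport with one taxonomy or an AnalyzerError that carries the input, which is the role the page's SayReport and SayError helpers play (their bodies are not shown on the page). The Summary and Taxonomy field names follow the Cortex summary format and are assumptions, as are the ExampleIP namespace and the "blocklist" config key.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net"
	"os"
)

// Mirrors of the page's ArtifactAttributes, Cfg, JobInput, AnalyzerReport and
// AnalyzerError. Summary and Taxonomy field names are assumed (the page does
// not show those types) and follow the Cortex summary format.
type ArtifactAttributes struct {
	DataType string `json:"dataType,omitempty"`
	TLP      int    `json:"tlp,omitempty"`
}

type Cfg map[string]interface{}

type JobInput struct {
	ArtifactAttributes
	Data   string `json:"data,omitempty"`
	Config Cfg    `json:"config,omitempty"`
}

type Taxonomy struct {
	Level     string `json:"level"`
	Namespace string `json:"namespace"`
	Predicate string `json:"predicate"`
	Value     string `json:"value"`
}

type Summary struct {
	Taxonomies []Taxonomy `json:"taxonomies"`
}

type AnalyzerReport struct {
	Success    bool        `json:"success"`
	Summary    *Summary    `json:"summary"`
	FullReport interface{} `json:"full"`
}

type AnalyzerError struct {
	Success      bool      `json:"success"`
	ErrorMessage string    `json:"errorMessage"`
	Input        *JobInput `json:"input"`
}

// privateNets holds the RFC 1918 ranges plus loopback.
var privateNets = func() (nets []*net.IPNet) {
	for _, c := range []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"} {
		_, n, _ := net.ParseCIDR(c)
		nets = append(nets, n)
	}
	return nets
}()

// Analyze is the analyzer's logic: it accepts only the "ip" data type, reads
// an optional "blocklist" array from JobInput.Config (where Cortex passes the
// analyzer's configuration) and emits one ExampleIP:Reputation taxonomy.
func Analyze(in JobInput) (*AnalyzerReport, error) {
	if in.DataType != "ip" {
		return nil, fmt.Errorf("unsupported dataType %q", in.DataType)
	}
	ip := net.ParseIP(in.Data)
	if ip == nil {
		return nil, fmt.Errorf("invalid IP address %q", in.Data)
	}
	level, value := "safe", "clean"
	for _, n := range privateNets {
		if n.Contains(ip) {
			level, value = "info", "private"
		}
	}
	if list, ok := in.Config["blocklist"].([]interface{}); ok {
		for _, e := range list {
			if s, _ := e.(string); s == ip.String() {
				level, value = "malicious", "blocklisted"
			}
		}
	}
	return &AnalyzerReport{
		Success:    true,
		Summary:    &Summary{Taxonomies: []Taxonomy{{Level: level, Namespace: "ExampleIP", Predicate: "Reputation", Value: value}}},
		FullReport: map[string]string{"ip": ip.String(), "verdict": value},
	}, nil
}

// Run reads the JobInput Cortex hands the analyzer on stdin and writes either
// the AnalyzerReport or an AnalyzerError that carries the input back, which is
// what the page's SayReport and SayError helpers are for.
func Run(r io.Reader, w io.Writer) error {
	var in JobInput
	if err := json.NewDecoder(r).Decode(&in); err != nil {
		return err
	}
	report, err := Analyze(in)
	if err != nil {
		return json.NewEncoder(w).Encode(AnalyzerError{ErrorMessage: err.Error(), Input: &in})
	}
	return json.NewEncoder(w).Encode(report)
}

func main() {
	if err := Run(os.Stdin, os.Stdout); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Rejecting unexpected data types up front matters: Cortex only dispatches on the analyzer's declared DataTypeList, but an analyzer that silently runs on the wrong type produces a report that looks valid and is wrong.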
type JobReport ¶
type JobReport struct {
	Job
	Report ReportBody `json:"report"`
}
JobReport represents a job response.
More info: https://github.com/CERT-BDF/CortexDocs/blob/master/api/get-job-report.md
func (*JobReport) Taxonomies ¶
Taxonomies returns all taxonomies contained in a JobReport.
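What a consumer does with the collected taxonomies, as an added example that is not the package's own code: it folds the reports several analyzers produced for one observable into the worst level seen, using the ordering of the Tx* constants above, lists failed or unfinished jobs instead of counting them as safe, and ranks an unknown level as suspicious. The JSON reports, the analyzer names and the Summary and Taxonomy field names are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Taxonomy levels as defined on the page, listed from least to most severe.
const (
	TxSafe       = "safe"
	TxInfo       = "info"
	TxSuspicious = "suspicious"
	TxMalicious  = "malicious"
)

// Minimal mirror of the page's JobReport and ReportBody; the Summary and
// Taxonomy field names are assumed (the page does not show those types).
type Taxonomy struct {
	Level     string `json:"level"`
	Namespace string `json:"namespace"`
	Predicate string `json:"predicate"`
	Value     string `json:"value"`
}

type JobReport struct {
	ID         string `json:"id"`
	AnalyzerID string `json:"analyzerId"`
	Status     string `json:"status"`
	Report     struct {
		Success      bool   `json:"success"`
		ErrorMessage string `json:"errorMessage,omitempty"`
		Summary      *struct {
			Taxonomies []Taxonomy `json:"taxonomies"`
		} `json:"summary,omitempty"`
	} `json:"report"`
}

// Taxonomies returns every taxonomy in the report's summary, or nil when the
// job produced none; this is the read the page's JobReport.Taxonomies does.
func Taxonomies(jr *JobReport) []Taxonomy {
	if jr.Report.Summary == nil {
		return nil
	}
	return jr.Report.Summary.Taxonomies
}

// rank orders the levels. An unrecognised level ranks as suspicious, so a
// misspelt level coming out of an analyzer can never lower a verdict.
func rank(level string) int {
	switch level {
	case TxSafe:
		return 0
	case TxInfo:
		return 1
	case TxMalicious:
		return 3
	}
	return 2
}

// Verdict folds the reports several analyzers produced for one observable
// into the worst level seen. Failed or unfinished jobs are listed separately
// and never counted as safe; with no successful job the verdict is "".
func Verdict(reports []*JobReport) (worst string, failed []string) {
	for _, jr := range reports {
		if jr.Status != "Success" || !jr.Report.Success {
			failed = append(failed, fmt.Sprintf("%s (%s): %s", jr.AnalyzerID, jr.Status, jr.Report.ErrorMessage))
			continue
		}
		if worst == "" {
			worst = TxSafe
		}
		for _, t := range Taxonomies(jr) {
			if rank(t.Level) > rank(worst) {
				worst = t.Level
			}
		}
	}
	return worst, failed
}

// LoadReports decodes a JSON array of job reports.
func LoadReports(data string) ([]*JobReport, error) {
	var rs []*JobReport
	err := json.Unmarshal([]byte(data), &rs)
	return rs, err
}

// sampleReports is constructed JSON shaped like three job reports for one
// observable: two analyzers finished, one failed before producing a summary.
const sampleReports = `[
 {"id":"AWfKq1","analyzerId":"ExampleGeo_1_0","status":"Success",
  "report":{"success":true,"summary":{"taxonomies":[
   {"level":"info","namespace":"ExampleGeo","predicate":"Country","value":"US"}]}}},
 {"id":"AWfKq2","analyzerId":"ExampleAbuse_1_0","status":"Success",
  "report":{"success":true,"summary":{"taxonomies":[
   {"level":"suspicious","namespace":"ExampleAbuse","predicate":"Reports","value":"2"}]}}},
 {"id":"AWfKq3","analyzerId":"ExampleRep_1_0","status":"Failure",
  "report":{"success":false,"errorMessage":"missing API key"}}
]`

func main() {
	rs, err := LoadReports(sampleReports)
	if err != nil {
		panic(err)
	}
	worst, failed := Verdict(rs)
	fmt.Println("verdict:", worst)
	for _, f := range failed {
		fmt.Println("not counted:", f)
	}
}
```

The empty verdict for "nothing succeeded" is deliberate: an observable that no analyzer could check is unknown, not safe, and the failures (a missing API key here) are the thing to fix before trusting the result.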
type JobsFilter ¶
type JobsFilter struct {
	Analyzer string `url:"analyzerFilter,omitempty"`
	DataType string `url:"dataTypeFilter,omitempty"`
	Data     string `url:"dataFilter,omitempty"`
	// contains filtered or unexported fields
}
JobsFilter is used to filter ListJobs results
type Observable ¶
Observable is the interface implemented by both string artifacts (Artifact) and file artifacts (FileArtifact); it is what AnalyzeData, RunAnalyzer and RunAnalyzerThenGetReport accept.
type ReportBody ¶
type ReportBody struct {
	Artifacts    []Artifact  `json:"artifacts,omitempty"`
	FullReport   interface{} `json:"full,omitempty"`
	Success      bool        `json:"success,omitempty"`
	Summary      *Summary    `json:"summary,omitempty"`
	ErrorMessage string      `json:"errorMessage,omitempty"`
	Input        *JobInput   `json:"input,omitempty"`
}
ReportBody is the report of a given job. FullReport is an arbitrary, analyzer-specific object; when the analyzer fails, Success is false and ErrorMessage and Input describe what went wrong.