vendoring update for gozdef
Родитель
35ea4f9f2f
Коммит
e51dcf4e8e
|
@ -0,0 +1 @@
|
|||
*.swp
|
|
@ -3,6 +3,7 @@
|
|||
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
//
|
||||
// Contributor: Julien Vehent jvehent@mozilla.com [:ulfr]
|
||||
|
||||
package gozdef
|
||||
|
||||
import (
|
||||
|
@ -14,7 +15,7 @@ import (
|
|||
|
||||
// Generic MozDef event handling
|
||||
|
||||
// an Event represent a piece of information being passed to MozDef
|
||||
// Event represent a piece of information being passed to MozDef
|
||||
type Event struct {
|
||||
Timestamp time.Time `json:"timestamp"` // Full date plus time timestamp of the event in ISO format including the timezone offset
|
||||
Category string `json:"category"` // General category/type of event
|
||||
|
@ -28,6 +29,7 @@ type Event struct {
|
|||
Details interface{} `json:"details"` // Additional, event-specific fields included with the event
|
||||
}
|
||||
|
||||
// NewEvent returns a new generic event that can be populated and submitted to MozDef
|
||||
func NewEvent() (e Event, err error) {
|
||||
e.Timestamp = time.Now().UTC()
|
||||
e.Hostname, err = os.Hostname()
|
||||
|
@ -39,44 +41,44 @@ func NewEvent() (e Event, err error) {
|
|||
return
|
||||
}
|
||||
|
||||
const SEV_REGEX string = "^(DEBUG|INFO|NOTICE|WARNING|ERROR|CRITICAL|ALERT|EMERGENCY)$"
|
||||
const severityRegex string = "^(DEBUG|INFO|NOTICE|WARNING|ERROR|CRITICAL|ALERT|EMERGENCY)$"
|
||||
|
||||
// set the severity level of the event to DEBUG
|
||||
// Debug sets the severity level of the event to DEBUG
|
||||
func (e *Event) Debug() {
|
||||
e.Severity = "DEBUG"
|
||||
}
|
||||
|
||||
// set the severity level of the event to INFO
|
||||
// Info sets the severity level of the event to INFO
|
||||
func (e *Event) Info() {
|
||||
e.Severity = "INFO"
|
||||
}
|
||||
|
||||
// set the severity level of the event to NOTICE
|
||||
// Notice sets the severity level of the event to NOTICE
|
||||
func (e *Event) Notice() {
|
||||
e.Severity = "NOTICE"
|
||||
}
|
||||
|
||||
// set the severity level of the event to WARNING
|
||||
// Warning sets the severity level of the event to WARNING
|
||||
func (e *Event) Warning() {
|
||||
e.Severity = "WARNING"
|
||||
}
|
||||
|
||||
// set the severity level of the event to ERROR
|
||||
// Error sets the severity level of the event to ERROR
|
||||
func (e *Event) Error() {
|
||||
e.Severity = "ERROR"
|
||||
}
|
||||
|
||||
// set the severity level of the event to CRITICAL
|
||||
// Critical sets the severity level of the event to CRITICAL
|
||||
func (e *Event) Critical() {
|
||||
e.Severity = "CRITICAL"
|
||||
}
|
||||
|
||||
// set the severity level of the event to ALERT
|
||||
// Alert sets the severity level of the event to ALERT
|
||||
func (e *Event) Alert() {
|
||||
e.Severity = "ALERT"
|
||||
}
|
||||
|
||||
// set the severity level of the event to EMERGENCY
|
||||
// Emergency sets the severity level of the event to EMERGENCY
|
||||
func (e *Event) Emergency() {
|
||||
e.Severity = "EMERGENCY"
|
||||
}
|
||||
|
@ -96,9 +98,9 @@ func (e Event) Validate() error {
|
|||
if os.Args[0] != e.ProcessName {
|
||||
return fmt.Errorf("event processname does not match the name of the current process")
|
||||
}
|
||||
resev := regexp.MustCompile(SEV_REGEX)
|
||||
resev := regexp.MustCompile(severityRegex)
|
||||
if !resev.MatchString(e.Severity) {
|
||||
return fmt.Errorf("invalid severity '%s', must be one of %s", e.Severity, SEV_REGEX)
|
||||
return fmt.Errorf("invalid severity '%s', must be one of %s", e.Severity, severityRegex)
|
||||
}
|
||||
return nil
|
||||
}
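Review bot: `regexp.MustCompile(severityRegex)` is recompiled on every Validate call even though the pattern is a constant; compile it once at package scope, `var severityRE = regexp.MustCompile(severityRegex)`, and use `severityRE.MatchString(e.Severity)` in this branch. The error message could also use `%q` rather than `'%s'` so a caller-supplied severity containing quotes or whitespace is shown unambiguously. Validate's signature appears only in the hunk header, so the start of its body is outside this hunk.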
|
||||
|
|
|
@ -8,6 +8,9 @@
|
|||
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
//
|
||||
// Contributor: Julien Vehent jvehent@mozilla.com [:ulfr]
|
||||
|
||||
// Package gozdef provides an interface for submitting events to MozDef in a
|
||||
// standardized format.
|
||||
package gozdef
|
||||
|
||||
import (
|
||||
|
@ -24,16 +27,17 @@ import (
|
|||
"time"
|
||||
)
|
||||
|
||||
// a Publisher sends events to MozDef, either via AMQP (if initialized
|
||||
// with InitAmqp()) or via rest API (if initialized via InitApi())
|
||||
// Publisher sends events to MozDef, either via AMQP (if initialized
|
||||
// with InitAmqp()) or via rest API (if initialized via InitAPI())
|
||||
type Publisher struct {
|
||||
use_amqp bool // selects the sending mode, if set to false use rest api instead of amqp
|
||||
useAmqp bool // selects the sending mode, if set to false use rest api instead of amqp
|
||||
amqpChan *amqp.Channel // channel handler
|
||||
mqconf MqConf // rabbitmq configuration the publisher was initialized with
|
||||
apiClient *http.Client // http client handler
|
||||
apiconf ApiConf // api configuration the publisher was initialized with
|
||||
apiconf APIConf // api configuration the publisher was initialized with
|
||||
}
|
||||
|
||||
// Send submits an event indicated by ExternalEvent e to the initialized publisher p
|
||||
func (p Publisher) Send(e ExternalEvent) error {
|
||||
err := e.Validate()
|
||||
if err != nil {
|
||||
|
@ -43,7 +47,8 @@ func (p Publisher) Send(e ExternalEvent) error {
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if p.use_amqp {
|
||||
// If using AMQP, publish the event on the configured queue
|
||||
if p.useAmqp {
|
||||
msg := amqp.Publishing{
|
||||
DeliveryMode: amqp.Persistent,
|
||||
Timestamp: time.Now(),
|
||||
|
@ -51,14 +56,14 @@ func (p Publisher) Send(e ExternalEvent) error {
|
|||
Body: data,
|
||||
}
|
||||
return p.amqpChan.Publish(p.mqconf.Exchange, p.mqconf.RoutingKey, false, false, msg)
|
||||
} else {
|
||||
b := bytes.NewBufferString(string(data))
|
||||
resp, err := p.apiClient.Post(p.apiconf.Url, "application/json", b)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
resp.Body.Close()
|
||||
}
|
||||
// Otherwise, we will be sending the event to the REST API
|
||||
b := bytes.NewBufferString(string(data))
|
||||
resp, err := p.apiClient.Post(p.apiconf.URL, "application/json", b)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
resp.Body.Close()
|
||||
return nil
|
||||
}
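Review bot: The REST path ends with `resp.Body.Close()` and `return nil` without looking at `resp.StatusCode`, so a 4xx/5xx from the MozDef API is reported to the caller as a successful submission and the event is silently lost. Close the body with a defer and reject non-2xx responses, e.g. `defer resp.Body.Close()` followed by `if resp.StatusCode < 200 || resp.StatusCode >= 300 { return fmt.Errorf("mozdef api returned status %d", resp.StatusCode) }` (fmt is already used in this file). Relatedly, the `&http.Client{}` created in InitAPI in a later hunk carries no Timeout, so an unresponsive endpoint would block Send indefinitely. Send's body begins in an earlier hunk.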
|
||||
|
||||
|
@ -150,21 +155,24 @@ func InitAmqp(conf MqConf) (p Publisher, err error) {
|
|||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
p.use_amqp = true
|
||||
p.useAmqp = true
|
||||
p.mqconf = conf
|
||||
return
|
||||
}
|
||||
|
||||
type ApiConf struct {
|
||||
Url string // a fully qualified URL where events are posted
|
||||
// APIConf holds the configuration parameters to publish events to the REST API
|
||||
type APIConf struct {
|
||||
URL string // a fully qualified URL where events are posted
|
||||
}
|
||||
|
||||
func InitApi(conf ApiConf) (p Publisher, err error) {
|
||||
if conf.Url == "" {
|
||||
return p, fmt.Errorf("must set Url value in ApiConf")
|
||||
// InitAPI initializes a new Publisher that can be used to submit events to the
|
||||
// REST API
|
||||
func InitAPI(conf APIConf) (p Publisher, err error) {
|
||||
if conf.URL == "" {
|
||||
return p, fmt.Errorf("must set URL value in APIConf")
|
||||
}
|
||||
p.apiClient = &http.Client{}
|
||||
p.use_amqp = false
|
||||
p.useAmqp = false
|
||||
p.apiconf = conf
|
||||
return p, nil
|
||||
}
|
||||
|
|
|
@ -3,56 +3,40 @@
|
|||
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
//
|
||||
// Contributor: Julien Vehent jvehent@mozilla.com [:ulfr]
|
||||
|
||||
package gozdef
|
||||
|
||||
// ExternalEvent provides a generalized interface that all event types
|
||||
// must provide
|
||||
type ExternalEvent interface {
|
||||
Validate() error
|
||||
}
|
||||
|
||||
// An HostAssetHint describes information about a host that can be used
|
||||
// to correlate asset information in MozDef. This is primarily used by MIG
|
||||
type HostAssetHint struct {
|
||||
Type string `json:"type"`
|
||||
Name string `json:"name"`
|
||||
IPv4 []string `json:"ipv4"`
|
||||
IPv6 []string `json:"ipv6"`
|
||||
OS string `json:"os"`
|
||||
Arch string `json:"arch"`
|
||||
Ident string `json:"ident"`
|
||||
Init string `json:"init"`
|
||||
IsProxied bool `json:"isproxied"`
|
||||
Operator string `json:"operator"`
|
||||
Team string `json:"team"`
|
||||
}
|
||||
|
||||
// a ComplianceItem measures the compliance of a target
|
||||
// ComplianceItem measures the compliance of a target
|
||||
// with particular requirement. The item must be send to mozdef
|
||||
// in the details of a regular Event.
|
||||
type ComplianceItem struct {
|
||||
Utctimestamp string `json:"utctimestamp"`
|
||||
Target string `json:"target"`
|
||||
Policy CompliancePolicy `json:"policy"`
|
||||
Check ComplianceCheck `json:"check"`
|
||||
Compliance bool `json:"compliance"`
|
||||
Link string `json:"link"`
|
||||
Tags interface{} `json:"tags"`
|
||||
}
|
||||
Utctimestamp string `json:"utctimestamp"`
|
||||
Target string `json:"target"`
|
||||
Compliance bool `json:"compliance"`
|
||||
Link string `json:"link"`
|
||||
Tags map[string]string `json:"tags"`
|
||||
|
||||
type CompliancePolicy struct {
|
||||
Name string `json:"name"`
|
||||
URL string `json:"url"`
|
||||
Level string `json:"level"`
|
||||
}
|
||||
Policy struct {
|
||||
Name string `json:"name"`
|
||||
URL string `json:"url"`
|
||||
Level string `json:"level"`
|
||||
} `json:"policy"`
|
||||
|
||||
type ComplianceCheck struct {
|
||||
Ref string `json:"ref"`
|
||||
Description string `json:"description"`
|
||||
Name string `json:"name"`
|
||||
Location string `json:"location"`
|
||||
Test ComplianceTest `json:"test"`
|
||||
}
|
||||
Check struct {
|
||||
Ref string `json:"ref"`
|
||||
Description string `json:"description"`
|
||||
Name string `json:"name"`
|
||||
Location string `json:"location"`
|
||||
|
||||
type ComplianceTest struct {
|
||||
Type string `json:"type"`
|
||||
Value string `json:"value"`
|
||||
Test struct {
|
||||
Type string `json:"type"`
|
||||
Value string `json:"value"`
|
||||
} `json:"test"`
|
||||
} `json:"check"`
|
||||
}
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
//
|
||||
// Contributor: Aaron Meihm ameihm@mozilla.com [:alm]
|
||||
|
||||
package gozdef
|
||||
|
||||
import (
|
||||
|
@ -12,50 +13,41 @@ import (
|
|||
|
||||
// MozDef vulnerability event handling
|
||||
|
||||
// VulnEvent describes a vulnerability event
|
||||
type VulnEvent struct {
|
||||
Description string `json:"description"`
|
||||
UTCTimestamp time.Time `json:"utctimestamp"`
|
||||
SourceName string `json:"sourcename"`
|
||||
Asset VulnAsset `json:"asset"`
|
||||
Vuln VulnVuln `json:"vuln"`
|
||||
OS string `json:"os"`
|
||||
}
|
||||
|
||||
type VulnAsset struct {
|
||||
AssetID int `json:"assetid"`
|
||||
IPv4 string `json:"ipv4address"`
|
||||
Hostname string `json:"hostname"`
|
||||
MAC string `json:"macaddress"`
|
||||
Autogroup string `json:"autogroup"`
|
||||
Operator string `json:"operator"`
|
||||
Description string `json:"description"`
|
||||
UTCTimestamp time.Time `json:"utctimestamp"`
|
||||
SourceName string `json:"sourcename"`
|
||||
CredentialedChecks bool `json:"credentialed_checks"`
|
||||
Vuln []VulnVuln `json:"vulnerabilities"`
|
||||
ExemptVuln []VulnVuln `json:"exempt_vulnerabilities"`
|
||||
|
||||
Asset struct {
|
||||
IPAddress string `json:"ipv4address"`
|
||||
Hostname string `json:"hostname"`
|
||||
OS string `json:"os"`
|
||||
Owner struct {
|
||||
Operator string `json:"operator"`
|
||||
Team string `json:"team"`
|
||||
V2Bkey string `json:"v2bkey"`
|
||||
} `json:"owner"`
|
||||
} `json:"asset"`
|
||||
}
|
||||
|
||||
// VulnVuln describes individual vulnerabilities for inclusion in a vulnerability
|
||||
// event
|
||||
type VulnVuln struct {
|
||||
Status string `json:"status"`
|
||||
Title string `json:"title"`
|
||||
Description string `json:"description"`
|
||||
Proof string `json:"proof"`
|
||||
ImpactLabel string `json:"impact_label"`
|
||||
KnownExp bool `json:"known_exploits"`
|
||||
KnownMal bool `json:"known_malware"`
|
||||
Age float64 `json:"age_days"`
|
||||
DiscoveryTime int `json:"discovery_time"`
|
||||
PatchIn float64 `json:"patch_in"`
|
||||
VulnID string `json:"vulnid"`
|
||||
CVE []string `json:"cves"`
|
||||
CVEText []string `json:"cvetext"`
|
||||
CVSS float64 `json:"cvss"`
|
||||
CVSSVector VulnCVSS `json:"cvss_vector"`
|
||||
}
|
||||
|
||||
type VulnCVSS struct {
|
||||
AccessComplexity string `json:"access_complexity"`
|
||||
AvailabilityImpact string `json:"availability_impact"`
|
||||
ConfidentialityImpact string `json:"confidentiality_impact"`
|
||||
AccessVector string `json:"access_vector"`
|
||||
Authentication string `json:"authentication"`
|
||||
Risk string `json:"risk"`
|
||||
Link string `json:"link"`
|
||||
CVE string `json:"cve"`
|
||||
CVSS string `json:"cvss"`
|
||||
Name string `json:"name"`
|
||||
Packages []string `json:"vulnerable_packages"`
|
||||
LikelihoodIndicator string `json:"likelihood_indicator"`
|
||||
}
|
||||
|
||||
// NewVulnEvent initializes a new VulnEvent that can be populated and submitted
|
||||
// to MozDef
|
||||
func NewVulnEvent() (e VulnEvent, err error) {
|
||||
e.UTCTimestamp = time.Now().UTC()
|
||||
return
|
||||
|
@ -66,11 +58,8 @@ func (e VulnEvent) Validate() error {
|
|||
if e.SourceName == "" {
|
||||
return fmt.Errorf("must set SourceName in event")
|
||||
}
|
||||
if e.Asset.AssetID == 0 {
|
||||
return fmt.Errorf("must set AssetID in event")
|
||||
}
|
||||
if e.Vuln.VulnID == "" {
|
||||
return fmt.Errorf("must set VulnID in event")
|
||||
if e.Asset.IPAddress == "" && e.Asset.Hostname == "" {
|
||||
return fmt.Errorf("must set IPAddress or Hostname in event")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
|