bitbucket.org/Aishee/synsec@v0.0.0-20210414005726-236fc01a153d/pkg/parser/enrich.go

bitbucket.org/Aishee/synsec@v0.0.0-20210414005726-236fc01a153d/pkg/parser/enrich.go (about)

     1  package parser
     2  
     3  import (
     4  	"plugin"
     5  	"time"
     6  
     7  	"bitbucket.org/Aishee/synsec/pkg/types"
     8  	log "github.com/sirupsen/logrus"
     9  )
    10  
    11  /* should be part of a packaged shared with enrich/geoip.go */
    12  type EnrichFunc func(string, *types.Event, interface{}) (map[string]string, error)
    13  type InitFunc func(map[string]string) (interface{}, error)
    14  
    15  type EnricherCtx struct {
    16  	Funcs      map[string]EnrichFunc
    17  	Init       InitFunc
    18  	Plugin     *plugin.Plugin //pointer to the actual plugin
    19  	Name       string
    20  	Path       string      //path to .so ?
    21  	RuntimeCtx interface{} //the internal context of plugin, given back over every call
    22  	initiated  bool
    23  }
    24  
    25  /* mimic plugin loading */
    26  // TODO fix this shit with real plugin loading
    27  func Loadplugin(path string) ([]EnricherCtx, error) {
    28  	var err error
    29  
    30  	c := EnricherCtx{}
    31  	c.Name = path
    32  	c.Path = path
    33  	/* we don't want to deal with plugin loading for now :p */
    34  	c.Funcs = map[string]EnrichFunc{
    35  		"GeoIpASN":    GeoIpASN,
    36  		"GeoIpCity":   GeoIpCity,
    37  		"reverse_dns": reverse_dns,
    38  		"ParseDate":   ParseDate,
    39  		"IpToRange":   IpToRange,
    40  	}
    41  	c.Init = GeoIpInit
    42  
    43  	c.RuntimeCtx, err = c.Init(map[string]string{"datadir": path})
    44  	if err != nil {
    45  		log.Warningf("load (fake) plugin load : %v", err)
    46  		c.initiated = false
    47  	}
    48  	c.initiated = true
    49  	return []EnricherCtx{c}, nil
    50  }
    51  
    52  func GenDateParse(date string) (string, time.Time) {
    53  	var retstr string
    54  	var layouts = [...]string{
    55  		time.RFC3339,
    56  		"02/Jan/2006:15:04:05 -0700",
    57  		"Mon Jan 2 15:04:05 2006",
    58  		"02-Jan-2006 15:04:05 europe/paris",
    59  		"01/02/2006 15:04:05",
    60  		"2006-01-02 15:04:05.999999999 -0700 MST",
    61  		//Jan  5 06:25:11
    62  		"Jan  2 15:04:05",
    63  		"Mon Jan 02 15:04:05.000000 2006",
    64  		"2006-01-02T15:04:05Z07:00",
    65  		"2006/01/02",
    66  		"2006/01/02 15:04",
    67  		"2006-01-02",
    68  		"2006-01-02 15:04",
    69  		"2006/01/02 15:04:05",
    70  		"2006-01-02 15:04:05",
    71  	}
    72  
    73  	for _, dateFormat := range layouts {
    74  		t, err := time.Parse(dateFormat, date)
    75  		if err == nil && !t.IsZero() {
    76  			//if the year isn't set, set it to current date :)
    77  			if t.Year() == 0 {
    78  				t = t.AddDate(time.Now().Year(), 0, 0)
    79  			}
    80  			retstr, err := t.MarshalText()
    81  			if err != nil {
    82  				log.Warningf("Failed marshaling '%v'", t)
    83  				continue
    84  			}
    85  			return string(retstr), t
    86  		}
    87  	}
    88  	return retstr, time.Time{}
    89  }
    90  
    91  func ParseDate(in string, p *types.Event, x interface{}) (map[string]string, error) {
    92  
    93  	var ret map[string]string = make(map[string]string)
    94  
    95  	tstr, tbin := GenDateParse(in)
    96  	if !tbin.IsZero() {
    97  		ret["MarshaledTime"] = string(tstr)
    98  		return ret, nil
    99  	}
   100  	return nil, nil
   101  }