bitbucket.org/Aishee/synsec@v0.0.0-20210414005726-236fc01a153d/pkg/types/event.go (about)

     1  package types
     2  
     3  import (
     4  	"time"
     5  
     6  	log "github.com/sirupsen/logrus"
     7  
     8  	"github.com/antonmedv/expr/vm"
     9  	"bitbucket.org/Aishee/synsec/pkg/models"
    10  )
    11  
// Event.Type values: an Event wraps either a parsed log line or a bucket
// overflow. Untyped constants, so they compare directly with the int field.
const (
	LOG   = 0 // the event carries a log line
	OVFLW = 1 // the event carries a bucket overflow (an alert)
)
    16  
// Event is the structure representing a runtime event: either a parsed log
// line (Type == LOG) or a bucket overflow (Type == OVFLW). Everything except
// Meta stays inside the engine; Meta is what gets sent to the API.
type Event struct {
	/* is it a log or an overflow */
	Type            int    `yaml:"Type,omitempty" json:"Type,omitempty"`             // types.LOG (0) or types.OVFLW (1)
	ExpectMode      int    `yaml:"ExpectMode,omitempty" json:"ExpectMode,omitempty"` // how buckets should handle the event: leaky.TIMEMACHINE or leaky.LIVE
	// Whitelisted marks an event a whitelist matched; WhiteListReason records
	// which one. NOTE(review): WhiteListReason's tag is snake_case unlike the
	// other fields; renaming it would change the serialized form.
	Whitelisted     bool   `yaml:"Whitelisted,omitempty" json:"Whitelisted,omitempty"`
	WhiteListReason string `yaml:"whitelist_reason,omitempty" json:"whitelist_reason,omitempty"`
	/* the current stage of the line being parsed */
	Stage string `yaml:"Stage,omitempty" json:"Stage,omitempty"`
	/* original line (produced by acquisition) - untrusted input, verbatim */
	Line Line `yaml:"Line,omitempty" json:"Line,omitempty"`
	/* output of groks */
	Parsed map[string]string `yaml:"Parsed,omitempty" json:"Parsed,omitempty"`
	/* output of enrichment */
	Enriched map[string]string `yaml:"Enriched,omitempty" json:"Enriched,omitempty"`
	/* Overflow: the alert data when Type == OVFLW */
	Overflow      RuntimeAlert `yaml:"Alert,omitempty" json:"Alert,omitempty"`
	Time          time.Time    `yaml:"Time,omitempty" json:"Time,omitempty"` // parsed timestamp of the line
	StrTime       string       `yaml:"StrTime,omitempty" json:"StrTime,omitempty"`             // presumably the raw timestamp string extracted from the line - verify against the parser
	MarshaledTime string       `yaml:"MarshaledTime,omitempty" json:"MarshaledTime,omitempty"` // presumably Time re-serialized for transport - verify against the callers
	Process       bool         `yaml:"Process,omitempty" json:"Process,omitempty"`             // can be set to false to avoid processing the line
	/* Meta is the only part that will make it to the API - it crosses the trust
	boundary to the remote side, so it must be normalized before being set */
	Meta map[string]string `yaml:"Meta,omitempty" json:"Meta,omitempty"`
}
    42  
// GetType returns the human-readable kind of the event: "overflow" for
// OVFLW, "log" for LOG, and "unknown" (after logging a warning) for any
// other Type value.
func (e *Event) GetType() string {
	switch e.Type {
	case OVFLW:
		return "overflow"
	case LOG:
		return "log"
	}
	// Any other Type is an upstream programming error. NOTE(review): %+v dumps
	// the whole event, including the raw Line, Parsed and Meta, into the daemon
	// log; logging only e.Type would avoid copying untrusted log content there.
	log.Warningf("unknown event type for %+v", e)
	return "unknown"
}
    53  
// TODO: move these into the leakybuckets package.
//
// Scope names a bucket's ScopeType.Scope can take; Undefined is the zero
// value of a scope that was never set.
const (
	Filter    = "Filter"
	Ip        = "Ip"
	Range     = "Range"
	Undefined = ""
)
    61  
// TODO: move into the leakybuckets package.
//
// ScopeType describes what a bucket's alert is scoped to (see the Ip, Range
// and Filter constants) and, for Filter scopes, the expression that selects
// the scope value.
type ScopeType struct {
	Scope         string `yaml:"type"`       // one of Undefined, Ip, Range or Filter
	Filter        string `yaml:"expression"` // expr source for Filter scopes, as written in the configuration
	RunTimeFilter *vm.Program // presumably compiled from Filter at load time; it has no yaml tag, so it is not expected to come from config - verify
}
    68  
// RuntimeAlert is the engine-side view of a bucket overflow: the bucket that
// fired, the sources it aggregated and the API alert(s) built from them.
type RuntimeAlert struct {
	Mapkey      string                   `yaml:"MapKey,omitempty" json:"MapKey,omitempty"`     // presumably the partition key the bucket was created under - verify against leakybuckets
	BucketId    string                   `yaml:"BucketId,omitempty" json:"BucketId,omitempty"` // identifier of the bucket that overflowed
	Whitelisted bool                     `yaml:"Whitelisted,omitempty" json:"Whitelisted,omitempty"`
	Reprocess   bool                     `yaml:"Reprocess,omitempty" json:"Reprocess,omitempty"`
	Sources     map[string]models.Source `yaml:"Sources,omitempty" json:"Sources,omitempty"` // sources aggregated by the bucket; key semantics not visible here
	Alert       *models.Alert            `yaml:"Alert,omitempty" json:"Alert,omitempty"` //this one is a pointer to APIAlerts[0] for convenience.
	// APIAlerts will be populated at the end when there is more than one source.
	// NOTE(review): if Alert really aliases &APIAlerts[0], any append that
	// reallocates APIAlerts leaves Alert pointing at the old backing array.
	APIAlerts []models.Alert `yaml:"APIAlerts,omitempty" json:"APIAlerts,omitempty"`
}