package l9format
import "time"
// Severity labels, ordered from most to least serious. The values are the
// wire strings as they appear in JSON; presumably they are the intended
// vocabulary for L9LeakEvent.Severity, though nothing in this file enforces
// that a Severity field holds one of them.
const (
	SEVERITY_CRITICAL = "critical"
	SEVERITY_HIGH     = "high"
	SEVERITY_MEDIUM   = "medium"
	SEVERITY_LOW      = "low"
	SEVERITY_INFO     = "info"
)

// Stage labels, again wire strings; presumably the vocabulary for
// L9LeakEvent.Stage. As with the severities, the type system does not
// restrict a Stage field to these values.
const (
	STAGE_OPEN       = "open"
	STAGE_EXPLORE    = "explore"
	STAGE_EXFILTRATE = "exfiltrate"
)
// L9Event is the top-level record: one observation about a host and port,
// with the protocol-specific sub-events (Http, SSL, SSH, Service, Leak)
// filled in as applicable.
//
// Every field carries a json tag and none uses omitempty, so a marshaled
// event always contains every key, zero-valued sub-structs included. In
// particular Service.Credentials (username, password, key, raw bytes) is
// always emitted, so a serialized L9Event must be handled as sensitive data
// and redacted before it is logged or shared outside the pipeline.
type L9Event struct {
	EventType        string   `json:"event_type"`
	EventSource      string   `json:"event_source"`
	EventPipeline    []string `json:"event_pipeline"` // presumably the list of stages that handled the event — confirm
	EventFingerprint string   `json:"event_fingerprint"`
	Ip               string   `json:"ip"`
	Host             string   `json:"host"`
	Reverse          string   `json:"reverse"` // NOTE(review): looks like the reverse-DNS name for Ip — confirm
	Port             string   `json:"port"`    // kept as a string, not a numeric port
	Mac              string   `json:"mac"`
	Vendor           string   `json:"vendor"`
	Transports       []string `json:"transport"` // JSON key is singular "transport" despite the plural field name
	Protocol         string   `json:"protocol"`
	Http             L9HttpEvent `json:"http"`
	Summary          string      `json:"summary"`
	Time             time.Time   `json:"time"` // encoding/json renders time.Time as an RFC 3339 string
	SSL              L9SSLEvent     `json:"ssl"`
	SSH              L9SSHEvent     `json:"ssh"`
	Service          L9ServiceEvent `json:"service"` // carries ServiceCredentials; see note above
	Leak             L9LeakEvent    `json:"leak"`
	Tags             []string       `json:"tags"` // a nil slice marshals as null, an empty one as []
	GeoIp            GeoLocation    `json:"geoip"`
	Network          Network        `json:"network"`
}
// L9HttpEvent holds the HTTP-level details of an observation.
//
// Headers is a map[string]string, so it can hold only one value per header
// name; a response that repeats a header cannot be represented without loss.
// Title and the header values are presumably copied from the remote
// response and should be treated as attacker-controlled text by any
// consumer that renders them.
type L9HttpEvent struct {
	Root        string            `json:"root"`
	Url         string            `json:"url"`
	Status      int               `json:"status"`
	Length      int64             `json:"length"`
	Headers     map[string]string `json:"header"` // JSON key is singular "header"
	Title       string            `json:"title"`
	FaviconHash string            `json:"favicon_hash"`
}
// L9ServiceEvent describes the service found on the port: the software
// identified and any credentials associated with it. Credentials is a plain
// value field with no omitempty, so it is serialized on every event.
type L9ServiceEvent struct {
	Credentials ServiceCredentials `json:"credentials"`
	Software    Software           `json:"software"`
}
// L9SSHEvent holds SSH-specific details. Banner and Motd are presumably
// verbatim text sent by the remote server — confirm; if so, consumers
// should escape them before displaying them.
type L9SSHEvent struct {
	Fingerprint string `json:"fingerprint"`
	Version     int    `json:"version"`
	Banner      string `json:"banner"`
	Motd        string `json:"motd"`
}
// L9LeakEvent describes a data-exposure finding.
//
// Stage and Severity are free-form strings; the STAGE_* and SEVERITY_*
// constants declared in this file appear to be the intended vocabulary, but
// the type does not restrict either field to those values, so consumers
// should validate rather than assume.
type L9LeakEvent struct {
	Stage    string         `json:"stage"`
	Type     string         `json:"type"`
	Severity string         `json:"severity"`
	Dataset  DatasetSummary `json:"dataset"`
}
// L9SSLEvent holds TLS-level details of an observation.
//
// CypherSuite keeps the "cypher" spelling in both the Go name and the JSON
// key; both are part of the public/wire interface, so neither can be
// corrected without breaking consumers.
type L9SSLEvent struct {
	Detected    bool        `json:"detected"`
	Enabled     bool        `json:"enabled"`
	JARM        string      `json:"jarm"`
	CypherSuite string      `json:"cypher_suite"`
	Version     string      `json:"version"`
	Certificate Certificate `json:"certificate"`
}
// DatasetSummary summarizes the exposed data set behind an L9LeakEvent.
// Infected and RansomNotes presumably record whether the data store already
// carries a ransom note and its text — confirm against the producer.
type DatasetSummary struct {
	Rows        int64    `json:"rows"`
	Files       int64    `json:"files"`
	Size        int64    `json:"size"` // unit not defined here; presumably bytes — confirm
	Collections int64    `json:"collections"`
	Infected    bool     `json:"infected"`
	RansomNotes []string `json:"ransom_notes"`
}
// Software identifies the product running on a service, with its
// detected modules. The JSON key for OperatingSystem is "os".
type Software struct {
	Name            string           `json:"name"`
	Version         string           `json:"version"`
	OperatingSystem string           `json:"os"`
	Modules         []SoftwareModule `json:"modules"`
	Fingerprint     string           `json:"fingerprint"`
}
// SoftwareModule is one component (plugin, extension, module) detected
// inside a Software entry.
type SoftwareModule struct {
	Name        string `json:"name"`
	Version     string `json:"version"`
	Fingerprint string `json:"fingerprint"`
}
// ServiceCredentials holds authentication material associated with a
// service. Password, Key and Raw are secrets: none of the fields uses
// omitempty, so they are written out in full whenever the enclosing event
// is marshaled. Raw is a []byte and is base64-encoded by encoding/json.
// Anything that logs, stores or forwards events should redact these fields
// unless the secret is actually needed downstream.
type ServiceCredentials struct {
	NoAuth   bool   `json:"noauth"` // true when the service needed no authentication at all
	Username string `json:"username"`
	Password string `json:"password"`
	Key      string `json:"key"`
	Raw      []byte `json:"raw"`
}
// Certificate summarizes the X.509 certificate presented by a TLS service.
//
// Valid is a bare flag; what was checked to set it (chain, hostname,
// validity window) is not defined in this file, so consumers should not
// treat it as a full verification result without confirming its meaning
// with the producer.
type Certificate struct {
	CommonName  string    `json:"cn"`
	Domains     []string  `json:"domain"` // JSON key is singular "domain"
	Fingerprint string    `json:"fingerprint"`
	KeyAlgo     string    `json:"key_algo"`
	KeySize     int       `json:"key_size"`
	IssuerName  string    `json:"issuer_name"`
	NotBefore   time.Time `json:"not_before"`
	NotAfter    time.Time `json:"not_after"`
	Valid       bool      `json:"valid"`
}
// GeoLocation is the geographic lookup result for the event's IP address.
// GeoPoint is emitted under the JSON key "location".
type GeoLocation struct {
	ContinentName  string   `json:"continent_name"`
	RegionISOCode  string   `json:"region_iso_code"`
	CityName       string   `json:"city_name"`
	CountryISOCode string   `json:"country_iso_code"`
	CountryName    string   `json:"country_name"`
	RegionName     string   `json:"region_name"`
	GeoPoint       GeoPoint `json:"location"`
}
// GeoPoint is a latitude/longitude pair, serialized with the short keys
// "lat" and "lon".
type GeoPoint struct {
	Latitude  float64 `json:"lat"`
	Longitude float64 `json:"lon"`
}
// Network describes the autonomous system the event's IP belongs to.
// Note the spellings differ between the Go field and its JSON key
// (OrganisationName vs "organization_name"); the JSON key is the wire
// format and must not be changed. NetworkCIDR is emitted under "network".
type Network struct {
	OrganisationName string `json:"organization_name"`
	ASN              int    `json:"asn"`
	NetworkCIDR      string `json:"network"`
}