├── manager ├── __init__.py ├── requirements.txt ├── HeartBeat.py └── JsonSocket.py ├── tests ├── core │ ├── __init__.py │ ├── test.py │ └── utils.py ├── tools │ ├── __init__.py │ ├── output.py │ ├── sofa_mock.py │ ├── darwin_utils.py │ └── utils.py ├── filters │ ├── __init__.py │ ├── fvaml.py │ ├── fvast.py │ └── test.py ├── manager_socket │ ├── __init__.py │ ├── test.py │ └── logging_test.py ├── requirements.txt ├── conf.py └── test.py ├── pkg └── stage │ ├── usr │ └── local │ │ ├── lib │ │ └── .gitkeep │ │ ├── include │ │ └── .gitkeep │ │ └── etc │ │ └── rc.d │ │ └── darwin │ ├── var │ ├── run │ │ └── darwin │ │ │ └── .gitkeep │ ├── log │ │ └── darwin │ │ │ ├── access.log │ │ │ ├── darwin.log │ │ │ └── darwin_manager.log │ └── sockets │ │ └── darwin │ │ └── .gitkeep │ └── home │ └── darwin │ ├── databases │ └── .gitkeep │ └── conf │ ├── fend │ └── fend.conf.example │ ├── fsession │ └── fsession.conf.example │ ├── freputation │ └── freputation.conf.example │ ├── fconnection │ ├── init_data_file.example │ └── fconnection.conf.example │ ├── fsofa │ └── fsofa.conf.example │ ├── fuser_agent │ └── fuser_agent.conf.example │ ├── fanomaly │ └── fanomaly.conf.example │ ├── ftanomaly │ └── ftanomaly.conf.example │ ├── fhostlookup │ └── fhostlookup.conf.example │ ├── fdga │ └── fdga.conf.example │ ├── fcontent_inspection │ ├── fcontent_inspection.conf.example │ └── exampleRule.yar │ └── darwin.conf.example ├── samples ├── fpythonexample │ ├── python_example_filter │ │ ├── __init__.py │ │ ├── requirements.txt │ │ └── example_filter.py │ ├── example_configuration_files │ │ ├── fpython_example │ │ │ └── fpython_example.conf │ │ └── darwin.conf │ ├── Generator.hpp │ ├── README.md │ └── PythonExampleTask.hpp ├── base │ ├── errors.hpp │ ├── Stats.cpp │ ├── ThreadGroup.cpp │ ├── Manager.hpp │ ├── Manager.cpp │ ├── main.cpp │ ├── Stats.hpp │ ├── ThreadGroup.hpp │ └── Monitor.hpp ├── fbuffer │ ├── Connectors │ │ ├── Connectors.hpp │ │ ├── fSofaConnector.cpp │ │ └── 
fSofaConnector.hpp │ ├── enums.hpp │ ├── BufferThreadManager.cpp │ ├── OutputConfig.cpp │ ├── OutputConfig.hpp │ ├── BufferThreadManager.hpp │ ├── BufferThread.hpp │ └── BufferThread.cpp ├── config.hpp ├── config.cpp ├── fanomaly │ ├── Generator.hpp │ └── Generator.cpp ├── fsession │ ├── Generator.hpp │ ├── Generator.cpp │ └── SessionTask.hpp ├── finspection │ ├── Generator.hpp │ ├── rand_utils.cpp │ ├── rand_utils.hpp │ ├── file_utils.hpp │ ├── packets.hpp │ ├── stream_buffer.hpp │ ├── extract_impcap.hpp │ └── ContentInspectionTask.hpp ├── fend │ ├── Generator.hpp │ ├── EndTask.hpp │ └── EndTask.cpp ├── fdecision │ ├── Generator.cpp │ ├── Generator.hpp │ └── DecisionTask.hpp ├── fconnection │ ├── Generator.hpp │ └── ConnectionSupervisionTask.hpp ├── ftest │ ├── Generator.hpp │ └── TestTask.hpp ├── freputation │ └── Generator.hpp ├── ftanomaly │ ├── Generator.hpp │ └── TAnomalyTask.hpp ├── fyara │ ├── Generator.hpp │ └── YaraTask.hpp ├── fuseragent │ ├── Generator.hpp │ └── UserAgentTask.hpp ├── fdga │ ├── Generator.hpp │ └── TfLiteHelper.hpp ├── fsofa │ ├── Generator.hpp │ └── SofaTask.hpp ├── fhostlookup │ ├── Generator.hpp │ └── HostLookupTask.hpp └── protocol.h ├── conf ├── fend │ └── fend.conf.example ├── fsession │ └── fsession.conf.example ├── fconnection │ ├── init_data_file.example │ └── fconnection.conf.example ├── freputation │ └── freputation.conf.example ├── fsofa │ └── fsofa.conf.example ├── fuser_agent │ └── fuser_agent.conf.example ├── fanomaly │ └── fanomaly.conf.example ├── ftanomaly │ └── ftanomaly.conf.example ├── fyara │ ├── fyara.conf │ └── rule.yara ├── fhostlookup │ └── fhostlookup.conf.example ├── fdga │ └── fdga.conf.example ├── fcontent_inspection │ ├── fcontent_inspection.conf.example │ └── exampleRule.yar ├── fbuffer │ └── fbuffer.conf.example └── darwin.conf.example ├── .gitmodules ├── toolkit ├── Uuid.hpp ├── Time.hpp ├── Validators.hpp ├── Uuid.cpp ├── Time.cpp ├── StringUtils.cpp ├── StringUtils.hpp ├── Files.hpp ├── Validators.cpp 
├── rapidjson │ ├── internal │ │ ├── swap.h │ │ └── strfunc.h │ ├── cursorstreamwrapper.h │ └── ostreamwrapper.h ├── AThread.cpp ├── AThreadManager.cpp ├── ThreadManager.hpp ├── Network.hpp ├── AThreadManager.hpp ├── AThread.hpp ├── FileManager.hpp ├── Files.cpp ├── FileManager.cpp └── PythonUtils.hpp ├── cmake ├── ftest.cmake ├── LICENSE.txt ├── fhostlookup.cmake ├── fsession.cmake ├── fconnection.cmake ├── fsofa.cmake ├── fyara.cmake ├── ARMA_FindARPACK.cmake ├── FindFaup.cmake ├── ARMA_FindOpenBLAS.cmake ├── fanomaly.cmake ├── ARMA_FindACML.cmake ├── ARMA_FindBLAS.cmake ├── fbuffer.cmake ├── ARMA_FindACMLMP.cmake ├── ARMA_FindLAPACK.cmake ├── ftanomaly.cmake ├── fdga.cmake ├── ARMA_FindCBLAS.cmake ├── ARMA_FindCLAPACK.cmake ├── ARMA_FindMKL.cmake ├── finspection.cmake ├── FindTensorflow.cmake ├── FindYara.cmake └── FindHiredis.cmake └── .github ├── ISSUE_TEMPLATE ├── feature-filter-request.md └── bug_report.md ├── pull_request_template.md └── workflows ├── docker-dev.yml └── docker-releases.yml /manager/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /tests/core/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /tests/tools/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /tests/filters/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /pkg/stage/usr/local/lib/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- 
/pkg/stage/var/run/darwin/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /tests/manager_socket/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /pkg/stage/usr/local/include/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /pkg/stage/var/log/darwin/access.log: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /pkg/stage/var/log/darwin/darwin.log: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /pkg/stage/var/sockets/darwin/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /pkg/stage/home/darwin/databases/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /pkg/stage/var/log/darwin/darwin_manager.log: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /samples/fpythonexample/python_example_filter/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /manager/requirements.txt: -------------------------------------------------------------------------------- 1 | jsonschema==3.2.0 2 
| psutil==5.6.6 3 | redis==3.3.11 4 | -------------------------------------------------------------------------------- /conf/fend/fend.conf.example: -------------------------------------------------------------------------------- 1 | { 2 | "redis_socket_path": "/var/sockets/redis/redis.sock" 3 | } 4 | -------------------------------------------------------------------------------- /conf/fsession/fsession.conf.example: -------------------------------------------------------------------------------- 1 | { 2 | "redis_socket_path": "/var/sockets/redis/redis.sock" 3 | } 4 | -------------------------------------------------------------------------------- /tests/requirements.txt: -------------------------------------------------------------------------------- 1 | git+https://github.com/VultureProject/darwin-client-python.git 2 | redis==3.3.11 3 | -------------------------------------------------------------------------------- /samples/fpythonexample/python_example_filter/requirements.txt: -------------------------------------------------------------------------------- 1 | numpy==1.22.0 2 | python-sample-package==0.4.0 3 | -------------------------------------------------------------------------------- /pkg/stage/home/darwin/conf/fend/fend.conf.example: -------------------------------------------------------------------------------- 1 | { 2 | "redis_socket_path": "/var/sockets/redis/redis.sock" 3 | } 4 | -------------------------------------------------------------------------------- /pkg/stage/home/darwin/conf/fsession/fsession.conf.example: -------------------------------------------------------------------------------- 1 | { 2 | "redis_socket_path": "/var/sockets/redis/redis.sock" 3 | } 4 | -------------------------------------------------------------------------------- /conf/fconnection/init_data_file.example: -------------------------------------------------------------------------------- 1 | 192.168.1.10;192.168.1.1;80;6 2 | 192.168.1.12;192.168.1.1;443;6 3 | 
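192.168.1.42;192.168.1.5;22;6 -------------------------------------------------------------------------------- /conf/freputation/freputation.conf.example: -------------------------------------------------------------------------------- 1 | { 2 | "mmdb_database": "/home/darwin/conf/freputation/my_reputation_database.mmdb" 3 | } 4 | -------------------------------------------------------------------------------- /pkg/stage/home/darwin/conf/freputation/freputation.conf.example: -------------------------------------------------------------------------------- 1 | { 2 | "mmdb_database": "/home/darwin/conf/freputation/my_reputation_database.mmdb" 3 | } 4 | -------------------------------------------------------------------------------- /pkg/stage/home/darwin/conf/fconnection/init_data_file.example: -------------------------------------------------------------------------------- 1 | 192.168.1.10;192.168.1.1;80;6 2 | 192.168.1.12;192.168.1.1;443;6 3 | 192.168.1.42;192.168.1.5;22;6 -------------------------------------------------------------------------------- /tests/filters/fvaml.py: -------------------------------------------------------------------------------- 1 | from tools.output import print_result 2 | 3 | 4 | def run(): 5 | """Run every VAML filter test and print one result line per test.""" 6 | # This is a proprietary filter, tests are not implemented here 7 | tests = [] 8 | 9 | # print_result (tests/tools/output.py) prints the label, calls the test and prints OK/ERROR from its return value; it was never imported here, so the loop would raise NameError as soon as a test is added 10 | for test in tests: 11 | print_result("vaml: " + test.__name__, test) 12 | -------------------------------------------------------------------------------- /tests/filters/fvast.py: -------------------------------------------------------------------------------- 1 | from tools.output import print_result 2 | 3 | 4 | def run(): 5 | """Run every VAST filter test and print one result line per test.""" 6 | # This is a proprietary filter, tests are not implemented here 7 | tests = [] 8 | 9 | # print_result (tests/tools/output.py) prints the label, calls the test and prints OK/ERROR from its return value; it was never imported here, so the loop would raise NameError as soon as a test is added 10 | for test in tests: 11 | print_result("vast: " + test.__name__, test) 12 | -------------------------------------------------------------------------------- /conf/fsofa/fsofa.conf.example: -------------------------------------------------------------------------------- 1 | { 2 | "python_env_path": "/home/vlt-os/env/bin/python", 3 | "module": 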
"scan_analysis_anomaly_core", 4 | "function": "main", 5 | "custom_python_path": "/home/darwin/conf/fsofa/" 6 | } -------------------------------------------------------------------------------- /conf/fuser_agent/fuser_agent.conf.example: -------------------------------------------------------------------------------- 1 | { 2 | "model_path": "/home/darwin/conf/fuser_agent/fuser_agent.pb", 3 | "token_map_path": "/home/darwin/conf/fuser_agent/fuser_agent_tokens.csv", 4 | "max_tokens": 50 5 | } 6 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "docs"] 2 | path = docs 3 | url = https://github.com/VultureProject/darwin.wiki 4 | [submodule "tensorflow"] 5 | path = tensorflow 6 | url = https://github.com/tensorflow/tensorflow.git 7 | branch = r2.6 8 | -------------------------------------------------------------------------------- /pkg/stage/home/darwin/conf/fsofa/fsofa.conf.example: -------------------------------------------------------------------------------- 1 | { 2 | "python_env_path": "/home/vlt-os/env/bin/python", 3 | "module": "scan_analysis_anomaly_core", 4 | "function": "main", 5 | "custom_python_path": "/home/darwin/conf/fsofa/" 6 | } -------------------------------------------------------------------------------- /pkg/stage/home/darwin/conf/fuser_agent/fuser_agent.conf.example: -------------------------------------------------------------------------------- 1 | { 2 | "model_path": "/home/darwin/conf/fuser_agent/fuser_agent.pb", 3 | "token_map_path": "/home/darwin/conf/fuser_agent/fuser_agent_tokens.csv", 4 | "max_tokens": 50 5 | } 6 | -------------------------------------------------------------------------------- /conf/fanomaly/fanomaly.conf.example: -------------------------------------------------------------------------------- 1 | { 2 | "log_file_path": "/var/log/darwin/alerts.log", 3 | "redis_socket_path": 
"/var/sockets/redis/redis.sock", 4 | "alert_redis_list_name": "darwin_alerts", 5 | "alert_redis_channel_name": "darwin.alerts" 6 | } -------------------------------------------------------------------------------- /conf/ftanomaly/ftanomaly.conf.example: -------------------------------------------------------------------------------- 1 | { 2 | "log_file_path": "/var/log/darwin/alerts.log", 3 | "redis_socket_path": "/var/sockets/redis/redis.sock", 4 | "alert_redis_list_name": "darwin_alerts", 5 | "alert_redis_channel_name": "darwin.alerts" 6 | } -------------------------------------------------------------------------------- /tests/core/test.py: -------------------------------------------------------------------------------- 1 | import core.base as base 2 | import core.redis as redis 3 | import core.alert as alert 4 | 5 | 6 | def run(): 7 | print("Core Results:") 8 | 9 | base.run() 10 | redis.run() 11 | alert.run() 12 | 13 | print() 14 | print() -------------------------------------------------------------------------------- /pkg/stage/home/darwin/conf/fanomaly/fanomaly.conf.example: -------------------------------------------------------------------------------- 1 | { 2 | "log_file_path": "/var/log/darwin/alerts.log", 3 | "redis_socket_path": "/var/sockets/redis/redis.sock", 4 | "alert_redis_list_name": "darwin_alerts", 5 | "alert_redis_channel_name": "darwin.alerts" 6 | } -------------------------------------------------------------------------------- /pkg/stage/home/darwin/conf/ftanomaly/ftanomaly.conf.example: -------------------------------------------------------------------------------- 1 | { 2 | "log_file_path": "/var/log/darwin/alerts.log", 3 | "redis_socket_path": "/var/sockets/redis/redis.sock", 4 | "alert_redis_list_name": "darwin_alerts", 5 | "alert_redis_channel_name": "darwin.alerts" 6 | } -------------------------------------------------------------------------------- 
/samples/fpythonexample/example_configuration_files/fpython_example/fpython_example.conf: -------------------------------------------------------------------------------- 1 | { 2 | "python_env_path": "/home/darwin/conf/fpython_example/env/bin/python", 3 | "module": "example_filter", 4 | "function": "my_super_machine_learning_function", 5 | "custom_python_path": "/home/darwin/filters/" 6 | } 7 | -------------------------------------------------------------------------------- /conf/fyara/fyara.conf: -------------------------------------------------------------------------------- 1 | { 2 | "log_file_path": "/var/log/darwin/alerts.log", 3 | "redis_socket_path": "/var/sockets/redis/redis.sock", 4 | "alert_redis_list_name": "darwin_alerts", 5 | "alert_redis_channel_name": "darwin.alerts", 6 | "fastmode": true, 7 | "rule_file_list": ["/path/to/rule/file.yar"] 8 | } 9 | -------------------------------------------------------------------------------- /tests/core/utils.py: -------------------------------------------------------------------------------- 1 | from conf import DEFAULT_FILTER_PATH 2 | from tools.filter import DEFAULT_ALERTS_FILE 3 | 4 | 5 | DEFAULT_PATH = DEFAULT_FILTER_PATH + "darwin_logs" 6 | RESP_MON_STATUS_RUNNING = '"status": "running"' 7 | FTEST_CONFIG = f'{{"log_file_path": "{DEFAULT_ALERTS_FILE}"}}' 8 | FTEST_CONFIG_NO_ALERT_LOG = '{}' -------------------------------------------------------------------------------- /conf/fhostlookup/fhostlookup.conf.example: -------------------------------------------------------------------------------- 1 | { 2 | "log_file_path": "/var/log/darwin/alerts.log", 3 | "redis_socket_path": "/var/sockets/redis/redis.sock", 4 | "alert_redis_list_name": "darwin_alerts", 5 | "alert_redis_channel_name": "darwin.alerts", 6 | "database": "/home/darwin/conf/fhostlookup/database" 7 | } -------------------------------------------------------------------------------- /pkg/stage/home/darwin/conf/fhostlookup/fhostlookup.conf.example: 
-------------------------------------------------------------------------------- 1 | { 2 | "log_file_path": "/var/log/darwin/alerts.log", 3 | "redis_socket_path": "/var/sockets/redis/redis.sock", 4 | "alert_redis_list_name": "darwin_alerts", 5 | "alert_redis_channel_name": "darwin.alerts", 6 | "database": "/home/darwin/conf/fhostlookup/database" 7 | } -------------------------------------------------------------------------------- /conf/fconnection/fconnection.conf.example: -------------------------------------------------------------------------------- 1 | { 2 | "log_file_path": "/var/log/darwin/alerts.log", 3 | "redis_socket_path": "/var/sockets/redis/redis.sock", 4 | "alert_redis_list_name": "darwin_alerts", 5 | "alert_redis_channel_name": "darwin.alerts", 6 | "init_data_path": "/home/darwin/conf/fconnection/init_data_file.example", 7 | "redis_expire": 300 8 | } 9 | -------------------------------------------------------------------------------- /samples/fpythonexample/example_configuration_files/darwin.conf: -------------------------------------------------------------------------------- 1 | { 2 | "python_example_1": { 3 | "exec_path": "/home/darwin/filters/darwin_python_example", 4 | "config_file": "/home/darwin/conf/fpython_example/fpython_example.conf", 5 | "decision_filter": "", 6 | "nb_thread": 5, 7 | "log_level": "DEBUG", 8 | "cache_size": 2048 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /toolkit/Uuid.hpp: -------------------------------------------------------------------------------- 1 | /// \file uuid.hpp 2 | /// \authors ggonzalez 3 | /// \version 1.0 4 | /// \date 12/08/20 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2020 Advens. All rights reserved. 
7 | 8 | #pragma once 9 | 10 | #include 11 | 12 | namespace darwin { 13 | namespace uuid { 14 | std::vector GenUuid(); 15 | } 16 | } -------------------------------------------------------------------------------- /pkg/stage/home/darwin/conf/fconnection/fconnection.conf.example: -------------------------------------------------------------------------------- 1 | { 2 | "log_file_path": "/var/log/darwin/alerts.log", 3 | "redis_socket_path": "/var/sockets/redis/redis.sock", 4 | "alert_redis_list_name": "darwin_alerts", 5 | "alert_redis_channel_name": "darwin.alerts", 6 | "init_data_path": "/home/darwin/conf/fconnection/init_data_file.example", 7 | "redis_expire": 300 8 | } 9 | -------------------------------------------------------------------------------- /conf/fdga/fdga.conf.example: -------------------------------------------------------------------------------- 1 | { 2 | "log_file_path": "/var/log/darwin/alerts.log", 3 | "redis_socket_path": "/var/sockets/redis/redis.sock", 4 | "alert_redis_list_name": "darwin_alerts", 5 | "alert_redis_channel_name": "darwin.alerts", 6 | "model_path": "/home/darwin/conf/fdga/fdga.pb", 7 | "token_map_path": "/home/darwin/conf/fdga/fdga_tokens.csv", 8 | "max_tokens": 75 9 | } 10 | -------------------------------------------------------------------------------- /samples/base/errors.hpp: -------------------------------------------------------------------------------- 1 | /// \file errors.hpp 2 | /// \authors hsoszynski 3 | /// \version 1.0 4 | /// \date 29/04/2020 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2020 Advens. All rights reserved. 
7 | 8 | #pragma once 9 | 10 | #define DARWIN_RESPONSE_CODE_OK 0 11 | #define DARWIN_RESPONSE_CODE_REQUEST_ERROR 400 12 | #define DARWIN_RESPONSE_CODE_PROCESSING_ERROR 500 13 | -------------------------------------------------------------------------------- /samples/fpythonexample/python_example_filter/example_filter.py: -------------------------------------------------------------------------------- 1 | # we need to import a package here, to test our Python environment 2 | from myPackage.somePython import fahrToKelv 3 | 4 | # we could imagine a complicated machine learning function which in the end returns a result 5 | def my_super_machine_learning_function(fahrenheit_temperature=32): 6 | return fahrToKelv(fahrenheit_temperature) 7 | -------------------------------------------------------------------------------- /cmake/ftest.cmake: -------------------------------------------------------------------------------- 1 | set(TEST_NAME darwin_test) 2 | 3 | add_executable( 4 | ${TEST_NAME} 5 | ${DARWIN_SOURCES} 6 | samples/ftest/TestTask.cpp samples/ftest/TestTask.hpp 7 | samples/ftest/Generator.cpp samples/ftest/Generator.hpp 8 | ) 9 | 10 | target_link_libraries( 11 | ${TEST_NAME} 12 | ${DARWIN_LIBRARIES} 13 | ) 14 | 15 | target_include_directories(${TEST_NAME} PUBLIC samples/ftest/) -------------------------------------------------------------------------------- /toolkit/Time.hpp: -------------------------------------------------------------------------------- 1 | /// \file Time.hpp 2 | /// \authors tbertin 3 | /// \version 1.0 4 | /// \date 04/09/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2019 Advens. All rights reserved. 
7 | 8 | #include 9 | 10 | /// \namespace darwin 11 | namespace darwin { 12 | /// \namespace validator 13 | namespace time_utils { 14 | std::string GetTime(); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /pkg/stage/home/darwin/conf/fdga/fdga.conf.example: -------------------------------------------------------------------------------- 1 | { 2 | "log_file_path": "/var/log/darwin/alerts.log", 3 | "redis_socket_path": "/var/sockets/redis/redis.sock", 4 | "alert_redis_list_name": "darwin_alerts", 5 | "alert_redis_channel_name": "darwin.alerts", 6 | "model_path": "/home/darwin/conf/fdga/fdga.pb", 7 | "token_map_path": "/home/darwin/conf/fdga/fdga_tokens.csv", 8 | "max_tokens": 75 9 | } 10 | -------------------------------------------------------------------------------- /cmake/LICENSE.txt: -------------------------------------------------------------------------------- 1 | The ARMA_*.cmake files in this directory are from the Armadillo project, and are 2 | generally written by Conrad Sanderson and other Armadillo contributors. The 3 | Armadillo project, which is used heavily in mlpack, can be found at 4 | 5 | http://arma.sourceforge.net/ 6 | 7 | Those files are subject to the terms of the Mozilla Public License, v. 2.0. A 8 | copy of the license may be obtained at http://mozilla.org/MPL/2.0/. 9 | -------------------------------------------------------------------------------- /toolkit/Validators.hpp: -------------------------------------------------------------------------------- 1 | /// \file Validators.hpp 2 | /// \authors gcatto 3 | /// \version 1.0 4 | /// \date 02/05/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2019 Advens. All rights reserved. 
7 | 8 | #include 9 | 10 | /// \namespace darwin 11 | namespace darwin { 12 | /// \namespace validator 13 | namespace validator { 14 | bool IsDomainValid(const std::string& domain); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /tests/conf.py: -------------------------------------------------------------------------------- 1 | # Where all Runtime and temporary files will be put (configurations, sockets, pid files, logging files... except darwin.log) 2 | # NOTE(review): /tmp is shared and world-writable, so the sockets, pid files and configurations the tests create there are visible to every local user on the host. That is fine on a dedicated single-user test machine; elsewhere, point this at a directory of your own (tempfile.mkdtemp() creates one with owner-only permissions). 3 | TEST_FILES_DIR = '/tmp' 4 | 5 | # ENV CONFIG 6 | PYTHON_ENV_PATH = "/usr/local/lib/python3.7" 7 | DEFAULT_PYTHON_EXEC = 'python3' 8 | 9 | DEFAULT_MANAGER_PATH = '/home/darwin/manager/manager.py' 10 | # Keep the trailing slash: tests/core/utils.py builds DEFAULT_PATH by appending a name directly to this string. 11 | DEFAULT_FILTER_PATH = '/home/darwin/filters/' 12 | 13 | # TEST CONFIG 14 | VALGRIND_MEMCHECK = False 15 | -------------------------------------------------------------------------------- /samples/fbuffer/Connectors/Connectors.hpp: -------------------------------------------------------------------------------- 1 | /// \file Connectors.hpp 2 | /// \authors ggonzalez 3 | /// \version 1.0 4 | /// \date 03/06/20 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2020 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | // Base class definition 11 | #include "AConnector.hpp" 12 | 13 | // Subclasses 14 | #include "fAnomalyConnector.hpp" 15 | #include "fSofaConnector.hpp" 16 | #include "SumConnector.hpp" 17 | -------------------------------------------------------------------------------- /tests/tools/output.py: -------------------------------------------------------------------------------- 1 | def print_results(results): 2 | """Print one "OK | name" or "ERROR | name" line per (name, passed) pair in *results*. 3 | 4 | A pair counts as passed only when its second element is literally True (identity check), so any other value, including a truthy non-bool, is reported as ERROR. 5 | """ 6 | 7 | for i in results: 8 | if i[1] is True: 9 | print("OK | " + i[0]) 10 | else: 11 | print("ERROR | " + i[0]) 12 | 13 | def print_result(name, function): 14 | print(name + "... 
", end='', flush=True) 11 | result = function() 12 | if result is True: 13 | print("\33[32m OK \33[0m") 14 | else: 15 | print("\033[91m ERROR \33[0m") 16 | -------------------------------------------------------------------------------- /tests/test.py: -------------------------------------------------------------------------------- 1 | import logging 2 | from sys import stderr 3 | import manager_socket.test as manager_socket 4 | import core.test as core 5 | import filters.test as filters 6 | 7 | 8 | if __name__ == "__main__": 9 | logging.basicConfig(filename="test_error.log", filemode='w', level=logging.ERROR) 10 | 11 | core.run() 12 | filters.run() 13 | manager_socket.run() 14 | 15 | print("Note: you can read test_error.log for more details", file=stderr) 16 | -------------------------------------------------------------------------------- /conf/fcontent_inspection/fcontent_inspection.conf.example: -------------------------------------------------------------------------------- 1 | { 2 | "log_file_path": "/var/log/darwin/alerts.log", 3 | "redis_socket_path": "/var/sockets/redis/redis.sock", 4 | "alert_redis_list_name": "darwin_alerts", 5 | "alert_redis_channel_name": "darwin.alerts", 6 | "maxConnections": 64000, 7 | "yaraRuleFile": "/home/darwin/conf/fcontent_inspection/exampleRule.yar", 8 | "yaraScanType": "packet", 9 | "yaraScanMaxSize": 16384, 10 | "maxMemoryUsage": 10 11 | } 12 | -------------------------------------------------------------------------------- /cmake/fhostlookup.cmake: -------------------------------------------------------------------------------- 1 | set(HOSTLOOKUP_NAME darwin_hostlookup) 2 | 3 | add_executable( 4 | ${HOSTLOOKUP_NAME} 5 | ${DARWIN_SOURCES} 6 | samples/fhostlookup/HostLookupTask.cpp samples/fhostlookup/HostLookupTask.hpp 7 | samples/fhostlookup/Generator.cpp samples/fhostlookup/Generator.hpp 8 | ) 9 | 10 | target_link_libraries( 11 | ${HOSTLOOKUP_NAME} 12 | ${DARWIN_LIBRARIES} 13 | ) 14 | 15 | 
target_include_directories(${HOSTLOOKUP_NAME} PUBLIC samples/fhostlookup/) -------------------------------------------------------------------------------- /pkg/stage/home/darwin/conf/fcontent_inspection/fcontent_inspection.conf.example: -------------------------------------------------------------------------------- 1 | { 2 | "log_file_path": "/var/log/darwin/alerts.log", 3 | "redis_socket_path": "/var/sockets/redis/redis.sock", 4 | "alert_redis_list_name": "darwin_alerts", 5 | "alert_redis_channel_name": "darwin.alerts", 6 | "maxConnections": 64000, 7 | "yaraRuleFile": "/root/darwin/conf/fcontent_inspection/exampleRule.yar.example", 8 | "yaraScanType": "packet", 9 | "yaraScanMaxSize": 16384, 10 | "maxMemoryUsage": 10 11 | } 12 | -------------------------------------------------------------------------------- /tests/manager_socket/test.py: -------------------------------------------------------------------------------- 1 | import pprint 2 | import manager_socket.monitor_test as monitor_test 3 | import manager_socket.update_test as update_test 4 | import manager_socket.reporting_test as reporting_test 5 | import manager_socket.logging_test as logging_test 6 | from tools.output import print_results 7 | 8 | def run(): 9 | print('Management Socket Results:') 10 | 11 | monitor_test.run() 12 | update_test.run() 13 | reporting_test.run() 14 | logging_test.run() 15 | 16 | print() 17 | print() -------------------------------------------------------------------------------- /cmake/fsession.cmake: -------------------------------------------------------------------------------- 1 | set(SESSION_NAME darwin_session) 2 | 3 | ################### 4 | # EXECUTABLE # 5 | ################### 6 | 7 | add_executable( 8 | ${SESSION_NAME} 9 | ${DARWIN_SOURCES} 10 | samples/fsession/SessionTask.cpp samples/fsession/SessionTask.hpp 11 | samples/fsession/Generator.cpp samples/fsession/Generator.hpp 12 | ) 13 | 14 | target_link_libraries( 15 | ${SESSION_NAME} 16 | ${DARWIN_LIBRARIES} 17 | ) 
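18 | 19 | target_include_directories(${SESSION_NAME} PUBLIC samples/fsession/) -------------------------------------------------------------------------------- /toolkit/Uuid.cpp: -------------------------------------------------------------------------------- 1 | /// \file uuid.hpp 2 | /// \authors ggonzalez 3 | /// \version 1.0 4 | /// \date 12/08/20 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2020 Advens. All rights reserved. 7 | 8 | #include 9 | 10 | #include "Uuid.hpp" 11 | 12 | std::vector darwin::uuid::GenUuid() { 13 | boost::uuids::random_generator gen; 14 | boost::uuids::uuid u = gen(); 15 | 16 | std::vector v(u.size()); 17 | std::copy(u.begin(), u.end(), v.begin()); 18 | return v; 19 | } -------------------------------------------------------------------------------- /toolkit/Time.cpp: -------------------------------------------------------------------------------- 1 | #include "Time.hpp" 2 | #include 3 | 4 | namespace darwin { 5 | namespace time_utils { 6 | /// \brief Return the current UTC time formatted with "%FT%TZ" (ISO-8601, e.g. 2020-08-12T10:15:30Z as a constructed sample). 7 | /// gmtime() returns a pointer to one static buffer shared by every thread of the process; the thread-management code elsewhere in this tree suggests GetTime() may be called concurrently, so gmtime_r() is used to fill a caller-owned struct instead. 8 | /// \return the formatted timestamp, or an empty string when the conversion fails. 9 | std::string GetTime(){ 10 | char str_time[256]; 11 | time_t rawtime; 12 | struct tm timeinfo; 13 | std::string res; 14 | 15 | time(&rawtime); 16 | // A null result means the conversion failed; the previous code passed that pointer straight to strftime(). 17 | if (gmtime_r(&rawtime, &timeinfo) == nullptr) 18 | return res; 19 | strftime(str_time, sizeof(str_time), "%FT%TZ", &timeinfo); 20 | res = str_time; 21 | 22 | return res; 23 | } 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /cmake/fconnection.cmake: -------------------------------------------------------------------------------- 1 | set(CONNECTION_NAME darwin_connection) 2 | 3 | ################### 4 | # EXECUTABLE # 5 | ################### 6 | 7 | add_executable( 8 | ${CONNECTION_NAME} 9 | ${DARWIN_SOURCES} 10 | samples/fconnection/ConnectionSupervisionTask.cpp samples/fconnection/ConnectionSupervisionTask.hpp 11 | samples/fconnection/Generator.cpp samples/fconnection/Generator.hpp 12 | ) 13 | 14 | target_link_libraries( 15 | ${CONNECTION_NAME} 16 | ${DARWIN_LIBRARIES} 17 | ) 18 | 19 | target_include_directories(${CONNECTION_NAME} 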
PUBLIC samples/fconnection/) -------------------------------------------------------------------------------- /samples/base/Stats.cpp: -------------------------------------------------------------------------------- 1 | /// \file Stats.hpp 2 | /// \authors tbertin 3 | /// \version 1.0 4 | /// \date 25/11/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #include "Stats.hpp" 9 | 10 | namespace darwin { 11 | 12 | namespace stats { 13 | 14 | std::atomic filter_status; 15 | std::atomic_uint_fast64_t clientsNum; 16 | std::atomic_uint_fast64_t received; 17 | std::atomic_uint_fast64_t parseError; 18 | std::atomic_uint_fast64_t matchCount; 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /samples/fbuffer/enums.hpp: -------------------------------------------------------------------------------- 1 | /// \file enums.hpp 2 | /// \authors ggonzalez 3 | /// \version 1.0 4 | /// \date 03/06/20 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | namespace darwin { 11 | typedef enum valueType_e { 12 | STRING = 0, 13 | INT, 14 | FLOAT, 15 | UNKNOWN_VALUE_TYPE 16 | } valueType; 17 | 18 | typedef enum outputType_e { 19 | ANOMALY = 0, 20 | SOFA, 21 | SUM, 22 | UNKNOWN_OUTPUT 23 | } outputType; 24 | } // namespace darwin -------------------------------------------------------------------------------- /toolkit/StringUtils.cpp: -------------------------------------------------------------------------------- 1 | /// \file StringUtils.cpp 2 | /// \authors ggonzalez 3 | /// \version 1.0 4 | /// \date 06/08/20 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2020 Advens. All rights reserved. 
7 | 8 | #include 9 | 10 | #include "StringUtils.hpp" 11 | 12 | std::vector darwin::strings::SplitString(const std::string& source, char delim) { 13 | std::vector res; 14 | 15 | std::istringstream stream(source); 16 | std::string str; 17 | 18 | while (getline(stream, str, delim)) 19 | res.emplace_back(str); 20 | return res; 21 | } 22 | -------------------------------------------------------------------------------- /conf/fyara/rule.yara: -------------------------------------------------------------------------------- 1 | /* 2 | This is a default rule to detect Eicar pattern 3 | go to https://github.com/Yara-Rules/rules to find more rules available 4 | or make your own rules using documentation at https://yara.readthedocs.io/en/v3.10.0/writingrules.html 5 | */ 6 | 7 | rule eicar 8 | { 9 | meta: 10 | description = "Rule to detect Eicar pattern" 11 | author = "Marc Rivero | @seifreed" 12 | hash1 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" 13 | 14 | strings: 15 | $s1 = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" fullword ascii 16 | 17 | condition: 18 | all of them 19 | } -------------------------------------------------------------------------------- /conf/fcontent_inspection/exampleRule.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This is a default rule to detect Eicar pattern 3 | go to https://github.com/Yara-Rules/rules to find more rules available 4 | or make your own rules using documentation at https://yara.readthedocs.io/en/v3.10.0/writingrules.html 5 | */ 6 | 7 | rule eicar 8 | { 9 | meta: 10 | description = "Rule to detect Eicar pattern" 11 | author = "Marc Rivero | @seifreed" 12 | hash1 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" 13 | 14 | strings: 15 | $s1 = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" fullword ascii 16 | 17 | condition: 18 | all of them 19 | } 
-------------------------------------------------------------------------------- /cmake/fsofa.cmake: -------------------------------------------------------------------------------- 1 | set(SOFA_NAME darwin_sofa) 2 | 3 | ################### 4 | # EXECUTABLE # 5 | ################### 6 | 7 | add_executable( 8 | ${SOFA_NAME} 9 | ${DARWIN_SOURCES} 10 | samples/fsofa/Generator.cpp samples/fsofa/Generator.hpp 11 | samples/fsofa/SofaTask.cpp samples/fsofa/SofaTask.hpp 12 | toolkit/PythonUtils.cpp toolkit/PythonUtils.hpp 13 | ) 14 | 15 | target_link_libraries( 16 | ${SOFA_NAME} 17 | ${DARWIN_LIBRARIES} 18 | python3.7m 19 | boost_filesystem 20 | ) 21 | 22 | target_include_directories(${SOFA_NAME} PUBLIC /usr/local/include/python3.7m/) 23 | target_include_directories(${SOFA_NAME} PUBLIC samples/fsofa/) -------------------------------------------------------------------------------- /pkg/stage/home/darwin/conf/fcontent_inspection/exampleRule.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This is a default rule to detect Eicar pattern 3 | go to https://github.com/Yara-Rules/rules to find more rules available 4 | or make your own rules using documentation at https://yara.readthedocs.io/en/v3.10.0/writingrules.html 5 | */ 6 | 7 | rule eicar 8 | { 9 | meta: 10 | description = "Rule to detect Eicar pattern" 11 | author = "Marc Rivero | @seifreed" 12 | hash1 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" 13 | 14 | strings: 15 | $s1 = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" fullword ascii 16 | 17 | condition: 18 | all of them 19 | } -------------------------------------------------------------------------------- /samples/base/ThreadGroup.cpp: -------------------------------------------------------------------------------- 1 | /// \file ThreadGroup.cpp 2 | /// \authors hsoszynski 3 | /// \version 1.0 4 | /// \date 15/10/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2019 
Advens. All rights reserved. 7 | 8 | #include "ThreadGroup.hpp" 9 | 10 | namespace darwin { 11 | 12 | ThreadGroup::~ThreadGroup() { 13 | if (!this->_thread_list.empty()) 14 | this->JoinAll(); 15 | } 16 | 17 | void ThreadGroup::JoinAll() { 18 | while (!this->_thread_list.empty()) { 19 | std::unique_ptr t = std::move(this->_thread_list.front()); 20 | t->join(); 21 | this->_thread_list.pop_front(); 22 | } 23 | } 24 | 25 | } -------------------------------------------------------------------------------- /conf/fbuffer/fbuffer.conf.example: -------------------------------------------------------------------------------- 1 | { 2 | "redis_socket_path": "/var/sockets/redis/redis.sock", 3 | "input_format": [ 4 | {"name": "net_src_ip", "type": "string"}, 5 | {"name": "net_dst_ip", "type": "string"}, 6 | {"name": "net_dst_port", "type": "string"}, 7 | {"name": "ip_proto", "type": "string"} 8 | ], 9 | "outputs": [ 10 | { 11 | "filter_type": "fanomaly", 12 | "filter_socket_path": "/var/sockets/darwin/anomaly.sock", 13 | "interval": 300, 14 | "required_log_lines": 11, 15 | "redis_lists": [{ 16 | "source": "source_1", 17 | "name": "darwin_buffer_anomaly" 18 | }, 19 | { 20 | "source": "source_2", 21 | "name": "darwin_buffer_anomaly_2" 22 | }] 23 | } 24 | ] 25 | } 26 | -------------------------------------------------------------------------------- /tests/tools/sofa_mock.py: -------------------------------------------------------------------------------- 1 | import os 2 | 3 | def main(csv_input, csv_output, json_output): 4 | in_file = open(csv_input, 'r') 5 | out_file = open(csv_output, 'w') 6 | json_file = open(json_output, 'w') 7 | ret = True 8 | write = True 9 | clear_out_file = False 10 | 11 | for line in in_file: 12 | if "trigger_false" in line: 13 | ret = False 14 | if "trigger_no_write" in line: 15 | write = False 16 | if "trigger_no_out_file" in line: 17 | clear_out_file = True 18 | if write: 19 | out_file.write(line) 20 | 21 | in_file.close() 22 | out_file.close() 23 | 
json_file.close() 24 | 25 | if clear_out_file: 26 | os.remove(csv_output) 27 | os.remove(json_output) 28 | 29 | return ret 30 | -------------------------------------------------------------------------------- /samples/fbuffer/BufferThreadManager.cpp: -------------------------------------------------------------------------------- 1 | /// \file BufferThreadManager.cpp 2 | /// \authors ggonzalez 3 | /// \version 1.0 4 | /// \date 28/05/20 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #include "../../toolkit/RedisManager.hpp" 9 | #include "BufferThreadManager.hpp" 10 | #include "BufferThread.hpp" 11 | 12 | BufferThreadManager::BufferThreadManager(int nb_threads) : AThreadManager(nb_threads) {} 13 | 14 | std::shared_ptr BufferThreadManager::Start() { 15 | auto ptr = std::make_shared(_connector); 16 | std::shared_ptr res = std::static_pointer_cast(ptr); 17 | return res; 18 | } 19 | 20 | void BufferThreadManager::SetConnector(std::shared_ptr connector) { 21 | this->_connector = connector; 22 | } -------------------------------------------------------------------------------- /toolkit/StringUtils.hpp: -------------------------------------------------------------------------------- 1 | /// \file StringUtils.hpp 2 | /// \authors ggonzalez 3 | /// \version 1.0 4 | /// \date 06/08/20 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2020 Advens. All rights reserved. 
7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | 13 | namespace darwin { 14 | namespace strings { 15 | ///\brief Small Util to split a string into a vector of string on char delim 16 | /// 17 | ///\param source The string to split 18 | ///\param delim The char on which to split (will NOT be included anywere in the result) 19 | /// 20 | ///\return The newly created vector of strings 21 | std::vector SplitString(const std::string& source, char delim); 22 | } // namespace strings 23 | } // namespace darwin 24 | -------------------------------------------------------------------------------- /tests/filters/test.py: -------------------------------------------------------------------------------- 1 | import filters.fdga as fdga 2 | import filters.fsofa as fsofa 3 | import filters.fanomaly as fanomaly 4 | import filters.ftanomaly as ftanomaly 5 | import filters.fconnection as fconnection 6 | import filters.fhostlookup as fhostlookup 7 | import filters.fyara as fyara 8 | import filters.fbuffer as fbuffer 9 | import filters.fvast as fvast 10 | import filters.fvaml as fvaml 11 | import filters.fsession as fsession 12 | 13 | from tools.output import print_results 14 | 15 | 16 | def run(): 17 | print('Filter Results:') 18 | 19 | ftanomaly.run() 20 | fdga.run() 21 | fconnection.run() 22 | fhostlookup.run() 23 | fsofa.run() 24 | fanomaly.run() 25 | fyara.run() 26 | fbuffer.run() 27 | fvast.run() 28 | fvaml.run() 29 | fsession.run() 30 | 31 | print() 32 | print() 33 | -------------------------------------------------------------------------------- /samples/config.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | namespace darwin{ 7 | namespace config { 8 | 9 | /// Represent the type of output the filter 10 | /// will send to the next filter 11 | /// 12 | /// \enum output_type 13 | enum output_type { 14 | RAW, //!< Send the unparsed body the filter have received 15 | LOG, //!< Send 
result 16 | NONE,//!< Send nothing to the next filter 17 | PARSED, //!< Send the body parsed by the filter 18 | }; 19 | 20 | /// Return the output_type associated with the string given 21 | /// If the string given is not valid, return the output_type NONE 22 | /// 23 | /// \param output the string we want to convert 24 | /// \return the output_type associated 25 | output_type convert_output_string(const std::string &output); 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /samples/config.cpp: -------------------------------------------------------------------------------- 1 | /// \file config.cpp 2 | /// \authors nsanti 3 | /// \version 1.0 4 | /// \date 11/07/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #include "config.hpp" 9 | 10 | namespace darwin { 11 | namespace config{ 12 | 13 | // The map that associate a representative string to an output_type 14 | std::map output_map = {{"RAW", RAW},{"LOG", LOG},{"NONE", NONE},{"PARSED", PARSED}}; 15 | 16 | output_type convert_output_string(const std::string &output){ 17 | 18 | output_type res; 19 | 20 | try { 21 | res = output_map.at(output); 22 | } 23 | catch (const std::out_of_range& e) { 24 | res = output_type::NONE; 25 | } 26 | 27 | return res; 28 | } 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /samples/fbuffer/OutputConfig.cpp: -------------------------------------------------------------------------------- 1 | /// \file Generator.cpp 2 | /// \authors ggonzalez 3 | /// \version 1.0 4 | /// \date 09/07/20 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2020 Advens. All rights reserved. 
7 | 8 | #include "OutputConfig.hpp" 9 | 10 | OutputConfig::OutputConfig(std::string &filter_type, 11 | std::string &filter_socket_path, 12 | unsigned int interval, 13 | std::vector> &redis_lists, 14 | unsigned int required_log_lines) : 15 | _filter_type(filter_type), 16 | _filter_socket_path(filter_socket_path), 17 | _interval(interval), 18 | _redis_lists(redis_lists), 19 | _required_log_lines(required_log_lines) {} -------------------------------------------------------------------------------- /samples/fanomaly/Generator.hpp: -------------------------------------------------------------------------------- 1 | /// \file Generator.hpp 2 | /// \authors nsanti 3 | /// \version 1.0 4 | /// \date 01/07/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | #include "../toolkit/rapidjson/document.h" 15 | #include "Session.hpp" 16 | #include "AGenerator.hpp" 17 | 18 | class Generator: public AGenerator { 19 | public: 20 | Generator() = default; 21 | ~Generator() = default; 22 | 23 | public: 24 | virtual bool LoadConfig(const rapidjson::Document &configuration) override final; 25 | virtual bool ConfigureAlerting(const std::string& tags) override final; 26 | 27 | virtual darwin::session_ptr_t 28 | CreateTask(boost::asio::local::stream_protocol::socket& socket, 29 | darwin::Manager& manager) noexcept override final; 30 | }; -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature-filter-request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature/Filter request 3 | about: Suggest an idea for this project 4 | title: "[IDEA]" 5 | labels: enhancement 6 | assignees: '' 7 | 8 | --- 9 | 10 | **What is your feature about ?** 11 | - Is it related to a problem/frustration ? 12 | - Is it an idea for a new filter ? 
13 | 14 | **If your request is about an existing filter/functionality** 15 | Please give its name/description. Ex: Tanomaly, the manager... 16 | 17 | **If your request is an idea for a new filter** 18 | Please give a name for the new filter (keep it simple and descriptive !). 19 | 20 | **Describe what you'd like** 21 | A clear and concise description of what you want to happen. 22 | 23 | **Additional context** 24 | Add any other context or screenshots about the feature request here. 25 | Don't be shy on the details ! The more you put, the more appealing your request will be, and the more likely we'll treat your idea quickly ! 26 | -------------------------------------------------------------------------------- /cmake/fyara.cmake: -------------------------------------------------------------------------------- 1 | set(YARA_NAME darwin_yara) 2 | 3 | ####################### 4 | # FILTER DEPENDENCIES # 5 | ####################### 6 | 7 | find_package(Yara REQUIRED) 8 | 9 | # Search for static OpenSSL libs, then fall back to dynamic ones 10 | set(OPENSSL_USE_STATIC_LIBS TRUE) 11 | find_package(OpenSSL QUIET) 12 | if(NOT OpenSSL_FOUND) 13 | set(OPENSSL_USE_STATIC_LIBS FALSE) 14 | find_package(OpenSSL) 15 | endif() 16 | 17 | ################### 18 | # EXECUTABLE # 19 | ################### 20 | 21 | add_executable( 22 | ${YARA_NAME} 23 | ${DARWIN_SOURCES} 24 | samples/fyara/Generator.cpp samples/fyara/Generator.hpp 25 | samples/fyara/YaraTask.cpp samples/fyara/YaraTask.hpp 26 | toolkit/Yara.cpp toolkit/Yara.hpp 27 | ) 28 | 29 | target_link_libraries( 30 | ${YARA_NAME} 31 | ${DARWIN_LIBRARIES} 32 | Yara::Yara 33 | OpenSSL::Crypto 34 | ) 35 | 36 | target_include_directories(${YARA_NAME} PUBLIC samples/fyara/) 37 | -------------------------------------------------------------------------------- /cmake/ARMA_FindARPACK.cmake: -------------------------------------------------------------------------------- 1 | # - Try to find ARPACK 2 | # Once done this will define 3 | # 4 | # 
ARPACK_FOUND - system has ARPACK 5 | # ARPACK_LIBRARY - Link this to use ARPACK 6 | 7 | 8 | find_library(ARPACK_LIBRARY 9 | NAMES arpack 10 | PATHS /usr/lib64 /usr/lib /usr/local/lib64 /usr/local/lib 11 | ) 12 | 13 | 14 | if (ARPACK_LIBRARY) 15 | set(ARPACK_FOUND YES) 16 | else () 17 | # Search for PARPACK. 18 | find_library(ARPACK_LIBRARY 19 | NAMES parpack 20 | PATHS /usr/lib64 /usr/lib /usr/local/lib64 /usr/local/lib 21 | ) 22 | 23 | if (ARPACK_LIBRARY) 24 | set(ARPACK_FOUND YES) 25 | else () 26 | set(ARPACK_FOUND NO) 27 | endif () 28 | endif () 29 | 30 | 31 | if (ARPACK_FOUND) 32 | if (NOT ARPACK_FIND_QUIETLY) 33 | message(STATUS "Found an ARPACK library: ${ARPACK_LIBRARY}") 34 | endif () 35 | else () 36 | if (ARPACK_FIND_REQUIRED) 37 | message(FATAL_ERROR "Could not find an ARPACK library") 38 | endif () 39 | endif () 40 | -------------------------------------------------------------------------------- /cmake/FindFaup.cmake: -------------------------------------------------------------------------------- 1 | # Find faup library 2 | # This module defines 3 | # FAUP_LIBRARIES, the libraries needed to use faup 4 | # FAUP_INCLUDE_DIRS, the headers needed to use faup 5 | # FAUP_FOUND, whether faup was found on system 6 | 7 | set(FAUP_NAMES ${FAUP_NAMES} libfaup_static.a faupl) 8 | 9 | # Try with manually given path 10 | find_library( 11 | FAUP_LIBRARY 12 | NAMES ${FAUP_NAMES} 13 | HINTS ${FAUP_ROOT} 14 | PATH_SUFFIXES lib/ usr/local/lib/) 15 | 16 | find_path( 17 | FAUP_INCLUDE_DIR 18 | NAMES faup/faup.h 19 | HINTS ${FAUP_ROOT} 20 | PATH_SUFFIXES include/ usr/local/include/) 21 | 22 | if(FAUP_LIBRARY) 23 | set(FAUP_FOUND "YES") 24 | else() 25 | set(FAUP_FOUND "NO") 26 | endif() 27 | 28 | set(FAUP_LIBRARIES ${FAUP_LIBRARY}) 29 | set(FAUP_INCLUDE_DIRS ${FAUP_INCLUDE_DIR}) 30 | 31 | include (FindPackageHandleStandardArgs) 32 | find_package_handle_standard_args( 33 | Faup 34 | DEFAULT_MSG 35 | FAUP_LIBRARIES FAUP_INCLUDE_DIRS) 36 | 37 | mark_as_advanced(FAUP_LIBRARY) 38 
| mark_as_advanced(FAUP_INCLUDE_DIR) 39 | -------------------------------------------------------------------------------- /samples/fsession/Generator.hpp: -------------------------------------------------------------------------------- 1 | /// \file Generator.hpp 2 | /// \authors jjourdin 3 | /// \version 1.0 4 | /// \date 30/08/18 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | extern "C" { 11 | #include 12 | } 13 | 14 | #include 15 | #include 16 | #include 17 | 18 | #include "Session.hpp" 19 | #include "../../toolkit/RedisManager.hpp" 20 | #include "../toolkit/rapidjson/document.h" 21 | #include "AGenerator.hpp" 22 | 23 | class Generator: public AGenerator { 24 | public: 25 | Generator() = default; 26 | ~Generator() = default; 27 | 28 | public: 29 | virtual darwin::session_ptr_t 30 | CreateTask(boost::asio::local::stream_protocol::socket& socket, 31 | darwin::Manager& manager) noexcept override final; 32 | 33 | private: 34 | virtual bool LoadConfig(const rapidjson::Document &configuration) override final; 35 | virtual bool ConfigureAlerting(const std::string& tags) override final; 36 | }; -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: "[BUG]" 5 | labels: bug 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Describe the bug** 11 | A clear and concise description of what the bug is. 12 | 13 | **Plateform (please complete the following information):** 14 | - OS (version): [e.g. FreeBSD (12.0)] 15 | - Darwin version: [e.g. 1.1] 16 | - Clients version (if applicable): [e.g. darwin-client-python 0.5] 17 | 18 | **To Reproduce** 19 | Steps to reproduce the behavior: 20 | 1. Go to '...' 21 | 2. Click on '....' 22 | 3. Scroll down to '....' 23 | 4. 
See error 24 | 25 | **Expected behavior** 26 | A clear and concise description of what you expected to happen. 27 | 28 | **Screenshots/logs** 29 | If applicable, add screenshots to help explain your problem. 30 | Please try to add extensive and relevant logs. 31 | 32 | **Additional context** 33 | Add any other context about the problem here. (e.g clients you use, data input if applicable...) 34 | Ex: Using Rsyslog's mmdarwin module 35 | -------------------------------------------------------------------------------- /samples/finspection/Generator.hpp: -------------------------------------------------------------------------------- 1 | /// \file Generator.hpp 2 | /// \authors jjourdin 3 | /// \version 1.0 4 | /// \date 07/09/18 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | #include "Session.hpp" 15 | #include "data_pool.hpp" 16 | #include "AGenerator.hpp" 17 | #include "ContentInspectionTask.hpp" 18 | 19 | 20 | class Generator: public AGenerator { 21 | public: 22 | Generator(); 23 | ~Generator(); 24 | 25 | public: 26 | virtual darwin::session_ptr_t 27 | CreateTask(boost::asio::local::stream_protocol::socket& socket, 28 | darwin::Manager& manager) noexcept override final; 29 | 30 | protected: 31 | virtual bool LoadConfig(const rapidjson::Document &configuration) override final; 32 | virtual bool ConfigureAlerting(const std::string& tags) override final; 33 | 34 | private: 35 | Configurations _configurations; 36 | MemManagerParams *_memoryManager; 37 | }; -------------------------------------------------------------------------------- /tests/tools/darwin_utils.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | import os 3 | from time import sleep 4 | from conf import DEFAULT_MANAGER_PATH, DEFAULT_PYTHON_EXEC, TEST_FILES_DIR 5 | 6 | 7 | def darwin_start(darwin_manager_path=DEFAULT_MANAGER_PATH, 
config_path="{}/darwin.conf".format(TEST_FILES_DIR)): 8 | process = subprocess.Popen([ 9 | DEFAULT_PYTHON_EXEC, 10 | darwin_manager_path, 11 | '-l', 12 | 'DEBUG', 13 | '-p', 14 | TEST_FILES_DIR, 15 | '--no-suffix-directories', 16 | config_path 17 | ]) 18 | 19 | sleep(6) 20 | return process 21 | 22 | def darwin_stop(process): 23 | process.terminate() 24 | process.wait() 25 | 26 | def darwin_configure(conf, path="{}/darwin.conf".format(TEST_FILES_DIR)): 27 | with open(path, mode='w') as file: 28 | file.write(conf) 29 | 30 | def darwin_remove_configuration(path="{}/darwin.conf".format(TEST_FILES_DIR)): 31 | os.remove(path) 32 | 33 | def count_file_lines(filepath): 34 | with open(filepath, 'r') as file: 35 | return len(file.readlines()) -------------------------------------------------------------------------------- /samples/fend/Generator.hpp: -------------------------------------------------------------------------------- 1 | /// \file Generator.hpp 2 | /// \authors jjourdin 3 | /// \version 1.0 4 | /// \date 22/05/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 
7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | #include "../toolkit/rapidjson/document.h" 15 | #include "../../toolkit/RedisManager.hpp" 16 | #include "Session.hpp" 17 | 18 | class Generator { 19 | public: 20 | Generator() = default; 21 | ~Generator(); 22 | 23 | public: 24 | bool Configure(std::string const& configFile, const std::size_t cache_size); 25 | 26 | darwin::session_ptr_t 27 | CreateTask(boost::asio::local::stream_protocol::socket& socket, 28 | darwin::Manager& manager) noexcept; 29 | 30 | private: 31 | bool SetUpClassifier(const std::string &configuration_file_path); 32 | bool LoadClassifier(const rapidjson::Document &configuration); 33 | 34 | // The cache for already processed request 35 | std::shared_ptr> _cache; 36 | }; -------------------------------------------------------------------------------- /samples/fdecision/Generator.cpp: -------------------------------------------------------------------------------- 1 | /// \file Generator.cpp 2 | /// \authors hsoszynski 3 | /// \version 1.0 4 | /// \date 18/04/18 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #include 9 | #include "Generator.hpp" 10 | #include "DecisionTask.hpp" 11 | #include "../../toolkit/lru_cache.hpp" 12 | #include "base/Logger.hpp" 13 | 14 | bool Generator::Configure(std::string const& configFile, const std::size_t cache_size) { 15 | DARWIN_LOGGER; 16 | (void) configFile; 17 | 18 | DARWIN_LOG_DEBUG("Generator:: Cache initialization. 
Cache size: " + std::to_string(cache_size)); 19 | if (cache_size > 0) { 20 | _cache = std::make_shared>(cache_size); 21 | } 22 | 23 | return true; 24 | } 25 | 26 | darwin::session_ptr_t Generator::CreateTask( 27 | boost::asio::local::stream_protocol::socket& socket, 28 | darwin::Manager& manager) noexcept { 29 | return std::static_pointer_cast( 30 | std::make_shared(socket, manager, _cache, &data, &data_mutex)); 31 | } -------------------------------------------------------------------------------- /samples/finspection/rand_utils.cpp: -------------------------------------------------------------------------------- 1 | /* rand_utils.c 2 | * 3 | * This file contains functions related to random numbers generation 4 | * 5 | * File begun on 2019-17-5 6 | * 7 | * Created by: 8 | * - Théo Bertin (theo.bertin@advens.fr) 9 | * 10 | * This file is part of rsyslog. 11 | * 12 | * Licensed under the Apache License, Version 2.0 (the "License"); 13 | * you may not use this file except in compliance with the License. 14 | * You may obtain a copy of the License at 15 | * 16 | * http://www.apache.org/licenses/LICENSE-2.0 17 | * -or- 18 | * see COPYING.ASL20 in the source distribution 19 | * 20 | * Unless required by applicable law or agreed to in writing, software 21 | * distributed under the License is distributed on an "AS IS" BASIS, 22 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 23 | * See the License for the specific language governing permissions and 24 | * limitations under the License. 
25 | */ 26 | 27 | #include "rand_utils.hpp" 28 | 29 | long int getRandom() { 30 | struct timeval tv; 31 | gettimeofday(&tv, NULL); 32 | srand(tv.tv_usec ^ tv.tv_sec); 33 | 34 | return rand(); 35 | } -------------------------------------------------------------------------------- /samples/fconnection/Generator.hpp: -------------------------------------------------------------------------------- 1 | /// \file Generator.hpp 2 | /// \authors jjourdin 3 | /// \version 1.0 4 | /// \date 22/05/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | #include "../toolkit/rapidjson/document.h" 15 | #include "../../toolkit/RedisManager.hpp" 16 | #include "Session.hpp" 17 | #include "AGenerator.hpp" 18 | 19 | class Generator: public AGenerator { 20 | public: 21 | Generator() = default; 22 | ~Generator(); 23 | 24 | public: 25 | virtual darwin::session_ptr_t 26 | CreateTask(boost::asio::local::stream_protocol::socket& socket, 27 | darwin::Manager& manager) noexcept override final; 28 | 29 | protected: 30 | virtual bool LoadConfig(const rapidjson::Document &configuration) override final; 31 | virtual bool ConfigureAlerting(const std::string& tags) override final; 32 | 33 | private: 34 | bool ConfigRedis(const std::string &redis_socket_path, 35 | const std::string &init_data_path); 36 | 37 | unsigned int _redis_expire = 0; 38 | }; -------------------------------------------------------------------------------- /samples/base/Manager.hpp: -------------------------------------------------------------------------------- 1 | /// \file Manager.hpp 2 | /// \authors hsoszynski 3 | /// \version 1.0 4 | /// \date 05/07/18 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 
7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | #include "Session.hpp" 13 | 14 | namespace darwin { 15 | class Manager { 16 | public: 17 | Manager() = default; 18 | 19 | ~Manager() = default; 20 | 21 | // Make the manager non copyable & non movable 22 | Manager(Manager const&) = delete; 23 | 24 | Manager(Manager const&&) = delete; 25 | 26 | Manager& operator=(Manager const&) = delete; 27 | 28 | Manager& operator=(Manager const&&) = delete; 29 | 30 | public: 31 | /// Add the specified session to the manager and start it. 32 | void Start(session_ptr_t c); 33 | 34 | /// Stop the specified session. 35 | void Stop(session_ptr_t c); 36 | 37 | /// Stop all sessions. 38 | void StopAll(); 39 | 40 | private: 41 | std::set _sessions; //!< The managed sessions. 42 | std::mutex _mutex; 43 | }; 44 | } -------------------------------------------------------------------------------- /samples/fdecision/Generator.hpp: -------------------------------------------------------------------------------- 1 | /// \file Generator.hpp 2 | /// \authors hsoszynski 3 | /// \version 1.0 4 | /// \date 18/04/18 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | #include 13 | #include "Session.hpp" 14 | #include "protocol.h" 15 | 16 | // The Generator is used to generated configured Task objects. 17 | // You MUST create a class named 'Generator' out of any namespace. 18 | 19 | class Generator { 20 | public: 21 | // The constructor MUST NOT take any parameter. 
22 | Generator() = default; 23 | ~Generator() = default; 24 | 25 | public: 26 | bool Configure(std::string const& configFile, const std::size_t cache_size); 27 | 28 | darwin::session_ptr_t 29 | CreateTask(boost::asio::local::stream_protocol::socket& socket, 30 | darwin::Manager& manager) noexcept; 31 | 32 | private: 33 | std::map data; 34 | std::mutex data_mutex; 35 | // The cache for already processed request 36 | std::shared_ptr> _cache; 37 | }; 38 | -------------------------------------------------------------------------------- /cmake/ARMA_FindOpenBLAS.cmake: -------------------------------------------------------------------------------- 1 | # - Find the OpenBLAS library (no includes) 2 | # This module defines 3 | # OpenBLAS_LIBRARIES, the libraries needed to use OpenBLAS. 4 | # OpenBLAS_FOUND, If false, do not try to use OpenBLAS. 5 | # also defined, but not for general use are 6 | # OpenBLAS_LIBRARY, where to find the OpenBLAS library. 7 | 8 | set(OpenBLAS_NAMES ${OpenBLAS_NAMES} openblas) 9 | find_library(OpenBLAS_LIBRARY 10 | NAMES ${OpenBLAS_NAMES} 11 | PATHS /lib64 /lib /usr/lib64 /usr/lib /usr/local/lib64 /usr/local/lib 12 | ) 13 | 14 | if (OpenBLAS_LIBRARY) 15 | set(OpenBLAS_LIBRARIES ${OpenBLAS_LIBRARY}) 16 | set(OpenBLAS_FOUND "YES") 17 | else () 18 | set(OpenBLAS_FOUND "NO") 19 | endif () 20 | 21 | 22 | if (OpenBLAS_FOUND) 23 | if (NOT OpenBLAS_FIND_QUIETLY) 24 | message(STATUS "Found the OpenBLAS library: ${OpenBLAS_LIBRARIES}") 25 | endif () 26 | else () 27 | if (OpenBLAS_FIND_REQUIRED) 28 | message(FATAL_ERROR "Could not find the OpenBLAS library") 29 | endif () 30 | endif () 31 | 32 | # Deprecated declarations. 
33 | get_filename_component (NATIVE_OpenBLAS_LIB_PATH ${OpenBLAS_LIBRARY} PATH) 34 | 35 | mark_as_advanced( 36 | OpenBLAS_LIBRARY 37 | ) 38 | -------------------------------------------------------------------------------- /samples/ftest/Generator.hpp: -------------------------------------------------------------------------------- 1 | /// \file Generator.hpp 2 | /// \authors Hugo Soszynski 3 | /// \version 1.0 4 | /// \date 11/12/2019 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2019 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | #include "Session.hpp" 15 | #include "AGenerator.hpp" 16 | #include "../toolkit/Files.hpp" 17 | #include "../toolkit/rapidjson/document.h" 18 | #include "../toolkit/RedisManager.hpp" 19 | 20 | class Generator: public AGenerator { 21 | public: 22 | Generator() = default; 23 | ~Generator() = default; 24 | 25 | public: 26 | virtual darwin::session_ptr_t 27 | CreateTask(boost::asio::local::stream_protocol::socket& socket, 28 | darwin::Manager& manager) noexcept override final; 29 | 30 | protected: 31 | virtual bool LoadConfig(const rapidjson::Document &configuration) override final; 32 | virtual bool ConfigureAlerting(const std::string& tags) override final; 33 | 34 | private: 35 | bool ConfigRedis(std::string redis_socket_path); 36 | 37 | std::string _redis_list_name; 38 | std::string _redis_channel_name; 39 | }; 40 | -------------------------------------------------------------------------------- /samples/base/Manager.cpp: -------------------------------------------------------------------------------- 1 | /// \file Manager.cpp 2 | /// \authors hsoszynski 3 | /// \version 1.0 4 | /// \date 05/07/18 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 
7 | 8 | #include "Logger.hpp" 9 | #include "Stats.hpp" 10 | #include "Manager.hpp" 11 | 12 | namespace darwin { 13 | 14 | void Manager::Start(darwin::session_ptr_t c) { 15 | DARWIN_LOGGER; 16 | 17 | DARWIN_LOG_DEBUG("Manager::Start:: Starting new session..."); 18 | { 19 | std::unique_lock lck(this->_mutex); 20 | _sessions.insert(c); 21 | } 22 | STAT_CLIENT_INC; 23 | c->Start(); 24 | } 25 | 26 | void Manager::Stop(darwin::session_ptr_t c) { 27 | { 28 | std::unique_lock lck(this->_mutex); 29 | _sessions.erase(c); 30 | } 31 | STAT_CLIENT_DEC; 32 | c->Stop(); 33 | } 34 | 35 | void Manager::StopAll() { 36 | { 37 | std::unique_lock lck(this->_mutex); 38 | for (auto& c: _sessions) 39 | c->Stop(); 40 | _sessions.clear(); 41 | } 42 | } 43 | 44 | } -------------------------------------------------------------------------------- /samples/freputation/Generator.hpp: -------------------------------------------------------------------------------- 1 | /// \file Generator.hpp 2 | /// \authors gcatto 3 | /// \version 1.0 4 | /// \date 10/12/18 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 
7 | 8 | #pragma once 9 | 10 | extern "C" { 11 | #include 12 | } 13 | 14 | #include 15 | #include 16 | 17 | #include "../toolkit/rapidjson/document.h" 18 | #include "Session.hpp" 19 | 20 | class Generator { 21 | public: 22 | Generator() = default; 23 | ~Generator(); 24 | 25 | public: 26 | // The config file is the database here 27 | bool Configure(std::string const& configFile, const std::size_t cache_size); 28 | bool SetUpClassifier(const std::string &configuration_file_path); 29 | bool LoadClassifier(const rapidjson::Document &configuration); 30 | 31 | darwin::session_ptr_t 32 | CreateTask(boost::asio::local::stream_protocol::socket& socket, 33 | darwin::Manager& manager) noexcept; 34 | 35 | private: 36 | MMDB_s _database; // The GeoIP database 37 | // The cache for already processed request 38 | std::shared_ptr> _cache; 39 | }; -------------------------------------------------------------------------------- /toolkit/Files.hpp: -------------------------------------------------------------------------------- 1 | /// \file Files.hpp 2 | /// \authors tbertin 3 | /// \version 1.0 4 | /// \date 04/09/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2019 Advens. All rights reserved. 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | /// \namespace darwin 14 | namespace darwin { 15 | /// \namespace validator 16 | namespace files_utils { 17 | std::istream& GetLineSafe(std::istream& is, std::string& t); 18 | 19 | /// Extract the file name from the complete file path 20 | /// 21 | /// \param filename A string containing the complete file path 22 | /// \return A string contaning the extracted file name. Empty not found. 23 | std::string GetNameFromPath(const std::string& filename); 24 | 25 | /// Replace the file extension. 26 | /// If no extension found no action performed. 27 | /// 28 | /// \param filename The original filename. This agrument is modified. 
29 | /// \param new_extension The new extension to applys to the filename 30 | void ReplaceExtension(std::string& filename, const std::string& new_extension); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /samples/base/main.cpp: -------------------------------------------------------------------------------- 1 | /// \file main.cpp 2 | /// \authors hsoszynski 3 | /// \version 1.0 4 | /// \date 16/04/18 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #include 9 | #include 10 | #include "Core.hpp" 11 | #include "Logger.hpp" 12 | #include "AlertManager.hpp" 13 | 14 | void rotateLogsHandler(int signum __attribute__((unused))) { 15 | darwin::logger::Logger& log = darwin::logger::Logger::instance(); 16 | log.log(darwin::logger::Info, "Rotating logs..."); 17 | log.RotateLogs(); 18 | 19 | darwin::AlertManager::instance().Rotate(); 20 | } 21 | 22 | int main(int ac, char**av) { 23 | signal(SIGUSR1, rotateLogsHandler); 24 | signal(SIGHUP, rotateLogsHandler); 25 | 26 | DARWIN_LOGGER; 27 | 28 | darwin::Core& core = darwin::Core::instance(); 29 | 30 | if (!core.Configure(ac, av)) 31 | return 1; 32 | DARWIN_LOG_INFO("Configured"); 33 | 34 | if (core.daemon) { 35 | daemon(1, 0); 36 | } 37 | 38 | if (!core.WritePID()) 39 | return 1; 40 | 41 | DARWIN_LOG_INFO("Starting..."); 42 | auto ret = core.run(); 43 | 44 | core.ClearPID(); 45 | 46 | return ret; 47 | } -------------------------------------------------------------------------------- /samples/ftanomaly/Generator.hpp: -------------------------------------------------------------------------------- 1 | /// \file Generator.hpp 2 | /// \authors nsanti 3 | /// \version 1.0 4 | /// \date 01/07/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 
7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | #include "../toolkit/rapidjson/document.h" 15 | #include "../toolkit/FileManager.hpp" 16 | #include "Session.hpp" 17 | #include "TAnomalyThreadManager.hpp" 18 | #include "AGenerator.hpp" 19 | 20 | #define REDIS_INTERNAL_LIST "_anomalyFilter_internal" 21 | 22 | class Generator: public AGenerator { 23 | public: 24 | Generator() = default; 25 | ~Generator() = default; 26 | 27 | public: 28 | virtual darwin::session_ptr_t 29 | CreateTask(boost::asio::local::stream_protocol::socket& socket, 30 | darwin::Manager& manager) noexcept override final; 31 | 32 | private: 33 | virtual bool LoadConfig(const rapidjson::Document &configuration) override final; 34 | virtual bool ConfigureAlerting(const std::string& tags) override final; 35 | 36 | std::string _redis_internal = REDIS_INTERNAL_LIST; 37 | std::shared_ptr _anomaly_thread_manager; 38 | }; -------------------------------------------------------------------------------- /cmake/fanomaly.cmake: -------------------------------------------------------------------------------- 1 | set(ANOMALY_NAME darwin_anomaly) 2 | 3 | ####################### 4 | # FILTER DEPENDENCIES # 5 | ####################### 6 | 7 | find_package(Armadillo 9.400.0 REQUIRED) 8 | 9 | find_package(Mlpack 3.0.1 REQUIRED) 10 | 11 | set(Boost_STATIC_LIBS ON) 12 | # MLPACK Boost dependencies 13 | find_package(Boost 14 | COMPONENTS 15 | program_options 16 | unit_test_framework 17 | serialization 18 | REQUIRED) 19 | 20 | ################### 21 | # EXECUTABLE # 22 | ################### 23 | 24 | add_executable( 25 | ${ANOMALY_NAME} 26 | ${DARWIN_SOURCES} 27 | samples/fanomaly/AnomalyTask.cpp samples/fanomaly/AnomalyTask.hpp 28 | samples/fanomaly/Generator.cpp samples/fanomaly/Generator.hpp 29 | ) 30 | 31 | target_link_libraries( 32 | ${ANOMALY_NAME} 33 | ${DARWIN_LIBRARIES} 34 | ${ARMADILLO_LIBRARIES} 35 | ${MLPACK_LIBRARIES} 36 | Boost::program_options 37 | Boost::unit_test_framework 38 | 
Boost::serialization 39 | ) 40 | 41 | target_include_directories(${ANOMALY_NAME} PUBLIC ${ARMADILLO_INCLUDE_DIRS}) 42 | target_include_directories(${ANOMALY_NAME} PUBLIC ${MLPACK_INCLUDE_DIRS}) 43 | target_include_directories(${ANOMALY_NAME} PUBLIC samples/fanomaly/) 44 | -------------------------------------------------------------------------------- /samples/finspection/rand_utils.hpp: -------------------------------------------------------------------------------- 1 | /* rand_utils.h 2 | * 3 | * This file contains functions related to random numbers generation 4 | * 5 | * File begun on 2019-17-5 6 | * 7 | * Created by: 8 | * - Théo Bertin (theo.bertin@advens.fr) 9 | * 10 | * This file is part of rsyslog. 11 | * 12 | * Licensed under the Apache License, Version 2.0 (the "License"); 13 | * you may not use this file except in compliance with the License. 14 | * You may obtain a copy of the License at 15 | * 16 | * http://www.apache.org/licenses/LICENSE-2.0 17 | * -or- 18 | * see COPYING.ASL20 in the source distribution 19 | * 20 | * Unless required by applicable law or agreed to in writing, software 21 | * distributed under the License is distributed on an "AS IS" BASIS, 22 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 23 | * See the License for the specific language governing permissions and 24 | * limitations under the License. 
25 | */ 26 | #ifdef __cplusplus 27 | extern "C" { 28 | #endif 29 | 30 | #include 31 | #include 32 | #include 33 | 34 | #ifndef RAND_UTILS_H 35 | #define RAND_UTILS_H 36 | 37 | long int getRandom(); 38 | 39 | #ifdef __cplusplus 40 | }; 41 | #endif 42 | 43 | #endif /* RAND_UTILS_H */ 44 | -------------------------------------------------------------------------------- /samples/fyara/Generator.hpp: -------------------------------------------------------------------------------- 1 | /// \file Generator.hpp 2 | /// \authors tbertin 3 | /// \version 1.0 4 | /// \date 10/10/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | #include "Session.hpp" 15 | #include "AGenerator.hpp" 16 | #include "AlertManager.hpp" 17 | #include "../../toolkit/rapidjson/document.h" 18 | #include "Yara.hpp" 19 | 20 | class Generator : public AGenerator { 21 | public: 22 | Generator() = default; 23 | ~Generator() = default; 24 | 25 | public: 26 | darwin::session_ptr_t 27 | CreateTask(boost::asio::local::stream_protocol::socket& socket, 28 | darwin::Manager& manager) noexcept override final; 29 | 30 | private: 31 | virtual bool LoadConfig(const rapidjson::Document &configuration) override final; 32 | virtual bool ConfigureAlerting(const std::string &tags) override final; 33 | 34 | private: 35 | bool _fastmode; 36 | int _timeout; 37 | std::shared_ptr _yaraCompiler = nullptr; 38 | // The cache for already processed request 39 | std::shared_ptr> _cache; 40 | }; -------------------------------------------------------------------------------- /cmake/ARMA_FindACML.cmake: -------------------------------------------------------------------------------- 1 | # - Find AMD's ACML library (no includes) which provides optimised BLAS and LAPACK functions 2 | # This module defines 3 | # ACML_LIBRARIES, the libraries needed to use ACML. 4 | # ACML_FOUND, If false, do not try to use ACML. 
5 | # also defined, but not for general use are 6 | # ACML_LIBRARY, where to find the ACML library. 7 | 8 | set(ACML_NAMES ${ACML_NAMES} acml) 9 | find_library(ACML_LIBRARY 10 | NAMES ${ACML_NAMES} 11 | PATHS /usr/lib64 /usr/lib /usr/*/lib64 /usr/*/lib /usr/*/gfortran64/lib/ /usr/*/gfortran32/lib/ /usr/local/lib64 /usr/local/lib /opt/lib64 /opt/lib /opt/*/lib64 /opt/*/lib /opt/*/gfortran64/lib/ /opt/*/gfortran32/lib/ 12 | ) 13 | 14 | if (ACML_LIBRARY) 15 | set(ACML_LIBRARIES ${ACML_LIBRARY}) 16 | set(ACML_FOUND "YES") 17 | else () 18 | set(ACML_FOUND "NO") 19 | endif () 20 | 21 | 22 | if (ACML_FOUND) 23 | if (NOT ACML_FIND_QUIETLY) 24 | message(STATUS "Found the ACML library: ${ACML_LIBRARIES}") 25 | endif () 26 | else () 27 | if (ACML_FIND_REQUIRED) 28 | message(FATAL_ERROR "Could not find the ACML library") 29 | endif () 30 | endif () 31 | 32 | # Deprecated declarations. 33 | get_filename_component (NATIVE_ACML_LIB_PATH ${ACML_LIBRARY} PATH) 34 | 35 | mark_as_advanced( 36 | ACML_LIBRARY 37 | ) 38 | -------------------------------------------------------------------------------- /cmake/ARMA_FindBLAS.cmake: -------------------------------------------------------------------------------- 1 | # - Find a BLAS library (no includes) 2 | # This module defines 3 | # BLAS_LIBRARIES, the libraries needed to use BLAS. 4 | # BLAS_FOUND, If false, do not try to use BLAS. 5 | # also defined, but not for general use are 6 | # BLAS_LIBRARY, where to find the BLAS library. 7 | 8 | set(BLAS_NAMES ${BLAS_NAMES} blas) 9 | 10 | # Find the ATLAS version preferentially. 
11 | find_library(BLAS_LIBRARY 12 | NAMES ${BLAS_NAMES} 13 | PATHS /usr/lib64/atlas /usr/lib/atlas /usr/local/lib64/atlas /usr/local/lib/atlas 14 | NO_DEFAULT_PATH) 15 | 16 | find_library(BLAS_LIBRARY 17 | NAMES ${BLAS_NAMES} 18 | PATHS /usr/lib64/atlas /usr/lib/atlas /usr/lib64 /usr/lib /usr/local/lib64 /usr/local/lib 19 | ) 20 | 21 | if (BLAS_LIBRARY) 22 | set(BLAS_LIBRARIES ${BLAS_LIBRARY}) 23 | set(BLAS_FOUND "YES") 24 | else () 25 | set(BLAS_FOUND "NO") 26 | endif () 27 | 28 | 29 | if (BLAS_FOUND) 30 | if (NOT BLAS_FIND_QUIETLY) 31 | message(STATUS "Found BLAS: ${BLAS_LIBRARIES}") 32 | endif () 33 | else () 34 | if (BLAS_FIND_REQUIRED) 35 | message(FATAL_ERROR "Could not find BLAS") 36 | endif () 37 | endif () 38 | 39 | # Deprecated declarations. 40 | get_filename_component (NATIVE_BLAS_LIB_PATH ${BLAS_LIBRARY} PATH) 41 | 42 | mark_as_advanced( 43 | BLAS_LIBRARY 44 | ) 45 | -------------------------------------------------------------------------------- /cmake/fbuffer.cmake: -------------------------------------------------------------------------------- 1 | set(BUFFER_NAME darwin_buffer) 2 | 3 | ####################### 4 | # FILTER DEPENDENCIES # 5 | ####################### 6 | 7 | ################### 8 | # EXECUTABLE # 9 | ################### 10 | 11 | add_executable( 12 | ${BUFFER_NAME} 13 | ${DARWIN_SOURCES} 14 | samples/fbuffer/BufferTask.cpp samples/fbuffer/BufferTask.hpp 15 | samples/fbuffer/BufferThreadManager.cpp samples/fbuffer/BufferThreadManager.hpp 16 | samples/fbuffer/BufferThread.cpp samples/fbuffer/BufferThread.hpp 17 | samples/fbuffer/Generator.cpp samples/fbuffer/Generator.hpp 18 | samples/fbuffer/Connectors/AConnector.cpp samples/fbuffer/Connectors/AConnector.hpp 19 | samples/fbuffer/Connectors/fAnomalyConnector.cpp samples/fbuffer/Connectors/fAnomalyConnector.hpp 20 | samples/fbuffer/Connectors/fSofaConnector.cpp samples/fbuffer/Connectors/fSofaConnector.hpp 21 | samples/fbuffer/Connectors/SumConnector.cpp 
samples/fbuffer/Connectors/SumConnector.hpp 22 | samples/fbuffer/OutputConfig.cpp samples/fbuffer/OutputConfig.hpp 23 | toolkit/AThreadManager.cpp toolkit/AThreadManager.hpp 24 | toolkit/AThread.cpp toolkit/AThread.hpp 25 | ) 26 | 27 | target_link_libraries( 28 | ${BUFFER_NAME} 29 | ${DARWIN_LIBRARIES} 30 | ) 31 | 32 | target_include_directories(${BUFFER_NAME} PUBLIC samples/fbuffer/ samples/fbuffer/Connectors/) -------------------------------------------------------------------------------- /cmake/ARMA_FindACMLMP.cmake: -------------------------------------------------------------------------------- 1 | # - Find AMD's ACMLMP library (no includes) which provides optimised and parallelised BLAS and LAPACK functions 2 | # This module defines 3 | # ACMLMP_LIBRARIES, the libraries needed to use ACMLMP. 4 | # ACMLMP_FOUND, If false, do not try to use ACMLMP. 5 | # also defined, but not for general use are 6 | # ACMLMP_LIBRARY, where to find the ACMLMP library. 7 | 8 | set(ACMLMP_NAMES ${ACMLMP_NAMES} acml_mp) 9 | find_library(ACMLMP_LIBRARY 10 | NAMES ${ACMLMP_NAMES} 11 | PATHS /usr/lib64 /usr/lib /usr/*/lib64 /usr/*/lib /usr/*/gfortran64_mp/lib/ /usr/*/gfortran32_mp/lib/ /usr/local/lib64 /usr/local/lib /opt/lib64 /opt/lib /opt/*/lib64 /opt/*/lib /opt/*/gfortran64_mp/lib/ /opt/*/gfortran32_mp/lib/ 12 | ) 13 | 14 | if (ACMLMP_LIBRARY) 15 | set(ACMLMP_LIBRARIES ${ACMLMP_LIBRARY}) 16 | set(ACMLMP_FOUND "YES") 17 | else () 18 | set(ACMLMP_FOUND "NO") 19 | endif () 20 | 21 | 22 | if (ACMLMP_FOUND) 23 | if (NOT ACMLMP_FIND_QUIETLY) 24 | message(STATUS "Found the ACMLMP library: ${ACMLMP_LIBRARIES}") 25 | endif () 26 | else () 27 | if (ACMLMP_FIND_REQUIRED) 28 | message(FATAL_ERROR "Could not find the ACMLMP library") 29 | endif () 30 | endif () 31 | 32 | # Deprecated declarations. 
33 | get_filename_component (NATIVE_ACMLMP_LIB_PATH ${ACMLMP_LIBRARY} PATH) 34 | 35 | mark_as_advanced( 36 | ACMLMP_LIBRARY 37 | ) 38 | -------------------------------------------------------------------------------- /cmake/ARMA_FindLAPACK.cmake: -------------------------------------------------------------------------------- 1 | # - Find a LAPACK library (no includes) 2 | # This module defines 3 | # LAPACK_LIBRARIES, the libraries needed to use LAPACK. 4 | # LAPACK_FOUND, If false, do not try to use LAPACK. 5 | # also defined, but not for general use are 6 | # LAPACK_LIBRARY, where to find the LAPACK library. 7 | 8 | set(LAPACK_NAMES ${LAPACK_NAMES} lapack) 9 | 10 | # Check ATLAS paths preferentially, using this necessary hack (I love CMake). 11 | find_library(LAPACK_LIBRARY 12 | NAMES ${LAPACK_NAMES} 13 | PATHS /usr/lib64/atlas /usr/lib/atlas /usr/local/lib64/atlas /usr/local/lib/atlas 14 | NO_DEFAULT_PATH) 15 | 16 | find_library(LAPACK_LIBRARY 17 | NAMES ${LAPACK_NAMES} 18 | PATHS /usr/lib64 /usr/lib /usr/local/lib64 /usr/local/lib 19 | ) 20 | 21 | if (LAPACK_LIBRARY) 22 | set(LAPACK_LIBRARIES ${LAPACK_LIBRARY}) 23 | set(LAPACK_FOUND "YES") 24 | else () 25 | set(LAPACK_FOUND "NO") 26 | endif () 27 | 28 | 29 | if (LAPACK_FOUND) 30 | if (NOT LAPACK_FIND_QUIETLY) 31 | message(STATUS "Found LAPACK: ${LAPACK_LIBRARIES}") 32 | endif () 33 | else () 34 | if (LAPACK_FIND_REQUIRED) 35 | message(FATAL_ERROR "Could not find LAPACK") 36 | endif () 37 | endif () 38 | 39 | # Deprecated declarations. 40 | get_filename_component (NATIVE_LAPACK_LIB_PATH ${LAPACK_LIBRARY} PATH) 41 | 42 | mark_as_advanced( 43 | LAPACK_LIBRARY 44 | ) 45 | -------------------------------------------------------------------------------- /toolkit/Validators.cpp: -------------------------------------------------------------------------------- 1 | /// \file Validators.cpp 2 | /// \authors gcatto 3 | /// \version 1.0 4 | /// \date 02/05/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2019 Advens. 
All rights reserved. 7 | 8 | #include 9 | 10 | #include "Logger.hpp" 11 | #include "Validators.hpp" 12 | 13 | /// \namespace darwin 14 | namespace darwin { 15 | /// \namespace validator 16 | namespace validator { 17 | bool IsDomainValid(const std::string& domain) { 18 | DARWIN_LOGGER; 19 | 20 | // Regex taken from https://validators.readthedocs.io/en/latest/_modules/validators/domain.html#domain 21 | std::regex domain_regex = std::regex( 22 | R"(^(([a-zA-Z]{1})|([a-zA-Z]{1}[a-zA-Z]{1})|([a-zA-Z]{1}[0-9]{1})|([0-9]{1}[a-zA-Z]{1})|([a-zA-Z0-9][-_.a-zA-Z0-9]{0,61}[a-zA-Z0-9]))\.([a-zA-Z]{2,13}|[a-zA-Z0-9-]{2,30}.[a-zA-Z]{2,3})$)" 23 | ); 24 | 25 | std::smatch match; 26 | 27 | bool is_valid = std::regex_search(domain.begin(), domain.end(), match, domain_regex); 28 | 29 | if (is_valid) { 30 | DARWIN_LOG_DEBUG("The domain '" + domain + "' is valid"); 31 | } else { 32 | DARWIN_LOG_DEBUG("The domain '" + domain + "' is not valid"); 33 | } 34 | 35 | return is_valid; 36 | } 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /samples/base/Stats.hpp: -------------------------------------------------------------------------------- 1 | /// \file Stats.hpp 2 | /// \authors tbertin 3 | /// \version 1.0 4 | /// \date 25/11/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 
7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | 13 | namespace darwin { 14 | 15 | namespace stats { 16 | enum class FilterStatusEnum {starting, configuring, running, stopping}; 17 | 18 | extern std::atomic filter_status; 19 | extern std::atomic_uint_fast64_t clientsNum; 20 | extern std::atomic_uint_fast64_t received; 21 | extern std::atomic_uint_fast64_t parseError; 22 | extern std::atomic_uint_fast64_t matchCount; 23 | } 24 | } 25 | 26 | #define SET_FILTER_STATUS(status) darwin::stats::filter_status.store(status) 27 | #define STAT_CLIENT_INC darwin::stats::clientsNum++ 28 | #define STAT_CLIENT_DEC darwin::stats::clientsNum-- 29 | #define STAT_INPUT_INC darwin::stats::received++ 30 | #define STAT_PARSE_ERROR_INC darwin::stats::parseError++ 31 | #define STAT_MATCH_INC darwin::stats::matchCount++ 32 | 33 | #define STAT_FILTER_STATUS darwin::stats::filter_status 34 | #define STAT_CLIENTS_NUM darwin::stats::clientsNum 35 | #define STAT_INPUTS darwin::stats::received 36 | #define STAT_PARSE_ERRORS darwin::stats::parseError 37 | #define STAT_MATCHES darwin::stats::matchCount 38 | -------------------------------------------------------------------------------- /cmake/ftanomaly.cmake: -------------------------------------------------------------------------------- 1 | set(TANOMALY_NAME darwin_tanomaly) 2 | 3 | ####################### 4 | # FILTER DEPENDENCIES # 5 | ####################### 6 | 7 | find_package(Armadillo 9.400.0 REQUIRED) 8 | 9 | find_package(Mlpack 3.0.1 REQUIRED) 10 | 11 | set(Boost_STATIC_LIBS ON) 12 | # MLPACK Boost dependencies 13 | find_package(Boost 14 | COMPONENTS 15 | program_options 16 | unit_test_framework 17 | serialization 18 | REQUIRED) 19 | 20 | ################### 21 | # EXECUTABLE # 22 | ################### 23 | 24 | add_executable( 25 | ${TANOMALY_NAME} 26 | ${DARWIN_SOURCES} 27 | samples/ftanomaly/TAnomalyTask.cpp samples/ftanomaly/TAnomalyTask.hpp 28 | samples/ftanomaly/TAnomalyThreadManager.cpp 
samples/ftanomaly/TAnomalyThreadManager.hpp 29 | samples/ftanomaly/Generator.cpp samples/ftanomaly/Generator.hpp 30 | toolkit/ThreadManager.cpp toolkit/ThreadManager.hpp 31 | ) 32 | 33 | target_link_libraries( 34 | ${TANOMALY_NAME} 35 | ${DARWIN_LIBRARIES} 36 | ${ARMADILLO_LIBRARIES} 37 | ${MLPACK_LIBRARIES} 38 | Boost::program_options 39 | Boost::unit_test_framework 40 | Boost::serialization) 41 | 42 | target_include_directories(${TANOMALY_NAME} PUBLIC ${ARMADILLO_INCLUDE_DIRS}) 43 | target_include_directories(${TANOMALY_NAME} PUBLIC ${MLPACK_INCLUDE_DIRS}) 44 | target_include_directories(${TANOMALY_NAME} PUBLIC samples/ftanomaly/) 45 | -------------------------------------------------------------------------------- /cmake/fdga.cmake: -------------------------------------------------------------------------------- 1 | set(DGA_NAME darwin_dga) 2 | 3 | ####################### 4 | # FILTER DEPENDENCIES # 5 | ####################### 6 | 7 | # This will deactivate XNNPACK by default as it is uncompatible with FreeBSD 8 | set(TFLITE_ENABLE_XNNPACK OFF CACHE BOOL "Deactivate XNNPACK for the build (incompatible with freebsd)") 9 | 10 | set(TENSORFLOW_SOURCE_DIR "" CACHE PATH 11 | "Directory that contains the TensorFlow project" 12 | ) 13 | if(NOT TENSORFLOW_SOURCE_DIR) 14 | get_filename_component(TENSORFLOW_SOURCE_DIR 15 | "${CMAKE_CURRENT_LIST_DIR}/../tensorflow" 16 | ABSOLUTE 17 | ) 18 | endif() 19 | 20 | add_subdirectory( 21 | "${TENSORFLOW_SOURCE_DIR}/tensorflow/lite" 22 | "${CMAKE_CURRENT_BINARY_DIR}/tensorflow-lite" EXCLUDE_FROM_ALL) 23 | 24 | find_package(Faup REQUIRED) 25 | 26 | ################### 27 | # EXECUTABLE # 28 | ################### 29 | 30 | add_executable( 31 | ${DGA_NAME} 32 | ${DARWIN_SOURCES} 33 | samples/fdga/DGATask.cpp samples/fdga/DGATask.hpp 34 | samples/fdga/Generator.cpp samples/fdga/Generator.hpp 35 | samples/fdga/TfLiteHelper.cpp samples/fdga/TfLiteHelper.hpp 36 | ) 37 | 38 | target_link_libraries( 39 | ${DGA_NAME} 40 | ${DARWIN_LIBRARIES} 
41 | tensorflow-lite 42 | ${FAUP_LIBRARIES} 43 | ) 44 | 45 | target_include_directories(${DGA_NAME} PUBLIC ${FAUP_INCLUDE_DIRS}) 46 | target_include_directories(${DGA_NAME} PUBLIC samples/fdga/) -------------------------------------------------------------------------------- /samples/fuseragent/Generator.hpp: -------------------------------------------------------------------------------- 1 | /// \file Generator.hpp 2 | /// \authors gcatto 3 | /// \version 1.0 4 | /// \date 16/01/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | 13 | #include "../toolkit/rapidjson/document.h" 14 | #include "Session.hpp" 15 | #include "AGenerator.hpp" 16 | #include "tensorflow/core/public/session.h" 17 | 18 | class Generator: public AGenerator { 19 | public: 20 | Generator() = default; 21 | ~Generator(); 22 | 23 | public: 24 | static constexpr int DEFAULT_MAX_TOKENS = 50; 25 | 26 | virtual darwin::session_ptr_t 27 | CreateTask(boost::asio::local::stream_protocol::socket& socket, 28 | darwin::Manager& manager) noexcept override final; 29 | 30 | private: 31 | virtual bool LoadConfig(const rapidjson::Document &configuration) override final; 32 | bool LoadTokenMap(const std::string &token_map_path); 33 | bool LoadModel(const std::string &model_path); 34 | 35 | // The doc is quite hard to find so here is a link to the version currently used on BSD 36 | // (see vulture-libtensorflow) 37 | // https://github.com/tensorflow/tensorflow/blob/r1.13/tensorflow/core/public/session.h 38 | std::shared_ptr _session; 39 | std::map _token_map; 40 | unsigned int _max_tokens = 50; 41 | }; 42 | -------------------------------------------------------------------------------- /cmake/ARMA_FindCBLAS.cmake: -------------------------------------------------------------------------------- 1 | # - Find CBLAS (includes and library) 2 | # This module defines 3 | # CBLAS_INCLUDE_DIR 4 | # CBLAS_LIBRARIES 5 | # 
CBLAS_FOUND 6 | # also defined, but not for general use are 7 | # CBLAS_LIBRARY, where to find the library. 8 | 9 | find_path(CBLAS_INCLUDE_DIR cblas.h 10 | /usr/include/atlas/ 11 | /usr/local/include/atlas/ 12 | /usr/include/ 13 | /usr/local/include/ 14 | ) 15 | 16 | set(CBLAS_NAMES ${CBLAS_NAMES} cblas) 17 | find_library(CBLAS_LIBRARY 18 | NAMES ${CBLAS_NAMES} 19 | PATHS /usr/lib64/atlas-sse3 /usr/lib64/atlas /usr/lib64 /usr/local/lib64/atlas /usr/local/lib64 /usr/lib/atlas-sse3 /usr/lib/atlas-sse2 /usr/lib/atlas-sse /usr/lib/atlas-3dnow /usr/lib/atlas /usr/lib /usr/local/lib/atlas /usr/local/lib 20 | ) 21 | 22 | if (CBLAS_LIBRARY AND CBLAS_INCLUDE_DIR) 23 | set(CBLAS_LIBRARIES ${CBLAS_LIBRARY}) 24 | set(CBLAS_FOUND "YES") 25 | else () 26 | set(CBLAS_FOUND "NO") 27 | endif () 28 | 29 | 30 | if (CBLAS_FOUND) 31 | if (NOT CBLAS_FIND_QUIETLY) 32 | message(STATUS "Found a CBLAS library: ${CBLAS_LIBRARIES}") 33 | endif () 34 | else () 35 | if (CBLAS_FIND_REQUIRED) 36 | message(FATAL_ERROR "Could not find a CBLAS library") 37 | endif () 38 | endif () 39 | 40 | # Deprecated declarations. 
41 | set (NATIVE_CBLAS_INCLUDE_PATH ${CBLAS_INCLUDE_DIR} ) 42 | get_filename_component (NATIVE_CBLAS_LIB_PATH ${CBLAS_LIBRARY} PATH) 43 | 44 | mark_as_advanced( 45 | CBLAS_LIBRARY 46 | CBLAS_INCLUDE_DIR 47 | ) 48 | -------------------------------------------------------------------------------- /pkg/stage/home/darwin/conf/darwin.conf.example: -------------------------------------------------------------------------------- 1 | { 2 | "session_1": { 3 | "exec_path": "/home/darwin/filters/darwin_session", 4 | "config_file": "/home/darwin/conf/fsession/fsession.conf.example", 5 | "nb_thread": 5, 6 | "log_level": "ERROR", 7 | "cache_size": 0, 8 | "output": "", 9 | "next_filter": "" 10 | }, 11 | "content_inspection_1": { 12 | "exec_path": "/home/darwin/filters/darwin_content_inspection", 13 | "config_file": "/home/darwin/conf/fcontent_inspection/fcontent_inspection.conf.example", 14 | "nb_thread": 20, 15 | "log_level": "DEBUG", 16 | "cache_size": 0, 17 | "output": "", 18 | "next_filter": "", 19 | "threshold": 80 20 | }, 21 | "dga_1": { 22 | "exec_path": "/home/darwin/filters/darwin_dga", 23 | "config_file": "/home/darwin/conf/fdga/fdga.conf.example", 24 | "nb_thread": 5, 25 | "log_level": "DEBUG", 26 | "cache_size": 1000, 27 | "output": "", 28 | "next_filter": "", 29 | "threshold": 80 30 | }, 31 | "tanomaly_1": { 32 | "exec_path": "/home/darwin/filters/darwin_tanomaly", 33 | "config_file": "/home/darwin/conf/ftanomaly/ftanomaly.conf.example", 34 | "nb_thread": 5, 35 | "log_level": "DEBUG", 36 | "cache_size": 0, 37 | "output": "NONE", 38 | "next_filter": "", 39 | "threshold": 80 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /samples/fdecision/DecisionTask.hpp: -------------------------------------------------------------------------------- 1 | /// \file DecisionTask.hpp 2 | /// \authors hsoszynski 3 | /// \version 1.0 4 | /// \date 17/04/18 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. 
All rights reserved. 7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | #include "protocol.h" 13 | #include "Session.hpp" 14 | #include "Manager.hpp" 15 | 16 | #include "../../toolkit/lru_cache.hpp" 17 | #include "../../toolkit/xxhash.h" 18 | #include "../../toolkit/xxhash.hpp" 19 | 20 | #define DARWIN_FILTER_DECISION 0x64656373 21 | 22 | class DecisionTask : public darwin::Session { 23 | public: 24 | // data_map[ip] -> flags 25 | typedef std::map request_data_map_t; 26 | 27 | public: 28 | DecisionTask(boost::asio::local::stream_protocol::socket& socket, 29 | darwin::Manager& manager, 30 | std::shared_ptr> cache, 31 | request_data_map_t* data, 32 | std::mutex* mut); 33 | ~DecisionTask() override = default; 34 | 35 | public: 36 | void operator()() override; 37 | 38 | private: 39 | void Decide(const std::string &data); 40 | 41 | void SaveInfo(const std::string &data); 42 | 43 | bool ParseBody() override; 44 | 45 | private: 46 | request_data_map_t* _data; 47 | std::mutex* _data_mutex; 48 | std::string _current_data; 49 | std::vector _data_list; 50 | }; 51 | -------------------------------------------------------------------------------- /manager/HeartBeat.py: -------------------------------------------------------------------------------- 1 | __author__ = "Hugo SOSZYNSKI" 2 | __credits__ = [] 3 | __license__ = "GPLv3" 4 | __version__ = "3.0.0" 5 | __maintainer__ = "Vulture Project" 6 | __email__ = "contact@vultureproject.org" 7 | __doc__ = 'The heartbeat functions and main class' 8 | 9 | from os import kill, access, F_OK 10 | 11 | 12 | class HeartBeat: 13 | """ 14 | This class is in charge of the health check for the filters. 15 | """ 16 | 17 | @staticmethod 18 | def check_socket(file): 19 | try: 20 | if access(file, F_OK): 21 | return True 22 | return False 23 | except Exception: 24 | return False 25 | 26 | @staticmethod 27 | def check_pid_file(file): 28 | """ 29 | Check if the PID fil exist. 30 | 31 | :param file: The file to check. 
32 | :return: The pid contained by the file on success, None otherwise. 33 | """ 34 | try: 35 | with open(file, 'r') as f: 36 | return int(f.read()) 37 | except Exception: 38 | return None 39 | 40 | @staticmethod 41 | def check_process(pid): 42 | """ 43 | Check if the process is currently running. 44 | 45 | :param pid: The pid of the process. 46 | :return: True if the process is running, False otherwise. 47 | """ 48 | try: 49 | kill(pid, 0) 50 | except OSError: 51 | return False 52 | else: 53 | return True 54 | -------------------------------------------------------------------------------- /samples/fpythonexample/Generator.hpp: -------------------------------------------------------------------------------- 1 | /// \file Generator.hpp 2 | /// \authors gcatto 3 | /// \version 1.0 4 | /// \date 23/07/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2019 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | #include 11 | 12 | #include "../../toolkit/PythonUtils.hpp" 13 | #include "../toolkit/rapidjson/document.h" 14 | #include "Session.hpp" 15 | 16 | class Generator { 17 | public: 18 | Generator() = default; 19 | ~Generator(); 20 | 21 | private: 22 | bool LoadConfigurationFile(const rapidjson::Document &configuration); 23 | bool LoadPythonCode(const std::string& python_env_path_str, const std::string& module_str, 24 | const std::string& function_str, const std::string* custom_python_path_str=nullptr); 25 | 26 | public: 27 | // The config file is the database here 28 | bool Configure(std::string const& configFile, const std::size_t cache_size); 29 | 30 | darwin::session_ptr_t 31 | CreateTask(boost::asio::local::stream_protocol::socket& socket, 32 | darwin::Manager& manager) noexcept; 33 | 34 | private: 35 | wchar_t *_program_name = nullptr; // the Python environment path to load 36 | PyObject *_py_module = nullptr; // the Python module to load in the environment 37 | PyObject *_py_function = nullptr; // the Python function to call in the module 38 | 39 | // 
The cache for already processed request 40 | std::shared_ptr> _cache; 41 | }; -------------------------------------------------------------------------------- /samples/fdga/Generator.hpp: -------------------------------------------------------------------------------- 1 | /// \file Generator.hpp 2 | /// \authors gcatto 3 | /// \version 1.0 4 | /// \date 30/01/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | #include "../toolkit/rapidjson/document.h" 15 | #include "Session.hpp" 16 | #include "AGenerator.hpp" 17 | #include "TfLiteHelper.hpp" 18 | #include "tensorflow/lite/model.h" 19 | 20 | class Generator: public AGenerator { 21 | public: 22 | Generator() = default; 23 | ~Generator(); 24 | 25 | public: 26 | static constexpr int DEFAULT_MAX_TOKENS = 75; 27 | 28 | virtual darwin::session_ptr_t 29 | CreateTask(boost::asio::local::stream_protocol::socket& socket, 30 | darwin::Manager& manager) noexcept override final; 31 | 32 | private: 33 | virtual bool LoadConfig(const rapidjson::Document &configuration) override final; 34 | virtual bool ConfigureAlerting(const std::string& tags) override final; 35 | bool LoadFaupOptions(); 36 | bool LoadTokenMap(const std::string &token_map_path); 37 | bool LoadModel(const std::string &model_path); 38 | 39 | std::shared_ptr _model; 40 | std::map _token_map; 41 | unsigned int _max_tokens = 75; 42 | faup_options_t* _faup_options = nullptr; 43 | 44 | // Object that distributes the thread_local interpreters 45 | DarwinTfLiteInterpreterFactory _interpreter_factory; 46 | }; 47 | -------------------------------------------------------------------------------- /samples/fbuffer/OutputConfig.hpp: -------------------------------------------------------------------------------- 1 | /// \file OutputConfig.hpp 2 | /// \authors ggonzalez 3 | /// \version 1.0 4 | /// \date 09/07/20 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 
2020 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | class OutputConfig { 15 | /// This class is used to handle an output config for Filter Buffer. 16 | /// It holds everything needed to create an AConnector 17 | /// 18 | ///\class OutputConfig 19 | 20 | public: 21 | ///\brief Unique constructor 22 | /// 23 | ///\param filter_type To fill _filter_type 24 | ///\param filter_socket_path To fill _filter_socket_path 25 | ///\param interval To fill interval 26 | ///\param redis_lists To fill _redis_lists 27 | ///\param required_log_lines To fill _required_log_lines 28 | OutputConfig(std::string &filter_type, 29 | std::string &filter_socket_path, 30 | unsigned int interval, 31 | std::vector> &redis_lists, 32 | unsigned int required_log_lines); 33 | 34 | ///\brief unique default destructor 35 | ~OutputConfig() = default; 36 | 37 | /// All the following members are sent to the constructor of AConnector 38 | std::string _filter_type; 39 | std::string _filter_socket_path; 40 | unsigned int _interval; 41 | std::vector> _redis_lists; 42 | unsigned int _required_log_lines; 43 | }; -------------------------------------------------------------------------------- /samples/fbuffer/Connectors/fSofaConnector.cpp: -------------------------------------------------------------------------------- 1 | /// \file fSofaConnector.cpp 2 | /// \authors ggonzalez 3 | /// \version 1.0 4 | /// \date 02/06/20 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 
#include "fSofaConnector.hpp"

/// Connector towards the SOFA filter.
///
/// Only forwards the shared arguments to AConnector and fixes the filter
/// identifier to darwin::SOFA. The members and helpers used below
/// (_input_line, _entry, _redis_lists, ParseData(), GetSource(),
/// REDISAddEntry()) are inherited or declared in fSofaConnector.hpp, not shown here.
fSofaConnector::fSofaConnector(boost::asio::io_context &context, std::string &filter_socket_path, unsigned int interval, std::vector> &redis_lists, unsigned int minLogLen) :
    AConnector(context, darwin::SOFA, filter_socket_path, interval, redis_lists, minLogLen) {}

/// Turn one input line into a Redis entry and push it to the matching lists.
///
/// The line is copied into _input_line (presumably what ParseData() reads;
/// its body is not in this file) and _entry is rebuilt from scratch. The five
/// fields below are all mandatory: the first one ParseData() rejects aborts
/// the call, and the partially built entry is not pushed anywhere.
///
/// \param input_line The key/value pairs of the input line.
/// \return true when every required field was parsed, false otherwise.
bool fSofaConnector::ParseInputForRedis(std::map &input_line) {
    this->_input_line = input_line;
    this->_entry.clear();

    std::string source = this->GetSource();

    if (not this->ParseData("ip"))
        return false;
    if (not this->ParseData("hostname"))
        return false;
    if (not this->ParseData("os"))
        return false;
    if (not this->ParseData("proto"))
        return false;
    if (not this->ParseData("port"))
        return false;

    for (const auto &redis_config : this->_redis_lists) {
        // If the source in the input is equal to the source in the redis list, or the redis list's source is ""
        // (std::string::compare() returns 0 on equality, hence the `not`).
        // NOTE(review): an empty list source is a catch-all — entries from
        // every source are pushed to that list; make sure each configured
        // Redis list is meant to receive them.
        if (not redis_config.first.compare(source) or redis_config.first.empty())
            this->REDISAddEntry(this->_entry, redis_config.second);
    }
    return true;
}
-------------------------------------------------------------------------------- /samples/fsofa/Generator.hpp: -------------------------------------------------------------------------------- 1 | /// \file Generator.hpp 2 | /// \authors Hugo Soszynski 3 | /// \version 1.0 4 | /// \date 25/11/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2019 Advens. All rights reserved.
7 | 8 | #pragma once 9 | 10 | #include 11 | 12 | #include "../../toolkit/PythonUtils.hpp" 13 | #include "../toolkit/rapidjson/document.h" 14 | #include "AGenerator.hpp" 15 | #include "Session.hpp" 16 | 17 | class Generator: public AGenerator { 18 | public: 19 | Generator() = default; 20 | ~Generator(); 21 | 22 | private: 23 | bool LoadPythonCode(const std::string& python_env_path_str, const std::string& module_str, 24 | const std::string& function_str, const std::string* custom_python_path_str=nullptr); 25 | 26 | /// Generate a pseudo-random alpha-numeric string of length 32 27 | /// \return A randomly generated string 28 | static std::string RandomString(); 29 | 30 | public: 31 | virtual darwin::session_ptr_t 32 | CreateTask(boost::asio::local::stream_protocol::socket& socket, 33 | darwin::Manager& manager) noexcept override; 34 | 35 | protected: 36 | virtual bool LoadConfig(const rapidjson::Document& configuration) override final; 37 | virtual bool ConfigureAlerting(const std::string& tags) override final; 38 | 39 | private: 40 | wchar_t *_program_name = nullptr; // the Python environment path to load 41 | PyObject *_py_module = nullptr; // the Python module to load in the environment 42 | PyObject *_py_function = nullptr; // the Python function to call in the module 43 | }; -------------------------------------------------------------------------------- /cmake/ARMA_FindCLAPACK.cmake: -------------------------------------------------------------------------------- 1 | # - Find a version of CLAPACK (includes and library) 2 | # This module defines 3 | # CLAPACK_INCLUDE_DIR 4 | # CLAPACK_LIBRARIES 5 | # CLAPACK_FOUND 6 | # also defined, but not for general use are 7 | # CLAPACK_LIBRARY, where to find the library. 
8 | 9 | find_path(CLAPACK_INCLUDE_DIR clapack.h 10 | /usr/include/atlas/ 11 | /usr/local/include/atlas/ 12 | /usr/include/ 13 | /usr/local/include/ 14 | ) 15 | 16 | set(CLAPACK_NAMES ${CLAPACK_NAMES} lapack_atlas) 17 | set(CLAPACK_NAMES ${CLAPACK_NAMES} clapack) 18 | find_library(CLAPACK_LIBRARY 19 | NAMES ${CLAPACK_NAMES} 20 | PATHS /usr/lib64/atlas-sse3 /usr/lib64/atlas /usr/lib64 /usr/local/lib64/atlas /usr/local/lib64 /usr/lib/atlas-sse3 /usr/lib/atlas-sse2 /usr/lib/atlas-sse /usr/lib/atlas-3dnow /usr/lib/atlas /usr/lib /usr/local/lib/atlas /usr/local/lib 21 | ) 22 | 23 | if (CLAPACK_LIBRARY AND CLAPACK_INCLUDE_DIR) 24 | set(CLAPACK_LIBRARIES ${CLAPACK_LIBRARY}) 25 | set(CLAPACK_FOUND "YES") 26 | else () 27 | set(CLAPACK_FOUND "NO") 28 | endif () 29 | 30 | 31 | if (CLAPACK_FOUND) 32 | if (NOT CLAPACK_FIND_QUIETLY) 33 | message(STATUS "Found a CLAPACK library: ${CLAPACK_LIBRARIES}") 34 | endif () 35 | else () 36 | if (CLAPACK_FIND_REQUIRED) 37 | message(FATAL_ERROR "Could not find a CLAPACK library") 38 | endif () 39 | endif () 40 | 41 | # Deprecated declarations. 42 | set (NATIVE_CLAPACK_INCLUDE_PATH ${CLAPACK_INCLUDE_DIR} ) 43 | get_filename_component (NATIVE_CLAPACK_LIB_PATH ${CLAPACK_LIBRARY} PATH) 44 | 45 | mark_as_advanced( 46 | CLAPACK_LIBRARY 47 | CLAPACK_INCLUDE_DIR 48 | ) 49 | -------------------------------------------------------------------------------- /samples/fanomaly/Generator.cpp: -------------------------------------------------------------------------------- 1 | /// \file Generator.cpp 2 | /// \authors nsanti 3 | /// \version 1.0 4 | /// \date 01/07/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 
7 | 8 | #include 9 | #include 10 | 11 | #include "../../toolkit/lru_cache.hpp" 12 | #include "base/Logger.hpp" 13 | #include "Generator.hpp" 14 | #include "AnomalyTask.hpp" 15 | #include "AlertManager.hpp" 16 | 17 | bool Generator::ConfigureAlerting(const std::string& tags) { 18 | DARWIN_LOGGER; 19 | 20 | DARWIN_LOG_DEBUG("Anomaly:: ConfigureAlerting:: Configuring Alerting"); 21 | DARWIN_ALERT_MANAGER_SET_FILTER_NAME(DARWIN_FILTER_NAME); 22 | DARWIN_ALERT_MANAGER_SET_RULE_NAME(DARWIN_ALERT_RULE_NAME); 23 | if (tags.empty()) { 24 | DARWIN_LOG_DEBUG("Anomaly:: ConfigureAlerting:: No alert tags provided in the configuration. Using default."); 25 | DARWIN_ALERT_MANAGER_SET_TAGS(DARWIN_ALERT_TAGS); 26 | } else { 27 | DARWIN_ALERT_MANAGER_SET_TAGS(tags); 28 | } 29 | return true; 30 | } 31 | 32 | bool Generator::LoadConfig(const rapidjson::Document &configuration __attribute__((unused))) { 33 | DARWIN_LOGGER; 34 | DARWIN_LOG_DEBUG("Anomaly:: Generator:: Configured"); 35 | return true; 36 | } 37 | 38 | darwin::session_ptr_t 39 | Generator::CreateTask(boost::asio::local::stream_protocol::socket& socket, 40 | darwin::Manager& manager) noexcept { 41 | return std::static_pointer_cast( 42 | std::make_shared(socket, manager, _cache, _cache_mutex)); 43 | } -------------------------------------------------------------------------------- /toolkit/rapidjson/internal/swap.h: -------------------------------------------------------------------------------- 1 | // Tencent is pleased to support the open source community by making RapidJSON available. 2 | // 3 | // Copyright (C) 2015 THL A29 Limited, a Tencent company, and Milo Yip. All rights reserved. 4 | // 5 | // Licensed under the MIT License (the "License"); you may not use this file except 6 | // in compliance with the License. 
You may obtain a copy of the License at 7 | // 8 | // http://opensource.org/licenses/MIT 9 | // 10 | // Unless required by applicable law or agreed to in writing, software distributed 11 | // under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 12 | // CONDITIONS OF ANY KIND, either express or implied. See the License for the 13 | // specific language governing permissions and limitations under the License. 14 | 15 | #ifndef RAPIDJSON_INTERNAL_SWAP_H_ 16 | #define RAPIDJSON_INTERNAL_SWAP_H_ 17 | 18 | #include "../rapidjson.h" 19 | 20 | #if defined(__clang__) 21 | RAPIDJSON_DIAG_PUSH 22 | RAPIDJSON_DIAG_OFF(c++98-compat) 23 | #endif 24 | 25 | RAPIDJSON_NAMESPACE_BEGIN 26 | namespace internal { 27 | 28 | //! Custom swap() to avoid dependency on C++ header 29 | /*! \tparam T Type of the arguments to swap, should be instantiated with primitive C++ types only. 30 | \note This has the same semantics as std::swap(). 31 | */ 32 | template 33 | inline void Swap(T& a, T& b) RAPIDJSON_NOEXCEPT { 34 | T tmp = a; 35 | a = b; 36 | b = tmp; 37 | } 38 | 39 | } // namespace internal 40 | RAPIDJSON_NAMESPACE_END 41 | 42 | #if defined(__clang__) 43 | RAPIDJSON_DIAG_POP 44 | #endif 45 | 46 | #endif // RAPIDJSON_INTERNAL_SWAP_H_ 47 | -------------------------------------------------------------------------------- /samples/base/ThreadGroup.hpp: -------------------------------------------------------------------------------- 1 | /// \file ThreadGroup.hpp 2 | /// \authors hsoszynski 3 | /// \version 1.0 4 | /// \date 15/10/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2019 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | /// \namespace darwin 15 | namespace darwin { 16 | 17 | /// Class used to manage a group of std::thread. 18 | /// 19 | /// \class ThreadGroup 20 | class ThreadGroup { 21 | protected: 22 | std::forward_list> _thread_list; 23 | 24 | public: 25 | 26 | /// Default constructor. 
27 | ThreadGroup() = default; 28 | 29 | /// Destructor. 30 | /// If the threads were not joined, join all and free ressources. 31 | virtual ~ThreadGroup(); 32 | 33 | // You cannot copy a ThreadGroup 34 | ThreadGroup(const ThreadGroup&) = delete; 35 | ThreadGroup(const ThreadGroup&&) = delete; 36 | ThreadGroup& operator=(const ThreadGroup&) = delete; 37 | ThreadGroup& operator=(const ThreadGroup&&) = delete; 38 | 39 | /// Create a thread and place it inside the group. 40 | /// 41 | /// \param args Arguments to pass to the thread constructor. (See std::thread constructor documentation) 42 | template 43 | void CreateThread(Args&&... args) { 44 | _thread_list.emplace_front(std::make_unique(args...)); 45 | } 46 | 47 | /// Join all the thread currently in the group. 48 | /// Then remove them from the group. 49 | void JoinAll(); 50 | }; 51 | } -------------------------------------------------------------------------------- /tests/tools/utils.py: -------------------------------------------------------------------------------- 1 | import operator as op 2 | 3 | class ApproxDict(object): 4 | def __init__(self, iterable=(), float_eq=op.eq): 5 | self._float_eq = float_eq 6 | self._dict = dict(iterable) 7 | 8 | def __getitem__(self, key): 9 | return self._dict[key] 10 | 11 | def __setitem__(self, key, val): 12 | self._dict[key] = val 13 | 14 | def __iter__(self): 15 | return iter(self._dict) 16 | 17 | def __len__(self): 18 | return len(self._dict) 19 | 20 | def __contains__(self, key): 21 | return key in self._dict 22 | 23 | def __str__(self): 24 | return self._dict.__str__() 25 | 26 | def __repr__(self): 27 | return self._dict.__repr__() 28 | 29 | def __eq__(self, other): 30 | def compare(a, b): 31 | if isinstance(a, float) and isinstance(b, float): 32 | return self._float_eq(a, b) 33 | else: 34 | return a == b 35 | try: 36 | if len(self) != len(other): 37 | return False 38 | for key in self: 39 | if not compare(self[key], other[key]): 40 | return False 41 | return True 42 | 
except Exception: 43 | return False 44 | 45 | def __getattr__(self, attr): 46 | attr_val = getattr(self._dict, attr) 47 | if callable(attr_val): 48 | def wrapper(*args, **kwargs): 49 | result = attr_val(*args, **kwargs) 50 | if isinstance(result, dict): 51 | return ApproxDict(result, self._float_eq) 52 | return result 53 | return wrapper 54 | return attr_val -------------------------------------------------------------------------------- /samples/fbuffer/BufferThreadManager.hpp: -------------------------------------------------------------------------------- 1 | /// \file ThreadManager.hpp 2 | /// \authors ggonzalez 3 | /// \version 1.0 4 | /// \date 28/05/20 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | 13 | #include "Connectors.hpp" 14 | #include "AThreadManager.hpp" 15 | #include "AThread.hpp" 16 | 17 | class BufferThreadManager : public AThreadManager { 18 | /// This class is inheritating from AThreadManager which contains everything needed 19 | /// to create, run and handle several threads. 20 | /// This class is adding everything specific to BufferThreads. 21 | /// This class is overriding Start to create BufferThreads. 22 | /// 23 | ///\class BufferThreadManager 24 | 25 | public: 26 | ///\brief Unique constructor. Does not create the BufferThreads 27 | /// 28 | ///\param nb_thread The number of threads the Manager can handle. 29 | BufferThreadManager(int nb_thread); 30 | 31 | ///\brief default destructor (Parent class destructor stops the threads) 32 | virtual ~BufferThreadManager() = default; 33 | 34 | public: 35 | ///\brief Starts a BufferThread 36 | /// 37 | ///\return a shared_ptr on the newly created BufferThread 38 | virtual std::shared_ptr Start() override final; 39 | 40 | ///\brief Sets _connector field. 
41 | /// 42 | ///\param connector The connector to set in the field 43 | void SetConnector(std::shared_ptr connector); 44 | 45 | private: 46 | /// The connector used to create a new Thread (as Start does not takes any parameter) 47 | std::shared_ptr _connector; 48 | }; -------------------------------------------------------------------------------- /cmake/ARMA_FindMKL.cmake: -------------------------------------------------------------------------------- 1 | # - Find the MKL libraries (no includes) 2 | # This module defines 3 | # MKL_LIBRARIES, the libraries needed to use Intel's implementation of BLAS & LAPACK. 4 | # MKL_FOUND, If false, do not try to use MKL. 5 | 6 | set(MKL_NAMES ${MKL_NAMES} mkl_lapack) 7 | set(MKL_NAMES ${MKL_NAMES} mkl_intel_thread) 8 | set(MKL_NAMES ${MKL_NAMES} mkl_core) 9 | set(MKL_NAMES ${MKL_NAMES} guide) 10 | set(MKL_NAMES ${MKL_NAMES} mkl) 11 | set(MKL_NAMES ${MKL_NAMES} iomp5) 12 | #set(MKL_NAMES ${MKL_NAMES} pthread) 13 | 14 | if(CMAKE_SIZEOF_VOID_P EQUAL 8) 15 | set(MKL_NAMES ${MKL_NAMES} mkl_intel_lp64) 16 | else() 17 | set(MKL_NAMES ${MKL_NAMES} mkl_intel) 18 | endif() 19 | 20 | foreach (MKL_NAME ${MKL_NAMES}) 21 | find_library(${MKL_NAME}_LIBRARY 22 | NAMES ${MKL_NAME} 23 | PATHS /usr/lib64 /usr/lib /usr/local/lib64 /usr/local/lib /opt/intel/lib/intel64 /opt/intel/lib/ia32 /opt/intel/mkl/lib/lib64 /opt/intel/mkl/lib/intel64 /opt/intel/mkl/lib/ia32 /opt/intel/mkl/lib /opt/intel/*/mkl/lib/intel64 /opt/intel/*/mkl/lib/ia32/ /opt/mkl/*/lib/em64t /opt/mkl/*/lib/32 /opt/intel/mkl/*/lib/em64t /opt/intel/mkl/*/lib/32 24 | ) 25 | 26 | set(TMP_LIBRARY ${${MKL_NAME}_LIBRARY}) 27 | 28 | if(TMP_LIBRARY) 29 | set(MKL_LIBRARIES ${MKL_LIBRARIES} ${TMP_LIBRARY}) 30 | endif() 31 | endforeach() 32 | 33 | if (MKL_LIBRARIES) 34 | set(MKL_FOUND "YES") 35 | else () 36 | set(MKL_FOUND "NO") 37 | endif () 38 | 39 | if (MKL_FOUND) 40 | if (NOT MKL_FIND_QUIETLY) 41 | message(STATUS "Found MKL libraries: ${MKL_LIBRARIES}") 42 | endif () 43 | else () 44 | if 
(MKL_FIND_REQUIRED) 45 | message(FATAL_ERROR "Could not find MKL libraries") 46 | endif () 47 | endif () 48 | 49 | # mark_as_advanced(MKL_LIBRARY) 50 | -------------------------------------------------------------------------------- /toolkit/AThread.cpp: -------------------------------------------------------------------------------- 1 | /// \file AThread.cpp 2 | /// \authors ggonzalez 3 | /// \version 1.0 4 | /// \date 17/06/20 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | 9 |
#include
#include "AThread.hpp"
#include "Logger.hpp"

/// \param interval Seconds to wait between two runs of Main() (see ThreadMain()).
/// The std::thread stays default-constructed (not running) until InitiateThread().
AThread::AThread(int interval) :
    _interval(interval),
    _thread(),
    _is_stop(false) {}

/// Body of the worker thread: run Main() until it fails or Stop() is called,
/// sleeping up to _interval seconds between two runs.
///
/// NOTE(review): the mutex is local to this thread and is never taken by
/// Stop(), so the condition variable does not protect the _is_stop check.
/// If Stop() sets _is_stop and calls notify_all() between the `while` test
/// and wait_for(), that notification is lost and the thread sleeps the full
/// _interval before it notices. wait_for() is also called without a
/// predicate, so a spurious wake-up runs Main() early. Sharing one mutex
/// with Stop() (held around the _is_stop write) and waiting with a predicate,
/// `this->_cv.wait_for(lck, std::chrono::seconds(_interval), [this] { return _is_stop; });`,
/// would close both. Whether _is_stop is atomic is decided in AThread.hpp
/// (not shown); if it is a plain bool, the read here and the write in Stop()
/// are a data race as well.
void AThread::ThreadMain() {
    DARWIN_LOGGER;
    DARWIN_LOG_DEBUG("AThread::ThreadMain:: Begin");
    std::mutex mtx;
    std::unique_lock lck(mtx);

    while (!(this->_is_stop)) {
        if (!this->Main()) {
            // A failing Main() ends the thread; Stop() will still join it.
            DARWIN_LOG_DEBUG("AThread::ThreadMain:: Error in main function, stopping the thread");
            _is_stop = true;
            break;
        }
        // Wait for notification or until timeout
        this->_cv.wait_for(lck, std::chrono::seconds(_interval));
    }
}

/// Start the worker thread running ThreadMain().
///
/// NOTE(review): no guard against a second call — assigning to a joinable
/// std::thread calls std::terminate().
void AThread::InitiateThread() {
    this->_thread = std::thread(&AThread::ThreadMain, this);
}

/// Ask the worker thread to stop and join it.
///
/// \return true once the thread is joined (a non-joinable thread — never
///         started or already joined — is skipped and also yields true),
///         false if join() threw a std::system_error.
bool AThread::Stop() {
    DARWIN_LOGGER;
    DARWIN_LOG_DEBUG("AThread::Stop:: Stopping thread...");

    this->_is_stop = true;
    //Notify the thread
    this->_cv.notify_all();
    try {
        if (_thread.joinable()) {
            _thread.join();
        }
    } catch (const std::system_error &e) {
        DARWIN_LOG_WARNING("AThread::Stop:: Error when trying to stop the thread: " + e.code().message());
        return false;
    }
    DARWIN_LOG_DEBUG("AThread::Stop:: Thread stopped");
    return true;
}
-------------------------------------------------------------------------------- /toolkit/AThreadManager.cpp:
-------------------------------------------------------------------------------- 1 | /// \file AThreadManager.cpp 2 | /// \authors ggonzalez 3 | /// \version 1.0 4 | /// \date 17/06/20 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 |
#include "AThreadManager.hpp"
#include "Logger.hpp"

/// \param nb_threads Upper bound on the number of threads ThreadStart() may create.
AThreadManager::AThreadManager(int nb_threads) :
    _nb_threads(nb_threads) {}

/// Create one more thread through the derived class' Start() and launch it.
///
/// \return true when a thread was created and started, false when the
///         _nb_threads limit is reached or thread creation threw.
///
/// NOTE(review): _nb_threads is initialised from an int. If it is stored as
/// int (its declaration is in AThreadManager.hpp, not shown), the comparison
/// with size() below is signed/unsigned: a negative limit converts to a huge
/// size_t and is never reached. Rejecting a negative nb_threads in the
/// constructor, or storing it as an unsigned type, avoids that.
/// NOTE(review): Stop() does not remove stopped threads from _threads, so
/// after a Stop() they still count towards the limit here.
bool AThreadManager::ThreadStart() {
    DARWIN_LOGGER;
    DARWIN_LOG_DEBUG("AThreadManager:: Starting threads");

    if (this->_threads.size() >= this->_nb_threads) {
        DARWIN_LOG_WARNING("AThreadManager:: Could not start a new thread, maximum number reached.");
        return false;
    }
    try {
        // A null pointer from Start() would be dereferenced here; the
        // derived Start() is expected never to return one — confirm.
        std::shared_ptr th = this->Start();
        th->InitiateThread();
        this->_threads.push_back(th);
    } catch (const std::system_error &e) {
        DARWIN_LOG_WARNING("AThreadManager:: Error when starting the thread: " + e.code().message());
        return false;
    }
    // Only one thread is started per call; the message reads broader than that.
    DARWIN_LOG_DEBUG("AThreadManager:: All threads started");
    return true;
}

/// Ask every thread in the group to stop.
///
/// \return false if at least one AThread::Stop() returned false, true
///         otherwise. Every thread is asked regardless; the loop does not
///         abort on the first failure.
bool AThreadManager::Stop() {
    bool ret = true;
    for (auto &thread : this->_threads) {
        if (!thread->Stop())
            ret = false;
    }
    return ret;
}

/// Stop all threads; the outcome can only be logged from a destructor.
AThreadManager::~AThreadManager() {
    DARWIN_LOGGER;
    DARWIN_LOG_DEBUG("AThreadManager::~AThreadManager:: Preparing to shut down all the threads");
    if (not this->Stop()) {
        DARWIN_LOG_ERROR("AThreadManager::~AThreadManager:: At least one thread didn't stop correctly");
    } else {
        DARWIN_LOG_DEBUG("AThreadManager::~AThreadManager:: All threads stopped correctly");
    }
}
-------------------------------------------------------------------------------- /samples/fend/EndTask.hpp: -------------------------------------------------------------------------------- 1 | /// \file EndTask.hpp 2 | /// \authors jjourdin 3 | /// \version 1.0 4 | /// \date 22/05/19 5 | ///
\license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 |
#pragma once

#include
#include "protocol.h"
#include "Session.hpp"

#include "../../toolkit/RedisManager.hpp"
#include "../../toolkit/lru_cache.hpp"

// Filter code of this task, the ASCII bytes "ENDS" (0x45 0x4E 0x44 0x53);
// presumably what GetFilterCode() returns (its body is in EndTask.cpp, not shown).
#define DARWIN_FILTER_END 0x454E4453

// To create a usable task method you MUST inherit from darwin::thread::Task publicly.
// The code below shows all that is necessary to have a working task.
// For more information about Tasks, please refer to the class definition.
// NOTE(review): EndTask actually derives from darwin::Session, so the first
// line above looks stale.

/// Task of the fend filter. Judging by its members it drives the next step of
/// a Darwin workflow (Workflow()) and records an event id with a result count
/// in Redis (REDISAdd()); the bodies live in EndTask.cpp, not shown here.
class EndTask: public darwin::Session {
public:
    /// \param socket  Unix-domain stream socket the task talks to.
    /// \param manager Owning darwin::Manager.
    /// \param cache   Shared cache, presumably an lru_cache (the header is
    ///                included; the template arguments are lost in this listing).
    explicit EndTask(boost::asio::local::stream_protocol::socket& socket,
                     darwin::Manager& manager,
                     std::shared_ptr> cache);

    ~EndTask() override = default;

public:
    // You need to override the functor to compile and be executed by the thread
    void operator()() override;

protected:
    /// Return filter code
    long GetFilterCode() noexcept override;

private:
    /// According to the header response,
    /// init the following Darwin workflow
    void Workflow();

    /// Parse the line received. Useless for this filter.
    /// NOTE(review): a non-void function that falls off its end is undefined
    /// behaviour — the caller reads an indeterminate value and the compiler
    /// may even treat the call as unreachable. Return explicitly, e.g.
    /// `bool ParseLine(rapidjson::Value& line) final { return false; }`
    /// (or true, whichever the Session contract expects for "nothing to parse").
    bool ParseLine(rapidjson::Value& line) final {}

    /// Add to REDIS the evt id and the certitude list size received by the filter
    ///
    /// \return true on success, false otherwise.
    bool REDISAdd(const std::string& evt_id, const std::string& nb_result) noexcept;
};
-------------------------------------------------------------------------------- /toolkit/ThreadManager.hpp: -------------------------------------------------------------------------------- 1 | /// \file ThreadManager.hpp 2 | /// \authors nsanti 3 | /// \version 1.0 4 | /// \date 09/07/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved.
7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | /// \namespace darwin 15 | namespace darwin { 16 | /// \namespace toolkit 17 | namespace toolkit { 18 | 19 | class ThreadManager { 20 | public: 21 | ThreadManager(); 22 | 23 | virtual ~ThreadManager(); 24 | 25 | public: 26 | /// Start the thread 27 | /// 28 | /// \return true in success, else false 29 | /// \param interval the number of seconds between 2 wake-ups (in seconds), defaults to 300 30 | bool Start(unsigned int interval = 300); 31 | 32 | /// Stop the thread 33 | /// 34 | /// \return true in success, else false 35 | bool Stop(); 36 | 37 | protected: 38 | /// The loop in which the thread main will be executed every _interval seconds 39 | void ThreadMain(); 40 | 41 | /// The function executed in the thread main 42 | /// 43 | /// \return true in success, else false 44 | virtual bool Main() = 0; 45 | 46 | private: 47 | std::thread _thread; 48 | std::atomic _is_stop{true}; // To know if the thread is stopped or not 49 | std::condition_variable cv; 50 | std::mutex _thread_mutex; // The mutex used to manage multiple acces to the _thread member 51 | 52 | protected: 53 | unsigned int _interval; // Interval in which the thread main function will be executed (in seconds) 54 | 55 | }; 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /cmake/finspection.cmake: -------------------------------------------------------------------------------- 1 | set(INSPECTION_NAME darwin_content_inspection) 2 | 3 | ####################### 4 | # FILTER DEPENDENCIES # 5 | ####################### 6 | 7 | link_directories( 8 | ${LIBYARA_LIBRARY_DIRS} 9 | ) 10 | 11 | find_package(Yara REQUIRED) 12 | 13 | # Search for static OpenSSL libs, then fall back to dynamic ones 14 | set(OPENSSL_USE_STATIC_LIBS TRUE) 15 | find_package(OpenSSL QUIET) 16 | if(NOT OpenSSL_FOUND) 17 | set(OPENSSL_USE_STATIC_LIBS FALSE) 18 | find_package(OpenSSL) 19 | endif() 20 | 21 | 
################### 22 | # EXECUTABLE # 23 | ################### 24 | 25 | add_executable( 26 | ${INSPECTION_NAME} 27 | ${DARWIN_SOURCES} 28 | samples/finspection/ContentInspectionTask.cpp samples/finspection/ContentInspectionTask.hpp 29 | samples/finspection/Generator.cpp samples/finspection/Generator.hpp 30 | samples/finspection/data_pool.cpp samples/finspection/data_pool.hpp 31 | samples/finspection/file_utils.cpp samples/finspection/file_utils.hpp 32 | samples/finspection/hash_utils.cpp samples/finspection/hash_utils.hpp 33 | samples/finspection/rand_utils.cpp samples/finspection/rand_utils.hpp 34 | samples/finspection/flow.cpp samples/finspection/flow.hpp 35 | samples/finspection/packets.cpp samples/finspection/packet-utils.hpp 36 | samples/finspection/extract_impcap.cpp samples/finspection/extract_impcap.hpp 37 | samples/finspection/stream_buffer.cpp samples/finspection/stream_buffer.hpp 38 | samples/finspection/tcp_sessions.cpp samples/finspection/tcp_sessions.hpp 39 | samples/finspection/yara_utils.cpp samples/finspection/yara_utils.hpp 40 | samples/finspection/packet-utils.hpp 41 | ) 42 | 43 | target_link_libraries( 44 | ${INSPECTION_NAME} 45 | ${DARWIN_LIBRARIES} 46 | Yara::Yara 47 | OpenSSL::Crypto 48 | ) 49 | 50 | target_include_directories(${INSPECTION_NAME} PUBLIC samples/finspection/) -------------------------------------------------------------------------------- /pkg/stage/usr/local/etc/rc.d/darwin: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # PROVIDE: darwin 3 | # KEYWORD: shutdown 4 | # This file is part of Vulture 3. 5 | # 6 | # Vulture 3 is free software: you can redistribute it and/or modify 7 | # it under the terms of the GNU General Public License as published by 8 | # the Free Software Foundation, either version 3 of the License, or 9 | # (at your option) any later version. 
10 | 11 | # Vulture 3 is distributed in the hope that it will be useful, 12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | # GNU General Public License for more details. 15 | 16 | # You should have received a copy of the GNU General Public License 17 | # along with Vulture 3. If not, see http://www.gnu.org/licenses/. 18 | 19 | ########################## WARNING ############################### 20 | # Don't edit this file, it is automatically generated by Vulture # 21 | ########################## WARNING ############################### 22 |
. /etc/rc.subr

name="darwin"
rcvar="${name}_enable"

load_rc_config "$name"
# Defaults; each can be overridden from rc.conf(5) through the darwin_* variables.
: ${darwin_log_level="WARNING"}
: ${darwin_enable="YES"}
: ${darwin_user="darwin"}
: ${darwin_group="vlt-conf"}
: ${darwin_config="/home/darwin/conf/$name.conf"}

# The manager is a Python script supervised by daemon(8): per daemon(8), -f
# detaches stdio and -p writes the child's pid to ${pidfile}. procname names
# the interpreter, presumably so rc.subr tracks the Python process rather
# than daemon(8) itself.
procname="/home/vlt-os/env/bin/python"
command="/usr/sbin/daemon"
pidfile="/var/run/darwin/manager.pid"
command_args="-f -p ${pidfile} ${procname} /home/darwin/manager/manager.py ${darwin_config} -l ${darwin_log_level}"
required_files="${darwin_config}"

start_postcmd="def_set_unix_perms"


# Runs after "start": hand the filter sockets to ${darwin_user}:${darwin_group}
# and let the group connect (connecting to a unix socket needs write
# permission on its node; 775 grants that to owner and group only).
# NOTE(review): the fixed 2 s sleep is a race — sockets created later than
# that keep whatever mode the creating process gave them — and any error is
# silenced by 2> /dev/null, so treat this as best effort, not enforcement.
def_set_unix_perms() {
    /bin/sleep 2
    /usr/sbin/chown $darwin_user:$darwin_group /var/sockets/darwin/*.sock 2> /dev/null
    /bin/chmod -h 775 /var/sockets/darwin/*.sock 2> /dev/null
}

# No reload_cmd is defined here, so the rc.subr(8) default applies (a SIGHUP to
# the tracked process) — confirm that the manager handles SIGHUP as a reload.
extra_commands="reload"

run_rc_command "$1"
-------------------------------------------------------------------------------- /samples/fbuffer/BufferThread.hpp: -------------------------------------------------------------------------------- 1 | /// \file BufferThread.hpp 2 | /// \authors ggonzalez 3 | /// \version 1.0 4 | /// \date 17/06/20 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved.
7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | 13 | #include "Connectors.hpp" 14 | #include "AThread.hpp" 15 | 16 | class BufferThread : public AThread { 17 | /// This class is inheriting from AThread (AThread.hpp) 18 | /// Its purpose is to add to everything needed to handle a thread (implemented by AThread) 19 | /// what is specific to Buffer Filter threads. 20 | /// 21 | ///\class BufferThread 22 | 23 | public: 24 | ///\brief Unique constructor, needs an AConnector to setup BufferThread fields and to send interval to AThread 25 | /// 26 | ///\param output The connector needed to perform output Filter related actions. 27 | BufferThread(std::shared_ptr output); 28 | 29 | ///\brief virtual default destructor 30 | virtual ~BufferThread() override = default; 31 | 32 | private: 33 | ///\brief Entry point (called by AThread's ThreadMain function) every _interval seconds. 34 | /// Must override AThread's Main function. 35 | /// This function checks on Redis if there is enough logs on the associated _redis_list. (Given by Connector) 36 | /// If needed, it tries to pick the logs in REDIS. 37 | /// On success it sends them to the output Filter. 38 | /// On failure, it reinserts the logs into REDIS. 39 | /// 40 | ///\return true on success, false otherwise. 41 | virtual bool Main() override final; 42 | 43 | private: 44 | /// The connector to ensure link with the output Filter. 45 | std::shared_ptr _connector; 46 | 47 | /// The Redis Lists on which to write and pickup data for the ouptut Filter. 48 | std::vector> _redis_lists; 49 | }; -------------------------------------------------------------------------------- /toolkit/Network.hpp: -------------------------------------------------------------------------------- 1 | /// \file DecisionTask.cpp 2 | /// \authors gcatto 3 | /// \version 1.0 4 | /// \date 17/09/18 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 
#pragma once


extern "C" {
#include
}

#include

/// \namespace darwin
namespace darwin {
/// \namespace network
namespace network {
    /// Get the IP address type.
    ///
    /// \param ip_address_string The IP address to get the type from.
    /// \param ip_type The integer to set the result with (presumably an
    ///                address-family constant — verify against the definition).
    /// \return true on success, false otherwise.
    bool GetIpAddressType(const std::string &ip_address_string, int *ip_type);

    /// Get an IPv4 sockaddr structure from an IPv4 IP address string.
    ///
    /// NOTE(review): returns void, so a malformed ip_address_string cannot be
    /// reported; callers are presumably expected to validate with
    /// GetIpAddressType() first — confirm against the definition, which is
    /// not in this header.
    ///
    /// \param ip_address_string The IP address to get the sockaddr structure from.
    /// \param sa The sockaddr structure to be saved.
    void GetSockAddrIn(const std::string &ip_address_string, sockaddr_in *sa);

    /// Get an IPv6 sockaddr structure from an IPv6 IP address string.
    ///
    /// NOTE(review): same as GetSockAddrIn(): no way to report a parse failure.
    ///
    /// \param ip_address_string The IP address to get the sockaddr structure from.
    /// \param sa The sockaddr_in6 structure to be saved.
    void GetSockAddrIn6(const std::string &ip_address_string, sockaddr_in6 *sa);

    /// Get an IPv4 address string from an IPv4 in_addr structure.
    ///
    /// \param addr The in_addr structure to be stringified.
    std::string GetStringAddrFromSockAddrIn(const in_addr &addr);

    /// Get an IPv6 address string from an IPv6 in6_addr structure.
    ///
    /// \param addr The in6_addr structure to be stringified.
48 | std::string GetStringAddrFromSockAddrIn6(const in6_addr &addr); 49 | } 50 | } 51 | -------------------------------------------------------------------------------- /.github/pull_request_template.md: -------------------------------------------------------------------------------- 1 | # :sparkles: Pull Request Template 2 | :bangbang: Once the whole **checklist** is **done** you have to: 3 | * **squash merge** this pull request 4 | * **delete** the corresponding **branch** 5 | * **close** the associated **issue** 6 | 7 | ## :page_with_curl: Type of change 8 | 9 | Please delete options that are not relevant. 10 | 11 | **Bug fix**: non-breaking change which fixes an issue. 12 | **New feature**: non-breaking change which adds functionality. 13 | **Breaking change**: fix or feature that would cause existing functionality to not work as expected. 14 | 15 | ## :bulb: Related Issue(s) 16 | 17 | - Resolve #(issue number) 18 | 19 | ## :black_nib: Description 20 | 21 | Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.
22 | 23 | ## :dart: Test Environments 24 | 25 | ### FreeBSD (version) 26 | - Redis (version) 27 | - Boost (version) 28 | - clang++ (or g++) (version) 29 | - CMake (version) 30 | - Python (version) 31 | 32 | ### Ubuntu (version) 33 | - Redis (version) 34 | - Boost (version) 35 | - g++ (or clang++) (version) 36 | - CMake (version) 37 | - Python (version) 38 | - Valgrind (version) 39 | 40 | ## :heavy_check_mark: Checklist: 41 | 42 | - [ ] My code follows the style guidelines of this project 43 | - [ ] I have performed a self-review of my own code 44 | - [ ] I have commented my code, particularly in hard-to-understand areas 45 | - [ ] (**If new filter**) I have added corresponding page to the documentation 46 | - [ ] (**If other changes**) I have made corresponding changes to the documentation 47 | - [ ] I have added tests that prove my fix is effective or that my feature works 48 | - [ ] New and existing unit tests pass locally with my changes 49 | 50 |
51 | 52 | - [ ] :raising_hand: **I certify on my honor that all the information provided is true, and I've done all I can to deliver a high-quality code** 53 | -------------------------------------------------------------------------------- /.github/workflows/docker-dev.yml: -------------------------------------------------------------------------------- 1 | name: docker dev 2 | 3 | on: 4 | push: 5 | branches: 6 | - dev 7 | 8 | env: 9 | FAUP_VERSION: 1.5 10 | BOOST_VERSION: 1.71.0 11 | ARMADILLO_VERSION: 9.900.x 12 | MLPACK_VERSION: 3.4.0 13 | TF_VERSION: 1.13.0 14 | YARA_VERSION: 3.11.0 15 | DOCKER_REPO: vultureproject 16 | DOCKER_USER: vultureworker 17 | IMAGE_NAME: darwin 18 | IMAGE_TAG: dev 19 | 20 | jobs: 21 | 22 | darwin-docker-dev: 23 | runs-on: ubuntu-latest 24 | 25 | steps: 26 | - uses: actions/checkout@v2 27 | - name: Prepare build 28 | run: | 29 | GITHUB_LOWERCASE_REPO=`echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]'` 30 | echo "::set-env name=github_lowercase_repo::${GITHUB_LOWERCASE_REPO}" 31 | 32 | - uses: whoan/docker-build-with-cache-action@v5 33 | with: 34 | image_name: ${{ env.IMAGE_NAME }} 35 | username: ${{ github.actor }} 36 | password: ${{ secrets.DEPLOY_TOKEN }} 37 | registry: docker.pkg.github.com/${{ env.github_lowercase_repo }} 38 | image_tag: ${{ env.IMAGE_TAG }} 39 | dockerfile: docker/darwin 40 | build_extra_args: --target darwin_builder --cpuset-cpus 0,1 --build-arg FAUP_VERSION=${{ env.FAUP_VERSION }} --build-arg BOOST_VERSION=${{ env.BOOST_VERSION }} --build-arg ARMADILLO_VERSION=${{ env.ARMADILLO_VERSION }} --build-arg MLPACK_VERSION=${{ env.MLPACK_VERSION }} --build-arg TF_VERSION=${{ env.TF_VERSION }} --build-arg YARA_VERSION=${{ env.YARA_VERSION }} 41 | 42 | - name: push image to docker hub 43 | run: | 44 | echo ${{secrets.DOCKER_USER_TOKEN}} | docker login -u ${{ env.DOCKER_USER }} --password-stdin 45 | docker tag docker.pkg.github.com/${{ env.github_lowercase_repo }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} ${{ 
env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} 46 | docker push ${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} 47 | docker logout 48 | -------------------------------------------------------------------------------- /toolkit/AThreadManager.hpp: -------------------------------------------------------------------------------- 1 | /// \file AThreadManager.hpp 2 | /// \authors ggonzalez 3 | /// \version 1.0 4 | /// \date 17/06/20 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2020 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | #include 11 | 12 | #include "../../toolkit/RedisManager.hpp" 13 | #include "AThread.hpp" 14 | 15 | 16 | class AThreadManager { 17 | /// This abstract class is made to be inherited by subclasses 18 | /// Its purpose is to handle everything needed to run multiple AThread instances (AThread.hpp). 19 | /// Start MUST be overrode. It creates an AThread (or child) instance and returns it as a pointer. 20 | /// It can handle AThreads, and any subclasses of it by overriding Start to create the correct type of AThread child. 21 | /// ThreadStart is calling Start if possible. 22 | /// 23 | ///\class AThreadManager 24 | 25 | public: 26 | ///\brief Unique constructor. Does not create the AThreads 27 | /// 28 | ///\param nb_thread The number of threads that the ThreadManager can handle. 29 | AThreadManager(int nb_thread); 30 | 31 | ///\brief call Stop 32 | ~AThreadManager(); 33 | 34 | public: 35 | ///\brief calls Start if there are less than _nb_threads Threads already created 36 | /// 37 | ///\return true on success, false otherwise 38 | bool ThreadStart(); 39 | 40 | ///\brief Stop all the threads 41 | /// 42 | ///\return true in success, else false 43 | bool Stop(); 44 | 45 | private: 46 | ///\brief Starts a Thread. MUST be overrode by children to create the appropriate type of AThread children 47 | /// 48 | ///\return a shared_ptr on the newly created AThread child. 
49 | virtual std::shared_ptr Start() = 0; 50 | 51 | /// The number of threads handled by the ThreadManager. Set in the constructor 52 | unsigned long _nb_threads; 53 | 54 | /// A vector containing all the threads 55 | std::vector> _threads; 56 | }; -------------------------------------------------------------------------------- /samples/fhostlookup/Generator.hpp: -------------------------------------------------------------------------------- 1 | /// \file Generator.hpp 2 | /// \authors jjourdin 3 | /// \version 1.0 4 | /// \date 07/09/18 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | #include "Session.hpp" 15 | #include "AGenerator.hpp" 16 | #include "HostLookupTask.hpp" 17 | #include "tsl/hopscotch_map.h" 18 | #include "tsl/hopscotch_set.h" 19 | #include "../toolkit/Files.hpp" 20 | #include "../toolkit/rapidjson/document.h" 21 | 22 | class Generator: public AGenerator { 23 | public: 24 | Generator() = default; 25 | ~Generator() = default; 26 | 27 | public: 28 | virtual darwin::session_ptr_t 29 | CreateTask(boost::asio::local::stream_protocol::socket& socket, 30 | darwin::Manager& manager) noexcept override final; 31 | 32 | protected: 33 | enum class db_type { 34 | text = 0, 35 | json, 36 | rsyslog 37 | }; 38 | 39 | protected: 40 | virtual bool LoadConfig(const rapidjson::Document &configuration) override final; 41 | virtual bool ConfigureAlerting(const std::string& tags) override final; 42 | 43 | bool LoadTextFile(const std::string& filename); 44 | bool LoadJsonFile(const std::string& filename, const db_type type); 45 | void LoadFeedNameFromFile(const std::string& filename); 46 | bool LoadJsonDatabase(const rapidjson::Document& database); 47 | bool LoadJsonEntry(const rapidjson::Value& entry); 48 | bool LoadRsyslogDatabase(const rapidjson::Document& database); 49 | bool LoadRsyslogEntry(const rapidjson::Value& entry); 50 | 51 | private: 52 | // This 
implementation is thread safe with multiple reader 53 | // with no writer. 54 | // This is indicated by the repository doc. 55 | // It should mimic thread safety of std::unordered_map<> 56 | tsl::hopscotch_map> _database; //!< The "bad" hostname database 57 | std::string _feed_name; 58 | }; -------------------------------------------------------------------------------- /samples/finspection/file_utils.hpp: -------------------------------------------------------------------------------- 1 | /* file_utils.h 2 | * 3 | * This header contains prototypes for file_utils.c, 4 | * being functions to manage files 5 | * 6 | * File begun on 2018-12-5 7 | * 8 | * Created by: 9 | * - François Bernard (francois.bernard@isen.yncrea.fr) 10 | * - Théo Bertin (theo.bertin@isen.yncrea.fr) 11 | * - Tianyu Geng (tianyu.geng@isen.yncrea.fr) 12 | * 13 | * This file is part of rsyslog. 14 | * 15 | * Licensed under the Apache License, Version 2.0 (the "License"); 16 | * you may not use this file except in compliance with the License. 17 | * You may obtain a copy of the License at 18 | * 19 | * http://www.apache.org/licenses/LICENSE-2.0 20 | * -or- 21 | * see COPYING.ASL20 in the source distribution 22 | * 23 | * Unless required by applicable law or agreed to in writing, software 24 | * distributed under the License is distributed on an "AS IS" BASIS, 25 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 26 | * See the License for the specific language governing permissions and 27 | * limitations under the License. 
28 | */ 29 | 30 | #ifndef FILE_UTILS_H 31 | #define FILE_UTILS_H 32 | 33 | #ifdef __cplusplus 34 | extern "C" { 35 | #endif 36 | 37 | #include 38 | #include 39 | #include 40 | #include 41 | #include 42 | #include 43 | #include 44 | #include 45 | #include 46 | #include 47 | 48 | #include 49 | 50 | typedef struct FileStruct_ { 51 | char *directory; 52 | char *filename; 53 | FILE *pFile; 54 | pthread_mutex_t mFile; 55 | uint32_t size; 56 | } FileStruct; 57 | 58 | void addDataToFile(char *pData, uint32_t sizeData, uint32_t offSet, FileStruct *file); 59 | void appendLineToFile(char *, FileStruct *); 60 | FILE *openFile(char *path, char *file_name); 61 | int createFolder(char *folder); 62 | FileStruct *createFileStruct(); 63 | void deleteFileStruct(FileStruct *); 64 | 65 | #ifdef __cplusplus 66 | }; 67 | #endif 68 | 69 | #endif /* FILE_UTILS_H */ 70 | -------------------------------------------------------------------------------- /samples/fbuffer/BufferThread.cpp: -------------------------------------------------------------------------------- 1 | /// \file ThreadManager.cpp 2 | /// \authors ggonzalez 3 | /// \version 1.0 4 | /// \date 28/05/20 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 
7 | 8 | #include 9 | #include 10 | 11 | #include "../../toolkit/RedisManager.hpp" 12 | #include "BufferThread.hpp" 13 | #include "Logger.hpp" 14 | #include "AlertManager.hpp" 15 | 16 | /* The poll interval and the (source, redis list) pairs come from the connector; AThread's constructor starts the thread (see AThread.hpp). */ BufferThread::BufferThread(std::shared_ptr output) : 17 | AThread(output->GetInterval()), 18 | _connector(output), 19 | _redis_lists(output->GetRedisLists()) {} 20 | 21 | 22 | /* Periodic body run by AThread::ThreadMain: for every (source, list) pair in _redis_lists, pop the list into the next filter once it holds at least GetRequiredLogLength() entries. Always returns true; per-list failures are logged and the list is skipped until the next run, never propagated. */ bool BufferThread::Main() { 23 | DARWIN_LOGGER; 24 | DARWIN_LOG_DEBUG("BufferThread::Main:: Begin"); 25 | 26 | for (auto &redis_config : this->_redis_lists) { 27 | std::string redis_list = redis_config.second; 28 | long long int len = this->_connector->REDISListLen(redis_list); 29 | DARWIN_LOG_DEBUG("BufferThread::Main:: There are " + std::to_string(len) + " entries in " + redis_list + " redis list."); 30 | std::vector logs; 31 | 32 | /* below the batch threshold: leave the entries in Redis until the next interval */ if (len >= 0 && len < this->_connector->GetRequiredLogLength()){ 33 | DARWIN_LOG_DEBUG("BufferThread::Main:: Not enough log in Redis, wait for more"); 34 | continue; 35 | } else if (len<0 || !this->_connector->REDISPopLogs(len, logs, redis_list)) { /* a negative len is treated as a failed length query; a failed pop is reported the same way */ 36 | DARWIN_LOG_ERROR("BufferThread::Main:: Error when querying Redis on list: " + redis_list + " for source: '" + redis_config.first + "'"); 37 | continue; 38 | } else { 39 | if (not _connector->SendToFilter(logs)) { /* the popped entries are put back into the Redis list instead of being dropped */ 40 | DARWIN_LOG_INFO("BufferThread::Main:: unable to send data to next filter, reinserting logs in redis ..."); 41 | this->_connector->REDISReinsertLogs(logs, redis_list); 42 | } else { 43 | DARWIN_LOG_DEBUG("BufferThread::Main:: Removed " + std::to_string(logs.size()) + " elements from redis"); 44 | } 45 | } 46 | } 47 | 48 | return true; 49 | } -------------------------------------------------------------------------------- /manager/JsonSocket.py: -------------------------------------------------------------------------------- 1 | __author__ = "Hugo SOSZYNSKI" 2 | __credits__ = [] 3 | __license__ = "GPLv3" 4 | __version__ = "3.0.0" 5 | __maintainer__ = "Vulture Project" 6 | __email__ = "contact@vultureproject.org" 7 | 
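__doc__ = 'JSON encoding and decoding socket encapsulation class'

import json


class JsonSocket:
    """
    Encapsulation of a socket made to send and receive JSON.

    One JSON object (a ``{...}`` document) is exchanged per ``send`` /
    ``recv`` call.  The end of an incoming message is found by tracking
    brace depth *outside* JSON string literals, so a ``{`` or ``}`` inside a
    string value no longer truncates or stalls the read; no length prefix or
    delimiter is required on the wire.
    """

    # Bytes that matter when scanning for the end of the object.  All four are
    # ASCII and can never occur inside a multi-byte UTF-8 sequence, so the
    # scan is done on raw bytes and decoding happens once, on the whole
    # message (a multi-byte character split across two recv() calls is fine).
    _OPEN, _CLOSE, _QUOTE, _BACKSLASH = ord('{'), ord('}'), ord('"'), ord('\\')

    def __init__(self, sock, *, max_size=None):
        """
        Constructor. Set timeout to the socket.

        :param sock: The socket to encapsulate.
        :param max_size: Optional upper bound, in bytes, on one received
            message.  ``recv`` raises ValueError once more than this has been
            buffered without the object being complete, which stops a peer
            from growing the buffer without limit.  ``None`` (the default)
            keeps the previous unbounded behaviour.
        """
        self._socket = sock
        self._max_size = max_size
        self._socket.settimeout(1)

    def __del__(self):
        """
        Destructor. Close the socket (if the constructor got that far).
        """
        sock = getattr(self, '_socket', None)
        if sock is not None:
            sock.close()

    def close(self):
        """
        Close the encapsulated socket.  Safe to call more than once.
        """
        self._socket.close()

    def __enter__(self):
        return self

    def __exit__(self, exc_type, exc, tb):
        self.close()

    def send(self, data):
        """
        Send the given data JSON formatted through the socket.

        :param data: The data to send (anything ``json.dumps`` accepts).
        :raises TypeError: if *data* is not JSON serialisable.
        """
        # json.dumps escapes non-ASCII characters by default, so the ASCII
        # encoding cannot fail.  sendall() (rather than send()) keeps writing
        # until the whole message is out, so the peer never sees a truncated
        # object after a partial write.
        payload = json.dumps(data).encode('ascii')
        self._socket.sendall(payload)

    def recv(self):
        """
        Receive JSON formatted data from the socket.

        Reads until the outermost ``{`` is matched by its ``}`` (braces inside
        string literals, including escaped quotes, are ignored), then decodes
        the buffered bytes as UTF-8 and parses them.

        :return: Dict object containing the deserialized JSON data.
        :raises ValueError: if the peer closes before any data arrives, if the
            message exceeds ``max_size``, if bytes other than whitespace follow
            the closing brace, or if the text is not valid JSON
            (``json.JSONDecodeError`` is a ValueError).
        :raises TypeError: if the first byte received is not ``{``.
        :raises socket.timeout: if the peer stalls longer than the socket
            timeout set in the constructor.
        """
        buf = bytearray()
        depth = 0
        in_string = False
        escaped = False
        started = False

        while True:
            # Trailing NUL padding is stripped per chunk, as before.
            chunk = self._socket.recv(2048).rstrip(b'\x00')
            if not chunk:
                raise ValueError('No data received')

            for pos, byte in enumerate(chunk):
                if not started:
                    if byte != self._OPEN:
                        raise TypeError('Data received not a json')
                    started = True
                    depth = 1
                    continue
                if in_string:
                    if escaped:
                        escaped = False
                    elif byte == self._BACKSLASH:
                        escaped = True
                    elif byte == self._QUOTE:
                        in_string = False
                elif byte == self._QUOTE:
                    in_string = True
                elif byte == self._OPEN:
                    depth += 1
                elif byte == self._CLOSE:
                    depth -= 1
                    if depth == 0:
                        # Full JSON received: stop at the closing brace so
                        # that anything after it cannot corrupt the parse.
                        buf += chunk[:pos + 1]
                        if chunk[pos + 1:].strip():
                            raise ValueError('Extra data after JSON object')
                        return json.loads(buf.decode('utf-8'))

            buf += chunk
            if self._max_size is not None and len(buf) > self._max_size:
                raise ValueError('JSON message exceeds max_size')


# --------------------------------------------------------------------------------
# /conf/darwin.conf.example:
# --------------------------------------------------------------------------------
# {
#     "session_1": {
#         "exec_path": "/home/darwin/filters/darwin_session",
#         "config_file": "/home/darwin/conf/fsession/fsession.conf.example",
#         "nb_thread": 5,
#         "log_level": "ERROR",
#         "cache_size": 0,
#         "output": "",
#         "next_filter": ""
#     },
#     "content_inspection_1": {
#         "exec_path": "/home/darwin/filters/darwin_content_inspection",
#         "config_file": "/home/darwin/conf/fcontent_inspection/fcontent_inspection.conf.example",
#         "nb_thread": 20,
#         "log_level": "DEBUG",
#         "cache_size": 0,
#         "output": "",
#         "next_filter": "",
#         "threshold": 80
#     },
#     "dga_1": {
#         "exec_path": "/home/darwin/filters/darwin_dga",
#         "config_file": "/home/darwin/conf/fdga/fdga.conf.example",
#         "nb_thread": 5,
#         "log_level": "DEBUG",
#         "cache_size": 1000,
#         "output": "",
#         "next_filter": "",
#         "threshold": 80
#     },
#     "tanomaly_1": {
#         "exec_path": "/home/darwin/filters/darwin_tanomaly",
#         "config_file": "/home/darwin/conf/ftanomaly/ftanomaly.conf.example",
#         "nb_thread": 5,
#         "log_level": "DEBUG",
#         "cache_size": 0,
#         "output": "NONE",
#         "next_filter": "",
#         "threshold": 80
#     },
#     "anomaly_1": {
#         "exec_path": "/home/darwin/filters/darwin_anomaly",
#         "config_file": "/home/darwin/conf/fanomaly/fanomaly.conf.example",
#         "nb_thread": 5,
#         "log_level": "DEBUG",
#         "cache_size": 0,
#         "output": "NONE",
#         "next_filter": "",
#         "threshold": 80
#     },
#     "buffer_1": {
#         "exec_path": "/home/darwin/filters/darwin_buffer",
#         "config_file": "/home/darwin/conf/fbuffer/fbuffer.conf.example",
#         "nb_thread": 1,
#         "log_level": "DEBUG",
#         "cache_size": 0,
#         "output": "NONE",
#         "next_filter": "",
#         "threshold": 80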
60 | } 61 | } -------------------------------------------------------------------------------- /samples/fpythonexample/README.md: -------------------------------------------------------------------------------- 1 | # Python example filter 2 | 3 | ## Purpose of this guide and disclaimer 4 | 5 | This is an example filter that calls Python code from Darwin and then returns the result. You can use this filter as a template project when you want to create a new Darwin filter that uses Python code. 6 | 7 | Below are commands that help you install and configure the Python filter if you want to test it. However, this is **NOT** a real filter: the guide below just serves as an example to show you how to set up a Python-based Darwin filter. 8 | 9 | ## 1. Filter compilation 10 | 11 | First, you need to compile the filter. After setting the `DARWIN_PROJECT_PATH` variable to the path of your Darwin project, run the commands below: 12 | 13 | ```bash 14 | cd "$DARWIN_PROJECT_PATH" 15 | mkdir "$DARWIN_PROJECT_PATH/build" # create a build folder to hold the built darwin_python_example filter 16 | cd "$DARWIN_PROJECT_PATH/build" 17 | cmake .. -DFILTER=PYTHON_EXAMPLE # generate your Makefile files 18 | make 19 | ``` 20 | 21 | ## 2. Add the filter to Darwin 22 | 23 | Then, you have to add the filter to Darwin. Just copy it to your Darwin filter folder: 24 | 25 | ```bash 26 | cp "$DARWIN_PROJECT_PATH/build/darwin_python_example" /home/darwin/filters/ # will add your darwin_python_example filter to the other existing ones 27 | ``` 28 | 29 | ## 3. Configuration 30 | 31 | Finally, you need to change your Darwin configuration to take the Python-based filter into account. **Be careful: the commands below will overwrite your current darwin.conf!** 32 | 33 | ```bash 34 | cp -R "$DARWIN_PROJECT_PATH"/samples/fpythonexample/example_configuration_files/* /home/darwin/conf/ # will OVERWRITE your current darwin.conf! 
35 | virtualenv -p python3.6 /home/darwin/conf/fpython_example/env # the filter NEEDS a Python environment to run 36 | /home/darwin/conf/fpython_example/env/bin/pip install -r "$DARWIN_PROJECT_PATH/samples/fpythonexample/python_example_filter/requirements.txt" # after creating it, we install the dependencies 37 | cp -R "$DARWIN_PROJECT_PATH/samples/fpythonexample/python_example_filter/example_filter.py" /home/darwin/filters/ # here, we just copy our Python code 38 | ``` 39 | -------------------------------------------------------------------------------- /samples/fconnection/ConnectionSupervisionTask.hpp: -------------------------------------------------------------------------------- 1 | /// \file ConnectionSupervisionTask.hpp 2 | /// \authors jjourdin 3 | /// \version 1.0 4 | /// \date 22/05/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | #include 11 | #include "protocol.h" 12 | #include "Session.hpp" 13 | 14 | #include "../../toolkit/lru_cache.hpp" 15 | #include "../../toolkit/RedisManager.hpp" 16 | #include "../toolkit/rapidjson/document.h" 17 | 18 | #define DARWIN_FILTER_CONNECTION 0x636E7370 19 | #define DARWIN_FILTER_NAME "connection" 20 | #define DARWIN_ALERT_RULE_NAME "New Connection Detection" 21 | #define DARWIN_ALERT_TAGS "[]" 22 | 23 | // To create a usable task method you MUST inherit from darwin::thread::Task publicly. 24 | // The code bellow show all what's necessary to have a working task. 25 | // For more information about Tasks, please refer to the class definition. 
26 | 27 | class ConnectionSupervisionTask : public darwin::Session { 28 | public: 29 | explicit ConnectionSupervisionTask(boost::asio::local::stream_protocol::socket& socket, 30 | darwin::Manager& manager, 31 | std::shared_ptr> cache, 32 | std::mutex& cache_mutex, 33 | unsigned int expire); 34 | ~ConnectionSupervisionTask() override = default; 35 | 36 | public: 37 | // You need to override the functor to compile and be executed by the thread 38 | void operator()() override; 39 | 40 | protected: 41 | /// Return filter code 42 | long GetFilterCode() noexcept override; 43 | 44 | private: 45 | /// Parse a line in the body. 46 | bool ParseLine(rapidjson::Value &line) final; 47 | 48 | /// Read a connection description from the session and 49 | /// perform a redis lookup. 50 | /// 51 | /// \return true on success, false otherwise. 52 | unsigned int REDISLookup(const std::string& connection) noexcept; 53 | 54 | private: 55 | unsigned int _redis_expire; 56 | std::string _connection; 57 | }; 58 | -------------------------------------------------------------------------------- /samples/ftest/TestTask.hpp: -------------------------------------------------------------------------------- 1 | /// \file TestTask.hpp 2 | /// \authors Hugo Soszynski 3 | /// \version 1.0 4 | /// \date 11/12/2019 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2019 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | #include 11 | 12 | #include "../../toolkit/lru_cache.hpp" 13 | #include "protocol.h" 14 | #include "Session.hpp" 15 | 16 | #define DARWIN_FILTER_TEST 0x74657374 17 | #define DARWIN_FILTER_NAME "test" 18 | #define DARWIN_ALERT_RULE_NAME "Test" 19 | #define DARWIN_ALERT_TAGS "[\"default_test_tag_0\", \"default_test_tag_1\"]" 20 | 21 | // To create a usable task method you MUST inherit from darwin::thread::Task publicly. 22 | // The code bellow show all what's necessary to have a working task. 23 | // For more information about Tasks, please refer to the class definition. 
24 | 25 | class TestTask : public darwin::Session { 26 | public: 27 | explicit TestTask(boost::asio::local::stream_protocol::socket& socket, 28 | darwin::Manager& manager, 29 | std::shared_ptr> cache, 30 | std::mutex& cache_mutex, 31 | std::string& list, 32 | std::string& channel); 33 | 34 | ~TestTask() override = default; 35 | 36 | public: 37 | // You need to override the functor to compile and be executed by the thread 38 | void operator()() override; 39 | 40 | protected: 41 | /// Get the result from the cache 42 | xxh::hash64_t GenerateHash() override; 43 | /// Return filter code 44 | long GetFilterCode() noexcept override; 45 | 46 | /// Adds a line to a test list in redis 47 | bool REDISAddList(const std::string& list, const std::string& line); 48 | 49 | /// Publish a line to a test channel in redis 50 | bool REDISPublishChannel(const std::string& channel, const std::string& line); 51 | 52 | private: 53 | /// Parse a line from the body. 54 | bool ParseLine(rapidjson::Value &line) final; 55 | 56 | private: 57 | std::string _line; 58 | std::string _redis_list; 59 | std::string _redis_channel; 60 | }; 61 | -------------------------------------------------------------------------------- /toolkit/AThread.hpp: -------------------------------------------------------------------------------- 1 | /// \file AThread.hpp 2 | /// \authors ggonzalez 3 | /// \version 1.0 4 | /// \date 17/06/20 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | #include "../../toolkit/RedisManager.hpp" 15 | 16 | class AThread { 17 | /// This abstract class is made to be inheritated by subclasses 18 | /// Its purpose is to handle everything needed to run a thread. 19 | /// It is likely to be called by AThreadManager or any subclass inheriting from it. 20 | /// ThreadMain is calling Main every _interval seconds. 21 | /// Main MUST be overrode by children. 
22 | /// 23 | ///\class AThread 24 | 25 | public: 26 | ///\brief Unique constructor, creates a thread and immediately calls ThreadMain. 27 | /// 28 | ///\param interval The interval in seconds between two calls of Main by ThreadMain 29 | AThread(int interval); 30 | 31 | ///\brief Default virtual destructor 32 | virtual ~AThread() = default; 33 | 34 | ///\brief initiates the _thread member 35 | void InitiateThread(); 36 | 37 | ///\brief Stops the thread (with join) 38 | /// 39 | ///\return true on success, false otherwise 40 | bool Stop(); 41 | 42 | ///\brief It is the entry point of the thread, it calls Main every _interval seconds and is called in the constructor. 43 | void ThreadMain(); 44 | 45 | ///\brief This function is called every _interval seconds, and MUST be overrode by children 46 | /// 47 | ///\return Override MUST return true on success and false otherwise 48 | virtual bool Main() = 0; 49 | 50 | 51 | private: 52 | /// Interval, set by the ctor, between two calls of Main by ThreadMain 53 | int _interval; 54 | 55 | /// The actual thread 56 | std::thread _thread; 57 | 58 | /// A boolean to know if the thread is stopped (true) or not (false). 
59 | /// Set true in constructor 60 | /// Set false in destructor and in case an error occured 61 | std::atomic _is_stop; 62 | 63 | /// The condition variable for the thread 64 | std::condition_variable _cv; 65 | }; -------------------------------------------------------------------------------- /cmake/FindTensorflow.cmake: -------------------------------------------------------------------------------- 1 | # Find tensorflow cpp libraries and includes 2 | # This module defines 3 | # TENSORFLOW_LIBRARIES, the libraries needed to use tensorflow 4 | # TENSORFLOW_INCLUDE_DIRS, the folders containing tensorflow development files 5 | # TENSORFLOW_FOUND, whether tensorflow was found on system 6 | 7 | find_package(TensorflowCC QUIET) 8 | 9 | if(TensorflowCC_FOUND) 10 | message("found TensorflowCC taget") 11 | set(TENSORFLOW_LIBRARIES "${TENSORFLOW_LIBRARIES}" "TensorflowCC::Static") 12 | else() 13 | message("didn't find TensorflowCC target, linking tensorflow manually") 14 | 15 | find_library( 16 | TF_CC_LIBRARY 17 | NAMES libtensorflow_cc.so 18 | PATH_SUFFIXES tensorflow/) 19 | find_library( 20 | TF_FRAMEWORK_LIBRARY 21 | NAMES libtensorflow_framework.so 22 | PATH_SUFFIXES tensorflow/) 23 | 24 | find_path( 25 | PROTOBUF_SOURCE 26 | NAMES google/protobuf/stubs/common.h 27 | PATH_SUFFIXES contrib/protobuf/src/) 28 | find_path( 29 | EIGEN_SOURCE 30 | NAMES unsupported/Eigen/CXX11/Tensor 31 | PATH_SUFFIXES contrib/eigen) 32 | find_path( 33 | ABSL_SOURCE 34 | NAMES absl/strings/string_view.h 35 | PATH_SUFFIXES contrib/absl) 36 | 37 | set(TENSORFLOW_LIBRARIES ${TENSORFLOW_LIBRARIES} ${TF_CC_LIBRARY}) 38 | set(TENSORFLOW_LIBRARIES ${TENSORFLOW_LIBRARIES} ${TF_FRAMEWORK_LIBRARY}) 39 | set(TENSORFLOW_INCLUDE_DIRS ${TENSORFLOW_INCLUDE_DIRS} ${PROTOBUF_SOURCE}) 40 | set(TENSORFLOW_INCLUDE_DIRS ${TENSORFLOW_INCLUDE_DIRS} ${EIGEN_SOURCE}) 41 | set(TENSORFLOW_INCLUDE_DIRS ${TENSORFLOW_INCLUDE_DIRS} ${ABSL_SOURCE}) 42 | 43 | include (FindPackageHandleStandardArgs) 44 | 
find_package_handle_standard_args( 45 | Tensorflow 46 | REQUIRED_VARS TF_CC_LIBRARY TF_FRAMEWORK_LIBRARY) 47 | 48 | mark_as_advanced(TENSORFLOW_LIBRARIES TENSORFLOW_INCLUDE_DIRS) 49 | endif() 50 | 51 | if(CMAKE_SYSTEM_NAME STREQUAL "FreeBSD") 52 | find_library(EXECINFO_LIBRARY 53 | NAMES execinfo 54 | PATHS /usr/local/lib/ /usr/lib/) 55 | if(EXECINFO_LIBRARY) 56 | message("libexecinfo found, adding to included libraries") 57 | set(TENSORFLOW_LIBRARIES ${TENSORFLOW_LIBRARIES} ${EXECINFO_LIBRARY}) 58 | endif() 59 | endif() 60 | -------------------------------------------------------------------------------- /samples/fyara/YaraTask.hpp: -------------------------------------------------------------------------------- 1 | /// \file toolkit/Yara.hpp 2 | /// \authors tbertin 3 | /// \version 1.0 4 | /// \date 10/10/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | #include 11 | 12 | #include "../toolkit/lru_cache.hpp" 13 | #include "../toolkit/xxhash.h" 14 | #include "../toolkit/xxhash.hpp" 15 | #include "../../toolkit/rapidjson/document.h" 16 | #include "../../toolkit/rapidjson/stringbuffer.h" 17 | #include "../../toolkit/rapidjson/writer.h" 18 | #include "Encoders.h" 19 | 20 | #include "Yara.hpp" 21 | #include "Session.hpp" 22 | 23 | #define DARWIN_FILTER_YARA_SCAN 0x79617261 24 | #define DARWIN_FILTER_NAME "yara" 25 | #define DARWIN_ALERT_RULE_NAME "Yara scanner" 26 | #define DARWIN_ALERT_TAGS "[]" 27 | 28 | // To create a usable task method you MUST inherit from darwin::thread::Task publicly. 29 | // The code bellow show all what's necessary to have a working task. 30 | // For more information about Tasks, please refer to the class definition. 
31 | 32 | class YaraTask : public darwin::Session { 33 | public: 34 | explicit YaraTask(boost::asio::local::stream_protocol::socket& socket, 35 | darwin::Manager& manager, 36 | std::shared_ptr> cache, 37 | std::mutex& cache_mutex, 38 | std::shared_ptr yaraEngine); 39 | 40 | ~YaraTask() override = default; 41 | 42 | public: 43 | // You need to override the functor to compile and be executed by the thread 44 | void operator()() override; 45 | 46 | protected: 47 | /// Get the result from the cache 48 | xxh::hash64_t GenerateHash() override; 49 | /// Return filter code 50 | long GetFilterCode() noexcept override; 51 | 52 | private: 53 | /// Parse the body received. 54 | bool ParseLine(rapidjson::Value &line) final; 55 | 56 | /// Convert a std::set to string json list 57 | std::string GetJsonListFromSet(std::set &input); 58 | 59 | private: 60 | std::string _chunk; 61 | std::shared_ptr _yaraEngine = nullptr; 62 | }; 63 | -------------------------------------------------------------------------------- /samples/fbuffer/Connectors/fSofaConnector.hpp: -------------------------------------------------------------------------------- 1 | /// \file fSofaConnector.cpp 2 | /// \authors ggonzalez 3 | /// \version 1.0 4 | /// \date 03/06/20 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | #include "AConnector.hpp" 11 | 12 | class fSofaConnector final : public AConnector { 13 | /// This class inherits from AConnector (see AConnector.hpp) 14 | /// It provides correct info picking to send to Sofa type filter. 15 | /// 16 | ///\class fSofaConnector 17 | 18 | public: 19 | ///\brief Unique constructor. It contains all stuff needed to ensure REDIS and output Sofa Filter communication 20 | /// 21 | ///\param io_context The boost::asio::io_context used by the Server. Needed for communication with output Filter. 22 | ///\param filter_socket_path The socket path used to connect to the output filter. 
23 | ///\param interval Interval between two data sendings to output filter if there are enough logs in redis_list REDIS storage. 24 | ///\param redis_lists The names of the Redis List on which the connector will store and retrieve data depending on source, before sending to output Filter 25 | ///\param required_log_lines The number of logs required before sending data to output Filter 26 | fSofaConnector(boost::asio::io_context &context, 27 | std::string &filter_socket_path, 28 | unsigned int interval, 29 | std::vector> &redis_lists, 30 | unsigned int required_log_lines); 31 | 32 | ///\brief Virtual final default constructor 33 | virtual ~fSofaConnector() override final = default; 34 | 35 | public: 36 | ///\brief This function sends data to the REDIS storage. It overrides default pure virtual one as each filter doesn't need the same data. 37 | /// 38 | /// It should fill _entry with the data to send as REDISAddEntry is picking from it. 39 | /// 40 | ///\param input_line is a map representing all the entries received by the BufferTask. 41 | /// 42 | ///\return true on success, false otherwise. 43 | virtual bool ParseInputForRedis(std::map &input_line) override final; 44 | }; -------------------------------------------------------------------------------- /samples/finspection/packets.hpp: -------------------------------------------------------------------------------- 1 | /* packets.h 2 | * 3 | * This header contains the definition of internal structures 4 | * representing packets metadata and payload, as well as prototypes 5 | * for packets.c 6 | * 7 | * File begun on 2018-12-5 8 | * 9 | * Created by: 10 | * - François Bernard (francois.bernard@isen.yncrea.fr) 11 | * - Théo Bertin (theo.bertin@isen.yncrea.fr) 12 | * - Tianyu Geng (tianyu.geng@isen.yncrea.fr) 13 | * 14 | * This file is part of rsyslog. 15 | * 16 | * Licensed under the Apache License, Version 2.0 (the "License"); 17 | * you may not use this file except in compliance with the License. 
18 | * You may obtain a copy of the License at 19 | * 20 | * http://www.apache.org/licenses/LICENSE-2.0 21 | * -or- 22 | * see COPYING.ASL20 in the source distribution 23 | * 24 | * Unless required by applicable law or agreed to in writing, software 25 | * distributed under the License is distributed on an "AS IS" BASIS, 26 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 27 | * See the License for the specific language governing permissions and 28 | * limitations under the License. 29 | */ 30 | 31 | #ifndef PACKETS_H 32 | #define PACKETS_H 33 | 34 | #include "extract_impcap.hpp" 35 | #include "flow.hpp" 36 | #include "hash_utils.hpp" 37 | 38 | #ifdef __cplusplus 39 | extern "C" { 40 | #endif 41 | 42 | #include 43 | #include 44 | #include 45 | 46 | typedef struct Packet_ { 47 | Address src, dst; 48 | Port sp, dp; 49 | uint8_t proto; 50 | 51 | struct Flow_ *flow; 52 | FlowHash hash; 53 | 54 | uint8_t flags; 55 | #define PKT_ADDRS_KNOWN 0x01 56 | #define PKT_PORTS_KNOWN 0x02 57 | #define PKT_PROTO_KNOWN 0x04 58 | #define PKT_HASH_READY 0x08 59 | #define PKT_IPV4_ADDR 0x10 60 | #define PKT_IPV6_ADDR 0x20 61 | 62 | struct IPV6Hdr_ *ipv6h; 63 | struct IPV4Hdr_ *ipv4h; 64 | struct TCPHdr_ *tcph; 65 | 66 | uint8_t *payload; 67 | uint16_t payloadLen; 68 | 69 | uint32_t pktNumber; 70 | 71 | time_t enterTime; 72 | } Packet; 73 | 74 | Packet *createPacket(); 75 | void freePacket(Packet *); 76 | void updatePacketFromHeaders(Packet *); 77 | FlowHash calculatePacketFlowHash(Packet *); 78 | 79 | #ifdef __cplusplus 80 | }; 81 | #endif 82 | 83 | #endif /* PACKETS_H */ 84 | -------------------------------------------------------------------------------- /.github/workflows/docker-releases.yml: -------------------------------------------------------------------------------- 1 | name: docker releases 2 | 3 | on: 4 | release: 5 | types: 6 | - published 7 | 8 | env: 9 | FAUP_VERSION: 1.5 10 | BOOST_VERSION: 1.71.0 11 | ARMADILLO_VERSION: 9.900.x 12 | 
MLPACK_VERSION: 3.4.0 13 | TF_VERSION: 1.13.0 14 | YARA_VERSION: 3.11.0 15 | DOCKER_REPO: vultureproject 16 | DOCKER_USER: vultureworker 17 | IMAGE_NAME: darwin 18 | 19 | jobs: 20 | 21 | darwin-docker-release: 22 | runs-on: ubuntu-latest 23 | 24 | steps: 25 | - uses: actions/checkout@v2 26 | - name: Prepare build 27 | run: | 28 | GITHUB_LOWERCASE_REPO=`echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]'` 29 | GITHUB_TAG=`echo "${{ github.ref }}" | cut -d / -f 3` 30 | echo "::set-env name=github_lowercase_repo::${GITHUB_LOWERCASE_REPO}" 31 | echo "::set-env name=tag_name::${GITHUB_TAG}" 32 | 33 | - uses: whoan/docker-build-with-cache-action@v5 34 | with: 35 | image_name: ${{ env.IMAGE_NAME }} 36 | username: ${{ github.actor }} 37 | password: ${{ secrets.DEPLOY_TOKEN }} 38 | registry: docker.pkg.github.com/${{ env.github_lowercase_repo }} 39 | push_git_tag: true 40 | dockerfile: docker/darwin 41 | build_extra_args: --target darwin --cpuset-cpus 0,1 --build-arg FAUP_VERSION=${{ env.FAUP_VERSION }} --build-arg BOOST_VERSION=${{ env.BOOST_VERSION }} --build-arg ARMADILLO_VERSION=${{ env.ARMADILLO_VERSION }} --build-arg MLPACK_VERSION=${{ env.MLPACK_VERSION }} --build-arg TF_VERSION=${{ env.TF_VERSION }} --build-arg YARA_VERSION=${{ env.YARA_VERSION }} 42 | 43 | - name: push image to docker hub 44 | run: | 45 | echo ${{secrets.DOCKER_USER_TOKEN}} | docker login -u ${{ env.DOCKER_USER }} --password-stdin 46 | docker tag docker.pkg.github.com/${{ env.github_lowercase_repo }}/${{ env.IMAGE_NAME }}:${{ env.tag_name }} ${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}:${{ env.tag_name }} 47 | docker tag docker.pkg.github.com/${{ env.github_lowercase_repo }}/${{ env.IMAGE_NAME }}:latest ${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}:latest 48 | docker push ${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}:${{ env.tag_name }} 49 | docker push ${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}:latest 50 | docker logout 51 | 
-------------------------------------------------------------------------------- /tests/manager_socket/logging_test.py: -------------------------------------------------------------------------------- 1 | import logging 2 | from os import kill, rename, remove 3 | from signal import SIGHUP 4 | from manager_socket.utils import requests, CONF_EMPTY, REQ_MONITOR 5 | from tools.darwin_utils import darwin_configure, darwin_start, darwin_stop, darwin_remove_configuration, count_file_lines 6 | from tools.output import print_result 7 | from conf import TEST_FILES_DIR 8 | 9 | MANAGER_LOGFILE = TEST_FILES_DIR + "/log/darwin_manager.log" 10 | 11 | def run(): 12 | tests = [ 13 | check_write_logs, 14 | check_rotate_logs, 15 | ] 16 | 17 | for i in tests: 18 | print_result("Logging: " + i.__name__, i) 19 | 20 | 21 | def check_write_logs(): 22 | ret = True 23 | 24 | try: 25 | init_lines = count_file_lines(MANAGER_LOGFILE) 26 | except: 27 | init_lines = 0 28 | 29 | darwin_configure(CONF_EMPTY) 30 | process = darwin_start() 31 | 32 | darwin_stop(process) 33 | darwin_remove_configuration() 34 | 35 | if init_lines == count_file_lines(MANAGER_LOGFILE): 36 | logging.error("check_write_logs: manager didn't write a single line in expected logfile") 37 | ret = False 38 | 39 | return ret 40 | 41 | 42 | def check_rotate_logs(): 43 | ret = True 44 | 45 | darwin_configure(CONF_EMPTY) 46 | process = darwin_start() 47 | 48 | rename(MANAGER_LOGFILE, MANAGER_LOGFILE + ".moved") 49 | kill(process.pid, SIGHUP) 50 | lines_after_rotate = count_file_lines(MANAGER_LOGFILE + ".moved") 51 | 52 | resp = requests(REQ_MONITOR) 53 | if resp == "": 54 | logging.error("check_rotate_logs: manager didn't respond to monitoring query") 55 | ret = False 56 | 57 | darwin_stop(process) 58 | darwin_remove_configuration() 59 | 60 | if count_file_lines(MANAGER_LOGFILE + ".moved") > lines_after_rotate: 61 | logging.error("check_rotate_logs: new lines were written to old logfile") 62 | ret = False 63 | 64 | try: 65 | if 
count_file_lines(MANAGER_LOGFILE) == 0: 66 | logging.error("check_rotate_logs: no new lines were written on file after rotation") 67 | ret = False 68 | except FileNotFoundError: 69 | logging.error("check_rotate_logs: log file wasn't recreated by manager") 70 | ret = False 71 | 72 | remove(MANAGER_LOGFILE + ".moved") 73 | 74 | return ret -------------------------------------------------------------------------------- /samples/finspection/stream_buffer.hpp: -------------------------------------------------------------------------------- 1 | /* stream_buffer.h 2 | * 3 | * This header contains the definition of stream buffers 4 | * 5 | * File begun on 2019-20-05 6 | * 7 | * Created by: 8 | * - Théo Bertin (theo.bertin@advens.fr) 9 | * 10 | * This file is part of rsyslog. 11 | * 12 | * Licensed under the Apache License, Version 2.0 (the "License"); 13 | * you may not use this file except in compliance with the License. 14 | * You may obtain a copy of the License at 15 | * 16 | * http://www.apache.org/licenses/LICENSE-2.0 17 | * -or- 18 | * see COPYING.ASL20 in the source distribution 19 | * 20 | * Unless required by applicable law or agreed to in writing, software 21 | * distributed under the License is distributed on an "AS IS" BASIS, 22 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 23 | * See the License for the specific language governing permissions and 24 | * limitations under the License. 
25 | */ 26 | 27 | #ifndef STREAM_BUFFER_H 28 | #define STREAM_BUFFER_H 29 | 30 | #include "file_utils.hpp" 31 | #include "data_pool.hpp" 32 | 33 | #ifdef __cplusplus 34 | extern "C" { 35 | #endif 36 | 37 | #include 38 | #include 39 | #include 40 | 41 | 42 | #define DEFAULT_BUFF_START_SIZE 4096 43 | #define BUFF_ADD_BLOCK_SIZE 4096 44 | 45 | typedef struct StreamsCnf_ { 46 | char *streamStoreFolder; 47 | uint32_t streamMaxBufferSize; 48 | 49 | DataPool *sbPool; 50 | } StreamsCnf; 51 | 52 | extern StreamsCnf *streamsCnf; 53 | 54 | typedef struct StreamBuffer_ { 55 | uint8_t *buffer; 56 | uint32_t bufferSize; 57 | uint32_t bufferFill; 58 | uint32_t streamOffset; 59 | 60 | struct YaraRuleList_ *ruleList; 61 | 62 | FileStruct *bufferDump; 63 | 64 | pthread_mutex_t mutex; 65 | 66 | DataObject *object; 67 | } StreamBuffer; 68 | 69 | void yaraDeleteRuleList(struct YaraRuleList_ *); 70 | void streamBufferReset(void *); 71 | void streamInitConfig(StreamsCnf *); 72 | void streamDeleteConfig(StreamsCnf *); 73 | int linkStreamBufferToDumpFile(StreamBuffer *, char *); 74 | uint32_t streamBufferDumpToFile(StreamBuffer *); 75 | int streamBufferExtend(StreamBuffer *, uint32_t); 76 | int streamBufferAddDataSegment(StreamBuffer *, uint32_t, uint8_t *); 77 | 78 | #ifdef __cplusplus 79 | }; 80 | #endif 81 | 82 | #endif /* STREAM_BUFFER_H */ 83 | -------------------------------------------------------------------------------- /samples/fpythonexample/PythonExampleTask.hpp: -------------------------------------------------------------------------------- 1 | /// \file PythonExample.hpp 2 | /// \authors gcatto 3 | /// \version 1.0 4 | /// \date 23/07/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2019 Advens. All rights reserved. 
7 | 8 | #pragma once 9 | 10 | #include 11 | 12 | #include "../../toolkit/lru_cache.hpp" 13 | #include "../../toolkit/PythonUtils.hpp" 14 | #include "../../toolkit/xxhash.h" 15 | #include "../../toolkit/xxhash.hpp" 16 | #include "protocol.h" 17 | #include "Session.hpp" 18 | 19 | #define DARWIN_FILTER_PYTHON_EXAMPLE 0x70797468 20 | 21 | // To create a usable task method you MUST inherit from darwin::thread::Task publicly. 22 | // The code bellow show all what's necessary to have a working task. 23 | // For more information about Tasks, please refer to the class definition. 24 | 25 | class PythonExampleTask : public darwin::Session { 26 | public: 27 | explicit PythonExampleTask(boost::asio::local::stream_protocol::socket& socket, 28 | darwin::Manager& manager, 29 | std::shared_ptr> cache, 30 | PyObject *py_function); 31 | 32 | ~PythonExampleTask() override = default; 33 | 34 | static constexpr int KELVIN_TEMP_THRESHOLD = 300; 35 | 36 | public: 37 | // You need to override the functor to compile and be executed by the thread 38 | void operator()() override; 39 | 40 | protected: 41 | /// Get the result from the cache 42 | xxh::hash64_t GenerateHash() override; 43 | /// Return filter code 44 | long GetFilterCode() noexcept override; 45 | 46 | private: 47 | /// According to the header response, 48 | /// init the following Darwin workflow 49 | void Workflow(); 50 | 51 | /// Read a struct in_addr from the session and 52 | /// lookup in the bad host map to fill _result. 53 | /// 54 | /// \return the certitude of host's bad reputation (100: BAD, 0:Good) 55 | unsigned int WarmWeatherDetector(const int fahrenheit_temperature) noexcept; 56 | 57 | /// Parse the body received. 
58 | bool ParseBody() override; 59 | 60 | private: 61 | int _current_fahrenheit_temp; //The host to lookup 62 | PyObject *_py_function = nullptr; // the Python function to call in the module 63 | std::vector _fahrenheit_temps; 64 | }; 65 | -------------------------------------------------------------------------------- /samples/finspection/extract_impcap.hpp: -------------------------------------------------------------------------------- 1 | /* extract_impcap.h 2 | * 3 | * This header contains the definition of structures and functions 4 | * to get Impcap data 5 | * 6 | * File begun on 2018-12-5 7 | * 8 | * Created by: 9 | * - François Bernard (francois.bernard@isen.yncrea.fr) 10 | * - Théo Bertin (theo.bertin@isen.yncrea.fr) 11 | * - Tianyu Geng (tianyu.geng@isen.yncrea.fr) 12 | * 13 | * This file is part of rsyslog. 14 | * 15 | * Licensed under the Apache License, Version 2.0 (the "License"); 16 | * you may not use this file except in compliance with the License. 17 | * You may obtain a copy of the License at 18 | * 19 | * http://www.apache.org/licenses/LICENSE-2.0 20 | * -or- 21 | * see COPYING.ASL20 in the source distribution 22 | * 23 | * Unless required by applicable law or agreed to in writing, software 24 | * distributed under the License is distributed on an "AS IS" BASIS, 25 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 26 | * See the License for the specific language governing permissions and 27 | * limitations under the License. 
28 | */ 29 | #ifndef EXTRACT_IMPCAP_H 30 | #define EXTRACT_IMPCAP_H 31 | 32 | #define IMPCAP_METADATA "!impcap" 33 | #define IMPCAP_DATA "!data" 34 | 35 | #include 36 | #include 37 | #include "packets.hpp" 38 | 39 | #include "../toolkit/rapidjson/document.h" 40 | 41 | #define HTTP_PORT 80 42 | #define FTP_PORT 21 43 | #define FTP_PORT_DATA 20 44 | 45 | typedef struct TCPHdr_ { 46 | uint16_t sport; 47 | uint16_t dport; 48 | uint32_t seq; 49 | uint32_t ack; 50 | uint32_t TCPDataLength; 51 | const char *flags; 52 | } TCPHdr; 53 | 54 | #define ETHERTYPE_IPV4 0x0800 55 | #define ETHERTYPE_IPV6 0X86DD 56 | 57 | typedef struct IPV4Hdr_ { 58 | const char *src; 59 | const char *dst; 60 | uint8_t hLen; 61 | uint8_t ttl; 62 | uint8_t proto; 63 | } IPV4Hdr; 64 | 65 | typedef struct IPV6Hdr_ { 66 | const char *src; 67 | const char *dst; 68 | uint8_t ttl; 69 | uint8_t proto; 70 | } IPV6Hdr; 71 | 72 | struct Packet_ *getImpcapData(std::string, std::string); 73 | uint8_t *ImpcapDataDecode(const char *, uint32_t); 74 | TCPHdr *getTcpHeader(rapidjson::Document&); 75 | IPV4Hdr *getIpv4Header(rapidjson::Document&); 76 | IPV6Hdr *getIpv6Header(rapidjson::Document&); 77 | 78 | #endif /* EXTRACT_IMPCAP_H */ 79 | -------------------------------------------------------------------------------- /cmake/FindYara.cmake: -------------------------------------------------------------------------------- 1 | #[=======================================================================[.rst: 2 | FindYara 3 | ------- 4 | 5 | Finds the Yara library. 6 | 7 | Imported Targets 8 | ^^^^^^^^^^^^^^^^ 9 | 10 | This module provides the following imported targets, if found: 11 | 12 | ``Yara::Yara`` 13 | The Yara library 14 | 15 | Result Variables 16 | ^^^^^^^^^^^^^^^^ 17 | 18 | This will define the following variables: 19 | 20 | ``Yara_FOUND`` 21 | True if the system has the Yara library. 22 | ``Yara_VERSION`` 23 | The version of the Yara library which was found. 
24 | ``Yara_INCLUDE_DIRS`` 25 | Include directories needed to use Yara. 26 | ``Yara_LIBRARIES`` 27 | Libraries needed to link to Yara. 28 | 29 | Cache Variables 30 | ^^^^^^^^^^^^^^^ 31 | 32 | The following cache variables may also be set: 33 | 34 | ``Yara_INCLUDE_DIR`` 35 | The directory containing ``foo.h``. 36 | ``Yara_LIBRARY`` 37 | The path to the Yara library. 38 | 39 | #]=======================================================================] 40 | 41 | set(YARA_NAMES ${YARA_NAMES} yara libyara.a) 42 | 43 | find_package(PkgConfig) 44 | pkg_check_modules(PC_Yara QUIET yara crypto) 45 | 46 | find_path(Yara_INCLUDE_DIR 47 | NAMES yara.h 48 | PATHS ${PC_Yara_INCLUDE_DIRS} 49 | HINTS ${YARA_ROOT} 50 | PATH_SUFFIXES include/ 51 | ) 52 | find_library(Yara_LIBRARY 53 | NAMES ${YARA_NAMES} 54 | PATHS ${PC_Yara_LIBRARY_DIRS} 55 | HINTS ${YARA_ROOT} 56 | PATH_SUFFIXES lib/ 57 | ) 58 | 59 | set(Yara_VERSION ${PC_Yara_VERSION}) 60 | 61 | include(FindPackageHandleStandardArgs) 62 | find_package_handle_standard_args( 63 | Yara 64 | FOUND_VAR Yara_FOUND 65 | REQUIRED_VARS 66 | Yara_LIBRARY 67 | Yara_INCLUDE_DIR 68 | VERSION_VAR Yara_VERSION 69 | ) 70 | 71 | if(Yara_FOUND) 72 | set(Yara_LIBRARIES ${Yara_LIBRARY}) 73 | set(Yara_INCLUDE_DIRS ${Yara_INCLUDE_DIR}) 74 | set(Yara_DEFINITIONS ${PC_Yara_CFLAGS_OTHER}) 75 | endif() 76 | 77 | if(Yara_FOUND AND NOT TARGET Yara::Yara) 78 | add_library(Yara::Yara UNKNOWN IMPORTED) 79 | set_target_properties(Yara::Yara PROPERTIES 80 | IMPORTED_LOCATION "${Yara_LIBRARY}" 81 | INTERFACE_COMPILE_OPTIONS "${PC_Yara_CFLAGS_OTHER}" 82 | INTERFACE_INCLUDE_DIRECTORIES "${Yara_INCLUDE_DIR}" 83 | ) 84 | endif() 85 | 86 | mark_as_advanced( 87 | Yara_INCLUDE_DIR 88 | Yara_LIBRARY 89 | ) 90 | 91 | # compatibility variables 92 | set(Yara_VERSION_STRING ${Yara_VERSION}) -------------------------------------------------------------------------------- /samples/fsession/Generator.cpp: 
-------------------------------------------------------------------------------- 1 | /// \file Generator.cpp 2 | /// \authors jjourdin 3 | /// \version 1.0 4 | /// \date 30/08/18 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #include 9 | #include 10 | #include 11 | 12 | #include "../../toolkit/lru_cache.hpp" 13 | #include "base/Logger.hpp" 14 | #include "Generator.hpp" 15 | #include "SessionTask.hpp" 16 | #include "AlertManager.hpp" 17 | 18 | bool Generator::ConfigureAlerting(const std::string& tags) { 19 | DARWIN_LOGGER; 20 | 21 | DARWIN_LOG_DEBUG("Session:: ConfigureAlerting:: Configuring Alerting"); 22 | DARWIN_ALERT_MANAGER_SET_FILTER_NAME(DARWIN_FILTER_NAME); 23 | DARWIN_ALERT_MANAGER_SET_RULE_NAME(DARWIN_ALERT_RULE_NAME); 24 | if (tags.empty()) { 25 | DARWIN_LOG_DEBUG("Session:: ConfigureAlerting:: No alert tags provided in the configuration. Using default."); 26 | DARWIN_ALERT_MANAGER_SET_TAGS(DARWIN_ALERT_TAGS); 27 | } else { 28 | DARWIN_ALERT_MANAGER_SET_TAGS(tags); 29 | } 30 | return true; 31 | } 32 | 33 | bool Generator::LoadConfig(const rapidjson::Document &configuration) { 34 | DARWIN_LOGGER; 35 | DARWIN_LOG_DEBUG("Session:: Generator:: Loading configuration..."); 36 | 37 | std::string redis_socket_path; 38 | 39 | if (!configuration.HasMember("redis_socket_path")) { 40 | DARWIN_LOG_CRITICAL("Session:: Generator:: Missing parameter: 'redis_socket_path'"); 41 | return false; 42 | } 43 | 44 | if (!configuration["redis_socket_path"].IsString()) { 45 | DARWIN_LOG_CRITICAL("Session:: Generator:: 'redis_socket_path' needs to be a string"); 46 | return false; 47 | } 48 | 49 | redis_socket_path = configuration["redis_socket_path"].GetString(); 50 | darwin::toolkit::RedisManager& redis = darwin::toolkit::RedisManager::GetInstance(); 51 | // Done in AlertManager before arriving here, but will allow better transition from redis singleton 52 | redis.SetUnixConnection(redis_socket_path); 53 | return 
redis.FindAndConnect(); 54 | } 55 | 56 | darwin::session_ptr_t 57 | Generator::CreateTask(boost::asio::local::stream_protocol::socket& socket, 58 | darwin::Manager& manager) noexcept { 59 | return std::static_pointer_cast( 60 | std::make_shared(socket, manager, _cache, _cache_mutex)); 61 | } 62 | -------------------------------------------------------------------------------- /samples/fend/EndTask.cpp: -------------------------------------------------------------------------------- 1 | /// \file EndTask.cpp 2 | /// \authors jjourdin 3 | /// \version 1.0 4 | /// \date 22/05/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | #include "../../toolkit/RedisManager.hpp" 14 | #include "../../toolkit/lru_cache.hpp" 15 | #include "../../toolkit/xxhash.h" 16 | #include "../../toolkit/xxhash.hpp" 17 | #include "EndTask.hpp" 18 | #include "Logger.hpp" 19 | #include "protocol.h" 20 | 21 | EndTask::EndTask(boost::asio::local::stream_protocol::socket& socket, 22 | darwin::Manager& manager, 23 | std::shared_ptr> cache) 24 | : Session{"end", socket, manager, cache}{ 25 | _is_cache = _cache != nullptr; 26 | } 27 | 28 | void EndTask::operator()() { 29 | std::string evt_id, nb_result; 30 | 31 | evt_id = Evt_idToString(); 32 | nb_result = std::to_string(_header.certitude_size); 33 | REDISAdd(evt_id, nb_result); 34 | Workflow(); 35 | } 36 | 37 | long EndTask::GetFilterCode() noexcept { 38 | return DARWIN_FILTER_END; 39 | } 40 | 41 | void EndTask::Workflow() { 42 | switch (_header.response) { 43 | case DARWIN_RESPONSE_SEND_BOTH: 44 | SendToDarwin(); 45 | SendResToSession(); 46 | break; 47 | case DARWIN_RESPONSE_SEND_BACK: 48 | SendResToSession(); 49 | break; 50 | case DARWIN_RESPONSE_SEND_DARWIN: 51 | SendToDarwin(); 52 | break; 53 | case DARWIN_RESPONSE_SEND_NO: 54 | default: 55 | break; 56 | } 57 | } 58 | 59 | bool EndTask::REDISAdd(const std::string& evt_id, const std::string& 
nb_result) noexcept { 60 | DARWIN_LOGGER; 61 | DARWIN_LOG_DEBUG("EndTask::REDISAdd:: Add to key 'darwin_<" + evt_id + ">' the number :" + nb_result); 62 | 63 | darwin::toolkit::RedisManager& redis = darwin::toolkit::RedisManager::GetInstance(); 64 | if(redis.Query(std::vector{"SET", "darwin_" + evt_id, nb_result}, true) != REDIS_REPLY_STATUS) { 65 | DARWIN_LOG_ERROR("EndTask::REDISAdd:: Not the expected Redis response "); 66 | return false; 67 | } 68 | 69 | return true; 70 | } 71 | -------------------------------------------------------------------------------- /samples/ftanomaly/TAnomalyTask.hpp: -------------------------------------------------------------------------------- 1 | /// \file AnomalyTask.hpp 2 | /// \authors nsanti 3 | /// \version 1.0 4 | /// \date 01/07/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | #include 11 | #include "protocol.h" 12 | #include "Session.hpp" 13 | #include "TAnomalyThreadManager.hpp" 14 | 15 | #include "../../toolkit/RedisManager.hpp" 16 | #include "../../toolkit/lru_cache.hpp" 17 | 18 | #define DARWIN_FILTER_TANOMALY 0x544D4C59 19 | #define DARWIN_FILTER_NAME "anomaly" 20 | #define DARWIN_ALERT_RULE_NAME "Abnormal Number of Unique Port Connexion" 21 | #define DARWIN_ALERT_TAGS "[\"attack.discovery\", \"attack.t1046\", \"attack.command_and_control\", \"attack.defense_evasion\", \"attack.t1205\"]" 22 | 23 | 24 | // To create a usable task method you MUST inherit from darwin::thread::Task publicly. 25 | // The code bellow show all what's necessary to have a working task. 26 | // For more information about Tasks, please refer to the class definition. 
27 | 28 | class AnomalyTask: public darwin::Session { 29 | public: 30 | explicit AnomalyTask(boost::asio::local::stream_protocol::socket& socket, 31 | darwin::Manager& manager, 32 | std::shared_ptr> cache, 33 | std::mutex& cache_mutex, 34 | std::shared_ptr vat, 35 | std::string redis_list_name); 36 | ~AnomalyTask() override = default; 37 | 38 | public: 39 | // You need to override the functor to compile and be executed by the thread 40 | void operator()() override; 41 | 42 | protected: 43 | /// Return filter code 44 | long GetFilterCode() noexcept override; 45 | 46 | private: 47 | /// Parse a line from the body. 48 | /// \return true on parsing success, false otherwise 49 | /// \warning modifies _entry class attribute 50 | bool ParseLine(rapidjson::Value& line) final; 51 | 52 | /// Add the _entry parsed to REDIS 53 | /// \return true on success, false otherwise. 54 | bool REDISAddEntry() noexcept; 55 | 56 | private: 57 | std::string _redis_list_name; 58 | std::string _entry; 59 | std::shared_ptr _anomaly_thread_manager = nullptr; 60 | }; 61 | -------------------------------------------------------------------------------- /toolkit/FileManager.hpp: -------------------------------------------------------------------------------- 1 | #ifndef DARWIN_FILEMANAGER_HPP 2 | #define DARWIN_FILEMANAGER_HPP 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include "tsl/hopscotch_map.h" 10 | 11 | /// \namespace darwin 12 | namespace darwin { 13 | /// \namespace toolkit 14 | namespace toolkit { 15 | 16 | class FileManager { 17 | 18 | public: 19 | /// FileManager constructor 20 | /// \param file the file's path to manage 21 | /// \param append if we append data to the file 22 | explicit FileManager(const std::string& file, bool app=true, bool reopen_on_failure=true, std::size_t nb_retry=3); 23 | ~FileManager(); 24 | 25 | /// Open the file 26 | /// \param force_reopen If true, close the file and reopen it no matter what 27 | /// \return true if successful, else 
false 28 | bool Open(bool force_reopen=false); 29 | 30 | /// Write in the file 31 | /// \return true if successful, else false 32 | bool Write(const std::string& s); 33 | 34 | /// Add a value to add in the file 35 | /// \param val the value to add 36 | bool operator<<(int val); 37 | /// Add a string to add in the file 38 | /// \param str the string to add 39 | bool operator<<(const std::string& str); 40 | 41 | /// Check whether the file is open, accessible and the stream is in a good state. 42 | /// Also Checks for filbit and badbit just in case. 43 | /// \return true on success, false otherwise. 44 | explicit operator bool(); 45 | 46 | /// Set the value of the 'reopen_on_failure' flag. 47 | /// \param reopen The new value of the flag. 48 | void SetReOpenOnFailure(bool reopen); 49 | 50 | /// Return whether the manager is currently associated to a file. 51 | /// \return true if a file is open and associated with this manager, false otherwise. 52 | bool IsOpen(); 53 | 54 | private: 55 | bool app; 56 | std::string file; 57 | std::atomic_bool reopen_on_failure; 58 | std::size_t _nb_retry; 59 | std::mutex file_mutex; 60 | std::ofstream file_stream; 61 | }; 62 | } 63 | } 64 | 65 | #endif //DARWIN_FILEMANAGER_HPP 66 | -------------------------------------------------------------------------------- /toolkit/rapidjson/internal/strfunc.h: -------------------------------------------------------------------------------- 1 | // Tencent is pleased to support the open source community by making RapidJSON available. 2 | // 3 | // Copyright (C) 2015 THL A29 Limited, a Tencent company, and Milo Yip. All rights reserved. 4 | // 5 | // Licensed under the MIT License (the "License"); you may not use this file except 6 | // in compliance with the License. 
You may obtain a copy of the License at 7 | // 8 | // http://opensource.org/licenses/MIT 9 | // 10 | // Unless required by applicable law or agreed to in writing, software distributed 11 | // under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 12 | // CONDITIONS OF ANY KIND, either express or implied. See the License for the 13 | // specific language governing permissions and limitations under the License. 14 | 15 | #ifndef RAPIDJSON_INTERNAL_STRFUNC_H_ 16 | #define RAPIDJSON_INTERNAL_STRFUNC_H_ 17 | 18 | #include "../stream.h" 19 | #include 20 | 21 | RAPIDJSON_NAMESPACE_BEGIN 22 | namespace internal { 23 | 24 | //! Custom strlen() which works on different character types. 25 | /*! \tparam Ch Character type (e.g. char, wchar_t, short) 26 | \param s Null-terminated input string. 27 | \return Number of characters in the string. 28 | \note This has the same semantics as strlen(), the return value is not number of Unicode codepoints. 29 | */ 30 | template 31 | inline SizeType StrLen(const Ch* s) { 32 | RAPIDJSON_ASSERT(s != 0); 33 | const Ch* p = s; 34 | while (*p) ++p; 35 | return SizeType(p - s); 36 | } 37 | 38 | template <> 39 | inline SizeType StrLen(const char* s) { 40 | return SizeType(std::strlen(s)); 41 | } 42 | 43 | template <> 44 | inline SizeType StrLen(const wchar_t* s) { 45 | return SizeType(std::wcslen(s)); 46 | } 47 | 48 | //! Returns number of code points in a encoded string. 
49 | template 50 | bool CountStringCodePoint(const typename Encoding::Ch* s, SizeType length, SizeType* outCount) { 51 | RAPIDJSON_ASSERT(s != 0); 52 | RAPIDJSON_ASSERT(outCount != 0); 53 | GenericStringStream is(s); 54 | const typename Encoding::Ch* end = s + length; 55 | SizeType count = 0; 56 | while (is.src_ < end) { 57 | unsigned codepoint; 58 | if (!Encoding::Decode(is, &codepoint)) 59 | return false; 60 | count++; 61 | } 62 | *outCount = count; 63 | return true; 64 | } 65 | 66 | } // namespace internal 67 | RAPIDJSON_NAMESPACE_END 68 | 69 | #endif // RAPIDJSON_INTERNAL_STRFUNC_H_ 70 | -------------------------------------------------------------------------------- /samples/fdga/TfLiteHelper.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | 4 | #include "tensorflow/lite/interpreter.h" 5 | #include "tensorflow/lite/model.h" 6 | 7 | /// 8 | /// \brief Subclass of tflite::ErrorReporter to log TF lite errors to the darwin 9 | /// logger 10 | /// 11 | /// 12 | class DarwinTfLiteErrorReporter: public tflite::ErrorReporter { 13 | public: 14 | ~DarwinTfLiteErrorReporter() = default; 15 | static DarwinTfLiteErrorReporter* GetInstance() noexcept ; 16 | int Report(const char* format, va_list args) noexcept override final; 17 | private: 18 | DarwinTfLiteErrorReporter() = default; 19 | /// 20 | /// \brief Static instance of the tf lite reporter used to log errors in darwin 21 | /// 22 | /// 23 | static DarwinTfLiteErrorReporter tfErrorReporter; 24 | }; 25 | 26 | /// 27 | /// \brief Class that will hold a pointer to the model and 28 | /// dispatch thread_local tflite interpreters 29 | /// 30 | /// 31 | class DarwinTfLiteInterpreterFactory { 32 | public: 33 | DarwinTfLiteInterpreterFactory() = default; 34 | ~DarwinTfLiteInterpreterFactory() = default; 35 | 36 | //No copy, no move 37 | DarwinTfLiteInterpreterFactory(const DarwinTfLiteInterpreterFactory&) = delete; 38 | DarwinTfLiteInterpreterFactory& 
operator=(const DarwinTfLiteInterpreterFactory&) = delete; 39 | 40 | DarwinTfLiteInterpreterFactory(DarwinTfLiteInterpreterFactory&&) = delete; 41 | DarwinTfLiteInterpreterFactory& operator=(DarwinTfLiteInterpreterFactory&&) = delete; 42 | 43 | /// 44 | /// \brief TF lite interpreters are *NOT* thread-safe, to ensure thread safety in darwin, 45 | /// this function returns a pointer to a thread_local tflite::interpreter 46 | /// This method must be called AFTER Factory::SetModel 47 | /// In case of an error (model not set), it kills its process and returns a nullptr 48 | /// 49 | /// \return std::shared_ptr pointer to a thread_local allocated interpreter, may be null if no model is set 50 | /// 51 | std::shared_ptr GetInterpreter(); 52 | 53 | /// 54 | /// \brief acquire pointer to model to be used for prediction 55 | /// 56 | /// \param model pointer to model to be used for prediction 57 | /// 58 | void SetModel(std::shared_ptr model); 59 | private: 60 | std::shared_ptr _model; 61 | }; -------------------------------------------------------------------------------- /samples/fsofa/SofaTask.hpp: -------------------------------------------------------------------------------- 1 | /// \file SofaTask.hpp 2 | /// \authors Hugo Soszynski 3 | /// \version 1.0 4 | /// \date 25/11/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2019 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | #include 11 | 12 | #include "../../toolkit/lru_cache.hpp" 13 | #include "../../toolkit/PythonUtils.hpp" 14 | #include "../../toolkit/xxhash.h" 15 | #include "../../toolkit/xxhash.hpp" 16 | #include "protocol.h" 17 | #include "Session.hpp" 18 | #include "FileManager.hpp" 19 | 20 | #define DARWIN_FILTER_SOFA 0x72676476 21 | #define DARWIN_FILTER_NAME "sofa" 22 | #define DARWIN_ALERT_RULE_NAME "Scan Outlier Finding and Analysis" 23 | #define DARWIN_ALERT_TAGS "[\"attack.t1200\"]" 24 | 25 | // To create a usable task method you MUST inherit from darwin::thread::Task publicly. 
26 | // The code bellow show all what's necessary to have a working task. 27 | // For more information about Tasks, please refer to the class definition. 28 | 29 | class SofaTask : public darwin::Session { 30 | public: 31 | explicit SofaTask(boost::asio::local::stream_protocol::socket& socket, 32 | darwin::Manager& manager, 33 | std::shared_ptr> cache, 34 | std::mutex& cache_mutex, 35 | PyObject *py_function, 36 | std::string input_csv, 37 | std::string output_csv, 38 | std::string output_json); 39 | 40 | ~SofaTask() override; 41 | 42 | public: 43 | // You need to override the functor to compile and be executed by the thread 44 | void operator()() override; 45 | 46 | protected: 47 | /// Return filter code 48 | long GetFilterCode() noexcept override; 49 | 50 | private: 51 | /// Parse the body received. 52 | bool ParseBody() override; 53 | 54 | virtual bool ParseLine(rapidjson::Value& line) override final; 55 | virtual bool ParseLine(rapidjson::Value& line, darwin::toolkit::FileManager& file) final; 56 | 57 | bool RunScript() noexcept; 58 | bool LoadResponseFromFile(); 59 | virtual bool SendToClient() noexcept override; 60 | 61 | private: 62 | PyObject *_py_function = nullptr; // the Python function to call in the module 63 | std::string _csv_input_path; //!< Python script input 64 | std::string _csv_output_path; //!< Python Script output 65 | std::string _json_output_path; //!< Python Script output 66 | std::string _response_body; 67 | }; 68 | -------------------------------------------------------------------------------- /samples/base/Monitor.hpp: -------------------------------------------------------------------------------- 1 | /// \file Monitor.hpp 2 | /// \authors hsoszynski 3 | /// \version 1.0 4 | /// \date 12/04/18 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 
7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | /// \namespace darwin 15 | namespace darwin { 16 | 17 | /// This class is made to handle one connection at the time. 18 | /// Each connection will receive monitoring data. 19 | /// 20 | ///\class Monitor 21 | class Monitor { 22 | 23 | public: 24 | /// Constructor. 25 | /// 26 | /// \param unix_socket_path The path to the unix socket to connect to the management API. 27 | explicit Monitor(std::string const& unix_socket_path); 28 | ~Monitor() = default; 29 | 30 | public: 31 | /// Main loop of the monitoring thread. 32 | /// Listen to incoming connection on the monitoring socket to 33 | /// send back monitoring data. 34 | /// 35 | /// \param tp The ThreadPool to monitor. 36 | void Run(); 37 | 38 | private: 39 | /// Start async waiting for the stopping signals. 40 | void AwaitStop(); 41 | 42 | /// Handler called when signal is received by the async wait. 43 | /// 44 | /// \param sig The received signal. 45 | void HandleStop(boost::system::error_code const& error, int sig); 46 | 47 | /// Start an async connection acceptation on _new_session's socket. 48 | void Accept(); 49 | 50 | /// Handler called on async accept trigger. 51 | void HandleAccept(boost::system::error_code const& e); 52 | 53 | /// Send the monitoring data through the socket asynchronously. 54 | void SendMonitoringData(); 55 | 56 | /// Called when data is sent using SendMonitoringData() method. 57 | /// Terminate the session on failure. 58 | /// 59 | /// \param size The number of byte sent. 60 | void HandleSend(boost::system::error_code const& e, std::size_t size); 61 | 62 | private: 63 | std::string _socket_path; //!< Path to the UNIX socket to listen on. 64 | boost::asio::io_context _io_context; //!< The async io context. 65 | boost::asio::signal_set _signals; //!< Set of the stopping signals. 66 | boost::asio::local::stream_protocol::acceptor _acceptor; //!< Acceptor for the incoming connections. 
67 | boost::asio::local::stream_protocol::socket _connection; //!< Socket of the current connection. 68 | }; 69 | } -------------------------------------------------------------------------------- /cmake/FindHiredis.cmake: -------------------------------------------------------------------------------- 1 | #[=======================================================================[.rst: 2 | FindHiredis 3 | ------- 4 | 5 | Finds the Hiredis library. 6 | 7 | Imported Targets 8 | ^^^^^^^^^^^^^^^^ 9 | 10 | This module provides the following imported targets, if found: 11 | 12 | ``Hiredis::Hiredis`` 13 | The Hiredis library 14 | 15 | Result Variables 16 | ^^^^^^^^^^^^^^^^ 17 | 18 | This will define the following variables: 19 | 20 | ``Hiredis_FOUND`` 21 | True if the system has the Hiredis library. 22 | ``Hiredis_VERSION`` 23 | The version of the Hiredis library which was found. 24 | ``Hiredis_INCLUDE_DIRS`` 25 | Include directories needed to use Hiredis. 26 | ``Hiredis_LIBRARIES`` 27 | Libraries needed to link to Hiredis. 28 | 29 | Cache Variables 30 | ^^^^^^^^^^^^^^^ 31 | 32 | The following cache variables may also be set: 33 | 34 | ``Hiredis_INCLUDE_DIR`` 35 | The directory containing ``foo.h``. 36 | ``Hiredis_LIBRARY`` 37 | The path to the Hiredis library. 
38 | 39 | #]=======================================================================] 40 | 41 | set(HIREDIS_NAMES ${HIREDIS_NAMES} libhiredis.a hiredis) 42 | 43 | find_package(PkgConfig) 44 | pkg_check_modules(PC_Hiredis QUIET hiredis) 45 | 46 | 47 | find_path(Hiredis_INCLUDE_DIR 48 | NAMES hiredis/hiredis.h 49 | PATHS ${PC_Hiredis_INCLUDE_DIRS} 50 | HINTS ${HIREDIS_ROOT} 51 | PATH_SUFFIXES usr/local/include/ 52 | ) 53 | find_library(Hiredis_LIBRARY 54 | NAMES ${HIREDIS_NAMES} 55 | PATHS ${PC_Hiredis_LIBRARY_DIRS} 56 | HINTS ${HIREDIS_ROOT} 57 | PATH_SUFFIXES usr/local/lib/ 58 | ) 59 | 60 | set(Hiredis_VERSION ${PC_Hiredis_VERSION}) 61 | 62 | include(FindPackageHandleStandardArgs) 63 | find_package_handle_standard_args( 64 | Hiredis 65 | FOUND_VAR Hiredis_FOUND 66 | REQUIRED_VARS 67 | Hiredis_LIBRARY 68 | Hiredis_INCLUDE_DIR 69 | VERSION_VAR Hiredis_VERSION 70 | ) 71 | 72 | if(Hiredis_FOUND) 73 | set(Hiredis_LIBRARIES ${Hiredis_LIBRARY}) 74 | set(Hiredis_INCLUDE_DIRS ${Hiredis_INCLUDE_DIR}) 75 | set(Hiredis_DEFINITIONS ${PC_Hiredis_CFLAGS_OTHER}) 76 | endif() 77 | 78 | if(Hiredis_FOUND AND NOT TARGET Hiredis::Hiredis) 79 | add_library(Hiredis::Hiredis UNKNOWN IMPORTED) 80 | set_target_properties(Hiredis::Hiredis PROPERTIES 81 | IMPORTED_LOCATION "${Hiredis_LIBRARY}" 82 | INTERFACE_COMPILE_OPTIONS "${PC_Hiredis_CFLAGS_OTHER}" 83 | INTERFACE_INCLUDE_DIRECTORIES "${Hiredis_INCLUDE_DIR}" 84 | ) 85 | endif() 86 | 87 | mark_as_advanced( 88 | Hiredis_INCLUDE_DIR 89 | Hiredis_LIBRARY 90 | ) 91 | 92 | # compatibility variables 93 | set(Hiredis_VERSION_STRING ${Hiredis_VERSION}) -------------------------------------------------------------------------------- /samples/finspection/ContentInspectionTask.hpp: -------------------------------------------------------------------------------- 1 | /// \file ContentInspection.hpp 2 | /// \authors jjourdin 3 | /// \version 1.0 4 | /// \date 10/09/18 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 
7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | 13 | #include "../../toolkit/lru_cache.hpp" 14 | #include "../../toolkit/rapidjson/stringbuffer.h" 15 | #include "../../toolkit/rapidjson/writer.h" 16 | #include "protocol.h" 17 | #include "Session.hpp" 18 | 19 | #include "tcp_sessions.hpp" 20 | #include "stream_buffer.hpp" 21 | #include "flow.hpp" 22 | #include "yara_utils.hpp" 23 | #include "extract_impcap.hpp" 24 | 25 | #define DARWIN_FILTER_CONTENT_INSPECTION 0x79617261 26 | #define DARWIN_FILTER_NAME "inspection" 27 | #define DARWIN_ALERT_RULE_NAME "YARA Network Packet & Stream Inspection" 28 | #define DARWIN_ALERT_TAGS "[]" 29 | 30 | typedef struct Configurations_t { 31 | StreamsCnf *streamsCnf; 32 | FlowCnf *flowCnf; 33 | YaraCnf *yaraCnf; 34 | }Configurations; 35 | 36 | // To create a usable task method you MUST inherit from darwin::thread::Task publicly. 37 | // The code bellow show all what's necessary to have a working task. 38 | // For more information about Tasks, please refer to the class definition. 39 | 40 | class ContentInspectionTask : public darwin::Session { 41 | public: 42 | explicit ContentInspectionTask(boost::asio::local::stream_protocol::socket& socket, 43 | darwin::Manager& manager, 44 | std::shared_ptr> cache, 45 | std::mutex& _cache_mutex, 46 | Configurations& configurations); 47 | 48 | ~ContentInspectionTask() override = default; 49 | 50 | public: 51 | // You need to override the functor to compile and be executed by the thread 52 | void operator()() override; 53 | 54 | protected: 55 | /// Return filter code 56 | long GetFilterCode() noexcept override; 57 | 58 | private: 59 | /// According to the header response, 60 | /// init the following Darwin workflow 61 | void Workflow(); 62 | 63 | /// Parse the body received. 64 | bool ParseBody() override; 65 | 66 | /// Convert a std::set to string json list 67 | std::string GetJsonListFromSet(std::set &input); 68 | 69 | // Implemented but not used. 
70 | bool ParseLine(rapidjson::Value& line __attribute__((unsused))) final {return true;} 71 | 72 | private: 73 | Configurations _configurations; 74 | std::vector _packetList; 75 | }; 76 | -------------------------------------------------------------------------------- /toolkit/Files.cpp: -------------------------------------------------------------------------------- 1 | #include "Files.hpp" 2 | 3 | namespace darwin { 4 | namespace files_utils { 5 | 6 | std::istream& GetLineSafe(std::istream& is, std::string& t) { 7 | t.clear(); 8 | 9 | // The characters in the stream are read one-by-one using a std::streambuf. 10 | // That is faster than reading them one-by-one using the std::istream. 11 | // Code that uses streambuf this way must be guarded by a sentry object. 12 | // The sentry object performs various tasks, 13 | // such as thread synchronization and updating the stream state. 14 | 15 | std::istream::sentry se(is, true); 16 | std::streambuf* sb = is.rdbuf(); 17 | 18 | for (;;) { 19 | int c = sb->sbumpc(); 20 | switch (c) { 21 | case '\n': 22 | return is; 23 | case '\r': 24 | if (sb->sgetc() == '\n') { 25 | sb->sbumpc(); 26 | } 27 | return is; 28 | case EOF: 29 | // Also handle the case when the last line has no line ending 30 | if (t.empty()) { 31 | is.setstate(std::ios::eofbit); 32 | } 33 | return is; 34 | case ' ': 35 | break; 36 | case '\t': 37 | break; 38 | default: 39 | t += (char)c; 40 | } 41 | } 42 | } 43 | 44 | std::string GetNameFromPath(const std::string& filename) { 45 | char sep = '/'; 46 | 47 | #ifdef _WIN32 48 | sep = '\\'; 49 | #endif 50 | 51 | size_t i = filename.rfind(sep, filename.length()); 52 | if (i != std::string::npos) { 53 | return(filename.substr(i+1, filename.length() - i)); 54 | } 55 | 56 | return(""); 57 | } 58 | 59 | void ReplaceExtension(std::string& filename, const std::string& new_extension) { 60 | std::string::size_type i = filename.rfind('.', filename.length()); 61 | 62 | if (i != std::string::npos) { 63 | if 
(new_extension.empty()) 64 | filename = filename.substr(0, i); 65 | else 66 | filename.replace(i+1, new_extension.length(), new_extension); 67 | } 68 | } 69 | 70 | } 71 | } 72 | -------------------------------------------------------------------------------- /toolkit/rapidjson/cursorstreamwrapper.h: -------------------------------------------------------------------------------- 1 | // Tencent is pleased to support the open source community by making RapidJSON available. 2 | // 3 | // Copyright (C) 2015 THL A29 Limited, a Tencent company, and Milo Yip. All rights reserved. 4 | // 5 | // Licensed under the MIT License (the "License"); you may not use this file except 6 | // in compliance with the License. You may obtain a copy of the License at 7 | // 8 | // http://opensource.org/licenses/MIT 9 | // 10 | // Unless required by applicable law or agreed to in writing, software distributed 11 | // under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 12 | // CONDITIONS OF ANY KIND, either express or implied. See the License for the 13 | // specific language governing permissions and limitations under the License. 14 | 15 | #ifndef RAPIDJSON_CURSORSTREAMWRAPPER_H_ 16 | #define RAPIDJSON_CURSORSTREAMWRAPPER_H_ 17 | 18 | #include "stream.h" 19 | 20 | #if defined(__GNUC__) 21 | RAPIDJSON_DIAG_PUSH 22 | RAPIDJSON_DIAG_OFF(effc++) 23 | #endif 24 | 25 | #if defined(_MSC_VER) && _MSC_VER <= 1800 26 | RAPIDJSON_DIAG_PUSH 27 | RAPIDJSON_DIAG_OFF(4702) // unreachable code 28 | RAPIDJSON_DIAG_OFF(4512) // assignment operator could not be generated 29 | #endif 30 | 31 | RAPIDJSON_NAMESPACE_BEGIN 32 | 33 | 34 | //! Cursor stream wrapper for counting line and column number if error exists. 35 | /*! 
36 | \tparam InputStream Any stream that implements Stream Concept 37 | */ 38 | template > 39 | class CursorStreamWrapper : public GenericStreamWrapper { 40 | public: 41 | typedef typename Encoding::Ch Ch; 42 | 43 | CursorStreamWrapper(InputStream& is): 44 | GenericStreamWrapper(is), line_(1), col_(0) {} 45 | 46 | // counting line and column number 47 | Ch Take() { 48 | Ch ch = this->is_.Take(); 49 | if(ch == '\n') { 50 | line_ ++; 51 | col_ = 0; 52 | } else { 53 | col_ ++; 54 | } 55 | return ch; 56 | } 57 | 58 | //! Get the error line number, if error exists. 59 | size_t GetLine() const { return line_; } 60 | //! Get the error column number, if error exists. 61 | size_t GetColumn() const { return col_; } 62 | 63 | private: 64 | size_t line_; //!< Current Line 65 | size_t col_; //!< Current Column 66 | }; 67 | 68 | #if defined(_MSC_VER) && _MSC_VER <= 1800 69 | RAPIDJSON_DIAG_POP 70 | #endif 71 | 72 | #if defined(__GNUC__) 73 | RAPIDJSON_DIAG_POP 74 | #endif 75 | 76 | RAPIDJSON_NAMESPACE_END 77 | 78 | #endif // RAPIDJSON_CURSORSTREAMWRAPPER_H_ 79 | -------------------------------------------------------------------------------- /toolkit/rapidjson/ostreamwrapper.h: -------------------------------------------------------------------------------- 1 | // Tencent is pleased to support the open source community by making RapidJSON available. 2 | // 3 | // Copyright (C) 2015 THL A29 Limited, a Tencent company, and Milo Yip. All rights reserved. 4 | // 5 | // Licensed under the MIT License (the "License"); you may not use this file except 6 | // in compliance with the License. You may obtain a copy of the License at 7 | // 8 | // http://opensource.org/licenses/MIT 9 | // 10 | // Unless required by applicable law or agreed to in writing, software distributed 11 | // under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 12 | // CONDITIONS OF ANY KIND, either express or implied. 
See the License for the 13 | // specific language governing permissions and limitations under the License. 14 | 15 | #ifndef RAPIDJSON_OSTREAMWRAPPER_H_ 16 | #define RAPIDJSON_OSTREAMWRAPPER_H_ 17 | 18 | #include "stream.h" 19 | #include 20 | 21 | #ifdef __clang__ 22 | RAPIDJSON_DIAG_PUSH 23 | RAPIDJSON_DIAG_OFF(padded) 24 | #endif 25 | 26 | RAPIDJSON_NAMESPACE_BEGIN 27 | 28 | //! Wrapper of \c std::basic_ostream into RapidJSON's Stream concept. 29 | /*! 30 | The classes can be wrapped including but not limited to: 31 | 32 | - \c std::ostringstream 33 | - \c std::stringstream 34 | - \c std::wpstringstream 35 | - \c std::wstringstream 36 | - \c std::ifstream 37 | - \c std::fstream 38 | - \c std::wofstream 39 | - \c std::wfstream 40 | 41 | \tparam StreamType Class derived from \c std::basic_ostream. 42 | */ 43 | 44 | template 45 | class BasicOStreamWrapper { 46 | public: 47 | typedef typename StreamType::char_type Ch; 48 | BasicOStreamWrapper(StreamType& stream) : stream_(stream) {} 49 | 50 | void Put(Ch c) { 51 | stream_.put(c); 52 | } 53 | 54 | void Flush() { 55 | stream_.flush(); 56 | } 57 | 58 | // Not implemented 59 | char Peek() const { RAPIDJSON_ASSERT(false); return 0; } 60 | char Take() { RAPIDJSON_ASSERT(false); return 0; } 61 | size_t Tell() const { RAPIDJSON_ASSERT(false); return 0; } 62 | char* PutBegin() { RAPIDJSON_ASSERT(false); return 0; } 63 | size_t PutEnd(char*) { RAPIDJSON_ASSERT(false); return 0; } 64 | 65 | private: 66 | BasicOStreamWrapper(const BasicOStreamWrapper&); 67 | BasicOStreamWrapper& operator=(const BasicOStreamWrapper&); 68 | 69 | StreamType& stream_; 70 | }; 71 | 72 | typedef BasicOStreamWrapper OStreamWrapper; 73 | typedef BasicOStreamWrapper WOStreamWrapper; 74 | 75 | #ifdef __clang__ 76 | RAPIDJSON_DIAG_POP 77 | #endif 78 | 79 | RAPIDJSON_NAMESPACE_END 80 | 81 | #endif // RAPIDJSON_OSTREAMWRAPPER_H_ 82 | -------------------------------------------------------------------------------- /toolkit/FileManager.cpp: 
-------------------------------------------------------------------------------- 1 | #include "FileManager.hpp" 2 | 3 | #include 4 | #include 5 | #include 6 | #include "base/Logger.hpp" 7 | 8 | /// \namespace darwin 9 | namespace darwin { 10 | /// \namespace toolkit 11 | namespace toolkit{ 12 | 13 | FileManager::FileManager(const std::string& file, bool app, bool reopen_on_failure, std::size_t nb_retry) 14 | : app{app}, file{file}, reopen_on_failure{reopen_on_failure}, 15 | _nb_retry{nb_retry} {} 16 | 17 | bool FileManager::Open(bool force_reopen) { 18 | if (not force_reopen && (*this)) 19 | return true; 20 | 21 | std::lock_guard lock(file_mutex); 22 | file_stream.close(); 23 | 24 | if (app) 25 | file_stream.open(file, std::ios_base::in | std::ios_base::out | std::ios_base::app); 26 | else 27 | file_stream.open(file, std::ios_base::in | std::ios_base::out | std::ios_base::trunc); 28 | 29 | return true && (*this); // Little trick to trigger the bool operator instead of cast 30 | } 31 | 32 | bool FileManager::Write(const std::string& s){ 33 | bool force_reopen = false; 34 | for (std::size_t i = 0; i < this->_nb_retry; ++i) { 35 | if(Open(force_reopen)){ 36 | try { 37 | std::lock_guard lock(file_mutex); 38 | file_stream << s << std::flush; 39 | return true; 40 | } catch (std::ofstream::failure& e) { 41 | std::cerr << "Exception when writing in file..." 
<< e.what(); 42 | } 43 | } 44 | force_reopen = true; 45 | } 46 | return false; 47 | } 48 | 49 | bool FileManager::operator<<(const std::string& str) { 50 | return Write(str); 51 | } 52 | 53 | bool FileManager::operator<<(int val) { 54 | std::string val_str = std::to_string(val); 55 | return Write(val_str); 56 | } 57 | 58 | bool FileManager::IsOpen() { 59 | return this->file_stream.is_open(); 60 | } 61 | 62 | void FileManager::SetReOpenOnFailure(bool reopen) { 63 | reopen_on_failure = reopen; 64 | } 65 | 66 | FileManager::operator bool() { 67 | return file_stream.is_open() && file_stream.good() && file_stream && (access(file.c_str(), F_OK) != -1); 68 | } 69 | 70 | FileManager::~FileManager() { 71 | file_stream.close(); 72 | } 73 | } 74 | } 75 | -------------------------------------------------------------------------------- /samples/fhostlookup/HostLookupTask.hpp: -------------------------------------------------------------------------------- 1 | /// \file HostLookup.hpp 2 | /// \authors jjourdin 3 | /// \version 1.0 4 | /// \date 10/09/18 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | #include 11 | 12 | #include "../../toolkit/lru_cache.hpp" 13 | #include "protocol.h" 14 | #include "Session.hpp" 15 | #include "tsl/hopscotch_map.h" 16 | #include "tsl/hopscotch_set.h" 17 | 18 | #define DARWIN_FILTER_HOSTLOOKUP 0x66726570 19 | #define DARWIN_FILTER_NAME "hostlookup" 20 | #define DARWIN_ALERT_RULE_NAME "Lookup: " 21 | #define DARWIN_ALERT_TAGS "[]" 22 | 23 | // To create a usable task method you MUST inherit from darwin::thread::Task publicly. 24 | // The code bellow show all what's necessary to have a working task. 25 | // For more information about Tasks, please refer to the class definition. 
26 | 27 | class HostLookupTask : public darwin::Session { 28 | public: 29 | explicit HostLookupTask(boost::asio::local::stream_protocol::socket& socket, 30 | darwin::Manager& manager, 31 | std::shared_ptr> cache, 32 | std::mutex& cache_mutex, 33 | tsl::hopscotch_map>& db, 34 | const std::string& feed_name); 35 | 36 | ~HostLookupTask() override = default; 37 | 38 | public: 39 | // You need to override the functor to compile and be executed by the thread 40 | void operator()() override; 41 | 42 | protected: 43 | /// Get the result from the cache 44 | xxh::hash64_t GenerateHash() override; 45 | /// Return filter code 46 | long GetFilterCode() noexcept override; 47 | 48 | private: 49 | /// Read a struct in_addr from the session and 50 | /// lookup in the bad host map to fill _result. 51 | /// 52 | /// \param description The description to be "returned" by the lookup 53 | /// \return the certitude of host's bad reputation (100: BAD, 0:Good) 54 | unsigned int DBLookup(std::string& description) noexcept; 55 | 56 | const std::string BuildAlert(const std::string& host, unsigned int certitude); 57 | 58 | /// Parse a line from the body. 59 | bool ParseLine(rapidjson::Value &line) final; 60 | 61 | const std::string AlertDetails(std::string const& descrption = ""); 62 | 63 | private: 64 | // This implementation of the hopscotch map allows multiple reader with no writer 65 | tsl::hopscotch_map>& _database ; //!< The "bad" hostname database 66 | const std::string& _feed_name; 67 | std::string _host; 68 | }; 69 | -------------------------------------------------------------------------------- /samples/fsession/SessionTask.hpp: -------------------------------------------------------------------------------- 1 | /// \file SessionTask.hpp 2 | /// \authors jjourdin 3 | /// \version 1.0 4 | /// \date 30/08/18 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 
7 | 8 | #pragma once 9 | 10 | extern "C" { 11 | #include 12 | } 13 | 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | #include "protocol.h" 22 | #include "Session.hpp" 23 | #include "../../toolkit/lru_cache.hpp" 24 | #include "../../toolkit/RedisManager.hpp" 25 | 26 | 27 | #define DARWIN_FILTER_SESSION 0x73657373 28 | #define DARWIN_FILTER_NAME "session" 29 | #define DARWIN_ALERT_RULE_NAME "Session" 30 | #define DARWIN_ALERT_TAGS "[]" 31 | 32 | // To create a usable task method you MUST inherit from darwin::thread::Task publicly. 33 | // The code bellow show all what's necessary to have a working task. 34 | // For more information about Tasks, please refer to the class definition. 35 | 36 | class SessionTask : public darwin::Session { 37 | public: 38 | explicit SessionTask(boost::asio::local::stream_protocol::socket& socket, 39 | darwin::Manager& manager, 40 | std::shared_ptr> cache, 41 | std::mutex& cache_mutex); 42 | ~SessionTask() override = default; 43 | 44 | 45 | public: 46 | // You need to override the functor to compile and be executed by the thread 47 | void operator()() override; 48 | 49 | protected: 50 | /// Return filter code 51 | long GetFilterCode() noexcept override; 52 | 53 | private: 54 | /// Reset the expiration of key(s) in Redis depending on cases 55 | /// will reset the expiration of key(s) _ with _expiration 56 | /// will reset the expiration of the key with _expiration if current TTL is lower 57 | /// 58 | /// \return true on success, false otherwise 59 | bool REDISResetExpire(const std::string &token, const std::string &repo_ids); 60 | 61 | /// Read a session number (from Cookie or HTTP header) from the session and 62 | /// perform a redis lookup. 63 | /// 64 | /// \return true on success, false otherwise. 65 | unsigned int REDISLookup(const std::string &token, const std::vector &repo_ids) noexcept; 66 | 67 | /// Parse a line of the body. 
68 | bool ParseLine(rapidjson::Value &line) final; 69 | 70 | private: 71 | // Session_status in Redis 72 | std::string _token; // The token to check 73 | std::vector _repo_ids; // The associated repository IDs to check 74 | uint64_t _expiration = 0; // The expiration to set 75 | }; 76 | -------------------------------------------------------------------------------- /samples/protocol.h: -------------------------------------------------------------------------------- 1 | /* Copyright 2019 Advens 2 | * 3 | * Licensed under the Apache License, Version 2.0 (the "License"); 4 | * you may not use this file except in compliance with the License. 5 | * You may obtain a copy of the License at 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | * 9 | * Unless required by applicable law or agreed to in writing, software 10 | * distributed under the License is distributed on an "AS IS" BASIS, 11 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | * See the License for the specific language governing permissions and 13 | * limitations under the License. 14 | */ 15 | #ifndef DARWIN_PROTOCOL_H 16 | # define DARWIN_PROTOCOL_H 17 | 18 | #ifdef __cplusplus 19 | extern "C" { 20 | #endif 21 | 22 | #include 23 | #include 24 | 25 | #define DARWIN_FILTER_CODE_NO 0x00000000 26 | // the default certitude list size, which is 1, to allow FMAs (see flexible array members on C99) for both C and C++ code 27 | #define DEFAULT_CERTITUDE_LIST_SIZE 1 28 | 29 | /// Represent the receiver of the results. 30 | /// 31 | /// \enum darwin_response_type 32 | enum darwin_filter_response_type { 33 | DARWIN_RESPONSE_SEND_NO = 0,//!< Don't send results to anybody. 34 | DARWIN_RESPONSE_SEND_BACK, //!< Send results back to caller. 35 | DARWIN_RESPONSE_SEND_DARWIN, //!< Send results to the next filter. 36 | DARWIN_RESPONSE_SEND_BOTH, //!< Send results to both caller and the next filter. 37 | }; 38 | 39 | /// Represent the type of information sent. 
40 | /// 41 | /// \enum darwin_packet_type 42 | enum darwin_packet_type { 43 | DARWIN_PACKET_OTHER = 0, //!< Information sent by something else. 44 | DARWIN_PACKET_FILTER, //!< Information sent by another filter. 45 | }; 46 | 47 | /// First packet to be sent to a filter. 48 | /// 49 | /// \struct darwin_filter_packet_t 50 | typedef struct { 51 | enum darwin_packet_type type; //!< The type of information sent. 52 | enum darwin_filter_response_type response; //!< Whom the response will be sent to. 53 | long filter_code; //!< The unique identifier code of a filter. 54 | size_t body_size; //!< The complete size of the the parameters to be sent (if needed). 55 | unsigned char evt_id[16]; //!< An array containing the event ID 56 | size_t certitude_size; //!< The size of the list containing the certitudes. 57 | unsigned int certitude_list[DEFAULT_CERTITUDE_LIST_SIZE]; //!< The scores or the certitudes of the module. May be used to pass other info in specific cases. 58 | } darwin_filter_packet_t; 59 | 60 | #ifdef __cplusplus 61 | }; 62 | #endif 63 | 64 | #endif /* !DARWIN_PROTOCOL_H */ 65 | -------------------------------------------------------------------------------- /toolkit/PythonUtils.hpp: -------------------------------------------------------------------------------- 1 | /// \file PythonUtils.hpp 2 | /// \authors gcatto 3 | /// \version 1.0 4 | /// \date 30/01/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 
7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | 13 | /// \namespace darwin 14 | namespace darwin { 15 | /// \namespace pythonutils 16 | namespace pythonutils { 17 | bool InitPythonProgram(const std::string &python_path_str, wchar_t **program_name, 18 | const std::string *custom_python_path=nullptr); 19 | 20 | bool ImportPythonModule(const std::string &module_str, PyObject **py_module); 21 | 22 | bool GetPythonFunction(PyObject *py_module, const std::string &function_str, PyObject **py_function); 23 | 24 | bool CallPythonFunction(PyObject *py_function, PyObject **py_result); 25 | 26 | bool CallPythonFunction(PyObject *py_function, PyObject *py_args, PyObject **py_result); 27 | 28 | void ExitPythonProgram(wchar_t **program_name); 29 | } 30 | } 31 | 32 | // int main(int argc, char **argv) { 33 | // std::string python_path_str = "./testenv/bin/python"; 34 | // std::string module_str = "request_test"; 35 | // std::string function_str = "make_dummy_request"; 36 | // wchar_t *program_name = nullptr; 37 | // PyObject *py_function = nullptr; 38 | // PyObject *py_module = nullptr; 39 | // PyObject *py_result = nullptr; 40 | 41 | // if (!darwin::pythonutils::InitPythonProgram(python_path_str, &program_name) || 42 | // !darwin::pythonutils::ImportPythonModule(module_str, &py_module) || 43 | // !darwin::pythonutils::GetPythonFunction(py_module, function_str, &py_function) || 44 | // !darwin::pythonutils::CallPythonFunction(py_function, &py_result)) { 45 | // std::cout << "Exiting" << std::endl; 46 | // std::exit(EXIT_FAILURE); 47 | // } 48 | 49 | // PyObject *py_unicode_str = nullptr; 50 | 51 | // if ((py_unicode_str = PyUnicode_AsUTF8String(py_result)) == nullptr) { 52 | // std::cout << "An error occurred while getting the Unicode object from the function result" << std::endl; 53 | // PyErr_Print(); 54 | // std::exit(EXIT_FAILURE); 55 | // } 56 | 57 | // char *result_char = nullptr; 58 | 59 | // if ((result_char = PyBytes_AsString(py_unicode_str)) == nullptr) { 60 | 
// std::cout << "An error occurred while getting the C string object from the Unicode object" << std::endl; 61 | // PyErr_Print(); 62 | // std::exit(EXIT_FAILURE); 63 | // } 64 | 65 | // darwin::pythonutils::ExitPythonProgram(&program_name); 66 | 67 | // auto result_str = std::string(result_char); 68 | // std::cout << result_str << std::endl; 69 | 70 | // std::exit(EXIT_SUCCESS); 71 | // } 72 | -------------------------------------------------------------------------------- /samples/fuseragent/UserAgentTask.hpp: -------------------------------------------------------------------------------- 1 | /// \file UserAgentTask.hpp 2 | /// \authors gcatto 3 | /// \version 1.0 4 | /// \date 16/01/19 5 | /// \license GPLv3 6 | /// \brief Copyright (c) 2018 Advens. All rights reserved. 7 | 8 | #pragma once 9 | 10 | #include 11 | #include 12 | 13 | #include "../../toolkit/lru_cache.hpp" 14 | #include "../../toolkit/xxhash.h" 15 | #include "../../toolkit/xxhash.hpp" 16 | #include "protocol.h" 17 | #include "Session.hpp" 18 | #include "tensorflow/core/public/session.h" 19 | 20 | #define DARWIN_FILTER_USER_AGENT 0x75736572 21 | 22 | // To create a usable task method you MUST inherit from darwin::thread::Task publicly. 23 | // The code bellow show all what's necessary to have a working task. 24 | // For more information about Tasks, please refer to the class definition. 
25 | 26 | class UserAgentTask : public darwin::Session { 27 | public: 28 | explicit UserAgentTask(boost::asio::local::stream_protocol::socket& socket, 29 | darwin::Manager& manager, 30 | std::shared_ptr> cache, 31 | std::mutex& cache_mutex, 32 | std::shared_ptr &session, 33 | std::map &token_map, const unsigned int max_tokens = 50); 34 | ~UserAgentTask() override; 35 | 36 | public: 37 | // You need to override the functor to compile and be executed by the thread 38 | void operator()() override; 39 | static const std::vector USER_AGENT_CLASSES; 40 | 41 | protected: 42 | /// Get the result from the cache 43 | xxh::hash64_t GenerateHash() override; 44 | /// Return filter code 45 | long GetFilterCode() noexcept override; 46 | 47 | private: 48 | /// Classify the parsed request. 49 | /// 50 | /// \return true on success, false otherwise. 51 | unsigned int Predict(const std::string &user_agent); 52 | 53 | /// Parse the body received. 54 | /// 55 | /// \return true on success, false otherwise. 56 | bool ParseBody() override; 57 | 58 | /// Tokenize the user agent to be classified. 59 | /// 60 | /// \param ua_tokens The user agent tokens to be used. 61 | void UserAgentTokenizer(const std::string &user_agent, std::vector &ua_tokens); 62 | 63 | private: 64 | unsigned int _max_tokens = 50; 65 | boost::char_separator _separator {" ());,:-~?!{}/[]"}; 66 | std::shared_ptr _session = nullptr; // The tensorflow session to use 67 | std::map _token_map; // The token map to help classifying user agents 68 | std::string _current_user_agent; // The user agent to check 69 | std::vector _user_agents; 70 | }; 71 | --------------------------------------------------------------------------------