Categorygithub.com/ilyaglow/go-cortex/v3
modulepackage
3.1.0
Repository: https://github.com/ilyaglow/go-cortex.git
Documentation: pkg.go.dev
Overview
Versions
2
Dependencies
17
Dependents
1
Files
1.1k SLOC

# README

GoDoc Build Status Codacy Badge Coverage Status

Cortex client library

Usage example

Get the latest library version:

go get -u github.com/ilyaglow/go-cortex

Simply run analyzer for an observable

package main

import (
	"context"
	"fmt"
	"log"
	"time"

	"github.com/ilyaglow/go-cortex"
)

func main() {
	crtx, err := cortex.NewClient("http://127.0.0.1:9001/", &cortex.ClientOpts{
		Auth: &cortex.APIAuth{
			APIKey: "YOUR-API-KEY",
		},
	})
	if err != nil {
		log.Fatal(err)
	}

	rep, err := crtx.Analyzers.Run(context.Background(), "MaxMind_GeoIP_3_0", &cortex.Task{
		Data:     "1.1.1.1",
		DataType: "ip",
		TLP:      &cortex.TLPGreen,
		PAP:      &cortex.PAPGreen,
	}, time.Minute*5)
	if err != nil {
		log.Fatal(err)
	}

	fmt.Printf("%v\n", rep)
}

Aggregated analysis of an observable

Could be used to analyze an observable by all analyzers that can process it's data type at once.

You should use callback functions to set an action for each analyzer, when one returns a report or an error. Take a look at the following example:

package main

import (
	"context"
	"log"
	"os"
	"time"

	"github.com/ilyaglow/go-cortex"
)

func main() {
	crtx, err := cortex.NewClient("http://127.0.0.1:9001/", &cortex.ClientOpts{
		Auth: &cortex.APIAuth{
			APIKey: "YOUR-API-KEY",
		},
	})
	if err != nil {
		log.Fatal(err)
	}

	task := &cortex.Task{
		Data: "1.1.1.1",
		DataType: "ip",
		TLP: &cortex.TLPWhite,
		PAP: &cortex.PAPWhite,
	}

	// Create a new MultiRun struct with at most 5 minute timeout for the run
	mul := crtx.Analyzers.NewMultiRun(context.Background(), 5*time.Minute)

	// Handle each analyzer's report
	mul.OnReport = func(r *cortex.Report) {
		log.Println(r)
	}
	// Log each analyzer's error
	mul.OnError = func(e error, o cortex.Observable, a *cortex.Analyzer) {
		log.Printf("Cortex analyzer %s failed on data %s with an error: %s", a.Name, o.Description(), e.Error())
	}

	// Actually run the analysis
	err = mul.Do(task)
	if err != nil {
		log.Fatal(err)
	}
}

# Functions

ExtractArtifacts extracts all artifacts from the report string.
NewClient bootstraps a client to interact with Cortex API.
NewInput grabs DefaultInput (stdin by default) and bootstraps *JobInput and *http.Client.

# Constants

APIRoute represents a prefix path.
TxInfo is an info taxonomy level.
TxMalicious is a malicious taxonomy level.
TxSafe is a safe taxonomy level.
TxSuspicious is a suspicious taxonomy level.

# Variables

DefaultInput represents an analyzer or responder input that is used by default.
PAPAmber - passive cross check.
PAPGreen - active actions allowed.
PAPRed - non-detectable actions only.
PAPWhite represents no restrictions in using information.
Rxs represents map of regexes.
TLPAmber represents limited disclosure, restricted to participants’ organizations.
TLPGreen limits disclosure, restricted to the community.
TLPRed is not for disclosure, restricted to participants only.
TLPWhite represents non-limited disclosure.

# Structs

Analyzer defines a specific Cortex Analyzer.
AnalyzerError is the report that analyzer app should return in case something went wrong.
AnalyzerReport is the report that analyzer app should return in case everything is okay.
AnalyzerServiceOp handles analyzer methods from Cortex API.
APIAuth represents authentication by API token.
Artifact represents an artifact.
Client is used to communicate with Cortex API.
ClientOpts represent options that are passed to client.
ExtractedArtifact is used for artifacts with slightly different structure.
FileTask is a file to be analyzed.
FileTaskMeta represents meta data of the file observable.
Job is a sample Cortex job.
JobInput is used to track failed jobs and work with analyzer's input.
JobServiceOp handles cases methods from the Cortex API.
MultiRun represents configuration for running multiple analyzers.
Report represents a struct returned by the Cortex.
ReportBody represents a report with analyzer results.
Summary is a customized report object which may have taxonomies.
Task represents a Cortex task to run.
Taxonomy represents a taxonomy object in a report.
User represents a Cortex User.
UserServiceOp handles user specific methods from Cortex API.

# Interfaces

AnalyzerService is an interface for managing analyzers.
JobService is an interface for managing jobs.
Observable is an interface for string type artifact and file type artifact.
UserService is an interface for managing users.

# Type aliases

PAP means Permissible Actions Protocol.
TLP means Traffic Light Protocol.