package crossref
import (
"github.com/activecm/rita/analysis/beacon"
dataBeacon "github.com/activecm/rita/datatypes/beacon"
"github.com/activecm/rita/resources"
)
// BeaconingSelector implements the XRefSelector interface for beaconing.
// It has no fields, so the zero value is ready to use.
type BeaconingSelector struct{}
// GetName returns the fixed identifier of this selector, "beaconing".
func (s BeaconingSelector) GetName() string {
	const selectorName = "beaconing"
	return selectorName
}
// Select streams the hosts found in the beacon results view for XRef analysis.
//
// It returns two receive-only channels: the first carries the source host of
// each result row, the second the destination host. Both are filled by a
// background goroutine and closed once the result iterator stops.
//
// Both channels are unbuffered and every row is sent source first, then
// destination. A caller therefore has to drain both channels (concurrently,
// or in that same order); otherwise the producer goroutine stays blocked on a
// send and its copied database session is never closed.
func (s BeaconingSelector) Select(res *resources.Resources) (<-chan string, <-chan string) {
	srcCh, dstCh := make(chan string), make(chan string)

	// Producer: reads the view on its own session copy so the caller gets
	// the channels back immediately.
	produce := func() {
		session := res.DB.Session.Copy()
		defer session.Close()

		// Only results at or above the configured crossref threshold are
		// requested from the view.
		// NOTE(review): presumably a score cutoff; confirm against
		// GetBeaconResultsView.
		threshold := res.Config.S.Crossref.BeaconThreshold
		results := beacon.GetBeaconResultsView(res, session, threshold)

		// Duplicates are emitted when several sources beaconed to the same
		// destination; the finalizing step of xref accounts for that.
		//
		// NOTE(review): the iterator's error state is never inspected here.
		// If Next can stop early on a database error, the channels are
		// closed exactly as on normal exhaustion and the beaconing host set
		// is silently truncated. Confirm, and surface the error if so.
		var row dataBeacon.AnalysisView
		for results.Next(&row) {
			srcCh <- row.Src
			dstCh <- row.Dst
		}

		close(srcCh)
		close(dstCh)
	}
	go produce()

	return srcCh, dstCh
}