trisulrp 3.1.13 → 3.1.14
- checksums.yaml +4 -4
- data/VERSION +1 -1
- data/lib/trisulrp/protocol.rb +2 -2
- data/lib/trisulrp/trp.pb.rb +3 -0
- data/lib/trisulrp/trp.proto +608 -594
- data/trisulrp.gemspec +3 -3
- metadata +2 -2
data/lib/trisulrp/trp.proto
@@ -1,3 +1,7 @@
|
|
1
|
+
/// trp.proto - Trisul Remote Protocol .proto file
|
2
|
+
/// TRP : Trisul Remote Protocol is a remote query API that allows
|
3
|
+
/// clients to connect and retrieve data from Trisul Hub
|
4
|
+
|
1
5
|
// Trisul Remote Protocol (TRP) definition
|
2
6
|
// Based on Google Protocol Buffers
|
3
7
|
// (c) 2012-16, Unleash Networks (http://www.unleashnetworks.com)
|
@@ -11,174 +15,191 @@ package TRP;
|
|
11
15
|
//
|
12
16
|
// Basic structures
|
13
17
|
//
|
18
|
+
/// Timestamp : Epoch time unix time (seconds since Jan 1 1970)
|
14
19
|
message Timestamp {
|
15
20
|
required int64 tv_sec=1;
|
16
21
|
optional int64 tv_usec=2 [default=0];
|
17
22
|
}
|
18
23
|
|
24
|
+
/// TimeInterval from and to
|
19
25
|
message TimeInterval {
|
20
|
-
required Timestamp from=1;
|
21
|
-
required Timestamp to=2;
|
26
|
+
required Timestamp from=1; /// start time
|
27
|
+
required Timestamp to=2; /// end time
|
22
28
|
}
|
23
29
|
|
30
|
+
/// StatsTuple : a single timeseries vaue (t,v)
|
24
31
|
message StatsTuple {
|
25
|
-
required Timestamp ts=1;
|
26
|
-
required int64 val=2;
|
32
|
+
required Timestamp ts=1; /// ts
|
33
|
+
required int64 val=2; /// value metric
|
27
34
|
}
|
28
35
|
|
36
|
+
/// StatsArray : multiple timeseries values (t, v1, v2, v3...vn)
|
37
|
+
/// notice we use ts_tv_sec. Most Trisul data have 1 sec resolution.
|
29
38
|
message StatsArray {
|
30
|
-
required int64
|
31
|
-
repeated int64 values=2;
|
39
|
+
required int64 ts_tv_sec=1; /// tv.tv_sec
|
40
|
+
repeated int64 values=2; /// array of values
|
32
41
|
}
|
33
42
|
|
43
|
+
/// MeterValues : a timeseries (meter_id, stat1, stat2, ... statn)
|
44
|
+
/// this is rarely used because StatsArray is available .
|
34
45
|
message MeterValues {
|
35
|
-
required int32 meter=1;
|
46
|
+
required int32 meter=1; /// metric id , eg Hosts:TotalConnections
|
36
47
|
repeated StatsTuple values=2;
|
37
|
-
|
38
|
-
|
48
|
+
optional int64 total=3; /// total of all metric values
|
49
|
+
optional int64 seconds=4; /// total number of seconds in time series
|
39
50
|
}
|
40
51
|
|
52
|
+
|
53
|
+
/// MeterType : information about a particular meter
|
54
|
+
///
|
41
55
|
message MeterInfo {
|
42
56
|
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
+
/// types of meters
|
58
|
+
// from TrisulAPI
|
59
|
+
enum MeterType
|
60
|
+
{
|
61
|
+
VT_INVALID=0;
|
62
|
+
VT_RATE_COUNTER_WITH_SLIDING_WINDOW=1;/// this for top-N type counters
|
63
|
+
VT_COUNTER=2; /// basic counter, stores val in the raw
|
64
|
+
VT_COUNTER_WITH_SLIDING_WINDOW=3; /// use this for top-N type counters
|
65
|
+
VT_RATE_COUNTER=4; /// rate counter stores val/sec
|
66
|
+
VT_GAUGE=5; /// basic gauge
|
67
|
+
VT_GAUGE_MIN_MAX_AVG=6; /// gauge with 3 additional min/avg/max cols (auto)
|
68
|
+
VT_AUTO=7; /// automatic (eg, min/max/avg/stddev/)
|
69
|
+
VT_RUNNING_COUNTER=8; /// running counter, no delta calc
|
70
|
+
VT_AVERAGE=9; /// average of samples, total/sampl uses 32bt|32bit
|
71
|
+
}
|
57
72
|
|
58
73
|
|
59
74
|
required int32 id=1;
|
60
75
|
required MeterType type=2;
|
61
|
-
required int32
|
62
|
-
|
63
|
-
|
64
|
-
|
76
|
+
required int32 topcount=3;
|
77
|
+
required string name=4;
|
78
|
+
optional string description=5;
|
79
|
+
optional string units=6;
|
65
80
|
}
|
66
81
|
|
82
|
+
/// KeyStats - A full time series item (countergroup, key, timeseries)
|
83
|
+
///
|
67
84
|
message KeyStats {
|
68
|
-
required string counter_group=2;
|
69
|
-
required KeyT key=3;
|
70
|
-
repeated MeterValues meters=4;
|
85
|
+
required string counter_group=2; /// guid of counter group
|
86
|
+
required KeyT key=3; /// key representing an item
|
87
|
+
repeated MeterValues meters=4; /// array of timeseries (timeseries-meter0, ts-meter1, ...ts-meter-n)
|
71
88
|
}
|
72
89
|
|
73
90
|
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
//
|
91
|
+
/// KeyT : Represents a Key
|
92
|
+
/// Top level objects are named ObjT
|
93
|
+
/// eg KeyT - Key Type, SessionT - Session Type etc.
|
78
94
|
message KeyT {
|
79
|
-
optional string key=1;
|
80
|
-
optional string readable=2;
|
81
|
-
optional string label=3;
|
82
|
-
optional string description=4;
|
83
|
-
|
95
|
+
optional string key=1; /// key in trisul key format eg, C0.A8.01.02 for 192.168.1.2
|
96
|
+
optional string readable=2; /// human friendly name
|
97
|
+
optional string label=3; /// a user label eg, a hostname or manually assigned name
|
98
|
+
optional string description=4; /// description
|
99
|
+
optional int64 metric=5; /// optional : a single metric value - relevant to the query used
|
84
100
|
}
|
85
101
|
|
86
102
|
|
103
|
+
/// CounterGroupT : Represents a counter group
|
104
|
+
///
|
87
105
|
message CounterGroupT {
|
88
|
-
required string guid=1;
|
89
|
-
required string name=2;
|
90
|
-
optional int64 bucket_size=3;
|
91
|
-
optional TimeInterval time_interval=4;
|
92
|
-
optional int64 topper_bucket_size=5;
|
93
|
-
|
106
|
+
required string guid=1; /// guid identifying the CG
|
107
|
+
required string name=2; /// CG name
|
108
|
+
optional int64 bucket_size=3; /// bucketsize for all meters in this group
|
109
|
+
optional TimeInterval time_interval=4; /// total time interval available in DB
|
110
|
+
optional int64 topper_bucket_size=5; /// topper bucketsize (streaming analytics window)
|
111
|
+
repeated MeterInfo meters=6; /// array of meter information (m0, m1, .. mn)
|
94
112
|
}
|
95
113
|
|
114
|
+
/// SessionT : an IP flow
|
115
|
+
///
|
96
116
|
message SessionT {
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
|
110
|
-
|
111
|
-
|
112
|
-
|
113
|
-
|
114
|
-
|
115
|
-
|
116
|
-
|
117
|
-
|
118
|
-
|
119
|
-
|
120
|
-
|
121
|
-
}
|
122
|
-
|
123
|
-
|
124
|
-
|
125
|
-
|
117
|
+
optional string session_key=1; /// Trisul format eg 06A:C0.A8.01.02:p-0B94_D1.D8.F9.3A:p-0016
|
118
|
+
required string session_id=2; /// SID once stored in DB 883:3:883488
|
119
|
+
optional string user_label=3; /// any label assigned by user
|
120
|
+
required TimeInterval time_interval=4; /// start and end time of flow
|
121
|
+
optional int64 state=5; /// flow state (see docs)
|
122
|
+
optional int64 az_bytes=6; /// bytes in A>Z direction, see KeyA>KeyZ
|
123
|
+
optional int64 za_bytes=7; /// bytes in Z>A direction
|
124
|
+
optional int64 az_packets=8; /// pkts in A>Z direction
|
125
|
+
optional int64 za_packets=9; /// pkts in Z>A direction
|
126
|
+
required KeyT key1A=10; /// basically IP A End
|
127
|
+
required KeyT key2A=11; /// Port Z End (can be a string like ICMP00, GRE00, for non TCP/UDP)
|
128
|
+
required KeyT key1Z=12; /// IP Z end
|
129
|
+
required KeyT key2Z=13; /// Port Z End
|
130
|
+
required KeyT protocol=14; /// IP Protocol
|
131
|
+
optional KeyT nf_routerid=15; /// Netflow only : Router ID
|
132
|
+
optional KeyT nf_ifindex_in=16; /// Netflow only : Interface Index
|
133
|
+
optional KeyT nf_ifindex_out=17; /// Netflow only : Interface Index
|
134
|
+
optional string tags=18; /// tags assigned using flow taggers
|
135
|
+
optional int64 az_payload=19; /// AZ payload - actual content transferred
|
136
|
+
optional int64 za_payload=20; /// ZA payload
|
137
|
+
optional int64 setup_rtt=21; /// Round Trip Time for setup : Must have TCPReassmbly enabled on Probe
|
138
|
+
optional int64 retransmissions=22; /// Retransmissiosn total
|
139
|
+
optional int64 tracker_statval=23; /// Metric for flow trackers
|
140
|
+
optional string probe_id=24; /// Probe ID generating this flow
|
141
|
+
}
|
142
|
+
|
143
|
+
|
144
|
+
/// AlertT : an alert in Trisul
|
145
|
+
/// all alert types Threshold Crossing, Flow Tracker, Badfellas, custom alerts use
|
146
|
+
/// the same object below
|
126
147
|
message AlertT{
|
127
|
-
|
128
|
-
|
129
|
-
|
130
|
-
|
131
|
-
|
132
|
-
|
133
|
-
|
134
|
-
|
135
|
-
|
136
|
-
|
137
|
-
|
138
|
-
|
139
|
-
|
140
|
-
|
141
|
-
|
142
|
-
|
143
|
-
|
144
|
-
|
145
|
-
}
|
146
|
-
|
147
|
-
|
148
|
-
|
149
|
-
|
148
|
+
optional int64 sensor_id=1; /// source of alert, usually not used
|
149
|
+
required Timestamp time=2; /// timestamp
|
150
|
+
required string alert_id=3; /// DB alert ID eg 99:8:98838
|
151
|
+
optional KeyT source_ip=4; /// source ip
|
152
|
+
optional KeyT source_port=5;
|
153
|
+
optional KeyT destination_ip=6;
|
154
|
+
optional KeyT destination_port=7;
|
155
|
+
optional KeyT sigid=8; /// unique key representing alert type
|
156
|
+
optional KeyT classification=9; /// classification (from IDS terminology)
|
157
|
+
optional KeyT priority=10; /// priority 1,2,3
|
158
|
+
optional Timestamp dispatch_time=11; /// sent time
|
159
|
+
optional string dispatch_message1=12; /// a free format string created by generator of alert
|
160
|
+
optional string dispatch_message2=13; /// second format
|
161
|
+
optional int64 occurrances=14[default=1];/// number of occurranes, used by QueryAlerts for aggregation
|
162
|
+
optional string group_by_key=15; /// aggregation key
|
163
|
+
optional string probe_id=16; /// probe generating this alert
|
164
|
+
optional string alert_status=17; /// FIRE,CLEAR,BLOCK etc
|
165
|
+
optional int64 acknowledge_flag=18; /// ACK or NOT
|
166
|
+
}
|
167
|
+
|
168
|
+
|
169
|
+
/// ResourceT : represents a "resource" object
|
170
|
+
/// examples DNS records, HTTP URLs, TLS Certificates, extracted file hashes, etc
|
150
171
|
message ResourceT {
|
151
|
-
|
152
|
-
|
153
|
-
|
154
|
-
|
155
|
-
|
156
|
-
|
157
|
-
optional string uri=7;
|
158
|
-
optional string userlabel=8;
|
159
|
-
|
160
|
-
}
|
161
|
-
|
162
|
-
|
163
|
-
|
172
|
+
required Timestamp time=1; /// time resource was seen
|
173
|
+
required string resource_id=2; /// DB id format = 988:0:8388383
|
174
|
+
optional KeyT source_ip=3;
|
175
|
+
optional KeyT source_port=4;
|
176
|
+
optional KeyT destination_ip=5;
|
177
|
+
optional KeyT destination_port=6;
|
178
|
+
optional string uri=7; /// raw resource - uniform resource id ,dns names, http url, etc
|
179
|
+
optional string userlabel=8; /// additional data
|
180
|
+
optional string probe_id=9; /// which probe detected this
|
181
|
+
}
|
182
|
+
|
183
|
+
/// DocumentT : a full text document
|
184
|
+
/// full HTTP headers, printable TLS certs, etc
|
164
185
|
message DocumentT {
|
165
|
-
|
166
|
-
|
167
|
-
|
186
|
+
required string dockey=1; /// unique id
|
187
|
+
optional string fts_attributes=2; /// attibutes used for facets
|
188
|
+
optional string fullcontent=3; /// full document text
|
168
189
|
|
190
|
+
/// this document was seen at these time and on this flow
|
169
191
|
message Flow {
|
170
|
-
required Timestamp time=1;
|
192
|
+
required Timestamp time=1;
|
171
193
|
required string key=2;
|
172
194
|
}
|
173
195
|
|
174
|
-
repeated Flow
|
175
|
-
|
196
|
+
repeated Flow flows=4; /// list of flows where this doc was seen
|
197
|
+
optional string probe_id=5;
|
176
198
|
}
|
177
199
|
|
178
200
|
|
179
|
-
|
180
|
-
|
181
|
-
//
|
201
|
+
/// Enums
|
202
|
+
/// Auth Level
|
182
203
|
enum AuthLevel {
|
183
204
|
ADMIN=1;
|
184
205
|
BASIC_USER=2;
|
@@ -186,42 +207,46 @@ enum AuthLevel {
|
|
186
207
|
BLOCKED_USER=4;
|
187
208
|
}
|
188
209
|
|
210
|
+
/// Compression: Used by PCAP or other content requests
|
189
211
|
enum CompressionType {
|
190
212
|
UNCOMPRESSED=1;
|
191
213
|
GZIP=2;
|
192
214
|
}
|
193
215
|
|
216
|
+
/// Pcap: format
|
194
217
|
enum PcapFormat {
|
195
|
-
LIBPCAP=1;
|
196
|
-
UNSNIFF=2;
|
197
|
-
LIBPCAPNOFILEHEADER=3;
|
218
|
+
LIBPCAP=1; /// normal libpcap format *.pcap
|
219
|
+
UNSNIFF=2; ///
|
220
|
+
LIBPCAPNOFILEHEADER=3; /// libpcap but without the pcap file header
|
198
221
|
}
|
199
222
|
|
200
223
|
enum DomainNodeType
|
201
224
|
{
|
202
|
-
|
203
|
-
|
204
|
-
|
205
|
-
|
206
|
-
|
207
|
-
|
225
|
+
HUB=0;
|
226
|
+
PROBE=1;
|
227
|
+
CONFIG=2;
|
228
|
+
ROUTER=3;
|
229
|
+
WEB=4;
|
230
|
+
MONITOR=5;
|
208
231
|
}
|
209
232
|
|
210
233
|
enum DomainOperation {
|
211
|
-
|
212
|
-
|
213
|
-
|
234
|
+
GETNODES=1;
|
235
|
+
HEARTBEAT=2;
|
236
|
+
REGISTER=3;
|
214
237
|
}
|
215
238
|
|
216
239
|
message NameValue {
|
217
|
-
|
218
|
-
|
240
|
+
required string name=1;
|
241
|
+
optional string value=2;
|
219
242
|
}
|
220
243
|
|
221
|
-
|
222
|
-
|
223
|
-
|
224
|
-
|
244
|
+
/// Top level message is TRP::Message
|
245
|
+
/// wraps the actual request or response
|
246
|
+
///
|
247
|
+
/// You must set trp.command = <cmd> for EACH request in addition to
|
248
|
+
/// constructing the actual TRP request message
|
249
|
+
///
|
225
250
|
message Message {
|
226
251
|
enum Command { HELLO_REQUEST=1;
|
227
252
|
HELLO_RESPONSE=2;
|
@@ -249,12 +274,12 @@ message Message {
|
|
249
274
|
QUERY_ALERTS_RESPONSE=45;
|
250
275
|
QUERY_RESOURCES_REQUEST=48;
|
251
276
|
QUERY_RESOURCES_RESPONSE=49;
|
252
|
-
|
253
|
-
|
254
|
-
|
255
|
-
|
256
|
-
|
257
|
-
|
277
|
+
GREP_REQUEST=60;
|
278
|
+
GREP_RESPONSE=61;
|
279
|
+
KEYSPACE_REQUEST=70;
|
280
|
+
KEYSPACE_RESPONSE=71;
|
281
|
+
TOPPER_TREND_REQUEST=72;
|
282
|
+
TOPPER_TREND_RESPONSE=73;
|
258
283
|
STAB_PUBSUB_CTL=80;
|
259
284
|
QUERY_FTS_REQUEST=90;
|
260
285
|
QUERY_FTS_RESPONSE=91;
|
@@ -270,24 +295,24 @@ message Message {
|
|
270
295
|
CONFIG_RESPONSE=104;
|
271
296
|
LOG_REQUEST=105;
|
272
297
|
LOG_RESPONSE=106;
|
273
|
-
|
274
|
-
|
275
|
-
|
276
|
-
|
277
|
-
|
278
|
-
|
279
|
-
|
280
|
-
|
281
|
-
|
282
|
-
|
283
|
-
|
284
|
-
|
285
|
-
|
286
|
-
|
287
|
-
|
288
|
-
|
289
|
-
|
290
|
-
|
298
|
+
CONTEXT_CREATE_REQUEST=108;
|
299
|
+
CONTEXT_DELETE_REQUEST=109;
|
300
|
+
CONTEXT_START_REQUEST=110;
|
301
|
+
CONTEXT_STOP_REQUEST=111;
|
302
|
+
CONTEXT_INFO_REQUEST=112;
|
303
|
+
CONTEXT_INFO_RESPONSE=113;
|
304
|
+
CONTEXT_CONFIG_REQUEST=114;
|
305
|
+
CONTEXT_CONFIG_RESPONSE=115;
|
306
|
+
DOMAIN_REQUEST=116;
|
307
|
+
DOMAIN_RESPONSE=117;
|
308
|
+
NODE_CONFIG_REQUEST=118;
|
309
|
+
NODE_CONFIG_RESPONSE=119;
|
310
|
+
ASYNC_REQUEST=120;
|
311
|
+
ASYNC_RESPONSE=121;
|
312
|
+
FILE_REQUEST=122;
|
313
|
+
FILE_RESPONSE=123;
|
314
|
+
SUBSYSTEM_INIT=124; // init msg used to prepare services
|
315
|
+
SUBSYSTEM_EXIT=125;
|
291
316
|
|
292
317
|
}
|
293
318
|
|
@@ -327,32 +352,32 @@ message Message {
|
|
327
352
|
optional TimeSlicesRequest time_slices_request=62;
|
328
353
|
optional TimeSlicesResponse time_slices_response=63;
|
329
354
|
optional DeleteAlertsRequest delete_alerts_request=64;
|
330
|
-
|
331
|
-
|
332
|
-
|
333
|
-
|
334
|
-
|
335
|
-
|
336
|
-
|
337
|
-
|
338
|
-
|
339
|
-
|
340
|
-
|
341
|
-
|
342
|
-
|
343
|
-
|
344
|
-
|
345
|
-
|
346
|
-
|
347
|
-
|
348
|
-
|
349
|
-
|
350
|
-
|
351
|
-
|
352
|
-
|
353
|
-
optional string destination_node=200;
|
354
|
-
optional string probe_id=201;
|
355
|
-
optional bool run_async=202;
|
355
|
+
optional MetricsSummaryRequest metrics_summary_request=65;
|
356
|
+
optional MetricsSummaryResponse metrics_summary_response=66;
|
357
|
+
optional KeySpaceRequest key_space_request=67;
|
358
|
+
optional KeySpaceResponse key_space_response=68;
|
359
|
+
optional PcapSlicesRequest pcap_slices_request=69;
|
360
|
+
optional LogRequest log_request=105;
|
361
|
+
optional LogResponse log_response=106;
|
362
|
+
optional ContextCreateRequest context_create_request=108;
|
363
|
+
optional ContextDeleteRequest context_delete_request=109;
|
364
|
+
optional ContextStartRequest context_start_request=110;
|
365
|
+
optional ContextStopRequest context_stop_request=111;
|
366
|
+
optional ContextConfigRequest context_config_request=112;
|
367
|
+
optional ContextConfigResponse context_config_response=113;
|
368
|
+
optional ContextInfoRequest context_info_request=114;
|
369
|
+
optional ContextInfoResponse context_info_response=115;
|
370
|
+
optional DomainRequest domain_request=116;
|
371
|
+
optional DomainResponse domain_response=117;
|
372
|
+
optional NodeConfigRequest node_config_request=118;
|
373
|
+
optional NodeConfigResponse node_config_response=119;
|
374
|
+
optional AsyncRequest async_request=120;
|
375
|
+
optional AsyncResponse async_response=121;
|
376
|
+
optional FileRequest file_request=122;
|
377
|
+
optional FileResponse file_response=123;
|
378
|
+
optional string destination_node=200; // todo move 2nd
|
379
|
+
optional string probe_id=201; // todo move 3rd
|
380
|
+
optional bool run_async=202; /// if run_async = true, then you will immediately get a AsynResponse with a token you can poll
|
356
381
|
|
357
382
|
}
|
358
383
|
|
@@ -365,80 +390,75 @@ message Message {
|
|
365
390
|
// --------------- Messages Section -------------------------//
|
366
391
|
//////////////////////////////////////////////////////////////
|
367
392
|
|
368
|
-
|
369
|
-
// Hello
|
393
|
+
/// Hello Request : use to check connectivity
|
370
394
|
message HelloRequest{
|
371
|
-
required string station_id=1;
|
372
|
-
optional string
|
395
|
+
required string station_id=1; /// an id of the query client trying to connect
|
396
|
+
optional string message=2; /// a message (will be echoed back in response)
|
373
397
|
}
|
374
398
|
|
375
399
|
message HelloResponse{
|
376
|
-
required string station_id=1;
|
377
|
-
optional string station_id_request=2;
|
378
|
-
optional string message=3;
|
379
|
-
optional int64
|
400
|
+
required string station_id=1; /// station id of the query server
|
401
|
+
optional string station_id_request=2; /// station id found in the request
|
402
|
+
optional string message=3; /// message found in the request
|
403
|
+
optional int64 local_timestamp=4; /// local timestamp at server, used to detect drifts
|
380
404
|
}
|
381
405
|
|
382
|
-
|
383
|
-
|
406
|
+
/// ErrorResponse
|
407
|
+
/// All XYZRequest() messages can either generate a XYZResponse() or an ErrorResponse()
|
408
|
+
/// you need to handle the error case
|
384
409
|
message ErrorResponse{
|
385
|
-
required int64 original_command=1;
|
386
|
-
required int64 error_code=2;
|
387
|
-
required string error_message=3;
|
410
|
+
required int64 original_command=1; /// Command ID of request
|
411
|
+
required int64 error_code=2; /// numeric error code
|
412
|
+
required string error_message=3; /// error string
|
388
413
|
}
|
389
414
|
|
390
|
-
|
391
|
-
|
415
|
+
/// OKResponse
|
416
|
+
/// many messages return an OKResponse indicating success of operation
|
392
417
|
message OKResponse{
|
393
|
-
required int64 original_command=1;
|
394
|
-
optional string message=2;
|
418
|
+
required int64 original_command=1; /// command id of request
|
419
|
+
optional string message=2; /// success message
|
395
420
|
}
|
396
421
|
|
397
422
|
|
398
|
-
|
399
|
-
// CounterItemRequest
|
423
|
+
/// CounterItemRequest : Time series history statistics for an item
|
400
424
|
message CounterItemRequest{
|
401
|
-
required string counter_group=2;
|
402
|
-
optional int64 meter=3;
|
403
|
-
required KeyT
|
404
|
-
required TimeInterval time_interval=5;
|
405
|
-
|
425
|
+
required string counter_group=2; /// guid of counter group
|
426
|
+
optional int64 meter=3; /// optional meter, default will retrieve all (same cost)
|
427
|
+
required KeyT key=4; /// key (can specify key.key, key.label, etc too
|
428
|
+
required TimeInterval time_interval=5; /// Time interval for query
|
429
|
+
optional int64 volumes_only=6 [default=0]; /// if '1' ; then only retrieves totals for each meter
|
406
430
|
}
|
407
431
|
|
408
|
-
|
409
|
-
// CounterItemResponse
|
432
|
+
/// CounterItemResponse -
|
410
433
|
message CounterItemResponse{
|
411
|
-
|
412
|
-
|
413
|
-
optional StatsArray totals=3;
|
414
|
-
repeated StatsArray stats=4;
|
434
|
+
required string counter_group=1; /// guid of CG
|
435
|
+
required KeyT key=2; /// key : filled up with readable,label automatically
|
436
|
+
optional StatsArray totals=3; /// if volumes_only = 1 in request, this contains totals for each metric
|
437
|
+
repeated StatsArray stats=4; /// time series stats - can use to draw charts etc
|
415
438
|
}
|
416
439
|
|
417
440
|
|
418
|
-
|
419
|
-
// CounterGroupTopperRequest
|
441
|
+
/// CounterGroupTopperRequest - retrieve toppers for a counter group (top-K)
|
420
442
|
message CounterGroupTopperRequest{
|
421
|
-
required string counter_group=2;
|
422
|
-
optional int64 meter=3 [default=0];
|
423
|
-
optional int64 maxitems=4 [default=100];
|
424
|
-
optional TimeInterval time_interval=5;
|
425
|
-
optional Timestamp time_instant=6;
|
426
|
-
optional int64 flags=7;
|
427
|
-
optional bool resolve_keys=8 [default=true];
|
443
|
+
required string counter_group=2; /// guid of CG
|
444
|
+
optional int64 meter=3 [default=0]; /// meter; eg to get Top Hosts By Connections use cg=Hosts meter = 6(connections)
|
445
|
+
optional int64 maxitems=4 [default=100]; /// number of top items to retreive
|
446
|
+
optional TimeInterval time_interval=5; /// time interval
|
447
|
+
optional Timestamp time_instant=6; ///
|
448
|
+
optional int64 flags=7;
|
449
|
+
optional bool resolve_keys=8 [default=true]; /// retrieve labels as set in the response for each key
|
428
450
|
}
|
429
451
|
|
430
|
-
|
431
|
-
// CounterGroupTopperResponse
|
452
|
+
/// CounterGroupTopperResponse
|
432
453
|
message CounterGroupTopperResponse{
|
433
|
-
required string counter_group=2;
|
434
|
-
required int64 meter=3;
|
435
|
-
|
436
|
-
repeated KeyT
|
454
|
+
required string counter_group=2; /// request cgid
|
455
|
+
required int64 meter=3; /// from request
|
456
|
+
optional int64 sysgrouptotal=4; /// the metric value for "Others.." after Top-K
|
457
|
+
repeated KeyT keys=6; /// topper keys, KeyT.metric contains the top-k value
|
437
458
|
}
|
438
459
|
|
439
460
|
|
440
|
-
|
441
|
-
// SearchkeysRequest
|
461
|
+
/// SearchkeysRequest - search for keys
|
442
462
|
message SearchKeysRequest{
|
443
463
|
required string counter_group=2;
|
444
464
|
optional int64 maxitems=3[default=100];
|
@@ -449,174 +469,175 @@ message SearchKeysRequest{
|
|
449
469
|
optional bool get_totals=8[default=false];
|
450
470
|
}
|
451
471
|
|
452
|
-
|
453
|
-
// SearchKeysResponse
|
472
|
+
/// SearchKeysResponse
|
454
473
|
message SearchKeysResponse{
|
455
474
|
required string counter_group=2;
|
456
|
-
repeated KeyT
|
475
|
+
repeated KeyT keys=3;
|
457
476
|
optional int64 total_count=4;
|
458
477
|
|
459
478
|
}
|
460
479
|
|
461
|
-
|
462
|
-
/// CounterGroupInfoRequest
|
480
|
+
/// CounterGroupInfoRequest - retrieve information about enabled counter groups
|
463
481
|
message CounterGroupInfoRequest{
|
464
482
|
optional string counter_group=2;
|
465
|
-
|
483
|
+
optional bool get_meter_info=3[default=false];
|
466
484
|
}
|
467
485
|
|
468
|
-
///////////////////////////////////
|
469
486
|
/// CounterGroupInfoResponse
|
470
487
|
message CounterGroupInfoResponse{
|
471
488
|
repeated CounterGroupT group_details=2;
|
472
489
|
}
|
473
490
|
|
474
|
-
|
475
|
-
|
476
|
-
|
491
|
+
/// QuerySessions - Query flows
|
492
|
+
/// fields filled are treated as AND criteria
|
493
|
+
/// See SessionT for description of common query fields
|
477
494
|
message QuerySessionsRequest {
|
478
495
|
optional string session_group=2[default="{99A78737-4B41-4387-8F31-8077DB917336}"];
|
479
496
|
optional TimeInterval time_interval=3;
|
480
497
|
optional string key=4;
|
481
|
-
|
482
|
-
|
483
|
-
|
484
|
-
|
485
|
-
|
486
|
-
|
487
|
-
|
488
|
-
|
489
|
-
|
490
|
-
|
491
|
-
|
492
|
-
|
493
|
-
|
494
|
-
|
495
|
-
optional int64 maxitems=19[default=100];
|
496
|
-
optional int64 volume_filter=20[default=0];
|
497
|
-
|
498
|
-
|
499
|
-
|
500
|
-
}
|
501
|
-
|
502
|
-
|
503
|
-
|
498
|
+
optional KeyT source_ip=5;
|
499
|
+
optional KeyT source_port=6;
|
500
|
+
optional KeyT dest_ip=7;
|
501
|
+
optional KeyT dest_port=8;
|
502
|
+
optional KeyT any_ip=9; /// source or dest match
|
503
|
+
optional KeyT any_port=10; /// source or dest match
|
504
|
+
repeated KeyT ip_pair=11; /// array of 2 ips
|
505
|
+
optional KeyT protocol=12;
|
506
|
+
optional string flowtag=13; /// string flow tagger text
|
507
|
+
optional KeyT nf_routerid=14;
|
508
|
+
optional KeyT nf_ifindex_in=15;
|
509
|
+
optional KeyT nf_ifindex_out=16;
|
510
|
+
optional string subnet_24=17; /// ip /24 subnet matching
|
511
|
+
optional string subnet_16=18; /// ip /16 subnet
|
512
|
+
optional int64 maxitems=19[default=100]; /// maximum number of matching flows to retrieve
|
513
|
+
optional int64 volume_filter=20[default=0]; /// only retrieve flows > this many bytes (a+z)
|
514
|
+
optional bool resolve_keys=21[default=true];
|
515
|
+
optional string outputpath=22; /// write results to a file (CSV) on trisul-hub (for very large dumps)
|
516
|
+
repeated string idlist=23; /// array of flow ids , usually from SessionTracker response
|
517
|
+
}
|
518
|
+
|
519
|
+
|
520
|
+
/// QuerySessionsResponse
|
521
|
+
/// a list of matching flows
|
504
522
|
message QuerySessionsResponse {
|
505
|
-
required string
|
506
|
-
repeated SessionT
|
507
|
-
optional string
|
523
|
+
required string session_group=2;
|
524
|
+
repeated SessionT sessions=3; /// matching flows SessionT objects
|
525
|
+
optional string outputpath=4; /// if 'outputpath' set in request, the sessions are here (in CSV format)
|
508
526
|
}
|
509
527
|
|
510
|
-
//////////////////////////////////////////////
|
511
528
|
/// UpdatekeysRequest
|
512
529
|
/// Response = OKResponse or ErrorResponse
|
513
530
|
message UpdateKeyRequest{
|
514
531
|
required string counter_group=2;
|
515
|
-
repeated KeyT
|
532
|
+
repeated KeyT keys=4; /// key : if you set both key and label, the DB label will be updated
|
516
533
|
}
|
517
534
|
|
518
|
-
|
519
|
-
|
535
|
+
/// SessionTrackerRequest - query session trackers
|
536
|
+
/// session trackers are top-k streaming algorithm for network flows
|
537
|
+
/// They are Top Sessions fulfilling a particular preset criterion
|
520
538
|
message SessionTrackerRequest {
|
521
539
|
optional string session_group=2[default="{99A78737-4B41-4387-8F31-8077DB917336}"];
|
522
|
-
required int64 tracker_id=3 [default=1];
|
523
|
-
optional int64 maxitems=4 [default=100];
|
540
|
+
required int64 tracker_id=3 [default=1]; /// session tracker id
|
541
|
+
optional int64 maxitems=4 [default=100];
|
524
542
|
required TimeInterval time_interval=5;
|
525
543
|
optional bool resolve_keys=6 [default=true];
|
526
544
|
}
|
527
545
|
|
528
|
-
|
529
|
-
|
546
|
+
/// SessionTrackerResponse - results of tracker
|
547
|
+
/// returns a list of SessionT for the matching sessions.
|
548
|
+
/// Note: the returned list of SessionT only contains keys (in key format) and the
|
549
|
+
/// tracker_statval reprsenting the tracker metric. You need to send further QuerySession
|
550
|
+
/// request with the session_key to retrive the fullflow
|
530
551
|
message SessionTrackerResponse{
|
531
552
|
required string session_group=2;
|
532
|
-
repeated SessionT sessions=3;
|
553
|
+
repeated SessionT sessions=3; /// contains session_key and tracker_statval
|
533
554
|
optional int64 tracker_id=4;
|
534
555
|
}
|
535
556
|
|
536
|
-
|
537
|
-
|
557
|
+
/// QueryAlertsRequest - query alerts in system, can group_by (aggregate) any one field
|
558
|
+
/// multiple query fields are treated as AND
|
538
559
|
message QueryAlertsRequest {
|
539
560
|
required string alert_group=2;
|
540
561
|
optional TimeInterval time_interval=3;
|
541
562
|
optional int64 maxitems=5 [default=100];
|
542
|
-
optional KeyT
|
543
|
-
optional KeyT
|
544
|
-
optional KeyT
|
545
|
-
optional KeyT
|
546
|
-
optional KeyT
|
547
|
-
optional KeyT
|
548
|
-
optional KeyT
|
549
|
-
optional string aux_message1=13;
|
550
|
-
optional string aux_message2=14;
|
551
|
-
optional string group_by_fieldname=15;
|
552
|
-
|
553
|
-
|
554
|
-
optional KeyT any_ip=18;
|
555
|
-
optional KeyT any_port=19;
|
556
|
-
|
557
|
-
|
558
|
-
}
|
559
|
-
|
560
|
-
|
561
|
-
|
563
|
+
optional KeyT source_ip=6;
|
564
|
+
optional KeyT source_port=7;
|
565
|
+
optional KeyT destination_ip=8;
|
566
|
+
optional KeyT destination_port=9;
|
567
|
+
optional KeyT sigid=10;
|
568
|
+
optional KeyT classification=11;
|
569
|
+
optional KeyT priority=12;
|
570
|
+
optional string aux_message1=13; /// matches dispatchmessage1 in AlertT
|
571
|
+
optional string aux_message2=14; /// matches dispatchmessage2 in AlertT
|
572
|
+
optional string group_by_fieldname=15; /// can group by any field - group by 'sigid' will group results by sigid
|
573
|
+
repeated string idlist=16; /// list of alert ids
|
574
|
+
optional bool resolve_keys=17[default=true];
|
575
|
+
optional KeyT any_ip=18; /// search by any_ip (source_dest)
|
576
|
+
optional KeyT any_port=19; /// search by any_port (source_dest)
|
577
|
+
repeated KeyT ip_pair=20; /// array of 2 ips
|
578
|
+
optional string message_regex=21; /// searech via regex of the dispatch message
|
579
|
+
}
|
580
|
+
|
581
|
+
/// QueryAlertsResponse - response
|
582
|
+
/// if you used group_by_fieldname then AlertT.occurrances would contain the count
|
562
583
|
message QueryAlertsResponse {
|
563
584
|
required string alert_group=2;
|
564
|
-
repeated AlertT
|
585
|
+
repeated AlertT alerts=3; /// array of matching alerts
|
565
586
|
}
|
566
|
-
|
567
|
-
|
587
|
+
|
588
|
+
|
589
|
+
/// QueryResourcesRequest - resource queries
|
568
590
|
message QueryResourcesRequest {
|
569
591
|
required string resource_group=2;
|
570
592
|
optional TimeInterval time_interval=3;
|
571
593
|
optional int64 maxitems=4 [default=100];
|
572
|
-
optional KeyT
|
573
|
-
optional KeyT
|
574
|
-
optional KeyT
|
575
|
-
optional KeyT
|
594
|
+
optional KeyT source_ip=5;
|
595
|
+
optional KeyT source_port=6;
|
596
|
+
optional KeyT destination_ip=7;
|
597
|
+
optional KeyT destination_port=8;
|
576
598
|
optional string uri_pattern=9;
|
577
599
|
optional string userlabel_pattern=10;
|
578
600
|
repeated string regex_uri=12; // cant be combined with others
|
579
|
-
|
580
|
-
|
581
|
-
optional KeyT
|
582
|
-
optional KeyT
|
583
|
-
|
601
|
+
repeated string idlist=13; // resource ID list
|
602
|
+
optional bool resolve_keys=14 [default=true];
|
603
|
+
optional KeyT any_port=15;
|
604
|
+
optional KeyT any_ip=16;
|
605
|
+
repeated KeyT ip_pair=17; // array of 2 ips
|
584
606
|
}
|
585
607
|
|
586
|
-
|
587
|
-
// QueryResourceResponse
|
608
|
+
/// QueryResourceResponse
|
588
609
|
message QueryResourcesResponse {
|
589
|
-
required string
|
590
|
-
repeated ResourceT
|
610
|
+
required string resource_group=2;
|
611
|
+
repeated ResourceT resources=3;
|
591
612
|
}
|
592
613
|
|
593
614
|
|
594
615
|
|
595
|
-
|
596
|
-
|
616
|
+
/// KeySpaceRequest - search hits in Key Space
|
617
|
+
/// for example you can search the key space 10.0.0.0 to 11.0.0.0 to get all IP
|
618
|
+
/// seen in that range
|
597
619
|
message KeySpaceRequest {
|
598
620
|
required string counter_group=2;
|
599
621
|
required TimeInterval time_interval=3;
|
600
622
|
optional int64 maxitems=4 [default=100];
|
601
623
|
|
602
|
-
|
603
|
-
|
604
|
-
|
605
|
-
|
624
|
+
message KeySpace {
|
625
|
+
required KeyT from_key=1; /// from key representing start of keyspace
|
626
|
+
required KeyT to_key=2; /// end of key space
|
627
|
+
}
|
606
628
|
|
607
|
-
|
629
|
+
repeated KeySpace spaces=5;
|
608
630
|
optional bool resolve_keys=6[default=true];
|
609
631
|
}
|
610
632
|
|
611
|
-
|
612
|
-
// KeySpaceResponse
|
633
|
+
/// KeySpaceResponse
|
613
634
|
message KeySpaceResponse {
|
614
635
|
optional string counter_group=2;
|
615
|
-
repeated KeyT
|
636
|
+
repeated KeyT hits=3; /// array of keys in the requested space
|
616
637
|
}
|
617
638
|
|
618
|
-
|
619
|
-
|
639
|
+
/// TopperTrendRequest - raw top-K at each topper snapshot interval
|
640
|
+
/// can use this to see "Top apps over 1 Week"
|
620
641
|
message TopperTrendRequest {
|
621
642
|
required string counter_group=2;
|
622
643
|
optional int64 meter=3 [default=0];
|
@@ -624,53 +645,50 @@ message TopperTrendRequest {
|
|
624
645
|
optional TimeInterval time_interval=5;
|
625
646
|
}
|
626
647
|
|
627
|
-
|
628
|
-
// TopperTrendResponse
|
648
|
+
/// TopperTrendResponse
|
629
649
|
message TopperTrendResponse {
|
630
650
|
required string counter_group=2;
|
631
|
-
required int64 meter=3;
|
632
|
-
repeated KeyStats keytrends=4;
|
651
|
+
required int64 meter=3;
|
652
|
+
repeated KeyStats keytrends=4; /// timeseries - ts, (array of key stats) for each snapshot interval
|
633
653
|
}
|
634
654
|
|
635
655
|
|
636
656
|
|
637
|
-
|
638
|
-
// Subscribe - add a subcription to the Real Time channel
|
657
|
+
/// Subscribe - add a subcription to the Real Time channel
|
639
658
|
message SubscribeCtl {
|
640
659
|
|
641
|
-
|
642
|
-
|
643
|
-
|
644
|
-
|
645
|
-
|
646
|
-
|
647
|
-
|
648
|
-
|
660
|
+
// from TrisulAPI
|
661
|
+
enum StabberType
|
662
|
+
{
|
663
|
+
ST_COUNTER_ITEM=0;
|
664
|
+
ST_ALERT=1;
|
665
|
+
ST_FLOW=2;
|
666
|
+
ST_TOPPER=3;
|
667
|
+
}
|
649
668
|
|
650
|
-
|
651
|
-
|
652
|
-
|
653
|
-
|
654
|
-
|
669
|
+
enum CtlType
|
670
|
+
{
|
671
|
+
CT_SUBSCRIBE=0;
|
672
|
+
CT_UNSUBSCRIBE=1;
|
673
|
+
}
|
655
674
|
|
656
|
-
|
657
|
-
|
658
|
-
|
659
|
-
|
660
|
-
|
661
|
-
|
675
|
+
required string context_name=1;
|
676
|
+
required CtlType ctl=2;
|
677
|
+
required StabberType type=3;
|
678
|
+
optional string guid=4;
|
679
|
+
optional string key=5;
|
680
|
+
optional int64 meterid=6;
|
662
681
|
}
|
663
682
|
|
664
683
|
|
665
684
|
|
666
|
-
|
667
|
-
|
668
|
-
|
669
|
-
|
685
|
+
/// FTS
|
686
|
+
/// query to return docs, docids, and flows based on keyword search
|
687
|
+
///
|
670
688
|
message QueryFTSRequest {
|
671
689
|
|
672
690
|
required TimeInterval time_interval=2;
|
673
|
-
|
691
|
+
required string fts_group=3;
|
674
692
|
required string keywords=4;
|
675
693
|
optional int64 maxitems=5[default=100];
|
676
694
|
}
|
@@ -678,74 +696,71 @@ message QueryFTSRequest {
|
|
678
696
|
|
679
697
|
message QueryFTSResponse {
|
680
698
|
|
681
|
-
|
682
|
-
repeated DocumentT
|
699
|
+
required string fts_group=2;
|
700
|
+
repeated DocumentT documents=3;
|
683
701
|
|
684
702
|
}
|
685
703
|
|
686
704
|
|
687
|
-
|
688
|
-
|
689
|
-
|
690
|
-
|
691
|
-
|
705
|
+
/// Timeslices - retrieves the backend timeslice details
|
706
|
+
///
|
707
|
+
/// get the METERS METASLICE info
|
708
|
+
/// .. response = TimeSlicesResponse
|
692
709
|
message TimeSlicesRequest {
|
693
|
-
|
694
|
-
|
695
|
-
|
710
|
+
optional bool get_disk_usage=1[default=false];
|
711
|
+
optional bool get_all_engines=2[default=false];
|
712
|
+
optional bool get_total_window=3[default=false];
|
696
713
|
}
|
697
714
|
|
698
|
-
|
699
|
-
|
715
|
+
/// .. response = TimeSlicesResponse
|
716
|
+
/// get the PCAP METASLICE based info
|
700
717
|
message PcapSlicesRequest {
|
701
|
-
|
702
|
-
|
718
|
+
required string context_name=1;
|
719
|
+
optional bool get_total_window=2[default=false];
|
703
720
|
}
|
704
721
|
|
705
722
|
message TimeSlicesResponse {
|
706
|
-
|
707
|
-
|
708
|
-
|
709
|
-
|
710
|
-
|
711
|
-
|
712
|
-
|
713
|
-
|
714
|
-
|
715
|
-
|
716
|
-
|
723
|
+
message SliceT
|
724
|
+
{
|
725
|
+
required TimeInterval time_interval=1;
|
726
|
+
optional string name=2;
|
727
|
+
optional string status=3;
|
728
|
+
optional int64 disk_size=4;
|
729
|
+
optional string path=5;
|
730
|
+
optional bool available=6;
|
731
|
+
};
|
732
|
+
|
733
|
+
repeated SliceT slices=1;
|
717
734
|
optional TimeInterval total_window=2;
|
718
|
-
|
735
|
+
optional string context_name=3;
|
719
736
|
}
|
720
737
|
|
721
738
|
|
722
|
-
|
723
|
-
|
739
|
+
/// DeleteAlerts
|
740
|
+
/// - very limited exception to Trisul rule of not having delete options
|
724
741
|
message DeleteAlertsRequest {
|
725
742
|
required string alert_group=2;
|
726
743
|
required TimeInterval time_interval=3;
|
727
|
-
optional KeyT
|
728
|
-
optional KeyT
|
729
|
-
optional KeyT
|
730
|
-
optional KeyT
|
731
|
-
optional KeyT
|
732
|
-
optional KeyT
|
733
|
-
optional KeyT
|
734
|
-
optional KeyT
|
735
|
-
optional KeyT
|
736
|
-
|
744
|
+
optional KeyT source_ip=6;
|
745
|
+
optional KeyT source_port=7;
|
746
|
+
optional KeyT destination_ip=8;
|
747
|
+
optional KeyT destination_port=9;
|
748
|
+
optional KeyT sigid=10;
|
749
|
+
optional KeyT classification=11;
|
750
|
+
optional KeyT priority=12;
|
751
|
+
optional KeyT any_ip=18;
|
752
|
+
optional KeyT any_port=19;
|
753
|
+
optional string message_regex=21; /// delete using regex
|
737
754
|
}
|
738
755
|
|
739
|
-
|
740
|
-
// MetricsSummaryRequest
|
756
|
+
/// MetricsSummaryRequest - used to retrieve DB stats
|
741
757
|
message MetricsSummaryRequest{
|
742
758
|
optional TimeInterval time_interval=1;
|
743
759
|
required string metric_name=2;
|
744
|
-
|
760
|
+
optional bool totals_only=3[default=true];
|
745
761
|
}
|
746
762
|
|
747
|
-
|
748
|
-
// MetricsSummaryResponse
|
763
|
+
/// MetricsSummaryResponse
|
749
764
|
message MetricsSummaryResponse {
|
750
765
|
required string metric_name=2;
|
751
766
|
repeated StatsTuple vals=3;
|
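Review bot: DeleteAlertsRequest in this hunk jumps from `optional KeyT priority=12;` to `any_ip=18`, `any_port=19` and `message_regex=21` and the gaps are not reserved; the same pattern appears in the next hunk (`@@ -753`), where ContextStopRequest has only `context_name=1` and `run_tool=5`, and ContextConfigResponse goes from `endpoints_pub=8` to `config_values=10`. If those numbers carried fields in an earlier release, a later addition can silently reuse them with a different meaning, so add `reserved 13 to 17, 20;` (plus the old names) inside DeleteAlertsRequest and matching statements in the other two messages. `optional string message_regex=21; /// delete using regex` takes a client-supplied regular expression on a destructive path with no stated limits; the field comment should name the regex dialect and state that the receiver bounds pattern length and match time before running it over the alert store. `optional string path=5;` inside SliceT returns a backend filesystem path to the client; if it is informational only, say so in the comment so nothing downstream feeds it back into FileRequest.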
@@ -753,265 +768,267 @@ message MetricsSummaryResponse {
|
|
753
768
|
|
754
769
|
|
755
770
|
|
756
|
-
|
757
|
-
// LogRequest - want log file
|
771
|
+
/// LogRequest - get log file from a domain node
|
758
772
|
message LogRequest {
|
759
773
|
|
760
774
|
required string context_name=1;
|
761
775
|
required string log_type=2;
|
762
776
|
optional string regex_filter=4;
|
763
777
|
optional int64 maxlines=5[default=1000];
|
764
|
-
|
765
|
-
|
766
|
-
|
778
|
+
optional string continue_logfilename=6;
|
779
|
+
optional int64 continue_seekpos=7;
|
780
|
+
optional bool latest_run_only=8[default=false];
|
767
781
|
}
|
768
782
|
|
769
783
|
|
770
784
|
message LogResponse {
|
771
785
|
|
772
786
|
required string context_name=1;
|
773
|
-
|
774
|
-
|
775
|
-
repeated string log_lines=8;
|
787
|
+
optional string logfilename=6;
|
788
|
+
optional int64 seekpos=7;
|
789
|
+
repeated string log_lines=8; /// compressed gz
|
776
790
|
}
|
777
791
|
|
778
792
|
|
779
|
-
|
793
|
+
/// messages to routerX backend
|
780
794
|
message DomainRequest {
|
781
|
-
|
782
|
-
|
783
|
-
|
784
|
-
|
795
|
+
required DomainOperation cmd=1;
|
796
|
+
optional string station_id=2;
|
797
|
+
optional string params=3;
|
798
|
+
optional DomainNodeType nodetype=4;
|
785
799
|
}
|
786
800
|
|
787
801
|
message DomainResponse {
|
788
802
|
|
789
803
|
|
790
|
-
|
804
|
+
message Node {
|
791
805
|
|
792
|
-
|
793
|
-
|
794
|
-
|
795
|
-
|
796
|
-
|
797
|
-
|
806
|
+
required string id=1;
|
807
|
+
required DomainNodeType nodetype=2;
|
808
|
+
optional string station_id=3;
|
809
|
+
optional string extra_info=4;
|
810
|
+
optional Timestamp register_time=5;
|
811
|
+
optional Timestamp heartbeat_time=6;
|
798
812
|
|
799
|
-
|
813
|
+
}
|
800
814
|
|
801
|
-
|
802
|
-
|
803
|
-
|
804
|
-
|
805
|
-
|
815
|
+
required DomainOperation cmd=1;
|
816
|
+
repeated Node nodes=2;
|
817
|
+
optional string req_params=3;
|
818
|
+
optional string params=4;
|
819
|
+
optional bool need_reconnect=5[default=false];
|
806
820
|
}
|
807
821
|
|
808
822
|
|
809
823
|
message NodeConfigRequest {
|
810
|
-
|
824
|
+
optional string message=1;
|
811
825
|
|
812
|
-
|
813
|
-
|
814
|
-
|
815
|
-
|
816
|
-
|
817
|
-
|
826
|
+
message IntelFeed {
|
827
|
+
required string guid=1; /// identifying feed group (eg Geo, Badfellas)
|
828
|
+
optional string name=2; /// name
|
829
|
+
optional string download_rules=3; /// xml file with feed update instructions
|
830
|
+
repeated string uri=4; /// individual files in config//.. for FileRequest download
|
831
|
+
}
|
818
832
|
|
819
|
-
|
820
|
-
|
821
|
-
|
822
|
-
|
833
|
+
optional IntelFeed add_feed=2;
|
834
|
+
optional IntelFeed process_new_feed=3;
|
835
|
+
optional bool get_all_nodes=4[default=true];
|
836
|
+
repeated NameValue query_config=5;
|
823
837
|
|
824
838
|
}
|
825
839
|
|
826
840
|
message NodeConfigResponse {
|
827
841
|
|
828
|
-
|
829
|
-
|
830
|
-
|
831
|
-
|
832
|
-
|
833
|
-
|
842
|
+
message Node {
|
843
|
+
required string id=1;
|
844
|
+
required DomainNodeType nodetype=2;
|
845
|
+
required string description=3;
|
846
|
+
required string public_key=4;
|
847
|
+
}
|
834
848
|
|
835
|
-
|
836
|
-
|
837
|
-
|
838
|
-
|
839
|
-
|
849
|
+
repeated Node domains=1;
|
850
|
+
repeated Node hubs=2;
|
851
|
+
repeated Node probes=3;
|
852
|
+
repeated string feeds=4;
|
853
|
+
repeated NameValue config_values=5;
|
840
854
|
}
|
841
855
|
|
842
856
|
|
843
|
-
|
844
|
-
|
845
|
-
|
846
|
-
//
|
857
|
+
/// ContextRequest - Context methods
|
858
|
+
/// response Ok or Error, follow up with ContextInfo to print details
|
859
|
+
///
|
847
860
|
message ContextCreateRequest {
|
848
861
|
required string context_name=1;
|
849
862
|
optional string clone_from=2;
|
850
863
|
}
|
851
864
|
|
852
|
-
|
853
|
-
|
854
|
-
// use is_init to prime with config
|
865
|
+
/// ContextInfo : one or all contexts
|
866
|
+
/// use is_init to prime with config
|
855
867
|
message ContextInfoRequest {
|
856
|
-
optional string context_name=1;
|
857
|
-
|
868
|
+
optional string context_name=1; /// if not set all context get in
|
869
|
+
optional bool get_size_on_disk=2[default=false]; /// get size on disk (expensive)
|
858
870
|
}
|
859
871
|
|
860
872
|
message ContextInfoResponse {
|
861
873
|
|
862
874
|
|
863
|
-
|
864
|
-
|
865
|
-
|
866
|
-
|
867
|
-
|
868
|
-
|
869
|
-
|
870
|
-
|
871
|
-
|
872
|
-
|
873
|
-
|
874
|
-
|
875
|
-
|
876
|
-
|
875
|
+
message Item
|
876
|
+
{
|
877
|
+
required string context_name=1;
|
878
|
+
required bool is_initialized=2;
|
879
|
+
required bool is_running=3;
|
880
|
+
optional int64 size_on_disk=4;
|
881
|
+
optional TimeInterval time_interval=5;
|
882
|
+
optional bool is_clean=6;
|
883
|
+
optional string extrainfo=7;
|
884
|
+
repeated TimeInterval run_history=8;
|
885
|
+
optional string profile=9;
|
886
|
+
optional string runmode=10;
|
887
|
+
optional string node_version=11;
|
888
|
+
}
|
877
889
|
|
878
|
-
|
890
|
+
repeated Item items=1;
|
879
891
|
}
|
880
892
|
|
881
|
-
|
882
|
-
|
883
|
-
// reset data only ..
|
893
|
+
/// ContextDelete : initialize
|
894
|
+
/// reset data only ..
|
884
895
|
message ContextDeleteRequest {
|
885
|
-
required string context_name=1;
|
886
|
-
|
896
|
+
required string context_name=1; /// if not set all context get in
|
897
|
+
optional bool reset_data=2; /// reset data dont delete everything
|
887
898
|
}
|
888
899
|
|
889
|
-
|
890
|
-
|
900
|
+
/// ContextStart : run
|
901
|
+
/// run data only ..
|
891
902
|
message ContextStartRequest {
|
892
|
-
required string context_name=1;
|
893
|
-
|
894
|
-
|
895
|
-
|
896
|
-
|
897
|
-
|
898
|
-
|
903
|
+
required string context_name=1; /// if not set all context get in
|
904
|
+
optional string mode=2; /// same as trisul cmdline run mode
|
905
|
+
optional bool background=3;
|
906
|
+
optional string pcap_path=4;
|
907
|
+
optional string run_tool=5; /// snort, suricata supported..
|
908
|
+
optional string tool_ids_config=6;
|
909
|
+
optional string tool_av_config=7;
|
910
|
+
optional string cmd_in=8; /// maps to trisul -in
|
911
|
+
optional string cmd_out=9; /// maps to trisul -out
|
912
|
+
optional string cmd_args=10; /// maps to trisul -args
|
899
913
|
|
900
914
|
}
|
901
915
|
|
902
|
-
|
916
|
+
/// ContextSttop : kill the context processes
|
903
917
|
message ContextStopRequest {
|
904
|
-
required string context_name=1;
|
905
|
-
|
918
|
+
required string context_name=1; /// if not set all context get in
|
919
|
+
optional string run_tool=5; /// snort, suricata , trp, flushd supported..
|
906
920
|
}
|
907
921
|
|
908
922
|
|
909
|
-
|
910
|
-
|
911
|
-
|
912
|
-
// Status = OK if running with PID etc in message text
|
923
|
+
/// ContextConfigRequest - start stop status
|
924
|
+
/// OK or ERROR response
|
925
|
+
/// Status = OK if running with PID etc in message text
|
913
926
|
message ContextConfigRequest {
|
914
927
|
required string context_name=1;
|
915
928
|
optional string profile=2;
|
916
929
|
optional string params=3;
|
917
|
-
|
918
|
-
|
919
|
-
|
930
|
+
optional bytes push_config_blob=4; /// push this ..
|
931
|
+
repeated NameValue query_config=5; /// query, leave the .value field blank
|
932
|
+
repeated NameValue set_config_values=6; /// push this .. (name=value;name=value ..)
|
920
933
|
}
|
921
934
|
|
922
935
|
|
923
936
|
message ContextConfigResponse {
|
924
937
|
|
925
|
-
|
926
|
-
|
927
|
-
|
928
|
-
|
929
|
-
|
930
|
-
|
931
|
-
|
932
|
-
|
933
|
-
|
934
|
-
|
935
|
-
|
936
|
-
|
937
|
-
|
938
|
-
|
939
|
-
|
940
|
-
|
941
|
-
|
942
|
-
|
943
|
-
}
|
944
|
-
|
945
|
-
|
946
|
-
|
947
|
-
|
948
|
-
|
949
|
-
|
950
|
-
|
951
|
-
|
952
|
-
|
953
|
-
|
954
|
-
|
938
|
+
message Layer
|
939
|
+
{
|
940
|
+
required int64 layer=1;
|
941
|
+
required string probe_id=2;
|
942
|
+
optional string probe_description=3;
|
943
|
+
}
|
944
|
+
|
945
|
+
required string context_name=1;
|
946
|
+
optional string profile=2;
|
947
|
+
optional string params=3; /// what kind of config you want
|
948
|
+
optional bytes pull_config_blob=4; /// config
|
949
|
+
optional bytes config_blob=5; /// compress tar.gz ..
|
950
|
+
repeated string endpoints_flush=6;
|
951
|
+
repeated string endpoints_query=7;
|
952
|
+
repeated string endpoints_pub=8;
|
953
|
+
repeated NameValue config_values=10; /// query, leave the .value field blank
|
954
|
+
repeated Layer layers=11;
|
955
|
+
|
956
|
+
}
|
957
|
+
|
958
|
+
/// PcapRequest - retrieve a PCAP
|
959
|
+
/// Sent directly to each probe rather than to the DB query HUB
|
960
|
+
///
|
961
|
+
/// the flow is PCAP Request for a file -> put a file on the probe > return a token
|
962
|
+
/// > use that token in FileRequest to download the file from the probe
|
963
|
+
///
|
964
|
+
/// see app notes and examples
|
965
|
+
///
|
966
|
+
/// NOTE - only one of the various filters are supported
|
967
|
+
/// sending > 1 will result in error
|
968
|
+
///
|
969
|
+
/// Modes
|
970
|
+
/// 1. nothing set => PCAP file in contents
|
971
|
+
/// 2. save_file_prefix set => file download token
|
972
|
+
/// 3. merge_pcap_files => file download token
|
973
|
+
///
|
974
|
+
///
|
955
975
|
message PcapRequest {
|
956
|
-
|
957
|
-
optional int64 max_bytes=2[default=100000000]; // 100MB , can increase to 0.75 Filesystem freespace
|
976
|
+
required string context_name=1; // context
|
977
|
+
optional int64 max_bytes=2[default=100000000]; // max return PCAP size default=100MB , can increase to 0.75 Filesystem freespace
|
958
978
|
optional CompressionType compress_type=3[default=UNCOMPRESSED];
|
959
|
-
|
979
|
+
optional TimeInterval time_interval=4; // not needed for merge option
|
960
980
|
optional string save_file_prefix=5;
|
961
|
-
|
962
|
-
|
963
|
-
|
981
|
+
optional string filter_expression=6; /// PCAP filter expression in Trisul Filter format
|
982
|
+
repeated string merge_pcap_files=7; /// list of PCAP files on probe that you need to merge
|
983
|
+
optional bool delete_after_merge=8[default=true];
|
964
984
|
optional PcapFormat format=9[default=LIBPCAP];
|
965
985
|
}
|
966
986
|
|
967
987
|
|
968
|
-
|
969
|
-
|
988
|
+
/// Pcap Response - for small files (<1MB) contents directly contain the PCAP
|
989
|
+
/// for larger files, save_file contains a download token for use by FileRequest
|
970
990
|
message PcapResponse {
|
971
|
-
|
972
|
-
optional PcapFormat
|
973
|
-
optional CompressionType
|
974
|
-
optional TimeInterval
|
975
|
-
optional int64
|
976
|
-
optional string
|
977
|
-
optional bytes
|
978
|
-
|
979
|
-
}
|
980
|
-
|
981
|
-
|
982
|
-
// GrepRequest
|
991
|
+
required string context_name=1;
|
992
|
+
optional PcapFormat format=2[default=LIBPCAP];
|
993
|
+
optional CompressionType compress_type=3[default=UNCOMPRESSED];
|
994
|
+
optional TimeInterval time_interval=4;
|
995
|
+
optional int64 num_bytes=5;
|
996
|
+
optional string sha1=6;
|
997
|
+
optional bytes contents=7;
|
998
|
+
optional string save_file=8; //use FileRequest framework to download
|
999
|
+
}
|
1000
|
+
|
1001
|
+
/// GrepRequest - reconstruct and search for patterns in saved packets
|
983
1002
|
message GrepRequest {
|
984
|
-
|
1003
|
+
required string context_name=1;
|
985
1004
|
required TimeInterval time_interval=2;
|
986
1005
|
optional int64 maxitems=3 [default=100];
|
987
1006
|
optional int64 flowcutoff_bytes=4;
|
988
|
-
optional string pattern_hex=5;
|
989
|
-
optional string pattern_text=6;
|
990
|
-
optional string pattern_file=7;
|
991
|
-
|
1007
|
+
optional string pattern_hex=5; /// hex patttern
|
1008
|
+
optional string pattern_text=6; /// plain text
|
1009
|
+
optional string pattern_file=7; /// a file - must be available at probe
|
1010
|
+
repeated string md5list=8; /// a list of MD5 matching the content
|
992
1011
|
optional bool resolve_keys=9 [default=true];
|
993
1012
|
}
|
994
1013
|
|
995
|
-
|
996
|
-
// GrepResponse
|
1014
|
+
/// GrepResponse
|
997
1015
|
message GrepResponse {
|
998
|
-
|
999
|
-
repeated SessionT sessions=2;
|
1000
|
-
repeated string hints=3;
|
1001
|
-
|
1016
|
+
required string context_name=1;
|
1017
|
+
repeated SessionT sessions=2; /// sessionT with keys containing the content
|
1018
|
+
repeated string hints=3; /// some surrounding context for the match
|
1019
|
+
optional string probe_id=4;
|
1002
1020
|
}
|
1003
1021
|
|
1004
|
-
|
1005
|
-
|
1022
|
+
/// ProbeStatsRequest - DOMAIN
|
1023
|
+
/// retrieve statistics about probe cpu, mem, etc
|
1006
1024
|
message ProbeStatsRequest{
|
1007
|
-
|
1025
|
+
required string context_name=1;
|
1008
1026
|
optional string param=2;
|
1009
1027
|
}
|
1010
1028
|
|
1011
|
-
|
1012
|
-
// ProbeStatsResponse
|
1029
|
+
/// ProbeStatsResponse
|
1013
1030
|
message ProbeStatsResponse {
|
1014
|
-
|
1031
|
+
required string context_name=1;
|
1015
1032
|
required string instance_name=2;
|
1016
1033
|
required int64 connections=3;
|
1017
1034
|
required int64 uptime_seconds=4;
|
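Review bot: `optional bool delete_after_merge=8[default=true];` in PcapRequest makes deletion the default outcome for `merge_pcap_files=7`, a list of file names on the probe chosen by the client, and neither field says how the receiver confines those names; the same gap applies to `pattern_file=7` in GrepRequest, `continue_logfilename=6` in LogRequest, and `uri=1` with `delete_on_eof=5` in FileRequest, where the PcapRequest comment calls the value a download token but the field is named and documented as a URI. Put the contract on the fields, e.g. `repeated string merge_pcap_files=7; /// file names under the probe's PCAP directory only, no directory components; receiver rejects anything else`, with a similar line on the other three so implementers treat them as restricted identifiers rather than paths. `repeated string log_lines=8; /// compressed gz` in LogResponse puts gzip output into a `string` field, which proto2 defines as UTF-8 text and which some runtimes decode or replace rather than pass through unchanged; if the comment is accurate the payload belongs in a `bytes` field under a new number, since retyping 8 would be a wire break. `optional bytes config_blob=5; /// compress tar.gz ..` and `push_config_blob=4` carry archives the receiving side presumably unpacks, and `run_tool=5` / `cmd_args=10` in ContextStartRequest map to a process launch, so the comments should state that archive entry names are validated against the target directory and that `run_tool` is matched against a fixed list with `cmd_*` passed as discrete arguments. The enclosing file continues past this hunk.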
@@ -1022,49 +1039,46 @@ message ProbeStatsResponse {
|
|
1022
1039
|
required double mem_total=9;
|
1023
1040
|
required double drop_percent_cap=10;
|
1024
1041
|
required double drop_percent_trisul=11;
|
1025
|
-
|
1026
|
-
|
1027
|
-
|
1028
|
-
|
1042
|
+
optional int64 proc_bytes=12;
|
1043
|
+
optional int64 proc_packets=13;
|
1044
|
+
optional string offline_pcap_file=14;
|
1045
|
+
optional bool is_running=15;
|
1029
1046
|
}
|
1030
1047
|
|
1031
|
-
|
1032
|
-
|
1048
|
+
/// AsyncResponse - a token represnting a future response
|
1049
|
+
/// you will get an AsyncResponse for TRP Request if you set the run_async=true at the message level
|
1033
1050
|
message AsyncResponse {
|
1034
|
-
required int64 token=1;
|
1035
|
-
|
1036
|
-
|
1051
|
+
required int64 token=1; /// use this token in AsyncRequest polling until you get the original Response you expected
|
1052
|
+
optional string response_message=3;
|
1053
|
+
optional Message response=4;
|
1037
1054
|
}
|
1038
1055
|
|
1039
|
-
|
1040
|
-
|
1041
|
-
// response taken from original (if ready) or not_ready flag set
|
1056
|
+
/// AsyncRequest - Asynchrononous query framework
|
1057
|
+
/// response taken from original , the token
|
1042
1058
|
message AsyncRequest {
|
1043
|
-
|
1059
|
+
required int64 token=1; // token from AsyncResponse
|
1044
1060
|
optional string request_message =2; // basically extra text for logging
|
1045
1061
|
}
|
1046
1062
|
|
1047
|
-
|
1048
|
-
// FileRequest
|
1063
|
+
/// FileRequest - used to download files from Trisul domain nodes like probes
|
1049
1064
|
message FileRequest {
|
1050
|
-
|
1051
|
-
required int64 position=2;
|
1052
|
-
|
1053
|
-
|
1054
|
-
|
1065
|
+
required string uri=1; /// uri of resource you want to download , example PcapResponse.save_file
|
1066
|
+
required int64 position=2; /// seek position in that file
|
1067
|
+
optional string params=3; /// local meaning sentback n response
|
1068
|
+
optional string context_name=4; /// context name
|
1069
|
+
optional bool delete_on_eof=5[default=false];
|
1055
1070
|
}
|
1056
1071
|
|
1057
|
-
|
1058
|
-
|
1059
|
-
|
1060
|
-
// for very large files, since most files are data feeds < 100MB fine for now
|
1072
|
+
/// FileResponse
|
1073
|
+
/// one chunk at at time, Trisul has slightly inefficient File Transfer
|
1074
|
+
/// for very large files, since most files are data feeds < 100MB fine for now
|
1061
1075
|
message FileResponse {
|
1062
|
-
|
1063
|
-
|
1064
|
-
optional int64 position=3;
|
1065
|
-
optional bytes content=4;
|
1076
|
+
required string uri=1; /// requested URI
|
1077
|
+
required bool eof=2; /// end of all chunks
|
1078
|
+
optional int64 position=3; /// current position
|
1079
|
+
optional bytes content=4; /// file chunk content
|
1066
1080
|
optional string request_params =5;
|
1067
|
-
|
1081
|
+
optional string context_name=6;
|
1068
1082
|
}
|
1069
1083
|
|
1070
1084
|
|