diff --git a/go.mod b/go.mod
index d410a3e..b716895 100644
--- a/go.mod
+++ b/go.mod
@@ -9,6 +9,7 @@ require (
 github.com/apex/log v0.0.0-20170216004756-fac6c51185bc
 github.com/asaskevich/govalidator v0.0.0-20170104211126-fdf19785fd35
 github.com/davecgh/go-spew v1.1.1 // indirect
+ github.com/google/gonids v0.0.0-20190510211530-bacab9879ae4
 github.com/mattn/go-isatty v0.0.7 // indirect
 github.com/pkg/errors v0.0.0-20161029093637-248dadf4e906
 github.com/pmezard/go-difflib v1.0.0 // indirect
diff --git a/go.sum b/go.sum
index 3a23e08..b4eeb3b 100644
--- a/go.sum
+++ b/go.sum
@@ -13,6 +13,8 @@ github.com/apex/log v0.0.0-20170216004756-fac6c51185bc/go.mod h1:yA770aXIDQrhVOI
 github.com/asaskevich/govalidator v0.0.0-20170104211126-fdf19785fd35 h1:jtOyR8GH6bAopQsGgvAhTLbp2kIgGw5hJpfRoFjr6AI=
 github.com/asaskevich/govalidator v0.0.0-20170104211126-fdf19785fd35/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/google/gonids v0.0.0-20190510211530-bacab9879ae4 h1:aO39F2Ag2xAfnclcCE5o5YkV/aIqb20xr+xHX37o3dM=
+github.com/google/gonids v0.0.0-20190510211530-bacab9879ae4/go.mod h1:Zq6rDS/pkt/UBg6Ol4sbNG6RTShiuWDAM3gC3yPpCsg=
 github.com/mattn/go-isatty v0.0.7 h1:UvyT9uN+3r7yLEYSlJsbQGdsaB/a0DlgWP3pql6iwOc=
 github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/pkg/errors v0.0.0-20161029093637-248dadf4e906 h1:aXc/AM323HlkOXjl3QuSO06wbXK45HrzBT+pwVOufXg=
diff --git a/vendor/github.com/google/gonids/CONTRIBUTING b/vendor/github.com/google/gonids/CONTRIBUTING
new file mode 100644
index 0000000..1a09deb
--- /dev/null
+++ b/vendor/github.com/google/gonids/CONTRIBUTING
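Review bot: The `+ github.com/google/gonids v0.0.0-20190510211530-bacab9879ae4` line pins the new dependency to a pseudo-version of an untagged commit, so there is no release to match advisories or upstream changelogs against; the commit message should say why this snapshot was chosen, and the pin should move to a tagged version once upstream publishes one. The go.sum entries and the vendored copy make the build reproducible only if CI runs `go mod verify` and builds with `-mod=vendor`, otherwise a later edit under vendor/ can diverge from the recorded hash unnoticed. The snapshot also has rough edges worth knowing about before it parses untrusted rule sets: `parsePCRE` in the vendored parser.go checks `l < 0` a second time where `i < 0` was presumably intended, and `lex` in lex.go starts a goroutine per input over an unbuffered channel (`go l.run()`), so a caller that stops reading items after an early parse error presumably leaves that goroutine blocked. Tracking upstream for fixes and re-vendoring is cheaper than patching the vendor tree locally.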
@@ -0,0 +1,27 @@
+Want to contribute? Great! First, read this page (including the small print at the end).
+
+### Before you contribute
+Before we can use your code, you must sign the
+[Google Individual Contributor License Agreement]
+(https://cla.developers.google.com/about/google-individual)
+(CLA), which you can do online. The CLA is necessary mainly because you own the
+copyright to your changes, even after your contribution becomes part of our
+codebase, so we need your permission to use and distribute your code. We also
+need to be sure of various other things—for instance that you'll tell us if you
+know that your code infringes on other people's patents. You don't have to sign
+the CLA until after you've submitted your code for review and a member has
+approved it, but you must do it before we can put your code into our codebase.
+Before you start working on a larger contribution, you should get in touch with
+us first through the issue tracker with your idea so that we can help out and
+possibly guide you. Coordinating up front makes it much easier to avoid
+frustration later on.
+
+### Code reviews
+All submissions, including submissions by project members, require review. We
+use GitHub pull requests for this purpose.
+
+### The small print
+Contributions made by corporations are covered by a different agreement than
+the one above, the
+[Software Grant and Corporate Contributor License Agreement]
+(https://cla.developers.google.com/about/google-corporate).
diff --git a/vendor/github.com/google/gonids/LICENSE b/vendor/github.com/google/gonids/LICENSE
new file mode 100644
index 0000000..25dd999
--- /dev/null
+++ b/vendor/github.com/google/gonids/LICENSE
@@ -0,0 +1,202 @@
+
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright 2016 Google Inc.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/vendor/github.com/google/gonids/README.md b/vendor/github.com/google/gonids/README.md
new file mode 100644
index 0000000..692215b
--- /dev/null
+++ b/vendor/github.com/google/gonids/README.md
@@ -0,0 +1,35 @@
+gonids is a library to parse IDS rules for engines like Snort and Suricata.
+
+### Installation
+```
+$ go get github.com/google/gonids
+```
+
+### Quick Start
+Add this import line to the file you're working in:
+```
+import "github.com/google/gonids"
+```
+
+To parse a rule:
+```
+rule := `alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"GONIDS TEST hello world"; flow:established,to_server; content:"hello world"; classtype:trojan-activity; sid:1; rev:1;)`
+r, err := gonids.ParseRule(rule)
+if err != nil {
+ // Handle parse error
+}
+// Do something with your rule.
+switch r.Action {
+case "alert":
+ // This is an 'alert' rule.
+case "drop":
+ // This is a 'drop' rule.
+case "pass":
+ // This is a 'pass' rule.
+default:
+ // I have no idea what this would be. =)
+}
+```
+
+### Miscellaneous
+This is not an official Google product.
diff --git a/vendor/github.com/google/gonids/lex.go b/vendor/github.com/google/gonids/lex.go
new file mode 100644
index 0000000..76a6a6e
--- /dev/null
+++ b/vendor/github.com/google/gonids/lex.go
@@ -0,0 +1,426 @@
+/* Copyright 2016 Google Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package gonids implements a basic lexer of IDS rules (Snort/Suricata).
+//
+// For now the lexer is able to lex all parts of the rule but it is still
+// pretty lax on error handling.
+package gonids
+
+import (
+ "errors"
+ "fmt"
+ "strings"
+ "unicode"
+ "unicode/utf8"
+)
+
+// item represents a token or text string returned from the lexer.
+type item struct {
+ typ itemType // The type of this item.
+ value string // The value of this item.
+}
+
+// String returns a string describing an item.
+func (i item) String() string {
+ switch i.typ {
+ case itemEOF:
+ return "EOF"
+ case itemError:
+ return i.value
+ }
+ return fmt.Sprintf("%q: %s", i.typ, i.value)
+}
+
+type itemType int
+
+const (
+ itemError itemType = iota
+ itemComment
+ itemAction
+ itemProtocol
+ itemSourceAddress
+ itemSourcePort
+ itemDirection
+ itemDestinationAddress
+ itemDestinationPort
+ itemNot
+ itemOptionKey
+ itemOptionValue
+ itemOptionNoValue
+ itemOptionValueString
+ itemEOR
+ itemEOF
+)
+
+const eof = -1
+
+// stateFn represents the state of the scanner as a function that returns the next state.
+type stateFn func(*lexer) stateFn
+
+// lexer holds the state of the scanner.
+type lexer struct {
+ input string // the string being scanned
+ state stateFn // the next lexing function to enter
+ pos int // current position in the input
+ start int // start position of this item
+ width int // width of last rune read from input
+ items chan item // channel of scanned items
+}
+
+// next returns the next rune in the input.
+func (l *lexer) next() rune {
+ if l.pos >= len(l.input) {
+ l.width = 0
+ return eof
+ }
+ r, w := utf8.DecodeRuneInString(l.input[l.pos:])
+ if r == utf8.RuneError && w == 1 {
+ // The whole input string has been validated at init.
+ panic("invalid UTF-8 character")
+ }
+ l.width = w
+ l.pos += l.width
+ return r
+}
+
+// skipNext skips over the next rune in the input.
+func (l *lexer) skipNext() {
+ l.next()
+ l.ignore()
+}
+
+// peek returns but does not consume the next rune in the input.
+func (l *lexer) peek() rune {
+ r := l.next()
+ l.backup()
+ return r
+}
+
+// len returns the the current length of the item in processing.
+func (l *lexer) len() int {
+ if l.pos >= len(l.input) {
+ return -1
+ }
+ return l.pos - l.start
+}
+
+// backup steps back one rune. Can only be called once per call of next.
+func (l *lexer) backup() {
+ if l.width == -1 {
+ panic("double backup")
+ }
+ l.pos -= l.width
+ l.width = -1
+}
+
+// emit passes an item back to the client, trimSpaces can be used to trim spaces around item
+// value before emiting.
+func (l *lexer) emit(t itemType, trimSpaces bool) {
+ input := l.input[l.start:l.pos]
+ if trimSpaces {
+ input = strings.TrimSpace(input)
+ }
+ l.items <- item{t, input}
+ l.start = l.pos
+}
+
+// ignore skips over the pending input before this point.
+func (l *lexer) ignore() {
+ l.start = l.pos
+}
+
+// accept consumes the next rune if it's from the valid set.
+func (l *lexer) accept(valid string) bool {
+ if strings.IndexRune(valid, l.next()) >= 0 {
+ return true
+ }
+ l.backup()
+ return false
+}
+
+// acceptRun consumes a run of runes from the valid set.
+func (l *lexer) acceptRun(valid string) {
+ for strings.IndexRune(valid, l.next()) >= 0 {
+ }
+ l.backup()
+}
+
+// ignoreSpaces ignores all spaces at the start of the input.
+func (l *lexer) ignoreSpaces() {
+ for unicode.IsSpace(l.next()) {
+ l.ignore()
+ }
+ l.backup()
+}
+
+// errorf returns an error token and terminates the scan by passing
+// back a nil pointer that will be the next state, terminating l.nextItem.
+func (l *lexer) errorf(format string, args ...interface{}) stateFn {
+ l.items <- item{itemError, fmt.Sprintf(format, args...)}
+ return nil
+}
+
+func (l *lexer) unexpectedEOF() stateFn {
+ l.items <- item{itemError, "unexpected EOF"}
+ return nil
+}
+
+// nextItem returns the next item from the input.
+func (l *lexer) nextItem() item {
+ return <-l.items
+}
+
+// lex initializes and runs a new scanner for the input string.
+func lex(input string) (*lexer, error) {
+ if !utf8.ValidString(input) {
+ return nil, errors.New("input is not a valid UTF-8 string")
+ }
+ l := &lexer{
+ input: input,
+ items: make(chan item),
+ }
+ go l.run()
+ return l, nil
+}
+
+// TODO: handle error and corner case in all states.
+// run runs the state machine for the lexer.
+func (l *lexer) run() {
+ for l.state = lexRule; l.state != nil; {
+ l.state = l.state(l)
+ }
+}
+
+// lexRule starts the scan of a rule.
+func lexRule(l *lexer) stateFn {
+ r := l.next()
+ switch {
+ case unicode.IsSpace(r):
+ l.ignore()
+ return lexRule
+ case r == '#':
+ return lexComment
+ case r == eof:
+ l.emit(itemEOF, false)
+ return nil
+ }
+ return lexAction
+}
+
+// lexComment consumes a commented rule.
+func lexComment(l *lexer) stateFn {
+ for {
+ switch l.next() {
+ case '\n':
+ l.emit(itemComment, false)
+ return lexRule
+ case eof:
+ l.backup()
+ l.emit(itemComment, false)
+ return lexRule
+ }
+ }
+}
+
+// lexAction consumes a rule action.
+func lexAction(l *lexer) stateFn {
+ for {
+ r := l.next()
+ switch {
+ case r == ' ':
+ l.emit(itemAction, true)
+ return lexProtocol
+ case !unicode.IsLetter(r):
+ return l.errorf("invalid character %q for a rule action", r)
+ }
+ }
+}
+
+// lexProtocol consumes a rule protocol.
+func lexProtocol(l *lexer) stateFn {
+ l.ignoreSpaces()
+ for {
+ r := l.next()
+ switch {
+ case r == ' ':
+ l.emit(itemProtocol, true)
+ return lexSourceAddress
+ case !(unicode.IsLetter(r) || (l.len() > 0 && r == '-')):
+ return l.errorf("invalid character %q for a rule protocol", r)
+ }
+ }
+
+}
+
+// lexSourceAddress consumes a source address.
+func lexSourceAddress(l *lexer) stateFn {
+ l.ignoreSpaces()
+ for {
+ switch l.next() {
+ case ' ':
+ l.emit(itemSourceAddress, true)
+ return lexSourcePort
+ case eof:
+ return l.unexpectedEOF()
+ }
+ }
+}
+
+// lexSourcePort consumes a source port.
+func lexSourcePort(l *lexer) stateFn {
+ l.ignoreSpaces()
+ for {
+ switch l.next() {
+ case ' ':
+ l.emit(itemSourcePort, true)
+ return lexDirection
+ case eof:
+ return l.unexpectedEOF()
+ }
+ }
+}
+
+// lexDirection consumes a rule direction.
+func lexDirection(l *lexer) stateFn {
+ l.ignoreSpaces()
+ l.acceptRun("<->")
+ if r := l.next(); r != ' ' {
+ return l.errorf("invalid character %q for a rule direction", r)
+ }
+ l.emit(itemDirection, true)
+ return lexDestinationAddress
+}
+
+// lexDestinationAddress consumes a destination address.
+func lexDestinationAddress(l *lexer) stateFn {
+ l.ignoreSpaces()
+ for {
+ switch l.next() {
+ case ' ':
+ l.emit(itemDestinationAddress, true)
+ return lexDestinationPort
+ case eof:
+ return l.unexpectedEOF()
+ }
+ }
+}
+
+// lexDestinationPort consumes a destination port.
+func lexDestinationPort(l *lexer) stateFn {
+ for {
+ switch l.next() {
+ case '(':
+ l.backup()
+ l.emit(itemDestinationPort, true)
+ l.skipNext()
+ return lexOptionKey
+ case eof:
+ return l.unexpectedEOF()
+ }
+ }
+}
+
+// lexOptionKey scans a key from the rule options.
+func lexOptionKey(l *lexer) stateFn {
+ for {
+ switch l.next() {
+ case ':':
+ l.backup()
+ l.emit(itemOptionKey, true)
+ l.skipNext()
+ return lexOptionValueBegin
+ case ';':
+ l.backup()
+ if l.pos > l.start {
+ l.emit(itemOptionKey, true)
+ l.emit(itemOptionNoValue, true)
+ }
+ l.skipNext()
+ return lexOptionKey
+ case ')':
+ l.backup()
+ if l.pos > l.start {
+ l.emit(itemOptionKey, true)
+ }
+ l.skipNext()
+ return lexRuleEnd
+ case eof:
+ return l.unexpectedEOF()
+ }
+ }
+}
+
+// lexOptionValueBegin scans the beginning of a value from the rule option.
+func lexOptionValueBegin(l *lexer) stateFn {
+ switch l.next() {
+ case '"':
+ l.ignore()
+ return lexOptionValueString
+ case ' ':
+ l.ignore()
+ return lexOptionValueBegin
+ case '!':
+ l.emit(itemNot, true)
+ return lexOptionValueBegin
+ }
+ return lexOptionValue
+}
+
+// lexOptionValueString consumes the inner content of a string value from the rule options.
+func lexOptionValueString(l *lexer) stateFn {
+ escaped := false
+ for {
+ switch l.next() {
+ case '"':
+ l.backup()
+ l.emit(itemOptionValueString, false)
+ l.skipNext()
+ return lexOptionKey
+ case '\\':
+ escaped = !escaped
+ if l.next() != '"' || !escaped {
+ l.backup()
+ }
+ case eof:
+ return l.unexpectedEOF()
+ default:
+ escaped = false
+ }
+ }
+}
+
+// lexOptionValue scans a value from the rule options.
+func lexOptionValue(l *lexer) stateFn {
+ for {
+ switch l.next() {
+ case ';':
+ l.backup()
+ l.emit(itemOptionValue, true)
+ l.skipNext()
+ return lexOptionKey
+ case eof:
+ return l.unexpectedEOF()
+ }
+ }
+}
+
+// lexOptionEnd marks the end of a rule.
+func lexRuleEnd(l *lexer) stateFn {
+ l.acceptRun(" \t;")
+ l.ignore()
+ l.emit(itemEOR, false)
+ return lexRule
+}
diff --git a/vendor/github.com/google/gonids/parser.go b/vendor/github.com/google/gonids/parser.go
new file mode 100644
index 0000000..c972f8a
--- /dev/null
+++ b/vendor/github.com/google/gonids/parser.go
@@ -0,0 +1,425 @@
+/* Copyright 2016 Google Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package gonids implements a basic parser of IDS rules.
+//
+// For now the parser is very basic and it only parses a subset of fields.
+// We intentionally omit http_encode as it doesn't seem to be used in practice.
+package gonids
+
+import (
+ "encoding/hex"
+ "errors"
+ "fmt"
+ "regexp"
+ "strconv"
+ "strings"
+)
+
+// hexRE matches on hexadecimal content like |41 41 41| for example.
+var hexRE = regexp.MustCompile(`(?i)(\|(?:\s*[a-f0-9]{2}\s*)+\|)`)
+
+// escapeRE matches char that needs to escaped in regexp.
+var escapeRE = regexp.MustCompile(`([()+.'\\])`)
+
+// metaSplitRE matches string in metadata
+var metaSplitRE = regexp.MustCompile(`,\s*`)
+
+// parseContent decodes rule content match. For now it only takes care of escaped and hex
+// encoded content.
+func parseContent(content string) ([]byte, error) {
+ // Unescape, decode and replace all occurrences of hexadecimal content.
+ b := hexRE.ReplaceAllStringFunc(strings.Replace(content, `\`, "", -1),
+ func(h string) string {
+ r, err := hex.DecodeString(strings.Replace(strings.Trim(h, "|"), " ", "", -1))
+ if err != nil {
+ panic("invalid hexRE regexp")
+ }
+ return string(r)
+ })
+ return []byte(b), nil
+}
+
+// parsePCRE parses the components of a PCRE. Returns PCRE struct.
+func parsePCRE(s string) (*PCRE, error) {
+ c := strings.Count(s, "/")
+ if c < 2 {
+ return nil, fmt.Errorf("all pcre patterns must contain at least 2 '/', found: %d", c)
+ }
+
+ l := strings.LastIndex(s, "/")
+ if l < 0 {
+ return nil, fmt.Errorf("couldn't find options in PCRE")
+ }
+
+ i := strings.Index(s, "/")
+ if l < 0 {
+ return nil, fmt.Errorf("couldn't find start of pattern")
+ }
+
+ return &PCRE{
+ Pattern: []byte(s[i+1 : l]),
+ Options: []byte(s[l+1:]),
+ }, nil
+}
+
+func unquote(s string) string {
+ if strings.IndexByte(s, '"') < 0 {
+ return s
+ }
+ return strings.Replace(s, `\"`, `"`, -1)
+}
+
+func inSlice(str string, strings []string) bool {
+ for _, k := range strings {
+ if str == k {
+ return true
+ }
+ }
+ return false
+}
+
+// comment decodes a comment (commented rule, or just a comment.)
+func (r *Rule) comment(key item, l *lexer) error {
+ if key.typ != itemComment {
+ panic("item is not a comment")
+ }
+ // Pop off all leading # and space, try to parse as rule
+ rule, err := ParseRule(strings.TrimLeft(key.value, "# "))
+
+ // If there was an error this means the comment is not a rule.
+ if err != nil {
+ return fmt.Errorf("this is not a rule: %s", err)
+ }
+
+ // We parsed a rule, this was a comment so set the rule to disabled.
+ rule.Disabled = true
+
+ // Overwrite the rule we're working on with the recently parsed, disabled rule.
+ *r = *rule
+ return nil
+}
+
+// action decodes an IDS rule option based on its key.
+func (r *Rule) action(key item, l *lexer) error {
+ if key.typ != itemAction {
+ panic("item is not an action")
+ }
+ r.Action = key.value
+ return nil
+}
+
+// protocol decodes an IDS rule protocol based on its key.
+func (r *Rule) protocol(key item, l *lexer) error {
+ if key.typ != itemProtocol {
+ panic("item is not a protocol")
+ }
+ r.Protocol = key.value
+ return nil
+}
+
+// netSplitRE matches the characters to split a list of networks [$HOME_NET, 192.168.1.1/32] for example.
+var netSplitRE = regexp.MustCompile(`\s*,\s*`)
+
+// network decodes an IDS rule network (networks and ports) based on its key.
+func (r *Rule) network(key item, l *lexer) error {
+ items := netSplitRE.Split(strings.Trim(key.value, "[]"), -1)
+ switch key.typ {
+ case itemSourceAddress:
+ r.Source.Nets = append(r.Source.Nets, items...)
+ case itemSourcePort:
+ r.Source.Ports = append(r.Source.Ports, items...)
+ case itemDestinationAddress:
+ r.Destination.Nets = append(r.Destination.Nets, items...)
+ case itemDestinationPort:
+ r.Destination.Ports = append(r.Destination.Ports, items...)
+ default:
+ panic("item is not a network component")
+ }
+ return nil
+}
+
+// direction decodes an IDS rule direction based on its key.
+func (r *Rule) direction(key item, l *lexer) error {
+ if key.typ != itemDirection {
+ panic("item is not a direction")
+ }
+ switch key.value {
+ case "->":
+ r.Bidirectional = false
+ case "<>":
+ r.Bidirectional = true
+ default:
+ return fmt.Errorf("invalid direction operator %q", key.value)
+ }
+ return nil
+}
+
+var dataPosition = pktData
+
+// option decodes an IDS rule option based on its key.
+func (r *Rule) option(key item, l *lexer) error {
+ if key.typ != itemOptionKey {
+ panic("item is not an option key")
+ }
+ switch {
+ case inSlice(key.value, []string{"classtype", "flow", "threshold", "tag", "priority"}):
+ nextItem := l.nextItem()
+ if nextItem.typ != itemOptionValue {
+ return fmt.Errorf("no valid value for %s tag", key.value)
+ }
+ if r.Tags == nil {
+ r.Tags = make(map[string]string)
+ }
+ r.Tags[key.value] = nextItem.value
+ case key.value == "reference":
+ nextItem := l.nextItem()
+ if nextItem.typ != itemOptionValue {
+ return errors.New("no valid value for reference")
+ }
+ refs := strings.SplitN(nextItem.value, ",", 2)
+ if len(refs) != 2 {
+ return fmt.Errorf("invalid reference definition: %s", refs)
+ }
+ r.References = append(r.References, &Reference{Type: refs[0], Value: refs[1]})
+ case key.value == "metadata":
+ nextItem := l.nextItem()
+ if nextItem.typ != itemOptionValue {
+ return errors.New("no valid value for metadata")
+ }
+ metas := metaSplitRE.Split(nextItem.value, -1)
+ for _, kv := range metas {
+ metaTmp := strings.SplitN(kv, " ", 2)
+ if len(metaTmp) != 2 {
+ return fmt.Errorf("invalid metadata definition: %s", metaTmp)
+ }
+ r.Metas = append(r.Metas, &Metadata{Key: strings.TrimSpace(metaTmp[0]), Value: strings.TrimSpace(metaTmp[1])})
+ }
+ case key.value == "sid":
+ nextItem := l.nextItem()
+ if nextItem.typ != itemOptionValue {
+ return errors.New("no value for option sid")
+ }
+ sid, err := strconv.Atoi(nextItem.value)
+ if err != nil {
+ return fmt.Errorf("invalid sid %s", nextItem.value)
+ }
+ r.SID = sid
+ case key.value == "rev":
+ nextItem := l.nextItem()
+ if nextItem.typ != itemOptionValue {
+ return errors.New("no value for option rev")
+ }
+ rev, err := strconv.Atoi(nextItem.value)
+ if err != nil {
+ return fmt.Errorf("invalid rev %s", nextItem.value)
+ }
+ r.Revision = rev
+ case key.value == "msg":
+ nextItem := l.nextItem()
+ if nextItem.typ != itemOptionValueString {
+ return errors.New("no value for option msg")
+ }
+ r.Description = nextItem.value
+ case isStickyBuffer(key.value):
+ var d dataPos
+ var err error
+ if d, err = StickyBuffer(key.value); err != nil {
+ return err
+ }
+ dataPosition = d
+ case inSlice(key.value, []string{"content", "uricontent"}):
+ nextItem := l.nextItem()
+ negate := false
+ if nextItem.typ == itemNot {
+ nextItem = l.nextItem()
+ negate = true
+ }
+ if nextItem.typ == itemOptionValueString {
+ c, err := parseContent(nextItem.value)
+ if err != nil {
+ return err
+ }
+ var options []*ContentOption
+ if key.value == "uricontent" {
+ options = append(options, &ContentOption{Name: "http_uri"})
+ }
+ r.Contents = append(r.Contents, &Content{
+ DataPosition: dataPosition,
+ Pattern: c,
+ Negate: negate,
+ Options: options,
+ })
+ } else {
+ return fmt.Errorf("invalid type %q for option content", nextItem.typ)
+ }
+ case inSlice(key.value, []string{"http_cookie", "http_raw_cookie", "http_method", "http_header", "http_raw_header",
+ "http_uri", "http_raw_uri", "http_user_agent", "http_stat_code", "http_stat_msg",
+ "http_client_body", "http_server_body", "nocase"}):
+ if len(r.Contents) == 0 {
+ return fmt.Errorf("invalid content option %q with no content match", key.value)
+ }
+ lastContent := r.Contents[len(r.Contents)-1]
+ lastContent.Options = append(lastContent.Options, &ContentOption{Name: key.value})
+ case inSlice(key.value, []string{"depth", "distance", "offset", "within"}):
+ if len(r.Contents) == 0 {
+ return fmt.Errorf("invalid content option %q with no content match", key.value)
+ }
+ nextItem := l.nextItem()
+ if nextItem.typ != itemOptionValue {
+ return fmt.Errorf("no value for content option %s", key.value)
+ }
+
+ // check if the value is an integer value
+ if _, err := strconv.Atoi(nextItem.value); err != nil {
+ // check if it is the name of a var
+ if _, ok := r.Vars[nextItem.value]; !ok {
+ return fmt.Errorf("invalid value %s for option %s", nextItem.value, key.value)
+ }
+ }
+ lastContent := r.Contents[len(r.Contents)-1]
+ lastContent.Options = append(lastContent.Options, &ContentOption{Name: key.value, Value: nextItem.value})
+
+ case key.value == "fast_pattern":
+ if len(r.Contents) == 0 {
+ return fmt.Errorf("invalid content option %q with no content match", key.value)
+ }
+ var (
+ only bool
+ offset int
+ length int
+ )
+ nextItem := l.nextItem()
+ if nextItem.typ == itemOptionValue {
+ v := nextItem.value
+ switch {
+ case v == "only":
+ only = true
+ case strings.Contains(v, ","):
+ s := strings.Split(v, ",")
+ i, err := strconv.Atoi(s[0])
+ if err != nil {
+ return fmt.Errorf("fast_pattern offset is not an int: %s; %s", s[0], err)
+ }
+ offset = i
+ i, err = strconv.Atoi(s[1])
+ if err != nil {
+ return fmt.Errorf("fast_pattern length is not an int: %s; %s", s[1], err)
+ }
+ length = i
+ }
+ }
+ lastContent := r.Contents[len(r.Contents)-1]
+ lastContent.FastPattern = FastPattern{true, only, offset, length}
+ case key.value == "pcre":
+ nextItem := l.nextItem()
+ negate := false
+ if nextItem.typ == itemNot {
+ nextItem = l.nextItem()
+ negate = true
+ }
+ if nextItem.typ == itemOptionValueString {
+ p, err := parsePCRE(unquote(nextItem.value))
+ if err != nil {
+ return err
+ }
+ p.Negate = negate
+ r.PCREs = append(r.PCREs, p)
+ } else {
+ return fmt.Errorf("invalid type %q for option content", nextItem.typ)
+ }
+ case key.value == "byte_extract":
+ if len(r.Contents) == 0 {
+ return fmt.Errorf("invalid content option %q with no content match", key.value)
+ }
+ nextItem := l.nextItem()
+ parts := strings.Split(nextItem.value, ",")
+ if len(parts) < 3 {
+ return fmt.Errorf("invalid byte_extract value: %s", nextItem.value)
+ }
+
+ v := new(Var)
+
+ n, err := strconv.Atoi(parts[0])
+ if err != nil {
+ return fmt.Errorf("byte_extract number of bytes is not an int: %s; %s", parts[0], err)
+ }
+ v.NumBytes = n
+
+ offset, err := strconv.Atoi(parts[1])
+ if err != nil {
+ return fmt.Errorf("byte_extract offset is not an int: %s; %s", parts[1], err)
+
} + v.Offset = offset + + name := parts[2] + if r.Vars == nil { + // Lazy init r.Vars if necessary + r.Vars = make(map[string]*Var) + } else if _, exists := r.Vars[name]; exists { + return fmt.Errorf("byte_extract var already declared: %s", name) + } + + // options + for i, l := 3, len(parts); i < l; i++ { + parts[i] = strings.TrimSpace(parts[i]) + v.Options = append(v.Options, parts[i]) + } + + r.Vars[name] = v + lastContent := r.Contents[len(r.Contents)-1] + lastContent.Options = append(lastContent.Options, &ContentOption{Name: key.value, Value: strings.Join(parts, ",")}) + } + return nil +} + +// ParseRule parses an IDS rule and returns a struct describing the rule. +func ParseRule(rule string) (*Rule, error) { + l, err := lex(rule) + if err != nil { + return nil, err + } + dataPosition = pktData + r := &Rule{} + for item := l.nextItem(); item.typ != itemEOR && item.typ != itemEOF && err == nil; item = l.nextItem() { + switch item.typ { + case itemComment: + err = r.comment(item, l) + // Error here means that the comment was not a commented rule. + // So we're not parsing a rule and we need to break out. + if err != nil { + break + } + // This line was a commented rule. + return r, nil + case itemAction: + err = r.action(item, l) + case itemProtocol: + err = r.protocol(item, l) + case itemSourceAddress, itemDestinationAddress, itemSourcePort, itemDestinationPort: + err = r.network(item, l) + case itemDirection: + err = r.direction(item, l) + case itemOptionKey: + err = r.option(item, l) + case itemError: + err = errors.New(item.value) + } + if err != nil { + return nil, err + } + } + return r, nil +} diff --git a/vendor/github.com/google/gonids/rule.go b/vendor/github.com/google/gonids/rule.go new file mode 100644 index 0000000..674ac54 --- /dev/null +++ b/vendor/github.com/google/gonids/rule.go 
@@ -0,0 +1,488 @@
+/* Copyright 2016 Google Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package gonids implements a basic parser of IDS rules.
+//
+// For now the parser is very basic and it only parses a subset of fields.
+// We intentionally omit http_encode as it doesn't seem to be used in practice.
+package gonids
+
+import (
+ "bytes"
+ "fmt"
+ "regexp"
+ "strconv"
+ "strings"
+)
+
+// Rule describes an IDS rule.
+type Rule struct {
+ // Disbled identifies if the rule is disabled/commented out.
+ Disabled bool
+ // Action is the action the rule will take (alert, pass, drop, etc.).
+ Action string
+ // Protocol is the protocol the rule looks at.
+ Protocol string
+ // Source is the address and ports for the source of the traffic.
+ Source Network
+ // Destination is the address and ports for the source of the traffic.
+ Destination Network
+ // Bidirectional indicates the directionality of a rule (-> or <>).
+ Bidirectional bool
+ // SID is the identifier of the rule.
+ SID int
+ // Revision is the revision of the rule.
+ Revision int
+ // Description is the msg field of the rule.
+ Description string
+ // References contains references associated to the rule (e.g. CVE number).
+ References []*Reference
+ // TODO: Define some structure for tracking checks that do not directly apply
+ // to a content. urilen, dsize, etc. Various buffers, and directions need structured
+ // places to live.
+ // Contents are all the decoded content matches.
+ Contents Contents
+ // PCREs is a slice of PCRE structs that represent the regular expressions in a rule.
+ PCREs []*PCRE
+ // Tags is a map of tag names to tag values (e.g. classtype:trojan).
+ Tags map[string]string
+ // Vars is a map of variable names to variable values extracted via byte_extract.
+ Vars map[string]*Var
+ // Metas is a slice of Metadata.
+ Metas Metadatas
+}
+
+// Var describes a variable extracted via byte_extract.
+type Var struct {
+ NumBytes int
+ Offset int
+ Options []string
+}
+
+// Metadata describes metadata tags in key-value struct.
+type Metadata struct {
+ Key string
+ Value string
+}
+
+// Metadatas allows for a Stringer on []*Metadata
+type Metadatas []*Metadata
+
+// TODO: Ensure all values either begin with $ (variable) or they are valid IPNet/int.
+// Network describes the IP addresses and port numbers used in a rule.
+type Network struct {
+ Nets []string // Currently just []string because these can be variables $HOME_NET, not a valid IPNet.
+ Ports []string // Currently just []string because these can be variables $HTTP_PORTS, not just ints.
+}
+
+type dataPos int
+
+const (
+ pktData dataPos = iota
+ fileData
+ base64Data
+ // HTTP Sticky buffers
+ httpAcceptEnc
+ httpAccept
+ httpAcceptLang
+ httpConnection
+ httpContentLen
+ httpContentType
+ httpHeaderNames
+ httpProtocol
+ httpReferer
+ httpRequestLine
+ httpResponseLine
+ httpStart
+ // TLS Sticky Buffers
+ tlsCertSubject
+ tlsCertIssuer
+ tlsCertSerial
+ tlsCertFingerprint
+ tlsSNI
+ // JA3 Sticky Buffers
+ ja3Hash
+ ja3String
+ // SSH Sticky Buffers
+ sshProto
+ sshSoftware
+ // Kerberos Sticky Buffers
+ krb5Cname
+ krb5Sname
+ // DNS Sticky Buffers
+ dnsQuery
+ // SMB Sticky Buffers
+ smbNamedPipe
+ smbShare
+)
+
+var stickyBuffers = map[dataPos]string{
+ pktData: "pkt_data",
+ fileData: "file_data",
+ base64Data: "base64_data",
+ // HTTP Sticky Buffers
+ httpAcceptEnc: "http_accept_enc",
+ httpAccept: "http_accept",
+ httpAcceptLang: "http_accept_lang",
+ httpConnection: "http_connection",
+ httpContentLen: "http_content_len",
+ httpContentType: "http_content_type",
+ httpHeaderNames: "http_header_names",
+ httpProtocol: "http_protocol",
+ httpReferer: "http_referer",
+ httpRequestLine: "http_request_line",
+ httpResponseLine: "http_response_line",
+ httpStart: "http_start",
+ // TLS Sticky Buffers
+ tlsCertSubject: "tls_cert_subject",
+ tlsCertIssuer: "tls_cert_issuer",
+ tlsCertSerial: "tls_cert_serial",
+ tlsCertFingerprint: "tls_cert_fingerprint",
+ tlsSNI: "tls_sni",
+ // JA3 Sticky Buffers
+ ja3Hash: "ja3_hash",
+ ja3String: "ja3_string",
+ // SSH Sticky Buffers
+ sshProto: "ssh_proto",
+ sshSoftware: "ssh_software",
+ // Kerberos Sticky Buffers
+ krb5Cname: "krb5_cname",
+ krb5Sname: "krb5_sname",
+ // DNS Sticky Buffers
+ dnsQuery: "dns_query",
+ // SMB Sticky Buffers
+ smbNamedPipe: "smb_named_pipe",
+ smbShare: "smb_share",
+}
+
+func (d dataPos) String() string {
+ return stickyBuffers[d]
+}
+
+// StickyBuffer returns the data position value for the string representation of a sticky buffer name (e.g. "file_data")
+func StickyBuffer(s string) (dataPos, error) {
+ for k, v := range stickyBuffers {
+ if v == s {
+ return k, nil
+ }
+ }
+ return pktData, fmt.Errorf("not a sticky buffer")
+}
+
+func isStickyBuffer(s string) bool {
+ _, err := StickyBuffer(s)
+ return err == nil
+}
+
+// Content describes a rule content. A content is composed of a pattern followed by options.
+type Content struct {
+ // DataPosition defaults to pkt_data state, can be modified to apply to file_data, base64_data locations.
+ // This value will apply to all following contents, to reset to default you must reset DataPosition during processing.
+ DataPosition dataPos
+ // FastPattern settings for the content.
+ FastPattern FastPattern
+ // Pattern is the pattern match of a content (e.g. HTTP in content:"HTTP").
+ Pattern []byte
+ // Negate is true for negated content match.
+ Negate bool
+ // Options are the option associated to the content (e.g. http_header).
+ Options []*ContentOption
+}
+
+// Contents is used so we can have a target type for a Stringer.
+type Contents []*Content
+
+// PCRE describes a PCRE item of a rule.
+type PCRE struct {
+ Pattern []byte
+ Negate bool
+ Options []byte
+}
+
+// FastPattern describes various properties of a fast_pattern value for a content.
+type FastPattern struct {
+ Enabled bool
+ Only bool
+ Offset int
+ Length int
+}
+
+// ContentOption describes an option set on a rule content.
+type ContentOption struct {
+ // Name is the name of the option (e.g. offset).
+ Name string
+ // Value is the value associated to the option, default to "" for option without value.
+ Value string
+}
+
+// Reference describes a gonids reference in a rule.
+type Reference struct {
+ // Type is the system name for the reference: (url, cve, md5, etc.)
+ Type string
+ // Value is the identifier in the system: (address, cvd-id, hash)
+ Value string
+}
+
+// escape escapes special char used in regexp.
+func escape(r string) string {
+ return escapeRE.ReplaceAllString(r, `\$1`)
+}
+
+// within returns the within value for a specific content.
+func within(options []*ContentOption) string {
+ for _, o := range options {
+ if o.Name == "within" {
+ return o.Value
+ }
+ }
+ return ""
+}
+
+// RE returns all content matches as a single and simple regexp.
+func (r *Rule) RE() string {
+ var re string
+ for _, c := range r.Contents {
+ // TODO: handle pcre, depth, offset, distance.
+ if d, err := strconv.Atoi(within(c.Options)); err == nil && d > 0 {
+ re += fmt.Sprintf(".{0,%d}", d)
+ } else {
+ re += ".*"
+ }
+ re += escape(string(c.Pattern))
+ }
+ return re
+}
+
+// CVE extracts CVE from a rule.
+func (r *Rule) CVE() string {
+ for _, ref := range r.References {
+ if ref.Type == "cve" {
+ return ref.Value
+ }
+ }
+ return ""
+}
+
+func netString(netPart []string) string {
+ var s strings.Builder
+ if len(netPart) > 1 {
+ s.WriteString("[")
+ }
+ for i, n := range netPart {
+ s.WriteString(n)
+ if i < len(netPart)-1 {
+ s.WriteString(", ")
+ }
+ }
+ if len(netPart) > 1 {
+ s.WriteString("]")
+ }
+ return s.String()
+}
+
+// String retunrs a string for a Network.
+func (n Network) String() string {
+ return fmt.Sprintf("%s %s", netString(n.Nets), netString(n.Ports))
+}
+
+// String returns a string for a FastPattern.
+func (f FastPattern) String() string {
+ if !f.Enabled {
+ return ""
+ }
+ // This is an invalid state.
+ if f.Only && (f.Offset != 0 || f.Length != 0) {
+ return ""
+ }
+
+ var s strings.Builder
+ s.WriteString("fast_pattern")
+ if f.Only {
+ s.WriteString(":only;")
+ return s.String()
+ }
+
+ // "only" and "chop" modes are mutually exclusive.
+ if f.Offset != 0 && f.Length != 0 {
+ s.WriteString(fmt.Sprintf(":%d,%d", f.Offset, f.Length))
+ }
+
+ s.WriteString(";")
+ return s.String()
+}
+
+// String returns a string for a ContentOption.
+func (co ContentOption) String() string {
+ if inSlice(co.Name, []string{"byte_extract", "depth", "distance", "offset", "within"}) {
+ return fmt.Sprintf("%s:%v;", co.Name, co.Value)
+ }
+ return fmt.Sprintf("%s;", co.Name)
+}
+
+// String returns a string for a Reference.
+func (r Reference) String() string {
+ return fmt.Sprintf("reference:%s,%s;", r.Type, r.Value)
+}
+
+// String returns a string for a Content (ignoring sticky buffers.)
+func (c Content) String() string {
+ var s strings.Builder
+ s.WriteString("content:")
+ if c.Negate {
+ s.WriteString("!")
+ }
+ s.WriteString(fmt.Sprintf(`"%s";`, c.FormatPattern()))
+ for _, o := range c.Options {
+ s.WriteString(fmt.Sprintf(" %s", o))
+ }
+ if c.FastPattern.Enabled {
+ s.WriteString(fmt.Sprintf(" %s", c.FastPattern))
+ }
+
+ return s.String()
+}
+
+// String returns a string for all of the contents.
+func (cs Contents) String() string {
+ var s strings.Builder
+ d := pktData
+ for _, c := range cs {
+ if d != c.DataPosition {
+ d = c.DataPosition
+ s.WriteString(fmt.Sprintf(" %s;", d))
+ }
+ s.WriteString(fmt.Sprintf(" %s", c))
+ }
+ return strings.TrimSpace(s.String())
+}
+
+// String returns a string for all of the metadata values.
+func (ms Metadatas) String() string {
+ var s strings.Builder
+ if len(ms) < 1 {
+ return ""
+ }
+ s.WriteString("metadata:")
+ for i, m := range ms {
+ if i < len(ms)-1 {
+ s.WriteString(fmt.Sprintf("%s %s, ", m.Key, m.Value))
+ continue
+ }
+ s.WriteString(fmt.Sprintf("%s %s;", m.Key, m.Value))
+ }
+ return s.String()
+}
+
+// String returns a string for a PCRE.
+func (p PCRE) String() string {
+ pattern := p.Pattern
+ if len(pattern) < 1 {
+ return ""
+ }
+
+ // escape quote signs, if necessary
+ if bytes.IndexByte(pattern, '"') > -1 {
+ pattern = bytes.Replace(pattern, []byte(`"`), []byte(`\"`), -1)
+ }
+
+ var s strings.Builder
+ s.WriteString("pcre:")
+ if p.Negate {
+ s.WriteString("!")
+ }
+ s.WriteString(fmt.Sprintf(`"/%s/%s";`, pattern, p.Options))
+ return s.String()
+}
+
+// String returns a string for a rule.
+func (r Rule) String() string {
+ var s strings.Builder
+ if r.Disabled {
+ s.WriteString("#")
+ }
+ s.WriteString(fmt.Sprintf("%s %s %s ", r.Action, r.Protocol, r.Source))
+ if !r.Bidirectional {
+ s.WriteString("-> ")
+ } else {
+ s.WriteString("<> ")
+ }
+
+ s.WriteString(fmt.Sprintf(`%s (msg:"%s"; `, r.Destination, r.Description))
+
+ if len(r.Contents) > 0 {
+ s.WriteString(fmt.Sprintf("%s ", r.Contents))
+ }
+
+ for _, p := range r.PCREs {
+ s.WriteString(fmt.Sprintf("%s ", p))
+ }
+
+ if len(r.Metas) > 0 {
+ s.WriteString(fmt.Sprintf("%s ", r.Metas))
+ }
+
+ for k, v := range r.Tags {
+ s.WriteString(fmt.Sprintf("%s:%s; ", k, v))
+ }
+
+ for _, ref := range r.References {
+ s.WriteString(fmt.Sprintf("%s ", ref))
+ }
+
+ s.WriteString(fmt.Sprintf("sid:%d; rev:%d;)", r.SID, r.Revision))
+ return s.String()
+
+}
+
+// ToRegexp returns a string that can be used as a regular expression
+// to identify content matches in an ASCII dump of a packet capture (tcpdump -A).
+func (c *Content) ToRegexp() string {
+ var buffer bytes.Buffer
+ for _, b := range c.Pattern {
+ if b > 126 || b < 32 {
+ buffer.WriteString(".")
+ } else {
+ buffer.WriteByte(b)
+ }
+ }
+ return regexp.QuoteMeta(buffer.String())
+}
+
+// FormatPattern returns a string for a Pattern in a content
+func (c *Content) FormatPattern() string {
+ var buffer bytes.Buffer
+ pipe := false
+ for _, b := range c.Pattern {
+ if b != ' ' && (b > 126 || b < 35 || b == ':' || b == ';') {
+ if !pipe {
+ buffer.WriteByte('|')
+ pipe = true
+ } else {
+ buffer.WriteString(" ")
+ }
+ buffer.WriteString(fmt.Sprintf("%.2X", b))
+ } else {
+ if pipe {
+ buffer.WriteByte('|')
+ pipe = false
+ }
+ buffer.WriteByte(b)
+ }
+ }
+ if pipe {
+ buffer.WriteByte('|')
+ }
+ return buffer.String()
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 31030bc..9766e7e 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -10,6 +10,8 @@ github.com/apex/log/handlers/cli
 github.com/asaskevich/govalidator
 # github.com/davecgh/go-spew v1.1.1
 github.com/davecgh/go-spew/spew
+# github.com/google/gonids v0.0.0-20190510211530-bacab9879ae4
+github.com/google/gonids
 # github.com/pkg/errors v0.0.0-20161029093637-248dadf4e906
 github.com/pkg/errors
 # github.com/pmezard/go-difflib v1.0.0