gnat_tag
Synopsis
Annotates flow records with tags (labels).
Description
The gnat_tag tool is used to annotate flow records that match a pattern.
The tags are used to label the flow records with additional information that can be used for filtering and analysis.
Patterns are specified in a JSON file which contains a list of patterns and tags that are used to match and annotate the flow records.
This tool implements the gnat command line interface and shares the same required and optional arguments as other GNAT tools.
Required Arguments
--tag <JSON file>
The --tag argument specifies the path to a JSON file containing a list of patterns and tags that are used to match and annotate the flow records.
If running within a Docker container, the directory containing this file must be accessible from the Docker container running the GNAT tool.
Examples
$ gnat_tag --input /var/spool/input --output /var/spool/output --options tag=/etc/tag_patterns.json
The file tag_patterns.json contains an array of JSON objects, each object representing one rule pattern.
[
{ "tag":"cloudflare","observe":"lan0","proto":"tcp","ndpi_appid":"tls.cloudflare"},
{ "tag":"dns","observe":"lan1","ndpi_appid":"dns" },
{ "tag":"intrusion","orient":"oi"},
{ "tag":"tls","proto":"tcp","ndpi_appid":"tls"},
{ "tag":"app8181","observe":"lan","proto":"tcp","daddr":"10.1.10.81","dport":8181},
{ "tag":"snmp","proto":"udp","daddr":"192.168.73.13","dport":161,"ndpi_appid":"snmp"},
{ "tag":"china","daddr":"218.199.73"},
{ "tag":"app9000","proto":"tcp","saddr":"10.0.4.240","daddr":"10.1.1.61","dport":9000,"ndpi_appid":"http", "orient":"ii"}
]
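As an added illustration, not GNAT's own code, here is a small Python matcher that applies a rule file of the shape above to flow records. It assumes the matching semantics the example rules suggest: string fields match as prefixes (so "218.199.73" covers a whole /24 and "tls" also covers "tls.cloudflare"), numeric fields must be equal, every non-"tag" key of a rule must match, and a flow can receive several tags.

```python
import json

# Rule file from the page (tag_patterns.json), embedded so this runs offline.
RULES_JSON = """[
 { "tag":"cloudflare","observe":"lan0","proto":"tcp","ndpi_appid":"tls.cloudflare"},
 { "tag":"dns","observe":"lan1","ndpi_appid":"dns" },
 { "tag":"intrusion","orient":"oi"},
 { "tag":"tls","proto":"tcp","ndpi_appid":"tls"},
 { "tag":"app8181","observe":"lan","proto":"tcp","daddr":"10.1.10.81","dport":8181},
 { "tag":"snmp","proto":"udp","daddr":"192.168.73.13","dport":161,"ndpi_appid":"snmp"},
 { "tag":"china","daddr":"218.199.73"},
 { "tag":"app9000","proto":"tcp","saddr":"10.0.4.240","daddr":"10.1.1.61","dport":9000,"ndpi_appid":"http", "orient":"ii"}
]"""

# Constructed sample flow records (not from the page); keys follow the rule fields.
FLOWS = [
    {"proto": "udp", "saddr": "10.0.0.5", "daddr": "192.168.73.13", "dport": 161, "ndpi_appid": "snmp"},
    {"observe": "lan0", "proto": "tcp", "saddr": "10.0.0.5", "daddr": "218.199.73.9", "dport": 443, "ndpi_appid": "tls.cloudflare"},
    {"proto": "tcp", "saddr": "10.0.4.240", "daddr": "10.1.1.61", "dport": 9000, "ndpi_appid": "http", "orient": "ii"},
    {"proto": "tcp", "saddr": "10.0.4.240", "daddr": "10.1.1.61", "dport": 9000, "ndpi_appid": "http", "orient": "oi"},
]


def field_matches(pattern, value):
    """Assumed semantics: string patterns match as prefixes, numeric patterns
    must be equal, and a field absent from the flow record never matches."""
    if value is None:
        return False
    if isinstance(pattern, str):
        return str(value).startswith(pattern)
    return pattern == value


def rule_matches(rule, flow):
    # Every key except "tag" is a condition; all conditions must hold (logical AND).
    return all(field_matches(v, flow.get(k)) for k, v in rule.items() if k != "tag")


def tag_flows(rules_json, flows):
    """Return, per flow, the tags of every matching rule in rule-file order.
    A flow can carry several tags, e.g. both "cloudflare" and "tls"."""
    rules = json.loads(rules_json)
    return [[r["tag"] for r in rules if rule_matches(r, f)] for f in flows]


if __name__ == "__main__":
    for flow, tags in zip(FLOWS, tag_flows(RULES_JSON, FLOWS)):
        print(tags, flow)
```

Rule order matters only for the order of the tags attached to a flow; a record that matches no rule simply receives an empty tag list.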