gnat_tag_file
Synopsis
Definition of the JSON file that holds the patterns used to match and tag flow records.
Description
Tag rules define patterns that are matched against flow records in order to tag them.
The tag identifies the flow record and can be used for filtering or grouping purposes.
The tag patterns are defined in a file as JSON elements and are passed to the gnat_tag
command line interface with the --options tag argument.
JSON File Format
The JSON file is composed of an array of JSON objects, each object representing one rule pattern. Each object contains a set of key-value pairs, where the key is the name of a flow record field and the value is the value to match against that field. The following fields are available for matching:
field | type | required | match type
---|---|---|---
tag | str | yes | n/a
observe | str | no | prefix match
proto | str | no | prefix match
saddr | str | no | prefix match
sport | int | no | exact match
daddr | str | no | prefix match
dport | int | no | exact match
ndpi_appid | str | no | prefix match
orient | str | no | prefix match
Examples
[
{ "tag":"cloudflare","observe":"lan0","proto":"tcp","ndpi_appid":"tls.cloudflare"},
{ "tag":"dns","observe":"lan1","ndpi_appid":"dns" },
{ "tag":"intrusion","orient":"oi"},
{ "tag":"tls","proto":"tcp","ndpi_appid":"tls"},
{ "tag":"app8181","observe":"lan","proto":"tcp","daddr":"10.1.10.81","dport":8181},
{ "tag":"snmp","proto":"udp","daddr":"192.168.73.13","dport":161,"ndpi_appid":"snmp"},
{ "tag":"china","daddr":"218.199.73"},
{ "tag":"internal_web","proto":"tcp","saddr":"10.0.4.240","daddr":"10.1.1.61","dport":9000,"ndpi_appid":"http", "orient":"ii"}
]
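The following is an added example, not code from gnat_tag itself, showing how the prefix-match and exact-match semantics from the table above play out against a few constructed flow records. It loads a rule file in the format described here and applies the rules in file order; the assumption that the first matching rule wins, and that every non-tag field in a rule must match, is mine and is not stated on this page.

```python
import json

# Constructed rule file (a subset of the page's examples), not the project's own data.
RULES_JSON = """
[
 { "tag":"cloudflare","observe":"lan0","proto":"tcp","ndpi_appid":"tls.cloudflare"},
 { "tag":"tls","proto":"tcp","ndpi_appid":"tls"},
 { "tag":"app8181","observe":"lan","proto":"tcp","daddr":"10.1.10.81","dport":8181},
 { "tag":"china","daddr":"218.199.73"},
 { "tag":"intrusion","orient":"oi"}
]
"""

# Match type per field, as given in the table on this page.
PREFIX_FIELDS = {"observe", "proto", "saddr", "daddr", "ndpi_appid", "orient"}
EXACT_FIELDS = {"sport", "dport"}


def load_rules(text):
    """Parse the rule array and reject rules without the required 'tag'
    or with a field the format does not define."""
    rules = json.loads(text)
    for rule in rules:
        if "tag" not in rule:
            raise ValueError("rule without required 'tag': %r" % (rule,))
        for key in rule:
            if key != "tag" and key not in PREFIX_FIELDS | EXACT_FIELDS:
                raise ValueError("unknown field %r in rule %r" % (key, rule["tag"]))
    return rules


def rule_matches(rule, flow):
    """All non-tag fields of the rule must match the flow record (assumption)."""
    for field, want in rule.items():
        if field == "tag":
            continue
        have = flow.get(field)
        if have is None:
            return False
        if field in EXACT_FIELDS:
            if have != want:          # ports: exact match only
                return False
        elif not str(have).startswith(want):   # strings: prefix match
            return False
    return True


def tag_flow(rules, flow):
    """Return the tag of the first rule (in file order) that matches, else None."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule["tag"]
    return None


RULES = load_rules(RULES_JSON)
```

Note that prefix matching on daddr is a string operation, not a CIDR check: a rule with "daddr":"218.199.7" would match both 218.199.73.x and 218.199.75.x, so write address prefixes with their trailing dot or full octets when that distinction matters.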