func keyAlert(metadata ssh.ConnMetadata, key ssh.PublicKey) string {
meta := baseAlertMap(metadata)
meta["authtype"] = "publickey"
meta["key"] = string(ssh.MarshalAuthorizedKey(key))
return alert.NewSplunkAlertMessage(meta)
}
func passwdAlert(metadata ssh.ConnMetadata, passwd []byte) string {
meta := baseAlertMap(metadata)
meta["authtype"] = "password"
meta["password"] = string(passwd)
return alert.NewSplunkAlertMessage(meta)
}
func makeAlert(r *http.Request) string {
meta := make(map[string]string)
meta["service"] = "web"
meta["remote"] = r.RemoteAddr
meta["local"] = r.Host
meta["url"] = r.URL.String()
meta["user-agent"] = r.Header.Get("User-Agent")
meta["cookie"] = r.Header.Get("Cookie")
meta["referer"] = r.Header.Get("Referer")
meta["method"] = r.Method
err := r.ParseForm()
if err == nil {
meta["username"] = r.Form.Get("username")
meta["password"] = r.Form.Get("password")
}
return alert.NewSplunkAlertMessage(meta)
}