package evaluator

v0.6.2

This package is not in the latest version of its module.

Published: Apr 21, 2023 License: MIT Imports: 13 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func FuzzRuleMatches

func FuzzRuleMatches(data []byte) int

Run with: go-fuzz-build --preserve "encoding/json" && go-fuzz

Types

type Event

type Event interface{}

Event should be some form of map[string]interface{} or map[string]string

type GroupedByValues

type GroupedByValues struct {
	ConditionID int // TODO: there's some forward/backward compatibility pitfalls here: what happens if you switch the order of conditions in your Sigma file?
	EventValues map[string]interface{}
}

GroupedByValues contains the fields that uniquely identify a distinct aggregation statistic. Think of it like a ratelimit key.

For example, if a Sigma rule has a condition like this (attempting to detect login brute forcing):

  detection:
    login_attempt:
      # something here
    condition:
      login_attempt | count() by (username) > 100
    timeframe: 1m

Conceptually there's a bunch of boxes somewhere (one for each username) containing their current count. Each different GroupedByValues points to a different box.

GroupedByValues

    ||
 ___↓↓___          ________
| User A |        | User B |
|__2041__|        |___01___|

It's up to your implementation to ensure that different GroupedByValues map to different boxes (although a default Key() method is provided which is good enough for most use cases).

func (GroupedByValues) Key

func (a GroupedByValues) Key() string
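The "boxes" described above, together with the count callback that CountImplementation (below) accepts, as an added, stand-alone example that is not code from the evaluator package. To run without the module, it re-declares a GroupedByValues type with the same two fields and an assumed Key() that sorts the grouped field names and prefixes the condition index; the package's own Key() may differ in format. WindowedCounter keeps one box per key holding the timestamps seen inside the rule's timeframe, so a `count() by (username) > 100` condition over a 1m window can be evaluated by comparing its return value against the threshold. Because ConditionID is part of the key, reordering conditions in the rule changes the keys, which is the compatibility pitfall the TODO on the struct warns about.

```go
package main

import (
	"context"
	"fmt"
	"sort"
	"strings"
	"sync"
	"time"
)

// GroupedByValues mirrors the evaluator's type so this file compiles on its
// own (constructed for the example; the real package exports its own).
type GroupedByValues struct {
	ConditionID int
	EventValues map[string]interface{}
}

// Key folds the condition index and the grouped field values into one stable
// string. Field names are sorted so two keys built from the same values are
// equal regardless of map iteration order. Assumed implementation, not the
// package's own Key().
func (a GroupedByValues) Key() string {
	names := make([]string, 0, len(a.EventValues))
	for name := range a.EventValues {
		names = append(names, name)
	}
	sort.Strings(names)
	var b strings.Builder
	fmt.Fprintf(&b, "%d", a.ConditionID)
	for _, name := range names {
		fmt.Fprintf(&b, "|%s=%v", name, a.EventValues[name])
	}
	return b.String()
}

// WindowedCounter holds one "box" per Key(): the timestamps of the events seen
// within the last timeframe. It is the state behind a `count() by (...)`
// aggregation that carries a `timeframe:` clause.
type WindowedCounter struct {
	mu        sync.Mutex
	timeframe time.Duration
	now       func() time.Time // injectable clock so window expiry is testable
	boxes     map[string][]time.Time
}

func NewWindowedCounter(timeframe time.Duration) *WindowedCounter {
	return &WindowedCounter{timeframe: timeframe, now: time.Now, boxes: map[string][]time.Time{}}
}

// Count matches the callback signature CountImplementation takes. It records one
// more occurrence for key, drops occurrences older than the window, and returns
// how many remain; the rule compares that number against its threshold.
func (c *WindowedCounter) Count(ctx context.Context, key GroupedByValues) (float64, error) {
	if err := ctx.Err(); err != nil {
		return 0, err
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	now := c.now()
	cutoff := now.Add(-c.timeframe)
	k := key.Key()
	kept := c.boxes[k][:0] // filter in place, reusing the backing array
	for _, t := range c.boxes[k] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	kept = append(kept, now)
	c.boxes[k] = kept
	return float64(len(kept)), nil
}

// SimulateBruteForce feeds n login events for one username through the counter
// and returns the count after the last one (constructed input for the example).
func SimulateBruteForce(c *WindowedCounter, username string, n int) (float64, error) {
	var last float64
	for i := 0; i < n; i++ {
		key := GroupedByValues{ConditionID: 0, EventValues: map[string]interface{}{"username": username}}
		v, err := c.Count(context.Background(), key)
		if err != nil {
			return 0, err
		}
		last = v
	}
	return last, nil
}

func main() {
	c := NewWindowedCounter(time.Minute)
	alice, _ := SimulateBruteForce(c, "alice", 101) // crosses the > 100 threshold
	bob, _ := SimulateBruteForce(c, "bob", 1)       // separate box, unaffected
	fmt.Printf("alice=%v bob=%v\n", alice, bob)
}
```

With the real package the same counter would be wired in as `evaluator.ForRule(rule, evaluator.CountImplementation(c.Count))`; anything that persists the boxes (a cache, a database) works the same way as long as distinct keys stay distinct.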

type Option

type Option func(*RuleEvaluator)

func AverageImplementation

func AverageImplementation(average func(ctx context.Context, key GroupedByValues, value float64) (float64, error)) Option

func CountImplementation

func CountImplementation(count func(ctx context.Context, key GroupedByValues) (float64, error)) Option

func SumImplementation

func SumImplementation(sum func(ctx context.Context, key GroupedByValues, value float64) (float64, error)) Option

func WithConfig

func WithConfig(config ...sigma.Config) Option

func WithPlaceholderExpander

func WithPlaceholderExpander(f func(ctx context.Context, placeholderName string) ([]string, error)) Option

type Result

type Result struct {
	Match            bool            // whether this event matches the Sigma rule
	SearchResults    map[string]bool // For each Search, whether it matched the event
	ConditionResults []bool          // For each Condition, whether it matched the event
}

type RuleEvaluator

type RuleEvaluator struct {
	sigma.Rule
	// contains filtered or unexported fields
}

func ForRule

func ForRule(rule sigma.Rule, options ...Option) *RuleEvaluator

func (*RuleEvaluator) GetFieldValuesFromEvent

func (rule *RuleEvaluator) GetFieldValuesFromEvent(field string, event Event) ([]interface{}, error)

func (RuleEvaluator) Indexes

func (rule RuleEvaluator) Indexes() []string

func (RuleEvaluator) Matches

func (rule RuleEvaluator) Matches(ctx context.Context, event Event) (Result, error)

func (RuleEvaluator) RelevantToEvent

func (rule RuleEvaluator) RelevantToEvent(ctx context.Context, eventIndex string, event Event) (bool, error)

RelevantToEvent calculates whether a rule is applicable to an event based on:

  • Whether the rule has been configured with a config file that matches the eventIndex
  • Whether the event matches the conditions from the config file
