rules

package
v1.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 19, 2021 License: MIT Imports: 19 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	// GlobalRules is the global object holding all the loaded rules
	GlobalRules = make(map[string][]Rules)
)

Functions

func LoadRuleFile 

func LoadRuleFile(rulefile string) (map[string]Rule, error)

LoadRuleFile is an helper that parses the rule file at the given path and returns a rule set

func LoadRulesDir 

func LoadRulesDir(rulesDir string) uint

LoadRulesDir walks the given directory to find rule files and load them into GlobalRules

func LoadValidMatchKeysMap added in v1.1.0 

func LoadValidMatchKeysMap() map[string]interface{}

LoadValidMatchKeysMap returns a map of the json keys for each of the protos structs

func MakeAssetFullPath 

func MakeAssetFullPath(path string) string

MakeAssetFullPath is an helper that returns the path to the tests resources as defined by the assetsBasePath variable

func ParseHybridPattern 

func ParseHybridPattern(buffer []byte) ([]byte, error)

ParseHybridPattern parses a byte array composed of hybrid hex and ascii characters and returns its equivalent as a byte array

func ReadPacketsFromPcap 

func ReadPacketsFromPcap(pcapfile string, filter layers.IPProtocol, raw bool) ([]events.Event, []gopacket.Packet, error)

ReadPacketsFromPcap is an helper that reads packets from the specified pcap file and returns them as an array of Event

func ReadRawTCPPacketsFromPcap 

func ReadRawTCPPacketsFromPcap(pcapfile string) ([]gopacket.Packet, error)

ReadRawTCPPacketsFromPcap is an helper that reads raw TCP packets from the specified pcap file

Types

type ConditionValue 

type ConditionValue struct {
	CompiledRegex *regexp.Regexp
	ByteValue     []byte
}

ConditionValue abstracts the parsed value of a condition to use in a match attempt

type Conditions 

type Conditions struct {
	Values  []ConditionValue
	Options Options
}

Conditions describes a parsed RawConditions

func (Conditions) Match 

func (cds Conditions) Match(received []byte) bool

Match matches a byte array against a set of conditions

func (Conditions) MatchBytesWithOptions 

func (cds Conditions) MatchBytesWithOptions(received []byte, condVal ConditionValue) bool

MatchBytesWithOptions matches a byte array against a set of conditions, according to the specified ConditionValue This function only cares about the matching modifier ("contains", "startswith", etc, not "all") The condition's options are being taken care of in the Conditions.Match function

func (*Conditions) ParseOptions 

func (cds *Conditions) ParseOptions(opt string) error

ParseOptions parses a condition's name to extract the options separated by a |

func (*Conditions) ParseValues 

func (cds *Conditions) ParseValues(list []string)

ParseValues loads a Conditions set from a list of condition strings

type ConditionsList 

type ConditionsList struct {
	Conditions []Conditions
	MatchAll   bool
}

ConditionsList describes the format of a list of RawConditions

func (ConditionsList) Match 

func (clst ConditionsList) Match(received []byte) bool

Match matches a byte array against a ConditionsList

type Filters 

type Filters struct {
	Ports []string `yaml:"ports"`
	IPs   []string `yaml:"ips"`
}

Filters groups the exposed rule filters

type GlobalRawRules 

type GlobalRawRules []RawRules

GlobalRawRules describes a set of RawRules

type HTTPRule 

type HTTPRule struct {
	URI     RawConditions `yaml:"http.uri"`
	Body    RawConditions `yaml:"http.body"`
	Headers RawConditions `yaml:"http.headers"`
	Verb    RawConditions `yaml:"http.method"`
	Proto   RawConditions `yaml:"http.proto"`
	TLS     *bool         `yaml:"http.tls"`
	Any     bool          `yaml:"any"`
}

HTTPRule describes the raw "match" section of a rule targeting HTTP

type ICMPv4Rule 

type ICMPv4Rule struct {
	TypeCode *uint16       `yaml:"icmpv4.typecode"`
	Type     *uint8        `yaml:"icmpv4.type"`
	Code     *uint8        `yaml:"icmpv4.code"`
	Checksum *uint16       `yaml:"icmpv4.checksum"`
	Seq      *uint16       `yaml:"icmpv4.seq"`
	Payload  RawConditions `yaml:"icmpv4.payload"`
	Any      bool          `yaml:"any"`
}

ICMPv4Rule describes the raw "match" section of a rule targeting ICMPv4

type ICMPv6Rule 

type ICMPv6Rule struct {
	TypeCode *uint16       `yaml:"icmpv6.typecode"`
	Type     *uint8        `yaml:"icmpv6.type"`
	Code     *uint8        `yaml:"icmpv6.code"`
	Checksum *uint16       `yaml:"icmpv6.checksum"`
	Payload  RawConditions `yaml:"icmpv6.payload"`
	Any      bool          `yaml:"any"`
}

ICMPv6Rule describes the raw "match" section of a rule targeting ICMPv6

type Metadata 

type Metadata struct {
	ID          string   `yaml:"id"`
	Status      string   `yaml:"status"`
	Description string   `yaml:"description"`
	Author      string   `yaml:"author"`
	Created     string   `yaml:"created"`
	Modified    string   `yaml:"modified"`
	References  []string `yaml:"references"`
}

Metadata describes the exposed content of the "meta" field

type Options 

type Options struct {
	Depth      uint
	Offset     uint
	Nocase     bool
	Is         bool
	All        bool
	Contains   bool
	Startswith bool
	Endswith   bool
	Regex      bool
}

Options describes the available matching options

type ParsedHTTPRule 

type ParsedHTTPRule struct {
	URI     *ConditionsList
	Body    *ConditionsList
	Headers *ConditionsList
	Verb    *ConditionsList
	Proto   *ConditionsList
	TLS     *bool
}

ParsedHTTPRule describes the parsed "match" section of a rule targeting HTTP

type ParsedICMPv4Rule 

type ParsedICMPv4Rule struct {
	TypeCode *uint16
	Type     *uint8
	Code     *uint8
	Checksum *uint16
	Seq      *uint16
	Payload  *ConditionsList
}

ParsedICMPv4Rule describes the parsed "match" section of a rule targeting ICMPv4

type ParsedICMPv6Rule 

type ParsedICMPv6Rule struct {
	TypeCode *uint16
	Type     *uint8
	Code     *uint8
	Checksum *uint16
	Payload  *ConditionsList
}

ParsedICMPv6Rule describes the parsed "match" section of a rule targeting ICMPv6

type ParsedTCPRule 

type ParsedTCPRule struct {
	IPOption *ConditionsList
	Fragbits []*uint8
	Flags    []*uint8
	Dsize    *uint
	Seq      *uint32
	Ack      *uint32
	Window   *uint16
	Payload  *ConditionsList
}

ParsedTCPRule describes the parsed "match" section of a rule targeting TCP

type ParsedUDPRule 

type ParsedUDPRule struct {
	Length   *uint16
	Dsize    *uint
	Checksum *uint16
	Payload  *ConditionsList
}

ParsedUDPRule describes the parsed "match" section of a rule targeting UDP

type RawConditions 

type RawConditions struct {
	Groups map[string][]string `yaml:"-,inline"`
	Any    bool                `yaml:"any"`
	Depth  uint                `yaml:"depth"`
	Offset uint                `yaml:"offset"`
}

RawConditions describes the format of a condition field in a rule file

func (RawConditions) ParseList 

func (rclst RawConditions) ParseList() (*ConditionsList, error)

ParseList parses a RawConditions set to create a ConditionsList

type RawFragbits 

type RawFragbits string

RawFragbits abstracts a string describing raw fragbits

func (RawFragbits) Parse 

func (rfbs RawFragbits) Parse() *uint8

Parse parses a RawFragbits string to return its equivalent as an uint8

type RawFragbitsList 

type RawFragbitsList []RawFragbits

RawFragbitsList abstracts an array of RawFragbits

func (RawFragbitsList) ParseList 

func (list RawFragbitsList) ParseList() []*uint8

ParseList parses a RawFragbitsList and returns a list of fragbits as an uint8 array

type RawRule 

type RawRule struct {
	Whitelist Filters `yaml:"whitelist"`
	Blacklist Filters `yaml:"blacklist"`

	Match interface{} `yaml:"match"`

	Tags       map[string]string `yaml:"tags"`
	Layer      string            `yaml:"layer"`
	IPProtocol RawConditions     `yaml:"ip_protocol"`

	Metadata   Metadata          `yaml:"meta"`
	Additional map[string]string `yaml:"embed"`
}

RawRule describes the format of a rule as written by the user

func (RawRule) Parse 

func (rawRule RawRule) Parse() (Rule, error)

Parse creates a Rule from a RawRule

type RawRules 

type RawRules map[string]RawRule

RawRules abstracts a group of raw rules in a rule file

func ParseRulesDir added in v1.1.0 

func ParseRulesDir(rulesDir string, skiplist []string) ([]RawRules, error)

ParseRulesDir walks a directory and parses each of the rule file it encounters

func ParseYAMLRulesFile 

func ParseYAMLRulesFile(filepath string) (RawRules, error)

ParseYAMLRulesFile is an helper that parses the given YAML file and return a set of raw rules as RawRules

type RawTCPFlags 

type RawTCPFlags string

RawTCPFlags abstracts a string describing raw TCP flags

func (RawTCPFlags) Parse 

func (rfls RawTCPFlags) Parse() *uint8

Parse parses a RawTCPFlags string to return its equivalent as an uint8

type RawTCPFlagsList 

type RawTCPFlagsList []RawTCPFlags

RawTCPFlagsList abstracts an array of RawTCPFlags

func (RawTCPFlagsList) ParseList 

func (list RawTCPFlagsList) ParseList() []*uint8

ParseList parses a RawTCPFlagsList and returns a list of tcp flags as an uint8 array

type Rule 

type Rule struct {
	Name string
	ID   string
	Tags map[string]string

	Layer string

	IPProtocol *ConditionsList

	HTTP   ParsedHTTPRule
	TCP    ParsedTCPRule
	UDP    ParsedUDPRule
	ICMPv4 ParsedICMPv4Rule
	ICMPv6 ParsedICMPv6Rule

	IPs        filters.IPRules
	Ports      filters.PortRules
	Metadata   Metadata
	Additional map[string]string

	MatchAll bool
}

Rule describes a parsed Rule object, used to match against a byte array

func NewRule 

func NewRule(rawRule RawRule) Rule

NewRule creates a Rule from a RawRule

func (*Rule) Match 

func (rl *Rule) Match(ev events.Event) bool

Match is the entry point of the Rule matching proc It attempt to match every supported rules to the given event after the rules filters have been applied

func (*Rule) MatchHTTPEvent 

func (rl *Rule) MatchHTTPEvent(ev events.Event) bool

MatchHTTPEvent attempt to match an HTTP event against the calling Rule

func (*Rule) MatchICMPv4Event 

func (rl *Rule) MatchICMPv4Event(ev events.Event) bool

MatchICMPv4Event attempt to match an ICMPv4 event against the calling Rule

func (*Rule) MatchICMPv6Event 

func (rl *Rule) MatchICMPv6Event(ev events.Event) bool

MatchICMPv6Event attempt to match an ICMPv6 event against the calling Rule

func (*Rule) MatchTCPEvent 

func (rl *Rule) MatchTCPEvent(ev events.Event) bool

MatchTCPEvent attempt to match a TCP event against the calling Rule

func (*Rule) MatchUDPEvent 

func (rl *Rule) MatchUDPEvent(ev events.Event) bool

MatchUDPEvent attempt to match an UDP event against the calling Rule

type Rules 

type Rules []Rule

Rules abstracts an array of Rule

func (Rules) Filter 

func (rules Rules) Filter(fn func(rule Rule) bool) Rules

Filter is a helper filtering out one or multiple Rule according to a function returning true or false Similar to array.filter() in python

type TCPRule 

type TCPRule struct {
	IPOption RawConditions   `yaml:"tcp.ipoption"`
	Fragbits RawFragbitsList `yaml:"tcp.fragbits"`
	Dsize    *uint           `yaml:"tcp.dsize"`
	Flags    RawTCPFlagsList `yaml:"tcp.flags"`
	Seq      *uint32         `yaml:"tcp.seq"`
	Ack      *uint32         `yaml:"tcp.ack"`
	Payload  RawConditions   `yaml:"tcp.payload"`
	Window   *uint16         `yaml:"tcp.window"`
	Any      bool            `yaml:"any"`
}

TCPRule describes the raw "match" section of a rule targeting TCP

type UDPRule 

type UDPRule struct {
	Length   *uint16       `yaml:"udp.length"`
	Dsize    *uint         `yaml:"udp.dsize"`
	Checksum *uint16       `yaml:"udp.checksum"`
	Payload  RawConditions `yaml:"udp.payload"`
	Any      bool          `yaml:"any"`
}

UDPRule describes the raw "match" section of a rule targeting UDP

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.