Documentation
Index
- Variables
- func LoadRuleFile(rulefile string) (map[string]Rule, error)
- func LoadRulesDir(rulesDir string) uint
- func LoadValidMatchKeysMap() map[string]interface{}
- func MakeAssetFullPath(path string) string
- func ParseHybridPattern(buffer []byte) ([]byte, error)
- func ReadPacketsFromPcap(pcapfile string, filter layers.IPProtocol, raw bool) ([]events.Event, []gopacket.Packet, error)
- func ReadRawTCPPacketsFromPcap(pcapfile string) ([]gopacket.Packet, error)
- type ConditionValue
- type Conditions
- type ConditionsList
- type Filters
- type GlobalRawRules
- type HTTPRule
- type ICMPv4Rule
- type ICMPv6Rule
- type Metadata
- type Options
- type ParsedHTTPRule
- type ParsedICMPv4Rule
- type ParsedICMPv6Rule
- type ParsedTCPRule
- type ParsedUDPRule
- type RawConditions
- type RawFragbits
- type RawFragbitsList
- type RawRule
- type RawRules
- type RawTCPFlags
- type RawTCPFlagsList
- type Rule
- func (rl *Rule) Match(ev events.Event) bool
- func (rl *Rule) MatchHTTPEvent(ev events.Event) bool
- func (rl *Rule) MatchICMPv4Event(ev events.Event) bool
- func (rl *Rule) MatchICMPv6Event(ev events.Event) bool
- func (rl *Rule) MatchTCPEvent(ev events.Event) bool
- func (rl *Rule) MatchUDPEvent(ev events.Event) bool
- type Rules
- type TCPRule
- type UDPRule
Constants
This section is empty.
Variables
var (
	// GlobalRules is the global object holding all the loaded rules
	GlobalRules = make(map[string][]Rules)
)
Functions
func LoadRuleFile
LoadRuleFile is a helper that parses the rule file at the given path and returns a rule set
func LoadRulesDir
LoadRulesDir walks the given directory to find rule files and loads them into GlobalRules
func LoadValidMatchKeysMap added in v1.1.0
func LoadValidMatchKeysMap() map[string]interface{}
LoadValidMatchKeysMap returns a map of the JSON keys for each of the protocol structs
func MakeAssetFullPath
MakeAssetFullPath is a helper that returns the path to the test resources as defined by the assetsBasePath variable
func ParseHybridPattern
ParseHybridPattern parses a byte array composed of mixed hex and ASCII characters and returns its equivalent as a byte array
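The following parser is an added example written for this page; it is not the package's own ParseHybridPattern. It assumes the Snort-style convention in which hex bytes are written between | delimiters and everything outside them is literal ASCII (the page does not spell out the syntax, so that delimiter choice, the function name parseHybridPattern and the sample patterns are all assumptions). A rule author who mistypes a hex segment gets an error rather than a pattern that silently never matches.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// parseHybridPattern converts a pattern mixing literal ASCII and |hex| segments
// into the raw bytes it denotes, e.g. "GET |0d 0a|Host" becomes
// 'G','E','T',' ',0x0d,0x0a,'H','o','s','t'. Spaces inside a hex segment are
// ignored; any other non-hex character, an odd digit count or an unterminated
// segment is reported as an error instead of being guessed at.
// (Illustrative implementation with an assumed |...| syntax, not the package's own.)
func parseHybridPattern(buffer []byte) ([]byte, error) {
	out := make([]byte, 0, len(buffer))
	inHex := false
	start := 0 // index of the '|' that opened the current hex segment
	var hexRun strings.Builder

	for i, c := range buffer {
		switch {
		case c == '|' && !inHex:
			inHex, start = true, i
			hexRun.Reset()
		case c == '|' && inHex:
			digits := strings.ReplaceAll(hexRun.String(), " ", "")
			if len(digits)%2 != 0 {
				return nil, fmt.Errorf("hex segment at %d has an odd number of digits", start)
			}
			decoded, err := hex.DecodeString(digits)
			if err != nil {
				return nil, fmt.Errorf("hex segment at %d is not valid hex: %w", start, err)
			}
			out = append(out, decoded...)
			inHex = false
		case inHex:
			hexRun.WriteByte(c)
		default:
			out = append(out, c)
		}
	}
	if inHex {
		return nil, fmt.Errorf("unterminated hex segment starting at %d", start)
	}
	return out, nil
}

func main() {
	// Constructed sample patterns, including one malformed entry.
	for _, p := range []string{"GET |0d 0a|Host", "|de ad be ef|", "|abc|"} {
		b, err := parseHybridPattern([]byte(p))
		fmt.Printf("%-18q -> % x (err: %v)\n", p, b, err)
	}
}
```

The same approach generalises to any rule format that embeds binary bytes in a text field: decode once at rule load time, keep the result as []byte, and compare bytes, never re-decode per packet.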
Types
type ConditionValue
ConditionValue abstracts the parsed value of a condition to use in a match attempt
type Conditions
type Conditions struct {
	Values  []ConditionValue
	Options Options
}
Conditions describes a parsed RawConditions
func (Conditions) Match
func (cds Conditions) Match(received []byte) bool
Match matches a byte array against a set of conditions
func (Conditions) MatchBytesWithOptions
func (cds Conditions) MatchBytesWithOptions(received []byte, condVal ConditionValue) bool
MatchBytesWithOptions matches a byte array against a set of conditions, according to the specified ConditionValue. This function only cares about the matching modifier ("contains", "startswith", etc.), not the "all" option; the condition's options are handled in the Conditions.Match function
func (*Conditions) ParseOptions
func (cds *Conditions) ParseOptions(opt string) error
ParseOptions parses a condition's name to extract the options, separated by a |
func (*Conditions) ParseValues
func (cds *Conditions) ParseValues(list []string)
ParseValues loads a Conditions set from a list of condition strings
type ConditionsList
type ConditionsList struct {
	Conditions []Conditions
	MatchAll   bool
}
ConditionsList describes the format of a list of RawConditions
func (ConditionsList) Match
func (clst ConditionsList) Match(received []byte) bool
Match matches a byte array against a ConditionsList
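To make the Conditions, Options and ConditionsList entries above concrete, here is an added, stand-alone example (not the package's code) of the matching pipeline they describe: a condition key such as "contains|nocase" is split on | into options, the offset and depth options narrow the inspected window, the modifier (contains, startswith, endswith, is, regex) decides the comparison, and "all" switches a value group from any-of to all-of. The option names are the ones the Options struct on this page lists; the "offset:N"/"depth:N" spelling, the exact window semantics and the function names parseOptions, matchOne and matchGroup are assumptions made for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// matchOptions holds the options one condition key can carry. Field names follow
// the Options struct on this page; the semantics are assumptions for this example.
type matchOptions struct {
	Offset uint   // skip this many bytes of the buffer before matching
	Depth  uint   // inspect at most this many bytes after Offset (0 = no limit)
	Nocase bool   // case-insensitive comparison
	All    bool   // every value in the group must match instead of any one
	Mode   string // "contains", "startswith", "endswith", "is" or "regex"
}

// parseOptions splits a key such as "contains|nocase|offset:4" on "|".
// Unknown tokens are an error so that a typo in a rule cannot be silently ignored.
func parseOptions(key string) (matchOptions, error) {
	opt := matchOptions{Mode: "contains"} // assumed default modifier
	for _, tok := range strings.Split(key, "|") {
		name, val, hasVal := strings.Cut(tok, ":")
		switch {
		case !hasVal && (name == "contains" || name == "startswith" || name == "endswith" || name == "is" || name == "regex"):
			opt.Mode = name
		case !hasVal && name == "nocase":
			opt.Nocase = true
		case !hasVal && name == "all":
			opt.All = true
		case hasVal && (name == "offset" || name == "depth"):
			n, err := strconv.ParseUint(val, 10, 32)
			if err != nil {
				return opt, fmt.Errorf("bad %s value %q", name, val)
			}
			if name == "offset" {
				opt.Offset = uint(n)
			} else {
				opt.Depth = uint(n)
			}
		default:
			return opt, fmt.Errorf("unknown option %q", tok)
		}
	}
	return opt, nil
}

// window applies offset and depth, clamping when the packet is shorter than the
// rule expects instead of panicking on an out-of-range slice.
func window(received []byte, opt matchOptions) []byte {
	if opt.Offset >= uint(len(received)) {
		return nil
	}
	w := received[opt.Offset:]
	if opt.Depth > 0 && opt.Depth < uint(len(w)) {
		w = w[:opt.Depth]
	}
	return w
}

// matchOne tests a single condition value against the buffer under the options.
func matchOne(received, value []byte, opt matchOptions) bool {
	w := window(received, opt)
	if opt.Mode == "regex" {
		pat := string(value)
		if opt.Nocase {
			pat = "(?i)" + pat
		}
		re, err := regexp.Compile(pat)
		return err == nil && re.Match(w)
	}
	if opt.Nocase {
		w, value = bytes.ToLower(w), bytes.ToLower(value)
	}
	switch opt.Mode {
	case "startswith":
		return bytes.HasPrefix(w, value)
	case "endswith":
		return bytes.HasSuffix(w, value)
	case "is":
		return bytes.Equal(w, value)
	default:
		return bytes.Contains(w, value)
	}
}

// matchGroup evaluates one key/values group: with "all" every value must match,
// otherwise one matching value is enough. An empty group never matches.
func matchGroup(received []byte, key string, values []string) (bool, error) {
	opt, err := parseOptions(key)
	if err != nil {
		return false, err
	}
	for _, v := range values {
		ok := matchOne(received, []byte(v), opt)
		if opt.All && !ok {
			return false, nil
		}
		if !opt.All && ok {
			return true, nil
		}
	}
	return opt.All && len(values) > 0, nil
}

func main() {
	payload := []byte("GET /admin HTTP/1.1\r\nHost: example\r\n") // constructed sample
	for key, values := range map[string][]string{
		"startswith":                {"POST", "GET"},
		"contains|nocase":           {"ADMIN"},
		"contains|all":              {"GET", "HTTP/1.1"},
		"contains|offset:4|depth:6": {"admin"},
	} {
		ok, err := matchGroup(payload, key, values)
		fmt.Printf("%-28s -> %v (err: %v)\n", key, ok, err)
	}
}
```

Two details matter for a detection engine: offset and depth are clamped rather than trusted, because the packet, not the rule author, decides how long the buffer is; and the regex is compiled on every call here only for brevity, whereas a real loader would compile it once at rule-parse time and reject an invalid pattern up front.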
type HTTPRule
type HTTPRule struct {
	URI     RawConditions `yaml:"http.uri"`
	Body    RawConditions `yaml:"http.body"`
	Headers RawConditions `yaml:"http.headers"`
	Verb    RawConditions `yaml:"http.method"`
	Proto   RawConditions `yaml:"http.proto"`
	TLS     *bool         `yaml:"http.tls"`
	Any     bool          `yaml:"any"`
}
HTTPRule describes the raw "match" section of a rule targeting HTTP
type ICMPv4Rule
type ICMPv4Rule struct {
	TypeCode *uint16       `yaml:"icmpv4.typecode"`
	Type     *uint8        `yaml:"icmpv4.type"`
	Code     *uint8        `yaml:"icmpv4.code"`
	Checksum *uint16       `yaml:"icmpv4.checksum"`
	Seq      *uint16       `yaml:"icmpv4.seq"`
	Payload  RawConditions `yaml:"icmpv4.payload"`
	Any      bool          `yaml:"any"`
}
ICMPv4Rule describes the raw "match" section of a rule targeting ICMPv4
type ICMPv6Rule
type ICMPv6Rule struct {
	TypeCode *uint16       `yaml:"icmpv6.typecode"`
	Type     *uint8        `yaml:"icmpv6.type"`
	Code     *uint8        `yaml:"icmpv6.code"`
	Checksum *uint16       `yaml:"icmpv6.checksum"`
	Payload  RawConditions `yaml:"icmpv6.payload"`
	Any      bool          `yaml:"any"`
}
ICMPv6Rule describes the raw "match" section of a rule targeting ICMPv6
type Metadata
type Metadata struct {
	ID          string   `yaml:"id"`
	Status      string   `yaml:"status"`
	Description string   `yaml:"description"`
	Author      string   `yaml:"author"`
	Created     string   `yaml:"created"`
	Modified    string   `yaml:"modified"`
	References  []string `yaml:"references"`
}
Metadata describes the exposed content of the "meta" field
type Options
type Options struct {
	Depth      uint
	Offset     uint
	Nocase     bool
	Is         bool
	All        bool
	Contains   bool
	Startswith bool
	Endswith   bool
	Regex      bool
}
Options describes the available matching options
type ParsedHTTPRule
type ParsedHTTPRule struct {
	URI     *ConditionsList
	Body    *ConditionsList
	Headers *ConditionsList
	Verb    *ConditionsList
	Proto   *ConditionsList
	TLS     *bool
}
ParsedHTTPRule describes the parsed "match" section of a rule targeting HTTP
type ParsedICMPv4Rule
type ParsedICMPv4Rule struct {
	TypeCode *uint16
	Type     *uint8
	Code     *uint8
	Checksum *uint16
	Seq      *uint16
	Payload  *ConditionsList
}
ParsedICMPv4Rule describes the parsed "match" section of a rule targeting ICMPv4
type ParsedICMPv6Rule
type ParsedICMPv6Rule struct {
	TypeCode *uint16
	Type     *uint8
	Code     *uint8
	Checksum *uint16
	Payload  *ConditionsList
}
ParsedICMPv6Rule describes the parsed "match" section of a rule targeting ICMPv6
type ParsedTCPRule
type ParsedTCPRule struct {
	IPOption *ConditionsList
	Fragbits []*uint8
	Flags    []*uint8
	Dsize    *uint
	Seq      *uint32
	Ack      *uint32
	Window   *uint16
	Payload  *ConditionsList
}
ParsedTCPRule describes the parsed "match" section of a rule targeting TCP
type ParsedUDPRule
type ParsedUDPRule struct {
	Length   *uint16
	Dsize    *uint
	Checksum *uint16
	Payload  *ConditionsList
}
ParsedUDPRule describes the parsed "match" section of a rule targeting UDP
type RawConditions
type RawConditions struct {
	Groups map[string][]string `yaml:"-,inline"`
	Any    bool                `yaml:"any"`
	Depth  uint                `yaml:"depth"`
	Offset uint                `yaml:"offset"`
}
RawConditions describes the format of a condition field in a rule file
func (RawConditions) ParseList
func (rclst RawConditions) ParseList() (*ConditionsList, error)
ParseList parses a RawConditions set to create a ConditionsList
type RawFragbits
type RawFragbits string
RawFragbits abstracts a string describing raw fragbits
func (RawFragbits) Parse
func (rfbs RawFragbits) Parse() *uint8
Parse parses a RawFragbits string to return its equivalent as a uint8
type RawFragbitsList
type RawFragbitsList []RawFragbits
RawFragbitsList abstracts an array of RawFragbits
func (RawFragbitsList) ParseList
func (list RawFragbitsList) ParseList() []*uint8
ParseList parses a RawFragbitsList and returns a list of fragbits as a uint8 array
type RawRule
type RawRule struct {
	Whitelist  Filters           `yaml:"whitelist"`
	Blacklist  Filters           `yaml:"blacklist"`
	Match      interface{}       `yaml:"match"`
	Tags       map[string]string `yaml:"tags"`
	Layer      string            `yaml:"layer"`
	IPProtocol RawConditions     `yaml:"ip_protocol"`
	Metadata   Metadata          `yaml:"meta"`
	Additional map[string]string `yaml:"embed"`
}
RawRule describes the format of a rule as written by the user
type RawRules
RawRules abstracts a group of raw rules in a rule file
func ParseRulesDir added in v1.1.0
ParseRulesDir walks a directory and parses each of the rule files it encounters
func ParseYAMLRulesFile
ParseYAMLRulesFile is a helper that parses the given YAML file and returns a set of raw rules as RawRules
type RawTCPFlags
type RawTCPFlags string
RawTCPFlags abstracts a string describing raw TCP flags
func (RawTCPFlags) Parse
func (rfls RawTCPFlags) Parse() *uint8
Parse parses a RawTCPFlags string to return its equivalent as a uint8
type RawTCPFlagsList
type RawTCPFlagsList []RawTCPFlags
RawTCPFlagsList abstracts an array of RawTCPFlags
func (RawTCPFlagsList) ParseList
func (list RawTCPFlagsList) ParseList() []*uint8
ParseList parses a RawTCPFlagsList and returns a list of TCP flags as a uint8 array
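As an added illustration of what RawTCPFlags.Parse, RawTCPFlagsList.ParseList and the resulting ParsedTCPRule.Flags slice represent, the following stand-alone example (not the package's code) turns flag strings into TCP flags bytes and checks a packet's flags against the parsed list. It assumes the Snort-style one-letter names F, S, R, P, A, U, E, C for FIN, SYN, RST, PSH, ACK, URG, ECE and CWR, and assumes that a rule entry matches on exact equality of the flags byte; the page gives neither the letter convention nor the comparison rule, and the function names parseTCPFlags, parseTCPFlagsList, flagsMatch and formatTCPFlags are illustrative.

```go
package main

import (
	"fmt"
	"strings"
)

// tcpFlagBits maps the one-letter flag names assumed for this example to their
// bit in the TCP flags byte (RFC 793 plus the ECE/CWR bits of RFC 3168).
var tcpFlagBits = map[byte]uint8{
	'F': 0x01, // FIN
	'S': 0x02, // SYN
	'R': 0x04, // RST
	'P': 0x08, // PSH
	'A': 0x10, // ACK
	'U': 0x20, // URG
	'E': 0x40, // ECE
	'C': 0x80, // CWR
}

// parseTCPFlags converts a flag string such as "SA" into the flags byte 0x12.
// An unknown letter is an error rather than being dropped, so a typo cannot
// silently turn into a rule that matches the wrong packets.
func parseTCPFlags(s string) (*uint8, error) {
	var flags uint8
	for i := 0; i < len(s); i++ {
		bit, ok := tcpFlagBits[s[i]]
		if !ok {
			return nil, fmt.Errorf("unknown TCP flag %q in %q", s[i], s)
		}
		flags |= bit
	}
	return &flags, nil
}

// parseTCPFlagsList parses every entry of a rule's flags list into the []*uint8
// shape that ParsedTCPRule.Flags has on this page.
func parseTCPFlagsList(list []string) ([]*uint8, error) {
	out := make([]*uint8, 0, len(list))
	for _, s := range list {
		f, err := parseTCPFlags(s)
		if err != nil {
			return nil, err
		}
		out = append(out, f)
	}
	return out, nil
}

// flagsMatch reports whether the packet's flags byte equals any parsed entry.
// Exact equality is the assumed semantic, so "SA" matches a SYN/ACK but not a
// SYN/ACK with PSH also set.
func flagsMatch(packetFlags uint8, wanted []*uint8) bool {
	for _, w := range wanted {
		if w != nil && *w == packetFlags {
			return true
		}
	}
	return false
}

// formatTCPFlags renders a flags byte back into letters, in the fixed order
// F S R P A U E C, for alert output.
func formatTCPFlags(flags uint8) string {
	var b strings.Builder
	for _, letter := range "FSRPAUEC" {
		if flags&tcpFlagBits[byte(letter)] != 0 {
			b.WriteRune(letter)
		}
	}
	return b.String()
}

func main() {
	rule, err := parseTCPFlagsList([]string{"S", "SA"}) // constructed rule entry
	if err != nil {
		panic(err)
	}
	// Constructed packet flag bytes: SYN, SYN/ACK, SYN/ACK/PSH.
	for _, pkt := range []uint8{0x02, 0x12, 0x1a} {
		fmt.Printf("flags %-4s (0x%02x) match: %v\n", formatTCPFlags(pkt), pkt, flagsMatch(pkt, rule))
	}
}
```

If the engine instead meant "these bits must be set, others may be anything", flagsMatch would test packetFlags&*w == *w; which of the two a rule author gets is exactly the kind of detail worth pinning down in a rule-format document, since it changes which packets a "SA" rule fires on.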
type Rule
type Rule struct {
	Name       string
	ID         string
	Tags       map[string]string
	Layer      string
	IPProtocol *ConditionsList
	HTTP       ParsedHTTPRule
	TCP        ParsedTCPRule
	UDP        ParsedUDPRule
	ICMPv4     ParsedICMPv4Rule
	ICMPv6     ParsedICMPv6Rule
	IPs        filters.IPRules
	Ports      filters.PortRules
	Metadata   Metadata
	Additional map[string]string
	MatchAll   bool
}
Rule describes a parsed Rule object, used to match against a byte array
func (*Rule) Match
Match is the entry point of the Rule matching process. It attempts to match every supported rule against the given event after the rule's filters have been applied
func (*Rule) MatchHTTPEvent
MatchHTTPEvent attempts to match an HTTP event against the calling Rule
func (*Rule) MatchICMPv4Event
MatchICMPv4Event attempts to match an ICMPv4 event against the calling Rule
func (*Rule) MatchICMPv6Event
MatchICMPv6Event attempts to match an ICMPv6 event against the calling Rule
func (*Rule) MatchTCPEvent
MatchTCPEvent attempts to match a TCP event against the calling Rule
type TCPRule
type TCPRule struct {
	IPOption RawConditions   `yaml:"tcp.ipoption"`
	Fragbits RawFragbitsList `yaml:"tcp.fragbits"`
	Dsize    *uint           `yaml:"tcp.dsize"`
	Flags    RawTCPFlagsList `yaml:"tcp.flags"`
	Seq      *uint32         `yaml:"tcp.seq"`
	Ack      *uint32         `yaml:"tcp.ack"`
	Payload  RawConditions   `yaml:"tcp.payload"`
	Window   *uint16         `yaml:"tcp.window"`
	Any      bool            `yaml:"any"`
}
TCPRule describes the raw "match" section of a rule targeting TCP