plugintypes

package
v3.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

Published: May 31, 2023 License: Apache-2.0 Imports: 6 Imported by: 2

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Action

// Action is the contract a rule action implements: Init receives the rule's
// metadata and a string argument, Evaluate runs the action against a
// transaction, and Type reports which ActionType category it belongs to.
type Action interface {
	// Init initializes the action.
	// The string parameter is presumably the raw argument text taken from the
	// rule directive — confirm against the caller. Returning a non-nil error
	// is the only way this interface offers to reject a bad argument.
	Init(RuleMetadata, string) error

	// Evaluate evaluates the action.
	// It has no return value, so an implementation cannot report a failure to
	// its caller; any effect goes through the TransactionState it is handed
	// (for example Interrupt or DebugLogger).
	Evaluate(RuleMetadata, TransactionState)

	// Type returns the type of action.
	Type() ActionType
}

Action is an action that can be used within a rule.

type ActionType

// ActionType categorizes an Action. The constants declared for it in this
// package run from 1 to 5, so the zero value matches none of them; code that
// switches on an ActionType should handle that unmatched case explicitly.
type ActionType int

ActionType is used to define when an action is going to be triggered.

// Declared ActionType values. They are assigned explicitly, starting at 1.
const (
	// ActionTypeMetadata is used to provide more information about rules.
	ActionTypeMetadata ActionType = 1
	// ActionTypeDisruptive is used to make the integrator do something like
	// drop the request. This is the category whose actions change what
	// happens to the transaction.
	ActionTypeDisruptive ActionType = 2
	// ActionTypeData marks entries that are not really actions: they are
	// containers that hold data used by other actions.
	ActionTypeData ActionType = 3
	// ActionTypeNondisruptive is used to do something that does not affect the flow of the rule.
	ActionTypeNondisruptive ActionType = 4
	// ActionTypeFlow is used to affect the rule flow (for example skip or skipAfter).
	ActionTypeFlow ActionType = 5
)

type AuditLog

// AuditLog is the read-only view of one audit log record that is handed to
// an AuditLogFormatter and to AuditLogWriter.Write.
type AuditLog interface {
	// Parts returns the types.AuditLogParts value for this record.
	// Presumably this selects which sections are logged — confirm in the
	// types package.
	Parts() types.AuditLogParts
	// Transaction returns the transaction-level data (addresses, request,
	// response, producer).
	Transaction() AuditLogTransaction
	// Messages returns the messages recorded for this record.
	Messages() []AuditLogMessage
}

AuditLog represents the main struct for audit log data

type AuditLogConfig

// AuditLogConfig carries the settings passed to AuditLogWriter.Init.
//
// NOTE(review): audit records expose request and response headers and bodies
// (see AuditLogTransactionRequest and AuditLogTransactionResponse), so the
// files written here can hold credentials and personal data. FileMode and
// DirMode should be chosen so that only the logging identity and the intended
// log readers have access.
type AuditLogConfig struct {
	// Target is the path to the file to write the raw audit log to.
	Target string

	// FileMode is the mode to use when creating the Target file.
	FileMode fs.FileMode

	// Dir is the path to the directory to write formatted audit logs to.
	Dir string

	// DirMode is the mode to use when creating Dir.
	DirMode fs.FileMode

	// Formatter is the formatter to use when writing formatted audit logs.
	Formatter AuditLogFormatter
}

AuditLogConfig is the configuration of a Writer.

type AuditLogFormatter

// AuditLogFormatter serializes one AuditLog record into bytes, or returns an
// error if it cannot.
//
// NOTE(review): several AuditLog fields are strings taken from the HTTP
// exchange (URI, headers, body). A formatter should encode or escape them for
// its output format so that a value containing delimiters or newlines cannot
// be mistaken for log structure by whatever consumes the log.
type AuditLogFormatter func(AuditLog) ([]byte, error)

AuditLogFormatter formats an audit log to a byte slice.

type AuditLogMessage

// AuditLogMessage describes one entry of AuditLog.Messages.
type AuditLogMessage interface {
	// Actionset returns the action set as a string.
	// Presumably the action set of the rule that produced the message —
	// confirm against the implementation.
	Actionset() string
	// Message returns the message text.
	Message() string
	// Data returns the detailed, per-rule fields for this message.
	Data() AuditLogMessageData
}

AuditLogMessage contains information about the triggered rules

type AuditLogMessageData

// AuditLogMessageData exposes the detailed fields attached to one
// AuditLogMessage. The accessor names suggest they mirror rule metadata
// (id, rev, msg, severity, ver, maturity, accuracy, tags) plus the location
// of the rule — confirm against the implementation.
type AuditLogMessageData interface {
	// File and Line presumably locate the rule definition — TODO confirm.
	File() string
	Line() int
	// ID is presumably the rule ID (RuleMetadata.ID is also an int).
	ID() int
	Rev() string
	Msg() string
	// Data returns a free-form string. NOTE(review): if this carries matched
	// input, it is request-derived and should be treated as untrusted by log
	// consumers — confirm what the implementation stores here.
	Data() string
	Severity() types.RuleSeverity
	Ver() string
	Maturity() int
	Accuracy() int
	Tags() []string
	// Raw returns a raw string form; its exact content is not visible here.
	Raw() string
}

AuditLogMessageData contains information about the triggered rules in detail

type AuditLogTransaction

// AuditLogTransaction exposes the transaction-level part of an audit record:
// when it happened, the two endpoints, and the request, response and
// producer sub-records.
type AuditLogTransaction interface {
	// Timestamp and UnixTimestamp return the transaction time as a string and
	// as an int64. The string layout and the integer's unit are not visible
	// here — TODO confirm before parsing or comparing them.
	Timestamp() string
	UnixTimestamp() int64
	// ID returns the transaction ID.
	ID() string
	// ClientIP and ClientPort describe the client side of the connection.
	// NOTE(review): whether ClientIP is the socket peer or a value derived
	// from forwarding headers depends on the integrator — confirm before
	// using it for attribution.
	ClientIP() string
	ClientPort() int
	// HostIP and HostPort describe the server side of the connection.
	HostIP() string
	HostPort() int
	ServerID() string
	// Request returns the request sub-record; HasRequest presumably reports
	// whether it is populated, so check it first — TODO confirm.
	Request() AuditLogTransactionRequest
	HasRequest() bool
	// Response returns the response sub-record; HasResponse presumably
	// reports whether it is populated, so check it first — TODO confirm.
	Response() AuditLogTransactionResponse
	HasResponse() bool
	// Producer returns information about the software that produced the log.
	Producer() AuditLogTransactionProducer
}

AuditLogTransaction contains transaction specific information

type AuditLogTransactionProducer

// AuditLogTransactionProducer exposes information about the software that
// produced the audit record, intended for debugging.
//
// NOTE(review): connector, server and rule-engine versions are useful to an
// operator but also describe the deployment; keep that in mind when audit
// logs are shipped outside the team that runs the WAF.
type AuditLogTransactionProducer interface {
	Connector() string
	Version() string
	Server() string
	RuleEngine() string
	// Stopwatch returns timing information as a string; the format is not
	// visible here.
	Stopwatch() string
	// Rulesets returns the rule set identifiers as strings.
	Rulesets() []string
}

AuditLogTransactionProducer contains producer specific information for debugging

type AuditLogTransactionRequest

// AuditLogTransactionRequest exposes the HTTP request part of an audit
// record.
//
// NOTE(review): every value here originates from the client. Headers and
// Body can include credentials such as cookies, authorization headers or
// form passwords, so audit logs need the same access control and retention
// handling as the traffic itself.
type AuditLogTransactionRequest interface {
	Method() string
	Protocol() string
	URI() string
	HTTPVersion() string
	// Headers maps a header name to all values logged for it.
	Headers() map[string][]string
	// Body returns the request body as a string.
	Body() string
	// Files lists the files uploaded with the request.
	Files() []AuditLogTransactionRequestFiles
}

AuditLogTransactionRequest contains request specific information

type AuditLogTransactionRequestFiles

// AuditLogTransactionRequestFiles describes one file uploaded through a
// multipart form.
type AuditLogTransactionRequestFiles interface {
	// Name returns the file name. NOTE(review): presumably the name supplied
	// in the multipart part, i.e. client-controlled — do not use it to build
	// filesystem paths without validation.
	Name() string
	// Size returns the file size as an int64 (presumably bytes — confirm).
	Size() int64
	// Mime returns the MIME type. Presumably as declared by the client rather
	// than detected from content — confirm.
	Mime() string
}

AuditLogTransactionRequestFiles contains information for the uploaded files using multipart forms

type AuditLogTransactionResponse

// AuditLogTransactionResponse exposes the HTTP response part of an audit
// record.
//
// NOTE(review): response headers and bodies can carry session cookies and
// application data, so they deserve the same log access control as the
// request side.
type AuditLogTransactionResponse interface {
	Protocol() string
	// Status returns the response status as an int.
	Status() int
	// Headers maps a header name to all values logged for it.
	Headers() map[string][]string
	// Body returns the response body as a string.
	Body() string
}

AuditLogTransactionResponse contains response specific information

type AuditLogWriter

// AuditLogWriter is implemented by every audit log output. The methods form
// an Init / Write / Close lifecycle.
type AuditLogWriter interface {
	// Init prepares the writer from the given configuration; it exists
	// because a writer may need preparation before the first Write.
	// A non-nil error means the writer could not be set up.
	Init(AuditLogConfig) error
	// Write sends the audit log to the output destination.
	// Using the Formatter is mandatory to generate a "readable" audit log.
	// The record is passed as an AuditLog rather than as a byte slice because
	// some writers may require some audit metadata.
	//
	// NOTE(review): a returned error is the only signal that a record was
	// not persisted; callers should surface it rather than drop it, since a
	// silently failing writer leaves gaps in the audit trail.
	Write(AuditLog) error
	// Close closes the writer if required.
	Close() error
}

AuditLogWriter is the interface for all log writers. It receives an audit log and writes it to the output stream. An output stream may be a file, a socket, a URL, etc.

type BodyProcessor

// BodyProcessor parses a request or response body for a given content type
// and stores what it extracts in the transaction's variables.
//
// NOTE(review): reader yields the raw body, which on the request side is
// attacker-controlled. Neither the method signatures nor BodyProcessorOptions
// carry a size or nesting limit, and whether the caller has already bounded
// the reader is not visible here — implementations should bound how much they
// read and how deep they parse rather than assume it.
type BodyProcessor interface {
	// ProcessRequest reads a request body from reader and records the result
	// in variables. A non-nil error reports that processing failed.
	ProcessRequest(reader io.Reader, variables TransactionVariables, options BodyProcessorOptions) error
	// ProcessResponse is the response-side counterpart of ProcessRequest.
	ProcessResponse(reader io.Reader, variables TransactionVariables, options BodyProcessorOptions) error
}

The BodyProcessor interface is used to create body processors for different content types. They are able to read the body, force a collection, hook to some variable, and return data based on special expressions like XPath, jq, etc.

type BodyProcessorOptions

// BodyProcessorOptions carries optional settings for a BodyProcessor, such as
// where temporary files may be stored. Implementations may ignore them.
//
// NOTE(review): anything written under StoragePath is derived from the body
// being processed, so FileMode and DirMode should keep those files private to
// the processing identity.
type BodyProcessorOptions struct {
	// Mime is the type of the body, it may contain parameters
	// like charset, boundary, etc.
	// Presumably taken from the Content-Type header, i.e. supplied by the
	// peer — parse it defensively.
	Mime string
	// StoragePath is the path where the body will be stored
	StoragePath string
	// FileMode is the mode of the file that will be created
	FileMode fs.FileMode
	// DirMode is the mode of the directory that will be created
	DirMode fs.FileMode
}

BodyProcessorOptions are used by BodyProcessors to provide some settings like a path to store temporary files. Implementations may ignore the options.

type Operator

// Operator is the contract for a rule @operator.
type Operator interface {
	// Evaluate is used during the rule evaluation,
	// it returns true if the operator succeeded against
	// the input data for the transaction
	//
	// The string parameter is the input data being tested.
	// NOTE(review): the only result is a bool, so an internal failure has to
	// be mapped to true or false. Returning false makes the rule not match,
	// which is a fail-open outcome; implementations should decide that
	// mapping deliberately and record the failure through the
	// TransactionState's DebugLogger.
	Evaluate(TransactionState, string) bool
}

Operator interface is used to define rule @operators

type OperatorFactory

// OperatorFactory builds an Operator from the given OperatorOptions. The
// error return lets a factory reject options it cannot use (for example
// malformed Arguments) at construction rather than during Evaluate, which
// has no error return.
type OperatorFactory func(options OperatorOptions) (Operator, error)

type OperatorOptions

// OperatorOptions is the input an OperatorFactory receives when building an
// Operator.
type OperatorOptions struct {
	// Arguments is used to store the operator args
	Arguments string

	// Path is used to store a list of possible data paths
	Path []string

	// Root is the root to resolve Path from.
	// NOTE(review): opening data files through Root instead of directly from
	// the OS keeps lookups within the file system the integrator supplied, to
	// the extent that fs.FS implementation enforces it — confirm which
	// implementation is passed in.
	Root fs.FS

	// Datasets contains input datasets or dictionaries
	Datasets map[string][]string
}

OperatorOptions is used to store the options for a rule operator

type Rule

// Rule is a rule that can be executed against a transaction.
type Rule interface {
	// Evaluate evaluates the rule, returning data related to matches if any.
	// Presumably an empty or nil slice means the rule did not match —
	// confirm against the caller.
	Evaluate(state TransactionState) []types.MatchData
}

Rule is a rule executed against a transaction.

type RuleMetadata

// RuleMetadata exposes the identifying information of a rule that is passed
// to Action.Init and Action.Evaluate.
type RuleMetadata interface {
	// ID returns the ID of the rule.
	ID() int

	// ParentID returns the ID of the parent of the rule for a chained rule.
	// What it returns for a rule that is not chained is not visible here.
	ParentID() int

	// Status returns the status to set if the rule matches.
	// Presumably an HTTP status code — confirm against the caller.
	Status() int
}

RuleMetadata is information about a rule parsed from directives.

type TransactionState

// TransactionState is the view of a running transaction that actions and
// operators receive. It gives access to the transaction's variables, lets an
// implementation interrupt the transaction, and exposes logging and capture
// helpers.
type TransactionState interface {
	// ID returns the ID of the transaction.
	ID() string // TODO(anuraaga): If only for logging, can be built into logger

	// Variables returns the TransactionVariables of the transaction.
	Variables() TransactionVariables

	// Collection returns a collection from the transaction.
	// The collection is selected by its variables.RuleVariable index.
	Collection(idx variables.RuleVariable) collection.Collection

	// Interrupt interrupts the transaction.
	// It takes a pointer to the types.Interruption describing the
	// interruption; how a nil pointer is handled is not visible here.
	Interrupt(interruption *types.Interruption)

	// DebugLogger returns the logger for this transaction.
	// NOTE(review): values logged from plugins are usually request-derived;
	// avoid writing secrets or unescaped raw input to the debug log.
	DebugLogger() debuglog.Logger

	// Capturing returns whether the transaction is capturing. CaptureField only works if capturing, this can be used
	// as an optimization to avoid processing specific to capturing fields.
	Capturing() bool // TODO(anuraaga): Only needed in operators?

	// CaptureField captures a field.
	// idx is the capture slot and value the captured text; the valid range
	// of idx is not visible here — TODO confirm before passing computed
	// indexes.
	CaptureField(idx int, value string)

	// LastPhase returns a types.RulePhase. Presumably the most recent phase
	// the transaction has processed — confirm in the implementation.
	LastPhase() types.RulePhase
}

TransactionState tracks the state of a transaction for use in actions and operators.

type TransactionVariables

// TransactionVariables gives typed access to the variables of a transaction.
// Each accessor returns one of the collection kinds used in this package
// (collection.Single, collection.Map, collection.Keyed or the general
// collection.Collection).
//
// NOTE(review): judging by their names, most of these collections hold data
// taken from the HTTP request (arguments, headers, cookies, body, uploaded
// files). Plugins should treat their contents as untrusted input: bound any
// work that scales with them and never use them unvalidated in file paths,
// commands or log structure.
type TransactionVariables interface {
	// All iterates over all the variables in this TransactionVariables, invoking f for each.
	// Results are passed in no defined order. If f returns false, iteration stops.
	All(f func(v variables.RuleVariable, col collection.Collection) bool)

	// Simple Variables
	// (The accessors below are not only single-valued: the list also contains
	// Map, Keyed and Collection kinds.)
	UrlencodedError() collection.Single
	ResponseContentType() collection.Single
	UniqueID() collection.Single
	ArgsCombinedSize() collection.Collection
	FilesCombinedSize() collection.Single
	FullRequestLength() collection.Single
	InboundDataError() collection.Single
	MatchedVar() collection.Single
	MatchedVarName() collection.Single
	MultipartDataAfter() collection.Single
	MultipartPartHeaders() collection.Map
	OutboundDataError() collection.Single
	QueryString() collection.Single
	RemoteAddr() collection.Single
	RemoteHost() collection.Single
	RemotePort() collection.Single
	// Request body status and content.
	RequestBodyError() collection.Single
	RequestBodyErrorMsg() collection.Single
	RequestBodyProcessorError() collection.Single
	RequestBodyProcessorErrorMsg() collection.Single
	RequestBodyProcessor() collection.Single
	RequestBasename() collection.Single
	RequestBody() collection.Single
	RequestBodyLength() collection.Single
	RequestFilename() collection.Single
	RequestLine() collection.Single
	RequestMethod() collection.Single
	RequestProtocol() collection.Single
	RequestURI() collection.Single
	RequestURIRaw() collection.Single
	// Response-side values.
	ResponseBody() collection.Single
	ResponseArgs() collection.Map
	ResponseContentLength() collection.Single
	ResponseProtocol() collection.Single
	ResponseStatus() collection.Single
	ResponseBodyProcessor() collection.Single
	ServerAddr() collection.Single
	ServerName() collection.Single
	ServerPort() collection.Single
	HighestSeverity() collection.Single
	StatusLine() collection.Single
	// Env presumably exposes environment values — NOTE(review): confirm what
	// is populated here before exposing it to rule authors or logs.
	Env() collection.Map
	TX() collection.Map
	Rule() collection.Map
	Duration() collection.Single
	// Request arguments, split by where they came from.
	Args() collection.Keyed
	ArgsGet() collection.Map
	ArgsPost() collection.Map
	ArgsPath() collection.Map
	// Uploaded-file information.
	FilesTmpNames() collection.Map
	Geo() collection.Map
	Files() collection.Map
	RequestCookies() collection.Map
	RequestHeaders() collection.Map
	ResponseHeaders() collection.Map
	MultipartName() collection.Map
	MatchedVarsNames() collection.Collection
	MultipartFilename() collection.Map
	MatchedVars() collection.Map
	FilesSizes() collection.Map
	FilesNames() collection.Map
	FilesTmpContent() collection.Map
	// Name-only views of headers, cookies and arguments.
	ResponseHeadersNames() collection.Collection
	RequestHeadersNames() collection.Collection
	RequestCookiesNames() collection.Collection
	XML() collection.Map
	RequestXML() collection.Map
	ResponseXML() collection.Map
	ArgsNames() collection.Collection
	ArgsGetNames() collection.Collection
	ArgsPostNames() collection.Collection
}

TransactionVariables has pointers to all the variables of the transaction

type Transformation

// Transformation is the function signature of a transformation plugin: it
// takes the input string and returns a string, a bool and an error. The type
// is declared as an alias, so any function with this signature is a
// Transformation without conversion.
//
// The bool result is presumably a "value was changed" flag — TODO confirm.
// Per the package documentation, a transformation that fails returns the
// input unchanged together with an error, and the error is only logged; rule
// execution continues.
//
// NOTE(review): that makes a failing transformation fail open. The operator
// then evaluates input that was not normalized, so a rule relying on the
// transformation may not match. Transformation errors in the log deserve
// monitoring, and implementations should keep their failure cases rare.
type Transformation = func(input string) (string, bool, error)

Transformation is used to create transformation plugins. See the documentation for more information. If a transformation fails to run, it will return the same string and an error. Errors are only used for logging; they won't stop the execution of the rule.
