Documentation
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Option
type Option func(*RuleEvaluator)
Option is a function that takes a RuleEvaluator pointer and modifies its configuration.
func WithConfig
WithConfig returns an Option that sets the provided Sigma configs on the RuleEvaluator. The configs are used to initialize the RuleEvaluator, which builds field mappings and indexes from them so that Sigma rules can be evaluated efficiently. The configs must be passed in order of precedence; the Option appends them to the RuleEvaluator's config slice and then recalculates the RuleEvaluator's indexes and field mappings.
type Result
type Result struct {
	MetaResults    map[string]string
	StringsResults map[string]string // The map of strings identifiers to their result values
	ConditionResult string           // The map of condition indices to their result values
	QueryResult     string           // The map of query indices to their result values
}
Result represents the evaluation result of a Sigma rule. It contains the search, condition, aggregation, and query results of the rule evaluation.
type RuleEvaluator
RuleEvaluator represents a rule evaluator that is capable of computing the search, condition, and query results of a Yara rule. It holds the rule configuration, search conditions, and field mappings necessary to apply the rule to log events and generate the query results.
func ForRule
func ForRule(rule *ast.Rule, options ...Option) *RuleEvaluator
ForRule constructs a new RuleEvaluator with the given Sigma rule and evaluation options. It applies any provided options to the new RuleEvaluator and returns it.
func (RuleEvaluator) Alters
func (rule RuleEvaluator) Alters() (Result, error)
Alters returns a Result containing the evaluation results for the rule's Detection field. It uses the evaluateSearch, evaluateSearchExpression and evaluateAggregationExpression functions to compute the search, condition and aggregation results.
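To make the option mechanics of WithConfig and ForRule concrete, and to show what an evaluation result like the one Alters returns looks like, here is a self-contained toy model written for this page. It is not the package's own implementation: Config, Rule, MappedField and Evaluate are stand-ins invented here (the real package takes an *ast.Rule and its Alters method takes no event argument), only the fieldmappings part of a Sigma config is modelled, and the rule that an earlier config wins when two configs map the same field is an assumption about "order of precedence". All configs, rules and events are constructed samples.

```go
package main

import (
	"fmt"
	"strings"
)

// Config is a toy stand-in for a Sigma config (assumption: only the
// fieldmappings part is modelled): generic rule field -> log-source field.
type Config struct {
	FieldMappings map[string]string
}

// Rule is a toy stand-in for ast.Rule: one "selection" of field/value pairs
// and a condition that is either "selection" or "not selection".
type Rule struct {
	Title     string
	Selection map[string]string
	Condition string
}

// Option follows the page's functional-option shape.
type Option func(*RuleEvaluator)

// RuleEvaluator holds the rule, the configs in precedence order and the
// field-mapping index rebuilt from them.
type RuleEvaluator struct {
	rule    *Rule
	configs []Config
	fields  map[string]string
}

// WithConfig appends the configs (precedence order) and recalculates the
// field-mapping index. Assumption: when two configs map the same generic
// field, the earlier (higher-precedence) one wins.
func WithConfig(configs ...Config) Option {
	return func(re *RuleEvaluator) {
		re.configs = append(re.configs, configs...)
		re.rebuildFieldMappings()
	}
}

func (re *RuleEvaluator) rebuildFieldMappings() {
	re.fields = make(map[string]string)
	for _, c := range re.configs {
		for generic, actual := range c.FieldMappings {
			if _, seen := re.fields[generic]; !seen {
				re.fields[generic] = actual
			}
		}
	}
}

// ForRule builds an evaluator and applies the options in order.
func ForRule(rule *Rule, options ...Option) *RuleEvaluator {
	re := &RuleEvaluator{rule: rule, fields: make(map[string]string)}
	for _, opt := range options {
		opt(re)
	}
	return re
}

// MappedField resolves a rule field to the log-source field name, falling
// back to the rule's own name when no config maps it.
func (re *RuleEvaluator) MappedField(generic string) string {
	if actual, ok := re.fields[generic]; ok {
		return actual
	}
	return generic
}

// Result follows the page's shape: per-identifier search results plus the
// condition outcome rendered as a string.
type Result struct {
	MetaResults     map[string]string
	StringsResults  map[string]string
	ConditionResult string
}

// Evaluate applies the rule's detection to one flat log event (toy method;
// the page's Alters takes no event).
func (re *RuleEvaluator) Evaluate(event map[string]string) (Result, error) {
	res := Result{
		MetaResults:    map[string]string{"title": re.rule.Title},
		StringsResults: make(map[string]string),
	}
	matchedAll := true
	for generic, want := range re.rule.Selection {
		logField := re.MappedField(generic)
		got, present := event[logField]
		matched := present && strings.EqualFold(got, want) // Sigma strings match case-insensitively by default
		res.StringsResults[generic] = fmt.Sprintf("%s=%q matched=%t", logField, got, matched)
		if !matched {
			matchedAll = false
		}
	}
	switch strings.TrimSpace(re.rule.Condition) {
	case "selection":
		res.ConditionResult = fmt.Sprint(matchedAll)
	case "not selection":
		res.ConditionResult = fmt.Sprint(!matchedAll)
	default:
		return res, fmt.Errorf("unsupported condition %q", re.rule.Condition)
	}
	return res, nil
}

func main() {
	rule := &Rule{Title: "cmd.exe launch (constructed)", Selection: map[string]string{"Image": "cmd.exe"}, Condition: "selection"}
	re := ForRule(rule, WithConfig( // constructed configs: source-specific first, generic fallback second
		Config{FieldMappings: map[string]string{"Image": "process.executable"}},
		Config{FieldMappings: map[string]string{"Image": "image", "CommandLine": "cmdline"}},
	))
	res, err := re.Evaluate(map[string]string{"process.executable": "CMD.EXE"}) // constructed event
	fmt.Println(res.ConditionResult, res.StringsResults, err)
}
```

The point the page makes about precedence shows up in the mapping index: the source-specific config's mapping for Image is kept, while CommandLine, which only the later config maps, still gets resolved. Because the index is rebuilt on every WithConfig call, applying a second WithConfig later appends rather than replaces, which is what the page describes for the config slice.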