Documentation
¶
Index ¶
- func FuzzConditionParser(data []byte) int
- func FuzzConfigParser(data []byte) int
- func FuzzRuleParser(data []byte) int
- type AggregationExpr
- type AggregationFunc
- type AllOfIdentifier
- type AllOfPattern
- type AllOfThem
- type And
- type Average
- type Comparison
- type ComparisonOp
- type Condition
- type Conditions
- type Config
- type Count
- type Detection
- type EventMatcher
- type FieldMapping
- type FieldMatcher
- type FileType
- type Logsource
- type LogsourceIndexes
- type LogsourceMapping
- type Max
- type Min
- type Near
- type Not
- type OneOfIdentifier
- type OneOfPattern
- type OneOfThem
- type Or
- type RelatedRule
- type Rule
- type Search
- type SearchExpr
- type SearchIdentifier
- type Sum
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func FuzzConditionParser ¶
Try parsing the input data as a Sigma condition, return 0 if it fails (no match), 1 otherwise (match)
func FuzzConfigParser ¶
Try parsing the input data as a Sigma config file, return 0 if it fails (no match), 1 otherwise (match)
func FuzzRuleParser ¶
Try parsing the input data as a Sigma rule, return 0 if it fails (no match), 1 otherwise (match)
Types ¶
type AggregationExpr ¶
type AggregationExpr interface {
// contains filtered or unexported methods
}
Define the AggregationExpr interface with two methods.
type AggregationFunc ¶
type AggregationFunc interface {
// contains filtered or unexported methods
}
AggregationFunc is an interface for defining aggregation functions.
type AllOfIdentifier ¶
type AllOfIdentifier struct {
Ident SearchIdentifier
}
AllOfIdentifier is a struct representing a search expression that matches documents containing all of the specified identifiers.
type AllOfPattern ¶
type AllOfPattern struct {
Pattern string
}
AllOfPattern defines a struct that represents a search query for all occurrences of a given pattern
type AllOfThem ¶
type AllOfThem struct{}
AllOfThem is a struct that represents a search expression for all of the items matching the search criteria.
type And ¶
type And []SearchExpr
And is a type that represents a list of search expressions that are connected with the "and" operator.
type Average ¶
type Average struct {
Field string // The field to be averaged.
GroupedBy string // Optional field to group the results by.
}
Average represents an aggregation function that calculates the average of a field.
type Comparison ¶
type Comparison struct {
Func AggregationFunc // the aggregation function to apply
Op ComparisonOp // the comparison operator to use
Threshold float64 // the threshold value to compare against
}
Comparison represents a comparison expression that applies a comparison operator to an aggregation result
type ComparisonOp ¶
type ComparisonOp string
ComparisonOp represents the comparison operators used in comparisons
var ( Equal ComparisonOp = "=" NotEqual ComparisonOp = "!=" LessThan ComparisonOp = "<" LessThanEqual ComparisonOp = "<=" GreaterThan ComparisonOp = ">" GreaterThanEqual ComparisonOp = ">=" )
Define the different comparison operators as constants
type Condition ¶
type Condition struct {
Search SearchExpr `yaml:",omitempty" json:",omitempty"` // represents the search query
Aggregation AggregationExpr `yaml:",omitempty" json:",omitempty"` // represents the aggregation operation
// contains filtered or unexported fields
}
func ParseCondition ¶
Parses the Sigma condition syntax and returns a Condition struct and/or an error
func (Condition) MarshalYAML ¶
This function is used to convert a Condition struct to YAML format. It takes the Condition struct and returns its YAML representation.
type Conditions ¶
type Conditions []Condition
func (Conditions) MarshalYAML ¶
func (c Conditions) MarshalYAML() (interface{}, error)
MarshalYAML marshals the Conditions slice to YAML.
func (*Conditions) UnmarshalYAML ¶
func (c *Conditions) UnmarshalYAML(node *yaml.Node) error
UnmarshalYAML unmarshals the YAML node to the Conditions slice.
type Config ¶
type Config struct {
Title string // A short description of what this configuration does
Order int // Defines the order of expansion when multiple config files are applicable
Backends []string // Lists the Sigma implementations that this config file is compatible with
FieldMappings map[string]FieldMapping
Logsources map[string]LogsourceMapping
// TODO: LogsourceMerging option
DefaultIndex string // Defines a default index if no logsources match
Placeholders map[string][]interface{} // Defines values for placeholders that might appear in Sigma rules
}
Config is a struct that defines the Sigma configuration
func ParseConfig ¶
ParseConfig takes a byte slice of YAML data and returns a Config struct or an error if unmarshaling fails
type Detection ¶
type Detection struct {
Searches map[string]Search `yaml:",inline" json:",inline"` // Searches holds a map of search query strings and their corresponding configurations.
Conditions Conditions `yaml:"condition" json:"condition"` // Conditions holds a slice of conditions to be checked for the detection to occur.
Timeframe time.Duration `yaml:",omitempty" json:",omitempty"` // Timeframe specifies the time duration within which the detection must occur.
}
func (*Detection) UnmarshalYAML ¶
type EventMatcher ¶
type EventMatcher []FieldMatcher
func (EventMatcher) MarshalYAML ¶
func (f EventMatcher) MarshalYAML() (interface{}, error)
MarshalYAML returns a YAML representation of the EventMatcher struct
func (*EventMatcher) UnmarshalYAML ¶
func (f *EventMatcher) UnmarshalYAML(node *yaml.Node) error
UnmarshalYAML parses the YAML node and sets the fields on the EventMatcher struct
type FieldMapping ¶
type FieldMapping struct {
TargetNames []string // The name(s) that appear in the events being matched
}
FieldMapping is a struct that defines the target fields to be matched in Sigma rules
func (*FieldMapping) UnmarshalYAML ¶
func (f *FieldMapping) UnmarshalYAML(value *yaml.Node) error
UnmarshalYAML is a custom method for unmarshaling YAML data into FieldMapping
type FieldMatcher ¶
type FieldMatcher struct {
Field string `yaml:",omitempty" json:",omitempty"`
Modifiers []string `yaml:",omitempty" json:",omitempty"`
Values []interface{} `yaml:",omitempty" json:",omitempty"`
// contains filtered or unexported fields
}
FieldMatcher defines a matcher for a single field
func (FieldMatcher) Position ¶
func (f FieldMatcher) Position() (int, int)
Position returns the line and column of this FieldMatcher in the original input
type FileType ¶
type FileType string
FileType represents the type of a Sigma file
const ( UnknownFile FileType = "" // Unknown file type InvalidFile FileType = "invalid" // Invalid file type RuleFile FileType = "rule" // Sigma rule file type ConfigFile FileType = "config" // Sigma config file type )
Possible file types
func InferFileType ¶
InferFileType attempts to infer the type of Sigma file by unmarshalling the YAML contents and checking if it contains certain required fields for a rule or config file. If there is an error unmarshalling the contents, it returns an invalid file type.
func (*FileType) UnmarshalYAML ¶
UnmarshalYAML is a custom unmarshaller for the FileType type. It checks if the YAML node contains certain required fields for a rule or config file, and sets the corresponding FileType value.
type Logsource ¶
type Logsource struct {
Category string `yaml:",omitempty" json:",omitempty"` // The category of the log source
Product string `yaml:",omitempty" json:",omitempty"` // The product associated with the log source
Service string `yaml:",omitempty" json:",omitempty"` // The service associated with the log source
Definition string `yaml:",omitempty" json:",omitempty"` // The definition of the log source
// Any non-standard fields will end up in here
AdditionalFields map[string]interface{} `yaml:",inline,omitempty" json:",inline,omitempty"` // Any additional fields in the YAML document
}
type LogsourceIndexes ¶
type LogsourceIndexes []string
LogsourceIndexes is a list of strings representing indexes for a logsource
func (*LogsourceIndexes) UnmarshalYAML ¶
func (i *LogsourceIndexes) UnmarshalYAML(value *yaml.Node) error
UnmarshalYAML is a custom method for unmarshaling YAML data into LogsourceIndexes
type LogsourceMapping ¶
type LogsourceMapping struct {
Logsource `yaml:",inline"` // A LogsourceMapping embeds the Logsource struct, which defines a set of fields that can be matched in Sigma rules
Index LogsourceIndexes // The index(es) that should be used for this logsource
Conditions Search // Conditions that are added to all rules targeting this logsource
Rewrite Logsource // Rewrites this logsource (i.e. so that it can be matched by another lower precedence config)
}
LogsourceMapping defines the mapping between a logsource and its indexes, conditions, and rewrites
type Max ¶
type Max struct {
Field string // The field to apply the max function to.
GroupedBy string // The field to group the results by.
}
Max is a type that represents a maximum aggregation function.
type Min ¶
type Min struct {
Field string // Field to apply the aggregation on
GroupedBy string // Optional field to group the aggregation by
}
Min represents the minimum aggregation function.
type Near ¶
type Near struct {
Condition SearchExpr
}
Define the Near struct with a Condition field.
type Not ¶
type Not struct {
Expr SearchExpr // The search expression to be negated.
}
Not struct represents a negation of a search expression.
type OneOfIdentifier ¶
type OneOfIdentifier struct {
Ident SearchIdentifier
}
OneOfIdentifier represents an expression that matches one of the search identifiers.
type OneOfPattern ¶
type OneOfPattern struct {
Pattern string
}
OneOfPattern represents a search expression that matches one of the search patterns.
type OneOfThem ¶
type OneOfThem struct{}
OneOfThem is a struct representing a search expression that matches if exactly one search result is matched.
type Or ¶
type Or []SearchExpr
Or is a slice of SearchExpr representing a logical "or" operation between multiple search expressions.
type RelatedRule ¶
type Rule ¶
type Rule struct {
// Required fields
Title string // The title of the Sigma rule
Logsource Logsource // The log source that the rule should be applied to
Detection Detection // The detection logic of the rule
// Optional fields
ID string `yaml:",omitempty" json:",omitempty"` // The unique ID of the rule
Related []RelatedRule `yaml:",omitempty" json:",omitempty"` // Related rules, if any
Status string `yaml:",omitempty" json:",omitempty"` // The status of the rule (e.g. "testing", "production")
Description string `yaml:",omitempty" json:",omitempty"` // A brief description of the rule
Author string `yaml:",omitempty" json:",omitempty"` // The author of the rule
Level string `yaml:",omitempty" json:",omitempty"` // The severity level of the rule (e.g. "low", "medium", "high")
References []string `yaml:",omitempty" json:",omitempty"` // References related to the rule
Tags []string `yaml:",omitempty" json:",omitempty"` // Tags that can be used to organize the rules
// Any non-standard fields will end up in here
AdditionalFields map[string]interface{} `yaml:",inline,omitempty" json:",inline,omitempty"` // Any additional fields in the YAML document
}
type Search ¶
type Search struct {
Keywords []string `yaml:",omitempty" json:",omitempty"` // Keywords to search for
EventMatchers []EventMatcher `yaml:",omitempty" json:",omitempty"` // List of event matchers (maps of fields to values)
// contains filtered or unexported fields
}
Search defines a search criteria that can be used to match events.
func (Search) MarshalYAML ¶
MarshalYAML encodes the Search object into a YAML representation.
func (*Search) UnmarshalYAML ¶
UnmarshalYAML decodes the YAML representation of a Search object.
type SearchExpr ¶
type SearchExpr interface {
// contains filtered or unexported methods
}
SearchExpr is an interface that represents a search expression.
type SearchIdentifier ¶
type SearchIdentifier struct {
Name string // The name of the identifier.
}
SearchIdentifier represents a search identifier, which is simply a string.
Source Files
Directories