Constants
// AstVersion is the version number of the AST structures exported by this
// package; consumers can compare it to detect layout changes.
const AstVersion = 1
Variables
// ErrInvalidEventType is returned when an event type is not valid.
// All Err* values in this file are sentinels: compare with errors.Is,
// not by message text.
var ErrInvalidEventType = errors.New("invalid event type")

// ErrInvalidNodeType is returned when a node type is not valid.
var ErrInvalidNodeType = errors.New("invalid node type")

// ErrRootNodeWithoutEventSrc is returned when the root node has no event source.
var ErrRootNodeWithoutEventSrc = errors.New("root node has no event source")

// ErrInvalidWindow is returned when a window value fails validation.
var ErrInvalidWindow = errors.New("invalid window")

// ErrMissingOrigin is returned when no origin event is present.
var ErrMissingOrigin = errors.New("missing origin event")

// ErrMultipleOrigin is returned when more than one origin event is present.
var ErrMultipleOrigin = errors.New("multiple origin events")

// ErrInvalidAnchor is returned when a negate anchor is not valid.
var ErrInvalidAnchor = errors.New("invalid negate anchor")

// ErrNoTermIdx is returned when an address carries no term index.
var ErrNoTermIdx = errors.New("no term idx")
// ErrSeqPosConditions is returned when a sequence has fewer than two
// positive conditions. The Err* values below are sentinels: compare with
// errors.Is, not by message text.
var ErrSeqPosConditions = errors.New("sequences require two or more positive conditions")

// ErrMissingScalar is returned when a condition has none of a string, jq or regex term.
var ErrMissingScalar = errors.New("missing string, jq, or regex condition")

// ErrExtractTerm is returned when an extract lacks a name or has neither jq nor regex.
var ErrExtractTerm = errors.New("invalid extract (must have name and one of jq or regex)")

// ErrNegateCount is returned when a negate field specifies a count greater than 1.
var ErrNegateCount = errors.New("negate fields cannot have count > 1")

// ErrExtractNegate is returned when a negate field carries extracts.
var ErrExtractNegate = errors.New("negate fields cannot have extracts")
Functions
func NewBuilder ¶ added in v0.0.3
func NewBuilder() *builderT
Types
type AstExtractT ¶ added in v0.0.17
type AstFieldT ¶
// AstFieldT is one field condition of a matcher: the field name, the term
// its value is compared against, optional negate settings and extracts.
type AstFieldT struct {
	Field      string          `json:"field"`       // Name of the event field the condition applies to
	TermValue  match.TermT     `json:"term_value"`  // Term the field value is matched against (match.TermT is defined outside this package)
	NegateOpts *AstNegateOptsT `json:"negate_opts"` // Negate settings; nil presumably means the field is not negated — confirm with the builder
	Extracts   []AstExtractT   `json:"extracts"`    // Extract definitions; constraints such as ErrExtractTerm/ErrExtractNegate are enforced elsewhere
}
type AstLogMatcherT ¶
type AstMetadataT ¶
// AstMetadataT carries the per-node bookkeeping of a rule tree: node type,
// its address and its parent's address, negate options, the stable rule id,
// scope and the split point between positive and negative children.
type AstMetadataT struct {
	Type          schema.NodeTypeT `json:"type"`           // Type of the node
	Address       *AstNodeAddressT `json:"address"`        // Address of this node in the rule tree. Must be globally unique in the tree
	ParentAddress *AstNodeAddressT `json:"parent_address"` // Address of the parent node; presumably nil for the root — confirm
	NegateOpts    *AstNegateOptsT  `json:"negate_opts"`    // Optional negate options for the node
	RuleId        string           `json:"rule_id"`        // Consistent identifier for the rule that remains consistent through rule logic changes
	Scope         string           `json:"scope"`          // Scope can be an individual node, a cluster, or a set of clusters
	NegIdx        int              `json:"neg_idx"`        // Index into children where negative conditions begin. Equals -1 if no children or no negative conditions
}
type AstNegateOptsT ¶
// AstNegateOptsT contains optional negate settings for a matcher object.
type AstNegateOptsT struct {
	Window   time.Duration `json:"window"`   // Window for the negate condition; time.Duration is an int64, so it serialises as nanoseconds in JSON
	Slide    time.Duration `json:"slide"`    // Slide interval of the window (nanoseconds in JSON, as above)
	Anchor   uint32        `json:"anchor"`   // Negate anchor; validated elsewhere (see ErrInvalidAnchor) — exact meaning not shown here
	Absolute bool          `json:"absolute"` // NOTE(review): semantics not visible in this file — presumably an absolute vs. relative window; confirm
}
NegateOptsT contains optional negate settings for the matcher object
type AstNodeAddressT ¶ added in v0.0.3
// AstNodeAddressT locates a node within a rule tree. The Get* accessors and
// String on the pointer receiver read these fields; GetTermIdx returns an
// error when TermIdx is unset.
type AstNodeAddressT struct {
	Version  string  `json:"version"`   // Version of the address format
	Name     string  `json:"name"`      // Name of the node. Currently using type
	RuleHash string  `json:"rule_hash"` // unique semantic identifier for the rule (hash construction is not shown here)
	Depth    uint32  `json:"depth"`     // Depth of the node in the rule tree
	NodeId   uint32  `json:"node_id"`   // globally unique identifier for the match in the rule tree
	TermIdx  *uint32 `json:"term_idx"`  // Index of term/condition into parent's conditions. Used for assertion to assign term idx into parent machines. nil when absent (see ErrNoTermIdx)
}
func (*AstNodeAddressT) GetDepth ¶ added in v0.0.3
func (a *AstNodeAddressT) GetDepth() uint32
func (*AstNodeAddressT) GetNodeId ¶ added in v0.0.3
func (a *AstNodeAddressT) GetNodeId() uint32
func (*AstNodeAddressT) GetRuleHash ¶ added in v0.0.3
func (a *AstNodeAddressT) GetRuleHash() string
func (*AstNodeAddressT) GetTermIdx ¶ added in v0.0.3
func (a *AstNodeAddressT) GetTermIdx() (uint32, error)
func (*AstNodeAddressT) String ¶ added in v0.0.3
func (a *AstNodeAddressT) String() string
type AstNodeT ¶
// AstNodeT is one node of a rule tree: its metadata, its children and the
// type-specific payload object.
type AstNodeT struct {
	Metadata AstMetadataT `json:"metadata"` // Metadata for the node
	Children []*AstNodeT  `json:"children"` // Children of the node
	Object   any          `json:"object"`   // Object for the node (e.g. log matcher, state machine, descriptor, etc.). When decoded from JSON this holds a generic value (map[string]any etc.), not the concrete matcher type — consumers must type-check before use
}
type AstSeqMatcherT ¶
// AstSeqMatcherT describes an ordered (sequence) matcher: the ordered
// positive conditions, the negated conditions, the correlation keys and
// the time window. No json tags are declared, so the encoding/json field
// names are the Go field names.
type AstSeqMatcherT struct {
	Order        []*AstMetadataT // Positive conditions in required order; ErrSeqPosConditions suggests at least two are required (enforced elsewhere)
	Negate       []*AstMetadataT // Negated conditions
	Correlations []string        // Correlation keys — semantics not shown here; presumably field names correlated across conditions, confirm
	Window       time.Duration   // Window for the sequence
}
type AstSetMatcherT ¶
// AstSetMatcherT describes an unordered (set) matcher: the positive
// conditions, the negated conditions, the correlation keys and the time
// window. No json tags are declared, so the encoding/json field names are
// the Go field names.
type AstSetMatcherT struct {
	Match        []*AstMetadataT // Positive conditions, order-insensitive
	Negate       []*AstMetadataT // Negated conditions
	Correlations []string        // Correlation keys — semantics not shown here; presumably field names correlated across conditions, confirm
	Window       time.Duration   // Window for the set
}