parser

package
v0.0.28 Latest Latest
Published: Apr 5, 2025 License: Apache-2.0 Imports: 4 Imported by: 0

Documentation


Constants

// Severity levels for a CRE record (ParseCreT.Severity), most urgent first.
// They are untyped integer constants, so they assign to the uint field
// directly; a lower value means a more severe finding. SeverityCritical is
// zero, which matters wherever the carrying field is tagged omitempty: a
// critical severity is dropped on output and an absent one decodes as critical.
const (
	SeverityCritical = iota // 0
	SeverityHigh            // 1
	SeverityMedium          // 2
	SeverityLow             // 3
	SeverityInfo            // 4
)

Variables

// Sentinel errors declared by this package. Callers should test for them
// with errors.Is so that a wrapped error still matches. The message text
// ties each one to a rule construct; which parsing function returns which
// sentinel is not visible from the declarations alone.
var (
	// ErrNotSupported reports a construct the parser does not handle.
	ErrNotSupported = errors.New("not supported")
	// ErrTermNotFound reports a term reference that could not be resolved,
	// presumably a lookup by key in RulesT.Terms — confirm in ParseRules.
	ErrTermNotFound = errors.New("term not found")
	// ErrMissingOrder reports a sequence with no Order terms (ParseSequenceT.Order).
	ErrMissingOrder = errors.New("sequence missing order")
	// ErrMissingMatch reports a set with no Match terms (ParseSetT.Match).
	ErrMissingMatch = errors.New("set missing match")
	// ErrInvalidSet reports a set that failed validation.
	ErrInvalidSet   = errors.New("invalid set")
	// ErrInvalidSeq reports a sequence that failed validation.
	ErrInvalidSeq   = errors.New("invalid sequence")
)

Functions

func ParseCres

// ParseCres decodes data into CRE records keyed by string. The input format
// and the map key are not fixed by the signature; the yaml tags on ParseCreT
// suggest a YAML document keyed by ParseCreT.Id — confirm against the
// implementation. On a non-nil error the returned map should not be used.
func ParseCres(data []byte) (map[string]ParseCreT, error)

Types

type EventT

// EventT is the JSON-tagged counterpart of ParseEventT (same two fields)
// and is carried in NodeMetadataT.Event once a rule has been parsed.
type EventT struct {
	Origin bool   `json:"origin"`
	Source string `json:"source"`
}

type FieldT

// FieldT is the JSON-tagged counterpart of a leaf ParseTermT (a term that
// carries no nested Set or Sequence). The field names match ParseTermT one
// to one; only the tag keys differ (StrValue is "value" in both, JqValue and
// RegexValue gain a "_value" suffix here). Whether at most one of StrValue,
// JqValue and RegexValue may be populated is not enforced by the type —
// confirm in Parse, which is where such a rule would live.
type FieldT struct {
	Field      string       `json:"field"`
	StrValue   string       `json:"value"`
	// JqValue and RegexValue carry jq and regex expressions taken verbatim
	// from the rule file. Their evaluation is not part of the declared API;
	// if rule files can come from an untrusted source, validate these at
	// parse time rather than at match time.
	JqValue    string       `json:"jq_value"`
	RegexValue string       `json:"regex_value"`
	Count      int          `json:"count"`
	// NegateOpts is a pointer without omitempty, so an absent option set
	// encodes as JSON null.
	NegateOpts *NegateOptsT `json:"negate"`
}

type MatcherT

// MatcherT pairs the positive (Match) and negative (Negate) field lists of a
// rule with its time window. No other type on this page references MatcherT
// directly; it presumably appears among NodeT.Children — confirm.
type MatcherT struct {
	Match  TermsT        `json:"match"`
	Negate TermsT        `json:"negate"`
	// Window is a time.Duration and therefore encodes in JSON as an integer
	// count of nanoseconds, not as a duration string such as "5m".
	Window time.Duration `json:"window"`
}

type NegateOptsT

// NegateOptsT is the resolved form of ParseNegateOptsT: Window and Slide are
// time.Duration values here but duration strings in the Parse* type, while
// Anchor and Absolute keep the same types. Both durations encode in JSON as
// integer nanosecond counts.
type NegateOptsT struct {
	Window   time.Duration `json:"window"`
	Slide    time.Duration `json:"slide"`
	Anchor   uint32        `json:"anchor"`
	Absolute bool          `json:"absolute"`
}

type NodeMetadataT

// NodeMetadataT describes one node of the parsed TreeT.
type NodeMetadataT struct {
	// RuleHash and RuleId presumably originate from ParseRuleMetadataT.Hash
	// and ParseRuleMetadataT.Id — confirm in ParseRules.
	RuleHash     string        `json:"rule_hash"`
	RuleId       string        `json:"rule_id"`
	// Window encodes in JSON as an integer nanosecond count (time.Duration).
	Window       time.Duration `json:"window"`
	// Event is a pointer without omitempty: absent encodes as JSON null.
	Event        *EventT       `json:"event"`
	// Type is one of the NodeType* constants (seq/set and their negated forms).
	Type         NodeTypeT     `json:"type"`
	Correlations []string      `json:"correlations"`
	// NegateOpts is a pointer without omitempty: absent encodes as JSON null.
	NegateOpts   *NegateOptsT  `json:"negate_opts"`
}

type NodeT

// NodeT is one node of the parsed rule tree (TreeT.Nodes).
type NodeT struct {
	Metadata NodeMetadataT `json:"metadata"`
	// NegIdx is an index whose target is not fixed by this declaration;
	// presumably it indexes into Children — confirm against ParseRules.
	NegIdx   int           `json:"neg_idx"`
	// Children is []any, so the element type is not checked by the compiler
	// and consumers must type-assert each element. Presumably nested *NodeT
	// or FieldT/MatcherT values — confirm. Note that decoding a NodeT back
	// from JSON yields map[string]any elements, not the original Go types.
	Children []any         `json:"children"`
}

type NodeTypeT

// NodeTypeT names the kind of a NodeT: a sequence ("seq") or a set ("set"),
// each with a negated variant and a "_single" negated variant. The exact
// semantics of the "_single" forms are not defined on this page.
type NodeTypeT string

const (
	NodeTypeSeq          NodeTypeT = "seq"
	NodeTypeSeqNeg       NodeTypeT = "seq_neg"
	NodeTypeSeqNegSingle NodeTypeT = "seq_neg_single"
	NodeTypeSet          NodeTypeT = "set"
	NodeTypeSetNeg       NodeTypeT = "set_neg"
	NodeTypeSetNegSingle NodeTypeT = "set_neg_single"
)

type ParseApplicationT

// ParseApplicationT identifies a software component a CRE record applies to
// (ParseCreT.Applications). Every field is optional in both YAML and JSON;
// the YAML keys are camelCase and the JSON keys snake_case.
type ParseApplicationT struct {
	Name          string `yaml:"name,omitempty" json:"name,omitempty"`
	ProcessName   string `yaml:"processName,omitempty" json:"process_name,omitempty"`
	ProcessPath   string `yaml:"processPath,omitempty" json:"process_path,omitempty"`
	ContainerName string `yaml:"containerName,omitempty" json:"container_name,omitempty"`
	ImageUrl      string `yaml:"imageUrl,omitempty" json:"image_url,omitempty"`
	RepoUrl       string `yaml:"repoUrl,omitempty" json:"repo_url,omitempty"`
	Version       string `yaml:"version,omitempty" json:"version,omitempty"`
}

type ParseCreT

// ParseCreT is the CRE record embedded in a rule (ParseRuleT.Cre), decodable
// from YAML and JSON. Every field is omitempty, so nothing here is required
// at decode time; any mandatory fields must be checked by the caller.
type ParseCreT struct {
	Id           string              `yaml:"id,omitempty" json:"id,omitempty"`
	// Severity takes the Severity* constants. SeverityCritical is 0 and the
	// field is omitempty, so a critical severity is dropped when marshalled
	// and a missing severity decodes as critical rather than as an error;
	// "unset" and "critical" cannot be told apart here. Being a uint, values
	// above SeverityInfo are also accepted without error — range-check after
	// decoding if that matters.
	Severity     uint                `yaml:"severity,omitempty" json:"severity,omitempty"`
	Title        string              `yaml:"title,omitempty" json:"title,omitempty"`
	Category     string              `yaml:"category,omitempty" json:"category,omitempty"`
	Tags         []string            `yaml:"tags,omitempty" json:"tags,omitempty"`
	Author       string              `yaml:"author,omitempty" json:"author,omitempty"`
	Description  string              `yaml:"description,omitempty" json:"description,omitempty"`
	Impact       string              `yaml:"impact,omitempty" json:"impact,omitempty"`
	Cause        string              `yaml:"cause,omitempty" json:"cause,omitempty"`
	Mitigation   string              `yaml:"mitigation,omitempty" json:"mitigation,omitempty"`
	References   []string            `yaml:"references,omitempty" json:"references,omitempty"`
	Reports      uint                `yaml:"reports,omitempty" json:"reports,omitempty"`
	Applications []ParseApplicationT `yaml:"applications,omitempty" json:"applications,omitempty"`
}

type ParseEventT

// ParseEventT is the YAML form of EventT. Note the tag asymmetry: Source has
// only a yaml tag, so encoding/json falls back to the Go field name and emits
// the key "Source", while Origin is emitted as "origin". EventT, by contrast,
// uses lowercase keys for both.
type ParseEventT struct {
	Source string `yaml:"source"`
	Origin bool   `yaml:"origin,omitempty" json:"origin,omitempty"`
}

type ParseNegateOptsT

// ParseNegateOptsT holds negation options as written in YAML. Window and
// Slide are duration strings here and become time.Duration in NegateOptsT;
// how they are parsed is not visible on this page (presumably
// time.ParseDuration — confirm, since a parse failure there is the caller's
// only signal of a malformed window).
type ParseNegateOptsT struct {
	Window   string `yaml:"window,omitempty"`
	Slide    string `yaml:"slide,omitempty"`
	Anchor   uint32 `yaml:"anchor,omitempty"`
	Absolute bool   `yaml:"absolute,omitempty"`
}

type ParseRuleDataT

// ParseRuleDataT is the body of a rule: a sequence or a set. Both members
// are optional pointers, so the type itself allows neither or both to be
// present; presumably exactly one is expected, with ErrInvalidSeq and
// ErrInvalidSet declared for the respective validation failures — confirm
// in ParseRules.
type ParseRuleDataT struct {
	Sequence *ParseSequenceT `yaml:"sequence,omitempty"`
	Set      *ParseSetT      `yaml:"set,omitempty"`
}

type ParseRuleMetadataT

// ParseRuleMetadataT identifies a rule (ParseRuleT.Metadata). All fields are
// optional in both encodings. Hash is an opaque string; the algorithm that
// produces it is not visible here.
type ParseRuleMetadataT struct {
	Name    string `yaml:"name,omitempty" json:"name,omitempty"`
	Id      string `yaml:"id,omitempty" json:"id,omitempty"`
	Hash    string `yaml:"hash,omitempty" json:"hash,omitempty"`
	// Gen is serialized under the longer key "generation".
	Gen     uint   `yaml:"generation,omitempty" json:"generation,omitempty"`
	Kind    string `yaml:"kind,omitempty" json:"kind,omitempty"`
	Version string `yaml:"version,omitempty" json:"version,omitempty"`
}

type ParseRuleT

// ParseRuleT is one rule as written in a rules document (RulesT.Rules):
// its metadata, the CRE record it reports, and the rule body.
type ParseRuleT struct {
	Metadata ParseRuleMetadataT `yaml:"metadata,omitempty" json:"metadata,omitempty"`
	Cre      ParseCreT          `yaml:"cre,omitempty" json:"cre,omitempty"`
	Rule     ParseRuleDataT     `yaml:"rule,omitempty" json:"rule,omitempty"`
}

type ParseSequenceT

// ParseSequenceT is an ordered rule body as written in YAML.
type ParseSequenceT struct {
	// Window lacks omitempty, unlike ParseSetT.Window, but YAML decoding
	// does not enforce presence: a missing window decodes as "" and must be
	// rejected by the parser.
	Window       string       `yaml:"window"`
	Correlations []string     `yaml:"correlations,omitempty"`
	// Event carries its own Origin flag, so Origin below duplicates
	// ParseEventT.Origin; which one takes precedence is not visible here.
	Event        *ParseEventT `yaml:"event,omitempty"`
	Origin       bool         `yaml:"origin,omitempty"`
	// Order is the ordered term list; ErrMissingOrder ("sequence missing
	// order") is presumably returned when it is empty — confirm.
	Order        []ParseTermT `yaml:"order,omitempty"`
	Negate       []ParseTermT `yaml:"negate,omitempty"`
}

type ParseSetT

// ParseSetT is an unordered rule body as written in YAML.
type ParseSetT struct {
	// Window is optional here, unlike ParseSequenceT.Window.
	Window       string       `yaml:"window,omitempty"`
	Correlations []string     `yaml:"correlations,omitempty"`
	Event        *ParseEventT `yaml:"event,omitempty"`
	// Match is the term list; ErrMissingMatch ("set missing match") is
	// presumably returned when it is empty — confirm.
	Match        []ParseTermT `yaml:"match,omitempty"`
	Negate       []ParseTermT `yaml:"negate,omitempty"`
}

type ParseTermT

// ParseTermT is one term of a rule as written in YAML. It is either a leaf
// (Field with one of StrValue/JqValue/RegexValue and an optional Count) or a
// nested Set or Sequence. Because ParseSetT and ParseSequenceT in turn hold
// []ParseTermT, the type places no bound on nesting depth; if rule files are
// not fully trusted the parser should enforce a depth or size limit —
// confirm in Parse. ParseTermT also has a custom UnmarshalYAML, so the tags
// below describe the intended layout but are only consulted if that method
// delegates to them — confirm.
type ParseTermT struct {
	Field      string            `yaml:"field,omitempty"`
	StrValue   string            `yaml:"value,omitempty"`
	// JqValue and RegexValue are expressions copied verbatim from the rule
	// file; see FieldT for the compiled-side counterparts.
	JqValue    string            `yaml:"jq,omitempty"`
	RegexValue string            `yaml:"regex,omitempty"`
	Count      int               `yaml:"count,omitempty"`
	Set        *ParseSetT        `yaml:"set,omitempty"`
	Sequence   *ParseSequenceT   `yaml:"sequence,omitempty"`
	// NegateOpts is inlined, so window/slide/anchor/absolute appear as
	// siblings of field/value in the term's own YAML mapping.
	NegateOpts *ParseNegateOptsT `yaml:",inline,omitempty"`
}

func (*ParseTermT) UnmarshalYAML

// UnmarshalYAML implements the func(any) error form of the yaml Unmarshaler
// interface (the yaml.v2 signature, which yaml.v3 also honours for
// compatibility). Because ParseTermT decodes itself, the default tag-driven
// decoder is bypassed for this type; the struct tags on ParseTermT apply
// only if this method delegates to them, e.g. through an alias type — confirm.
func (o *ParseTermT) UnmarshalYAML(unmarshal func(any) error) error

type RulesT

// RulesT is the top-level rules document accepted by ParseRules: a list of
// rules plus a map of named terms. Terms are presumably referenced from
// rules by map key, with ErrTermNotFound declared for an unresolved
// reference — confirm in ParseRules. Neither key carries omitempty.
type RulesT struct {
	Rules []ParseRuleT          `yaml:"rules"`
	Terms map[string]ParseTermT `yaml:"terms"`
}

type TermsT

// TermsT is a list of compiled fields; MatcherT holds one for Match and one
// for Negate. A nil Fields slice encodes as JSON null, an empty one as [].
type TermsT struct {
	Fields []FieldT `json:"fields"`
}

type TreeT

// TreeT is the parsed form of a rules document, returned by Parse and
// ParseRules. Nodes holds pointers, so a nil entry would encode as JSON
// null rather than fail; callers decoding a TreeT should check for that.
type TreeT struct {
	Nodes []*NodeT `json:"nodes"`
}

func Parse

// Parse decodes a raw rules document and builds the corresponding TreeT.
// The signature does not fix the input format; the yaml tags on RulesT and
// the existence of ParseRules suggest YAML decoding into a RulesT followed
// by ParseRules — confirm. On a non-nil error the returned tree should not
// be used.
func Parse(data []byte) (*TreeT, error)

func ParseRules

// ParseRules builds a TreeT from an already-decoded RulesT. This is the
// point at which the structural checks the type system does not provide
// (required windows, empty Order/Match lists, unresolved term references,
// nesting depth) would be enforced; the package's Err* sentinels are the
// values a caller can test for with errors.Is, though which of them this
// function returns is not visible from the signature. On a non-nil error
// the returned tree should not be used.
func ParseRules(config *RulesT) (*TreeT, error)
