ast

package
v0.0.28 Latest Latest
Published: Apr 5, 2025 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

// Sentinel errors for AST structure problems. They are created with
// errors.New and carry no dynamic data, so callers should test for them
// with errors.Is rather than by comparing message text.
var (
	// ErrInvalidEventType reports an event type that is not valid.
	ErrInvalidEventType        = errors.New("invalid event type")
	// ErrInvalidNodeType reports a node type that is not valid.
	ErrInvalidNodeType         = errors.New("invalid node type")
	// ErrRootNodeWithoutEventSrc reports a root node that has no event source.
	ErrRootNodeWithoutEventSrc = errors.New("root node has no event src")
	// ErrInvalidWindow reports a window value that is not valid
	// (the accepted range is not shown on this page).
	ErrInvalidWindow           = errors.New("invalid window")
	// ErrMissingOrigin reports that the origin event is missing.
	ErrMissingOrigin           = errors.New("missing origin event")
	// ErrInvalidAnchor reports an anchor that is not valid.
	ErrInvalidAnchor           = errors.New("invalid anchor")
)
// Sentinel errors for rule-content problems found while building the
// AST. Created with errors.New; compare with errors.Is.
var (
	// ErrUnknownField reports a source field that is not recognised.
	ErrUnknownField                  = errors.New("unknown source field")
	// ErrUnknownSrc reports a source that is not recognised.
	ErrUnknownSrc                    = errors.New("unknown source")
	// ErrSeqPosConditions reports a sequence with fewer than two positive conditions.
	ErrSeqPosConditions              = errors.New("sequences require two or more positive conditions")
	// ErrMissingScalar reports a condition that has none of the string, jq,
	// or regex forms (presumably the StrValue/JsonValue/RegexValue fields of
	// AstFieldT — confirm).
	ErrMissingScalar                 = errors.New("missing string, jq, or regex condition")
	// ErrMissingPositiveOrderCondition reports an order statement with no positive condition.
	ErrMissingPositiveOrderCondition = errors.New("missing one or more positive condition under an order statement")
	// ErrMissingPositiveMatchCondition reports a match statement with no positive condition.
	ErrMissingPositiveMatchCondition = errors.New("missing one or more positive condition under a match statement")
)
// Sentinel error for descriptor problems. Created with errors.New;
// compare with errors.Is.
var (
	// ErrInvalidDescriptor reports a descriptor that is not valid.
	ErrInvalidDescriptor = errors.New("invalid descriptor")
)

Functions

func DrawTree

func DrawTree(tree *AstT, path string) error

Types

type AstDescriptorT

// AstDescriptorT describes one referenced node inside a set or sequence
// matcher (see the Order/Match/Negate fields of AstSeqMatcherT and
// AstSetMatcherT, which hold *AstDescriptorT).
type AstDescriptorT struct {
	// Type is the kind of node being described.
	Type       AstNodeTypeT
	// MatchId identifies the described match. Note it is uint32 here
	// although a separate AstMatchIdT (uint) type exists — confirm which is authoritative.
	MatchId    uint32
	// Depth is the node's depth; the numbering base is not shown on this page.
	Depth      int
	// NegateOpts holds negation options; presumably nil when none apply — confirm.
	NegateOpts *AstNegateOptsT
}

type AstEventT

// AstEventT identifies the event a log matcher applies to. Both fields
// carry json tags, so the type is (de)serialised as {"origin":..., "source":...}.
type AstEventT struct {
	// Origin marks this event as the origin event (see ErrMissingOrigin).
	Origin bool   `json:"origin"`
	// Source names the event source (see ErrUnknownSrc).
	Source string `json:"source"`
}

type AstFieldT

// AstFieldT is a single field condition within a log matcher. Which of
// the value fields is populated depends on the rule; ErrMissingScalar
// names string, jq, and regex as the expected alternatives.
type AstFieldT struct {
	// Field is the source field the condition applies to (see ErrUnknownField).
	Field      string
	// StrValue is the string-form condition.
	StrValue   string
	// JsonValue is the jq-form condition, presumably a jq expression — confirm.
	JsonValue  string
	// RegexValue is the regex-form condition text. NOTE(review): this comes
	// from rule input; where and how often it is compiled is not shown here.
	RegexValue string
	// TermValue is a match.TermT; its semantics are defined in the match package.
	TermValue  match.TermT
	// NegateOpts holds negation options; presumably nil when none apply — confirm.
	NegateOpts *AstNegateOptsT
}

type AstLogMatcherT

// AstLogMatcherT is a matcher over a single log event: the positive
// conditions in Match and the negated conditions in Negate.
type AstLogMatcherT struct {
	// Event identifies the event being matched.
	Event  AstEventT
	// Match holds the positive field conditions.
	Match  []AstFieldT
	// Negate holds the negated field conditions.
	Negate []AstFieldT
	// Window is the matcher's time window (see ErrInvalidWindow).
	Window time.Duration
}

type AstMatchIdT

// AstMatchIdT is an unsigned match identifier. The MatchId and
// ParentMatchId fields elsewhere on this page are declared as uint32
// rather than AstMatchIdT — confirm which representation is authoritative.
type AstMatchIdT uint

type AstMetadataT

// AstMetadataT carries the bookkeeping attached to every AstNodeT.
type AstMetadataT struct {
	// Scope is the node's scope; its allowed values are not shown on this page.
	Scope         string
	// Type is the node kind.
	Type          AstNodeTypeT
	// RuleId identifies the originating rule.
	RuleId        string
	// RuleHash is a hash of the rule; the algorithm is not shown on this page.
	RuleHash      string
	// MatchId identifies this node's match (uint32; see also AstMatchIdT).
	MatchId       uint32
	// ParentMatchId is the MatchId of the parent node.
	ParentMatchId uint32
	// Depth is the node's depth in the tree.
	Depth         int
	// NegateOpts holds negation options; presumably nil when none apply — confirm.
	NegateOpts    *AstNegateOptsT
}

type AstNegateOptsT

// AstNegateOptsT holds the timing options of a negated condition.
type AstNegateOptsT struct {
	// Window is the negation time window (see ErrInvalidWindow).
	Window   time.Duration
	// Slide is a sliding offset; how it combines with Window is not shown here.
	Slide    time.Duration
	// Anchor references a match id (uint32; see ErrInvalidAnchor).
	Anchor   uint32
	// Absolute flags absolute rather than relative timing — presumably; confirm.
	Absolute bool
}

type AstNodePairT

// AstNodePairT pairs a matcher node with its descriptor node. Each
// matcher node requires a corresponding descriptor node, except for the
// root, which is a detection.
type AstNodePairT struct {
	// Match is the matcher node.
	Match      *AstNodeT
	// Descriptor is the descriptor node (presumably nil for the root — confirm).
	Descriptor *AstNodeT
}

Each matcher node requires a corresponding descriptor node (except for the root, which is a detection).

type AstNodeT

// AstNodeT is one node of the AST held in AstT.Nodes.
type AstNodeT struct {
	// Metadata is the node's bookkeeping (type, ids, depth, negation).
	Metadata AstMetadataT
	// Object is the node payload, stored as any; the concrete types are
	// not stated here (presumably one of the matcher structs on this
	// page — confirm before type-asserting).
	Object   any
	// Children are the node's child nodes.
	Children []*AstNodeT
	// NegIdx is an index related to negation; its exact meaning is not shown here.
	NegIdx   int
}

type AstNodeTypeT

// AstNodeTypeT names the kind of an AST node. It has a String method
// (signature shown on this page), so it satisfies fmt.Stringer.
// Note the zero value "" is not one of the constants below.
type AstNodeTypeT string
const (
	// NodeTypeUnk is the "Unknown" node type.
	NodeTypeUnk    AstNodeTypeT = "Unknown"
	// NodeTypeSeq is a machine sequence matcher ("machine_seq").
	NodeTypeSeq    AstNodeTypeT = "machine_seq"
	// NodeTypeSet is a machine set matcher ("machine_set").
	NodeTypeSet    AstNodeTypeT = "machine_set"
	// NodeTypeLogSeq is a log sequence matcher ("log_seq").
	NodeTypeLogSeq AstNodeTypeT = "log_seq"
	// NodeTypeLogSet is a log set matcher ("log_set").
	NodeTypeLogSet AstNodeTypeT = "log_set"
	// NodeTypeDesc is a descriptor node ("desc").
	NodeTypeDesc   AstNodeTypeT = "desc"
)

func (AstNodeTypeT) String

func (t AstNodeTypeT) String() string

type AstSeqMatcherT

// AstSeqMatcherT matches an ordered sequence of referenced nodes.
// ErrSeqPosConditions indicates Order must hold two or more entries.
type AstSeqMatcherT struct {
	// Order lists the positive conditions in required order.
	Order        []*AstDescriptorT
	// Negate lists the negated conditions.
	Negate       []*AstDescriptorT
	// Correlations names the fields correlated across the sequence — presumably; confirm.
	Correlations []string
	// Window is the sequence time window (see ErrInvalidWindow).
	Window       time.Duration
}

type AstSetMatcherT

// AstSetMatcherT matches an unordered set of referenced nodes.
type AstSetMatcherT struct {
	// Match lists the positive conditions (see ErrMissingPositiveMatchCondition).
	Match        []*AstDescriptorT
	// Negate lists the negated conditions.
	Negate       []*AstDescriptorT
	// Correlations names the fields correlated across the set — presumably; confirm.
	Correlations []string
	// Window is the set time window (see ErrInvalidWindow).
	Window       time.Duration
}

type AstT

// AstT is the built AST, produced by Build or BuildTree and consumed by
// DrawTree (signatures shown on this page).
type AstT struct {
	// Nodes holds the AST nodes; whether this is the roots only or every
	// node is not shown on this page.
	Nodes []*AstNodeT
}

func Build

func Build(data []byte) (*AstT, error)

func BuildTree

func BuildTree(tree *parser.TreeT) (*AstT, error)
