rules

package


Constants

const (
	// TypeOperand marks a ConditionElement that holds an operand.
	// Because of the 0x1 << iota declaration the three Type* constants are
	// distinct bit flags (1, 2, 4), so ConditionElement.Type can be compared
	// with == or tested with &.
	TypeOperand = 0x1 << iota
	// TypeOperator marks a ConditionElement that holds a boolean operator.
	TypeOperator
	// TypeNegate marks a ConditionElement that negates what follows it.
	TypeNegate
)

Variables

var (
	// ErrEOT (End Of Tokens) is the sentinel returned when the Tokenizer has
	// no token left (presumably by NextToken/NextExpectedToken — confirm).
	// Compare with errors.Is or ==, never by message text.
	ErrEOT = fmt.Errorf("End of tokens")
	// ErrUnexpectedToken is returned by Tokenizer.NextExpectedToken when the
	// token read is not among the expected tokens.
	ErrUnexpectedToken = fmt.Errorf("Unexpected tokens")
	// ErrEmptyToken is returned when an empty token is encountered.
	ErrEmptyToken = fmt.Errorf("Empty token")
)
var (
	// ErrContainerAlreadyExists should be returned when a container name is
	// already used in a ContainerDB (see ContainerDB.AddContainer and
	// ContainerDB.AddNewContainer, which both return an error).
	ErrContainerAlreadyExists = fmt.Errorf("Already existing container")
)
var (
	// ErrUnkOperator is returned when a condition operator is not known;
	// presumably raised while parsing or computing a condition — confirm.
	ErrUnkOperator = fmt.Errorf("Unknown operator")
)

Functions

func Compute

func Compute(ce *ConditionElement, operands OperandReader) bool

Compute computes a given condition given the operands

func GetOperands

func GetOperands(ce *ConditionElement) []string

GetOperands retrieves all the operands involved in a condition.

func IsContainerMatch

func IsContainerMatch(s string) bool

IsContainerMatch returns true if match is compliant with ContainerMatch syntax

func IsFieldMatch

func IsFieldMatch(s string) bool

IsFieldMatch returns true if s is compliant with FieldMatch syntax.

func Pretty added in v1.6.1

func Pretty(c *ConditionElement, group bool) string

func PrettySplit added in v1.6.1

func PrettySplit(split []*ConditionElement) string

Types

type Attack added in v1.5.0

// Attack carries the MITRE ATT&CK information attached to a rule
// (see MetaSection.Attack and CompiledRule.Attack).
type Attack struct {
	ID          string // ATT&CK identifier as written in the rule
	Tactic      string // ATT&CK tactic name as written in the rule
	Description string `json:",omitempty"` // omitted from JSON output when empty
	Reference   string // reference (presumably a URL) as written in the rule — confirm
}

Attack structure definition, encoding information from MITRE ATT&CK.

type CompiledRule

// CompiledRule is the executable form of a Rule, produced by Rule.Compile or Load.
type CompiledRule struct {
	Name        string
	Criticality int
	Channels    *datastructs.SyncedSet // channels the rule applies to; presumably built from MetaSection.Channels — confirm
	Computers   *datastructs.SyncedSet // computers the rule applies to; presumably built from MetaSection.Computers — confirm
	Tags        *datastructs.SyncedSet // presumably built from Rule.Tags — confirm
	EventIDs    *datastructs.SyncedSet // event IDs the rule applies to; presumably built from MetaSection.EventIDs — confirm
	AtomMap     *datastructs.SyncedMap // NOTE(review): likely maps matcher names to the Matcher added by AddMatcher — confirm
	Traces      []*Trace
	Disabled    bool // rule is disabled ("way to deal with no container issue" per original comment); see MetaSection.Disable
	Filter      bool // whether it is a Filter rule or not
	Conditions  *ConditionElement // parsed condition chain; see Compute
	Actions     []string
	// ATT&CK information
	Attack []Attack
	// contains filtered or unexported fields
}

CompiledRule definition

func Load

func Load(b []byte, containers *ContainerDB) (*CompiledRule, error)

Load loads a rule from b into a CompiledRule.

func NewCompiledRule

func NewCompiledRule() (er CompiledRule)

NewCompiledRule initializes and returns a CompiledRule object.

func (*CompiledRule) AddMatcher

func (er *CompiledRule) AddMatcher(m Matcher)

AddMatcher adds a matcher (an atom rule) to the CompiledRule.

func (*CompiledRule) Match

func (er *CompiledRule) Match(event *evtx.GoEvtxMap) bool

Match returns whether the CompiledRule matches the EVTX event

func (*CompiledRule) SetContainers

func (er *CompiledRule) SetContainers(containers *ContainerDB)

SetContainers sets the ContainerDB pointer of rule

type ConditionElement

// ConditionElement is one node of a parsed condition; nodes are chained
// through Next/Prev, so a condition is a doubly linked list of elements.
type ConditionElement struct {
	Operand  string // operand name; meaningful when Type is TypeOperand
	Operator rune   // boolean operator; meaningful when Type is TypeOperator
	Negate   bool   // whether this element is negated
	Level    int    // nesting level, as passed to Tokenizer.ParseCondition(group, level)
	Group    int    // group id, as passed to Tokenizer.ParseCondition(group, level); see GetGroup
	Type     int    // one of TypeOperand, TypeOperator, TypeNegate
	Next     *ConditionElement // following element; presumably nil at the end of the chain
	Prev     *ConditionElement // preceding element; presumably nil at the head of the chain
}

ConditionElement structure definition

func (*ConditionElement) DebugString

func (c *ConditionElement) DebugString() string

DebugString formats a ConditionElement to be nicely printed

func (*ConditionElement) GetGroup added in v1.6.1

func (ce *ConditionElement) GetGroup() []*ConditionElement

GetGroup retrieves an array with the condition elements part of the same group as current condition

func (*ConditionElement) GetLevels added in v1.6.1

func (ce *ConditionElement) GetLevels(lvl int) [][]*ConditionElement

GetLevels retrieves all the levels from the condition.

func (*ConditionElement) Pretty added in v1.6.1

func (c *ConditionElement) Pretty(group bool) string

func (*ConditionElement) Prioritize added in v1.6.1

func (ce *ConditionElement) Prioritize()

Prioritize creates precedence between boolean operators

func (*ConditionElement) Simplify added in v1.6.1

func (ce *ConditionElement) Simplify()

Simplify simplifies the condition.

func (*ConditionElement) String

func (c *ConditionElement) String() string

type ContainerDB

// ContainerDB maps a container name to the set of values it holds.
// It is a map type, so a nil ContainerDB must not be written to: create
// one with NewContainers before calling the Add* methods.
type ContainerDB map[string]*datastructs.SyncedSet

ContainerDB structure used to store several containers

func NewContainers

func NewContainers() *ContainerDB

NewContainers initializes a new ContainerDB.

func (*ContainerDB) AddContainer

func (c *ContainerDB) AddContainer(name string, container *datastructs.SyncedSet) error

AddContainer adds a new container to c

func (*ContainerDB) AddNewContainer

func (c *ContainerDB) AddNewContainer(name string) error

AddNewContainer adds an empty container to the DB

func (*ContainerDB) AddStringToContainer added in v1.6.0

func (c *ContainerDB) AddStringToContainer(name string, values ...string)

AddStringToContainer adds new strings (converted to lower case) into a container and creates a new container if it does not exist yet.

func (*ContainerDB) AddToContainer

func (c *ContainerDB) AddToContainer(name string, values ...interface{})

AddToContainer adds new values into a container and creates the container if it does not exist yet.

func (*ContainerDB) Contains

func (c *ContainerDB) Contains(name string, value string) bool

Contains checks if named container contains value

func (*ContainerDB) ContainsString added in v1.6.0

func (c *ContainerDB) ContainsString(name string, value string) bool

ContainsString checks if named container contains value ignoring value case

func (*ContainerDB) Get

func (c *ContainerDB) Get(name string) (*datastructs.SyncedSet, bool)

Get returns a container by its name.

func (*ContainerDB) Has

func (c *ContainerDB) Has(name string) bool

Has checks if a named container is in the DB

func (*ContainerDB) Len

func (c *ContainerDB) Len(name string) int

Len returns the size of the named container.

func (*ContainerDB) String added in v1.6.0

func (c *ContainerDB) String() string

type ContainerMatch

// ContainerMatch is an atomic extract rule: it extracts a substring from an
// event field (Operand) with a regexp and tests it against a named container
// of a ContainerDB. The `regexp:` tags presumably name the capture groups
// that ParseContainerMatch fills — confirm.
type ContainerMatch struct {
	Name      string `regexp:"name"`      // matcher name, returned by GetName
	RexName   string `regexp:"rexname"`   // NOTE(review): role not visible here — confirm
	Regexp    string `regexp:"regexp"`    // regexp used for extraction; must be compiled via Compile before use
	Operand   string `regexp:"operand"`   // event field the regexp is applied to
	Container string `regexp:"container"` // name of the container looked up in the ContainerDB
	// contains filtered or unexported fields
}

ContainerMatch atomic extract structure

func NewContainerMatch

func NewContainerMatch() *ContainerMatch

NewContainerMatch creates a new ContainerMatch structure

func ParseContainerMatch

func ParseContainerMatch(extract string) (ae *ContainerMatch, err error)

ParseContainerMatch parses an extract and returns a ContainerMatch from it.

func (*ContainerMatch) Compile

func (c *ContainerMatch) Compile() (err error)

Compile compiles a ContainerMatch; any ContainerMatch must be compiled before use.

func (*ContainerMatch) Extract

func (c *ContainerMatch) Extract(ev *evtx.GoEvtxMap) (string, bool)

Extract uses the ContainerMatch to extract a substring from a value of a Windows Event.

func (*ContainerMatch) ExtractFromString

func (c *ContainerMatch) ExtractFromString(s string) (string, bool)

ExtractFromString uses the ContainerMatch to extract a substring from s.

func (*ContainerMatch) GetName

func (c *ContainerMatch) GetName() string

GetName implements Matcher interface

func (*ContainerMatch) Match

func (c *ContainerMatch) Match(ev *evtx.GoEvtxMap) bool

Match matches the extract rule against a ContainerDB and implements the Matcher interface. The strings matched against the container are converted to lower case (default behaviour of the ContainsString method).

func (*ContainerMatch) SetContainerDB

func (c *ContainerMatch) SetContainerDB(db *ContainerDB)

SetContainerDB sets the containerDB member

func (*ContainerMatch) String

func (c *ContainerMatch) String() string

type EventOpReader

// EventOpReader implements OperandReader on top of an event: Read resolves an
// operand name to the result of the corresponding matcher for that event
// (exact wiring not visible here — confirm).
type EventOpReader struct {
	// contains filtered or unexported fields
}

EventOpReader implements the OperandReader interface to access the operand values of a rule on an event.

func (*EventOpReader) Read

func (oe *EventOpReader) Read(operand string) (value bool, ok bool)

Read implements the OperandReader interface.

type FieldMatch

// FieldMatch is the smallest rule: it compares one event field (Operand) to
// Value using Operator. Compile turns it into a regexp (per its doc) and must
// run before Match. The `regexp:` tags presumably name the capture groups that
// ParseFieldMatch fills — confirm.
type FieldMatch struct {
	Name     string `regexp:"name"`     // matcher name, returned by GetName
	Operand  string `regexp:"operand"`  // event field compared
	Operator string `regexp:"operator"` // comparison operator as written in the rule
	Value    string `regexp:"value"`    // value (or pattern) the field is compared to
	// contains filtered or unexported fields
}

FieldMatch is the smallest rule we can have

func NewFieldMatch

func NewFieldMatch(name, operand, operator, value string) *FieldMatch

NewFieldMatch creates a new FieldMatch rule from data

func ParseFieldMatch

func ParseFieldMatch(rule string) (ar FieldMatch, err error)

ParseFieldMatch parses a string and returns a FieldMatch.

func (*FieldMatch) Compile

func (f *FieldMatch) Compile() error

Compile compiles the FieldMatch into a regexp.

func (*FieldMatch) GetName

func (f *FieldMatch) GetName() string

GetName implements Matcher interface

func (*FieldMatch) Match

func (f *FieldMatch) Match(se *evtx.GoEvtxMap) bool

Match checks whether the FieldMatch matches the event.

func (*FieldMatch) String

func (f *FieldMatch) String() string

type Matcher

// Matcher is implemented by the atomic rules a CompiledRule evaluates
// against an event; FieldMatch and ContainerMatch both implement it.
type Matcher interface {
	// GetName returns the matcher name (presumably the operand name used
	// in a rule Condition — confirm).
	GetName() string
	// Match reports whether the event satisfies the matcher.
	Match(*evtx.GoEvtxMap) bool
}

Matcher interface

type MetaSection

// MetaSection holds the metadata of a JSON rule (Rule.Meta): the scope the
// rule applies to, its criticality and ATT&CK references.
type MetaSection struct {
	EventIDs    []int64 // GoEvtxMap.EventID returns int64
	Channels    []string // event channels the rule applies to
	Computers   []string // computer names the rule applies to
	Traces      []string `json:",omitempty"` // trace definitions, parsed by ParseTrace; omitted from JSON when empty
	Attack      []Attack `json:"ATTACK,omitempty"` // serialized under the "ATTACK" key; omitted when empty
	Criticality int
	Disable     bool // disables the rule; see Rule.IsDisabled
	Filter      bool // marks a filter rule; see CompiledRule.Filter
}

MetaSection defines the section holding the metadata of the rule

type OperandMap

// OperandMap is a plain map of operand name to boolean value that satisfies
// OperandReader (its Read is presumably a map lookup returning value and
// presence — confirm); convenient for evaluating a condition with Compute.
type OperandMap map[string]bool

OperandMap defines a simple structure to implement OperandReader

func (OperandMap) Read

func (om OperandMap) Read(operand string) (value, ok bool)

type OperandReader

// OperandReader resolves operand names while a condition is computed
// (see Compute). OperandMap and EventOpReader implement it.
type OperandReader interface {
	// Read returns the operand value and ok (true if the operand was found,
	// false otherwise). The value is meaningless when ok is false.
	Read(string) (bool, bool)
}

OperandReader interface

type Rule

// Rule is the JSON-parsable form of a rule; Compile turns it into a
// CompiledRule. NOTE(review): Matches and Condition are parsed into regexps
// and a condition chain at compile time, so rule files are configuration
// and should come from a trusted source.
type Rule struct {
	Name      string
	Tags      []string
	Meta      MetaSection
	Matches   []string // atomic matches, each in FieldMatch or ContainerMatch syntax (see IsFieldMatch/IsContainerMatch)
	Condition string   // boolean expression over the match names, parsed by Tokenizer.ParseCondition
	Actions   []string
}

Rule is a JSON parsable rule

func NewRule

func NewRule() Rule

NewRule creates a new rule used to deserialize from JSON

func (*Rule) Compile

func (jr *Rule) Compile(containers *ContainerDB) (*CompiledRule, error)

Compile compiles the Rule into a CompiledRule.

func (*Rule) IsDisabled

func (jr *Rule) IsDisabled() bool

IsDisabled returns true if the rule has been disabled

func (*Rule) JSON

func (jr *Rule) JSON() (string, error)

JSON returns the JSON string corresponding to the rule

func (*Rule) ReplaceTemplate

func (jr *Rule) ReplaceTemplate(tm *TemplateMap)

ReplaceTemplate replaces the regexp templates found in the matches.

type Template

// Template is a named value substituted into rule matches (see Replace and
// TemplateMap.ReplaceAll). The `regexp:` tags presumably name the capture
// groups that ParseTemplate fills — confirm.
type Template struct {
	Name  string `regexp:"name"`  // template name
	Value string `regexp:"value"` // text substituted for the template
}

Template structure definition

func ParseTemplate

func ParseTemplate(tplString string) (tpl Template, err error)

ParseTemplate parses a template string

func (*Template) Replace

func (t *Template) Replace(s string) (new string)

Replace function

type TemplateMap

// TemplateMap is a collection of Templates keyed by name, backed by an
// embedded SyncedMap (whose methods are promoted). Create it with
// NewTemplateMap so the embedded pointer is initialized.
type TemplateMap struct {
	*datastructs.SyncedMap
}

TemplateMap structure

func NewTemplateMap

func NewTemplateMap() *TemplateMap

NewTemplateMap creates a new TemplateMap structure

func (*TemplateMap) AddTemplate

func (tm *TemplateMap) AddTemplate(t *Template)

AddTemplate adds a new template to the TemplateMap

func (*TemplateMap) GetTemplate

func (tm *TemplateMap) GetTemplate(name string) (ok bool, tpl *Template)

GetTemplate returns the template associated with the name.

func (*TemplateMap) LoadReader

func (tm *TemplateMap) LoadReader(r io.Reader) error

LoadReader loads templates from a reader, one template per line. If a line starts with #, it is treated as a comment and is not parsed.

func (*TemplateMap) ReplaceAll

func (tm *TemplateMap) ReplaceAll(s string) (new string)

ReplaceAll replaces all templates in the string and returns the new string.

type Tokenizer

// Tokenizer splits a condition string into tokens (NextToken,
// NextExpectedToken) and builds the ConditionElement chain from them
// (ParseCondition). Create it with NewTokenizer.
type Tokenizer struct {
	// contains filtered or unexported fields
}

Tokenizer structure

func NewTokenizer

func NewTokenizer(condition string) (c Tokenizer)

NewTokenizer creates and inits a new Tokenizer struct

func (*Tokenizer) NextExpectedToken

func (t *Tokenizer) NextExpectedToken(expects ...string) (token string, err error)

NextExpectedToken grabs the next token and returns it. ErrUnexpectedToken is returned if the token is not in the list of expected tokens.

func (*Tokenizer) NextToken

func (t *Tokenizer) NextToken() (token string, err error)

NextToken grabs the next token

func (*Tokenizer) ParseCondition

func (t *Tokenizer) ParseCondition(group, level int) (*ConditionElement, error)

ParseCondition parses a condition from a Tokenizer object

type Trace

// Trace describes a derived rule: Compile builds a new CompiledRule from a
// trigger rule and a value, matching Operand/Operator/Value on the listed
// EventIDs and Channels (exact semantics not visible here — confirm).
// NOTE(review): Hash is documented as an MD5 digest; that is adequate as a
// stable identifier but must not be relied on as an integrity or
// authenticity check.
type Trace struct {
	Name     string
	EventIDs []int64  // event IDs the derived rule applies to
	Channels []string // channels the derived rule applies to
	Operand  string   // event field the derived rule compares
	Operator string   // comparison operator as written in the trace
	Value    string   // value the field is compared to
	// contains filtered or unexported fields
}

Trace structure

func NewTrace

func NewTrace(name string) *Trace

NewTrace creates a new Trace and returns a pointer to it.

func ParseTrace

func ParseTrace(name, trace string) (*Trace, error)

ParseTrace parses a trace string.

func (*Trace) Compile

func (t *Trace) Compile(trigger *CompiledRule, value string) (*CompiledRule, error)

Compile compiles a trace given a trigger rule (rule defining the trace)

func (*Trace) Hash

func (t *Trace) Hash() string

Hash returns the MD5 hash of the trace.

func (*Trace) HashWithValue

func (t *Trace) HashWithValue(value string) string

HashWithValue returns a salted hash

func (*Trace) Path

func (t *Trace) Path() *evtx.GoEvtxPath

Path returns the GoEvtxPath associated with the trace.
