Documentation
¶
Index ¶
- func FuzzRuleMatches(data []byte) int
- type Event
- type GroupedByValues
- type Option
- func AverageImplementation(...) Option
- func CountImplementation(count func(ctx context.Context, key GroupedByValues) (float64, error)) Option
- func SumImplementation(...) Option
- func WithConfig(config ...sigma.Config) Option
- func WithPlaceholderExpander(f func(ctx context.Context, placeholderName string) ([]string, error)) Option
- type Result
- type RuleEvaluator
- func (rule *RuleEvaluator) GetFieldValuesFromEvent(field string, event Event) ([]interface{}, error)
- func (rule RuleEvaluator) Indexes() []string
- func (rule RuleEvaluator) Matches(ctx context.Context, event Event) (Result, error)
- func (rule RuleEvaluator) RelevantToEvent(ctx context.Context, eventIndex string, event Event) (bool, error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func FuzzRuleMatches ¶
Run with: go-fuzz-build --preserve "encoding/json" && go-fuzz
Types ¶
type Event ¶
type Event interface{}
Event should be some form a map[string]interface{} or map[string]string
type GroupedByValues ¶
type GroupedByValues struct {
ConditionID int // TODO: there's some forward/backward compatibility pitfalls here: what happens if you switch the order of conditions in your Sigma file?
EventValues map[string]interface{}
}
GroupedByValues contains the fields that uniquely identify a distinct aggregation statistic. Think of it like a ratelimit key.
For example, if a Sigma rule has a condition like this (attempting to detect login brute forcing)
detection:
login_attempt:
# something here
condition:
login_attempt | count() by (username) > 100
timeframe: 1m
Conceptually there's a bunch of boxes somewhere (one for each username) containing their current count. Each different GroupedByValues points to a different box.
GroupedByValues
|| ___↓↓___ ________ | User A | | User B | |__2041__| |___01___|
It's up to your implementation to ensure that different GroupedByValues map to different boxes (although a default Key() method is provided which is good enough for most use cases)
func (GroupedByValues) Key ¶
func (a GroupedByValues) Key() string
type Option ¶
type Option func(*RuleEvaluator)
func AverageImplementation ¶
func CountImplementation ¶
func SumImplementation ¶
func WithConfig ¶
func WithConfig(config ...sigma.Config) Option
type RuleEvaluator ¶
type RuleEvaluator struct {
sigma.Rule
// contains filtered or unexported fields
}
func ForRule ¶
func ForRule(rule sigma.Rule, options ...Option) *RuleEvaluator
func (*RuleEvaluator) GetFieldValuesFromEvent ¶
func (rule *RuleEvaluator) GetFieldValuesFromEvent(field string, event Event) ([]interface{}, error)
func (RuleEvaluator) Indexes ¶
func (rule RuleEvaluator) Indexes() []string
func (RuleEvaluator) RelevantToEvent ¶
func (rule RuleEvaluator) RelevantToEvent(ctx context.Context, eventIndex string, event Event) (bool, error)
RelevantToEvent calculates whether a rule is applicable to an event based on:
- Whether the rule has been configured with a config file that matches the eventIndex
- Whether the event matches the conditions from the config file
Source Files
Directories