sysmon

package
Published: Jul 21, 2023 License: GPL-3.0 Imports: 8 Imported by: 0


Constants

This section is empty.

Variables

This section is empty.

Functions

func LoadSysmonModules

func LoadSysmonModules(basePath string, modulesPath []string) (map[string]EventFiltersContainer, error)

Types

type Condition added in v0.2.0

// Condition is a single filter condition element as read from and written
// back to a Sysmon module/config XML document.
type Condition struct {
	// Element tag of the condition (the field being matched).
	XMLName       xml.Name
	// Optional name attribute; omitted from output when empty.
	NameAttr      string `xml:"name,attr,omitempty"`
	// The Sysmon "condition" attribute (match operator); always written.
	ConditionAttr string `xml:"condition,attr"`
	// Raw inner XML of the element. encoding/xml emits an ",innerxml" field
	// verbatim on Marshal (no escaping), so whatever text is decoded here is
	// re-serialised as-is — module content is effectively trusted at this point.
	Value         string `xml:",innerxml"`
}

Generic condition element.

type Conditions added in v0.2.0

type Conditions []Condition

Sorting implementation for Conditions: ordered by 1. condition tag name, 2. value.

func (Conditions) Len added in v0.2.0

func (c Conditions) Len() int

func (Conditions) Less added in v0.2.0

func (c Conditions) Less(i, j int) bool

func (Conditions) Swap added in v0.2.0

func (c Conditions) Swap(i, j int)

type EventFilter added in v0.2.0

// EventFilter is one Sysmon event-type filter element (ProcessCreate,
// FileCreateTime, ...) with its onmatch mode, direct conditions and nested rules.
type EventFilter struct {
	// Element tag, which names the event type.
	XMLName    xml.Name
	// The "onmatch" attribute; always written. Nothing visible here validates
	// its value — presumably "include"/"exclude", confirm against the loader.
	OnMatchAtt string     `xml:"onmatch,attr"`
	// Child elements not matched by a named field (i.e. anything but <Rule>)
	// are decoded here via ",any".
	Conditions Conditions `xml:",any"`
	// Nested <Rule> elements; omitted from output when empty.
	Rules      []Rule     `xml:"Rule,omitempty"`
}

One event filter, e.g. ProcessCreate, FileCreateTime, ...

func (EventFilter) GenRuleID added in v0.2.0

func (e EventFilter) GenRuleID()

Replaces condition and rule names with generated ids.

func (EventFilter) RemoveRuleNames added in v0.2.0

func (e EventFilter) RemoveRuleNames()

Removes the rule names.

func (EventFilter) Sort added in v0.2.0

func (e EventFilter) Sort()

type EventFilteringRules

// EventFilteringRules is the body of the <EventFiltering> element: its list
// of <RuleGroup> children.
type EventFilteringRules struct {
	// Decoded from / encoded as repeated <RuleGroup> elements.
	RuleGroups []RuleGroup `xml:"RuleGroup"`
}

type EventFiltersContainer added in v0.2.0

// EventFiltersContainer pairs the include and exclude filters loaded from a
// module so callers can work with each side separately. It carries no XML
// tags and is not itself (de)serialised.
type EventFiltersContainer struct {
	Includes EventFilter
	Excludes EventFilter
}

DTO that makes it easier to work with the individual filters.

type Rule added in v0.2.0

// Rule is a nested <Rule> element inside an event filter: a group of
// conditions combined according to its groupRelation attribute.
type Rule struct {
	XMLName           xml.Name
	// Optional rule name; omitted when empty (EventFilter.RemoveRuleNames
	// and GenRuleID rewrite this field).
	NameAttr          string     `xml:"name,attr,omitempty"`
	// The "groupRelation" attribute; no omitempty, so an empty value is still
	// written as groupRelation="".
	GroupRelationAttr string     `xml:"groupRelation,attr"`
	// All child elements are decoded as conditions via ",any".
	Conditions        Conditions `xml:",any"`
}

Nested sub-rule.

type RuleGroup

// RuleGroup is a <RuleGroup> element wrapping one event filter.
type RuleGroup struct {
	// The event-type child element, decoded via ",any" into a single (non-slice)
	// field. NOTE(review): a RuleGroup holding several event filters presumably
	// cannot be represented here — confirm against the loader's expectations.
	EventFilters      EventFilter `xml:",any"`
	// Optional "groupRelation" attribute; omitted when empty.
	GroupRelationAttr string      `xml:"groupRelation,attr,omitempty"`
}

type SysmonConfig added in v0.2.0

// SysmonConfig is the root Sysmon configuration document produced by
// GenerateBaseSysmonConfig and extended by AddModulesToConfig.
type SysmonConfig struct {
	XMLName                xml.Name
	// Emitted as an XML comment. encoding/xml refuses to marshal a comment
	// containing "--", so callers should not place arbitrary text here.
	Comment                string              `xml:",comment"`
	// The "schemaversion" attribute; always written.
	SchemaversionAttr      string              `xml:"schemaversion,attr"`
	ArchiveDirectory       string              `xml:"ArchiveDirectory,omitempty"`
	// Bool options carry omitempty: a false value is dropped from the output,
	// so an explicit "false" cannot be emitted and Sysmon's default applies.
	CheckRevocation        bool                `xml:"CheckRevocation,omitempty"`
	CopyOnDeleteExtensions string              `xml:"CopyOnDeleteExtensions,omitempty"`
	CopyOnDeletePE         bool                `xml:"CopyOnDeletePE,omitempty"`
	CopyOnDeleteProcesses  string              `xml:"CopyOnDeleteProcesses,omitempty"`
	CopyOnDeleteSIDs       string              `xml:"CopyOnDeleteSIDs,omitempty"`
	DnsLookup              bool                `xml:"DnsLookup,omitempty"`
	DriverName             string              `xml:"DriverName,omitempty"`
	HashAlgorithms         string              `xml:"HashAlgorithms,omitempty"`
	// The <EventFiltering> element holding all rule groups.
	EventFiltering         EventFilteringRules `xml:"EventFiltering"`
}

SysmonConfig is the root Sysmon configuration document.

func AddModulesToConfig added in v0.2.0

func AddModulesToConfig(sysmonConfig SysmonConfig, sysmonModules map[string]EventFiltersContainer, cfg []config.EventFilter, generateRuleIds bool, removeRuleNames bool) (SysmonConfig, error)

func GenerateBaseSysmonConfig added in v0.2.0

func GenerateBaseSysmonConfig(cfg config.Config, buildVersion string) (SysmonConfig, error)
