siem

package
v0.32.10 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Feb 20, 2022 License: GPL-3.0 Imports: 27 Imported by: 0

Documentation


Constants

This section is empty.

Variables

var (
	// ErrZeroStage reports a rule whose stage is 0.
	ErrZeroStage            = errors.New("can not use 0 as rule stage")
	// ErrInvalidRuleType reports a rule type that is not one of validRuleType.
	// validRuleType is declared elsewhere in the package (not shown here); its
	// value is formatted into the message once, at package initialization.
	ErrInvalidRuleType      = fmt.Errorf("invalid rule type, valid types: %v", validRuleType)
	// ErrInvalidPluginID reports a PluginRule whose PluginID is below 1.
	ErrInvalidPluginID      = errors.New("PluginRule requires PluginID to be 1 or higher")
	// ErrNoPluginSID reports a PluginRule with no PluginSID defined.
	ErrNoPluginSID          = errors.New("PluginRule requires PluginSID to be defined")
	// ErrInvalidPluginSID reports a PluginRule whose PluginSID is below 1.
	ErrInvalidPluginSID     = errors.New("PluginRule requires PluginSID to be 1 or higher")
	// ErrNoProduct reports a TaxonomyRule with no Product defined.
	ErrNoProduct            = errors.New("TaxonomyRule requires Product to be defined")
	// ErrNoCategory reports a TaxonomyRule with no Category defined.
	ErrNoCategory           = errors.New("TaxonomyRule requires Category to be defined")
	// ErrNoDirectiveName reports a directive with an empty Name.
	ErrNoDirectiveName      = errors.New("Directive name cannot be empty")
	// ErrNoDirectiveKingdom reports a directive with an empty Kingdom.
	ErrNoDirectiveKingdom   = errors.New("Directive kingdom cannot be empty")
	// ErrNoDirectiveCategory reports a directive with an empty Category.
	ErrNoDirectiveCategory  = errors.New("Directive category cannot be empty")
	// ErrReferenceOnFirstRule reports a reference on the first rule, which has
	// no earlier rule to refer to.
	ErrReferenceOnFirstRule = errors.New("first rule cannot contain reference")
	// ErrInvalidReference reports a rule reference that is not in the range
	// 1 .. (rule count - 1).
	ErrInvalidReference     = errors.New("invalid reference number, must be larger than 0 and less than the rule count")
	// ErrEmptyFromTo reports a rule whose From or To is empty.
	ErrEmptyFromTo          = errors.New("rule From/To cannot be empty")
)
// ErrNoDirectiveLoaded reports that a directive file yielded no directives.
var ErrNoDirectiveLoaded = errors.New("no directive loaded from the file")

Functions

func CountBackLogs added in v0.26.2

func CountBackLogs() (sum int, activeDirectives int, ttlDirectives int)

CountBackLogs returns the number of active backlogs

func InitBackLogManager

func InitBackLogManager(logFile string, bpChan chan<- bool, holdDuration int) (err error)

InitBackLogManager initializes the backlog and its ticker.

func InitDirectives

func InitDirectives(confDir string, ch <-chan event.NormalizedEvent, minAlarmLifetime, maxEPS, maxEventQueueLength int) error

InitDirectives initializes directives from the directive_*.json files in confDir, then starts a backlog manager for each directive.

func ValidateDirective added in v0.32.0

func ValidateDirective(d *Directive, res *Directives) (err error)

func ValidateRules added in v0.32.0

func ValidateRules(d *Directive) error

Types

type Directive added in v0.15.0

// Directive represents a SIEM use case that has several correlation rules.
//
// The JSON keys below are the ones read from the directive files; StickyDiffs
// is excluded from JSON encoding and decoding.
type Directive struct {
	// ID is the directive identifier (JSON key "id").
	ID                   int                   `json:"id"`
	// Name is the directive name (JSON key "name"); validation rejects an
	// empty value (see ErrNoDirectiveName).
	Name                 string                `json:"name"`
	// Priority is the directive priority (JSON key "priority").
	Priority             int                   `json:"priority"`
	// Disabled marks a directive that should not be loaded unless the loader
	// is asked to include disabled ones (JSON key "disabled").
	Disabled             bool                  `json:"disabled"`
	// AllRulesAlwaysActive is read from JSON key "all_rules_always_active";
	// how the correlation engine uses it is not visible here.
	AllRulesAlwaysActive bool                  `json:"all_rules_always_active"`
	// Kingdom is the directive kingdom (JSON key "kingdom"); validation
	// rejects an empty value (see ErrNoDirectiveKingdom).
	Kingdom              string                `json:"kingdom"`
	// Category is the directive category (JSON key "category"); validation
	// rejects an empty value (see ErrNoDirectiveCategory).
	Category             string                `json:"category"`
	// Rules holds the directive's correlation rules (JSON key "rules").
	Rules                []rule.DirectiveRule  `json:"rules"`
	// StickyDiffs is runtime-only state: the `json:"-"` tag keeps it out of
	// JSON encoding and decoding.
	StickyDiffs          []rule.StickyDiffData `json:"-"`
}

Directive represents a SIEM use case that has several correlation rules.

type Directives

// Directives groups directives together.
type Directives struct {
	// Dirs is the list of directives (JSON key "directives").
	Dirs []Directive `json:"directives"`
}

Directives groups directives together.

func LoadDirectivesFromFile

func LoadDirectivesFromFile(confDir string, namePattern string, includeDisabled bool) (res Directives, totalFromFile int, err error)

LoadDirectivesFromFile loads directives from the files in confDir that match the namePattern glob.
