sevaluator

package

v1.0.0 Latest Latest Go to latest Published: Mar 1, 2024 License: MIT Imports: 7 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/mtnmunuklu/logen

Links

Open Source Insights

Documentation ¶

Index ¶

func CaseSensitive(e *RuleEvaluator)
func FuzzRuleMatches(data []byte) int
func SendMessageToOpenAI(apiKey, content string) (string, error)
type OpenAIClient
- func NewOpenAIClient(apiKey string) *OpenAIClient
type OpenAIService
type Option
- func WithConfig(config ...sigma.Config) Option
- func WithPlaceholderExpander(f func(ctx context.Context, placeholderName string) ([]string, error)) Option
type Result
type RuleEvaluator
- func ForRule(rule sigma.Rule, options ...Option) *RuleEvaluator
- func (rule RuleEvaluator) Alters(ctx context.Context) (Result, error)
- func (rule RuleEvaluator) Indexes() []string

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func CaseSensitive ¶

func CaseSensitive(e *RuleEvaluator)

CaseSensitive turns off the default Sigma behaviour that string operations are by default case-insensitive This can increase performance (especially for larger events) by skipping expensive calls to strings.ToLower

func FuzzRuleMatches ¶

func FuzzRuleMatches(data []byte) int

Fuzz function that checks if a given input byte slice can trigger an alteration to the system

func SendMessageToOpenAI ¶

func SendMessageToOpenAI(apiKey, content string) (string, error)

SendMessageToOpenAI sends a message to OpenAI and returns the response

Types ¶

type OpenAIClient ¶

type OpenAIClient struct {
	*openai.Client
}

OpenAIClient implements OpenAIService

func NewOpenAIClient ¶

func NewOpenAIClient(apiKey string) *OpenAIClient

NewOpenAIClient creates a new OpenAIClient instance

type OpenAIService ¶

type OpenAIService interface {
	CreateChatCompletion(context.Context, openai.ChatCompletionRequest) (*openai.ChatCompletionResponse, error)
}

OpenAIService interface defines the operations for OpenAI service

type Option ¶

type Option func(*RuleEvaluator)

Option is a function that takes a RuleEvaluator pointer and modifies its configuration

func WithConfig ¶

func WithConfig(config ...sigma.Config) Option

WithConfig returns an Option that sets the provided Sigma configs to the RuleEvaluator. The configs are used to initialize the RuleEvaluator, which creates field mappings and indexes for efficient evaluation of Sigma rules. The configs should be provided in the order of precedence, and the function will append them to the RuleEvaluator's config slice. After the configs are set, the function will recalculate the RuleEvaluator's indexes and field mappings.

func WithPlaceholderExpander ¶

func WithPlaceholderExpander(f func(ctx context.Context, placeholderName string) ([]string, error)) Option

WithPlaceholderExpander returns an Option that sets the provided function as the placeholder expander for the RuleEvaluator. The placeholder expander is used to expand any placeholders that might be present in the Sigma rule before evaluation. The provided function should take a context and a placeholder name and return a slice of strings that replace the placeholder in the Sigma rule. If an error occurs during the expansion process, the function should return an error.

type Result ¶

type Result struct {
	Searches    map[string][]string // The map of search identifiers to their result values
	Conditions  map[int][]string    // The map of condition indices to their result values
	SourceTypes map[int]string      // The map of sourcetype indices to their result values
	Queries     map[int]string      // The map of query indices to their result values
}

Result represents the evaluation result of a Sigma rule. It contains the search, condition, aggregation, and query results of the rule evaluation.

type RuleEvaluator ¶

type RuleEvaluator struct {
	sigma.Rule
	// contains filtered or unexported fields
}

RuleEvaluator represents a rule evaluator that is capable of computing the search, condition, and query results of a Sigma rule. It holds the rule configuration, search conditions, and field mappings necessary to apply the rule to log events and generate the query results.

func ForRule ¶

func ForRule(rule sigma.Rule, options ...Option) *RuleEvaluator

ForRule constructs a new RuleEvaluator with the given Sigma rule and evaluation options. It applies any provided options to the new RuleEvaluator and returns it.

func (RuleEvaluator) Alters ¶

func (rule RuleEvaluator) Alters(ctx context.Context) (Result, error)

This function returns a Result object containing the evaluation results for the rule's Detection field. It uses the evaluateSearch, evaluateSearchExpression and evaluateAggregationExpression functions to compute the results.

func (RuleEvaluator) Indexes ¶

func (rule RuleEvaluator) Indexes() []string

The Indexes method returns the possible indexes for the current rule

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
modifiers

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL