Documentation
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
Types
type Config
type Config struct {
    // Enabled indicates if YARA watcher is enabled.
    Enabled bool `json:"yara.enabled" yaml:"yara.enabled"`
    // Rule contains rule-specific settings.
    Rule Rule `json:"yara.rule" yaml:"yara.rule" mapstructure:"rule"`
    // AlertVia defines which alert sender is used to emit the alert on rule matches.
    AlertVia string `json:"yara.alert-via" yaml:"yara.alert-via"`
    // AlertTextTemplate defines the template that is used to render the text of the alert.
    AlertTextTemplate string `json:"yara.alert-text-template" yaml:"yara.alert-text-template"`
    // AlertTitleTemplate represents the template for the alert title.
    AlertTitleTemplate string `json:"yara.alert-title-template" yaml:"yara.alert-title-template"`
    // FastScanMode avoids multiple matches of the same string when not necessary.
    FastScanMode bool `json:"yara.fastscan" yaml:"yara.fastscan"`
    // ScanTimeout sets the timeout for the scanner. If the timeout is reached, the scan operation is cancelled.
    ScanTimeout time.Duration `json:"yara.scan-timeout" yaml:"yara.scan-timeout"`
    // SkipFiles indicates whether file scanning is disabled.
    SkipFiles bool `json:"yara.skip-files" yaml:"yara.skip-files"`
    // ExcludedProcesses contains the list of process image names that shouldn't be scanned.
    ExcludedProcesses []string `json:"yara.excluded-procs" yaml:"yara.excluded-procs"`
    // ExcludedFiles contains the list of file names that shouldn't be scanned.
    ExcludedFiles []string `json:"yara.excluded-files" yaml:"yara.excluded-files"`
}
Config stores YARA watcher specific configuration.
func (*Config) InitFromViper
InitFromViper initializes YARA config from Viper.
func (Config) ShouldSkipFile
ShouldSkipFile determines whether the specified file name is rejected by the scanner.
func (Config) ShouldSkipProcess
ShouldSkipProcess determines whether the specified process name is rejected by the scanner.
type Rule
type Rule struct {
    // Paths defines the location of the yara rules
    Paths []RulePath `json:"yara.rule.paths" yaml:"yara.rule.paths" mapstructure:"paths"`
    // Strings contains the raw rule definitions
    Strings []RuleString `json:"yara.rule.strings" yaml:"yara.rule.strings" mapstructure:"strings"`
}
Rule contains rule-specific settings.
type RulePath
type RulePath struct {
    Path      string `json:"path" yaml:"path" mapstructure:"path"`
    Namespace string `json:"namespace" yaml:"namespace" mapstructure:"namespace"`
}
RulePath contains the rule path information.
type RuleString
type RuleString struct {
    String    string `json:"string" yaml:"string" mapstructure:"string"`
    Namespace string `json:"namespace" yaml:"namespace" mapstructure:"namespace"`
}
RuleString contains the in-place strings for the rule definition.