rule

package
v1.3.5-alpha-0814 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 14, 2024 License: AGPL-3.0 Imports: 22 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ParseRuleMetadata added in v1.3.2 

func ParseRuleMetadata(rule *Rule)

Types

type AddressRule 

type AddressRule struct {
	// 这两个是修饰词
	Any      bool
	Negative bool

	IPv4CIDR string
	IPv6CIDR string

	SubRules []*AddressRule

	Env string
	// contains filtered or unexported fields
}

func (*AddressRule) Generate 

func (a *AddressRule) Generate() string

Generate is not uniform distribution also, linklocal addr, multicast addr, loopback addr, etc. are not escaped

func (*AddressRule) Match 

func (a *AddressRule) Match(i string) bool

type ContentRule 

type ContentRule struct {
	Negative bool
	Content  []byte

	// payload config
	Nocase     bool // case insensitive
	Depth      *int
	Offset     *int
	StartsWith bool
	EndsWith   bool
	Distance   *int
	Within     *int
	// no effect
	RawBytes bool
	IsDataAt string
	BSize    string
	DSize    string
	// won't support
	ByteTest string
	// won't support
	ByteMath string
	// won't support
	ByteJump string
	// won't support
	ByteExtract string
	// won't support
	RPC string // sunrpc call
	// won't support
	Replace     []byte
	PCRE        string
	PCREParsed  *pcre.PCRE
	FastPattern bool

	// e.g set,bihinder3
	FlowBits     string
	FlowInt      string
	XBits        string
	NoAlert      bool
	Base64Decode string
	Base64Data   bool

	ExtraFlags []string

	Modifier modifier.Modifier
}

type ContentRuleConfig 

type ContentRuleConfig struct {
	Flow *FlowRule

	Thresholding *ThresholdingConfig

	/* DNS Config*/
	DNS *DNSRule

	/* HTTP Config */
	HTTPConfig *HTTPConfig

	/* IP */
	IPConfig *IPLayerRule

	/* TCP */
	TcpConfig *TCPLayerRule

	/* ICMP */
	IcmpConfig *ICMPLayerRule

	/* Payload Match */
	ContentRules []*ContentRule

	// PrefilterRule is a contentRuleConfig with no more than single config.
	// not implement yet
	PrefilterRule *ContentRuleConfig
}

type DNSRule 

type DNSRule struct {
	OpcodeNegative bool
	Opcode         int
}

type FlowRule 

type FlowRule struct {
	ToClient    bool
	Established bool
	ToServer    bool
}

type HTTPConfig 

type HTTPConfig struct {
	// deprecated and not implemented
	Uricontent string
	Urilen     *numrange.NumRange
}

type ICMPLayerRule 

type ICMPLayerRule struct {
	IType     *numrange.NumRange // itype
	ICode     *numrange.NumRange // icode
	ICMPId    *int               // icmp_id
	ICMPSeq   *int
	ICMPv6MTU *numrange.NumRange
}

type IPLayerRule 

type IPLayerRule struct {
	TTL int
	/*
		IP Option	Description
		rr	Record Route
		eol	End of List
		nop	No Op
		ts	Time Stamp
		sec	IP Security
		esec	IP Extended Security
		lsrr	Loose Source Routing
		ssrr	Strict Source Routing
		satid	Stream Identifier
		any	any IP options are set
	*/
	IPOpts     string
	Sameip     bool
	IPProto    string
	Id         int
	Geoip      string
	FragBits   string
	FragOffset string
	Tos        string
}

type MultipleBufferMatching 

type MultipleBufferMatching struct {
	// contains filtered or unexported fields
}

type PortRule 

type PortRule struct {
	Any      bool
	Negative bool

	Ports []int

	Rules []*PortRule

	Env string
	// contains filtered or unexported fields
}

func (*PortRule) GenerateWithDefault 

func (p *PortRule) GenerateWithDefault(def uint32) uint32

func (*PortRule) GetAvailablePort 

func (p *PortRule) GetAvailablePort() uint32

func (*PortRule) Match 

func (p *PortRule) Match(i int) bool

type Rule 

type Rule struct {
	Raw                string       `json:"raw"`
	Message            string       `json:"message"`
	MessageChinese     string       `json:"message_chinese"`
	Action             string       `json:"action"`
	Protocol           string       `json:"protocol"`
	SourceAddress      *AddressRule `json:"source_address"`
	DestinationAddress *AddressRule `json:"destination_address"`
	SourcePort         *PortRule    `json:"source_port"`
	DestinationPort    *PortRule    `json:"destination_port"`

	Sid       int
	Rev       int
	Gid       int
	ClassType string
	Reference map[string]string
	Priority  int
	Metadata  []string
	Target    string // src_ip/dest_ip

	ContentRuleConfig *ContentRuleConfig

	RuleUpdatedAt      string `json:"update_at"`
	RuleCreatedAt      string `json:"created_at"`
	Deployment         string `json:"deployment"`
	SignatureSeverity  string `json:"signature_severity"`
	AttackTarget       string `json:"attack_target"`
	FormerCategory     string `json:"former_category"`
	AffectedProduct    string `json:"affected_product"`
	Tag                string `json:"tag"`
	PerformanceImpact  string `json:"performance_impact"`
	MalwareFamily      string `json:"malware_family"`
	MitreTechniqueID   string `json:"mitre_technique_id"`
	MitreTacticID      string `json:"mitre_tactic_id"`
	MitreTechniqueName string `json:"mitre_technique_name"`
	MitreTacticName    string `json:"mitre_tactic_name"`
	Confidence         string `json:"confidence"`
	ReviewedAt         string `json:"reviewed_at"`
	CVE                string `json:"cve"`
}

Rule is a suricata rule

func Parse 

func Parse(data string, envs ...string) ([]*Rule, error)

func (*Rule) AIDecoration added in v1.3.1 

func (r *Rule) AIDecoration(opts ...openai.ConfigOption)

type RuleSyntaxVisitor 

type RuleSyntaxVisitor struct {
	Raw        []byte
	CompileRaw string
	Errors     []error
	Rules      []*Rule

	// 设置环境变量规则
	Environment map[string]string
}

func (*RuleSyntaxVisitor) Errorf 

func (v *RuleSyntaxVisitor) Errorf(msg string, items ...interface{})

func (*RuleSyntaxVisitor) MergeErrors 

func (v *RuleSyntaxVisitor) MergeErrors() error

func (*RuleSyntaxVisitor) ShowErrors 

func (v *RuleSyntaxVisitor) ShowErrors()

func (*RuleSyntaxVisitor) VisitAddress 

func (v *RuleSyntaxVisitor) VisitAddress(i *parser.AddressContext) (addr *AddressRule)

func (*RuleSyntaxVisitor) VisitDstAddress 

func (v *RuleSyntaxVisitor) VisitDstAddress(i *parser.Dest_addressContext) *AddressRule

func (*RuleSyntaxVisitor) VisitDstPort 

func (v *RuleSyntaxVisitor) VisitDstPort(i *parser.Dest_portContext) *PortRule

func (*RuleSyntaxVisitor) VisitParams 

func (v *RuleSyntaxVisitor) VisitParams(i *parser.ParamsContext, rule *Rule)

func (*RuleSyntaxVisitor) VisitPortRule 

func (v *RuleSyntaxVisitor) VisitPortRule(i *parser.PortContext) *PortRule

func (*RuleSyntaxVisitor) VisitRule 

func (v *RuleSyntaxVisitor) VisitRule(rule *parser.RuleContext) interface{}

func (*RuleSyntaxVisitor) VisitRules 

func (v *RuleSyntaxVisitor) VisitRules(ctx *parser.RulesContext) interface{}

func (*RuleSyntaxVisitor) VisitSrcAddress 

func (v *RuleSyntaxVisitor) VisitSrcAddress(i *parser.Src_addressContext) *AddressRule

func (*RuleSyntaxVisitor) VisitSrcPort 

func (v *RuleSyntaxVisitor) VisitSrcPort(i *parser.Src_portContext) *PortRule

type TCPLayerRule 

type TCPLayerRule struct {
	Seq            *int
	Ack            *int
	NegativeWindow bool
	Window         *int
	TCPMss         *numrange.NumRange
	Flags          string
}

type ThresholdingConfig 

type ThresholdingConfig struct {
	ThresholdMode bool
	LimitMode     bool
	Count         int
	Seconds       int
	Track         string
}

func (*ThresholdingConfig) Repeat 

func (t *ThresholdingConfig) Repeat() int

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.