Documentation ¶
Index ¶
- Constants
- func ChannelKiller(l2s *Layer2SingleLayer)
- func ConcurrencyUnlockNewWorkers(ch_limit_worker chan struct{}, nr_of_files int)
- func PrintRemaingWorkers(Atomic_Counter_Workers *uint64)
- func RunL1Worker(Wg_l1_all *sync.WaitGroup, efi *common.EvtxFileInfo, Hclist HostnameToChannels, ...)
- func RunL2Worker(l2s *Layer2SingleLayer, Wg_l2_all *sync.WaitGroup)
- func RunL2WorkerFlat(l2s *Layer2SingleLayer)
- func RunL2WorkerPowershellScriptblock(l2s *Layer2SingleLayer)
- type ChanFullInfo
- type ChannelTOEID
- type EIDToChan
- type Engine
- func (e *Engine) AllowLayerToBeAppendedBasedOnL2Name(IncludeOnly common.CommaSeparated, ExcludeOnly common.CommaSeparated, ...) bool
- func (e *Engine) FindL2LayerByName(name string) *Layer2
- func (e *Engine) GetAllLayer1WhichSupportsChannel(channel string) []*Layer1
- func (e *Engine) GetAllLayer1WhichSupportsLayer2(l2_name string) []Layer1
- func (e *Engine) GetCSVHeadersOrdered(l2_name string) []string
- func (e *Engine) GetDoubleQuotesForChannel(channel string) map[string]string
- func (e *Engine) GetEIDDescription(ev_map *ordereddict.Dict, l2_name string) string
- func (e *Engine) IncreaseUsageCounterForLayer2(l2name string)
- func (e *Engine) IsEfiSupported(efi *common.EvtxFileInfo)
- func (e *Engine) LoadLayer1(IncludeOnly common.CommaSeparated, ExcludeOnly common.CommaSeparated)
- func (e *Engine) LoadLayer2(Output_dir string, IncludeOnly common.CommaSeparated, ...)
- func (e *Engine) LoadParams()
- func (e *Engine) ParseCommonFieldsOrderedDict(ev_map *eventmap.EventMap, l2_name string) *ordereddict.Dict
- func (e *Engine) ParseL2FieldsOrderedDict(l2_name string, ev_map *eventmap.EventMap) *ordereddict.Dict
- func (e *Engine) PrepareCommonAndLayer2FieldsEmptyOrderedDict(l2_name string) *ordereddict.Dict
- func (e *Engine) PrepareCommonFieldsEmptyOrderedDict() *ordereddict.Dict
- func (e *Engine) PrepareEventCache()
- func (e *Engine) PrepareLayer2FieldsEmptyOrderedDict(l2_name string) *ordereddict.Dict
- func (e *Engine) SingleFieldExtractor(function string) common.SingleField
- type HostnameToChannels
- type Layer1
- type Layer1Events
- type Layer1EventsEnhanced
- type Layer1GlobalMemory
- func (l1globmem *Layer1GlobalMemory) HClistAddChan(latest_computer string, channel string, eid string, provider_guid string, ...)
- func (l1globmem *Layer1GlobalMemory) HClistAddChannel(latest_computer string, channel string)
- func (l1globmem *Layer1GlobalMemory) HClistAddEID(latest_computer string, channel string, eid string, provider_guid string, ...)
- func (l1globmem *Layer1GlobalMemory) HClistAddHostname(latest_computer string)
- func (l1globmem *Layer1GlobalMemory) SetupWorkers(e *Engine, efi []common.EvtxFileInfo, l2globmem *Layer2GlobalMemory)
- func (l1globmem *Layer1GlobalMemory) StartL1Workers(e *Engine, efi []common.EvtxFileInfo, l2globmem *Layer2GlobalMemory, ...)
- type Layer1Info
- type Layer2
- type Layer2GlobalMemory
- func (l2mem *Layer2GlobalMemory) FindLayer2SingleLayer(l2_name string, latest_computer string) *Layer2SingleLayer
- func (l2mem *Layer2GlobalMemory) SetupChannelKillers()
- func (l2mem *Layer2GlobalMemory) SetupChannels(engi *Engine, efi []common.EvtxFileInfo)
- func (l2mem *Layer2GlobalMemory) SetupLayer2SingleLayer(l2_name string, latest_computer string, engine *Engine)
- func (l2mem *Layer2GlobalMemory) SetupOptions(ScriptBlocksXor bool)
- func (l2mem *Layer2GlobalMemory) StartL2Workers(engi *Engine)
- type Layer2Info
- type Layer2Output
- type Layer2SingleLayer
- func (l2s *Layer2SingleLayer) GetComputerDir() string
- func (l2s *Layer2SingleLayer) GetOngoingOutputPath() string
- func (l2s *Layer2SingleLayer) GetOutputFormatExtension() string
- func (l2s *Layer2SingleLayer) GetOutputFormatName() string
- func (l2s *Layer2SingleLayer) GetOutputPath() string
- func (l2s *Layer2SingleLayer) GetScriptBlockOutputPath(filename string) string
- func (l2s *Layer2SingleLayer) IncrementWorkerCounter()
- type LogicEngine
- func (le *LogicEngine) AreLogicalTestsPassed(ev_map *ordereddict.Dict, MR MatchingRulesT, ...) bool
- func (le *LogicEngine) CanWeFinishNow(global_logic string, all_containers_result []bool) (bool, bool)
- func (le *LogicEngine) CaseSensiveFlagToBool(CaseSensitive string) bool
- func (le *LogicEngine) EvaluateRule(rule common.ExtractedLogic, attrib_map *ordereddict.Dict) bool
- func (le *LogicEngine) EvaluateSingleAndContainer(container_rules []common.ExtractedLogic, attrib_map *ordereddict.Dict) bool
- func (le *LogicEngine) EvaluateSingleOrContainer(container_rules []common.ExtractedLogic, attrib_map *ordereddict.Dict) bool
- func (le *LogicEngine) IsProviderTestPassed(ev_map *ordereddict.Dict, Provider_guid string, Provider_name string) bool
- func (le *LogicEngine) ReturnMatchingChanFullInfo(ev_map *ordereddict.Dict) []ChanFullInfo
- func (le *LogicEngine) SetSupportedEIDs(supported_eids ChannelTOEID)
- func (le *LogicEngine) SingleMatchDecimalEqual(event_value interface{}, ExpectedValue string) bool
- func (le *LogicEngine) SingleMatchSubstring(event_value interface{}, ExpectedValue string, CaseSensitive bool) bool
- type MatchingRulesT
Constants ¶
// CHANNEL_EVENT_CAPACITY is the buffer size presumably used when creating the
// per-layer event channels (chan *eventmap.EventMap, see ChanFullInfo.Chan) —
// TODO confirm where it is applied. If it is the make() capacity, an L1 worker
// blocks once this many events are queued for an L2 worker that has not drained them.
const CHANNEL_EVENT_CAPACITY = 300
Variables ¶
This section is empty.
Functions ¶
func ChannelKiller ¶
func ChannelKiller(l2s *Layer2SingleLayer)
func ConcurrencyUnlockNewWorkers ¶
func ConcurrencyUnlockNewWorkers(ch_limit_worker chan struct{}, nr_of_files int)
func PrintRemaingWorkers ¶
func PrintRemaingWorkers(Atomic_Counter_Workers *uint64)
func RunL1Worker ¶
func RunL1Worker(Wg_l1_all *sync.WaitGroup, efi *common.EvtxFileInfo, Hclist HostnameToChannels, l2s_wg_to_close_channel_list []*sync.WaitGroup, ch_limit_worker chan struct{}, Atomic_Counter_Workers *uint64)
func RunL2Worker ¶
func RunL2Worker(l2s *Layer2SingleLayer, Wg_l2_all *sync.WaitGroup)
func RunL2WorkerFlat ¶
func RunL2WorkerFlat(l2s *Layer2SingleLayer)
func RunL2WorkerPowershellScriptblock ¶
func RunL2WorkerPowershellScriptblock(l2s *Layer2SingleLayer)
Types ¶
type ChanFullInfo ¶
// ChanFullInfo bundles a destination event channel with the provider identity,
// the attribute-extraction functions and the matching rules that select the
// events it should receive. It is what LogicEngine.ReturnMatchingChanFullInfo
// returns and what EIDToChan.Chans stores.
type ChanFullInfo struct {
	Chan              chan *eventmap.EventMap    // where events accepted by the rules below are sent
	Provider_guid     string                     // presumably checked by LogicEngine.IsProviderTestPassed — confirm
	Provider_name     string                     // ditto; name form of the provider
	Attrib_extraction []common.ExtractedFunction // extractors handed to LogicEngine.AreLogicalTestsPassed
	Matching_Rules    MatchingRulesT             // rule set evaluated before an event is forwarded
}
type ChannelTOEID ¶
type EIDToChan ¶
// EIDToChan lists every ChanFullInfo registered for one event ID; one event may
// therefore be fanned out to several layer-2 channels.
type EIDToChan struct {
	Chans []ChanFullInfo
}
type Engine ¶
// Engine holds the loaded Layer1/Layer2 definitions and the lookup tables that
// the workers consult. It is presumably filled by LoadParams, LoadLayer1,
// LoadLayer2 and PrepareEventCache before any worker starts — confirm.
type Engine struct {
	Layer1 []Layer1
	Layer2 []Layer2
	// EventsCache[l2_name][channel][eid] = l1events_enhanced
	EventsCache    map[string]map[string]map[string]Layer1EventsEnhanced
	DoubleQuotes   map[string]common.Params // per-channel quoting rules, see GetDoubleQuotesForChannel
	SIDList        map[string]string
	VariousMappers map[string]common.Params
	Common         Layer1 // fields shared by every event, presumably the base of PrepareCommonFieldsEmptyOrderedDict — confirm
	Maps_path      string
	OutputFormat   string
	// NOTE(review): the maps above are not safe for concurrent writes. Any mutation
	// after StartL1Workers/StartL2Workers (IncreaseUsageCounterForLayer2 writes
	// Layer2.UsageCounter) needs a mutex or must be confined to the setup phase — confirm.
}
func (*Engine) AllowLayerToBeAppendedBasedOnL2Name ¶
func (e *Engine) AllowLayerToBeAppendedBasedOnL2Name(IncludeOnly common.CommaSeparated, ExcludeOnly common.CommaSeparated, l2name string) bool
func (*Engine) FindL2LayerByName ¶
func (*Engine) GetAllLayer1WhichSupportsChannel ¶
func (*Engine) GetAllLayer1WhichSupportsLayer2 ¶
func (*Engine) GetCSVHeadersOrdered ¶
func (*Engine) GetDoubleQuotesForChannel ¶
func (*Engine) GetEIDDescription ¶
func (e *Engine) GetEIDDescription(ev_map *ordereddict.Dict, l2_name string) string
func (*Engine) IncreaseUsageCounterForLayer2 ¶
func (*Engine) IsEfiSupported ¶
func (e *Engine) IsEfiSupported(efi *common.EvtxFileInfo)
func (*Engine) LoadLayer1 ¶
func (e *Engine) LoadLayer1(IncludeOnly common.CommaSeparated, ExcludeOnly common.CommaSeparated)
func (*Engine) LoadLayer2 ¶
func (e *Engine) LoadLayer2(Output_dir string, IncludeOnly common.CommaSeparated, ExcludeOnly common.CommaSeparated)
func (*Engine) LoadParams ¶
func (e *Engine) LoadParams()
func (*Engine) ParseCommonFieldsOrderedDict ¶
func (*Engine) ParseL2FieldsOrderedDict ¶
func (*Engine) PrepareCommonAndLayer2FieldsEmptyOrderedDict ¶
func (e *Engine) PrepareCommonAndLayer2FieldsEmptyOrderedDict(l2_name string) *ordereddict.Dict
func (*Engine) PrepareCommonFieldsEmptyOrderedDict ¶
func (e *Engine) PrepareCommonFieldsEmptyOrderedDict() *ordereddict.Dict
func (*Engine) PrepareEventCache ¶
func (e *Engine) PrepareEventCache()
func (*Engine) PrepareLayer2FieldsEmptyOrderedDict ¶
func (e *Engine) PrepareLayer2FieldsEmptyOrderedDict(l2_name string) *ordereddict.Dict
func (*Engine) SingleFieldExtractor ¶
func (e *Engine) SingleFieldExtractor(function string) common.SingleField
type HostnameToChannels ¶
// HostnameToChannels is the channel registry of a single hostname, keyed by
// channel name; Layer1GlobalMemory.Hclist holds one per computer.
type HostnameToChannels struct {
	Channels map[string]ChannelTOEID
}
func NewHostnameToChannels ¶
func NewHostnameToChannels() HostnameToChannels
type Layer1 ¶
// Layer1 is one loaded layer-1 definition: the events it recognises (per EID),
// how their attributes are extracted, and the Layer2 the results are sent to.
type Layer1 struct {
	Info           Layer1Info
	Sendto_layer2  string                          // name of the consuming Layer2, see Engine.GetAllLayer1WhichSupportsLayer2
	Ordered_fields []string
	Events         map[string]Layer1Events         // raw (string-rule) form; key is presumably the EID — confirm
	EventsEnhanced map[string]Layer1EventsEnhanced // compiled form of Events, built by NewLayer1EventsEnhanced
	Options        map[string]string
}
type Layer1Events ¶
// Layer1Events is the raw, as-loaded description of one event: extraction
// expressions and matching rules still in string form. NewLayer1EventsEnhanced
// turns it into a Layer1EventsEnhanced.
type Layer1Events struct {
	Attrib_extraction []string // uncompiled extraction expressions
	Short_description string
	Provider_guid     string
	Provider_name     string
	Matching_Rules    MatchingRulesT
}
type Layer1EventsEnhanced ¶
// Layer1EventsEnhanced is the compiled counterpart of Layer1Events: same
// provider identity and rules, but Attrib_extraction holds parsed
// common.ExtractedFunction values. Stored in Engine.EventsCache and Layer1.EventsEnhanced.
type Layer1EventsEnhanced struct {
	Attrib_extraction []common.ExtractedFunction
	Short_description string // surfaced by Engine.GetEIDDescription — presumably
	Provider_guid     string
	Provider_name     string
	Matching_Rules    MatchingRulesT
}
func NewLayer1EventsEnhanced ¶
func NewLayer1EventsEnhanced(l1e *Layer1Events) Layer1EventsEnhanced
type Layer1GlobalMemory ¶
// Layer1GlobalMemory is the state shared by all layer-1 workers: the per-host
// channel registry, the WaitGroup the workers join, and a running worker count.
type Layer1GlobalMemory struct {
	Hclist                 map[string]HostnameToChannels // keyed by computer name, see HClistAddHostname
	Wg_l1_all              *sync.WaitGroup
	Atomic_Counter_Workers uint64 // presumably accessed via sync/atomic (PrintRemaingWorkers takes *uint64) — confirm; if so, keep it 64-bit aligned on 32-bit platforms
}
func NewLayer1GlobalMemory ¶
func NewLayer1GlobalMemory() Layer1GlobalMemory
func (*Layer1GlobalMemory) HClistAddChan ¶
func (l1globmem *Layer1GlobalMemory) HClistAddChan(latest_computer string, channel string, eid string, provider_guid string, provider_name string, attrib_extraction []common.ExtractedFunction, Matching_Rules MatchingRulesT, ch chan *eventmap.EventMap)
func (*Layer1GlobalMemory) HClistAddChannel ¶
func (l1globmem *Layer1GlobalMemory) HClistAddChannel(latest_computer string, channel string)
func (*Layer1GlobalMemory) HClistAddEID ¶
func (l1globmem *Layer1GlobalMemory) HClistAddEID(latest_computer string, channel string, eid string, provider_guid string, provider_name string, Matching_Rules MatchingRulesT)
func (*Layer1GlobalMemory) HClistAddHostname ¶
func (l1globmem *Layer1GlobalMemory) HClistAddHostname(latest_computer string)
func (*Layer1GlobalMemory) SetupWorkers ¶
func (l1globmem *Layer1GlobalMemory) SetupWorkers(e *Engine, efi []common.EvtxFileInfo, l2globmem *Layer2GlobalMemory)
func (*Layer1GlobalMemory) StartL1Workers ¶
func (l1globmem *Layer1GlobalMemory) StartL1Workers(e *Engine, efi []common.EvtxFileInfo, l2globmem *Layer2GlobalMemory, WorkersLimit int)
type Layer1Info ¶
type Layer2 ¶
// Layer2 is one loaded layer-2 (output) definition: how fields are remapped and
// transformed, and how the result is written out.
type Layer2 struct {
	Info                        Layer2Info
	Output                      Layer2Output
	Aggregation_options         map[string]string
	Fields_remap                map[string]string
	Fields_remap_dict           *ordereddict.Dict // ordered view of Fields_remap — presumably; confirm
	Field_extra_transformations []common.Layer2FieldExtraTransformations
	Ordered_fields              []string
	Ordered_fields_enhanced     map[string]common.SingleField // extractor per field, see Engine.SingleFieldExtractor — presumably
	UsageCounter                int                           // bumped by Engine.IncreaseUsageCounterForLayer2; NOTE(review): a plain int is not safe to increment from several goroutines
}
type Layer2GlobalMemory ¶
// Layer2GlobalMemory owns every Layer2SingleLayer (one per L2 name and computer,
// see SetupLayer2SingleLayer / FindLayer2SingleLayer) and the WaitGroup the
// layer-2 workers join.
type Layer2GlobalMemory struct {
	// NOTE(review): FindLayer2SingleLayer returns *Layer2SingleLayer, i.e. a pointer
	// into this slice. An append after such pointers have been handed out can
	// reallocate the backing array and leave them pointing at stale copies — confirm
	// that all SetupLayer2SingleLayer calls finish before any pointer is used.
	Layers    []Layer2SingleLayer
	Wg_l2_all *sync.WaitGroup
}
func NewLayer2GlobalMemory ¶
func NewLayer2GlobalMemory() Layer2GlobalMemory
func (*Layer2GlobalMemory) FindLayer2SingleLayer ¶
func (l2mem *Layer2GlobalMemory) FindLayer2SingleLayer(l2_name string, latest_computer string) *Layer2SingleLayer
func (*Layer2GlobalMemory) SetupChannelKillers ¶
func (l2mem *Layer2GlobalMemory) SetupChannelKillers()
func (*Layer2GlobalMemory) SetupChannels ¶
func (l2mem *Layer2GlobalMemory) SetupChannels(engi *Engine, efi []common.EvtxFileInfo)
func (*Layer2GlobalMemory) SetupLayer2SingleLayer ¶
func (l2mem *Layer2GlobalMemory) SetupLayer2SingleLayer(l2_name string, latest_computer string, engine *Engine)
func (*Layer2GlobalMemory) SetupOptions ¶
func (l2mem *Layer2GlobalMemory) SetupOptions(ScriptBlocksXor bool)
func (*Layer2GlobalMemory) StartL2Workers ¶
func (l2mem *Layer2GlobalMemory) StartL2Workers(engi *Engine)
type Layer2Info ¶
type Layer2Output ¶
type Layer2SingleLayer ¶
// Layer2SingleLayer is the per-(L2 name, computer) output unit worked on by
// RunL2Worker / RunL2WorkerFlat / RunL2WorkerPowershellScriptblock; its
// Get*Path methods resolve where that unit's output is written.
type Layer2SingleLayer struct {
	// contains filtered or unexported fields
}
func NewLayer2SingleLayer ¶
func NewLayer2SingleLayer(l2_name string, latest_computer string, engine *Engine) Layer2SingleLayer
func (*Layer2SingleLayer) GetComputerDir ¶
func (l2s *Layer2SingleLayer) GetComputerDir() string
func (*Layer2SingleLayer) GetOngoingOutputPath ¶
func (l2s *Layer2SingleLayer) GetOngoingOutputPath() string
func (*Layer2SingleLayer) GetOutputFormatExtension ¶
func (l2s *Layer2SingleLayer) GetOutputFormatExtension() string
func (*Layer2SingleLayer) GetOutputFormatName ¶
func (l2s *Layer2SingleLayer) GetOutputFormatName() string
func (*Layer2SingleLayer) GetOutputPath ¶
func (l2s *Layer2SingleLayer) GetOutputPath() string
func (*Layer2SingleLayer) GetScriptBlockOutputPath ¶
func (l2s *Layer2SingleLayer) GetScriptBlockOutputPath(filename string) string
func (*Layer2SingleLayer) IncrementWorkerCounter ¶
func (l2s *Layer2SingleLayer) IncrementWorkerCounter()
type LogicEngine ¶
// LogicEngine evaluates an event's attribute map against MatchingRulesT rule
// sets and provider tests, and resolves which ChanFullInfo channels should
// receive the event (ReturnMatchingChanFullInfo). Create it with NewLogicEngine
// and seed it with SetSupportedEIDs.
type LogicEngine struct {
	// contains filtered or unexported fields
}
func NewLogicEngine ¶
func NewLogicEngine() LogicEngine
func (*LogicEngine) AreLogicalTestsPassed ¶
func (le *LogicEngine) AreLogicalTestsPassed(ev_map *ordereddict.Dict, MR MatchingRulesT, attrib_extraction []common.ExtractedFunction) bool
func (*LogicEngine) CanWeFinishNow ¶
func (le *LogicEngine) CanWeFinishNow(global_logic string, all_containers_result []bool) (bool, bool)
func (*LogicEngine) CaseSensiveFlagToBool ¶
func (le *LogicEngine) CaseSensiveFlagToBool(CaseSensitive string) bool
func (*LogicEngine) EvaluateRule ¶
func (le *LogicEngine) EvaluateRule(rule common.ExtractedLogic, attrib_map *ordereddict.Dict) bool
func (*LogicEngine) EvaluateSingleAndContainer ¶
func (le *LogicEngine) EvaluateSingleAndContainer(container_rules []common.ExtractedLogic, attrib_map *ordereddict.Dict) bool
func (*LogicEngine) EvaluateSingleOrContainer ¶
func (le *LogicEngine) EvaluateSingleOrContainer(container_rules []common.ExtractedLogic, attrib_map *ordereddict.Dict) bool
func (*LogicEngine) IsProviderTestPassed ¶
func (le *LogicEngine) IsProviderTestPassed(ev_map *ordereddict.Dict, Provider_guid string, Provider_name string) bool
func (*LogicEngine) ReturnMatchingChanFullInfo ¶
func (le *LogicEngine) ReturnMatchingChanFullInfo(ev_map *ordereddict.Dict) []ChanFullInfo
func (*LogicEngine) SetSupportedEIDs ¶
func (le *LogicEngine) SetSupportedEIDs(supported_eids ChannelTOEID)
func (*LogicEngine) SingleMatchDecimalEqual ¶
func (le *LogicEngine) SingleMatchDecimalEqual(event_value interface{}, ExpectedValue string) bool
func (*LogicEngine) SingleMatchSubstring ¶
func (le *LogicEngine) SingleMatchSubstring(event_value interface{}, ExpectedValue string, CaseSensitive bool) bool
type MatchingRulesT ¶
// MatchingRulesT is the rule set of one event: OR and AND containers in their
// raw string form and, after EnhanceRulesInPlace, their compiled ExtractedLogic
// form. Global_Logic is the operator combining the containers' results
// (consumed by LogicEngine.CanWeFinishNow).
type MatchingRulesT struct {
	Global_Logic          string
	Container_Or          [][]string
	Container_OrEnhanced  [][]common.ExtractedLogic // compiled from Container_Or — presumably by EnhanceRulesInPlace; confirm
	Container_And         [][]string
	Container_AndEnhanced [][]common.ExtractedLogic // compiled from Container_And, same caveat
}
func (*MatchingRulesT) EnhanceRulesInPlace ¶
func (MRT *MatchingRulesT) EnhanceRulesInPlace()