engine

Published: Jun 16, 2024 License: MIT Imports: 19 Imported by: 0


Constants

// CHANNEL_EVENT_CAPACITY is the buffer size for the event channels
// (chan *eventmap.EventMap) that connect Layer1 producers to Layer2 consumers.
// NOTE(review): the make() site is not visible here — confirm every event
// channel uses this constant, since an unbuffered channel would block the
// producer on a slow Layer2 worker.
const CHANNEL_EVENT_CAPACITY = 300

Variables

This section is empty.

Functions

func ChannelKiller

func ChannelKiller(l2s *Layer2SingleLayer)

func ConcurrencyUnlockNewWorkers

func ConcurrencyUnlockNewWorkers(ch_limit_worker chan struct{}, nr_of_files int)

func PrintRemaingWorkers

func PrintRemaingWorkers(Atomic_Counter_Workers *uint64)

func RunL1Worker

func RunL1Worker(Wg_l1_all *sync.WaitGroup, efi *common.EvtxFileInfo, Hclist HostnameToChannels, l2s_wg_to_close_channel_list []*sync.WaitGroup, ch_limit_worker chan struct{}, Atomic_Counter_Workers *uint64)

func RunL2Worker

func RunL2Worker(l2s *Layer2SingleLayer, Wg_l2_all *sync.WaitGroup)

func RunL2WorkerFlat

func RunL2WorkerFlat(l2s *Layer2SingleLayer)

func RunL2WorkerPowershellScriptblock

func RunL2WorkerPowershellScriptblock(l2s *Layer2SingleLayer)

Types

type ChanFullInfo

// ChanFullInfo pairs one event channel with the provider identity, the
// attribute-extraction functions and the matching rules that belong to it.
// Layer1GlobalMemory.HClistAddChan takes the same set of values as parameters,
// and LogicEngine.ReturnMatchingChanFullInfo returns the entries matching an event.
type ChanFullInfo struct {
	Chan              chan *eventmap.EventMap      // events for this (channel, eid) — presumably buffered with CHANNEL_EVENT_CAPACITY; TODO confirm
	Provider_guid     string                       // provider GUID checked by LogicEngine.IsProviderTestPassed
	Provider_name     string                       // provider name checked by LogicEngine.IsProviderTestPassed
	Attrib_extraction []common.ExtractedFunction   // extraction functions passed to LogicEngine.AreLogicalTestsPassed
	Matching_Rules    MatchingRulesT               // rules evaluated before an event is sent on Chan
}

type ChannelTOEID

// ChannelTOEID maps an event ID (string form) to the channels that consume it.
// LogicEngine.SetSupportedEIDs takes one of these for a single event-log channel.
type ChannelTOEID struct {
	Eid map[string]EIDToChan // key: event ID as a string (see the eid parameter of HClistAddEID)
}

type EIDToChan

// EIDToChan lists every consumer channel registered for one event ID.
type EIDToChan struct {
	Chans []ChanFullInfo // one entry per registered consumer (see Layer1GlobalMemory.HClistAddChan)
}

type Engine

// Engine holds the loaded Layer1 and Layer2 definitions, the per-layer event
// cache and the lookup tables used during field extraction. NewEngine
// constructs it; LoadParams, LoadLayer1 and LoadLayer2 populate it (the
// required call order is not shown here). Several Layer1 and Layer2 workers
// receive a *Engine, so NOTE(review): confirm the maps below are only read
// once workers start — concurrent map writes are not goroutine-safe.
type Engine struct {
	Layer1         []Layer1
	Layer2         []Layer2
	EventsCache    map[string]map[string]map[string]Layer1EventsEnhanced // EventsCache[l2_name][channel][eid] = l1events_enhanced; filled by PrepareEventCache
	DoubleQuotes   map[string]common.Params                              // per-channel quoting rules, see GetDoubleQuotesForChannel
	SIDList        map[string]string                                     // SID -> name lookup, presumably; TODO confirm key/value direction
	VariousMappers map[string]common.Params
	Common         Layer1 // fields shared by every Layer2 output (see PrepareCommonFieldsEmptyOrderedDict)
	Maps_path      string // directory the mapping files are loaded from (NewEngine's maps_path)
	OutputFormat   string // output format name (NewEngine's output_format); see Layer2SingleLayer.GetOutputFormatName
}

func NewEngine

func NewEngine(output_format string, maps_path string) Engine

func (*Engine) AllowLayerToBeAppendedBasedOnL2Name

func (e *Engine) AllowLayerToBeAppendedBasedOnL2Name(IncludeOnly common.CommaSeparated, ExcludeOnly common.CommaSeparated, l2name string) bool

func (*Engine) FindL2LayerByName

func (e *Engine) FindL2LayerByName(name string) *Layer2

func (*Engine) GetAllLayer1WhichSupportsChannel

func (e *Engine) GetAllLayer1WhichSupportsChannel(channel string) []*Layer1

func (*Engine) GetAllLayer1WhichSupportsLayer2

func (e *Engine) GetAllLayer1WhichSupportsLayer2(l2_name string) []Layer1

func (*Engine) GetCSVHeadersOrdered

func (e *Engine) GetCSVHeadersOrdered(l2_name string) []string

func (*Engine) GetDoubleQuotesForChannel

func (e *Engine) GetDoubleQuotesForChannel(channel string) map[string]string

func (*Engine) GetEIDDescription

func (e *Engine) GetEIDDescription(ev_map *ordereddict.Dict, l2_name string) string

func (*Engine) IncreaseUsageCounterForLayer2

func (e *Engine) IncreaseUsageCounterForLayer2(l2name string)

func (*Engine) IsEfiSupported

func (e *Engine) IsEfiSupported(efi *common.EvtxFileInfo)

func (*Engine) LoadLayer1

func (e *Engine) LoadLayer1(IncludeOnly common.CommaSeparated, ExcludeOnly common.CommaSeparated)

func (*Engine) LoadLayer2

func (e *Engine) LoadLayer2(Output_dir string, IncludeOnly common.CommaSeparated, ExcludeOnly common.CommaSeparated)

func (*Engine) LoadParams

func (e *Engine) LoadParams()

func (*Engine) ParseCommonFieldsOrderedDict

func (e *Engine) ParseCommonFieldsOrderedDict(ev_map *eventmap.EventMap, l2_name string) *ordereddict.Dict

func (*Engine) ParseL2FieldsOrderedDict

func (e *Engine) ParseL2FieldsOrderedDict(l2_name string, ev_map *eventmap.EventMap) *ordereddict.Dict

func (*Engine) PrepareCommonAndLayer2FieldsEmptyOrderedDict

func (e *Engine) PrepareCommonAndLayer2FieldsEmptyOrderedDict(l2_name string) *ordereddict.Dict

func (*Engine) PrepareCommonFieldsEmptyOrderedDict

func (e *Engine) PrepareCommonFieldsEmptyOrderedDict() *ordereddict.Dict

func (*Engine) PrepareEventCache

func (e *Engine) PrepareEventCache()

func (*Engine) PrepareLayer2FieldsEmptyOrderedDict

func (e *Engine) PrepareLayer2FieldsEmptyOrderedDict(l2_name string) *ordereddict.Dict

func (*Engine) SingleFieldExtractor

func (e *Engine) SingleFieldExtractor(function string) common.SingleField

type HostnameToChannels

// HostnameToChannels maps an event-log channel name to its event-ID table for
// one host. Construct with NewHostnameToChannels so the map is initialized.
type HostnameToChannels struct {
	Channels map[string]ChannelTOEID // key: channel name (see the channel parameter of HClistAddChannel)
}

func NewHostnameToChannels

func NewHostnameToChannels() HostnameToChannels

type Layer1

// Layer1 is a loaded Layer1 definition: which channel it covers, which Layer2
// it forwards to, and its per-event-ID extraction rules in raw and enhanced form.
type Layer1 struct {
	Info           Layer1Info
	Sendto_layer2  string                          // name of the Layer2 this layer feeds (see GetAllLayer1WhichSupportsLayer2)
	Ordered_fields []string                        // field order, presumably used for CSV headers; TODO confirm
	Events         map[string]Layer1Events         // key: event ID string, raw definition
	EventsEnhanced map[string]Layer1EventsEnhanced // key: event ID string, parsed form (see NewLayer1EventsEnhanced)
	Options        map[string]string
}

type Layer1Events

// Layer1Events is the raw (string-based) per-event-ID definition as loaded from
// a Layer1 map file. NewLayer1EventsEnhanced converts it to Layer1EventsEnhanced.
type Layer1Events struct {
	Attrib_extraction []string // extraction expressions, unparsed
	Short_description string   // human-readable description (see Engine.GetEIDDescription)
	Provider_guid     string
	Provider_name     string
	Matching_Rules    MatchingRulesT
}

type Layer1EventsEnhanced

// Layer1EventsEnhanced is Layer1Events with Attrib_extraction parsed into
// common.ExtractedFunction values. Built by NewLayer1EventsEnhanced and cached
// in Engine.EventsCache.
type Layer1EventsEnhanced struct {
	Attrib_extraction []common.ExtractedFunction // parsed counterpart of Layer1Events.Attrib_extraction
	Short_description string
	Provider_guid     string
	Provider_name     string
	Matching_Rules    MatchingRulesT
}

func NewLayer1EventsEnhanced

func NewLayer1EventsEnhanced(l1e *Layer1Events) Layer1EventsEnhanced

type Layer1GlobalMemory

// Layer1GlobalMemory is the state shared by the Layer1 workers started via
// StartL1Workers. Construct with NewLayer1GlobalMemory.
type Layer1GlobalMemory struct {
	Hclist                 map[string]HostnameToChannels // key: hostname (the latest_computer parameter of the HClistAdd* methods). NOTE(review): if RunL1Worker goroutines mutate this map concurrently it needs a mutex; verify
	Wg_l1_all              *sync.WaitGroup               // waited on for all Layer1 workers (passed to RunL1Worker)
	Atomic_Counter_Workers uint64                        // worker counter passed by pointer to RunL1Worker and PrintRemaingWorkers; the name suggests sync/atomic access — TODO confirm no plain reads/writes
}

func NewLayer1GlobalMemory

func NewLayer1GlobalMemory() Layer1GlobalMemory

func (*Layer1GlobalMemory) HClistAddChan

func (l1globmem *Layer1GlobalMemory) HClistAddChan(latest_computer string, channel string, eid string, provider_guid string, provider_name string, attrib_extraction []common.ExtractedFunction, Matching_Rules MatchingRulesT, ch chan *eventmap.EventMap)

func (*Layer1GlobalMemory) HClistAddChannel

func (l1globmem *Layer1GlobalMemory) HClistAddChannel(latest_computer string, channel string)

func (*Layer1GlobalMemory) HClistAddEID

func (l1globmem *Layer1GlobalMemory) HClistAddEID(latest_computer string, channel string, eid string, provider_guid string, provider_name string, Matching_Rules MatchingRulesT)

func (*Layer1GlobalMemory) HClistAddHostname

func (l1globmem *Layer1GlobalMemory) HClistAddHostname(latest_computer string)

func (*Layer1GlobalMemory) SetupWorkers

func (l1globmem *Layer1GlobalMemory) SetupWorkers(e *Engine, efi []common.EvtxFileInfo, l2globmem *Layer2GlobalMemory)

func (*Layer1GlobalMemory) StartL1Workers

func (l1globmem *Layer1GlobalMemory) StartL1Workers(e *Engine, efi []common.EvtxFileInfo, l2globmem *Layer2GlobalMemory, WorkersLimit int)

type Layer1Info

// Layer1Info identifies a Layer1 definition and the event-log channel it applies to.
type Layer1Info struct {
	Typ            string
	Source_comment string // free-text provenance of the map file
	Channel        string // event-log channel name (see Engine.GetAllLayer1WhichSupportsChannel)
}

type Layer2

// Layer2 is a loaded Layer2 definition: its identity, output destination,
// field remapping/transformation rules and the final field order.
type Layer2 struct {
	Info                        Layer2Info
	Output                      Layer2Output
	Aggregation_options         map[string]string
	Fields_remap                map[string]string                          // raw field rename table
	Fields_remap_dict           *ordereddict.Dict                          // ordered form of Fields_remap, presumably; TODO confirm
	Field_extra_transformations []common.Layer2FieldExtraTransformations
	Ordered_fields              []string                                   // output column order (see Engine.GetCSVHeadersOrdered)
	Ordered_fields_enhanced     map[string]common.SingleField              // per-field extractor (see Engine.SingleFieldExtractor)
	UsageCounter                int                                        // bumped by Engine.IncreaseUsageCounterForLayer2
}

type Layer2GlobalMemory

// Layer2GlobalMemory is the state shared by the Layer2 workers started via
// StartL2Workers. Construct with NewLayer2GlobalMemory; SetupChannels,
// SetupChannelKillers and SetupOptions configure it before the workers run.
type Layer2GlobalMemory struct {
	Layers    []Layer2SingleLayer // one entry per (Layer2 name, computer) pair (see FindLayer2SingleLayer)
	Wg_l2_all *sync.WaitGroup     // waited on for all Layer2 workers (passed to RunL2Worker)
}

func NewLayer2GlobalMemory

func NewLayer2GlobalMemory() Layer2GlobalMemory

func (*Layer2GlobalMemory) FindLayer2SingleLayer

func (l2mem *Layer2GlobalMemory) FindLayer2SingleLayer(l2_name string, latest_computer string) *Layer2SingleLayer

func (*Layer2GlobalMemory) SetupChannelKillers

func (l2mem *Layer2GlobalMemory) SetupChannelKillers()

func (*Layer2GlobalMemory) SetupChannels

func (l2mem *Layer2GlobalMemory) SetupChannels(engi *Engine, efi []common.EvtxFileInfo)

func (*Layer2GlobalMemory) SetupLayer2SingleLayer

func (l2mem *Layer2GlobalMemory) SetupLayer2SingleLayer(l2_name string, latest_computer string, engine *Engine)

func (*Layer2GlobalMemory) SetupOptions

func (l2mem *Layer2GlobalMemory) SetupOptions(ScriptBlocksXor bool)

func (*Layer2GlobalMemory) StartL2Workers

func (l2mem *Layer2GlobalMemory) StartL2Workers(engi *Engine)

type Layer2Info

// Layer2Info identifies a Layer2 definition by type and name.
type Layer2Info struct {
	Typ  string
	Name string // looked up by Engine.FindL2LayerByName
}

type Layer2Output

// Layer2Output describes where a Layer2's results are written.
type Layer2Output struct {
	Typ                   string
	Category              string
	Subcategory           string
	Filename              string // output file name. NOTE(review): confirm it cannot contain path separators or ".." before it is joined with GlobalOutputDirectory
	GlobalOutputDirectory string // root directory for all Layer2 output (LoadLayer2's Output_dir, presumably; TODO confirm)
}

type Layer2SingleLayer

// Layer2SingleLayer is the per-(Layer2 name, computer) worker state; its
// Get*Path methods compute the output locations and IncrementWorkerCounter
// tracks the producers still feeding it. Construct with NewLayer2SingleLayer.
type Layer2SingleLayer struct {
	// contains filtered or unexported fields
}

func NewLayer2SingleLayer

func NewLayer2SingleLayer(l2_name string, latest_computer string, engine *Engine) Layer2SingleLayer

func (*Layer2SingleLayer) GetComputerDir

func (l2s *Layer2SingleLayer) GetComputerDir() string

func (*Layer2SingleLayer) GetOngoingOutputPath

func (l2s *Layer2SingleLayer) GetOngoingOutputPath() string

func (*Layer2SingleLayer) GetOutputFormatExtension

func (l2s *Layer2SingleLayer) GetOutputFormatExtension() string

func (*Layer2SingleLayer) GetOutputFormatName

func (l2s *Layer2SingleLayer) GetOutputFormatName() string

func (*Layer2SingleLayer) GetOutputPath

func (l2s *Layer2SingleLayer) GetOutputPath() string

func (*Layer2SingleLayer) GetScriptBlockOutputPath

func (l2s *Layer2SingleLayer) GetScriptBlockOutputPath(filename string) string

func (*Layer2SingleLayer) IncrementWorkerCounter

func (l2s *Layer2SingleLayer) IncrementWorkerCounter()

type LogicEngine

// LogicEngine evaluates MatchingRulesT and provider checks against an event's
// ordered dict (AreLogicalTestsPassed, EvaluateRule, IsProviderTestPassed).
// Construct with NewLogicEngine and set the supported event IDs with SetSupportedEIDs.
type LogicEngine struct {
	// contains filtered or unexported fields
}

func NewLogicEngine

func NewLogicEngine() LogicEngine

func (*LogicEngine) AreLogicalTestsPassed

func (le *LogicEngine) AreLogicalTestsPassed(ev_map *ordereddict.Dict, MR MatchingRulesT, attrib_extraction []common.ExtractedFunction) bool

func (*LogicEngine) CanWeFinishNow

func (le *LogicEngine) CanWeFinishNow(global_logic string, all_containers_result []bool) (bool, bool)

func (*LogicEngine) CaseSensiveFlagToBool

func (le *LogicEngine) CaseSensiveFlagToBool(CaseSensitive string) bool

func (*LogicEngine) EvaluateRule

func (le *LogicEngine) EvaluateRule(rule common.ExtractedLogic, attrib_map *ordereddict.Dict) bool

func (*LogicEngine) EvaluateSingleAndContainer

func (le *LogicEngine) EvaluateSingleAndContainer(container_rules []common.ExtractedLogic, attrib_map *ordereddict.Dict) bool

func (*LogicEngine) EvaluateSingleOrContainer

func (le *LogicEngine) EvaluateSingleOrContainer(container_rules []common.ExtractedLogic, attrib_map *ordereddict.Dict) bool

func (*LogicEngine) IsProviderTestPassed

func (le *LogicEngine) IsProviderTestPassed(ev_map *ordereddict.Dict, Provider_guid string, Provider_name string) bool

func (*LogicEngine) ReturnMatchingChanFullInfo

func (le *LogicEngine) ReturnMatchingChanFullInfo(ev_map *ordereddict.Dict) []ChanFullInfo

func (*LogicEngine) SetSupportedEIDs

func (le *LogicEngine) SetSupportedEIDs(supported_eids ChannelTOEID)

func (*LogicEngine) SingleMatchDecimalEqual

func (le *LogicEngine) SingleMatchDecimalEqual(event_value interface{}, ExpectedValue string) bool

func (*LogicEngine) SingleMatchSubstring

func (le *LogicEngine) SingleMatchSubstring(event_value interface{}, ExpectedValue string, CaseSensitive bool) bool

type MatchingRulesT

// MatchingRulesT holds the matching rules for one event definition: a global
// logic selector plus OR and AND rule containers in raw string form and in
// parsed (Enhanced) form. EnhanceRulesInPlace presumably fills the *Enhanced
// fields from the string containers — TODO confirm.
type MatchingRulesT struct {
	Global_Logic          string                    // combines container results (see LogicEngine.CanWeFinishNow)
	Container_Or          [][]string                // raw OR containers
	Container_OrEnhanced  [][]common.ExtractedLogic // parsed OR containers (see LogicEngine.EvaluateSingleOrContainer)
	Container_And         [][]string                // raw AND containers
	Container_AndEnhanced [][]common.ExtractedLogic // parsed AND containers (see LogicEngine.EvaluateSingleAndContainer)
}

func (*MatchingRulesT) EnhanceRulesInPlace

func (MRT *MatchingRulesT) EnhanceRulesInPlace()
