Documentation
¶
Index ¶
- func CaseSensitive(e *RuleEvaluator)
- func LazyEvaluation(e *RuleEvaluator)
- type Event
- type GroupedByValues
- type Option
- func AverageImplementation(...) Option
- func CountImplementation(count func(ctx context.Context, key GroupedByValues) (float64, error)) Option
- func SumImplementation(...) Option
- func WithConfig(config ...sigma.Config) Option
- func WithPlaceholderExpander(f func(ctx context.Context, placeholderName string) ([]string, error)) Option
- type Result
- type RuleEvaluator
- func (rule *RuleEvaluator) GetFieldValuesFromEvent(field string, event Event) ([]interface{}, error)
- func (rule RuleEvaluator) Indexes() []string
- func (rule RuleEvaluator) Matches(ctx context.Context, event Event) (Result, error)
- func (rule RuleEvaluator) RelevantToEvent(ctx context.Context, eventIndex string, event Event) (bool, error)
- type RuleEvaluatorBundle
- type RuleResult
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CaseSensitive ¶
func CaseSensitive(e *RuleEvaluator)
CaseSensitive turns off the default Sigma behaviour that string operations are by default case-insensitive This can increase performance (especially for larger events) by skipping expensive calls to strings.ToLower
func LazyEvaluation ¶
func LazyEvaluation(e *RuleEvaluator)
LazyEvaluation allows the evaluator to skip evaluating searches if they won't affect the overall match result
Types ¶
type Event ¶
type Event interface{}
Event should be some form a map[string]interface{} or map[string]string
type GroupedByValues ¶
type GroupedByValues struct {
ConditionID int // TODO: there's some forward/backward compatibility pitfalls here: what happens if you switch the order of conditions in your Sigma file?
EventValues map[string]interface{}
}
GroupedByValues contains the fields that uniquely identify a distinct aggregation statistic. Think of it like a ratelimit key.
For example, if a Sigma rule has a condition like this (attempting to detect login brute forcing)
detection:
login_attempt:
# something here
condition:
login_attempt | count() by (username) > 100
timeframe: 1m
Conceptually there's a bunch of boxes somewhere (one for each username) containing their current count. Each different GroupedByValues points to a different box.
GroupedByValues
|| ___↓↓___ ________ | User A | | User B | |__2041__| |___01___|
It's up to your implementation to ensure that different GroupedByValues map to different boxes (although a default Key() method is provided which is good enough for most use cases)
func (GroupedByValues) Key ¶
func (a GroupedByValues) Key() string
type Option ¶
type Option func(*RuleEvaluator)
func AverageImplementation ¶
func CountImplementation ¶
func SumImplementation ¶
func WithConfig ¶
type RuleEvaluator ¶
func (*RuleEvaluator) GetFieldValuesFromEvent ¶
func (rule *RuleEvaluator) GetFieldValuesFromEvent(field string, event Event) ([]interface{}, error)
func (RuleEvaluator) Indexes ¶
func (rule RuleEvaluator) Indexes() []string
func (RuleEvaluator) RelevantToEvent ¶
func (rule RuleEvaluator) RelevantToEvent(ctx context.Context, eventIndex string, event Event) (bool, error)
RelevantToEvent calculates whether a rule is applicable to an event based on:
- Whether the rule has been configured with a config file that matches the eventIndex
- Whether the event matches the conditions from the config file
type RuleEvaluatorBundle ¶
type RuleEvaluatorBundle struct {
// contains filtered or unexported fields
}
func ForRules ¶
func ForRules(rules []sigma.Rule, options ...Option) RuleEvaluatorBundle
ForRules compiles a set of rule evaluators which are evaluated together allowing for use of more efficient string matching algorithms
func (RuleEvaluatorBundle) Matches ¶
func (bundle RuleEvaluatorBundle) Matches(ctx context.Context, event Event) ([]RuleResult, error)
Source Files
Directories