package engine
v1.6.14
Published: Jul 6, 2021 License: GPL-3.0 Imports: 19 Imported by: 2

Documentation

Index

Constants

This section is empty.

Variables

var (
	// GeneInfoPath path to the Gene information in a modified event
	GeneInfoPath = evtx.Path("/Event/GeneInfo")
	// CriticalityPath path to criticality information
	CriticalityPath = evtx.Path("/Event/GeneInfo/Criticality")
	// SignaturePath path to signature match information
	SignaturePath = evtx.Path("/Event/GeneInfo/Signature")
	// AttackPath path to MITRE ATT&CK information
	AttackPath = evtx.Path("/Event/GeneInfo/Attack")
	// ActionsPath path to actions
	ActionsPath = evtx.Path("/Event/GeneInfo/Actions")

	// DefaultRuleExtensions default extensions for rule files
	DefaultRuleExtensions = datastructs.NewInitSyncedSet(".gen", ".gene")
	// DefaultTplExtensions default extensions for template files
	DefaultTplExtensions = datastructs.NewInitSyncedSet(".tpl")
)

Functions

This section is empty.

Types

type Engine

type Engine struct {
	sync.RWMutex

	// engine statistics
	Stats       Stats
	ShowActions bool
	ShowAttack  bool
	// contains filtered or unexported fields
}

Engine defines the engine managing several rules

func NewEngine

func NewEngine(trace bool) (e Engine)

NewEngine creates a new engine

func (*Engine) AddRule

func (e *Engine) AddRule(r *rules.CompiledRule) error

AddRule adds a rule to the current engine

func (*Engine) AddToContainer added in v1.4.4

func (e *Engine) AddToContainer(container, value string)

AddToContainer adds a value to a given container and creates the container if needed. The string pushed to the container is lower-cased (behaviour of AddSTringToContainer).

func (*Engine) AddTraceRules

func (e *Engine) AddTraceRules(ruleList ...*rules.CompiledRule)

AddTraceRules adds rules generated on the fly when trace mode is enabled

func (*Engine) Blacklist

func (e *Engine) Blacklist(value string)

Blacklist inserts a value to be blacklisted

func (*Engine) BlacklistLen

func (e *Engine) BlacklistLen() int

BlacklistLen returns the size of the blacklist

func (*Engine) Count

func (e *Engine) Count() int

Count returns the number of rules successfully loaded

func (*Engine) GetCRuleByName

func (e *Engine) GetCRuleByName(name string) (r *rules.CompiledRule)

GetCRuleByName gets a compiled rule by its name

func (*Engine) GetRawRule

func (e *Engine) GetRawRule(regex string) (cs chan string)

GetRawRule returns, over a channel, the raw rules whose names match regex. It is convenient for inspecting a rule after template replacement.

func (*Engine) GetRawRuleByName added in v1.6.10

func (e *Engine) GetRawRuleByName(name string) string

GetRawRuleByName returns the raw rule for a given rule name

func (*Engine) GetRuleNames added in v1.6.10

func (e *Engine) GetRuleNames() (names []string)

GetRuleNames returns a slice containing the names of all the rules loaded in the engine

func (*Engine) Load

func (e *Engine) Load(rulefile string) error

Load loads a rule file into the current engine

func (*Engine) LoadContainer added in v1.4.5

func (e *Engine) LoadContainer(container string, reader io.Reader)

LoadContainer loads every line found in reader into the container

func (*Engine) LoadDirectory added in v1.4.2

func (e *Engine) LoadDirectory(rulesDir string) error

LoadDirectory loads all the templates and rules inside a directory

func (*Engine) LoadReader

func (e *Engine) LoadReader(reader io.ReadSeeker) error

LoadReader loads rules from a ReadSeeker

func (*Engine) LoadTemplate

func (e *Engine) LoadTemplate(templatefile string) error

LoadTemplate loads a template from a file

func (*Engine) Match

func (e *Engine) Match(event *evtx.GoEvtxMap) (names []string, criticality int)

Match (deprecated) checks whether any rule of the engine matches the event

func (*Engine) MatchOrFilter added in v1.6.4

func (e *Engine) MatchOrFilter(event *evtx.GoEvtxMap) (names []string, criticality int, filtered bool)

MatchOrFilter checks whether any rule of the engine matches the event. The only difference from Match is that it also returns a flag indicating whether the event was filtered.

func (*Engine) SetDumpRaw

func (e *Engine) SetDumpRaw(value bool)

SetDumpRaw sets the dumpRaw flag

func (*Engine) SetFilters

func (e *Engine) SetFilters(names, tags []string)

SetFilters sets the filters to use in the engine

func (*Engine) SetShowAttck added in v1.5.0

func (e *Engine) SetShowAttck(value bool)

SetShowAttck sets the engine flag to display ATT&CK information in matching events. Update: the member was private before; this method is kept for compatibility purposes.

func (*Engine) Tags

func (e *Engine) Tags() []string

Tags returns the tags of the rules currently loaded into the engine

func (*Engine) Whitelist

func (e *Engine) Whitelist(value string)

Whitelist inserts a value to be whitelisted

func (*Engine) WhitelistLen

func (e *Engine) WhitelistLen() int

WhitelistLen returns the size of the whitelist

type ErrRuleExist

type ErrRuleExist struct {
	// contains filtered or unexported fields
}

ErrRuleExist definition

func (ErrRuleExist) Error

func (e ErrRuleExist) Error() string

Error implements the error interface

type Stats added in v1.6.0

type Stats struct {
	Scanned   uint64
	Positives uint64
}
