- Variables
- type Engine
- func (e *Engine) AddRule(r *rules.CompiledRule) error
- func (e *Engine) AddToContainer(container, value string)
- func (e *Engine) AddTraceRules(ruleList ...*rules.CompiledRule)
- func (e *Engine) Blacklist(value string)
- func (e *Engine) BlacklistLen() int
- func (e *Engine) Count() int
- func (e *Engine) GetCRuleByName(name string) (r *rules.CompiledRule)
- func (e *Engine) GetRawRule(regex string) (cs chan string)
- func (e *Engine) GetRawRuleByName(name string) string
- func (e *Engine) GetRuleNames() (names []string)
- func (e *Engine) Load(rulefile string) error
- func (e *Engine) LoadContainer(container string, reader io.Reader)
- func (e *Engine) LoadDirectory(rulesDir string) error
- func (e *Engine) LoadReader(reader io.ReadSeeker) error
- func (e *Engine) LoadTemplate(templatefile string) error
- func (e *Engine) Match(event *evtx.GoEvtxMap) (names []string, criticality int)
- func (e *Engine) MatchOrFilter(event *evtx.GoEvtxMap) (names []string, criticality int, filtered bool)
- func (e *Engine) SetDumpRaw(value bool)
- func (e *Engine) SetFilters(names, tags []string)
- func (e *Engine) SetShowAttck(value bool)
- func (e *Engine) Tags() []string
- func (e *Engine) Whitelist(value string)
- func (e *Engine) WhitelistLen() int
- type ErrRuleExist
- type Stats
Variables ¶
var (
	// GeneInfoPath is the path to the Gene information in a modified event.
	// Every other annotation path below is nested under this one.
	GeneInfoPath = evtx.Path("/Event/GeneInfo")
	// CriticalityPath is the path to the criticality information.
	CriticalityPath = evtx.Path("/Event/GeneInfo/Criticality")
	// SignaturePath is the path to the signature match information.
	SignaturePath = evtx.Path("/Event/GeneInfo/Signature")
	// AttackPath is the path to the MITRE ATT&CK information.
	AttackPath = evtx.Path("/Event/GeneInfo/Attack")
	// ActionsPath is the path to the actions information.
	ActionsPath = evtx.Path("/Event/GeneInfo/Actions")
	// DefaultRuleExtensions holds the default file extensions recognised
	// for rule files.
	DefaultRuleExtensions = datastructs.NewInitSyncedSet(".gen", ".gene")
	// DefaultTplExtensions holds the default file extensions recognised
	// for template files.
	DefaultTplExtensions = datastructs.NewInitSyncedSet(".tpl")
)
Types ¶
type Engine ¶
// Engine manages a set of compiled rules and matches events against them.
// It embeds an RWMutex, so an Engine must not be copied after first use;
// pass it by pointer.
type Engine struct {
	sync.RWMutex
	// Stats holds the engine statistics.
	Stats Stats
	// ShowActions and ShowAttack are display flags; presumably they control
	// whether actions / ATT&CK information is added to matching events
	// (see ActionsPath, AttackPath and SetShowAttck) — confirm against Match.
	ShowActions bool
	ShowAttack  bool
	// contains filtered or unexported fields (omitted by the documentation renderer)
}
Engine is the rule engine that manages a set of rules.
func (*Engine) AddRule ¶
func (e *Engine) AddRule(r *rules.CompiledRule) error
AddRule adds a rule to the current engine
func (*Engine) AddToContainer ¶ added in v1.4.4
AddToContainer adds a value to the given container, creating the container if needed. The string pushed to the container is lower-cased (behaviour of AddStringToContainer).
func (*Engine) AddTraceRules ¶
func (e *Engine) AddTraceRules(ruleList ...*rules.CompiledRule)
AddTraceRules adds rules generated on the fly when trace mode is enabled.
func (*Engine) BlacklistLen ¶
BlacklistLen returns the size of the blacklist
func (*Engine) GetCRuleByName ¶
func (e *Engine) GetCRuleByName(name string) (r *rules.CompiledRule)
GetCRuleByName gets a compiled rule by its name.
func (*Engine) GetRawRule ¶
GetRawRule returns the raw rule(s) whose name matches the given regex. It is convenient for retrieving a rule after template replacement.
func (*Engine) GetRawRuleByName ¶ added in v1.6.10
GetRawRuleByName returns the raw rule for a given rule name
func (*Engine) GetRuleNames ¶ added in v1.6.10
GetRuleNames returns a slice containing the names of all the rules loaded in the engine.
func (*Engine) LoadContainer ¶ added in v1.4.5
LoadContainer loads every line read from reader into the named container.
func (*Engine) LoadDirectory ¶ added in v1.4.2
LoadDirectory loads all the templates and rules inside a directory
func (*Engine) LoadReader ¶
func (e *Engine) LoadReader(reader io.ReadSeeker) error
LoadReader loads rules from a ReadSeeker.
func (*Engine) LoadTemplate ¶
LoadTemplate loads a template from a file
func (*Engine) MatchOrFilter ¶ added in v1.6.4
func (e *Engine) MatchOrFilter(event *evtx.GoEvtxMap) (names []string, criticality int, filtered bool)
MatchOrFilter checks whether any rule of the engine matches the event. The only difference from Match is that it also returns a flag indicating whether the event is filtered.
func (*Engine) SetDumpRaw ¶
SetDumpRaw sets the dumpRaw flag.
func (*Engine) SetFilters ¶
SetFilters sets the filters to use in the engine
func (*Engine) SetShowAttck ¶ added in v1.5.0
SetShowAttck sets the engine flag to display ATT&CK information in matching events. Note: the member was private before; this method is kept for compatibility purposes.
func (*Engine) WhitelistLen ¶
WhitelistLen returns the size of the whitelist
type ErrRuleExist ¶
// ErrRuleExist is the error type for a rule that already exists in the
// engine; presumably returned by AddRule on a duplicate rule name — confirm
// against the implementation.
type ErrRuleExist struct {
	// contains filtered or unexported fields (omitted by the documentation renderer)
}
ErrRuleExist definition