Package sevaluator

v1.4.1 Latest

Warning: This package is not in the latest version of its module.
Published: Mar 9, 2024 License: MIT Imports: 6 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CaseSensitive

func CaseSensitive(e *RuleEvaluator)

CaseSensitive turns off the default Sigma behaviour whereby string operations are case-insensitive. This can increase performance (especially for larger events) by skipping expensive calls to strings.ToLower.

func FuzzRuleMatches

func FuzzRuleMatches(data []byte) int

FuzzRuleMatches is a fuzz entry point that checks whether a given input byte slice can trigger an alteration to the system.

Types

type Option

type Option func(*RuleEvaluator)

Option is a function that takes a RuleEvaluator pointer and modifies its configuration.

func WithConfig

func WithConfig(config ...sigma.Config) Option

WithConfig returns an Option that sets the provided Sigma configs to the RuleEvaluator. The configs are used to initialize the RuleEvaluator, which creates field mappings and indexes for efficient evaluation of Sigma rules. The configs should be provided in the order of precedence, and the function will append them to the RuleEvaluator's config slice. After the configs are set, the function will recalculate the RuleEvaluator's indexes and field mappings.

func WithPlaceholderExpander

func WithPlaceholderExpander(f func(ctx context.Context, placeholderName string) ([]string, error)) Option

WithPlaceholderExpander returns an Option that sets the provided function as the placeholder expander for the RuleEvaluator. The placeholder expander is used to expand any placeholders that might be present in the Sigma rule before evaluation. The provided function should take a context and a placeholder name and return a slice of strings that replace the placeholder in the Sigma rule. If an error occurs during the expansion process, the function should return an error.

type Result

type Result struct {
	SearchResults      map[string][]string // The map of search identifiers to their result values
	ConditionResults   map[int][]string    // The map of condition indices to their result values
	AggregationResults map[int]string      // The map of aggregation indices to their result values
	QueryResults       map[int]string      // The map of query indices to their result values
}

Result represents the evaluation result of a Sigma rule. It contains the search, condition, aggregation, and query results of the rule evaluation.

type RuleEvaluator

type RuleEvaluator struct {
	sigma.Rule
	// contains filtered or unexported fields
}

RuleEvaluator represents a rule evaluator that is capable of computing the search, condition, and query results of a Sigma rule. It holds the rule configuration, search conditions, and field mappings necessary to apply the rule to log events and generate the query results.

func ForRule

func ForRule(rule sigma.Rule, options ...Option) *RuleEvaluator

ForRule constructs a new RuleEvaluator with the given Sigma rule and evaluation options. It applies any provided options to the new RuleEvaluator and returns it.
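As an added, self-contained illustration (not the sevaluator package's own code), the block below models the functional-option pattern that the CaseSensitive, WithPlaceholderExpander and ForRule signatures above describe. The stand-in Rule and Evaluator types, the Matches method, and the %admin_tools% placeholder are assumptions made for this example only; the real RuleEvaluator evaluates full Sigma detections and is not reproduced here. What the example shows is how the two options change the outcome for the same event: the default path lower-cases both sides (the strings.ToLower cost the CaseSensitive doc mentions), CaseSensitive compares bytes exactly, and a placeholder without a configured expander is surfaced as an error rather than silently matching nothing.

```go
package main

import (
	"context"
	"fmt"
	"strings"
)

// Rule is a hypothetical minimal detection: one event field compared against a
// list of values, any of which may be a %placeholder% (constructed for this example).
type Rule struct {
	Field  string
	Values []string
}

// Evaluator is a stand-in for the package's RuleEvaluator, holding only what the
// two options on this page configure.
type Evaluator struct {
	Rule
	caseSensitive bool
	expander      func(ctx context.Context, placeholderName string) ([]string, error)
}

// Option mirrors the page's Option type: a function that mutates the evaluator.
type Option func(*Evaluator)

// CaseSensitive matches the page's signature and is usable directly as an Option.
func CaseSensitive(e *Evaluator) { e.caseSensitive = true }

// WithPlaceholderExpander installs the callback that resolves %name% entries.
func WithPlaceholderExpander(f func(ctx context.Context, placeholderName string) ([]string, error)) Option {
	return func(e *Evaluator) { e.expander = f }
}

// ForRule builds the evaluator and applies the options in the order given.
func ForRule(r Rule, opts ...Option) *Evaluator {
	e := &Evaluator{Rule: r}
	for _, o := range opts {
		o(e)
	}
	return e
}

// expandValues replaces %name% entries using the expander. A placeholder with no
// expander configured is an error: a silently empty list would disable the detection.
func (e *Evaluator) expandValues(ctx context.Context) ([]string, error) {
	var out []string
	for _, v := range e.Values {
		if len(v) > 2 && strings.HasPrefix(v, "%") && strings.HasSuffix(v, "%") {
			if e.expander == nil {
				return nil, fmt.Errorf("placeholder %s present but no expander configured", v)
			}
			vals, err := e.expander(ctx, strings.Trim(v, "%"))
			if err != nil {
				return nil, err
			}
			out = append(out, vals...)
			continue
		}
		out = append(out, v)
	}
	return out, nil
}

// Matches reports whether event[Field] equals any expanded value. By default both
// sides are lower-cased (the ToLower cost CaseSensitive avoids); with CaseSensitive
// set the comparison is an exact byte comparison.
func (e *Evaluator) Matches(ctx context.Context, event map[string]string) (bool, error) {
	vals, err := e.expandValues(ctx)
	if err != nil {
		return false, err
	}
	got, ok := event[e.Field]
	if !ok {
		return false, nil
	}
	for _, want := range vals {
		if e.caseSensitive {
			if got == want {
				return true, nil
			}
		} else if strings.ToLower(got) == strings.ToLower(want) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample: a process-creation style event and a rule with one placeholder.
	rule := Rule{Field: "Image", Values: []string{"%admin_tools%", `c:\windows\system32\cmd.exe`}}
	expand := func(ctx context.Context, name string) ([]string, error) {
		if name == "admin_tools" {
			return []string{`C:\Tools\PsExec.exe`}, nil
		}
		return nil, fmt.Errorf("unknown placeholder %q", name)
	}
	event := map[string]string{"Image": `C:\Windows\System32\cmd.exe`}
	ctx := context.Background()
	m1, _ := ForRule(rule, WithPlaceholderExpander(expand)).Matches(ctx, event)
	m2, _ := ForRule(rule, WithPlaceholderExpander(expand), CaseSensitive).Matches(ctx, event)
	_, err := ForRule(rule).Matches(ctx, event)
	fmt.Println("default:", m1, "case-sensitive:", m2, "no expander error:", err)
}
```

The order of options matters only in that later options override earlier ones, which is why ForRule applies them sequentially; the expander callback receives the context so a caller can bound placeholder lookups that hit a network or a database.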

func (RuleEvaluator) Alters

func (rule RuleEvaluator) Alters(ctx context.Context) (Result, error)

Alters returns a Result containing the evaluation results for the rule's Detection field. It uses the evaluateSearch, evaluateSearchExpression and evaluateAggregationExpression functions to compute the results.

func (RuleEvaluator) Indexes

func (rule RuleEvaluator) Indexes() []string

The Indexes method returns the possible indexes for the current rule.
