yevaluator

package

v1.4.1 Latest Latest Go to latest Published: Mar 9, 2024 License: MIT Imports: 10 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/mtnmunuklu/alterix

Links

Open Source Insights

Documentation ¶

Index ¶

type Option
- func WithConfig(config ...yara.Config) Option
type Result
type RuleEvaluator
- func ForRule(rule *ast.Rule, options ...Option) *RuleEvaluator
- func (rule RuleEvaluator) Alters() (Result, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Option ¶

type Option func(*RuleEvaluator)

Option is a function that takes a RuleEvaluator pointer and modifies its configuration

func WithConfig ¶

func WithConfig(config ...yara.Config) Option

WithConfig returns an Option that sets the provided Sigma configs to the RuleEvaluator. The configs are used to initialize the RuleEvaluator, which creates field mappings and indexes for efficient evaluation of Sigma rules. The configs should be provided in the order of precedence, and the function will append them to the RuleEvaluator's config slice. After the configs are set, the function will recalculate the RuleEvaluator's indexes and field mappings.

type Result ¶

type Result struct {
	MetaResults     map[string]string
	StringsResults  map[string]string // The map of strings identifiers to their result values
	ConditionResult string            // The map of condition indices to their result values
	QueryResult     string            // The map of query indices to their result values
}

Result represents the evaluation result of a Sigma rule. It contains the search, condition, aggregation, and query results of the rule evaluation.

type RuleEvaluator ¶

type RuleEvaluator struct {
	*ast.Rule
	// contains filtered or unexported fields
}

RuleEvaluator represents a rule evaluator that is capable of computing the search, condition, and query results of a Yara rule. It holds the rule configuration, search conditions, and field mappings necessary to apply the rule to log events and generate the query results.

func ForRule ¶

func ForRule(rule *ast.Rule, options ...Option) *RuleEvaluator

ForRule constructs a new RuleEvaluator with the given Sigma rule and evaluation options. It applies any provided options to the new RuleEvaluator and returns it.

func (RuleEvaluator) Alters ¶

func (rule RuleEvaluator) Alters() (Result, error)

This function returns a Result object containing the evaluation results for the rule's Detection field. It uses the evaluateSearch, evaluateSearchExpression and evaluateAggregationExpression functions to compute the results.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
modifiers

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL