Index ¶
- func BinaryRescanRuleWatcher(bindb *gorm.DB, ruleChanged <-chan fsnotify.Event, ...)
- func PipeWorker(dest chan<- fsnotify.Event, source <-chan fsnotify.Event, wg *sync.WaitGroup)
- func ResultDBWorker(db *gorm.DB, scanResults <-chan BinaryMatches, wg *sync.WaitGroup)
- func ScanningWorker(binDir string, toScan <-chan fsnotify.Event, scanResults chan<- BinaryMatches, ...)
- type BinaryMatches
- type RulesetProvider
- type Scanner
- type WatchedRulesetProvider
Functions ¶
func BinaryRescanRuleWatcher ¶
func BinaryRescanRuleWatcher(bindb *gorm.DB, ruleChanged <-chan fsnotify.Event, tobeScanned chan<- fsnotify.Event, wg *sync.WaitGroup)
BinaryRescanRuleWatcher uses rule-change notifications from ruleChanged to query the DB and sends the hash-name of every stored binary on tobeScanned, so that all of the bins are scanned again with the new ruleset. Note that every rule event therefore queues a full rescan of the corpus; a rule directory that changes frequently will keep the scanning workers busy.
func PipeWorker ¶
PipeWorker joins two channels: the file events from source and the artificial channel hosted by the Scanner (see the usage below), forwarding everything it receives to dest.
func ResultDBWorker ¶
func ResultDBWorker(db *gorm.DB, scanResults <-chan BinaryMatches, wg *sync.WaitGroup)
ResultDBWorker reads BinaryMatches from scanResults and records each one in the DB.
func ScanningWorker ¶
func ScanningWorker(binDir string, toScan <-chan fsnotify.Event, scanResults chan<- BinaryMatches, rulesetProvider *WatchedRulesetProvider, wg *sync.WaitGroup)
ScanningWorker is a goroutine worker that scans the files named by the events on toScan with the ruleset currently held by rulesetProvider, and sends each file's matches on scanResults. Event names are presumably resolved relative to binDir — confirm against the source.
Types ¶
type BinaryMatches ¶
// BinaryMatches pairs one scanned binary, identified by its hash (which is
// also used as its file name), with the yara rules that matched it.
type BinaryMatches struct {
	// Matches is the set of yara results produced by scanning the file.
	Matches []yara.MatchRule
	// FileHash identifies the scanned binary.
	FileHash string
}
BinaryMatches pairs a binary hash (also its file name) with the set of results, []yara.MatchRule, produced by the yara scan of that file.
type RulesetProvider ¶
// RulesetProvider is any source of yara rules. Besides GetRules, an
// implementation must be able to (re)load its rules and run/stop a
// background update loop.
type RulesetProvider interface {
	// LoadRules loads the rule source and builds the ruleset.
	LoadRules() error
	// GetRules returns the current ruleset, or an error if it cannot be provided.
	GetRules() (*yara.Rules, error)
	// Go runs the provider's update loop; wg tracks the goroutine it runs in.
	Go(wg *sync.WaitGroup)
	// Stop shuts the update loop down.
	Stop()
}
RulesetProvider is any source of yara rules. Beyond GetRules, an implementation must also provide LoadRules, Go and Stop, as listed in the interface above.
type Scanner ¶
// Scanner monitors a rule directory and a bin directory, scans binaries as
// they (or the rules) change, and records the results in the configured DB.
type Scanner struct {
	// RuleDir is the directory of yara rules being watched. NOTE(review):
	// whoever can write to this directory controls what the scanner detects,
	// so keep it writable only by trusted rule maintainers.
	RuleDir string
	// BinDir is the directory of binaries to be scanned.
	BinDir string
	// RulesetProvider supplies the compiled ruleset. It is the concrete
	// *WatchedRulesetProvider, not the RulesetProvider interface.
	RulesetProvider *WatchedRulesetProvider
	// ScanningChan carries the fsnotify events that name files to scan.
	ScanningChan chan fsnotify.Event
	// contains filtered or unexported fields
}
Scanner monitors a rule directory and a bin directory, scans binaries as change events arrive, and records the results in the configured DB.
func NewScanner ¶
NewScanner returns a new scanner, or an error if construction fails
func NewScannerDBString ¶
NewScannerDBString returns a scanner, or error if construction fails
func (*Scanner) GetRules ¶
GetRules returns the rules from the underlying provider, or an error if that fails
type WatchedRulesetProvider ¶
// WatchedRulesetProvider is a RulesetProvider that reloads its rules when
// the watched rule directory changes. NOTE(review): because changes are
// picked up automatically, write access to RuleDir is equivalent to control
// over what the scanner matches.
type WatchedRulesetProvider struct {
	// Compiler is the yara compiler used to build the ruleset.
	Compiler *yara.Compiler
	// IncomingRulesChan receives rule-directory change events.
	IncomingRulesChan chan fsnotify.Event
	// OutgoingRulesChan re-emits rule events for downstream consumers
	// (presumably BinaryRescanRuleWatcher); it is what Stop closes.
	OutgoingRulesChan chan fsnotify.Event
	// RuleDB is the rule database handle.
	RuleDB *gorm.DB
	// The embedded RWMutex presumably guards the ruleset across updates and
	// GetRules calls. Embedding it exports Lock/RLock on this type, and a
	// struct containing a mutex must never be copied — always pass a pointer.
	sync.RWMutex
	// RuleDir is the directory of yara rule files that is watched.
	RuleDir string
	// contains filtered or unexported fields
}
WatchedRulesetProvider is a RulesetProvider that reloads and recompiles the rules whenever files in the watched rule directory change. Because changes are applied automatically, write access to that directory is equivalent to control over what the scanner detects; restrict it accordingly.
func NewWatchedRulesetProvider ¶
func NewWatchedRulesetProvider(ruleDir string, ruleDb *gorm.DB, rulesUpdateChan chan fsnotify.Event) (*WatchedRulesetProvider, error)
NewWatchedRulesetProvider is the factory that builds a working WatchedRulesetProvider for ruleDir, ruleDb and rulesUpdateChan, or returns an error if construction fails.
func (*WatchedRulesetProvider) GetRules ¶
func (wrp *WatchedRulesetProvider) GetRules() (rules *yara.Rules, err error)
GetRules returns the current rules from the underlying provider, or an error if that fails.
func (*WatchedRulesetProvider) Go ¶
func (wrp *WatchedRulesetProvider) Go(wg *sync.WaitGroup)
Go runs the provider's update loop and should be started in its own goroutine; wg tracks that goroutine. While running it keeps the rules updated as change events arrive.
func (*WatchedRulesetProvider) LoadRules ¶
func (wrp *WatchedRulesetProvider) LoadRules() error
LoadRules loads a directory of yara rules and compiles them into the ruleset served by GetRules.
func (*WatchedRulesetProvider) Stop ¶
func (wrp *WatchedRulesetProvider) Stop()
Stop closes the provider's output channel. Call it exactly once, after the update loop is no longer needed: closing an already-closed channel panics in Go.