Documentation
¶
Index ¶
- func BinaryRescanRuleWatcher(bindb *gorm.DB, ruleChanged <-chan fsnotify.Event, ...)
- func PipeWorker(dest chan<- fsnotify.Event, source <-chan fsnotify.Event, wg *sync.WaitGroup)
- func ResultDBWorker(db *gorm.DB, scanResults <-chan BinaryMatches, wg *sync.WaitGroup)
- func ScanningWorker(binDir string, toScan <-chan fsnotify.Event, scanResults chan<- BinaryMatches, ...)
- type BinaryMatches
- type RulesetProvider
- type Scanner
- type WatchedRulesetProvider
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func BinaryRescanRuleWatcher ¶
func BinaryRescanRuleWatcher(bindb *gorm.DB, ruleChanged <-chan fsnotify.Event, tobeScanned chan<- fsnotify.Event, wg *sync.WaitGroup)
BinaryRescanRuleWatcher Uses rule notifications to query the DB, and send a list of binary-hash-names to be scanned-again with the new ruleset (ie , all of the bins)
func PipeWorker ¶
PipeWorker joins two channels (the file events, and the artifical channel hosted by the scanner, is the usage below)
func ResultDBWorker ¶
func ResultDBWorker(db *gorm.DB, scanResults <-chan BinaryMatches, wg *sync.WaitGroup)
ResultDBWorker enters Results into the DB
func ScanningWorker ¶
func ScanningWorker(binDir string, toScan <-chan fsnotify.Event, scanResults chan<- BinaryMatches, rulesetProvider *WatchedRulesetProvider, wg *sync.WaitGroup)
ScanningWorker go routine worker that knows how to scan files by name using a configured ruleset
Types ¶
type BinaryMatches ¶
type BinaryMatches struct {
Matches []yara.MatchRule
FileHash string
}
BinaryMatches pairs a Binary-Hash/filename with set of results from yarascans - [] yara.MatchRule
type RulesetProvider ¶
type RulesetProvider interface {
LoadRules() error
GetRules() (*yara.Rules, error)
Go(wg *sync.WaitGroup)
Stop()
}
RulesetProvider is any source of yara rules providing a GetRules function
type Scanner ¶
type Scanner struct {
RuleDir string
BinDir string
RulesetProvider *WatchedRulesetProvider
ScanningChan chan fsnotify.Event
// contains filtered or unexported fields
}
Scanner type monitors a rule directory, a bin directory, and timely scans binaries and records the results in the configured DB
func NewScanner ¶
NewScanner returns a new scanner, or an error if construction fails
func NewScannerDBString ¶
NewScannerDBString returns a scanner, or error if construction fails
func (*Scanner) GetRules ¶
GetRules returns the rules from the underlying provider, or an error if that fails
type WatchedRulesetProvider ¶
type WatchedRulesetProvider struct {
Compiler *yara.Compiler
IncomingRulesChan chan fsnotify.Event
OutgoingRulesChan chan fsnotify.Event
RuleDB *gorm.DB
sync.RWMutex
RuleDir string
// contains filtered or unexported fields
}
WatchedRulesetProvider is a RulesetProvider that updates the rules when they change
func NewWatchedRulesetProvider ¶
func NewWatchedRulesetProvider(ruleDir string, ruleDb *gorm.DB, rulesUpdateChan chan fsnotify.Event) (*WatchedRulesetProvider, error)
NewWatchedRulesetProvider factory method constructing a working RulesetProvider
func (*WatchedRulesetProvider) GetRules ¶
func (wrp *WatchedRulesetProvider) GetRules() (rules *yara.Rules, err error)
GetRules returns the current rules from the underlying provider
func (*WatchedRulesetProvider) Go ¶
func (wrp *WatchedRulesetProvider) Go(wg *sync.WaitGroup)
Go -- run in a goroutine and update rules
func (*WatchedRulesetProvider) LoadRules ¶
func (wrp *WatchedRulesetProvider) LoadRules() error
LoadRules load a directory of yara rules and generates a ruleset for yara
func (*WatchedRulesetProvider) Stop ¶
func (wrp *WatchedRulesetProvider) Stop()
Stop closes output channel
Source Files