Documentation
Index
- Constants
- type Scanner
- func (s *Scanner) AddSignature(sig *detection.Signature) error
- func (s *Scanner) Close() error
- func (s *Scanner) GetDatabase() *detection.SignatureDatabase
- func (s *Scanner) GetSignature(id string) (*detection.Signature, error)
- func (s *Scanner) LoadDatabase(path string) error
- func (s *Scanner) SaveDatabase(path string) error
- func (s *Scanner) ScanCandidates(topo *topology.FunctionTopology) ([]*detection.Signature, error)
- func (s *Scanner) ScanTopology(topo *topology.FunctionTopology, funcName string) ([]detection.ScanResult, error)
- func (s *Scanner) ScanTopologyExact(topo *topology.FunctionTopology, funcName string) (*detection.ScanResult, error)
- func (s *Scanner) SetThreshold(threshold float64) error
Constants

const (
	// Prevents memory exhaustion attacks via massive JSON payloads.
	// 64MB is generous enough for thousands of signatures but stops an attacker
	// from blowing the heap with a 10GB padding bomb.
	MaxDBSizeBytes = 64 * 1024 * 1024

	// SecureFilePerms enforces owner-only read/write access.
	// We do not want the web server or other low-privilege users snooping on our logic.
	SecureFilePerms = 0600
)
Variables
This section is empty.
Functions
This section is empty.
Types
type Scanner
type Scanner struct {
// contains filtered or unexported fields
}
Scanner implements a JSON-backed signature store. We use a read/write mutex here because detection is heavily read-biased: we only want to stop the world when we are actually mutating the state; otherwise we let the readers swarm.
func NewScanner
func NewScanner() *Scanner
Creates a new scanner instance. We initialize with safe defaults so the thing works out of the box. Returning a nil db pointer would just be setting traps for our future selves.
func (*Scanner) AddSignature
func (s *Scanner) AddSignature(sig *detection.Signature) error
Adds a new signature to the database. We use crypto/rand for ID generation because math/rand is deterministic, and we don't want ID collisions if the seed isn't set properly.
func (*Scanner) Close
func (s *Scanner) Close() error
Close is a placeholder. Sometimes interfaces demand things we don't need, but we play along.
func (*Scanner) GetDatabase
func (s *Scanner) GetDatabase() *detection.SignatureDatabase
Returns a deep copy of the current signature database. We manually duplicate slice structures. If we just returned *s.db, the slice headers would still point to the same backing array.
func (*Scanner) GetSignature
func (s *Scanner) GetSignature(id string) (*detection.Signature, error)
Retrieves a signature by ID. Returns a deep copy to prevent the caller from modifying the internal database state without a lock. Shared mutable state is the root of all evil.
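The three ideas in AddSignature, GetDatabase and GetSignature (random IDs from crypto/rand, an RWMutex that lets readers run in parallel, and deep copies so callers can never reach the store's own slices) are shown together below. This is an added, self-contained example, not the package's code: the Signature, Store, newID, Add and Get names and the Hashes field are assumptions standing in for detection.Signature and the unexported Scanner fields, which the page does not show.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Signature is a stand-in for detection.Signature; the fields are assumed
// for this example (the real type is not shown on the page).
type Signature struct {
	ID     string
	Name   string
	Hashes []string // a slice field makes shallow vs. deep copy observable
}

// clone returns a deep copy: the Hashes slice gets its own backing array,
// so the caller can mutate the copy without touching the store's data.
func (s *Signature) clone() *Signature {
	c := *s
	c.Hashes = append([]string(nil), s.Hashes...)
	return &c
}

// Store mirrors the Scanner's locking model: readers share the lock,
// writers hold it exclusively.
type Store struct {
	mu   sync.RWMutex
	sigs []Signature
}

// newID draws 128 bits from crypto/rand; math/rand would be predictable
// and would collide if its seed were reused.
func newID() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", fmt.Errorf("generating signature id: %w", err)
	}
	return hex.EncodeToString(b[:]), nil
}

// Add stores a deep copy of sig under a fresh random ID and returns the ID.
func (st *Store) Add(sig *Signature) (string, error) {
	if sig == nil {
		return "", errors.New("nil signature")
	}
	id, err := newID()
	if err != nil {
		return "", err
	}
	c := sig.clone()
	c.ID = id
	st.mu.Lock()
	defer st.mu.Unlock()
	st.sigs = append(st.sigs, *c)
	return id, nil
}

// Get returns a deep copy of the signature with the given ID. Lookups only
// take the read lock, so they run concurrently with each other.
func (st *Store) Get(id string) (*Signature, error) {
	st.mu.RLock()
	defer st.mu.RUnlock()
	for i := range st.sigs {
		if st.sigs[i].ID == id {
			return st.sigs[i].clone(), nil
		}
	}
	return nil, fmt.Errorf("signature %q not found", id)
}

// Len reports how many signatures are stored.
func (st *Store) Len() int {
	st.mu.RLock()
	defer st.mu.RUnlock()
	return len(st.sigs)
}

func main() {
	st := &Store{}
	id, err := st.Add(&Signature{Name: "demo", Hashes: []string{"h1", "h2"}})
	if err != nil {
		panic(err)
	}
	got, _ := st.Get(id)
	got.Hashes[0] = "tampered" // only the caller's copy changes
	again, _ := st.Get(id)
	fmt.Printf("id=%s stored=%v copy=%v\n", id, again.Hashes, got.Hashes)
}
```

The copy is what makes the read lock sufficient: once Get returns, the caller holds memory that no other goroutine can see, so it can do whatever it likes with it without racing the next AddSignature. One Go-specific caveat worth keeping in mind when reading the ScanCandidates note further down: when append reallocates a slice, the garbage collector keeps the old backing array alive for as long as anything points into it, so a pointer taken before the reallocation reads stale data rather than faulting. The copy is still the right design, because stale data and the data race itself are the bugs you are avoiding.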
func (*Scanner) LoadDatabase
func (s *Scanner) LoadDatabase(path string) error
Loads signatures from a JSON file. This operation holds a Write lock because we are performing a brain transplant on the scanner. We cannot have readers looking at a half loaded struct.
func (*Scanner) SaveDatabase
func (s *Scanner) SaveDatabase(path string) error
Writes the signature database to a JSON file. We use a streaming encoder to avoid loading the entire JSON string into memory (heap protection), and an atomic write strategy (write to temp, sync, rename) so a power failure doesn't leave us with a 0-byte DB.
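The save and load paths described above (streaming encoder, temp-file-sync-rename, owner-only permissions, and the MaxDBSizeBytes cap from the Constants section) are worked through below as an added example; it is not the package's own SaveDatabase or LoadDatabase. The Entry and DB types, the SaveDB, LoadDB and loadDB names and the temp-file pattern are assumptions; only the two constants and the strategy come from the page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// The same limits the page documents for the Scanner.
const (
	MaxDBSizeBytes  = 64 * 1024 * 1024
	SecureFilePerms = 0o600
)

// Entry and DB are assumed shapes for this example, not the project's
// detection.SignatureDatabase.
type Entry struct {
	ID   string `json:"id"`
	Name string `json:"name"`
}

type DB struct {
	Version    int     `json:"version"`
	Signatures []Entry `json:"signatures"`
}

// SaveDB writes db atomically: encode into a temp file in the same directory
// (so the rename stays on one filesystem), fsync, close, then rename over the
// target. A crash mid-write leaves the previous file intact, never a 0-byte DB.
func SaveDB(path string, db *DB) (err error) {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".sigdb-*.tmp")
	if err != nil {
		return fmt.Errorf("creating temp file: %w", err)
	}
	tmpName := tmp.Name()
	defer func() {
		if err != nil {
			tmp.Close()        // harmless if already closed
			os.Remove(tmpName) // never leave a partial file behind
		}
	}()
	// Owner-only permissions, set before any data lands in the file.
	if err = tmp.Chmod(SecureFilePerms); err != nil {
		return fmt.Errorf("setting permissions: %w", err)
	}
	// Streaming encoder: JSON goes straight to the file, never into one big []byte.
	if err = json.NewEncoder(tmp).Encode(db); err != nil {
		return fmt.Errorf("encoding database: %w", err)
	}
	if err = tmp.Sync(); err != nil {
		return fmt.Errorf("syncing temp file: %w", err)
	}
	if err = tmp.Close(); err != nil {
		return fmt.Errorf("closing temp file: %w", err)
	}
	if err = os.Rename(tmpName, path); err != nil {
		return fmt.Errorf("renaming into place: %w", err)
	}
	return nil
}

// LoadDB reads the database, refusing anything larger than MaxDBSizeBytes.
func LoadDB(path string) (*DB, error) {
	return loadDB(path, MaxDBSizeBytes)
}

// loadDB is LoadDB with the limit as a parameter so the rejection path can
// be exercised without writing 64 MB to disk.
func loadDB(path string, limit int64) (*DB, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	fi, err := f.Stat()
	if err != nil {
		return nil, err
	}
	// Size check up front: a padding bomb is rejected before a single byte is parsed.
	if fi.Size() > limit {
		return nil, fmt.Errorf("database %s is %d bytes, limit is %d", path, fi.Size(), limit)
	}
	// LimitReader caps what the decoder can consume even if the file grows after Stat.
	var db DB
	if err := json.NewDecoder(io.LimitReader(f, limit)).Decode(&db); err != nil {
		return nil, fmt.Errorf("decoding %s: %w", path, err)
	}
	return &db, nil
}

func main() {
	path := filepath.Join(os.TempDir(), "sigdb-example.json")
	if err := SaveDB(path, &DB{Version: 1, Signatures: []Entry{{ID: "s1", Name: "demo"}}}); err != nil {
		panic(err)
	}
	db, err := LoadDB(path)
	if err != nil {
		panic(err)
	}
	fmt.Printf("loaded %d signature(s), version %d\n", len(db.Signatures), db.Version)
}
```

Two details matter for the atomicity claim: the temp file must live in the target's directory, because rename is only atomic within one filesystem, and Sync must come before Rename, otherwise the directory entry can point at a file whose contents have not reached disk yet. The size check on Stat plus the LimitReader is belt and braces: the first rejects the obvious bomb cheaply, the second holds even if something appends to the file between Stat and Decode.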
func (*Scanner) ScanCandidates
func (s *Scanner) ScanCandidates(topo *topology.FunctionTopology) ([]*detection.Signature, error)
Finds potential matches based on entropy and hash. CRITICAL: this returns pointers to NEW COPIES of the signatures. If we returned pointers into the existing slice, a subsequent AddSignature could trigger a slice reallocation, invalidating our pointers and crashing the app.
func (*Scanner) ScanTopology
func (s *Scanner) ScanTopology(topo *topology.FunctionTopology, funcName string) ([]detection.ScanResult, error)
Checks a function topology against all signatures. We explicitly lock here: iterating a slice while another goroutine appends to it is a data race in Go.
func (*Scanner) ScanTopologyExact
func (s *Scanner) ScanTopologyExact(topo *topology.FunctionTopology, funcName string) (*detection.ScanResult, error)
Checks a function topology against all signatures for an exact match.
func (*Scanner) SetThreshold
func (s *Scanner) SetThreshold(threshold float64) error
Sets the minimum confidence threshold for alerts. We validate inputs here to prevent NaN poisoning. If NaN gets into the confidence logic, comparisons will fail silently and we will miss detections.
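The NaN-poisoning failure mode is easy to reproduce: every ordered comparison involving NaN is false, so a NaN threshold (or a NaN confidence score) makes `confidence >= threshold` false forever and every detection is dropped with no error. The example below, added here and not the package's SetThreshold, shows the validation and the comparison it protects. The Thresholder type, ShouldAlert, unguardedCompare and the [0, 1] range are assumptions; the page only states that the value is a minimum confidence and that NaN must be kept out.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"sync"
)

// Thresholder holds the minimum confidence at which a match becomes an alert.
// The [0, 1] range is an assumption for this example.
type Thresholder struct {
	mu        sync.RWMutex
	threshold float64
}

// SetThreshold rejects NaN, infinities and out-of-range values before they
// can reach the comparison logic. The range check alone would not catch NaN:
// both `v < 0` and `v > 1` are false for NaN, so it needs its own test.
func (t *Thresholder) SetThreshold(v float64) error {
	switch {
	case math.IsNaN(v):
		return errors.New("threshold must not be NaN")
	case math.IsInf(v, 0):
		return errors.New("threshold must be finite")
	case v < 0 || v > 1:
		return fmt.Errorf("threshold %v outside [0, 1]", v)
	}
	t.mu.Lock()
	defer t.mu.Unlock()
	t.threshold = v
	return nil
}

// ShouldAlert reports whether confidence meets the threshold. A NaN
// confidence is rejected explicitly for the same reason: `NaN >= x` is
// always false, which would silently suppress the alert.
func (t *Thresholder) ShouldAlert(confidence float64) (bool, error) {
	if math.IsNaN(confidence) {
		return false, errors.New("confidence is NaN")
	}
	t.mu.RLock()
	defer t.mu.RUnlock()
	return confidence >= t.threshold, nil
}

// unguardedCompare shows the failure mode the validation prevents: with a
// NaN on either side, the comparison is false and nothing ever alerts.
func unguardedCompare(confidence, threshold float64) bool {
	return confidence >= threshold
}

func main() {
	var th Thresholder
	fmt.Println("NaN rejected:", th.SetThreshold(math.NaN()) != nil)
	if err := th.SetThreshold(0.7); err != nil {
		panic(err)
	}
	hit, _ := th.ShouldAlert(0.9)
	miss, _ := th.ShouldAlert(0.5)
	fmt.Printf("0.9 alerts=%v 0.5 alerts=%v\n", hit, miss)
	fmt.Println("with a NaN threshold, confidence 1.0 alerts:", unguardedCompare(1.0, math.NaN()))
}
```

Returning an error from ShouldAlert for a NaN score, rather than quietly answering false, is the same principle applied one step later: a score that cannot be compared is a bug in the scoring path, and a missed detection should surface as an error, not disappear.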