filter

func CompileExpression ¶

func CompileExpression(expression string, recordType types.Type) (*vm.Program, error)

CompileExpression compiles an expr-lang expression for a specific audit record type. The expression has access to all fields of the audit record and helper functions.

func Contains ¶

func Contains(slice any, value any) bool

Contains checks if a slice contains a specific value. Supports []string, []int, and []int32 (common in protobuf).

func ContainsAny ¶

func ContainsAny(str string, substrs []string) bool

ContainsAny checks if a string contains any of the provided substrings.

func CreateEnvironment ¶

func CreateEnvironment(record types.AuditRecord) map[string]any

CreateEnvironment creates an expression environment from an audit record. This makes all fields of the record accessible in expressions. Note: Helper functions are declared via expr.Function() in CompileExpression() with explicit type signatures.

func DurationSince ¶

func DurationSince(ts int64) int64

DurationSince returns the duration in nanoseconds since a given timestamp.

func EvaluateExpression ¶

func EvaluateExpression(program *vm.Program, record types.AuditRecord) (bool, error)

EvaluateExpression evaluates a compiled expression against an audit record. Returns true if the record matches the filter, false otherwise.

func FormatTime ¶

func FormatTime(ts int64, format string) string

FormatTime formats a timestamp (nanoseconds) according to the provided format string. Uses Go's time format layout (e.g., "2006-01-02 15:04:05").

func HasKey ¶

func HasKey(m any, key string) bool

HasKey checks if a map contains a specific key. Supports map[string]string and map[string]interface{}.

func InSubnet ¶

func InSubnet(ip, cidr string) bool

InSubnet checks if an IP address is within a given CIDR subnet.

func IsPrivateIP ¶

func IsPrivateIP(ip string) bool

IsPrivateIP checks if an IP address is in a private range.

func IsPublicIP ¶

func IsPublicIP(ip string) bool

IsPublicIP checks if an IP address is a public (non-private) address.

func MatchesPattern ¶

func MatchesPattern(str, pattern string) bool

MatchesPattern checks if a string matches a regular expression pattern. Compiled regexes are cached to avoid recompilation on repeated calls.

When the binary is built with `-tags hyperscan` and the pattern is one Hyperscan accepts, the boolean answer is taken directly from a per-pattern Hyperscan database (single-pattern block-mode DBs return the same true/false predicate as RE2 for the HS-supported subset of PCRE). Patterns Hyperscan refuses to compile transparently fall through to the existing RE2 cache path so behaviour is preserved.

func MustCompileExpression ¶

func MustCompileExpression(expression string, recordType types.Type) *vm.Program

MustCompileExpression compiles an expression and panics on error. Useful for static expressions that are known to be valid.

func ParsePort ¶

func ParsePort(port string) int

ParsePort converts a port string to an integer. Returns 0 if the string cannot be parsed.

func PortInRange ¶

func PortInRange(port, start, end int) bool

PortInRange checks if a port is within a given range (inclusive).

func TimeInRange ¶

func TimeInRange(ts, start, end int64) bool

TimeInRange checks if a timestamp (nanoseconds) is within a given range.