engine

package
Published: Mar 19, 2026 License: MIT Imports: 19 Imported by: 0

Constants

// Type tags for resolved field offsets. The values presumably land in the
// *Type fields of Offsets (which are plain ints) — confirm against ParseOffset.
const (
	OffsetsTypeString = iota // 0: string field
	OffsetsTypeInt64         // 1: int64 field
	OffsetsTypeTime          // 2: time field
)

Variables

var (
	// UtilsUnexpected is the catch-all "unexpected error" code of the utils package.
	// errors.NewCode is not the standard library errors package; it is a project
	// package that builds a coded error from (category, code, message).
	UtilsUnexpected = errors.NewCode(0, 0x01010001, "unexpected error")
)

utils utils包错误

Functions

func StructElem

func StructElem[E string | int64 | bool, T any](p *T, offset uintptr) (pOut E)

func StructElemPointer

func StructElemPointer[E string | int64 | bool, T any](p *T, offset uintptr) (pOut *E)

func ToLower

func ToLower(c byte) byte

Types

type Behavior

// Behavior is the structured "5W1H"-style description of what a rule detects,
// loaded from the rule YAML (see SigmaYml.Behavior). The matching field
// offsets inside the log type are kept separately in Offsets.
type Behavior struct {
	Object      string   `yaml:"Object"`      // primary (first-level) subject
	Objects     []string `yaml:"Objects"`     // primary subjects, list form
	Subject     string   `yaml:"Subject"`     // secondary subject, used when the primary one is empty
	When        string   `yaml:"When"`        // execution time
	Who         string   `yaml:"Who"`         // identity / privilege; the exact executing entity
	What        string   `yaml:"What"`        // action
	Role        string   `yaml:"Role"`        // privilege / role
	Where       string   `yaml:"Where"`       // execution location
	Why         string   `yaml:"Why"`         // intended to hold explanatory text
	Whom        string   `yaml:"Whom"`        // associated / related entity
	Which       string   `yaml:"Which"`       // marker, e.g. normal / attack / script / service
	How         string   `yaml:"How"`         // description of how it was done
	HowMuch     string   `yaml:"HowMuch"`     // frequency
	Effect      string   `yaml:"Effect"`      // intended to express the range of change
	Environment string   `yaml:"Environment"` // intended to identify the context
}

type ConditionMerge

// ConditionMerge is the condition part of a merge-rule detection
// (DetectionMerge.Condition).
type ConditionMerge struct {
	TimeWindow string   `yaml:"time_window"` // time window; supported units: hour/min/sec
	GroupBys   []string `yaml:"group_by"`    // group-by keys
}

type ConditionMul

// ConditionMul is the condition part of a multiple-rule detection
// (DetectionMul.Condition). Its fields mirror SQL GROUP BY / HAVING.
type ConditionMul struct {
	TimeWindow  string         `yaml:"time_window"` // time window
	GroupBys    []string       `yaml:"group_by"`    // group-by keys
	Havings     []string       `yaml:"having"`      // having clauses: filters on the groups (WHERE cannot be combined with aggregate functions)
	CountLimits map[string]int `yaml:"count"`       // count limits: lower bound per key; rows whose count falls below it are dropped
}

type DataHit

// DataHit is one matched record returned by MergeRuleset.Eval / StreamRuleset.Eval,
// identifying which rules (by family) produced the hit and pointing at the data.
type DataHit[T any] struct {
	MulRuleID    int64    // ID of the multiple rule that fired
	MainRuleID   int64    // main (primary) event ID
	SingleRuleID int64    // ID of the single rule that fired
	EventID      int64    // event identifier (see StreamRuleset.ResetEventID)
	Score        int16    // score assigned to the hit — TODO confirm how it is derived
	RuleType     RuleType // which rule family produced this hit
	Data         *T       // the matched record; shared, not copied
}

type DetectionMerge

// DetectionMerge is the detection section of a merge rule (SigmaYmlMerge.Detection).
type DetectionMerge struct {
	Selection map[string]int64 `yaml:"selection"` // where clauses, combined with AND
	Condition ConditionMerge   `yaml:"condition"` // where condition
}

type DetectionMul

// DetectionMul is the detection section of a multiple rule (SigmaYmlMul.Detection).
type DetectionMul struct {
	Object    string           `yaml:"object"`    // subject rule: the association graph / process tree is drawn around it
	Ordered   bool             `yaml:"ordered"`   // rules must match in order; when set, count has no effect
	Selection map[string]int64 `yaml:"selection"` // where clauses, combined with AND
	Condition ConditionMul     `yaml:"condition"` // where condition
}

type Group

// Group is an opaque per-group accumulator used by the multiple/merge rulesets;
// all of its fields are unexported. Presumably keyed by the group_by columns of
// ConditionMul / ConditionMerge — confirm in the source.
type Group[T any] struct {
	// contains filtered or unexported fields
}

type HavingElem

// HavingElem is one parsed "having" entry, addressed by the rule it belongs to
// and the key it constrains (see ConditionMul.Havings). The remaining fields
// are unexported.
type HavingElem struct {
	RuleID int64  // rule the having clause belongs to
	Key    string // group-by key the clause constrains
	// contains filtered or unexported fields
}

type MGroup

// MGroup is a mutex-guarded group. Because the sync.Mutex is embedded, Lock and
// Unlock are promoted onto MGroup itself, and the type must only be handled by
// pointer (copying a locked mutex is a vet error).
type MGroup struct {
	sync.Mutex // lock used to implement single-flight (singleflight) execution
	// contains filtered or unexported fields
}

type MergeRuleset

// MergeRuleset is the processing hub for merge rules over a stream of T.
// It is created by NewOneRulesetMerge / NewRulesetMerge / NewRulesetMergeByDir,
// must be prepared with Build, and is then queried through Eval.
type MergeRuleset[T any] struct {
	// contains filtered or unexported fields
}

MergeRuleset 流处理的处理中心

func NewOneRulesetMerge

func NewOneRulesetMerge[T any](ctx context.Context, bs []byte, in T) (rs *MergeRuleset[T], err error)

func NewRulesetMerge

func NewRulesetMerge[T any](ctx context.Context, ymls [][]byte, in T) (ruleset *MergeRuleset[T], err error)

func NewRulesetMergeByDir

func NewRulesetMergeByDir[T any](ctx context.Context, dir string, in T) (rs *MergeRuleset[T], err error)

func (*MergeRuleset[T]) Build

func (rs *MergeRuleset[T]) Build() (err error)

func (MergeRuleset[T]) Eval

func (rs MergeRuleset[T]) Eval(ruleID int64, m *T) (hitss [][]DataHit[T])

type Offsets

// Offsets records, for each Behavior field, the byte offset of the matching
// field inside the log type together with an int type tag (presumably one of
// the OffsetsType* constants — confirm in ParseOffset). These values appear to
// be consumed by StructElem / StructElemPointer, which take a raw uintptr
// offset, so a wrong or stale offset is a memory-safety problem rather than a
// compile error. SigmaYml.Offsets is tagged `yaml:"-"`, so offsets are derived
// from the Go type at build time and never read from rule files; keep it that way.
type Offsets struct {
	Object  uintptr
	Objects struct {
		Connectors []string // connectors between the multiple Objects
		Offsets    []uintptr
	}
	ObjectType      int
	Subject         uintptr
	SubjectType     int
	When            uintptr
	WhenType        int
	Who             uintptr
	WhoType         int
	What            uintptr
	WhatType        int
	Role            uintptr
	RoleType        int
	Where           uintptr
	WhereType       int
	Why             uintptr
	WhyType         int
	Whom            uintptr
	WhomType        int
	Which           uintptr
	WhichType       int
	How             uintptr
	HowType         int
	HowMuch         uintptr
	HowMuchType     int
	Effect          uintptr
	EffectType      int
	Environment     uintptr
	EnvironmentType int
}

type RuleType

// RuleType distinguishes the three rule families the engine handles; it is
// carried on every DataHit.
type RuleType int16

// Rule families. Numbering starts at 1, so the zero value names no rule type.
const (
	RuleTypeSingle   RuleType = iota + 1 // 1: single rule (Ruleset)
	RuleTypeMultiple                     // 2: multiple rule (StreamRuleset)
	RuleTypeMerger                       // 3: merge rule (MergeRuleset)
)

type Ruleset

// Ruleset holds the compiled single rules for log type T. It is created by
// NewOneRuleset / NewRuleset / NewRulesetByDir, prepared with Build, and then
// queried through Eval / Eval2; GetYml / GetYmls expose the source rules and
// SplitByPlatform partitions the set by platform.
type Ruleset[T any] struct {
	// contains filtered or unexported fields
}

func NewOneRuleset

func NewOneRuleset[T any](ctx context.Context, file string, in T) (rs *Ruleset[T], err error)

func NewRuleset

func NewRuleset[T any](ctx context.Context, bsYmls [][]byte, in T) (rs *Ruleset[T], err error)

func NewRulesetByDir

func NewRulesetByDir[T any](ctx context.Context, dir string, in T) (rs *Ruleset[T], err error)

func (*Ruleset[T]) Build

func (rs *Ruleset[T]) Build() (err error)

func (*Ruleset[T]) Eval

func (rs *Ruleset[T]) Eval(m *T, in []int64) (ruleIDs []int64)

func (*Ruleset[T]) Eval2

func (rs *Ruleset[T]) Eval2(m *T, in []*SigmaYml[T]) (ruleIDs []*SigmaYml[T])

func (*Ruleset[T]) GetYml

func (rs *Ruleset[T]) GetYml(ruleID int64) *SigmaYml[T]

func (*Ruleset[T]) GetYmls

func (rs *Ruleset[T]) GetYmls() (ymls []*SigmaYml[T])

func (*Ruleset[T]) SplitByPlatform

func (rs *Ruleset[T]) SplitByPlatform() (setLinux, setWin, setNetwork *Ruleset[T])

type Selection

// Selection is one named selection of a sigma rule after parsing: the field
// key it applies to and the candidate values, split by type.
type Selection struct {
	Key    string       // field key the selection applies to
	Strs   []string     // string candidates
	Int64s []int64      // int64 candidates
	Bools  []bool       // bool candidates
	Func   string       // name of the match function — TODO confirm the accepted names
	All    bool         // presumably "all candidates must match" — confirm in the evaluator
	Ti     *tag.TagInfo // tag metadata of the key (see SigmaYml.GetLogTag)
}

type SigmaBranch

// SigmaBranch is one node of a parsed sigma condition tree (see SigmaRule.Conditions).
type SigmaBranch[T any] struct {
	SelectionKey string    // name of the selection
	Selection    Selection `json:"-"` // resolved from SelectionKey at parse time so no lookup is paid at runtime

	CMD func(m *T) bool `json:"-"` // the predicate that is finally executed against a record

	Not  bool              // negate this branch
	OR   bool              // true: OR ; false: AND ;
	Sons []SigmaBranch[T]  // sub-conditions: one per parenthesised group; a new one also starts whenever the operator changes, e.g. an AND following an OR
	// contains filtered or unexported fields
}

SigmaBranch sigma 里的条件分支

type SigmaRule

// SigmaRule is the processed condition information of a sigma rule:
// the named selections and the condition tree built from them by ParseCondition.
type SigmaRule[T any] struct {
	Selections map[string]Selection // selections by name
	Conditions []SigmaBranch[T]     // tree structure, similar to an AST
	// contains filtered or unexported fields
}

SigmaRule sigma 加工后的条件信息

func (*SigmaRule[T]) ParseCondition

func (rule *SigmaRule[T]) ParseCondition(str string, selections map[string]Selection) (branchs []SigmaBranch[T], err error)

type SigmaYml

// SigmaYml is the raw sigma rule configuration as loaded from YAML, plus the
// derived fields (Tag, TagInfos, Offsets) that are filled in by the engine and
// never read from the file.
type SigmaYml[T any] struct {
	Title          string                 `yaml:"title"`          // rule name
	RuleID         int64                  `yaml:"id"`             // rule ID
	Type           string                 `yaml:"type"`           // rule type: multiple/single/merger
	Status         int                    `yaml:"status"`         // rollout status (1 normal, 0 disabled, 2 canary)
	Decisioncenter int                    `yaml:"decisioncenter"` // whether multi-record evaluation is performed (1 no, 2 yes)
	Description    string                 `yaml:"description"`
	Detection      map[string]interface{} `yaml:"detection"` // rule body, untyped YAML; detection.condition holds the evaluation logic
	Level          string                 `yaml:"level"`     // severity: INFO, LOW, MEDIUM, HIGH
	Tags           []string               `yaml:"tags"`      // attack classification tags
	Tag            string                 `yaml:"-"`         // derived, not read from YAML
	TagInfos       map[string]*tag.TagInfo // derived tag metadata, see GetLogTag

	// The fields below were added later than the core sigma fields.
	Time          string   `yaml:"time"` // e.g. 2023.9.13
	Example       string   `yaml:"example"`
	Analyze       string   `yaml:"analyze"`
	Common        string   `yaml:"common"`
	Environment   string   `yaml:"environment"`
	Class         string   `yaml:"class"`
	Source        string   `yaml:"source"`
	Focus         string   `yaml:"focus"`
	Author        string   `yaml:"author"`
	Version       string   `yaml:"version"`        // e.g. 1.0.0
	Application   string   `yaml:"application"`    // e.g. "default rule"
	Why           string   `yaml:"why"`            // e.g. "monitor ifconfig ip"
	FalsePositive string   `yaml:"false_positive"` //
	Frequency     string   `yaml:"frequency"`      //
	Platform      string   `yaml:"platform"`       // e.g. Linux
	Much          string   `yaml:"much"`           //
	Initial       int      `yaml:"initial"`        // initial score, e.g. 30
	Analyzetype   int      `yaml:"analyzetype"`    // category number, e.g. 1 (see the ID layout below)
	Behavior      Behavior `yaml:"behavior"`       // structured description of the behaviour
	Offsets       Offsets  `yaml:"-"`              // byte offsets of the Behavior fields inside pb.Log; derived (presumably by ParseOffset), never read from YAML
}
ID 编号格式: {大分类编号}{二级分类 三位数字}{初始分 两位}{系统 一位: 1 Windows / 2 Linux}{各级别编号 三位}

    大分类编号 | 二级分类 | 初始分 | 系统 (1 Windows, 2 Linux) | 各级别编号
               | 3位      | 2位    | 1位                       | 3位
    例 1001302004:  1 | 001 | 30 | 2 | 004
大分类说明(Analyzetype配置):
"001-运行进程"
"002-文件"
"003-认证"
"004-执行"
"005-启动程序"
"006-管道"
"007-通信"
"008-资源访问"
"009-进程访问"
"010-网络"
"011-进程加载"
"012-注册表"

SigmaYml[T] sigma 原始配置信息

func (*SigmaYml[T]) GetLogTag

func (s *SigmaYml[T]) GetLogTag(key string) *tag.TagInfo

func (*SigmaYml[T]) ParseOffset

func (s *SigmaYml[T]) ParseOffset() (err error)

type SigmaYmlMerge

// SigmaYmlMerge is the raw YAML configuration of a merge rule.
type SigmaYmlMerge struct {
	Title         string `yaml:"title"`          // rule name
	RuleID        int64  `yaml:"id"`             // rule ID
	Type          string `yaml:"type"`           // rule type: multiple/single/merger
	Status        int    `yaml:"status"`         // rollout status (1 normal, 0 disabled, 2 canary)
	TechniqueType string `yaml:"technique_type"` //
	Description   string `yaml:"description"`    // description
	Seriousness   string `yaml:"seriousness"`    // severity: INFO, LOW, MEDIUM, HIGH
	Platform      string `yaml:"platform"`       // platform
	Initial       int    `yaml:"initial"`        // initial score, e.g. 30
	Analyzetype   int    `yaml:"analyzetype"`    // category number, e.g. 1

	Detection DetectionMerge `yaml:"detection"` // rule body; detection.condition holds the evaluation logic
}
需要增加能表明主事件的 key , 用于计算进程树的中间节点

SigmaYmlMerge 多条配置信息

type SigmaYmlMul

// SigmaYmlMul is the raw YAML configuration of a multiple rule.
type SigmaYmlMul struct {
	Title         string `yaml:"title"`          // rule name
	RuleID        int64  `yaml:"id"`             // rule ID
	Type          string `yaml:"type"`           // rule type: multiple/single/merger
	Status        int    `yaml:"status"`         // rollout status (1 normal, 0 disabled, 2 canary)
	TechniqueType string `yaml:"technique_type"` //
	Description   string `yaml:"description"`    // description
	Seriousness   string `yaml:"seriousness"`    // severity: INFO, LOW, MEDIUM, HIGH
	Platform      string `yaml:"platform"`       // platform
	Initial       int    `yaml:"initial"`        // initial score, e.g. 30
	Analyzetype   int    `yaml:"analyzetype"`    // category number, e.g. 1

	Detection DetectionMul `yaml:"detection"` // rule body; detection.condition holds the evaluation logic
}
需要增加能表明主事件的 key , 用于计算进程树的中间节点

SigmaYmlMul 多条配置信息

type StreamRuleset

// StreamRuleset is the processing hub for multiple rules over a stream of T.
// It is created by NewOneRulesetMul / NewRulesetMul / NewRulesetMulByDir,
// prepared with Build, queried through Eval, and its event counter can be
// reset with ResetEventID.
type StreamRuleset[T any] struct {
	// contains filtered or unexported fields
}

StreamRuleset 流处理的处理中心

func NewOneRulesetMul

func NewOneRulesetMul[T any](ctx context.Context, bs []byte, in T) (rs *StreamRuleset[T], err error)

func NewRulesetMul

func NewRulesetMul[T any](ctx context.Context, ymls [][]byte, in T) (ruleset *StreamRuleset[T], err error)

func NewRulesetMulByDir

func NewRulesetMulByDir[T any](ctx context.Context, dir string, in T) (rs *StreamRuleset[T], err error)

func (*StreamRuleset[T]) Build

func (rs *StreamRuleset[T]) Build() (err error)

func (StreamRuleset[T]) Eval

func (rs StreamRuleset[T]) Eval(ruleID int64, m *T) (hitss [][]DataHit[T])

func (StreamRuleset[T]) ResetEventID

func (rs StreamRuleset[T]) ResetEventID(eventID int64)
