rules

package
v0.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 19, 2026 License: GPL-2.0, GPL-2.0-only Imports: 7 Imported by: 0

Documentation

Overview

Package rules manages cryptographic detection rules, including loading, validation, and filtering of both local and remote rule sets.

Package rules manages cryptographic detection rules, including loading, validation, and filtering of both local and remote rule sets.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type LocalRuleSource 

type LocalRuleSource struct {
	// contains filtered or unexported fields
}

LocalRuleSource handles loading and validation of local rule files.

func NewLocalRuleSource 

func NewLocalRuleSource(rulePaths, ruleDirs []string) *LocalRuleSource

NewLocalRuleSource creates a new local rule source.

Parameters:

  • rulePaths: Individual rule file paths (from --rules flags)
  • ruleDirs: Rule directory paths (from --rules-dir flags)

Returns:

  • *LocalRuleSource: Source configured to load from local paths and directories

func (*LocalRuleSource) Load 

func (l *LocalRuleSource) Load() ([]string, error)

Load validates and collects all rule file paths from individual files and directories. Returns absolute paths to all valid YAML rule files.

Returns:

  • []string: All validated rule file paths (absolute paths)
  • error: If any path is invalid or doesn't exist

func (*LocalRuleSource) Name 

func (l *LocalRuleSource) Name() string

Name returns a descriptive name for this rule source.

type Manager 

type Manager struct {
	// contains filtered or unexported fields
}

Manager orchestrates rule loading from multiple sources. It provides a central coordination point for aggregating rules from various sources (local files, remote URLs, etc.) and will handle caching and validation in the future.

func NewManager 

func NewManager(sources ...RuleSource) *Manager

NewManager creates a new rules manager with the specified sources. Sources are loaded and aggregated when Load() is called.

Parameters:

  • sources: Variable number of RuleSource implementations to aggregate

Returns:

  • *Manager: Manager configured with the specified sources

Example: 

manager := rules.NewManager(
    rules.NewLocalRuleSource(rulePaths, ruleDirs),
    // Future: rules.NewRemoteRuleSource(url, cache),
)

func (*Manager) Load 

func (m *Manager) Load() ([]string, error)

Load aggregates and returns rule file paths from all configured sources. Uses MultiSource internally to handle deduplication and error handling.

Returns:

  • []string: Deduplicated absolute paths to all rule files
  • error: If any source fails to load

type MultiSource 

type MultiSource struct {
	// contains filtered or unexported fields
}

MultiSource aggregates rule paths from multiple sources. It loads rules from all sources and merges them, removing duplicates.

func NewMultiSource 

func NewMultiSource(sources ...RuleSource) *MultiSource

NewMultiSource creates a new MultiSource that aggregates rules from multiple sources. Sources are loaded in the order provided. Rule paths are deduplicated automatically.

Parameters:

  • sources: Variable number of RuleSource implementations

Returns:

  • *MultiSource: Aggregator for multiple rule sources

func (*MultiSource) Load 

func (m *MultiSource) Load() ([]string, error)

Load retrieves and merges rule paths from all configured sources. If any source fails to load, the error is returned immediately. Empty paths from sources are filtered out automatically.

Returns:

  • []string: Deduplicated merged rule paths from all sources
  • error: First error encountered while loading sources, if any

func (*MultiSource) Name 

func (m *MultiSource) Name() string

Name returns a descriptive name for this multi-source.

type RemoteRuleSource 

type RemoteRuleSource struct {
	// contains filtered or unexported fields
}

RemoteRuleSource loads rules from a remote ruleset via API and caches them locally. It returns the path to the cached ruleset directory.

func NewRemoteRuleSource 

func NewRemoteRuleSource(
	ctx context.Context,
	rulesetName string,
	version string,
	cacheManager *cache.Manager,
) *RemoteRuleSource

NewRemoteRuleSource creates a new remote rule source

Parameters:

  • ctx: Context for API requests and cancellation
  • rulesetName: Name of the ruleset to fetch (e.g., "dca")
  • version: Version of the ruleset (e.g., "latest", "v1.0.0")
  • cacheManager: Cache manager for downloading and caching rulesets

Returns:

  • *RemoteRuleSource: Configured remote rule source

func (*RemoteRuleSource) Load 

func (r *RemoteRuleSource) Load() ([]string, error)

Load retrieves the path to the cached ruleset directory. If the ruleset is not cached or has expired, it will be downloaded. The returned path points to a directory containing the ruleset's .yaml files.

Returns:

  • []string: Slice containing the absolute path to the cached ruleset directory
  • error: Error if download/cache retrieval fails

func (*RemoteRuleSource) Name 

func (r *RemoteRuleSource) Name() string

Name returns a human-readable identifier for this source.

type RuleSource 

type RuleSource interface {
	// Load retrieves absolute paths to rule files from the source.
	// Returns an empty slice if the source has no rules (not an error).
	// Returns an error only if the source exists but cannot be read/parsed.
	Load() ([]string, error)

	// Name returns a human-readable identifier for this source.
	// Used for logging and debugging purposes.
	Name() string
}

RuleSource defines an interface for loading rule file paths from various sources. Implementations can load rules from local files, remote URLs, databases, etc. Each source returns absolute paths to YAML rule files.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.