Index ¶
- func FuzzConditionParser(data []byte) int
- func FuzzConfigParser(data []byte) int
- func FuzzRuleParser(data []byte) int
- type AggregationExpr
- type AggregationFunc
- type AllOfIdentifier
- type AllOfPattern
- type AllOfThem
- type And
- type Average
- type Comparison
- type ComparisonOp
- type Condition
- type Conditions
- type Config
- type Correlation
- type Count
- type Detection
- type EventMatcher
- type FieldMapping
- type FieldMatcher
- type FileType
- type Logsource
- type LogsourceIndexes
- type LogsourceMapping
- type Max
- type Min
- type Near
- type Not
- type OneOfIdentifier
- type OneOfPattern
- type OneOfThem
- type Or
- type RelatedRule
- type Rule
- type Search
- type SearchExpr
- type SearchIdentifier
- type Sum
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func FuzzConditionParser ¶
func FuzzConfigParser ¶
func FuzzRuleParser ¶
Types ¶
type AggregationExpr ¶
// AggregationExpr is the aggregation half of a parsed Condition
// (Condition.Aggregation). Its method set is not shown on this page
// ("filtered or unexported"), so which concrete types satisfy it cannot be
// confirmed here; Comparison is the obvious candidate — TODO confirm in source.
type AggregationExpr interface {
	// contains filtered or unexported methods
}
type AggregationFunc ¶
// AggregationFunc is the aggregation function of a Comparison
// (Comparison.Func). Presumably implemented by Average, Count, Max, Min and
// Sum, whose declarations are listed in the index but not shown here —
// TODO confirm in source.
type AggregationFunc interface {
	// contains filtered or unexported methods
}
type AllOfIdentifier ¶
// AllOfIdentifier is a condition node that refers to a single named search
// by identifier (presumably the `all of <name>` form of the Sigma condition
// grammar). Ident.Name is the search name exactly as written in the rule.
type AllOfIdentifier struct {
	Ident SearchIdentifier
}
type AllOfPattern ¶
// AllOfPattern is a condition node whose Pattern selects several searches by
// name. Pattern is kept as the raw string from the rule; how it is matched
// against search names is not visible on this page.
type AllOfPattern struct {
	Pattern string
}
type And ¶
// And represents the conjunction of its element expressions (the condition
// grammar's `and` operator). An empty And is representable; whether the
// parser ever produces one is not visible here.
type And []SearchExpr
type Comparison ¶
// Comparison is an aggregation expression of the form
// `<Func> <Op> <Threshold>`: the result of an AggregationFunc compared
// against Threshold using Op. Threshold is always held as a float64,
// regardless of how the number was written in the rule.
type Comparison struct {
	Func      AggregationFunc
	Op        ComparisonOp
	Threshold float64
}
type ComparisonOp ¶
// ComparisonOp is the operator of a Comparison, stored as its textual form.
type ComparisonOp string

// Comparison operators accepted in an aggregation expression. Note that they
// are declared with var rather than const, so they are mutable package-level
// state; treat them as read-only.
var (
	Equal            ComparisonOp = "="
	NotEqual         ComparisonOp = "!="
	LessThan         ComparisonOp = "<"
	LessThanEqual    ComparisonOp = "<="
	GreaterThan      ComparisonOp = ">"
	GreaterThanEqual ComparisonOp = ">="
)
type Condition ¶
// Condition is one entry of Detection.Conditions, produced by
// ParseCondition. Search is the boolean expression over search identifiers;
// Aggregation is the optional aggregation suffix and is presumably nil when
// the condition has none (both fields are tagged omitempty). The unexported
// fields are not shown on this page.
type Condition struct {
	Search      SearchExpr      `yaml:"search,omitempty" json:"Search,omitempty"`
	Aggregation AggregationExpr `yaml:"aggregation,omitempty" json:"Aggregation,omitempty"`
	// contains filtered or unexported fields
}
func ParseCondition ¶
ParseCondition parses the Sigma condition syntax.
func (Condition) MarshalYAML ¶
type Conditions ¶
// Conditions is the list of parsed conditions of a Detection. It round-trips
// through YAML via the MarshalYAML and UnmarshalYAML methods declared below.
type Conditions []Condition
func (Conditions) MarshalYAML ¶
func (c Conditions) MarshalYAML() (interface{}, error)
MarshalYAML marshals the conditions back into condition grammar expressions :sob:
func (*Conditions) UnmarshalYAML ¶
func (c *Conditions) UnmarshalYAML(node *yaml.Node) error
type Config ¶
// Config is a parsed Sigma backend configuration (see ParseConfig): the
// field and logsource mappings a converter applies to rules. Placeholders
// values are decoded YAML of any type ([]interface{}), so a consumer must
// type-check them before substituting them into a rule or query.
type Config struct {
	Title    string   // A short description of what this configuration does
	Order    int      // Defines the order of expansion when multiple config files are applicable
	Backends []string // Lists the Sigma implementations that this config file is compatible with
	FieldMappings map[string]FieldMapping
	Logsources    map[string]LogsourceMapping
	// TODO: LogsourceMerging option
	DefaultIndex string // Defines a default index if no logsources match
	Placeholders map[string][]interface{} // Defines values for placeholders that might appear in Sigma rules
}
func ParseConfig ¶
type Correlation ¶
// Correlation is the `correlation` section of a Sigma correlation rule
// (Rule.Correlation). It is preserved close to its decoded form: Timespan
// stays a string rather than a time.Duration and Condition stays a raw map,
// so a consumer must validate both before acting on them. Whether Rules
// holds rule names or rule IDs is not visible on this page.
type Correlation struct {
	Type      string                 `json:"type,omitempty" yaml:"type,omitempty"`
	Rules     []string               `json:"rules,omitempty" yaml:"rules,omitempty"`
	GroupBy   []string               `json:"group-by,omitempty" yaml:"group-by,omitempty"`
	Timespan  string                 `json:"timespan,omitempty" yaml:"timespan,omitempty"`
	Condition map[string]interface{} `json:"condition,omitempty" yaml:"condition,omitempty"`
	Generate  bool                   `json:"generate,omitempty" yaml:"generate,omitempty"`
}
type Detection ¶
// Detection is the `detection` section of a Rule. Searches is tagged inline,
// so every key of the section other than the condition and timeframe keys is
// decoded as a named Search; Conditions is the parsed condition list.
// Timeframe is kept as the raw string (see the comment on the field).
type Detection struct {
	Searches   map[string]Search `yaml:"searches,inline,omitempty" json:"Searches,inline,omitempty"`
	Conditions Conditions        `yaml:"condition,omitempty" json:"Condition,omitempty"`
	// This is not actually supported right now since there are no
	// aggregates so we just preserve it in its string form.
	// Timeframe time.Duration `yaml:",omitempty" json:",omitempty"`
	Timeframe string `yaml:",omitempty" json:",omitempty"`
}
type EventMatcher ¶
// EventMatcher is the list of FieldMatcher entries that make up one
// map-form entry of a Search. Its custom YAML encoding is provided by the
// MarshalYAML and UnmarshalYAML methods declared below.
type EventMatcher []FieldMatcher
func (EventMatcher) MarshalYAML ¶
func (f EventMatcher) MarshalYAML() (interface{}, error)
func (*EventMatcher) UnmarshalYAML ¶
func (f *EventMatcher) UnmarshalYAML(node *yaml.Node) error
type FieldMapping ¶
// FieldMapping maps one rule field name to the name(s) used in events.
// Given that TargetNames is a slice, its UnmarshalYAML presumably accepts
// either a single string or a list — TODO confirm in source.
type FieldMapping struct {
	TargetNames []string // The name(s) that appear in the events being matched
}
func (*FieldMapping) UnmarshalYAML ¶
func (f *FieldMapping) UnmarshalYAML(value *yaml.Node) error
type FieldMatcher ¶
// FieldMatcher is one field/modifiers/values entry of an EventMatcher.
// Field is the name as written in the rule (before any FieldMapping is
// applied); Modifiers are presumably the `|`-separated suffixes of the key;
// Values are decoded YAML scalars of any type, so a consumer must type-switch
// on them rather than assume strings. The unexported fields presumably back
// Position().
type FieldMatcher struct {
	Field     string        `yaml:"field,omitempty" json:"field,omitempty"`
	Modifiers []string      `yaml:"modifiers,omitempty" json:"modifiers,omitempty"`
	Values    []interface{} `yaml:"values,omitempty" json:"values,omitempty"`
	// contains filtered or unexported fields
}
func (FieldMatcher) Position ¶
func (f FieldMatcher) Position() (int, int)
Position returns the line and column of this FieldMatcher in the original input
type Logsource ¶
// Logsource is the `logsource` section of a Rule and is also embedded in
// LogsourceMapping. The four standard keys have dedicated fields; anything
// else is preserved in AdditionalFields through the inline tag rather than
// rejected.
type Logsource struct {
	Category   string `yaml:"category,omitempty" json:"Category,omitempty"`
	Product    string `yaml:"product,omitempty" json:"Product,omitempty"`
	Service    string `yaml:"service,omitempty" json:"Service,omitempty"`
	Definition string `yaml:"definition,omitempty" json:"Definition,omitempty"`
	// Any non-standard fields will end up in here
	AdditionalFields map[string]interface{} `yaml:",inline,omitempty" json:",inline,omitempty"`
}
type LogsourceIndexes ¶
// LogsourceIndexes is the list of index names of a LogsourceMapping. Its
// UnmarshalYAML is declared below and presumably accepts a single string as
// well as a list — TODO confirm in source.
type LogsourceIndexes []string
func (*LogsourceIndexes) UnmarshalYAML ¶
func (i *LogsourceIndexes) UnmarshalYAML(value *yaml.Node) error
type LogsourceMapping ¶
// LogsourceMapping is one entry of Config.Logsources. The embedded Logsource
// is the pattern matched against a rule's logsource; the remaining fields
// describe what to do for rules that match it.
type LogsourceMapping struct {
	Logsource  `yaml:",inline,omitempty"` // Matches the logsource field in Sigma rules
	Index      LogsourceIndexes           // The index(es) that should be used
	Conditions Search                     // Conditions that are added to all rules targeting this logsource
	Rewrite    Logsource                  // Rewrites this logsource (i.e. so that it can be matched by another lower precedence config)
}
type Near ¶
// Near wraps a single SearchExpr. It is listed alongside the condition node
// types; which interface it satisfies (SearchExpr or AggregationExpr) is not
// visible on this page — TODO confirm in source.
type Near struct {
	Condition SearchExpr
}
type Not ¶
// Not is the negation of Expr (the condition grammar's `not` operator).
type Not struct {
	Expr SearchExpr
}
type OneOfIdentifier ¶
// OneOfIdentifier is a condition node that refers to a single named search
// by identifier (presumably the `1 of <name>` form of the Sigma condition
// grammar). Ident.Name is the search name exactly as written in the rule.
type OneOfIdentifier struct {
	Ident SearchIdentifier
}
type OneOfPattern ¶
// OneOfPattern is a condition node whose Pattern selects several searches by
// name, of which one must match. Pattern is kept as the raw string from the
// rule; how it is matched against search names is not visible on this page.
type OneOfPattern struct {
	Pattern string
}
type Or ¶
// Or represents the disjunction of its element expressions (the condition
// grammar's `or` operator).
type Or []SearchExpr
type RelatedRule ¶
type Rule ¶
// Rule is a parsed Sigma rule document. The tagged fields mirror the Sigma
// rule schema; any key not listed is preserved in AdditionalFields through
// the inline tag, so unknown input is kept rather than rejected. Correlation
// is a pointer and is presumably nil for rules without a correlation section.
// Note that the JSON key spellings are inconsistent in case (Status and
// Related are lowercase, Title and Level capitalised), which matters if a
// rule is round-tripped through JSON.
type Rule struct {
	// Required fields
	Title       string       `yaml:"title,omitempty" json:"Title,omitempty"`
	Name        string       `yaml:"name,omitempty" json:"Name,omitempty"`
	Logsource   Logsource    `yaml:"logsource,omitempty" json:"Logsource,omitempty"`
	Detection   Detection    `yaml:"detection,omitempty" json:"Detection,omitempty"`
	Correlation *Correlation `yaml:"correlation,omitempty" json:"Correlation,omitempty"`
	ID          string       `yaml:"id,omitempty" json:"Id,omitempty"`
	Related     []RelatedRule `yaml:"related,omitempty" json:"related,omitempty"`
	Status      string       `yaml:"status,omitempty" json:"status,omitempty"`
	Description string       `yaml:"description,omitempty" json:"Description,omitempty"`
	Author      string       `yaml:"author,omitempty" json:"Author,omitempty"`
	Level       string       `yaml:"level,omitempty" json:"Level,omitempty"`
	// This field can be a list of strings or a single string. We
	// actually never care about this field so we just preserve it.
	// https://sigmahq.io/docs/basics/rules.html#metadata-references
	References interface{} `yaml:"references,omitempty" json:"References,omitempty"`
	Tags       []string    `yaml:"tags,omitempty" json:"Tags,omitempty"`
	// Any non-standard fields will end up in here
	AdditionalFields map[string]interface{} `yaml:",inline,omitempty" json:",inline,omitempty"`
}
type Search ¶
// Search is one named search of a Detection. Keywords holds the list-form
// search (bare strings); EventMatchers holds the map-form entries. A Search
// may carry either or both — which combinations the parser produces is not
// visible here. The unexported fields are not shown on this page.
type Search struct {
	Keywords      []string       `yaml:"keywords,omitempty" json:"keywords,omitempty"`
	EventMatchers []EventMatcher `yaml:"event_matchers,omitempty" json:"event_matchers,omitempty"`
	// contains filtered or unexported fields
}
func (Search) MarshalYAML ¶
type SearchExpr ¶
// SearchExpr is a node of the parsed condition tree (Condition.Search). Its
// method set is not shown here; the types on this page that plausibly satisfy
// it are And, Or, Not, SearchIdentifier and the OneOf*/AllOf* types, since
// And, Or, Not and Near all hold SearchExpr values — TODO confirm in source.
type SearchExpr interface {
	// contains filtered or unexported methods
}
type SearchIdentifier ¶
// SearchIdentifier is a leaf of the condition tree naming one Search of the
// enclosing Detection. Name is the key as written in the rule; nothing on
// this page shows whether it is validated against Detection.Searches.
type SearchIdentifier struct {
	Name string `yaml:"name,omitempty" json:"Name,omitempty"`
}