README
¶
sigma-go 
A Go implementation and parser of Sigma rules. Useful for building your own detection pipelines.
Who's using sigma-go in production?
Usage
This library is designed for you to build your own alert systems. It exposes the ability to check whether a rule matches a given event but not much else. It's up to you to use this building block in your own detection pipeline.
A basic usage of this library might look like this:
// You can load/create rules dynamically or use sigmac to load Sigma rule files
var rule, _ = sigma.ParseRule(contents)
// Rules need to be wrapped in an evaluator.
// This is also where (if needed) you provide functions implementing the count, max, etc. aggregation functions
e := sigma.Evaluator(rule, options...)
// Get a stream of events from somewhere e.g. audit logs
for event := range events {
if e.Matches(ctx, event) {
// Raise your alert here
newAlert(rule.ID, rule.Description, ...)
}
}
Aggregation functions
If your Sigma rules make use of the count, max, min, or any other aggregation function in your conditions then you'll need some extra setup.
When creating an evaluator, you can pass in implementations of each of the aggregation functions:
sigma.Evaluator(rule, sigma.CountFunc(countImplementation), sigma.MaxFunc(maxImplementation))
This repo includes some toy implementations in the aggregators package but for production use cases you'll need to supply your own.
Documentation
¶
Index ¶
- func FuzzConditionParser(data []byte) int
- func FuzzConfigParser(data []byte) int
- func FuzzRuleParser(data []byte) int
- type AggregationExpr
- type AggregationFunc
- type AllOfIdentifier
- type AllOfPattern
- type AllOfThem
- type And
- type Average
- type Comparison
- type ComparisonOp
- type Condition
- type Conditions
- type Config
- type Count
- type Detection
- type EventMatcher
- type FieldMapping
- type FieldMatcher
- type FileType
- type Logsource
- type LogsourceIndexes
- type LogsourceMapping
- type Max
- type Min
- type Near
- type Not
- type OneOfIdentifier
- type OneOfPattern
- type OneOfThem
- type Or
- type RelatedRule
- type Rule
- type Search
- type SearchExpr
- type SearchIdentifier
- type Sum
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func FuzzConditionParser ¶ added in v0.1.2
func FuzzConfigParser ¶ added in v0.1.2
func FuzzRuleParser ¶ added in v0.1.2
Types ¶
type AggregationExpr ¶ added in v0.1.0
type AggregationExpr interface {
// contains filtered or unexported methods
}
type AggregationFunc ¶ added in v0.1.0
type AggregationFunc interface {
// contains filtered or unexported methods
}
type AllOfIdentifier ¶
type AllOfIdentifier struct {
Ident SearchIdentifier
}
type AllOfPattern ¶
type AllOfPattern struct {
Pattern string
}
type And ¶
type And []SearchExpr
type Comparison ¶ added in v0.1.0
type Comparison struct {
Func AggregationFunc
Op ComparisonOp
Threshold float64
}
type ComparisonOp ¶
type ComparisonOp string
var ( Equal ComparisonOp = "=" NotEqual ComparisonOp = "!=" LessThan ComparisonOp = "<" LessThanEqual ComparisonOp = "<=" GreaterThan ComparisonOp = ">" GreaterThanEqual ComparisonOp = ">=" )
type Condition ¶
type Condition struct {
Search SearchExpr `yaml:",omitempty" json:",omitempty"`
Aggregation AggregationExpr `yaml:",omitempty" json:",omitempty"`
// contains filtered or unexported fields
}
func ParseCondition ¶
Parses the Sigma condition syntax
func (Condition) MarshalYAML ¶ added in v0.6.0
type Conditions ¶
type Conditions []Condition
func (Conditions) MarshalYAML ¶ added in v0.6.0
func (c Conditions) MarshalYAML() (interface{}, error)
Marshal the conditions back to grammar expressions :sob:
func (*Conditions) UnmarshalYAML ¶
func (c *Conditions) UnmarshalYAML(node *yaml.Node) error
type Config ¶ added in v0.1.0
type Config struct {
Title string // A short description of what this configuration does
Order int // Defines the order of expansion when multiple config files are applicable
Backends []string // Lists the Sigma implementations that this config file is compatible with
FieldMappings map[string]FieldMapping
Logsources map[string]LogsourceMapping
// TODO: LogsourceMerging option
DefaultIndex string // Defines a default index if no logsources match
Placeholders map[string][]interface{} // Defines values for placeholders that might appear in Sigma rules
}
func ParseConfig ¶ added in v0.1.0
type Detection ¶
type Detection struct {
Searches map[string]Search `yaml:",inline" json:",inline"`
Conditions Conditions `yaml:"condition" json:"condition"`
Timeframe time.Duration `yaml:",omitempty" json:",omitempty"`
}
type EventMatcher ¶ added in v0.4.0
type EventMatcher []FieldMatcher
func (EventMatcher) MarshalYAML ¶ added in v0.6.0
func (f EventMatcher) MarshalYAML() (interface{}, error)
func (*EventMatcher) UnmarshalYAML ¶ added in v0.4.0
func (f *EventMatcher) UnmarshalYAML(node *yaml.Node) error
type FieldMapping ¶ added in v0.1.0
type FieldMapping struct {
TargetNames []string // The name(s) that appear in the events being matched
}
func (*FieldMapping) UnmarshalYAML ¶ added in v0.1.0
func (f *FieldMapping) UnmarshalYAML(value *yaml.Node) error
type FieldMatcher ¶
type FieldMatcher struct {
Field string `yaml:",omitempty" json:",omitempty"`
Modifiers []string `yaml:",omitempty" json:",omitempty"`
Values []interface{} `yaml:",omitempty" json:",omitempty"`
// contains filtered or unexported fields
}
func (FieldMatcher) Position ¶ added in v0.6.2
func (f FieldMatcher) Position() (int, int)
Position returns the line and column of this FieldMatcher in the original input
type Logsource ¶
type Logsource struct {
Category string `yaml:",omitempty" json:",omitempty"`
Product string `yaml:",omitempty" json:",omitempty"`
Service string `yaml:",omitempty" json:",omitempty"`
Definition string `yaml:",omitempty" json:",omitempty"`
// Any non-standard fields will end up in here
AdditionalFields map[string]interface{} `yaml:",inline,omitempty" json:",inline,omitempty"`
}
type LogsourceIndexes ¶ added in v0.1.0
type LogsourceIndexes []string
func (*LogsourceIndexes) UnmarshalYAML ¶ added in v0.1.0
func (i *LogsourceIndexes) UnmarshalYAML(value *yaml.Node) error
type LogsourceMapping ¶ added in v0.1.0
type LogsourceMapping struct {
Logsource `yaml:",inline"` // Matches the logsource field in Sigma rules
Index LogsourceIndexes // The index(es) that should be used
Conditions Search // Conditions that are added to all rules targeting this logsource
Rewrite Logsource // Rewrites this logsource (i.e. so that it can be matched by another lower precedence config)
}
type Near ¶ added in v0.1.0
type Near struct {
Condition SearchExpr
}
type Not ¶
type Not struct {
Expr SearchExpr
}
type OneOfIdentifier ¶
type OneOfIdentifier struct {
Ident SearchIdentifier
}
type OneOfPattern ¶
type OneOfPattern struct {
Pattern string
}
type Or ¶
type Or []SearchExpr
type RelatedRule ¶ added in v0.5.0
type Rule ¶
type Rule struct {
// Required fields
Title string
Logsource Logsource
Detection Detection
ID string `yaml:",omitempty" json:",omitempty"`
Related []RelatedRule `yaml:",omitempty" json:",omitempty"`
Status string `yaml:",omitempty" json:",omitempty"`
Description string `yaml:",omitempty" json:",omitempty"`
Author string `yaml:",omitempty" json:",omitempty"`
Level string `yaml:",omitempty" json:",omitempty"`
References []string `yaml:",omitempty" json:",omitempty"`
Tags []string `yaml:",omitempty" json:",omitempty"`
// Any non-standard fields will end up in here
AdditionalFields map[string]interface{} `yaml:",inline,omitempty" json:",inline,omitempty"`
}
type Search ¶
type Search struct {
Keywords []string `yaml:",omitempty" json:",omitempty"`
EventMatchers []EventMatcher `yaml:",omitempty" json:",omitempty"`
// contains filtered or unexported fields
}
func (Search) MarshalYAML ¶ added in v0.6.0
type SearchExpr ¶
type SearchExpr interface {
// contains filtered or unexported methods
}
type SearchIdentifier ¶
type SearchIdentifier struct {
Name string
}
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.