feat(rules): Detection rules (#136)

* groundwork for detection rules. Introducing macros in rules and other rule sequence improvements

* move macro store logic to filters config

* move macro store logic to filters config

* adjust spearphisning group description

* event rendering from Go template

* introduce more detection rules and filter improvements

* introduce event type index optimization, add more detection rules

* alert rule email template

* HTML email template tweaking, field interpolation in emit rule action

* only visit eligible accessors, include footer in alert email notifications

* MD in alert text, tweak rules/add README, include additional rules for detecting credential access

* fix rules paths in config, check macros size against the map

* fix build errors caused by bad merge, bump go-yara

* bump yara version

* fix tests

* address lint warnings

Author: rabbitstack

.github/workflows/master.yml

@@ -16,7 +16,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-           go-version: 1.17.x
+           go-version: 1.19.x
       - name: Checkout
         uses: actions/checkout@v2
       - name: Adjust pkg-config prefix
@@ -49,7 +49,7 @@ jobs:
         if: steps.cache.outputs.cache-hit != 'true'
         shell: bash
         env:
-          VERSION: "4.0.x"
+          VERSION: "4.2.x"
         run: |
           git clone --depth 1 --branch $VERSION https://github.com/VirusTotal/yara.git
       - name: Configure yara
@@ -105,7 +105,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-           go-version: 1.17.x
+           go-version: 1.19.x
       - name: Checkout
         uses: actions/checkout@v2
       - name: Build
@@ -134,7 +134,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-           go-version: 1.17.x
+           go-version: 1.19.x
       - name: Setup msys2
         uses: msys2/setup-msys2@v2
         with:
@@ -184,7 +184,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-           go-version: 1.17.x
+           go-version: 1.19.x
       - name: Setup msys2
         uses: msys2/setup-msys2@v2
         with:
@@ -216,7 +216,7 @@ jobs:
         run: |
           curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin $GOLANGCI_LINT_VER
         env:
-          GOLANGCI_LINT_VER: v1.35.2
+          GOLANGCI_LINT_VER: v1.50.1
       - name: Lint
         shell: bash
         run: |

.github/workflows/pr.yml

@@ -14,7 +14,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-           go-version: 1.17.x
+           go-version: 1.19.x
       - name: Checkout
         uses: actions/checkout@v2
       - name: Adjust pkg-config prefix
@@ -47,7 +47,7 @@ jobs:
         if: steps.cache.outputs.cache-hit != 'true'
         shell: bash
         env:
-          VERSION: "4.0.x"
+          VERSION: "4.2.x"
         run: |
           git clone --depth 1 --branch $VERSION https://github.com/VirusTotal/yara.git
       - name: Configure yara
@@ -87,7 +87,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-           go-version: 1.17.x
+           go-version: 1.19.x
       - name: Setup msys2
         uses: msys2/setup-msys2@v2
         with:
@@ -137,7 +137,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-           go-version: 1.17.x
+           go-version: 1.19.x
       - name: Setup msys2
         uses: msys2/setup-msys2@v2
         with:
@@ -169,7 +169,7 @@ jobs:
         run: |
           curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin $GOLANGCI_LINT_VER
         env:
-          GOLANGCI_LINT_VER: v1.35.2
+          GOLANGCI_LINT_VER: v1.50.1
       - name: Lint
         shell: bash
         run: |

.github/workflows/release.yml

@@ -12,7 +12,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-           go-version: 1.17.x
+           go-version: 1.19.x
       - name: Checkout
         uses: actions/checkout@v2
       - name: Adjust pkg-config prefix
@@ -45,7 +45,7 @@ jobs:
         if: steps.cache.outputs.cache-hit != 'true'
         shell: bash
         env:
-          VERSION: "4.0.x"
+          VERSION: "4.2.x"
         run: |
           git clone --depth 1 --branch $VERSION https://github.com/VirusTotal/yara.git
       - name: Configure yara
@@ -102,7 +102,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-           go-version: 1.17.x
+           go-version: 1.19.x
       - name: Checkout
         uses: actions/checkout@v2
       - name: Get version

cmd/fibratus/app/list.go

@@ -27,7 +27,6 @@ import (
 	"github.com/rabbitstack/fibratus/pkg/filter/fields"
 	"github.com/rabbitstack/fibratus/pkg/kevent/ktypes"
 	"github.com/spf13/cobra"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strings"
@@ -82,7 +81,7 @@ func listFilaments(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	filaments, err := ioutil.ReadDir(dir)
+	filaments, err := os.ReadDir(dir)
 	if err != nil {
 		return err
 	}

cmd/fibratus/main_windows.go

@@ -26,13 +26,13 @@ import (
 )
 
 func main() {
-	// determine if we are running in an interactive session
-	in, err := svc.IsAnInteractiveSession()
+	// determine if we are running as a Windows Service
+	isWinService, err := svc.IsWindowsService()
 	if err != nil {
 		fmt.Printf("interactive session check failed: %v\n", err)
 		os.Exit(-1)
 	}
-	if !in {
+	if isWinService {
 		app.RunService()
 		return
 	}

configs/fibratus.yml

@@ -25,7 +25,7 @@ alertsenders:
     #host:
 
     # Represents the port of the SMTP server
-    #port: 25
+    #port: 587
 
     # Specifies the user name when authenticating to the SMTP server
     #user:
@@ -38,7 +38,9 @@ alertsenders:
 
     # Specifies all the recipients that'll receive the alert
     #to:
-    #  - ""
+
+    # Specifies the email body content type
+    #content-type: text/html
 
   # Slack sender transports the alerts to the Slack workspace.
   slack:
@@ -95,14 +97,18 @@ filament:
 
 # =============================== Filters ===============================================
 
-# Contains the definition of filter rules. Filter expressions are contained in filter group files.
+# Contains the definition of detection rules. Rules are contained within rule group files.
 # Rule definitions can reside in the local file system or also can be served over HTTP/S.
+# For local file system rule paths, it is possible to use the glob expression to load the
+# rules from different directory locations.
 filters:
   rules:
     from-paths:
-    # - C:\Program Files\Fibratus\Config\Rules\Default\default.yml
+    # - C:\Program Files\Fibratus\Rules\*.yml
     #from-urls:
-    #  - https://raw.githubusercontent.com/rabbitstack/fibratus/master/configs/rules/default/default.yml
+  macros:
+    from-paths:
+      - C:\Program Files\Fibratus\Rules\Macros\*.yml
 
 # =============================== Handle ===============================================