
Commit 4322805

feat(rules): Detection rules (#136)
* groundwork for detection rules. Introducing macros in rules and other rule sequence improvements * move macro store logic to filters config * move macro store logic to filters config * adjust spearphishing group description * event rendering from Go template * introduce more detection rules and filter improvements * introduce event type index optimization, add more detection rules * alert rule email template * HTML email template tweaking, field interpolation in emit rule action * only visit eligible accessors, include footer in alert email notifications * MD in alert text, tweak rules/add README, include additional rules for detecting credential access * fix rules paths in config, check macros size against the map * fix build errors caused by bad merge, bump go-yara * bump yara version * fix tests * address lint warnings
1 parent f050bc2 commit 4322805

95 files changed

Lines changed: 3007 additions & 1046 deletions


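--- a/.github/workflows/master.yml
+++ b/.github/workflows/master.yml
@@ -16,7 +16,7 @@ jobs:
 - name: Install Go
 uses: actions/setup-go@v2
 with:
-go-version: 1.17.x
+go-version: 1.19.x
 - name: Checkout
 uses: actions/checkout@v2
 - name: Adjust pkg-config prefix
@@ -49,7 +49,7 @@ jobs:
 if: steps.cache.outputs.cache-hit != 'true'
 shell: bash
 env:
-VERSION: "4.0.x"
+VERSION: "4.2.x"
 run: |
 git clone --depth 1 --branch $VERSION https://github.com/VirusTotal/yara.git
 - name: Configure yara
@@ -105,7 +105,7 @@ jobs:
 - name: Install Go
 uses: actions/setup-go@v2
 with:
-go-version: 1.17.x
+go-version: 1.19.x
 - name: Checkout
 uses: actions/checkout@v2
 - name: Build
@@ -134,7 +134,7 @@ jobs:
 - name: Install Go
 uses: actions/setup-go@v2
 with:
-go-version: 1.17.x
+go-version: 1.19.x
 - name: Setup msys2
 uses: msys2/setup-msys2@v2
 with:
@@ -184,7 +184,7 @@ jobs:
 - name: Install Go
 uses: actions/setup-go@v2
 with:
-go-version: 1.17.x
+go-version: 1.19.x
 - name: Setup msys2
 uses: msys2/setup-msys2@v2
 with:
@@ -216,7 +216,7 @@ jobs:
 run: |
 curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin $GOLANGCI_LINT_VER
 env:
-GOLANGCI_LINT_VER: v1.35.2
+GOLANGCI_LINT_VER: v1.50.1
 - name: Lint
 shell: bash
 run: |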

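--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -14,7 +14,7 @@ jobs:
 - name: Install Go
 uses: actions/setup-go@v2
 with:
-go-version: 1.17.x
+go-version: 1.19.x
 - name: Checkout
 uses: actions/checkout@v2
 - name: Adjust pkg-config prefix
@@ -47,7 +47,7 @@ jobs:
 if: steps.cache.outputs.cache-hit != 'true'
 shell: bash
 env:
-VERSION: "4.0.x"
+VERSION: "4.2.x"
 run: |
 git clone --depth 1 --branch $VERSION https://github.com/VirusTotal/yara.git
 - name: Configure yara
@@ -87,7 +87,7 @@ jobs:
 - name: Install Go
 uses: actions/setup-go@v2
 with:
-go-version: 1.17.x
+go-version: 1.19.x
 - name: Setup msys2
 uses: msys2/setup-msys2@v2
 with:
@@ -137,7 +137,7 @@ jobs:
 - name: Install Go
 uses: actions/setup-go@v2
 with:
-go-version: 1.17.x
+go-version: 1.19.x
 - name: Setup msys2
 uses: msys2/setup-msys2@v2
 with:
@@ -169,7 +169,7 @@ jobs:
 run: |
 curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin $GOLANGCI_LINT_VER
 env:
-GOLANGCI_LINT_VER: v1.35.2
+GOLANGCI_LINT_VER: v1.50.1
 - name: Lint
 shell: bash
 run: |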

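--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,7 +12,7 @@ jobs:
 - name: Install Go
 uses: actions/setup-go@v2
 with:
-go-version: 1.17.x
+go-version: 1.19.x
 - name: Checkout
 uses: actions/checkout@v2
 - name: Adjust pkg-config prefix
@@ -45,7 +45,7 @@ jobs:
 if: steps.cache.outputs.cache-hit != 'true'
 shell: bash
 env:
-VERSION: "4.0.x"
+VERSION: "4.2.x"
 run: |
 git clone --depth 1 --branch $VERSION https://github.com/VirusTotal/yara.git
 - name: Configure yara
@@ -102,7 +102,7 @@ jobs:
 - name: Install Go
 uses: actions/setup-go@v2
 with:
-go-version: 1.17.x
+go-version: 1.19.x
 - name: Checkout
 uses: actions/checkout@v2
 - name: Get version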

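--- a/cmd/fibratus/app/list.go
+++ b/cmd/fibratus/app/list.go
@@ -27,7 +27,6 @@ import (
 "github.com/rabbitstack/fibratus/pkg/filter/fields"
 "github.com/rabbitstack/fibratus/pkg/kevent/ktypes"
 "github.com/spf13/cobra"
-"io/ioutil"
 "os"
 "path/filepath"
 "strings"
@@ -82,7 +81,7 @@ func listFilaments(cmd *cobra.Command, args []string) error {
 return err
 }
 
-filaments, err := ioutil.ReadDir(dir)
+filaments, err := os.ReadDir(dir)
 if err != nil {
 return err
 }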
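Review bot: The switch to `os.ReadDir` changes the element type of `filaments` from `fs.FileInfo` to `fs.DirEntry`, and the loop that consumes it lies outside this hunk; `DirEntry` offers only `Name`, `IsDir`, `Type` and `Info`, so any use of `Size` or `ModTime` on the entries would now need an `Info()` call, which can itself return an error. If the remaining body compiles unchanged, the one behavioral difference is that `os.ReadDir` returns the entries read before an error alongside that error, which the immediate `return err` discards; a comment such as `// os.ReadDir may return partial entries with err; they are intentionally dropped` would make that explicit. listFilaments starts and continues outside the hunk.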

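--- a/cmd/fibratus/main_windows.go
+++ b/cmd/fibratus/main_windows.go
@@ -26,13 +26,13 @@ import (
 )
 
 func main() {
-// determine if we are running in an interactive session
-in, err := svc.IsAnInteractiveSession()
+// determine if we are running as a Windows Service
+isWinService, err := svc.IsWindowsService()
 if err != nil {
 fmt.Printf("interactive session check failed: %v\n", err)
 os.Exit(-1)
 }
-if !in {
+if isWinService {
 app.RunService()
 return
 }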
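Review bot: The error message on the unchanged line after the new `svc.IsWindowsService()` call still reads `interactive session check failed`, which no longer describes the check being performed; update it to `fmt.Printf("windows service check failed: %v\n", err)`. Because the branch condition is now inverted relative to the old code (`isWinService` where it used to be `!in`), a short comment on the `if` such as `// everything past this point presumably runs in the interactive/CLI mode` would help readers who remember the previous logic; the code after the `if` is outside the hunk, so confirm that before wording it. main's body continues outside the hunk.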

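--- a/configs/fibratus.yml
+++ b/configs/fibratus.yml
@@ -25,7 +25,7 @@ alertsenders:
 #host:
 
 # Represents the port of the SMTP server
-#port: 25
+#port: 587
 
 # Specifies the user name when authenticating to the SMTP server
 #user:
@@ -38,7 +38,9 @@ alertsenders:
 
 # Specifies all the recipients that'll receive the alert
 #to:
-# - ""
+
+# Specifies the email body content type
+#content-type: text/html
 
 # Slack sender transports the alerts to the Slack workspace.
 slack:
@@ -95,14 +97,18 @@ filament:
 
 # =============================== Filters ===============================================
 
-# Contains the definition of filter rules. Filter expressions are contained in filter group files.
+# Contains the definition of detection rules. Rules are contained within rule group files.
 # Rule definitions can reside in the local file system or also can be served over HTTP/S.
+# For local file system rule paths, it is possible to use the glob expression to load the
+# rules from different directory locations.
 filters:
 rules:
 from-paths:
-# - C:\Program Files\Fibratus\Config\Rules\Default\default.yml
+# - C:\Program Files\Fibratus\Rules\*.yml
 #from-urls:
-# - https://raw.githubusercontent.com/rabbitstack/fibratus/master/configs/rules/default/default.yml
+macros:
+from-paths:
+- C:\Program Files\Fibratus\Rules\Macros\*.yml
 
 # =============================== Handle ===============================================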
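Review bot: The new `macros: from-paths:` entry is active (uncommented) while the neighbouring `rules: from-paths:` example stays commented out, so a stock config loads macros from `C:\Program Files\Fibratus\Rules\Macros\*.yml` but no rules, and that glob may not resolve on every install; if it is meant as an example, comment it like the rules entry, otherwise add a comment stating that the directory must exist and what happens when the glob matches nothing. The comment above still says rules can be served over HTTP/S, yet the only `from-urls` example was removed; either restore a commented `#from-urls:` example or note next to it that remote rule and macro sources should be fetched over HTTPS only, since whatever they contain becomes trusted detection logic. The `#port: 587` change would read better if the comment on the line above said why the default moved off 25, e.g. `# Represents the port of the SMTP server (587 is the submission port, normally used with STARTTLS)`.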
