rule

package

v0.0.0-...-f54534b Latest Latest Go to latest Published: Mar 5, 2025 License: GPL-3.0 Imports: 22 Imported by: 1

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/evilsocket/opensnitch

Documentation ¶

Index ¶

Constants
Variables
func GetAliasByIP(ip string) string
func LoadAliases(filename string) error
type Action
type Duration
type Loader
- func NewLoader(liveReload bool) (*Loader, error)
type Operand
type Operator
- func NewOperator(t Type, s Sensitive, o Operand, data string, list []Operator) (*Operator, error)
type Rule
- func Create(name, description string, enabled, precedence, nolog bool, action Action, ...) *Rule
- func Deserialize(reply *protocol.Rule) (*Rule, error)
type Sensitive
type Type

Constants ¶

View Source

const (
	Simple  = Type("simple")
	Regexp  = Type("regexp")
	Complex = Type("complex") // for future use
	List    = Type("list")
	Network = Type("network")
	Lists   = Type("lists")
)

Available types

View Source

const (
	OpTrue                = Operand("true")
	OpProcessID           = Operand("process.id")
	OpProcessPath         = Operand("process.path")
	OpProcessParentPath   = Operand("process.parent.path")
	OpProcessCmd          = Operand("process.command")
	OpProcessEnvPrefix    = Operand("process.env.")
	OpProcessEnvPrefixLen = 12
	OpProcessHashMD5      = Operand("process.hash.md5")
	OpProcessHashSHA1     = Operand("process.hash.sha1")
	OpUserID              = Operand("user.id")
	OpUserName            = Operand("user.name")
	OpSrcIP               = Operand("source.ip")
	OpSrcPort             = Operand("source.port")
	OpDstIP               = Operand("dest.ip")
	OpDstHost             = Operand("dest.host")
	OpDstPort             = Operand("dest.port")
	OpDstNetwork          = Operand("dest.network")
	OpSrcNetwork          = Operand("source.network")
	OpProto               = Operand("protocol")
	OpIfaceIn             = Operand("iface.in")
	OpIfaceOut            = Operand("iface.out")
	OpList                = Operand("list")
	OpDomainsLists        = Operand("lists.domains")
	OpDomainsRegexpLists  = Operand("lists.domains_regexp")
	OpIPLists             = Operand("lists.ips")
	OpNetLists            = Operand("lists.nets")
	OpHashMD5Lists        = Operand("lists.hash.md5")
)

Available operands

View Source

const (
	Allow  = Action("allow")
	Deny   = Action("deny")
	Reject = Action("reject")
)

Actions of rules

View Source

const (
	Once    = Duration("once")
	Restart = Duration("until restart")
	Always  = Duration("always")
)

daemon possible durations

View Source

const (
	DefaultPath = "/etc/opensnitchd/rules"
)

DefaultPath directory

Variables ¶

View Source

var AliasIPCache = make(map[string][]*net.IPNet)

View Source

var NetworkAliases = make(map[string][]string)

Functions ¶

func GetAliasByIP ¶

func GetAliasByIP(ip string) string

func LoadAliases ¶

func LoadAliases(filename string) error

Types ¶

type Action ¶

type Action string

Action of a rule

type Duration ¶

type Duration string

Duration of a rule

type Loader ¶

type Loader struct {
	Path string

	sync.RWMutex
	// contains filtered or unexported fields
}

Loader is the object that holds the rules loaded from disk, as well as the rules watcher.

func NewLoader ¶

func NewLoader(liveReload bool) (*Loader, error)

NewLoader loads rules from disk, and watches for changes made to the rules files on disk.

func (*Loader) Add ¶

func (l *Loader) Add(rule *Rule, saveToDisk bool) error

Add adds a rule to the list of rules, and optionally saves it to disk.

func (*Loader) Delete ¶

func (l *Loader) Delete(ruleName string) error

Delete deletes a rule from the list by name. If the duration is Always (i.e: saved on disk), it'll attempt to delete it from disk.

func (*Loader) EnableChecksums ¶

func (l *Loader) EnableChecksums(enable bool)

EnableChecksums enables checksums field for rules globally.

func (*Loader) FindFirstMatch ¶

func (l *Loader) FindFirstMatch(con *conman.Connection) (match *Rule)

FindFirstMatch will try match the connection against the existing rule set.

func (*Loader) GetAll ¶

func (l *Loader) GetAll() map[string]*Rule

GetAll returns the loaded rules.

func (*Loader) HasChecksums ¶

func (l *Loader) HasChecksums(op Operand)

HasChecksums checks if the rule will check for binary checksum matches

func (*Loader) Load ¶

func (l *Loader) Load(path string) error

Load loads rules files from disk.

func (*Loader) NumRules ¶

func (l *Loader) NumRules() int

NumRules returns he number of loaded rules.

func (*Loader) Reload ¶

func (l *Loader) Reload(path string) error

Reload loads rules from the specified path, deleting existing loaded rules from memory.

func (*Loader) Replace ¶

func (l *Loader) Replace(rule *Rule, saveToDisk bool) error

Replace adds a rule to the list of rules, and optionally saves it to disk.

func (*Loader) Save ¶

func (l *Loader) Save(rule *Rule, path string) error

Save a rule to disk.

type Operand ¶

type Operand string

Operand is what we check on a connection.

type Operator ¶

type Operator struct {
	Operand   Operand    `json:"operand"`
	Data      string     `json:"data"`
	Type      Type       `json:"type"`
	List      []Operator `json:"list"`
	Sensitive Sensitive  `json:"sensitive"`

	sync.RWMutex
	// contains filtered or unexported fields
}

Operator represents what we want to filter of a connection, and how.

func NewOperator ¶

func NewOperator(t Type, s Sensitive, o Operand, data string, list []Operator) (*Operator, error)

NewOperator returns a new operator object

func (*Operator) ClearLists ¶

func (o *Operator) ClearLists()

ClearLists deletes all the entries of a list

func (*Operator) Compile ¶

func (o *Operator) Compile() error

Compile translates the operator type field to its callback counterpart

func (*Operator) Match ¶

func (o *Operator) Match(con *conman.Connection, hasChecksums bool) bool

Match tries to match parts of a connection with the given operator.

func (*Operator) SerializeData ¶

func (o *Operator) SerializeData() string

func (*Operator) StopMonitoringLists ¶

func (o *Operator) StopMonitoringLists()

StopMonitoringLists stops the monitoring lists goroutine.

func (*Operator) String ¶

func (o *Operator) String() string

type Rule ¶

type Rule struct {
	// Save date fields as string, to avoid issues marshalling Time (#1140).
	Created string `json:"created"`
	Updated string `json:"updated"`

	Name        string   `json:"name"`
	Description string   `json:"description"`
	Action      Action   `json:"action"`
	Duration    Duration `json:"duration"`
	Operator    Operator `json:"operator"`
	Enabled     bool     `json:"enabled"`
	Precedence  bool     `json:"precedence"`
	Nolog       bool     `json:"nolog"`
}

Rule represents an action on a connection. The fields match the ones saved as json to disk. If a .json rule file is modified on disk, it's reloaded automatically.

func Create ¶

func Create(name, description string, enabled, precedence, nolog bool, action Action, duration Duration, op *Operator) *Rule

Create creates a new rule object with the specified parameters.

func Deserialize ¶

func Deserialize(reply *protocol.Rule) (*Rule, error)

Deserialize translates back the rule received to a Rule object

func (*Rule) Match ¶

func (r *Rule) Match(con *conman.Connection, hasChecksums bool) bool

Match performs on a connection the checks a Rule has, to determine if it must be allowed or denied.

func (*Rule) Serialize ¶

func (r *Rule) Serialize() *protocol.Rule

Serialize translates a Rule to the protocol object

func (*Rule) String ¶

func (r *Rule) String() string

type Sensitive ¶

type Sensitive bool

Sensitive defines if a rule is case-sensitive or not. By default no.

type Type ¶

type Type string

Type is the type of rule. Every type has its own way of checking the user data against connections.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL