package agent
import (
"github.com/0xrawsec/golang-utils/datastructs"
"github.com/0xrawsec/whids/event"
)
// Sysmon related.
//
// Every filter in this block pairs a set of Sysmon event IDs with the Sysmon
// operational channel. An empty ID set puts no restriction on the event ID
// and an empty channel puts no restriction on the channel (see Filter.Match),
// so the "Any" filters below are deliberately permissive. The Sysmon* event-ID
// constants are defined elsewhere in this package.
var (
	// sysmonChannel is the Sysmon windows event log channel name matched
	// against event.EdrEvent.Channel().
	sysmonChannel = "Microsoft-Windows-Sysmon/Operational"
	// Filters definitions
	// fltAnyEvent matches every event: no event-ID and no channel restriction.
	fltAnyEvent = NewFilter([]int64{}, "")
	// Sysmon filters
	// fltAnySysmon matches every event on the Sysmon channel, whatever its ID.
	fltAnySysmon = NewFilter([]int64{}, sysmonChannel)
	// fltProcessCreate matches SysmonProcessCreate events only.
	fltProcessCreate = NewFilter([]int64{SysmonProcessCreate}, sysmonChannel)
	// fltTrack matches SysmonProcessCreate and SysmonDriverLoad events.
	fltTrack = NewFilter([]int64{SysmonProcessCreate, SysmonDriverLoad}, sysmonChannel)
	// fltProcTermination matches SysmonProcessTerminate events only.
	fltProcTermination = NewFilter([]int64{SysmonProcessTerminate}, sysmonChannel)
	// fltImageLoad matches SysmonImageLoad events only.
	fltImageLoad = NewFilter([]int64{SysmonImageLoad}, sysmonChannel)
	// fltRegSetValue matches SysmonRegSetValue events only.
	fltRegSetValue = NewFilter([]int64{SysmonRegSetValue}, sysmonChannel)
	// Network and DNS filters are currently disabled; network/DNS events are
	// still reachable through fltStats below.
	//fltNetwork = NewFilter([]int64{SysmonNetworkConnect, SysmonDNSQuery}, sysmonChannel)
	//fltDNS = NewFilter([]int64{SysmonDNSQuery}, sysmonChannel)
	// fltClipboard matches SysmonClipboardChange events only.
	fltClipboard = NewFilter([]int64{SysmonClipboardChange}, sysmonChannel)
	// fltImageTampering matches SysmonProcessTampering events only (the
	// variable name says "image", the event ID is process tampering).
	fltImageTampering = NewFilter([]int64{SysmonProcessTampering}, sysmonChannel)
	// fltImageSize matches the three event types that carry an image path:
	// process creation, driver load and image load.
	fltImageSize = NewFilter([]int64{
		SysmonProcessCreate,
		SysmonDriverLoad,
		SysmonImageLoad},
		sysmonChannel)
	// fltStats matches the event types listed below (process, network, file
	// create/delete and DNS); presumably the set used for activity statistics.
	fltStats = NewFilter([]int64{
		SysmonProcessCreate,
		SysmonNetworkConnect,
		SysmonFileCreate,
		SysmonDNSQuery,
		SysmonFileDelete,
		SysmonFileDeleteDetected},
		sysmonChannel)
)
// Security channel related.
//
// Filters over the Windows Security event log. The Security* event-ID
// constants are defined elsewhere in this package.
var (
	// securityChannel is the Security windows event log channel name matched
	// against event.EdrEvent.Channel().
	securityChannel = "Security"
	// Security filters
	// fltFSObjectAccess matches SecurityAccessObject events on the Security
	// channel only; all other Security event IDs are rejected by Filter.Match.
	fltFSObjectAccess = NewFilter([]int64{SecurityAccessObject}, securityChannel)
)
// ETW Kernel File related.
//
// Filter over the Kernel-File ETW analytic channel.
var (
	// kernelFileChannel is the ETW channel name matched against
	// event.EdrEvent.Channel().
	kernelFileChannel = "Microsoft-Windows-Kernel-File/Analytic"
	// Earlier, narrower definition restricted to create/close/read/write
	// event IDs; kept for reference.
	/*fltKernelFile = NewFilter([]int64{
	KernelFileCreate,
	KernelFileClose,
	KernelFileRead,
	KernelFileWrite},
	kernelFileChannel)
	*/
	// fltKernelFile accepts EVERY event ID on kernelFileChannel because the ID
	// set is empty (see Filter.Match). NOTE(review): this is much broader than
	// the commented-out definition above — confirm that matching the whole
	// channel, rather than just create/close/read/write, is intended.
	fltKernelFile = NewFilter([]int64{},
		kernelFileChannel)
)
// Filter selects events by event ID and by event log channel.
//
// Match calls methods on EventIDs, so a Filter must be built with NewFilter
// rather than a bare literal: a zero-value Filter has a nil EventIDs.
type Filter struct {
	// EventIDs is the set of accepted event IDs, populated by NewFilter from a
	// []int64. An empty set accepts any event ID (see Match).
	EventIDs *datastructs.SyncedSet
	// Channel is the accepted event log channel name; "" accepts any channel.
	Channel string
}
// NewFilter builds a Filter accepting the event IDs in eids on the given
// channel. An empty eids accepts any event ID and an empty channel accepts
// any channel (see Match), so NewFilter([]int64{}, "") is a match-all filter.
func NewFilter(eids []int64, channel string) *Filter {
	// Box the int64 IDs into the synced set once, at construction time.
	ids := datastructs.NewInitSyncedSet(datastructs.ToInterfaceSlice(eids)...)
	return &Filter{
		EventIDs: ids,
		Channel:  channel,
	}
}
// Match reports whether e passes the filter. The event ID must be in
// EventIDs unless that set is empty, and the channel must equal Channel
// unless Channel is "". A filter with both restrictions empty therefore
// matches every event.
func (f *Filter) Match(e *event.EdrEvent) bool {
	// An empty ID set places no restriction on the event ID.
	// NOTE(review): the set holds values boxed from int64 (see NewFilter);
	// Contains can only match if e.EventID() has that same dynamic type — confirm.
	if f.EventIDs.Len() > 0 && !f.EventIDs.Contains(e.EventID()) {
		return false
	}
	// An empty channel places no restriction on the channel.
	return f.Channel == "" || f.Channel == e.Channel()
}