SYMBOL INDEX (131 symbols across 13 files) FILE: main.go function isRoot (line 15) | func isRoot() bool { function main (line 23) | func main() { FILE: maps/auditd/auditd.go type AuditEvent (line 19) | type AuditEvent struct method Keywords (line 25) | func (e AuditEvent) Keywords() ([]string, bool) { method Select (line 34) | func (e AuditEvent) Select(name string) (interface{}, bool) { type MappedAuditEvent (line 47) | type MappedAuditEvent struct method Keywords (line 52) | func (e MappedAuditEvent) Keywords() ([]string, bool) { return e.Audit... method Select (line 54) | func (e MappedAuditEvent) Select(name string) (interface{}, bool) { function extractAuditToken (line 62) | func extractAuditToken(line string) (seq, ts string) { function mergeLineInto (line 96) | func mergeLineInto(line string, dest map[string]string, ts, seq string) { function parseLine (line 172) | func parseLine(line string) map[string]string { constant windowSize (line 183) | windowSize = 32 function ParseEvents (line 201) | func ParseEvents(logFile string) ([]AuditEvent, error) { function FindLog (line 270) | func FindLog(file string) (string, error) { function toScanResult (line 312) | func toScanResult(event AuditEvent, res sigma.Results) output.ScanResult { function Chop (line 329) | func Chop(rulePath, outputType, filePath, mappingPath string) error { function ChopToLog (line 377) | func ChopToLog(rulePath, outputType, filePath, mappingPath string) { FILE: maps/auditd/auditd_test.go constant testdataDir (line 12) | testdataDir = "../../testdata" function TestParseEventsStandard (line 14) | func TestParseEventsStandard(t *testing.T) { function TestParseEventsCorrelation (line 51) | func TestParseEventsCorrelation(t *testing.T) { function TestParseEventsSkipsNonTypeLines (line 92) | func TestParseEventsSkipsNonTypeLines(t *testing.T) { function TestParseEventsEmpty (line 110) | func TestParseEventsEmpty(t *testing.T) { function TestParseEventsBadTimestampDoesNotPanic (line 126) | func TestParseEventsBadTimestampDoesNotPanic(t *testing.T) { function TestParseEventsTimestampConversion (line 151) | func TestParseEventsTimestampConversion(t *testing.T) { function TestAuditEventSelect (line 172) | func TestAuditEventSelect(t *testing.T) { function TestAuditEventKeywords (line 195) | func TestAuditEventKeywords(t *testing.T) { function TestParseLineQuoting (line 228) | func TestParseLineQuoting(t *testing.T) { function TestParseEventsStripsQuotes (line 251) | func TestParseEventsStripsQuotes(t *testing.T) { function TestFindLogWithExistingFile (line 279) | func TestFindLogWithExistingFile(t *testing.T) { function TestFindLogMissingFile (line 295) | func TestFindLogMissingFile(t *testing.T) { constant representativeLine (line 304) | representativeLine = `type=SYSCALL msg=audit(1364481363.243:24287): arch... function TestParseEventsWindowBoundary (line 310) | func TestParseEventsWindowBoundary(t *testing.T) { function BenchmarkTokenizeParseLine (line 345) | func BenchmarkTokenizeParseLine(b *testing.B) { function BenchmarkParseEvents (line 355) | func BenchmarkParseEvents(b *testing.B) { function parseEventsOld (line 378) | func parseEventsOld(logFile string) ([]AuditEvent, error) { function BenchmarkParseEventsManySeqsOld (line 427) | func BenchmarkParseEventsManySeqsOld(b *testing.B) { function BenchmarkParseEventsManySeqs (line 452) | func BenchmarkParseEventsManySeqs(b *testing.B) { FILE: maps/journald/journald.go type JournaldEvent (line 20) | type JournaldEvent struct method Keywords (line 26) | func (e JournaldEvent) Keywords() ([]string, bool) { method Select (line 31) | func (e JournaldEvent) Select(name string) (interface{}, bool) { type MappedJournaldEvent (line 45) | type MappedJournaldEvent struct method Keywords (line 50) | func (e MappedJournaldEvent) Keywords() ([]string, bool) { return e.Jo... method Select (line 52) | func (e MappedJournaldEvent) Select(name string) (interface{}, bool) { function ParseEvents (line 59) | func ParseEvents() ([]JournaldEvent, error) { function Chop (line 109) | func Chop(rulePath, outputType, mappingPath string) error { function ChopToLog (line 159) | func ChopToLog(rulePath, outputType, mappingPath string) { FILE: maps/journald/journald_test.go function TestJournaldEventSelectMessage (line 10) | func TestJournaldEventSelectMessage(t *testing.T) { function TestJournaldEventSelectTimestamp (line 25) | func TestJournaldEventSelectTimestamp(t *testing.T) { function TestJournaldEventSelectUnknown (line 40) | func TestJournaldEventSelectUnknown(t *testing.T) { function TestJournaldEventKeywords (line 47) | func TestJournaldEventKeywords(t *testing.T) { FILE: maps/journald/stub.go function Chop (line 11) | func Chop(rulePath, outputType, mappingPath string) error { function ChopToLog (line 16) | func ChopToLog(rulePath, outputType, mappingPath string) { FILE: maps/mapping/mapping.go type Mapping (line 17) | type Mapping struct method Resolve (line 46) | func (m *Mapping) Resolve(sigmaField string) string { function Load (line 23) | func Load(path string) (*Mapping, error) { function Identity (line 39) | func Identity(source string) *Mapping { function LoadOrIdentity (line 56) | func LoadOrIdentity(path, source string) *Mapping { FILE: maps/mapping/mapping_test.go function writeTempMapping (line 9) | func writeTempMapping(t *testing.T, content string) string { function TestLoadValid (line 18) | func TestLoadValid(t *testing.T) { function TestLoadMissingFile (line 38) | func TestLoadMissingFile(t *testing.T) { function TestLoadInvalidYAML (line 45) | func TestLoadInvalidYAML(t *testing.T) { function TestLoadEmptyFields (line 54) | func TestLoadEmptyFields(t *testing.T) { function TestResolveKnownField (line 66) | func TestResolveKnownField(t *testing.T) { function TestResolveUnknownFieldPassthrough (line 77) | func TestResolveUnknownFieldPassthrough(t *testing.T) { function TestIdentity (line 89) | func TestIdentity(t *testing.T) { function TestLoadOrIdentityMissingFile (line 100) | func TestLoadOrIdentityMissingFile(t *testing.T) { function TestLoadOrIdentityValidFile (line 111) | func TestLoadOrIdentityValidFile(t *testing.T) { function TestRealMappingFiles (line 119) | func TestRealMappingFiles(t *testing.T) { FILE: maps/output/output.go type ScanResult (line 14) | type ScanResult struct type Renderer (line 29) | type Renderer struct function Write (line 36) | func Write(w io.Writer, outputType string, results []ScanResult, r Rende... function writeJSON (line 48) | func writeJSON(w io.Writer, results []ScanResult) error { function writeCSV (line 57) | func writeCSV(w io.Writer, results []ScanResult, r Renderer) error { function writeTable (line 71) | func writeTable(w io.Writer, results []ScanResult, r Renderer) { function TagString (line 81) | func TagString(tags []string) string { FILE: maps/output/output_test.go function TestWriteJSON (line 29) | func TestWriteJSON(t *testing.T) { function TestWriteJSONEmpty (line 53) | func TestWriteJSONEmpty(t *testing.T) { function TestWriteCSV (line 64) | func TestWriteCSV(t *testing.T) { function TestWriteCSVEmpty (line 86) | func TestWriteCSVEmpty(t *testing.T) { function TestWriteTable (line 97) | func TestWriteTable(t *testing.T) { function TestWriteUnknownTypeDefaultsToTable (line 111) | func TestWriteUnknownTypeDefaultsToTable(t *testing.T) { function TestTagString (line 121) | func TestTagString(t *testing.T) { FILE: maps/syslog/syslog.go function isAlpha (line 16) | func isAlpha(b byte) bool { return (b >= 'a' && b <= 'z') || (b >= 'A' &... function isDigit (line 17) | func isDigit(b byte) bool { return b >= '0' && b <= '9' } function parseSyslogTimestamp (line 28) | func parseSyslogTimestamp(line string) (ts string, n int) { type SyslogEvent (line 53) | type SyslogEvent struct method Keywords (line 61) | func (e SyslogEvent) Keywords() ([]string, bool) { method Select (line 66) | func (e SyslogEvent) Select(name string) (interface{}, bool) { type MappedSyslogEvent (line 82) | type MappedSyslogEvent struct method Keywords (line 87) | func (e MappedSyslogEvent) Keywords() ([]string, bool) { return e.Sysl... method Select (line 89) | func (e MappedSyslogEvent) Select(name string) (interface{}, bool) { function ParseEvents (line 96) | func ParseEvents(logFile string) ([]SyslogEvent, error) { function FindLog (line 138) | func FindLog(file string) (string, error) { function Chop (line 163) | func Chop(rulePath, outputType, filePath, mappingPath string) error { function ChopToLog (line 218) | func ChopToLog(rulePath, outputType, filePath, mappingPath string) { FILE: maps/syslog/syslog_test.go constant testdataDir (line 12) | testdataDir = "../../testdata" function TestParseEventsStandardFormat (line 14) | func TestParseEventsStandardFormat(t *testing.T) { function TestParseEventsRsyslogFormat (line 30) | func TestParseEventsRsyslogFormat(t *testing.T) { function TestParseEventsSkipsMalformedLines (line 44) | func TestParseEventsSkipsMalformedLines(t *testing.T) { function TestParseEventsEmptyFile (line 64) | func TestParseEventsEmptyFile(t *testing.T) { function TestParseEventsMessageContent (line 80) | func TestParseEventsMessageContent(t *testing.T) { function TestSyslogEventSelect (line 100) | func TestSyslogEventSelect(t *testing.T) { function TestSyslogEventKeywords (line 122) | func TestSyslogEventKeywords(t *testing.T) { function TestFindLogWithExistingFile (line 145) | func TestFindLogWithExistingFile(t *testing.T) { function TestFindLogMissingFile (line 161) | func TestFindLogMissingFile(t *testing.T) { function TestParseSyslogTimestampEquivalence (line 171) | func TestParseSyslogTimestampEquivalence(t *testing.T) { constant bsdLine (line 224) | bsdLine = "Mar 1 10:00:01 hostname sshd[1234]: Accepted publickey for u... constant rsyslogLine (line 225) | rsyslogLine = "2023-03-01T10:00:01.123456+00:00 hostname sshd[1234]: Acc... function BenchmarkParseEventsBSD (line 227) | func BenchmarkParseEventsBSD(b *testing.B) { function BenchmarkParseEventsRsyslog (line 247) | func BenchmarkParseEventsRsyslog(b *testing.B) { FILE: scripts/genlog/main.go function main (line 26) | func main() { type entry (line 69) | type entry struct method suspicious (line 74) | func (e entry) suspicious() bool { return e.rule != "" } function writeLog (line 76) | func writeLog(path string, entries []entry) error { function printSummary (line 96) | func printSummary(path string, entries []entry) { function pick (line 114) | func pick[T any](rng *rand.Rand, items []T) T { function randPID (line 118) | func randPID(rng *rand.Rand) int { return rng.Intn(64535) + 1000 } function randUID (line 119) | func randUID(rng *rand.Rand) int { return pick(rng, []int{0, 0, 1000, 10... function advanceTime (line 121) | func advanceTime(rng *rand.Rand, cur time.Time) time.Time { function generateAuditd (line 135) | func generateAuditd(rng *rand.Rand, start time.Time, count int, ratio fl... function auditField (line 156) | func auditField(ts int64, seq int, typ, fields string) string { function auditdBenign (line 161) | func auditdBenign(rng *rand.Rand, ts int64, seq int) entry { function auditdSuspicious (line 209) | func auditdSuspicious(rng *rand.Rand, ts int64, seq int) []entry { function generateSyslog (line 294) | func generateSyslog(rng *rand.Rand, start time.Time, count int, ratio fl... function syslogTS (line 311) | func syslogTS(t time.Time) string { function syslogLine (line 315) | func syslogLine(t time.Time, host, proc, msg string) string { function syslogBenign (line 319) | func syslogBenign(rng *rand.Rand, t time.Time) entry { function syslogSuspicious (line 350) | func syslogSuspicious(rng *rand.Rand, t time.Time) entry { function generateAuth (line 432) | func generateAuth(rng *rand.Rand, start time.Time, count int, ratio floa... function authBenign (line 449) | func authBenign(rng *rand.Rand, t time.Time) entry { function authSuspicious (line 494) | func authSuspicious(rng *rand.Rand, t time.Time) entry {