Open markuskont opened 2 years ago
Hi @markuskont I would be happy to help on this as I am thinking of contributing to some open source project, as it has been a while.
From what I can infer, we want an intelligent way to do the following:

```go
// EvalAll runs every rule in the ruleset against the event, linearly.
func (r Ruleset) EvalAll(e Event) (Results, bool) {
	results := make(Results, 0)
	for _, rule := range r.Rules {
		// Every rule is evaluated, even if the event lacks the keys it needs.
		if res, match := rule.Eval(e); match {
			results = append(results, *res)
		}
	}
	if len(results) > 0 {
		return results, true
	}
	return nil, false
}
```
> Idea would be to organize ruleset into a tree (or possibly a skiplist) where branches follow the `selection` JSON keys.

For the above, could you pass along documentation from Sigma for how we branch based on the `selection` key?
Hi @mjnovice
Yep, that's exactly what I had in mind. Thanks a lot!
This is a research issue for major development.
Initial research into this project went entirely into building individual rules themselves and making matching work. Ruleset as a whole was an afterthought and is still implemented as a simple linear list. That means that while individual rules are pretty fast, ruleset as a whole can still take a significant time to process as every event has to be evaluated against every rule.
This can also mean a lot of redundant and slow lookups, as a rule might invoke a slow regexp match only to get a negative response from a missing key later. Yet other rules might also get negative matches from missing event keys, making the text matches especially useless.
Idea would be to organize ruleset into a tree (or possibly a skiplist) where branches follow the `selection` JSON keys. That way each `Event` could in theory only follow a branch of keys that actually exist in the message, and potentially skip over a lot of redundant and even expensive rule evaluations.
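A key-indexed ruleset along the lines the issue describes, as an added Go sketch that is not the project's code: `Event`, `Rule`, `Ruleset` and the rules in `SampleRules` are assumed stand-ins, and a rule's `Match` is only reached when every selection key it depends on is present in the event, so the regexp-style text matches the issue worries about are never run against events that would fail on a missing key anyway.

```go
package main
import "strings"

// Event is a flattened JSON event, key -> value (assumed shape, not the project's type).
type Event map[string]interface{}
// Rule lists the distinct selection keys it needs (empty = always evaluated); Match runs only once all are present.
type Rule struct {
	ID    string
	Keys  []string
	Match func(Event) bool
}
// Ruleset indexes rules by selection key so an event only visits rules whose keys it carries.
type Ruleset struct {
	rules []Rule
	byKey map[string][]int // selection key -> indexes of the rules that need it
}
func NewRuleset(rules []Rule) *Ruleset {
	rs := &Ruleset{rules: rules, byKey: make(map[string][]int)}
	for i, r := range rules {
		for _, k := range r.Keys { rs.byKey[k] = append(rs.byKey[k], i) }
	}
	return rs
}
// EvalAll returns the IDs of matching rules and how many rules were actually evaluated.
func (rs *Ruleset) EvalAll(e Event) ([]string, int) {
	found := make(map[int]int) // rule index -> number of its required keys present in e
	for k := range e {
		for _, i := range rs.byKey[k] { found[i]++ }
	}
	var hits []string
	evaluated := 0
	for i, r := range rs.rules { // index order keeps results deterministic
		if found[i] == len(r.Keys) { // all required keys present; otherwise skipped unmatched
			evaluated++
			if r.Match(e) {
				hits = append(hits, r.ID)
			}
		}
	}
	return hits, evaluated
}
// SampleRules is a constructed illustration, not real Sigma content.
func SampleRules() []Rule {
	str := func(e Event, k string) string { v, _ := e[k].(string); return v }
	return []Rule{
		{ID: "proc_create", Keys: []string{"EventID", "Image"}, Match: func(e Event) bool { return e["EventID"] == 1 && strings.HasSuffix(str(e, "Image"), `\cmd.exe`) }},
		{ID: "dns_query", Keys: []string{"QueryName"}, Match: func(e Event) bool { return strings.HasSuffix(str(e, "QueryName"), ".onion") }},
		{ID: "catch_all", Match: func(Event) bool { return true }},
	}
}
```

The second return value makes the saving visible: a process-creation event never touches the DNS rule, and an event missing `Image` never reaches the `proc_create` text match at all.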