u-siem 0.7.0

A framework for building custom SIEMs
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99

use crate::prelude::SiemIp;
use crossbeam_channel::Sender;
use serde::Serialize;
use std::collections::BTreeSet;
use std::sync::Arc;

#[derive(Serialize, Debug)]
pub enum UpdateIpSet {
    Add(SiemIp),
    Remove(SiemIp),
    Replace(IpSetDataset),
}
#[derive(Debug, Clone)]
pub struct IpSetSynDataset {
    dataset: Arc<IpSetDataset>,
    comm: Sender<UpdateIpSet>,
}
impl IpSetSynDataset {
    pub fn new(dataset: Arc<IpSetDataset>, comm: Sender<UpdateIpSet>) -> Self {
        Self { dataset, comm }
    }
    pub fn empty() -> Self {
        let (sender, _) = crossbeam_channel::bounded(1);
        Self {
            dataset: Arc::new(IpSetDataset::new()),
            comm: sender,
        }
    }
    /// Used to add IP with custom information like tags.
    pub fn insert(&self, ip: SiemIp) {
        // Todo: improve with local cache to send retries
        let _ = self.comm.try_send(UpdateIpSet::Add(ip));
    }
    pub fn remove(&self, ip: SiemIp) {
        // Todo: improve with local cache to send retries
        let _ = self.comm.try_send(UpdateIpSet::Remove(ip));
    }
    pub fn update(&self, data: IpSetDataset) {
        // Todo: improve with local cache to send retries
        let _ = self.comm.try_send(UpdateIpSet::Replace(data));
    }
    pub fn contains(&self, ip: &SiemIp) -> bool {
        // Todo improve with cached content
        self.dataset.contains(ip)
    }
}
#[derive(Serialize, Debug)]
pub struct IpSetDataset {
    data4: BTreeSet<u32>,
    data6: BTreeSet<u128>,
}

impl Default for IpSetDataset {
    fn default() -> Self {
        Self::new()
    }
}

impl IpSetDataset {
    pub fn new() -> Self {
        Self {
            data4: BTreeSet::new(),
            data6: BTreeSet::new(),
        }
    }
    pub fn insert(&mut self, ip: SiemIp) {
        match ip {
            SiemIp::V4(ip) => {
                self.data4.insert(ip);
            }
            SiemIp::V6(ip) => {
                self.data6.insert(ip);
            }
        }
    }
    pub fn contains(&self, ip: &SiemIp) -> bool {
        match ip {
            SiemIp::V4(ip) => self.data4.contains(ip),
            SiemIp::V6(ip) => self.data6.contains(ip),
        }
    }
    pub fn internal_ref(&self) -> (&BTreeSet<u32>, &BTreeSet<u128>) {
        (&self.data4, &self.data6)
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    #[test]
    fn should_be_in_set() {
        let mut dataset = IpSetDataset::new();
        dataset.insert(SiemIp::from_ip_str("192.168.1.1").unwrap());
        assert_eq!(
            dataset.contains(&SiemIp::from_ip_str("192.168.1.1").unwrap()),
            true
        );
    }
}