u-siem 0.7.0

A framework for building custom SIEMs
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81

use crate::prelude::types::LogString;
use crate::prelude::SiemResult;
use crossbeam_channel::{Receiver, Sender};

use self::dataset::holder::DatasetHolder;

use super::events::SiemLog;
use common::{SiemComponentCapabilities, SiemMessage};
use dataset::SiemDatasetType;
use std::boxed::Box;
use std::collections::BTreeMap;
use std::sync::{Arc, Mutex};
use storage::SiemComponentStateStorage;

pub mod alert;
pub mod command;
pub mod command_types;
pub mod common;
pub mod dataset;
pub mod enrichment;
pub mod kernel_message;
pub mod metrics;
pub mod mitre;
pub mod parsing;
pub mod query;
pub mod rule;
pub mod storage;
pub mod task;
pub mod use_case;

pub trait SiemComponent: Send {
    fn name(&self) -> &'static str {
        "SiemComponent"
    }
    /// Get the channel to this component
    fn local_channel(&self) -> Sender<SiemMessage>;
    /// Sets the channel used to receive/send logs. It's the kernel who sets the channel
    fn set_log_channel(&mut self, sender: Sender<SiemLog>, receiver: Receiver<SiemLog>);

    /// Execute the logic of this component in an infinite loop. Must be stopped using Commands sent using the channel.
    fn run(&mut self) -> SiemResult<()>;

    /// Allow to store information about this component like the state or configurations.
    fn set_storage(&mut self, conn: Box<dyn SiemComponentStateStorage>);

    /// Capabilities and actions that can be performed by this component
    fn capabilities(&self) -> SiemComponentCapabilities;

    /// Allows the Kernel to duplicate this component
    fn duplicate(&self) -> Box<dyn SiemComponent>;

    /// Initialize the component with the datasets before executing run
    fn set_datasets(&mut self, datasets: DatasetHolder);
}

pub trait SiemDatasetManager: Send {
    fn set_id(&mut self, id: u64);

    fn name(&self) -> &str {
        "SiemDatasetManager"
    }
    /// Get the channel to this component
    fn local_channel(&self) -> Sender<SiemMessage>;

    /// Execute the logic of this component in an infinite loop. Must be stopped using Commands sent using the channel.
    fn run(&mut self) -> SiemResult<()>;

    /// The kernel registers the datasets of the components
    fn register_dataset(&mut self, dataset: SiemDatasetType);
    /// The kernel registers the datasets of the components
    fn register_datasets(&mut self, datasets: Vec<SiemDatasetType>);

    /// Get the list of datasets to initialize components.
    /// This must be the live version of the datasets shared only between the DatasetManager and the Kernel
    fn get_datasets(&self) -> Arc<Mutex<DatasetHolder>>;
}

pub trait SiemRuleEngine: SiemComponent {
    /// Sets the dictionary of languages to generate the different alerts of the rules
    fn set_languages(&mut self, languages: BTreeMap<LogString, BTreeMap<LogString, LogString>>);
}