u-siem 0.7.0

A framework for building custom SIEMs
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117

use crate::prelude::{types::LogString, SiemField, SiemLog};

use super::{field_dictionary::*, ip::SiemIp};
use serde::{Deserialize, Serialize};

#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct DnsEvent {
    /// Client that queried
    pub source_ip: SiemIp,
    /// Server that answered the question
    pub destination_ip: SiemIp,
    /// Answer or question
    pub op_code: DnsEventType,
    /// dns.question.type or dns.answer.type
    pub record_type: DnsRecordType,
    /// dns.question.name or dns.answer.name
    pub record_name: LogString,
    pub data: Option<LogString>,
}

impl DnsEvent {
    pub fn source_ip(&self) -> &SiemIp {
        &self.source_ip
    }
    pub fn destination_ip(&self) -> &SiemIp {
        &self.destination_ip
    }
    pub fn op_code(&self) -> &DnsEventType {
        &self.op_code
    }
    pub fn record_type(&self) -> &DnsRecordType {
        &self.record_type
    }
    pub fn record_name(&self) -> &str {
        &self.record_name
    }
    pub fn data(&self) -> &Option<LogString> {
        &self.data
    }
}

#[derive(Serialize, Deserialize, Debug, PartialEq, Clone)]
pub enum DnsEventType {
    ANSWER,
    QUERY,
}

impl std::fmt::Display for DnsEventType {
    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
        write!(f, "{:?}", self)
        // or, alternatively:
        // fmt::Debug::fmt(self, f)
    }
}

#[derive(Serialize, Deserialize, Debug, PartialEq, Clone)]
pub enum DnsRecordType {
    A,
    AAAA,
    CNAME,
    MX,
    NS,
    PTR,
    CERT,
    SRV,
    TXT,
    SOA,
}

impl std::fmt::Display for DnsRecordType {
    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
        write!(f, "{:?}", self)
        // or, alternatively:
        // fmt::Debug::fmt(self, f)
    }
}

impl DnsRecordType {
    pub fn as_cow(&self) -> LogString {
        match self {
            DnsRecordType::A => LogString::Borrowed("A"),
            DnsRecordType::AAAA => LogString::Borrowed("AAAA"),
            DnsRecordType::CNAME => LogString::Borrowed("CNAME"),
            DnsRecordType::MX => LogString::Borrowed("MX"),
            DnsRecordType::NS => LogString::Borrowed("NS"),
            DnsRecordType::PTR => LogString::Borrowed("PTR"),
            DnsRecordType::CERT => LogString::Borrowed("CERT"),
            DnsRecordType::SRV => LogString::Borrowed("SRV"),
            DnsRecordType::TXT => LogString::Borrowed("TXT"),
            DnsRecordType::SOA => LogString::Borrowed("SOA"),
        }
    }
}
impl From<DnsEvent> for SiemLog {
    fn from(val: DnsEvent) -> Self {
        let mut log = SiemLog::new("", 0, "");
        log.add_field(SOURCE_IP, SiemField::IP(val.source_ip));
        log.add_field(DESTINATION_IP, SiemField::IP(val.destination_ip));
        match val.op_code {
            DnsEventType::ANSWER => {
                log.add_field(DNS_OP_CODE, SiemField::Text(LogString::Borrowed("ANSWER")));
                log.add_field(DNS_ANSWER_NAME, SiemField::Text(val.record_name));
                if let Some(data) = val.data {
                    log.add_field(DNS_ANSWER_DATA, data.to_string().into());
                };
                log.add_field(DNS_ANSWER_TYPE, SiemField::Text(val.record_type.as_cow()));
            }
            DnsEventType::QUERY => {
                log.add_field(DNS_OP_CODE, SiemField::Text(LogString::Borrowed("QUERY")));

                log.add_field(DNS_QUESTION_NAME, SiemField::Text(val.record_name));
                log.add_field(DNS_QUESTION_TYPE, SiemField::Text(val.record_type.as_cow()));
            }
        };
        log
    }
}