u-siem 0.7.0

A framework for building custom SIEMs
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140

use crate::prelude::{
    holder::DatasetHolder, FieldSchema, GeneratorConfig, LogGenerator, LogParser, LogParsingError,
    SiemField, SiemLog,
};

pub struct DummyLogGenerator {}

impl LogGenerator for DummyLogGenerator {
    fn log(&self) -> String {
        "This is a dummy log".to_string()
    }

    fn weight(&self) -> u8 {
        1
    }

    fn configure(&mut self, _config: GeneratorConfig) {}
}

/// Parser that only parses a log if the message contains the word "DUMMY".
///
/// Adds an extra field called "parser" with the content "DummyParserText"
#[derive(Clone, Default)]
pub struct DummyParserText {
    schema: FieldSchema,
}
impl DummyParserText {
    pub fn new() -> Self {
        Self {
            schema: FieldSchema::new(),
        }
    }
}

impl LogParser for DummyParserText {
    fn parse_log(
        &self,
        mut log: SiemLog,
        _datasets: &DatasetHolder,
    ) -> Result<SiemLog, LogParsingError> {
        if !log.message().contains("DUMMY") {
            return Err(LogParsingError::NoValidParser(log));
        }
        log.add_field("parser", SiemField::from_str_slice("DummyParserText"));
        Ok(log)
    }
    fn name(&self) -> &'static str {
        "DummyParserText"
    }
    fn description(&self) -> &'static str {
        "This is a dummy that parsers if contains DUMMY in text"
    }
    fn schema(&self) -> &FieldSchema {
        &self.schema
    }

    fn generator(&self) -> Box<dyn LogGenerator> {
        Box::new(DummyLogGenerator {})
    }
}

/// A simple parser that always parses logs.
///
/// Adds an extra field called "parser" with the content "DummyParserAll"
#[derive(Clone, Default)]
pub struct DummyParserAll {
    schema: FieldSchema,
}
impl DummyParserAll {
    pub fn new() -> Self {
        Self {
            schema: FieldSchema::new(),
        }
    }
}

impl LogParser for DummyParserAll {
    fn parse_log(
        &self,
        mut log: SiemLog,
        _datasets: &DatasetHolder,
    ) -> Result<SiemLog, LogParsingError> {
        log.add_field("parser", "DummyParserAll".into());
        Ok(log)
    }
    fn name(&self) -> &'static str {
        "DummyParserAll"
    }
    fn description(&self) -> &'static str {
        "This is a dummy parser that always parses logs"
    }
    fn schema(&self) -> &FieldSchema {
        &self.schema
    }

    fn generator(&self) -> Box<dyn LogGenerator> {
        Box::new(DummyLogGenerator {})
    }
}

/// Parser that always returns a parser error
#[derive(Clone)]
pub struct DummyParserError {
    schema: FieldSchema,
}
impl Default for DummyParserError {
    fn default() -> Self {
        Self {
            schema: FieldSchema::new(),
        }
    }
}
impl DummyParserError {
    pub fn new() -> Self {
        Self::default()
    }
}

impl LogParser for DummyParserError {
    fn parse_log(
        &self,
        log: SiemLog,
        _datasets: &DatasetHolder,
    ) -> Result<SiemLog, LogParsingError> {
        Err(LogParsingError::ParserError(log, "Bug in parser".into()))
    }
    fn name(&self) -> &'static str {
        "DummyParserError"
    }
    fn description(&self) -> &'static str {
        "This is a parser that cannot parse because it has a bug"
    }
    fn schema(&self) -> &FieldSchema {
        &self.schema
    }

    fn generator(&self) -> Box<dyn LogGenerator> {
        Box::new(DummyLogGenerator {})
    }
}