Lib.rs

Text processing
#security #log-processing #threat-detection #signature-engine

gene

Crate providing a log matching framework written in Rust

Owned by qjerome.

3 releases

0.1.2 Apr 11, 2024
0.1.1 Apr 11, 2024
0.1.0 Apr 11, 2024

#306 in Text processing

Download history 277/week @ 2024-04-08 10/week @ 2024-04-15

287 downloads per month

GPL-3.0 license

5.5MB
4.5K SLoC

Crates.io Version GitHub Workflow Status (with event)

Description

This project is a Rust implementation of the Gene project initially written in Go. The main objective of this project is to embed a security event scanning engine to Kunai. Even though it has been built for a specific use case, the code in this library is completely re-usable for other log scanning purposes.

This re-implementation was also the occasion to completely rework the rule format, to make it simpler, better structured and easier to write. It is now using the YAML document format to encode rule information.

name: mimic.kthread
meta:
    tags: [ 'os:linux' ]
    attack: [ T1036 ]
    authors: [ 0xrawsec ]
    comments:
        - tries to catch binaries masquerading kernel threads
match-on:
    events:
        # we match kunai events execve and execve_script
        kunai: [1,2]
matches:
    # 0x200000 is the flag for KTHREAD
    $task_is_kthread: .info.task.flags &= '0x200000'
    # common kthread names 
    $kthread_names: .info.task.name ~= '^(kworker)'
# if task is NOT a KTHREAD but we have a name that looks like one
condition: not $task_is_kthread and $kthread_names
severity: 10

Benchmarks

Even though the following benchmarks were made with real detection rules and real security events performances are indicative. I would say that the throughput is not bad, at least to fulfill the main objective of this project. The most important aspect being that this library does not become the bottleneck of the program in which it is embedded.

To determine whether this library might be a bottleneck for your application, try to evaluate the number of events you want to scan per second and see if it is above the processing throughput.

Engine loaded with hundred-ish rules (1 thread)

Number of scanned events: 1001600 -> 1327.72 MB
Number of loaded rules: 127
Scan duration: 1.279534249s -> 1037.66 MB/s -> 782784.83 events/s
Number of detections: 550

Engine loaded with thousand-ish rules (1 thread)

Number of scanned events: 1001600 -> 1327.72 MB
Number of loaded rules: 1016
Scan duration: 9.535205107s -> 139.24 MB/s -> 105042.31 events/s
Number of detections: 550

Dependencies

~6–8MB
~154K SLoC