Signatures
In Eolh, detection rules are implemented as Signatures. Eolh's Signature interface is almost identical to Tracee's Signature interface, except that the events it receives are ETW events.
detect.Signature
Interface
type Signature interface {
	// GetMetadata allows the signature to declare information about itself
	GetMetadata() (SignatureMetadata, error)
	// GetSelectedEvents allows the signature to declare which events it subscribes to
	GetSelectedEvents() ([]SignatureEventSelector, error)
	// Init allows the signature to initialize its internal state
	Init(ctx SignatureContext) error
	// Close cleans up the state the signature set up in Init
	Close()
	// OnEvent allows the signature to process events passed by the Engine. This is the business logic of the signature
	OnEvent(event protocol.Event) error
	// OnSignal allows the signature to handle lifecycle events of the signature
	OnSignal(signal Signal) error
}
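The following is an added example of a signature implementing this interface, not code from Eolh or Tracee. The type definitions it compiles against (SignatureMetadata, SignatureEventSelector, Event, SignatureContext, Signal and their fields), the selector values "etw" / "process_create", the payload key "CommandLine", the rule logic, and the RunSignature driver standing in for the engine are all assumptions made for the example; the interface's method set is the one shown above.

```go
package main

import ("errors"; "strings")

// Stand-ins for the engine's types; the field names are assumptions, not Eolh's definitions.
type SignatureMetadata struct{ ID, Name string }
type SignatureEventSelector struct{ Source, Name string }
type Event struct{ Name string; Payload map[string]string } // ETW event name plus its fields
type SignatureContext struct{ Callback func(sigID string, e Event) } // how a rule reports a finding
type Signal interface{}

// Signature is the interface shown above, written over the stand-in types.
type Signature interface {
	GetMetadata() (SignatureMetadata, error)
	GetSelectedEvents() ([]SignatureEventSelector, error)
	Init(ctx SignatureContext) error
	Close()
	OnEvent(event Event) error
	OnSignal(signal Signal) error
}

// EncodedPowerShell is a constructed rule: it subscribes to process-creation events and
// reports those whose command line runs PowerShell with an encoded command (-enc / -EncodedCommand).
type EncodedPowerShell struct{ cb func(string, Event) }

func (s *EncodedPowerShell) GetMetadata() (SignatureMetadata, error) { return SignatureMetadata{ID: "EXAMPLE-001", Name: "PowerShell encoded command"}, nil }
func (s *EncodedPowerShell) GetSelectedEvents() ([]SignatureEventSelector, error) { return []SignatureEventSelector{{Source: "etw", Name: "process_create"}}, nil } // assumed names
func (s *EncodedPowerShell) Init(ctx SignatureContext) error { s.cb = ctx.Callback; return nil }
func (s *EncodedPowerShell) Close()                          { s.cb = nil }
func (s *EncodedPowerShell) OnSignal(Signal) error           { return nil }
func (s *EncodedPowerShell) OnEvent(e Event) error {
	if s.cb == nil { return errors.New("OnEvent called before Init or after Close") } // engine must Init first
	cmd := strings.ToLower(e.Payload["CommandLine"])
	if strings.Contains(cmd, "powershell") && strings.Contains(cmd, "-enc") {
		s.cb("EXAMPLE-001", e)
	}
	return nil
}

// RunSignature drives the lifecycle the engine would: Init, OnEvent per event, then Close.
func RunSignature(sig Signature, events []Event) (hits []Event, err error) {
	if err = sig.Init(SignatureContext{Callback: func(_ string, e Event) { hits = append(hits, e) }}); err != nil {
		return nil, err
	}
	defer sig.Close()
	for _, e := range events {
		if err = sig.OnEvent(e); err != nil {
			return nil, err
		}
	}
	return hits, nil
}
```

The rule only ever receives the events it selected, so it keys its logic on payload fields rather than re-checking the event name; the nil-callback check covers an engine delivering events outside the Init/Close window.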