Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add new query language plugin #2074

Merged
merged 12 commits into from
Feb 11, 2022
Merged

Add new query language plugin #2074

merged 12 commits into from
Feb 11, 2022

Conversation

mavam
Copy link
Member

@mavam mavam commented Feb 9, 2022
edited
Loading

This PR adds a new query language plugin that allows for specifying a "frontend" language to VAST. The vision is that VAST can execute queries from multiple languages and uses a unified intermediate representation (such as substrait internally. The VAST language then becomes one frontend of many others.

As an example frontend, we use Sigma, for which VAST already has (syntactical) parser support.

📝 Checklist

  • Add new plugin type
  • Rewrite Sigma rule parser as query language frontend
  • Move Sigma-specific logic into plugin
  • Move unit tests into plugin
  • Move integration tests into plugin
  • Review CI (unit & integration tests) @dominiklohmann
  • Write README
  • Update docs.tenzir.com/vast
  • Enable in Nix build
  • Support configuration of query language frontends in vast.yaml (separate PR?)

🎯 Review Instructions

File-by-file.

@mavam
Add new query language plugin
0206cd7 
This commit adds a new query language plugin that allows for specifying
"frontend" languages.

We rewrote the Sigma rule parser as an example plugin to demonstrate the
use.
@mavam mavam self-assigned this Feb 9, 2022
@mavam mavam requested a review from dominiklohmann February 9, 2022 19:19
@mavam
Copy link
Member Author

mavam commented Feb 9, 2022

@dominiklohmann I need a review from you at some point to figure out if I added the plugin to CI properly, or whether it should be part of the matrix like the examples.

@mavam mavam mentioned this pull request Feb 9, 2022
Closed
9 tasks
@dominiklohmann
Copy link
Member

I'd prefer for it to be part of the matrix, that's quicker to build. The only reason why the PCAP plugin isn't added that way is because we use it for testing bundled plugin builds.

@mavam
Copy link
Member Author

mavam commented Feb 10, 2022
edited
Loading

I'd prefer for it to be part of the matrix, that's quicker to build. The only reason why the PCAP plugin isn't added that way is because we use it for testing bundled plugin builds.

Okay, changed. Do I need to do anything to invoke the unit and integration tests from CI? Or is this handled by the plugin framework?

@mavam
Copy link
Member Author

mavam commented Feb 10, 2022

@dominiklohmann any idea why the PR checks do not include the plugin, even though I changed vast.yaml to add another plugin?

@dominiklohmann
Copy link
Member

dominiklohmann commented Feb 10, 2022
edited
Loading

Okay, changed. Do I need to do anything to invoke the unit and integration tests from CI? Or is this handled by the plugin framework?

Should be handled automatically.

@dominiklohmann any idea why the PR checks do not include the plugin, even though I changed vast.yaml to add another plugin?

It's not made required yet in the branch protections, so it'll only show up once it's actually running. It is now.

@mavam mavam requested a review from lava February 10, 2022 08:46
@mavam mavam marked this pull request as ready for review February 10, 2022 08:46
dominiklohmann
dominiklohmann approved these changes Feb 10, 2022
View reviewed changes
Copy link
Member

@dominiklohmann dominiklohmann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is great. Obviously documentation is missing, but I'm happy to approve of the code.

After merging this has to be added to our branch protections. Can you add a task for that somewhere?

libvast/src/system/spawn_arguments.cpp Outdated Show resolved Hide resolved
plugins/sigma/integration/data/zeek Show resolved Hide resolved
plugins/sigma/README.md Outdated Show resolved Hide resolved
plugins/sigma/CHANGELOG.md Outdated Show resolved Hide resolved
@mavam mavam enabled auto-merge February 11, 2022 05:11
@mavam mavam disabled auto-merge February 11, 2022 05:12
@mavam mavam force-pushed the topic/query-language-plugin branch from f41d76c to 0fab1f3 Compare February 11, 2022 05:46
@mavam mavam force-pushed the topic/query-language-plugin branch from 0fab1f3 to b1f85dc Compare February 11, 2022 05:50
lava
lava approved these changes Feb 11, 2022
View reviewed changes
Copy link
Member

@lava lava left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, but there are still debug messages in the code.

libvast/src/system/spawn_arguments.cpp Outdated Show resolved Hide resolved
libvast/src/system/spawn_arguments.cpp Show resolved Hide resolved
changelog/unreleased/features/2074--query-language-plugin.md Outdated Show resolved Hide resolved
@mavam mavam enabled auto-merge February 11, 2022 09:53
@mavam mavam merged commit 6e7a4ef into master Feb 11, 2022
@mavam mavam deleted the topic/query-language-plugin branch February 11, 2022 10:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dominiklohmann dominiklohmann dominiklohmann approved these changes

@lava lava lava approved these changes

Assignees

@mavam mavam

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mavam @dominiklohmann @lava