Added parent_id parameter to ruleevent
okynos committed Apr 29, 2024
1 parent b3065f2 commit af351b3
Showing 6 changed files with 33 additions and 18 deletions.
10 changes: 8 additions & 2 deletions config/index_template.json
Expand Up @@ -57,7 +57,10 @@
"egid": { "type": "keyword" },
"fsgid": { "type": "keyword" },
"exe": { "type": "keyword" },
"source": { "type": "keyword" }
"source": { "type": "keyword" },
"parent_id": { "type": "keyword" },
"message": { "type": "keyword" },
"rule": { "type": "keyword" }
}
},
"settings": {
Expand Down Expand Up @@ -120,7 +123,10 @@
"egid",
"fsgid",
"exe",
"source"
"source",
"parent_id",
"message",
"rule"
]
}
}
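Review bot: `message` is mapped as `keyword` in the first hunk although it carries the free-text rule message (src/ruleset.rs fills it from the rule's `message` entry); a `keyword` field is matched only by exact term, and Elasticsearch rejects a keyword value longer than 32766 bytes when no `ignore_above` is set. If rule messages are meant to be searched by words, `"message": { "type": "text", "fields": { "keyword": { "type": "keyword" } } }` would serve better; if exact-match filtering is all that is needed, the current mapping is fine. The second hunk repeats the same field list and presumably has to be kept in step by hand, so the two additions should be reviewed together.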
2 changes: 1 addition & 1 deletion src/auditevent.rs
Expand Up @@ -410,7 +410,7 @@ impl Event {
_ => self.log(&cfg.get_events_file())
}
let filepath = PathBuf::from(self.path.clone());
ruleset.match_rule(cfg, filepath.join(self.file.clone())).await;
ruleset.match_rule(cfg, filepath.join(self.file.clone()), self.id.clone()).await;
}
}
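Review bot: The `(bool, usize)` that `match_rule` returns is dropped silently on the changed line; a tuple carries no `#[must_use]`, so rustc will not flag it if a later change makes the result meaningful. If discarding it is intended, say so in the code: `let _ = ruleset.match_rule(cfg, filepath.join(self.file.clone()), self.id.clone()).await;`. The same applies to the changed line in src/monitorevent.rs. The enclosing method starts before the hunk.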

2 changes: 1 addition & 1 deletion src/monitorevent.rs
Expand Up @@ -178,7 +178,7 @@ impl Event for MonitorEvent {
// Function to manage event destination
async fn process(&self, cfg: AppConfig, _ruleset: Ruleset) {
route(self, cfg.clone()).await;
_ruleset.match_rule(cfg, self.path.clone()).await;
_ruleset.match_rule(cfg, self.path.clone(), self.id.clone()).await;
}

// ------------------------------------------------------------------------
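Review bot: The changed line calls `_ruleset.match_rule(...)`, yet the parameter keeps its underscore prefix in the `process` signature, which by Rust convention marks a binding as unused; with the value now clearly in use the prefix only hides the unused-variable lint's meaning. Rename it in both places: `async fn process(&self, cfg: AppConfig, ruleset: Ruleset) {` and `ruleset.match_rule(cfg, self.path.clone(), self.id.clone()).await;`.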
1 change: 0 additions & 1 deletion src/rotator.rs
Expand Up @@ -140,7 +140,6 @@ fn rotate_file(filepath: &str, iteration: u32, lock: Mutex<bool>){
};

*lock.lock().unwrap() = false;
lock.clear_poison();
info!("File {} rotated.", filepath);
info!("Compressing rotated file {}", file_rotated);
#[cfg(windows)]
23 changes: 16 additions & 7 deletions src/ruleevent.rs
Expand Up @@ -23,7 +23,8 @@ pub struct RuleEvent {
pub path: PathBuf,
pub fpid: u32,
pub system: String,
pub message: String
pub message: String,
pub parent_id: String
}

// ----------------------------------------------------------------------------
Expand All @@ -39,7 +40,8 @@ impl Event for RuleEvent {
"fpid": self.fpid.clone(),
"version": self.version.clone(),
"system": self.system.clone(),
"message": self.message.clone()
"message": self.message.clone(),
"parent_id": self.parent_id.clone()
});
to_string(&obj).unwrap()
}
Expand All @@ -56,7 +58,8 @@ impl Event for RuleEvent {
path: self.path.clone(),
fpid: self.fpid,
system: self.system.clone(),
message: self.message.clone()
message: self.message.clone(),
parent_id: self.parent_id.clone()
}
}

Expand Down Expand Up @@ -96,7 +99,8 @@ impl Event for RuleEvent {
"fpid": self.fpid.clone(),
"version": self.version.clone(),
"system": self.system.clone(),
"message": self.message.clone()
"message": self.message.clone(),
"parent_id": self.parent_id.clone()
}),
"index": "fim_events"
});
Expand Down Expand Up @@ -125,7 +129,8 @@ impl Event for RuleEvent {
"fpid": self.fpid.clone(),
"version": self.version.clone(),
"system": self.system.clone(),
"message": self.message.clone()
"message": self.message.clone(),
"parent_id": self.parent_id.clone()
});
let request_url = format!("{}/{}/_doc/{}", cfg.endpoint_address, index, self.id);
let client = Client::builder()
Expand Down Expand Up @@ -172,6 +177,7 @@ impl Event for RuleEvent {
"version" => self.version.clone(),
"system" => self.system.clone(),
"message" => self.message.clone(),
"parent_id" => self.parent_id.clone(),
_ => "".to_string()
}
}
Expand Down Expand Up @@ -204,6 +210,7 @@ mod tests {
fpid: 0,
system: "test".to_string(),
message: "This is a message".to_string(),
parent_id: "0000".to_string()
}
}

Expand All @@ -221,6 +228,7 @@ mod tests {
assert_eq!(event.fpid, cloned.fpid);
assert_eq!(event.system, cloned.system);
assert_eq!(event.message, cloned.message);
assert_eq!(event.parent_id, cloned.parent_id);
}

// ------------------------------------------------------------------------
Expand All @@ -236,6 +244,7 @@ mod tests {
assert_eq!(evt.fpid, 0);
assert_eq!(evt.system, String::from("test"));
assert_eq!(evt.message, String::from("This is a message"));
assert_eq!(evt.parent_id, String::from("0000"));
}

// ------------------------------------------------------------------------
Expand Down Expand Up @@ -272,7 +281,7 @@ mod tests {
#[test]
fn test_format_json() {
let expected = "{\"fpid\":0,\"hostname\":\"Hostname\",\"id\":0,\"message\":\"This is a message\",\
\"rule\":\"\\\\.php$\",\"system\":\"test\",\"timestamp\":\"Timestamp\",\"version\":\"x.x.x\"}";
\"parent_id\":\"0000\",\"rule\":\"\\\\.php$\",\"system\":\"test\",\"timestamp\":\"Timestamp\",\"version\":\"x.x.x\"}";
assert_eq!(create_test_event().format_json(), expected);
}

Expand All @@ -286,7 +295,7 @@ mod tests {
evt.log(filename.clone());
let contents = fs::read_to_string(filename.clone());
let expected = "{\"fpid\":0,\"hostname\":\"Hostname\",\"id\":0,\"message\":\"This is a message\",\
\"rule\":\"\\\\.php$\",\"system\":\"test\",\"timestamp\":\"Timestamp\",\"version\":\"x.x.x\"}\n";
\"parent_id\":\"0000\",\"rule\":\"\\\\.php$\",\"system\":\"test\",\"timestamp\":\"Timestamp\",\"version\":\"x.x.x\"}\n";
assert_eq!(contents.unwrap(), expected);
remove_test_file(filename.clone());
}
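Review bot: The new `parent_id` field on `RuleEvent` (first hunk) has no doc comment, and nothing in this file says which id it holds; the call sites in src/auditevent.rs and src/monitorevent.rs pass the triggering event's `self.id`, so the meaning is only discoverable by reading the callers. Add `/// Id of the audit or monitor event whose path matched this rule; used to correlate the two records.` above `pub parent_id: String`. Because the field is written into the Elasticsearch document and the log line by the hunks below, the comment should also state that it is a correlation key and not a rule identifier.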
13 changes: 7 additions & 6 deletions src/ruleset.rs
Expand Up @@ -94,7 +94,7 @@ impl Ruleset {

// ------------------------------------------------------------------------

pub async fn match_rule(&self, cfg: AppConfig, filepath: PathBuf) -> (bool, usize) {
pub async fn match_rule(&self, cfg: AppConfig, filepath: PathBuf, ruleid: String) -> (bool, usize) {
let path = match filepath.parent() {
Some(p) => p.to_str().unwrap(),
None => {
Expand Down Expand Up @@ -142,7 +142,8 @@ impl Ruleset {
path: filepath,
fpid: utils::get_pid(),
system: cfg.clone().system,
message: self.rules.get(&id).unwrap().get("message").unwrap().clone()
message: self.rules.get(&id).unwrap().get("message").unwrap().clone(),
parent_id: ruleid
};
event.process(cfg, self.clone()).await;
(true, id)
Expand Down Expand Up @@ -299,11 +300,11 @@ mod tests {
let cfg = AppConfig::new(&utils::get_os(), None);
let ruleset = Ruleset::new(&utils::get_os(), None);

let (result, id) = block_on(ruleset.match_rule(cfg.clone(), PathBuf::from("/etc/file.sh")));
let (result, id) = block_on(ruleset.match_rule(cfg.clone(), PathBuf::from("/etc/file.sh"), String::from("0000")));
assert_eq!(id, 1);
assert_eq!(result, true);

let (result, id) = block_on(ruleset.match_rule(cfg, PathBuf::from("/etc/file.php")));
let (result, id) = block_on(ruleset.match_rule(cfg, PathBuf::from("/etc/file.php"), String::from("0000")));
assert_eq!(id, usize::MAX);
assert_eq!(result, false);
}
Expand All @@ -316,11 +317,11 @@ mod tests {
let cfg = AppConfig::new(&utils::get_os(), None);
let ruleset = Ruleset::new(&utils::get_os(), None);

let (result, id) = block_on(ruleset.match_rule(cfg.clone(), PathBuf::from("C:\\file.ps1")));
let (result, id) = block_on(ruleset.match_rule(cfg.clone(), PathBuf::from("C:\\file.ps1"), String::from("0000")));
assert_eq!(id, 1);
assert_eq!(result, true);

let (result, id) = block_on(ruleset.match_rule(cfg, PathBuf::from("C:\\file.php")));
let (result, id) = block_on(ruleset.match_rule(cfg, PathBuf::from("C:\\file.php"), String::from("0000")));
assert_eq!(id, usize::MAX);
assert_eq!(result, false);
}
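Review bot: The new `match_rule` parameter is named `ruleid`, but the second hunk stores it as `parent_id` on the `RuleEvent` and the callers pass the triggering event's `self.id`, so the signature promises a rule identifier while the value is an event identifier; a reader of the signature alone would pass the wrong thing. Rename it to match the field it feeds: `pub async fn match_rule(&self, cfg: AppConfig, filepath: PathBuf, parent_id: String) -> (bool, usize) {` and `parent_id,` in the struct literal. The function body continues outside both hunks.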
