refactor: translate references on rules when available (#73)
mmta authored Mar 31, 2024
1 parent 0700119 commit d8687cc
Showing 2 changed files with 72 additions and 2 deletions.
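--- a/server/src/backlog/mod.rs
+++ b/server/src/backlog/mod.rs
@@ -27,7 +27,8 @@ use crate::{
     intel::{IntelPlugin, IntelResult},
     log_writer::{FileType, LogWriterMessage},
     rule::DirectiveRule,
-    tracer, utils,
+    tracer,
+    utils::{self, ref_to_digit},
     vuln::{VulnPlugin, VulnResult},
 };
 
@@ -826,7 +827,7 @@ impl Backlog {
             }
         }
 
-        let s = serde_json::to_string(&self)? + "\n";
+        let s = self.to_alarm_json()? + "\n";
 
         if let Some(sender) = &self.log_tx {
             sender.send(LogWriterMessage { data: s, file_type: FileType::Alarm })?
@@ -892,6 +893,67 @@ impl Backlog {
         *w = combined;
         Ok(())
     }
+
+    fn to_alarm_json(&self) -> Result<String> {
+        // this replaces the ref to digit in rules with the actual referred value
+        // before the alarm is serialized to json
+
+        let mut rules = vec![];
+
+        let referred_event = |stage: u8| -> Option<NormalizedEvent> {
+            self.rules.iter().find(|x| x.stage == stage && x.is_first_event_set()).map(|x| x.get_first_event())
+        };
+
+        for mut r in self.rules.clone() {
+            if let Some(v) = ref_to_digit(&r.from) {
+                if let Some(e) = referred_event(v) {
+                    r.from = e.src_ip.to_string().into();
+                }
+            }
+            if let Some(v) = ref_to_digit(&r.to) {
+                if let Some(e) = referred_event(v) {
+                    r.to = e.dst_ip.to_string().into();
+                }
+            }
+            if let Some(v) = ref_to_digit(&r.port_from) {
+                if let Some(e) = referred_event(v) {
+                    r.port_from = e.src_port.to_string().into();
+                }
+            }
+            if let Some(v) = ref_to_digit(&r.port_to) {
+                if let Some(e) = referred_event(v) {
+                    r.port_to = e.dst_port.to_string().into();
+                }
+            }
+            if let Some(v) = ref_to_digit(&r.protocol) {
+                if let Some(e) = referred_event(v) {
+                    r.protocol = e.protocol;
+                }
+            }
+            if let Some(v) = ref_to_digit(&r.custom_data1) {
+                if let Some(e) = referred_event(v) {
+                    r.custom_data1 = e.custom_data1;
+                }
+            }
+            if let Some(v) = ref_to_digit(&r.custom_data2) {
+                if let Some(e) = referred_event(v) {
+                    r.custom_data2 = e.custom_data2;
+                }
+            }
+            if let Some(v) = ref_to_digit(&r.custom_data3) {
+                if let Some(e) = referred_event(v) {
+                    r.custom_data3 = e.custom_data3;
+                }
+            }
+            rules.push(r);
+        }
+
+        let r_str = serde_json::to_value(&rules)?;
+        let mut d_str = serde_json::to_value(self)?;
+        d_str["rules"] = r_str;
+
+        Ok(serde_json::to_string(&d_str)?)
+    }
 }
 
 #[derive(Default, Debug)]
@@ -1135,6 +1197,10 @@ mod test {
         event_tx.send(evt.clone()).unwrap();
         sleep(Duration::from_millis(1000)).await;
         assert!(logs_contain("reached max stage and occurrence"));
+
+        let s = arc_backlog.to_alarm_json().unwrap();
+
+        info!("alarm json:\n{}", s);
     }
 
     #[tokio::test]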
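Review bot: A rule field that references a stage with no first event yet (or a stage that never matches) keeps the raw reference string in the alarm JSON, and nothing in `to_alarm_json` signals that, so the method's header comment should state it explicitly, e.g. `// references to a stage whose first event is not set yet are left unresolved in the output`. The `d_str["rules"] = r_str` assignment assumes the rules field is serialized under the key `"rules"`; if that field were ever renamed through serde the original array would silently remain next to the injected one, which a `debug_assert!(d_str.get("rules").is_some());` before the assignment would catch. Each `referred_event` call locks the referenced rule's `first_event` (up to eight times per rule), so any caller that already holds one of those locks when it calls `to_alarm_json` would deadlock; the caller at the second hunk is outside the hunk, so this is worth confirming rather than a certain defect. The test added in the last hunk only logs the output; it should parse `s` and assert that a rule whose `from` referenced an earlier stage now carries that stage's first-event `src_ip`, otherwise a regression in the substitution goes unnoticed.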
4 changes: 4 additions & 0 deletions server/src/rule.rs
Expand Up @@ -131,11 +131,15 @@ impl DirectiveRule {
};
let mut w = self.first_event.lock();
*w = e;
self.first_event_set_flag.store(true, std::sync::atomic::Ordering::Relaxed);
Ok(())
}
pub fn is_first_event_set(&self) -> bool {
self.first_event_set_flag.load(std::sync::atomic::Ordering::Relaxed)
}
pub fn get_first_event(&self) -> NormalizedEvent {
self.first_event.lock().clone()
}

pub fn does_event_match(
&self,
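Review bot: Neither `is_first_event_set` nor `get_first_event` carries a `///` doc comment, although both are `pub` and `get_first_event` clones the whole `NormalizedEvent` on every call; suggested: `/// Returns a clone of the first event that matched this rule; only meaningful once is_first_event_set() is true.` The `store(true, Relaxed)` is issued while the guard `w` is still alive, so the flag is published under the lock and a reader that sees it true and then locks will observe the event; that ordering is deliberate but invisible, so a line such as `// set while still holding the lock so readers that see the flag then lock always see the event` would prevent someone hoisting the store outside the critical section. The function that ends at the `Ok(())` above starts outside the hunk, and the page does not make clear which of the two accessor methods pre-existed, so treat the doc suggestion as applying to both.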
