From 949166bbb72860bc4fa41ff656ee608f6c04e947 Mon Sep 17 00:00:00 2001 From: Alan Lam Date: Wed, 31 Oct 2018 10:15:48 -0700 Subject: [PATCH 1/4] use dnstap info if sockaddr --- lib/parsers/goAuditParser.js | 12 ++++++++---- test/parsers/goAuditParser.test.js | 19 +++++++++++++++++++ 2 files changed, 27 insertions(+), 4 deletions(-) diff --git a/lib/parsers/goAuditParser.js b/lib/parsers/goAuditParser.js index 2f7bcc7..c25c97d 100644 --- a/lib/parsers/goAuditParser.js +++ b/lib/parsers/goAuditParser.js @@ -27,7 +27,8 @@ module.exports = function (message) { } var uidMap = data['uid_map'] || {} - + var dnstap = data['dnstap'] || {} + result.data = { timestamp: new Date(data.timestamp * 1000), sequence: data.sequence, @@ -56,7 +57,7 @@ module.exports = function (message) { parseCwd(msgs, result) break case constants.types.sockaddr: - parseSockaddr(msgs, result) + parseSockaddr(msgs, result, dnstap) break case constants.types.proctitle: parseProctitle(msgs, result) @@ -220,11 +221,14 @@ var parseCwd = function (msgs, result) { result.data.cwd = convertValue(data.cwd || '', true) } -var parseSockaddr = function (msgs, result) { +var parseSockaddr = function (msgs, result, dnstap) { var msg = msgs.join(' '), data = splitFields(msg) - result.data.socket_address = parseAddr(data.saddr) + addr = parseAddr(data.saddr) + + result.data.socket_address = addr + result.data.dnstap = dnstap[addr.ip] } var parseProctitle = function (msgs, result) { diff --git a/test/parsers/goAuditParser.test.js b/test/parsers/goAuditParser.test.js index a2e7c59..92c4d13 100644 --- a/test/parsers/goAuditParser.test.js +++ b/test/parsers/goAuditParser.test.js 
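Review bot: `addr = parseAddr(data.saddr)` in the parseSockaddr hunk assigns without `var`, so it creates an implicit global that is shared across every call of the parser (or throws in strict mode); it should read `var addr = parseAddr(data.saddr)`. The same unqualified assignment reappears in the parseSockaddr hunk of PATCH 4/4, which is the final state of the series. The lookup `dnstap[addr.ip]` also assumes parseAddr always returns an object with an `ip` property; parseAddr is outside the hunk, so if it returns something else for non-inet families the key becomes the string `"undefined"` or the access throws, which is worth a guard such as `if (addr && addr.ip)`.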
@@ -249,6 +249,25 @@ describe('goAuditParser', function () { result.data.execve.command.should.eql("stuff=") }) + it('Should get dnstap info', function () { + var data = { + "sequence": 4734103, + "timestamp": "1541004016.778", + "messages": [ + {"type": 1306, "data": "saddr=02000050ACD91D8E0000000000000000"}, + ], + "dnstap": { + "172.217.29.142": "google.com" + } + } + + assertParserResult( + StreamStash.parsers.goAuditParser.raw, + JSON.stringify(data), + {"timestamp":new Date('1541004016.778' * 1000),"sequence":4734103,"unknown":[],"socket_address":{"family":"inet","port":80,"ip":"172.217.29.142","unknown":"0000000000000000"},"dnstap":"google.com","message":""} + ) + }) + it('Should parse a sockaddr', function () { var data = {"sequence":10453717,"timestamp":"1462897538.564","messages":[{"type":1306,"data":"saddr=0200270F000000000000000000000000"}]}, result = StreamStash.parsers.goAuditParser.raw(JSON.stringify(data)) From 306d8f0b1d2792cb18f318c32d4c6faa3742eac3 Mon Sep 17 00:00:00 2001 From: Alan Lam Date: Wed, 31 Oct 2018 10:37:35 -0700 Subject: [PATCH 2/4] output the whole map --- lib/parsers/goAuditParser.js | 2 +- test/parsers/goAuditParser.test.js | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/parsers/goAuditParser.js b/lib/parsers/goAuditParser.js index c25c97d..0a11967 100644 --- a/lib/parsers/goAuditParser.js +++ b/lib/parsers/goAuditParser.js @@ -228,7 +228,7 @@ var parseSockaddr = function (msgs, result, dnstap) { addr = parseAddr(data.saddr) result.data.socket_address = addr - result.data.dnstap = dnstap[addr.ip] + result.data.dnstap = dnstap } var parseProctitle = function (msgs, result) { diff --git a/test/parsers/goAuditParser.test.js b/test/parsers/goAuditParser.test.js index 92c4d13..d9e7ba6 100644 --- a/test/parsers/goAuditParser.test.js +++ b/test/parsers/goAuditParser.test.js 
@@ -264,7 +264,11 @@ describe('goAuditParser', function () { assertParserResult( StreamStash.parsers.goAuditParser.raw, JSON.stringify(data), - {"timestamp":new Date('1541004016.778' * 1000),"sequence":4734103,"unknown":[],"socket_address":{"family":"inet","port":80,"ip":"172.217.29.142","unknown":"0000000000000000"},"dnstap":"google.com","message":""} + {"timestamp":new Date('1541004016.778' * 1000),"sequence":4734103,"unknown":[],"socket_address":{"family":"inet","port":80,"ip":"172.217.29.142","unknown":"0000000000000000"},"message":"", + "dnstap": { + "172.217.29.142": "google.com" + } + } ) }) From ef6e797ea070fc2c6ecb1c1db8e148d8b421db3f Mon Sep 17 00:00:00 2001 From: Alan Lam Date: Wed, 31 Oct 2018 10:47:20 -0700 Subject: [PATCH 3/4] add dnsinfo to result earlier --- lib/parsers/goAuditParser.js | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/lib/parsers/goAuditParser.js b/lib/parsers/goAuditParser.js index 0a11967..ef47d3a 100644 --- a/lib/parsers/goAuditParser.js +++ b/lib/parsers/goAuditParser.js @@ -57,7 +57,8 @@ module.exports = function (message) { parseCwd(msgs, result) break case constants.types.sockaddr: - parseSockaddr(msgs, result, dnstap) + parseSockaddr(msgs, result) + result.data.dnstap = dnstap break case constants.types.proctitle: parseProctitle(msgs, result) @@ -221,14 +222,11 @@ var parseCwd = function (msgs, result) { result.data.cwd = convertValue(data.cwd || '', true) } -var parseSockaddr = function (msgs, result, dnstap) { +var parseSockaddr = function (msgs, result) { var msg = msgs.join(' '), data = splitFields(msg) - addr = parseAddr(data.saddr) - - result.data.socket_address = addr - result.data.dnstap = dnstap + result.data.socket_address = parseAddr(data.saddr) } var parseProctitle = function (msgs, result) { From 48ac2ed0c91205b2ed45ddaf322b87140f0fee80 Mon Sep 17 00:00:00 2001 
From: Alan Lam Date: Wed, 31 Oct 2018 14:05:12 -0700 Subject: [PATCH 4/4] turn value into an array --- lib/parsers/goAuditParser.js | 11 +++++++---- test/parsers/goAuditParser.test.js | 4 ++-- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/lib/parsers/goAuditParser.js b/lib/parsers/goAuditParser.js index ef47d3a..80a1035 100644 --- a/lib/parsers/goAuditParser.js +++ b/lib/parsers/goAuditParser.js @@ -57,8 +57,7 @@ module.exports = function (message) { parseCwd(msgs, result) break case constants.types.sockaddr: - parseSockaddr(msgs, result) - result.data.dnstap = dnstap + parseSockaddr(msgs, result, dnstap) break case constants.types.proctitle: parseProctitle(msgs, result) @@ -222,11 +221,15 @@ var parseCwd = function (msgs, result) { result.data.cwd = convertValue(data.cwd || '', true) } -var parseSockaddr = function (msgs, result) { +var parseSockaddr = function (msgs, result, dnstap) { var msg = msgs.join(' '), data = splitFields(msg) + + addr = parseAddr(data.saddr) + result.data.socket_address = addr + result.data.dnstap = {} + result.data.dnstap[addr.ip] = Array(dnstap[addr.ip]) - result.data.socket_address = parseAddr(data.saddr) } var parseProctitle = function (msgs, result) { diff --git a/test/parsers/goAuditParser.test.js b/test/parsers/goAuditParser.test.js index d9e7ba6..a7bbb2d 100644 --- a/test/parsers/goAuditParser.test.js +++ b/test/parsers/goAuditParser.test.js @@ -257,7 +257,7 @@ describe('goAuditParser', function () { {"type": 1306, "data": "saddr=02000050ACD91D8E0000000000000000"}, ], "dnstap": { - "172.217.29.142": "google.com" + "172.217.29.142": "google.com" } } @@ -266,7 +266,7 @@ describe('goAuditParser', function () { JSON.stringify(data), {"timestamp":new Date('1541004016.778' * 1000),"sequence":4734103,"unknown":[],"socket_address":{"family":"inet","port":80,"ip":"172.217.29.142","unknown":"0000000000000000"},"message":"", "dnstap": { - "172.217.29.142": "google.com" + "172.217.29.142": ["google.com"] } } )
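Review bot: `Array(dnstap[addr.ip])` in the parseSockaddr hunk does not reliably produce a one-element array: with no entry for the address it yields `[undefined]`, and if a value were ever numeric `Array(3)` yields a sparse array of length 3 rather than `[3]`. Use an array literal and only attach the entry when the map actually has one: `if (Object.prototype.hasOwnProperty.call(dnstap, addr.ip)) result.data.dnstap[addr.ip] = [dnstap[addr.ip]]` — the `call` form matters because `dnstap` comes straight from the parsed message and a message could carry its own `hasOwnProperty` key. As written, `result.data.dnstap = {}` is now emitted for every sockaddr record even when no dnstap data was supplied, so the existing 'Should parse a sockaddr' test visible in PATCH 1/4's context presumably needs its expected result updated, which this series does not appear to do. `addr` is still assigned here without `var` (an implicit global), as noted on PATCH 1/4.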