diff options
Diffstat (limited to 'src/deal.go')
| -rw-r--r-- | src/deal.go | 57 |
1 files changed, 44 insertions, 13 deletions
diff --git a/src/deal.go b/src/deal.go index aaac8c5..717344c 100644 --- a/src/deal.go +++ b/src/deal.go | |||
| @@ -55,18 +55,25 @@ func deal() { | |||
| 55 | break | 55 | break |
| 56 | } | 56 | } |
| 57 | 57 | ||
| 58 | // fmt.Printf("%v\n", cooked) | ||
| 59 | |||
| 58 | switch cooked.tag { | 60 | switch cooked.tag { |
| 59 | case NEWPID: | 61 | case NEWPID: |
| 60 | dealNewPid(cooked) | 62 | dealNewPid(cooked) |
| 61 | case EXECVE: | 63 | case EXECVE: |
| 64 | check(cooked) | ||
| 62 | dealExecve(cooked) | 65 | dealExecve(cooked) |
| 63 | case PIDEXIT: | 66 | case PIDEXIT: |
| 67 | check(cooked) | ||
| 64 | deletePid(cooked) | 68 | deletePid(cooked) |
| 65 | case FILEOPEN: | 69 | case FILEOPEN: |
| 70 | check(cooked) | ||
| 66 | fileOpen(cooked) | 71 | fileOpen(cooked) |
| 67 | case FILEWRITE: | 72 | case FILEWRITE: |
| 73 | check(cooked) | ||
| 68 | fileWrite(cooked) | 74 | fileWrite(cooked) |
| 69 | case FILECLOSE: | 75 | case FILECLOSE: |
| 76 | check(cooked) | ||
| 70 | fileClose(cooked) | 77 | fileClose(cooked) |
| 71 | } | 78 | } |
| 72 | } | 79 | } |
| @@ -168,19 +175,19 @@ func dealExecve(cooked Event) { | |||
| 168 | }, | 175 | }, |
| 169 | }, | 176 | }, |
| 170 | }) | 177 | }) |
| 171 | } else { | 178 | // } else { |
| 172 | // 先fork抵达,插入 | 179 | // // 先fork抵达,插入 |
| 173 | pidCol.InsertOne(bson.M{ | 180 | // pidCol.InsertOne(bson.M{ |
| 174 | "ppid": cooked.ppid, | 181 | // "ppid": cooked.ppid, |
| 175 | "pid": cooked.pid, | 182 | // "pid": cooked.pid, |
| 176 | "children": []bson.M{}, | 183 | // "children": []bson.M{}, |
| 177 | "execve": []bson.M{ | 184 | // "execve": []bson.M{ |
| 178 | { | 185 | // { |
| 179 | "timestamp": cooked.timestamp, | 186 | // "timestamp": cooked.timestamp, |
| 180 | "execArgs": cooked.argv, | 187 | // "execArgs": cooked.argv, |
| 181 | }, | 188 | // }, |
| 182 | }, | 189 | // }, |
| 183 | }) | 190 | // }) |
| 184 | } | 191 | } |
| 185 | mongoMutex.Unlock() | 192 | mongoMutex.Unlock() |
| 186 | } | 193 | } |
| @@ -255,3 +262,27 @@ func fileWrite(cooked Event) { | |||
| 255 | "close_timestamp": bson.M{"$exists": false}, | 262 | "close_timestamp": bson.M{"$exists": false}, |
| 256 | }, bson.M{"$push": bson.M{"written": cooked.timestamp}}) | 263 | }, bson.M{"$push": bson.M{"written": cooked.timestamp}}) |
| 257 | } | 264 | } |
| 265 | |||
| 266 | func check(cooked Event) { | ||
| 267 | // 检查进程是否需要记录 | ||
| 268 | // 有无父进程在观察中 | ||
| 269 | docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid}) | ||
| 270 | if err != nil || len(docRes) != 1 { | ||
| 271 | return | ||
| 272 | } | ||
| 273 | |||
| 274 | // 自身是否已经记录 | ||
| 275 | docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.pid}) | ||
| 276 | if err != nil { | ||
| 277 | fmt.Printf("Err finding: %v\n", err) | ||
| 278 | return | ||
| 279 | } | ||
| 280 | if len(docRes) == 0 { | ||
| 281 | pidCol.InsertOne(bson.M{ | ||
| 282 | "ppid": cooked.ppid, | ||
| 283 | "pid": cooked.pid, | ||
| 284 | "children": []bson.M{}, | ||
| 285 | "start_timestamp": cooked.timestamp, | ||
| 286 | }) | ||
| 287 | } | ||
| 288 | } | ||