diff options
Diffstat (limited to 'src/deal.go')
| -rw-r--r-- | src/deal.go | 35 |
1 files changed, 4 insertions, 31 deletions
diff --git a/src/deal.go b/src/deal.go index 3119fff..ae69003 100644 --- a/src/deal.go +++ b/src/deal.go | |||
| @@ -55,31 +55,25 @@ func deal() { | |||
| 55 | break | 55 | break |
| 56 | } | 56 | } |
| 57 | 57 | ||
| 58 | // fmt.Printf("%v\n", cooked) | ||
| 59 | |||
| 60 | switch cooked.tag { | 58 | switch cooked.tag { |
| 61 | case NEWPID: | 59 | case NEWPID: |
| 62 | dealNewPid(cooked) | 60 | dealNewPid(cooked) |
| 63 | case EXECVE: | 61 | case EXECVE: |
| 64 | check(cooked) | ||
| 65 | dealExecve(cooked) | 62 | dealExecve(cooked) |
| 66 | case PIDEXIT: | 63 | case PIDEXIT: |
| 67 | check(cooked) | ||
| 68 | deletePid(cooked) | 64 | deletePid(cooked) |
| 69 | case FILEOPEN: | 65 | case FILEOPEN: |
| 70 | check(cooked) | ||
| 71 | fileOpen(cooked) | 66 | fileOpen(cooked) |
| 72 | case FILEWRITE: | 67 | case FILEWRITE: |
| 73 | check(cooked) | ||
| 74 | fileWrite(cooked) | 68 | fileWrite(cooked) |
| 75 | case FILECLOSE: | 69 | case FILECLOSE: |
| 76 | check(cooked) | ||
| 77 | fileClose(cooked) | 70 | fileClose(cooked) |
| 78 | } | 71 | } |
| 79 | } | 72 | } |
| 80 | } | 73 | } |
| 81 | 74 | ||
| 82 | func deletePid(cooked Event) { | 75 | func deletePid(cooked Event) { |
| 76 | // TODO: 是否还需要延时? | ||
| 83 | // time.Sleep(1 * time.Second) | 77 | // time.Sleep(1 * time.Second) |
| 84 | mongoMutex.Lock() | 78 | mongoMutex.Lock() |
| 85 | // 先从老爹那里销户 | 79 | // 先从老爹那里销户 |
| @@ -197,6 +191,7 @@ func dealExecve(cooked Event) { | |||
| 197 | } | 191 | } |
| 198 | 192 | ||
| 199 | func fileOpen(cooked Event) { | 193 | func fileOpen(cooked Event) { |
| 194 | fmt.Printf("Open: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName) | ||
| 200 | // 查看是否记录了该进程 | 195 | // 查看是否记录了该进程 |
| 201 | res, err := pidCol.Finddoc(bson.M{"pid": cooked.pid}) | 196 | res, err := pidCol.Finddoc(bson.M{"pid": cooked.pid}) |
| 202 | if err != nil { | 197 | if err != nil { |
| @@ -228,6 +223,7 @@ func fileOpen(cooked Event) { | |||
| 228 | } | 223 | } |
| 229 | 224 | ||
| 230 | func fileClose(cooked Event) { | 225 | func fileClose(cooked Event) { |
| 226 | fmt.Printf("Close: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName) | ||
| 231 | // 直接看文件表有无记录 | 227 | // 直接看文件表有无记录 |
| 232 | res, err := fdCol.Finddoc(bson.M{ | 228 | res, err := fdCol.Finddoc(bson.M{ |
| 233 | "pid": cooked.pid, | 229 | "pid": cooked.pid, |
| @@ -248,6 +244,7 @@ func fileClose(cooked Event) { | |||
| 248 | } | 244 | } |
| 249 | 245 | ||
| 250 | func fileWrite(cooked Event) { | 246 | func fileWrite(cooked Event) { |
| 247 | fmt.Printf("Write: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName) | ||
| 251 | // 直接看文件表有无记录 | 248 | // 直接看文件表有无记录 |
| 252 | res, err := fdCol.Finddoc(bson.M{ | 249 | res, err := fdCol.Finddoc(bson.M{ |
| 253 | "pid": cooked.pid, | 250 | "pid": cooked.pid, |
| @@ -266,27 +263,3 @@ func fileWrite(cooked Event) { | |||
| 266 | "close_timestamp": bson.M{"$exists": false}, | 263 | "close_timestamp": bson.M{"$exists": false}, |
| 267 | }, bson.M{"$push": bson.M{"written": cooked.timestamp}}) | 264 | }, bson.M{"$push": bson.M{"written": cooked.timestamp}}) |
| 268 | } | 265 | } |
| 269 | |||
| 270 | func check(cooked Event) { | ||
| 271 | // 检查进程是否需要记录 | ||
| 272 | // 有无父进程在观察中 | ||
| 273 | docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid}) | ||
| 274 | if err != nil || len(docRes) != 1 { | ||
| 275 | return | ||
| 276 | } | ||
| 277 | |||
| 278 | // 自身是否已经记录 | ||
| 279 | docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.pid}) | ||
| 280 | if err != nil { | ||
| 281 | fmt.Printf("Err finding: %v\n", err) | ||
| 282 | return | ||
| 283 | } | ||
| 284 | if len(docRes) == 0 { | ||
| 285 | pidCol.InsertOne(bson.M{ | ||
| 286 | "ppid": cooked.ppid, | ||
| 287 | "pid": cooked.pid, | ||
| 288 | "children": []bson.M{}, | ||
| 289 | "start_timestamp": cooked.timestamp, | ||
| 290 | }) | ||
| 291 | } | ||
| 292 | } | ||