fix correlation bug caused by the new clone event
Signed-off-by: Quentin JEROME <[email protected]>
qjerome committed Oct 5, 2023
1 parent aef896d commit b5c08e0
Showing 2 changed files with 18 additions and 15 deletions.
4 changes: 4 additions & 0 deletions kunai-common/src/events/correlation.rs
Expand Up @@ -18,6 +18,7 @@ pub type CorrelationEvent = Event<CorrelationData>;
// the data in this structure should always be serializable
// to a byte array, it should not contain any pointers
pub struct CorrelationData {
pub origin: Type, // event type it is comming from
pub argv: Buffer<MAX_ARGV_SIZE>,
pub exe: Path,
pub paths: [Option<Path>; 1],
Expand All @@ -29,6 +30,7 @@ impl From<&ExecveEvent> for CorrelationEvent {
Self {
info: value.info,
data: CorrelationData {
origin: value.ty(),
argv: value.data.argv,
exe: value.data.executable,
paths: [Some(value.data.interpreter)],
Expand All @@ -44,6 +46,7 @@ impl From<&CloneEvent> for CorrelationEvent {
Self {
info: value.info,
data: CorrelationData {
origin: value.ty(),
argv: value.data.argv,
exe: value.data.executable,
paths: [None],
Expand All @@ -59,6 +62,7 @@ impl From<&ScheduleEvent> for CorrelationEvent {
Self {
info: value.info,
data: CorrelationData {
origin: value.ty(),
argv: value.data.argv,
exe: value.data.exe,
paths: [None],
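Review bot: The comment on the new field, `pub origin: Type, // event type it is comming from`, has a typo and does not say what the field is for, which matters because `CorrelationData` is the shared wire structure whose header insists it stay byte-serializable. Suggested wording: `// type of the source event (execve, clone, schedule); the processor uses it to decide whether this correlation may replace an existing one`, which matches the check added in kunai/src/bin/main.rs (`matches!(event.data.origin, Type::Execve | Type::ExecveScript)`). The struct body continues outside the hunk, so any further fields that depend on `origin` are not visible here.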
29 changes: 14 additions & 15 deletions kunai/src/bin/main.rs
Expand Up @@ -660,6 +660,12 @@ impl EventProcessor {
fn handle_correlation_event(&mut self, info: StdEventInfo, event: &CorrelationEvent) {
let ck = info.correlation_key();

// Execve must remove any previous correlation (i.e. coming from
// clone or tasksched for instance)
if matches!(event.data.origin, Type::Execve | Type::ExecveScript) {
self.correlations.remove(&ck);
}

// early return if correlation key exists
if self.correlations.contains_key(&ck) {
return;
Expand Down Expand Up @@ -732,6 +738,9 @@ impl EventProcessor {
events::Type::Execve | events::Type::ExecveScript => {
match event!(enc_event, ExecveEvent) {
Ok(e) => {
// this event is used for correlation but cannot be processed
// asynchronously so we have to handle correlation here
self.handle_correlation_event(std_info.clone(), &CorrelationEvent::from(e));
let e = self.json_execve(std_info, e);
self.output_json(e);
}
Expand All @@ -741,6 +750,9 @@ impl EventProcessor {

events::Type::Clone => match event!(enc_event, CloneEvent) {
Ok(e) => {
// this event is used for correlation but cannot be processed
// asynchronously so we have to handle correlation here
self.handle_correlation_event(std_info.clone(), &CorrelationEvent::from(e));
let e = self.json_clone(std_info, e);
self.output_json(e);
}
Expand Down Expand Up @@ -1027,24 +1039,11 @@ impl EventReader {
}

/// this method pass through some events directly to the event processor
/// only events that can be processed asynchronously should be passed through
fn pass_through_events(&self, e: &EncodedEvent) {
let i = unsafe { e.info() }.unwrap();

match i.etype {
Type::Execve | Type::ExecveScript => {
let execve = event!(e, ExecveEvent).unwrap();
self.send_event(CorrelationEvent::from(execve)).unwrap();

for h in HashEvent::all_from_execve(execve) {
self.send_event(h).unwrap();
}
}

Type::Clone => {
let event = event!(e, CloneEvent).unwrap();
self.send_event(CorrelationEvent::from(event)).unwrap();
}

Type::MmapExec => {
let event = event!(e, MmapExecEvent).unwrap();
self.send_event(HashEvent::from(event)).unwrap();
Expand Down Expand Up @@ -1161,7 +1160,7 @@ impl EventReader {

// pre-processing events
// we eventually change event type in this function
// example: Excve -> ExcveScript if necessary
// example: Execve -> ExecveScript if necessary
er.pre_process_events(&mut dec);
// passing through some events used for correlation
er.pass_through_events(&dec);
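Review bot: The removed `Type::Execve | Type::ExecveScript` arm in `pass_through_events` also carried `for h in HashEvent::all_from_execve(execve) { self.send_event(h).unwrap(); }`, and none of the new hunks re-emit those hash events, so hashing of the executable and interpreter on execve appears to be dropped together with the correlation pass-through. Unless hashing is already produced on another path this page does not show, the arm should be kept with only the `CorrelationEvent` send removed; the comment added just above (`only events that can be processed asynchronously should be passed through`) still holds for hashing, and the `MmapExec` arm keeps sending its `HashEvent`, which makes the execve gap look accidental. The diffstat (14 additions, 15 deletions in main.rs) is fully accounted for by the visible hunks, so the hash loop is not re-added elsewhere in this commit. `pass_through_events` continues past the hunk.
```rust
fn pass_through_events(&self, e: &EncodedEvent) {
    let i = unsafe { e.info() }.unwrap();

    match i.etype {
        // correlation for execve is now handled synchronously by the
        // EventProcessor; only the hash events stay on the async path
        Type::Execve | Type::ExecveScript => {
            let execve = event!(e, ExecveEvent).unwrap();
            for h in HashEvent::all_from_execve(execve) {
                self.send_event(h).unwrap();
            }
        }

        // … unchanged: MmapExec arm and the rest of the match …
```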
