Merge pull request #114 from kunai-project/fix-process-event
fix: event processing
qjerome authored Oct 8, 2024
2 parents 7ebea35 + fc1dbd7 commit f214014
Showing 3 changed files with 40 additions and 17 deletions.
11 changes: 6 additions & 5 deletions kunai-common/src/bpf_events.rs
Expand Up @@ -61,10 +61,11 @@ pub enum Type {
Execve,
#[str("execve_script")]
ExecveScript,
#[str("task_sched")]
TaskSched,
// there is hole here on purpose
// it used to be the spot of task_sched
// but it didn't aim at being configurable
#[str("exit")]
Exit,
Exit = 4, // we start at 4 as we moved one event type
#[str("exit_group")]
ExitGroup,
#[str("clone")]
Expand All @@ -81,8 +82,6 @@ pub enum Type {
BpfProgLoad,
#[str("bpf_socket_filter")]
BpfSocketFilter,
//#[str("bpf_socket_prog")]
//BpfSocketProg,

// memory stuffs
#[str("mprotect_exec")]
Expand Down Expand Up @@ -125,6 +124,8 @@ pub enum Type {
EndConfigurable = 1000,

// specific events
#[str("task_sched")]
TaskSched,
#[str("correlation")]
Correlation,
#[str("cache_hash")]
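Review bot: `Exit = 4` and the relocation of `TaskSched` behind `EndConfigurable = 1000` change the numeric values that `Filter::enabled[ty as usize]` in config.rs indexes with, and the producer loop in main.rs calls `is_disabled(etype)` on every decoded event, non-configurable ones included. If `enabled` is sized to the configurable range, the new discriminant of `TaskSched` indexes out of bounds there; the table length is not visible in this commit, so please confirm it covers the tail past `EndConfigurable` or skip the lookup for non-configurable types. Since these discriminants are the contract between the eBPF side and userspace, the placeholder comment would be clearer as `// discriminant 3 is intentionally unused: task_sched lived here and moved below EndConfigurable because it is not configurable`. `pub enum Type` opens in the hunk header and closes outside the hunk.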
8 changes: 8 additions & 0 deletions kunai-common/src/config.rs
Expand Up @@ -41,17 +41,25 @@ impl Filter {
}
}

#[inline(always)]
pub fn disable(&mut self, ty: bpf_events::Type) {
self.enabled[ty as usize] = false;
}

#[inline(always)]
pub fn enable(&mut self, ty: bpf_events::Type) {
self.enabled[ty as usize] = true;
}

#[inline(always)]
pub fn is_enabled(&self, ty: bpf_events::Type) -> bool {
self.enabled[ty as usize]
}

#[inline(always)]
pub fn is_disabled(&self, ty: bpf_events::Type) -> bool {
!self.is_enabled(ty)
}
}

/// Structure holding configuration to use in eBPF programs
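Review bot: `is_disabled` is built on `is_enabled`, whose `self.enabled[ty as usize]` is an unchecked index; with `Type` discriminants now extending past `EndConfigurable = 1000` in this same commit, any type whose value exceeds the table length panics here in userspace. The table's declaration is outside this hunk, so either confirm it spans every variant or state the precondition on the new method: `/// Returns true when `ty` is filtered out; `ty` must be a configurable type (below EndConfigurable), larger discriminants index past the table.` The other three public methods gain the attribute but still carry no `///` summary, which rustdoc would surface for this public API. `impl Filter` begins before the hunk.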
38 changes: 26 additions & 12 deletions kunai/src/bin/main.rs
Expand Up @@ -201,6 +201,7 @@ impl std::fmt::Display for Actions {
struct EventConsumer<'s> {
system_info: SystemInfo,
config: Config,
filter: Filter,
engine: gene::Engine,
iocs: HashMap<String, u8>,
random: u32,
Expand Down Expand Up @@ -270,9 +271,12 @@ impl<'s> EventConsumer<'s> {

let output = Self::prepare_output(&config)?;

let filter = Filter::try_from(&config)?;

let mut ep = Self {
system_info,
config,
filter,
engine: Engine::new(),
iocs: HashMap::new(),
random: util::getrandom::<u32>().unwrap(),
Expand Down Expand Up @@ -1565,12 +1569,15 @@ impl<'s> EventConsumer<'s> {
std_info.clone(),
&bpf_events::CorrelationEvent::from(e),
);
// we have to rebuild std_info as it has it is uses correlation
// information
let std_info = self.build_std_event_info(std_info.info);
let mut e = self.execve_event(std_info, e);

self.scan_and_print(&mut e);
if self.filter.is_enabled(std_info.info.etype) {
// we have to rebuild std_info as it has it is uses correlation
// information
let std_info = self.build_std_event_info(std_info.info);
let mut e = self.execve_event(std_info, e);

self.scan_and_print(&mut e);
}
}
Err(e) => error!("failed to decode {} event: {:?}", etype, e),
}
Expand All @@ -1584,11 +1591,15 @@ impl<'s> EventConsumer<'s> {
std_info.clone(),
&bpf_events::CorrelationEvent::from(e),
);
// we have to rebuild std_info as it has it is uses correlation
// information
let std_info = self.build_std_event_info(std_info.info);
let mut e = self.clone_event(std_info, e);
self.scan_and_print(&mut e);

// we let clone event go in EventProducer not to break correlation
if self.filter.is_enabled(Type::Clone) {
// we have to rebuild std_info as it has it is uses correlation
// information
let std_info = self.build_std_event_info(std_info.info);
let mut e = self.clone_event(std_info, e);
self.scan_and_print(&mut e);
}
}
Err(e) => error!("failed to decode {} event: {:?}", etype, e),
},
Expand Down Expand Up @@ -2041,8 +2052,11 @@ impl EventProducer {
// info_unchecked can be used here as we are sure info is valid
let etype = unsafe { dec.info_unchecked() }.etype;

// filtering out unwanted events
if !ep.filter.is_enabled(etype) {
// filtering out unwanted events but let Clone go as it is used
// for correlation on consumer side.
if ep.filter.is_disabled(etype)
&& !matches!(etype, Type::Execve | Type::ExecveScript | Type::Clone)
{
continue;
}

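Review bot: The comment on the producer filter in EventProducer explains the `Type::Clone` exemption only, yet the `matches!` also exempts `Type::Execve` and `Type::ExecveScript`, so a reader cannot tell whether passing disabled execve events on is intended. If it is because execve correlation must keep running and the consumer re-applies the filter before printing (`if self.filter.is_enabled(std_info.info.etype)` in the execve handler), say so there: `// Clone, Execve and ExecveScript always reach the consumer because correlation depends on them; the consumer applies the filter again before output.` The two consumer-side checks also differ in form — the execve handler tests the event's own `std_info.info.etype` while the clone handler hard-codes `Type::Clone` — and testing the event's type in both keeps them parallel. The moved comment `// we have to rebuild std_info as it has it is uses correlation information` is garbled and could read `// rebuild std_info because it uses correlation information`. The loop body in EventProducer and both consumer match arms continue outside their hunks.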
