diff --git a/hids/hids.go b/hids/hids.go
index 5766462..ad24aa9 100644
--- a/hids/hids.go
+++ b/hids/hids.go
@@ -707,7 +707,7 @@ func (h *HIDS) handleManagerCommand(cmd *api.Command) {
 case "report":
 cmd.Unrunnable()
 cmd.ExpectJSON = true
- cmd.Stdout = h.Report()
+ cmd.Stdout = h.Report(false)
 case "processes":
 h.processTracker.RLock()
 cmd.Unrunnable()
@@ -834,7 +834,7 @@ func (h *HIDS) IsHIDSEvent(e *event.EdrEvent) bool {
 
 // Report generate a forensic ready report (meant to be dumped)
 // this method is blocking as it runs commands and wait after those
-func (h *HIDS) Report() (r Report) {
+func (h *HIDS) Report(light bool) (r Report) {
 r.StartTime = time.Now()
 
 // generate a report for running processes or those terminated still having one child or more
@@ -847,10 +847,13 @@ func (h *HIDS) Report() (r Report) {
 // Drivers loaded
 r.Drivers = h.processTracker.Drivers
 
- // run all the commands configured to inculde in the report
- r.Commands = h.config.Report.PrepareCommands()
- for i := range r.Commands {
- r.Commands[i].Run()
+ // if this is a light report, we don't run the commands
+ if !light {
+ // run all the commands configured to include in the report
+ r.Commands = h.config.Report.PrepareCommands()
+ for i := range r.Commands {
+ r.Commands[i].Run()
+ }
 }
 
 r.StopTime = time.Now()
diff --git a/hids/hookdefs.go b/hids/hookdefs.go
index 35af20d..446c0c5 100644
--- a/hids/hookdefs.go
+++ b/hids/hookdefs.go
@@ -40,6 +40,7 @@ const (
 ActionFiledump = "filedump"
 ActionRegdump = "regdump"
 ActionReport = "report"
+ ActionBrief = "brief"
 )
 
 var (
@@ -359,7 +360,9 @@ func hookHandleActions(h *HIDS, e *event.EdrEvent) {
 case ActionFiledump:
 dumpFilesRtn(h, e)
 case ActionReport:
- dumpReportRtn(h, e)
+ dumpReportRtn(h, e, false)
+ case ActionBrief:
+ dumpReportRtn(h, e, true)
 default:
 log.Errorf("Cannot handle %s action as it is unknown", action)
 }
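Review bot: The manager-side `report` command in handleManagerCommand is hard-wired to `h.Report(false)`, so the new light variant is reachable only through the `brief` hook action and an operator cannot ask the agent for a cheap report on demand. A parallel `case "brief":` that sets `cmd.Unrunnable()`, `cmd.ExpectJSON = true` and `cmd.Stdout = h.Report(true)` would mirror the ActionReport/ActionBrief split introduced on the hook side. Whether api.Command could instead carry the flag as an argument is not visible here. handleManagerCommand starts and ends outside the hunk.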
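Review bot: The doc comment above `Report` still describes the old zero-argument contract and says nothing about `light`, even though the flag decides whether the method runs external commands and therefore whether it blocks. Suggest replacing the two comment lines with `// Report generates a forensic-ready report (meant to be dumped).` / `// With light false it runs the configured report commands and blocks until they finish;` / `// with light true those commands are skipped and r.Commands is left at its zero value.` The body of Report continues past the hunk.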
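Review bot: A light report is indistinguishable from a full one once serialized: `if !light` only skips `PrepareCommands()`, so `r.Commands` stays at its zero value and nothing in the Report records that command output was deliberately omitted rather than absent because no commands were configured. For forensic triage that distinction matters, so consider adding a boolean field to the Report struct (defined outside this diff) and setting it at the top of Report, e.g. `r.Light = light`. Note also that a nil `Commands` slice encodes as `null` rather than `[]` unless the field carries omitempty, so consumers of brief reports should tolerate either. The opening lines of Report are outside this hunk.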
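Review bot: `report` and `brief` now dispatch to the same routine on the same event, so a rule that lists both (if the action list permits duplicates of this kind) will start two background dumps that each call dumpEventAndCompress and each write a report for the same event, racing on the output. When both are requested the brief one is redundant; skipping `brief` when `report` is also present, or folding the pair into one action with a mode, would avoid the double dump. The loop that iterates over actions is above the hunk, so whether such duplicates are already filtered is not visible here.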
@@ -1153,7 +1156,7 @@ func dumpFilesRtn(h *HIDS, e *event.EdrEvent) {
 }()
 }
 
-func hookDumpReport(h *HIDS, e *event.EdrEvent) {
+/*func hookDumpReport(h *HIDS, e *event.EdrEvent) {
 // We have to check that if we are handling one of
 // our event and we don't want to dump ourself
 if h.IsHIDSEvent(e) {
@@ -1171,9 +1174,9 @@ func hookDumpReport(h *HIDS, e *event.EdrEvent) {
 }
 
 dumpReportRtn(h, e)
-}
+}*/
 
-func dumpReportRtn(h *HIDS, e *event.EdrEvent) {
+func dumpReportRtn(h *HIDS, e *event.EdrEvent, light bool) {
 // make it non blocking
 go func() {
 h.hookSemaphore.Acquire()
@@ -1188,11 +1191,10 @@ func dumpReportRtn(h *HIDS, e *event.EdrEvent) {
 return
 }
 reportPath := dumpPrepareDumpFilename(e, h.config.Dump.Dir, guid, "report.json")
- //psPath := dumpPrepareDumpFilename(e, h.config.Dump.Dir, guid, "ps.json")
 dumpEventAndCompress(h, e, guid)
 if c.EnableReporting {
 log.Infof("Generating IR report: %s", guid)
- if b, err := json.Marshal(h.Report()); err != nil {
+ if b, err := json.Marshal(h.Report(light)); err != nil {
 log.Errorf("Failed to JSONĀ encode report: %s", guid)
 } else {
 utils.HidsWriteFile(reportPath, b)
@@ -1200,6 +1202,5 @@ func dumpReportRtn(h *HIDS, e *event.EdrEvent) {
 }
 log.Infof("Finished generating report: %s", guid)
 }
-
 }()
 }
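Review bot: hookDumpReport is retired by wrapping it in a `/* ... */` block comment rather than deleting it, which leaves dead code that gofmt, vet and the compiler no longer check and that will silently drift as IsHIDSEvent and dumpReportRtn change. Since hookHandleActions now reaches dumpReportRtn directly and no remaining caller is visible, delete the function outright and let version control keep the history. The function body between this hunk and the next is not shown.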
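Review bot: dumpReportRtn gains a `light bool` parameter but carries no doc comment, and a bare `true`/`false` at the call sites does not tell a reader what is being toggled. Suggest adding above the signature `// dumpReportRtn dumps the triggering event and, when reporting is enabled, writes an IR report for it from a background goroutine; light selects the variant of Report that skips the configured commands.` The goroutine body runs on into the following hunks.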
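Review bot: Both variants are written under the same `report.json` name built on the `reportPath :=` line, so a brief and a full report for the same event are indistinguishable on disk and, if both actions fire, one overwrites the other. Choosing the name from the flag, e.g. `name := "report.json"` / `if light { name = "brief.json" }` and passing `name` to dumpPrepareDumpFilename, keeps them apart. Separately, the error branch drops `err`, and its message appears to contain a stray non-ASCII character between "JSON" and "encode" (possibly an extraction artifact); `log.Errorf("Failed to JSON encode report %s: %s", guid, err)` would record the cause. The goroutine body continues on both sides of the hunk.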