Merge pull request gojue#58 from ehids/event-dispatcher

code refactoring: event dispatcher

user/event_bash.go

@@ -18,11 +18,12 @@ import (
 const MAX_DATA_SIZE_BASH = 256
 
 type bashEvent struct {
-	module IModule
-	Pid    uint32
-	Line   [MAX_DATA_SIZE_BASH]uint8
-	Retval uint32
-	Comm   [16]byte
+	module     IModule
+	event_type EVENT_TYPE
+	Pid        uint32
+	Line       [MAX_DATA_SIZE_BASH]uint8
+	Retval     uint32
+	Comm       [16]byte
 }
 
 func (this *bashEvent) Decode(payload []byte) (err error) {
@@ -62,5 +63,12 @@ func (this *bashEvent) Module() IModule {
 }
 
 func (this *bashEvent) Clone() IEventStruct {
-	return new(bashEvent)
+	event := new(bashEvent)
+	event.module = this.module
+	event.event_type = EVENT_TYPE_OUTPUT
+	return event
+}
+
+func (this *bashEvent) EventType() EVENT_TYPE {
+	return this.event_type
 }

user/event_gnutls.go

@@ -12,7 +12,8 @@ import (
 
 type GnutlsDataEvent struct {
 	module       IModule
-	EventType    int64
+	event_type   EVENT_TYPE
+	DataType     int64
 	Timestamp_ns uint64
 	Pid          uint32
 	Tid          uint32
@@ -23,7 +24,7 @@ type GnutlsDataEvent struct {
 
 func (this *GnutlsDataEvent) Decode(payload []byte) (err error) {
 	buf := bytes.NewBuffer(payload)
-	if err = binary.Read(buf, binary.LittleEndian, &this.EventType); err != nil {
+	if err = binary.Read(buf, binary.LittleEndian, &this.DataType); err != nil {
 		return
 	}
 	if err = binary.Read(buf, binary.LittleEndian, &this.Timestamp_ns); err != nil {
@@ -49,15 +50,15 @@ func (this *GnutlsDataEvent) Decode(payload []byte) (err error) {
 
 func (this *GnutlsDataEvent) StringHex() string {
 	var perfix, packetType string
-	switch AttachType(this.EventType) {
+	switch AttachType(this.DataType) {
 	case PROBE_ENTRY:
 		packetType = fmt.Sprintf("%sRecived%s", COLORGREEN, COLORRESET)
 		perfix = COLORGREEN
 	case PROBE_RET:
 		packetType = fmt.Sprintf("%sSend%s", COLORPURPLE, COLORRESET)
 		perfix = fmt.Sprintf("%s\t", COLORPURPLE)
 	default:
-		perfix = fmt.Sprintf("UNKNOW_%d", this.EventType)
+		perfix = fmt.Sprintf("UNKNOW_%d", this.DataType)
 	}
 
 	b := dumpByteSlice(this.Data[:this.Data_len], perfix)
@@ -68,15 +69,15 @@ func (this *GnutlsDataEvent) StringHex() string {
 
 func (this *GnutlsDataEvent) String() string {
 	var perfix, packetType string
-	switch AttachType(this.EventType) {
+	switch AttachType(this.DataType) {
 	case PROBE_ENTRY:
 		packetType = fmt.Sprintf("%sRecived%s", COLORGREEN, COLORRESET)
 		perfix = COLORGREEN
 	case PROBE_RET:
 		packetType = fmt.Sprintf("%sSend%s", COLORPURPLE, COLORRESET)
 		perfix = COLORPURPLE
 	default:
-		packetType = fmt.Sprintf("%sUNKNOW_%d%s", COLORRED, this.EventType, COLORRESET)
+		packetType = fmt.Sprintf("%sUNKNOW_%d%s", COLORRED, this.DataType, COLORRESET)
 	}
 	s := fmt.Sprintf(" PID:%d, Comm:%s, TID:%d, TYPE:%s, DataLen:%d bytes, Payload:\n%s%s%s", this.Pid, this.Comm, this.Tid, packetType, this.Data_len, perfix, string(this.Data[:this.Data_len]), COLORRESET)
 	return s
@@ -91,5 +92,12 @@ func (this *GnutlsDataEvent) Module() IModule {
 }
 
 func (this *GnutlsDataEvent) Clone() IEventStruct {
-	return new(GnutlsDataEvent)
+	event := new(GnutlsDataEvent)
+	event.module = this.module
+	event.event_type = EVENT_TYPE_OUTPUT
+	return event
+}
+
+func (this *GnutlsDataEvent) EventType() EVENT_TYPE {
+	return this.event_type
 }

user/event_mysqld.go

@@ -51,14 +51,15 @@ func (this dispatch_command_return) String() string {
 }
 
 type mysqldEvent struct {
-	module    IModule
-	Pid       uint64
-	Timestamp uint64
-	query     [MYSQLD_MAX_DATA_SIZE]uint8
-	alllen    uint64
-	len       uint64
-	comm      [16]uint8
-	retval    dispatch_command_return
+	module     IModule
+	event_type EVENT_TYPE
+	Pid        uint64
+	Timestamp  uint64
+	query      [MYSQLD_MAX_DATA_SIZE]uint8
+	alllen     uint64
+	len        uint64
+	comm       [16]uint8
+	retval     dispatch_command_return
 }
 
 func (this *mysqldEvent) Decode(payload []byte) (err error) {
@@ -106,5 +107,12 @@ func (this *mysqldEvent) Module() IModule {
 }
 
 func (this *mysqldEvent) Clone() IEventStruct {
-	return new(mysqldEvent)
+	event := new(mysqldEvent)
+	event.module = this.module
+	event.event_type = EVENT_TYPE_OUTPUT
+	return event
+}
+
+func (this *mysqldEvent) EventType() EVENT_TYPE {
+	return this.event_type
 }

user/event_nspr.go

@@ -13,7 +13,8 @@ import (
 
 type NsprDataEvent struct {
 	module       IModule
-	EventType    int64
+	event_type   EVENT_TYPE
+	DataType     int64
 	Timestamp_ns uint64
 	Pid          uint32
 	Tid          uint32
@@ -24,7 +25,7 @@ type NsprDataEvent struct {
 
 func (this *NsprDataEvent) Decode(payload []byte) (err error) {
 	buf := bytes.NewBuffer(payload)
-	if err = binary.Read(buf, binary.LittleEndian, &this.EventType); err != nil {
+	if err = binary.Read(buf, binary.LittleEndian, &this.DataType); err != nil {
 		return
 	}
 	if err = binary.Read(buf, binary.LittleEndian, &this.Timestamp_ns); err != nil {
@@ -50,15 +51,15 @@ func (this *NsprDataEvent) Decode(payload []byte) (err error) {
 
 func (this *NsprDataEvent) StringHex() string {
 	var perfix, packetType string
-	switch AttachType(this.EventType) {
+	switch AttachType(this.DataType) {
 	case PROBE_ENTRY:
 		packetType = fmt.Sprintf("%sRecived%s", COLORGREEN, COLORRESET)
 		perfix = COLORGREEN
 	case PROBE_RET:
 		packetType = fmt.Sprintf("%sSend%s", COLORPURPLE, COLORRESET)
 		perfix = fmt.Sprintf("%s\t", COLORPURPLE)
 	default:
-		perfix = fmt.Sprintf("UNKNOW_%d", this.EventType)
+		perfix = fmt.Sprintf("UNKNOW_%d", this.DataType)
 	}
 
 	var b *bytes.Buffer
@@ -81,15 +82,15 @@ func (this *NsprDataEvent) StringHex() string {
 
 func (this *NsprDataEvent) String() string {
 	var perfix, packetType string
-	switch AttachType(this.EventType) {
+	switch AttachType(this.DataType) {
 	case PROBE_ENTRY:
 		packetType = fmt.Sprintf("%sRecived%s", COLORGREEN, COLORRESET)
 		perfix = COLORGREEN
 	case PROBE_RET:
 		packetType = fmt.Sprintf("%sSend%s", COLORPURPLE, COLORRESET)
 		perfix = COLORPURPLE
 	default:
-		packetType = fmt.Sprintf("%sUNKNOW_%d%s", COLORRED, this.EventType, COLORRESET)
+		packetType = fmt.Sprintf("%sUNKNOW_%d%s", COLORRED, this.DataType, COLORRESET)
 	}
 
 	var b *bytes.Buffer
@@ -113,5 +114,12 @@ func (this *NsprDataEvent) Module() IModule {
 }
 
 func (this *NsprDataEvent) Clone() IEventStruct {
-	return new(NsprDataEvent)
+	event := new(NsprDataEvent)
+	event.module = this.module
+	event.event_type = EVENT_TYPE_OUTPUT
+	return event
+}
+
+func (this *NsprDataEvent) EventType() EVENT_TYPE {
+	return this.event_type
 }

user/event_openssl.go

@@ -23,7 +23,8 @@ const SA_DATA_LEN = 14
 
 type SSLDataEvent struct {
 	module       IModule
-	EventType    int64
+	event_type   EVENT_TYPE
+	DataType     int64
 	Timestamp_ns uint64
 	Pid          uint32
 	Tid          uint32
@@ -35,7 +36,7 @@ type SSLDataEvent struct {
 
 func (this *SSLDataEvent) Decode(payload []byte) (err error) {
 	buf := bytes.NewBuffer(payload)
-	if err = binary.Read(buf, binary.LittleEndian, &this.EventType); err != nil {
+	if err = binary.Read(buf, binary.LittleEndian, &this.DataType); err != nil {
 		return
 	}
 	if err = binary.Read(buf, binary.LittleEndian, &this.Timestamp_ns); err != nil {
@@ -67,15 +68,15 @@ func (this *SSLDataEvent) StringHex() string {
 	addr := this.module.(*MOpenSSLProbe).GetConn(this.Pid, this.Fd)
 
 	var perfix, connInfo string
-	switch AttachType(this.EventType) {
+	switch AttachType(this.DataType) {
 	case PROBE_ENTRY:
 		connInfo = fmt.Sprintf("%sRecived %d%s bytes from %s%s%s", COLORGREEN, this.Data_len, COLORRESET, COLORYELLOW, addr, COLORRESET)
 		perfix = COLORGREEN
 	case PROBE_RET:
 		connInfo = fmt.Sprintf("%sSend %d%s bytes to %s%s%s", COLORPURPLE, this.Data_len, COLORRESET, COLORYELLOW, addr, COLORRESET)
 		perfix = fmt.Sprintf("%s\t", COLORPURPLE)
 	default:
-		perfix = fmt.Sprintf("UNKNOW_%d", this.EventType)
+		perfix = fmt.Sprintf("UNKNOW_%d", this.DataType)
 	}
 
 	b := dumpByteSlice(this.Data[:this.Data_len], perfix)
@@ -89,15 +90,15 @@ func (this *SSLDataEvent) String() string {
 	addr := this.module.(*MOpenSSLProbe).GetConn(this.Pid, this.Fd)
 
 	var perfix, connInfo string
-	switch AttachType(this.EventType) {
+	switch AttachType(this.DataType) {
 	case PROBE_ENTRY:
 		connInfo = fmt.Sprintf("%sRecived %d%s bytes from %s%s%s", COLORGREEN, this.Data_len, COLORRESET, COLORYELLOW, addr, COLORRESET)
 		perfix = COLORGREEN
 	case PROBE_RET:
 		connInfo = fmt.Sprintf("%sSend %d%s bytes to %s%s%s", COLORPURPLE, this.Data_len, COLORRESET, COLORYELLOW, addr, COLORRESET)
 		perfix = COLORPURPLE
 	default:
-		connInfo = fmt.Sprintf("%sUNKNOW_%d%s", COLORRED, this.EventType, COLORRESET)
+		connInfo = fmt.Sprintf("%sUNKNOW_%d%s", COLORRED, this.DataType, COLORRESET)
 	}
 	s := fmt.Sprintf("PID:%d, Comm:%s, TID:%d, %s, Payload:\n%s%s%s", this.Pid, this.Comm, this.Tid, connInfo, perfix, string(this.Data[:this.Data_len]), COLORRESET)
 	return s
@@ -114,9 +115,14 @@ func (this *SSLDataEvent) Module() IModule {
 func (this *SSLDataEvent) Clone() IEventStruct {
 	event := new(SSLDataEvent)
 	event.module = this.module
+	event.event_type = EVENT_TYPE_OUTPUT
 	return event
 }
 
+func (this *SSLDataEvent) EventType() EVENT_TYPE {
+	return this.event_type
+}
+
 //  connect_events map
 /*
 uint64_t timestamp_ns;
@@ -128,13 +134,14 @@ uint64_t timestamp_ns;
 */
 type ConnDataEvent struct {
 	module      IModule
+	event_type  EVENT_TYPE
 	TimestampNs uint64
 	Pid         uint32
 	Tid         uint32
 	Fd          uint32
 	SaData      [SA_DATA_LEN]byte
 	Comm        [16]byte
-	addr        string
+	Addr        string
 }
 
 func (this *ConnDataEvent) Decode(payload []byte) (err error) {
@@ -159,23 +166,17 @@ func (this *ConnDataEvent) Decode(payload []byte) (err error) {
 	}
 	port := binary.BigEndian.Uint16(this.SaData[0:2])
 	ip := net.IPv4(this.SaData[2], this.SaData[3], this.SaData[4], this.SaData[5])
-	this.addr = fmt.Sprintf("%s:%d", ip, port)
-
-	// save event to this.module
-	module := this.module.(*MOpenSSLProbe)
-	module.AddConn(this.Pid, this.Fd, this.addr)
+	this.Addr = fmt.Sprintf("%s:%d", ip, port)
 	return nil
 }
 
 func (this *ConnDataEvent) StringHex() string {
-	return ""
-	s := fmt.Sprintf("PID:%d, Comm:%s, TID:%d, FD:%d, Addr: %s", this.Pid, this.Comm, this.Tid, this.Fd, this.addr)
+	s := fmt.Sprintf("PID:%d, Comm:%s, TID:%d, FD:%d, Addr: %s", this.Pid, this.Comm, this.Tid, this.Fd, this.Addr)
 	return s
 }
 
 func (this *ConnDataEvent) String() string {
-	return ""
-	s := fmt.Sprintf("PID:%d, Comm:%s, TID:%d, FD:%d, Addr: %s ", this.Pid, this.Comm, this.Tid, this.Fd, this.addr)
+	s := fmt.Sprintf("PID:%d, Comm:%s, TID:%d, FD:%d, Addr: %s", this.Pid, this.Comm, this.Tid, this.Fd, this.Addr)
 	return s
 }
 
@@ -190,5 +191,10 @@ func (this *ConnDataEvent) Module() IModule {
 func (this *ConnDataEvent) Clone() IEventStruct {
 	event := new(ConnDataEvent)
 	event.module = this.module
+	event.event_type = EVENT_TYPE_MODULE_DATA
 	return event
 }
+
+func (this *ConnDataEvent) EventType() EVENT_TYPE {
+	return this.event_type
+}

user/event_postgres.go

@@ -21,11 +21,12 @@ import (
 const POSTGRES_MAX_DATA_SIZE = 256
 
 type postgresEvent struct {
-	module    IModule
-	Pid       uint64
-	Timestamp uint64
-	query     [POSTGRES_MAX_DATA_SIZE]uint8
-	comm      [16]uint8
+	module     IModule
+	event_type EVENT_TYPE
+	Pid        uint64
+	Timestamp  uint64
+	query      [POSTGRES_MAX_DATA_SIZE]uint8
+	comm       [16]uint8
 }
 
 func (this *postgresEvent) Decode(payload []byte) (err error) {
@@ -64,5 +65,11 @@ func (this *postgresEvent) Module() IModule {
 }
 
 func (this *postgresEvent) Clone() IEventStruct {
-	return new(postgresEvent)
+	event := new(postgresEvent)
+	event.event_type = EVENT_TYPE_OUTPUT
+	return event
+}
+
+func (this *postgresEvent) EventType() EVENT_TYPE {
+	return this.event_type
 }

user/ievent.go

@@ -1,10 +1,21 @@
 package user
 
+type EVENT_TYPE uint8
+
+const (
+	// upload to server or write to logfile.
+	EVENT_TYPE_OUTPUT EVENT_TYPE = iota
+
+	// set as module cache data
+	EVENT_TYPE_MODULE_DATA
+)
+
 type IEventStruct interface {
 	Decode(payload []byte) (err error)
 	String() string
 	StringHex() string
 	Clone() IEventStruct
 	Module() IModule
 	SetModule(IModule)
+	EventType() EVENT_TYPE
 }