package detect
import (
"errors"
"io/fs"
"syscall"
api "github.com/chaitin/libveinmind/go"
"github.com/chaitin/veinmind-common-go/service/report/event"
)
// Convert2ReportEvent turns one webshell detection result into a report event
// for the image or container the file was found in.
//
// It returns (nil, nil) when res.Data.RiskLevel is 0 or greater than 20, so no
// event is produced in those cases. Risk levels are bucketed as: <=5 Low,
// <=10 Medium, <=15 High, <=20 Critical. An fs that is neither an api.Image nor
// an api.Container yields a "not supported" error.
//
// NOTE(review): a risk level above 20 is dropped silently, with neither an
// event nor an error. If the detection engine can ever emit such a score, the
// finding never reaches the report. Confirm the documented range of RiskLevel
// with the engine. If RiskLevel is a signed type, negative values fall into the
// Low bucket. Verify that this is intended.
func Convert2ReportEvent(fs api.FileSystem, info FileInfo, res Result) (*event.Event, error) {
	risk := res.Data.RiskLevel
	if risk == 0 {
		return nil, nil
	}

	var reportLevel event.Level
	if risk <= 5 {
		reportLevel = event.Low
	} else if risk <= 10 {
		reportLevel = event.Medium
	} else if risk <= 15 {
		reportLevel = event.High
	} else if risk <= 20 {
		reportLevel = event.Critical
	} else {
		return nil, nil
	}

	// File metadata is resolved before the target type is inspected, so a
	// metadata failure is reported even for an unsupported fs.
	fileDetail, err := file2FileDetail(info.RawFileInfo, info.Path)
	if err != nil {
		return nil, err
	}

	// Only the identity and the detect type differ between images and
	// containers; everything else in the event is shared.
	var basic *event.BasicInfo
	switch target := fs.(type) {
	case api.Image:
		basic = &event.BasicInfo{
			ID:         target.ID(),
			Object:     event.NewObject(target),
			Level:      reportLevel,
			DetectType: event.Image,
			EventType:  event.Invasion,
			AlertType:  event.Webshell,
		}
	case api.Container:
		basic = &event.BasicInfo{
			ID:         target.ID(),
			Object:     event.NewObject(target),
			Level:      reportLevel,
			DetectType: event.Container,
			EventType:  event.Invasion,
			AlertType:  event.Webshell,
		}
	default:
		return nil, errors.New("not supported")
	}

	return &event.Event{
		BasicInfo: basic,
		DetailInfo: &event.DetailInfo{
			AlertDetail: &event.WebshellDetail{
				FileDetail: fileDetail,
				Type:       res.Data.Type,
				Engine:     res.Data.Engine,
				Reason:     res.Data.Reason,
			},
		},
	}, nil
}
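// file2FileDetail copies the path, mode, size, ownership and timestamps of a
// scanned file into an event.FileDetail for inclusion in a report event.
//
// Ownership and timestamps are read from the *syscall.Stat_t returned by
// info.Sys(). An error is returned, instead of panicking, when info is nil or
// does not carry a *syscall.Stat_t, so one file with unusual metadata cannot
// crash the whole scan.
func file2FileDetail(info fs.FileInfo, path string) (event.FileDetail, error) {
	if info == nil {
		return event.FileDetail{}, errors.New("file info is nil")
	}

	// Checked assertion: Sys() may return nil or a different concrete type,
	// depending on where the FileInfo came from.
	sys, ok := info.Sys().(*syscall.Stat_t)
	if !ok || sys == nil {
		return event.FileDetail{}, errors.New("file info does not carry a *syscall.Stat_t")
	}

	return event.FileDetail{
		Path: path,
		Perm: info.Mode(),
		Size: info.Size(),
		Uid:  int64(sys.Uid),
		Gid:  int64(sys.Gid),
		Ctim: int64(sys.Ctim.Sec),
		Mtim: int64(sys.Mtim.Sec),
		// Access time must come from Atim. Reporting the modification time
		// here would give a wrong last-access timestamp in the alert and
		// mislead any timeline built from it.
		Atim: int64(sys.Atim.Sec),
	}, nil
}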