package formats
import (
"fmt"
"log/syslog"
"os"
"strconv"
"strings"
"time"
"github.com/evilsocket/opensnitch/daemon/core"
"github.com/evilsocket/opensnitch/daemon/ui/protocol"
)
// RFC3164 is the name under which this output format is selected in the
// JSON configuration.
const (
	RFC3164 = "rfc3164"
)
// Rfc3164 renders event arguments as RFC 3164-style syslog lines; see
// Transform for the exact layout.
type Rfc3164 struct {
	// seq is neither read nor written by any method in this file.
	seq int
}
// NewRfc3164 allocates a zero-valued Rfc3164, the formatter that turns a
// message into RFC3164 format.
func NewRfc3164() *Rfc3164 {
	formatter := new(Rfc3164)
	return formatter
}
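// Transform takes input arguments and formats them to RFC3164 format.
//
// args[0] is expected to be a []interface{} holding the values to serialize:
// every *protocol.Connection is expanded into SRC/SPT/DST/... fields and any
// other value is written as ARG<n>="<value>". args[1] and args[2] are the
// optional hostname and tag placed in the syslog header. A missing or
// mistyped argument leaves the corresponding part empty instead of
// panicking. Every quoted field value is escaped (see rfc3164Escape) so a
// double quote or a line break in e.g. a process path, command line or
// resolved host name cannot terminate the field early or inject a second
// log record into the stream.
//
// The returned line is `<PRI>TIMESTAMP HOSTNAME TAG[PID]: [fields]\n`.
// NOTE: RFC 3164 itself spells the timestamp as "Mmm dd hh:mm:ss"; the
// RFC3339 form is kept here so existing consumers keep parsing the output.
func (r *Rfc3164) Transform(args ...interface{}) (out string) {
	hostname := ""
	tag := ""
	// The header fields are optional and each index is checked on its own,
	// so a call with only a hostname no longer indexes past the end of args.
	if len(args) > 1 {
		hostname, _ = args[1].(string)
	}
	if len(args) > 2 {
		tag, _ = args[2].(string)
	}
	var values []interface{}
	if len(args) > 0 {
		// A first argument that is not a slice yields an empty field list
		// rather than a panic.
		values, _ = args[0].([]interface{})
	}

	for n, val := range values {
		con, ok := val.(*protocol.Connection)
		if !ok || con == nil {
			// Anything that is not a connection (a nil *Connection included)
			// is rendered through fmt as ARG<n>="<value>"; fmt prints a nil
			// pointer as <nil>.
			out = fmt.Sprint(out, " ARG", n, "=\"", rfc3164Escape(fmt.Sprint(val)), "\"")
			continue
		}
		out = core.ConcatStrings(out,
			" SRC=\"", rfc3164Escape(con.SrcIp), "\"",
			" SPT=\"", strconv.FormatUint(uint64(con.SrcPort), 10), "\"",
			" DST=\"", rfc3164Escape(con.DstIp), "\"",
			" DSTHOST=\"", rfc3164Escape(con.DstHost), "\"",
			" DPT=\"", strconv.FormatUint(uint64(con.DstPort), 10), "\"",
			" PROTO=\"", rfc3164Escape(con.Protocol), "\"",
			" PID=\"", strconv.FormatUint(uint64(con.ProcessId), 10), "\"",
			" UID=\"", strconv.FormatUint(uint64(con.UserId), 10), "\"",
			//" COMM=", con.ProcessComm, "\"",
			" PATH=\"", rfc3164Escape(con.ProcessPath), "\"",
			" CMDLINE=\"", rfc3164Escape(strings.Join(con.ProcessArgs, " ")), "\"",
			" CWD=\"", rfc3164Escape(con.ProcessCwd), "\"",
		)
	}

	// Every field is written with a leading space; drop the first one.
	// TrimPrefix is safe when no field was written, where out[1:] panics.
	out = fmt.Sprintf("<%d>%s %s %s[%d]: [%s]\n",
		syslog.LOG_NOTICE|syslog.LOG_DAEMON,
		time.Now().Format(time.RFC3339),
		hostname,
		tag,
		os.Getpid(),
		strings.TrimPrefix(out, " "))
	return
}

// rfc3164Escaper neutralises the characters that would break a quoted
// key="value" field or the one-record-per-line framing of a syslog stream.
var rfc3164Escaper = strings.NewReplacer(
	`\`, `\\`,
	`"`, `\"`,
	"\n", `\n`,
	"\r", `\r`,
)

// rfc3164Escape returns s with backslashes, double quotes, CR and LF
// escaped so the value can be embedded verbatim between double quotes.
func rfc3164Escape(s string) string {
	return rfc3164Escaper.Replace(s)
}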