evebox 0.13.0

A web based Suricata event manager
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106

// Copyright (C) 2020 Jason Ish
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.

use crate::eve;
use crate::logger::log;
use serde::{Deserialize, Serialize};
use std::io::prelude::*;
#[cfg(unix)]
use std::os::unix::fs::MetadataExt;
use std::path::PathBuf;

#[derive(Serialize, Deserialize, Debug)]
pub struct Bookmark {
    pub path: String,
    pub offset: u64,
    pub size: u64,
    pub sys: BookmarkSys,
}

#[derive(Serialize, Deserialize, Debug)]
pub struct BookmarkSys {
    pub inode: Option<u64>,
}

impl Bookmark {
    pub fn from_metadata(meta: &eve::reader::Metadata) -> Bookmark {
        Bookmark {
            path: meta.filename.clone(),
            offset: meta.lineno,
            size: meta.size,
            sys: BookmarkSys { inode: meta.inode },
        }
    }

    pub fn from_file(filename: &PathBuf) -> Result<Bookmark, Box<dyn std::error::Error>> {
        let mut file = std::fs::File::open(filename)?;
        let mut body = String::new();
        file.read_to_string(&mut body)?;
        let bookmark: Bookmark = serde_json::from_str(&body)?;
        Ok(bookmark)
    }

    pub fn write(
        &self,
        filename: &PathBuf,
    ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
        log::trace!("Writing bookmark {}", filename.to_str().unwrap());
        let mut file = std::fs::File::create(filename)?;
        file.write_all(serde_json::to_string(self).unwrap().as_bytes())?;
        file.write_all(b"\n")?;
        Ok(())
    }

    pub fn is_valid(&self) -> Result<(), Box<dyn std::error::Error>> {
        let m = std::fs::metadata(&self.path)?;
        if !self.check_inode(&m) {
            return Err("inode mismatch".into());
        }
        if m.len() < self.size {
            return Err("current file size less than bookmark".into());
        }
        Ok(())
    }

    #[cfg(unix)]
    fn check_inode(&self, meta: &std::fs::Metadata) -> bool {
        if let Some(inode) = self.sys.inode {
            if inode != meta.ino() {
                return false;
            }
        }
        return true;
    }

    #[cfg(not(unix))]
    fn check_inode(&self, _meta: &std::fs::Metadata) -> bool {
        return true;
    }
}

pub fn bookmark_filename(input_filename: &str, bookmark_dir: &str) -> std::path::PathBuf {
    let directory = match std::fs::canonicalize(bookmark_dir) {
        Ok(directory) => directory,
        Err(err) => {
            log::warn!("Failed to canonicalize directory {}: {}", bookmark_dir, err);
            std::path::PathBuf::from(bookmark_dir)
        }
    };

    let hash = md5::compute(&input_filename);
    let filename = format!("{:x}.bookmark", hash);
    let path = directory.join(filename);
    return path;
}