TEST_F(AuditTests, test_parse_sock_addr) {
Row r;
std::string msg = "02001F907F0000010000000000000000";
parseSockAddr(msg, r);
ASSERT_FALSE(r["remote_address"].empty());
EXPECT_EQ(r["remote_address"], "127.0.0.1");
EXPECT_EQ(r["family"], "2");
EXPECT_EQ(r["remote_port"], "8080");
Row r3;
std::string msg2 = "0A001F9100000000FE80000000000000022522FFFEB03684000000";
parseSockAddr(msg2, r3);
ASSERT_FALSE(r3["remote_address"].empty());
EXPECT_EQ(r3["remote_address"], "fe80:0000:0000:0000:0225:22ff:feb0:3684");
EXPECT_EQ(r3["remote_port"], "8081");
Row r4;
std::string msg3 = "01002F746D702F6F7371756572792E656D0000";
parseSockAddr(msg3, r4);
ASSERT_FALSE(r4["socket"].empty());
EXPECT_EQ(r4["socket"], "/tmp/osquery.em");
msg3 = "0100002F746D702F6F7371756572792E656D";
parseSockAddr(msg3, r4);
EXPECT_EQ(r4["socket"], "/tmp/osquery.em");
}
bool SocketUpdate(size_t type, const AuditFields& fields, AuditFields& r) {
if (type == AUDIT_TYPE_SOCKADDR) {
const auto& saddr = fields.at("saddr");
if (saddr.size() < 4 || saddr[0] == '1') {
return false;
}
r["protocol"] = '0';
r["local_port"] = '0';
r["remote_port"] = '0';
// Parse the struct and emit the row.
if (!parseSockAddr(saddr, r)) {
return false;
}
return true;
}
r["auid"] = fields.at("auid");
r["pid"] = fields.at("pid");
r["path"] = decodeAuditValue(fields.at("exe"));
// TODO: This is a hex value.
r["fd"] = fields.at("a0");
// The open/bind success status.
r["success"] = (fields.at("success") == "yes") ? "1" : "0";
r["uptime"] = std::to_string(tables::getUptime());
return true;
}
