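/**
 * parseSockAddr() decodes the hex-encoded sockaddr blob carried in the audit
 * `saddr` field. Fixtures below are raw hex, two characters per byte:
 * sa_family is two little-endian bytes ("0200" -> 2), ports are two bytes in
 * network order ("1F90" -> 8080), and the remainder is the family-specific
 * payload.
 */
TEST_F(AuditTests, test_parse_sock_addr) {
  // AF_INET (0x0002): port 0x1F90 = 8080, address 7F000001 = 127.0.0.1.
  Row r_inet;
  const std::string inet_msg = "02001F907F0000010000000000000000";
  parseSockAddr(inet_msg, r_inet);
  ASSERT_FALSE(r_inet["remote_address"].empty());
  EXPECT_EQ(r_inet["remote_address"], "127.0.0.1");
  EXPECT_EQ(r_inet["family"], "2");
  EXPECT_EQ(r_inet["remote_port"], "8080");

  // AF_INET6 (0x000A): port 0x1F91 = 8081, 4-byte flowinfo, then the
  // 16-byte address. (The trailing scope_id in this fixture is one byte
  // short of a full sockaddr_in6; the parser evidently does not rely on it.)
  Row r_inet6;
  const std::string inet6_msg =
      "0A001F9100000000FE80000000000000022522FFFEB03684000000";
  parseSockAddr(inet6_msg, r_inet6);
  ASSERT_FALSE(r_inet6["remote_address"].empty());
  EXPECT_EQ(r_inet6["remote_address"],
            "fe80:0000:0000:0000:0225:22ff:feb0:3684");
  EXPECT_EQ(r_inet6["remote_port"], "8081");

  // AF_UNIX (0x0001) with a filesystem path: "/tmp/osquery.em".
  Row r_unix;
  const std::string unix_msg = "01002F746D702F6F7371756572792E656D0000";
  parseSockAddr(unix_msg, r_unix);
  ASSERT_FALSE(r_unix["socket"].empty());
  EXPECT_EQ(r_unix["socket"], "/tmp/osquery.em");

  // AF_UNIX with sun_path starting in a NUL byte ("00" before "2F..."; an
  // abstract-namespace address on Linux). The same name is expected without
  // the leading NUL. A fresh Row is used here: the original test reused the
  // previous Row, so a parser that rejected this input would still have
  // passed on the value left over from the path case.
  Row r_abstract;
  const std::string abstract_msg = "0100002F746D702F6F7371756572792E656D";
  parseSockAddr(abstract_msg, r_abstract);
  ASSERT_FALSE(r_abstract["socket"].empty());
  EXPECT_EQ(r_abstract["socket"], "/tmp/osquery.em");
}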
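/// Returns the value stored under `name` in `fields`, or `fallback` when the
/// record does not carry that key. `std::map::at` would throw
/// std::out_of_range out of the audit event handler for a record missing a
/// field; a lookup with a default keeps a malformed or partial record from
/// taking down the consumer.
static std::string auditFieldOr(const AuditFields& fields,
                                const std::string& name,
                                const std::string& fallback = "") {
  const auto it = fields.find(name);
  return (it == fields.end()) ? fallback : it->second;
}

/**
 * @brief Translate one audit record into columns of a socket-event row.
 *
 * Two record types are handled:
 *  - AUDIT_TYPE_SOCKADDR: the hex-encoded `saddr` blob is decoded by
 *    parseSockAddr() into the address/port (or socket path) columns.
 *  - any other type: process identity (auid, pid), the decoded executable
 *    path, the raw a0 syscall argument and the success flag are copied in,
 *    along with the current uptime.
 *
 * @param type   Audit record type.
 * @param fields Key/value pairs of the audit record.
 * @param r      Row under construction; columns are added in place.
 * @return false when a SOCKADDR record has no usable `saddr` (absent, shorter
 *         than the 2-byte family, a filtered family) or parseSockAddr()
 *         rejects it; true otherwise. Missing fields on the non-SOCKADDR
 *         path yield empty columns (and success "0") rather than an exception.
 */
bool SocketUpdate(size_t type, const AuditFields& fields, AuditFields& r) {
  if (type == AUDIT_TYPE_SOCKADDR) {
    const auto saddr_it = fields.find("saddr");
    if (saddr_it == fields.end()) {
      // No address to decode; previously fields.at() would have thrown here.
      return false;
    }
    const auto& saddr = saddr_it->second;

    // Two hex chars per byte, so 4 chars is the minimum for sa_family.
    // A leading hex digit of '1' means a family in the 0x10..0x1F range,
    // which is skipped (presumably netlink/packet sockets — confirm against
    // the families parseSockAddr() handles).
    if (saddr.size() < 4 || saddr[0] == '1') {
      return false;
    }

    // Defaults that parseSockAddr() may overwrite.
    r["protocol"] = "0";
    r["local_port"] = "0";
    r["remote_port"] = "0";

    // Parse the struct and emit the row.
    return parseSockAddr(saddr, r);
  }

  r["auid"] = auditFieldOr(fields, "auid");
  r["pid"] = auditFieldOr(fields, "pid");
  r["path"] = decodeAuditValue(auditFieldOr(fields, "exe"));
  // TODO: This is a hex value.
  r["fd"] = auditFieldOr(fields, "a0");
  // The open/bind success status; anything other than "yes" (including a
  // missing field) is reported as failure.
  r["success"] = (auditFieldOr(fields, "success") == "yes") ? "1" : "0";
  r["uptime"] = std::to_string(tables::getUptime());
  return true;
}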