4 changes: 3 additions & 1 deletion pkg/event/flags.go
Expand Up @@ -19,9 +19,10 @@
package event

import (
"strings"

"github.com/rabbitstack/fibratus/pkg/sys"
"golang.org/x/sys/windows"
"strings"
)

// ParamFlag defines the mapping between the flag value and its symbolical name.
Expand Down Expand Up @@ -178,6 +179,7 @@ var FileCreateOptionsFlags = []ParamFlag{

// FileShareModeFlags describes file share mask flags
var FileShareModeFlags = []ParamFlag{
{"DENY", 0},
{"READ", windows.FILE_SHARE_READ},
{"WRITE", windows.FILE_SHARE_WRITE},
{"DELETE", windows.FILE_SHARE_DELETE},
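Review bot: The new `{"DENY", 0}` entry in FileShareModeFlags carries a zero value, so whether a share mask of 0 ever renders as DENY depends on how the flag formatter (not in this hunk) tests membership: a `mask&flag != 0` check never matches a zero-valued entry, while a `mask&flag == flag` check matches it for every mask and would append DENY to READ/WRITE/DELETE output as well. Please confirm against the formatter and add a case with share mask 0 expecting `DENY`. A comment on the entry would also help the next reader, e.g. `// DENY has no bit set: a zero share mask means exclusive access`. The import reorder in the first hunk is only gofmt grouping and needs no review.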
2 changes: 1 addition & 1 deletion pkg/filter/accessor_windows.go
Expand Up @@ -691,7 +691,7 @@ func (l *fileAccessor) Get(f Field, e *event.Event) (params.Value, error) {
return e.Params.GetUint64(params.FileOffset)
case fields.FileIOSize:
return e.Params.GetUint32(params.FileIoSize)
case fields.FileShareMask:
case fields.FileShareMode, fields.FileShareMask:
return e.GetParamAsString(params.FileShareMask), nil
case fields.FileOperation:
return e.GetParamAsString(params.FileOperation), nil
5 changes: 4 additions & 1 deletion pkg/filter/fields/fields_windows.go
Expand Up @@ -457,6 +457,8 @@ const (
FileOperation Field = "file.operation"
// FileShareMask represents the file share mask
FileShareMask Field = "file.share.mask"
// FileShareMode represents the file share mode field
FileShareMode Field = "file.share_mode"
// FileIOSize represents the number of read/written bytes
FileIOSize Field = "file.io.size"
// FileOffset represents the read/write offset
Expand Down Expand Up @@ -1177,7 +1179,8 @@ var fields = map[Field]FieldInfo{
FilePathStem: {FilePathStem, "full file path without extension", params.UnicodeString, []string{"file.path.stem = 'C:\\Windows\\System32\\cmd'"}, nil, nil},
FileName: {FileName, "full file name", params.UnicodeString, []string{"file.name contains 'mimikatz'"}, nil, nil},
FileOperation: {FileOperation, "file operation", params.AnsiString, []string{"file.operation = 'open'"}, nil, nil},
FileShareMask: {FileShareMask, "file share mask", params.AnsiString, []string{"file.share.mask = 'rw-'"}, nil, nil},
FileShareMask: {FileShareMask, "file share mask", params.AnsiString, []string{"file.share.mask = 'READ'"}, &Deprecation{Since: "3.1.0", Fields: []Field{FileShareMode}}, nil},
FileShareMode: {FileShareMask, "file share mode", params.AnsiString, []string{"file.share_mode = 'DENY'"}, nil, nil},
FileIOSize: {FileIOSize, "file I/O size", params.Uint32, []string{"file.io.size > 512"}, nil, nil},
FileOffset: {FileOffset, "file offset", params.Uint64, []string{"file.offset = 1024"}, nil, nil},
FileType: {FileType, "file type", params.AnsiString, []string{"file.type = 'directory'"}, nil, nil},
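Review bot: The FileShareMode entry in the second hunk passes FileShareMask as the first element of its FieldInfo, while every neighbouring entry (FilePathStem, FileName, FileOperation, FileIOSize, FileOffset, FileType) passes its own key; it should read `FileShareMode: {FileShareMode, "file share mode", params.AnsiString, []string{"file.share_mode = 'DENY'"}, nil, nil},`. If that first member is the name the field reports in generated docs or lookups, the new field would otherwise announce itself as file.share.mask. Separately, the new name `file.share_mode` uses an underscore where the sibling fields use dots (`file.share.mask`, `file.io.size`); if that is deliberate to keep it distinct from the deprecated name, a short comment on the `FileShareMode Field = "file.share_mode"` line saying so would spare the next reader the question. Both the const block and the `fields` map start and end outside the visible hunks.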
4 changes: 3 additions & 1 deletion pkg/filter/filter_test.go
Expand Up @@ -630,6 +630,7 @@ func TestFileFilter(t *testing.T) {
params.FilePath: {Name: params.FilePath, Type: params.UnicodeString, Value: "C:\\Windows\\system32\\user32.dll"},
params.FileType: {Name: params.FileType, Type: params.AnsiString, Value: "file"},
params.FileOperation: {Name: params.FileOperation, Type: params.AnsiString, Value: "open"},
params.FileShareMask: {Name: params.FileShareMask, Type: params.Flags, Value: uint32(1), Flags: event.FileShareModeFlags},
},
Metadata: map[event.MetadataKey]any{"foo": "bar", "fooz": "barzz"},
}
Expand All @@ -641,7 +642,7 @@ func TestFileFilter(t *testing.T) {

{`file.name = 'user32.dll'`, true},
{`file.path = 'C:\\Windows\\system32\\user32.dll'`, true},
{`file.extension = '.dll'`, true},
{`file.extension = '.dll'`, true},
{`file.extension not contains '.exe'`, true},
{`file.extension contains '.exe' or (file.extension contains '.dll' and file.name endswith 'user32.dll')`, true},
{`file.extension = '.dll' or (file.extension contains '.exe' and file.name endswith 'kernel32.dll')`, true},
Expand Down Expand Up @@ -670,6 +671,7 @@ func TestFileFilter(t *testing.T) {
{`file.path fuzzy ('C:\\Windows\\system32\\kernel', 'C:\\Windows\\system32\\ser3ll')`, true},
{`file.path ifuzzynorm 'C:\\WINDOWS\\sÝS\\32dll'`, true},
{`file.path.stem = 'C:\\Windows\\system32\\user32'`, true},
{`file.share_mode = 'READ'`, true},
{`base(file.path) = 'user32.dll'`, true},
{`ext(base(file.path)) = '.dll'`, true},
{`base(file.path, false) = 'user32'`, true},
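Review bot: The new assertion `file.share_mode = 'READ'` covers only the non-zero path; the deprecated alias `file.share.mask`, which the accessor change routes to the same parameter, and the zero-valued DENY entry are left untested. A one-line addition beside it, `{`file.share.mask = 'READ'`, true},`, covers the alias, and DENY needs a second fixture with `Value: uint32(0)` since the fixture here uses uint32(1) (FILE_SHARE_READ). The fixture and the case table belong to TestFileFilter, which starts and ends outside the visible hunks. The `file.extension = '.dll'` change in the middle hunk appears to be whitespace only.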