feat: refactor event types to use unified Type structure across events #814
Conversation
Signed-off-by: CFC4N <cfc4n.cs@gmail.com>
|
Failed to generate code suggestions for PR |
There was a problem hiding this comment.
Pull Request Overview
This PR refactors the event type system by replacing EventType with Type across all event structures and introduces a unified Base structure for common event metadata. The changes standardize event handling and improve code consistency throughout the event processing system.
Key changes:
- Renamed
EventTypetoTypeacross all event structures and constants - Added a
Basestructure containing common metadata fields (timestamp, UUID, PID, process name, etc.) - Updated all event types to implement a new
Base()method returning the unified metadata structure
Reviewed Changes
Copilot reviewed 17 out of 17 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| user/module/imodule.go | Updated event type constants from EventType* to Type* |
| user/event/ievent.go | Renamed EventType to Type and added Base() method to interface |
| user/event/event_*.go | Updated all event structures to use Type instead of EventType and implement Base() method |
| user/event/event_base.go | Changed PID field type from int32 to int64 in Base structure |
| pkg/event_processor/*.go | Updated event processor to use new Type naming and Base structure |
| func (be *BashEvent) EventType() EventType { | ||
| func (be *BashEvent) Base() Base { | ||
| be.base = Base{ | ||
| Timestamp: time.Now().Unix(), |
There was a problem hiding this comment.
Using time.Now().Unix() in the Base() method creates inconsistent timestamps. Each call to Base() will return a different timestamp, which could cause issues if the method is called multiple times for the same event. Consider storing the timestamp when the event is created or use a field from the event structure.
Copilot uses AI. Check for mistakes.
| DstIP: "127.0.0.1", // Nspr events do not have DstIP | ||
| DstPort: 0, // Nspr events do not have DstPort | ||
| PID: int64(ne.Pid), | ||
| PName: string(ne.Comm[:]), |
There was a problem hiding this comment.
Converting ne.Comm[:] directly to string may include null bytes and garbage data. Use the commStr() helper function that properly handles C-style null-terminated strings, similar to other event implementations.
| PName: string(ne.Comm[:]), | |
| PName: commStr(ne.Comm[:]), |
Copilot uses AI. Check for mistakes.
| Timestamp: int64(me.Timestamp), | ||
| UUID: me.GetUUID(), | ||
| PID: int64(me.Pid), | ||
| PName: string(me.Comm[:]), |
There was a problem hiding this comment.
Converting me.Comm[:] directly to string may include null bytes and garbage data. Use the commStr() helper function that properly handles C-style null-terminated strings, similar to other event implementations.
| PName: string(me.Comm[:]), | |
| PName: commStr(me.Comm[:]), |
Copilot uses AI. Check for mistakes.
| DstIP: "127.0.0.1", // Bash events do not have DstIP | ||
| DstPort: 0, // Bash events do not have DstPort | ||
| PID: int64(be.Pid), | ||
| PName: string(be.Comm[:]), |
There was a problem hiding this comment.
Converting be.Comm[:] directly to string may include null bytes and garbage data. Use the commStr() helper function that properly handles C-style null-terminated strings, similar to other event implementations.
Copilot uses AI. Check for mistakes.
| DstIP: "127.0.0.1", // Gnutls events do not have DstIP | ||
| DstPort: 0, // Gnutls events do not have DstPort | ||
| PID: int64(ge.Pid), | ||
| PName: string(ge.Comm[:]), |
There was a problem hiding this comment.
Converting ge.Comm[:] directly to string may include null bytes and garbage data. Use the commStr() helper function that properly handles C-style null-terminated strings, similar to other event implementations.
| PName: string(ge.Comm[:]), | |
| PName: commStr(ge.Comm[:]), |
Copilot uses AI. Check for mistakes.
| DstIP: "127.0.0.1", // GoTLS events do not have DstIP | ||
| DstPort: 0, // GoTLS events do not have DstPort | ||
| PID: int64(ge.Pid), | ||
| PName: string(ge.Comm[:]), |
There was a problem hiding this comment.
Converting ge.Comm[:] directly to string may include null bytes and garbage data. Use the commStr() helper function that properly handles C-style null-terminated strings, similar to other event implementations.
| PName: string(ge.Comm[:]), | |
| PName: commStr(ge.Comm[:]), |
Copilot uses AI. Check for mistakes.
Signed-off-by: CFC4N <cfc4n.cs@gmail.com>
Signed-off-by: CFC4N <cfc4n.cs@gmail.com>
…loads Signed-off-by: CFC4N <cfc4n.cs@gmail.com>
This pull request introduces significant refactoring and enhancements to the event processing system. The primary focus is on standardizing the event type representation, adding a
Basestructure to events for common metadata, and improving type consistency across the codebase. These changes aim to improve maintainability, readability, and extensibility of the code.Standardization of Event Type Representation:
EventTypewithTypeacross all event structures for consistency. (pkg/event_processor/base_event.go,user/event/event_bash.go,user/event/event_gnutls.go,user/event/event_masterkey.go, etc.) [1] [2] [3] [4] [5] [6] [7] [8] [9]Introduction of
BaseStructure for Common Metadata:Basestructure to encapsulate common metadata fields such asTimestamp,UUID,PID, andPName. This structure is now included in various event types (e.g.,BashEvent,GnutlsDataEvent,MasterSecretEvent, etc.). (user/event/event_bash.go,user/event/event_gnutls.go,user/event/event_masterkey.go, etc.) [1] [2] [3] [4] [5] [6] [7] [8] [9]Enhancements to Event Processing Logic:
BaseEventandeventWorkerlogic to utilize the newBasestructure, ensuring consistent handling of event metadata. (pkg/event_processor/base_event.go,pkg/event_processor/iworker.go) [1] [2] [3]Type Consistency and Field Updates:
PIDfromint32toint64in theBasestructure. (user/event/event_base.go)timefor timestamp handling. (user/event/event_bash.go)Event-Specific Refactoring:
Base()andEventType()) to align with the newBasestructure andTyperepresentation. This was done across multiple event types such asBashEvent,GoTLSEvent,MysqldEvent, and others. (user/event/event_bash.go,user/event/event_gotls.go,user/event/event_mysqld.go, etc.) [1] [2] [3]These changes collectively improve the modularity and scalability of the event processing system, making it easier to add new event types or modify existing ones in the future.