refactor(filter): Introduce *.path filter fields

rabbitstack · rabbitstack · commit 0677c5e2b475 · 2024-12-20T17:24:17.000+01:00
Historically, the file.name/image.name/registry.key.name filter fields were used to yield the full file
path, image path, or registry key respectively. However, a better way to convey the referenced field
is actually returning a fully-qualified path is to introduce a new set of fields. As a side effect, the
previous fields return the base file/image/key names.
diff --git a/pkg/aggregator/transformers/replace/replace_test.go b/pkg/aggregator/transformers/replace/replace_test.go
@@ -34,17 +34,17 @@ func TestTransform(t *testing.T) {
 		Tid:  2484,
 		PID:  859,
 		Kparams: kevent.Kparams{
-			kparams.RegKeyName:   {Name: kparams.RegKeyName, Type: kparams.UnicodeString, Value: `HKEY_LOCAL_MACHINE\SYSTEM\Setup\Pid`},
+			kparams.RegPath:      {Name: kparams.RegPath, Type: kparams.UnicodeString, Value: `HKEY_LOCAL_MACHINE\SYSTEM\Setup\Pid`},
 			kparams.RegKeyHandle: {Name: kparams.RegKeyHandle, Type: kparams.Address, Value: uint64(18446666033449935464)},
 		},
 	}
 
-	transf, err := transformers.Load(transformers.Config{Type: transformers.Replace, Transformer: Config{Replacements: []Replacement{{Kpar: "key_name", Old: "HKEY_LOCAL_MACHINE", New: "HKLM"}}}})
+	transf, err := transformers.Load(transformers.Config{Type: transformers.Replace, Transformer: Config{Replacements: []Replacement{{Kpar: "key_path", Old: "HKEY_LOCAL_MACHINE", New: "HKLM"}}}})
 	require.NoError(t, err)
 
 	require.NoError(t, transf.Transform(kevt))
 
-	keyName, _ := kevt.Kparams.GetString(kparams.RegKeyName)
+	keyName, _ := kevt.Kparams.GetString(kparams.RegPath)
 
 	assert.Equal(t, `HKLM\SYSTEM\Setup\Pid`, keyName)
 }
diff --git a/pkg/aggregator/transformers/trim/trim_test.go b/pkg/aggregator/transformers/trim/trim_test.go
@@ -42,7 +42,7 @@ func TestTransform(t *testing.T) {
 		Description: "Creates or opens a new file, directory, I/O device, pipe, console",
 		Kparams: kevent.Kparams{
 			kparams.FileObject:    {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)},
-			kparams.FileName:      {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"},
+			kparams.FilePath:      {Name: kparams.FilePath, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"},
 			kparams.FileType:      {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"},
 			kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.AnsiString, Value: "overwriteif"},
 			kparams.BasePrio:      {Name: kparams.BasePrio, Type: kparams.Int8, Value: int8(2)},
@@ -54,11 +54,11 @@ func TestTransform(t *testing.T) {
 		Metadata: map[kevent.MetadataKey]any{"foo": "bar", "fooz": "barz"},
 	}
 
-	transf, err := transformers.Load(transformers.Config{Type: transformers.Trim, Transformer: Config{Prefixes: []Trim{{Name: "file_name", Trim: "\\Device"}}, Suffixes: []Trim{{Name: "create_disposition", Trim: "if"}}}})
+	transf, err := transformers.Load(transformers.Config{Type: transformers.Trim, Transformer: Config{Prefixes: []Trim{{Name: "file_path", Trim: "\\Device"}}, Suffixes: []Trim{{Name: "create_disposition", Trim: "if"}}}})
 	require.NoError(t, err)
 
 	require.NoError(t, transf.Transform(kevt))
-	filename, _ := kevt.Kparams.GetString(kparams.FileName)
+	filename, _ := kevt.Kparams.GetString(kparams.FilePath)
 	dispo, _ := kevt.Kparams.GetString(kparams.FileOperation)
 
 	assert.Equal(t, "\\HarddiskVolume2\\Windows\\system32\\user32.dll", filename)
diff --git a/pkg/kevent/queue_test.go b/pkg/kevent/queue_test.go
@@ -77,7 +77,7 @@ func TestQueuePush(t *testing.T) {
 				Category:  ktypes.File,
 				Kparams: Kparams{
 					kparams.FileObject:    {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)},
-					kparams.FileName:      {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "C:\\Windows\\system32\\user32.dll"},
+					kparams.FilePath:      {Name: kparams.FilePath, Type: kparams.UnicodeString, Value: "C:\\Windows\\system32\\user32.dll"},
 					kparams.FileType:      {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"},
 					kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.Enum, Value: uint32(1), Enum: fs.FileCreateDispositions},
 				},
@@ -104,7 +104,7 @@ func TestQueuePush(t *testing.T) {
 				Category:  ktypes.File,
 				Kparams: Kparams{
 					kparams.FileObject:    {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)},
-					kparams.FileName:      {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "C:\\Windows\\system32\\user32.dll"},
+					kparams.FilePath:      {Name: kparams.FilePath, Type: kparams.UnicodeString, Value: "C:\\Windows\\system32\\user32.dll"},
 					kparams.FileType:      {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"},
 					kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.Enum, Value: uint32(1), Enum: fs.FileCreateDispositions},
 				},
@@ -131,7 +131,7 @@ func TestQueuePush(t *testing.T) {
 				Category:  ktypes.File,
 				Kparams: Kparams{
 					kparams.FileObject:    {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)},
-					kparams.FileName:      {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "C:\\Windows\\system32\\user32.dll"},
+					kparams.FilePath:      {Name: kparams.FilePath, Type: kparams.UnicodeString, Value: "C:\\Windows\\system32\\user32.dll"},
 					kparams.FileType:      {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"},
 					kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.Enum, Value: uint32(1), Enum: fs.FileCreateDispositions},
 				},
@@ -159,7 +159,7 @@ func TestQueuePush(t *testing.T) {
 				Category:  ktypes.File,
 				Kparams: Kparams{
 					kparams.FileObject:    {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)},
-					kparams.FileName:      {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "C:\\Windows\\system32\\user32.dll"},
+					kparams.FilePath:      {Name: kparams.FilePath, Type: kparams.UnicodeString, Value: "C:\\Windows\\system32\\user32.dll"},
 					kparams.FileType:      {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"},
 					kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.Enum, Value: uint32(1), Enum: fs.FileCreateDispositions},
 				},
diff --git a/pkg/yara/config/config_test.go b/pkg/yara/config/config_test.go
@@ -115,7 +115,7 @@ func TestAlertTitle(t *testing.T) {
 		},
 		{
 			&kevent.Kevent{Type: ktypes.MapViewFile, Category: ktypes.File,
-				Kparams: kevent.Kparams{kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "C:\\Windows\\System32\\wusa.exe"}},
+				Kparams: kevent.Kparams{kparams.FilePath: {Name: kparams.FilePath, Type: kparams.UnicodeString, Value: "C:\\Windows\\System32\\wusa.exe"}},
 			},
 			FileThreatAlertTitle,
 		},

Original file line number	Diff line number	Diff line change
`@@ -115,7 +115,7 @@ func TestAlertTitle(t *testing.T) {`
`115`	`115`	`},`
`116`	`116`	`{`
`117`	`117`	`&kevent.Kevent{Type: ktypes.MapViewFile, Category: ktypes.File,`
`118`		`- Kparams: kevent.Kparams{kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "C:\\Windows\\System32\\wusa.exe"}},`
	`118`	`+ Kparams: kevent.Kparams{kparams.FilePath: {Name: kparams.FilePath, Type: kparams.UnicodeString, Value: "C:\\Windows\\System32\\wusa.exe"}},`
`119`	`119`	`},`
`120`	`120`	`FileThreatAlertTitle,`
`121`	`121`	`},`