refactor: Trim the k prefix from types and packages

Historically, Fibratus has been envisioned as a tool to exclusively
interact with the NT Kernel Logger ETW provider. Since then, more
providers have been integrated, some of them operating in userspace.
Thus, the assumption that the provenance of all events is coming out
the kernel is no longer valid. It is semantically more correct to represent
all types, packages, and identifier in a generic way. The most prominent
example is the `Kevent` structure being renamed to `Event`.

Author: rabbitstack

.github/workflows/master.yml

@@ -84,7 +84,7 @@ jobs:
           ./make.bat mc
           ./make.bat
         env:
-          TAGS: kcap,filament,yara,yara_static
+          TAGS: cap,filament,yara,yara_static
       - uses: actions/upload-artifact@v4
         with:
           name: "fibratus-amd64.exe"
@@ -176,7 +176,7 @@ jobs:
            export PKG_CONFIG_PATH=$(pwd)/pkg-config
            ./make.bat test
         env:
-          TAGS: kcap,yara,yara_static
+          TAGS: cap,yara,yara_static
 
   lint:
     runs-on: windows-latest

.github/workflows/pr.yml

@@ -86,7 +86,7 @@ jobs:
           ./make.bat mc
           ./make.bat
         env:
-          TAGS: kcap,filament,yara,yara_static
+          TAGS: cap,filament,yara,yara_static
       - uses: actions/upload-artifact@v4
         with:
           name: "fibratus-amd64.exe"
@@ -158,7 +158,7 @@ jobs:
            export PKG_CONFIG_PATH=$(pwd)/pkg-config
            ./make.bat test
         env:
-          TAGS: kcap,yara,yara_static
+          TAGS: cap,yara,yara_static
 
   lint:
     runs-on: windows-latest

.github/workflows/release.yml

@@ -85,7 +85,7 @@ jobs:
           ./make.bat mc
           ./make.bat
         env:
-          TAGS: kcap,filament,yara,yara_static
+          TAGS: cap,filament,yara,yara_static
       - name: Install Wix
         shell: bash
         run: |

.golangci.yml

@@ -1,6 +1,6 @@
 run:
   build-tags:
-    - kcap
+    - cap
     - filament
   deadline: 10m
 

cmd/fibratus/app/capture/capture_windows.go

@@ -29,7 +29,7 @@ import (
 
 var Command = &cobra.Command{
 	Use:   "capture [filter]",
-	Short: "Capture event stream to the kcap (capture) file",
+	Short: "Capture event stream to the cap (capture) file",
 	RunE:  capture,
 }
 

cmd/fibratus/app/list/list.go

@@ -24,8 +24,8 @@ import (
 	"github.com/jedib0t/go-pretty/v6/table"
 	"github.com/rabbitstack/fibratus/internal/bootstrap"
 	"github.com/rabbitstack/fibratus/pkg/config"
+	"github.com/rabbitstack/fibratus/pkg/event"
 	"github.com/rabbitstack/fibratus/pkg/filter/fields"
-	"github.com/rabbitstack/fibratus/pkg/kevent/ktypes"
 	"github.com/spf13/cobra"
 	"os"
 	"path/filepath"
@@ -34,7 +34,7 @@ import (
 
 var Command = &cobra.Command{
 	Use:   "list",
-	Short: "Show info about filaments, filter fields or kernel event types",
+	Short: "Show info about filaments, filter fields or event types",
 }
 
 var listFilamentsCmd = &cobra.Command{
@@ -50,10 +50,9 @@ var listFieldsCmd = &cobra.Command{
 }
 
 var listEventsCmd = &cobra.Command{
-	Use:     "kevents",
-	Aliases: []string{"events"},
-	Short:   "List supported kernel event types",
-	Run:     listEvents,
+	Use:   "events",
+	Short: "List supported event types",
+	Run:   listEvents,
 }
 
 var cfg = config.NewWithOpts(config.WithList())
@@ -131,8 +130,8 @@ func listEvents(cmd *cobra.Command, args []string) {
 	t.AppendHeader(table.Row{"Name", "Category", "Description"})
 	t.SetStyle(table.StyleLight)
 
-	for _, ktyp := range ktypes.GetKtypesMeta() {
-		t.AppendRow(table.Row{ktyp.Name, ktyp.Category, ktyp.Description})
+	for _, ev := range event.GetTypesMeta() {
+		t.AppendRow(table.Row{ev.Name, ev.Category, ev.Description})
 	}
 
 	t.Render()

cmd/fibratus/app/replay/replay_windows.go

@@ -28,7 +28,7 @@ import (
 
 var Command = &cobra.Command{
 	Use:   "replay",
-	Short: "Replay event stream from the kcap (capture) file",
+	Short: "Replay event stream from the cap (capture) file",
 	RunE:  replay,
 }
 

cmd/fibratus/app/stats/stats.go

@@ -47,13 +47,13 @@ func init() {
 type Stats struct {
 	AggregatorBatchEvents               int            `json:"aggregator.batch.events"`
 	AggregatorFlushesCount              int            `json:"aggregator.flushes.count"`
-	AggregatorKeventErrors              int            `json:"aggregator.kevent.errors"`
+	AggregatorEventErrors               int            `json:"aggregator.event.errors"`
 	AggregatorTransformerErrors         map[string]int `json:"aggregator.transformer.errors"`
 	AggregatorWorkerClientPublishErrors int            `json:"aggregator.worker.client.publish.errors"`
-	FilamentKdictErrors                 int            `json:"filament.kdict.errors"`
-	FilamentKeventBatchFlushes          int            `json:"filament.kevent.batch.flushes"`
-	FilamentKeventErrors                map[string]int `json:"filament.kevent.errors"`
-	FilamentKeventProcessErrors         int            `json:"filament.kevent.process.errors"`
+	FilamentDictErrors                  int            `json:"filament.dict.errors"`
+	FilamentEventBatchFlushes           int            `json:"filament.event.batch.flushes"`
+	FilamentEventErrors                 map[string]int `json:"filament.event.errors"`
+	FilamentEventProcessErrors          int            `json:"filament.event.process.errors"`
 	FilterAccessorErrors                map[string]int `json:"filter.accessor.errors"`
 	FsFileObjectHandleHits              int            `json:"fs.file.object.handle.hits"`
 	FsFileObjectMisses                  int            `json:"fs.file.object.misses"`
@@ -67,28 +67,27 @@ type Stats struct {
 	HandleTypeNameMisses                int            `json:"handle.type.name.misses"`
 	HandleWaitTimeouts                  int            `json:"handle.wait.timeouts"`
 	HostnameErrors                      map[string]int `json:"hostname.errors"`
-	KcapFlusherErrors                   map[string]int `json:"kcap.flusher.errors"`
-	KcapHandleWriteErrors               int            `json:"kcap.handle.write.errors"`
-	KcapKeventUnmarshalErrors           int            `json:"kcap.kevent.unmarshal.errors"`
-	KcapKeventWriteErrors               int            `json:"kcap.kevent.write.errors"`
-	KcapKstreamConsumerErrors           int            `json:"kcap.kstream.consumer.errors"`
-	KcapOverflowErrors                  int            `json:"kcap.overflow.errors"`
-	KcapReadBytes                       int            `json:"kcap.read.bytes"`
-	KcapReadKevents                     int            `json:"kcap.read.kevents"`
-	KcapReaderDroppedByFilter           int            `json:"kcap.reader.dropped.by.filter"`
-	KcapReaderHandleUnmarshalErrors     int            `json:"kcap.reader.handle.unmarshal.errors"`
-	KeventPrcoessorFailures             int            `json:"kevent.processor.failures"`
-	KeventSeqInitErrors                 map[string]int `json:"kevent.seq.init.errors"`
-	KeventSeqStoreErrors                int            `json:"kevent.seq.store.errors"`
-	KeventTimestampUnmarshalErrors      int            `json:"kevent.timestamp.unmarshal.errors"`
-	KstreamDroppedKevents               int            `json:"kstream.dropped.kevents"`
-	KstreamKbuffersRead                 int            `json:"kstream.kbuffers.read"`
-	KstreamKeventsEnqueued              int            `json:"kstream.kevents.enqueued"`
-	KstreamKeventsDequeued              int            `json:"kstream.kevents.dequeued"`
-	KstreamUnknownKevents               int            `json:"kstream.kevents.unknown"`
-	KstreamKeventsProcessed             int            `json:"kstream.kevents.processed"`
-	KstreamExcludedKevents              int            `json:"kstream.excluded.kevents"`
-	KstreamKeventsFailures              map[string]int `json:"kstream.kevents.failures"`
+	CapFlusherErrors                    map[string]int `json:"cap.flusher.errors"`
+	CapHandleWriteErrors                int            `json:"cap.handle.write.errors"`
+	CapEventUnmarshalErrors             int            `json:"cap.event.unmarshal.errors"`
+	CapEventWriteErrors                 int            `json:"cap.event.write.errors"`
+	CapEventSourceConsumerErrors        int            `json:"cap.eventsource.consumer.errors"`
+	CapOverflowErrors                   int            `json:"cap.overflow.errors"`
+	CapReadBytes                        int            `json:"cap.read.bytes"`
+	CapReadEvents                       int            `json:"cap.read.events"`
+	CapReaderDroppedByFilter            int            `json:"cap.reader.dropped.by.filter"`
+	CapReaderHandleUnmarshalErrors      int            `json:"cap.reader.handle.unmarshal.errors"`
+	EventProcessorFailures              int            `json:"event.processor.failures"`
+	EventSeqInitErrors                  map[string]int `json:"event.seq.init.errors"`
+	EventSeqStoreErrors                 int            `json:"event.seq.store.errors"`
+	EventTimestampUnmarshalErrors       int            `json:"event.timestamp.unmarshal.errors"`
+	EventSourceBuffersRead              int            `json:"eventsource.buffers.read"`
+	EventSourceEventsEnqueued           int            `json:"eventsource.events.enqueued"`
+	EventSourceEventsDequeued           int            `json:"eventsource.events.dequeued"`
+	EventSourceUnknownEvents            int            `json:"eventsource.events.unknown"`
+	EventSourceEventsProcessed          int            `json:"eventsource.events.processed"`
+	EventSourceExcludedEvents           int            `json:"eventsource.excluded.events"`
+	EventSourceEventsFailures           map[string]int `json:"eventsource.events.failures"`
 	LoggerErrors                        map[string]int `json:"logger.errors"`
 	OutputAMQPChannelFailures           int            `json:"output.amqp.channel.failures"`
 	OutputAMQPConnectionFailures        int            `json:"output.amqp.connection.failures"`

filaments/fishy_netio.py

@@ -29,24 +29,23 @@
 
 
 def on_init():
-    kfilter("kevt.category = 'net' and ps.name in (%s)" % (', '.join([f'\'{ps}\'' for ps in __procs__])))
+    set_filter("evt.category = 'net' and ps.name in (%s)" % (', '.join([f'\'{ps}\'' for ps in __procs__])))
 
 
 @dotdictify
-def on_next_kevent(kevent):
-    print(kevent)
-    notify = True if kevent.pid in __pids__ else False
+def on_next_event(event):
+    notify = True if event.pid in __pids__ else False
     if not notify:
         emit_alert(
-            f'Anomalous network I/O detected to {kevent.kparams.dip}:{kevent.kparams.dport}',
-            text(kevent),
+            f'Anomalous network I/O detected to {event.params.dip}:{event.params.dport}',
+            text(Event),
             severity='critical',
             tags=['anomalous netio']
         )
-        __pids__.append(kevent.pid)
+        __pids__.append(event.pid)
 
 
-def text(kevent):
+def text(event):
     return """
         
         Source IP:        %s
@@ -63,11 +62,11 @@ def text(kevent):
         User: %s
 
         """ % (
-        kevent.kparams.sip,
-        kevent.kparams.sport,
-        kevent.kparams.dip,
-        kevent.kparams.dport,
-        kevent.kparams.dport_name,
-        kevent.exe,
-        kevent.comm,
-        kevent.cwd, kevent.sid)
+        event.params.sip,
+        event.params.sport,
+        event.params.dip,
+        event.params.dport,
+        event.params.dport_name,
+        event.exe,
+        event.comm,
+        event.cwd, event.sid)

filaments/teamviewer_remote_file_copy.py

@@ -52,16 +52,16 @@
 
 
 def on_init():
-    kfilter("kevt.name = 'CreateFile' and ps.name = 'TeamViewer.exe' and file.operation = 'create' "
+    kfilter("evt.name = 'CreateFile' and ps.name = 'TeamViewer.exe' and file.operation = 'create' "
             "and file.extension in (%s)"
             % (', '.join([f'\'{ext}\'' for ext in extensions])))
 
 
 @dotdictify
-def on_next_kevent(kevent):
+def on_next_kevent(event):
     emit_alert(
         f'Remote File Copy via TeamViewer',
-        f'TeamViewer downloaded an executable or script file {kevent.kparams.file_name} via transfer session',
+        f'TeamViewer downloaded an executable or script file {event.params.file_name} via transfer session',
         severity=__severity__,
         tags=[__tags__]
     )