feat: remap port fields to ECS type

wazuh · Nov 15, 2024 · 38cfbb1 · 38cfbb1
1 parent 211362b
commit 38cfbb1
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 5 deletions.
diff --git a/src/modules/inventory/include/inventory.hpp b/src/modules/inventory/include/inventory.hpp
@@ -54,6 +54,7 @@ class Inventory {
         nlohmann::json GetOSData();
         nlohmann::json EcsHardwareData(const nlohmann::json& originalData);
         nlohmann::json EcsPackageData(const nlohmann::json& originalData);
+        nlohmann::json EcsPortData(const nlohmann::json& originalData);
         nlohmann::json GetHardwareData();
         nlohmann::json GetNetworkData();
         nlohmann::json GetPortsData();

diff --git a/src/modules/inventory/src/inventoryImp.cpp b/src/modules/inventory/src/inventoryImp.cpp
@@ -271,6 +271,10 @@ nlohmann::json Inventory::EcsData(const nlohmann::json& data, const std::string&
     {
         ret = EcsProcessesData(data);
     }
+    else if (table == PACKAGES_TABLE)
+    {
+        ret = EcsPortData(data);
+    }
     return ret;
 }
 
@@ -293,6 +297,10 @@ std::string Inventory::GetPrimaryKeys([[maybe_unused]] const nlohmann::json& dat
     {
         ret = data["process"]["pid"];
     }
+    else if (table == PACKAGES_TABLE)
+    {
+        ret = data["file"]["inode"].get<std::string>() + ":" + data["network"]["protocol"].get<std::string>() + ":" + data["source"]["ip"].get<std::string>() + ":" + data["source"]["port"].get<std::string>();
+    }
     return ret;
 }
 
@@ -515,6 +523,27 @@ nlohmann::json Inventory::EcsProcessesData(const nlohmann::json& originalData)
     return ret;
 }
 
+nlohmann::json Inventory::EcsPortData(const nlohmann::json& originalData)
+{
+    nlohmann::json ret;
+
+    ret["network"]["protocol"] = originalData.contains("protocol") ? originalData["protocol"] : "";
+    ret["source"]["ip"] = originalData.contains("local_ip") ? originalData["local_ip"] : "";
+    ret["source"]["port"] = originalData.contains("local_port") ? originalData["local_port"] : "";
+    ret["destination"]["ip"] = originalData.contains("remote_ip") ? originalData["remote_ip"] : "";
+    ret["destination"]["port"] = originalData.contains("remote_port") ? originalData["remote_port"] : "";
+    ret["host"]["network"]["egress"]["queue"] = originalData.contains("tx_queue") ? originalData["tx_queue"] : "";
+    ret["host"]["network"]["ingress"]["queue"] = originalData.contains("rx_queue") ? originalData["rx_queue"] : "";
+    ret["file"]["inode"] = originalData.contains("inode") ? originalData["inode"] : "";
+    ret["interface"]["state"] = originalData.contains("state") ? originalData["state"] : "";
+    ret["process"]["pid"] = originalData.contains("pid") ? originalData["pid"] : "";
+    ret["process"]["name"] = originalData.contains("process") ? originalData["process"] : nlohmann::json(0);
+    ret["device"]["id"] = originalData.contains("item_id") ? originalData["item_id"] : "";
+    ret["@ŧimestamp"] = originalData.contains("scan_time") ? originalData["scan_time"] : "";
+
+    return ret;
+}
+
 nlohmann::json Inventory::GetHardwareData()
 {
     nlohmann::json ret;
@@ -782,7 +811,6 @@ nlohmann::json Inventory::GetPortsData()
 
                     if (!IsElementDuplicated(ret, std::make_pair("item_id", itemId)))
                     {
-                        item["checksum"] = GetItemChecksum(item);
                         item["item_id"] = itemId;
                         ret.push_back(item);
                     }
@@ -798,7 +826,6 @@ nlohmann::json Inventory::GetPortsData()
 
                         if (!IsElementDuplicated(ret, std::make_pair("item_id", itemId)))
                         {
-                            item["checksum"] = GetItemChecksum(item);
                             item["item_id"] = itemId;
                             ret.push_back(item);
                         }
@@ -811,7 +838,6 @@ nlohmann::json Inventory::GetPortsData()
 
                 if (!IsElementDuplicated(ret, std::make_pair("item_id", itemId)))
                 {
-                    item["checksum"] = GetItemChecksum(item);
                     item["item_id"] = itemId;
                     ret.push_back(item);
                 }
@@ -877,11 +903,11 @@ void Inventory::Scan()
     TryCatchTask([&]() { ScanOs(); });
     TryCatchTask([&]() { ScanPackages(); });
     TryCatchTask([&]() { ScanProcesses(); });
+    TryCatchTask([&]() { ScanPorts(); });
 
     // TO DO: enable each scan once the ECS translation is done
     //TryCatchTask([&]() { ScanNetwork(); });
-    //TryCatchTask([&]() { ScanHotfixes(); });
-    //TryCatchTask([&]() { ScanPorts(); });
+    //TryCatchTask([&]() { ScanHotfixes(); });;
     m_notify = true;
     LogInfo("Evaluation finished.");
 }