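def outputNetConn(self, proc, netconn):
    """
    Output a single netconn event from a process document as one
    pipe-delimited record on stdout.

    The caller is responsible for ensuring that the document meets the
    start time and subnet criteria; no filtering happens here.

    Args:
        proc: process document (dict-like). Metadata fields that are
            missing are rendered as "<unknown>".
        netconn: raw netconn string of the form
            "timestamp|ip|port|proto|domain|direction", where ip is the
            address as a 32-bit integer, proto is the IP protocol number
            and direction is the string "true" for an outbound connection.

    Raises:
        ValueError: if netconn does not split into exactly six fields,
            or if the ip field is not an integer.
    """
    # for convenience, use locals for some process metadata fields
    hostname = proc.get("hostname", "<unknown>")
    process_name = proc.get("process_name", "<unknown>")
    user_name = proc.get("username", "<unknown>")
    process_md5 = proc.get("process_md5", "<unknown>")
    cmdline = proc.get("cmdline", "<unknown>")
    path = proc.get("path", "<unknown>")
    procstarttime = proc.get("start", "<unknown>")
    proclastupdate = proc.get("last_update", "<unknown>")

    # split the netconn into component parts; the timestamp is not part
    # of the output record
    _ts, ip, port, proto, domain, direction = netconn.split("|")

    # the ip is a 32-bit integer; mask to 32 bits so that both the signed
    # form (what the previous "!i" pack accepted) and an unsigned form
    # decode to the same dotted-quad instead of raising struct.error
    str_ip = socket.inet_ntoa(struct.pack("!I", int(ip) & 0xFFFFFFFF))

    # the underlying data model provides the protocol number; map the
    # well-known ones to names, anything else is passed through unchanged
    proto = {"6": "tcp", "17": "udp"}.get(proto, proto)

    # the underlying data model provides a boolean indication as to
    # whether this is an inbound or outbound network connection
    direction = "out" if "true" == direction else "in"

    # NOTE(review): field values such as cmdline, path and domain originate
    # on the endpoint and are written unescaped, so an embedded "|" or
    # newline would corrupt the record for a downstream parser -- confirm
    # whether consumers tolerate that before relying on this format.
    # print the record, using pipes as a delimiter (parenthesised form is
    # valid on both Python 2 and 3)
    print("%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|" % (
        procstarttime, proclastupdate, hostname, user_name, proto, str_ip,
        port, direction, domain, process_name, process_md5, path, cmdline))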