parser: Recognize TTY records; cleanup

threathunters-io · Dec 27, 2023 · 9ee19d8 · 9ee19d8
1 parent fba5f29
commit 9ee19d8
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 18 deletions.
diff --git a/src/parser.rs b/src/parser.rs
@@ -177,8 +177,10 @@ fn parse_body(
     ty: MessageType,
     skip_enriched: bool,
 ) -> IResult<&[u8], Vec<(Key, PValue)>> {
-    let (input, special) = opt(alt((
-        map(
+    // Skip. overe start of message doesn't fit the key=value
+    // scheme and does not contain useful information.
+    let (input, special) = match ty {
+        msg_type::AVC => opt(map(
             tuple((
                 preceded(
                     pair(tag("avc:"), space0),
@@ -191,17 +193,19 @@ fn parse_body(
                 ),
             )),
             |(k, v)| (Key::Name(NVec::from(k)), PValue::List(v)),
-        ),
-        map(terminated(tag("netlabel"), pair(tag(":"), space0)), |s| {
-            (Key::Name(NVec::from(s)), PValue::Empty)
-        }),
-    )))(input)?;
-
-    let (input, _) = match ty {
-        // Skip. overe start of message doesn't fit the key=value
-        // scheme and does not contain useful information.
-        msg_type::MAC_POLICY_LOAD => opt(tag("policy loaded "))(input)?,
-        _ => (input, None),
+        ))(input)?,
+        msg_type::TTY => {
+            let (input, _) = opt(tag("tty "))(input)?;
+            (input, None)
+        }
+        msg_type::MAC_POLICY_LOAD => {
+            let (input, _) = opt(tag("policy loaded "))(input)?;
+            (input, None)
+        }
+        _ => opt(map(
+            terminated(tag("netlabel"), pair(tag(":"), space0)),
+            |s| (Key::Name(NVec::from(s)), PValue::Empty),
+        ))(input)?,
     };
 
     let (input, mut kv) = if skip_enriched {
@@ -878,16 +882,13 @@ mod test {
         do_parse(include_bytes!("testdata/line-sockaddr-unix.txt")).unwrap();
         do_parse(include_bytes!("testdata/line-sockaddr-unix-2.txt")).unwrap();
         do_parse(include_bytes!("testdata/line-user-auth-2.txt")).unwrap();
+        do_parse(include_bytes!("testdata/line-mac-policy-load.txt")).unwrap();
+        do_parse(include_bytes!("testdata/line-tty.txt")).unwrap();
     }
 
     #[test]
     #[should_panic]
     fn breakage_sockaddr_unknown() {
         do_parse(include_bytes!("testdata/line-sockaddr-unknown.txt")).unwrap();
     }
-
-    #[test]
-    fn breakage_mac_policy_load() {
-        do_parse(include_bytes!("testdata/line-mac-policy-load.txt")).unwrap();
-    }
 }
diff --git a/src/testdata/line-tty.txt b/src/testdata/line-tty.txt
@@ -0,0 +1 @@
+type=TTY msg=audit(1702500511.459:370948): tty pid=260398 uid=0 auid=4294967295 ses=4294967295 major=136 minor=1 comm="bash" data=72706D202D7161207C2067726570207379736C6F670DUID="root" AUID="unset"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		type=TTY msg=audit(1702500511.459:370948): tty pid=260398 uid=0 auid=4294967295 ses=4294967295 major=136 minor=1 comm="bash" data=72706D202D7161207C2067726570207379736C6F670DUID="root" AUID="unset"