

Ndjson bug (#1663)
* Rename to display name of component

* Improve zed.Record#has function
jameskerr authored May 20, 2021
1 parent 294c7be commit db9cf97
Showing 7 changed files with 39 additions and 28 deletions.
4 changes: 2 additions & 2 deletions app/detail/Pane.tsx
Expand Up @@ -4,7 +4,7 @@ import {SuricataEvent} from "ppl/detail/models/SuricataEvent"
import {ZeekEvent} from "ppl/detail/models/ZeekEvent"
import RelatedAlerts from "ppl/detail/RelatedAlerts"
import RelatedConns from "ppl/detail/RelatedConns"
import CorrelationPanel from "ppl/detail/Correlation"
import UidPanel from "ppl/detail/UidPanel"
import React, {useLayoutEffect, memo, useMemo, useRef} from "react"
import {useSelector} from "react-redux"
import ConnPanel from "src/js/components/LogDetails/ConnPanel"
Expand Down Expand Up @@ -41,7 +41,7 @@ const Content = memo<Props>(function Content({record}) {
<Fields record={record} />
</div>
<div className="column">
{isZeek && uid && <CorrelationPanel record={record} />}
{isZeek && uid && <UidPanel record={record} />}
{isSuricata && cid && <RelatedAlerts record={record} />}
{isSuricata && cid && <RelatedConns record={record} />}
{isConn && <ConnPanel record={record} />}
12 changes: 4 additions & 8 deletions ppl/detail/RelatedAlerts.tsx
Expand Up @@ -8,7 +8,7 @@ import {BrimEvent} from "ppl/detail/models/BrimEvent"
import React, {memo, useCallback, useMemo} from "react"
import brim from "src/js/brim"
import {showContextMenu} from "src/js/lib/System"
import zql from "src/js/zql"
import {relatedAlerts} from "src/js/searches/programs"
import {zed} from "zealot"
import EventLimit from "./EventLimit"
import EventTimeline from "./EventTimeline"
Expand All @@ -20,14 +20,10 @@ type Props = {
}

const LIMIT = 100
const getQuery = (r: zed.Record, limit?: number) => {
const cid = r.get("community_id")
const base = zql`event_type=alert community_id=${cid} | sort ts`
return limit ? `${base} | head ${limit}` : base
}

export default memo(function RelatedAlerts({record}: Props) {
const [records, isLoading] = useSearch(getQuery(record, LIMIT), [record])
const cid = record.get("community_id").toString()
const [records, isLoading] = useSearch(relatedAlerts(cid, LIMIT), [record])
const events = useMemo(() => records.map(BrimEvent.build), [records])
const [first, last] = firstLast(events)
const current = useMemo(
Expand All @@ -51,7 +47,7 @@ export default memo(function RelatedAlerts({record}: Props) {
<Panel>
<ChartWrap>
<EventTimeline events={events} current={current}></EventTimeline>
<EventLimit count={events.length} query={getQuery(record)} />
<EventLimit count={events.length} query={relatedAlerts(cid)} />
</ChartWrap>
<TableWrap>
{data.map(([name, value]) => (
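Review bot: The new `const cid = record.get("community_id").toString()` line above the `useSearch` call stringifies the zed value before it reaches the query builder, whereas the removed `getQuery` handed the zed value itself to the zql template; the tag can no longer format the argument by its zed type, so correctness now rests on `toString()` yielding something the tag quotes as a string, otherwise a community_id containing characters the query language treats specially would alter the query shape instead of the filter value. If the zql tag quotes every string interpolation this is harmless, but it is worth confirming; alternatively `relatedAlerts` could accept `string | zed.Primitive` as `uidFilter` in programs.ts already does, and the call become `relatedAlerts(record.get("community_id"), LIMIT)`. The same conversion appears in RelatedConns.tsx. RelatedAlerts' body continues past the hunk.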
12 changes: 4 additions & 8 deletions ppl/detail/RelatedConns.tsx
Expand Up @@ -7,7 +7,7 @@ import {BrimEvent, BrimEventInterface} from "ppl/detail/models/BrimEvent"
import React, {memo, useCallback, useMemo} from "react"
import brim from "src/js/brim"
import {showContextMenu} from "src/js/lib/System"
import zql from "src/js/zql"
import {relatedConns} from "src/js/searches/programs"
import {zed} from "zealot"
import EventLimit from "./EventLimit"
import EventTimeline from "./EventTimeline"
Expand All @@ -19,14 +19,10 @@ type Props = {
}

const LIMIT = 100
const getQuery = (r: zed.Record, limit?: number) => {
const cid = r.get("community_id")
const base = zql`_path=conn community_id=${cid} | sort ts`
return limit ? `${base} | head ${limit}` : base
}

export default memo(function RelatedConns({record}: Props) {
const [records, isFetching] = useSearch(getQuery(record, LIMIT), [record])
const cid = record.get("community_id").toString()
const [records, isFetching] = useSearch(relatedConns(cid, LIMIT), [record])
const events = useMemo(() => records.map(BrimEvent.build), [records])
const [first, last] = firstLast<BrimEventInterface>(events)
const data = [
Expand All @@ -46,7 +42,7 @@ export default memo(function RelatedConns({record}: Props) {
<Panel>
<ChartWrap>
<EventTimeline events={events} />
<EventLimit query={getQuery(record)} count={events.length} />
<EventLimit query={relatedConns(cid)} count={events.length} />
</ChartWrap>
<TableWrap>
{data.map(([name, value]) => (
File renamed without changes.
10 changes: 8 additions & 2 deletions ppl/detail/models/BrimEvent.ts
Expand Up @@ -12,9 +12,15 @@ export interface BrimEventInterface {

export class BrimEvent {
static build(r: zed.Record) {
if (r.has("_path") && r.has("ts")) {
if (
r.has("_path", zed.TypeString, zed.TypeBString) &&
r.has("ts", zed.TypeTime)
) {
return new ZeekEvent(r)
} else if (r.has("event_type") && r.has("ts")) {
} else if (
r.has("event_type", zed.TypeString, zed.TypeBString) &&
r.has("ts", zed.TypeTime)
) {
return new SuricataEvent(r)
} else {
return new UnknownEvent(r)
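Review bot: The `r.has("ts", zed.TypeTime)` test is evaluated in both branches of `build`; hoisting it as `const hasTs = r.has("ts", zed.TypeTime)` keeps the two dispatch conditions short and makes the shared requirement explicit. A one-line comment above the `if` stating the rule — a string `_path` plus a time `ts` is a Zeek event, a string `event_type` plus a time `ts` is a Suricata event, anything else is `UnknownEvent` — would document the type-based heuristic this fix now depends on, since the earlier name-only check is what let NDJSON records with differently typed fields through. `build`'s body continues past the hunk.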
18 changes: 14 additions & 4 deletions src/js/searches/programs.ts
Expand Up @@ -2,19 +2,19 @@ import {zed} from "zealot"
import zql from "../zql"

export function md5Correlation(md5: string) {
return `md5==${md5} | count() by md5 | sort -r | head 5`
return zql`md5==${md5} | count() by md5 | sort -r | head 5`
}

export function txHostsCorrelation(md5: string) {
return `md5==${md5} | count() by tx_hosts | sort -r | head 5`
return zql`md5==${md5} | count() by tx_hosts | sort -r | head 5`
}

export function rxHostsCorrelation(md5: string) {
return `md5==${md5} | count() by rx_hosts | sort -r | head 5`
return zql`md5==${md5} | count() by rx_hosts | sort -r | head 5`
}

export function filenameCorrelation(md5: string) {
return `md5==${md5} | count() by filename, mime_type | sort -r | head 5`
return zql`md5==${md5} | count() by filename, mime_type | sort -r | head 5`
}

export function uidFilter(uid: string | zed.Primitive) {
Expand Down Expand Up @@ -62,3 +62,13 @@ export function connCorrelation(
const cidFilter = zql`community_id == ${cid} and ts >= ${tsDate} and ts < ${endTsDate}`
return `${uidFilter(uid)} or (${cidFilter}) | ${correlationLimit()}`
}

export function relatedAlerts(cid: string, limit?: number) {
const base = zql`event_type=="alert" community_id==${cid} | sort ts`
return limit ? `${base} | head ${limit}` : base
}

export function relatedConns(cid: string, limit?: number) {
const base = zql`_path=="conn" community_id==${cid} | sort ts`
return limit ? `${base} | head ${limit}` : base
}
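Review bot: The new exports `relatedAlerts` and `relatedConns` have no TSDoc even though they are the points where a field value taken from a record becomes a query; a short comment such as `/** Alerts sharing a community_id, oldest first; a falsy limit omits the head clause. */` (and the conn equivalent) would state what `cid` is and that `limit` 0 or `undefined` returns everything. Both functions also return either the zql tag's result or a plain template string depending on the branch — if the tag returns anything other than `string`, the inferred return type is a union; an explicit `: string` return annotation, or building the `head` clause through the same tag, would pin it. The two bodies differ only in the filter, so a small shared `withLimit(base, limit)` helper would remove the duplication.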
11 changes: 7 additions & 4 deletions zealot/zed/values/record.ts
@@ -1,9 +1,9 @@
import {isNull} from "../utils"
import {TypeAlias} from "../types/type-alias"
import {TypeField, TypeRecord} from "../types/type-record"
import {ZedType} from "../types/types"
import {isNull, trueType} from "../utils"
import {Field} from "./field"
import {ZedValue, ZedValueInterface} from "./types"
import {trueType} from "../utils"
export class Record implements ZedValueInterface {
constructor(
public type: TypeRecord | TypeAlias,
Expand Down Expand Up @@ -50,8 +50,11 @@ export class Record implements ZedValueInterface {
return this.fields[index]
}

has(name: string) {
return this.columns.includes(name)
has(name: string, ...types: ZedType[]) {
return (
this.columns.includes(name) &&
(types.length > 0 ? types.some((t) => this.get(name).type === t) : true)
)
}

get<T extends ZedValue>(name: string): T {
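Review bot: In the new `has`, `this.get(name)` is called inside the `types.some` callback, so the field lookup is repeated once per requested type; resolving the field's type once after the `columns.includes` guard avoids that and reads as the three-step check it is. The comparison is by identity (`=== t`), so a field whose declared type is an alias wrapping one of the requested types would report `false` — if `trueType`, imported at the top of this file, is what unwraps aliases, applying it to the field's type here may be intended; worth confirming against how `zed.TypeBString` and alias types are represented. Rewritten method:
```typescript
has(name: string, ...types: ZedType[]) {
  if (!this.columns.includes(name)) return false
  if (types.length === 0) return true
  const fieldType = this.get(name).type
  return types.some((t) => t === fieldType)
}
```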
