Skip to content

Commit

Permalink
check for nil values in evt.time and proc.pid
Browse files Browse the repository at this point in the history 
Signed-off-by: Guy Duchatelet <[email protected]>
  • Loading branch information
@spyder-guy @poiana
spyder-guy authored and poiana committed Jun 21, 2023
1 parent 8de9c35 commit 6adc57e
Showing 1 changed file with 16 additions and 2 deletions.
18 changes: 16 additions & 2 deletions outputs/spyderbat.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import (
"bytes"
"encoding/json"
"errors"
"fmt"
"io/ioutil"
"log"
"net/http"
Expand Down Expand Up @@ -131,15 +132,28 @@ type spyderbatPayload struct {

func newSpyderbatPayload(falcopayload types.FalcoPayload) (spyderbatPayload, error) {
nowTime := float64(time.Now().UnixNano()) / 1000000000
jsonTime, err := falcopayload.OutputFields["evt.time"].(json.Number).Int64()

timeStr := falcopayload.OutputFields["evt.time"]
if timeStr == nil {
errStr := fmt.Sprintf("evt.time is nil for rule %s", falcopayload.Rule)
return spyderbatPayload{}, errors.New(errStr)
}
jsonTime, err := timeStr.(json.Number).Int64()
if err != nil {
return spyderbatPayload{}, err
}
eventTime := float64(jsonTime / 1000000000.0)
pid, err := falcopayload.OutputFields["proc.pid"].(json.Number).Int64()

pidStr := falcopayload.OutputFields["proc.pid"]
if pidStr == nil {
errStr := fmt.Sprintf("proc.pid is nil for rule %s", falcopayload.Rule)
return spyderbatPayload{}, errors.New(errStr)
}
pid, err := pidStr.(json.Number).Int64()
if err != nil {
return spyderbatPayload{}, err
}

level := PriorityMap[falcopayload.Priority]
args := strings.Split(falcopayload.Output, " ")
var message []string
Expand Down

0 comments on commit 6adc57e

Please sign in to comment.