v1.4.8 (latest)

This package is not in the latest version of its module.

Published: Sep 27, 2023 License: AGPL-3.0 Imports: 29 Imported by: 2



Package process fetches process and socket information from the operating system. It can find the process owning a network connection.



const (
	// UndefinedProcessID is not used by any (virtual) process and signifies that
	// the PID is unset.
	UndefinedProcessID = -1

	// UnidentifiedProcessID is the PID used for outgoing connections that could
	// not be attributed to a PID for any reason.
	UnidentifiedProcessID = -2

	// UnsolicitedProcessID is the PID used for incoming connections that could
	// not be attributed to a PID for any reason.
	UnsolicitedProcessID = -3

	// NetworkHostProcessID is the PID used for requests served to the network.
	NetworkHostProcessID = -255
)

const SystemProcessID = 0

SystemProcessID is the PID of the System/Kernel itself.


var (
	CfgOptionEnableProcessDetectionKey = "core/enableProcessDetection"
)

Configuration Keys.


func All

func All() map[int]*Process

All returns a copy of all process objects.

func CleanProcessStorage

func CleanProcessStorage(activePIDs map[int]struct{})

CleanProcessStorage cleans the storage from old processes.

func GetPidOfConnection added in v1.2.0

func GetPidOfConnection(ctx context.Context, pktInfo *packet.Info) (pid int, connInbound bool, err error)

GetPidOfConnection returns the PID of the process that owns the described connection. Always returns valid data. Errors are logged and returned for information or special handling purposes.

func RegisterTagHandler added in v0.9.9

func RegisterTagHandler(th TagHandler) error

RegisterTagHandler registers a tag handler.

func SetDBController

func SetDBController(controller *database.Controller)

SetDBController sets the database controller and allows the package to push database updates on a save. It must be set by the package that registers the "network" database.


type MatchingData added in v0.9.9

type MatchingData struct {
	// contains filtered or unexported fields
}

MatchingData provides an interface-compatible view on the process for profile matching.

func (*MatchingData) Cmdline added in v0.9.9

func (md *MatchingData) Cmdline() string

Cmdline returns the command line of the process.

func (*MatchingData) Env added in v0.9.9

func (md *MatchingData) Env() map[string]string

Env returns process.Env.

func (*MatchingData) MatchingPath added in v0.9.9

func (md *MatchingData) MatchingPath() string

MatchingPath returns process.MatchingPath.

func (*MatchingData) Path added in v0.9.9

func (md *MatchingData) Path() string

Path returns process.Path.

func (*MatchingData) Tags added in v0.9.9

func (md *MatchingData) Tags() []profile.Tag

Tags returns process.Tags.

type Process

type Process struct {

	Name            string
	UserID          int
	UserName        string
	UserHome        string
	Pid             int
	CreatedAt       int64
	ParentPid       int
	ParentCreatedAt int64
	Path            string
	ExecName        string
	Cwd             string
	CmdLine         string
	FirstArg        string
	Env             map[string]string

	// Tags holds extended information about the (virtual) process, which is used
	// to find a profile.
	Tags []profile.Tag
	// MatchingPath holds an alternative binary path that can be used to find a
	// profile.
	MatchingPath string

	// PrimaryProfileID holds the scoped ID of the primary profile.
	PrimaryProfileID string

	FirstSeen int64
	LastSeen  int64
	Error     string // Cache errors

	ExecHashes map[string]string
	// contains filtered or unexported fields
}

A Process represents a process running on the operating system.

func GetNetworkHost added in v0.6.5

func GetNetworkHost(ctx context.Context, remoteIP net.IP) (process *Process, err error)

GetNetworkHost returns a *Process that represents a host on the network.

func GetOrFindProcess

func GetOrFindProcess(ctx context.Context, pid int) (*Process, error)

GetOrFindProcess returns the process for the given PID.

func GetProcessByRequestOrigin added in v0.9.1

func GetProcessByRequestOrigin(ar *api.Request) (*Process, error)

GetProcessByRequestOrigin returns the process that initiated the API request ar.

func GetProcessFromStorage

func GetProcessFromStorage(key string) (*Process, bool)

GetProcessFromStorage returns a process from the internal storage.

func GetProcessWithProfile added in v1.2.0

func GetProcessWithProfile(ctx context.Context, pid int) (process *Process, err error)

GetProcessWithProfile returns the process, including the profile. Always returns valid data. Errors are logged and returned for information or special handling purposes.

func GetSystemProcess added in v0.4.1

func GetSystemProcess(ctx context.Context) *Process

GetSystemProcess returns the special process used for the Kernel.

func GetUnidentifiedProcess added in v0.4.1

func GetUnidentifiedProcess(ctx context.Context) *Process

GetUnidentifiedProcess returns the special process assigned to non-attributed outgoing connections.

func GetUnsolicitedProcess added in v0.8.6

func GetUnsolicitedProcess(ctx context.Context) *Process

GetUnsolicitedProcess returns the special process assigned to non-attributed incoming connections.

func (*Process) CreateProfileCallback added in v0.9.9

func (p *Process) CreateProfileCallback() *profile.Profile

CreateProfileCallback attempts to create a profile on special attributes of the process.

func (*Process) Delete

func (p *Process) Delete()

Delete deletes a process from the storage and propagates the change.

func (*Process) Equal added in v0.8.13

func (p *Process) Equal(other *Process) bool

Equal reports whether the two processes are both identified and have the same PID.

func (*Process) GetExecHash

func (p *Process) GetExecHash(algorithm string) (string, error)

GetExecHash returns the hash of the executable with the given algorithm.

func (*Process) GetKey added in v1.3.4

func (p *Process) GetKey() string

GetKey returns the key that is used internally to identify the process. The key consists of the PID and the start time of the process as reported by the system.
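As an added illustration (not Portmaster's own code), a minimal store keyed the way GetKey describes, PID plus start time, with a CleanProcessStorage-style sweep by active PIDs: a PID handed to a new process after the old one exited gets its own entry and cannot match the stale one, which is what keying on the bare PID would get wrong. The Proc type, the key separator and the cleanup rule are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strconv"
)

// Proc is a constructed stand-in for the package's Process type (example only).
type Proc struct {
	Pid       int
	CreatedAt int64 // start time as reported by the OS
	Name      string
}

// Key follows the documented GetKey contract: PID plus start time (separator assumed).
func (p *Proc) Key() string {
	return strconv.Itoa(p.Pid) + "-" + strconv.FormatInt(p.CreatedAt, 10)
}

// Store keeps processes by Key, so a reused PID becomes a separate entry.
type Store map[string]*Proc

func (s Store) Save(p *Proc) { s[p.Key()] = p }

// Lookup needs PID and start time; a reused PID with another start time misses.
func (s Store) Lookup(pid int, createdAt int64) (*Proc, bool) {
	p, ok := s[(&Proc{Pid: pid, CreatedAt: createdAt}).Key()]
	return p, ok
}

// Clean drops entries whose PID is no longer active and returns how many were removed.
func (s Store) Clean(activePIDs map[int]struct{}) int {
	removed := 0
	for k, p := range s {
		if _, active := activePIDs[p.Pid]; !active {
			delete(s, k)
			removed++
		}
	}
	return removed
}

func main() {
	s := Store{}
	s.Save(&Proc{Pid: 4242, CreatedAt: 1695800000, Name: "old"}) // constructed sample
	s.Save(&Proc{Pid: 4242, CreatedAt: 1695800500, Name: "new"}) // same PID, reused
	p, _ := s.Lookup(4242, 1695800500)
	fmt.Println(len(s), p.Name, s.Clean(map[int]struct{}{})) // 2 new 2
}
```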

func (*Process) GetLastSeen added in v0.6.0

func (p *Process) GetLastSeen() int64

GetLastSeen returns the unix timestamp when the process was last seen.

func (*Process) GetProfile added in v0.4.0

func (p *Process) GetProfile(ctx context.Context) (changed bool, err error)

GetProfile finds and assigns a profile set to the process.

func (*Process) GetTag added in v0.9.9

func (p *Process) GetTag(tagID string) (profile.Tag, bool)

GetTag returns the process tag with the given ID.

func (*Process) HasValidPID added in v1.4.4

func (p *Process) HasValidPID() bool

HasValidPID returns whether the process has a valid PID of an actual process.

func (*Process) IsIdentified added in v0.8.13

func (p *Process) IsIdentified() bool

IsIdentified returns whether the process has been identified, or whether it represents some kind of unidentified process.

func (*Process) IsSystemResolver added in v0.6.7

func (p *Process) IsSystemResolver() bool

IsSystemResolver is a shortcut to check if the process is or belongs to the system resolver and needs special handling.

func (*Process) MatchingData added in v0.9.9

func (p *Process) MatchingData() *MatchingData

MatchingData returns the matching data for the process.

func (*Process) Profile added in v0.4.0

func (p *Process) Profile() *profile.LayeredProfile

Profile returns the assigned layered profile.

func (*Process) Save

func (p *Process) Save()

Save saves the process to the internal state and pushes an update.

func (*Process) SetLastSeen added in v0.6.0

func (p *Process) SetLastSeen(lastSeen int64)

SetLastSeen sets the unix timestamp when the process was last seen.

func (*Process) String

func (p *Process) String() string

String returns a string representation of the process.

type TagDescription added in v0.9.9

type TagDescription struct {
	ID          string
	Name        string
	Description string
}

TagDescription describes a tag.

type TagHandler added in v0.9.9

type TagHandler interface {
	// Name returns the tag handler name.
	Name() string

	// TagDescriptions returns a list of all possible tags and their description
	// of this handler.
	TagDescriptions() []TagDescription

	// AddTags adds tags to the given process.
	AddTags(p *Process)

	// CreateProfile creates a profile based on the tags of the process.
	// Returns nil to skip.
	CreateProfile(p *Process) *profile.Profile
}

TagHandler is a collection of process tag related interfaces.

