in src/imds_snoop.py [0:0]
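def print_imds_event(cpu, data, size):
    """Decode one captured IMDS request event and log it at a level matching its risk.

    Has the ``(cpu, data, size)`` shape of a bcc perf-buffer callback; ``data``
    is the raw event pointer, which bcc turns into the struct it generated from
    the C declaration (the original annotation calls it ``imds_http_data_t``).

    Event fields read here:
      pkt_size          u32, number of valid bytes in ``pkt``
      pkt               raw request payload bytes, encoding not declared
      contains_payload  u32 flag, non-zero when a payload was captured
    Per the original annotation the event also carries ``pid`` (four u32
    values for the calling-process chain) and ``comm``/``parent_comm``/
    ``gparent_comm``/``ggparent_comm`` (process names as bytes); they are not
    touched directly in this function.

    Levels: IMDSv2 request -> INFO, IMDSv1 request -> WARNING, event with no
    payload -> ERROR prefixed ``{MISSING PAYLOAD}``. Every message is also
    echoed to stdout with a matching ``[LEVEL]`` tag.
    """
    event = b["imds_events"].event(data)

    # The payload is bytes read off the wire by the probe, so a process on the
    # host can feed it arbitrary byte sequences. Decode it exactly once and
    # tolerate malformed input: a strict decode would raise inside the callback
    # and drop the very event a monitor most wants to record.
    payload = event.pkt[:event.pkt_size].decode(errors="replace")

    is_v2 = check_v2(payload)
    log_msg = gen_log_msg(is_v2, event)
    # splitlines() removes every line boundary from the request text, so a
    # crafted payload cannot inject extra lines into the log record.
    log_msg = f"{log_msg} Req details: {', '.join(payload.splitlines())}"
    # recurseHideToken presumably redacts IMDSv2 session tokens from the
    # message before it is written anywhere -- confirm against its definition.
    log_msg = recurseHideToken(log_msg)

    if not event.contains_payload:
        # Nothing to classify: flag for human follow-up, hence ERROR.
        log_msg = "{MISSING PAYLOAD} " + log_msg
        logger.error(log_msg)
        print("[ERROR] " + log_msg)
    elif is_v2:
        logger.info(log_msg)
        print("[INFO] " + log_msg)
    else:
        logger.warning(log_msg)
        print("[WARNING] " + log_msg)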