// This file defines the schema of where various things go into the
// filestore.
package paths
import (
"regexp"
"strings"
"time"
)
// The different types of artifacts.
//
// The values are assigned by iota in declaration order, so inserting or
// reordering entries changes every value that follows.
const (
	// MODE_INVALID is the zero value. ModeNameToMode returns it for any
	// name it does not recognise, so callers should treat it as an error
	// rather than as a usable mode.
	MODE_INVALID = iota

	MODE_CLIENT
	MODE_CLIENT_EVENT
	MODE_SERVER
	MODE_SERVER_EVENT
	MODE_NOTEBOOK

	// INTERNAL is the only entry without the MODE_ prefix; the name is
	// kept as-is because it is exported.
	INTERNAL
)
// ModeNameToMode maps an artifact mode name onto its mode constant.
//
// The lookup is case-insensitive: name is upper-cased before it is matched.
// Any name that is not one of the six known modes yields MODE_INVALID, so
// code that passes externally supplied names through here should check for
// that value explicitly instead of assuming the result is usable.
func ModeNameToMode(name string) int {
	switch strings.ToUpper(name) {
	case "INTERNAL":
		return INTERNAL
	case "NOTEBOOK":
		return MODE_NOTEBOOK
	case "SERVER_EVENT":
		return MODE_SERVER_EVENT
	case "SERVER":
		return MODE_SERVER
	case "CLIENT_EVENT":
		return MODE_CLIENT_EVENT
	case "CLIENT":
		return MODE_CLIENT
	default:
		return MODE_INVALID
	}
}
// SplitFullSourceName splits a fully qualified source name back into its
// artifact name and source name. Fully qualified names are formed by joining
// the two with a single "/".
//
// Only an input containing exactly one "/" is split. Anything else (no
// separator, or more than one) is returned unchanged as the artifact with an
// empty source, so a name carrying extra "/" characters comes back whole
// rather than truncated.
func SplitFullSourceName(artifact_source string) (artifact string, source string) {
	first := strings.IndexByte(artifact_source, '/')
	// No separator, or more than one: not a two-part name.
	if first < 0 || first != strings.LastIndexByte(artifact_source, '/') {
		return artifact_source, ""
	}
	return artifact_source[:first], artifact_source[first+1:]
}
// QueryNameToArtifactAndSource splits a query name into an artifact name and
// a source name.
//
// When an artifact is compiled into VQL, the final query in a source
// sequence is given a name, and the result set carries that name for the
// rows belonging to the named query. Some artifacts do not have a named
// source, in which case the returned source is "".
//
// The name is split on "/". Exactly two components give (artifact, source).
// For any other count only the first component is returned and the source is
// "". Note that this differs from SplitFullSourceName, which returns the
// whole input when there are more than two components.
func QueryNameToArtifactAndSource(query_name string) (
	artifact_name, artifact_source string) {
	parts := strings.Split(query_name, "/")

	// strings.Split with a non-empty separator always yields at least one
	// element, so indexing parts[0] is safe even for an empty query_name.
	artifact_name = parts[0]
	if len(parts) == 2 {
		artifact_source = parts[1]
	}
	return artifact_name, artifact_source
}
// day_name_regex matches a YYYY-MM-DD date at the start of a string. It is
// anchored only at the beginning, so anything after the date is ignored.
var day_name_regex = regexp.MustCompile(
	`^\d\d\d\d-\d\d-\d\d`)

// DayNameToTimestamp converts a name that begins with a YYYY-MM-DD date into
// the Unix timestamp (seconds) of midnight UTC on that day.
//
// It returns 0 when name does not start with such a date, or when the digits
// do not form a valid calendar date (for example month 13). A result of 0 is
// therefore ambiguous with a name starting "1970-01-01"; callers that need to
// tell "unparseable" from "epoch" must check the name themselves.
func DayNameToTimestamp(name string) int64 {
	// The pattern is start-anchored, so there is at most one match and it
	// can never be empty; "" unambiguously means "no match".
	day := day_name_regex.FindString(name)
	if day == "" {
		return 0
	}

	parsed, err := time.Parse("2006-01-02 MST", day+" UTC")
	if err != nil {
		return 0
	}
	return parsed.Unix()
}
// pathSplit_re matches a single path separator of either flavour: "/" or "\".
var pathSplit_re = regexp.MustCompile(`[/\\]`)

// GenericPathSplit breaks path into components, treating both "/" and "\" as
// separators.
//
// This is a purely lexical split. Empty components (from leading, trailing or
// doubled separators) are kept, and "." and ".." are returned unchanged. The
// function does no normalisation or validation, so callers that join the
// result into a filestore or filesystem path must reject or sanitise such
// components themselves.
func GenericPathSplit(path string) []string {
	components := pathSplit_re.Split(path, -1)
	return components
}