Rename source to sensor (#377)

petabi · Dec 11, 2024 · a1905ce · a1905ce
1 parent 9de280c
commit a1905ce
Show file tree

Hide file tree

Showing 36 changed files with 436 additions and 420 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,18 @@ Versioning](https://semver.org/spec/v2.0.0.html).
 
 - Modified `Table::get_patterns` to take a reference to a slice of tuples
   instead of taking ownership of a vector, making the function more flexible.
+- Replaced the term source with sensor, where it refers to a device or software
+  that captures or detects raw events.
+  - This update affects not only the fields in the event protocol structs such
+    as `DnsEventFields::source` to `DnsEventFields::sensor`, but also in the
+    following structs:
+    - `Cluster::event_sources` to `Cluster::sensors`
+    - `ModelBatchInfo::sources` to `ModelBatchInfo::sensors`
+    - `Outlier::event_sources` to `Outlier::sensors`
+    - `OutlierInfo::source` to `OutlierInfo::sensor`
+    - `TriageResponse::source` to `TriageResponse::sensor`
+  - With this update, the `syslog_message` function's return value reflects the
+    updated terminology, replacing "source=" with "sensor=".
 
 ## [0.32.0] - 2024-11-07
 

diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "review-database"
-version = "0.32.0"
+version = "0.33.0-alpha.1"
 edition = "2021"
 
 [dependencies]

diff --git a/src/backends/migrations/2024-12-10-015627_rename_event_sources_to_sensors/down.sql b/src/backends/migrations/2024-12-10-015627_rename_event_sources_to_sensors/down.sql
@@ -0,0 +1,2 @@
+ALTER TABLE IF EXISTS cluster
+    RENAME COLUMN sensors TO event_sources;
diff --git a/src/backends/migrations/2024-12-10-015627_rename_event_sources_to_sensors/up.sql b/src/backends/migrations/2024-12-10-015627_rename_event_sources_to_sensors/up.sql
@@ -0,0 +1,2 @@
+ALTER TABLE IF EXISTS cluster
+    RENAME COLUMN event_sources TO sensors;
diff --git a/src/backup.rs b/src/backup.rs
@@ -83,7 +83,7 @@ mod tests {
     fn example_message() -> EventMessage {
         let codec = bincode::DefaultOptions::new();
         let fields = DnsEventFields {
-            source: "collector1".to_string(),
+            sensor: "collector1".to_string(),
             session_end_time: Utc::now(),
             src_addr: IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)),
             src_port: 10000,

diff --git a/src/cluster.rs b/src/cluster.rs
@@ -25,7 +25,7 @@ struct ClusterDbSchema {
     category_id: i32,
     detector_id: i32,
     event_ids: Vec<Option<i64>>,
-    event_sources: Vec<Option<String>>,
+    sensors: Vec<Option<String>>,
     labels: Option<Vec<Option<String>>>,
     qualifier_id: i32,
     status_id: i32,
@@ -39,7 +39,7 @@ struct ClusterDbSchema {
 impl From<ClusterDbSchema> for Cluster {
     fn from(c: ClusterDbSchema) -> Self {
         let event_ids: Vec<i64> = c.event_ids.into_iter().flatten().collect();
-        let event_sources: Vec<String> = c.event_sources.into_iter().flatten().collect();
+        let sensors: Vec<String> = c.sensors.into_iter().flatten().collect();
         let labels: Option<Vec<String>> = c
             .labels
             .map(|labels| labels.into_iter().flatten().collect());
@@ -49,7 +49,7 @@ impl From<ClusterDbSchema> for Cluster {
             category_id: c.category_id,
             detector_id: c.detector_id,
             event_ids,
-            event_sources,
+            sensors,
             labels,
             qualifier_id: c.qualifier_id,
             status_id: c.status_id,
@@ -120,7 +120,7 @@ impl Database {
                 dsl::category_id,
                 dsl::detector_id,
                 dsl::event_ids,
-                dsl::event_sources,
+                dsl::sensors,
                 dsl::labels,
                 dsl::qualifier_id,
                 dsl::status_id,
@@ -276,7 +276,7 @@ async fn upsert(
 
     let query = "SELECT attempt_cluster_upsert(
         $1::text, $2::int4, $3::int8[], $4::text[], $5::int4, $6::text, $7::int8, $8::int4, $9::text[], $10::float8)";
-    let (timestamps, sources) =
+    let (timestamps, sensors) =
         cluster
             .event_ids
             .iter()
@@ -290,7 +290,7 @@ async fn upsert(
         .bind::<Text, _>(&cluster.cluster_id)
         .bind::<Integer, _>(&cluster.detector_id)
         .bind::<Array<BigInt>, _>(&timestamps)
-        .bind::<Array<Text>, _>(&sources)
+        .bind::<Array<Text>, _>(&sensors)
         .bind::<Integer, _>(&model_id)
         .bind::<Text, _>(&cluster.signature)
         .bind::<BigInt, _>(&cluster.size)

diff --git a/src/event.rs b/src/event.rs
diff --git a/src/event/bootp.rs b/src/event/bootp.rs
@@ -8,7 +8,7 @@ use crate::event::common::{to_hardware_address, triage_scores_to_string};
 
 #[derive(Serialize, Deserialize)]
 pub struct BlockListBootpFields {
-    pub source: String,
+    pub sensor: String,
     pub src_addr: IpAddr,
     pub src_port: u16,
     pub dst_addr: IpAddr,
@@ -32,8 +32,8 @@ impl fmt::Display for BlockListBootpFields {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         write!(
             f,
-            "source={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} last_time={:?} op={:?} htype={:?} hops={:?} xid={:?} ciaddr={:?} yiaddr={:?} siaddr={:?} giaddr={:?} chaddr={:?} sname={:?} file={:?}",
-            self.source,
+            "sensor={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} last_time={:?} op={:?} htype={:?} hops={:?} xid={:?} ciaddr={:?} yiaddr={:?} siaddr={:?} giaddr={:?} chaddr={:?} sname={:?} file={:?}",
+            self.sensor,
             self.src_addr.to_string(),
             self.src_port.to_string(),
             self.dst_addr.to_string(),
@@ -58,7 +58,7 @@ impl fmt::Display for BlockListBootpFields {
 #[allow(clippy::module_name_repetitions)]
 pub struct BlockListBootp {
     pub time: DateTime<Utc>,
-    pub source: String,
+    pub sensor: String,
     pub src_addr: IpAddr,
     pub src_port: u16,
     pub dst_addr: IpAddr,
@@ -83,8 +83,8 @@ impl fmt::Display for BlockListBootp {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         write!(
             f,
-            "source={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} last_time={:?} op={:?} htype={:?} hops={:?} xid={:?} ciaddr={:?} yiaddr={:?} siaddr={:?} giaddr={:?} chaddr={:?} sname={:?} file={:?} triage_scores={:?}",
-            self.source,
+            "sensor={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} last_time={:?} op={:?} htype={:?} hops={:?} xid={:?} ciaddr={:?} yiaddr={:?} siaddr={:?} giaddr={:?} chaddr={:?} sname={:?} file={:?} triage_scores={:?}",
+            self.sensor,
             self.src_addr.to_string(),
             self.src_port.to_string(),
             self.dst_addr.to_string(),
@@ -111,7 +111,7 @@ impl BlockListBootp {
     pub(super) fn new(time: DateTime<Utc>, fields: BlockListBootpFields) -> Self {
         Self {
             time,
-            source: fields.source,
+            sensor: fields.sensor,
             src_addr: fields.src_addr,
             src_port: fields.src_port,
             dst_addr: fields.dst_addr,
@@ -168,8 +168,8 @@ impl Match for BlockListBootp {
         "block list bootp"
     }
 
-    fn source(&self) -> &str {
-        self.source.as_str()
+    fn sensor(&self) -> &str {
+        self.sensor.as_str()
     }
 
     fn confidence(&self) -> Option<f32> {

diff --git a/src/event/common.rs b/src/event/common.rs
@@ -28,7 +28,7 @@ pub(super) trait Match {
     fn category(&self) -> EventCategory;
     fn level(&self) -> NonZeroU8;
     fn kind(&self) -> &str;
-    fn source(&self) -> &str;
+    fn sensor(&self) -> &str;
     fn confidence(&self) -> Option<f32>;
 
     /// Calculates a score based on packet attributes according to the triage policy.
@@ -179,7 +179,7 @@ pub(super) trait Match {
         }
 
         if let Some(sensors) = &filter.sensors {
-            if sensors.iter().all(|s| s != self.source()) {
+            if sensors.iter().all(|s| s != self.sensor()) {
                 return Ok((false, None));
             }
         }

diff --git a/src/event/conn.rs b/src/event/conn.rs
@@ -114,7 +114,7 @@ impl Match for PortScan {
         "port scan"
     }
 
-    fn source(&self) -> &str {
+    fn sensor(&self) -> &str {
         "-"
     }
 
@@ -231,7 +231,7 @@ impl Match for MultiHostPortScan {
         "multi host port scan"
     }
 
-    fn source(&self) -> &str {
+    fn sensor(&self) -> &str {
         "-"
     }
 
@@ -343,7 +343,7 @@ impl Match for ExternalDdos {
         "external ddos"
     }
 
-    fn source(&self) -> &str {
+    fn sensor(&self) -> &str {
         "-"
     }
 
@@ -358,7 +358,7 @@ impl Match for ExternalDdos {
 
 #[derive(Deserialize, Serialize)]
 pub struct BlockListConnFields {
-    pub source: String,
+    pub sensor: String,
     pub src_addr: IpAddr,
     pub src_port: u16,
     pub dst_addr: IpAddr,
@@ -380,8 +380,8 @@ impl fmt::Display for BlockListConnFields {
     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
         write!(
             f,
-            "source={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} conn_state={:?} duration={:?} service={:?} orig_bytes={:?} resp_bytes={:?} orig_pkts={:?} resp_pkts={:?} orig_l2_bytes={:?} resp_l2_bytes={:?}",
-            self.source,
+            "sensor={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} conn_state={:?} duration={:?} service={:?} orig_bytes={:?} resp_bytes={:?} orig_pkts={:?} resp_pkts={:?} orig_l2_bytes={:?} resp_l2_bytes={:?}",
+            self.sensor,
             self.src_addr.to_string(),
             self.src_port.to_string(),
             self.dst_addr.to_string(),
@@ -402,7 +402,7 @@ impl fmt::Display for BlockListConnFields {
 
 #[allow(clippy::module_name_repetitions)]
 pub struct BlockListConn {
-    pub source: String,
+    pub sensor: String,
     pub time: DateTime<Utc>,
     pub src_addr: IpAddr,
     pub src_port: u16,
@@ -426,8 +426,8 @@ impl fmt::Display for BlockListConn {
     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
         write!(
             f,
-            "source={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} conn_state={:?} duration={:?} service={:?} orig_bytes={:?} resp_bytes={:?} orig_pkts={:?} resp_pkts={:?} orig_l2_bytes={:?} resp_l2_bytes={:?} triage_scores={:?}",
-            self.source,
+            "sensor={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} conn_state={:?} duration={:?} service={:?} orig_bytes={:?} resp_bytes={:?} orig_pkts={:?} resp_pkts={:?} orig_l2_bytes={:?} resp_l2_bytes={:?} triage_scores={:?}",
+            self.sensor,
             self.src_addr.to_string(),
             self.src_port.to_string(),
             self.dst_addr.to_string(),
@@ -451,7 +451,7 @@ impl BlockListConn {
     pub(super) fn new(time: DateTime<Utc>, fields: BlockListConnFields) -> Self {
         Self {
             time,
-            source: fields.source,
+            sensor: fields.sensor,
             src_addr: fields.src_addr,
             src_port: fields.src_port,
             dst_addr: fields.dst_addr,
@@ -505,8 +505,8 @@ impl Match for BlockListConn {
         "block list conn"
     }
 
-    fn source(&self) -> &str {
-        self.source.as_str()
+    fn sensor(&self) -> &str {
+        self.sensor.as_str()
     }
 
     fn confidence(&self) -> Option<f32> {

diff --git a/src/event/dcerpc.rs b/src/event/dcerpc.rs
@@ -8,7 +8,7 @@ use crate::event::common::triage_scores_to_string;
 
 #[derive(Serialize, Deserialize)]
 pub struct BlockListDceRpcFields {
-    pub source: String,
+    pub sensor: String,
     pub src_addr: IpAddr,
     pub src_port: u16,
     pub dst_addr: IpAddr,
@@ -26,8 +26,8 @@ impl fmt::Display for BlockListDceRpcFields {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         write!(
             f,
-            "source={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} last_time={:?} rtt={:?} named_pipe={:?} endpoint={:?} operation={:?}",
-            self.source,
+            "sensor={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} last_time={:?} rtt={:?} named_pipe={:?} endpoint={:?} operation={:?}",
+            self.sensor,
             self.src_addr.to_string(),
             self.src_port.to_string(),
             self.dst_addr.to_string(),
@@ -44,7 +44,7 @@ impl fmt::Display for BlockListDceRpcFields {
 
 pub struct BlockListDceRpc {
     pub time: DateTime<Utc>,
-    pub source: String,
+    pub sensor: String,
     pub src_addr: IpAddr,
     pub src_port: u16,
     pub dst_addr: IpAddr,
@@ -63,8 +63,8 @@ impl fmt::Display for BlockListDceRpc {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         write!(
             f,
-            "source={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} last_time={:?} rtt={:?} named_pipe={:?} endpoint={:?} operation={:?} triage_scores={:?}",
-            self.source,
+            "sensor={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} last_time={:?} rtt={:?} named_pipe={:?} endpoint={:?} operation={:?} triage_scores={:?}",
+            self.sensor,
             self.src_addr.to_string(),
             self.src_port.to_string(),
             self.dst_addr.to_string(),
@@ -84,7 +84,7 @@ impl BlockListDceRpc {
     pub(super) fn new(time: DateTime<Utc>, fields: BlockListDceRpcFields) -> Self {
         Self {
             time,
-            source: fields.source,
+            sensor: fields.sensor,
             src_addr: fields.src_addr,
             src_port: fields.src_port,
             dst_addr: fields.dst_addr,
@@ -134,8 +134,8 @@ impl Match for BlockListDceRpc {
         "block list dcerpc"
     }
 
-    fn source(&self) -> &str {
-        self.source.as_str()
+    fn sensor(&self) -> &str {
+        self.sensor.as_str()
     }
 
     fn confidence(&self) -> Option<f32> {

diff --git a/src/event/dhcp.rs b/src/event/dhcp.rs
@@ -8,7 +8,7 @@ use crate::event::common::{to_hardware_address, triage_scores_to_string, vector_
 
 #[derive(Serialize, Deserialize)]
 pub struct BlockListDhcpFields {
-    pub source: String,
+    pub sensor: String,
     pub src_addr: IpAddr,
     pub src_port: u16,
     pub dst_addr: IpAddr,
@@ -45,8 +45,8 @@ impl fmt::Display for BlockListDhcpFields {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         write!(
             f,
-            "source={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} last_time={:?} msg_type={:?} ciaddr={:?} yiaddr={:?} siaddr={:?} giaddr={:?} subnet_mask={:?} router={:?} domain_name_server={:?} req_ip_addr={:?} lease_time={:?} server_id={:?} param_req_list={:?} message={:?} renewal_time={:?} rebinding_time={:?} class_id={:?} client_id_type={:?} client_id={:?}",
-            self.source,
+            "sensor={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} last_time={:?} msg_type={:?} ciaddr={:?} yiaddr={:?} siaddr={:?} giaddr={:?} subnet_mask={:?} router={:?} domain_name_server={:?} req_ip_addr={:?} lease_time={:?} server_id={:?} param_req_list={:?} message={:?} renewal_time={:?} rebinding_time={:?} class_id={:?} client_id_type={:?} client_id={:?}",
+            self.sensor,
             self.src_addr.to_string(),
             self.src_port.to_string(),
             self.dst_addr.to_string(),
@@ -78,7 +78,7 @@ impl fmt::Display for BlockListDhcpFields {
 #[allow(clippy::module_name_repetitions)]
 pub struct BlockListDhcp {
     pub time: DateTime<Utc>,
-    pub source: String,
+    pub sensor: String,
     pub src_addr: IpAddr,
     pub src_port: u16,
     pub dst_addr: IpAddr,
@@ -110,8 +110,8 @@ impl fmt::Display for BlockListDhcp {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         write!(
             f,
-            "source={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} last_time={:?} msg_type={:?} ciaddr={:?} yiaddr={:?} siaddr={:?} giaddr={:?} subnet_mask={:?} router={:?} domain_name_server={:?} req_ip_addr={:?} lease_time={:?} server_id={:?} param_req_list={:?} message={:?} renewal_time={:?} rebinding_time={:?} class_id={:?} client_id_type={:?} client_id={:?} triage_scores={:?}",
-            self.source,
+            "sensor={:?} src_addr={:?} src_port={:?} dst_addr={:?} dst_port={:?} proto={:?} last_time={:?} msg_type={:?} ciaddr={:?} yiaddr={:?} siaddr={:?} giaddr={:?} subnet_mask={:?} router={:?} domain_name_server={:?} req_ip_addr={:?} lease_time={:?} server_id={:?} param_req_list={:?} message={:?} renewal_time={:?} rebinding_time={:?} class_id={:?} client_id_type={:?} client_id={:?} triage_scores={:?}",
+            self.sensor,
             self.src_addr.to_string(),
             self.src_port.to_string(),
             self.dst_addr.to_string(),
@@ -145,7 +145,7 @@ impl BlockListDhcp {
     pub(super) fn new(time: DateTime<Utc>, fields: BlockListDhcpFields) -> Self {
         Self {
             time,
-            source: fields.source,
+            sensor: fields.sensor,
             src_addr: fields.src_addr,
             src_port: fields.src_port,
             dst_addr: fields.dst_addr,
@@ -209,8 +209,8 @@ impl Match for BlockListDhcp {
         "block list dhcp"
     }
 
-    fn source(&self) -> &str {
-        self.source.as_str()
+    fn sensor(&self) -> &str {
+        self.sensor.as_str()
     }
 
     fn confidence(&self) -> Option<f32> {
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		ALTER TABLE IF EXISTS cluster
		RENAME COLUMN sensors TO event_sources;
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		ALTER TABLE IF EXISTS cluster
		RENAME COLUMN event_sources TO sensors;