Capture source and destination addresses as byte arrays

- update necessary tests

This removes a lot of complexity because IPv4 and IPv6 addresses can be handled the same way.
To distinguish between them it's enough to take their length into account.
Parsing should be straightforward in any language.
Peter 2021-01-20 18:43:00 +01:00
parent 66f2aab9af
commit af0a7a2375
Signed by: prskr
GPG key ID: C1DB5D2E8DB512F9
4 changed files with 16 additions and 87 deletions


@ -42,20 +42,10 @@ message EventEntity {
google.protobuf.Timestamp timestamp = 2;
TransportProtocol transport = 3;
AppProtocol application = 4;
oneof sourceIP {
uint32 sourceIPv4 = 5;
uint64 sourceIPv6 = 6;
}
oneof destinationIP {
uint32 destinationIPv4 = 7;
uint64 destinationIPv6 = 8;
}
uint32 sourcePort = 9;
uint32 destinationPort = 10;
TLSDetailsEntity tls = 11;
google.protobuf.Any protocolDetails = 12;
bytes sourceIP = 5;
bytes destinationIP = 6;
uint32 sourcePort = 7;
uint32 destinationPort = 8;
TLSDetailsEntity tls = 9;
google.protobuf.Any protocolDetails = 10;
}
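Review bot: The new numbering reuses tags 5–10 for fields with a different meaning, so a record written with the previous schema is misread rather than rejected: an old `destinationIPv4` (tag 7, varint) now decodes as `sourcePort`, and an old `destinationIPv6` (tag 8, varint) as `destinationPort`. For an audit trail that is silent corruption of stored or in-flight events whenever writer and reader are on different versions. Retire the old tags and give the new fields fresh ones, leaving `sourcePort = 9` through `protocolDetails = 12` untouched: `reserved 5 to 8;`, `bytes sourceIP = 13;`, `bytes destinationIP = 14;`. This assumes 13 and 14 are unused in the rest of the message, which begins above this hunk.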


@ -30,20 +30,6 @@ type Event struct {
}
func (e *Event) ProtoMessage() *EventEntity {
var sourceIP isEventEntity_SourceIP
if ipv4 := e.SourceIP.To4(); ipv4 != nil {
sourceIP = &EventEntity_SourceIPv4{SourceIPv4: ipv4ToUint32(ipv4)}
} else {
sourceIP = &EventEntity_SourceIPv6{SourceIPv6: ipv6ToBytes(e.SourceIP)}
}
var destinationIP isEventEntity_DestinationIP
if ipv4 := e.DestinationIP.To4(); ipv4 != nil {
destinationIP = &EventEntity_DestinationIPv4{DestinationIPv4: ipv4ToUint32(ipv4)}
} else {
destinationIP = &EventEntity_DestinationIPv6{DestinationIPv6: ipv6ToBytes(e.DestinationIP)}
}
var tlsDetails *TLSDetailsEntity = nil
if e.TLS != nil {
tlsDetails = e.TLS.ProtoMessage()
@ -61,8 +47,8 @@ func (e *Event) ProtoMessage() *EventEntity {
Timestamp: timestamppb.New(e.Timestamp),
Transport: e.Transport,
Application: e.Application,
SourceIP: sourceIP,
DestinationIP: destinationIP,
SourceIP: e.SourceIP,
DestinationIP: e.DestinationIP,
SourcePort: uint32(e.SourcePort),
DestinationPort: uint32(e.DestinationPort),
Tls: tlsDetails,
@ -91,29 +77,13 @@ func (e *Event) SetDestinationIPFromAddr(localAddr net.Addr) {
}
func NewEventFromProto(msg *EventEntity) (ev Event) {
var sourceIP net.IP
switch ip := msg.GetSourceIP().(type) {
case *EventEntity_SourceIPv4:
sourceIP = uint32ToIP(ip.SourceIPv4)
case *EventEntity_SourceIPv6:
sourceIP = uint64ToIP(ip.SourceIPv6)
}
var destinationIP net.IP
switch ip := msg.GetDestinationIP().(type) {
case *EventEntity_DestinationIPv4:
destinationIP = uint32ToIP(ip.DestinationIPv4)
case *EventEntity_DestinationIPv6:
destinationIP = uint64ToIP(ip.DestinationIPv6)
}
ev = Event{
ID: msg.GetId(),
Timestamp: msg.GetTimestamp().AsTime(),
Transport: msg.GetTransport(),
Application: msg.GetApplication(),
SourceIP: sourceIP,
DestinationIP: destinationIP,
SourceIP: msg.SourceIP,
DestinationIP: msg.DestinationIP,
SourcePort: uint16(msg.GetSourcePort()),
DestinationPort: uint16(msg.GetDestinationPort()),
ProtocolDetails: guessDetailsFromApp(msg.GetProtocolDetails()),
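Review bot: NewEventFromProto now copies `msg.SourceIP` and `msg.DestinationIP` straight into `net.IP` fields without checking their length, so a malformed or truncated record produces an address that is neither 4 nor 16 bytes and is only noticed later, if at all. Since the commit message makes length the sole IPv4/IPv6 discriminator, a guard such as `if n := len(msg.GetSourceIP()); n != net.IPv4len && n != net.IPv6len { /* reject or mark invalid */ }` belongs here; the function returns no error, so how to signal it is a design decision. The direct field reads also panic on a nil `msg`, unlike the nil-safe getters on the neighbouring lines; `SourceIP: msg.GetSourceIP(),` keeps them consistent. In the ProtoMessage hunk `e.SourceIP` is written as-is, so a `net.IP` holding an IPv4 address in 16-byte form would be classified as IPv6 by length-based consumers unless it is normalised with `To4()` first. Both function bodies extend beyond the hunks shown.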


@ -1,33 +0,0 @@
package audit
import (
"encoding/binary"
"math/big"
"net"
)
func ipv4ToUint32(ip net.IP) uint32 {
if len(ip) == 16 {
return binary.BigEndian.Uint32(ip[12:16])
}
return binary.BigEndian.Uint32(ip)
}
func ipv6ToBytes(ip net.IP) uint64 {
ipv6 := big.NewInt(0)
ipv6.SetBytes(ip)
return ipv6.Uint64()
}
func uint32ToIP(i uint32) (ip net.IP) {
buf := make([]byte, 4)
binary.BigEndian.PutUint32(buf, i)
ip = buf
ip = ip.To4()
return
}
func uint64ToIP(i uint64) (ip net.IP) {
ip = big.NewInt(int64(i)).FillBytes(make([]byte, 16))
return
}


@ -13,11 +13,13 @@ import (
var (
//nolint:lll
httpPayloadBytesLittleEndian = `dd000000120b088092b8c398feffffff011801200248d8fc0150505a3308041224544c535f45434448455f45434453415f574954485f4145535f3235365f4342435f5348411a096c6f63616c686f73746282010a34747970652e676f6f676c65617069732e636f6d2f696e65746d6f636b2e61756469742e4854545044657461696c73456e74697479124a12096c6f63616c686f73741a15687474703a2f2f6c6f63616c686f73742f6173646622084854545020312e312a1c0a0641636365707412120a106170706c69636174696f6e2f6a736f6e28818080f80738818080f807`
httpPayloadBytesLittleEndian = `dd000000120b088092b8c398feffffff01180120022a047f00000132047f00000138d8fc0140504a3308041224544c535f45434448455f45434453415f574954485f4145535f3235365f4342435f5348411a096c6f63616c686f73745282010a34747970652e676f6f676c65617069732e636f6d2f696e65746d6f636b2e61756469742e4854545044657461696c73456e74697479124a12096c6f63616c686f73741a15687474703a2f2f6c6f63616c686f73742f6173646622084854545020312e312a1c0a0641636365707412120a106170706c69636174696f6e2f6a736f6e`
//nolint:lll
httpPayloadBytesBigEndian = `000000dd120b088092b8c398feffffff011801200248d8fc0150505a3308041224544c535f45434448455f45434453415f574954485f4145535f3235365f4342435f5348411a096c6f63616c686f73746282010a34747970652e676f6f676c65617069732e636f6d2f696e65746d6f636b2e61756469742e4854545044657461696c73456e74697479124a12096c6f63616c686f73741a15687474703a2f2f6c6f63616c686f73742f6173646622084854545020312e312a1c0a0641636365707412120a106170706c69636174696f6e2f6a736f6e28818080f80738818080f807`
dnsPayloadBytesLittleEndian = `1b000000120b088092b8c398feffffff011801200148d8fc01505030014001`
dnsPayloadBytesBigEndian = `0000001b120b088092b8c398feffffff011801200148d8fc01505030014001`
httpPayloadBytesBigEndian = `000000dd120b088092b8c398feffffff01180120022a047f00000132047f00000138d8fc0140504a3308041224544c535f45434448455f45434453415f574954485f4145535f3235365f4342435f5348411a096c6f63616c686f73745282010a34747970652e676f6f676c65617069732e636f6d2f696e65746d6f636b2e61756469742e4854545044657461696c73456e74697479124a12096c6f63616c686f73741a15687474703a2f2f6c6f63616c686f73742f6173646622084854545020312e312a1c0a0641636365707412120a106170706c69636174696f6e2f6a736f6e`
//nolint:lll
dnsPayloadBytesLittleEndian = `3b000000120b088092b8c398feffffff01180120012a100000000000000000000000000000000132100000000000000000000000000000000138d8fc014050`
//nolint:lll
dnsPayloadBytesBigEndian = `0000003b120b088092b8c398feffffff01180120012a100000000000000000000000000000000132100000000000000000000000000000000138d8fc014050`
)
func mustDecodeHex(hexBytes string) io.Reader {
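Review bot: The regenerated payloads only contain well-formed addresses, a 4-byte `7f000001` in the HTTP fixtures and a 16-byte `::1` in the DNS ones, so no fixture here pins what the reader does with an address field of any other length, which the `bytes` type now permits on the wire. A constructed case with an empty and an over-long address field would cover that. A short comment above each blob naming the encoded addresses, e.g. `// sourceIP/destinationIP: 127.0.0.1 as 4 raw bytes`, would also let a reviewer check the hex without decoding it.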