Capture source and destination addresses as byte arrays
- update necessary tests This removes a lot of complexity because IPv4 and IPv6 addresses can be handled the same way. To distinguish between them it's enough to take their length into account. Parsing should be straight forward in any language.
This commit is contained in:
parent
66f2aab9af
commit
af0a7a2375
GPG key ID:
C1DB5D2E8DB512F9
|
|
@ -42,20 +42,10 @@ message EventEntity {
|
|||
google.protobuf.Timestamp timestamp = 2;
|
||||
TransportProtocol transport = 3;
|
||||
AppProtocol application = 4;
|
||||
|
||||
oneof sourceIP {
|
||||
uint32 sourceIPv4 = 5;
|
||||
uint64 sourceIPv6 = 6;
|
||||
}
|
||||
|
||||
oneof destinationIP {
|
||||
uint32 destinationIPv4 = 7;
|
||||
uint64 destinationIPv6 = 8;
|
||||
}
|
||||
|
||||
uint32 sourcePort = 9;
|
||||
uint32 destinationPort = 10;
|
||||
|
||||
TLSDetailsEntity tls = 11;
|
||||
google.protobuf.Any protocolDetails = 12;
|
||||
bytes sourceIP = 5;
|
||||
bytes destinationIP = 6;
|
||||
uint32 sourcePort = 7;
|
||||
uint32 destinationPort = 8;
|
||||
TLSDetailsEntity tls = 9;
|
||||
google.protobuf.Any protocolDetails = 10;
|
||||
}
|
||||
|
|
@ -30,20 +30,6 @@ type Event struct {
|
|||
}
|
||||
|
||||
func (e *Event) ProtoMessage() *EventEntity {
|
||||
var sourceIP isEventEntity_SourceIP
|
||||
if ipv4 := e.SourceIP.To4(); ipv4 != nil {
|
||||
sourceIP = &EventEntity_SourceIPv4{SourceIPv4: ipv4ToUint32(ipv4)}
|
||||
} else {
|
||||
sourceIP = &EventEntity_SourceIPv6{SourceIPv6: ipv6ToBytes(e.SourceIP)}
|
||||
}
|
||||
|
||||
var destinationIP isEventEntity_DestinationIP
|
||||
if ipv4 := e.DestinationIP.To4(); ipv4 != nil {
|
||||
destinationIP = &EventEntity_DestinationIPv4{DestinationIPv4: ipv4ToUint32(ipv4)}
|
||||
} else {
|
||||
destinationIP = &EventEntity_DestinationIPv6{DestinationIPv6: ipv6ToBytes(e.DestinationIP)}
|
||||
}
|
||||
|
||||
var tlsDetails *TLSDetailsEntity = nil
|
||||
if e.TLS != nil {
|
||||
tlsDetails = e.TLS.ProtoMessage()
|
||||
|
|
@ -61,8 +47,8 @@ func (e *Event) ProtoMessage() *EventEntity {
|
|||
Timestamp: timestamppb.New(e.Timestamp),
|
||||
Transport: e.Transport,
|
||||
Application: e.Application,
|
||||
SourceIP: sourceIP,
|
||||
DestinationIP: destinationIP,
|
||||
SourceIP: e.SourceIP,
|
||||
DestinationIP: e.DestinationIP,
|
||||
SourcePort: uint32(e.SourcePort),
|
||||
DestinationPort: uint32(e.DestinationPort),
|
||||
Tls: tlsDetails,
|
||||
|
|
@ -91,29 +77,13 @@ func (e *Event) SetDestinationIPFromAddr(localAddr net.Addr) {
|
|||
}
|
||||
|
||||
func NewEventFromProto(msg *EventEntity) (ev Event) {
|
||||
var sourceIP net.IP
|
||||
switch ip := msg.GetSourceIP().(type) {
|
||||
case *EventEntity_SourceIPv4:
|
||||
sourceIP = uint32ToIP(ip.SourceIPv4)
|
||||
case *EventEntity_SourceIPv6:
|
||||
sourceIP = uint64ToIP(ip.SourceIPv6)
|
||||
}
|
||||
|
||||
var destinationIP net.IP
|
||||
switch ip := msg.GetDestinationIP().(type) {
|
||||
case *EventEntity_DestinationIPv4:
|
||||
destinationIP = uint32ToIP(ip.DestinationIPv4)
|
||||
case *EventEntity_DestinationIPv6:
|
||||
destinationIP = uint64ToIP(ip.DestinationIPv6)
|
||||
}
|
||||
|
||||
ev = Event{
|
||||
ID: msg.GetId(),
|
||||
Timestamp: msg.GetTimestamp().AsTime(),
|
||||
Transport: msg.GetTransport(),
|
||||
Application: msg.GetApplication(),
|
||||
SourceIP: sourceIP,
|
||||
DestinationIP: destinationIP,
|
||||
SourceIP: msg.SourceIP,
|
||||
DestinationIP: msg.DestinationIP,
|
||||
SourcePort: uint16(msg.GetSourcePort()),
|
||||
DestinationPort: uint16(msg.GetDestinationPort()),
|
||||
ProtocolDetails: guessDetailsFromApp(msg.GetProtocolDetails()),
|
||||
|
|
|
|||
|
|
@ -1,33 +0,0 @@
|
|||
package audit
|
||||
|
||||
import (
|
||||
"encoding/binary"
|
||||
"math/big"
|
||||
"net"
|
||||
)
|
||||
|
||||
func ipv4ToUint32(ip net.IP) uint32 {
|
||||
if len(ip) == 16 {
|
||||
return binary.BigEndian.Uint32(ip[12:16])
|
||||
}
|
||||
return binary.BigEndian.Uint32(ip)
|
||||
}
|
||||
|
||||
func ipv6ToBytes(ip net.IP) uint64 {
|
||||
ipv6 := big.NewInt(0)
|
||||
ipv6.SetBytes(ip)
|
||||
return ipv6.Uint64()
|
||||
}
|
||||
|
||||
func uint32ToIP(i uint32) (ip net.IP) {
|
||||
buf := make([]byte, 4)
|
||||
binary.BigEndian.PutUint32(buf, i)
|
||||
ip = buf
|
||||
ip = ip.To4()
|
||||
return
|
||||
}
|
||||
|
||||
func uint64ToIP(i uint64) (ip net.IP) {
|
||||
ip = big.NewInt(int64(i)).FillBytes(make([]byte, 16))
|
||||
return
|
||||
}
|
||||
|
|
@ -13,11 +13,13 @@ import (
|
|||
|
||||
var (
|
||||
//nolint:lll
|
||||
httpPayloadBytesLittleEndian = `dd000000120b088092b8c398feffffff011801200248d8fc0150505a3308041224544c535f45434448455f45434453415f574954485f4145535f3235365f4342435f5348411a096c6f63616c686f73746282010a34747970652e676f6f676c65617069732e636f6d2f696e65746d6f636b2e61756469742e4854545044657461696c73456e74697479124a12096c6f63616c686f73741a15687474703a2f2f6c6f63616c686f73742f6173646622084854545020312e312a1c0a0641636365707412120a106170706c69636174696f6e2f6a736f6e28818080f80738818080f807`
|
||||
httpPayloadBytesLittleEndian = `dd000000120b088092b8c398feffffff01180120022a047f00000132047f00000138d8fc0140504a3308041224544c535f45434448455f45434453415f574954485f4145535f3235365f4342435f5348411a096c6f63616c686f73745282010a34747970652e676f6f676c65617069732e636f6d2f696e65746d6f636b2e61756469742e4854545044657461696c73456e74697479124a12096c6f63616c686f73741a15687474703a2f2f6c6f63616c686f73742f6173646622084854545020312e312a1c0a0641636365707412120a106170706c69636174696f6e2f6a736f6e`
|
||||
//nolint:lll
|
||||
httpPayloadBytesBigEndian = `000000dd120b088092b8c398feffffff011801200248d8fc0150505a3308041224544c535f45434448455f45434453415f574954485f4145535f3235365f4342435f5348411a096c6f63616c686f73746282010a34747970652e676f6f676c65617069732e636f6d2f696e65746d6f636b2e61756469742e4854545044657461696c73456e74697479124a12096c6f63616c686f73741a15687474703a2f2f6c6f63616c686f73742f6173646622084854545020312e312a1c0a0641636365707412120a106170706c69636174696f6e2f6a736f6e28818080f80738818080f807`
|
||||
dnsPayloadBytesLittleEndian = `1b000000120b088092b8c398feffffff011801200148d8fc01505030014001`
|
||||
dnsPayloadBytesBigEndian = `0000001b120b088092b8c398feffffff011801200148d8fc01505030014001`
|
||||
httpPayloadBytesBigEndian = `000000dd120b088092b8c398feffffff01180120022a047f00000132047f00000138d8fc0140504a3308041224544c535f45434448455f45434453415f574954485f4145535f3235365f4342435f5348411a096c6f63616c686f73745282010a34747970652e676f6f676c65617069732e636f6d2f696e65746d6f636b2e61756469742e4854545044657461696c73456e74697479124a12096c6f63616c686f73741a15687474703a2f2f6c6f63616c686f73742f6173646622084854545020312e312a1c0a0641636365707412120a106170706c69636174696f6e2f6a736f6e`
|
||||
//nolint:lll
|
||||
dnsPayloadBytesLittleEndian = `3b000000120b088092b8c398feffffff01180120012a100000000000000000000000000000000132100000000000000000000000000000000138d8fc014050`
|
||||
//nolint:lll
|
||||
dnsPayloadBytesBigEndian = `0000003b120b088092b8c398feffffff01180120012a100000000000000000000000000000000132100000000000000000000000000000000138d8fc014050`
|
||||
)
|
||||
|
||||
func mustDecodeHex(hexBytes string) io.Reader {
|
||||
|
|
|
|||
Loading…
Reference in a new issue