Capture source and destination addresses as byte arrays

- update necessary tests This removes a lot of complexity because IPv4 and IPv6 addresses can be handled the same way. To distinguish between them it's enough to take their length into account. Parsing should be straight forward in any language.
2021-01-20 18:43:00 +01:00 · 2021-01-20 18:43:00 +01:00 · af0a7a2375
commit af0a7a2375
parent 66f2aab9af
4 changed files with 16 additions and 87 deletions
--- a/api/proto/pkg/audit/event_entity.proto
+++ b/api/proto/pkg/audit/event_entity.proto
@ -42,20 +42,10 @@ message EventEntity {
    google.protobuf.Timestamp timestamp = 2;
    TransportProtocol transport = 3;
    AppProtocol application = 4;
-
+    bytes sourceIP = 5;
-    oneof sourceIP {
+    bytes destinationIP = 6;
-        uint32 sourceIPv4 = 5;
+    uint32 sourcePort = 7;
-        uint64 sourceIPv6 = 6;
+    uint32 destinationPort = 8;
-    }
+    TLSDetailsEntity tls = 9;
-
+    google.protobuf.Any protocolDetails = 10;
    oneof destinationIP {
        uint32 destinationIPv4 = 7;
        uint64 destinationIPv6 = 8;
    }
    uint32 sourcePort = 9;
    uint32 destinationPort = 10;
    TLSDetailsEntity tls = 11;
    google.protobuf.Any protocolDetails = 12;
 }
--- a/pkg/audit/event.go
+++ b/pkg/audit/event.go
@ -30,20 +30,6 @@ type Event struct {
 }
 func (e *Event) ProtoMessage() *EventEntity {
 	var sourceIP isEventEntity_SourceIP
 	if ipv4 := e.SourceIP.To4(); ipv4 != nil {
 		sourceIP = &EventEntity_SourceIPv4{SourceIPv4: ipv4ToUint32(ipv4)}
 	} else {
 		sourceIP = &EventEntity_SourceIPv6{SourceIPv6: ipv6ToBytes(e.SourceIP)}
 	}
 	var destinationIP isEventEntity_DestinationIP
 	if ipv4 := e.DestinationIP.To4(); ipv4 != nil {
 		destinationIP = &EventEntity_DestinationIPv4{DestinationIPv4: ipv4ToUint32(ipv4)}
 	} else {
 		destinationIP = &EventEntity_DestinationIPv6{DestinationIPv6: ipv6ToBytes(e.DestinationIP)}
 	}
 	var tlsDetails *TLSDetailsEntity = nil
 	if e.TLS != nil {
 		tlsDetails = e.TLS.ProtoMessage()
@ -61,8 +47,8 @@ func (e *Event) ProtoMessage() *EventEntity {
 		Timestamp:       timestamppb.New(e.Timestamp),
 		Transport:       e.Transport,
 		Application:     e.Application,
-		SourceIP:        sourceIP,
+		SourceIP:        e.SourceIP,
-		DestinationIP:   destinationIP,
+		DestinationIP:   e.DestinationIP,
 		SourcePort:      uint32(e.SourcePort),
 		DestinationPort: uint32(e.DestinationPort),
 		Tls:             tlsDetails,
@ -91,29 +77,13 @@ func (e *Event) SetDestinationIPFromAddr(localAddr net.Addr) {
 }
 func NewEventFromProto(msg *EventEntity) (ev Event) {
 	var sourceIP net.IP
 	switch ip := msg.GetSourceIP().(type) {
 	case *EventEntity_SourceIPv4:
 		sourceIP = uint32ToIP(ip.SourceIPv4)
 	case *EventEntity_SourceIPv6:
 		sourceIP = uint64ToIP(ip.SourceIPv6)
 	}
 	var destinationIP net.IP
 	switch ip := msg.GetDestinationIP().(type) {
 	case *EventEntity_DestinationIPv4:
 		destinationIP = uint32ToIP(ip.DestinationIPv4)
 	case *EventEntity_DestinationIPv6:
 		destinationIP = uint64ToIP(ip.DestinationIPv6)
 	}
 	ev = Event{
 		ID:              msg.GetId(),
 		Timestamp:       msg.GetTimestamp().AsTime(),
 		Transport:       msg.GetTransport(),
 		Application:     msg.GetApplication(),
-		SourceIP:        sourceIP,
+		SourceIP:        msg.SourceIP,
-		DestinationIP:   destinationIP,
+		DestinationIP:   msg.DestinationIP,
 		SourcePort:      uint16(msg.GetSourcePort()),
 		DestinationPort: uint16(msg.GetDestinationPort()),
 		ProtocolDetails: guessDetailsFromApp(msg.GetProtocolDetails()),
--- a/pkg/audit/ip_conversion.go
+++ b/pkg/audit/ip_conversion.go
@ -1,33 +0,0 @@
 package audit
 import (
 	"encoding/binary"
 	"math/big"
 	"net"
 )
 func ipv4ToUint32(ip net.IP) uint32 {
 	if len(ip) == 16 {
 		return binary.BigEndian.Uint32(ip[12:16])
 	}
 	return binary.BigEndian.Uint32(ip)
 }
 func ipv6ToBytes(ip net.IP) uint64 {
 	ipv6 := big.NewInt(0)
 	ipv6.SetBytes(ip)
 	return ipv6.Uint64()
 }
 func uint32ToIP(i uint32) (ip net.IP) {
 	buf := make([]byte, 4)
 	binary.BigEndian.PutUint32(buf, i)
 	ip = buf
 	ip = ip.To4()
 	return
 }
 func uint64ToIP(i uint64) (ip net.IP) {
 	ip = big.NewInt(int64(i)).FillBytes(make([]byte, 16))
 	return
 }
--- a/pkg/audit/reader_test.go
+++ b/pkg/audit/reader_test.go
@ -13,11 +13,13 @@ import (
 var (
 	//nolint:lll
-	httpPayloadBytesLittleEndian = `dd000000120b088092b8c398feffffff011801200248d8fc0150505a3308041224544c535f45434448455f45434453415f574954485f4145535f3235365f4342435f5348411a096c6f63616c686f73746282010a34747970652e676f6f676c65617069732e636f6d2f696e65746d6f636b2e61756469742e4854545044657461696c73456e74697479124a12096c6f63616c686f73741a15687474703a2f2f6c6f63616c686f73742f6173646622084854545020312e312a1c0a0641636365707412120a106170706c69636174696f6e2f6a736f6e28818080f80738818080f807`
+	httpPayloadBytesLittleEndian = `dd000000120b088092b8c398feffffff01180120022a047f00000132047f00000138d8fc0140504a3308041224544c535f45434448455f45434453415f574954485f4145535f3235365f4342435f5348411a096c6f63616c686f73745282010a34747970652e676f6f676c65617069732e636f6d2f696e65746d6f636b2e61756469742e4854545044657461696c73456e74697479124a12096c6f63616c686f73741a15687474703a2f2f6c6f63616c686f73742f6173646622084854545020312e312a1c0a0641636365707412120a106170706c69636174696f6e2f6a736f6e`
 	//nolint:lll
-	httpPayloadBytesBigEndian   = `000000dd120b088092b8c398feffffff011801200248d8fc0150505a3308041224544c535f45434448455f45434453415f574954485f4145535f3235365f4342435f5348411a096c6f63616c686f73746282010a34747970652e676f6f676c65617069732e636f6d2f696e65746d6f636b2e61756469742e4854545044657461696c73456e74697479124a12096c6f63616c686f73741a15687474703a2f2f6c6f63616c686f73742f6173646622084854545020312e312a1c0a0641636365707412120a106170706c69636174696f6e2f6a736f6e28818080f80738818080f807`
+	httpPayloadBytesBigEndian = `000000dd120b088092b8c398feffffff01180120022a047f00000132047f00000138d8fc0140504a3308041224544c535f45434448455f45434453415f574954485f4145535f3235365f4342435f5348411a096c6f63616c686f73745282010a34747970652e676f6f676c65617069732e636f6d2f696e65746d6f636b2e61756469742e4854545044657461696c73456e74697479124a12096c6f63616c686f73741a15687474703a2f2f6c6f63616c686f73742f6173646622084854545020312e312a1c0a0641636365707412120a106170706c69636174696f6e2f6a736f6e`
-	dnsPayloadBytesLittleEndian = `1b000000120b088092b8c398feffffff011801200148d8fc01505030014001`
+	//nolint:lll
-	dnsPayloadBytesBigEndian    = `0000001b120b088092b8c398feffffff011801200148d8fc01505030014001`
+	dnsPayloadBytesLittleEndian = `3b000000120b088092b8c398feffffff01180120012a100000000000000000000000000000000132100000000000000000000000000000000138d8fc014050`
 	//nolint:lll
 	dnsPayloadBytesBigEndian = `0000003b120b088092b8c398feffffff01180120012a100000000000000000000000000000000132100000000000000000000000000000000138d8fc014050`
 )
 func mustDecodeHex(hexBytes string) io.Reader {