add packet attribute triage function

petabi · Sep 27, 2024 · d708f78 · d708f78
1 parent 714de1a
commit d708f78
Show file tree

Hide file tree

Showing 2 changed files with 200 additions and 3 deletions.
diff --git a/src/event.rs b/src/event.rs
@@ -33,6 +33,7 @@ use std::{
 
 use aho_corasick::AhoCorasickBuilder;
 use anyhow::{bail, Context, Result};
+use bincode::Options;
 use chrono::{serde::ts_nanoseconds, DateTime, TimeZone, Utc};
 use num_derive::{FromPrimitive, ToPrimitive};
 use num_traits::{FromPrimitive, ToPrimitive};
@@ -79,6 +80,7 @@ use super::{
     types::{Endpoint, HostNetworkGroup},
     Customer, EventCategory, Network, TriagePolicy,
 };
+use crate::{AttrCmpKind, PacketAttr};
 
 // event levels (currently unused ones commented out)
 // const VERY_LOW: NonZeroU8 = unsafe { NonZeroU8::new_unchecked(1) };
@@ -2571,6 +2573,140 @@ fn get_record_country_short_name(record: &ip2location::Record) -> Option<String>
     }
 }
 
+fn deserialize<'de, T>(value: &'de [u8]) -> Option<T>
+where
+    T: Deserialize<'de>,
+{
+    bincode::DefaultOptions::new().deserialize::<T>(value).ok()
+}
+
+#[allow(clippy::question_mark)]
+fn check_second_value<'de, T, K>(kind: AttrCmpKind, value: &'de Option<Vec<u8>>) -> Option<T>
+where
+    T: TryFrom<K> + std::cmp::PartialOrd,
+    K: Deserialize<'de>,
+{
+    match kind {
+        AttrCmpKind::CloseRange
+        | AttrCmpKind::LeftOpenRange
+        | AttrCmpKind::RightOpenRange
+        | AttrCmpKind::NotOpenRange
+        | AttrCmpKind::NotCloseRange
+        | AttrCmpKind::NotLeftOpenRange
+        | AttrCmpKind::NotRightOpenRange => {
+            let Some(value_result) = value else {
+                return None;
+            };
+            let Some(de_second_value) = deserialize::<K>(value_result) else {
+                return None;
+            };
+            let Ok(convert_second_value) = T::try_from(de_second_value) else {
+                return None;
+            };
+            return Some(convert_second_value);
+        }
+        _ => {}
+    }
+    None
+}
+
+fn compare_all_attr_cmp_kind<T>(
+    cmp_kind: AttrCmpKind,
+    attr_val: T,
+    first_val: T,
+    second_val: Option<T>,
+) -> bool
+where
+    T: PartialOrd,
+{
+    match (cmp_kind, second_val) {
+        (AttrCmpKind::Less, _) => attr_val < first_val,
+        (AttrCmpKind::LessOrEqual, _) => attr_val <= first_val,
+        (AttrCmpKind::Equal, _) => attr_val == first_val,
+        (AttrCmpKind::NotEqual, _) => attr_val != first_val,
+        (AttrCmpKind::Greater, _) => attr_val > first_val,
+        (AttrCmpKind::GreaterOrEqual, _) => attr_val >= first_val,
+        (AttrCmpKind::OpenRange, Some(second_val)) => {
+            (first_val < attr_val) && (second_val > attr_val)
+        }
+        (AttrCmpKind::CloseRange, Some(second_val)) => {
+            (first_val <= attr_val) && (second_val >= attr_val)
+        }
+        (AttrCmpKind::LeftOpenRange, Some(second_val)) => {
+            (first_val < attr_val) && (second_val >= attr_val)
+        }
+        (AttrCmpKind::RightOpenRange, Some(second_val)) => {
+            (first_val <= attr_val) && (second_val > attr_val)
+        }
+        (AttrCmpKind::NotOpenRange, Some(second_val)) => {
+            !((first_val < attr_val) && (second_val > attr_val))
+        }
+        (AttrCmpKind::NotCloseRange, Some(second_val)) => {
+            !((first_val <= attr_val) && (second_val >= attr_val))
+        }
+        (AttrCmpKind::NotLeftOpenRange, Some(second_val)) => {
+            !((first_val < attr_val) && (second_val >= attr_val))
+        }
+        (AttrCmpKind::NotRightOpenRange, Some(second_val)) => {
+            !((first_val <= attr_val) && (second_val > attr_val))
+        }
+        _ => false,
+    }
+}
+
+fn process_attr_compare_bool(attr_val: bool, packet_attr: &PacketAttr) -> bool {
+    deserialize::<bool>(&packet_attr.first_value).is_some_and(|compare_val| {
+        match packet_attr.cmp_kind {
+            AttrCmpKind::Equal => return attr_val == compare_val,
+            AttrCmpKind::NotEqual => return attr_val != compare_val,
+            _ => false,
+        }
+    })
+}
+
+fn process_attr_compare_string(attr_val: &str, packet_attr: &PacketAttr) -> bool {
+    deserialize::<String>(&packet_attr.first_value).is_some_and(|compare_val| {
+        let cmp_result = attr_val.contains(&compare_val);
+        match packet_attr.cmp_kind {
+            AttrCmpKind::Contain => return cmp_result,
+            AttrCmpKind::NotContain => return !cmp_result,
+            _ => false,
+        }
+    })
+}
+
+fn process_attr_compare_addr(attr_val: IpAddr, packet_attr: &PacketAttr) -> bool {
+    if let Some(first_val) = deserialize::<IpAddr>(&packet_attr.first_value) {
+        let second_val = if let Some(serde_val) = &packet_attr.second_value {
+            deserialize::<IpAddr>(serde_val)
+        } else {
+            None
+        };
+        return compare_all_attr_cmp_kind(packet_attr.cmp_kind, attr_val, first_val, second_val);
+    }
+    false
+}
+
+fn process_attr_compare_number<'de, T, K>(attr_val: T, packet_attr: &'de PacketAttr) -> bool
+where
+    T: TryFrom<K> + PartialOrd,
+    K: Deserialize<'de>,
+{
+    if let Some(first_val) = deserialize::<K>(&packet_attr.first_value) {
+        if let Ok(first_val) = T::try_from(first_val) {
+            let second_val =
+                check_second_value::<T, K>(packet_attr.cmp_kind, &packet_attr.second_value);
+            return compare_all_attr_cmp_kind(
+                packet_attr.cmp_kind,
+                attr_val,
+                first_val,
+                second_val,
+            );
+        }
+    };
+    return false;
+}
+
 #[cfg(test)]
 mod tests {
     use std::{

diff --git a/src/event/dns.rs b/src/event/dns.rs
@@ -3,10 +3,33 @@ use std::{fmt, net::IpAddr, num::NonZeroU8};
 
 use chrono::{serde::ts_nanoseconds, DateTime, Utc};
 use serde::{Deserialize, Serialize};
+use tracing::warn;
 
-use super::{common::Match, EventCategory, TriagePolicy, TriageScore, HIGH, MEDIUM};
+use super::{
+    common::Match, process_attr_compare_addr, process_attr_compare_bool,
+    process_attr_compare_number, process_attr_compare_string, EventCategory, TriagePolicy,
+    TriageScore, HIGH, MEDIUM,
+};
 use crate::event::common::{triage_scores_to_string, vector_to_string};
 
+const DNS_S_IP: &str = "dns-id.orig_h";
+const DNS_S_PORT: &str = "dns-id.orig_p";
+const DNS_D_IP: &str = "dns-id.resp_h";
+const DNS_D_PORT: &str = "dns-id.resp_p";
+const DNS_PROTO: &str = "dns-proto";
+const DNS_QUERY: &str = "dns-query";
+const DNS_ANSWER: &str = "dns-answers";
+const DNS_TRANS_ID: &str = "dns-trans_id";
+const DNS_RTT: &str = "dns-rtt";
+const DNS_QCLASS: &str = "dns-qclass";
+const DNS_QTYPE: &str = "dns-qtype";
+const DNS_RCODE: &str = "dns-rcode";
+const DNS_AA_FLAG: &str = "dns-AA";
+const DNS_TC_FLAG: &str = "dns-TC";
+const DNS_RD_FLAG: &str = "dns-RD";
+const DNS_RA_FLAG: &str = "dns-RA";
+const DNS_TTL: &str = "dns-TTLs";
+
 #[derive(Deserialize, Serialize)]
 pub struct DnsEventFields {
     pub source: String,
@@ -189,8 +212,46 @@ impl Match for DnsCovertChannel {
         Some(self.confidence)
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn score_by_packet_attr(&self, triage: &TriagePolicy) -> f64 {
+        let mut attr_total_score = 0.0;
+
+        for attr in &triage.packet_attr {
+            let mut score = 0.0;
+            let result = match attr.attr_name.as_str() {
+                DNS_S_IP => process_attr_compare_addr(self.src_addr, attr),
+                DNS_S_PORT => process_attr_compare_number::<u16, i64>(self.src_port, attr),
+                DNS_D_IP => process_attr_compare_addr(self.dst_addr, attr),
+                DNS_D_PORT => process_attr_compare_number::<u16, i64>(self.dst_port, attr),
+                DNS_PROTO => process_attr_compare_number::<u8, i64>(self.proto, attr),
+                DNS_QUERY => process_attr_compare_string(&self.query, attr),
+                DNS_ANSWER => self
+                    .answer
+                    .iter()
+                    .any(|answer| process_attr_compare_string(answer, attr)),
+                DNS_TRANS_ID => process_attr_compare_number::<u16, i64>(self.trans_id, attr),
+                DNS_RTT => process_attr_compare_number::<i64, i64>(self.rtt, attr),
+                DNS_QCLASS => process_attr_compare_number::<u16, i64>(self.qclass, attr),
+                DNS_QTYPE => process_attr_compare_number::<u16, i64>(self.qtype, attr),
+                DNS_RCODE => process_attr_compare_number::<u16, i64>(self.rcode, attr),
+                DNS_AA_FLAG => process_attr_compare_bool(self.aa_flag, attr),
+                DNS_TC_FLAG => process_attr_compare_bool(self.tc_flag, attr),
+                DNS_RD_FLAG => process_attr_compare_bool(self.rd_flag, attr),
+                DNS_RA_FLAG => process_attr_compare_bool(self.ra_flag, attr),
+                DNS_TTL => self
+                    .ttl
+                    .iter()
+                    .any(|ttl| process_attr_compare_number::<i32, i64>(*ttl, attr)),
+                _ => {
+                    warn!("invalid dns's attribute field");
+                    false
+                }
+            };
+            if result {
+                score = attr.weight.unwrap(); //weight always exist.
+            }
+            attr_total_score = score;
+        }
+        attr_total_score
     }
 }