1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
|
package processing
// DCSO FEVER
// Copyright (c) 2019, 2020, DCSO GmbH
import (
"fmt"
"net"
"sync"
"github.com/DCSO/fever/types"
"github.com/DCSO/fever/util"
"github.com/buger/jsonparser"
log "github.com/sirupsen/logrus"
"github.com/yl2chen/cidranger"
)
// RDNSHandler is a handler that enriches events with reverse DNS
// information looked up on the sensor, for both source and destination
// IP addresses.
type RDNSHandler struct {
sync.Mutex
Logger *log.Entry
HostNamer util.HostNamer
PrivateRanges cidranger.Ranger
PrivateRangesOnly bool
}
// MakeRDNSHandler returns a new RDNSHandler, backed by the passed HostNamer.
func MakeRDNSHandler(hn util.HostNamer) *RDNSHandler {
rh := &RDNSHandler{
Logger: log.WithFields(log.Fields{
"domain": "rdns",
}),
PrivateRanges: cidranger.NewPCTrieRanger(),
HostNamer: hn,
}
for _, cidr := range []string{
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16",
"fc00::/7",
} {
_, block, err := net.ParseCIDR(cidr)
if err != nil {
log.Fatalf("cannot parse fixed private IP range %v", cidr)
}
rh.PrivateRanges.Insert(cidranger.NewBasicRangerEntry(*block))
}
return rh
}
// EnableOnlyPrivateIPRanges ensures that only private (RFC1918) IP ranges
// are enriched
func (a *RDNSHandler) EnableOnlyPrivateIPRanges() {
a.PrivateRangesOnly = true
}
// Consume processes an Entry and enriches it
func (a *RDNSHandler) Consume(e *types.Entry) error {
var res []string
var err error
var isPrivate bool
if e.SrcIP != "" {
ip := net.ParseIP(e.SrcIP)
if ip != nil {
isPrivate, err = a.PrivateRanges.Contains(ip)
if err != nil {
return err
}
if !a.PrivateRangesOnly || isPrivate {
res, err = a.HostNamer.GetHostname(e.SrcIP)
if err == nil {
for i, v := range res {
hostname, err := util.EscapeJSON(v)
if err != nil {
log.Warningf("cannot escape hostname: %s", v)
continue
}
newJSON, err := jsonparser.Set([]byte(e.JSONLine), hostname,
"src_host", fmt.Sprintf("[%d]", i), "rdns")
if err != nil {
log.Warningf("cannot set hostname: %s", hostname)
continue
} else {
e.JSONLine = string(newJSON)
}
}
}
}
} else {
log.Error("IP not valid")
}
}
if e.DestIP != "" {
ip := net.ParseIP(e.DestIP)
if ip != nil {
isPrivate, err = a.PrivateRanges.Contains(ip)
if err != nil {
return err
}
if !a.PrivateRangesOnly || isPrivate {
res, err = a.HostNamer.GetHostname(e.DestIP)
if err == nil {
for i, v := range res {
hostname, err := util.EscapeJSON(v)
if err != nil {
log.Warningf("cannot escape hostname: %s", v)
continue
}
newJSON, err := jsonparser.Set([]byte(e.JSONLine), hostname,
"dest_host", fmt.Sprintf("[%d]", i), "rdns")
if err != nil {
log.Warningf("cannot set hostname: %s", hostname)
continue
} else {
e.JSONLine = string(newJSON)
}
}
}
}
} else {
log.Error("IP not valid")
}
}
return nil
}
// GetName returns the name of the handler
func (a *RDNSHandler) GetName() string {
return "reverse DNS handler"
}
// GetEventTypes returns a slice of event type strings that this handler
// should be applied to
func (a *RDNSHandler) GetEventTypes() []string {
return []string{"http", "dns", "tls", "smtp", "flow", "ssh", "tls", "smb", "alert"}
}
|
