mirrors/opensnitch
1
0
Fork 0
mirror of https://github.com/evilsocket/opensnitch.git synced 2025-03-04 08:34:40 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
opensnitch/daemon/conman/connection.go

343 lines
9.5 KiB
Go
Raw Permalink Normal View History

misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
package conman
import (
fixed errors when IPv6 is not enabled in the system If IPv6 was not enabled we failed to add IPv6 rules. closes #96
2020-11-26 16:25:48 +01:00
"errors"
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
"fmt"
"net"
misc: small fix or general refactoring i did not bother commenting
2018-04-07 03:28:44 +02:00
"os"
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
updated import paths
2020-12-09 18:18:42 +01:00
"github.com/evilsocket/opensnitch/daemon/core"
"github.com/evilsocket/opensnitch/daemon/dns"
"github.com/evilsocket/opensnitch/daemon/log"
"github.com/evilsocket/opensnitch/daemon/netfilter"
"github.com/evilsocket/opensnitch/daemon/netlink"
"github.com/evilsocket/opensnitch/daemon/netstat"
"github.com/evilsocket/opensnitch/daemon/procmon"
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
"github.com/evilsocket/opensnitch/daemon/procmon/audit"
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
"github.com/evilsocket/opensnitch/daemon/procmon/ebpf"
updated import paths
2020-12-09 18:18:42 +01:00
"github.com/evilsocket/opensnitch/daemon/ui/protocol"
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
"github.com/google/gopacket/layers"
)
Fix random typos Found via `codespell v2.1.dev0` `codespell -q 3 -L ans`
2020-12-23 13:24:59 -05:00
// Connection represents an outgoing connection.
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
type Connection struct {
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
Pkt *netfilter.Packet
Entry *netstat.Entry
Process *procmon.Process
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
Protocol string
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
DstHost string
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
SrcIP net.IP
DstIP net.IP
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
SrcPort uint
DstPort uint
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
}
allow to configure unknown conns interception /etc/opensnitchd/default-config.json can now contain "intercept_unknown": true|false
2019-11-01 01:00:10 +01:00
var showUnknownCons = false
formatted connman/
2020-03-06 21:44:47 +01:00
// Parse extracts the IP layers from a network packet to determine what
// process generated a connection.
allow to configure unknown conns interception /etc/opensnitchd/default-config.json can now contain "intercept_unknown": true|false
2019-11-01 01:00:10 +01:00
func Parse(nfp netfilter.Packet, interceptUnknown bool) *Connection {
formatted connman/
2020-03-06 21:44:47 +01:00
showUnknownCons = interceptUnknown
added trace logs for packets and ebpf - Log packets. - Log special case. - Updated information on some rare cases when intercepting connections via eBPF.
2025-01-22 01:06:10 +01:00
log.Trace("Connection.Parse(): %v", nfp)
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
fixed errors when IPv6 is not enabled in the system If IPv6 was not enabled we failed to add IPv6 rules. closes #96
2020-11-26 16:25:48 +01:00
if nfp.IsIPv4() {
con, err := NewConnection(&nfp)
IPv6 support
2018-11-21 00:25:47 +01:00
if err != nil {
log.Debug("%s", err)
return nil
} else if con == nil {
return nil
}
return con
formatted connman/
2020-03-06 21:44:47 +01:00
}
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
fixed errors when IPv6 is not enabled in the system If IPv6 was not enabled we failed to add IPv6 rules. closes #96
2020-11-26 16:25:48 +01:00
if core.IPv6Enabled == false {
return nil
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
}
fixed errors when IPv6 is not enabled in the system If IPv6 was not enabled we failed to add IPv6 rules. closes #96
2020-11-26 16:25:48 +01:00
con, err := NewConnection6(&nfp)
if err != nil {
log.Debug("%s", err)
return nil
} else if con == nil {
return nil
}
return con
formatted connman/
2020-03-06 21:44:47 +01:00
IPv6 support
2018-11-21 00:25:47 +01:00
}
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
improved packets parsing We were checking several times if a packet was IPv6. Additionally we were itereating over all the layers of the packet, when in reality we're only interested in network layer and transport layer. This change brings down packets parsing from ~200µs to ~2µs.
2020-11-24 01:35:36 +01:00
func newConnectionImpl(nfp *netfilter.Packet, c *Connection, protoType string) (cr *Connection, err error) {
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
// no errors but not enough info neither
improved packets parsing We were checking several times if a packet was IPv6. Additionally we were itereating over all the layers of the packet, when in reality we're only interested in network layer and transport layer. This change brings down packets parsing from ~200µs to ~2µs.
2020-11-24 01:35:36 +01:00
if c.parseDirection(protoType) == false {
added trace logs for packets and ebpf - Log packets. - Log special case. - Updated information on some rare cases when intercepting connections via eBPF.
2025-01-22 01:06:10 +01:00
log.Trace("discarding connection (proto %s): %+v", protoType, c)
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
return nil, nil
}
added more logs for better issues debugging - Log packet mark, which may help debugging VPN connections for example. - Log the nfqueue number when we fail to setup the queue. * Suggest to restart the computer on one particular case (#912).
2023-04-21 23:28:13 +02:00
log.Debug("new connection %s => %d:%v -> %v (%s):%d uid: %d, mark: %x", c.Protocol, c.SrcPort, c.SrcIP, c.DstIP, c.DstHost, c.DstPort, nfp.UID, nfp.Mark)
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
netlink: get active connections by source port + protocol - Dump connections from kernel querying by source port + protocol. - Prioritize responses which match the outgoing connection. - If we don't get any response, apply the default action configured in /etc/opensnitchd/default-config.json -- A connection can be considered unique if: protocol + source port + source ip + destination ip + destination port We can be quite sure that only one process has created the connection. However, many times, querying the kernel for the connection details by all these parameters results in no response. A regular query and normal response would be: query: TCP:47344:192.168.1.106 -> 151.101.65.140:443 response: 47344:192.168.1.106 -> 151.101.65.140:443, inode: 1234567, ... But in another cases, the details of the outgoing connection differs from the kernel response, or it even doesn't exist. However, if we query by protocol+source port, we can get more entries, and somewhat guess what program opened the outgoing connection. Some examples of querying by outgoing connection and response from kernel: query: 8612:192.168.1.5 -> 192.168.1.255:8612 response: 8612:192.168.1.105 -> 0.0.0.0:0 query: 123:192.168.1.5 -> 217.144.138.234:123 response: 123:0.0.0.0 -> 0.0.0.0:0 query: 45015:127.0.0.1 -> 239.255.255.250:1900 response: 45015:127.0.0.1 -> 0.0.0.0:0 query: 50416:fe80::9fc2:ddcf:df22:aa50 -> fe80::1:53 response: 50416:254.128.0.0 -> 254.128.0.0:53 query: 51413:192.168.1.106 -> 103.224.182.250:1337 response: 51413:0.0.0.0 -> 0.0.0.0:0
2020-04-05 19:14:51 +02:00
c.Entry = &netstat.Entry{
Proto: c.Protocol,
SrcIP: c.SrcIP,
SrcPort: c.SrcPort,
DstIP: c.DstIP,
DstPort: c.DstPort,
UserId: -1,
INode: -1,
}
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
pid := -1
improved connections parsing Under certain conditions, when we dumped inodes via netlink, we were linking network connections to wrong applications. - To improve this situation: 1) Use netfilter's UID by default: Sometimes the UID reported via netlink was different than the one reported by libnetfilter. libnetfilter UID is always correct. If you had a rule that filtered by UID, this problem could cause to prompt you again to allow the connection. 2) Use the netlink entry that matches exactly the properties of an outgoing connection: There're some in-kernel sockets that doesn't match 1:1 outgoing connections (daemon/netlink/socket.go#L22). In order to identify the applications that initiate these network connections we use a workaround. But under certain conditions (source port reuse), we were associating connections to wrong applications. So in order to avoid this problem, if there's a 1:1 match use that netlink entry. If not, fallback to the workaround. - misc: added more logs to better debug these issues.
2021-11-15 13:26:52 +01:00
uid := -1
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
if procmon.MethodIsEbpf() {
find connections with connection fields swapped Under certain situations, like when using systemd-resolved as DNS resolver, we receive outbound connections with the fields swapped: Instead of: local-port:local-ip -> public-ip:public-port we receive: public-port:public-ip -> local-ip:local-port Sometimes this behaviour causes network slowdowns, or no network at all. If we swap the fields of these connections, then we're able to get the process and keep functioning as usual. But what causes this behaviour is yet unknown, and needs further analysis. See these issues for more information: #779 , #711
2022-12-20 17:16:20 +01:00
swap := false
c.Process, swap, err = ebpf.GetPid(c.Protocol, c.SrcPort, c.SrcIP, c.DstIP, c.DstPort)
if swap {
c.swapFields()
}
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
if c.Process != nil {
c.Entry.UserId = c.Process.UID
return c, nil
}
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
if err != nil {
find connections with connection fields swapped Under certain situations, like when using systemd-resolved as DNS resolver, we receive outbound connections with the fields swapped: Instead of: local-port:local-ip -> public-ip:public-port we receive: public-port:public-ip -> local-ip:local-port Sometimes this behaviour causes network slowdowns, or no network at all. If we swap the fields of these connections, then we're able to get the process and keep functioning as usual. But what causes this behaviour is yet unknown, and needs further analysis. See these issues for more information: #779 , #711
2022-12-20 17:16:20 +01:00
log.Debug("ebpf warning: %v", err)
netlink: get active connections by source port + protocol - Dump connections from kernel querying by source port + protocol. - Prioritize responses which match the outgoing connection. - If we don't get any response, apply the default action configured in /etc/opensnitchd/default-config.json -- A connection can be considered unique if: protocol + source port + source ip + destination ip + destination port We can be quite sure that only one process has created the connection. However, many times, querying the kernel for the connection details by all these parameters results in no response. A regular query and normal response would be: query: TCP:47344:192.168.1.106 -> 151.101.65.140:443 response: 47344:192.168.1.106 -> 151.101.65.140:443, inode: 1234567, ... But in another cases, the details of the outgoing connection differs from the kernel response, or it even doesn't exist. However, if we query by protocol+source port, we can get more entries, and somewhat guess what program opened the outgoing connection. Some examples of querying by outgoing connection and response from kernel: query: 8612:192.168.1.5 -> 192.168.1.255:8612 response: 8612:192.168.1.105 -> 0.0.0.0:0 query: 123:192.168.1.5 -> 217.144.138.234:123 response: 123:0.0.0.0 -> 0.0.0.0:0 query: 45015:127.0.0.1 -> 239.255.255.250:1900 response: 45015:127.0.0.1 -> 0.0.0.0:0 query: 50416:fe80::9fc2:ddcf:df22:aa50 -> fe80::1:53 response: 50416:254.128.0.0 -> 254.128.0.0:53 query: 51413:192.168.1.106 -> 103.224.182.250:1337 response: 51413:0.0.0.0 -> 0.0.0.0:0
2020-04-05 19:14:51 +02:00
}
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
log.Debug("[ebpf conn] PID not found via eBPF, falling back to proc")
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
} else if procmon.MethodIsAudit() {
if aevent := audit.GetEventByPid(pid); aevent != nil {
audit.Lock.RLock()
obtain process's parent hierarchy, checksums improvements - Obtain the process's parent hierarchy. - Display the hierarchy on the pop-ups and the process dialog. - [pop-ups] Added a Detailed view with all the metadata of the process. - [cache-events] Improved the cache of processes. - [ruleseditor] Fixed enabling md5 checksum widget. Related: #413, #406
2023-09-30 18:31:19 +02:00
c.Process = procmon.NewProcessEmpty(pid, aevent.ProcName)
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
c.Process.Path = aevent.ProcPath
c.Process.ReadCmdline()
c.Process.CWD = aevent.ProcDir
audit.Lock.RUnlock()
// if the proc dir contains non alhpa-numeric chars the field is empty
if c.Process.CWD == "" {
c.Process.ReadCwd()
}
c.Process.ReadEnv()
c.Process.CleanPath()
obtain process's parent hierarchy, checksums improvements - Obtain the process's parent hierarchy. - Display the hierarchy on the pop-ups and the process dialog. - [pop-ups] Added a Detailed view with all the metadata of the process. - [cache-events] Improved the cache of processes. - [ruleseditor] Fixed enabling md5 checksum widget. Related: #413, #406
2023-09-30 18:31:19 +02:00
procmon.EventsCache.Add(c.Process)
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
return c, nil
}
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
log.Debug("[auditd conn] PID not found via auditd, falling back to proc")
find PID: use legacy methods if the PID is not found. Some times, processes that establish connections to localhost are only found in /proc/net/* files. So if we fail to get the PID of a connection, fallback to legacy method to find it.
2021-06-08 14:11:19 +02:00
}
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
// Sometimes when using eBPF, the PID is not found by the connection's parameters,
// but falling back to legacy methods helps to find it and avoid "unknown/kernel pop-ups".
//
// One of the reasons is because after coming back from suspend state, for some reason (bug?),
// gobpf/libbpf is unable to delete ebpf map entries, so when they reach the maximum capacity no
// more entries are added, nor updated.
find PID: use legacy methods if the PID is not found. Some times, processes that establish connections to localhost are only found in /proc/net/* files. So if we fail to get the PID of a connection, fallback to legacy method to find it.
2021-06-08 14:11:19 +02:00
if pid < 0 {
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
// 0. lookup uid and inode via netlink. Can return several inodes.
// 1. lookup uid and inode using /proc/net/(udp|tcp|udplite)
// 2. lookup pid by inode
// 3. if this is coming from us, just accept
// 4. lookup process info by pid
var inodeList []int
uid, inodeList = netlink.GetSocketInfo(c.Protocol, c.SrcIP, c.SrcPort, c.DstIP, c.DstPort)
if len(inodeList) == 0 {
improved connections parsing, minor refactoring When using proc monitor method + interceptUnknown, allow to ask the user about connections not associated with a process. Usually they're safe to discard, but on some special cases it helps not disrupt some services. Block of code to find connections via netstat moved to procmon/
2023-02-04 16:43:24 +01:00
procmon.GetInodeFromNetstat(c.Entry, &inodeList, c.Protocol, c.SrcIP, c.SrcPort, c.DstIP, c.DstPort)
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
}
for n, inode := range inodeList {
pid = procmon.GetPIDFromINode(inode, fmt.Sprint(inode, c.SrcIP, c.SrcPort, c.DstIP, c.DstPort))
if pid != -1 {
improved connections parsing Under certain conditions, when we dumped inodes via netlink, we were linking network connections to wrong applications. - To improve this situation: 1) Use netfilter's UID by default: Sometimes the UID reported via netlink was different than the one reported by libnetfilter. libnetfilter UID is always correct. If you had a rule that filtered by UID, this problem could cause to prompt you again to allow the connection. 2) Use the netlink entry that matches exactly the properties of an outgoing connection: There're some in-kernel sockets that doesn't match 1:1 outgoing connections (daemon/netlink/socket.go#L22). In order to identify the applications that initiate these network connections we use a workaround. But under certain conditions (source port reuse), we were associating connections to wrong applications. So in order to avoid this problem, if there's a 1:1 match use that netlink entry. If not, fallback to the workaround. - misc: added more logs to better debug these issues.
2021-11-15 13:26:52 +01:00
log.Debug("[%d] PID found %d [%d]", n, pid, inode)
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
c.Entry.INode = inode
break
}
Lookup inode and uid via netlink It has some advantages over parsing /proc, like performance and reliability.
2019-12-01 20:10:49 +01:00
}
netlink: get active connections by source port + protocol - Dump connections from kernel querying by source port + protocol. - Prioritize responses which match the outgoing connection. - If we don't get any response, apply the default action configured in /etc/opensnitchd/default-config.json -- A connection can be considered unique if: protocol + source port + source ip + destination ip + destination port We can be quite sure that only one process has created the connection. However, many times, querying the kernel for the connection details by all these parameters results in no response. A regular query and normal response would be: query: TCP:47344:192.168.1.106 -> 151.101.65.140:443 response: 47344:192.168.1.106 -> 151.101.65.140:443, inode: 1234567, ... But in another cases, the details of the outgoing connection differs from the kernel response, or it even doesn't exist. However, if we query by protocol+source port, we can get more entries, and somewhat guess what program opened the outgoing connection. Some examples of querying by outgoing connection and response from kernel: query: 8612:192.168.1.5 -> 192.168.1.255:8612 response: 8612:192.168.1.105 -> 0.0.0.0:0 query: 123:192.168.1.5 -> 217.144.138.234:123 response: 123:0.0.0.0 -> 0.0.0.0:0 query: 45015:127.0.0.1 -> 239.255.255.250:1900 response: 45015:127.0.0.1 -> 0.0.0.0:0 query: 50416:fe80::9fc2:ddcf:df22:aa50 -> fe80::1:53 response: 50416:254.128.0.0 -> 254.128.0.0:53 query: 51413:192.168.1.106 -> 103.224.182.250:1337 response: 51413:0.0.0.0 -> 0.0.0.0:0
2020-04-05 19:14:51 +02:00
}
fixed getting process uid under certain situations
2020-04-12 01:38:39 +02:00
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
if pid == os.Getpid() {
// return a Process object with our PID, to be able to exclude our own connections
// (to the UI on a local socket for example)
obtain process's parent hierarchy, checksums improvements - Obtain the process's parent hierarchy. - Display the hierarchy on the pop-ups and the process dialog. - [pop-ups] Added a Detailed view with all the metadata of the process. - [cache-events] Improved the cache of processes. - [ruleseditor] Fixed enabling md5 checksum widget. Related: #413, #406
2023-09-30 18:31:19 +02:00
c.Process = procmon.NewProcessEmpty(pid, "")
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
return c, nil
netlink: get active connections by source port + protocol - Dump connections from kernel querying by source port + protocol. - Prioritize responses which match the outgoing connection. - If we don't get any response, apply the default action configured in /etc/opensnitchd/default-config.json -- A connection can be considered unique if: protocol + source port + source ip + destination ip + destination port We can be quite sure that only one process has created the connection. However, many times, querying the kernel for the connection details by all these parameters results in no response. A regular query and normal response would be: query: TCP:47344:192.168.1.106 -> 151.101.65.140:443 response: 47344:192.168.1.106 -> 151.101.65.140:443, inode: 1234567, ... But in another cases, the details of the outgoing connection differs from the kernel response, or it even doesn't exist. However, if we query by protocol+source port, we can get more entries, and somewhat guess what program opened the outgoing connection. Some examples of querying by outgoing connection and response from kernel: query: 8612:192.168.1.5 -> 192.168.1.255:8612 response: 8612:192.168.1.105 -> 0.0.0.0:0 query: 123:192.168.1.5 -> 217.144.138.234:123 response: 123:0.0.0.0 -> 0.0.0.0:0 query: 45015:127.0.0.1 -> 239.255.255.250:1900 response: 45015:127.0.0.1 -> 0.0.0.0:0 query: 50416:fe80::9fc2:ddcf:df22:aa50 -> fe80::1:53 response: 50416:254.128.0.0 -> 254.128.0.0:53 query: 51413:192.168.1.106 -> 103.224.182.250:1337 response: 51413:0.0.0.0 -> 0.0.0.0:0
2020-04-05 19:14:51 +02:00
}
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
if nfp.UID != 0xffffffff {
uid = int(nfp.UID)
}
c.Entry.UserId = uid
if c.Process == nil {
if c.Process = procmon.FindProcess(pid, showUnknownCons); c.Process == nil {
return nil, fmt.Errorf("Could not find process by its pid %d for: %s", pid, c)
}
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
}
netlink: get active connections by source port + protocol - Dump connections from kernel querying by source port + protocol. - Prioritize responses which match the outgoing connection. - If we don't get any response, apply the default action configured in /etc/opensnitchd/default-config.json -- A connection can be considered unique if: protocol + source port + source ip + destination ip + destination port We can be quite sure that only one process has created the connection. However, many times, querying the kernel for the connection details by all these parameters results in no response. A regular query and normal response would be: query: TCP:47344:192.168.1.106 -> 151.101.65.140:443 response: 47344:192.168.1.106 -> 151.101.65.140:443, inode: 1234567, ... But in another cases, the details of the outgoing connection differs from the kernel response, or it even doesn't exist. However, if we query by protocol+source port, we can get more entries, and somewhat guess what program opened the outgoing connection. Some examples of querying by outgoing connection and response from kernel: query: 8612:192.168.1.5 -> 192.168.1.255:8612 response: 8612:192.168.1.105 -> 0.0.0.0:0 query: 123:192.168.1.5 -> 217.144.138.234:123 response: 123:0.0.0.0 -> 0.0.0.0:0 query: 45015:127.0.0.1 -> 239.255.255.250:1900 response: 45015:127.0.0.1 -> 0.0.0.0:0 query: 50416:fe80::9fc2:ddcf:df22:aa50 -> fe80::1:53 response: 50416:254.128.0.0 -> 254.128.0.0:53 query: 51413:192.168.1.106 -> 103.224.182.250:1337 response: 51413:0.0.0.0 -> 0.0.0.0:0
2020-04-05 19:14:51 +02:00
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
return c, nil
IPv6 support
2018-11-21 00:25:47 +01:00
}
formatted connman/
2020-03-06 21:44:47 +01:00
// NewConnection creates a new Connection object, and returns the details of it.
fixed errors when IPv6 is not enabled in the system If IPv6 was not enabled we failed to add IPv6 rules. closes #96
2020-11-26 16:25:48 +01:00
func NewConnection(nfp *netfilter.Packet) (c *Connection, err error) {
ipv4 := nfp.Packet.Layer(layers.LayerTypeIPv4)
if ipv4 == nil {
return nil, errors.New("Error getting IPv4 layer")
}
ip, ok := ipv4.(*layers.IPv4)
if !ok {
return nil, errors.New("Error getting IPv4 layer data")
}
IPv6 support
2018-11-21 00:25:47 +01:00
c = &Connection{
SrcIP: ip.SrcIP,
DstIP: ip.DstIP,
do not assign an IP to the DstHost field In case we're connecting to an IP directly, or if an IP is not resolved, leave the DstHost field empty and format it appropiately on the UIs. Otherwise we can't know (easily) if the field DstHost of a connection is an IP or a domain.
2020-10-19 01:29:00 +02:00
DstHost: dns.HostOr(ip.DstIP, ""),
rules: allow to filter by network interface name Now you can create rules to filter network interface name. Regular expresions allowed: "eth[0-9]" Closes #726
2022-09-24 17:12:09 +02:00
Pkt: nfp,
IPv6 support
2018-11-21 00:25:47 +01:00
}
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
improved packets parsing We were checking several times if a packet was IPv6. Additionally we were itereating over all the layers of the packet, when in reality we're only interested in network layer and transport layer. This change brings down packets parsing from ~200µs to ~2µs.
2020-11-24 01:35:36 +01:00
return newConnectionImpl(nfp, c, "")
IPv6 support
2018-11-21 00:25:47 +01:00
}
formatted connman/
2020-03-06 21:44:47 +01:00
// NewConnection6 creates a IPv6 new Connection object, and returns the details of it.
fixed errors when IPv6 is not enabled in the system If IPv6 was not enabled we failed to add IPv6 rules. closes #96
2020-11-26 16:25:48 +01:00
func NewConnection6(nfp *netfilter.Packet) (c *Connection, err error) {
ipv6 := nfp.Packet.Layer(layers.LayerTypeIPv6)
if ipv6 == nil {
return nil, errors.New("Error getting IPv6 layer")
}
ip, ok := ipv6.(*layers.IPv6)
if !ok {
return nil, errors.New("Error getting IPv6 layer data")
}
IPv6 support
2018-11-21 00:25:47 +01:00
c = &Connection{
SrcIP: ip.SrcIP,
DstIP: ip.DstIP,
do not assign an IP to the DstHost field In case we're connecting to an IP directly, or if an IP is not resolved, leave the DstHost field empty and format it appropiately on the UIs. Otherwise we can't know (easily) if the field DstHost of a connection is an IP or a domain.
2020-10-19 01:29:00 +02:00
DstHost: dns.HostOr(ip.DstIP, ""),
rules: allow to filter by network interface name Now you can create rules to filter network interface name. Regular expresions allowed: "eth[0-9]" Closes #726
2022-09-24 17:12:09 +02:00
Pkt: nfp,
IPv6 support
2018-11-21 00:25:47 +01:00
}
improved packets parsing We were checking several times if a packet was IPv6. Additionally we were itereating over all the layers of the packet, when in reality we're only interested in network layer and transport layer. This change brings down packets parsing from ~200µs to ~2µs.
2020-11-24 01:35:36 +01:00
return newConnectionImpl(nfp, c, "6")
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
}
improved packets parsing We were checking several times if a packet was IPv6. Additionally we were itereating over all the layers of the packet, when in reality we're only interested in network layer and transport layer. This change brings down packets parsing from ~200µs to ~2µs.
2020-11-24 01:35:36 +01:00
func (c *Connection) parseDirection(protoType string) bool {
IPv6 support
2018-11-21 00:25:47 +01:00
ret := false
rules: allow to filter by network interface name Now you can create rules to filter network interface name. Regular expresions allowed: "eth[0-9]" Closes #726
2022-09-24 17:12:09 +02:00
if tcpLayer := c.Pkt.Packet.Layer(layers.LayerTypeTCP); tcpLayer != nil {
improved packets parsing We were checking several times if a packet was IPv6. Additionally we were itereating over all the layers of the packet, when in reality we're only interested in network layer and transport layer. This change brings down packets parsing from ~200µs to ~2µs.
2020-11-24 01:35:36 +01:00
if tcp, ok := tcpLayer.(*layers.TCP); ok == true && tcp != nil {
c.Protocol = "tcp" + protoType
c.DstPort = uint(tcp.DstPort)
c.SrcPort = uint(tcp.SrcPort)
ret = true
if tcp.DstPort == 53 {
rules: allow to filter by network interface name Now you can create rules to filter network interface name. Regular expresions allowed: "eth[0-9]" Closes #726
2022-09-24 17:12:09 +02:00
c.getDomains(c.Pkt, c)
Intercept and parse UDPLite connections /proc/net/udplite[6]
2019-10-29 20:01:45 +01:00
}
misc: small fix or general refactoring i did not bother commenting
2018-04-16 19:28:28 +02:00
}
rules: allow to filter by network interface name Now you can create rules to filter network interface name. Regular expresions allowed: "eth[0-9]" Closes #726
2022-09-24 17:12:09 +02:00
} else if udpLayer := c.Pkt.Packet.Layer(layers.LayerTypeUDP); udpLayer != nil {
improved packets parsing We were checking several times if a packet was IPv6. Additionally we were itereating over all the layers of the packet, when in reality we're only interested in network layer and transport layer. This change brings down packets parsing from ~200µs to ~2µs.
2020-11-24 01:35:36 +01:00
if udp, ok := udpLayer.(*layers.UDP); ok == true && udp != nil {
c.Protocol = "udp" + protoType
c.DstPort = uint(udp.DstPort)
c.SrcPort = uint(udp.SrcPort)
ret = true
if udp.DstPort == 53 {
rules: allow to filter by network interface name Now you can create rules to filter network interface name. Regular expresions allowed: "eth[0-9]" Closes #726
2022-09-24 17:12:09 +02:00
c.getDomains(c.Pkt, c)
IPv6 support
2018-11-21 00:25:47 +01:00
}
}
rules: allow to filter by network interface name Now you can create rules to filter network interface name. Regular expresions allowed: "eth[0-9]" Closes #726
2022-09-24 17:12:09 +02:00
} else if udpliteLayer := c.Pkt.Packet.Layer(layers.LayerTypeUDPLite); udpliteLayer != nil {
improved packets parsing We were checking several times if a packet was IPv6. Additionally we were itereating over all the layers of the packet, when in reality we're only interested in network layer and transport layer. This change brings down packets parsing from ~200µs to ~2µs.
2020-11-24 01:35:36 +01:00
if udplite, ok := udpliteLayer.(*layers.UDPLite); ok == true && udplite != nil {
c.Protocol = "udplite" + protoType
c.DstPort = uint(udplite.DstPort)
c.SrcPort = uint(udplite.SrcPort)
ret = true
}
added initial support for ICMP and SCTP Closes: 714
2022-12-18 00:41:06 +01:00
} else if sctpLayer := c.Pkt.Packet.Layer(layers.LayerTypeSCTP); sctpLayer != nil {
if sctp, ok := sctpLayer.(*layers.SCTP); ok == true && sctp != nil {
c.Protocol = "sctp" + protoType
c.DstPort = uint(sctp.DstPort)
c.SrcPort = uint(sctp.SrcPort)
ret = true
}
} else if icmpLayer := c.Pkt.Packet.Layer(layers.LayerTypeICMPv4); icmpLayer != nil {
if icmp, ok := icmpLayer.(*layers.ICMPv4); ok == true && icmp != nil {
c.Protocol = "icmp"
c.DstPort = 0
c.SrcPort = 0
ret = true
}
} else if icmp6Layer := c.Pkt.Packet.Layer(layers.LayerTypeICMPv6); icmp6Layer != nil {
if icmp6, ok := icmp6Layer.(*layers.ICMPv6); ok == true && icmp6 != nil {
c.Protocol = "icmp" + protoType
c.DstPort = 0
c.SrcPort = 0
ret = true
}
IPv6 support
2018-11-21 00:25:47 +01:00
}
improved packets parsing We were checking several times if a packet was IPv6. Additionally we were itereating over all the layers of the packet, when in reality we're only interested in network layer and transport layer. This change brings down packets parsing from ~200µs to ~2µs.
2020-11-24 01:35:36 +01:00
IPv6 support
2018-11-21 00:25:47 +01:00
return ret
misc: small fix or general refactoring i did not bother commenting
2018-04-16 19:28:28 +02:00
}
find connections with connection fields swapped Under certain situations, like when using systemd-resolved as DNS resolver, we receive outbound connections with the fields swapped: Instead of: local-port:local-ip -> public-ip:public-port we receive: public-port:public-ip -> local-ip:local-port Sometimes this behaviour causes network slowdowns, or no network at all. If we swap the fields of these connections, then we're able to get the process and keep functioning as usual. But what causes this behaviour is yet unknown, and needs further analysis. See these issues for more information: #779 , #711
2022-12-20 17:16:20 +01:00
// swapFields swaps connection's fields.
// Used to workaround an issue where outbound connections
// have the fields swapped (procmon/ebpf/find.go).
func (c *Connection) swapFields() {
oEntry := c.Entry
c.Entry = &netstat.Entry{
Proto: c.Protocol,
SrcIP: oEntry.DstIP,
DstIP: oEntry.SrcIP,
SrcPort: oEntry.DstPort,
DstPort: oEntry.SrcPort,
UserId: oEntry.UserId,
INode: oEntry.INode,
}
c.SrcIP = oEntry.DstIP
c.DstIP = oEntry.SrcIP
c.DstPort = oEntry.SrcPort
c.SrcPort = oEntry.DstPort
}
Allow to see which domain a process is trying to resolve Ideally this information should go in a different Connection field, but for now lets use DstHost.
2019-11-08 01:38:26 +01:00
func (c *Connection) getDomains(nfp *netfilter.Packet, con *Connection) {
domains := dns.GetQuestions(nfp)
improved connections parsing, minor refactoring When using proc monitor method + interceptUnknown, allow to ask the user about connections not associated with a process. Usually they're safe to discard, but on some special cases it helps not disrupt some services. Block of code to find connections via netstat moved to procmon/
2023-02-04 16:43:24 +01:00
if len(domains) < 1 {
return
}
for _, dns := range domains {
con.DstHost = dns
Allow to see which domain a process is trying to resolve Ideally this information should go in a different Connection field, but for now lets use DstHost.
2019-11-08 01:38:26 +01:00
}
}
improved packets parsing We were checking several times if a packet was IPv6. Additionally we were itereating over all the layers of the packet, when in reality we're only interested in network layer and transport layer. This change brings down packets parsing from ~200µs to ~2µs.
2020-11-24 01:35:36 +01:00
// To returns the destination host of a connection.
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
func (c *Connection) To() string {
if c.DstHost == "" {
return c.DstIP.String()
}
logging: better connections logging - in DEBUG level log dst_host(dst_ip), instead of only dst_host.
2023-03-10 22:02:02 +01:00
return fmt.Sprintf("%s (%s)", c.DstHost, c.DstIP)
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
}
func (c *Connection) String() string {
if c.Entry == nil {
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
return fmt.Sprintf("%d:%s ->(%s)-> %s:%d", c.SrcPort, c.SrcIP, c.Protocol, c.To(), c.DstPort)
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
}
if c.Process == nil {
ebpf: improved process detection/new events module Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed.
2022-06-24 01:09:45 +02:00
return fmt.Sprintf("%d:%s (uid:%d) ->(%s)-> %s:%d", c.SrcPort, c.SrcIP, c.Entry.UserId, c.Protocol, c.To(), c.DstPort)
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
}
return fmt.Sprintf("%s (%d) -> %s:%d (proto:%s uid:%d)", c.Process.Path, c.Process.ID, c.To(), c.DstPort, c.Protocol, c.Entry.UserId)
}
ui service to test and benchmark gRPC IPC
2018-04-02 19:10:42 +02:00
formatted connman/
2020-03-06 21:44:47 +01:00
// Serialize returns a connection serialized.
when the thc kicks in and you find a better logic, better naming, better design and new ideas
2018-04-08 15:32:20 +02:00
func (c *Connection) Serialize() *protocol.Connection {
getparents code reorganization Deoptimizing GetParents() until we figure out how to do it without leaking mem.
2023-10-04 00:58:17 +02:00
c.Process.RLock()
defer c.Process.RUnlock()
when the thc kicks in and you find a better logic, better naming, better design and new ideas
2018-04-08 15:32:20 +02:00
return &protocol.Connection{
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
Protocol: c.Protocol,
SrcIp: c.SrcIP.String(),
SrcPort: uint32(c.SrcPort),
DstIp: c.DstIP.String(),
DstHost: c.DstHost,
DstPort: uint32(c.DstPort),
UserId: uint32(c.Entry.UserId),
ProcessId: uint32(c.Process.ID),
ProcessPath: c.Process.Path,
ProcessArgs: c.Process.Args,
ProcessEnv: c.Process.Env,
ProcessCwd: c.Process.CWD,
ProcessChecksums: c.Process.Checksums,
obtain process's parent hierarchy, checksums improvements - Obtain the process's parent hierarchy. - Display the hierarchy on the pop-ups and the process dialog. - [pop-ups] Added a Detailed view with all the metadata of the process. - [cache-events] Improved the cache of processes. - [ruleseditor] Fixed enabling md5 checksum widget. Related: #413, #406
2023-09-30 18:31:19 +02:00
ProcessTree: c.Process.Tree,
ui service to test and benchmark gRPC IPC
2018-04-02 19:10:42 +02:00
}
}
Reference in a new issue Copy permalink