NETOBSERV-1890: decode TCP flags (new stage/rule) (#747)

jotak · web-flow · commit 18e017f67001 · 2024-11-26T16:51:24.000+01:00
* NETOBSERV-1890: decode TCP flags (new stage/rule)

* Use flags list
diff --git a/docs/api.md b/docs/api.md
@@ -255,6 +255,7 @@ Following is the supported API format for network transformations:
                     add_kubernetes_infra: add output kubernetes isInfra field from input
                     reinterpret_direction: reinterpret flow direction at the node level (instead of net interface), to ease the deduplication process
                     add_subnet_label: categorize IPs based on known subnets configuration
+                    decode_tcp_flags: decode bitwise TCP flags into a string
                  kubernetes_infra: Kubernetes infra rule configuration
                      namespaceNameFields: entries for namespace and name input fields
                              name: name of the object
@@ -286,6 +287,9 @@ Following is the supported API format for network transformations:
                      input: entry input field
                      output: entry output field
                      protocol: entry protocol field
+                 decode_tcp_flags: Decode bitwise TCP flags into a string
+                     input: entry input field
+                     output: entry output field
          kubeConfig: global configuration related to Kubernetes (optional)
              configPath: path to kubeconfig file (optional)
              secondaryNetworks: configuration for secondary networks
diff --git a/pkg/api/transform_network.go b/pkg/api/transform_network.go
@@ -59,6 +59,7 @@ const (
 	NetworkAddKubernetesInfra   TransformNetworkOperationEnum = "add_kubernetes_infra"  // add output kubernetes isInfra field from input
 	NetworkReinterpretDirection TransformNetworkOperationEnum = "reinterpret_direction" // reinterpret flow direction at the node level (instead of net interface), to ease the deduplication process
 	NetworkAddSubnetLabel       TransformNetworkOperationEnum = "add_subnet_label"      // categorize IPs based on known subnets configuration
+	NetworkDecodeTCPFlags       TransformNetworkOperationEnum = "decode_tcp_flags"      // decode bitwise TCP flags into a string
 )
 
 type NetworkTransformRule struct {
@@ -69,6 +70,7 @@ type NetworkTransformRule struct {
 	AddLocation     *NetworkGenericRule           `yaml:"add_location,omitempty" json:"add_location,omitempty" doc:"Add location rule configuration"`
 	AddSubnetLabel  *NetworkAddSubnetLabelRule    `yaml:"add_subnet_label,omitempty" json:"add_subnet_label,omitempty" doc:"Add subnet label rule configuration"`
 	AddService      *NetworkAddServiceRule        `yaml:"add_service,omitempty" json:"add_service,omitempty" doc:"Add service rule configuration"`
+	DecodeTCPFlags  *NetworkGenericRule           `yaml:"decode_tcp_flags,omitempty" json:"decode_tcp_flags,omitempty" doc:"Decode bitwise TCP flags into a string"`
 }
 
 type K8sInfraRule struct {
diff --git a/pkg/pipeline/transform/transform_network.go b/pkg/pipeline/transform/transform_network.go
@@ -141,6 +141,13 @@ func (n *Network) Transform(inputEntry config.GenericMap) (config.GenericMap, bo
 					}
 				}
 			}
+		case api.NetworkDecodeTCPFlags:
+			if anyFlags, ok := outputEntry[rule.DecodeTCPFlags.Input]; ok && anyFlags != nil {
+				if flags, ok := anyFlags.(uint16); ok {
+					flags := util.DecodeTCPFlags(flags)
+					outputEntry[rule.DecodeTCPFlags.Output] = flags
+				}
+			}
 
 		default:
 			log.Panicf("unknown type %s for transform.Network rule: %v", rule.Type, rule)
@@ -194,7 +201,8 @@ func NewTransformNetwork(params config.StageParam, opMetrics *operational.Metric
 			if len(jsonNetworkTransform.SubnetLabels) == 0 {
 				return nil, fmt.Errorf("a rule '%s' was found, but there are no subnet labels configured", api.NetworkAddSubnetLabel)
 			}
-		case api.NetworkAddSubnet:
+		case api.NetworkAddSubnet, api.NetworkDecodeTCPFlags:
+			// nothing
 		}
 	}
 
diff --git a/pkg/utils/tcp_flags.go b/pkg/utils/tcp_flags.go
@@ -0,0 +1,30 @@
+package utils
+
+type tcpFlag struct {
+	value uint16
+	name  string
+}
+
+var tcpFlags = []tcpFlag{
+	{value: 1, name: "FIN"},
+	{value: 2, name: "SYN"},
+	{value: 4, name: "RST"},
+	{value: 8, name: "PSH"},
+	{value: 16, name: "ACK"},
+	{value: 32, name: "URG"},
+	{value: 64, name: "ECE"},
+	{value: 128, name: "CWR"},
+	{value: 256, name: "SYN_ACK"},
+	{value: 512, name: "FIN_ACK"},
+	{value: 1024, name: "RST_ACK"},
+}
+
+func DecodeTCPFlags(bitfield uint16) []string {
+	var values []string
+	for _, flag := range tcpFlags {
+		if bitfield&flag.value != 0 {
+			values = append(values, flag.name)
+		}
+	}
+	return values
+}
diff --git a/pkg/utils/tcp_flags_test.go b/pkg/utils/tcp_flags_test.go
@@ -0,0 +1,18 @@
+package utils
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestDecodeFlags(t *testing.T) {
+	flags528 := DecodeTCPFlags(528)
+	assert.Equal(t, []string{"ACK", "FIN_ACK"}, flags528)
+
+	flags256 := DecodeTCPFlags(256)
+	assert.Equal(t, []string{"SYN_ACK"}, flags256)
+
+	flags666 := DecodeTCPFlags(666)
+	assert.Equal(t, []string{"SYN", "PSH", "ACK", "CWR", "FIN_ACK"}, flags666)
+}

Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,7 @@ const (`
`59`	`59`	`NetworkAddKubernetesInfra TransformNetworkOperationEnum = "add_kubernetes_infra" // add output kubernetes isInfra field from input`
`60`	`60`	`NetworkReinterpretDirection TransformNetworkOperationEnum = "reinterpret_direction" // reinterpret flow direction at the node level (instead of net interface), to ease the deduplication process`
`61`	`61`	`NetworkAddSubnetLabel TransformNetworkOperationEnum = "add_subnet_label" // categorize IPs based on known subnets configuration`
	`62`	`+ NetworkDecodeTCPFlags TransformNetworkOperationEnum = "decode_tcp_flags" // decode bitwise TCP flags into a string`
`62`	`63`	`)`
`63`	`64`
`64`	`65`	`type NetworkTransformRule struct {`
`@@ -69,6 +70,7 @@ type NetworkTransformRule struct {`
`69`	`70`	AddLocation *NetworkGenericRule `yaml:"add_location,omitempty" json:"add_location,omitempty" doc:"Add location rule configuration"`
`70`	`71`	AddSubnetLabel *NetworkAddSubnetLabelRule `yaml:"add_subnet_label,omitempty" json:"add_subnet_label,omitempty" doc:"Add subnet label rule configuration"`
`71`	`72`	AddService *NetworkAddServiceRule `yaml:"add_service,omitempty" json:"add_service,omitempty" doc:"Add service rule configuration"`
	`73`	+ DecodeTCPFlags *NetworkGenericRule `yaml:"decode_tcp_flags,omitempty" json:"decode_tcp_flags,omitempty" doc:"Decode bitwise TCP flags into a string"`
`72`	`74`	`}`
`73`	`75`
`74`	`76`	`type K8sInfraRule struct {`
Original file line number	Diff line number	Diff line change
`@@ -141,6 +141,13 @@ func (n *Network) Transform(inputEntry config.GenericMap) (config.GenericMap, bo`
`141`	`141`	`}`
`142`	`142`	`}`
`143`	`143`	`}`
	`144`	`+ case api.NetworkDecodeTCPFlags:`
	`145`	`+ if anyFlags, ok := outputEntry[rule.DecodeTCPFlags.Input]; ok && anyFlags != nil {`
	`146`	`+ if flags, ok := anyFlags.(uint16); ok {`
	`147`	`+ flags := util.DecodeTCPFlags(flags)`
	`148`	`+ outputEntry[rule.DecodeTCPFlags.Output] = flags`
	`149`	`+ }`
	`150`	`+ }`
`144`	`151`
`145`	`152`	`default:`
`146`	`153`	`log.Panicf("unknown type %s for transform.Network rule: %v", rule.Type, rule)`
`@@ -194,7 +201,8 @@ func NewTransformNetwork(params config.StageParam, opMetrics *operational.Metric`
`194`	`201`	`if len(jsonNetworkTransform.SubnetLabels) == 0 {`
`195`	`202`	`return nil, fmt.Errorf("a rule '%s' was found, but there are no subnet labels configured", api.NetworkAddSubnetLabel)`
`196`	`203`	`}`
`197`		`- case api.NetworkAddSubnet:`
	`204`	`+ case api.NetworkAddSubnet, api.NetworkDecodeTCPFlags:`
	`205`	`+ // nothing`
`198`	`206`	`}`
`199`	`207`	`}`
`200`	`208`