diff --git a/bpf/flows.c b/bpf/flows.c index 6602c1904..44e06011b 100644 --- a/bpf/flows.c +++ b/bpf/flows.c @@ -93,6 +93,17 @@ static __always_inline void update_existing_flow(flow_metrics *aggregate_flow, p aggregate_flow->flags |= pkt->flags; aggregate_flow->dscp = pkt->dscp; aggregate_flow->sampling = sampling; + if (pkt->ssl_version != 0 && aggregate_flow->ssl_version != pkt->ssl_version) { + if (aggregate_flow->ssl_version == 0) { + aggregate_flow->ssl_version = pkt->ssl_version; + } else { + // If several SSL versions are found, keep just the smallest and set the "mismatch" flag + if (pkt->ssl_version < aggregate_flow->ssl_version) { + aggregate_flow->ssl_version = pkt->ssl_version; + } + aggregate_flow->misc_flags |= MISC_FLAGS_SSL_MISMATCH; + } + } } else if (if_index != 0) { // Only add info that we've seen this interface (we can also update end time & flags) aggregate_flow->end_mono_time_ts = pkt->current_ts; @@ -197,6 +208,7 @@ static inline int flow_monitor(struct __sk_buff *skb, u8 direction) { new_flow.sampling = flow_sampling; __builtin_memcpy(new_flow.dst_mac, eth->h_dest, ETH_ALEN); __builtin_memcpy(new_flow.src_mac, eth->h_source, ETH_ALEN); + new_flow.ssl_version = pkt.ssl_version; long ret = bpf_map_update_elem(&aggregated_flows, &id, &new_flow, BPF_NOEXIST); if (ret != 0) { diff --git a/bpf/types.h b/bpf/types.h index 500620de4..4bb41e09e 100644 --- a/bpf/types.h +++ b/bpf/types.h @@ -71,6 +71,8 @@ typedef __u64 u64; #define MAX_PAYLOAD_SIZE 256 +#define MISC_FLAGS_SSL_MISMATCH 0x01 + // according to field 61 in https://www.iana.org/assignments/ipfix/ipfix.xhtml typedef enum direction_t { INGRESS, @@ -110,6 +112,8 @@ typedef struct flow_metrics_t { u8 nb_observed_intf; u8 observed_direction[MAX_OBSERVED_INTERFACES]; u32 observed_intf[MAX_OBSERVED_INTERFACES]; + u16 ssl_version; + u8 misc_flags; } flow_metrics; // Force emitting enums/structs into the ELF 
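Review bot: The keep-the-smallest rule in the added `else` branch of update_existing_flow makes a single low reading permanent for the flow, and it will probably fire on ordinary traffic. Many clients put 0x0301 in the record header of the first ClientHello and 0x0303 in later records, so a healthy TLS 1.2/1.3 flow would likely end up stored as 0x0301 with `MISC_FLAGS_SSL_MISMATCH` set. Until the handshake TODO in fill_tls_info (bpf/utils.h) is resolved, either stop handshake records from lowering the stored version or state the limitation above the block, e.g. `// NOTE: ssl_version is the record-layer version; an initial ClientHello may legitimately carry 0x0301`. The function begins above this hunk and continues below it.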
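Review bot: `MISC_FLAGS_SSL_MISMATCH` in bpf/types.h has no comment tying it to `flow_metrics.misc_flags` or to the Go constant `MiscFlagsSSLMismatch`, which pkg/model/record.go declares with the same value in this commit. The two values are kept equal by hand, so a new flag added on one side only would be misread on the other. A comment such as `// Bits of flow_metrics.misc_flags; keep in sync with MiscFlagsSSLMismatch in pkg/model/record.go` would make the coupling visible.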
@@ -192,6 +196,7 @@ typedef struct pkt_info_t { u16 dns_id; u16 dns_flags; u64 dns_latency; + u16 ssl_version; } pkt_info; // Structure for payload metadata diff --git a/bpf/utils.h b/bpf/utils.h index 09a6b8533..a58713073 100644 --- a/bpf/utils.h +++ b/bpf/utils.h @@ -50,6 +50,22 @@ static inline void set_flags(struct tcphdr *th, u16 *flags) { } } +// Extract TLS info +static inline void fill_tls_info(struct tcphdr *tcp, void *data_end, pkt_info *pkt) { + void *start_payload = ((void *)tcp) + (tcp->doff * 4); + if (start_payload + 5 <= data_end) { + if (((u8 *)start_payload)[0] == 0x16) { + // TODO handshake special case, see https://www.netmeister.org/blog/tcpdump-ssl-and-tls.html + pkt->ssl_version = + ((u16)(((u8 *)start_payload)[1])) << 8 | (u16)(((u8 *)start_payload)[2]); + } else if (((u8 *)start_payload)[0] == 0x14 || ((u8 *)start_payload)[0] == 0x15 || + ((u8 *)start_payload)[0] == 0x17) { + pkt->ssl_version = + ((u16)(((u8 *)start_payload)[1])) << 8 | (u16)(((u8 *)start_payload)[2]); + } + } +} + // Extract L4 info for the supported protocols static inline void fill_l4info(void *l4_hdr_start, void *data_end, u8 protocol, pkt_info *pkt) { flow_id *id = pkt->id; @@ -62,6 +78,7 @@ static inline void fill_l4info(void *l4_hdr_start, void *data_end, u8 protocol, id->dst_port = bpf_ntohs(tcp->dest); set_flags(tcp, &pkt->flags); pkt->l4_hdr = (void *)tcp; + fill_tls_info(tcp, data_end, pkt); } } break; case IPPROTO_UDP: { diff --git a/pkg/decode/decode_protobuf.go b/pkg/decode/decode_protobuf.go index 784330059..3d7f400aa 100644 --- a/pkg/decode/decode_protobuf.go +++ b/pkg/decode/decode_protobuf.go @@ -148,6 +148,12 @@ func RecordToMap(fr *model.Record) config.GenericMap { out["IPSecRetCode"] = int32(0) out["IPSecStatus"] = "success" } + if tlsVersion := fr.Metrics.SSLVersionToString(); tlsVersion != "" { + out["TLSVersion"] = tlsVersion + } + if fr.Metrics.HasSSLMismatch() { + out["TLSMismatch"] = true + } } if fr.TimeFlowRtt != 0 { 
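Review bot: fill_tls_info records bytes 1–2 of any TCP payload whose first byte is 0x14–0x17 as a TLS version, without checking that they look like one. Non-TLS traffic and TCP segments that start in the middle of an encrypted record will sometimes match, writing arbitrary 16-bit values into `pkt->ssl_version`; update_existing_flow then keeps the smallest, and it is exported as TLSVersion/TLSMismatch, which makes the field unreliable for anyone alerting on weak TLS. I would accept only a major byte of 0x03 with a minor byte of at most 0x04, and fold the two identical branches into one until the handshake TODO is implemented. A `tcp->doff` below 5 also places `start_payload` inside the TCP header, so a lower-bound check is worth adding.

```c
static inline void fill_tls_info(struct tcphdr *tcp, void *data_end, pkt_info *pkt) {
    if (tcp->doff < 5) {
        return; // malformed header: payload offset would fall inside the TCP header
    }
    u8 *rec = ((u8 *)tcp) + (tcp->doff * 4);
    if ((void *)(rec + 5) > data_end) {
        return;
    }
    // TLS record content types: 0x14 .. 0x17
    // TODO handshake special case, see https://www.netmeister.org/blog/tcpdump-ssl-and-tls.html
    if (rec[0] < 0x14 || rec[0] > 0x17) {
        return;
    }
    // Accept only record-layer encodings 0x0300 .. 0x0304
    if (rec[1] != 0x03 || rec[2] > 0x04) {
        return;
    }
    pkt->ssl_version = ((u16)rec[1]) << 8 | (u16)rec[2];
}
```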
diff --git a/pkg/decode/decode_protobuf_test.go b/pkg/decode/decode_protobuf_test.go index 503a3177d..4a16884cc 100644 --- a/pkg/decode/decode_protobuf_test.go +++ b/pkg/decode/decode_protobuf_test.go @@ -98,6 +98,7 @@ func TestPBFlowToMap(t *testing.T) { }, IpsecEncrypted: 1, IpsecEncryptedRet: 0, + SslVersion: 0x0303, } out := PBFlowToMap(flow) @@ -155,5 +156,6 @@ func TestPBFlowToMap(t *testing.T) { "ZoneId": uint16(100), "IPSecRetCode": int32(0), "IPSecStatus": "success", + "TLSVersion": "TLS 1.2", }, out) } diff --git a/pkg/ebpf/bpf_arm64_bpfel.go b/pkg/ebpf/bpf_arm64_bpfel.go index 400595e5e..bd69b0ddf 100644 --- a/pkg/ebpf/bpf_arm64_bpfel.go +++ b/pkg/ebpf/bpf_arm64_bpfel.go @@ -138,7 +138,9 @@ type BpfFlowMetricsT struct { ObservedDirection [6]uint8 _ [2]byte ObservedIntf [6]uint32 - _ [4]byte + SslVersion uint16 + MiscFlags uint8 + _ [1]byte } type BpfFlowRecordT struct { diff --git a/pkg/ebpf/bpf_arm64_bpfel.o b/pkg/ebpf/bpf_arm64_bpfel.o index 54d7d1d9d..047e96555 100644 Binary files a/pkg/ebpf/bpf_arm64_bpfel.o and b/pkg/ebpf/bpf_arm64_bpfel.o differ diff --git a/pkg/ebpf/bpf_powerpc_bpfel.go b/pkg/ebpf/bpf_powerpc_bpfel.go index dd023874b..123ce0eae 100644 --- a/pkg/ebpf/bpf_powerpc_bpfel.go +++ b/pkg/ebpf/bpf_powerpc_bpfel.go @@ -138,7 +138,9 @@ type BpfFlowMetricsT struct { ObservedDirection [6]uint8 _ [2]byte ObservedIntf [6]uint32 - _ [4]byte + SslVersion uint16 + MiscFlags uint8 + _ [1]byte } type BpfFlowRecordT struct { diff --git a/pkg/ebpf/bpf_powerpc_bpfel.o b/pkg/ebpf/bpf_powerpc_bpfel.o index ae6a7fe2c..0f703e404 100644 Binary files a/pkg/ebpf/bpf_powerpc_bpfel.o and b/pkg/ebpf/bpf_powerpc_bpfel.o differ diff --git a/pkg/ebpf/bpf_s390_bpfeb.go b/pkg/ebpf/bpf_s390_bpfeb.go index fc25078be..646e1b9a5 100644 --- a/pkg/ebpf/bpf_s390_bpfeb.go +++ b/pkg/ebpf/bpf_s390_bpfeb.go 
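Review bot: The two TestPBFlowToMap hunks only cover the version path; nothing shown sets `SslMismatch` on the input or expects `"TLSMismatch": true`. That leaves the mismatch round trip untested (PBToFlow setting `MiscFlags`, RecordToMap reading it through HasSSLMismatch). Adding `SslMismatch: true,` next to `SslVersion: 0x0303,` and `"TLSMismatch": true,` to the expected map would cover it. The test function begins and ends outside these hunks.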
@@ -138,7 +138,9 @@ type BpfFlowMetricsT struct { ObservedDirection [6]uint8 _ [2]byte ObservedIntf [6]uint32 - _ [4]byte + SslVersion uint16 + MiscFlags uint8 + _ [1]byte } type BpfFlowRecordT struct { diff --git a/pkg/ebpf/bpf_s390_bpfeb.o b/pkg/ebpf/bpf_s390_bpfeb.o index aa38ced8a..ea199582e 100644 Binary files a/pkg/ebpf/bpf_s390_bpfeb.o and b/pkg/ebpf/bpf_s390_bpfeb.o differ diff --git a/pkg/ebpf/bpf_x86_bpfel.go b/pkg/ebpf/bpf_x86_bpfel.go index 22c157d7a..37f3f9848 100644 --- a/pkg/ebpf/bpf_x86_bpfel.go +++ b/pkg/ebpf/bpf_x86_bpfel.go @@ -138,7 +138,9 @@ type BpfFlowMetricsT struct { ObservedDirection [6]uint8 _ [2]byte ObservedIntf [6]uint32 - _ [4]byte + SslVersion uint16 + MiscFlags uint8 + _ [1]byte } type BpfFlowRecordT struct { diff --git a/pkg/ebpf/bpf_x86_bpfel.o b/pkg/ebpf/bpf_x86_bpfel.o index a1fdefe76..86d304026 100644 Binary files a/pkg/ebpf/bpf_x86_bpfel.o and b/pkg/ebpf/bpf_x86_bpfel.o differ diff --git a/pkg/exporter/converters_test.go b/pkg/exporter/converters_test.go index 0a4226d35..18fe039c8 100644 --- a/pkg/exporter/converters_test.go +++ b/pkg/exporter/converters_test.go @@ -48,6 +48,7 @@ func TestConversions(t *testing.T) { Flags: 0x100, Dscp: 64, Sampling: 1, + SslVersion: 0x0303, }, AdditionalMetrics: &ebpf.BpfAdditionalMetrics{ DnsRecord: ebpf.BpfDnsRecordT{ @@ -83,6 +84,7 @@ func TestConversions(t *testing.T) { "AgentIP": "10.11.12.13", "IPSecRetCode": 0, "IPSecStatus": "success", + "TLSVersion": "TLS 1.2", }, }, { @@ -333,6 +335,7 @@ func TestConversions(t *testing.T) { Packets: 123, Flags: 0x100, Dscp: 64, + SslVersion: 0x0200, }, AdditionalMetrics: &ebpf.BpfAdditionalMetrics{ DnsRecord: ebpf.BpfDnsRecordT{ @@ -389,6 +392,7 @@ func TestConversions(t *testing.T) { "TimeFlowRttNs": someDuration.Nanoseconds(), "IPSecRetCode": 0, "IPSecStatus": "success", + "TLSVersion": "SSL 2.0", }, }, { 
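Review bot: The expectation `"TLSVersion": "SSL 2.0"` for `SslVersion: 0x0200` in pkg/exporter/converters_test.go does not look reachable with the implementation in this commit. SSLVersionToString (pkg/model/record.go) returns `tls.VersionName(r.SslVersion)`, and as far as I know that function has no name for 0x0200 and falls back to a hex string such as `0x0200`. Either the expected value should be that fallback string, or SSLVersionToString needs its own case for legacy values; running this test case would confirm which. The test table starts and ends outside these hunks.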
@@ -410,6 +414,7 @@ func TestConversions(t *testing.T) { Packets: 1, Flags: 0x100, Dscp: 64, + SslVersion: 0x0303, }, AdditionalMetrics: &ebpf.BpfAdditionalMetrics{ DnsRecord: ebpf.BpfDnsRecordT{ @@ -447,6 +452,7 @@ func TestConversions(t *testing.T) { "AgentIP": "10.11.12.13", "IPSecRetCode": 0, "IPSecStatus": "success", + "TLSVersion": "TLS 1.2", }, }, } diff --git a/pkg/model/record.go b/pkg/model/record.go index 9ff2b315a..60d164050 100644 --- a/pkg/model/record.go +++ b/pkg/model/record.go @@ -1,6 +1,7 @@ package model import ( + "crypto/tls" "encoding/binary" "fmt" "io" @@ -25,6 +26,8 @@ const ( NetworkEventsMaxEventsMD = 8 MaxNetworkEvents = 4 MaxObservedInterfaces = 6 + + MiscFlagsSSLMismatch = 0x01 ) var recordLog = logrus.WithField("component", "model") @@ -222,3 +225,14 @@ func AllZeroIP(ip net.IP) bool { } return false } + +func (r *BpfFlowContent) SSLVersionToString() string { + if r.SslVersion == 0 { + return "" + } + return tls.VersionName(r.SslVersion) +} + +func (r *BpfFlowContent) HasSSLMismatch() bool { + return r.MiscFlags&MiscFlagsSSLMismatch > 0 +} diff --git a/pkg/pbflow/flow.pb.go b/pkg/pbflow/flow.pb.go index 6c52e6f3b..9ead92e1b 100644 --- a/pkg/pbflow/flow.pb.go +++ b/pkg/pbflow/flow.pb.go @@ -299,6 +299,8 @@ type Record struct { Sampling uint32 `protobuf:"varint,29,opt,name=sampling,proto3" json:"sampling,omitempty"` IpsecEncrypted uint32 `protobuf:"varint,30,opt,name=ipsec_encrypted,json=ipsecEncrypted,proto3" json:"ipsec_encrypted,omitempty"` IpsecEncryptedRet int32 `protobuf:"varint,31,opt,name=ipsec_encrypted_ret,json=ipsecEncryptedRet,proto3" json:"ipsec_encrypted_ret,omitempty"` + SslVersion uint32 `protobuf:"varint,32,opt,name=ssl_version,json=sslVersion,proto3" json:"ssl_version,omitempty"` + SslMismatch bool `protobuf:"varint,33,opt,name=ssl_mismatch,json=sslMismatch,proto3" json:"ssl_mismatch,omitempty"` } func (x *Record) Reset() { 
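Review bot: The two new exported methods in pkg/model/record.go have no doc comments, and the name SSLVersionToString hides what the number is. It is the version field of the TLS record header captured by fill_tls_info, not the negotiated protocol version. TLS 1.3 records carry 0x0303 in that field, so TLS 1.3 flows would be labelled "TLS 1.2", which consumers alerting on TLSVersion need to know. I would add `// SSLVersionToString names the TLS record-layer version seen on the flow ("" if none); it is not the negotiated version.` and `// HasSSLMismatch reports whether more than one record-layer version was seen on the flow.`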
@@ -548,6 +550,20 @@ func (x *Record) GetIpsecEncryptedRet() int32 { return 0 } +func (x *Record) GetSslVersion() uint32 { + if x != nil { + return x.SslVersion + } + return 0 +} + +func (x *Record) GetSslMismatch() bool { + if x != nil { + return x.SslMismatch + } + return false +} + type DataLink struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -909,7 +925,7 @@ var file_proto_flow_proto_rawDesc = []byte{ 0x0b, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, - 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0xa1, 0x0a, 0x0a, 0x06, 0x52, 0x65, 0x63, + 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0xe5, 0x0a, 0x0a, 0x06, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x12, 0x21, 0x0a, 0x0c, 0x65, 0x74, 0x68, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0b, 0x65, 0x74, 0x68, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x2f, 0x0a, 0x09, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 
@@ -991,46 +1007,50 @@ var file_proto_flow_proto_rawDesc = []byte{ 0x73, 0x65, 0x63, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x12, 0x2e, 0x0a, 0x13, 0x69, 0x70, 0x73, 0x65, 0x63, 0x5f, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x5f, 0x72, 0x65, 0x74, 0x18, 0x1f, 0x20, 0x01, 0x28, 0x05, 0x52, 0x11, 0x69, 0x70, 0x73, 0x65, 0x63, - 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x52, 0x65, 0x74, 0x22, 0x3c, 0x0a, 0x08, - 0x44, 0x61, 0x74, 0x61, 0x4c, 0x69, 0x6e, 0x6b, 0x12, 0x17, 0x0a, 0x07, 0x73, 0x72, 0x63, 0x5f, - 0x6d, 0x61, 0x63, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x06, 0x73, 0x72, 0x63, 0x4d, 0x61, - 0x63, 0x12, 0x17, 0x0a, 0x07, 0x64, 0x73, 0x74, 0x5f, 0x6d, 0x61, 0x63, 0x18, 0x02, 0x20, 0x01, - 0x28, 0x04, 0x52, 0x06, 0x64, 0x73, 0x74, 0x4d, 0x61, 0x63, 0x22, 0x6b, 0x0a, 0x07, 0x4e, 0x65, - 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x12, 0x25, 0x0a, 0x08, 0x73, 0x72, 0x63, 0x5f, 0x61, 0x64, 0x64, - 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0a, 0x2e, 0x70, 0x62, 0x66, 0x6c, 0x6f, 0x77, - 0x2e, 0x49, 0x50, 0x52, 0x07, 0x73, 0x72, 0x63, 0x41, 0x64, 0x64, 0x72, 0x12, 0x25, 0x0a, 0x08, - 0x64, 0x73, 0x74, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0a, - 0x2e, 0x70, 0x62, 0x66, 0x6c, 0x6f, 0x77, 0x2e, 0x49, 0x50, 0x52, 0x07, 0x64, 0x73, 0x74, 0x41, - 0x64, 0x64, 0x72, 0x12, 0x12, 0x0a, 0x04, 0x64, 0x73, 0x63, 0x70, 0x18, 0x03, 0x20, 0x01, 0x28, - 0x0d, 0x52, 0x04, 0x64, 0x73, 0x63, 0x70, 0x22, 0x3d, 0x0a, 0x02, 0x49, 0x50, 0x12, 0x14, 0x0a, - 0x04, 0x69, 0x70, 0x76, 0x34, 0x18, 0x01, 0x20, 0x01, 0x28, 0x07, 0x48, 0x00, 0x52, 0x04, 0x69, - 0x70, 0x76, 0x34, 0x12, 0x14, 0x0a, 0x04, 0x69, 0x70, 0x76, 0x36, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x0c, 0x48, 0x00, 0x52, 0x04, 0x69, 0x70, 0x76, 0x36, 0x42, 0x0b, 0x0a, 0x09, 0x69, 0x70, 0x5f, - 0x66, 0x61, 0x6d, 0x69, 0x6c, 0x79, 0x22, 0x5d, 0x0a, 0x09, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, - 0x6f, 0x72, 0x74, 0x12, 0x19, 0x0a, 0x08, 0x73, 0x72, 0x63, 0x5f, 0x70, 
0x6f, 0x72, 0x74, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x07, 0x73, 0x72, 0x63, 0x50, 0x6f, 0x72, 0x74, 0x12, 0x19, - 0x0a, 0x08, 0x64, 0x73, 0x74, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, - 0x52, 0x07, 0x64, 0x73, 0x74, 0x50, 0x6f, 0x72, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x08, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x22, 0xa3, 0x01, 0x0a, 0x04, 0x58, 0x6c, 0x61, 0x74, 0x12, 0x25, - 0x0a, 0x08, 0x73, 0x72, 0x63, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x0a, 0x2e, 0x70, 0x62, 0x66, 0x6c, 0x6f, 0x77, 0x2e, 0x49, 0x50, 0x52, 0x07, 0x73, 0x72, - 0x63, 0x41, 0x64, 0x64, 0x72, 0x12, 0x25, 0x0a, 0x08, 0x64, 0x73, 0x74, 0x5f, 0x61, 0x64, 0x64, - 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0a, 0x2e, 0x70, 0x62, 0x66, 0x6c, 0x6f, 0x77, - 0x2e, 0x49, 0x50, 0x52, 0x07, 0x64, 0x73, 0x74, 0x41, 0x64, 0x64, 0x72, 0x12, 0x19, 0x0a, 0x08, - 0x73, 0x72, 0x63, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x07, - 0x73, 0x72, 0x63, 0x50, 0x6f, 0x72, 0x74, 0x12, 0x19, 0x0a, 0x08, 0x64, 0x73, 0x74, 0x5f, 0x70, - 0x6f, 0x72, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x07, 0x64, 0x73, 0x74, 0x50, 0x6f, - 0x72, 0x74, 0x12, 0x17, 0x0a, 0x07, 0x7a, 0x6f, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x05, 0x20, - 0x01, 0x28, 0x0d, 0x52, 0x06, 0x7a, 0x6f, 0x6e, 0x65, 0x49, 0x64, 0x2a, 0x24, 0x0a, 0x09, 0x44, - 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x0b, 0x0a, 0x07, 0x49, 0x4e, 0x47, 0x52, - 0x45, 0x53, 0x53, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, 0x45, 0x47, 0x52, 0x45, 0x53, 0x53, 0x10, - 0x01, 0x32, 0x3e, 0x0a, 0x09, 0x43, 0x6f, 0x6c, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x31, - 0x0a, 0x04, 0x53, 0x65, 0x6e, 0x64, 0x12, 0x0f, 0x2e, 0x70, 0x62, 0x66, 0x6c, 0x6f, 0x77, 0x2e, - 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x73, 0x1a, 0x16, 0x2e, 0x70, 0x62, 0x66, 0x6c, 0x6f, 0x77, - 0x2e, 0x43, 
0x6f, 0x6c, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x22, - 0x00, 0x42, 0x0a, 0x5a, 0x08, 0x2e, 0x2f, 0x70, 0x62, 0x66, 0x6c, 0x6f, 0x77, 0x62, 0x06, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x52, 0x65, 0x74, 0x12, 0x1f, 0x0a, 0x0b, + 0x73, 0x73, 0x6c, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x20, 0x20, 0x01, 0x28, + 0x0d, 0x52, 0x0a, 0x73, 0x73, 0x6c, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x21, 0x0a, + 0x0c, 0x73, 0x73, 0x6c, 0x5f, 0x6d, 0x69, 0x73, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x18, 0x21, 0x20, + 0x01, 0x28, 0x08, 0x52, 0x0b, 0x73, 0x73, 0x6c, 0x4d, 0x69, 0x73, 0x6d, 0x61, 0x74, 0x63, 0x68, + 0x22, 0x3c, 0x0a, 0x08, 0x44, 0x61, 0x74, 0x61, 0x4c, 0x69, 0x6e, 0x6b, 0x12, 0x17, 0x0a, 0x07, + 0x73, 0x72, 0x63, 0x5f, 0x6d, 0x61, 0x63, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x06, 0x73, + 0x72, 0x63, 0x4d, 0x61, 0x63, 0x12, 0x17, 0x0a, 0x07, 0x64, 0x73, 0x74, 0x5f, 0x6d, 0x61, 0x63, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x04, 0x52, 0x06, 0x64, 0x73, 0x74, 0x4d, 0x61, 0x63, 0x22, 0x6b, + 0x0a, 0x07, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x12, 0x25, 0x0a, 0x08, 0x73, 0x72, 0x63, + 0x5f, 0x61, 0x64, 0x64, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0a, 0x2e, 0x70, 0x62, + 0x66, 0x6c, 0x6f, 0x77, 0x2e, 0x49, 0x50, 0x52, 0x07, 0x73, 0x72, 0x63, 0x41, 0x64, 0x64, 0x72, + 0x12, 0x25, 0x0a, 0x08, 0x64, 0x73, 0x74, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x0a, 0x2e, 0x70, 0x62, 0x66, 0x6c, 0x6f, 0x77, 0x2e, 0x49, 0x50, 0x52, 0x07, + 0x64, 0x73, 0x74, 0x41, 0x64, 0x64, 0x72, 0x12, 0x12, 0x0a, 0x04, 0x64, 0x73, 0x63, 0x70, 0x18, + 0x03, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x04, 0x64, 0x73, 0x63, 0x70, 0x22, 0x3d, 0x0a, 0x02, 0x49, + 0x50, 0x12, 0x14, 0x0a, 0x04, 0x69, 0x70, 0x76, 0x34, 0x18, 0x01, 0x20, 0x01, 0x28, 0x07, 0x48, + 0x00, 0x52, 0x04, 0x69, 0x70, 0x76, 0x34, 0x12, 0x14, 0x0a, 0x04, 0x69, 0x70, 0x76, 0x36, 0x18, + 0x02, 0x20, 0x01, 
0x28, 0x0c, 0x48, 0x00, 0x52, 0x04, 0x69, 0x70, 0x76, 0x36, 0x42, 0x0b, 0x0a, + 0x09, 0x69, 0x70, 0x5f, 0x66, 0x61, 0x6d, 0x69, 0x6c, 0x79, 0x22, 0x5d, 0x0a, 0x09, 0x54, 0x72, + 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x19, 0x0a, 0x08, 0x73, 0x72, 0x63, 0x5f, 0x70, + 0x6f, 0x72, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x07, 0x73, 0x72, 0x63, 0x50, 0x6f, + 0x72, 0x74, 0x12, 0x19, 0x0a, 0x08, 0x64, 0x73, 0x74, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x0d, 0x52, 0x07, 0x64, 0x73, 0x74, 0x50, 0x6f, 0x72, 0x74, 0x12, 0x1a, 0x0a, + 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x52, + 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x22, 0xa3, 0x01, 0x0a, 0x04, 0x58, 0x6c, + 0x61, 0x74, 0x12, 0x25, 0x0a, 0x08, 0x73, 0x72, 0x63, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0a, 0x2e, 0x70, 0x62, 0x66, 0x6c, 0x6f, 0x77, 0x2e, 0x49, 0x50, + 0x52, 0x07, 0x73, 0x72, 0x63, 0x41, 0x64, 0x64, 0x72, 0x12, 0x25, 0x0a, 0x08, 0x64, 0x73, 0x74, + 0x5f, 0x61, 0x64, 0x64, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0a, 0x2e, 0x70, 0x62, + 0x66, 0x6c, 0x6f, 0x77, 0x2e, 0x49, 0x50, 0x52, 0x07, 0x64, 0x73, 0x74, 0x41, 0x64, 0x64, 0x72, + 0x12, 0x19, 0x0a, 0x08, 0x73, 0x72, 0x63, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x03, 0x20, 0x01, + 0x28, 0x0d, 0x52, 0x07, 0x73, 0x72, 0x63, 0x50, 0x6f, 0x72, 0x74, 0x12, 0x19, 0x0a, 0x08, 0x64, + 0x73, 0x74, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x07, 0x64, + 0x73, 0x74, 0x50, 0x6f, 0x72, 0x74, 0x12, 0x17, 0x0a, 0x07, 0x7a, 0x6f, 0x6e, 0x65, 0x5f, 0x69, + 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x7a, 0x6f, 0x6e, 0x65, 0x49, 0x64, 0x2a, + 0x24, 0x0a, 0x09, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x0b, 0x0a, 0x07, + 0x49, 0x4e, 0x47, 0x52, 0x45, 0x53, 0x53, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, 0x45, 0x47, 0x52, + 0x45, 0x53, 0x53, 0x10, 0x01, 0x32, 0x3e, 0x0a, 0x09, 
0x43, 0x6f, 0x6c, 0x6c, 0x65, 0x63, 0x74, + 0x6f, 0x72, 0x12, 0x31, 0x0a, 0x04, 0x53, 0x65, 0x6e, 0x64, 0x12, 0x0f, 0x2e, 0x70, 0x62, 0x66, + 0x6c, 0x6f, 0x77, 0x2e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x73, 0x1a, 0x16, 0x2e, 0x70, 0x62, + 0x66, 0x6c, 0x6f, 0x77, 0x2e, 0x43, 0x6f, 0x6c, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x52, 0x65, + 0x70, 0x6c, 0x79, 0x22, 0x00, 0x42, 0x0a, 0x5a, 0x08, 0x2e, 0x2f, 0x70, 0x62, 0x66, 0x6c, 0x6f, + 0x77, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/pkg/pbflow/proto.go b/pkg/pbflow/proto.go index b844c9a0a..2c58d1266 100644 --- a/pkg/pbflow/proto.go +++ b/pkg/pbflow/proto.go @@ -66,6 +66,8 @@ func FlowToPB(fr *model.Record) *Record { Flags: uint32(fr.Metrics.Flags), TimeFlowRtt: durationpb.New(fr.TimeFlowRtt), Sampling: fr.Metrics.Sampling, + SslVersion: uint32(fr.Metrics.SslVersion), + SslMismatch: fr.Metrics.HasSSLMismatch(), } if fr.Metrics.AdditionalMetrics != nil { pbflowRecord.PktDropBytes = fr.Metrics.AdditionalMetrics.PktDrops.Bytes @@ -148,6 +150,7 @@ func PBToFlow(pb *Record) *model.Record { Flags: uint16(pb.Flags), Dscp: uint8(pb.Network.Dscp), Sampling: pb.Sampling, + SslVersion: uint16(pb.SslVersion), }, AdditionalMetrics: &ebpf.BpfAdditionalMetrics{ PktDrops: ebpf.BpfPktDropsT{ @@ -179,6 +182,9 @@ func PBToFlow(pb *Record) *model.Record { TimeFlowRtt: pb.TimeFlowRtt.AsDuration(), DNSLatency: pb.DnsLatency.AsDuration(), } + if pb.SslMismatch { + out.Metrics.MiscFlags |= model.MiscFlagsSSLMismatch + } if pb.IpsecEncrypted != 0 { out.Metrics.AdditionalMetrics.IpsecEncrypted = true } diff --git a/proto/flow.proto b/proto/flow.proto index e1cd1ac78..6a4c121a1 100644 --- a/proto/flow.proto +++ b/proto/flow.proto @@ -69,6 +69,8 @@ message Record { uint32 sampling = 29; uint32 ipsec_encrypted = 30; int32 ipsec_encrypted_ret = 31; + uint32 ssl_version = 32; + bool ssl_mismatch = 33; } message DataLink {
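Review bot: `SslVersion: uint16(pb.SslVersion)` in PBToFlow truncates silently, because the wire field is a uint32: a record carrying 0x10303 would decode as 0x0303 and be reported as a valid version. The neighbouring `Flags` conversion does the same, so this follows the file's existing style. For a field meant as a security signal I would still drop out-of-range values after the struct is built, e.g. `if pb.SslVersion <= 0xFFFF { out.Metrics.SslVersion = uint16(pb.SslVersion) }`. PBToFlow starts and ends outside the hunk.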