Merge pull request #124 from step-security/int

varunsh-coder · web-flow · commit db323b1389f2 · 2021-12-25T20:24:32.000-08:00
Use reverse lookup for domain name
diff --git a/agent.go b/agent.go
@@ -82,14 +82,16 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 		ApiClient:        apiclient,
 		EgressPolicy:     config.EgressPolicy,
 		AllowedEndpoints: allowedEndpoints,
+		ReverseIPLookup:  make(map[string]string),
 	}
 
-	go startDNSServer(dnsProxy, hostDNSServer, errc)
-	go startDNSServer(dnsProxy, dockerDNSServer, errc) // this is for the docker bridge
+	go startDNSServer(&dnsProxy, hostDNSServer, errc)
+	go startDNSServer(&dnsProxy, dockerDNSServer, errc) // this is for the docker bridge
 
 	// start proc mon
 	if cmd == nil {
-		procMon := &ProcessMonitor{CorrelationId: config.CorrelationId, Repo: config.Repo, ApiClient: apiclient, WorkingDirectory: config.WorkingDirectory}
+		procMon := &ProcessMonitor{CorrelationId: config.CorrelationId, Repo: config.Repo,
+			ApiClient: apiclient, WorkingDirectory: config.WorkingDirectory, DNSProxy: &dnsProxy}
 		go procMon.MonitorProcesses(errc)
 		WriteLog("started process monitor")
 	}
@@ -237,8 +239,6 @@ func refreshDNSEntries(ctx context.Context, iptables *Firewall, allowedEndpoints
 							// add to cache with new TTL
 							dnsProxy.Cache.Set(domainName, answer)
 
-							go dnsProxy.ApiClient.sendDNSRecord(dnsProxy.CorrelationId, dnsProxy.Repo, domainName, answer.Data)
-
 							WriteLog(fmt.Sprintf("domain resolved: %s, ip address: %s, TTL: %d", domainName, answer.Data, answer.TTL))
 						}
 					}
diff --git a/apiclient.go b/apiclient.go
@@ -27,11 +27,12 @@ type FileEvent struct {
 }
 
 type NetworkConnection struct {
-	IPAddress string    `json:"ipAddress,omitempty"`
-	Port      string    `json:"port,omitempty"`
-	TimeStamp time.Time `json:"timestamp"`
-	Tool      Tool      `json:"tool"`
-	Status    string    `json:"status,omitempty"`
+	IPAddress  string    `json:"ipAddress,omitempty"`
+	Port       string    `json:"port,omitempty"`
+	DomainName string    `json:"domainName,omitempty"`
+	TimeStamp  time.Time `json:"timestamp"`
+	Tool       Tool      `json:"tool"`
+	Status     string    `json:"status,omitempty"`
 }
 
 type ApiClient struct {
@@ -54,12 +55,13 @@ func (apiclient *ApiClient) sendDNSRecord(correlationId, repo, domainName, ipAdd
 	return apiclient.sendApiRequest("POST", url, dnsRecord)
 }
 
-func (apiclient *ApiClient) sendNetConnection(correlationId, repo, ipAddress, port, status string, timestamp time.Time, tool Tool) error {
+func (apiclient *ApiClient) sendNetConnection(correlationId, repo, ipAddress, port, domainName, status string, timestamp time.Time, tool Tool) error {
 
 	networkConnection := &NetworkConnection{}
 
 	networkConnection.IPAddress = ipAddress
 	networkConnection.Port = port
+	networkConnection.DomainName = domainName
 	networkConnection.Status = status
 	networkConnection.TimeStamp = timestamp
 	networkConnection.Tool = tool
diff --git a/dnsproxy.go b/dnsproxy.go
@@ -5,18 +5,21 @@ import (
 	"fmt"
 	"io/ioutil"
 	"math"
+	"sync"
 
 	"github.com/miekg/dns"
 	"github.com/pkg/errors"
 )
 
 type DNSProxy struct {
-	Cache            *Cache
-	CorrelationId    string
-	Repo             string
-	ApiClient        *ApiClient
-	EgressPolicy     string
-	AllowedEndpoints map[string][]Endpoint
+	Cache                *Cache
+	CorrelationId        string
+	Repo                 string
+	ApiClient            *ApiClient
+	EgressPolicy         string
+	AllowedEndpoints     map[string][]Endpoint
+	ReverseIPLookup      map[string]string
+	ReverseIPLookupMutex sync.RWMutex
 }
 
 type DNSResponse struct {
@@ -70,6 +73,25 @@ func (proxy *DNSProxy) getResponse(requestMsg *dns.Msg) (*dns.Msg, error) {
 	return responseMsg, nil
 }
 
+func (proxy *DNSProxy) SetReverseIPLookup(domain, ipAddress string) {
+	proxy.ReverseIPLookupMutex.Lock()
+
+	proxy.ReverseIPLookup[ipAddress] = domain
+
+	proxy.ReverseIPLookupMutex.Unlock()
+}
+
+func (proxy *DNSProxy) GetReverseIPLookup(ipAddress string) string {
+	proxy.ReverseIPLookupMutex.RLock()
+	domain, found := proxy.ReverseIPLookup[ipAddress]
+	proxy.ReverseIPLookupMutex.RUnlock()
+	if found {
+		return domain
+	} else {
+		return ""
+	}
+}
+
 func (proxy *DNSProxy) processOtherTypes(q *dns.Question, requestMsg *dns.Msg) (*dns.RR, error) {
 	queryMsg := new(dns.Msg)
 	requestMsg.CopyTo(queryMsg)
@@ -79,7 +101,7 @@ func (proxy *DNSProxy) processOtherTypes(q *dns.Question, requestMsg *dns.Msg) (
 }
 
 func (proxy *DNSProxy) isAllowedDomain(domain string) bool {
-	for domainName, _ := range proxy.AllowedEndpoints {
+	for domainName := range proxy.AllowedEndpoints {
 		if dns.Fqdn(domainName) == dns.Fqdn(domain) {
 			return true
 		}
@@ -191,11 +213,12 @@ func (proxy *DNSProxy) processTypeA(q *dns.Question, requestMsg *dns.Msg) (*dns.
 		return nil, err
 	}
 
-	return &rr, nil
+	proxy.SetReverseIPLookup(q.Name, ip)
 
+	return &rr, nil
 }
 
-func startDNSServer(dnsProxy DNSProxy, server DNSServer, errc chan error) {
+func startDNSServer(dnsProxy *DNSProxy, server DNSServer, errc chan error) {
 	dns.HandleFunc(".", func(w dns.ResponseWriter, r *dns.Msg) {
 		switch r.Opcode {
 		case dns.OpcodeQuery:
diff --git a/dnsproxy_test.go b/dnsproxy_test.go
@@ -102,6 +102,7 @@ func TestDNSProxy_getResponse(t *testing.T) {
 				ApiClient:        apiclient,
 				EgressPolicy:     tt.fields.EgressPolicy,
 				AllowedEndpoints: tt.fields.AllowedEndpoints,
+				ReverseIPLookup:  make(map[string]string),
 			}
 			got, err := proxy.getResponse(tt.args.requestMsg)
 			if (err != nil) != tt.wantErr {
@@ -131,9 +132,10 @@ func TestDNSProxy_auditCacheTTL(t *testing.T) {
 	cache := InitCache(EgressPolicyAudit)
 
 	proxy := &DNSProxy{
-		Cache:        &cache,
-		ApiClient:    apiclient,
-		EgressPolicy: EgressPolicyAudit,
+		Cache:           &cache,
+		ApiClient:       apiclient,
+		EgressPolicy:    EgressPolicyAudit,
+		ReverseIPLookup: make(map[string]string),
 	}
 
 	// should call httpmock
diff --git a/eventhandler.go b/eventhandler.go
@@ -21,6 +21,7 @@ type EventHandler struct {
 	CorrelationId        string
 	Repo                 string
 	ApiClient            *ApiClient
+	DNSProxy             *DNSProxy
 	ProcessConnectionMap map[string]bool
 	ProcessFileMap       map[string]bool
 	ProcessMap           map[string]*Process
@@ -102,7 +103,8 @@ func (eventHandler *EventHandler) handleNetworkEvent(event *Event) {
 				tool = Tool{Name: image, SHA256: image} // TODO: Set container image checksum
 			}
 
-			eventHandler.ApiClient.sendNetConnection(eventHandler.CorrelationId, eventHandler.Repo, event.IPAddress, event.Port, "", event.Timestamp, tool)
+			reverseLookUp := eventHandler.DNSProxy.GetReverseIPLookup(event.IPAddress)
+			eventHandler.ApiClient.sendNetConnection(eventHandler.CorrelationId, eventHandler.Repo, event.IPAddress, event.Port, reverseLookUp, "", event.Timestamp, tool)
 			eventHandler.ProcessConnectionMap[cacheKey] = true
 		}
 	}
diff --git a/eventhandler_test.go b/eventhandler_test.go
@@ -44,6 +44,13 @@ func TestEventHandler_HandleEvent(t *testing.T) {
 			args: args{event: &Event{EventType: fileMonitorTag, Exe: "/path/to/exe", FileName: ".git/objects"}}},
 	}
 	for _, tt := range tests {
+		cache := InitCache(EgressPolicyAudit)
+		proxy := &DNSProxy{
+			Cache:           &cache,
+			ApiClient:       apiclient,
+			EgressPolicy:    EgressPolicyAudit,
+			ReverseIPLookup: make(map[string]string),
+		}
 		t.Run(tt.name, func(t *testing.T) {
 			eventHandler := &EventHandler{
 				CorrelationId:        tt.fields.CorrelationId,
@@ -52,6 +59,7 @@ func TestEventHandler_HandleEvent(t *testing.T) {
 				ProcessConnectionMap: tt.fields.ProcessConnectionMap,
 				ProcessFileMap:       tt.fields.ProcessFileMap,
 				ProcessMap:           tt.fields.ProcessMap,
+				DNSProxy:             proxy,
 			}
 			eventHandler.HandleEvent(tt.args.event)
 		})
diff --git a/netmon.go b/netmon.go
@@ -92,7 +92,7 @@ func (netMonitor *NetworkMonitor) handlePacket(attrs nflog.Attribute) {
 
 			if isSYN {
 				netMonitor.ApiClient.sendNetConnection(netMonitor.CorrelationId, netMonitor.Repo,
-					ipv4Address, port, netMonitor.Status, timestamp, Tool{Name: Unknown, SHA256: Unknown})
+					ipv4Address, port, "", netMonitor.Status, timestamp, Tool{Name: Unknown, SHA256: Unknown})
 
 				if netMonitor.Status == "Dropped" {
 					go WriteLog(fmt.Sprintf("ip address dropped: %s", ipv4Address))
diff --git a/procmon.go b/procmon.go
@@ -17,6 +17,7 @@ type ProcessMonitor struct {
 	CorrelationId    string
 	Repo             string
 	ApiClient        *ApiClient
+	DNSProxy         *DNSProxy
 	WorkingDirectory string
 	Events           map[int]*Event
 	mutex            sync.RWMutex
diff --git a/procmon_linux.go b/procmon_linux.go
@@ -111,7 +111,7 @@ func (p *ProcessMonitor) MonitorProcesses(errc chan error) {
 func (p *ProcessMonitor) receive(r *libaudit.AuditClient) error {
 
 	p.Events = make(map[int]*Event)
-	eventHandler := EventHandler{CorrelationId: p.CorrelationId, Repo: p.Repo, ApiClient: p.ApiClient}
+	eventHandler := EventHandler{CorrelationId: p.CorrelationId, Repo: p.Repo, ApiClient: p.ApiClient, DNSProxy: p.DNSProxy}
 	eventHandler.ProcessConnectionMap = make(map[string]bool)
 	eventHandler.ProcessFileMap = make(map[string]bool)
 	eventHandler.ProcessMap = make(map[string]*Process)

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@ type EventHandler struct {`
`21`	`21`	`CorrelationId string`
`22`	`22`	`Repo string`
`23`	`23`	`ApiClient *ApiClient`
	`24`	`+ DNSProxy *DNSProxy`
`24`	`25`	`ProcessConnectionMap map[string]bool`
`25`	`26`	`ProcessFileMap map[string]bool`
`26`	`27`	`ProcessMap map[string]*Process`
`@@ -102,7 +103,8 @@ func (eventHandler EventHandler) handleNetworkEvent(event Event) {`
`102`	`103`	`tool = Tool{Name: image, SHA256: image} // TODO: Set container image checksum`
`103`	`104`	`}`
`104`	`105`
`105`		`- eventHandler.ApiClient.sendNetConnection(eventHandler.CorrelationId, eventHandler.Repo, event.IPAddress, event.Port, "", event.Timestamp, tool)`
	`106`	`+ reverseLookUp := eventHandler.DNSProxy.GetReverseIPLookup(event.IPAddress)`
	`107`	`+ eventHandler.ApiClient.sendNetConnection(eventHandler.CorrelationId, eventHandler.Repo, event.IPAddress, event.Port, reverseLookUp, "", event.Timestamp, tool)`
`106`	`108`	`eventHandler.ProcessConnectionMap[cacheKey] = true`
`107`	`109`	`}`
`108`	`110`	`}`