Add resolver module

Makefile.am

@@ -19,6 +19,7 @@ natpair \
 proto_traffic \
 pdns_exporter \
 report2idea \
+resolver \
 topn \
 traffic_repeater \
 unirec2json \

README.md

@@ -27,6 +27,8 @@ functionality/purposes are:
   from detectors and store them into database (MongoDB), file or send
   them into Warden
 
+* [resolver](resolver): amend flow records with resolved fields
+
 * [merger](merger): module for joining multiple input streams of
   messages into one output stream of messages
 

configure.ac

@@ -262,6 +262,7 @@ AC_CONFIG_FILES([Makefile
                  report2idea/venom/Makefile
                  report2idea/voipfraud/Makefile
                  report2idea/vportscan/Makefile
+                 resolver/Makefile
                  scalar-aggregator/Makefile
                  topn/Makefile
                  traffic_repeater/Makefile

nemea-modules.spec.in

@@ -1,3 +1,11 @@
+%if 0%{?el6}%{?el7}
+%global python3_pkgversion 34
+%endif
+
+%if x%{?python3_pkgversion} == x
+%global python3_pkgversion 3
+%endif
+
 Summary: Package with basic NEMEA modules
 Name: nemea-modules
 Version: @PACKAGE_VERSION@
@@ -14,6 +22,7 @@ Requires: libnf
 Requires: openssl
 Requires: libpcap
 Requires: libcurl
+Requires: python%{python3_pkgversion}-nemea-pytrap
 Provides: nemea-modules
 BuildRequires: gcc gcc-c++ make doxygen pkgconfig nemea-framework-devel bison flex
 BuildRequires: libpcap-devel openssl-devel libnf-devel bzip2-devel libcurl-devel
@@ -80,6 +89,7 @@ ldconfig
 %{_bindir}/nemea/nfwriter
 %{_bindir}/nemea/proto_traffic
 %{_bindir}/nemea/pdns_exporter.py
+%{_bindir}/nemea/resolver.py
 %{_bindir}/nemea/scalar_agg
 %{_bindir}/nemea/sipbf2idea.py
 %{_bindir}/nemea/svm-tools

resolver/Makefile.am

@@ -0,0 +1,18 @@
+EXTRA_DIST=resolver.py readme.md pylintrc
+bin_SCRIPTS=resolver.py
+
+pkgdocdir=${docdir}/resolver
+pkgdoc_DATA=readme.md
+
+pylint:
+	pylint-3 resolver.py
+
+flake8:
+	flake8 resolver.py
+
+pycodestyle:
+	pycodestyle-3 resolver.py
+
+lint: pylint flake8 pycodestyle
+
+include ../aminclude.am

resolver/pylintrc

@@ -0,0 +1,16 @@
+# -*- mode: conf; -*-
+
+[MASTER]
+ignore: .git
+
+[REPORTS]
+output-format: parseable
+reports: no
+
+[MESSAGES CONTROL]
+disable: locally-disabled, no-self-use, bad-continuation
+
+[DESIGN]
+max-statements: 200
+max-branches: 40
+max-locals: 30

resolver/readme.md

@@ -0,0 +1,59 @@
+# Resolver
+
+## Module description
+
+This module amends flow records with resolved fields.
+
+
+## Input data
+
+This module expects flow records in Unirec format. The required fields
+are determined by run time parameters.
+
+
+## Output data
+
+Flows are sent on the output interface, also in Unirec format, they
+contain all the fields of the input interface plus the configured
+resolved fields from the resolvspec parameter.
+
+
+## Available resolutions
+
+These resolutions are available:
+
+* dns_ptr: ip address (ipaddr) -> domain name (string)
+* dns_a: domain name (string) -> ip address (ipaddr)
+* dns_aaaa: domain name (string) -> ip address (ipaddr)
+* ent_services: port (uint16)/protocol (uint8) -> service name
+  (string)
+
+
+## Module parameters
+
+In addition to the implicit *libtrap* parameters `-i IFC_SPEC`, `-h`
+and `-v` (see [Execute a
+module](https://github.com/CESNET/Nemea#try-out-nemea-modules)) this
+module takes the following parameters:
+
+* `-u` `--urformat` urformat
+  Specify unirec input format.
+
+* `-r` `--resolvspec` infield[/infield] resolution outfield
+  Specify field(s), what lookup to do of it/them and where to put the
+  result.
+
+For more detailed information see above under [available
+resolutions](#available-resolutions).
+
+All fields specified as infields in resolvspec parameters must be
+supplied in the urformat parameter for this module to start. Note
+though that the downstream module will fail if it requires non
+resolved fields you do not specify in the uformat parameter.
+
+<!--- Local variables: -->
+<!--- mode: markdown; -->
+<!--- mode: auto-fill; -->
+<!--- mode: flyspell; -->
+<!--- ispell-local-dictionary: "british"; -->
+<!--- End: -->