
Allow sendto/recvfrom events for falco, add fd.name_changed filtercheck #1052

Merged: 2 commits merged into dev from allow-sendto-recvfrom-falco on Feb 2, 2018

@mstemm mstemm commented Jan 30, 2018

We'll be using this to expand coverage for udp traffic, some of which
can be sent using sendto/recvfrom.

mstemm added a commit to falcosecurity/falco that referenced this pull request Jan 30, 2018
Expand the inbound/outbound macros to handle sendfrom/recvto events, so
they can work on unconnected udp sockets. In order to avoid a flood of
events, they also depend on is_different_addr to only consider
sendto/recvfrom when the address changes.

This depends on draios/sysdig#1052.
We'll be using this to expand coverage for udp traffic, some of which
can be sent using sendto/recvfrom/sendmsg/recvmsg.
@mstemm mstemm force-pushed the allow-sendto-recvfrom-falco branch from a2d205f to 5dfb914 Compare January 30, 2018 23:07
@mstemm mstemm requested a review from mattpag January 31, 2018 19:19
@mattpag mattpag left a comment

UDP connections can use connect multiple times to change the remote peer, so you're not actually monitoring those changes, but just the first recv{from,msg}/send{to,msg} of not-connected UDP sockets. What about calling it "is_first_udp_event" or something like that?

mstemm commented Feb 2, 2018

I hadn't thought of the case of connect() being called multiple times. I was trying to address the case of a single socket being used for different sets of to/from addresses at different times. The idea is that is_different_addr would be true each time the set of to/from addresses changed for a given socket.

@mstemm mstemm force-pushed the allow-sendto-recvfrom-falco branch 2 times, most recently from b12e034 to 58f4795 Compare February 2, 2018 03:13
mstemm commented Feb 2, 2018

I changed the filtercheck a bit so it's not as tied to recvfrom/sendto. It also works for cases like bind/connect/etc where the "name" of a fd changes. Does this seem better? I have some unit test changes on the agent side that I'm getting ready as well.

Add a filtercheck fd.name_changed which is true when parsing an event
changes the "name" of a fd. This mostly occurs when a
bind/connect/sendto/recvfrom/etc changes the ip/port information
associated with a socket fd, and is useful if you want to track when a
stream of sendto/recvfroms on a single socket changes addresses.

This is done by adding a m_oldname to fdinfo, which is set when
threadinfo returns a fd and associates it with an event. If after
parsing, the name changes, the filtercheck will return true.

Whether the name changed or not is an event property and set at the end
of sinsp_parser::process_event(). It does this by checking the original
fd name and comparing it to the fd name that exists after parsing the
event.
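The mechanism described in that commit message (snapshot the fd's name when the event is attached to the fd, apply the event, then compare) as a small Python model. This is an added example, not sysdig/libsinsp code: the event dicts, the "local->remote" name format and the choice to let a sendto/recvfrom address update the peer only on an unconnected socket are assumptions of the model. The sample stream also includes the connect()-called-twice case mattpag raised, so it shows that each re-connect changes the name too.

```python
"""Toy model of the fd.name_changed filtercheck described above.

Added example, not sysdig/libsinsp code. It keeps, per fd, the "name"
(local ip:port -> remote ip:port), snapshots it when an event is attached
to the fd (the role of m_oldname), applies the event, and then reports
whether the name differs, as the commit message says happens at the end
of process_event(). Event dicts and field names are assumptions.
"""
from dataclasses import dataclass

UNSPEC = ("0.0.0.0", 0)


@dataclass
class FdInfo:
    """Stand-in for the per-fd state: current tuple plus the pre-parse name."""
    connected: bool = False
    local: tuple = UNSPEC
    remote: tuple = UNSPEC
    oldname: str = ""

    @property
    def name(self) -> str:
        return "%s:%d->%s:%d" % (self.local + self.remote)


class Parser:
    def __init__(self):
        self.fds = {}

    def process_event(self, evt: dict) -> bool:
        """Update the fd for one event; return True if its name changed."""
        fd = self.fds.setdefault(evt["fd"], FdInfo())
        fd.oldname = fd.name                   # snapshot before parsing
        kind, addr = evt["type"], evt.get("addr")
        if kind == "bind":
            fd.local = addr
        elif kind == "connect":
            fd.remote = addr                   # a second connect() re-names the fd
            fd.connected = True
        elif kind in ("sendto", "sendmsg", "recvfrom", "recvmsg"):
            # Assumption: the address carried by the event names the peer only
            # on an unconnected socket; a connected one already has its peer.
            if addr and not fd.connected:
                fd.remote = addr
        # plain send/recv carry no address and never change the name
        return fd.name != fd.oldname


def name_changes(events):
    """Run a stream through one parser; return (event type, fd.name_changed) pairs."""
    parser = Parser()
    return [(e["type"], parser.process_event(e)) for e in events]


# Constructed sample stream (not captured data): fd 3 is an unconnected UDP
# socket that talks to two resolvers; fd 4 is connected, then re-connected.
SAMPLE_EVENTS = [
    {"fd": 3, "type": "bind", "addr": ("10.0.0.5", 40000)},
    {"fd": 3, "type": "sendto", "addr": ("8.8.8.8", 53)},
    {"fd": 3, "type": "sendto", "addr": ("8.8.8.8", 53)},      # same peer: no change
    {"fd": 3, "type": "recvfrom", "addr": ("8.8.8.8", 53)},    # same peer: no change
    {"fd": 3, "type": "sendto", "addr": ("1.1.1.1", 53)},      # new peer: change
    {"fd": 4, "type": "connect", "addr": ("192.0.2.10", 123)},
    {"fd": 4, "type": "send"},                                 # no address: no change
    {"fd": 4, "type": "connect", "addr": ("192.0.2.11", 123)}, # re-connect: change
]

if __name__ == "__main__":
    for kind, changed in name_changes(SAMPLE_EVENTS):
        print("%-9s fd.name_changed=%s" % (kind, changed))
```

The point of comparing names rather than looking at event types is visible in the output: a burst of sendto calls to the same peer produces exactly one True, while a new peer, a bind, or a repeated connect each produce one.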
@mstemm mstemm force-pushed the allow-sendto-recvfrom-falco branch from 6bb8ce6 to 6b35e44 Compare February 2, 2018 16:42
@mstemm mstemm changed the title Allow sendto/recvfrom events for falco. Allow sendto/recvfrom events for falco, add fd.name_changed filtercheck Feb 2, 2018
@mstemm mstemm merged commit 57f2415 into dev Feb 2, 2018
@mstemm mstemm deleted the allow-sendto-recvfrom-falco branch February 2, 2018 19:51
mstemm added a commit to falcosecurity/falco that referenced this pull request Feb 2, 2018
Expand the inbound/outbound macros to handle sendfrom/recvto events, so
they can work on unconnected udp sockets. In order to avoid a flood of
events, they also depend on fd.name_changed to only consider
sendto/recvfrom when the connection tuple changes.

Also make the check for protocol a positive check for udp instead of not tcp,
to avoid a warning about event type filters potentially appearing before
a negative condition. This makes filtering rules by event type easier.

This depends on draios/sysdig#1052.
mstemm added a commit to falcosecurity/falco that referenced this pull request Apr 13, 2018 (same commit message as above)
mstemm added a commit to falcosecurity/falco that referenced this pull request Apr 18, 2018 (same commit message as above)
mstemm added a commit to falcosecurity/falco that referenced this pull request Apr 18, 2018
* Add Rule for unexpected udp traffic

New rule Unexpected UDP Traffic checks for udp traffic not on a list of
expected ports. Currently blocked on
#308.

* Add sendto/recvfrom in inbound/outbound macros

Expand the inbound/outbound macros to handle sendfrom/recvto events, so
they can work on unconnected udp sockets. In order to avoid a flood of
events, they also depend on fd.name_changed to only consider
sendto/recvfrom when the connection tuple changes.

Also make the check for protocol a positive check for udp instead of not tcp,
to avoid a warning about event type filters potentially appearing before
a negative condition. This makes filtering rules by event type easier.

This depends on draios/sysdig#1052.

* Add additional restrictions for inbound/outbound

 - only look for fd.name_changed on unconnected sockets.
 - skip connections where both ips are 0.0.0.0 or localhost network.
 - only look for successful or non-blocking actions that are in progress

* Add a combined inbound/outbound macro

Add a combined inbound/outbound macro so you don't have to do all the
other net/result related tests more than once.

* Fix evt generator for new in/outbound restrictions

The new rules skip localhost, so instead connect a udp socket to a
non-local port. That still triggers the inbound/outbound macros.

* Address FPs in regression tests

In some cases, an app may make a udp connection to an address with a
port of 0, or to an address with an application's port, before making a
tcp connection that actually sends/receives traffic. Allow these
connects.

Also, check both the server and client port and only consider the
traffic unexpected if neither port is in range.
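The restrictions listed in that commit message (positive udp check, fd.name_changed only on unconnected sockets, skip when both addresses are unspecified or loopback, only successful or in-progress results, allow port 0, and treat traffic as unexpected only when neither port is expected) applied to constructed event records in Python. This is an added example, not Falco's rule engine or the actual rule text: each record is a dict carrying the Falco field values a rule would read, and the expected-port allow-list, the port-0 handling and the convention that evt.rawres holds -errno on failure are assumptions.

```python
"""Model of the inbound/outbound restrictions listed in the commit message.

Added example, not Falco's rule engine or its rule text. Each record is a
dict carrying the Falco field values a rule would read. Assumptions: the
expected-port allow-list, treating a port of 0 as allowed, and evt.rawres
holding -errno on failure (so EINPROGRESS is -115 on Linux).
"""
import ipaddress

EINPROGRESS = -115
EXPECTED_UDP_PORTS = {53, 67, 68, 123, 5353}      # assumed allow-list
INBOUND = {"recvfrom", "recvmsg"}
OUTBOUND = {"connect", "sendto", "sendmsg"}


def local_or_unspecified(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.is_unspecified or addr.is_loopback


def result_ok(rawres: int) -> bool:
    """Successful, or a non-blocking action that is still in progress."""
    return rawres >= 0 or rawres == EINPROGRESS


def inbound_outbound(evt: dict) -> bool:
    """Combined macro: does this event stand for a new UDP exchange?"""
    if evt["fd.l4proto"] != "udp":                     # positive udp check
        return False
    if not result_ok(evt["evt.rawres"]):
        return False
    if local_or_unspecified(evt["fd.cip"]) and local_or_unspecified(evt["fd.sip"]):
        return False                                   # both ends local: skip
    if evt["evt.type"] == "connect":
        return True
    if evt["evt.type"] in INBOUND | OUTBOUND:
        # sendto/recvfrom count only on unconnected sockets and only when
        # the tuple changed, so a burst to one peer yields a single hit
        return not evt["fd.connected"] and evt["fd.name_changed"]
    return False


def unexpected_udp_traffic(evt: dict) -> bool:
    if not inbound_outbound(evt):
        return False
    ports = {evt["fd.sport"], evt["fd.cport"]}
    if 0 in ports:                                     # port-0 connect: allowed
        return False
    return not (ports & EXPECTED_UDP_PORTS)            # neither port expected


def evaluate(events) -> list:
    """Ids of the events the rule would fire on."""
    return [e["id"] for e in events if unexpected_udp_traffic(e)]


def mk(ident, etype, proto="udp", cip="10.0.0.5", sip="8.8.8.8", cport=40000,
       sport=53, connected=False, changed=True, rawres=0):
    return {"id": ident, "evt.type": etype, "fd.l4proto": proto, "fd.cip": cip,
            "fd.sip": sip, "fd.cport": cport, "fd.sport": sport,
            "fd.connected": connected, "fd.name_changed": changed,
            "evt.rawres": rawres}


# Constructed records (not captured events)
SAMPLE_EVENTS = [
    mk("dns", "sendto"),                                                # expected port
    mk("exfil", "sendto", sip="203.0.113.9", sport=4444),               # fires
    mk("exfil-again", "sendto", sip="203.0.113.9", sport=4444, changed=False),
    mk("tcp", "sendto", proto="tcp", sip="203.0.113.9", sport=4444),
    mk("loopback", "recvfrom", cip="127.0.0.1", sip="127.0.0.1", sport=9999),
    mk("refused", "sendto", sip="203.0.113.9", sport=4444, rawres=-111),
    mk("port0", "connect", sip="203.0.113.9", sport=0),
    mk("connected", "sendto", sip="203.0.113.9", sport=4444, connected=True),
    mk("nb-connect", "connect", sip="203.0.113.9", sport=4444, rawres=EINPROGRESS),  # fires
]

if __name__ == "__main__":
    print("Unexpected UDP Traffic:", evaluate(SAMPLE_EVENTS))
```

Only "exfil" and "nb-connect" survive the filters; the repeated sendto to the same peer is suppressed by fd.name_changed, the send on a connected socket is left to the existing connect-based path, and the failed sendto is dropped by the result check.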
leogr pushed a commit to falcosecurity/rules that referenced this pull request Dec 21, 2022 (same commit message as above, with the issue reference written as falcosecurity/falco#308)