[medium] netstat module take 3: connected IP & listening ports on Linux

mozilla · Sep 17, 2014 · 01a7a9e · 01a7a9e
1 parent 72c0778
commit 01a7a9e
Show file tree

Hide file tree

Showing 5 changed files with 454 additions and 27 deletions.
diff --git a/examples/actions/example_v2.json b/examples/actions/example_v2.json
@@ -128,32 +128,23 @@
         {
             "module": "netstat",
             "parameters": {
-                "maclocal": [
-                    "8c:70:5a:c8:be:50"
+                "connectedip": [
+                    "173.194.0.0/16"
                 ],
-                "macpeer": [
-                    "30:05:5c:00:80:3a"
-                ],
-                "cidrlocal": [
-                    "10.1.2.3/32",
-                    "fe80::8e70:5aff:fec8:be50/32"
+                "listeningport": [
+                    "631"
                 ],
-                "cidrpeer": [
-                    "98.143.145.80/32",
-                    "96.46.4.0/24",
-                    "FE80:0000:0000:0000:0202:B3FF:FE1E:8329/128"
+                "localip": [
+                    "172.21.0.0/24"
                 ],
-                "udplisten": [
-                    "0.0.0.0:53"
+                "localmac": [
+                    "^8c:70:"
                 ],
-                "udppeer": [
-                    "192.168.1.2->0.0.0.0:53"
+                "neighborip": [
+                    "172.21.0.6"
                 ],
-                "tcplisten": [
-                    "10.1.2.3:443"
-                ],
-                "tcppeer": [
-                    "18.32.25.65->10.1.2.3:80"
+                "neighbormac": [
+                    "30:05:5c:00:80:3a"
                 ]
             }
         },

diff --git a/src/mig/modules/netstat/netstat.go b/src/mig/modules/netstat/netstat.go
@@ -17,6 +17,7 @@ import (
 	"regexp"
 	"strconv"
 	"strings"
+	"time"
 )
 
 func init() {
@@ -39,6 +40,76 @@ type params struct {
 	ListeningPort []string `json:"listeningport,omitempty"`
 }
 
+// Sample results:
+// {
+//     "foundanything": true,
+//     "connectedip": {
+//         "173.194.0.0/16": {
+//             "element": [
+//                 {
+//                     "localaddr": "172.21.0.3",
+//                     "localport": 51376,
+//                     "remoteaddr": "173.194.37.115",
+//                     "remoteport": 80
+//                 },
+//                 {
+//                     "localaddr": "172.21.0.3",
+//                     "localport": 40577,
+//                     "remoteaddr": "173.194.37.7",
+//                     "remoteport": 80
+//                 }
+//             ],
+//             "found": true
+//         }
+//     },
+//     "listeningport": {
+//         "631": {
+//             "element": [
+//                 {
+//                     "localaddr": "127.0.0.1",
+//                     "localport": 631
+//                 },
+//                 {
+//                     "localaddr": "0:1::",
+//                     "localport": 631
+//                 }
+//             ],
+//             "found": true
+//         }
+//     },
+//     "localip": {
+//         "172.21.0.0/24": {
+//             "element": [
+//                 {
+//                     "localaddr": "172.21.0.3"
+//                 }
+//             ],
+//             "found": true
+//         }
+//     },
+//     "localmac": {
+//         "^8c:70:": {
+//             "element": [
+//                 {
+//                     "localmacaddr": "8c:70:5a:c8:be:50"
+//                 }
+//             ],
+//             "found": true
+//         }
+//     },
+//     "neighbormac": {
+//         "30:05:5c:00:80:3a": {
+//             "element": [
+//                 {
+//                     "remoteaddr": "172.21.0.6",
+//                     "remotemacaddr": "30:05:5c:00:80:3a"
+//                 }
+//             ],
+//             "found": true
+//         }
+//     },
+//     "success": true
+// }
 type results struct {
 	LocalMAC      map[string]result `json:"localmac,omitempty"`
 	LocalIP       map[string]result `json:"localip,omitempty"`
@@ -49,6 +120,7 @@ type results struct {
 	FoundAnything bool              `json:"foundanything"`
 	Success       bool              `json:"success"`
 	Errors        []string          `json:"errors,omitempty"`
+	Statistics    statistics        `json:"statistics"`
 }
 
 type result struct {
@@ -76,6 +148,14 @@ func newResults() *results {
 	return &r
 }
 
+// stats is a global variable
+var stats statistics
+
+type statistics struct {
+	Examined float64 `json:"examined"`
+	Exectime string  `json:"exectime"`
+}
+
 func (r Runner) ValidateParameters() (err error) {
 	for _, val := range r.Parameters.LocalMAC {
 		err = validateMAC(val)
@@ -156,6 +236,7 @@ func (r Runner) Run(args []byte) (resStr string) {
 			return
 		}
 	}()
+	t0 := time.Now()
 
 	err := json.Unmarshal(args, &r.Parameters)
 	if err != nil {
@@ -225,6 +306,11 @@ func (r Runner) Run(args []byte) (resStr string) {
 		}
 	}
 
+	// calculate execution time
+	t1 := time.Now()
+	stats.Exectime = t1.Sub(t0).String()
+	r.Results.Statistics = stats
+
 	r.Results.Success = true
 	jsonOutput, err := json.Marshal(r.Results)
 	if err != nil {
@@ -257,6 +343,7 @@ func HasLocalMAC(macstr string) (found bool, elements []element, err error) {
 			el.LocalMACAddr = iface.HardwareAddr.String()
 			elements = append(elements, el)
 		}
+		stats.Examined++
 	}
 	return
 }
@@ -287,6 +374,7 @@ func HasLocalIP(ipStr string) (found bool, elements []element, err error) {
 				el.LocalAddr = addr
 				elements = append(elements, el)
 			}
+			stats.Examined++
 		}
 		return found, elements, err
 	}
@@ -302,6 +390,68 @@ func HasLocalIP(ipStr string) (found bool, elements []element, err error) {
 			el.LocalAddr = addr
 			elements = append(elements, el)
 		}
+		stats.Examined++
+	}
+	return
+}
+
+func (r Runner) PrintResults(rawResults []byte, foundOnly bool) (prints []string, err error) {
+	var results results
+	err = json.Unmarshal(rawResults, &results)
+	if err != nil {
+		panic(err)
+	}
+	for val, res := range results.LocalMAC {
+		if foundOnly && !res.Found {
+			continue
+		}
+		for _, el := range res.Elements {
+			resStr := fmt.Sprintf("found local mac %s for netstat localmac:'%s'", el.LocalMACAddr, val)
+			prints = append(prints, resStr)
+		}
+	}
+	for val, res := range results.NeighborMAC {
+		if foundOnly && !res.Found {
+			continue
+		}
+		for _, el := range res.Elements {
+			resStr := fmt.Sprintf("found neighbor mac %s %s for netstat neighbormac:'%s'",
+				el.RemoteMACAddr, el.RemoteAddr, val)
+			prints = append(prints, resStr)
+		}
+	}
+	for val, res := range results.LocalIP {
+		if foundOnly && !res.Found {
+			continue
+		}
+		for _, el := range res.Elements {
+			resStr := fmt.Sprintf("found local ip %s for netstat localip:'%s'", el.LocalAddr, val)
+			prints = append(prints, resStr)
+		}
+	}
+	for val, res := range results.ConnectedIP {
+		if foundOnly && !res.Found {
+			continue
+		}
+		for _, el := range res.Elements {
+			resStr := fmt.Sprintf("found connected tuple %s:%.0f with local tuple %s:%.0f for netstat connectedip:'%s'",
+				el.RemoteAddr, el.RemotePort, el.LocalAddr, el.LocalPort, val)
+			prints = append(prints, resStr)
+		}
+	}
+	for val, res := range results.ListeningPort {
+		if foundOnly && !res.Found {
+			continue
+		}
+		for _, el := range res.Elements {
+			resStr := fmt.Sprintf("found listening port %.0f for netstat listeningport:'%s'", el.LocalPort, val)
+			prints = append(prints, resStr)
+		}
+	}
+	if !foundOnly {
+		resStr := fmt.Sprintf("Statistics: examined %.0f items in %s",
+			results.Statistics.Examined, results.Statistics.Exectime)
+		prints = append(prints, resStr)
 	}
 	return
 }
diff --git a/src/mig/modules/netstat/netstat_darwin.go b/src/mig/modules/netstat/netstat_darwin.go
@@ -40,7 +40,7 @@ func HasSeenMac(val string) (found bool, elements []element, err error) {
 	for {
 		lineBytes, _, err := reader.ReadLine()
 		if err != nil {
-			panic(err)
+			continue
 		}
 		line := fmt.Sprintf("%s", lineBytes)
 		fields := strings.Fields(line)
@@ -57,6 +57,7 @@ func HasSeenMac(val string) (found bool, elements []element, err error) {
 			el.RemoteMACAddr = fields[3]
 			elements = append(elements, el)
 		}
+		stats.Examined++
 	}
 	return
 }