/// <summary>
/// Returns families that are not relevant for the security log we collect
/// </summary>
/// <returns>True if the given LinuxAddressFamily should be ignored</returns>
public static bool IsToIgnore(this LinuxAddressFamily addrFamily)
{
return(addrFamily == LinuxAddressFamily.AF_UNSPEC ||
addrFamily == LinuxAddressFamily.AF_UNIX ||
addrFamily == LinuxAddressFamily.AF_LOCAL ||
addrFamily == LinuxAddressFamily.AF_KEY ||
addrFamily == LinuxAddressFamily.AF_NETLINK ||
addrFamily == LinuxAddressFamily.AF_ROUTE ||
addrFamily == LinuxAddressFamily.AF_ALG);
}
//For other famlies (non INET) that are required more investigation - send event with raw data (hex string)
private ConnectionsPayload CreateNonInetConnPayloadFromAuditEvent(LinuxAddressFamily family, AuditEvent auditEvent)
{
ConnectionsPayload connectionPayload = CreateConnPayloadFromAuditEvent(auditEvent);
string hexStringSaddr = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.SocketAddress);
connectionPayload.ExtraDetails = new Dictionary <string, string>
{
{ "familyName", family.ToString() },
{ "saddr", hexStringSaddr }
};
return(connectionPayload);
}
/// <summary>
/// The function parse the saddr structure used by Linux connect and accept APIs
/// It parses only saddr that represent INET or INET6 family type
/// </summary>
/// This function receives saddr in hex and translate it
/// Note: the translation will be done only if the family name is of type INET for other families null will be returned
/// <param name="saddrHexString">Saddr hex dump</param>
/// <returns>ConnectionSaddr</returns>
public static ConnectionSaddr ParseSaddrToInetConnection(string saddrHexString)
{
ConnectionSaddr retSaddr = null;
LinuxAddressFamily family = ExtractFamilyFromSaddr(saddrHexString);
// Saddr Template:
// 0-1 bytes - family,
// 2-3 bytes - port
// 4-7 byte - ip
//Extract port
var bytes = ByteExtensions.GetBytesFromFromHexString(saddrHexString);
var port = bytes.ToUshort(2, false);
if (family == LinuxAddressFamily.AF_INET)
{
var ip = bytes.Skip(4).Take(4);
retSaddr = new ConnectionSaddr
{
Ip = string.Join('.', ip),
Port = port
};
}
else if (family == LinuxAddressFamily.AF_INET6)
{
// Saddr for IPv6:
// 0-1 bytes - family,
// 2-3 bytes - port
// 4-7 byte - flowinfo
// 8-23 24 - ip
var ip = BitConverter.ToString(bytes.Skip(8).Take(16).ToArray()).Replace("-", "");
ip = Regex.Replace(ip, "(.{4})", "$1:");
ip = ip.Remove(ip.Length - 1, 1);
retSaddr = new ConnectionSaddr
{
Ip = ip,
Port = port
};
}
return(retSaddr);
}
/// <summary>
/// This function recieve an event from the audit log file
/// It filters out connections that are not relevant for security (e.g. local connects)
/// It then returns "ConnectionCreate" event type that represent a succefull open connection from/to the internet
/// </summary>
/// <param name="auditEvent">A log event from the the audit event</param>
/// <returns>A device event based on the input</returns>
private IEvent CreateEventFromAuditRecord(AuditEvent auditEvent)
{
ConnectionsPayload connectionPayload = null;
ConnectionCreate retConnection = null;
string saddr = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.SocketAddress, throwIfNotExist: false);
if (!string.IsNullOrEmpty(saddr))
{
//Check the address family of the connection - extract from the saddr
LinuxAddressFamily family = ConnectionSaddr.ExtractFamilyFromSaddr(saddr);
//According to the family type we create/don't create the event
if (!family.IsToIgnore()) //irelevant connections - don't create events
{
if (ConnectionSaddr.IsInetFamliy(family)) //internet connections - create correlated event
{
connectionPayload = CreateInetConnPayloadFromAuditEvent(auditEvent);
}
else //For other famlies (non INET) that are required more investigation - send event with raw data (hex string)
{
connectionPayload = CreateNonInetConnPayloadFromAuditEvent(family, auditEvent);
}
}
}
else
{
SimpleLogger.Debug($"{nameof(GetType)}: Saddr is null or empty, dropping event");
}
if (connectionPayload != null)
{
retConnection = new ConnectionCreate(Priority, connectionPayload, auditEvent.TimeUTC);
}
return(retConnection);
}
/// <summary>
/// Return true if the family indicates internet connection (i.e. INET)
/// Note: we currently don't support IPV6 so AF_INET6 is ignored
/// </summary>
/// <param name="addressFamily">The address family to check</param>
/// <returns>LinuxAddressFamily type</returns>
public static bool IsInetFamliy(LinuxAddressFamily addressFamily)
{
return(addressFamily == LinuxAddressFamily.AF_INET || addressFamily == LinuxAddressFamily.AF_INET6);
}
