utils


Constants

// Names and tc parameters of the kernel-side hooks the agent attaches.
// The string values are presumably the program/section names compiled into
// the eBPF objects listed in the *_NETIFACE_INT / *_EBPF variables — verify
// against the ebpf/*.o sources, since a name that does not match loads nothing.
const (
	TC_CONTROL_PROG                = "exfil_sec"                       // tc CLSACT qdisc filter on the root net_device
	TC_CONTROL_PROG_BRIDGE_INGRESS = "exfil_sec_bridge_ingress_filter" // tc CLSACT qdisc, bridge ingress side
	TC_CONTROL_PROG_BRIDGE_EGRESS  = "exfil_sec_bridge_ingress_filter" // tc CLSACT qdisc, bridge egress side. NOTE(review): same value as the ingress name — confirm the egress filter is meant to reuse the ingress program and this is not a copy-paste slip

	TRACEPOINT_PROC_KILL_TRACEPOINT = "handle_mal_c2_proc_exit" // attached to the sched_process_exit tracepoint
	SOCK_OPS_PROC_UDP_TRACEPOINT    = "dns_udp_sock_ops"        // cgroup skb program, egress direction (cgroup_skb/egress)
	XDP_CONTROL_PROG                = "xdp"                     // XDP program, non-offloaded (generic/driver mode); the original trailing note here was garbled and has been dropped

	LSM_CRYPTO_VERIFY_PROG        = "bpf" // LSM hook name; runs on bpf_prog load, program comes from lsm.o
	TC_CLSACT_PARENT_QDISC_HANDLE = 0xffff // major handle of the clsact parent qdisc (ffff:)
	TC_CLSACT_PARENT_QDISC_PRIO   = 1      // filter priority under the clsact qdisc
	DEFAULT_SK_BUFF_NUONCE        = 0xffff // default skb nonce value; its use is not visible in this file — presumably consumed kernel-side, confirm
)

Kernel network traffic control (tc) and XDP ingress layer.

// Link-local IPv6 addresses the agent associates with its "suspicious" and
// "malicious" network namespaces; they differ only in the final hextet.
// NOTE(review): whether these are the netns-side or bridge-side addresses is
// not visible here — confirm against the namespace setup code before relying
// on them in filters.
const (
	SUSPICIOUS_NETNS_IPV6 = "fe80::d091:3cff:fe25:6d96"
	MALICIOUS_NETNS_IPV6  = "fe80::d091:3cff:fe25:6d97"
)
// Mount points of the BPF filesystem (where maps and programs are pinned) and
// of the cgroup filesystem (where cgroup-attached programs hook in).
// Objects pinned under PINPATH are not released when the agent exits; they stay
// until explicitly unpinned (see UnPinPinnedMaps), so a crashed run can leave
// maps behind that a later run may pick up or collide with.
const (
	PINPATH  = "/sys/fs/bpf"
	CGROUPFS = "/sys/fs/cgroup"
)

BPF map-pinning virtual filesystem, used to mount pinned maps.

// Kernel release (6.6.10) from which tcx-style tc links are assumed to be
// supported; presumably compared against GetKernelReleaseSubVersions by
// VerifyTcxSupportEgressLink. NOTE(review): the identifiers are offset from
// the usual major.minor.patch naming — PATCH_RELEASE holds the minor number (6)
// and SUB_RELEASE the patch number (10).
const (
	TCX_KERNEL_SUPPORT_MAJOR_RELEASE = 6
	TCX_KERNEL_SUPPORT_PATCH_RELEASE = 6
	TCX_KERNEL_SUPPORT_SUB_RELEASE   = 10
)
// IPAM values for the agent's bridge network.
// BRIDGE_IPAM_IPV4_IP is an address prefix (note the trailing dot), presumably
// concatenated with a host id by GetIpv4AddressUserSpaceDpIString — confirm
// that callers validate the id so the result stays inside BRIDGE_IPAM_IPV4_CIDR.
// BRIDGE_IPAM_MAL_TUNNEL_IPV4_IP lies outside that /24.
const (
	BRIDGE_IPAM_IPV4_CIDR          = "10.200.0.0/24"
	BRIDGE_IPAM_IPV4_IP            = "10.200.0."
	BRIDGE_IPAM_MAL_TUNNEL_IPV4_IP = "10.210.0.0" // send to the router bridge gateway for now
)
// Well-known transport ports the DNS inspection path matches on.
// See VerifyNonDnsTransportPorts for the complementary check.
const (
	DNS_EGRESS_PORT                   uint16 = 53   // plain DNS
	DOT_EGRESS_PORT                   uint16 = 853  // DNS over TLS
	DNS_EGRESS_MULTICAST_PORT         uint16 = 5353 // mDNS
	LLMNR_EGRESS_LOCAL_MULTICAST_PORT uint16 = 5355 // LLMNR
)
// Sizing for the userspace LRU caches (entry counts, not bytes).
// Presumably passed to the cache constructors in InitCache — confirm.
const (
	MAX_NODE_AGENT_CACHE_SIZE           = 1000 // top-level (per-TLD) entries
	INFERENED_DOMAIN_CACHE_SIZE_PER_TLD = 1000 // nested entries per TLD; identifier misspells "INFERRED"
	MAX_NODE_AGENT_CACHE_LOOKUP_SIZE    = 1000
)

Node-agent caches live in userspace memory, not in the kernel heap referenced through the kernel map FD.

// Default value for the IPv6 checksum map. Its consumer is not visible here
// (presumably a kernel map entry) — confirm the expected width/meaning
// kernel-side before changing it.
const (
	DEFAULT_IPV6_CHECKSUM_MAP = 0xff
)
// Number of malicious exfiltration hits after which the agent kills the
// offending process (see KillProc and the EXFIL_PROCESS_CACHE_CLEAN_THRESHOLD*
// variables that default to this value). A low value stops a breach sooner
// but raises the cost of a false positive, since the action is a SIGKILL.
const (
	DEFAULT_SIGKILL_MALICIOUS_EXFIL_THRESHOLD = 5
)
// Compile-time switch for timing the kernel DPI path. Being a constant it
// cannot be toggled at runtime; flip it here and rebuild to disable the
// measurement overhead in production.
const (
	ENABLE_KERNEL_DPI_IMPACT_MEASURE_TIME = true
)

Capture performance benchmark details.

// Name of the node configuration file. It is a relative path, so where it is
// read from depends on the loader's working directory or base directory (not
// shown here) — confirm it is resolved against a trusted location.
const (
	NODE_CONFIG_FILE = "config.yaml"
)
// skb->mark value used to tag redirected packets. Presumably set by the tc
// programs and matched by netfilter rules or other eBPF hooks, so the
// kernel-side sources must use the same value — confirm when changing it.
const (
	REDIRECT_SKB_MARK = 0xff
)

Kernel skb mark set from the tc qdisc over the netns filter or netfilter chain.

Variables

// Userspace LRU caches holding domain verdicts so the packet path can skip
// repeated inference. They are nil at package load; InitCache is expected to
// create them, so reads before that would dereference nil pointers. The types
// look like hashicorp/golang-lru/v2 — confirm, including their locking.
var (
	NODE_AGENT_BLACKLISTED_DOMAINS                 *expirable.LRU[string, *expirable.LRU[string, bool]] // egress: presumably TLD -> expiring set of FQDN -> blacklisted flag (see UpdateDomainNestedEgressCache)
	NODE_AGENT_INGRESS_BACKLISTED_DOMAINS          *expirable.LRU[string, bool]                         // ingress: TLD -> blacklisted flag; identifier misspells "BLACKLISTED"
	NODE_AGENT_REMOTE_INFERENCE_READ_THROUGH_CACHE *lru.Cache[string, *lru.Cache[string, bool]]         // the SLD send for remote inference --> actual fqdn inferred result, must always contain benign domains sent and cached for lookup, considering malicious domain are stored in malicious cache
)

All the LRU caches for the eBPF agent in userspace. They must reside in the agent's userspace heap memory, apart from the eBPF maps in the kernel that process packet payloads on the kernel datapath; the userspace caches accelerate inference and per-packet processing speed.

// Paths of the compiled eBPF objects loaded into the kernel (see
// ReadEbpfProgRaw / ReadEbpfFromSpec). They are relative paths and ordinary
// variables, so the effective location depends on the working directory or on
// ConfigureCustomEBPFProgOutputPath; whatever directory they resolve to must be
// writable only by the agent's owner, since its contents end up in the kernel.
// NOTE(review): the bridge egress and ingress entries both point at
// bridge_ing.o, and SOCK_SKB_OP_CODE_EBPF / SDR_SOCK_NETIFACT_FILTER both at
// sock.o — confirm the sharing is intended.
var (
	TC_EGRESS_ROOT_NETIFACE_INT    = "ebpf/tc.o"         // tc program for the root net_device egress
	NF_EGRESS_BRIDGE_NETIFACE_INT  = "ebpf/bridge_ing.o" // bridge egress (same object as ingress, see note above)
	NF_INGRESS_BRIDGE_NETIFACE_INT = "ebpf/bridge_ing.o" // bridge ingress
	TC_EGRESS_TUNNEL_NETIFACE_INT  = "ebpf/tun.o"        // tc program for the tunnel device egress
	SOCK_TUNNEL_CODE_EBPF          = "ebpf/netlink.o"
	TRACEPOINT_KERNEL_PROG         = "ebpf/tracepoint.o" // holds TRACEPOINT_PROC_KILL_TRACEPOINT

	LSM_CRYPTO_BPF_VERIFER_PROG = "ebpf/lsm_bpf.o" // LSM program that verifies bpf_prog loads (see LSM_CRYPTO_VERIFY_PROG)

	SOCK_SKB_OP_CODE_EBPF = "ebpf/sock.o" // kernel egress sock prog for sock op over a cgroup
	// sdr sock_ops and sock_filter for skb_buff
	SDR_SOCK_NETIFACT_FILTER = "ebpf/sock.o"
)

Used to guard against exfiltration over the host net_device for egress traffic.

// Public recursive resolver addresses the agent treats as known-good transfer
// links. The lists mix Google (2001:4860:4860::/ 8.8.x.x) and Cloudflare
// (2606:4700:4700::/ 1.1.1.1) resolvers, not only Google as the old comment
// said. Being slices, they are mutable at runtime; nothing here prevents a
// caller from appending to them.
var (
	// Google and Cloudflare public DNS resolvers, IPv6
	GLOBAL_ROUTE_IPV6_TRANSFER_LINKS = []string{
		"2001:4860:4860::8888",
		"2001:4860:4860::8844",
		"2606:4700:4700::1111",
		"2606:4700:4700::1001",
	}
	// Google and Cloudflare public DNS resolvers, IPv4
	GLOBAL_ROUTE_IPV4_TRANSFER_LINKS = []string{
		"8.8.8.8",
		"8.8.4.4",
		"1.1.1.1",
	}
)
// Tunables for the per-process exfiltration counters that drive KillProc.
// NOTE(review): the comments say the benign-port threshold should be higher
// than the tunnel threshold, but both are assigned the same value
// (DEFAULT_SIGKILL_MALICIOUS_EXFIL_THRESHOLD) — confirm which is intended.
var (
	EXFIL_PROCESS_CACHE_CLEAN_INTERVAL              = time.Second * 10                          // how often the process cache is pruned
	EXFIL_PROCESS_CACHE_CLEAN_THRESHOLD             = DEFAULT_SIGKILL_MALICIOUS_EXFIL_THRESHOLD // ideally the c2 implant malware would starve and kill itself, but if it keeps retrying the security node agent will kill the process; used for overlaid DNS over a random UDP port
	EXFIL_PROCESS_CACHE_CLEAN_THRESHOLD_BENIGN_PORT = DEFAULT_SIGKILL_MALICIOUS_EXFIL_THRESHOLD // meant to be a higher threshold than the tunnelled-c2 one, which must stay low to stop a breach asap (currently equal, see note above)

	EXFIL_PROCESS_CACHE_CLEAN_MALICIOUS_PORT_INGRESS_SNIF_THRESHOLD = 5 // literal rather than the DEFAULT_* constant; kept separate presumably on purpose — confirm
)
// DEBUG enables verbose output; it is a plain package variable, so it is
// presumably set once at startup (how is not visible here) and not safe to
// flip concurrently with readers.
var DEBUG = false
// Logger is the package-wide logger. It is nil until InitLogger/NewLogger set
// it (presumably), so Log must be guarded against the nil case or only be
// called after initialisation — confirm against Log's body.
var (
	Logger *log.Logger = nil
)

Functions

func BigEndianToIPv4

func BigEndianToIPv4(ipInt uint32) string

func ConfigureCustomEBPFProgOutputPath

func ConfigureCustomEBPFProgOutputPath(path string) error

func CpuArch

func CpuArch() string

func DeleteAllBlacklistforSLDInEgressCache

func DeleteAllBlacklistforSLDInEgressCache(tld string)

func DeleteDomainBlackListInEgressCache

func DeleteDomainBlackListInEgressCache(tld, fqdn string) error

Delete the tld and fqdn from the egress cache

func ForceGc

func ForceGc()

func GenerateBigEndianIpv4

func GenerateBigEndianIpv4(ipv4 string) uint32

func GenerateBigEndianIpv6

func GenerateBigEndianIpv6(ipv6 string) (uint64, uint64)

func GenerateBpfFIlterForDNS

func GenerateBpfFIlterForDNS(isEgress bool, isudp bool) string

Generate the BPF filter for zero-copy sniffing of DNS over UDP or TCP.

func GenerateC2BlacklistAddressChannels

func GenerateC2BlacklistAddressChannels() (chan net.IP, chan net.IP)

Generate the required channels for the controller to stream remote IPv4 / IPv6 C2 server addresses.

func GenerateLittelEndianIpv4

func GenerateLittelEndianIpv4(ipv4 string) uint32

func GenerateUniqueConsumerGroupId

func GenerateUniqueConsumerGroupId() string

func GetBlaclistedDomainsEgressCache

func GetBlaclistedDomainsEgressCache() []string

Get the blacklisted domains from the egress cache

func GetBlaclistedDomainsIngressCache

func GetBlaclistedDomainsIngressCache() []string

Get the list of tld present in the ingress cache

func GetCPUCores

func GetCPUCores() int

func GetIpv4AddressUserSpaceDpIString

func GetIpv4AddressUserSpaceDpIString(id int) string

func GetIpv4AddressUserspaceDPI

func GetIpv4AddressUserspaceDPI(id int) net.IP

func GetKernelRelease

func GetKernelRelease() (string, error)

func GetKernelReleaseSubVersions

func GetKernelReleaseSubVersions(release string) []string

func GetKeyPresentInEgressBenignRemoteInferCache

func GetKeyPresentInEgressBenignRemoteInferCache(tld, fqdn string) bool

func GetKeyPresentInEgressCache

func GetKeyPresentInEgressCache(tld string) bool

Get the tld from the egress cache

func GetNodeHostName

func GetNodeHostName() (string, error)

func GetPacketPayloadSize

func GetPacketPayloadSize(layer gopacket.Layer, protocol string) int

func IngDeleteDomainBlackListInCache

func IngDeleteDomainBlackListInCache(tld string) bool

Delete the tld from the ingress cache

func IngGetKeyPresentInCache

func IngGetKeyPresentInCache(tld string) bool

Check whether the tld is present in the ingress cache and return its value if present.

func IngUpdateDomainBlacklistInCache

func IngUpdateDomainBlacklistInCache(tld string)

Ingress cache processing for the eBPF node-agent LRU cache: add the tld to the ingress cache.

func InitCMS

func InitCMS(ip string, ct int) error

Offload heavy lookup work to a count-min sketch for performance, only if the cache becomes too heavy for lookup.

func InitCache

func InitCache(conf *CacheConfig) error

Init the cache for the eBPF node agent in user space

func InitGlobalErrorControlChannel

func InitGlobalErrorControlChannel() chan agenterr.AgentError

func InitLogger

func InitLogger()

func IsValidProcVfsMounted

func IsValidProcVfsMounted(procId int) (bool, error)

func KillProc

func KillProc(procId uint32) error

func LittleEndianToIpv4

func LittleEndianToIpv4(ipaddr uint32) string

func Log

func Log(args ...any)

func NewLogger

func NewLogger(ctx context.Context)

Add a functional-options pattern if a more customized logger is required.

func ParseIp

func ParseIp(saddr uint32) string

func ParseIpV6

func ParseIpV6(saddr uint64) string

func ReadEbpfFromSpec

func ReadEbpfFromSpec(ctx context.Context, ebpfProgCode string) (*ebpf.CollectionSpec, error)

func ReadEbpfProgRaw

func ReadEbpfProgRaw(path string) ([]byte, error)

func UnPinPinnedMaps

func UnPinPinnedMaps(collection *ebpf.Collection, unupinMaps []string) error

Removes the pinned eBPF map mounts from the bpf filesystem.

func UpdateDomainNestedEgressCache

func UpdateDomainNestedEgressCache(tld, fqdn string, isBlackListEgress bool)

Egress cache processing for the eBPF node-agent LRU cache: the tld and its value.

func VerifyKernelEgressTCClsactTaskCommSuppert

func VerifyKernelEgressTCClsactTaskCommSuppert() bool

func VerifyKernelSupportTaskComms

func VerifyKernelSupportTaskComms(processId uint32, threadId uint32) bool

func VerifyNonDnsTransportPorts

func VerifyNonDnsTransportPorts(port uint16) bool
func VerifyTcxSupportEgressLink() bool

func VerifyTopDomainsData

func VerifyTopDomainsData() (string, error)

Types

type CacheConfig

// CacheConfig carries the TTLs used by InitCache for the userspace caches.
// The unit of the TTL fields is not stated here (seconds? — TODO confirm
// against InitCache); a zero value presumably means no expiry or an
// immediate expiry depending on the cache library, so callers should set all three.
type CacheConfig struct {
	IngressMaliciousCacheTTL       int // TTL for NODE_AGENT_INGRESS_BACKLISTED_DOMAINS
	EgressMaliciousCacheTTL        int // TTL for NODE_AGENT_BLACKLISTED_DOMAINS
	GlobalMaliciousprocessCacheTTl int // TTL for the malicious-process cache; field name has inconsistent casing ("TTl")
}

type ChunkRange

// ChunkRange is a half-open or closed byte range [Start, End]; which end is
// inclusive is not visible here — confirm with the code that slices by it.
type ChunkRange struct {
	Start int64
	End   int64
}

type DomainNodeAgentCacheBlock

// DomainNodeAgentCacheBlock groups full domain names under one cache entry.
// A nil CompleteDomain map panics on write; construct it before inserting.
type DomainNodeAgentCacheBlock struct {
	CompleteDomain map[string]bool // FQDN -> flag (presumably the blacklist verdict — confirm)
}

type Limites

// Limites (sic, "Limits") holds the bounds used when validating domain names
// before inference. Lengths are presumably in characters and the label count
// in DNS labels — confirm against the validation code.
type Limites struct {
	MIN_DOMAIN_LENGTH              int
	MAX_DOMAIN_LENGTH              int
	MIN_SUBDOMAIN_LENGTH_PER_LABEL int
	MIN_LABEL_COUNT                int
}

type MaliciousKernelTaskCommExportedProcInfo

// MaliciousKernelTaskCommExportedProcInfo identifies a task flagged by the
// kernel-side hooks. The uint32 pair matches the parameters of
// VerifyKernelSupportTaskComms and KillProc; ProcessId is what ends up being
// signalled, so any value originating from the kernel maps should be
// re-validated (e.g. via IsValidProcVfsMounted) before KillProc acts on it.
type MaliciousKernelTaskCommExportedProcInfo struct {
	ProcessId uint32 // pid (tgid) of the offending task
	ThreadId  uint32 // tid of the offending task
}

Works as a bridge between the kernel netdev (tc) layer and the kernel syscall-layer eBPF hooks, used to kill a process if multiple malicious counts are found.

type ProcessInfo

// ProcessInfo is a userspace view of a process, populated by GetProcessInfo
// from the mounted proc filesystem. Numeric identifiers are kept as the raw
// strings read from procfs rather than parsed integers.
type ProcessInfo struct {
	Pid       string   // process id
	PPid      string   // parent process id
	ThreadId  string   // thread id
	GroupId   string   // group id
	Command   string   // command line
	ProcComm  string   // kernel task comm name
	OpenFiles []string // open file descriptors / paths
	UserOwner string   // owning user
}

The same can be returned from the kernel using bpf_get_current_comm() on task_struct, bpf_get_current_pid_tgid and bpf_get_current_uid_gid; since this runs in user space, it uses the kernel-mounted process filesystem instead.

func GetProcessInfo

func GetProcessInfo(pid int) (*ProcessInfo, error)

Get the process info from the kernel process vfs.

type StreamEvents

// StreamEvents is an empty marker type; any behaviour lives in methods
// declared elsewhere in the package (none are visible here).
type StreamEvents struct{}

type TopDomains

// TopDomains holds the known top-domain (TLD) set, loaded by ReadTldDomainsData
// and extended by UpdateDomainDomainTLDCache. The embedded *sync.Map is nil on
// a zero TopDomains value, so use ReadTldDomainsData rather than a literal.
type TopDomains struct {
	TopDomains *sync.Map
}

func ReadTldDomainsData

func ReadTldDomainsData() (*TopDomains, error)

func (*TopDomains) UpdateDomainDomainTLDCache

func (t *TopDomains) UpdateDomainDomainTLDCache(domain string)

type Utsname

// Utsname mirrors struct utsname from uname(2): fixed 65-byte, NUL-terminated
// C strings stored as int8 arrays. Convert with care — read up to the first 0
// byte rather than the whole array. Presumably the backing type for
// GetKernelRelease — confirm.
type Utsname struct {
	Sysname    [65]int8
	Nodename   [65]int8
	Release    [65]int8
	Version    [65]int8
	Machine    [65]int8
	Domainname [65]int8
}
