Rework Communication+Link to Connection
This commit is contained in:
Daniel
@@ -31,91 +31,170 @@ import (
|
||||
// 4. DecideOnLink
|
||||
// is called when when the first packet of a link arrives only if communication has verdict UNDECIDED or CANTSAY
|
||||
|
||||
// DecideOnCommunicationBeforeDNS makes a decision about a communication before the dns query is resolved and intel is gathered.
|
||||
func DecideOnCommunicationBeforeDNS(comm *network.Communication) {
|
||||
// DecideOnConnection makes a decision about a connection.
|
||||
func DecideOnConnection(conn *network.Connection, pkt packet.Packet) {
|
||||
// update profiles and check if communication needs reevaluation
|
||||
if comm.UpdateAndCheck() {
|
||||
log.Infof("firewall: re-evaluating verdict on %s", comm)
|
||||
comm.ResetVerdict()
|
||||
}
|
||||
|
||||
// check if need to run
|
||||
if comm.GetVerdict() != network.VerdictUndecided {
|
||||
return
|
||||
if conn.UpdateAndCheck() {
|
||||
log.Infof("filter: re-evaluating verdict on %s", conn)
|
||||
conn.Verdict = network.VerdictUndecided
|
||||
}
|
||||
|
||||
// grant self
|
||||
if comm.Process().Pid == os.Getpid() {
|
||||
log.Infof("firewall: granting own communication %s", comm)
|
||||
comm.Accept("")
|
||||
if conn.Process().Pid == os.Getpid() {
|
||||
log.Infof("filter: granting own connection %s", conn)
|
||||
conn.Verdict = network.VerdictAccept
|
||||
return
|
||||
}
|
||||
|
||||
// check if process is communicating with itself
|
||||
if pkt != nil {
|
||||
if conn.Process().Pid >= 0 && pkt.Info().Src.Equal(pkt.Info().Dst) {
|
||||
// get PID
|
||||
otherPid, _, err := process.GetPidByEndpoints(
|
||||
pkt.Info().RemoteIP(),
|
||||
pkt.Info().RemotePort(),
|
||||
pkt.Info().LocalIP(),
|
||||
pkt.Info().LocalPort(),
|
||||
pkt.Info().Protocol,
|
||||
)
|
||||
if err == nil {
|
||||
|
||||
// get primary process
|
||||
otherProcess, err := process.GetOrFindPrimaryProcess(pkt.Ctx(), otherPid)
|
||||
if err == nil {
|
||||
|
||||
if otherProcess.Pid == conn.Process().Pid {
|
||||
conn.Accept("connection to self")
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// get profile
|
||||
p := comm.Process().Profile()
|
||||
|
||||
// check for any network access
|
||||
if p.BlockScopeInternet() && p.BlockScopeLAN() {
|
||||
log.Infof("firewall: denying communication %s, accessing Internet or LAN not permitted", comm)
|
||||
comm.Deny("accessing Internet or LAN not permitted")
|
||||
p := conn.Process().Profile()
|
||||
if p == nil {
|
||||
conn.Block("no profile")
|
||||
return
|
||||
}
|
||||
// continueing with access to either Internet or LAN
|
||||
|
||||
// check endpoint list
|
||||
// FIXME: comm.Entity.Lock()
|
||||
result, reason := p.MatchEndpoint(comm.Entity)
|
||||
// FIXME: comm.Entity.Unlock()
|
||||
// check conn type
|
||||
switch conn.Scope {
|
||||
case network.IncomingHost, network.IncomingLAN, network.IncomingInternet, network.IncomingInvalid:
|
||||
if p.BlockInbound() {
|
||||
if conn.Scope == network.IncomingHost {
|
||||
conn.Block("inbound connections blocked")
|
||||
} else {
|
||||
conn.Deny("inbound connections blocked")
|
||||
}
|
||||
return
|
||||
}
|
||||
case network.PeerLAN, network.PeerInternet, network.PeerInvalid:
|
||||
// Important: PeerHost is and should be missing!
|
||||
if p.BlockP2P() {
|
||||
conn.Block("direct connections (P2P) blocked")
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// check scopes
|
||||
if conn.Entity.IP != nil {
|
||||
classification := netutils.ClassifyIP(conn.Entity.IP)
|
||||
|
||||
switch classification {
|
||||
case netutils.Global, netutils.GlobalMulticast:
|
||||
if p.BlockScopeInternet() {
|
||||
conn.Deny("Internet access blocked") // Block Outbound / Drop Inbound
|
||||
return
|
||||
}
|
||||
case netutils.SiteLocal, netutils.LinkLocal, netutils.LocalMulticast:
|
||||
if p.BlockScopeLAN() {
|
||||
conn.Block("LAN access blocked") // Block Outbound / Drop Inbound
|
||||
return
|
||||
}
|
||||
case netutils.HostLocal:
|
||||
if p.BlockScopeLocal() {
|
||||
conn.Block("Localhost access blocked") // Block Outbound / Drop Inbound
|
||||
return
|
||||
}
|
||||
default: // netutils.Invalid
|
||||
conn.Deny("invalid IP") // Block Outbound / Drop Inbound
|
||||
return
|
||||
}
|
||||
} else if conn.Entity.Domain != "" {
|
||||
// DNS Query
|
||||
// DNS is expected to resolve to LAN or Internet addresses
|
||||
// TODO: handle domains mapped to localhost
|
||||
if p.BlockScopeInternet() && p.BlockScopeLAN() {
|
||||
conn.Block("Internet and LAN access blocked")
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// check endpoints list
|
||||
var result endpoints.EPResult
|
||||
var reason string
|
||||
if conn.Inbound {
|
||||
result, reason = p.MatchServiceEndpoint(conn.Entity)
|
||||
} else {
|
||||
result, reason = p.MatchEndpoint(conn.Entity)
|
||||
}
|
||||
switch result {
|
||||
case endpoints.Undeterminable:
|
||||
comm.UpdateVerdict(network.VerdictUndeterminable)
|
||||
return
|
||||
case endpoints.Denied:
|
||||
log.Infof("firewall: denying communication %s, domain is blacklisted: %s", comm, reason)
|
||||
comm.Deny(fmt.Sprintf("domain is blacklisted: %s", reason))
|
||||
conn.Deny("endpoint is blacklisted: " + reason) // Block Outbound / Drop Inbound
|
||||
return
|
||||
case endpoints.Permitted:
|
||||
log.Infof("firewall: permitting communication %s, domain is whitelisted: %s", comm, reason)
|
||||
comm.Accept(fmt.Sprintf("domain is whitelisted: %s", reason))
|
||||
conn.Accept("endpoint is whitelisted: " + reason)
|
||||
return
|
||||
}
|
||||
// continuing with result == NoMatch
|
||||
|
||||
// implicit default=block for inbound
|
||||
if conn.Inbound {
|
||||
conn.Drop("endpoint is not whitelisted (incoming is always default=block)")
|
||||
return
|
||||
}
|
||||
// continueing with result == NoMatch
|
||||
|
||||
// check default action
|
||||
if p.DefaultAction() == profile.DefaultActionPermit {
|
||||
log.Infof("firewall: permitting communication %s, domain is not blacklisted (default=permit)", comm)
|
||||
comm.Accept("domain is not blacklisted (default=permit)")
|
||||
conn.Accept("endpoint is not blacklisted (default=permit)")
|
||||
return
|
||||
}
|
||||
|
||||
// check relation
|
||||
if !p.DisableAutoPermit() {
|
||||
if checkRelation(comm) {
|
||||
related, reason := checkRelation(conn)
|
||||
if related {
|
||||
conn.Accept(reason)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// prompt
|
||||
if p.DefaultAction() == profile.DefaultActionAsk {
|
||||
prompt(comm, nil, nil)
|
||||
prompt(conn, pkt)
|
||||
return
|
||||
}
|
||||
|
||||
// DefaultAction == DefaultActionBlock
|
||||
log.Infof("firewall: denying communication %s, domain is not whitelisted (default=block)", comm)
|
||||
comm.Deny("domain is not whitelisted (default=block)")
|
||||
conn.Deny("endpoint is not whitelisted (default=block)")
|
||||
return
|
||||
}
|
||||
|
||||
// FilterDNSResponse filters a dns response according to the application profile and settings.
|
||||
func FilterDNSResponse(comm *network.Communication, q *resolver.Query, rrCache *resolver.RRCache) *resolver.RRCache { //nolint:gocognit // TODO
|
||||
func FilterDNSResponse(conn *network.Connection, q *resolver.Query, rrCache *resolver.RRCache) *resolver.RRCache { //nolint:gocognit // TODO
|
||||
// do not modify own queries - this should not happen anyway
|
||||
if comm.Process().Pid == os.Getpid() {
|
||||
if conn.Process().Pid == os.Getpid() {
|
||||
return rrCache
|
||||
}
|
||||
|
||||
// get profile
|
||||
p := comm.Process().Profile()
|
||||
p := conn.Process().Profile()
|
||||
if p == nil {
|
||||
conn.Block("no profile")
|
||||
return nil
|
||||
}
|
||||
|
||||
// check if DNS response filtering is completely turned off
|
||||
if !p.RemoveOutOfScopeDNS() && !p.RemoveBlockedDNS() {
|
||||
@@ -201,14 +280,13 @@ func FilterDNSResponse(comm *network.Communication, q *resolver.Query, rrCache *
|
||||
if addressesRemoved > 0 {
|
||||
rrCache.Filtered = true
|
||||
if addressesOk == 0 {
|
||||
comm.Deny("no addresses returned for this domain are permitted")
|
||||
log.Infof("firewall: fully dns responses for communication %s", comm)
|
||||
conn.Block("no addresses returned for this domain are permitted")
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
if rrCache.Filtered {
|
||||
log.Infof("firewall: filtered DNS replies for %s: %s", comm, strings.Join(rrCache.FilteredEntries, ", "))
|
||||
log.Infof("filter: filtered DNS replies for %s: %s", conn, strings.Join(rrCache.FilteredEntries, ", "))
|
||||
}
|
||||
|
||||
// TODO: Gate17 integration
|
||||
@@ -217,231 +295,22 @@ func FilterDNSResponse(comm *network.Communication, q *resolver.Query, rrCache *
|
||||
return rrCache
|
||||
}
|
||||
|
||||
// DecideOnCommunication makes a decision about a communication with its first packet.
|
||||
func DecideOnCommunication(comm *network.Communication) {
|
||||
// update profiles and check if communication needs reevaluation
|
||||
if comm.UpdateAndCheck() {
|
||||
log.Infof("firewall: re-evaluating verdict on %s", comm)
|
||||
comm.ResetVerdict()
|
||||
|
||||
// if communicating with a domain entity, re-evaluate with BeforeDNS
|
||||
if strings.HasSuffix(comm.Scope, ".") {
|
||||
DecideOnCommunicationBeforeDNS(comm)
|
||||
}
|
||||
}
|
||||
|
||||
// check if need to run
|
||||
if comm.GetVerdict() != network.VerdictUndecided {
|
||||
return
|
||||
}
|
||||
|
||||
// grant self
|
||||
if comm.Process().Pid == os.Getpid() {
|
||||
log.Infof("firewall: granting own communication %s", comm)
|
||||
comm.Accept("")
|
||||
return
|
||||
}
|
||||
|
||||
// get profile
|
||||
p := comm.Process().Profile()
|
||||
|
||||
// check comm type
|
||||
switch comm.Scope {
|
||||
case network.IncomingHost, network.IncomingLAN, network.IncomingInternet, network.IncomingInvalid:
|
||||
if p.BlockInbound() {
|
||||
log.Infof("firewall: denying communication %s, not a service", comm)
|
||||
if comm.Scope == network.IncomingHost {
|
||||
comm.Block("not a service")
|
||||
} else {
|
||||
comm.Deny("not a service")
|
||||
}
|
||||
return
|
||||
}
|
||||
case network.PeerLAN, network.PeerInternet, network.PeerInvalid:
|
||||
// Important: PeerHost is and should be missing!
|
||||
if p.BlockP2P() {
|
||||
log.Infof("firewall: denying communication %s, peer to peer comms (to an IP) not allowed", comm)
|
||||
comm.Deny("peer to peer comms (to an IP) not allowed")
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// check network scope
|
||||
switch comm.Scope {
|
||||
case network.IncomingHost:
|
||||
if p.BlockScopeLocal() {
|
||||
log.Infof("firewall: denying communication %s, serving localhost not allowed", comm)
|
||||
comm.Block("serving localhost not allowed")
|
||||
return
|
||||
}
|
||||
case network.IncomingLAN:
|
||||
if p.BlockScopeLAN() {
|
||||
log.Infof("firewall: denying communication %s, serving LAN not allowed", comm)
|
||||
comm.Deny("serving LAN not allowed")
|
||||
return
|
||||
}
|
||||
case network.IncomingInternet:
|
||||
if p.BlockScopeInternet() {
|
||||
log.Infof("firewall: denying communication %s, serving Internet not allowed", comm)
|
||||
comm.Deny("serving Internet not allowed")
|
||||
return
|
||||
}
|
||||
case network.IncomingInvalid:
|
||||
log.Infof("firewall: denying communication %s, invalid IP address", comm)
|
||||
comm.Drop("invalid IP address")
|
||||
return
|
||||
case network.PeerHost:
|
||||
if p.BlockScopeLocal() {
|
||||
log.Infof("firewall: denying communication %s, accessing localhost not allowed", comm)
|
||||
comm.Block("accessing localhost not allowed")
|
||||
return
|
||||
}
|
||||
case network.PeerLAN:
|
||||
if p.BlockScopeLAN() {
|
||||
log.Infof("firewall: denying communication %s, accessing the LAN not allowed", comm)
|
||||
comm.Deny("accessing the LAN not allowed")
|
||||
return
|
||||
}
|
||||
case network.PeerInternet:
|
||||
if p.BlockScopeInternet() {
|
||||
log.Infof("firewall: denying communication %s, accessing the Internet not allowed", comm)
|
||||
comm.Deny("accessing the Internet not allowed")
|
||||
return
|
||||
}
|
||||
case network.PeerInvalid:
|
||||
log.Infof("firewall: denying communication %s, invalid IP address", comm)
|
||||
comm.Deny("invalid IP address")
|
||||
return
|
||||
}
|
||||
|
||||
log.Infof("firewall: undeterminable verdict for communication %s", comm)
|
||||
comm.UpdateVerdict(network.VerdictUndeterminable)
|
||||
}
|
||||
|
||||
// DecideOnLink makes a decision about a link with the first packet.
|
||||
func DecideOnLink(comm *network.Communication, link *network.Link, pkt packet.Packet) {
|
||||
|
||||
// grant self
|
||||
if comm.Process().Pid == os.Getpid() {
|
||||
log.Infof("firewall: granting own link %s", comm)
|
||||
link.Accept("")
|
||||
return
|
||||
}
|
||||
|
||||
// check if process is communicating with itself
|
||||
if comm.Process().Pid >= 0 && pkt.Info().Src.Equal(pkt.Info().Dst) {
|
||||
// get PID
|
||||
otherPid, _, err := process.GetPidByEndpoints(
|
||||
pkt.Info().RemoteIP(),
|
||||
pkt.Info().RemotePort(),
|
||||
pkt.Info().LocalIP(),
|
||||
pkt.Info().LocalPort(),
|
||||
pkt.Info().Protocol,
|
||||
)
|
||||
if err == nil {
|
||||
|
||||
// get primary process
|
||||
otherProcess, err := process.GetOrFindPrimaryProcess(pkt.Ctx(), otherPid)
|
||||
if err == nil {
|
||||
|
||||
if otherProcess.Pid == comm.Process().Pid {
|
||||
log.Infof("firewall: permitting connection to self %s", comm)
|
||||
link.AddReason("connection to self")
|
||||
|
||||
link.Lock()
|
||||
link.Verdict = network.VerdictAccept
|
||||
link.SaveWhenFinished()
|
||||
link.Unlock()
|
||||
return
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// check if we aleady have a verdict
|
||||
switch comm.GetVerdict() {
|
||||
case network.VerdictUndecided, network.VerdictUndeterminable:
|
||||
// continue
|
||||
default:
|
||||
link.UpdateVerdict(comm.GetVerdict())
|
||||
return
|
||||
}
|
||||
|
||||
// get profile
|
||||
p := comm.Process().Profile()
|
||||
|
||||
// check endpoints list
|
||||
var result endpoints.EPResult
|
||||
var reason string
|
||||
// FIXME: link.Entity.Lock()
|
||||
if comm.Direction {
|
||||
result, reason = p.MatchServiceEndpoint(link.Entity)
|
||||
} else {
|
||||
result, reason = p.MatchEndpoint(link.Entity)
|
||||
}
|
||||
// FIXME: link.Entity.Unlock()
|
||||
switch result {
|
||||
case endpoints.Denied:
|
||||
log.Infof("firewall: denying link %s, endpoint is blacklisted: %s", link, reason)
|
||||
link.Deny(fmt.Sprintf("endpoint is blacklisted: %s", reason))
|
||||
return
|
||||
case endpoints.Permitted:
|
||||
log.Infof("firewall: permitting link %s, endpoint is whitelisted: %s", link, reason)
|
||||
link.Accept(fmt.Sprintf("endpoint is whitelisted: %s", reason))
|
||||
return
|
||||
}
|
||||
// continueing with result == NoMatch
|
||||
|
||||
// implicit default=block for incoming
|
||||
if comm.Direction {
|
||||
log.Infof("firewall: denying link %s: endpoint is not whitelisted (incoming is always default=block)", link)
|
||||
link.Deny("endpoint is not whitelisted (incoming is always default=block)")
|
||||
return
|
||||
}
|
||||
|
||||
// check default action
|
||||
if p.DefaultAction() == profile.DefaultActionPermit {
|
||||
log.Infof("firewall: permitting link %s: endpoint is not blacklisted (default=permit)", link)
|
||||
link.Accept("endpoint is not blacklisted (default=permit)")
|
||||
return
|
||||
}
|
||||
|
||||
// check relation
|
||||
if !p.DisableAutoPermit() {
|
||||
if checkRelation(comm) {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// prompt
|
||||
if p.DefaultAction() == profile.DefaultActionAsk {
|
||||
prompt(comm, link, pkt)
|
||||
return
|
||||
}
|
||||
|
||||
// DefaultAction == DefaultActionBlock
|
||||
log.Infof("firewall: denying link %s: endpoint is not whitelisted (default=block)", link)
|
||||
link.Deny("endpoint is not whitelisted (default=block)")
|
||||
return
|
||||
}
|
||||
|
||||
// checkRelation tries to find a relation between a process and a communication. This is for better out of the box experience and is _not_ meant to thwart intentional malware.
|
||||
func checkRelation(comm *network.Communication) (related bool) {
|
||||
if comm.Entity.Domain != "" {
|
||||
return false
|
||||
func checkRelation(conn *network.Connection) (related bool, reason string) {
|
||||
if conn.Entity.Domain != "" {
|
||||
return false, ""
|
||||
}
|
||||
// don't check for unknown processes
|
||||
if comm.Process().Pid < 0 {
|
||||
return false
|
||||
if conn.Process().Pid < 0 {
|
||||
return false, ""
|
||||
}
|
||||
|
||||
pathElements := strings.Split(comm.Process().Path, string(filepath.Separator))
|
||||
pathElements := strings.Split(conn.Process().Path, string(filepath.Separator))
|
||||
// only look at the last two path segments
|
||||
if len(pathElements) > 2 {
|
||||
pathElements = pathElements[len(pathElements)-2:]
|
||||
}
|
||||
domainElements := strings.Split(comm.Entity.Domain, ".")
|
||||
domainElements := strings.Split(conn.Entity.Domain, ".")
|
||||
|
||||
var domainElement string
|
||||
var processElement string
|
||||
@@ -455,21 +324,20 @@ matchLoop:
|
||||
break matchLoop
|
||||
}
|
||||
}
|
||||
if levenshtein.Match(domainElement, comm.Process().Name, nil) > 0.5 {
|
||||
if levenshtein.Match(domainElement, conn.Process().Name, nil) > 0.5 {
|
||||
related = true
|
||||
processElement = comm.Process().Name
|
||||
processElement = conn.Process().Name
|
||||
break matchLoop
|
||||
}
|
||||
if levenshtein.Match(domainElement, comm.Process().ExecName, nil) > 0.5 {
|
||||
if levenshtein.Match(domainElement, conn.Process().ExecName, nil) > 0.5 {
|
||||
related = true
|
||||
processElement = comm.Process().ExecName
|
||||
processElement = conn.Process().ExecName
|
||||
break matchLoop
|
||||
}
|
||||
}
|
||||
|
||||
if related {
|
||||
log.Infof("firewall: permitting communication %s, match to domain was found: %s is related to %s", comm, domainElement, processElement)
|
||||
comm.Accept(fmt.Sprintf("domain is related to process: %s is related to %s", domainElement, processElement))
|
||||
reason = fmt.Sprintf("domain is related to process: %s is related to %s", domainElement, processElement)
|
||||
}
|
||||
return related
|
||||
return
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user