Improve endpoint/rule lists and filtering of DNS requests
@@ -22,9 +22,18 @@ type EndpointASN struct {
|
||||
|
||||
// Matches checks whether the given entity matches this endpoint definition.
|
||||
func (ep *EndpointASN) Matches(ctx context.Context, entity *intel.Entity) (EPResult, Reason) {
|
||||
if entity.IP == nil {
|
||||
return NoMatch, nil
|
||||
}
|
||||
|
||||
if !entity.IPScope.IsGlobal() {
|
||||
return NoMatch, nil
|
||||
}
|
||||
|
||||
asn, ok := entity.GetASN(ctx)
|
||||
if !ok {
|
||||
return Undeterminable, nil
|
||||
asnStr := strconv.Itoa(int(ep.ASN))
|
||||
return MatchError, ep.makeReason(ep, asnStr, "ASN data not available to match")
|
||||
}
|
||||
|
||||
if asn == ep.ASN {
|
||||
|
||||
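Review bot: The doc comment on Matches does not say that this endpoint now answers MatchError when the ASN lookup fails, which is the non-obvious outcome added here; per the IsDecision change further down, MatchError counts as a decision, so presumably evaluation stops at this rule rather than falling through as Undeterminable did. Suggest extending the comment: `// Matches checks whether the given entity matches this endpoint definition. It returns NoMatch for entities without a global IP and MatchError if ASN data cannot be looked up.` The temporary `asnStr` is used exactly once and could be inlined into the makeReason call. The function body continues past the end of the hunk.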
@@ -21,9 +21,17 @@ type EndpointCountry struct {
|
||||
|
||||
// Matches checks whether the given entity matches this endpoint definition.
|
||||
func (ep *EndpointCountry) Matches(ctx context.Context, entity *intel.Entity) (EPResult, Reason) {
|
||||
if entity.IP == nil {
|
||||
return NoMatch, nil
|
||||
}
|
||||
|
||||
if !entity.IPScope.IsGlobal() {
|
||||
return NoMatch, nil
|
||||
}
|
||||
|
||||
country, ok := entity.GetCountry(ctx)
|
||||
if !ok {
|
||||
return Undeterminable, nil
|
||||
return MatchError, ep.makeReason(ep, country, "country data not available to match")
|
||||
}
|
||||
|
||||
if country == ep.Country {
|
||||
|
||||
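Review bot: On the MatchError return, `country` is the value from the failed GetCountry lookup (presumably empty when ok is false), whereas the ASN endpoint above passes the rule's own ep.ASN to makeReason; the reason text will therefore lack the value this rule was matching against. Suggest `return MatchError, ep.makeReason(ep, ep.Country, "country data not available to match")` for consistency with EndpointASN.Matches. The function body continues past the end of the hunk.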
@@ -17,7 +17,7 @@ type EndpointIP struct {
|
||||
// Matches checks whether the given entity matches this endpoint definition.
|
||||
func (ep *EndpointIP) Matches(_ context.Context, entity *intel.Entity) (EPResult, Reason) {
|
||||
if entity.IP == nil {
|
||||
return Undeterminable, nil
|
||||
return NoMatch, nil
|
||||
}
|
||||
|
||||
if ep.IP.Equal(entity.IP) {
|
||||
|
||||
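Review bot: An entity with no IP now yields NoMatch instead of Undeterminable, so presumably IP-based rules are skipped for such entities (for example a DNS request carrying only a domain) rather than halting evaluation, and the unchanged doc comment does not record this. Suggest adding `// Entities without an IP never match this endpoint.` below the existing comment here and in the identical EndpointIPRange and EndpointScope hunks below; the EndpointASN and EndpointCountry hunks above make the same change. The function body continues past the end of the hunk.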
@@ -17,8 +17,9 @@ type EndpointIPRange struct {
|
||||
// Matches checks whether the given entity matches this endpoint definition.
|
||||
func (ep *EndpointIPRange) Matches(_ context.Context, entity *intel.Entity) (EPResult, Reason) {
|
||||
if entity.IP == nil {
|
||||
return Undeterminable, nil
|
||||
return NoMatch, nil
|
||||
}
|
||||
|
||||
if ep.Net.Contains(entity.IP) {
|
||||
return ep.match(ep, entity, ep.Net.String(), "IP is in")
|
||||
}
|
||||
|
||||
@@ -33,7 +33,7 @@ type EndpointScope struct {
|
||||
// Matches checks whether the given entity matches this endpoint definition.
|
||||
func (ep *EndpointScope) Matches(_ context.Context, entity *intel.Entity) (EPResult, Reason) {
|
||||
if entity.IP == nil {
|
||||
return Undeterminable, nil
|
||||
return NoMatch, nil
|
||||
}
|
||||
|
||||
var scope uint8
|
||||
|
||||
@@ -27,7 +27,7 @@ type EndpointBase struct { //nolint:maligned // TODO
|
||||
|
||||
func (ep *EndpointBase) match(s fmt.Stringer, entity *intel.Entity, value, desc string, keyval ...interface{}) (EPResult, Reason) {
|
||||
result := ep.matchesPPP(entity)
|
||||
if result == Undeterminable || result == NoMatch {
|
||||
if result == NoMatch {
|
||||
return result, nil
|
||||
}
|
||||
|
||||
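Review bot: Dropping the `result == Undeterminable` guard means an Undeterminable result from matchesPPP now continues into the remainder of match, which lies outside this hunk; the matchesPPP hunks below remove the visible Undeterminable returns, so this looks intentional, but the rest of matchesPPP is not on this page and any remaining Undeterminable path would be handled like a match. If no such path remains, a one-line comment would make the invariant explicit, e.g. `// matchesPPP never returns Undeterminable: an unknown protocol or port is a NoMatch.`; otherwise the guard should stay. The function body continues past the end of the hunk.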
@@ -57,10 +57,6 @@ func (ep *EndpointBase) makeReason(s fmt.Stringer, value, desc string, keyval ..
|
||||
func (ep *EndpointBase) matchesPPP(entity *intel.Entity) (result EPResult) {
|
||||
// only check if protocol is defined
|
||||
if ep.Protocol > 0 {
|
||||
// if protocol is unknown, return Undeterminable
|
||||
if entity.Protocol == 0 {
|
||||
return Undeterminable
|
||||
}
|
||||
// if protocol does not match, return NoMatch
|
||||
if entity.Protocol != ep.Protocol {
|
||||
return NoMatch
|
||||
@@ -69,10 +65,6 @@ func (ep *EndpointBase) matchesPPP(entity *intel.Entity) (result EPResult) {
|
||||
|
||||
// only check if port is defined
|
||||
if ep.StartPort > 0 {
|
||||
// if port is unknown, return Undeterminable
|
||||
if entity.DstPort() == 0 {
|
||||
return Undeterminable
|
||||
}
|
||||
// if port does not match, return NoMatch
|
||||
if entity.DstPort() < ep.StartPort || entity.DstPort() > ep.EndPort {
|
||||
return NoMatch
|
||||
|
||||
@@ -17,7 +17,7 @@ type EPResult uint8
|
||||
// Endpoint matching return values
|
||||
const (
|
||||
NoMatch EPResult = iota
|
||||
Undeterminable
|
||||
MatchError
|
||||
Denied
|
||||
Permitted
|
||||
)
|
||||
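Review bot: MatchError is inserted in the middle of the iota block, which renumbers Denied and Permitted; that is only safe if EPResult values are never persisted, logged numerically or compared across versions, which this page does not show, and appending the new constant after Permitted would avoid the question entirely. The new constant also carries no comment although it changes the decision semantics; suggest `MatchError // data needed for matching could not be obtained; counts as a decision (see IsDecision)`.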
@@ -25,7 +25,7 @@ const (
|
||||
// IsDecision returns true if result represents a decision
|
||||
// and false if result is NoMatch or Undeterminable.
|
||||
func IsDecision(result EPResult) bool {
|
||||
return result == Denied || result == Permitted || result == Undeterminable
|
||||
return result == Denied || result == Permitted || result == MatchError
|
||||
}
|
||||
|
||||
// ParseEndpoints parses a list of endpoints and returns a list of Endpoints for matching.
|
||||
@@ -88,8 +88,8 @@ func (epr EPResult) String() string {
|
||||
switch epr {
|
||||
case NoMatch:
|
||||
return "No Match"
|
||||
case Undeterminable:
|
||||
return "Undeterminable"
|
||||
case MatchError:
|
||||
return "Match Error"
|
||||
case Denied:
|
||||
return "Denied"
|
||||
case Permitted:
|
||||
|
||||