|
|
|
package procsnitch
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/binary"
|
|
|
|
"encoding/hex"
|
|
|
|
"errors"
|
|
|
|
"fmt"
|
|
|
|
"github.com/op/go-logging"
|
|
|
|
"io/ioutil"
|
|
|
|
"net"
|
|
|
|
"strconv"
|
|
|
|
"strings"
|
|
|
|
"unsafe"
|
|
|
|
// "github.com/godbus/dbus"
|
|
|
|
)
|
|
|
|
|
|
|
|
var log = logging.MustGetLogger("go-procsockets")
|
|
|
|
var isLittleEndian = -1
|
|
|
|
|
|
|
|
// SetLogger allows setting a custom go-logging instance
|
|
|
|
func SetLogger(logger *logging.Logger) {
|
|
|
|
log = logger
|
|
|
|
}
|
|
|
|
|
|
|
|
var pcache = &pidCache{}
|
|
|
|
|
|
|
|
// ProcInfo represents an api that can be used to query process information about
|
|
|
|
// the far side of a network connection
|
|
|
|
// Note: this can aid in the construction of unit tests.
|
|
|
|
type ProcInfo interface {
|
|
|
|
LookupTCPSocketProcess(srcPort uint16, dstAddr net.IP, dstPort uint16) *Info
|
|
|
|
LookupTCPSocketProcessAll(srcAddr net.IP, srcPort uint16, dstAddr net.IP, dstPort uint16, custdata []string) *Info
|
|
|
|
LookupUNIXSocketProcess(socketFile string) *Info
|
|
|
|
LookupUDPSocketProcess(srcPort uint16) *Info
|
|
|
|
}
|
|
|
|
|
|
|
|
// SystemProcInfo represents our real system ProcInfo api.
|
|
|
|
type SystemProcInfo struct {
|
|
|
|
}
|
|
|
|
|
|
|
|
// LookupTCPSocketProcess returns the process information for a given TCP connection.
|
|
|
|
func (r SystemProcInfo) LookupTCPSocketProcess(srcPort uint16, dstAddr net.IP, dstPort uint16) *Info {
|
|
|
|
return LookupTCPSocketProcess(srcPort, dstAddr, dstPort)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r SystemProcInfo) LookupTCPSocketProcessAll(srcAddr net.IP, srcPort uint16, dstAddr net.IP, dstPort uint16, custdata []string) *Info {
|
|
|
|
return LookupTCPSocketProcessAll(srcAddr, srcPort, dstAddr, dstPort, custdata)
|
|
|
|
}
|
|
|
|
|
|
|
|
// LookupUNIXSocketProcess returns the process information for a given UNIX socket connection.
|
|
|
|
func (r SystemProcInfo) LookupUNIXSocketProcess(socketFile string) *Info {
|
|
|
|
return LookupUNIXSocketProcess(socketFile)
|
|
|
|
}
|
|
|
|
|
|
|
|
// LookupUDPSocketProcess returns the process information for a given UDP socket connection.
|
|
|
|
func (r SystemProcInfo) LookupUDPSocketProcess(srcPort uint16) *Info {
|
|
|
|
return LookupUDPSocketProcess(srcPort)
|
|
|
|
}
|
|
|
|
|
|
|
|
// FindProcessForConnection returns the process information for a given connection.
|
|
|
|
// So far only TCP and UNIX domain socket connections are supported.
|
|
|
|
func FindProcessForConnection(conn net.Conn, procInfo ProcInfo) *Info {
|
|
|
|
var info *Info
|
|
|
|
if conn.LocalAddr().Network() == "tcp" {
|
|
|
|
fields := strings.Split(conn.RemoteAddr().String(), ":")
|
|
|
|
dstPortStr := fields[1]
|
|
|
|
srcIP := net.ParseIP(fields[0]);
|
|
|
|
fields = strings.Split(conn.LocalAddr().String(), ":")
|
|
|
|
dstIP := net.ParseIP(fields[0])
|
|
|
|
srcP, _ := strconv.ParseUint(dstPortStr, 10, 16)
|
|
|
|
dstP, _ := strconv.ParseUint(fields[1], 10, 16)
|
|
|
|
info = procInfo.LookupTCPSocketProcessAll(srcIP, uint16(srcP), dstIP, uint16(dstP), nil)
|
|
|
|
} else if conn.LocalAddr().Network() == "unix" {
|
|
|
|
info = procInfo.LookupUNIXSocketProcess(conn.LocalAddr().String())
|
|
|
|
}
|
|
|
|
return info
|
|
|
|
}
|
|
|
|
|
|
|
|
// LookupICMPSocketProcessAll searches for a ICMP socket a given source host, destination IP, and type
|
|
|
|
func LookupICMPSocketProcessAll(srcAddr net.IP, dstAddr net.IP, code int, custdata []string) *Info {
|
|
|
|
ss := findICMPSocketAll(srcAddr, dstAddr, code, custdata)
|
|
|
|
if ss == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return pcache.lookup(ss.inode)
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// LookupUDPSocketProcessAll searches for a UDP socket a given source port, destination IP, and destination port - AND source destination
|
|
|
|
func LookupUDPSocketProcessAll(srcAddr net.IP, srcPort uint16, dstAddr net.IP, dstPort uint16, custdata []string, strictness int) *Info {
|
|
|
|
ss := findUDPSocketAll(srcAddr, srcPort, dstAddr, dstPort, custdata, strictness)
|
|
|
|
if ss == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return pcache.lookup(ss.inode)
|
|
|
|
}
|
|
|
|
|
|
|
|
// LookupUDPSocketProcess searches for a UDP socket with a source port
|
|
|
|
func LookupUDPSocketProcess(srcPort uint16) *Info {
|
|
|
|
ss := findUDPSocket(srcPort)
|
|
|
|
if ss == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return pcache.lookup(ss.inode)
|
|
|
|
}
|
|
|
|
|
|
|
|
// LookupTCPSocketProcessAll searches for a TCP socket a given source port, destination IP, and destination port - AND source destination
|
|
|
|
func LookupTCPSocketProcessAll(srcAddr net.IP, srcPort uint16, dstAddr net.IP, dstPort uint16, custdata []string) *Info {
|
|
|
|
ss := findTCPSocketAll(srcAddr, srcPort, dstAddr, dstPort, custdata)
|
|
|
|
if ss == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return pcache.lookup(ss.inode)
|
|
|
|
}
|
|
|
|
|
|
|
|
// LookupTCPSocketProcess searches for a TCP socket with a given source port, destination IP, and destination port
|
|
|
|
func LookupTCPSocketProcess(srcPort uint16, dstAddr net.IP, dstPort uint16) *Info {
|
|
|
|
ss := findTCPSocket(srcPort, dstAddr, dstPort)
|
|
|
|
if ss == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return pcache.lookup(ss.inode)
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func L2(srcPort uint16, dstAddr net.IP, dstPort uint16, custdata []string) *Info {
|
|
|
|
ss := f2(srcPort, dstAddr, dstPort, custdata)
|
|
|
|
if ss == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return pcache.lookup(ss.inode)
|
|
|
|
}
|
|
|
|
|
|
|
|
// LookupUNIXSocketProcess searches for a UNIX domain socket with a given filename
|
|
|
|
func LookupUNIXSocketProcess(socketFile string) *Info {
|
|
|
|
ss := findUNIXSocket(socketFile)
|
|
|
|
if ss == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return pcache.lookup(ss.inode)
|
|
|
|
}
|
|
|
|
|
|
|
|
type connectionInfo struct {
|
|
|
|
pinfo *Info
|
|
|
|
local *socketAddr
|
|
|
|
remote *socketAddr
|
|
|
|
}
|
|
|
|
|
|
|
|
func (ci *connectionInfo) String() string {
|
|
|
|
return fmt.Sprintf("%v %s %s", ci.pinfo, ci.local, ci.remote)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (sa *socketAddr) parse(s string) error {
|
|
|
|
ipPort := strings.Split(s, ":")
|
|
|
|
if len(ipPort) != 2 {
|
|
|
|
return fmt.Errorf("badly formatted socket address field: %s", s)
|
|
|
|
}
|
|
|
|
ip, err := ParseIP(ipPort[0])
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("error parsing ip field [%s]: %v", ipPort[0], err)
|
|
|
|
}
|
|
|
|
port, err := ParsePort(ipPort[1])
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("error parsing port field [%s]: %v", ipPort[1], err)
|
|
|
|
}
|
|
|
|
sa.ip = ip
|
|
|
|
sa.port = port
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// ParseIP parses a string ip to a net.IP
|
|
|
|
func ParseIP(ip string) (net.IP, error) {
|
|
|
|
var result net.IP
|
|
|
|
dst, err := hex.DecodeString(ip)
|
|
|
|
if err != nil {
|
|
|
|
return result, fmt.Errorf("Error parsing IP: %s", err)
|
|
|
|
}
|
|
|
|
// Reverse byte order -- /proc/net/tcp etc. is little-endian
|
|
|
|
// TODO: Does this vary by architecture?
|
|
|
|
if isLittleEndian == -1 {
|
|
|
|
setEndian()
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(dst) != 4 && len(dst) != 16 {
|
|
|
|
return result, errors.New("Unsupported address type (not IPv4 or IPv16)")
|
|
|
|
}
|
|
|
|
|
|
|
|
if isLittleEndian > 0 {
|
|
|
|
for i := 0; i < len(dst)/4; i++ {
|
|
|
|
start, end := i*4, (i+1)*4
|
|
|
|
word := dst[start:end]
|
|
|
|
lval := binary.LittleEndian.Uint32(word)
|
|
|
|
binary.BigEndian.PutUint32(dst[start:], lval)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* if len(dst) == 16 {
|
|
|
|
dst2 := []byte{dst[3], dst[2], dst[1], dst[0], dst[7], dst[6], dst[5], dst[4], dst[11], dst[10], dst[9], dst[8], dst[15], dst[14], dst[13], dst[12]}
|
|
|
|
return net.IP(dst2), nil
|
|
|
|
}
|
|
|
|
for i, j := 0, len(dst)-1; i < j; i, j = i+1, j-1 {
|
|
|
|
dst[i], dst[j] = dst[j], dst[i]
|
|
|
|
} */
|
|
|
|
|
|
|
|
return net.IP(dst), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// ParsePort parses a base16 port represented as a string to a uint16
|
|
|
|
func ParsePort(port string) (uint16, error) {
|
|
|
|
p64, err := strconv.ParseInt(port, 16, 32)
|
|
|
|
if err != nil {
|
|
|
|
return 0, fmt.Errorf("Error parsing port: %s", err)
|
|
|
|
}
|
|
|
|
return uint16(p64), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func getConnections() ([]*connectionInfo, error) {
|
|
|
|
conns, err := readConntrack()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
resolveProcinfo(conns)
|
|
|
|
return conns, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func resolveProcinfo(conns []*connectionInfo) {
|
|
|
|
var sockets []*socketStatus
|
|
|
|
//conn, _ := dbus.SystemBus()
|
|
|
|
|
|
|
|
/* m := make(map[string]string)
|
|
|
|
|
|
|
|
for _, ci := range conns {
|
|
|
|
if _, ok := m[ci.local.ip.String()]; !ok {
|
|
|
|
var leaderpid string
|
|
|
|
obj := conn.Object("com.subgraph.realms", "/")
|
|
|
|
call := obj.Call("com.subgraph.realms.Manager.LeaderPidFromIP", 0, ci.local.ip.String()).Store(&leaderpid);
|
|
|
|
m[ci.local.ip.String()] = leaderpid;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
for ip, pid := range m {
|
|
|
|
if pid != "" {
|
|
|
|
for _, line := range getSocketLinesPid("tcp", pid) {
|
|
|
|
if len(strings.TrimSpace(line)) == 0 {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
ss := new(socketStatus)
|
|
|
|
if err := ss.parseLine(line); err != nil {
|
|
|
|
log.Warningf("Unable to parse line [%s]: %v", line, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
for _, line := range getSocketLines("tcp") {
|
|
|
|
if len(strings.TrimSpace(line)) == 0 {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
ss := new (socketStatus)
|
|
|
|
if err := ss.parseLine(line); err != nil {
|
|
|
|
log.Warningf("Unable to parse line [%s]: %v", line, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/*
|
|
|
|
for _, line := range getSocketLines("tcp") {
|
|
|
|
if len(strings.TrimSpace(line)) == 0 {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
ss := new(socketStatus)
|
|
|
|
if err := ss.parseLine(line); err != nil {
|
|
|
|
log.Warningf("Unable to parse line [%s]: %v", line, err)
|
|
|
|
} /* else {
|
|
|
|
/*
|
|
|
|
pid := findPidForInode(ss.inode)
|
|
|
|
if pid > 0 {
|
|
|
|
ss.pid = pid
|
|
|
|
fmt.Println("Socket", ss)
|
|
|
|
sockets = append(sockets, ss)
|
|
|
|
}
|
|
|
|
|
|
|
|
}*/
|
|
|
|
// }
|
|
|
|
for _, ci := range conns {
|
|
|
|
ss := findContrackSocket(ci, sockets)
|
|
|
|
if ss == nil {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
pinfo := pcache.lookup(ss.inode)
|
|
|
|
if pinfo != nil {
|
|
|
|
ci.pinfo = pinfo
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func findContrackSocket(ci *connectionInfo, sockets []*socketStatus) *socketStatus {
|
|
|
|
for _, ss := range sockets {
|
|
|
|
if ss.local.port == ci.local.port && ss.remote.ip.Equal(ci.remote.ip) && ss.remote.port == ci.remote.port {
|
|
|
|
return ss
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func readConntrack() ([]*connectionInfo, error) {
|
|
|
|
path := fmt.Sprintf("/proc/net/ip_conntrack")
|
|
|
|
data, err := ioutil.ReadFile(path)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
var result []*connectionInfo
|
|
|
|
lines := strings.Split(string(data), "\n")
|
|
|
|
for _, line := range lines {
|
|
|
|
ci, err := parseConntrackLine(line)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if ci != nil {
|
|
|
|
result = append(result, ci)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return result, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func parseConntrackLine(line string) (*connectionInfo, error) {
|
|
|
|
parts := strings.Fields(line)
|
|
|
|
if len(parts) < 8 || parts[0] != "tcp" || parts[3] != "ESTABLISHED" {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
local, err := conntrackAddr(parts[4], parts[6])
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
remote, err := conntrackAddr(parts[5], parts[7])
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return &connectionInfo{
|
|
|
|
local: local,
|
|
|
|
remote: remote,
|
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func conntrackAddr(ipStr, portStr string) (*socketAddr, error) {
|
|
|
|
ip := net.ParseIP(stripLabel(ipStr))
|
|
|
|
if ip == nil {
|
|
|
|
return nil, errors.New("Could not parse IP: " + ipStr)
|
|
|
|
}
|
|
|
|
i64, err := strconv.Atoi(stripLabel(portStr))
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return &socketAddr{
|
|
|
|
ip: ip,
|
|
|
|
port: uint16(i64),
|
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func stripLabel(s string) string {
|
|
|
|
idx := strings.Index(s, "=")
|
|
|
|
if idx == -1 {
|
|
|
|
return s
|
|
|
|
}
|
|
|
|
return s[idx+1:]
|
|
|
|
}
|
|
|
|
|
|
|
|
// stolen from github.com/virtao/GoEndian
|
|
|
|
const INT_SIZE int = int(unsafe.Sizeof(0))
|
|
|
|
|
|
|
|
func setEndian() {
|
|
|
|
var i int = 0x1
|
|
|
|
bs := (*[INT_SIZE]byte)(unsafe.Pointer(&i))
|
|
|
|
if bs[0] == 0 {
|
|
|
|
isLittleEndian = 0
|
|
|
|
} else {
|
|
|
|
isLittleEndian = 1
|
|
|
|
}
|
|
|
|
}
|