Feature/adjust qname aggregation (#242)

leoparente · web-flow · commit c1e78fff393d · 2022-04-01T12:51:47.000-04:00
* Threat static sufix on DNS Qnames

* compare without casting

* add only_qname_suffix validation on unit tests

* replace string_view with size_t for suffix

* Fix aggregation tests
diff --git a/src/handlers/dns/DnsStreamHandler.cpp b/src/handlers/dns/DnsStreamHandler.cpp
@@ -163,7 +163,8 @@ void DnsStreamHandler::process_udp_packet_cb(pcpp::Packet &payload, PacketDirect
     if (metric_port) {
         DnsLayer dnsLayer(udpLayer, &payload);
         if (!_filtering(dnsLayer, dir, l3, pcpp::UDP, metric_port, stamp)) {
-            _metrics->process_dns_layer(dnsLayer, dir, l3, pcpp::UDP, flowkey, metric_port, stamp);
+            _metrics->process_dns_layer(dnsLayer, dir, l3, pcpp::UDP, flowkey, metric_port, _static_suffix_size, stamp);
+            _static_suffix_size = 0;
             // signal for chained stream handlers, if we have any
             udp_signal(payload, dir, l3, flowkey, stamp);
         }
@@ -243,7 +244,8 @@ void DnsStreamHandler::tcp_message_ready_cb(int8_t side, const pcpp::TcpStreamDa
         pcpp::Packet dummy_packet;
         DnsLayer dnsLayer(data.get(), size, nullptr, &dummy_packet);
         if (!_filtering(dnsLayer, dir, l3Type, pcpp::UDP, port, stamp)) {
-            _metrics->process_dns_layer(dnsLayer, dir, l3Type, pcpp::TCP, flowKey, port, stamp);
+            _metrics->process_dns_layer(dnsLayer, dir, l3Type, pcpp::TCP, flowKey, port, _static_suffix_size, stamp);
+            _static_suffix_size = 0;
         }
         // data is freed upon return
     };
@@ -319,9 +321,10 @@ bool DnsStreamHandler::_filtering(DnsLayer &payload, [[maybe_unused]] PacketDire
         std::string qname_ci{payload.getFirstQuery()->getName()};
         std::transform(qname_ci.begin(), qname_ci.end(), qname_ci.begin(),
             [](unsigned char c) { return std::tolower(c); });
-        for (auto fqn : _f_qnames) {
+        for (const auto &fqn : _f_qnames) {
             // if it matched, we know we are not filtering
             if (endsWith(qname_ci, fqn)) {
+                _static_suffix_size = fqn.size();
                 goto will_not_filter;
             }
         }
@@ -532,7 +535,7 @@ void DnsMetricsBucket::process_dnstap(bool deep, const dnstap::Dnstap &payload)
         process_dns_layer(deep, dpayload, l3, l4, port);
     }
 }
-void DnsMetricsBucket::process_dns_layer(bool deep, DnsLayer &payload, pcpp::ProtocolType l3, Protocol l4, uint16_t port)
+void DnsMetricsBucket::process_dns_layer(bool deep, DnsLayer &payload, pcpp::ProtocolType l3, Protocol l4, uint16_t port, size_t suffix_size)
 {
     std::unique_lock lock(_mutex);
 
@@ -626,7 +629,7 @@ void DnsMetricsBucket::process_dns_layer(bool deep, DnsLayer &payload, pcpp::Pro
                 }
             }
 
-            auto aggDomain = aggregateDomain(name);
+            auto aggDomain = aggregateDomain(name, suffix_size);
             _dns_topQname2.update(std::string(aggDomain.first));
             if (aggDomain.second.size()) {
                 _dns_topQname3.update(std::string(aggDomain.second));
@@ -788,12 +791,12 @@ void DnsMetricsBucket::process_filtered()
 }
 
 // the general metrics manager entry point (both UDP and TCP)
-void DnsMetricsManager::process_dns_layer(DnsLayer &payload, PacketDirection dir, pcpp::ProtocolType l3, pcpp::ProtocolType l4, uint32_t flowkey, uint16_t port, timespec stamp)
+void DnsMetricsManager::process_dns_layer(DnsLayer &payload, PacketDirection dir, pcpp::ProtocolType l3, pcpp::ProtocolType l4, uint32_t flowkey, uint16_t port, size_t suffix_size, timespec stamp)
 {
     // base event
     new_event(stamp);
     // process in the "live" bucket. this will parse the resources if we are deep sampling
-    live_bucket()->process_dns_layer(_deep_sampling_now, payload, l3, static_cast<Protocol>(l4), port);
+    live_bucket()->process_dns_layer(_deep_sampling_now, payload, l3, static_cast<Protocol>(l4), port, suffix_size);
 
     if (group_enabled(group::DnsMetrics::DnsTransactions)) {
         // handle dns transactions (query/response pairs)
diff --git a/src/handlers/dns/DnsStreamHandler.h b/src/handlers/dns/DnsStreamHandler.h
@@ -158,7 +158,7 @@ class DnsMetricsBucket final : public visor::AbstractMetricsBucket
     void to_prometheus(std::stringstream &out, Metric::LabelMap add_labels = {}) const override;
 
     void process_filtered();
-    void process_dns_layer(bool deep, DnsLayer &payload, pcpp::ProtocolType l3, Protocol l4, uint16_t port);
+    void process_dns_layer(bool deep, DnsLayer &payload, pcpp::ProtocolType l3, Protocol l4, uint16_t port, size_t suffix_size = 0);
     void process_dns_layer(pcpp::ProtocolType l3, Protocol l4, QR side, uint16_t port);
     void process_dnstap(bool deep, const dnstap::Dnstap &payload);
 
@@ -200,7 +200,7 @@ class DnsMetricsManager final : public visor::AbstractMetricsManager<DnsMetricsB
     }
 
     void process_filtered(timespec stamp);
-    void process_dns_layer(DnsLayer &payload, PacketDirection dir, pcpp::ProtocolType l3, pcpp::ProtocolType l4, uint32_t flowkey, uint16_t port, timespec stamp);
+    void process_dns_layer(DnsLayer &payload, PacketDirection dir, pcpp::ProtocolType l3, pcpp::ProtocolType l4, uint32_t flowkey, uint16_t port, size_t suffix_size, timespec stamp);
     void process_dnstap(const dnstap::Dnstap &payload, bool filtered);
 };
 
@@ -287,6 +287,7 @@ class DnsStreamHandler final : public visor::StreamMetricsHandler<DnsMetricsMana
     std::bitset<Filters::FiltersMAX> _f_enabled;
     uint16_t _f_rcode{0};
     std::vector<std::string> _f_qnames;
+    size_t _static_suffix_size{0};
     std::bitset<DNSTAP_TYPE_SIZE> _f_dnstap_types;
 
     static const inline StreamMetricsHandler::GroupDefType _group_defs = {
diff --git a/src/handlers/dns/dns.cpp b/src/handlers/dns/dns.cpp
@@ -6,7 +6,7 @@
 
 namespace visor::handler::dns {
 
-AggDomainResult aggregateDomain(const std::string &domain)
+AggDomainResult aggregateDomain(const std::string &domain, size_t suffix_size)
 {
 
     std::string_view qname2(domain);
@@ -18,7 +18,9 @@ AggDomainResult aggregateDomain(const std::string &domain)
         return AggDomainResult(qname2, qname3);
     }
     std::size_t endDot = std::string::npos;
-    if (domain.back() == '.') {
+    if (suffix_size > 0 && domain.size() > suffix_size) {
+        endDot = domain.size() - suffix_size;
+    } else if (domain.back() == '.') {
         endDot = domain.size() - 2;
     }
     auto first_dot = domain.rfind('.', endDot);
diff --git a/src/handlers/dns/dns.h b/src/handlers/dns/dns.h
@@ -13,7 +13,7 @@
 namespace visor::handler::dns {
 
 typedef std::pair<std::string_view, std::string_view> AggDomainResult;
-AggDomainResult aggregateDomain(const std::string &domain);
+AggDomainResult aggregateDomain(const std::string &domain, size_t suffix_size = 0);
 
 enum QR {
     query = 0,
diff --git a/src/handlers/dns/tests/test_dns.cpp b/src/handlers/dns/tests/test_dns.cpp
@@ -72,4 +72,47 @@ TEST_CASE("DNS Utilities", "[dns]")
         CHECK(result.first == ".b.c");
         CHECK(result.second == "");
     }
+
+    SECTION("aggregateDomain with static suffix")
+    {
+        AggDomainResult result;
+        std::string domain;
+        std::string static_suffix;
+
+        domain = "biz.foo.bar.com";
+        static_suffix = ".bar.com";
+        result = aggregateDomain(domain, static_suffix.size());
+        CHECK(result.first == ".foo.bar.com");
+        CHECK(result.second == "biz.foo.bar.com");
+
+        domain = "biz.foo.bar.com";
+        static_suffix = "bar.com";
+        result = aggregateDomain(domain, static_suffix.size());
+        CHECK(result.first == ".foo.bar.com");
+        CHECK(result.second == "biz.foo.bar.com");
+
+        domain = "biz.foo.bar.com";
+        static_suffix = "foo.bar.com";
+        result = aggregateDomain(domain, static_suffix.size());
+        CHECK(result.first == "biz.foo.bar.com");
+        CHECK(result.second == "");
+
+        domain = "foo.bar.com.";
+        static_suffix = "biz.foo.bar.com";
+        result = aggregateDomain(domain, static_suffix.size());
+        CHECK(result.first == ".bar.com.");
+        CHECK(result.second == "foo.bar.com.");
+
+        domain = "www.google.co.uk";
+        static_suffix = ".co.uk";
+        result = aggregateDomain(domain, static_suffix.size());
+        CHECK(result.first == ".google.co.uk");
+        CHECK(result.second == "www.google.co.uk");
+
+        domain = "www.google.co.uk";
+        static_suffix = "google.co.uk";
+        result = aggregateDomain(domain, static_suffix.size());
+        CHECK(result.first == "www.google.co.uk");
+        CHECK(result.second == "");
+    }
 }
diff --git a/src/handlers/dns/tests/test_dns_layer.cpp b/src/handlers/dns/tests/test_dns_layer.cpp
@@ -374,6 +374,12 @@ TEST_CASE("DNS Filters: only_qname_suffix", "[pcap][dns]")
     CHECK(counters.REFUSED.value() == 0);
     CHECK(counters.NX.value() == 1);
     CHECK(counters.filtered.value() == 14);
+
+    nlohmann::json j;
+    dns_handler.metrics()->bucket(0)->to_json(j);
+
+    CHECK(j["top_qname2"][0]["name"].get<std::string>().find("google.com") != std::string::npos);
+    CHECK(j["top_qname3"][0]["name"] == nullptr);
 }
 
 TEST_CASE("DNS groups", "[pcap][dns]")

Original file line number	Diff line number	Diff line change
`@@ -163,7 +163,8 @@ void DnsStreamHandler::process_udp_packet_cb(pcpp::Packet &payload, PacketDirect`
`163`	`163`	`if (metric_port) {`
`164`	`164`	`DnsLayer dnsLayer(udpLayer, &payload);`
`165`	`165`	`if (!_filtering(dnsLayer, dir, l3, pcpp::UDP, metric_port, stamp)) {`
`166`		`- _metrics->process_dns_layer(dnsLayer, dir, l3, pcpp::UDP, flowkey, metric_port, stamp);`
	`166`	`+ _metrics->process_dns_layer(dnsLayer, dir, l3, pcpp::UDP, flowkey, metric_port, _static_suffix_size, stamp);`
	`167`	`+ _static_suffix_size = 0;`
`167`	`168`	`// signal for chained stream handlers, if we have any`
`168`	`169`	`udp_signal(payload, dir, l3, flowkey, stamp);`
`169`	`170`	`}`
`@@ -243,7 +244,8 @@ void DnsStreamHandler::tcp_message_ready_cb(int8_t side, const pcpp::TcpStreamDa`
`243`	`244`	`pcpp::Packet dummy_packet;`
`244`	`245`	`DnsLayer dnsLayer(data.get(), size, nullptr, &dummy_packet);`
`245`	`246`	`if (!_filtering(dnsLayer, dir, l3Type, pcpp::UDP, port, stamp)) {`
`246`		`- _metrics->process_dns_layer(dnsLayer, dir, l3Type, pcpp::TCP, flowKey, port, stamp);`
	`247`	`+ _metrics->process_dns_layer(dnsLayer, dir, l3Type, pcpp::TCP, flowKey, port, _static_suffix_size, stamp);`
	`248`	`+ _static_suffix_size = 0;`
`247`	`249`	`}`
`248`	`250`	`// data is freed upon return`
`249`	`251`	`};`
`@@ -319,9 +321,10 @@ bool DnsStreamHandler::_filtering(DnsLayer &payload, [[maybe_unused]] PacketDire`
`319`	`321`	`std::string qname_ci{payload.getFirstQuery()->getName()};`
`320`	`322`	`std::transform(qname_ci.begin(), qname_ci.end(), qname_ci.begin(),`
`321`	`323`	`[](unsigned char c) { return std::tolower(c); });`
`322`		`- for (auto fqn : _f_qnames) {`
	`324`	`+ for (const auto &fqn : _f_qnames) {`
`323`	`325`	`// if it matched, we know we are not filtering`
`324`	`326`	`if (endsWith(qname_ci, fqn)) {`
	`327`	`+ _static_suffix_size = fqn.size();`
`325`	`328`	`goto will_not_filter;`
`326`	`329`	`}`
`327`	`330`	`}`
`@@ -532,7 +535,7 @@ void DnsMetricsBucket::process_dnstap(bool deep, const dnstap::Dnstap &payload)`
`532`	`535`	`process_dns_layer(deep, dpayload, l3, l4, port);`
`533`	`536`	`}`
`534`	`537`	`}`
`535`		`-void DnsMetricsBucket::process_dns_layer(bool deep, DnsLayer &payload, pcpp::ProtocolType l3, Protocol l4, uint16_t port)`
	`538`	`+void DnsMetricsBucket::process_dns_layer(bool deep, DnsLayer &payload, pcpp::ProtocolType l3, Protocol l4, uint16_t port, size_t suffix_size)`
`536`	`539`	`{`
`537`	`540`	`std::unique_lock lock(_mutex);`
`538`	`541`
`@@ -626,7 +629,7 @@ void DnsMetricsBucket::process_dns_layer(bool deep, DnsLayer &payload, pcpp::Pro`
`626`	`629`	`}`
`627`	`630`	`}`
`628`	`631`
`629`		`- auto aggDomain = aggregateDomain(name);`
	`632`	`+ auto aggDomain = aggregateDomain(name, suffix_size);`
`630`	`633`	`_dns_topQname2.update(std::string(aggDomain.first));`
`631`	`634`	`if (aggDomain.second.size()) {`
`632`	`635`	`_dns_topQname3.update(std::string(aggDomain.second));`
`@@ -788,12 +791,12 @@ void DnsMetricsBucket::process_filtered()`
`788`	`791`	`}`
`789`	`792`
`790`	`793`	`// the general metrics manager entry point (both UDP and TCP)`
`791`		`-void DnsMetricsManager::process_dns_layer(DnsLayer &payload, PacketDirection dir, pcpp::ProtocolType l3, pcpp::ProtocolType l4, uint32_t flowkey, uint16_t port, timespec stamp)`
	`794`	`+void DnsMetricsManager::process_dns_layer(DnsLayer &payload, PacketDirection dir, pcpp::ProtocolType l3, pcpp::ProtocolType l4, uint32_t flowkey, uint16_t port, size_t suffix_size, timespec stamp)`
`792`	`795`	`{`
`793`	`796`	`// base event`
`794`	`797`	`new_event(stamp);`
`795`	`798`	`// process in the "live" bucket. this will parse the resources if we are deep sampling`
`796`		`- live_bucket()->process_dns_layer(_deep_sampling_now, payload, l3, static_cast<Protocol>(l4), port);`
	`799`	`+ live_bucket()->process_dns_layer(_deep_sampling_now, payload, l3, static_cast<Protocol>(l4), port, suffix_size);`
`797`	`800`
`798`	`801`	`if (group_enabled(group::DnsMetrics::DnsTransactions)) {`
`799`	`802`	`// handle dns transactions (query/response pairs)`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@`
`6`	`6`
`7`	`7`	`namespace visor::handler::dns {`
`8`	`8`
`9`		`-AggDomainResult aggregateDomain(const std::string &domain)`
	`9`	`+AggDomainResult aggregateDomain(const std::string &domain, size_t suffix_size)`
`10`	`10`	`{`
`11`	`11`
`12`	`12`	`std::string_view qname2(domain);`
`@@ -18,7 +18,9 @@ AggDomainResult aggregateDomain(const std::string &domain)`
`18`	`18`	`return AggDomainResult(qname2, qname3);`
`19`	`19`	`}`
`20`	`20`	`std::size_t endDot = std::string::npos;`
`21`		`- if (domain.back() == '.') {`
	`21`	`+ if (suffix_size > 0 && domain.size() > suffix_size) {`
	`22`	`+ endDot = domain.size() - suffix_size;`
	`23`	`+ } else if (domain.back() == '.') {`
`22`	`24`	`endDot = domain.size() - 2;`
`23`	`25`	`}`
`24`	`26`	`auto first_dot = domain.rfind('.', endDot);`