加maat扫描日志

2019-06-04 15:38:27 +08:00
parent f89c0cf902
commit 55cd850403
5 changed files with 90 additions and 18 deletions
--- a/conf/kni.conf
+++ b/conf/kni.conf
@@ -5,7 +5,8 @@ tfe_count = 1
 local_eth = enp8s0
 [maat]
-readconf_mode = 2
+#readconf_mode: 0 = iris, 1 = json, 2 = redis
 readconf_mode = 1
 tableinfo_path = ./conf/kni/maat_tableinfo.conf
 maatjson_path = ./conf/kni/maat_test.json
 redis_ip = 192.168.10.120
@@ -14,6 +15,8 @@ redis_index = 4
 tablename_intercept_ip = PXY_INTERCEPT_IP
 tablename_intercept_domain = PXY_INTERCEPT_DOMAIN
 compile_alias = COMPILE_ALIAS
 #default_action: 0x80 = bypass, 0x02 = intercept
 default_action = 128
 [marsio]
 appsym = knifw
@@ -38,7 +41,7 @@ stat_path = ./fs2_kni.status
 [send_logger]
 switch = 1
 kafka_topic = SESSION-RECORD-LOG
-kafka_brokerlist = 192.168.10.121:9092,192.168.10.122:9092,192.168.10.123:9092
+kafka_brokerlist = 192.168.10.119:9092,192.168.10.122:9092,192.168.10.123:9092
 [kafka]
 queue.buffering.max.messages = 1000000
--- a/conf/maat/maat_test.json
+++ b/conf/maat/maat_test.json
@@ -33,7 +33,7 @@
        {
            "compile_id": 1,
            "service": 1,
-            "action":2,
+            "action": 2,
            "do_blacklist": 1,
            "do_log": 1,
            "effective_rage": 0,
@@ -48,7 +48,7 @@
                            "table_type": "ip",
                            "table_content": {
                                "addr_type": "ipv4",
-                                "src_ip": "192.168.11.135",
+                                "src_ip": "192.168.50.156",
                                "mask_src_ip": "255.255.255.255",
                                "src_port": "0",
                                "mask_src_port": "65535",
--- a/entry/include/kni_maat.h
+++ b/entry/include/kni_maat.h
@@ -5,6 +5,16 @@
 #define KNI_MAAT_RULE_NUM_MAX           8
 struct kni_maat_handle;
 /* action
 	0x00: none
 	0x01: monitor
 	0x02: intercept
 	0x10: reject
 	0x30: Manipulate
 	0x60: steer
 	0x80: bypass
 */
 enum kni_action{
 	KNI_ACTION_NONE = 0x00,
 	KNI_ACTION_INTERCEPT = 0x02,
@@ -13,5 +23,6 @@ enum kni_action{
 struct kni_maat_handle* kni_maat_init(const char* profile, void *logger);
 void kni_maat_destroy(struct kni_maat_handle *handle);
-int kni_maat_scan_ip(struct kni_maat_handle* handle, struct ipaddr *addr, int thread_seq, int *policy_id);
+int kni_maat_scan_ip(struct kni_maat_handle* handle, struct ipaddr *addr, int thread_seq, int *policy_id, int *maat_hit);
-int kni_maat_scan_domain(struct kni_maat_handle* handle, char *domain, int domain_len, int thread_seq, int *policy_id);
+int kni_maat_scan_domain(struct kni_maat_handle* handle, char *domain, int domain_len, int thread_seq, int *policy_id, int *maat_hit);
 int kni_maat_action_trans(int action, char *action_str);
--- a/entry/src/kni_entry.cpp
+++ b/entry/src/kni_entry.cpp
@@ -66,6 +66,7 @@ struct http_project{
 struct pme_info{
    int protocol;
 	int policy_id;
 	int maat_hit;
 	int action;
 	int service;
 	struct kni_tcpopt_info *client_tcpopt;
@@ -509,14 +510,14 @@ static char pending_opstate(const struct streaminfo *stream, struct pme_info *pm
 	return APP_STATE_FAWPKT | APP_STATE_GIVEME;	
 }
-static int get_action(struct ipaddr *addr, char *domain, int domain_len, int thread_seq, int *policy_id){
+static int get_action(struct ipaddr *addr, char *domain, int domain_len, int thread_seq, int *policy_id, int *maat_hit){
 	//return KNI_ACTION_INTERCEPT;
-	int action = kni_maat_scan_ip(g_kni_handle->maat_handle, addr, thread_seq, policy_id);
+	int ret = kni_maat_scan_ip(g_kni_handle->maat_handle, addr, thread_seq, policy_id, maat_hit);
 	if(action == KNI_ACTION_BYPASS){
 		return action;
 	}
 	if(domain_len != 0){
-		action = kni_maat_scan_domain(g_kni_handle->maat_handle, domain, domain_len, thread_seq, policy_id);
+		action = kni_maat_scan_domain(g_kni_handle->maat_handle, domain, domain_len, thread_seq, policy_id, maat_hit);
 	}
 	return action;
 }
@@ -592,12 +593,15 @@ static char data_opstate(const struct streaminfo *stream, struct pme_info *pmein
 		memcpy(pmeinfo->host, result->domain, result->domain_len);
 		FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_HTTP_STM], 0, FS_OP_ADD, 1);
 	}
-	pmeinfo->action = get_action((struct ipaddr*)(&stream->addr), result->domain, result->domain_len, thread_seq, &(pmeinfo->policy_id));
+	pmeinfo->action = get_action((struct ipaddr*)(&stream->addr), result->domain, result->domain_len, 
 				thread_seq, &(pmeinfo->policy_id), &(pmeinfo->maat_hit));
 	//输出maat拦截日志
 	char domain_str[KNI_DOMAIN_MAX] = "";
 	memcpy(domain_str, result->domain, result->domain_len);
-	KNI_LOG_DEBUG(logger, "get_action: %s, %s, policy_id = %d, action = %s", 
+	char action_str[KNI_SYMBOL_MAX];
-			stream_addr, domain_str, pmeinfo->policy_id, pmeinfo->action == KNI_ACTION_BYPASS ? "bypass" : "intercept");
+	kni_maat_action_trans(pmeinfo->action, action_str);
 	KNI_LOG_DEBUG(logger, "get_action: %s, %s, policy_id = %d, action = %d(%s), maat_hit = %d", 
 			stream_addr, domain_str, pmeinfo->policy_id, pmeinfo->action, action_str, pmeinfo->maat_hit);
 	FREE(&result);
 	//TODO: 这块比较奇怪, 收到client hello, 但是没有syn/ack包, 直接bypass了
 	if(pmeinfo->client_tcpopt == NULL || pmeinfo->server_tcpopt == NULL){
--- a/entry/src/kni_maat.cpp
+++ b/entry/src/kni_maat.cpp
@@ -5,11 +5,11 @@ extern int g_iThreadNum;
 /* 关于没有命中配置情况下的默认配置
-	1. g_maat_default_action = KNI_ACTION_INTERCEPT， policy_id = 0
+	1. g_maat_default_action: 读配置文件, policy_id = 0
 	2. 如果maat的编译配置表中有policy_id = 0的配置，则将 g_maat_default_action设为对应的action, policy_id = 0
 */
-int g_maat_default_action = KNI_ACTION_INTERCEPT;
+int g_maat_default_action;
 struct kni_maat_handle{
 	Maat_feather_t feather;
@@ -89,8 +89,14 @@ struct kni_maat_handle* kni_maat_init(const char* profile, void *logger){
 		KNI_LOG_ERROR(logger, "MESA_prof_load: compile_alias not set, profile is %s, section is %s", profile, section);
 		goto error_out;
 	}
 	ret = MESA_load_profile_int_nodef(profile, section, "default_action", &g_maat_default_action);
 	if(ret < 0){
 		KNI_LOG_ERROR(logger, "MESA_prof_load: default_action not set, profile is %s, section is %s", profile, section);
 		goto error_out;
 	}
 	KNI_LOG_INFO(logger, "MESA_prof_load, [%s]:\n readconf_mode: %d\n tableinfo_path: %s\n tablename_intercept_ip: %s\n tablename_intercept_domain: %s\n"
-				"compile_alias: %s\n", section, readconf_mode, tableinfo_path, tablename_intercept_ip, tablename_intercept_domain, compile_alias);
+		"compile_alias: %s\n default_action: %d", section, readconf_mode, tableinfo_path, tablename_intercept_ip, 
 		tablename_intercept_domain, compile_alias, g_maat_default_action);
 	feather = Maat_feather(g_iThreadNum, tableinfo_path, logger);
 	handle = ALLOC(struct kni_maat_handle, 1);
 	handle->feather = feather;
@@ -171,7 +177,7 @@ error_out:
 static int maat_process_scan_result(struct kni_maat_handle *handle, int num, struct Maat_rule_t *result, int *policy_id){
 	//void *logger = handle->logger;
 	int action = g_maat_default_action;
-	*policy_id = 0;  //默认动作是编译表中policy_id=0的字段，所以默认policy_id=0;
+	*policy_id = 0;      //默认动作是编译表中policy_id=0的字段，所以默认policy_id=0;
 	for(int i = 0; i < num; i++){
 		action = result[i].action;
 		*policy_id = result[i].config_id;
@@ -184,7 +190,7 @@ static int maat_process_scan_result(struct kni_maat_handle *handle, int num, str
 //TODO: Maat_rule_get_ex_new_index   compile_ex_param_new: config_id = 0, 取action即为全局变量, 一旦配置更新就回调, tableinfo怎么写，回调表， 编译配置表 
-int kni_maat_scan_ip(struct kni_maat_handle *handle, struct ipaddr *addr, int thread_seq, int *policy_id){
+int kni_maat_scan_ip(struct kni_maat_handle *handle, struct ipaddr *addr, int thread_seq, int *policy_id, int *maat_hit){
 	//printf("default action is %d\n", g_maat_default_action);
 	void *logger = handle->logger;
 	struct Maat_rule_t result[KNI_MAAT_RULE_NUM_MAX];
@@ -195,6 +201,10 @@ int kni_maat_scan_ip(struct kni_maat_handle *handle, struct ipaddr *addr, int th
 		KNI_LOG_ERROR(logger, "Failed at Maat_scan_proto_addr, ret is %d", ret);
 		return g_maat_default_action;
 	}
 	if(ret == 0){
 		return g_maat_default_action;
 	}
 	*maat_hit = 1;
 	int action = maat_process_scan_result(handle, ret, result, policy_id);
 	/*for debug
@@ -206,7 +216,7 @@ int kni_maat_scan_ip(struct kni_maat_handle *handle, struct ipaddr *addr, int th
 	return action;
 }
-int kni_maat_scan_domain(struct kni_maat_handle* handle, char *domain, int domain_len, int thread_seq, int *policy_id){
+int kni_maat_scan_domain(struct kni_maat_handle* handle, char *domain, int domain_len, int thread_seq, int *policy_id, int *maat_hit){
 	void *logger = handle->logger;
 	struct Maat_rule_t result[KNI_MAAT_RULE_NUM_MAX];
 	//必须要初始化为NULL, 不懂为什么
@@ -217,6 +227,10 @@ int kni_maat_scan_domain(struct kni_maat_handle* handle, char *domain, int domai
 		KNI_LOG_ERROR(logger, "Failed at Maat_full_scan_string, ret is %d", ret);
 		return g_maat_default_action;
 	}
 	if(ret == 0){
 		return g_maat_default_action;
 	}
 	*maat_hit = 1;
 	int action = maat_process_scan_result(handle, ret, result, policy_id);
 	//for debug
@@ -229,3 +243,43 @@ int kni_maat_scan_domain(struct kni_maat_handle* handle, char *domain, int domai
 }
 /* action
 	0x00: none
 	0x01: monitor
 	0x02: intercept
 	0x10: reject
 	0x30: Manipulate
 	0x60: steer
 	0x80: bypass
 */
 int kni_maat_action_trans(int action, char *action_str){
 	switch(action){
 		case 0x00:
 			strcpy(action_str, "none");
 			break;
 		case 0x01:
 			strcpy(action_str, "monitor");
 			break;
 		case 0x02:
 			strcpy(action_str, "intercept");
 			break;
 		case 0x10:
 			strcpy(action_str, "reject");
 			break;
 		case 0x30:
 			strcpy(action_str, "manipulate");
 			break;
 		case 0x60:
 			strcpy(action_str, "steer");
 			break;
 		case 0x80:
 			strcpy(action_str, "bypass");
 			break;
 		default:
 			strcpy(action_str, "unknown");
 			break;
 	}
 	return 0;
 }