Add packet attribute triage function

- Add triage functionality for scoring with attributes of each raw event. - Introduced a new crate attrievent. The kinds of raw events and their attributes change as our software evolves. The purpose of attrievent is to provide a comprehensive list of attributes for both review and the UI simultaneously. - Add the `to_attr_value` to the `Match` trait. - Implement `score_by_attr` under `Match` trait. - Modify the `ValueKind` enum to support different types of input. - Remove the `tor` module file. The structures (`HttpEventFields`, `TorConnection`) and implementations within that module have been moved to `crate::event::http`. - Change the type of fields in the detection event structure for some raw event. - `post_body`: `Vec<u8>` to `String`. - `chaddr`: `Vec<u8>` to `String`. - `class_id`: `Vec<u8>` to `String`. - `client_id`: `Vec<u8>` to `String`. Close: petabi#354
kimhanbeom · Jan 8, 2025 · 61dbbf6 · 61dbbf6
1 parent edc648a
commit 61dbbf6
Show file tree

Hide file tree

Showing 26 changed files with 1,463 additions and 402 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,12 +14,35 @@ Versioning](https://semver.org/spec/v2.0.0.html).
 - Added kind keywords for detailed searching of `RepeatedHttpSessions`,
   `NonBrowser`,`ExternalDdos`, `CryptocurrencyMiningPool`, `BlockListDceRpc`
   detection events.
+- Added triage functionality for scoring with attributes of each raw event.
+  - Introduced a new crate attrievent. The kinds of raw events and their
+    attributes change as our software evolves. The purpose of attrievent is to
+    provide a comprehensive list of attributes for both review and the UI
+    simultaneously.
+  - Added a new enum type `AttrValue`. This type is used to convert the
+    attribute value of each raw event to its corresponding type to perform
+    comparison operations.
+  - Added the `to_attr_value` to the `Match` trait to generate an `AttrValue`
+    from the field in all detection event.
+  - Implemented `score_by_attr` under `Match` trait.
 
 ### Changed
 
 - The APIs taking an ip2location database non longer requires a mutable
   reference to the database. This change improves the ergonomics of the API and
   removes the need for locking the database.
+- Removed the `tor` module file. The structures (`HttpEventFields`,
+  `TorConnection`) and implementations within that module have been moved to
+  `crate::event::http`.
+- Modified the `ValueKind` enum to support different types of input for packet
+  attribute triage.
+- Changed the type of fields in the detection event structure for some raw
+  event. This change allows users to see meaningful values directly without
+  having to do any special conversion for that field.
+  - `post_body` inside structs of `event::http`: `Vec<u8>` to `String`.
+  - `chaddr` inside structs of `event::bootp`: `Vec<u8>` to `String`.
+  - `class_id`, `client_id` inside structs of `event::dhcp`: `Vec<u8>` to
+    `String`.
 
 ## [0.33.1] - 2024-12-20
 

diff --git a/Cargo.toml b/Cargo.toml
@@ -52,6 +52,7 @@ tokio = { version = "1", features = ["macros"] }
 tokio-postgres-rustls = "0.13"
 toml = "0.8.13"
 tracing = "0.1"
+attrievent = { git = "https://github.com/aicers/attrievent.git", tag = "0.1.0" }
 
 [dev-dependencies]
 tempfile = "3"

diff --git a/src/event.rs b/src/event.rs
@@ -20,7 +20,6 @@ mod smtp;
 mod ssh;
 mod sysmon;
 mod tls;
-mod tor;
 
 use std::{
     collections::HashMap,
@@ -56,8 +55,9 @@ pub use self::{
     },
     ftp::{BlockListFtp, FtpBruteForce, FtpBruteForceFields, FtpEventFields, FtpPlainText},
     http::{
-        BlockListHttp, BlockListHttpFields, DgaFields, DomainGenerationAlgorithm, HttpThreat,
-        HttpThreatFields, NonBrowser, RepeatedHttpSessions, RepeatedHttpSessionsFields,
+        BlockListHttp, BlockListHttpFields, DgaFields, DomainGenerationAlgorithm, HttpEventFields,
+        HttpThreat, HttpThreatFields, NonBrowser, RepeatedHttpSessions, RepeatedHttpSessionsFields,
+        TorConnection,
     },
     kerberos::{BlockListKerberos, BlockListKerberosFields},
     ldap::{BlockListLdap, LdapBruteForce, LdapBruteForceFields, LdapEventFields, LdapPlainText},
@@ -72,7 +72,6 @@ pub use self::{
     ssh::{BlockListSsh, BlockListSshFields},
     sysmon::WindowsThreat,
     tls::{BlockListTls, BlockListTlsFields, SuspiciousTlsTraffic},
-    tor::{HttpEventFields, TorConnection},
 };
 use super::{
     types::{Endpoint, HostNetworkGroup},
@@ -3404,7 +3403,7 @@ mod tests {
             message: "message".to_string(),
             renewal_time: 100,
             rebinding_time: 200,
-            class_id: vec![4, 5, 6],
+            class_id: "MSFT 5.0".to_string().into_bytes(),
             client_id_type: 1,
             client_id: vec![7, 8, 9],
             category: EventCategory::InitialAccess,
@@ -3423,7 +3422,7 @@ mod tests {
         let syslog_message = message.to_string();
         assert_eq!(
             &syslog_message,
-            r#"time="1970-01-01T01:01:01+00:00" event_kind="BlockListDhcp" category="InitialAccess" sensor="collector1" src_addr="127.0.0.1" src_port="68" dst_addr="127.0.0.2" dst_port="67" proto="17" last_time="100" msg_type="1" ciaddr="127.0.0.5" yiaddr="127.0.0.6" siaddr="127.0.0.7" giaddr="127.0.0.8" subnet_mask="255.255.255.0" router="127.0.0.1" domain_name_server="127.0.0.1" req_ip_addr="127.0.0.100" lease_time="100" server_id="127.0.0.1" param_req_list="1,2,3" message="message" renewal_time="100" rebinding_time="200" class_id="04:05:06" client_id_type="1" client_id="07:08:09""#,
+            r#"time="1970-01-01T01:01:01+00:00" event_kind="BlockListDhcp" category="InitialAccess" sensor="collector1" src_addr="127.0.0.1" src_port="68" dst_addr="127.0.0.2" dst_port="67" proto="17" last_time="100" msg_type="1" ciaddr="127.0.0.5" yiaddr="127.0.0.6" siaddr="127.0.0.7" giaddr="127.0.0.8" subnet_mask="255.255.255.0" router="127.0.0.1" domain_name_server="127.0.0.1" req_ip_addr="127.0.0.100" lease_time="100" server_id="127.0.0.1" param_req_list="1,2,3" message="message" renewal_time="100" rebinding_time="200" class_id="MSFT 5.0" client_id_type="1" client_id="07:08:09""#,
         );
 
         let block_list_dhcp = Event::BlockList(RecordType::Dhcp(BlockListDhcp::new(
@@ -3434,7 +3433,7 @@ mod tests {
 
         assert_eq!(
             &block_list_dhcp,
-            r#"time="1970-01-01T01:01:01+00:00" event_kind="BlockListDhcp" category="InitialAccess" sensor="collector1" src_addr="127.0.0.1" src_port="68" dst_addr="127.0.0.2" dst_port="67" proto="17" last_time="100" msg_type="1" ciaddr="127.0.0.5" yiaddr="127.0.0.6" siaddr="127.0.0.7" giaddr="127.0.0.8" subnet_mask="255.255.255.0" router="127.0.0.1" domain_name_server="127.0.0.1" req_ip_addr="127.0.0.100" lease_time="100" server_id="127.0.0.1" param_req_list="1,2,3" message="message" renewal_time="100" rebinding_time="200" class_id="04:05:06" client_id_type="1" client_id="07:08:09" triage_scores="""#
+            r#"time="1970-01-01T01:01:01+00:00" event_kind="BlockListDhcp" category="InitialAccess" sensor="collector1" src_addr="127.0.0.1" src_port="68" dst_addr="127.0.0.2" dst_port="67" proto="17" last_time="100" msg_type="1" ciaddr="127.0.0.5" yiaddr="127.0.0.6" siaddr="127.0.0.7" giaddr="127.0.0.8" subnet_mask="255.255.255.0" router="127.0.0.1" domain_name_server="127.0.0.1" req_ip_addr="127.0.0.100" lease_time="100" server_id="127.0.0.1" param_req_list="1,2,3" message="message" renewal_time="100" rebinding_time="200" class_id="MSFT 5.0" client_id_type="1" client_id="07:08:09" triage_scores="""#
         );
     }
 

diff --git a/src/event/bootp.rs b/src/event/bootp.rs
@@ -1,10 +1,39 @@
 use std::{fmt, net::IpAddr, num::NonZeroU8};
 
+use attrievent::attribute::{BootpAttr, RawEventAttrKind};
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 
-use super::{common::Match, EventCategory, TriagePolicy, TriageScore, MEDIUM};
-use crate::event::common::{to_hardware_address, triage_scores_to_string};
+use super::{common::Match, EventCategory, TriageScore, MEDIUM};
+use crate::event::common::{to_hardware_address, triage_scores_to_string, AttrValue};
+
+macro_rules! bootp_target_attr {
+    ($event: expr, $raw_event_attr: expr) => {{
+        if let RawEventAttrKind::Bootp(attr) = $raw_event_attr {
+            let target_value = match attr {
+                BootpAttr::SrcAddr => AttrValue::Addr($event.src_addr),
+                BootpAttr::SrcPort => AttrValue::UInt($event.src_port.into()),
+                BootpAttr::DstAddr => AttrValue::Addr($event.dst_addr),
+                BootpAttr::DstPort => AttrValue::UInt($event.dst_port.into()),
+                BootpAttr::Proto => AttrValue::UInt($event.proto.into()),
+                BootpAttr::Op => AttrValue::UInt($event.op.into()),
+                BootpAttr::Htype => AttrValue::UInt($event.htype.into()),
+                BootpAttr::Hops => AttrValue::UInt($event.hops.into()),
+                BootpAttr::Xid => AttrValue::UInt($event.xid.into()),
+                BootpAttr::CiAddr => AttrValue::Addr($event.ciaddr),
+                BootpAttr::YiAddr => AttrValue::Addr($event.yiaddr),
+                BootpAttr::SiAddr => AttrValue::Addr($event.siaddr),
+                BootpAttr::GiAddr => AttrValue::Addr($event.giaddr),
+                BootpAttr::ChAddr => AttrValue::String(&$event.chaddr),
+                BootpAttr::SName => AttrValue::String(&$event.sname),
+                BootpAttr::File => AttrValue::String(&$event.file),
+            };
+            Some(target_value)
+        } else {
+            None
+        }
+    }};
+}
 
 #[derive(Serialize, Deserialize)]
 pub struct BlockListBootpFields {
@@ -73,7 +102,7 @@ pub struct BlockListBootp {
     pub yiaddr: IpAddr,
     pub siaddr: IpAddr,
     pub giaddr: IpAddr,
-    pub chaddr: Vec<u8>,
+    pub chaddr: String,
     pub sname: String,
     pub file: String,
     pub category: EventCategory,
@@ -99,7 +128,7 @@ impl fmt::Display for BlockListBootp {
             self.yiaddr.to_string(),
             self.siaddr.to_string(),
             self.giaddr.to_string(),
-            to_hardware_address(&self.chaddr),
+            self.chaddr,
             self.sname.to_string(),
             self.file.to_string(),
             triage_scores_to_string(self.triage_scores.as_ref())
@@ -126,7 +155,7 @@ impl BlockListBootp {
             yiaddr: fields.yiaddr,
             siaddr: fields.siaddr,
             giaddr: fields.giaddr,
-            chaddr: fields.chaddr,
+            chaddr: to_hardware_address(&fields.chaddr),
             sname: fields.sname,
             file: fields.file,
             category: fields.category,
@@ -176,7 +205,7 @@ impl Match for BlockListBootp {
         None
     }
 
-    fn score_by_packet_attr(&self, _triage: &TriagePolicy) -> f64 {
-        0.0
+    fn to_attr_value(&self, raw_event_attr: RawEventAttrKind) -> Option<AttrValue> {
+        bootp_target_attr!(self, raw_event_attr)
     }
 }