Merge pull request #465 from step-security/rp/cherry/udp

feat: enhance network monitoring for UDP packets

Author: varunsh-coder

firewall.go

@@ -152,6 +152,13 @@ func addBlockRules(firewall *Firewall, endpoints []ipAddressEndpoint, chain, net
 		return errors.Wrap(err, "failed to add rule")
 	}
 
+	// Log blocked traffic - UDP packets
+	err = ipt.Append(filterTable, chain, direction, netInterface, protocol, "udp", "-j", "NFLOG", "--nflog-group", "100")
+
+	if err != nil {
+		return errors.Wrap(err, "failed to add UDP NFLOG rule")
+	}
+
 	// Block all other traffic
 	err = ipt.Append(filterTable, chain, direction, netInterface, protocol, allProtocols, target, reject)
 

netmon.go

@@ -71,13 +71,19 @@ func (netMonitor *NetworkMonitor) handlePacket(attrs nflog.Attribute) {
 	packet := gopacket.NewPacket(data, layers.LayerTypeIPv4, gopacket.Default)
 	port := ""
 	isSYN := false
+	isUDP := false
 	// Get the TCP layer from this packet
 	if tcpLayer := packet.Layer(layers.LayerTypeTCP); tcpLayer != nil {
 		// Get actual TCP data from this layer
 		tcp, _ := tcpLayer.(*layers.TCP)
 		port = tcp.DstPort.String()
 		isSYN = tcp.SYN
 
+	} else if udpLayer := packet.Layer(layers.LayerTypeUDP); udpLayer != nil {
+		// Get actual UDP data from this layer
+		udp, _ := udpLayer.(*layers.UDP)
+		port = udp.DstPort.String()
+		isUDP = true
 	}
 
 	// Get the IP layer from this packet
@@ -90,7 +96,7 @@ func (netMonitor *NetworkMonitor) handlePacket(attrs nflog.Attribute) {
 		if !found {
 			ipAddresses[ipv4Address] = 1
 
-			if isSYN {
+			if isSYN || isUDP {
 				if netMonitor.Status == "Dropped" {
 
 					netMonitor.ApiClient.sendNetConnection(netMonitor.CorrelationId, netMonitor.Repo,

procmon_linux.go

@@ -107,7 +107,19 @@ func (p *ProcessMonitor) MonitorProcesses(errc chan error) {
 		errc <- errors.Wrap(err, "failed to add audit rule for syscall connect")
 	}
 
-	WriteLog("Net monitor added")
+	WriteLog("Net monitor added for TCP (connect)")
+
+	// syscall sendto (for UDP)
+	r, _ = flags.Parse(fmt.Sprintf("-a exit,always -S sendto -S sendmsg -k %s", netMonitorTag))
+
+	actualBytes, _ = rule.Build(r)
+
+	if err = client.AddRule(actualBytes); err != nil {
+		WriteLog(fmt.Sprintf("failed to add audit rule for sendto %v", err))
+		errc <- errors.Wrap(err, "failed to add audit rule for syscall sendto")
+	}
+
+	WriteLog("Net monitor added for UDP (sendto & sendmsg)")
 
 	// syscall process start
 	r, _ = flags.Parse(fmt.Sprintf("-a exit,always -S execve -k %s", processMonitorTag))