Merge pull request #358 from kubescape/feature/dns

Adding a map to prevent duplicate dns events
kubescape · Sep 2, 2024 · 1fc3466 · 1fc3466
2 parents 07caefc + 899b122
commit 1fc3466
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 1 deletion.
diff --git a/pkg/ruleengine/v1/r0005_unexpected_domain_request.go b/pkg/ruleengine/v1/r0005_unexpected_domain_request.go
@@ -5,6 +5,7 @@ import (
 	"slices"
 	"strings"
 
+	"github.com/goradd/maps"
 	"github.com/kubescape/node-agent/pkg/objectcache"
 	"github.com/kubescape/node-agent/pkg/ruleengine"
 	"github.com/kubescape/node-agent/pkg/utils"
@@ -36,6 +37,7 @@ var _ ruleengine.RuleEvaluator = (*R0005UnexpectedDomainRequest)(nil)
 
 type R0005UnexpectedDomainRequest struct {
 	BaseRule
+	alertedDomains maps.SafeMap[string, bool]
 }
 
 func CreateRuleR0005UnexpectedDomainRequest() *R0005UnexpectedDomainRequest {
@@ -45,6 +47,7 @@ func CreateRuleR0005UnexpectedDomainRequest() *R0005UnexpectedDomainRequest {
 func (rule *R0005UnexpectedDomainRequest) Name() string {
 	return R0005Name
 }
+
 func (rule *R0005UnexpectedDomainRequest) ID() string {
 	return R0005ID
 }
@@ -68,6 +71,10 @@ func (rule *R0005UnexpectedDomainRequest) ProcessEvent(eventType utils.EventType
 		return nil
 	}
 
+	if rule.alertedDomains.Has(domainEvent.DNSName) {
+		return nil
+	}
+
 	// TODO: fix this, currently we are ignoring in-cluster communication
 	if strings.HasSuffix(domainEvent.DNSName, "svc.cluster.local.") {
 		return nil
@@ -123,6 +130,8 @@ func (rule *R0005UnexpectedDomainRequest) ProcessEvent(eventType utils.EventType
 		RuleID: rule.ID(),
 	}
 
+	rule.alertedDomains.Set(domainEvent.DNSName, true)
+
 	return &ruleFailure
 }
 

diff --git a/pkg/ruleengine/v1/r0005_unexpected_domain_request_test.go b/pkg/ruleengine/v1/r0005_unexpected_domain_request_test.go
@@ -30,6 +30,7 @@ func TestR0005UnexpectedDomainRequest(t *testing.T) {
 			},
 		},
 		DNSName: "test.com",
+		Qr:      tracerdnstype.DNSPktTypeQuery,
 	}
 
 	// Test with nil appProfileAccess
@@ -60,5 +61,4 @@ func TestR0005UnexpectedDomainRequest(t *testing.T) {
 	if ruleResult != nil {
 		t.Errorf("Expected ruleResult to be nil since domain is whitelisted")
 	}
-
 }
diff --git a/pkg/ruleengine/v1/r0011_unexpected_egress_network_traffic.go b/pkg/ruleengine/v1/r0011_unexpected_egress_network_traffic.go
@@ -76,6 +76,10 @@ func (rule *R0011UnexpectedEgressNetworkTraffic) handleNetworkEvent(networkEvent
 
 		domain := objCache.DnsCache().ResolveIpToDomain(networkEvent.DstEndpoint.Addr)
 
+		if domain != "" {
+			return nil
+		}
+
 		// Check if the address is in the egress list and isn't in cluster.
 		for _, egress := range nnContainer.Egress {
 			if egress.IPAddress == networkEvent.DstEndpoint.Addr {
@@ -154,6 +158,11 @@ func isPrivateIP(ip string) bool {
 		return false
 	}
 
+	// Check if IP is localhost
+	if parsedIP.IsLoopback() {
+		return true
+	}
+
 	// Check if IP is in private IP ranges
 	privateIPRanges := []struct {
 		start net.IP

diff --git a/pkg/ruleengine/v1/r1008_crypto_mining_domain.go b/pkg/ruleengine/v1/r1008_crypto_mining_domain.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"slices"
 
+	"github.com/goradd/maps"
 	"github.com/kubescape/node-agent/pkg/objectcache"
 	"github.com/kubescape/node-agent/pkg/ruleengine"
 	"github.com/kubescape/node-agent/pkg/utils"
@@ -145,6 +146,7 @@ var _ ruleengine.RuleEvaluator = (*R1008CryptoMiningDomainCommunication)(nil)
 
 type R1008CryptoMiningDomainCommunication struct {
 	BaseRule
+	alertedDomains maps.SafeMap[string, bool]
 }
 
 func CreateRuleR1008CryptoMiningDomainCommunication() *R1008CryptoMiningDomainCommunication {
@@ -168,6 +170,10 @@ func (rule *R1008CryptoMiningDomainCommunication) ProcessEvent(eventType utils.E
 	}
 
 	if dnsEvent, ok := event.(*tracerdnstype.Event); ok {
+		if rule.alertedDomains.Has(dnsEvent.DNSName) {
+			return nil
+		}
+
 		if slices.Contains(commonlyUsedCryptoMinersDomains, dnsEvent.DNSName) {
 			ruleFailure := GenericRuleFailure{
 				BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
@@ -196,6 +202,8 @@ func (rule *R1008CryptoMiningDomainCommunication) ProcessEvent(eventType utils.E
 				RuleID: rule.ID(),
 			}
 
+			rule.alertedDomains.Set(dnsEvent.DNSName, true)
+
 			return &ruleFailure
 		}
 	}