Documentation ¶
Index ¶
- Constants
- Variables
- func Proxy(reg *DecoyRegistration, clientConn net.Conn, logger *log.Logger)
- func SelectAddrFromSubnet(seed []byte, net1 *net.IPNet) (net.IP, error)
- func SelectAddrFromSubnetOffset(net1 *net.IPNet, offset *big.Int) (net.IP, error)
- func V4Only(obj []*net.IPNet) ([]*net.IPNet, error)
- func V6Only(obj []*net.IPNet) ([]*net.IPNet, error)
- type Config
- type ConjurePhantomSubnet
- type ConjureSharedKeys
- type ConnectingTransport
- type DecoyRegistration
- func (reg *DecoyRegistration) GenerateC2SWrapper() *pb.C2SWrapper
- func (reg *DecoyRegistration) GenerateClientToStation() *pb.ClientToStation
- func (reg *DecoyRegistration) GetDstPort() uint16
- func (reg *DecoyRegistration) GetRegistrationAddress() string
- func (reg *DecoyRegistration) GetSrcPort() uint16
- func (reg *DecoyRegistration) IDString() string
- func (reg *DecoyRegistration) PreScanned() bool
- func (reg *DecoyRegistration) String() string
- type DecoyTimeout
- type Obfs4Keys
- type PhantomIPSelector
- func (p *PhantomIPSelector) AddGeneration(gen int, subnets *SubnetConfig) uint
- func (p *PhantomIPSelector) GetSubnetsByGeneration(generation uint) *SubnetConfig
- func (p *PhantomIPSelector) IsTakenGeneration(gen uint) bool
- func (p *PhantomIPSelector) RemoveGeneration(generation uint) bool
- func (p *PhantomIPSelector) Select(seed []byte, generation uint, clientLibVer uint, v6Support bool) (net.IP, error)
- func (p *PhantomIPSelector) UpdateGeneration(generation uint, subnets *SubnetConfig) bool
- type ProxyStats
- type RegConfig
- type RegisteredDecoys
- type RegistrationManager
- func (regManager *RegistrationManager) AddRegistration(d *DecoyRegistration)
- func (regManager *RegistrationManager) AddTransport(index pb.TransportType, t Transport) error
- func (regManager *RegistrationManager) Cleanup()
- func (regManager *RegistrationManager) CountRegistrations(phantomAddr net.IP) int
- func (regManager *RegistrationManager) GetRegistrations(phantomAddr net.IP) map[string]*DecoyRegistration
- func (regManager *RegistrationManager) GetWrappingTransports() map[pb.TransportType]WrappingTransport
- func (rm *RegistrationManager) HandleRegUpdates(ctx context.Context, regChan <-chan interface{}, parentWG *sync.WaitGroup)
- func (regManager *RegistrationManager) IsEnabledTransport(index pb.TransportType) bool
- func (regManager *RegistrationManager) MarkActive(reg *DecoyRegistration)
- func (rm *RegistrationManager) NewRegistration(c2s *pb.ClientToStation, conjureKeys *ConjureSharedKeys, includeV6 bool, ...) (*DecoyRegistration, error)
- func (rm *RegistrationManager) NewRegistrationC2SWrapper(c2sw *pb.C2SWrapper, includeV6 bool) (*DecoyRegistration, error)
- func (regManager *RegistrationManager) OnReload(conf *RegConfig)
- func (regManager *RegistrationManager) PhantomIsLive(addr string, port uint16) (bool, error)
- func (s *RegistrationManager) PrintAndReset(logger *log.Logger)
- func (regManager *RegistrationManager) RegistrationExists(reg *DecoyRegistration) bool
- func (regManager *RegistrationManager) RemoveOldRegistrations()
- func (regManager *RegistrationManager) TrackRegistration(d *DecoyRegistration) error
- func (regManager *RegistrationManager) ValidateRegistration(reg *DecoyRegistration) (bool, error)
- type RegistrationStats
- func (s *RegistrationStats) AddBlocklistedPhantomReg()
- func (s *RegistrationStats) AddDupReg()
- func (s *RegistrationStats) AddErrReg()
- func (s *RegistrationStats) AddExpiredRegs(total, valid int64)
- func (s *RegistrationStats) AddRegStats(reg *DecoyRegistration)
- func (s *RegistrationStats) PrintAndReset(logger *log.Logger)
- func (s *RegistrationStats) Reset()
- type Stats
- func (s *Stats) AddBytes(n int64, dir string)
- func (s *Stats) AddBytesDown(n int64)
- func (s *Stats) AddBytesUp(n int64)
- func (s *Stats) AddConn()
- func (s *Stats) AddDupReg()
- func (s *Stats) AddErrReg()
- func (s *Stats) AddLivenessCached()
- func (s *Stats) AddLivenessFail()
- func (s *Stats) AddLivenessPass()
- func (s *Stats) AddMissedReg()
- func (s *Stats) AddReg(generation uint32, source *pb.RegistrationSource)
- func (s *Stats) AddStatsModule(sm stats, isVerbose bool)
- func (s *Stats) CloseConn()
- func (s *Stats) ConnErr()
- func (s *Stats) ExpireReg(generation uint32, source *pb.RegistrationSource)
- func (s *Stats) PrintStats(isVerbose bool)
- func (s *Stats) Reset()
- func (s *Stats) ResetAll()
- type SubnetConfig
- type SubnetFilter
- type Transport
- type WrappingTransport
- type ZMQConfig
- type ZMQIngester
Constants ¶
const AES_GCM_TAG_SIZE = 16
AES_GCM_TAG_SIZE the size of the aesgcm tag used when generating the client to station message.
const DETECTOR_REG_CHANNEL string = "dark_decoy_map"
DETECTOR_REG_CHANNEL is a constant that defines the name of the redis map that we send validated registrations over in order to notify all detector cores.
const PrivateKeyLength = 32
PrivateKeyLength is the expected length of the station (ed25519) private key in bytes.
Variables ¶
var ( // ErrLegacyAddrSelectBug indicates that we have hit a corner case in a legacy address selection // algorithm that causes phantom address selection to fail. ErrLegacyAddrSelectBug = errors.New("no valid addresses specified") // ErrMissingAddrs indicates that no subnets were provided with addresses to select from. This // is only valid for phantomHkdfMinVersion and newer. ErrMissingAddrs = errors.New("no valid addresses specified to select") )
Functions ¶
func Proxy ¶
func Proxy(reg *DecoyRegistration, clientConn net.Conn, logger *log.Logger)
Proxy take a registration and a net.Conn and forwards client traffic to the clients covert destination.
func SelectAddrFromSubnet ¶
SelectAddrFromSubnet - given a seed and a CIDR block choose an address.
This is done by generating a seeded random bytes up to teh length of the full address then using the net mask to zero out any bytes that are already specified by the CIDR block. Tde masked random value is then added to the cidr block base giving the final randomly selected address.
func SelectAddrFromSubnetOffset ¶
SelectAddrFromSubnetOffset given a CIDR block and offset, return the net.IP
Version 2: HKDF-based
Types ¶
type Config ¶
type Config struct { *ZMQConfig *RegConfig // Log verbosity level LogLevel string `toml:"log_level"` // Path to private key file PrivateKeyPath string `toml:"privkey_path"` // PrefixFilePath provides a path to a file containing supported prefix specifications for the // prefix transport. // [TODO] refactor into a more general transport config object PrefixFilePath string `toml:"supplemental_prefix_path"` DisableDefaultPrefixes bool `toml:"disable_default_prefixes"` }
Config - Station golang configuration struct
func ParseConfig ¶
ParseConfig parses the config from the CJ_STATION_CONFIG environment variable.
func (*Config) ParsePrivateKey ¶
ParsePrivateKey tries to use either the PrivateKeyPath (`privkey_path`) config variable or the CJ_PRIVKEY environment variable to locate the file from which it can parse the station private key
type ConjurePhantomSubnet ¶
ConjurePhantomSubnet - Weighted option to choose phantom address from.
type ConjureSharedKeys ¶
type ConjureSharedKeys struct {
ConjureSharedKeys contains keys that the station is required to keep.
func GenSharedKeys ¶
func GenSharedKeys(clientLibVer uint, sharedSecret []byte, tt pb.TransportType) (ConjureSharedKeys, error)
GenSharedKeys generates the keys requires to form a Conjure connection based on the SharedSecret
type ConnectingTransport ¶
type ConnectingTransport interface { Transport // Connect attempts to connect to the client from the phantom address derived in the // registration. Connect(context.Context, *DecoyRegistration) (net.Conn, error) }
ConnectingTransport describes transports that actively form an outgoing connection to clients to initiate the conversation.
type DecoyRegistration ¶
type DecoyRegistration struct { PhantomIp net.IP PhantomPort uint16 PhantomProto pb.IPProto Keys *ConjureSharedKeys Covert, Mask string Flags *pb.RegistrationFlags Transport pb.TransportType TransportPtr *Transport TransportParams any RegistrationTime time.Time RegistrationSource *pb.RegistrationSource DecoyListVersion uint32 // validity marks whether the registration has been validated through liveness and other checks. // This also denotes whether the registration has been shared with the detector. Valid bool // contains filtered or unexported fields }
DecoyRegistration is a struct for tracking individual sessions that are expecting or tracking connections.
func (*DecoyRegistration) GenerateC2SWrapper ¶
func (reg *DecoyRegistration) GenerateC2SWrapper() *pb.C2SWrapper
GenerateC2SWrapper creates a C2SWrapper struct. This is used in registration sharing between stations where the station notifies other stations of a registration.
func (*DecoyRegistration) GenerateClientToStation ¶
func (reg *DecoyRegistration) GenerateClientToStation() *pb.ClientToStation
GenerateClientToStation creates a clientToStation struct. This is used in registration sharing between stations where the station notifies other stations of a registration.
func (*DecoyRegistration) GetDstPort ¶
func (reg *DecoyRegistration) GetDstPort() uint16
GetDstPort returns the destination port of the phantom flow selected when the registration was created. For now there is no extra fancy-ness needed here because every valid registration will have selected a uint16 destination port on creation.
func (*DecoyRegistration) GetRegistrationAddress ¶
func (reg *DecoyRegistration) GetRegistrationAddress() string
GetRegistrationAddress returns the address that was used to create this registration. This should almost never be used - it exists to get the address for debugging and for logging misbehaving client IPs.
func (*DecoyRegistration) GetSrcPort ¶
func (reg *DecoyRegistration) GetSrcPort() uint16
GetSrcPort returns a source port if one was registered. Currently this is not supported -- for now this is intended as plumbing for potentially supporting seeded source port selection for the client.
func (*DecoyRegistration) IDString ¶
func (reg *DecoyRegistration) IDString() string
IDString - return a short version of the id (HMAC-ID) of a registration for logging
func (*DecoyRegistration) PreScanned ¶
func (reg *DecoyRegistration) PreScanned() bool
PreScanned returns true if a regisration has been pre-scanned - i.e scanned by another station before being shared
func (*DecoyRegistration) String ¶
func (reg *DecoyRegistration) String() string
String -- Print a digest of the important identifying information for this registration. [TODO]{priority:soon} Find a way to add the client IP to this logging for now it is logged in the detector associating registrant IP with shared secret.
type DecoyTimeout ¶
type DecoyTimeout struct {
// contains filtered or unexported fields
}
DecoyTimeout contains all fields required to track registration validity / expiration.
type PhantomIPSelector ¶
type PhantomIPSelector struct {
Networks map[uint]*SubnetConfig
}
PhantomIPSelector - Object for tracking current generation to SubnetConfig Mapping.
func GetPhantomSubnetSelector ¶
func GetPhantomSubnetSelector() (*PhantomIPSelector, error)
GetPhantomSubnetSelector gets the location of the configuration file from an environment variable and returns the parsed configuration.
func NewPhantomIPSelector ¶
func NewPhantomIPSelector() (*PhantomIPSelector, error)
NewPhantomIPSelector - create object currently populated with a static map of generation number to SubnetConfig, but this may be loaded dynamically in the future.
func SubnetsFromTomlFile ¶
func SubnetsFromTomlFile(path string) (*PhantomIPSelector, error)
SubnetsFromTomlFile takes a path and parses the toml config file
func (*PhantomIPSelector) AddGeneration ¶
func (p *PhantomIPSelector) AddGeneration(gen int, subnets *SubnetConfig) uint
AddGeneration - add a subnet config as a new new generation, if the requested generation index is taken then it uses (and returns) the next available number.
func (*PhantomIPSelector) GetSubnetsByGeneration ¶
func (p *PhantomIPSelector) GetSubnetsByGeneration(generation uint) *SubnetConfig
GetSubnetsByGeneration - provide a generation index. If the generation exists the associated SubnetConfig is returned. If it is not defined the default subnets are returned.
func (*PhantomIPSelector) IsTakenGeneration ¶
func (p *PhantomIPSelector) IsTakenGeneration(gen uint) bool
IsTakenGeneration - check if the generation index is already in use.
func (*PhantomIPSelector) RemoveGeneration ¶
func (p *PhantomIPSelector) RemoveGeneration(generation uint) bool
RemoveGeneration - remove a generation from the mapping
func (*PhantomIPSelector) Select ¶
func (p *PhantomIPSelector) Select(seed []byte, generation uint, clientLibVer uint, v6Support bool) (net.IP, error)
Select - select an ip address from the list of subnets associated with the specified generation
func (*PhantomIPSelector) UpdateGeneration ¶
func (p *PhantomIPSelector) UpdateGeneration(generation uint, subnets *SubnetConfig) bool
UpdateGeneration - Update the subnet list associated with a specific generation
type ProxyStats ¶
ProxyStats track metrics about byte transfer.
func GetProxyStats ¶
func GetProxyStats() *ProxyStats
GetProxyStats returns our singleton for proxy stats
func (*ProxyStats) PrintAndReset ¶
func (s *ProxyStats) PrintAndReset(logger *log.Logger)
PrintAndReset implements the stats interface
type RegConfig ¶
type RegConfig struct { *liveness.Config *geoip.DBConfig // number of worker threads for ingesting incoming registrations. IngestWorkerCount int `toml:"ingest_worker_count"` EnableShareOverAPI bool `toml:"enable_share_over_api"` PreshareEndpoint string `toml:"preshare_endpoint"` // isthe station capable of handling v4 / v6 with independent toggles. EnableIPv4 bool `toml:"enable_v4"` EnableIPv6 bool `toml:"enable_v6"` // Local list of disallowed subnets for covert addresses. CovertBlocklistSubnets []string `toml:"covert_blocklist_subnets"` // At launch add all public addresses from machine to blocklist. CovertBlocklistPublicAddrs bool `toml:"covert_blocklist_public_addrs"` // Local list of allowed subnets for covert addresses. CovertAllowlistSubnets []string `toml:"covert_allowlist_subnets"` // Local list of disallowed domain patterns for covert addresses. CovertBlocklistDomains []string `toml:"covert_blocklist_domains"` // Local list of disallowed subnets patterns for phantom addresses. PhantomBlocklist []string `toml:"phantom_blocklist"` // contains filtered or unexported fields }
RegConfig contains all configuration options directly related to processing registrations lifecycle (ingest, validity, and eviction).
func (*RegConfig) IsBlocklistedPhantom ¶
IsBlocklistedPhantom checks if the provided address should be denied by on of the blocklisted Phantom subnets.
func (*RegConfig) ParseBlocklists ¶
func (c *RegConfig) ParseBlocklists()
ParseBlocklists converts string arrays of blocklisted domains, addresses and subnets and parses them into a usable format
func (*RegConfig) ParseOrResolveBlocklisted ¶
ParseOrResolveBlocklisted attempts to return an IP:port string whenever possible either by parsing the IP to ensure correct format or resolving domain names. It also checks the configuration blocklists for both domain name and IP address. The intention of this function is that it be used to prevent SSRF DNS rebinding by doing resolution to final address to be used by net.Dial and checking blocklists in the same step.
If a bad address / domain is given and empty string will be returned The bool return indicates whether the station resolved the domain name or not
type RegisteredDecoys ¶
type RegisteredDecoys struct {
// contains filtered or unexported fields
}
RegisteredDecoys provides a container struct for tracking all registrations and their expiration.
func NewRegisteredDecoys ¶
func NewRegisteredDecoys() *RegisteredDecoys
NewRegisteredDecoys returns a new struct with which to track registrations.
func (*RegisteredDecoys) RegistrationExists ¶
func (r *RegisteredDecoys) RegistrationExists(d *DecoyRegistration) *DecoyRegistration
RegistrationExists - For use outside of this struct only (so there are no data races.)
func (*RegisteredDecoys) TotalRegistrations ¶
func (r *RegisteredDecoys) TotalRegistrations() int
TotalRegistrations return the total number of current registrations
func (*RegisteredDecoys) Track ¶
func (r *RegisteredDecoys) Track(d *DecoyRegistration) error
Track informs the registered decoys struct of a new registration to track.
For use outside of this struct (so there are no data races.)
type RegistrationManager ¶
type RegistrationManager struct { *RegConfig *RegistrationStats Logger *log.Logger PhantomSelector *PhantomIPSelector LivenessTester liveness.Tester GeoIP geoip.Database // contains filtered or unexported fields }
RegistrationManager manages registration tracking for the station.
func NewRegistrationManager ¶
func NewRegistrationManager(conf *RegConfig) *RegistrationManager
NewRegistrationManager returns a newly initialized registration Manager
func (*RegistrationManager) AddRegistration ¶
func (regManager *RegistrationManager) AddRegistration(d *DecoyRegistration)
AddRegistration officially adds the registration to usage by marking it as valid.
func (*RegistrationManager) AddTransport ¶
func (regManager *RegistrationManager) AddTransport(index pb.TransportType, t Transport) error
AddTransport initializes a transport so that it can be tracked by the manager when clients register.
func (*RegistrationManager) Cleanup ¶
func (regManager *RegistrationManager) Cleanup()
Cleanup sends a signal to the detector to empty cached sessions. This ensures that the detector does not forward traffic for sessions that it knows about for a previous launch of the station that the current session doesn't know about.
func (*RegistrationManager) CountRegistrations ¶
func (regManager *RegistrationManager) CountRegistrations(phantomAddr net.IP) int
CountRegistrations counts the number of registrations tracked that are using a specific phantom address.
func (*RegistrationManager) GetRegistrations ¶
func (regManager *RegistrationManager) GetRegistrations(phantomAddr net.IP) map[string]*DecoyRegistration
GetRegistrations returns registrations associated with a specific phantom address.
func (*RegistrationManager) GetWrappingTransports ¶
func (regManager *RegistrationManager) GetWrappingTransports() map[pb.TransportType]WrappingTransport
GetWrappingTransports Returns a map of the wrapping transport types to their transports. This return value can be mutated freely.
func (*RegistrationManager) HandleRegUpdates ¶
func (rm *RegistrationManager) HandleRegUpdates(ctx context.Context, regChan <-chan interface{}, parentWG *sync.WaitGroup)
HandleRegUpdates is responsible for launching and managing registration ingest from the perspective of the RegistrationManager. The keys to success in this job are:
- Launch a fixed number of workers to process registration messages
- read from the registration channel as though it is blocking
- write jobs to works non-blocking. any time a registration is received, but a worker is not available the registration is simple dropped and counted for metrics
- Keep a shallow buffer to drop as few registrations as possible. The buffer must be shallow so that registrations that end up buffered are still relevant when they make it out of the buffer.
func (*RegistrationManager) IsEnabledTransport ¶
func (regManager *RegistrationManager) IsEnabledTransport(index pb.TransportType) bool
IsEnabledTransport checks if the provided transport ID is enabled in the regisrtar
func (*RegistrationManager) MarkActive ¶
func (regManager *RegistrationManager) MarkActive(reg *DecoyRegistration)
MarkActive indicates that an incoming connection has successfully been make with the registration provided in the argument.
func (*RegistrationManager) NewRegistration ¶
func (rm *RegistrationManager) NewRegistration(c2s *pb.ClientToStation, conjureKeys *ConjureSharedKeys, includeV6 bool, registrationSource *pb.RegistrationSource) (*DecoyRegistration, error)
NewRegistration creates a new registration from details provided. Adds the registration to tracking map, But marks it as not valid. This is a utility function, it its not used in the ingest pipeline
func (*RegistrationManager) NewRegistrationC2SWrapper ¶
func (rm *RegistrationManager) NewRegistrationC2SWrapper(c2sw *pb.C2SWrapper, includeV6 bool) (*DecoyRegistration, error)
NewRegistrationC2SWrapper creates a new registration from details provided. Adds the registration to tracking map, But marks it as not valid.
func (*RegistrationManager) OnReload ¶
func (regManager *RegistrationManager) OnReload(conf *RegConfig)
OnReload is meant to be used when Reloading Configuration while things are already running. Only reloads phantom selector and blocklists. Does not (yet) modify ingest worker pipeline or liveness testing configuration.
func (*RegistrationManager) PhantomIsLive ¶
func (regManager *RegistrationManager) PhantomIsLive(addr string, port uint16) (bool, error)
PhantomIsLive - Test whether the phantom is live using 8 syns which returns syn-acks from 99% of sites within 1 second. see ZMap: Fast Internet-wide Scanning and Its Security Applications https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_durumeric.pdf
return: bool true - host is live
false - host is not liev error reason decision was made
func (*RegistrationManager) PrintAndReset ¶
func (s *RegistrationManager) PrintAndReset(logger *log.Logger)
PrintAndReset implements the stats interface. Overrides the Registration stats implementation of PrintAndReset so we have access to the current state of the registration manager.
func (*RegistrationManager) RegistrationExists ¶
func (regManager *RegistrationManager) RegistrationExists(reg *DecoyRegistration) bool
RegistrationExists checks if the registration is already tracked by the manager, this is independent of the validity tag, this just checks to see if the registration exists.
func (*RegistrationManager) RemoveOldRegistrations ¶
func (regManager *RegistrationManager) RemoveOldRegistrations()
RemoveOldRegistrations garbage collects old registrations
func (*RegistrationManager) TrackRegistration ¶
func (regManager *RegistrationManager) TrackRegistration(d *DecoyRegistration) error
TrackRegistration adds the registration to the map WITHOUT marking it valid.
func (*RegistrationManager) ValidateRegistration ¶
func (regManager *RegistrationManager) ValidateRegistration(reg *DecoyRegistration) (bool, error)
ValidateRegistration checks expected fields and combinations for common errors to prevent wasted time on registration ingest.
type RegistrationStats ¶
type RegistrationStats struct {
// contains filtered or unexported fields
}
RegistrationStats track metrics relating to registration management and lifecycle
func (*RegistrationStats) AddBlocklistedPhantomReg ¶
func (s *RegistrationStats) AddBlocklistedPhantomReg()
AddBlocklistedPhantomReg adds one to the count of registrations that errored this epoch
func (*RegistrationStats) AddDupReg ¶
func (s *RegistrationStats) AddDupReg()
AddDupReg adds one to the count of registrations that saw duplicated this epoch
func (*RegistrationStats) AddErrReg ¶
func (s *RegistrationStats) AddErrReg()
AddErrReg adds one to the count of registrations that errored this epoch
func (*RegistrationStats) AddExpiredRegs ¶
func (s *RegistrationStats) AddExpiredRegs(total, valid int64)
AddExpiredRegs updates registration stats count.
func (*RegistrationStats) AddRegStats ¶
func (s *RegistrationStats) AddRegStats(reg *DecoyRegistration)
AddRegStats updates registration stats. Will only be called for registrations marked valid
func (*RegistrationStats) PrintAndReset ¶
func (s *RegistrationStats) PrintAndReset(logger *log.Logger)
PrintAndReset implements the stats interface
func (*RegistrationStats) Reset ¶
func (s *RegistrationStats) Reset()
Reset implements the stats interface
type Stats ¶
type Stats struct {
// contains filtered or unexported fields
}
Stats contains counts of many things we want to keep track of in any given epoch as well as reference to modular metrics interfaces from related modules. These are used to print usage in a regulated and consumable way.
fields are int64 because we occasionally need to atomically subtract, which is not supported for uint64
func (*Stats) AddBytesDown ¶
func (*Stats) AddBytesUp ¶
func (*Stats) AddLivenessCached ¶
func (s *Stats) AddLivenessCached()
func (*Stats) AddLivenessFail ¶
func (s *Stats) AddLivenessFail()
func (*Stats) AddLivenessPass ¶
func (s *Stats) AddLivenessPass()
func (*Stats) AddMissedReg ¶
func (s *Stats) AddMissedReg()
func (*Stats) AddReg ¶
func (s *Stats) AddReg(generation uint32, source *pb.RegistrationSource)
will only be called for registrations marked valid
func (*Stats) AddStatsModule ¶
func (*Stats) ExpireReg ¶
func (s *Stats) ExpireReg(generation uint32, source *pb.RegistrationSource)
should only be called for registrations marked valid
func (*Stats) PrintStats ¶
type SubnetConfig ¶
type SubnetConfig struct {
WeightedSubnets []ConjurePhantomSubnet
}
SubnetConfig - Configuration of subnets for Conjure to choose a Phantom out of.
type SubnetFilter ¶
SubnetFilter - Filter IP subnets based on whatever to prevent specific subnets from inclusion in choice. See v4Only and v6Only for reference.
type Transport ¶
type Transport interface { // The human-friendly name of the transport. Name() string // The prefix used when including this transport in logs. LogPrefix() string // GetIdentifier takes in a registration and returns an identifier for it. This identifier // should be unique for each registration on a given phantom; registrations on different // phantoms can have the same identifier. GetIdentifier(*DecoyRegistration) string // GetProto returns the IP protocol used by the transport. Typical transports will use TCP or // UDP, if something beyond these is required you will need to update the enum in the protobuf // file and change the packet processing in the detector. GetProto() pb.IPProto // GetDstPort Given the library version, a seed, and a generic object containing parameters the // transport should be able to return the destination port that a clients phantom connection // will attempt to reach. The libVersion is provided incase of version dependent changes in the // transports port selection algorithm. GetDstPort(libVersion uint, seed []byte, parameters any) (uint16, error) // ParseParams gives the specific transport an option to parse a generic object into parameters // provided by the client during registration. The libVersion is provided incase of version // dependent changes in the transport params or param parsing. ParseParams(libVersion uint, data *anypb.Any) (any, error) // ParamStrings returns an array of tag string that will be added to tunStats when a proxy // session is closed. ParamStrings(p any) []string }
Transport defines the interface for the manager to interface with variable transports that wrap the traffic sent by clients.
type WrappingTransport ¶
type WrappingTransport interface { Transport // WrapConnection attempts to wrap the given connection in the transport. It takes the // information gathered so far on the connection in data, attempts to identify itself, and if it // positively identifies itself wraps the connection in the transport, returning a connection // that's ready to be used by others. // // If the returned error is nil or non-nil and non-{ transports.ErrTryAgain, // transports.ErrNotTransport }, the caller may no longer use data or conn. // // Implementations should not Read from conn unless they have positively identified that the // transport exists and are in the process of wrapping the connection. // // Implementations should not Read from data unless they are are attempting to wrap the // connection. Use data.Bytes() to get all of the data that has been seen on the connection. // // If implementations cannot tell if the transport exists on the connection (e.g. there hasn't // yet been enough data sent to be conclusive), they should return transports.ErrTryAgain. If // the transport can be conclusively determined to not exist on the connection, implementations // should return transports.ErrNotTransport. WrapConnection(data *bytes.Buffer, conn net.Conn, phantom net.IP, rm *RegistrationManager) (reg *DecoyRegistration, wrapped net.Conn, err error) }
WrappingTransport describes any transport that is able to passively listen to incoming network connections and identify itself, then actively wrap the connection.
type ZMQConfig ¶
type ZMQConfig struct { SocketName string `toml:"socket_name"` ConnectSockets []socketConfig `toml:"connect_sockets"` HeartbeatInterval int `toml:"heartbeat_interval"` HeartbeatTimeout int `toml:"heartbeat_timeout"` }
ZMQConfig - Configuration options relevant to the ZMQ Proxy utility
type ZMQIngester ¶
type ZMQIngester struct { *ZMQConfig // contains filtered or unexported fields }
ZMQIngester manages registration ingest over ZMQ.
func NewZMQIngest ¶
func NewZMQIngest(connectAddr string, regchan chan<- interface{}, privkey [32]byte, conf *ZMQConfig) (*ZMQIngester, error)
NewZMQIngest returns a struct that manages registration ingest over ZMQ.
func (*ZMQIngester) PrintAndReset ¶
func (zi *ZMQIngester) PrintAndReset(logger *log.Logger)
PrintAndReset implements the Stats interface
func (*ZMQIngester) RunZMQ ¶
func (zi *ZMQIngester) RunZMQ(ctx context.Context)
RunZMQ start the receive loop that writes into the provided message receive channel