1 files changed, 472 insertions, 0 deletions
diff --git a/src/dns_jt_audit.cpp b/src/dns_jt_audit.cpp
new file mode 100644
index 0000000..e2135c6
--- /dev/null
+++ b/src/dns_jt_audit.cpp
@@ -0,0 +1,472 @@
+/*
+ ============================================================================
+ Name        : xxx.c
+ Author      : [email protected]
+ Version     : 2016-07-30 v0.01
+ Copyright   : All right reserved by Institute of Engineer,Chinese Academic of Science 2014~2018
+ Description : ip_shift_dns_service in C++, Ansi-style
+ V0.0.2 2014-11-27 
+ ============================================================================
+ */
+#include <time.h>
+//#include <MESA/magellan_logger.h>
+
+#include "dns_jt_audit.h"
+#include "inc/dns_analyse.h"
+
+int default_dbg_level = 1;
+#define DBG(level, msg...) do {\
+		if(default_dbg_level > level) \
+			printf(msg); \
+	}while(0)
+
+#define  IP_REQ_NAME      "JT_IP_PKT"
+
+int JT_DNS_PLUG_VERSION_20170724 = 0;
+char * dj_dns_service_conf_path = (char *)"./djconf/dns_jt_audit.conf";
+const char *dns_service_module_name = "DJ_DNS_SERVICE";
+
+//const char *register_gq_dns_table_name[REGISTER_TABLE_NUM] = {"DNS_DOMAIN_PZ", "IP_GEO_PZ"};
+const char *register_gq_dns_table_name[REGISTER_TABLE_NUM] = {"DNS_DOMAIN_PZ"};
+/*char *opt_log_name[11] = { \
+//	(char *)"opt_sip", (char *)"opt_dip", (char *)"opt_sport", (char*)"opt_dport", (char*)"opt_smac", (char *)"opt_dmac", \
+//	(char *)"opt_dns_domain",(char *)"opt_dns_responseip",(char *)"opt_alarm_id", (char *)"opt_alarm_risk", (char*)"opt_rule_id"};
+*/
+dns_service_conf g_dns_service;
+
+int dns_project_req_id = 0;
+
+#ifndef atomic_read
+#define atomic_read(x) __sync_add_and_fetch((x),0)
+#endif
+
+#ifndef atomic_add
+#define atomic_add(x,y) __sync_add_and_fetch((x),(y))
+#endif
+
+#ifndef atomic_set
+#define atomic_set(x,y) __sync_lock_test_and_set((x),y)
+#endif
+
+unsigned short dns_seq = 0;
+
+int dj_dns_service_add_cache(char* opt_name, const void* opt_value, int opt_len,dj_cache_t cache_handle,APPD_MSG_TYPE status)
+{
+	int ret = 0;
+	opt_unit_t dns_service_opt = create_opt_unit(opt_name,opt_value,opt_len);
+
+	ret = add_dj_cache(cache_handle,status,dns_service_opt);
+	if(ret == -1)
+	{
+		printf("error\n");
+		MESA_handle_runtime_log(g_dns_service.log_handle, RLOG_LV_FATAL,dns_service_module_name,"Add cache failed!");
+		return ret;
+	}
+	return 0;
+}
+
+#if 0
+unsigned long long get_uniq_id()
+{
+	static unsigned short sequence=0;
+	static time_t last_second=0;
+	time_t now;
+	time(&now);
+//	time_t now=g_CurrentTime;
+	unsigned long long ADDR_OVER_ID=0;
+
+	short  dns = 2;
+
+	if(last_second!=now)
+	{
+		last_second=now;
+		sequence=0;
+	}
+	//suppose maximum 65535 logs per second
+	assert(sequence<0xffff);
+	//16bit alarm type +32bit time + 16bit sequence
+	ADDR_OVER_ID=(dns&0x00000000000000FF)<<48|now<<32|sequence;
+	sequence++;
+	return ADDR_OVER_ID;
+
+}
+#endif
+void dns_time_to_string(char *time_str, unsigned int time_str_len)
+{
+	time_t  t;
+	time(&t);
+	dj_thread_safe_ctime(&t, time_str, time_str_len);
+}
+
+int dns_set_magellan_opt(magellan_opt_t*m_opt,int opt_type,int opt_len,const void* opt_value)
+{
+	m_opt->opt_type=opt_type;
+	m_opt->opt_len=opt_len;
+	m_opt->opt_value=(void *)opt_value;
+	return 1;
+}
+
+
+int dj_dns_create_log(dns_response_t* dns_info,struct streaminfo *dns_stream, int thread_num, Maat_rule_t *presult,magellan_opt_t *m_opt,char un_id[])
+{
+	scan_status_t mid = NULL;
+	char resip[700];
+	int m_opt_cnt = 0;
+
+	if(presult->do_blacklist != DOMAIN_BLACK_CHAR )
+		return -1;
+
+	m_opt_cnt = 2;
+	m_opt[0].opt_type = MAGELLAN_OPT_DNS;
+	m_opt[1].opt_type = MAGELLAN_OPT_DOMAIN_IP;
+	memcpy(resip, m_opt[1].opt_value, m_opt[1].opt_len);
+	m_opt[1].opt_value = resip;
+        
+	time_t  captime = time(NULL);
+
+	//m_opt_cnt+=dns_set_magellan_opt(m_opt+2,MAGELLAN_OPT_CAP_TIME, sizeof(time_t),&captime);
+	m_opt_cnt+=dns_set_magellan_opt(m_opt+m_opt_cnt,MAGELLAN_OPT_CAP_TIME, sizeof(time_t),&captime);
+	m_opt_cnt+=dns_set_magellan_opt(m_opt+m_opt_cnt,MAGELLAN_OPT_ID,strlen(un_id),un_id);
+	m_opt_cnt+=dns_set_magellan_opt(m_opt+m_opt_cnt,MAGELLAN_OPT_RISK,sizeof(char),&(presult->do_log));
+	m_opt_cnt+=dns_set_magellan_opt(m_opt+m_opt_cnt,MAGELLAN_OPT_RULE_ID,sizeof(int),&(presult->config_id));
+
+	dj_magellan_write_log(dns_stream,QDJCQ_MGLL_USERID,TABID_DOMAIN_LISTEN_ALARM,m_opt,m_opt_cnt,thread_num);//TABID_DOMAIN_LISTEN_ALARM
+
+	Maat_clean_status(&mid);
+
+	return 0;
+}
+
+int dj_dns_scan_domain(dns_response_t* dns_info,struct streaminfo *dns_stream, void *a_packet,magellan_opt_t *m_opt,int thread_num)
+{
+	int ret = 0;
+	int  domain_len = 0;
+	char *domain = NULL;
+//	unsigned long long uniq_id;
+
+	time_t now;
+	short seq = 0;
+
+	int found_pos = 0;
+	Maat_rule_t  domain_scan_result[MAX_SUPPORT_RULE_SIZE];
+	scan_status_t mid = NULL;
+	//char dot_domain[256];
+
+    memset(domain_scan_result,0,MAX_SUPPORT_RULE_SIZE*sizeof(Maat_rule_t));
+
+    domain = (char*)(dns_info->question.qname);
+    domain_len = strlen(domain);
+
+/*	memset(dot_domain, 0, 256);
+	snprintf(dot_domain, domain_len+2, ".%s", domain);*/
+
+	ret = Maat_full_scan_string(g_dj_feather,g_dns_service.table_id[REGISTER_TABLE_DOMAIN],CHARSET_GBK,\
+			domain,domain_len,domain_scan_result,&found_pos,MAX_SUPPORT_RULE_SIZE,&mid,thread_num);
+    if(ret == -1)
+    {
+    	if(g_dns_service.debug_info == DJ_DEBUG_ON)
+            DBG(0, "Maat scan domain failed!\n");
+    	MESA_handle_runtime_log(g_dns_service.log_handle,RLOG_LV_FATAL,dns_service_module_name,(char *)"Maat scan domain failed!\n");
+        Maat_clean_status(&mid);
+        return ret;
+    }
+	else if(ret > 0)
+	{		
+		int i, index=0, black_flag=0;
+		int risk = 0;
+		
+		for(i=0; i<ret; i++)
+		{
+			if(domain_scan_result[i].action == DOMAIN_BLACK_CHAR)
+			{
+				if(domain_scan_result[i].do_log >= risk)
+				{
+					risk = domain_scan_result[i].do_log;
+					index = i;
+				}
+				black_flag = 1;
+			}
+		}
+
+		//add to dynamic black list
+		if(black_flag == 1)
+		{
+//			make_ip_control_wblist(dns_stream, thread_num, domain_scan_result[index].config_id,risk,IPC_BLACK_IP_TYPE);
+
+			target_tag *dns_tag = (target_tag *)dictator_malloc(thread_num, sizeof(target_tag));
+			memset(dns_tag, 0, sizeof(target_tag));
+			dns_tag->type =  domain_scan_result[index].service_id;
+			dns_tag->rule_id =  domain_scan_result[index].config_id;
+			dns_tag->risk = risk;
+//			uniq_id = get_uniq_id();
+//			sprintf(dns_tag->id,"%lld",uniq_id);
+			atomic_add(&dns_seq,1);
+			seq = atomic_read(&dns_seq);
+			now =  time(NULL);
+
+			sprintf(dns_tag->id,"%u%lu%u",DNS_BUSINESS,now,seq);
+			black_ip *dns_black_ip = NULL;
+			if(black_flag == 1) {
+				if (dns_info->ipv4_num > 0) {
+					dns_black_ip = (black_ip *) dictator_malloc(thread_num, sizeof(black_ip));
+					memset(dns_black_ip,0,sizeof(black_ip));
+					dns_black_ip->ip_num = dns_info->ipv4_num;
+					memcpy(dns_black_ip->ipv4, dns_info->ipv4, dns_info->ipv4_num * sizeof(unsigned int));
+					dns_black_ip->thread_num = thread_num;
+					dns_black_ip->ip_type = IPC_BLACK_IP_TYPE;
+
+					dns_tag->dns_ip = dns_black_ip;
+				}
+			}
+
+			int tag_ret = project_req_add_struct(dns_stream,dns_project_req_id,dns_tag);
+			if(tag_ret < 0)
+			{
+				if(g_dns_service.debug_info == DJ_DEBUG_ON)
+					DBG(0, "Add flow tag fail!\n");
+				MESA_handle_runtime_log(g_dns_service.log_handle,RLOG_LV_FATAL,dns_service_module_name,(char *)"Add flow tag fail!\n");
+			}
+
+		//if(black_flag == 1) {
+			dj_dns_create_log(dns_info,dns_stream, thread_num, &domain_scan_result[index],m_opt,dns_tag->id);
+		}
+
+//		printf("\n\ndomain hitted---%d, ser_def=%s\n\n", domain_scan_result[index].do_blacklist, domain_scan_result[index].service_defined);
+    }
+
+	//dj_dns_create_log(dns_info,dns_stream, thread_num, &domain_scan_result[0]);
+	Maat_clean_status(&mid);
+	return ret;
+}
+
+void dns_free_magellan_opt(magellan_opt_t *m_opt, int thread_seq)
+{
+	if(m_opt->opt_value != NULL)
+	{
+		dictator_free(thread_seq, (void *)m_opt->opt_value);
+		m_opt->opt_value = NULL;
+	}
+}
+
+int dns_init_process_context(process_context_t **process_context, int thread_seq)
+{
+	process_context_t *context = (process_context_t *)dictator_malloc(thread_seq, sizeof(process_context_t));
+	memset(context, 0 , sizeof(process_context_t));
+	
+	*process_context = context;
+	
+	return 1;
+}
+
+void dns_destroy_process_context(process_context_t *process_context, int thread_seq)
+{
+	int i = 0;
+	
+	if(process_context->m_opt_index != 0)
+	{
+		for(i = 0; i < process_context->m_opt_index; i++)
+		{
+			dns_free_magellan_opt(&(process_context->m_opt[i]), thread_seq);
+		}
+	}
+	
+	dictator_free(thread_seq,process_context);
+	process_context = NULL;
+}
+
+char dj_dns_service_entry (stSessionInfo *session_info,  void **pme, int thread_seq, struct streaminfo *dns_stream, void *a_packet)
+{
+	int i,len,ret = 0;
+    int domain_len = 0;
+	int m_opt_cnt = 0;
+	magellan_opt_t m_opt[MAX_MAGELLON_OPT_NUM];
+	char respip[700];
+	char ipaddr[60];
+	const char *module_name = "JT_DNS_PLUG";
+	
+	process_context_t *context = (process_context_t *)*pme;	
+	struct Maat_rule_t scan_result[MAX_RESULT_NUM];
+	int found_pos = 0;
+	scan_status_t scan_mid = NULL;
+
+	
+	if(*pme == NULL)
+		{
+			if((dns_init_process_context(&context, thread_seq)) < 0)
+			{
+				MESA_handle_runtime_log(g_dns_service.log_handle, RLOG_LV_FATAL, module_name, "<%s>%d: init_process_context failed ...", __FILE__, __LINE__);
+				return PROT_STATE_DROPME;
+			}
+			*pme = context;
+		}
+
+	
+	if(NULL == session_info)
+	{
+		dns_destroy_process_context(context,thread_seq);
+		return PROT_STATE_DROPME;
+	}
+
+	dns_response_t* dns_info = (dns_response_t *)session_info->app_info;
+	domain_len = strlen((char*)(dns_info->question.qname));
+	if(domain_len <= 0)
+	{
+		dns_destroy_process_context(context,thread_seq);
+		return PROT_STATE_DROPME;
+	}
+
+	context->hit_config_num = Maat_full_scan_string(g_dj_feather,
+												g_dns_service.table_id[REGISTER_TABLE_DOMAIN],
+												CHARSET_GBK,
+												(const char *)(dns_info->question.qname),
+												strlen((char*)(dns_info->question.qname)),
+												//sizeof(dns_info->question.qname),
+												scan_result,
+												&found_pos,
+												MAX_RESULT_NUM,
+												&scan_mid,
+												thread_seq
+											);
+	Maat_clean_status(&scan_mid);
+	
+	//如果匹配错误		
+	if(context->hit_config_num < 0)
+	{
+		MESA_handle_runtime_log(g_dns_service.log_handle,RLOG_LV_FATAL,dns_service_module_name,(char *)"Error in Maat_full_scan_string ");;
+	}
+	// 默认全是白名单
+	int flag_whitelist = 0;
+
+	for (i = 0; i < context->hit_config_num; i++)
+		{
+			//黑名单是优先
+			if(scan_result[i].action == 1)
+				{
+					flag_whitelist = 1;
+				}
+		}
+	//0是白名单，1是存在黑名单
+	//如果全是白名单，且有命中
+	if(flag_whitelist == 0 && context->hit_config_num > 0)
+	{
+		MESA_handle_runtime_log(g_dns_service.log_handle,RLOG_LV_FATAL,dns_service_module_name,"<%s> filter 。。。",(const char *)(dns_info->question.qname));
+		dns_destroy_process_context(context,thread_seq);
+		return PROT_STATE_DROPME;
+	}
+	else
+	//if(flag_whitelist == 1 || context->hit_config_num == 0)
+	//如果不是白名单
+	{
+		memset(respip, 0, 700);
+		len = 0;
+		for(i=0; i<dns_info->ipv4_num; i++)
+		{
+			context->respone_flag = 1;
+			memset(ipaddr,0,60);
+			inet_ntop(AF_INET, (const void *)(&(dns_info->ipv4[i])),ipaddr,60);
+			memcpy(respip + len, ipaddr, strlen(ipaddr));
+			len += strlen(ipaddr);
+			respip[len++] = ';';
+		}
+
+		char cur_time_str[20] = {0};
+		dns_time_to_string(cur_time_str, sizeof(cur_time_str));
+
+		m_opt_cnt+=dns_set_magellan_opt(m_opt+m_opt_cnt,MAGELLAN_OPT_REQUEST,domain_len,dns_info->question.qname);
+
+		if(context->respone_flag == 1)
+		{
+			m_opt_cnt+=dns_set_magellan_opt(m_opt+m_opt_cnt,MAGELLAN_OPT_RESPONSE,len,respip);
+		}
+		else
+			m_opt_cnt+=dns_set_magellan_opt(m_opt+m_opt_cnt,MAGELLAN_OPT_RESPONSE,4,"NULL");
+
+		m_opt_cnt+=dns_set_magellan_opt(m_opt+m_opt_cnt,MAGELLAN_OPT_TIME,sizeof(cur_time_str),cur_time_str);
+		if(dns_stream->type == STREAM_TYPE_TCP)
+			m_opt_cnt+=dns_set_magellan_opt(m_opt+m_opt_cnt,MAGELLAN_OPT_PROTOCOL,3,"TCP");
+		else
+			m_opt_cnt+=dns_set_magellan_opt(m_opt+m_opt_cnt,MAGELLAN_OPT_PROTOCOL,3,"UDP");
+		m_opt_cnt+=dns_set_magellan_opt(m_opt+m_opt_cnt,MAGELLAN_OPT_APP,3,"dns");
+
+		if(g_dns_service.audit_level == 0)
+			dj_magellan_write_log(dns_stream,QDJCQ_MGLL_USERID,TABID_DNS_AUDIT_LOG,m_opt,m_opt_cnt,thread_seq);
+
+		//scan domain
+		ret = dj_dns_scan_domain(dns_info,dns_stream, a_packet,m_opt,thread_seq);
+	}
+
+	
+	if(ret <= 0)
+	{
+		dns_destroy_process_context(context,thread_seq);
+		return PROT_STATE_DROPME;
+	}
+
+	return PROT_STATE_GIVEME;
+}
+
+int register_table(void)
+{
+	int i = 0;
+	
+	for(i = 0; i < REGISTER_TABLE_NUM; i++)
+	{
+		g_dns_service.table_id[i] = Maat_table_register(g_dj_feather, register_gq_dns_table_name[i]);
+		if(g_dns_service.table_id[i] == -1)
+		{
+			MESA_handle_runtime_log(g_dns_service.log_handle, RLOG_LV_FATAL, dns_service_module_name, "<%s>%d: Maat_table_register failed ...", __FILE__, __LINE__);
+			return -1;
+		}
+	}
+	return 0;
+}
+
+
+void free_project_req(int thread_seq, void *project_req_value)
+{
+	if(project_req_value != NULL) {
+		target_tag *tmp = (target_tag *) project_req_value;
+		if(tmp->dns_ip != NULL)
+		{
+			dictator_free(thread_seq,tmp->dns_ip);
+			tmp->dns_ip = NULL;
+		}
+
+		dictator_free(thread_seq,tmp);
+		tmp = NULL;
+	}
+}
+
+int dj_dns_service_init()
+{
+	MESA_load_profile_int_def(dj_dns_service_conf_path,(char *)"SYSTEM",(char *)"DEBUG_INFO",&g_dns_service.debug_info,0);
+	MESA_load_profile_int_def(dj_dns_service_conf_path,(char *)"SYSTEM",(char *)"LOG_LEVEL",&g_dns_service.log_level,0);
+	MESA_load_profile_int_def(dj_dns_service_conf_path,(char *)"SYSTEM",(char *)"AUDIT_LEVEL",&g_dns_service.audit_level,0);
+	MESA_load_profile_string_def(dj_dns_service_conf_path,(char *)"SYSTEM",(char *)"LOG_PATH",g_dns_service.log_path,MAX_LOG_FILE_PATH_LENGTH,NULL);
+	g_dns_service.log_handle = MESA_create_runtime_log_handle(g_dns_service.log_path,g_dns_service.log_level);
+	if(NULL == g_dns_service.log_handle)
+		
+	{
+		DBG(0, "dj_dns_service_init---MESA_create_runtime_log_handle failed.\n");
+	}
+	
+	if((register_table()) == -1)
+		return -1;
+	dns_project_req_id = project_producer_register(IP_REQ_NAME,PROJECT_VAL_TYPE_STRUCT,free_project_req);
+
+	if(g_dns_service.debug_info == DJ_DEBUG_ON)
+	{
+		DBG(0, "Hello! This is dj_dns_service.so\n");
+	}
+
+	return 0;
+}
+
+void  dj_dns_service_destory()
+{
+	if(g_dns_service.debug_info == DJ_DEBUG_ON)
+	{
+	   DBG(0, "Hello! This is dj_dns_service.so service_destory, but i am not complete!!!\n");
+	}
+	MESA_destroy_runtime_log_handle(g_dns_service.log_handle);
+}