
Fix network iface data type handling #23209

Open
wants to merge 4 commits into
base: master

MiguelazoDS
Member

@MiguelazoDS MiguelazoDS commented May 1, 2024

Related issue
#21296

Description (WIP)

This PR adds the changes to solve the following issues:

  • Avoid casting uint to int when storing values in syscollector local database.
  • Avoid uint overflow when storing values in syscollector local database.
  • Avoid casting uint to int during syscollector delta event (manager side).
  • Avoid casting uint to int during syscollector sync event (manager side).

The findings are mentioned here #21296 (comment)

Logs/Alerts example

Fix syscollector local database binding

The field affected for being greater than the UINT_MAX limit is fixed now.

UINT values are now cast to int64_t

Note

#21340


Fix data type handling for delta events

Correctly stored in database


Delta messages

2024/05/02 10:18:54 wazuh-modulesd:syscollector[3770] logging_helper.c:40 at taggedLogFunction(): DEBUG: Delta sent: {"data":{"adapter":null,"checksum":"805a5d2ea89c38cc35d38c66738c4620a143a589","item_id":"7a60750dd3c25c53f21ff7f44b4743664ddbb66a","mac":"02:d0:f1:1a:d8:67","mtu":1500,"name":"enp0s3","rx_bytes":3341848418,"rx_dropped":0,"rx_errors":0,"rx_packets":2382203,"scan_time":"2024/05/02 13:18:53","state":"up","tx_bytes":40075805,"tx_dropped":0,"tx_errors":0,"tx_packets":506967,"type":"ethernet"},"operation":"MODIFIED","type":"dbsync_network_iface"}
2024/05/02 10:18:54 wazuh-modulesd:syscollector[3770] logging_helper.c:40 at taggedLogFunction(): DEBUG: Delta sent: {"data":{"adapter":null,"checksum":"75278474a82e63c3b80905b2dd08ec606149b004","item_id":"989b6a387c8b314c67793584881c06393b32923e","mac":"08:00:27:af:c0:42","mtu":1500,"name":"enp0s8","rx_bytes":79699938,"rx_dropped":0,"rx_errors":0,"rx_packets":510663,"scan_time":"2024/05/02 13:18:53","state":"up","tx_bytes":8627671553,"tx_dropped":0,"tx_errors":0,"tx_packets":5968446,"type":"ethernet"},"operation":"MODIFIED","type":"dbsync_network_iface"}

Fix data type handling for sync events

WDB query after sync message from agent 2. mtu value is correct.

2024/05/02 11:52:12 wazuh-db[23284] wdb_parser.c:261 at wdb_parse(): DEBUG: Agent 002 query: syscollector_network_iface save2 {"attributes":{"adapter":"Software Loopback Interface 1","checksum":"e4a92faeea2613dab29a772ec7f3540be951b478","item_id":"56e07d1bb3aeca5febd3a26616defa115f6a881b","mac":"00:00:00:00:00:00","mtu":4294967295,"name":"Loopback Pseudo-Interface 1","rx_bytes":0,"rx_dropped":0,"rx_errors":0,"rx_packets":0,"scan_time":"2024/05/02 14:52:12","state":"up","tx_bytes":0,"tx_dropped":0,"tx_errors":0,"tx_packets":0,"type":" "},"index":"56e07d1bb3aeca5febd3a26616defa115f6a881b","timestamp":""}

WDB query after sync messages from agent 1. rx_bytes and tx_bytes are correct.

2024/05/02 11:52:23 wazuh-db[23284] wdb_parser.c:261 at wdb_parse(): DEBUG: Agent 001 query: syscollector_network_iface save2 {"attributes":{"adapter":null,"checksum":"805a5d2ea89c38cc35d38c66738c4620a143a589","item_id":"7a60750dd3c25c53f21ff7f44b4743664ddbb66a","mac":"02:d0:f1:1a:d8:67","mtu":1500,"name":"enp0s3","rx_bytes":3341848418,"rx_dropped":0,"rx_errors":0,"rx_packets":2382203,"scan_time":"2024/05/02 14:52:23","state":"up","tx_bytes":40075805,"tx_dropped":0,"tx_errors":0,"tx_packets":506967,"type":"ethernet"},"index":"7a60750dd3c25c53f21ff7f44b4743664ddbb66a","timestamp":""}
2024/05/02 11:52:23 wazuh-db[23284] wdb_parser.c:261 at wdb_parse(): DEBUG: Agent 001 query: syscollector_network_iface save2 {"attributes":{"adapter":null,"checksum":"75278474a82e63c3b80905b2dd08ec606149b004","item_id":"989b6a387c8b314c67793584881c06393b32923e","mac":"08:00:27:af:c0:42","mtu":1500,"name":"enp0s8","rx_bytes":79699938,"rx_dropped":0,"rx_errors":0,"rx_packets":510663,"scan_time":"2024/05/02 14:52:23","state":"up","tx_bytes":8627671553,"tx_dropped":0,"tx_errors":0,"tx_packets":5968446,"type":"ethernet"},"index":"989b6a387c8b314c67793584881c06393b32923e","timestamp":""}

Values properly stored in agent database

Tests

  • Cmocka server
10:14:56  c++: fatal error: Killed signal terminated program cc1plus
10:14:56  compilation terminated.
10:14:56  make[4]: *** [wazuh_modules/vulnerability_scanner/tests/unit/CMakeFiles/vulnerability_scanner_unit_tests.dir/build.make:160: wazuh_modules/vulnerability_scanner/tests/unit/CMakeFiles/vulnerability_scanner_unit_tests.dir/databaseFeedManager_test.cpp.o] Error 1
10:14:56  make[4]: *** Waiting for unfinished jobs....
10:14:56  make[4]: Leaving directory '/tmp/build/wazuh/src/build'
10:14:56  make[3]: Leaving directory '/tmp/build/wazuh/src/build'
10:14:56  make[3]: *** [CMakeFiles/Makefile2:1485: wazuh_modules/vulnerability_scanner/tests/unit/CMakeFiles/vulnerability_scanner_unit_tests.dir/all] Error 2
10:14:56  make[2]: *** [Makefile:101: all] Error 2
10:14:56  make[2]: Leaving directory '/tmp/build/wazuh/src/build'
10:14:56  make[1]: *** [Makefile:1800: build_wazuh_cmake] Error 2
10:14:56  make[1]: Leaving directory '/tmp/build/wazuh/src'
10:14:56  make: *** [Makefile:813: server] Error 2

std::string getCnaNameByPrefix(std::string_view vendor, std::string_view platform) const
{
    if (const auto& vendorMap = GlobalData::instance().vendorMaps(); vendorMap.contains("prefix"))
    {
        for (const auto& item : vendorMap.at("prefix"))
        {
            if (const auto& platforms = item.begin().value().at("platforms");
                Utils::startsWith(vendor.data(), item.begin().key()) &&
                std::find(platforms.begin(), platforms.end(), platform) != platforms.end())
            {
                return item.begin().value().at("cna");
            }
        }
    }

  • Compilation without warnings in every supported platform
    • Linux
    • Windows
  • Source installation
  • Review logs syntax and correct language

@MiguelazoDS MiguelazoDS self-assigned this May 1, 2024
@MiguelazoDS MiguelazoDS linked an issue May 1, 2024 that may be closed by this pull request
3 tasks
@MiguelazoDS MiguelazoDS changed the title Fix network iface data type handling agent side Fix network iface data type handling May 1, 2024
@MiguelazoDS MiguelazoDS changed the base branch from 4.9.0 to master May 2, 2024 15:05
@MiguelazoDS MiguelazoDS force-pushed the enhancement/21296-network-iface-wrong-datatypes branch from 6d9a7bd to f2f6c54 Compare May 2, 2024 15:06
@MiguelazoDS MiguelazoDS marked this pull request as ready for review May 2, 2024 15:07
@MiguelazoDS MiguelazoDS force-pushed the enhancement/21296-network-iface-wrong-datatypes branch from 7d14dee to 106876f Compare May 3, 2024 12:53
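
The data type problem this pull request describes, shown as an added example that is not code from the Wazuh repository: it runs the mtu, rx_bytes and tx_bytes values from the logs above through a 32-bit signed store and through a checked widening to int64_t. The function names are hypothetical, and the 32-bit signed column is an assumption used to model the pre-fix behaviour.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Models the pre-fix path: the counter is squeezed into a 32-bit signed int. */
static int32_t narrow_to_int32(uint64_t v)
{
    uint32_t low = (uint32_t)v;      /* keeps only the low 32 bits */
    int32_t out;
    memcpy(&out, &low, sizeof out);  /* reinterpret; int32_t is two's complement */
    return out;
}

/* Returns 1 when a store/load round trip through int32_t preserves the value. */
static int survives_int32(uint64_t v)
{
    int32_t s = narrow_to_int32(v);
    return s >= 0 && (uint64_t)s == v;
}

/* Checked widening: 0 on success, -1 when v does not fit in int64_t. */
static int widen_to_int64(uint64_t v, int64_t *out)
{
    if (v > (uint64_t)INT64_MAX)
        return -1;
    *out = (int64_t)v;
    return 0;
}

int main(void)
{
    /* Values copied from the mtu, rx_bytes and tx_bytes fields in the logs above. */
    const uint64_t samples[] = {1500, 4294967295ULL, 3341848418ULL, 8627671553ULL};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t wide = 0;
        int rc = widen_to_int64(samples[i], &wide);
        printf("%" PRIu64 ": int32=%" PRId32 " (%s), int64=%" PRId64 " (%s)\n",
               samples[i], narrow_to_int32(samples[i]),
               survives_int32(samples[i]) ? "ok" : "corrupted",
               wide, rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

The tx_bytes case is the one to watch for in stored inventory data: it narrows to a plausible positive number, so a sign check alone does not reveal the corruption.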
Development

Successfully merging this pull request may close these issues.

Bad syscollector network iface values handling
1 participant