v1.0.0!

kung-foo · Jan 18, 2017 · b28db56 · b28db56
1 parent 601514b
commit b28db56
Show file tree

Hide file tree

Showing 1,220 changed files with 256,174 additions and 6,322 deletions.
diff --git a/Makefile b/Makefile
@@ -1,9 +1,19 @@
+VERSION := 1.0.0
+BUILDSTRING := $(shell git log --pretty=format:'%h' -n 1)
+VERSIONSTRING := freki version $(VERSION)+$(BUILDSTRING)
 
 default: build
 
-build:
+OUTPUT = bin/freki
+
+$(OUTPUT): glide.lock app/main.go *.go netfilter/*
 	@mkdir -p bin/
-	go build -o bin/freki app/main.go
+	go build -o $(OUTPUT) -ldflags "-X \"main.VERSION=$(VERSIONSTRING)\"" app/main.go
+
+build: $(OUTPUT)
+
+upx: build
+	upx -1 bin/freki
 
 clean:
 	rm -rf bin/
diff --git a/app/main.go b/app/main.go
@@ -5,9 +5,9 @@ import (
 	"os/signal"
 	"sync"
 
+	log "github.com/Sirupsen/logrus"
 	docopt "github.com/docopt/docopt-go"
 	"github.com/kung-foo/freki"
-	log "github.com/sirupsen/logrus"
 )
 
 // VERSION is set by the makefile

diff --git a/app/rules.yaml b/app/rules.yaml
@@ -1,26 +1,22 @@
-# drop -- drops everything
-# logging_tcp -- establishes a connection (3 way handshake), attempts to read X bytes, then closes the connnection. log everything
-# ignore -- simply mark the packets as accepted
-# spoof-- pretend to be something else. could come in multiple flavors like http or telnet
-# rewrite -- rewrite the destination port to target a 3rd party honeypot. we would need to expose the original source port via an api such that the external process could log it.
-# proxy -- this is slightly different from rewrite in that we could proxy the connection to an off-box addr (i.e. google.com)
 rules:
-    - match: tcp dst port 10022
-      type: rewrite
-      target: 22
-    - match: tcp dst port 9200
-      type: proxy
-      target: docker://elasticsearch:9200
-    - match: tcp dst port 666
-      type: proxy
-      target: tcp://portquiz.net:666
-    - match: tcp port 80 or tcp port 8080
-      type: log_http
-    - match: tcp portrange 5000-5010
-      type: drop
-    - match: tcp port 8888
-      type: drop
-    - match: tcp
-      type: log_tcp
-    - match:
-      type: passthrough
+  - match: tcp dst port 22 and src host 1.2.3.4
+    type: passthrough
+  - match: tcp dst port 10022
+    type: rewrite
+    target: 22
+  - match: tcp dst port 6379
+    type: proxy
+    target: docker://redis:6379
+  - match: tcp dst port 666
+    type: proxy
+    target: tcp://portquiz.net:666
+  - match: tcp port 80 or tcp port 8080
+    type: log_http
+  - match: tcp portrange 5000-5010
+    type: drop
+  - match: tcp port 8888
+    type: drop
+  - match: tcp
+    type: log_tcp
+  - match:
+    type: passthrough
diff --git a/freki.go b/freki.go
@@ -1,6 +1,7 @@
 package freki
 
 import (
+	"context"
 	"fmt"
 	"net"
 	"strings"
@@ -10,6 +11,9 @@ import (
 
 	"golang.org/x/net/bpf"
 
+	"github.com/docker/engine-api/client"
+	"github.com/docker/engine-api/types"
+
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
@@ -131,6 +135,41 @@ func (p *Processor) resetIPTables() (err error) {
 }
 
 func (p *Processor) Init() (err error) {
+	for _, rule := range p.rules {
+		if rule.ruleType == ProxyTCP {
+			if rule.targetURL.Scheme == "docker" {
+				p.log.Debugf("[freki   ] Creating Docker client with version: %v", client.DefaultVersion)
+				var cli *client.Client
+				cli, err = client.NewEnvClient()
+				if err != nil {
+					return err
+				}
+
+				var containers []types.Container
+				containers, err = cli.ContainerList(context.Background(), types.ContainerListOptions{})
+				if err != nil {
+					return err
+				}
+
+				found := false
+				for _, container := range containers {
+					name := container.Names[0][1:]
+					if name == rule.host {
+						addr := container.NetworkSettings.Networks["bridge"].IPAddress
+						p.log.Debugf("[freki   ] mapping docker://%s:%d to tcp://%s:%d", rule.host, rule.port, addr, rule.port)
+						rule.targetURL.Host = fmt.Sprintf("%s:%s", addr, rule.targetURL.Port())
+						rule.host = addr
+						found = true
+					}
+				}
+
+				if !found {
+					return fmt.Errorf("unabled to find a container named: %s", rule.host)
+				}
+			}
+		}
+	}
+
 	p.ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	if err != nil {
 		return
@@ -143,7 +182,6 @@ func (p *Processor) Init() (err error) {
 	}
 
 	// TODO: check for conflicting rules
-
 	err = p.initIPTables()
 	if err != nil {
 		return

diff --git a/glide.lock b/glide.lock
diff --git a/glide.yaml b/glide.yaml
@@ -6,20 +6,23 @@ owners:
 ignore:
 - golang.org/x/sys
 - golang.org/x/net
+- github.com/Microsoft/go-winio
+- github.com/opencontainers/go-digest
 import:
 - package: github.com/google/gopacket
   version: ^1.1.12
   subpackages:
   - layers
-- package: github.com/sirupsen/logrus
+- package: github.com/Sirupsen/logrus
   version: ^0.11.0
 - package: github.com/coreos/go-iptables
-- package: github.com/davecgh/go-spew
-  version: ^1.1.0
-  subpackages:
-  - spew
+  version: 5463fbac3bcc6b990663941c2e12660d19f6b36d
 - package: gopkg.in/yaml.v2
 - package: github.com/pkg/errors
   version: ^0.8.0
 - package: github.com/docopt/docopt-go
   version: ^0.6.2
+- package: github.com/docker/go-connections
+- package: github.com/docker/engine-api
+  subpackages:
+  - client
diff --git a/proxy_tcp.go b/proxy_tcp.go
@@ -65,7 +65,7 @@ func (p *TCPProxy) handleConnection(conn net.Conn) {
 
 	target := md.Rule.targetURL
 
-	if target.Scheme != "tcp" {
+	if target.Scheme != "tcp" && target.Scheme != "docker" {
 		p.log.Error(fmt.Errorf("unsuppported scheme: %s", target.Scheme))
 		return
 	}

diff --git a/vendor/github.com/sirupsen/logrus/.gitignore → vendor/github.com/Sirupsen/logrus/.gitignore b/vendor/github.com/sirupsen/logrus/.gitignore → vendor/github.com/Sirupsen/logrus/.gitignore
diff --git a/...or/github.com/sirupsen/logrus/.travis.yml → ...or/github.com/Sirupsen/logrus/.travis.yml b/...or/github.com/sirupsen/logrus/.travis.yml → ...or/github.com/Sirupsen/logrus/.travis.yml
diff --git a/...r/github.com/sirupsen/logrus/CHANGELOG.md → ...r/github.com/Sirupsen/logrus/CHANGELOG.md b/...r/github.com/sirupsen/logrus/CHANGELOG.md → ...r/github.com/Sirupsen/logrus/CHANGELOG.md
diff --git a/vendor/github.com/sirupsen/logrus/LICENSE → vendor/github.com/Sirupsen/logrus/LICENSE b/vendor/github.com/sirupsen/logrus/LICENSE → vendor/github.com/Sirupsen/logrus/LICENSE
diff --git a/vendor/github.com/sirupsen/logrus/README.md → vendor/github.com/Sirupsen/logrus/README.md b/vendor/github.com/sirupsen/logrus/README.md → vendor/github.com/Sirupsen/logrus/README.md
diff --git a/...or/github.com/sirupsen/logrus/alt_exit.go → ...or/github.com/Sirupsen/logrus/alt_exit.go b/...or/github.com/sirupsen/logrus/alt_exit.go → ...or/github.com/Sirupsen/logrus/alt_exit.go
diff --git a/...thub.com/sirupsen/logrus/alt_exit_test.go → ...thub.com/Sirupsen/logrus/alt_exit_test.go b/...thub.com/sirupsen/logrus/alt_exit_test.go → ...thub.com/Sirupsen/logrus/alt_exit_test.go
diff --git a/vendor/github.com/sirupsen/logrus/doc.go → vendor/github.com/Sirupsen/logrus/doc.go b/vendor/github.com/sirupsen/logrus/doc.go → vendor/github.com/Sirupsen/logrus/doc.go
diff --git a/vendor/github.com/sirupsen/logrus/entry.go → vendor/github.com/Sirupsen/logrus/entry.go b/vendor/github.com/sirupsen/logrus/entry.go → vendor/github.com/Sirupsen/logrus/entry.go
diff --git a/.../github.com/sirupsen/logrus/entry_test.go → .../github.com/Sirupsen/logrus/entry_test.go b/.../github.com/sirupsen/logrus/entry_test.go → .../github.com/Sirupsen/logrus/entry_test.go
diff --git a/...m/sirupsen/logrus/examples/basic/basic.go → ...m/Sirupsen/logrus/examples/basic/basic.go b/...m/sirupsen/logrus/examples/basic/basic.go → ...m/Sirupsen/logrus/examples/basic/basic.go
diff --git a/...com/sirupsen/logrus/examples/hook/hook.go → ...com/Sirupsen/logrus/examples/hook/hook.go b/...com/sirupsen/logrus/examples/hook/hook.go → ...com/Sirupsen/logrus/examples/hook/hook.go
diff --git a/...or/github.com/sirupsen/logrus/exported.go → ...or/github.com/Sirupsen/logrus/exported.go b/...or/github.com/sirupsen/logrus/exported.go → ...or/github.com/Sirupsen/logrus/exported.go
diff --git a/...r/github.com/sirupsen/logrus/formatter.go → ...r/github.com/Sirupsen/logrus/formatter.go b/...r/github.com/sirupsen/logrus/formatter.go → ...r/github.com/Sirupsen/logrus/formatter.go
diff --git a/...m/sirupsen/logrus/formatter_bench_test.go → ...m/Sirupsen/logrus/formatter_bench_test.go b/...m/sirupsen/logrus/formatter_bench_test.go → ...m/Sirupsen/logrus/formatter_bench_test.go
diff --git a/...r/github.com/sirupsen/logrus/hook_test.go → ...r/github.com/Sirupsen/logrus/hook_test.go b/...r/github.com/sirupsen/logrus/hook_test.go → ...r/github.com/Sirupsen/logrus/hook_test.go
diff --git a/vendor/github.com/sirupsen/logrus/hooks.go → vendor/github.com/Sirupsen/logrus/hooks.go b/vendor/github.com/sirupsen/logrus/hooks.go → vendor/github.com/Sirupsen/logrus/hooks.go
diff --git a/...om/sirupsen/logrus/hooks/syslog/README.md → ...om/Sirupsen/logrus/hooks/syslog/README.md b/...om/sirupsen/logrus/hooks/syslog/README.md → ...om/Sirupsen/logrus/hooks/syslog/README.md
diff --git a/...om/sirupsen/logrus/hooks/syslog/syslog.go → ...om/Sirupsen/logrus/hooks/syslog/syslog.go b/...om/sirupsen/logrus/hooks/syslog/syslog.go → ...om/Sirupsen/logrus/hooks/syslog/syslog.go
diff --git a/...rupsen/logrus/hooks/syslog/syslog_test.go → ...rupsen/logrus/hooks/syslog/syslog_test.go b/...rupsen/logrus/hooks/syslog/syslog_test.go → ...rupsen/logrus/hooks/syslog/syslog_test.go
diff --git a/...ub.com/sirupsen/logrus/hooks/test/test.go → ...ub.com/Sirupsen/logrus/hooks/test/test.go b/...ub.com/sirupsen/logrus/hooks/test/test.go → ...ub.com/Sirupsen/logrus/hooks/test/test.go
diff --git a/...m/sirupsen/logrus/hooks/test/test_test.go → ...m/Sirupsen/logrus/hooks/test/test_test.go b/...m/sirupsen/logrus/hooks/test/test_test.go → ...m/Sirupsen/logrus/hooks/test/test_test.go
diff --git a/...hub.com/sirupsen/logrus/json_formatter.go → ...hub.com/Sirupsen/logrus/json_formatter.go b/...hub.com/sirupsen/logrus/json_formatter.go → ...hub.com/Sirupsen/logrus/json_formatter.go
diff --git a/...om/sirupsen/logrus/json_formatter_test.go → ...om/Sirupsen/logrus/json_formatter_test.go b/...om/sirupsen/logrus/json_formatter_test.go → ...om/Sirupsen/logrus/json_formatter_test.go
diff --git a/vendor/github.com/sirupsen/logrus/logger.go → vendor/github.com/Sirupsen/logrus/logger.go b/vendor/github.com/sirupsen/logrus/logger.go → vendor/github.com/Sirupsen/logrus/logger.go
diff --git a/....com/sirupsen/logrus/logger_bench_test.go → ....com/Sirupsen/logrus/logger_bench_test.go b/....com/sirupsen/logrus/logger_bench_test.go → ....com/Sirupsen/logrus/logger_bench_test.go
diff --git a/vendor/github.com/sirupsen/logrus/logrus.go → vendor/github.com/Sirupsen/logrus/logrus.go b/vendor/github.com/sirupsen/logrus/logrus.go → vendor/github.com/Sirupsen/logrus/logrus.go
diff --git a/...github.com/sirupsen/logrus/logrus_test.go → ...github.com/Sirupsen/logrus/logrus_test.go b/...github.com/sirupsen/logrus/logrus_test.go → ...github.com/Sirupsen/logrus/logrus_test.go
diff --git a/...com/sirupsen/logrus/terminal_appengine.go → ...com/Sirupsen/logrus/terminal_appengine.go b/...com/sirupsen/logrus/terminal_appengine.go → ...com/Sirupsen/logrus/terminal_appengine.go
diff --git a/...ithub.com/sirupsen/logrus/terminal_bsd.go → ...ithub.com/Sirupsen/logrus/terminal_bsd.go b/...ithub.com/sirupsen/logrus/terminal_bsd.go → ...ithub.com/Sirupsen/logrus/terminal_bsd.go
diff --git a/...hub.com/sirupsen/logrus/terminal_linux.go → ...hub.com/Sirupsen/logrus/terminal_linux.go b/...hub.com/sirupsen/logrus/terminal_linux.go → ...hub.com/Sirupsen/logrus/terminal_linux.go
diff --git a/...om/sirupsen/logrus/terminal_notwindows.go → ...om/Sirupsen/logrus/terminal_notwindows.go b/...om/sirupsen/logrus/terminal_notwindows.go → ...om/Sirupsen/logrus/terminal_notwindows.go
diff --git a/...b.com/sirupsen/logrus/terminal_solaris.go → ...b.com/Sirupsen/logrus/terminal_solaris.go b/...b.com/sirupsen/logrus/terminal_solaris.go → ...b.com/Sirupsen/logrus/terminal_solaris.go
diff --git a/...b.com/sirupsen/logrus/terminal_windows.go → ...b.com/Sirupsen/logrus/terminal_windows.go b/...b.com/sirupsen/logrus/terminal_windows.go → ...b.com/Sirupsen/logrus/terminal_windows.go
diff --git a/...hub.com/sirupsen/logrus/text_formatter.go → ...hub.com/Sirupsen/logrus/text_formatter.go b/...hub.com/sirupsen/logrus/text_formatter.go → ...hub.com/Sirupsen/logrus/text_formatter.go
diff --git a/...om/sirupsen/logrus/text_formatter_test.go → ...om/Sirupsen/logrus/text_formatter_test.go b/...om/sirupsen/logrus/text_formatter_test.go → ...om/Sirupsen/logrus/text_formatter_test.go
diff --git a/vendor/github.com/sirupsen/logrus/writer.go → vendor/github.com/Sirupsen/logrus/writer.go b/vendor/github.com/sirupsen/logrus/writer.go → vendor/github.com/Sirupsen/logrus/writer.go
diff --git a/vendor/github.com/davecgh/go-spew/.travis.yml b/vendor/github.com/davecgh/go-spew/.travis.yml
diff --git a/vendor/github.com/davecgh/go-spew/LICENSE b/vendor/github.com/davecgh/go-spew/LICENSE