From f9c107ff266d7153a6b1e573ed294dc69c9e63a2 Mon Sep 17 00:00:00 2001
From: Rohan Prabhu
Date: Thu, 20 Nov 2025 17:07:46 +0530
Subject: [PATCH 1/3] feat: enhance network monitoring for UDP packets
Added support for monitoring UDP packets in the NetworkMonitor by introducing handling for the sendto and sendmsg syscalls. Updated logging to reflect the addition of UDP monitoring alongside existing TCP functionality.
---
 netmon.go | 8 +++++++-
 procmon_linux.go | 26 +++++++++++++++++++++++++-
 2 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/netmon.go b/netmon.go
index 7f71a47..ce482fd 100644
--- a/netmon.go
+++ b/netmon.go
@@ -71,6 +71,7 @@ func (netMonitor *NetworkMonitor) handlePacket(attrs nflog.Attribute) {
 packet := gopacket.NewPacket(data, layers.LayerTypeIPv4, gopacket.Default)
 port := ""
 isSYN := false
+ isUDP := false
 // Get the TCP layer from this packet
 if tcpLayer := packet.Layer(layers.LayerTypeTCP); tcpLayer != nil {
 // Get actual TCP data from this layer
@@ -78,6 +79,11 @@ func (netMonitor *NetworkMonitor) handlePacket(attrs nflog.Attribute) {
 port = tcp.DstPort.String()
 isSYN = tcp.SYN
+ } else if udpLayer := packet.Layer(layers.LayerTypeUDP); udpLayer != nil {
+ // Get actual UDP data from this layer
+ udp, _ := udpLayer.(*layers.UDP)
+ port = udp.DstPort.String()
+ isUDP = true
 }
 // Get the IP layer from this packet
@@ -90,7 +96,7 @@ func (netMonitor *NetworkMonitor) handlePacket(attrs nflog.Attribute) {
 if !found {
 ipAddresses[ipv4Address] = 1
- if isSYN {
+ if isSYN || isUDP {
 if netMonitor.Status == "Dropped" {
 netMonitor.ApiClient.sendNetConnection(netMonitor.CorrelationId, netMonitor.Repo,
diff --git a/procmon_linux.go b/procmon_linux.go
index 297782b..b858cee 100644
--- a/procmon_linux.go
+++ b/procmon_linux.go
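Review bot: The UDP branch discards the type assertion's ok value (`udp, _ := udpLayer.(*layers.UDP)`) and then dereferences `udp` on the next line, so if the returned layer is ever not a `*layers.UDP` the monitor panics on a packet it received from the wire. gopacket's default decoder should hand back that type for LayerTypeUDP, and the TCP branch appears to follow the same pattern, but the new code can at least guard its own path at no cost: `if udp, ok := udpLayer.(*layers.UDP); ok { port = udp.DstPort.String(); isUDP = true }`. handlePacket starts and ends outside this hunk.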
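Review bot: `if isSYN || isUDP` sits inside `if !found`, and `ipAddresses[ipv4Address] = 1` is keyed on the address alone, so the first datagram or SYN seen for an IP decides what gets reported and every later packet to that IP — a TCP SYN to a different port after a UDP datagram, or UDP to a second port — is silent. Before this change the gap only affected TCP; now a UDP flow and a TCP flow to the same host compete for the single slot, and whichever arrives first fixes the reported `port`. If one report per destination host is the intent, say so above the map write: `// one report per destination IP; protocol and port of later flows to the same IP are not recorded`; otherwise the key should include protocol and port. The rest of the dedup logic and the map's declaration are outside this hunk.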
@@ -107,7 +107,31 @@ func (p *ProcessMonitor) MonitorProcesses(errc chan error) {
 errc <- errors.Wrap(err, "failed to add audit rule for syscall connect")
 }
- WriteLog("Net monitor added")
+ WriteLog("Net monitor added for TCP (connect)")
+
+ // syscall sendto (for UDP)
+ r, _ = flags.Parse(fmt.Sprintf("-a exit,always -S sendto -k %s", netMonitorTag))
+
+ actualBytes, _ = rule.Build(r)
+
+ if err = client.AddRule(actualBytes); err != nil {
+ WriteLog(fmt.Sprintf("failed to add audit rule for sendto %v", err))
+ errc <- errors.Wrap(err, "failed to add audit rule for syscall sendto")
+ }
+
+ WriteLog("Net monitor added for UDP (sendto)")
+
+ // syscall sendmsg (for UDP)
+ r, _ = flags.Parse(fmt.Sprintf("-a exit,always -S sendmsg -k %s", netMonitorTag))
+
+ actualBytes, _ = rule.Build(r)
+
+ if err = client.AddRule(actualBytes); err != nil {
+ WriteLog(fmt.Sprintf("failed to add audit rule for sendmsg %v", err))
+ errc <- errors.Wrap(err, "failed to add audit rule for syscall sendmsg")
+ }
+
+ WriteLog("Net monitor added for UDP (sendmsg)")
 // syscall process start
 r, _ = flags.Parse(fmt.Sprintf("-a exit,always -S execve -k %s", processMonitorTag))
From 82112355a02b7169846267b6ef56ffda0a3537bf Mon Sep 17 00:00:00 2001
From: Rohan Prabhu
Date: Thu, 20 Nov 2025 17:30:23 +0530
Subject: [PATCH 2/3] fix: consolidate UDP monitoring logging
Updated the UDP monitoring implementation to combine logging for the sendto and sendmsg syscalls into a single log entry, enhancing clarity in network monitoring outputs.
---
 procmon_linux.go | 16 ++--------------
 1 file changed, 2 insertions(+), 14 deletions(-)
diff --git a/procmon_linux.go b/procmon_linux.go
index b858cee..9f87550 100644
--- a/procmon_linux.go
+++ b/procmon_linux.go
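Review bot: The comments and log strings describe the sendto and sendmsg rules as `(for UDP)`, but `-a exit,always -S sendto -k …` carries no protocol or socket-family filter, so it records every sendto/sendmsg on the host — TCP sends that go through send()/sendmsg, unix-domain and netlink traffic included — which is orders of magnitude more events than connect and can push the kernel audit backlog past its limit and drop events, including the connect events that share this key. Whether that is acceptable depends on how the consumer filters by key, which is outside this hunk, but the comment should not claim UDP-only scope; I would write `// syscalls sendto/sendmsg: fire for every send on any socket family, not only UDP, so expect high event volume`. As with the connect rule above, a failed AddRule is logged and sent on errc but execution continues to the next rule, so the later "Net monitor added" lines are printed even when the rule was not installed. MonitorProcesses continues outside this hunk.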
@@ -110,7 +110,7 @@ func (p *ProcessMonitor) MonitorProcesses(errc chan error) {
 WriteLog("Net monitor added for TCP (connect)")
 // syscall sendto (for UDP)
- r, _ = flags.Parse(fmt.Sprintf("-a exit,always -S sendto -k %s", netMonitorTag))
+ r, _ = flags.Parse(fmt.Sprintf("-a exit,always -S sendto -S sendmsg -k %s", netMonitorTag))
 actualBytes, _ = rule.Build(r)
@@ -119,19 +119,7 @@ func (p *ProcessMonitor) MonitorProcesses(errc chan error) {
 errc <- errors.Wrap(err, "failed to add audit rule for syscall sendto")
 }
- WriteLog("Net monitor added for UDP (sendto)")
-
- // syscall sendmsg (for UDP)
- r, _ = flags.Parse(fmt.Sprintf("-a exit,always -S sendmsg -k %s", netMonitorTag))
-
- actualBytes, _ = rule.Build(r)
-
- if err = client.AddRule(actualBytes); err != nil {
- WriteLog(fmt.Sprintf("failed to add audit rule for sendmsg %v", err))
- errc <- errors.Wrap(err, "failed to add audit rule for syscall sendmsg")
- }
-
- WriteLog("Net monitor added for UDP (sendmsg)")
+ WriteLog("Net monitor added for UDP (sendto & sendmsg)")
 // syscall process start
 r, _ = flags.Parse(fmt.Sprintf("-a exit,always -S execve -k %s", processMonitorTag))
From f9bac987833f41b605854b293b1f65c8961b892f Mon Sep 17 00:00:00 2001
From: Rohan Prabhu
Date: Fri, 9 Jan 2026 14:43:16 +0530
Subject: [PATCH 3/3] feat: add UDP NFLOG rule for blocked traffic logging
---
 firewall.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/firewall.go b/firewall.go
index f3d0ced..e6e6bbf 100644
--- a/firewall.go
+++ b/firewall.go
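Review bot: The combined `-S sendto -S sendmsg` rule is still introduced by the context comment `// syscall sendto (for UDP)` in the first hunk and, in the second, still reports failure as `"failed to add audit rule for syscall sendto"`, so an operator reading the error would not know the sendmsg rule was lost as well. I would change those two lines to `// syscalls sendto and sendmsg (for UDP)` and `"failed to add audit rule for syscalls sendto/sendmsg"`; the WriteLog in the same failure branch sits between the two hunks and presumably needs the same rename. MonitorProcesses continues outside both hunks.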
@@ -152,6 +152,13 @@ func addBlockRules(firewall *Firewall, endpoints []ipAddressEndpoint, chain, net
 return errors.Wrap(err, "failed to add rule")
 }
+ // Log blocked traffic - UDP packets
+ err = ipt.Append(filterTable, chain, direction, netInterface, protocol, "udp", "-j", "NFLOG", "--nflog-group", "100")
+
+ if err != nil {
+ return errors.Wrap(err, "failed to add UDP NFLOG rule")
+ }
+
 // Block all other traffic
 err = ipt.Append(filterTable, chain, direction, netInterface, protocol, allProtocols, target, reject)
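Review bot: The new NFLOG rule matches every UDP packet reaching this point of the chain with no rate limit, and the group `"100"` is a bare literal; unlike TCP, where the stack paces SYN retransmits, a process sending blocked UDP at line rate delivers one nflog message per datagram to the monitor, so drops on the nflog socket under load are plausible, and the reported `port` is then whichever datagram happened to get through first. The group number must agree with whatever the NetworkMonitor subscribes to (the preceding TCP rule is outside the hunk, so I am inferring it uses the same value), so it belongs in a named constant shared by both rules, with a comment such as `// NFLOG group must match the group NetworkMonitor reads from`. If volume matters, iptables' limit match or `--nflog-threshold` batching on this rule would bound it. Style: `err = ipt.Append(...)` followed by a blank line and `if err != nil` could be `if err := ipt.Append(...); err != nil {`, unless the file deliberately reuses `err` this way. addBlockRules starts and ends outside this hunk.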