aquasecurity / tracee

Linux Runtime Security and Forensics using eBPF
https://aquasecurity.github.io/tracee/latest
Apache License 2.0

Add IP and Port to IO operations on sockets #2597

Closed AlonZivony closed 1 year ago

AlonZivony commented 1 year ago

When we use events like vfs_write to catch writing into a socket, the parsed path of the socket is only the protocol (for example, "TCP"). Here is a screenshot of such an event:

It would be much more valuable if we added information about the IP and port of the socket being written to or read from. For example, pathname: 8.8.8.8:tcp:8080 or some other format.
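As an added example (not tracee's own code), a parser for the proposed `ip:proto:port` pathname that a downstream consumer of tracee events could use; it assumes the format suggested above, still accepts today's bare protocol form ("TCP"), and splits from the right so that IPv6 addresses, which themselves contain colons, do not break the parse.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// SocketPath is the parsed form of the enriched pathname proposed in the issue,
// e.g. "8.8.8.8:tcp:8080". For an unenriched value such as "TCP", only Proto is set.
type SocketPath struct {
	IP    net.IP // nil when the event carried no address
	Proto string // lower-cased, e.g. "tcp"
	Port  int    // 0 when absent
}

// ParseSocketPath splits from the right: the last field is the port, the one
// before it the protocol, and everything left of that is the address. This keeps
// IPv6 addresses ("2001:db8::1:tcp:443") parseable despite their own colons.
func ParseSocketPath(s string) (SocketPath, error) {
	parts := strings.Split(s, ":")
	if len(parts) == 1 { // today's form: just the protocol family, e.g. "TCP"
		if parts[0] == "" {
			return SocketPath{}, errors.New("empty pathname")
		}
		return SocketPath{Proto: strings.ToLower(parts[0])}, nil
	}
	if len(parts) < 3 {
		return SocketPath{}, fmt.Errorf("malformed socket pathname %q", s)
	}
	port, err := strconv.Atoi(parts[len(parts)-1])
	if err != nil || port < 0 || port > 65535 {
		return SocketPath{}, fmt.Errorf("bad port in %q", s)
	}
	proto := strings.ToLower(parts[len(parts)-2])
	// Tolerate a bracketed IPv6 literal ("[::1]") as well as a bare one.
	addr := strings.Trim(strings.Join(parts[:len(parts)-2], ":"), "[]")
	ip := net.ParseIP(addr)
	if ip == nil {
		return SocketPath{}, fmt.Errorf("bad address in %q", s)
	}
	return SocketPath{IP: ip, Proto: proto, Port: port}, nil
}

func main() {
	// Constructed sample pathnames: current form, proposed IPv4 form, IPv6 form.
	for _, s := range []string{"TCP", "8.8.8.8:tcp:8080", "2001:db8::1:tcp:443"} {
		p, err := ParseSocketPath(s)
		fmt.Printf("%-22s -> %+v err=%v\n", s, p, err)
	}
}
```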

rafaeldtinoco commented 1 year ago

@geyslan this resembles the work you did for the FD filename enrichment when you first joined us. I remember we set a "TODO" for this feature, no?

geyslan commented 1 year ago

Yes, we have; it's been stalled for a long time.

rafaeldtinoco commented 1 year ago

@AlonZivony should we close this and consider that one (even update its description if needed, since it's older)?