Network Events: Implement EBPF_EVENT_NETWORK_IPV4_CONNECTION_ATTEMPTED - Githubissues

elastic / ebpf

Elastic's eBPF

Other

67 stars 11 forks source link

Network Events: Implement EBPF_EVENT_NETWORK_IPV4_CONNECTION_ATTEMPTED #61

Closed fntlnz closed 2 years ago

fntlnz commented 2 years ago

Stories

As a user of the EventsTrace program I want to be able to see printed on screen when an IPv4 Connection attempt happens
As a user of the libebpf library I want to be able to receive ipv4 connection attempt events when calling ebpf_event_ctx__next

Data needed

Field	Type	Description
Destination port	uint32_t	Destination port of the attempted connection
Destination Address	char[16]	String representation of the IPv4 of the destination
Socket pointer (sk)	uint64_t	The kernel socket pointer

Probe

Some possible approaches could be:

fexit on int inet_stream_connect(struct socket *sock, struct sockaddr *uaddr, int addr_len, int flags)

Action items

[ ] Write one or more probes that can catch when an IPv4 connection is attempted
[ ] Write BPF_PROG_TEST_RUN tests for the probes (if supported)
[ ] Write integration tests for the probes
[ ] Hook the event to be printed by the EventsTrace program