feat: DNS and IP Database Processing #39

Merged
merged 16 commits into from
Dec 9, 2022

Conversation

jshlbrd (Collaborator) commented Dec 2, 2022

Description

  • Adds a Close method to the Applicator and BatchApplicator interfaces
  • Adds an internal package for supporting IP address enrichment from multiple enrichment database providers (internal/ip/database)
  • Adds an IP address database processor that applies enrichment to IP addresses from local databases
  • Adds a DNS processor

Motivation and Context

Currently the team at Brex runs DNS and IP address enrichment in a separate sub-system of our threat detection platform, but we identified an opportunity to migrate this into Substation. IP address enrichment is the most complex of these for two reasons:

  • it relies on having the ability to retrieve and load enrichment databases into the system at runtime
  • we don't know what enrichment database providers users may use

The project's use of lazy loading, configuration through environment variables, and the ability to contextually retrieve files from local disk, HTTP(S), and AWS S3 solve many of these issues. As a starting point, I've added support for the free MaxMind and IP2Location databases.

The handling of open files in the IPDatabase processor required the addition of a Close method to each applicator interface; this allows each processor to define its own teardown process (in the case of IPDatabase, it's closing the open database readers).

How Has This Been Tested?

The changes were integration tested using the two new example files. I can provide a link to a privately hosted MaxMind database so that the reviewer(s) can check that the code is working as expected.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
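
The lazy-open and Close-at-teardown pattern the description outlines, as an added example written for this page rather than taken from Substation's code base: a registry of OpenCloser database handles that opens each one on first use and, on Close, tears down only what it actually opened. OpenCloser is the interface name visible in the reviewed snippet; its method set, and the Registry, NewRegistry, Register, Get and fakeDB names, are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
)

// OpenCloser is the assumed shape of an enrichment database reader: it is
// opened lazily at runtime and must be closed at teardown. The name comes
// from the PR snippet; the method set is an assumption for this example.
type OpenCloser interface {
	Open() error
	Close() error
}

// Registry keeps the configured databases by name, opens each one on first
// use and remembers which ones it opened so a single Close tears them down.
type Registry struct {
	mu     sync.Mutex
	dbs    map[string]OpenCloser
	opened map[string]bool
}

func NewRegistry() *Registry {
	return &Registry{dbs: map[string]OpenCloser{}, opened: map[string]bool{}}
}

// Register adds a database under a name without opening it.
func (r *Registry) Register(name string, db OpenCloser) {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.dbs[name] = db
}

// Get returns the named database, opening it on first use (lazy loading).
func (r *Registry) Get(name string) (OpenCloser, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	db, ok := r.dbs[name]
	if !ok {
		return nil, fmt.Errorf("ip database %q is not configured", name)
	}
	if !r.opened[name] {
		if err := db.Open(); err != nil {
			return nil, fmt.Errorf("open %s: %w", name, err)
		}
		r.opened[name] = true
	}
	return db, nil
}

// Close closes every database that was actually opened. It keeps going
// after a failure so one bad reader cannot leak the others, and it is safe
// to call more than once: a second call finds nothing open and returns nil.
func (r *Registry) Close() error {
	r.mu.Lock()
	defer r.mu.Unlock()
	var failures []string
	for name := range r.opened {
		if err := r.dbs[name].Close(); err != nil {
			failures = append(failures, name+": "+err.Error())
		}
		delete(r.opened, name)
	}
	if len(failures) > 0 {
		return fmt.Errorf("close ip databases: %s", strings.Join(failures, "; "))
	}
	return nil
}

// fakeDB is a constructed stand-in for a MaxMind or IP2Location reader; it
// only records whether it was opened and closed.
type fakeDB struct {
	Opened, Closed bool
	closeErr       error
}

func (d *fakeDB) Open() error  { d.Opened = true; return nil }
func (d *fakeDB) Close() error { d.Closed = true; return d.closeErr }

func main() {
	reg := NewRegistry()
	city, asn := &fakeDB{}, &fakeDB{}
	reg.Register("city", city)
	reg.Register("asn", asn)
	if _, err := reg.Get("city"); err != nil {
		panic(err)
	}
	fmt.Println("city opened:", city.Opened, "asn opened:", asn.Opened)
	fmt.Println("close:", reg.Close(), "city closed:", city.Closed, "asn closed:", asn.Closed)
	fmt.Println("second close:", reg.Close())
}
```

The point of tracking `opened` separately from `dbs` is that a processor configured with several providers should not pay the cost of opening a reader it never consults, and teardown should not call Close on a handle that was never opened.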

@jshlbrd jshlbrd changed the title feat: IP Address Enrichment feat: DNS and IP Database Processing Dec 5, 2022
@jshlbrd jshlbrd marked this pull request as ready for review December 5, 2022 17:44
@jshlbrd jshlbrd requested a review from a team as a code owner December 5, 2022 17:44
Review threads were opened on:

  • internal/ip/database/example_test.go (2 threads)
  • internal/ip/database/database.go (outdated)
  • internal/ip/database/maxmind.go
  • process/dns.go (2 threads)
  • process/for_each.go (outdated)
Reviewed snippet:

```go
	ipdb "github.com/brexhq/substation/internal/ip/database"
)

var ipDatabasers = make(map[string]ipdb.OpenCloser)
```

Contributor (review comment on this line):

style: rename to ipDatabases after the interface change?

@shellcromancer (Contributor) left a review comment:

Looks great!

@jshlbrd jshlbrd merged commit 0e43886 into main Dec 9, 2022
@jshlbrd jshlbrd deleted the jshlbrd/ipinfo branch December 9, 2022 23:44