[WIP] Add packet attribute triage function

[kimhanbeom]

@sehkone
Regarding the addition of packet attribute functionality, I have added this functionality to DnsCovertChannel as follows. I would appreciate any feedback on this modification.

closes #354

Summary by CodeRabbit

• New Features

  • Introduced functions for enhanced attribute comparison, supporting various data types and comparison scenarios.
  • Added dynamic scoring for DNS attributes, improving the accuracy of attribute evaluations.

• Bug Fixes

  • Updated method to log warnings for invalid DNS attribute fields, enhancing error handling.

• Documentation

  • Clarified method signatures for improved usability and understanding of the API.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

The changes introduce new functions and modify existing logic in the src/event.rs and src/event/dns.rs files. A deserialize function is added for handling byte array deserialization, alongside several functions for attribute comparison based on the AttrCmpKind enum. Additionally, the score_by_packet_attr method in the DnsCovertChannel struct is updated to dynamically calculate scores based on DNS attributes, enhancing its functionality.

Changes

Files	Change Summary
src/event.rs	Added functions for deserialization and attribute comparison, including deserialize, check_second_value, compare_all_attr_cmp_kind, and specific processing functions.
src/event/dns.rs	Updated score_by_packet_attr method to compute scores dynamically based on DNS attributes, with constant definitions added for DNS attributes.

Poem

In the meadow where bytes hop,
Functions dance and comparisons swap.
With scores that now dynamically flow,
Our code's a garden, watch it grow!
Hooray for changes, bright and new,
A rabbit's cheer, just for you! 🐇✨

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 4

🧹 Outside diff range and nitpick comments (2)

src/event/dns.rs (2)

245-246: Enhance warning message for invalid DNS attribute fields

The current warning message does not specify which attribute is invalid, which may make debugging difficult. Including the invalid attribute's name in the log will provide more context.

Propose the following change:

     _ => {
-        warn!("invalid dns's attribute field");
+        warn!("Invalid DNS attribute field: {}", attr.attr_name);
         false
     }

---

250-250: Typographical Error in Comment

There's a grammatical error in the comment. It should read "weight always exists."

Propose the following change:

         if result {
-            score = attr.weight.unwrap(); //weight always exist.
+            score = attr.weight.unwrap(); // weight always exists.
         }

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 6209a19 and d708f78.

📒 Files selected for processing (2)

• src/event.rs (3 hunks)
• src/event/dns.rs (2 hunks)

🔇 Additional comments (1)

src/event/dns.rs (1)

221-248: Attribute Comparison Logic Verified

The match arms for attribute comparisons correctly handle each DNS attribute using the appropriate comparison functions. The logic for processing each attribute is sound and aligns with expected behavior.

[coderabbitai]

⚠️ Potential issue

Potential Logic Error: attr_total_score is overwritten instead of accumulated

In the score_by_packet_attr method, attr_total_score is being overwritten in each iteration of the loop. This means that only the score from the last attribute is considered. If the intention is to accumulate the scores from all matching attributes, you should sum the scores instead.

Apply the following diff to fix the accumulation:

     for attr in &triage.packet_attr {
         let mut score = 0.0;
         let result = match attr.attr_name.as_str() {
             // attribute comparisons
         };
         if result {
             score = attr.weight.unwrap(); // weight always exists.
         }
-        attr_total_score = score;
+        attr_total_score += score;
     }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	fn score_by_packet_attr(&self, triage: &TriagePolicy) -> f64 {
	let mut attr_total_score = 0.0;
	for attr in &triage.packet_attr {
	let mut score = 0.0;
	let result = match attr.attr_name.as_str() {
	DNS_S_IP => process_attr_compare_addr(self.src_addr, attr),
	DNS_S_PORT => process_attr_compare_number::<u16, i64>(self.src_port, attr),
	DNS_D_IP => process_attr_compare_addr(self.dst_addr, attr),
	DNS_D_PORT => process_attr_compare_number::<u16, i64>(self.dst_port, attr),
	DNS_PROTO => process_attr_compare_number::<u8, i64>(self.proto, attr),
	DNS_QUERY => process_attr_compare_string(&self.query, attr),
	DNS_ANSWER => self
	.answer
	.iter()
	.any(|answer| process_attr_compare_string(answer, attr)),
	DNS_TRANS_ID => process_attr_compare_number::<u16, i64>(self.trans_id, attr),
	DNS_RTT => process_attr_compare_number::<i64, i64>(self.rtt, attr),
	DNS_QCLASS => process_attr_compare_number::<u16, i64>(self.qclass, attr),
	DNS_QTYPE => process_attr_compare_number::<u16, i64>(self.qtype, attr),
	DNS_RCODE => process_attr_compare_number::<u16, i64>(self.rcode, attr),
	DNS_AA_FLAG => process_attr_compare_bool(self.aa_flag, attr),
	DNS_TC_FLAG => process_attr_compare_bool(self.tc_flag, attr),
	DNS_RD_FLAG => process_attr_compare_bool(self.rd_flag, attr),
	DNS_RA_FLAG => process_attr_compare_bool(self.ra_flag, attr),
	DNS_TTL => self
	.ttl
	.iter()
	.any(|ttl| process_attr_compare_number::<i32, i64>(*ttl, attr)),
	_ => {
	warn!("invalid dns's attribute field");
	false
	}
	};
	if result {
	score = attr.weight.unwrap(); //weight always exist.
	}
	attr_total_score = score;
	}
	attr_total_score
	fn score_by_packet_attr(&self, triage: &TriagePolicy) -> f64 {
	let mut attr_total_score = 0.0;
	for attr in &triage.packet_attr {
	let mut score = 0.0;
	let result = match attr.attr_name.as_str() {
	DNS_S_IP => process_attr_compare_addr(self.src_addr, attr),
	DNS_S_PORT => process_attr_compare_number::<u16, i64>(self.src_port, attr),
	DNS_D_IP => process_attr_compare_addr(self.dst_addr, attr),
	DNS_D_PORT => process_attr_compare_number::<u16, i64>(self.dst_port, attr),
	DNS_PROTO => process_attr_compare_number::<u8, i64>(self.proto, attr),
	DNS_QUERY => process_attr_compare_string(&self.query, attr),
	DNS_ANSWER => self
	.answer
	.iter()
	.any(|answer| process_attr_compare_string(answer, attr)),
	DNS_TRANS_ID => process_attr_compare_number::<u16, i64>(self.trans_id, attr),
	DNS_RTT => process_attr_compare_number::<i64, i64>(self.rtt, attr),
	DNS_QCLASS => process_attr_compare_number::<u16, i64>(self.qclass, attr),
	DNS_QTYPE => process_attr_compare_number::<u16, i64>(self.qtype, attr),
	DNS_RCODE => process_attr_compare_number::<u16, i64>(self.rcode, attr),
	DNS_AA_FLAG => process_attr_compare_bool(self.aa_flag, attr),
	DNS_TC_FLAG => process_attr_compare_bool(self.tc_flag, attr),
	DNS_RD_FLAG => process_attr_compare_bool(self.rd_flag, attr),
	DNS_RA_FLAG => process_attr_compare_bool(self.ra_flag, attr),
	DNS_TTL => self
	.ttl
	.iter()
	.any(|ttl| process_attr_compare_number::<i32, i64>(*ttl, attr)),
	_ => {
	warn!("invalid dns's attribute field");
	false
	}
	};
	if result {
	score = attr.weight.unwrap(); //weight always exist.
	}
	attr_total_score += score;
	}
	attr_total_score

[coderabbitai]

🛠️ Refactor suggestion

Simplify closures by removing unnecessary return statements

In the function process_attr_compare_string, the return statements within the closure are unnecessary. Since they are the last expressions in their match arms, they can be omitted to make the code cleaner.

Apply this diff to refine the function:

 fn process_attr_compare_string(attr_val: &str, packet_attr: &PacketAttr) -> bool {
     deserialize::<String>(&packet_attr.first_value).is_some_and(|compare_val| {
         let cmp_result = attr_val.contains(&compare_val);
         match packet_attr.cmp_kind {
-            AttrCmpKind::Contain => return cmp_result,
-            AttrCmpKind::NotContain => return !cmp_result,
+            AttrCmpKind::Contain => cmp_result,
+            AttrCmpKind::NotContain => !cmp_result,
             _ => false,
         }
     })
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	fn process_attr_compare_string(attr_val: &str, packet_attr: &PacketAttr) -> bool {
	deserialize::<String>(&packet_attr.first_value).is_some_and(|compare_val| {
	let cmp_result = attr_val.contains(&compare_val);
	match packet_attr.cmp_kind {
	AttrCmpKind::Contain => return cmp_result,
	AttrCmpKind::NotContain => return !cmp_result,
	_ => false,
	}
	})
	}
	fn process_attr_compare_string(attr_val: &str, packet_attr: &PacketAttr) -> bool {
	deserialize::<String>(&packet_attr.first_value).is_some_and(|compare_val| {
	let cmp_result = attr_val.contains(&compare_val);
	match packet_attr.cmp_kind {
	AttrCmpKind::Contain => cmp_result,
	AttrCmpKind::NotContain => !cmp_result,
	_ => false,
	}
	})
	}

[coderabbitai]

🛠️ Refactor suggestion

Remove unnecessary return statements inside closures

In the function process_attr_compare_bool, the return statements inside the closure are unnecessary because they are the last expressions in their respective match arms. Removing them improves code readability.

Apply this diff to simplify the code:

 fn process_attr_compare_bool(attr_val: bool, packet_attr: &PacketAttr) -> bool {
     deserialize::<bool>(&packet_attr.first_value).is_some_and(|compare_val| {
         match packet_attr.cmp_kind {
-            AttrCmpKind::Equal => return attr_val == compare_val,
-            AttrCmpKind::NotEqual => return attr_val != compare_val,
+            AttrCmpKind::Equal => attr_val == compare_val,
+            AttrCmpKind::NotEqual => attr_val != compare_val,
             _ => false,
         }
     })
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	fn process_attr_compare_bool(attr_val: bool, packet_attr: &PacketAttr) -> bool {
	deserialize::<bool>(&packet_attr.first_value).is_some_and(|compare_val| {
	match packet_attr.cmp_kind {
	AttrCmpKind::Equal => return attr_val == compare_val,
	AttrCmpKind::NotEqual => return attr_val != compare_val,
	_ => false,
	}
	})
	}
	fn process_attr_compare_bool(attr_val: bool, packet_attr: &PacketAttr) -> bool {
	deserialize::<bool>(&packet_attr.first_value).is_some_and(|compare_val| {
	match packet_attr.cmp_kind {
	AttrCmpKind::Equal => attr_val == compare_val,
	AttrCmpKind::NotEqual => attr_val != compare_val,
	_ => false,
	}
	})
	}

[coderabbitai]

🛠️ Refactor suggestion

Refactor check_second_value to use the ? operator

The function check_second_value can be simplified by using the ? operator for error handling. This refactoring enhances code clarity and removes the need for the #[allow(clippy::question_mark)] attribute.

Apply this diff to refactor the function:

-#[allow(clippy::question_mark)]
 fn check_second_value<'de, T, K>(kind: AttrCmpKind, value: &'de Option<Vec<u8>>) -> Option<T>
 where
     T: TryFrom<K> + std::cmp::PartialOrd,
     K: Deserialize<'de>,
 {
-    match kind {
-        AttrCmpKind::CloseRange
-        | AttrCmpKind::LeftOpenRange
-        | AttrCmpKind::RightOpenRange
-        | AttrCmpKind::NotOpenRange
-        | AttrCmpKind::NotCloseRange
-        | AttrCmpKind::NotLeftOpenRange
-        | AttrCmpKind::NotRightOpenRange => {
-            let Some(value_result) = value else {
-                return None;
-            };
-            let Some(de_second_value) = deserialize::<K>(value_result) else {
-                return None;
-            };
-            let Ok(convert_second_value) = T::try_from(de_second_value) else {
-                return None;
-            };
-            return Some(convert_second_value);
-        }
-        _ => {}
-    }
-    None
+    if matches!(
+        kind,
+        AttrCmpKind::CloseRange
+            | AttrCmpKind::LeftOpenRange
+            | AttrCmpKind::RightOpenRange
+            | AttrCmpKind::NotOpenRange
+            | AttrCmpKind::NotCloseRange
+            | AttrCmpKind::NotLeftOpenRange
+            | AttrCmpKind::NotRightOpenRange
+    ) {
+        let value_result = value.as_ref()?;
+        let de_second_value = deserialize::<K>(value_result)?;
+        let convert_second_value = T::try_from(de_second_value).ok()?;
+        Some(convert_second_value)
+    } else {
+        None
+    }
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	#[allow(clippy::question_mark)]
	fn check_second_value<'de, T, K>(kind: AttrCmpKind, value: &'de Option<Vec<u8>>) -> Option<T>
	where
	T: TryFrom<K> + std::cmp::PartialOrd,
	K: Deserialize<'de>,
	{
	match kind {
	AttrCmpKind::CloseRange
	| AttrCmpKind::LeftOpenRange
	| AttrCmpKind::RightOpenRange
	| AttrCmpKind::NotOpenRange
	| AttrCmpKind::NotCloseRange
	| AttrCmpKind::NotLeftOpenRange
	| AttrCmpKind::NotRightOpenRange => {
	let Some(value_result) = value else {
	return None;
	};
	let Some(de_second_value) = deserialize::<K>(value_result) else {
	return None;
	};
	let Ok(convert_second_value) = T::try_from(de_second_value) else {
	return None;
	};
	return Some(convert_second_value);
	}
	_ => {}
	}
	None
	}
	fn check_second_value<'de, T, K>(kind: AttrCmpKind, value: &'de Option<Vec<u8>>) -> Option<T>
	where
	T: TryFrom<K> + std::cmp::PartialOrd,
	K: Deserialize<'de>,
	{
	if matches!(
	kind,
	AttrCmpKind::CloseRange
	| AttrCmpKind::LeftOpenRange
	| AttrCmpKind::RightOpenRange
	| AttrCmpKind::NotOpenRange
	| AttrCmpKind::NotCloseRange
	| AttrCmpKind::NotLeftOpenRange
	| AttrCmpKind::NotRightOpenRange
	) {
	let value_result = value.as_ref()?;
	let de_second_value = deserialize::<K>(value_result)?;
	let convert_second_value = T::try_from(de_second_value).ok()?;
	Some(convert_second_value)
	} else {
	None
	}
	}

[codecov]

Codecov Report

Attention: Patch coverage is 74.66063% with 168 lines in your changes missing coverage. Please review.

Project coverage is 68.00%. Comparing base (61daf7b) to head (b8d9cc7).

Files with missing lines	Patch %	Lines
src/event/common.rs	90.83%	32 Missing ⚠️
src/event/conn.rs	0.00%	30 Missing ⚠️
src/event/http.rs	84.18%	28 Missing ⚠️
src/event/ftp.rs	0.00%	14 Missing ⚠️
src/event/ldap.rs	0.00%	13 Missing ⚠️
src/event/rdp.rs	0.00%	10 Missing ⚠️
src/event/tls.rs	0.00%	7 Missing ⚠️
src/event/dns.rs	33.33%	6 Missing ⚠️
src/event/log.rs	0.00%	5 Missing ⚠️
src/event/mqtt.rs	0.00%	3 Missing ⚠️
... and 10 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #353      +/-   ##
==========================================
+ Coverage   67.71%   68.00%   +0.28%     
==========================================
  Files          95       94       -1     
  Lines       19897    20301     +404     
==========================================
+ Hits        13474    13805     +331     
- Misses       6423     6496      +73     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[sehkone]

I think it would be much better to define the attributes of the enum type. Since the definition is likely to be shared across our modules, we can manage it in a new repository.

[kimhanbeom]

@sehkone
Are there any issues with the implementation other than moving the enum defined for the attributes to a separate repository? If not, I would like to continue with the implementation of packet attribute triage for the remaining detection events.

[kimhanbeom]

@sehkone

Since aicers/attrievent#2 was merged into the main branch of the attrievent repository, I have modified the code to use the enum from that repository.
Now that we are ready to merge this PR into the review-database main branch, could you kindly review the code?

[sehkone]

@kimhanbeom, I think it would be better to rename PacketAttr to RawEventAttr, because other raw events rather than packets are now handled.

[sehkone]

How about using its corresponding enum instead of a String?

[kimhanbeom]

done

[sehkone]

I suspect there might be a typo.

[kimhanbeom]

done

[sehkone]

• Could you add some comments to explain the range of these values?
• If SInteger means i32, don't we need i64?
• If SInteger is i32 and UInteger is u32, I think the pair of Integer and UInteger would be better.

[kimhanbeom]

SInteger means i64 and UInteger means u64. I'll add a comment about that.

[sehkone]

SInteger means i64 and UInteger means u64.

In this case, I think the pair of Integer and UInteger is still better. Besides, SInteger even seems to mean "Small Integer".

[kimhanbeom]

done

[sehkone]

If you mean HttpThreat::post_body, I suggest the following:

  - `HttpThreat::post_body`: `Vec<u8>` to `String`.

[kimhanbeom]

This part represents the post_body field of all detection events of the HTTP protocol type.

[sehkone]

- `post_body` inside structs of `event::http`: `Vec<u8>` to `String`.

How about the above for clarity?

[sehkone]

I think the target_attribute method should be renamed to to_attr_value, because it literally returns AttrValue.

[kimhanbeom]

done

[sehkone]

I think the following is a better choice:

    class_id: std::str::from_utf8(&fields.class_id).unwrap_or_default().to_string(),

[kimhanbeom]

done

[sehkone]

I suggest:

    std::str::from_utf8(&fields.class_id).unwrap_or_default().to_string(),

[sehkone]

Since str has an advantage over String in terms of performance, and there will be virtually no cloning if unwrap fails, I believe this approach is slightly better.

[kimhanbeom]

done

[sehkone]

For the Petabi team, I think I need to explain why this new crate attrievent has been introduced.

The kinds of raw events and their attributes change as our software evolves. The purpose of attrievent is to provide a comprehensive list of attributes for both the REview and the UI simultaneously.

[msk]

It would be beneficial to break down this PR into smaller, more focused ones. The formatting fixes for old CHANGELOG entries and spelling fixes in the code are great, but they're not directly related to the main changes in this PR.

Would you mind separating those into their own PRs? That way, we can review and merge them independently, making it easier to track changes and test the main functionality of this PR. It'll also make it smaller and more manageable.

[sehkone]

The formatting fixes for old CHANGELOG entries and spelling fixes in the code are great, but they're not directly related to the main changes in this PR.

Regarding the changes to the CHANGELOG, I think I need to share how the team in Seoul recently adopted a method for handling text files such as CHANGELOG and README. The team is now using an extension for VS Code, Prettier, to format these files. As a result, even a small change to either file causes the entire content to be reformatted, automatically on save.

[sehkone]

This needs to be rebased, updated to use the release of attrievent, and modified according to the reviewers' comments. Once that is done and [WIP] is removed, the review can proceed.