Merge pull request #28 from deepfence/sensor-plugin-output

sensor: Add a posssibility to output directly to plugins

Author: vadorovsky

cmd/sensor.go

@@ -1,7 +1,11 @@
 package cmd
 
 import (
+	"context"
 	"log"
+	"os"
+	"os/signal"
+	"syscall"
 
 	"github.com/spf13/cobra"
 
@@ -19,17 +23,20 @@ var sensorCmd = &cobra.Command{
 			log.Fatalf("Invalid configuration: %v", err)
 		}
 
-		mainSignalChannel := make(chan bool)
-
 		proto := "tcp"
 		if err := streamer.InitOutput(cfg, proto); err != nil {
 			log.Fatalf("Failed to connect: %v", err)
 		}
 
+		sigs := make(chan os.Signal, 1)
+		signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM)
+		ctx, cancel := context.WithCancel(context.Background())
+
 		log.Println("Start sending")
-		streamer.StartSensor(cfg, mainSignalChannel)
+		streamer.StartSensor(ctx, cfg)
 		log.Println("Now waiting in main")
-		<-mainSignalChannel
+		<-sigs
+		cancel()
 	},
 }
 

contrib/config/receiver-s3.yaml

@@ -2,8 +2,6 @@ input:
   address: 0.0.0.0
   port: 8081
 output:
-  file:
-    path: /dev/null
   plugins:
     s3:
       region: eu-west-1

contrib/config/sensor-s3.yaml

@@ -0,0 +1,10 @@
+output:
+  plugins:
+    s3:
+      region: eu-west-1
+      bucket: foo-pcap
+      totalFileSize: 10MB
+      uploadChunkSize: 5MB
+      uploadTimeout: 1m
+      cannedACL: bucket-owner-full-control
+pcapMode: all

docs/src/SUMMARY.md

@@ -7,6 +7,8 @@
   - [Using with Docker](./quickstart/docker.md)
   - [Using on Kubernetes](./quickstart/kubernetes.md)
   - [Using on Vagrant](./quickstart/vagrant.md)
+- [Plugins](./plugins/README.md)
+  - [S3](./plugins/s3.md)
 - [Using with other tools](./tools/README.md)
   - [Suricata](./tools/suricata.md)
 - [Configuration](./configuration.md)

docs/src/configuration.md

@@ -3,29 +3,37 @@
 `packetstreamer` is configured using a yaml-formatted configuration file.
 
 ```yaml
-input:                         # required in 'receiver' mode
+input:                             # required in 'receiver' mode
   address: _ip-address_
   port: _listen-port_
 output:
-  server:                      # required in 'sensor' mode
+  server:                          # required in 'sensor' mode
     address: _ip-address_
     port: _listen-port_
-  file:                        # required in 'receiver' mode
-    path: _filename_|stdout    # 'stdout' is a reserved name. Receiver will write to stdout
-tls:                           # optional
+  file:                            # required in 'receiver' mode
+    path: _filename_|stdout        # 'stdout' is a reserved name. Receiver will write to stdout
+  plugins:                         # optional
+    s3:
+      bucket: _string_
+      region: _string_
+      totalFileSize: _file_size_   # optional; default: 10 MB
+      uploadChunkSize: _file_size_ # optional; default: 5 MB
+      uploadTimeout: _timeout_     # optional; default: 1m
+      cannedACL: _acl_             # optional; default: Bucket owner enforced
+tls:                               # optional
   enable: _true_|_false_
   certfile: _filename_
   keyfile: _filename_
-auth:                          # optional; receiver and sensor must use same shared key
+auth:                              # optional; receiver and sensor must use same shared key
   enable: _true_|_false_
   key: _string_
-compressBlockSize: _integer_   # optional; default: 65
-inputPacketLen: _integer_      # optional; default: 65535
-logFilename: _filename_        # optional
-pcapMode: _Allow_|_Deny_|_All_ # optional
-capturePorts: _list-of-ports_  # optional
+compressBlockSize: _integer_       # optional; default: 65
+inputPacketLen: _integer_          # optional; default: 65535
+logFilename: _filename_            # optional
+pcapMode: _Allow_|_Deny_|_All_     # optional
+capturePorts: _list-of-ports_      # optional
 captureInterfacesPorts: _map: interface-name:port_ # optional
-ignorePorts: _list-of-ports_   # optional
+ignorePorts: _list-of-ports_       # optional
 ```
 
 You can find example configuration files in the [`/contrib/config/`](https://github.com/deepfence/PacketStreamer/tree/main/contrib/config)

docs/src/plugins/README.md

@@ -0,0 +1,15 @@
+# Plugins
+
+This documentation section is about plugins which allow to stream packets to
+various external storage services.
+
+Plugins can be used both from:
+
+- **sensor** - in that case, locally captured packets are streamed through the
+  plugin
+- **receiver** - all packets retrieved from (potentially multiple) sensors are
+  streamed through the plugin
+
+Currently the plugins are:
+
+- [S3](./s3.md)

docs/src/plugins/s3.md

@@ -0,0 +1,62 @@
+# S3
+
+The S3 plugins allows to stream packets to the given S3 buckets.
+
+## Configuration
+
+### AWS credentials
+
+Before running PacketStreamer, AWS credentials need to be configured by one of
+the following ways:
+
+- `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables
+- `~/.aws/config` file - it can be created by `aws configure`
+
+The first way might be more convenient when running as root (required when
+running a sensor).
+
+### Configuration scheme
+
+S3 plugin configuration has the following syntax:
+
+```yaml
+output:
+  plugins:                         # optional
+    s3:
+      bucket: _string_
+      region: _string_
+      totalFileSize: _file_size_   # optional; default: 10 MB
+      uploadChunkSize: _file_size_ # optional; default: 5 MB
+      uploadTimeout: _timeout_     # optional; default: 1m
+      cannedACL: _acl_             # optional; default: Bucket owner enforced
+```
+
+### Sensor configuration
+
+If you want to stream locally captured packets from sensor to S3, you can use
+the following example configuration from
+[contrib/config/sensor-s3.yaml](https://raw.githubusercontent.com/deepfence/PacketStreamer/main/contrib/config/sensor-s3.yaml):
+
+```yaml
+{{#rustdoc_include ../../../contrib/config/sensor-s3.yaml}}
+```
+
+And run PacketStreamer with it:
+
+```bash
+sudo packetstreamer sensor --config ./contrib/config/sensor-s3.yaml
+```
+
+### Receiver configuration
+
+If you want to stream packets from receiver to S3, you can use the following
+example configuration from
+[contrib/config/receiver-s3.yaml]
+
+```yaml
+{{#rustdoc_include ../../../contrib/config/receiver-s3.yaml}}
+```
+
+```bash
+packetstreamer receiver --config ./contrib/config/receiver-s3.yaml
+```

go.mod

@@ -3,7 +3,7 @@ module github.com/deepfence/PacketStreamer
 go 1.17
 
 require (
-	github.com/aws/aws-sdk-go-v2 v1.16.2
+	github.com/aws/aws-sdk-go-v2 v1.16.4
 	github.com/aws/aws-sdk-go-v2/config v1.15.3
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.26.3
 	github.com/confluentinc/confluent-kafka-go v1.8.2

go.sum

@@ -1,5 +1,7 @@
 github.com/aws/aws-sdk-go-v2 v1.16.2 h1:fqlCk6Iy3bnCumtrLz9r3mJ/2gUT0pJ0wLFVIdWh+JA=
 github.com/aws/aws-sdk-go-v2 v1.16.2/go.mod h1:ytwTPBG6fXTZLxxeeCCWj2/EMYp/xDUgX+OET6TLNNU=
+github.com/aws/aws-sdk-go-v2 v1.16.4 h1:swQTEQUyJF/UkEA94/Ga55miiKFoXmm/Zd67XHgmjSg=
+github.com/aws/aws-sdk-go-v2 v1.16.4/go.mod h1:ytwTPBG6fXTZLxxeeCCWj2/EMYp/xDUgX+OET6TLNNU=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.1 h1:SdK4Ppk5IzLs64ZMvr6MrSficMtjY2oS0WOORXTlxwU=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.1/go.mod h1:n8Bs1ElDD2wJ9kCRTczA83gYbBmjSwZp3umc6zF4EeM=
 github.com/aws/aws-sdk-go-v2/config v1.15.3 h1:5AlQD0jhVXlGzwo+VORKiUuogkG7pQcLJNzIzK7eodw=

pkg/config/sensor.go

@@ -10,7 +10,9 @@ var (
 )
 
 func ValidateSensorConfig(config *Config) error {
-	if config.Output.File == nil && config.Output.Server == nil {
+	if config.Output.File == nil && config.Output.Server == nil &&
+		(config.Output.Plugins == nil ||
+			(config.Output.Plugins.S3 == nil && config.Output.Plugins.Kafka == nil)) {
 		return ErrNoOutputConfigured
 	}
 	if config.Output.Server != nil && config.Output.Server.Port == nil {