feat: enhance network monitoring for UDP packets

rohan-stepsecurity · rohan-stepsecurity · commit f9c107ff266d · 2025-11-20T17:07:46.000+05:30
Added support for monitoring UDP packets in the NetworkMonitor by introducing handling for the sendto and sendmsg syscalls. Updated logging to reflect the addition of UDP monitoring alongside existing TCP functionality.
diff --git a/netmon.go b/netmon.go
@@ -71,13 +71,19 @@ func (netMonitor *NetworkMonitor) handlePacket(attrs nflog.Attribute) {
 	packet := gopacket.NewPacket(data, layers.LayerTypeIPv4, gopacket.Default)
 	port := ""
 	isSYN := false
+	isUDP := false
 	// Get the TCP layer from this packet
 	if tcpLayer := packet.Layer(layers.LayerTypeTCP); tcpLayer != nil {
 		// Get actual TCP data from this layer
 		tcp, _ := tcpLayer.(*layers.TCP)
 		port = tcp.DstPort.String()
 		isSYN = tcp.SYN
 
+	} else if udpLayer := packet.Layer(layers.LayerTypeUDP); udpLayer != nil {
+		// Get actual UDP data from this layer
+		udp, _ := udpLayer.(*layers.UDP)
+		port = udp.DstPort.String()
+		isUDP = true
 	}
 
 	// Get the IP layer from this packet
@@ -90,7 +96,7 @@ func (netMonitor *NetworkMonitor) handlePacket(attrs nflog.Attribute) {
 		if !found {
 			ipAddresses[ipv4Address] = 1
 
-			if isSYN {
+			if isSYN || isUDP {
 				if netMonitor.Status == "Dropped" {
 
 					netMonitor.ApiClient.sendNetConnection(netMonitor.CorrelationId, netMonitor.Repo,
diff --git a/procmon_linux.go b/procmon_linux.go
@@ -107,7 +107,31 @@ func (p *ProcessMonitor) MonitorProcesses(errc chan error) {
 		errc <- errors.Wrap(err, "failed to add audit rule for syscall connect")
 	}
 
-	WriteLog("Net monitor added")
+	WriteLog("Net monitor added for TCP (connect)")
+
+	// syscall sendto (for UDP)
+	r, _ = flags.Parse(fmt.Sprintf("-a exit,always -S sendto -k %s", netMonitorTag))
+
+	actualBytes, _ = rule.Build(r)
+
+	if err = client.AddRule(actualBytes); err != nil {
+		WriteLog(fmt.Sprintf("failed to add audit rule for sendto %v", err))
+		errc <- errors.Wrap(err, "failed to add audit rule for syscall sendto")
+	}
+
+	WriteLog("Net monitor added for UDP (sendto)")
+
+	// syscall sendmsg (for UDP)
+	r, _ = flags.Parse(fmt.Sprintf("-a exit,always -S sendmsg -k %s", netMonitorTag))
+
+	actualBytes, _ = rule.Build(r)
+
+	if err = client.AddRule(actualBytes); err != nil {
+		WriteLog(fmt.Sprintf("failed to add audit rule for sendmsg %v", err))
+		errc <- errors.Wrap(err, "failed to add audit rule for syscall sendmsg")
+	}
+
+	WriteLog("Net monitor added for UDP (sendmsg)")
 
 	// syscall process start
 	r, _ = flags.Parse(fmt.Sprintf("-a exit,always -S execve -k %s", processMonitorTag))
