fix(agent,installer): hybrid NetFlow decoder and postgres email via docker exec

Author: Kbayero

agent/go.mod

@@ -8,6 +8,7 @@ require (
 	github.com/glebarez/sqlite v1.11.0
 	github.com/google/uuid v1.6.0
 	github.com/kardianos/service v1.2.4
+	github.com/netsampler/goflow2 v1.3.7
 	github.com/tehmaze/netflow v0.0.0-20240303214733-8c13bb004068
 	github.com/threatwinds/go-sdk v1.1.7
 	github.com/threatwinds/logger v1.2.3

agent/go.sum

@@ -87,6 +87,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
 github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
+github.com/netsampler/goflow2 v1.3.7 h1:XZaTy8kkMnGXpJ9hS3KbO1McyrFTpVNhVFEx9rNhMmc=
+github.com/netsampler/goflow2 v1.3.7/go.mod h1:4UZsVGVAs//iMCptUHn3WNScztJeUhZH7kDW2+/vDdQ=
 github.com/opensearch-project/opensearch-go/v4 v4.6.0 h1:Ac8aLtDSmLEyOmv0r1qhQLw3b4vcUhE42NE9k+Z4cRc=
 github.com/opensearch-project/opensearch-go/v4 v4.6.0/go.mod h1:3iZtb4SNt3IzaxavKq0dURh1AmtVgYW71E4XqmYnIiQ=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=

agent/main.go

@@ -3,6 +3,7 @@ package main
 import (
 	"fmt"
 	"os"
+	"path/filepath"
 	"time"
 
 	pb "github.com/utmstack/UTMStack/agent/agent"
@@ -214,6 +215,20 @@ func main() {
 		case "uninstall":
 			fmt.Println("Uninstalling UTMStackAgent service ...")
 
+			fmt.Print("Stopping UTMStackUpdater service... ")
+			updaterPath := filepath.Join(utils.GetMyPath(), fmt.Sprintf(config.UpdaterFile, ""))
+			if utils.CheckIfPathExist(updaterPath) {
+				err := utils.Execute(updaterPath, utils.GetMyPath(), "uninstall")
+				if err != nil {
+					fmt.Printf("Warning: %v\n", err)
+				} else {
+					fmt.Println("[OK]")
+				}
+				time.Sleep(2 * time.Second)
+			} else {
+				fmt.Println("[SKIPPED - not found]")
+			}
+
 			cnf, err := config.GetCurrentConfig()
 			if err != nil {
 				fmt.Println("Error getting config: ", err)

agent/modules/configuration.go

@@ -77,7 +77,7 @@ func ChangeIntegrationStatus(logTyp string, proto string, isEnabled bool, tlsOpt
 				mod := GetModule(logTyp)
 				if mod != nil && mod.IsPortListen(proto) {
 					mod.DisablePort(proto)
-					time.Sleep(100 * time.Millisecond)
+					time.Sleep(200 * time.Millisecond)
 					err := mod.EnablePort(proto, true)
 					if err != nil {
 						return "", fmt.Errorf("error enabling TLS on running module: %v", err)
@@ -89,7 +89,7 @@ func ChangeIntegrationStatus(logTyp string, proto string, isEnabled bool, tlsOpt
 				mod := GetModule(logTyp)
 				if mod != nil && mod.IsPortListen(proto) {
 					mod.DisablePort(proto)
-					time.Sleep(100 * time.Millisecond)
+					time.Sleep(200 * time.Millisecond)
 					err := mod.EnablePort(proto, false)
 					if err != nil {
 						return "", fmt.Errorf("error disabling TLS on running module: %v", err)
@@ -248,7 +248,7 @@ func EnableTLSForIntegration(logTyp string, proto string) (string, error) {
 		mod := GetModule(logTyp)
 		if mod != nil && mod.IsPortListen(proto) {
 			mod.DisablePort(proto)
-			time.Sleep(100 * time.Millisecond)
+			time.Sleep(200 * time.Millisecond)
 			err := mod.EnablePort(proto, true)
 			if err != nil {
 				return port, fmt.Errorf("error enabling TLS on running module: %v", err)
@@ -278,7 +278,7 @@ func DisableTLSForIntegration(logTyp string, proto string) error {
 		mod := GetModule(logTyp)
 		if mod != nil && mod.IsPortListen(proto) {
 			mod.DisablePort(proto)
-			time.Sleep(100 * time.Millisecond)
+			time.Sleep(200 * time.Millisecond)
 			err := mod.EnablePort(proto, false)
 			if err != nil {
 				return fmt.Errorf("error disabling TLS on running module: %v", err)

agent/modules/modules.go

@@ -84,6 +84,9 @@ func StartModules() {
 				}
 				if conf[0] {
 					moCache[index].DisablePort(proto)
+					if conf[1] {
+						time.Sleep(200 * time.Millisecond)
+					}
 				}
 				if changeAllowed {
 					moCache[index].SetNewPort(proto, port)

agent/modules/netflow.go

@@ -3,14 +3,18 @@ package modules
 import (
 	"bytes"
 	"context"
+	"encoding/binary"
 	"errors"
 	"fmt"
 	"net"
 	"strconv"
+	"strings"
 	"sync"
 	"time"
 
-	"github.com/tehmaze/netflow"
+	"github.com/netsampler/goflow2/decoders/netflow"
+	"github.com/netsampler/goflow2/decoders/netflowlegacy"
+	tehmaze "github.com/tehmaze/netflow"
 	"github.com/tehmaze/netflow/session"
 	"github.com/utmstack/UTMStack/agent/config"
 	"github.com/utmstack/UTMStack/agent/logservice"
@@ -23,44 +27,128 @@ var (
 	netflowOnce   sync.Once
 )
 
+// templateSystem implements netflow.NetFlowTemplateSystem for goflow2
+type templateSystem struct {
+	templates map[uint16]map[uint32]map[uint16]interface{}
+	mu        sync.RWMutex
+}
+
+func newTemplateSystem() *templateSystem {
+	return &templateSystem{
+		templates: make(map[uint16]map[uint32]map[uint16]interface{}),
+	}
+}
+
+func (t *templateSystem) GetTemplate(version uint16, obsDomainId uint32, templateId uint16) (interface{}, error) {
+	t.mu.RLock()
+	defer t.mu.RUnlock()
+
+	if versionMap, ok := t.templates[version]; ok {
+		if domainMap, ok := versionMap[obsDomainId]; ok {
+			if template, ok := domainMap[templateId]; ok {
+				return template, nil
+			}
+		}
+	}
+	return nil, fmt.Errorf("template not found: version=%d, obsDomainId=%d, templateId=%d", version, obsDomainId, templateId)
+}
+
+func (t *templateSystem) AddTemplate(version uint16, obsDomainId uint32, template interface{}) {
+	t.mu.Lock()
+	defer t.mu.Unlock()
+
+	if _, ok := t.templates[version]; !ok {
+		t.templates[version] = make(map[uint32]map[uint16]interface{})
+	}
+	if _, ok := t.templates[version][obsDomainId]; !ok {
+		t.templates[version][obsDomainId] = make(map[uint16]interface{})
+	}
+
+	// Extract template ID based on type
+	var templateId uint16
+	switch tmpl := template.(type) {
+	case netflow.TemplateRecord:
+		templateId = tmpl.TemplateId
+	case netflow.IPFIXOptionsTemplateRecord:
+		templateId = tmpl.TemplateId
+	case netflow.NFv9OptionsTemplateRecord:
+		templateId = tmpl.TemplateId
+	default:
+		return
+	}
+
+	t.templates[version][obsDomainId][templateId] = template
+}
+
 type NetflowModule struct {
-	DataType  string
-	Parser    parser.Parser
-	Decoders  map[string]*netflow.Decoder
-	Listener  *net.UDPConn
-	CTX       context.Context
-	Cancel    context.CancelFunc
-	IsEnabled bool
+	DataType        string
+	Parser          parser.Parser
+	LegacyDecoders  map[string]*tehmaze.Decoder  // For v1, v6, v7 (tehmaze/netflow)
+	TemplateSystem  map[string]*templateSystem   // For v5, v9, IPFIX (goflow2)
+	Listener        *net.UDPConn
+	CTX             context.Context
+	Cancel          context.CancelFunc
+	IsEnabled       bool
+	mu              sync.RWMutex
 }
 
 func GetNetflowModule() *NetflowModule {
 	netflowOnce.Do(func() {
 		netflowModule = &NetflowModule{
-			Parser:    parser.GetParser("netflow"),
-			DataType:  "netflow",
-			IsEnabled: false,
-			Decoders:  make(map[string]*netflow.Decoder),
+			Parser:         parser.GetParser("netflow"),
+			DataType:       "netflow",
+			IsEnabled:      false,
+			LegacyDecoders: make(map[string]*tehmaze.Decoder),
+			TemplateSystem: make(map[string]*templateSystem),
 		}
 	})
 	return netflowModule
 }
 
+func (m *NetflowModule) getOrCreateTemplateSystem(addr string) *templateSystem {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	if ts, ok := m.TemplateSystem[addr]; ok {
+		return ts
+	}
+	ts := newTemplateSystem()
+	m.TemplateSystem[addr] = ts
+	return ts
+}
+
+func (m *NetflowModule) getOrCreateLegacyDecoder(addr string) *tehmaze.Decoder {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	if d, ok := m.LegacyDecoders[addr]; ok {
+		return d
+	}
+	s := session.New()
+	d := tehmaze.NewDecoder(s)
+	m.LegacyDecoders[addr] = d
+	return d
+}
+
+func (m *NetflowModule) removeLegacyDecoder(addr string) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	delete(m.LegacyDecoders, addr)
+}
+
 func (m *NetflowModule) EnablePort(proto string, enableTLS bool) error {
 	if enableTLS {
 		return fmt.Errorf("TLS not supported for NetFlow protocol")
 	}
 
 	if proto == "udp" && !m.IsEnabled {
-		utils.Logger.Info("Server %s listening in port: %s protocol: UDP", m.DataType, config.ProtoPorts[config.DataTypeNetflow].UDP)
-		m.IsEnabled = true
-
 		port, err := strconv.Atoi(config.ProtoPorts[config.DataTypeNetflow].UDP)
 		if err != nil {
 			utils.Logger.ErrorF("error converting port to int: %v", err)
 			return err
 		}
 
-		m.Listener, err = net.ListenUDP("udp", &net.UDPAddr{
+		listener, err := net.ListenUDP("udp", &net.UDPAddr{
 			Port: port,
 			IP:   net.ParseIP("0.0.0.0"),
 		})
@@ -69,9 +157,13 @@ func (m *NetflowModule) EnablePort(proto string, enableTLS bool) error {
 			return err
 		}
 
+		m.IsEnabled = true
+		m.Listener = listener
 		m.CTX, m.Cancel = context.WithCancel(context.Background())
 
-		buffer := make([]byte, 2048)
+		utils.Logger.Info("Server %s listening in port: %s protocol: UDP", m.DataType, config.ProtoPorts[config.DataTypeNetflow].UDP)
+
+		buffer := make([]byte, 65535)
 
 		go func() {
 			for {
@@ -97,16 +189,54 @@ func (m *NetflowModule) EnablePort(proto string, enableTLS bool) error {
 						continue
 					}
 
-					d, found := m.Decoders[addr.String()]
-					if !found {
-						s := session.New()
-						d = netflow.NewDecoder(s)
-						m.Decoders[addr.String()] = d
+					// Validate packet structure before attempting to decode
+					packetData := buffer[:length]
+					packetInfo, validationErr := validateNetflowPacket(packetData)
+					if validationErr != nil {
+						utils.Logger.ErrorF("invalid NetFlow packet from %s (length: %d bytes): %v", addr.String(), length, validationErr)
+						continue
 					}
 
-					message, err := d.Read(bytes.NewBuffer(buffer[:length]))
-					if err != nil {
-						utils.Logger.ErrorF("error decoding NetFlow message: %v", err)
+					var message interface{}
+
+					// Use hybrid approach: goflow2 for v5/v9/IPFIX, tehmaze for v1/v6/v7
+					switch packetInfo.version {
+					case 5:
+						// Use goflow2 for NetFlow v5
+						msg, err := netflowlegacy.DecodeMessage(bytes.NewBuffer(packetData))
+						if err != nil {
+							utils.Logger.ErrorF("error decoding %s message from %s: %v", packetInfo.versionName, addr.String(), err)
+							continue
+						}
+						message = msg
+
+					case 9, 10:
+						// Use goflow2 for NetFlow v9 and IPFIX
+						ts := m.getOrCreateTemplateSystem(addr.String())
+						msg, err := netflow.DecodeMessage(bytes.NewBuffer(packetData), ts)
+						if err != nil {
+							// Template not found is expected when data arrives before template
+							// This is normal NetFlow v9/IPFIX behavior, don't log as error
+							if !strings.Contains(err.Error(), "template not found") {
+								utils.Logger.ErrorF("error decoding %s message from %s: %v", packetInfo.versionName, addr.String(), err)
+							}
+							continue
+						}
+						message = msg
+
+					case 1, 6, 7:
+						// Use tehmaze/netflow for legacy versions (v1, v6, v7)
+						d := m.getOrCreateLegacyDecoder(addr.String())
+						msg, err := d.Read(bytes.NewBuffer(packetData))
+						if err != nil {
+							utils.Logger.ErrorF("error decoding %s message from %s: %v", packetInfo.versionName, addr.String(), err)
+							m.removeLegacyDecoder(addr.String())
+							continue
+						}
+						message = msg
+
+					default:
+						utils.Logger.ErrorF("unsupported NetFlow version %d from %s", packetInfo.version, addr.String())
 						continue
 					}
 
@@ -159,3 +289,64 @@ func (m *NetflowModule) GetPort(proto string) string {
 		return ""
 	}
 }
+
+// netflowPacketInfo contains basic information about a NetFlow packet for validation
+type netflowPacketInfo struct {
+	version     uint16
+	count       uint16
+	minSize     int
+	versionName string
+}
+
+// validateNetflowPacket checks if a NetFlow packet has valid structure before decoding
+// Returns packet info if valid, error otherwise
+func validateNetflowPacket(data []byte) (*netflowPacketInfo, error) {
+	if len(data) < 4 {
+		return nil, fmt.Errorf("packet too small: %d bytes (minimum 4 bytes for version and count)", len(data))
+	}
+
+	version := binary.BigEndian.Uint16(data[0:2])
+	count := binary.BigEndian.Uint16(data[2:4])
+
+	info := &netflowPacketInfo{
+		version: version,
+		count:   count,
+	}
+
+	switch version {
+	case 1:
+		info.versionName = "NetFlow v1"
+		info.minSize = 24 + int(count)*48 // header (24) + records (48 each)
+	case 5:
+		info.versionName = "NetFlow v5"
+		info.minSize = 24 + int(count)*48 // header (24) + records (48 each)
+	case 6:
+		info.versionName = "NetFlow v6"
+		info.minSize = 24 + int(count)*52 // header (24) + records (52 each)
+	case 7:
+		info.versionName = "NetFlow v7"
+		info.minSize = 24 + int(count)*52 // header (24) + records (52 each)
+	case 9:
+		info.versionName = "NetFlow v9"
+		// NetFlow v9 header is 20 bytes, minimum packet size is just the header
+		info.minSize = 20
+	case 10:
+		info.versionName = "IPFIX"
+		// IPFIX header is 16 bytes, field at offset 2-4 is the total message length
+		info.minSize = 16
+		ipfixLength := binary.BigEndian.Uint16(data[2:4])
+		if int(ipfixLength) != len(data) {
+			return nil, fmt.Errorf("IPFIX length mismatch: header says %d bytes, received %d bytes", ipfixLength, len(data))
+		}
+		return info, nil
+	default:
+		return nil, fmt.Errorf("unsupported NetFlow version: %d", version)
+	}
+
+	if len(data) < info.minSize {
+		return nil, fmt.Errorf("%s packet too small: received %d bytes, minimum expected %d bytes (count=%d)",
+			info.versionName, len(data), info.minSize, count)
+	}
+
+	return info, nil
+}