Added the open http endpoint test
parent
d6104bbcf9
commit
4581376d8d
|
@ -27,11 +27,11 @@ TEST_DATA_ENDPOINT_HTTP = u"unencrypted_data_endpoint_http"
|
|||
TEST_MACHINE_EXPLOITED = u"machine_exploited"
|
||||
TEST_ENDPOINT_SECURITY_EXISTS = u"endpoint_security_exists"
|
||||
TEST_SCHEDULED_EXECUTION = u"scheduled_execution"
|
||||
TEST_ACTIVITY_TIMELINE = u"malicious_activity_timeline"
|
||||
TEST_MALICIOUS_ACTIVITY_TIMELINE = u"malicious_activity_timeline"
|
||||
TEST_SEGMENTATION = u"segmentation"
|
||||
TESTS = (
|
||||
TEST_SEGMENTATION,
|
||||
TEST_ACTIVITY_TIMELINE,
|
||||
TEST_MALICIOUS_ACTIVITY_TIMELINE,
|
||||
TEST_SCHEDULED_EXECUTION,
|
||||
TEST_ENDPOINT_SECURITY_EXISTS,
|
||||
TEST_MACHINE_EXPLOITED,
|
||||
|
@ -68,7 +68,7 @@ TESTS_MAP = {
|
|||
PILLARS_KEY: [NETWORKS],
|
||||
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_POSITIVE, STATUS_CONCLUSIVE]
|
||||
},
|
||||
TEST_ACTIVITY_TIMELINE: {
|
||||
TEST_MALICIOUS_ACTIVITY_TIMELINE: {
|
||||
TEST_EXPLANATION_KEY: u"The Monkeys in the network performed malicious-looking actions, like scanning and attempting exploitation.",
|
||||
FINDING_EXPLANATION_BY_STATUS_KEY: {
|
||||
STATUS_INCONCLUSIVE: "Monkey performed malicious actions in the network. Check SOC logs and alerts."
|
||||
|
|
|
@ -23,9 +23,9 @@ class Event(EmbeddedDocument):
|
|||
|
||||
# LOGIC
|
||||
@staticmethod
|
||||
def create_event(title, message, event_type):
|
||||
def create_event(title, message, event_type, timestamp=datetime.now()):
|
||||
event = Event(
|
||||
timestamp=datetime.now(),
|
||||
timestamp=timestamp,
|
||||
title=title,
|
||||
message=message,
|
||||
event_type=event_type
|
||||
|
|
|
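Review bot: `timestamp=datetime.now()` in the new `create_event` signature is evaluated once, when the `def` runs as the `Event` class body is executed, so every caller that omits the argument (for example the `Event.create_event(... event_type=EVENT_TYPE_ISLAND)` calls added elsewhere in this commit) records the Island's start-up time instead of the time the event happened, which silently corrupts the zero-trust event timeline. Use a `None` sentinel instead: `def create_event(title, message, event_type, timestamp=None):` and, before building the `Event`, `timestamp = timestamp if timestamp is not None else datetime.now()`. The body of `create_event` continues past the end of the hunk.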
@ -165,7 +165,7 @@ class TestZeroTrustService(IslandTestCase):
|
|||
"tests": [
|
||||
{
|
||||
"status": STATUS_UNEXECUTED,
|
||||
"test": TESTS_MAP[TEST_ACTIVITY_TIMELINE][TEST_EXPLANATION_KEY]
|
||||
"test": TESTS_MAP[TEST_MALICIOUS_ACTIVITY_TIMELINE][TEST_EXPLANATION_KEY]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -189,7 +189,7 @@ class TestZeroTrustService(IslandTestCase):
|
|||
"tests": [
|
||||
{
|
||||
"status": STATUS_UNEXECUTED,
|
||||
"test": TESTS_MAP[TEST_ACTIVITY_TIMELINE][TEST_EXPLANATION_KEY]
|
||||
"test": TESTS_MAP[TEST_MALICIOUS_ACTIVITY_TIMELINE][TEST_EXPLANATION_KEY]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -1,16 +1,55 @@
|
|||
import json
|
||||
|
||||
BAD_ENDPOINTS = {
|
||||
"tcp-80": "Open HTTP server."
|
||||
}
|
||||
from common.data.zero_trust_consts import *
|
||||
from monkey_island.cc.models import Monkey
|
||||
from monkey_island.cc.models.zero_trust.event import Event
|
||||
from monkey_island.cc.models.zero_trust.finding import Finding
|
||||
|
||||
HTTP_SERVERS_SERVICES_NAMES = ['tcp-80']
|
||||
|
||||
|
||||
def test_open_data_endpoints(telemetry_json):
|
||||
services = telemetry_json["data"]["machine"]["services"]
|
||||
current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid'])
|
||||
found_http_server_status = STATUS_POSITIVE
|
||||
|
||||
events = [
|
||||
Event.create_event(
|
||||
title="Scan Telemetry",
|
||||
message="Monkey on {} tried to perform a network scan, the target was {}.".format(
|
||||
current_monkey.hostname,
|
||||
telemetry_json["data"]["machine"]["ip_addr"]),
|
||||
event_type=EVENT_TYPE_MONKEY_NETWORK,
|
||||
timestamp=telemetry_json["timestamp"]
|
||||
)
|
||||
]
|
||||
|
||||
for service_name, service_data in services.items():
|
||||
if service_name in BAD_ENDPOINTS:
|
||||
# TODO Create finding
|
||||
print("found open {} service on address {}, details: {}".format(
|
||||
service_data["display_name"],
|
||||
telemetry_json["data"]["machine"]["ip_addr"],
|
||||
json.dumps(service_data)))
|
||||
events.append(Event.create_event(
|
||||
title="Scan telemetry analysis",
|
||||
message="Scanned service: {}.".format(service_name),
|
||||
event_type=EVENT_TYPE_ISLAND
|
||||
))
|
||||
if service_name in HTTP_SERVERS_SERVICES_NAMES:
|
||||
found_http_server_status = STATUS_CONCLUSIVE
|
||||
events.append(Event.create_event(
|
||||
title="Scan telemetry analysis",
|
||||
message="Service {} on {} recognized as an open data endpoint! Service details: {}".format(
|
||||
service_data["display_name"],
|
||||
telemetry_json["data"]["machine"]["ip_addr"],
|
||||
json.dumps(service_data)
|
||||
),
|
||||
event_type=EVENT_TYPE_ISLAND
|
||||
))
|
||||
|
||||
Finding.save_finding(
|
||||
test=TEST_DATA_ENDPOINT_HTTP,
|
||||
status=found_http_server_status,
|
||||
events=events
|
||||
)
|
||||
|
||||
Finding.save_finding(
|
||||
test=TEST_MALICIOUS_ACTIVITY_TIMELINE,
|
||||
status=STATUS_INCONCLUSIVE,
|
||||
events=events
|
||||
)
|
||||
|
|
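Review bot: The `tcp-80` service name is matched twice in the loop — once against `BAD_ENDPOINTS`, whose branch only does a `print` under `# TODO Create finding`, and again against `HTTP_SERVERS_SERVICES_NAMES` — so a single open HTTP server emits two "Scan telemetry analysis" events, and the first branch writes to stdout instead of the Island log; assuming the `BAD_ENDPOINTS` block survives on the new side of this hunk (the rendered page does not show which lines were removed), fold it into the `HTTP_SERVERS_SERVICES_NAMES` branch or replace the `print` with a module `logger` call. Both `Finding.save_finding` calls receive the same `events` list object, so the `TEST_MALICIOUS_ACTIVITY_TIMELINE` finding also carries the HTTP-endpoint analysis events; if that is intended, a one-line comment above the second call saying so would help the next reader. `telemetry_json["timestamp"]` is passed straight through as the event timestamp; if the `Event.timestamp` field expects a `datetime` (not visible from this hunk), it needs to be parsed here rather than stored as-is. The nested `telemetry_json["data"]["machine"][...]` lookups will raise `KeyError` on a malformed agent telemetry payload, so consider validating the expected keys once at the top of the function and returning early.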