Added the open http endpoint test

2019-08-22 10:52:33 +03:00 · 2019-08-22 10:52:33 +03:00 · 4581376d8d
parent d6104bbcf9
commit 4581376d8d
4 changed files with 55 additions and 16 deletions
--- a/monkey/common/data/zero_trust_consts.py
+++ b/monkey/common/data/zero_trust_consts.py
@ -27,11 +27,11 @@ TEST_DATA_ENDPOINT_HTTP = u"unencrypted_data_endpoint_http"
 TEST_MACHINE_EXPLOITED = u"machine_exploited"
 TEST_ENDPOINT_SECURITY_EXISTS = u"endpoint_security_exists"
 TEST_SCHEDULED_EXECUTION = u"scheduled_execution"
-TEST_ACTIVITY_TIMELINE = u"malicious_activity_timeline"
+TEST_MALICIOUS_ACTIVITY_TIMELINE = u"malicious_activity_timeline"
 TEST_SEGMENTATION = u"segmentation"
 TESTS = (
    TEST_SEGMENTATION,
-    TEST_ACTIVITY_TIMELINE,
+    TEST_MALICIOUS_ACTIVITY_TIMELINE,
    TEST_SCHEDULED_EXECUTION,
    TEST_ENDPOINT_SECURITY_EXISTS,
    TEST_MACHINE_EXPLOITED,
@ -68,7 +68,7 @@ TESTS_MAP = {
        PILLARS_KEY: [NETWORKS],
        POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_POSITIVE, STATUS_CONCLUSIVE]
    },
-    TEST_ACTIVITY_TIMELINE: {
+    TEST_MALICIOUS_ACTIVITY_TIMELINE: {
        TEST_EXPLANATION_KEY: u"The Monkeys in the network performed malicious-looking actions, like scanning and attempting exploitation.",
        FINDING_EXPLANATION_BY_STATUS_KEY: {
            STATUS_INCONCLUSIVE: "Monkey performed malicious actions in the network. Check SOC logs and alerts."
--- a/monkey/monkey_island/cc/models/zero_trust/event.py
+++ b/monkey/monkey_island/cc/models/zero_trust/event.py
@ -23,9 +23,9 @@ class Event(EmbeddedDocument):

    # LOGIC
    @staticmethod
-    def create_event(title, message, event_type):
+    def create_event(title, message, event_type, timestamp=datetime.now()):
        event = Event(
-            timestamp=datetime.now(),
+            timestamp=timestamp,
            title=title,
            message=message,
            event_type=event_type
--- a/monkey/monkey_island/cc/services/reporting/test_zero_trust_service.py
+++ b/monkey/monkey_island/cc/services/reporting/test_zero_trust_service.py
@ -165,7 +165,7 @@ class TestZeroTrustService(IslandTestCase):
                    "tests": [
                        {
                            "status": STATUS_UNEXECUTED,
-                            "test": TESTS_MAP[TEST_ACTIVITY_TIMELINE][TEST_EXPLANATION_KEY]
+                            "test": TESTS_MAP[TEST_MALICIOUS_ACTIVITY_TIMELINE][TEST_EXPLANATION_KEY]
                        }
                    ]
                }
@ -189,7 +189,7 @@ class TestZeroTrustService(IslandTestCase):
                    "tests": [
                        {
                            "status": STATUS_UNEXECUTED,
-                            "test": TESTS_MAP[TEST_ACTIVITY_TIMELINE][TEST_EXPLANATION_KEY]
+                            "test": TESTS_MAP[TEST_MALICIOUS_ACTIVITY_TIMELINE][TEST_EXPLANATION_KEY]
                        }
                    ]
                }
--- a/monkey/monkey_island/cc/services/telemetry/zero_trust_tests/data_endpoints.py
+++ b/monkey/monkey_island/cc/services/telemetry/zero_trust_tests/data_endpoints.py
@ -1,16 +1,55 @@
 import json

-BAD_ENDPOINTS = {
-    "tcp-80": "Open HTTP server."
-}
+from common.data.zero_trust_consts import *
+from monkey_island.cc.models import Monkey
+from monkey_island.cc.models.zero_trust.event import Event
+from monkey_island.cc.models.zero_trust.finding import Finding
+
+HTTP_SERVERS_SERVICES_NAMES = ['tcp-80']


 def test_open_data_endpoints(telemetry_json):
    services = telemetry_json["data"]["machine"]["services"]
+    current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid'])
+    found_http_server_status = STATUS_POSITIVE
+
+    events = [
+        Event.create_event(
+            title="Scan Telemetry",
+            message="Monkey on {} tried to perform a network scan, the target was {}.".format(
+                current_monkey.hostname,
+                telemetry_json["data"]["machine"]["ip_addr"]),
+            event_type=EVENT_TYPE_MONKEY_NETWORK,
+            timestamp=telemetry_json["timestamp"]
+        )
+    ]
+
    for service_name, service_data in services.items():
-        if service_name in BAD_ENDPOINTS:
-            # TODO Create finding
-            print("found open {} service on address {}, details: {}".format(
+        events.append(Event.create_event(
+            title="Scan telemetry analysis",
+            message="Scanned service: {}.".format(service_name),
+            event_type=EVENT_TYPE_ISLAND
+        ))
+        if service_name in HTTP_SERVERS_SERVICES_NAMES:
+            found_http_server_status = STATUS_CONCLUSIVE
+            events.append(Event.create_event(
+                title="Scan telemetry analysis",
+                message="Service {} on {} recognized as an open data endpoint! Service details: {}".format(
                    service_data["display_name"],
                    telemetry_json["data"]["machine"]["ip_addr"],
-                json.dumps(service_data)))
+                    json.dumps(service_data)
+                ),
+                event_type=EVENT_TYPE_ISLAND
+            ))
+
+    Finding.save_finding(
+        test=TEST_DATA_ENDPOINT_HTTP,
+        status=found_http_server_status,
+        events=events
+    )
+
+    Finding.save_finding(
+        test=TEST_MALICIOUS_ACTIVITY_TIMELINE,
+        status=STATUS_INCONCLUSIVE,
+        events=events
+    )