forked from p15670423/monkey
Added segmentation violation test
This commit is contained in:
Shay Nehmad
parent
9dfb250d59
commit
470806f3bc
|
|
@ -10,9 +10,12 @@ def get_ip_in_src_and_not_in_dst(ip_addresses, source_subnet, target_subnet):
|
||||||
:param target_subnet: Subnet we want an IP to be in.
|
:param target_subnet: Subnet we want an IP to be in.
|
||||||
:return: The cross segment IP if in source but not in target, else None.
|
:return: The cross segment IP if in source but not in target, else None.
|
||||||
"""
|
"""
|
||||||
for ip_address in ip_addresses:
|
if get_ip_if_in_subnet(ip_addresses, target_subnet) is not None:
|
||||||
if target_subnet.is_in_range(ip_address):
|
|
||||||
return None
|
return None
|
||||||
|
return get_ip_if_in_subnet(ip_addresses, source_subnet)
|
||||||
|
|
||||||
|
|
||||||
|
def get_ip_if_in_subnet(ip_addresses, source_subnet):
|
||||||
for ip_address in ip_addresses:
|
for ip_address in ip_addresses:
|
||||||
if source_subnet.is_in_range(ip_address):
|
if source_subnet.is_in_range(ip_address):
|
||||||
return ip_address
|
return ip_address
|
||||||
|
|
|
||||||
|
|
@ -3,11 +3,13 @@ import copy
|
||||||
from monkey_island.cc.database import mongo
|
from monkey_island.cc.database import mongo
|
||||||
from monkey_island.cc.services.telemetry.processing.utils import get_edge_by_scan_or_exploit_telemetry
|
from monkey_island.cc.services.telemetry.processing.utils import get_edge_by_scan_or_exploit_telemetry
|
||||||
from monkey_island.cc.services.telemetry.zero_trust_tests.data_endpoints import test_open_data_endpoints
|
from monkey_island.cc.services.telemetry.zero_trust_tests.data_endpoints import test_open_data_endpoints
|
||||||
|
from monkey_island.cc.services.telemetry.zero_trust_tests.segmentation import test_segmentation_violation
|
||||||
|
|
||||||
|
|
||||||
def process_scan_telemetry(telemetry_json):
|
def process_scan_telemetry(telemetry_json):
|
||||||
update_edges_and_nodes_based_on_scan_telemetry(telemetry_json)
|
update_edges_and_nodes_based_on_scan_telemetry(telemetry_json)
|
||||||
test_open_data_endpoints(telemetry_json)
|
test_open_data_endpoints(telemetry_json)
|
||||||
|
test_segmentation_violation(telemetry_json)
|
||||||
|
|
||||||
|
|
||||||
def update_edges_and_nodes_based_on_scan_telemetry(telemetry_json):
|
def update_edges_and_nodes_based_on_scan_telemetry(telemetry_json):
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,68 @@
|
||||||
|
import itertools
|
||||||
|
from six import text_type
|
||||||
|
|
||||||
|
from common.data.zero_trust_consts import STATUS_CONCLUSIVE, EVENT_TYPE_MONKEY_NETWORK
|
||||||
|
from common.network.network_range import NetworkRange
|
||||||
|
from common.network.segmentation_utils import get_ip_in_src_and_not_in_dst, get_ip_if_in_subnet
|
||||||
|
from monkey_island.cc.models import Monkey
|
||||||
|
from monkey_island.cc.models.zero_trust.event import Event
|
||||||
|
from monkey_island.cc.models.zero_trust.segmentation_finding import SegmentationFinding
|
||||||
|
from monkey_island.cc.services.configuration.utils import get_config_network_segments_as_subnet_groups
|
||||||
|
|
||||||
|
SEGMENTATION_VIOLATION_EVENT_TEXT = \
|
||||||
|
"Segmentation violation! Monkey on '{hostname}', with the {source_ip} IP address (in segment {source_seg}) " \
|
||||||
|
"managed to communicate cross segment to {target_ip} (in segment {target_seg})."
|
||||||
|
|
||||||
|
|
||||||
|
def is_segmentation_violation(current_monkey, target_ip, source_subnet, target_subnet):
|
||||||
|
if source_subnet == target_subnet:
|
||||||
|
return False
|
||||||
|
source_subnet_range = NetworkRange.get_range_obj(source_subnet)
|
||||||
|
target_subnet_range = NetworkRange.get_range_obj(target_subnet)
|
||||||
|
|
||||||
|
if target_subnet_range.is_in_range(text_type(target_ip)):
|
||||||
|
cross_segment_ip = get_ip_in_src_and_not_in_dst(
|
||||||
|
current_monkey.ip_addresses,
|
||||||
|
source_subnet_range,
|
||||||
|
target_subnet_range)
|
||||||
|
|
||||||
|
return cross_segment_ip is not None
|
||||||
|
|
||||||
|
|
||||||
|
def test_segmentation_violation(telemetry_json):
|
||||||
|
"""
|
||||||
|
|
||||||
|
:param telemetry_json: A SCAN telemetry sent from a Monkey.
|
||||||
|
"""
|
||||||
|
# TODO - lower code duplication between this and report.py.
|
||||||
|
# TODO - single machine
|
||||||
|
current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid'])
|
||||||
|
target_ip = telemetry_json['data']['machine']['ip_addr']
|
||||||
|
subnet_groups = get_config_network_segments_as_subnet_groups()
|
||||||
|
for subnet_group in subnet_groups:
|
||||||
|
subnet_pairs = itertools.product(subnet_group, subnet_group)
|
||||||
|
for subnet_pair in subnet_pairs:
|
||||||
|
source_subnet = subnet_pair[0]
|
||||||
|
target_subnet = subnet_pair[1]
|
||||||
|
if is_segmentation_violation(current_monkey, target_ip, source_subnet, target_subnet):
|
||||||
|
event = get_segmentation_violation_event(current_monkey, source_subnet, target_ip, target_subnet)
|
||||||
|
SegmentationFinding.create_or_add_to_existing_finding(
|
||||||
|
subnets=[source_subnet, target_subnet],
|
||||||
|
status=STATUS_CONCLUSIVE,
|
||||||
|
segmentation_event=event
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def get_segmentation_violation_event(current_monkey, source_subnet, target_ip, target_subnet):
|
||||||
|
return Event.create_event(
|
||||||
|
title="Segmentation event",
|
||||||
|
message=SEGMENTATION_VIOLATION_EVENT_TEXT.format(
|
||||||
|
hostname=current_monkey.hostname,
|
||||||
|
source_ip=get_ip_if_in_subnet(current_monkey.ip_addresses, NetworkRange.get_range_obj(source_subnet)),
|
||||||
|
source_seg=source_subnet,
|
||||||
|
target_ip=target_ip,
|
||||||
|
target_seg=target_subnet
|
||||||
|
),
|
||||||
|
event_type=EVENT_TYPE_MONKEY_NETWORK
|
||||||
|
)
|
||||||
|
|
||||||
Loading…
Reference in New Issue