forked from p15670423/monkey
Added segmentation violation test
This commit is contained in:
parent
9dfb250d59
commit
470806f3bc
|
@ -10,9 +10,12 @@ def get_ip_in_src_and_not_in_dst(ip_addresses, source_subnet, target_subnet):
|
|||
:param target_subnet: Subnet we want an IP to be in.
|
||||
:return: The cross segment IP if in source but not in target, else None.
|
||||
"""
|
||||
for ip_address in ip_addresses:
|
||||
if target_subnet.is_in_range(ip_address):
|
||||
if get_ip_if_in_subnet(ip_addresses, target_subnet) is not None:
|
||||
return None
|
||||
return get_ip_if_in_subnet(ip_addresses, source_subnet)
|
||||
|
||||
|
||||
def get_ip_if_in_subnet(ip_addresses, source_subnet):
|
||||
for ip_address in ip_addresses:
|
||||
if source_subnet.is_in_range(ip_address):
|
||||
return ip_address
|
||||
|
|
|
@ -3,11 +3,13 @@ import copy
|
|||
from monkey_island.cc.database import mongo
|
||||
from monkey_island.cc.services.telemetry.processing.utils import get_edge_by_scan_or_exploit_telemetry
|
||||
from monkey_island.cc.services.telemetry.zero_trust_tests.data_endpoints import test_open_data_endpoints
|
||||
from monkey_island.cc.services.telemetry.zero_trust_tests.segmentation import test_segmentation_violation
|
||||
|
||||
|
||||
def process_scan_telemetry(telemetry_json):
|
||||
update_edges_and_nodes_based_on_scan_telemetry(telemetry_json)
|
||||
test_open_data_endpoints(telemetry_json)
|
||||
test_segmentation_violation(telemetry_json)
|
||||
|
||||
|
||||
def update_edges_and_nodes_based_on_scan_telemetry(telemetry_json):
|
||||
|
|
|
@ -0,0 +1,68 @@
|
|||
import itertools
|
||||
from six import text_type
|
||||
|
||||
from common.data.zero_trust_consts import STATUS_CONCLUSIVE, EVENT_TYPE_MONKEY_NETWORK
|
||||
from common.network.network_range import NetworkRange
|
||||
from common.network.segmentation_utils import get_ip_in_src_and_not_in_dst, get_ip_if_in_subnet
|
||||
from monkey_island.cc.models import Monkey
|
||||
from monkey_island.cc.models.zero_trust.event import Event
|
||||
from monkey_island.cc.models.zero_trust.segmentation_finding import SegmentationFinding
|
||||
from monkey_island.cc.services.configuration.utils import get_config_network_segments_as_subnet_groups
|
||||
|
||||
SEGMENTATION_VIOLATION_EVENT_TEXT = \
|
||||
"Segmentation violation! Monkey on '{hostname}', with the {source_ip} IP address (in segment {source_seg}) " \
|
||||
"managed to communicate cross segment to {target_ip} (in segment {target_seg})."
|
||||
|
||||
|
||||
def is_segmentation_violation(current_monkey, target_ip, source_subnet, target_subnet):
|
||||
if source_subnet == target_subnet:
|
||||
return False
|
||||
source_subnet_range = NetworkRange.get_range_obj(source_subnet)
|
||||
target_subnet_range = NetworkRange.get_range_obj(target_subnet)
|
||||
|
||||
if target_subnet_range.is_in_range(text_type(target_ip)):
|
||||
cross_segment_ip = get_ip_in_src_and_not_in_dst(
|
||||
current_monkey.ip_addresses,
|
||||
source_subnet_range,
|
||||
target_subnet_range)
|
||||
|
||||
return cross_segment_ip is not None
|
||||
|
||||
|
||||
def test_segmentation_violation(telemetry_json):
|
||||
"""
|
||||
|
||||
:param telemetry_json: A SCAN telemetry sent from a Monkey.
|
||||
"""
|
||||
# TODO - lower code duplication between this and report.py.
|
||||
# TODO - single machine
|
||||
current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid'])
|
||||
target_ip = telemetry_json['data']['machine']['ip_addr']
|
||||
subnet_groups = get_config_network_segments_as_subnet_groups()
|
||||
for subnet_group in subnet_groups:
|
||||
subnet_pairs = itertools.product(subnet_group, subnet_group)
|
||||
for subnet_pair in subnet_pairs:
|
||||
source_subnet = subnet_pair[0]
|
||||
target_subnet = subnet_pair[1]
|
||||
if is_segmentation_violation(current_monkey, target_ip, source_subnet, target_subnet):
|
||||
event = get_segmentation_violation_event(current_monkey, source_subnet, target_ip, target_subnet)
|
||||
SegmentationFinding.create_or_add_to_existing_finding(
|
||||
subnets=[source_subnet, target_subnet],
|
||||
status=STATUS_CONCLUSIVE,
|
||||
segmentation_event=event
|
||||
)
|
||||
|
||||
|
||||
def get_segmentation_violation_event(current_monkey, source_subnet, target_ip, target_subnet):
|
||||
return Event.create_event(
|
||||
title="Segmentation event",
|
||||
message=SEGMENTATION_VIOLATION_EVENT_TEXT.format(
|
||||
hostname=current_monkey.hostname,
|
||||
source_ip=get_ip_if_in_subnet(current_monkey.ip_addresses, NetworkRange.get_range_obj(source_subnet)),
|
||||
source_seg=source_subnet,
|
||||
target_ip=target_ip,
|
||||
target_seg=target_subnet
|
||||
),
|
||||
event_type=EVENT_TYPE_MONKEY_NETWORK
|
||||
)
|
||||
|
Loading…
Reference in New Issue