Added segmentation violation test

Shay Nehmad 2019-08-25 18:08:21 +03:00
parent 9dfb250d59
commit 470806f3bc
3 changed files with 76 additions and 3 deletions


@ -10,9 +10,12 @@ def get_ip_in_src_and_not_in_dst(ip_addresses, source_subnet, target_subnet):
:param target_subnet: Subnet we want an IP to be in.
:return: The cross segment IP if in source but not in target, else None.
"""
for ip_address in ip_addresses:
if target_subnet.is_in_range(ip_address):
if get_ip_if_in_subnet(ip_addresses, target_subnet) is not None:
return None
return get_ip_if_in_subnet(ip_addresses, source_subnet)
def get_ip_if_in_subnet(ip_addresses, source_subnet):
for ip_address in ip_addresses:
if source_subnet.is_in_range(ip_address):
return ip_address
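Review bot: The new `get_ip_if_in_subnet` (L20) has no docstring and falls off the end of its loop when nothing matches, so the `is not None` comparison on L17 depends on an implicit return; an explicit `return None` after the loop and a docstring such as `"""Return the first address in ip_addresses that subnet.is_in_range accepts, else None."""` would make that contract visible. Its parameter is named `source_subnet`, yet L17 passes `target_subnet` to it — `def get_ip_if_in_subnet(ip_addresses, subnet):` fits both call sites and removes the misleading name. Since the hunk loses indentation in this rendering, the column of L18's `return None` relative to the new `if` on L17 cannot be confirmed here and is worth a glance. The enclosing `get_ip_in_src_and_not_in_dst` starts above this hunk.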


@ -3,11 +3,13 @@ import copy
from monkey_island.cc.database import mongo
from monkey_island.cc.services.telemetry.processing.utils import get_edge_by_scan_or_exploit_telemetry
from monkey_island.cc.services.telemetry.zero_trust_tests.data_endpoints import test_open_data_endpoints
from monkey_island.cc.services.telemetry.zero_trust_tests.segmentation import test_segmentation_violation
def process_scan_telemetry(telemetry_json):
update_edges_and_nodes_based_on_scan_telemetry(telemetry_json)
test_open_data_endpoints(telemetry_json)
test_segmentation_violation(telemetry_json)
def update_edges_and_nodes_based_on_scan_telemetry(telemetry_json):
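Review bot: `test_segmentation_violation(telemetry_json)` is appended at L35 after `update_edges_and_nodes_based_on_scan_telemetry` has already run, with no error isolation between the steps; the new module indexes `telemetry_json['data']['machine']['ip_addr']` unguarded, so a malformed scan telemetry would raise out of `process_scan_telemetry` after the edge/node write has happened, and whether the caller catches that is not visible here. If the zero-trust tests are meant to be best-effort, wrapping each of the two `test_*` calls in its own `try`/`except Exception` that logs the failure (`logger.exception(...)`) would keep one failing test from aborting the other and from turning a bad telemetry into a pipeline error. `update_edges_and_nodes_based_on_scan_telemetry` at L36 continues past the hunk.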


@ -0,0 +1,68 @@
import itertools
from six import text_type
from common.data.zero_trust_consts import STATUS_CONCLUSIVE, EVENT_TYPE_MONKEY_NETWORK
from common.network.network_range import NetworkRange
from common.network.segmentation_utils import get_ip_in_src_and_not_in_dst, get_ip_if_in_subnet
from monkey_island.cc.models import Monkey
from monkey_island.cc.models.zero_trust.event import Event
from monkey_island.cc.models.zero_trust.segmentation_finding import SegmentationFinding
from monkey_island.cc.services.configuration.utils import get_config_network_segments_as_subnet_groups
SEGMENTATION_VIOLATION_EVENT_TEXT = \
"Segmentation violation! Monkey on '{hostname}', with the {source_ip} IP address (in segment {source_seg}) " \
"managed to communicate cross segment to {target_ip} (in segment {target_seg})."
def is_segmentation_violation(current_monkey, target_ip, source_subnet, target_subnet):
if source_subnet == target_subnet:
return False
source_subnet_range = NetworkRange.get_range_obj(source_subnet)
target_subnet_range = NetworkRange.get_range_obj(target_subnet)
if target_subnet_range.is_in_range(text_type(target_ip)):
cross_segment_ip = get_ip_in_src_and_not_in_dst(
current_monkey.ip_addresses,
source_subnet_range,
target_subnet_range)
return cross_segment_ip is not None
def test_segmentation_violation(telemetry_json):
"""
:param telemetry_json: A SCAN telemetry sent from a Monkey.
"""
# TODO - lower code duplication between this and report.py.
# TODO - single machine
current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid'])
target_ip = telemetry_json['data']['machine']['ip_addr']
subnet_groups = get_config_network_segments_as_subnet_groups()
for subnet_group in subnet_groups:
subnet_pairs = itertools.product(subnet_group, subnet_group)
for subnet_pair in subnet_pairs:
source_subnet = subnet_pair[0]
target_subnet = subnet_pair[1]
if is_segmentation_violation(current_monkey, target_ip, source_subnet, target_subnet):
event = get_segmentation_violation_event(current_monkey, source_subnet, target_ip, target_subnet)
SegmentationFinding.create_or_add_to_existing_finding(
subnets=[source_subnet, target_subnet],
status=STATUS_CONCLUSIVE,
segmentation_event=event
)
def get_segmentation_violation_event(current_monkey, source_subnet, target_ip, target_subnet):
return Event.create_event(
title="Segmentation event",
message=SEGMENTATION_VIOLATION_EVENT_TEXT.format(
hostname=current_monkey.hostname,
source_ip=get_ip_if_in_subnet(current_monkey.ip_addresses, NetworkRange.get_range_obj(source_subnet)),
source_seg=source_subnet,
target_ip=target_ip,
target_seg=target_subnet
),
event_type=EVENT_TYPE_MONKEY_NETWORK
)
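Review bot: `is_segmentation_violation` locates the cross-segment address and then discards it by returning `cross_segment_ip is not None` (L63), so `get_segmentation_violation_event` at L90 rebuilds the source range object and searches `current_monkey.ip_addresses` a second time; it also has no `else`, so when `target_ip` is outside `target_subnet_range` it returns None rather than False. Returning the address (or None) and passing it through to the event, as sketched below, removes the repeated lookup and makes the miss case explicit — no other caller of the helper is visible in this commit. The pair loop at L74 relies on the `source_subnet == target_subnet` guard to skip the identical pairs that `itertools.product(subnet_group, subnet_group)` yields; `itertools.permutations(subnet_group, 2)` states that intent while the guard still covers duplicated entries. `target_ip = telemetry_json['data']['machine']['ip_addr']` at L71 indexes telemetry sent by a Monkey without any check, so a scan telemetry missing one of those keys raises KeyError out of this function, and whether the telemetry pipeline isolates that is not visible here. Both helpers also lack docstrings.
```python
def is_segmentation_violation(current_monkey, target_ip, source_subnet, target_subnet):
    """Return the Monkey address that is in source_subnet but not in target_subnet when
    target_ip lies in target_subnet and the two subnets differ; otherwise None."""
    if source_subnet == target_subnet:
        return None
    source_subnet_range = NetworkRange.get_range_obj(source_subnet)
    target_subnet_range = NetworkRange.get_range_obj(target_subnet)
    if not target_subnet_range.is_in_range(text_type(target_ip)):
        return None
    return get_ip_in_src_and_not_in_dst(
        current_monkey.ip_addresses,
        source_subnet_range,
        target_subnet_range)


def test_segmentation_violation(telemetry_json):
    # … unchanged: docstring, TODOs, current_monkey / target_ip / subnet_groups lookup …
    for subnet_group in subnet_groups:
        for source_subnet, target_subnet in itertools.permutations(subnet_group, 2):
            cross_segment_ip = is_segmentation_violation(current_monkey, target_ip, source_subnet, target_subnet)
            if cross_segment_ip is None:
                continue
            event = get_segmentation_violation_event(
                current_monkey, source_subnet, cross_segment_ip, target_ip, target_subnet)
            # … unchanged: SegmentationFinding.create_or_add_to_existing_finding(...) …


def get_segmentation_violation_event(current_monkey, source_subnet, source_ip, target_ip, target_subnet):
    """Build the zero-trust Event describing the cross-segment communication."""
    return Event.create_event(
        title="Segmentation event",
        message=SEGMENTATION_VIOLATION_EVENT_TEXT.format(
            hostname=current_monkey.hostname,
            source_ip=source_ip,
            # … unchanged: source_seg / target_ip / target_seg …
        ),
        event_type=EVENT_TYPE_MONKEY_NETWORK
    )
```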