Make feature simpler

Change config value phrasing
This commit is contained in:
Itay Mizeretz 2018-08-21 11:34:26 +03:00
parent d831769d1f
commit bafa0e42a0
4 changed files with 18 additions and 27 deletions

View File

@ -185,7 +185,7 @@ class Configuration(object):
local_network_scan = True
subnet_scan_list = ['', ]
inaccessible_subnet_groups = []
inaccessible_subnets = []
blocked_ips = ['', ]

View File

@ -41,18 +41,18 @@ class NetworkScanner(object):
def _get_inaccessible_subnets_ips(self):
"""
For each of the machine's IPs, checks if it's in one of the subnet groups specified in the
'inaccessible_subnet_groups' config value. If so, all other subnets in the same group shouldn't be accessible.
For each of the machine's IPs, checks if it's in one of the subnets specified in the
'inaccessible_subnets' config value. If so, all other subnets in the config value shouldn't be accessible.
All these subnets are returned.
:return: A list of subnets that shouldn't be accessible from the machine the monkey is running on.
"""
subnets_to_scan = []
for subnet_group in WormConfiguration.inaccessible_subnet_groups:
for subnet_str in subnet_group:
if len(WormConfiguration.inaccessible_subnets) > 1:
for subnet_str in WormConfiguration.inaccessible_subnets:
if NetworkScanner._is_any_ip_in_subnet([unicode(x) for x in self._ip_addresses], subnet_str):
# If machine has IPs from 2 different subnets in the same group, there's no point checking the other
# subnet.
for other_subnet_str in subnet_group:
for other_subnet_str in WormConfiguration.inaccessible_subnets:
if other_subnet_str == subnet_str:
continue
if not NetworkScanner._is_any_ip_in_subnet([unicode(x) for x in self._ip_addresses],

View File

@ -222,33 +222,24 @@ SCHEMA = {
"title": "Network Analysis",
"type": "object",
"properties": {
"inaccessible_subnet_groups": {
"title": "Inaccessible IP/subnet groups",
"inaccessible_subnets": {
"title": "Network segmentation testing",
"type": "array",
"uniqueItems": True,
"items": {
"type": "array",
"title": "Subnet group",
"items": {
"type": "string"
},
"minItems": 2,
"uniqueItems": True,
"description": "List of IPs/subnets."
" Examples: \"192.168.0.1\", \"192.168.0.5-192.168.0.20\","
" \"192.168.0.5/24\""
},
"default": [
],
"description":
"You can use this feature to test for network segmentation, by proving lists of"
" IP/subnet groups that should not be accessible to each other. Each input group"
" consists of subnets that should not be accessible to each other. If the Monkey"
" is inside of one of the subnets it will attempt to connect to machines in the"
" other subnet."
" Example, by providing input 192.168.1.0/24, 192.168.2.0/24, 192.168.3.1-192.168.3.10,"
" a Monkey with the IP address 192.168.2.5 will try to access machines inside"
" 192.168.1.0/24 or 192.168.3.1-192.168.3.10."
"Test for network segmentation by providing a list of"
" subnets that should NOT be accessible to each other."
" For example, given the following configuration:"
" '10.0.0.0/24, 11.0.0.2/32, 12.2.3.0/24'"
" a Monkey running on 10.0.0.5 will try to access machines in the following"
" subnets: 11.0.0.2/32, 12.2.3.0/24."
" An alert on successful connections will be shown in the report"
" Additional subnet formats include: 13.0.0.1, 13.0.0.1-13.0.0.5"
}
}
}

View File

@ -442,7 +442,7 @@ class ReportService:
cross_segment_issues = []
subnet_groups = ConfigService.get_config_value(
['basic_network', 'network_analysis', 'inaccessible_subnet_groups'])
['basic_network', 'network_analysis', 'inaccessible_subnets'])
for subnet_group in subnet_groups:
cross_segment_issues += ReportService.get_cross_segment_issues_per_subnet_group(scans, subnet_group)