Merge pull request #1582 from guardicore/1535-netstat-info-collector-removal

1535 netstat info collector removal

.swm/OwcKMnALpn7tuBaJY1US.swm

@@ -14,7 +14,7 @@
     "content": [
         {
             "type": "text",
-            "text": "# What are system info collectors?\n\nWell, the name pretty much explains it. They are Monkey classes which collect various information regarding the victim system, such as Environment, SSH Info, Process List, Netstat and more. \n\n## What should I add? \n\nA system info collector which collects the hostname of the system.\n\n## Test manually\n\nOnce you're done, make sure that your collector:\n* Appears in the Island configuration, and is enabled by default\n* The collector actually runs when executing a Monkey.\n* Results show up in the relevant places:\n  * The infection map.\n  * The security report.\n  * The relevant MITRE techniques.\n\n**There are a lot of hints for this unit - don't be afraid to use them!**"
+            "text": "# What are system info collectors?\n\nWell, the name pretty much explains it. They are Monkey classes which collect various information regarding the victim system, such as Environment, SSH Info, Process List and more. \n\n## What should I add? \n\nA system info collector which collects the hostname of the system.\n\n## Test manually\n\nOnce you're done, make sure that your collector:\n* Appears in the Island configuration, and is enabled by default\n* The collector actually runs when executing a Monkey.\n* Results show up in the relevant places:\n  * The infection map.\n  * The security report.\n  * The relevant MITRE techniques.\n\n**There are a lot of hints for this unit - don't be afraid to use them!**"
         },
         {
             "type": "snippet",

CHANGELOG.md

@@ -15,8 +15,9 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Removed
 - The VSFTPD exploiter. #1533
 - Manual agent run command for CMD. #1570
-- Sambacry exploiter #1567
+- Sambacry exploiter. #1567
 - "Kill file" option in the config. #1536
+- Netstat collector, because network connection information wasn't used anywhere. #1535
 
 ### Fixed
 - A bug in network map page that caused delay of telemetry log loading. #1545

monkey/infection_monkey/system_info/__init__.py

@@ -7,7 +7,6 @@ import psutil
 from common.common_consts.system_info_collectors_names import AZURE_CRED_COLLECTOR
 from infection_monkey.network.info import get_host_subnets
 from infection_monkey.system_info.azure_cred_collector import AzureCollector
-from infection_monkey.system_info.netstat_collector import NetstatCollector
 from infection_monkey.system_info.system_info_collectors_handler import SystemInfoCollectorsHandler
 
 logger = logging.getLogger(__name__)
@@ -72,15 +71,12 @@ class InfoCollector(object):
     def get_network_info(self):
         """
         Adds network information from the host to the system information.
-        Currently updates with netstat and a list of networks accessible from host
+        Currently updates with list of networks accessible from host
         containing host ip and the subnet range
         :return: None. Updates class information
         """
         logger.debug("Reading subnets")
-        self.info["network_info"] = {
-            "networks": get_host_subnets(),
-            "netstat": NetstatCollector.get_netstat_info(),
-        }
+        self.info["network_info"] = {"networks": get_host_subnets()}
 
     def get_azure_info(self):
         """

monkey/infection_monkey/system_info/netstat_collector.py

@@ -1,42 +0,0 @@
-# Inspired by Giampaolo Rodola's psutil example from
-# https://github.com/giampaolo/psutil/blob/master/scripts/netstat.py
-
-import logging
-import socket
-from socket import AF_INET, SOCK_DGRAM, SOCK_STREAM
-
-import psutil
-
-logger = logging.getLogger(__name__)
-
-
-class NetstatCollector(object):
-    """
-    Extract netstat info
-    """
-
-    AF_INET6 = getattr(socket, "AF_INET6", object())
-
-    proto_map = {
-        (AF_INET, SOCK_STREAM): "tcp",
-        (AF_INET6, SOCK_STREAM): "tcp6",
-        (AF_INET, SOCK_DGRAM): "udp",
-        (AF_INET6, SOCK_DGRAM): "udp6",
-    }
-
-    @staticmethod
-    def get_netstat_info():
-        logger.info("Collecting netstat info")
-        return [NetstatCollector._parse_connection(c) for c in psutil.net_connections(kind="inet")]
-
-    @staticmethod
-    def _parse_connection(c):
-        return {
-            "proto": NetstatCollector.proto_map[(c.family, c.type)],
-            "local_address": c.laddr[0],
-            "local_port": c.laddr[1],
-            "remote_address": c.raddr[0] if c.raddr else None,
-            "remote_port": c.raddr[1] if c.raddr else None,
-            "status": c.status,
-            "pid": c.pid,
-        }

monkey/monkey_island/cc/services/attack/technique_reports/T1016.py

@@ -16,21 +16,13 @@ class T1016(AttackTechnique):
             "$project": {
                 "machine": {"hostname": "$data.hostname", "ips": "$data.network_info.networks"},
                 "networks": "$data.network_info.networks",
-                "netstat": "$data.network_info.netstat",
             }
         },
         {
             "$addFields": {
                 "_id": 0,
-                "netstat": 0,
                 "networks": 0,
                 "info": [
-                    {
-                        "used": {
-                            "$and": [{"$ifNull": ["$netstat", False]}, {"$gt": ["$netstat", {}]}]
-                        },
-                        "name": {"$literal": "Network connections (netstat)"},
-                    },
                     {
                         "used": {
                             "$and": [{"$ifNull": ["$networks", False]}, {"$gt": ["$networks", {}]}]

monkey/monkey_island/cc/services/attack/technique_reports/T1082.py

@@ -16,7 +16,6 @@ class T1082(AttackTechnique):
             "$project": {
                 "machine": {"hostname": "$data.hostname", "ips": "$data.network_info.networks"},
                 "aws": "$data.aws",
-                "netstat": "$data.network_info.netstat",
                 "process_list": "$data.process_list",
                 "ssh_info": "$data.ssh_info",
                 "azure_info": "$data.Azure",
@@ -28,7 +27,7 @@ class T1082(AttackTechnique):
                 "machine": 1,
                 "collections": [
                     {
-                        "used": {"$and": [{"$ifNull": ["$netstat", False]}, {"$gt": ["$aws", {}]}]},
+                        "used": {"$and": [{"$gt": ["$aws", {}]}]},
                         "name": {"$literal": "Amazon Web Services info"},
                     },
                     {
@@ -40,12 +39,6 @@ class T1082(AttackTechnique):
                         },
                         "name": {"$literal": "Running process list"},
                     },
-                    {
-                        "used": {
-                            "$and": [{"$ifNull": ["$netstat", False]}, {"$ne": ["$netstat", []]}]
-                        },
-                        "name": {"$literal": "Network connections"},
-                    },
                     {
                         "used": {
                             "$and": [{"$ifNull": ["$ssh_info", False]}, {"$ne": ["$ssh_info", []]}]
@@ -61,6 +54,7 @@ class T1082(AttackTechnique):
                         },
                         "name": {"$literal": "Azure info"},
                     },
+                    {"used": True, "name": {"$literal": "Network interfaces"}},
                 ],
             }
         },