Beispiel #1
0
def get_all_IPs(conn, region):
    sec_grps = conn.get_all_dbsecurity_groups()
    for grp in sec_grps:
        for ip in grp.ip_ranges:
            IPs = list(netaddr.IPNetwork(ip.cidr_ip))
            for IP in IPs:
                list_ips.append(str(IP))
        for ec2_group in grp.ec2_groups:
            try:
                conn_ec2 = boto.ec2.connect_to_region(region, aws_access_key_id = idsConfig.id, aws_secret_access_key = idsConfig.key)
                for server in conn_ec2.get_all_security_groups(group_ids=[ec2_group.EC2SecurityGroupId])[0].instances():
                    if server.state == "running":
                        list_ips.append(server.ip_address)
                        list_ips.append(server.private_ip_address)
            except Exception as e:
                idsNotify.send_alert("AWS IDS: \n"+str(e))
                sys.exit(1)
    return list(set(list_ips))
Beispiel #2
0
                idsNotify.send_alert("AWS IDS: \n"+str(e))
                sys.exit(1)
    return list(set(list_ips))

parser = argparse.ArgumentParser(description='Process some integers.')
parser.add_argument("-r", "--region", action="store", dest="region", help="region in which rds is running")
parser.add_argument("-l", "--list-rds", action="store", dest="list_rds", help="list trusted rds data file")
args = parser.parse_args()

try:
    conn = boto.rds.connect_to_region(args.region, aws_access_key_id = idsConfig.id, aws_secret_access_key = idsConfig.key)
    for db in conn.get_all_dbinstances():
        list_instances.append(db.id)
    ip_data = get_all_IPs(conn, args.region)
except Exception as e:
    idsNotify.send_alert("AWS IDS: \n"+str(e))
    sys.exit(1)

rds_trusted_file = ConfigParser.ConfigParser()
rds_trusted_file.read(os.path.expanduser(args.list_rds))
trusted_instances = rds_trusted_file.get("verified_instances", "ids", raw=True).split(',')
trusted_ips = rds_trusted_file.get("verified_ips", "ips", raw=True).split(',')

diff = list(set(list_ips) - set(trusted_ips))
if len(diff) > 0:
    idsNotify.send_alert("AWS IDS: \nUnknown IP in RDS: "+diff)

diff = list(set(list_instances) - set(trusted_instances))
if len(diff) > 0:
    idsNotify.send_alert("AWS IDS: \nUnknown instance in RDS: "+diff)
Beispiel #3
0
import ConfigParser
import sys
import os.path
import argparse
import idsConfig
import idsNotify

list_user=""

parser = argparse.ArgumentParser(description='IAM intrusion detection')
parser.add_argument("-l", "--list-user", action="store", dest="list_user", help="list trusted user file")
args = parser.parse_args()

try:
    conn = boto.iam.connection.IAMConnection(aws_access_key_id = idsConfig.id, aws_secret_access_key = idsConfig.key)
    data = conn.get_all_users()
except Exception as e:
    idsNotify.send_alert("AWS IDS: \n"+str(e))
    sys.exit(1)

user_list=[]
for user in data['list_users_response']['list_users_result']['users']:
    user_list.append(user['user_name'])

user_list_file = ConfigParser.ConfigParser()
user_list_file.read(os.path.expanduser(args.list_user))
local_user_names = user_list_file.get("verified_users", "unames", raw=True).split(',')
diff = list(set(user_list) - set(local_user_names))
if len(diff) > 0:
    idsNotify.send_alert("AWS IDS: \nUnknown user detected: "+diff)