def getDetails(deviceIP):
details = {}
evidence = dbManager.select(E_DB_FILE, deviceIP)
details["DEVICE_PROFILE"] = getDeviceProfile(evidence)
details["VENDOR_PROFILE"] = getVendorProfile(evidence)
details["CHILDREN"] = getChildren(evidence)
details["VULNERABILITIES"] = getVulnerabilities(evidence,
details["DEVICE_PROFILE"],
details["VENDOR_PROFILE"])
details["TOTAL_VULNERABILITIES"] = 0
details["HIGH_VULNS"] = 0
details["MED_VULNS"] = 0
details["LOW_VULNS"] = 0
for vulnerabilityID in details["VULNERABILITIES"]:
details["TOTAL_VULNERABILITIES"] = details["TOTAL_VULNERABILITIES"] + 1
vulnerability = dbManager.select(VULN_DB_FILE, vulnerabilityID)
if helper.singleInList("high", vulnerability["SEVERITY"]):
details["HIGH_VULNS"] = details["HIGH_VULNS"] + 1
if helper.singleInList("medium", vulnerability["SEVERITY"]):
details["MED_VULNS"] = details["MED_VULNS"] + 1
if helper.singleInList("low", vulnerability["SEVERITY"]):
details["LOW_VULNS"] = details["LOW_VULNS"] + 1
details["CHARTS"] = getCharts(deviceIP, evidence)
details["TIMELINES"] = getTimelines(deviceIP)
return details
def getCharts(deviceIP, evidence):
charts = {}
charts["DEVICE"] = {}
charts["VENDOR"] = {}
allDevices = dbManager.allIdentifiers(D_DB_FILE)
allVendors = dbManager.allIdentifiers(V_DB_FILE)
# TO BE IMPLEMENTED - low priority
for device in allDevices:
charts["DEVICE"][device] = {}
charts["DEVICE"][device]["EVIDENCE"] = dbManager.select(
E_DB_FILE, deviceIP)
charts["DEVICE"][device]["PROFILE"] = dbManager.select(
D_DB_FILE, device)
charts["DEVICE"][device][
"SIMILARITY"] = similarityScore.jaccardSimilarity(
charts["DEVICE"][device]["EVIDENCE"],
charts["DEVICE"][device]["PROFILE"])
for vendor in allVendors:
charts["VENDOR"][vendor] = {}
charts["VENDOR"][vendor]["EVIDENCE"] = dbManager.select(
E_DB_FILE, deviceIP)
charts["VENDOR"][vendor]["PROFILE"] = dbManager.select(
V_DB_FILE, vendor)
charts["VENDOR"][vendor][
"SIMILARITY"] = similarityScore.jaccardSimilarity(
charts["VENDOR"][vendor]["EVIDENCE"],
charts["VENDOR"][vendor]["PROFILE"])
return charts
def getVulnerabilities(evidence, deviceProfile, vendorProfile):
vulnerabilities = {}
if "VULNERABILITIES" in evidence.keys():
for vulnID in evidence["VULNERABILITIES"]:
vuln = dbManager.select(VULN_DB_FILE, vulnID)
vulnerabilities[vulnID] = vuln
if "VULNERABILITIES" in deviceProfile.keys():
for vulnID in deviceProfile["VULNERABILITIES"]:
vuln = dbManager.select(VULN_DB_FILE, vulnID)
vulnerabilities[vulnID] = vuln
if "VULNERABILITIES" in vendorProfile.keys():
for vulnID in vendorProfile["VULNERABILITIES"]:
vuln = dbManager.select(VULN_DB_FILE, vulnID)
vulnerabilities[vulnID] = vuln
return vulnerabilities
def getRequests():
requestsDict = {}
allRequestTimeStamps = dbManager.allIdentifiers(R_DB_FILE)
for requestTimeStamp in allRequestTimeStamps:
request = dbManager.select(R_DB_FILE, requestTimeStamp)
if "RESPONSE" not in request:
requestsDict[requestTimeStamp] = request
return requestsDict
def getVendorProfile(evidence):
vendorProfile = {}
vendors = dbManager.allIdentifiers(V_DB_FILE)
if "VENDOR" in evidence.keys():
for vendor in evidence["VENDOR"]:
if vendor in vendors:
vendorProfile = dbManager.select(V_DB_FILE, vendor)
break
return vendorProfile
def getDeviceProfile(evidence):
deviceProfile = {}
devices = dbManager.allIdentifiers(D_DB_FILE)
if "MODEL" in evidence.keys():
for model in evidence["MODEL"]:
if model in devices:
deviceProfile = dbManager.select(D_DB_FILE, model)
break
return deviceProfile
def getTimelines(deviceIP):
timelines = {}
timelines["IDENTIFICATION"] = {}
timelines["VULNERABILITY"] = {}
allEvents = dbManager.allIdentifiers(EVENTS_DB_FILE)
for eventID in allEvents:
event = dbManager.select(EVENTS_DB_FILE, eventID)
if "TARGET_IPADDR" in event.keys(
) and deviceIP in event["TARGET_IPADDR"]:
if "TYPE" in event.keys() and "IDENTIFICATION" in event["TYPE"]:
timelines["IDENTIFICATION"][eventID] = event
if "TYPE" in event.keys() and "VULNERABILITY" in event["TYPE"]:
timelines["VULNERABILITY"][eventID] = event
return timelines
def getSummary():
summary = {}
summary["AGGREGATE"] = {}
summary["AGGREGATE"]["TOTAL_DEVICES"] = 0
summary["AGGREGATE"]["IDENTIFIED"] = 0
summary["AGGREGATE"]["UNIDENTIFIED"] = 0
summary["AGGREGATE"]["TOTAL_VULNERABILITIES"] = 0
summary["AGGREGATE"]["HIGH_VULNS"] = 0
summary["AGGREGATE"]["MED_VULNS"] = 0
summary["AGGREGATE"]["LOW_VULNS"] = 0
summary["TABLE"] = {}
summary["REQUESTS"] = getRequests()
allIPs = dbManager.allIdentifiers(E_DB_FILE)
for deviceIP in allIPs:
summary["AGGREGATE"][
"TOTAL_DEVICES"] = summary["AGGREGATE"]["TOTAL_DEVICES"] + 1
summary["TABLE"][deviceIP] = {}
summary["TABLE"][deviceIP]["VENDOR"] = "NA"
summary["TABLE"][deviceIP]["MODEL"] = "NA"
summary["TABLE"][deviceIP]["FIRMWARE_ID"] = "NA"
summary["TABLE"][deviceIP]["DEVICE_TYPE"] = "NA"
summary["TABLE"][deviceIP]["HIGH_VULNS"] = 0
summary["TABLE"][deviceIP]["MED_VULNS"] = 0
summary["TABLE"][deviceIP]["LOW_VULNS"] = 0
evidence = dbManager.select(E_DB_FILE, deviceIP)
# count identified
if "MODEL" in evidence.keys():
summary["AGGREGATE"][
"IDENTIFIED"] = summary["AGGREGATE"]["IDENTIFIED"] + 1
summary["TABLE"][deviceIP]["MODEL"] = evidence["MODEL"]
else:
summary["AGGREGATE"][
"UNIDENTIFIED"] = summary["AGGREGATE"]["UNIDENTIFIED"] + 1
# fill table
if "VENDOR" in evidence.keys():
summary["TABLE"][deviceIP]["VENDOR"] = evidence["VENDOR"]
if "FIRMWARE_ID" in evidence.keys():
summary["TABLE"][deviceIP]["FIRMWARE_ID"] = evidence["FIRMWARE_ID"]
if "DEVICE_TYPE" in evidence.keys():
summary["TABLE"][deviceIP]["DEVICE_TYPE"] = evidence["DEVICE_TYPE"]
# find children
children = getChildren(evidence)
for key, val in children.items():
summary["TABLE"][deviceIP + ":" + key] = {}
summary["TABLE"][deviceIP + ":" + key]["VENDOR"] = val.get(
"VENDOR", "NA")
summary["TABLE"][deviceIP + ":" + key]["MODEL"] = val.get(
"MODEL", "NA")
summary["TABLE"][deviceIP + ":" + key]["FIRMWARE_ID"] = "-"
summary["TABLE"][deviceIP + ":" + key]["DEVICE_TYPE"] = "-"
summary["TABLE"][deviceIP + ":" + key]["HIGH_VULNS"] = "-"
summary["TABLE"][deviceIP + ":" + key]["MED_VULNS"] = "-"
summary["TABLE"][deviceIP + ":" + key]["LOW_VULNS"] = "-"
# count vulns
if "VULNERABILITIES" in evidence.keys():
for vulnerabilityID in evidence["VULNERABILITIES"]:
summary["AGGREGATE"]["TOTAL_VULNERABILITIES"] = summary[
"AGGREGATE"]["TOTAL_VULNERABILITIES"] + 1
vulnerability = dbManager.select(VULN_DB_FILE, vulnerabilityID)
if helper.singleInList("high", vulnerability["SEVERITY"]):
summary["AGGREGATE"][
"HIGH_VULNS"] = summary["AGGREGATE"]["HIGH_VULNS"] + 1
summary["TABLE"][deviceIP]["HIGH_VULNS"] = summary[
"TABLE"][deviceIP]["HIGH_VULNS"] + 1
if helper.singleInList("medium", vulnerability["SEVERITY"]):
summary["AGGREGATE"][
"MED_VULNS"] = summary["AGGREGATE"]["MED_VULNS"] + 1
summary["TABLE"][deviceIP]["MED_VULNS"] = summary["TABLE"][
deviceIP]["MED_VULNS"] + 1
if helper.singleInList("low", vulnerability["SEVERITY"]):
summary["AGGREGATE"][
"LOW_VULNS"] = summary["AGGREGATE"]["LOW_VULNS"] + 1
summary["TABLE"][deviceIP]["LOW_VULNS"] = summary["TABLE"][
deviceIP]["LOW_VULNS"] + 1
return summary
maskedIPs = {}
maskedMACs = {}
ipCounter = 0
macCounter = 0
# find all IPs and map them to masked
allIPs = dbManager.allIdentifiers(E_DB_FILE)
for deviceIP in allIPs:
if deviceIP not in maskedIPs.keys():
maskedIPs[deviceIP] = "IP_{0}".format(ipCounter)
ipCounter = ipCounter + 1
evidence = dbManager.select(E_DB_FILE, deviceIP)
if "TARGET_IPADDR" in evidence.keys():
for targetIP in evidence["TARGET_IPADDR"]:
ipKey = helper.singleInList(targetIP, maskedIPs.keys())
if ipKey == False:
maskedIPs[targetIP] = "IP_{0}".format(ipCounter)
ipCounter = ipCounter + 1
if "DEST_IPADDR" in evidence.keys():
for destIP in evidence["DEST_IPADDR"]:
ipKey = helper.singleInList(destIP, maskedIPs.keys())
if ipKey == False:
maskedIPs[destIP] = "IP_{0}".format(ipCounter)
ipCounter = ipCounter + 1
import multiprocessing
from ssasse_platform.InferenceEngine import helper
database_path = "/"
profiles_path = "../Profiles/"
E_DB_FILE = "e_db.sqlite" # evidence
D_DB_FILE = "d_db.sqlite" # devices
V_DB_FILE = "v_db.sqlite" # vendors
VULN_DB_FILE = "vuln_db.sqlite" # vulnerabilities
EVENTS_DB_FILE = "events_db.sqlite" # events
S_DB_FILE = "s_db.sqlite"
DBManager = dbManager.DBManager()
fr = open("known_cves.json", "r", encoding="utf-8")
knownDict = json.loads(fr.read())
fr.close()
IPs = dbManager.allIdentifiers(E_DB_FILE)
for ip in IPs:
models = dbManager.select(E_DB_FILE, ip).get("MODEL", [])
for model in knownDict.keys():
if model in models:
for cveDict in knownDict[model]:
#print("Inserting vuln {0} into {1}".format(cveDict,ip))
DBManager.insertVulnerabilityTableEntry(
E_DB_FILE, VULN_DB_FILE, ip, cveDict)
break