def find_from_tuple(cls, link):
"""
Find link by providing a tuple with two ip addresses or two mac addresses
:param link: tuple with two string elements indicating source and destination (ip or mac addresses)
:returns: Link object
"""
try:
a = link[0]
b = link[1]
except IndexError:
raise ValueError('Expecting tuple with source and destination')
# find interfaces
if (valid_ipv4(a) and valid_ipv4(b)) or (valid_ipv6(a) and valid_ipv6(b)):
try:
a = Ip.objects.get(address=a).interface
b = Ip.objects.get(address=b).interface
except Ip.DoesNotExist as e:
raise LinkDataNotFound(e)
elif valid_mac(a) and valid_mac(b):
try:
a = Interface.objects.get(mac=a)
b = Interface.objects.get(mac=b)
except Interface.DoesNotExist as e:
raise LinkDataNotFound(e)
else:
raise ValueError('Expecting valid ipv4, ipv6 or mac address')
# find link with interfaces
# inverse order is also ok
q = Q(interface_a=a, interface_b=b) | Q(interface_a=b, interface_b=a)
link = Link.objects.filter(q).first()
if link is None:
raise LinkNotFound('Link matching query does not exist',
interface_a=a,
interface_b=b)
return link
def main(args):
'''
Obtain necessary input to execute ping sweep:
telnet-pingsweep [--version] [-v|--verbose] [-f|--file <file.yaml>]
<starting-address-range> <ending-address-range>
'''
parser = argparse.ArgumentParser(description='Connect to a specified router and run a '
'command')
parser.add_argument('--version', action='version', version=__version__)
parser.add_argument('-v', '--verbose', action='store_true', help='display verbose output',
default=False)
parser.add_argument('-f', '--file', help='specify YAML file to read router info from',
default=ROUTER_FILE)
parser.add_argument('-o', '--output', help='specify output file to write results to')
parser.add_argument('addr_start', help='starting address for sweep')
parser.add_argument('addr_end', help='ending address for sweep')
args = parser.parse_args()
# Pre-flight checks
myrouter_data = yaml_input(args.file, args.verbose)
# Validate IP addresses
if netaddr.valid_ipv4(args.addr_start):
addr_start = netaddr.IPAddress(args.addr_start)
else:
sys.exit('Invalid IPv4 address: {}'.format(args.start))
if netaddr.valid_ipv4(args.addr_end):
addr_end = netaddr.IPAddress(args.addr_end)
else:
sys.exit('Invalid IPv4 address: {}'.format(args.start))
if addr_end <= addr_start:
sys.exit('Ending address must be after starting address.')
if (addr_end - addr_start).value > 254:
sys.exit('Largest range of addresses which may be swept is limited to 254.')
addr_range = netaddr.IPRange(addr_start, addr_end)
myrouter = Netinfnode(myrouter_data, TELNET_TIMEOUT)
myrouter.connect(args.verbose)
myrouter.nopaging(args.verbose)
if args.output:
output1 = open(args.output, 'w')
for addr in addr_range:
full_cmd = ROUTER_CMD + ' ' + str(addr)
print 'Processing {}...'.format(full_cmd)
output = myrouter.sendcmd(full_cmd, args.verbose)
# output has extra carriage returns - remove
new_output = output.replace('\r', '')
result = 'Command ({}) output:\n{}\n'.format(full_cmd, new_output)
if args.output:
output1.write(result)
output1.write('\n')
else:
print result
# Cleanup
myrouter.connection.close()
if args.output:
output1.close()
def validate_ip_addr(addr, version=None):
"""
Validates that an IP address is valid. Returns true if valid, false if
not. Version can be "4", "6", None for "IPv4", "IPv6", or "either"
respectively.
"""
if version == 4:
return netaddr.valid_ipv4(addr)
elif version == 6:
return netaddr.valid_ipv6(addr)
else:
return netaddr.valid_ipv4(addr) or netaddr.valid_ipv6(addr)
def _is_ip(self, domain):
'''
This extra parsing handles a variety of edge cases such as:
- http://192.168.1.1
- http://192.168.1.1:81
- 192.168.1.1:81
'''
if valid_ipv4(domain):
return True
if urlparse(domain).scheme != '':
domain = urlparse(domain).netloc
if ':' in domain:
domain = domain[:domain.rindex(':')]
return valid_ipv4(domain)
def get_common_server(self):
data = {
'public_address': None,
'private_address': None,
'service_net_name_or_ip': self.get_config_option(
'service_net_name_or_ip'),
'tenant_net_name_or_ip': self.get_config_option(
'tenant_net_name_or_ip'),
}
data['instance'] = self.compute_api.server_get_by_name_or_id(
self.admin_context,
self.get_config_option('service_instance_name_or_id'))
if netaddr.valid_ipv4(data['service_net_name_or_ip']):
data['private_address'] = [data['service_net_name_or_ip']]
else:
data['private_address'] = self._get_addresses_by_network_name(
data['service_net_name_or_ip'], data['instance'])
if netaddr.valid_ipv4(data['tenant_net_name_or_ip']):
data['public_address'] = [data['tenant_net_name_or_ip']]
else:
data['public_address'] = self._get_addresses_by_network_name(
data['tenant_net_name_or_ip'], data['instance'])
if not (data['public_address'] and data['private_address']):
raise exception.ManilaException(
"Can not find one of net addresses for service instance. "
"Instance: %(instance)s, "
"private_address: %(private_address)s, "
"public_address: %(public_address)s." % data)
share_server = {
'username': self.get_config_option('service_instance_user'),
'password': self.get_config_option('service_instance_password'),
'pk_path': self.path_to_private_key,
'instance_id': data['instance']['id'],
}
for key in ('private_address', 'public_address'):
data[key + '_v4'] = None
for address in data[key]:
if netaddr.valid_ipv4(address):
data[key + '_v4'] = address
break
share_server['ip'] = data['private_address_v4']
share_server['public_address'] = data['public_address_v4']
return {'backend_details': share_server}
def _connect_tcp(self, peer_addr, conn_handler, time_out=None,
bind_address=None):
"""Creates a TCP connection to given peer address.
Tries to create a socket for `timeout` number of seconds. If
successful, uses the socket instance to start `client_factory`.
The socket is bound to `bind_address` if specified.
"""
LOG.debug('Connect TCP called for %s:%s' % (peer_addr[0],
peer_addr[1]))
if netaddr.valid_ipv4(peer_addr[0]):
family = socket.AF_INET
else:
family = socket.AF_INET6
with Timeout(time_out, socket.error):
sock = hub.connect(peer_addr, family=family, bind=bind_address)
if sock:
# Connection name for pro-active connection is made up
# of local end address + remote end address
conn_name = ('L: ' + str(sock.getsockname()) + ', R: ' +
str(sock.getpeername()))
self._asso_socket_map[conn_name] = sock
# If connection is established, we call connection handler
# in a new thread.
self._spawn(conn_name, conn_handler, sock)
return sock
def prefix_add(self, prefix, next_hop=None, route_dist=None):
""" This method adds a new prefix to be advertized.
``prefix`` must be the string representation of an IP network
(e.g., 10.1.1.0/24).
``next_hop`` specifies the next hop address for this
prefix. This parameter is necessary for only VPNv4 and VPNv6
address families.
``route_dist`` specifies a route distinguisher value. This
parameter is necessary for only VPNv4 and VPNv6 address
families.
"""
func_name = 'network.add'
networks = {}
networks[PREFIX] = prefix
if next_hop:
networks[NEXT_HOP] = next_hop
if route_dist:
func_name = 'prefix.add_local'
networks[ROUTE_DISTINGUISHER] = route_dist
rf, p = self._check_rf_and_normalize(prefix)
networks[ROUTE_FAMILY] = rf
networks[PREFIX] = p
if rf == vrfs.VRF_RF_IPV6 and netaddr.valid_ipv4(next_hop):
# convert the next_hop to IPv4-Mapped IPv6 Address
networks[NEXT_HOP] = \
str(netaddr.IPAddress(next_hop).ipv6())
call(func_name, **networks)
def neighbor_add(self, address, remote_as,
enable_ipv4=DEFAULT_CAP_MBGP_IPV4,
enable_vpnv4=DEFAULT_CAP_MBGP_VPNV4,
enable_vpnv6=DEFAULT_CAP_MBGP_VPNV6,
next_hop=None, password=None, multi_exit_disc=None):
""" This method registers a new neighbor. The BGP speaker tries to
establish a bgp session with the peer (accepts a connection
from the peer and also tries to connect to it).
``address`` specifies the IP address of the peer. It must be
the string representation of an IP address. Only IP v4 is
supported now.
``remote_as`` specifies the AS number of the peer. It must be
an integer between 1 and 65535.
``enable_ipv4`` enables IPv4 address family for this
neighbor. The default is True.
``enable_vpnv4`` enables VPNv4 address family for this
neighbor. The default is False.
``enable_vpnv6`` enables VPNv6 address family for this
neighbor. The default is False.
``next_hop`` specifies the next hop IP address. If not
specified, host's ip address to access to a peer is used.
``password`` is used for the MD5 authentication if it's
specified. By default, the MD5 authenticaiton is disabled.
``multi_exit_disc`` specifies multi exit discriminator (MED) value.
The default is None and if not specified, MED value is
not sent to the neighbor. It must be an integer.
"""
bgp_neighbor = {}
bgp_neighbor[neighbors.IP_ADDRESS] = address
bgp_neighbor[neighbors.REMOTE_AS] = remote_as
bgp_neighbor[PEER_NEXT_HOP] = next_hop
bgp_neighbor[PASSWORD] = password
# v6 advertizement is available with only v6 peering
if netaddr.valid_ipv4(address):
bgp_neighbor[CAP_MBGP_IPV4] = enable_ipv4
bgp_neighbor[CAP_MBGP_IPV6] = False
bgp_neighbor[CAP_MBGP_VPNV4] = enable_vpnv4
bgp_neighbor[CAP_MBGP_VPNV6] = enable_vpnv6
elif netaddr.valid_ipv6(address):
bgp_neighbor[CAP_MBGP_IPV4] = False
bgp_neighbor[CAP_MBGP_IPV6] = True
bgp_neighbor[CAP_MBGP_VPNV4] = False
bgp_neighbor[CAP_MBGP_VPNV6] = False
else:
# FIXME: should raise an exception
pass
if multi_exit_disc:
bgp_neighbor[MULTI_EXIT_DISC] = multi_exit_disc
call('neighbor.create', **bgp_neighbor)
def is_ip(self, ip_addr=None):
"""
Return true if valid IP address return false if invalid IP address
:param ip_addr: optional IP to pass. Takes from root class if not specified
>>> from ipinformation import IPInformation
>>> print IPInformation(ip_address='8.8.8.8').is_ip()
True
>>> print IPInformation(ip_address='NotAnIP').is_ip()
False
"""
if not ip_addr:
ip_addr = self.ip_address
valid = True
if netaddr.valid_ipv4(ip_addr): # IPv4 Address
if not re.match(valid_ip_regex, ip_addr):
valid = False
elif netaddr.valid_ipv6(ip_addr):
pass
else:
# print '"%s" is not a valid IP Address.' %ip_addr
valid = False
return valid
def take_action(self, args):
configp = self.fetch_config(args)
instance_root = configp.get('slapos','instance_root')
master_url = urlparse(configp.get('slapos','master_url'))
master_hostname = master_url.hostname
# Check that we have IPv6 ready
if configp.has_option('slapformat', 'ipv6_interface'):
ipv6_interface = configp.get('slapformat', 'ipv6_interface')
else:
ipv6_interface = configp.get('slapformat', 'interface_name')
_waitIpv6Ready(ipv6_interface)
# Check that node can ping master
if valid_ipv4(master_hostname):
_test_ping(master_hostname)
elif valid_ipv6(master_hostname):
_test_ping6(master_hostname)
else:
# hostname
_ping_hostname(master_hostname)
app = SlapOSApp()
# Make sure slapos node format returns ok
while not _runFormat(app):
print("[BOOT] [ERROR] Fail to format, try again in 15 seconds...")
sleep(15)
# Make sure slapos node bang returns ok
while not _runBang(app):
print("[BOOT] [ERROR] Fail to bang, try again in 15 seconds...")
sleep(15)
_removeTimestamp(instance_root)
def _get_address_groups(self, context, network_id, device_id, is_proxy):
filters = {'network_id': [network_id],
'device_id': [device_id]}
ports = self.nsxv_plugin.get_ports(context, filters=filters)
subnets = self.nsxv_plugin.get_subnets(context, filters=filters)
address_groups = []
for subnet in subnets:
address_group = {}
net = netaddr.IPNetwork(subnet['cidr'])
address_group['subnetMask'] = str(net.netmask)
address_group['subnetPrefixLength'] = str(net.prefixlen)
for port in ports:
fixed_ips = port['fixed_ips']
for fip in fixed_ips:
s_id = fip['subnet_id']
ip_addr = fip['ip_address']
if s_id == subnet['id'] and netaddr.valid_ipv4(ip_addr):
address_group['primaryAddress'] = ip_addr
break
# For Edge appliances which aren't the metadata proxy Edge
# we add the metadata IP address
if not is_proxy and network_id == self.internal_net:
address_group['secondaryAddresses'] = {
'type': 'secondary_addresses',
'ipAddress': [METADATA_IP_ADDR]}
address_groups.append(address_group)
return address_groups
def create_connection(address):
"""
Wrapper for socket.create_connection() function.
If *address* (a 2-tuple ``(host, port)``) contains a valid IPv4/v6
address, passes *address* to socket.create_connection().
If *host* is valid path to Unix Domain socket, tries to connect to
the server listening on the given socket.
:param address: IP address or path to Unix Domain socket.
:return: Socket instance.
"""
host, _port = address
if (netaddr.valid_ipv4(host)
or netaddr.valid_ipv6(host)):
return socket.create_connection(address)
elif os.path.exists(host):
sock = None
try:
sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
sock.connect(host)
except socket.error as e:
if sock is not None:
sock.close()
raise e
return sock
else:
raise ValueError('Invalid IP address or Unix Socket: %s' % host)
def _connect_tcp(self, peer_addr, conn_handler, time_out=None,
bind_address=None, password=None):
"""Creates a TCP connection to given peer address.
Tries to create a socket for `timeout` number of seconds. If
successful, uses the socket instance to start `client_factory`.
The socket is bound to `bind_address` if specified.
"""
LOG.debug('Connect TCP called for %s:%s', peer_addr[0], peer_addr[1])
if netaddr.valid_ipv4(peer_addr[0]):
family = socket.AF_INET
else:
family = socket.AF_INET6
with Timeout(time_out, socket.error):
sock = socket.socket(family)
if bind_address:
sock.bind(bind_address)
if password:
sockopt.set_tcp_md5sig(sock, peer_addr[0], password)
sock.connect(peer_addr)
# socket.error exception is raised in case of timeout and
# the following code is executed only when the connection
# is established.
# Connection name for pro-active connection is made up of
# local end address + remote end address
local = self.get_localname(sock)[0]
remote = self.get_remotename(sock)[0]
conn_name = ('L: ' + local + ', R: ' + remote)
self._asso_socket_map[conn_name] = sock
# If connection is established, we call connection handler
# in a new thread.
self._spawn(conn_name, conn_handler, sock)
return sock
def get_ipv6_addr_by_EUI64(prefix, mac):
"""Calculate IPv6 address using EUI-64 specification.
This method calculates the IPv6 address using the EUI-64
addressing scheme as explained in rfc2373.
:param prefix: IPv6 prefix.
:param mac: IEEE 802 48-bit MAC address.
:returns: IPv6 address on success.
:raises ValueError, TypeError: For any invalid input.
.. versionadded:: 1.4
"""
# Check if the prefix is an IPv4 address
if netaddr.valid_ipv4(prefix):
msg = _("Unable to generate IP address by EUI64 for IPv4 prefix")
raise ValueError(msg)
try:
eui64 = int(netaddr.EUI(mac).eui64())
prefix = netaddr.IPNetwork(prefix)
return netaddr.IPAddress(prefix.first + eui64 ^ (1 << 57))
except (ValueError, netaddr.AddrFormatError):
raise ValueError(_('Bad prefix or mac format for generating IPv6 '
'address by EUI-64: %(prefix)s, %(mac)s:')
% {'prefix': prefix, 'mac': mac})
except TypeError:
raise TypeError(_('Bad prefix type for generating IPv6 address by '
'EUI-64: %s') % prefix)
def add_to_global_table(self, prefix, nexthop=None,
is_withdraw=False):
src_ver_num = 1
peer = None
# set mandatory path attributes
origin = BGPPathAttributeOrigin(BGP_ATTR_ORIGIN_IGP)
aspath = BGPPathAttributeAsPath([[]])
pathattrs = OrderedDict()
pathattrs[BGP_ATTR_TYPE_ORIGIN] = origin
pathattrs[BGP_ATTR_TYPE_AS_PATH] = aspath
net = netaddr.IPNetwork(prefix)
ip = str(net.ip)
masklen = net.prefixlen
if netaddr.valid_ipv4(ip):
_nlri = IPAddrPrefix(masklen, ip)
if nexthop is None:
nexthop = '0.0.0.0'
p = Ipv4Path
else:
_nlri = IP6AddrPrefix(masklen, ip)
if nexthop is None:
nexthop = '::'
p = Ipv6Path
new_path = p(peer, _nlri, src_ver_num,
pattrs=pathattrs, nexthop=nexthop,
is_withdraw=is_withdraw)
# add to global ipv4 table and propagates to neighbors
self.learn_path(new_path)
def __init__(self, ip):
"""Use the avahi (zeroconfig) tools or dig to find a host name given an
ip address.
in: ip
out: string w/ host name or 'unknown' if the host name couldn't be found
"""
# handle invalid ip address
if not valid_ipv4(ip):
print('Error: the IPv4 address {} is invalid'.format(ip))
return
# handle a localhost ip address
if ip == '127.0.0.1':
# self.name = platform.node()
self.name = socket.gethostname()
return
# ok, now do more complex stuff
name = 'unknown'
if sys.platform == 'linux' or sys.platform == 'linux2':
name = self.command("avahi-resolve-address {} | awk '{print $2}'".format(ip)).rstrip().rstrip('.')
elif sys.platform == 'darwin':
name = self.command('dig +short -x {} -p 5353 @224.0.0.251'.format(ip)).rstrip().rstrip('.')
# detect any remaining errors
if name.find('connection timed out') >= 0: name = 'unknown'
if name == '': name = 'unknown'
self.name = name
def _handle_host_snat_ip(self, host_snat_ips):
for hsi in host_snat_ips:
LOG.debug(_("Auto-allocated host SNAT IP: %s"), hsi)
es = hsi.get('external_segment_name')
if not es:
continue
nh = self.ext_seg_next_hop.setdefault(es, ExtSegNextHopInfo(es))
if nh.from_config:
continue # ignore auto-allocation if manually set
ip = hsi.get('host_snat_ip')
gw = ("%s/%s" % (hsi['gateway_ip'], hsi['prefixlen'])
if (hsi.get('gateway_ip') and hsi.get('prefixlen')) else None)
updated = False
if netaddr.valid_ipv4(ip):
if ip != nh.ip_start or gw != nh.ip_gateway:
nh.ip_start = ip
nh.ip_gateway = gw
updated = True
elif netaddr.valid_ipv6(ip):
if ip != nh.ip6_start or gw != nh.ip6_gateway:
nh.ip6_start = ip
nh.ip6_gateway = gw
updated = True
else:
LOG.info(_("Ignoring invalid auto-allocated SNAT IP %s"), ip)
if updated:
# Clear the interface so that SNAT iptables will be
# re-created as required; leave MAC as is so that it will
# be re-used
nh.next_hop_iface = None
LOG.info(_("Add/update SNAT info: %s"), nh)
def validate_config(options):
config = ConfigParser.ConfigParser()
config.readfp(options.config)
if not config.has_section(options.env):
error("Environment {} does not exist in file {}".format(options.env, options.config.name))
env = dict(config.items(options.env))
if not valid_mac(env["fuel_mac"]):
error("Wrong MAC address for Fuel node: {}".format(env["fuel_mac"]))
for key in ["fuel_ip", "fuel_netmask", "fuel_gw", "fuel_control_ip"]:
if not valid_ipv4(env[key]):
error("Wrong IP address ({}) for {} parameter".format(env[key], key))
ip = IPNetwork(env["fuel_ip"] + "/" + env["fuel_netmask"])
gw = IPAddress(env["fuel_gw"])
if gw not in ip:
error("Gateway address is not within network range")
for path in [
env["image_mount_dir"],
env["ks_files_dir"],
env["ks_patch"],
env["pxe_config_dir"],
env["esxi_private_key_file"],
]:
if not os.path.exists(path):
error("Path {} does not exist or is not accessible".format(path))
env["pxe_config_file"] = os.path.join(env["pxe_config_dir"], "01-{}".format(env["fuel_mac"].replace(":", "-")))
return env
def create_bgp_peer(self, context, bgp_peer):
bgp_peer = bgp_peer['bgp_peer']
remote_ip = bgp_peer['peer_ip']
if not netaddr.valid_ipv4(remote_ip):
err_msg = _("NSXv BGP does not support for IPv6")
raise n_exc.InvalidInput(error_message=err_msg)
self._validate_bgp_configuration_on_peer_esg(bgp_peer)
def __init__(self, iface, mode, ip=None, netmask="255.255.255.0",
network=None,
broadcast=None, gateway=None, nameserver=None, options=None):
"""
Creates a new interface object
:param iface: The name of the interface (lo, br0, eth0, eth1)
:param mode: can bee loopback, manual, dhcp, static
:param ip: The IP Address of the interface
:type ip: basestring
:param netmask: The netmask of the interface
:param network: The network of the interface. If omitted it will be
calculated from IP and netmask
:param broadcast: The broadcast of the interface. If omitted it will be
calculated from UP and netmask
:param gateway: The gateway
:param nameserver: list of nameserver
:type param: basestring
:return: an interface object
"""
self.options = options or []
self.iface = iface
self.mode = mode
if self.mode not in ["auto", "manual", "dhcp", "static"]:
raise Exception("No valid mode. Valid modes are 'auto', "
"'manual', 'dhcp' or 'static'.")
self.ip = ip
self.netmask = netmask
self.network = network
self.broadcast = broadcast
self.gateway = gateway
self.nameserver = (nameserver or "").split()
if ip and netmask:
if not netaddr.valid_ipv4(ip):
raise Exception("IP no valid IPv4 address.")
network_object = netaddr.IPNetwork("%s/%s" % (ip, netmask))
self.ip = ip
self.netmask = netmask
self.broadcast = self.broadcast or str(network_object.broadcast)
self.network = self.network or str(network_object.network)
if self.gateway:
if not netaddr.valid_ipv4(self.gateway):
raise Exception("Gateway no valid IPv4 address")
for ns in self.nameserver:
if not netaddr.valid_ipv4(ns):
raise Exception("Nameserver no valid IPv4 address")
def validate_ip_addr(ip_addr):
if netaddr.valid_ipv4(ip_addr):
return lib_consts.IP_VERSION_4
elif netaddr.valid_ipv6(ip_addr):
return lib_consts.IP_VERSION_6
else:
raise bgp_driver_exc.InvalidParamType(param=ip_addr,
param_type='ip-address')
def is_valid_ip_address(ip_address, ip_version):
if int(ip_version) == 4:
return netaddr.valid_ipv4(ip_address)
elif int(ip_version) == 6:
return netaddr.valid_ipv6(ip_address)
else:
raise exception.ManilaException(
_("Provided improper IP version '%s'.") % ip_version)
def isIP(ip):
try:
if netaddr.valid_ipv4(ip,flags=netaddr.INET_PTON) or netaddr.valid_ipv6(ip,flags=netaddr.INET_PTON):
return True
else:
return False
except:
return False
def updateMongoWithESEvents(mozdefdb, results):
attackers = mozdefdb["attackers"]
for r in results:
if "sourceipaddress" in r["_source"]["details"]:
if netaddr.valid_ipv4(r["_source"]["details"]["sourceipaddress"]):
sourceIP = netaddr.IPNetwork(r["_source"]["details"]["sourceipaddress"])
# expand it to a /24 CIDR
# todo: lookup ipwhois for asn_cidr value
# potentially with a max mask value (i.e. asn is /8, limit attackers to /24)
sourceIP.prefixlen = 24
if not sourceIP.ip.is_loopback() and not sourceIP.ip.is_private() and not sourceIP.ip.is_reserved():
esrecord = dict(
documentid=r["_id"],
documenttype=r["_type"],
documentindex=r["_index"],
documentsource=r["_source"],
)
logger.debug("searching for " + str(sourceIP))
# attacker = attackers.find_one({'events.details.sourceipaddress': str(sourceIP.ip)})
attacker = attackers.find_one({"indicators.ipv4address": str(sourceIP)})
if attacker is None:
# new attacker
# generate a meteor-compatible ID
# save the ES document type, index, id
# and add a sub list for future events
logger.debug("new attacker")
newAttacker = genNewAttacker()
# expand the source ip to a /24 for the indicator match.
sourceIP.prefixlen = 24
# str sourceIP to get the ip/cidr rather than netblock cidr.
newAttacker["indicators"].append(dict(ipv4address=str(sourceIP)))
newAttacker["events"].append(esrecord)
newAttacker["eventscount"] = len(newAttacker["events"])
attackers.insert(newAttacker)
updateAttackerGeoIP(mozdefdb, newAttacker["_id"], esrecord["documentsource"])
else:
# if event not present in this attackers events
# append this to the list of events
# todo: trim the list at X (i.e. last 100 events)
matchingevent = attackers.find_one(
{
"_id": attacker["_id"],
"events.documentid": r["_id"],
"events.documenttype": r["_type"],
"events.documentindex": r["_index"],
}
)
if matchingevent is None:
attacker["events"].append(esrecord)
attacker["eventscount"] = len(attacker["events"])
logger.debug("new event found for matching attacker")
attacker["lastseentimestamp"] = attacker["events"][-1]["documentsource"]["utctimestamp"]
attackers.save(attacker)
# geo ip could have changed, update it
updateAttackerGeoIP(mozdefdb, attacker["_id"], esrecord["documentsource"])
def handle(self, *args, **options):
print '=====SPARCS SSO USER INSPECTION TOOL====='
print 'OPTIONS: uid=%s, sid=%s, email=%s, ip=%s' \
% (options['uid'], options['sid'], options['email'], options['ip'])
print ''
if options['ip']:
ip = options['ip']
print '> INSPECT LOG WHERE IP=%s' % ip
if not netaddr.valid_ipv4(ip, netaddr.INET_PTON):
print '>> INVAILD IP'
return
target = '(' + ip + ','
elif options['uid'] or options['sid'] or options['email']:
if options['uid']:
print '> FIND USER WHERE uid=%s' % options['uid']
users = User.objects.filter(username__contains=options['uid'])
elif options['sid']:
print '> FIND USER WHERE sid=%s' % options['sid']
users = User.objects.filter(services__sid__contains=options['sid'])
elif options['email']:
print '> FIND USER WHERE email=%s' % options['email']
users = User.objects.filter(email__contains=options['email'])
if len(users) > 100:
print '>> TOO MANY USER'
return
elif not users:
print '>> NO USER'
return
for user in users:
print '>> USER: uid=%s, first_name=%s, last_name=%s, email=%s' \
% (user.username, user.first_name, user.last_name, user.email)
if len(users) != 1:
return
user = users[0]
print '> INSPECT LOG EXACT uid=%s' % user.username
target = user.username + ')'
else:
print '> NO TARGET SPECIFIED'
return
log_base = settings.LOGGING['handlers']['file']['filename']
log_ext = ['5', '4', '3', '2', '1', '']
for ext in log_ext:
log_name = log_base + ext
if not os.path.isfile(log_name):
continue
with open(log_name, 'r') as f:
for line in f:
if target in line:
print line.strip()
def __init__(self, buildout, name, options):
slap = slapos.slap.slap()
slap.initializeConnection(
options['url'],
options.get('key'),
options.get('cert'),
)
computer_partition = slap.registerComputerPartition(
options['computer'],
options['partition'],
)
parameter_dict = computer_partition.getInstanceParameterDict()
options['instance-state'] = computer_partition.getState()
# XXX: those are not partition parameters, strictly speaking.
# Make them available as individual section keys.
for his_key in (
'slap_software_type',
'slap_computer_partition_id',
'slap_computer_id',
'slap_software_release_url',
'slave_instance_list',
'timestamp',
):
try:
value = parameter_dict.pop(his_key)
except KeyError:
pass
else:
options[his_key.replace('_', '-')] = value
ipv4_set = set()
v4_add = ipv4_set.add
ipv6_set = set()
v6_add = ipv6_set.add
tap_set = set()
tap_add = tap_set.add
for tap, ip in parameter_dict.pop('ip_list'):
tap_add(tap)
if valid_ipv4(ip):
v4_add(ip)
elif valid_ipv6(ip):
v6_add(ip)
# XXX: emit warning on unknown address type ?
options['ipv4'] = ipv4_set
options['ipv6'] = ipv6_set
# also export single ip values for those recipes that don't support sets.
if ipv4_set:
options['ipv4-random'] = list(ipv4_set)[0].encode('UTF-8')
if ipv6_set:
options['ipv6-random'] = list(ipv6_set)[0].encode('UTF-8')
options['tap'] = tap_set
parameter_dict = self._expandParameterDict(options, parameter_dict)
match = self.OPTCRE_match
for key, value in parameter_dict.iteritems():
if match(key) is not None:
continue
options['configuration.' + key] = value
def general_info(self):
"""
Return IP in bits, ip_type (ie: private, multicast, loopback,etc..), time updated/returned and version for an IP Address
>>> from ipinformation import IPInformation
>>> from pprint import pprint
>>> pprint( IPInformation(ip_address='8.8.8.8').general_info() )
{'general': {'bits': '00001000000010000000100000001000',
'type': 'public',
'updated': datetime.datetime(2016, 1, 16, 18, 7, 4, 288512),
'version': '4'}}
>>> pprint( IPInformation(ip_address='127.0.0.1').general_info() )
{'general': {'bits': '01111111000000000000000000000001',
'type': 'loopback',
'updated': datetime.datetime(2016, 1, 16, 18, 10, 6, 729149),
'version': '4'}}
"""
data = {"general": {"bits": None, "type": None, "updated": None, "version": None}}
if not self.ISIP:
# print '"%s" is not a valid IP Address.' %self.ip_address
# logging_file.error( '"{0}" is not a valid IP Address.'.format(self.ip_address) )
return data
if netaddr.valid_ipv4(self.ip_address): # IPv4 Address
ip_version = "4"
data["general"].update({"version": ip_version})
ip_bits = (
netaddr.IPAddress(self.ip_address).bits().replace(".", "")
) # Set the IP bits for searching by subnet
data["general"].update({"bits": ip_bits})
ip_addr = netaddr.IPAddress(self.ip_address)
if ip_addr.is_private():
ip_type = "private"
elif ip_addr.is_multicast():
ip_type = "multicast"
elif ip_addr.is_loopback():
ip_type = "loopback"
elif ip_addr.is_netmask():
ip_type = "netmask"
elif ip_addr.is_reserved():
ip_type = "reserved"
elif ip_addr.is_link_local():
ip_type = "link_local"
elif ip_addr.is_unicast():
ip_type = "public"
else: # Unknown Type
ip_type = "unknown"
logging_file.error('"{0}" is an unknown IP Address.'.format(self.ip_address))
elif netaddr.valid_ipv6(self.ip_address): # IPv6 Address#TODO:Finish IPv6
ip_version = "6"
print "Is IPv6"
return False
data["general"].update({"type": ip_type})
data["general"].update({"updated": datetime.utcnow()})
return data
def _set_password(self, address, password):
if netaddr.valid_ipv4(address):
family = socket.AF_INET
else:
family = socket.AF_INET6
for sock in self.listen_sockets.values():
if sock.family == family:
sockopt.set_tcp_md5sig(sock, address, password)
def _parse_hosts(self, hosts):
"""Parses the list of hosts and creates corresponding objects."""
ip_list = [str(ip) for ip in list(netaddr.IPNetwork(hosts))]
if netaddr.valid_ipv4(ip_list[0]):
self.inet = socket.AF_INET
elif netaddr.valid_ipv6(ip_list[0]):
self.inet = socket.AF_INET6
return [Host(ip, self.ports) for ip in ip_list]
def check_host(host, allow_localhost=config.ALLOW_CONNECT_LOCALHOST,
allow_private=config.ALLOW_CONNECT_PRIVATE):
"""Check if a given host is a valid DNS name or IPv4 address"""
try:
ipaddr = socket.gethostbyname(host)
except UnicodeEncodeError:
raise MistError('Please provide a valid DNS name')
except socket.gaierror:
raise MistError("Not a valid IP address or resolvable DNS name: '%s'."
% host)
if host != ipaddr:
msg = "Host '%s' resolves to '%s' which" % (host, ipaddr)
else:
msg = "Host '%s'" % host
if not netaddr.valid_ipv4(ipaddr):
raise MistError(msg + " is not a valid IPv4 address.")
forbidden_subnets = {
'0.0.0.0/8': "used for broadcast messages to the current network",
'100.64.0.0/10': ("used for communications between a service provider "
"and its subscribers when using a "
"Carrier-grade NAT"),
'169.254.0.0/16': ("used for link-local addresses between two hosts "
"on a single link when no IP address is otherwise "
"specified"),
'192.0.0.0/24': ("used for the IANA IPv4 Special Purpose Address "
"Registry"),
'192.0.2.0/24': ("assigned as 'TEST-NET' for use solely in "
"documentation and example source code"),
'192.88.99.0/24': "used by 6to4 anycast relays",
'198.18.0.0/15': ("used for testing of inter-network communications "
"between two separate subnets"),
'198.51.100.0/24': ("assigned as 'TEST-NET-2' for use solely in "
"documentation and example source code"),
'203.0.113.0/24': ("assigned as 'TEST-NET-3' for use solely in "
"documentation and example source code"),
'224.0.0.0/4': "reserved for multicast assignments",
'240.0.0.0/4': "reserved for future use",
'255.255.255.255/32': ("reserved for the 'limited broadcast' "
"destination address"),
}
if not allow_localhost:
forbidden_subnets['127.0.0.0/8'] = ("used for loopback addresses "
"to the local host")
if not allow_private:
for cidr in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'):
forbidden_subnets[cidr] = ("used for local communications "
"within a private network")
cidr = netaddr.smallest_matching_cidr(ipaddr, forbidden_subnets.keys())
if cidr:
raise MistError("%s is not allowed. It belongs to '%s' "
"which is %s." % (msg, cidr,
forbidden_subnets[str(cidr)]))
def all_link_data(self,
flags: MessageFlags = MessageFlags.NONE
) -> List[LinkData]:
"""
Build link data objects for this network. Each link object describes a link
between this network and a node.
:param flags: message type
:return: list of link data
"""
all_links = []
# build a link message from this network node to each node having a
# connected interface
for netif in self.netifs(sort=True):
if not hasattr(netif, "node"):
continue
linked_node = netif.node
uni = False
if linked_node is None:
# two layer-2 switches/hubs linked together via linknet()
if not hasattr(netif, "othernet"):
continue
linked_node = netif.othernet
if linked_node.id == self.id:
continue
netif.swapparams("_params_up")
upstream_params = netif.getparams()
netif.swapparams("_params_up")
if netif.getparams() != upstream_params:
uni = True
unidirectional = 0
if uni:
unidirectional = 1
interface2_ip4 = None
interface2_ip4_mask = None
interface2_ip6 = None
interface2_ip6_mask = None
for address in netif.addrlist:
ip, _sep, mask = address.partition("/")
mask = int(mask)
if netaddr.valid_ipv4(ip):
interface2_ip4 = ip
interface2_ip4_mask = mask
else:
interface2_ip6 = ip
interface2_ip6_mask = mask
link_data = LinkData(
message_type=flags,
node1_id=self.id,
node2_id=linked_node.id,
link_type=self.linktype,
unidirectional=unidirectional,
interface2_id=linked_node.getifindex(netif),
interface2_mac=netif.hwaddr,
interface2_ip4=interface2_ip4,
interface2_ip4_mask=interface2_ip4_mask,
interface2_ip6=interface2_ip6,
interface2_ip6_mask=interface2_ip6_mask,
delay=netif.getparam("delay"),
bandwidth=netif.getparam("bw"),
dup=netif.getparam("duplicate"),
jitter=netif.getparam("jitter"),
per=netif.getparam("loss"),
)
all_links.append(link_data)
if not uni:
continue
netif.swapparams("_params_up")
link_data = LinkData(
message_type=MessageFlags.NONE,
node1_id=linked_node.id,
node2_id=self.id,
link_type=self.linktype,
unidirectional=1,
delay=netif.getparam("delay"),
bandwidth=netif.getparam("bw"),
dup=netif.getparam("duplicate"),
jitter=netif.getparam("jitter"),
per=netif.getparam("loss"),
)
netif.swapparams("_params_up")
all_links.append(link_data)
return all_links
def regexIP(self, ip):
if valid_ipv4(str(ip)):
return True
return False
def searchMongoAlerts(mozdefdb):
attackers = mozdefdb['attackers']
alerts = mozdefdb['alerts']
# search the last X alerts for IP addresses
# aggregated by CIDR mask/24
# aggregate IPv4 addresses in the most recent alerts
# to find common attackers.
ipv4TopHits = alerts.aggregate([
{
"$sort": {
"utcepoch": -1
}
}, # reverse sort the current alerts
{
"$limit": 100
}, #most recent 100
{
"$match": {
"events.documentsource.details.sourceipaddress": {
"$exists": True
}
}
}, # must have an ip address
{
"$match": {
"attackerid": {
"$exists": False
}
}
}, # must not be already related to an attacker
{
"$group": {
"_id": {
"ipaddress":
"$events.documentsource.details.sourceipaddress"
}
}
}, # grab ip address from the events
{
"$unwind": "$_id.ipaddress"
}, # separate all ips from their alerts
{
"$group": {
"_id": "$_id.ipaddress",
"hitcount": {
"$sum": 1
}
}
}, # count by ip
{
"$match": {
"hitcount": {
"$gt": 10
}
}
}, # limit to those with 10 observances
{
"$sort": SON([("hitcount", -1), ("_id", -1)])
}, # sort
{
"$limit": 10
} # top 10
])
for ip in ipv4TopHits['result']:
if netaddr.valid_ipv4(ip['_id']):
ipcidr = netaddr.IPNetwork(ip['_id'])
# expand it to a /24 CIDR
# todo: lookup ipwhois for asn_cidr value
# potentially with a max mask value (i.e. asn is /8, limit attackers to /24)
ipcidr.prefixlen = 24
# append to or create attacker.
# does this match an existing attacker's indicators
if not ipcidr.ip.is_loopback() and not ipcidr.ip.is_private(
) and not ipcidr.ip.is_reserved():
logger.debug('searching for alert ip ' + str(ipcidr))
attacker = attackers.find_one(
{'indicators.ipv4address': str(ipcidr)})
if attacker is None:
# new attacker
# generate a meteor-compatible ID
# save the ES document type, index, id
# and add a sub list for future events
logger.debug('new attacker from alerts')
newAttacker = genNewAttacker()
# str to get the ip/cidr rather than netblock cidr.
# i.e. '1.2.3.4/24' not '1.2.3.0/24'
newAttacker['indicators'].append(
dict(ipv4address=str(ipcidr)))
matchingalerts = alerts.find({
"events.documentsource.details.sourceipaddress":
str(ipcidr.ip),
})
if matchingalerts is not None:
# update list of alerts this attacker matched.
for alert in matchingalerts:
newAttacker['alerts'].append(
dict(alertid=alert['_id']))
# update alert with attackerID
alert['attackerid'] = newAttacker['_id']
alerts.save(alert)
#add the events from this alert:
#add the events from this alert:
for e in alert['events']:
newAttacker['events'].append(e)
newAttacker['alertscount'] = len(newAttacker['alerts'])
newAttacker['eventscount'] = len(newAttacker['events'])
if newAttacker['eventscount'] > 0:
newAttacker['lastseentimestamp'] = toUTC(
newAttacker['events'][-1]['documentsource']
['utctimestamp'], 'UTC')
attackers.insert(newAttacker)
#upate geoIP info
latestGeoIP = [
a['events'] for a in alerts.find({
"events.documentsource.details.sourceipaddress":
str(ipcidr.ip),
})
][-1][0]['documentsource']
updateAttackerGeoIP(mozdefdb, newAttacker['_id'],
latestGeoIP)
else:
logger.debug('found existing attacker in alerts')
# if alert not present in this attackers list
# append this to the list
# todo: trim the list at X (i.e. last 100)
# search alerts without attackerid
matchingalerts = alerts.find({
"events.documentsource.details.sourceipaddress":
str(ipcidr.ip),
"attackerid": {
"$exists": False
}
})
if matchingalerts is not None:
#attacker['eventscount'] = len(attacker['events'])
logger.debug('matched alert with attacker')
# update list of alerts this attacker matched.
for alert in matchingalerts:
attacker['alerts'].append(
dict(alertid=alert['_id']))
# update alert with attackerID
alert['attackerid'] = attacker['_id']
alerts.save(alert)
#add the events from this alert:
for e in alert['events']:
attacker['events'].append(e)
# geo ip could have changed, update it
# to the latest
updateAttackerGeoIP(
mozdefdb, attacker['_id'],
alert['events'][-1]['documentsource'])
# update last seen time
attacker['lastseentimestamp'] = toUTC(
attacker['events'][-1]['documentsource']
['utctimestamp'], 'UTC')
# update counts
attacker['alertscount'] = len(attacker['alerts'])
attacker['eventscount'] = len(attacker['events'])
attackers.save(attacker)
def click_add_ip4(self) -> None:
ip4 = self.ip4_entry.get()
if not ip4 or not netaddr.valid_ipv4(ip4):
messagebox.showerror("IPv4 Error", f"Invalid IPv4 {ip4}")
else:
self.ip4_listbox.listbox.insert(tk.END, ip4)
def is_valid_ipv4(address):
"""Verify that address represents a valid IPv4 address."""
try:
return netaddr.valid_ipv4(address)
except Exception:
return False
def valid_ip_address(addr):
if not netaddr.valid_ipv4(addr) and not netaddr.valid_ipv6(addr):
return False
return True
def check(self, args):
"""Validate that all fields have valid values and sanity checks."""
# Get field information
responses = dict()
self.parent.footer.set_text("Checking data...")
for index, fieldname in enumerate(self.fields):
if fieldname == "blank" or fieldname == "ifname":
pass
elif fieldname == "bootproto":
rb_group = self.edits[index].rb_group
if rb_group[0].state:
responses["bootproto"] = "none"
else:
responses["bootproto"] = "dhcp"
elif fieldname == "onboot":
rb_group = self.edits[index].rb_group
if rb_group[0].state:
responses["onboot"] = "yes"
else:
responses["onboot"] = "no"
else:
responses[fieldname] = self.edits[index].get_edit_text()
# Validate each field
errors = []
# Check for the duplicate IP provided
for k, v in six.iteritems(self.netsettings):
if (k != self.activeiface and responses["ipaddr"] != ''
and responses["ipaddr"] == v.get('addr')):
errors.append("The same IP address {0} is assigned for "
"interfaces '{1}' and '{2}'.".format(
responses["ipaddr"], k, self.activeiface))
break
if responses["onboot"] == "no":
numactiveifaces = 0
for iface in self.netsettings:
if self.netsettings[iface]['addr'] != "":
numactiveifaces += 1
if numactiveifaces < 2 and \
self.netsettings[self.activeiface]['addr'] != "":
# Block user because puppet l23network fails if all interfaces
# are disabled.
errors.append("Cannot disable all interfaces.")
elif responses["bootproto"] == "dhcp":
self.parent.footer.set_text("Scanning for DHCP servers. "
"Please wait...")
self.parent.refreshScreen()
try:
dhcptimeout = 5
dhcp_server_data = network.search_external_dhcp(
self.activeiface, dhcptimeout)
except network.NetworkException:
self.log.warning("dhcp_checker failed to check on %s" %
self.activeiface)
dhcp_server_data = []
if len(dhcp_server_data) < 1:
errors.append("No DHCP servers found. Cannot enable DHCP")
# Check ipaddr, netmask, gateway only if static
elif responses["bootproto"] == "none":
try:
if netaddr.valid_ipv4(responses["ipaddr"]):
if not netaddr.IPAddress(responses["ipaddr"]):
raise BadIPException("Not a valid IP address")
else:
raise BadIPException("Not a valid IP address")
except (BadIPException, Exception):
errors.append("Not a valid IP address: %s" %
responses["ipaddr"])
try:
if netaddr.valid_ipv4(responses["netmask"]):
netmask = netaddr.IPAddress(responses["netmask"])
if netmask.is_netmask is False:
raise BadIPException("Not a valid IP address")
else:
raise BadIPException("Not a valid IP address")
except (BadIPException, Exception):
errors.append("Not a valid netmask: %s" % responses["netmask"])
try:
if len(responses["gateway"]) > 0:
# Check if gateway is valid
if netaddr.valid_ipv4(responses["gateway"]) is False:
raise BadIPException("Gateway IP address is not valid")
# Check if gateway is in same subnet
if network.inSameSubnet(responses["ipaddr"],
responses["gateway"],
responses["netmask"]) is False:
raise BadIPException("Gateway IP is not in same "
"subnet as IP address")
except (BadIPException, Exception) as e:
errors.append(e)
self.parent.footer.set_text("Scanning for duplicate IP address..")
if len(responses["ipaddr"]) > 0:
if self.netsettings[self.activeiface]['link'].upper() != "UP":
try:
network.upIface(self.activeiface)
except NetworkException as e:
errors.append("Cannot activate {0} to check for "
"duplicate IP.".format(self.activeiface))
# Bind arping to requested IP if it's already assigned
assigned_ips = [
v.get('addr') for v in self.netsettings.itervalues()
]
arping_bind = responses["ipaddr"] in assigned_ips
if network.duplicateIPExists(responses["ipaddr"],
self.activeiface, arping_bind):
errors.append("Duplicate host found with IP {0}.".format(
responses["ipaddr"]))
if len(errors) > 0:
self.log.error("Errors: %s %s" % (len(errors), errors))
ModuleHelper.display_failed_check_dialog(self, errors)
return False
else:
self.parent.footer.set_text("No errors found.")
return responses
def all_link_data(self,
flags: MessageFlags = MessageFlags.NONE
) -> List[LinkData]:
"""
Build CORE API TLVs for a point-to-point link. One Link message
describes this network.
:param flags: message flags
:return: list of link data
"""
all_links = []
if len(self._netif) != 2:
return all_links
if1, if2 = self._netif.values()
unidirectional = 0
if if1.getparams() != if2.getparams():
unidirectional = 1
interface1_ip4 = None
interface1_ip4_mask = None
interface1_ip6 = None
interface1_ip6_mask = None
for address in if1.addrlist:
ip, _sep, mask = address.partition("/")
mask = int(mask)
if netaddr.valid_ipv4(ip):
interface1_ip4 = ip
interface1_ip4_mask = mask
else:
interface1_ip6 = ip
interface1_ip6_mask = mask
interface2_ip4 = None
interface2_ip4_mask = None
interface2_ip6 = None
interface2_ip6_mask = None
for address in if2.addrlist:
ip, _sep, mask = address.partition("/")
mask = int(mask)
if netaddr.valid_ipv4(ip):
interface2_ip4 = ip
interface2_ip4_mask = mask
else:
interface2_ip6 = ip
interface2_ip6_mask = mask
link_data = LinkData(
message_type=flags,
node1_id=if1.node.id,
node2_id=if2.node.id,
link_type=self.linktype,
unidirectional=unidirectional,
delay=if1.getparam("delay"),
bandwidth=if1.getparam("bw"),
per=if1.getparam("loss"),
dup=if1.getparam("duplicate"),
jitter=if1.getparam("jitter"),
interface1_id=if1.node.getifindex(if1),
interface1_name=if1.name,
interface1_mac=if1.hwaddr,
interface1_ip4=interface1_ip4,
interface1_ip4_mask=interface1_ip4_mask,
interface1_ip6=interface1_ip6,
interface1_ip6_mask=interface1_ip6_mask,
interface2_id=if2.node.getifindex(if2),
interface2_name=if2.name,
interface2_mac=if2.hwaddr,
interface2_ip4=interface2_ip4,
interface2_ip4_mask=interface2_ip4_mask,
interface2_ip6=interface2_ip6,
interface2_ip6_mask=interface2_ip6_mask,
)
all_links.append(link_data)
# build a 2nd link message for the upstream link parameters
# (swap if1 and if2)
if unidirectional:
link_data = LinkData(
message_type=MessageFlags.NONE,
link_type=self.linktype,
node1_id=if2.node.id,
node2_id=if1.node.id,
delay=if2.getparam("delay"),
bandwidth=if2.getparam("bw"),
per=if2.getparam("loss"),
dup=if2.getparam("duplicate"),
jitter=if2.getparam("jitter"),
unidirectional=1,
interface1_id=if2.node.getifindex(if2),
interface2_id=if1.node.getifindex(if1),
)
all_links.append(link_data)
return all_links
def get_private_ipv4(instance):
for addr in instance.networks['private']:
if netaddr.valid_ipv4(addr):
return addr
def parse(self, inventory, loader, path,
cache=True): # Plugin interface (2)
super(InventoryModule, self).parse(inventory, loader, path)
if not HAS_REQUESTS:
raise AnsibleParserError(
'Please install "requests" Python module as this is required'
' for ServiceNow dynamic inventory plugin.')
self._read_config_data(path)
self.cache_key = self.get_cache_key(path)
self.use_cache = self.get_option('cache') and cache
self.update_cache = self.get_option('cache') and not cache
selection = self.get_option('selection_order')
fields = self.get_option('fields')
table = self.get_option('table')
filter_results = self.get_option('filter_results')
options = "?sysparm_exclude_reference_link=true&sysparm_display_value=true"
enhanced = self.get_option('enhanced')
enhanced_groups = False
if enhanced:
path = '/api/snc/ansible_inventory' + options + \
"&sysparm_fields=" + ','.join(fields) + \
"&sysparm_query=" + filter_results + \
"&table=" + table
enhanced_groups = self.get_option('enhanced_groups')
else:
path = '/api/now/table/' + table + options + \
"&sysparm_fields=" + ','.join(fields) + \
"&sysparm_query=" + filter_results
content = self.invoke('GET', path, None)
strict = self.get_option('strict')
for record in content['result']:
target = None
# select name for host
for k in selection:
if k in record:
if record[k] != '':
target = record[k]
if target is not None:
break
if target is None:
continue
# add host to inventory
if netaddr.valid_ipv4(target) or netaddr.valid_ipv6(target):
host_name = self.inventory.add_host(target)
else:
host_name = self.inventory.add_host(to_safe_group_name(target))
# set variables for host
for k in record.keys():
self.inventory.set_variable(host_name, 'sn_%s' % k, record[k])
# add relationship based groups
if enhanced and enhanced_groups:
for item in record['child_relationships']:
ci = to_safe_group_name(item['ci'])
ci_rel_type = to_safe_group_name(
item['ci_rel_type'].split('__')[0])
ci_type = to_safe_group_name(item['ci_type'])
if ci != '' and ci_rel_type != '' and ci_type != '':
child_group = "%s_%s" % (ci, ci_rel_type)
self.inventory.add_group(child_group)
self.inventory.add_child(child_group, host_name)
for item in record['parent_relationships']:
ci = to_safe_group_name(item['ci'])
ci_rel_type = to_safe_group_name(
item['ci_rel_type'].split('__')[-1])
ci_type = to_safe_group_name(item['ci_type'])
if ci != '' and ci_rel_type != '' and ci_type != '':
child_group = "%s_%s" % (ci, ci_rel_type)
self.inventory.add_group(child_group)
self.inventory.add_child(child_group, host_name)
self._set_composite_vars(
self.get_option('compose'),
self.inventory.get_host(host_name).get_vars(), host_name,
strict)
self._add_host_to_composed_groups(self.get_option('groups'),
dict(), host_name, strict)
self._add_host_to_keyed_groups(self.get_option('keyed_groups'),
dict(), host_name, strict)
def _check_ipv4(self, address):
if not netaddr.valid_ipv4(address, netaddr.core.INET_PTON):
raise ValueError("%s is not an IPv4 address" % address)
def extract_ipv4s(self, ips):
ipv4s = [str(ip) for ip in ips if netaddr.valid_ipv4(ip)]
if not ipv4s:
self.fail("No IPV4 ip found")
return ipv4s
def valid_ip(self):
if valid_ipv4(self.targetname):
self.type = "IPv4"
return True
return False
def check(self, args):
"""Validates all fields have valid values and some sanity checks."""
self.parent.footer.set_text("Checking data...")
self.parent.refreshScreen()
# Refresh networking to make sure IP matches
self.getNetwork()
# Get field information
responses = dict()
for index, fieldname in enumerate(self.fields):
if fieldname != "blank" and "label" not in fieldname:
responses[fieldname] = self.edits[index].get_edit_text()
# Validate each field
errors = []
# Set internal_{ipaddress,netmask,interface}
responses["ADMIN_NETWORK/interface"] = self.activeiface
responses["ADMIN_NETWORK/netmask"] = self.netsettings[
self.activeiface]["netmask"]
responses["ADMIN_NETWORK/mac"] = self.netsettings[
self.activeiface]["mac"]
responses["ADMIN_NETWORK/ipaddress"] = self.netsettings[
self.activeiface]["addr"]
# ensure management interface is valid
if responses["ADMIN_NETWORK/interface"] not in self.netsettings.keys():
errors.append("Management interface not valid")
else:
self.parent.footer.set_text("Scanning for DHCP servers. \
Please wait...")
self.parent.refreshScreen()
try:
dhcptimeout = 5
dhcp_server_data = network.search_external_dhcp(
self.activeiface, dhcptimeout)
except network.NetworkException:
log.warning('DHCP scan failed.')
dhcp_server_data = []
num_dhcp = len(dhcp_server_data)
if num_dhcp == 0:
log.debug("No DHCP servers found")
else:
# Problem exists, but permit user to continue
log.error("%s foreign DHCP server(s) found: %s" %
(num_dhcp, dhcp_server_data))
# Build dialog elements
dhcp_info = []
dhcp_info.append(
urwid.Padding(urwid.Text(("header", "!!! WARNING !!!")),
"center"))
dhcp_info.append(
widget.TextLabel("You have selected an \
interface that contains one or more DHCP servers. This will impact \
provisioning. You should disable these DHCP servers before you continue, or \
else deployment will likely fail."))
dhcp_info.append(widget.TextLabel(""))
for index, dhcp_server in enumerate(dhcp_server_data):
dhcp_info.append(
widget.TextLabel("DHCP Server #%s:" % (index + 1)))
dhcp_info.append(
widget.TextLabel("IP address: %-10s" %
dhcp_server['server_ip']))
dhcp_info.append(
widget.TextLabel("MAC address: %-10s" %
dhcp_server['mac']))
dhcp_info.append(widget.TextLabel(""))
dialog.display_dialog(
self, urwid.Pile(dhcp_info),
"DHCP Servers Found on %s" % self.activeiface)
# Ensure pool start and end are on the same subnet as mgmt_if
# Ensure mgmt_if has an IP first
if len(self.netsettings[responses["ADMIN_NETWORK/interface"]]
["addr"]) == 0:
errors.append("Go to Interfaces to configure management \
interface first.")
else:
# Ensure ADMIN_NETWORK/interface is not running DHCP
if self.netsettings[responses["ADMIN_NETWORK/interface"]][
"bootproto"] == "dhcp":
errors.append("%s is running DHCP. Change it to static "
"first." % self.activeiface)
# Ensure DHCP Pool Start and DHCP Pool are valid IPs
try:
if netaddr.valid_ipv4(
responses["ADMIN_NETWORK/dhcp_pool_start"]):
dhcp_start = netaddr.IPAddress(
responses["ADMIN_NETWORK/dhcp_pool_start"])
if not dhcp_start:
raise BadIPException("Not a valid IP address")
else:
raise BadIPException("Not a valid IP address")
except Exception:
errors.append("Invalid IP address for DHCP Pool Start")
try:
if netaddr.valid_ipv4(
responses["ADMIN_NETWORK/dhcp_gateway"]):
dhcp_gateway = netaddr.IPAddress(
responses["ADMIN_NETWORK/dhcp_gateway"])
if not dhcp_gateway:
raise BadIPException("Not a valid IP address")
else:
raise BadIPException("Not a valid IP address")
except Exception:
errors.append("Invalid IP address for DHCP Gateway")
try:
if netaddr.valid_ipv4(
responses["ADMIN_NETWORK/dhcp_pool_end"]):
dhcp_end = netaddr.IPAddress(
responses["ADMIN_NETWORK/dhcp_pool_end"])
if not dhcp_end:
raise BadIPException("Not a valid IP address")
else:
raise BadIPException("Not a valid IP address")
except Exception:
errors.append("Invalid IP address for DHCP Pool end")
# Ensure pool start and end are in the same
# subnet of each other
netmask = self.netsettings[
responses["ADMIN_NETWORK/interface"]]["netmask"]
if not network.inSameSubnet(
responses["ADMIN_NETWORK/dhcp_pool_start"],
responses["ADMIN_NETWORK/dhcp_pool_end"], netmask):
errors.append("DHCP Pool start and end are not in the "
"same subnet.")
# Ensure pool start and end are in the right netmask
mgmt_if_ipaddr = self.netsettings[
responses["ADMIN_NETWORK/interface"]]["addr"]
if network.inSameSubnet(
responses["ADMIN_NETWORK/dhcp_pool_start"],
mgmt_if_ipaddr, netmask) is False:
errors.append("DHCP Pool start does not match management"
" network.")
if network.inSameSubnet(
responses["ADMIN_NETWORK/dhcp_pool_end"],
mgmt_if_ipaddr, netmask) is False:
errors.append("DHCP Pool end does not match management "
"network.")
if network.inSameSubnet(
responses["ADMIN_NETWORK/dhcp_gateway"],
mgmt_if_ipaddr, netmask) is False:
errors.append("DHCP Gateway does not match management "
"network.")
self.parent.footer.set_text("Scanning for duplicate IP address"
"es. Please wait...")
# Bind arping to mgmt_if_ipaddr if it assigned
assigned_ips = [
v.get('addr') for v in self.netsettings.itervalues()
]
arping_bind = mgmt_if_ipaddr in assigned_ips
if network.duplicateIPExists(mgmt_if_ipaddr, self.activeiface,
arping_bind):
errors.append("Duplicate host found with IP {0}.".format(
mgmt_if_ipaddr))
# Extra checks for post-deployment changes
if utils.is_post_deployment():
settings = self.parent.settings
# Admin interface cannot change
if self.activeiface != settings["ADMIN_NETWORK"]["interface"]:
errors.append("Cannot change admin interface after deployment")
# PXE network range must contain previous PXE network range
old_range = network.range(
settings["ADMIN_NETWORK"]["dhcp_pool_start"],
settings["ADMIN_NETWORK"]["dhcp_pool_end"])
new_range = network.range(
responses["ADMIN_NETWORK/dhcp_pool_start"],
responses["ADMIN_NETWORK/dhcp_pool_end"])
if old_range[0] not in new_range:
errors.append("DHCP range must contain previous values.")
if old_range[-1] not in new_range:
errors.append("DHCP range can only be increased after "
"deployment.")
if len(errors) > 0:
log.error("Errors: %s %s" % (len(errors), errors))
ModuleHelper.display_failed_check_dialog(self, errors)
return False
else:
self.parent.footer.set_text("No errors found.")
return responses
def neighbor_add(self,
address,
remote_as,
enable_ipv4=DEFAULT_CAP_MBGP_IPV4,
enable_vpnv4=DEFAULT_CAP_MBGP_VPNV4,
enable_vpnv6=DEFAULT_CAP_MBGP_VPNV6,
next_hop=None,
password=None,
multi_exit_disc=None,
site_of_origins=None,
is_route_server_client=False,
is_next_hop_self=False,
local_address=None,
local_port=None,
connect_mode=DEFAULT_CONNECT_MODE):
""" This method registers a new neighbor. The BGP speaker tries to
establish a bgp session with the peer (accepts a connection
from the peer and also tries to connect to it).
``address`` specifies the IP address of the peer. It must be
the string representation of an IP address. Only IP v4 is
supported now.
``remote_as`` specifies the AS number of the peer. It must be
an integer between 1 and 65535.
``enable_ipv4`` enables IPv4 address family for this
neighbor. The default is True.
``enable_vpnv4`` enables VPNv4 address family for this
neighbor. The default is False.
``enable_vpnv6`` enables VPNv6 address family for this
neighbor. The default is False.
``next_hop`` specifies the next hop IP address. If not
specified, host's ip address to access to a peer is used.
``password`` is used for the MD5 authentication if it's
specified. By default, the MD5 authenticaiton is disabled.
``multi_exit_disc`` specifies multi exit discriminator (MED) value.
The default is None and if not specified, MED value is
not sent to the neighbor. It must be an integer.
``site_of_origins`` specifies site_of_origin values.
This parameter must be a list of string.
``is_route_server_client`` specifies whether this neighbor is a
router server's client or not.
``is_next_hop_self`` specifies whether the BGP speaker announces
its own ip address to iBGP neighbor or not as path's next_hop address.
``connect_mode`` specifies how to connect to this neighbor.
CONNECT_MODE_ACTIVE tries to connect from us.
CONNECT_MODE_PASSIVE just listens and wait for the connection.
CONNECT_MODE_BOTH use both methods.
The default is CONNECT_MODE_BOTH
``local_address`` specifies Loopback interface address for
iBGP peering.
``local_port`` specifies source TCP port for iBGP peering.
"""
bgp_neighbor = {}
bgp_neighbor[neighbors.IP_ADDRESS] = address
bgp_neighbor[neighbors.REMOTE_AS] = remote_as
bgp_neighbor[PEER_NEXT_HOP] = next_hop
bgp_neighbor[PASSWORD] = password
bgp_neighbor[IS_ROUTE_SERVER_CLIENT] = is_route_server_client
bgp_neighbor[IS_NEXT_HOP_SELF] = is_next_hop_self
bgp_neighbor[CONNECT_MODE] = connect_mode
# v6 advertizement is available with only v6 peering
if netaddr.valid_ipv4(address):
bgp_neighbor[CAP_MBGP_IPV4] = enable_ipv4
bgp_neighbor[CAP_MBGP_IPV6] = False
bgp_neighbor[CAP_MBGP_VPNV4] = enable_vpnv4
bgp_neighbor[CAP_MBGP_VPNV6] = enable_vpnv6
elif netaddr.valid_ipv6(address):
bgp_neighbor[CAP_MBGP_IPV4] = False
bgp_neighbor[CAP_MBGP_IPV6] = True
bgp_neighbor[CAP_MBGP_VPNV4] = False
bgp_neighbor[CAP_MBGP_VPNV6] = False
else:
# FIXME: should raise an exception
pass
if multi_exit_disc:
bgp_neighbor[MULTI_EXIT_DISC] = multi_exit_disc
if site_of_origins:
bgp_neighbor[SITE_OF_ORIGINS] = site_of_origins
if local_address:
bgp_neighbor[LOCAL_ADDRESS] = local_address
if local_port:
bgp_neighbor[LOCAL_PORT] = local_port
call('neighbor.create', **bgp_neighbor)
def get_public_ipv4(instance):
for addr in instance.networks['public']:
if netaddr.valid_ipv4(addr):
return addr
def _check_both_versions(self, address):
if not (netaddr.valid_ipv4(address, netaddr.core.INET_PTON)
or netaddr.valid_ipv6(address, netaddr.core.INET_PTON)):
raise ValueError("%s is not IPv4 or IPv6 address" % address)
def updateMongoWithESEvents(mozdefdb, results):
attackers = mozdefdb['attackers']
for r in results:
if 'sourceipaddress' in r['_source']['details']:
if netaddr.valid_ipv4(r['_source']['details']['sourceipaddress']):
sourceIP = netaddr.IPNetwork(
r['_source']['details']['sourceipaddress'])
# expand it to a /24 CIDR
# todo: lookup ipwhois for asn_cidr value
# potentially with a max mask value (i.e. asn is /8, limit attackers to /24)
sourceIP.prefixlen = 24
if not sourceIP.ip.is_loopback(
) and not sourceIP.ip.is_private(
) and not sourceIP.ip.is_reserved():
esrecord = dict(documentid=r['_id'],
documenttype=r['_type'],
documentindex=r['_index'],
documentsource=r['_source'])
logger.debug('searching for ' + str(sourceIP))
#attacker = attackers.find_one({'events.details.sourceipaddress': str(sourceIP.ip)})
attacker = attackers.find_one(
{'indicators.ipv4address': str(sourceIP)})
if attacker is None:
# new attacker
# generate a meteor-compatible ID
# save the ES document type, index, id
# and add a sub list for future events
logger.debug('new attacker')
newAttacker = genNewAttacker()
#expand the source ip to a /24 for the indicator match.
sourceIP.prefixlen = 24
# str sourceIP to get the ip/cidr rather than netblock cidr.
newAttacker['indicators'].append(
dict(ipv4address=str(sourceIP)))
newAttacker['events'].append(esrecord)
newAttacker['eventscount'] = len(newAttacker['events'])
attackers.insert(newAttacker)
updateAttackerGeoIP(mozdefdb, newAttacker['_id'],
esrecord['documentsource'])
else:
# if event not present in this attackers events
# append this to the list of events
# todo: trim the list at X (i.e. last 100 events)
matchingevent = attackers.find_one({
'_id':
attacker['_id'],
'events.documentid':
r['_id'],
'events.documenttype':
r['_type'],
'events.documentindex':
r['_index']
})
if matchingevent is None:
attacker['events'].append(esrecord)
attacker['eventscount'] = len(attacker['events'])
logger.debug(
'new event found for matching attacker')
attacker['lastseentimestamp'] = attacker['events'][
-1]['documentsource']['utctimestamp']
attackers.save(attacker)
# geo ip could have changed, update it
updateAttackerGeoIP(mozdefdb, attacker['_id'],
esrecord['documentsource'])
def check(self, args):
"""Validate that all fields have valid values through sanity checks."""
self.parent.footer.set_text("Checking data...")
self.parent.refreshScreen()
#Get field information
responses = dict()
for index, fieldname in enumerate(self.fields):
if fieldname == "blank":
pass
else:
responses[fieldname] = self.edits[index].get_edit_text()
###Validate each field
errors = []
#hostname must be under 60 chars
if len(responses["HOSTNAME"]) >= 60:
errors.append("Hostname must be under 60 chars.")
#hostname must not be empty
if len(responses["HOSTNAME"]) == 0:
errors.append("Hostname must not be empty.")
#hostname needs to have valid chars
if re.search('[^a-z0-9-]', responses["HOSTNAME"]):
errors.append(
"Hostname must contain only alphanumeric and hyphen.")
#domain must be under 180 chars
if len(responses["DNS_DOMAIN"]) >= 180:
errors.append("Domain must be under 180 chars.")
#domain must not be empty
if len(responses["DNS_DOMAIN"]) == 0:
errors.append("Domain must not be empty.")
#domain needs to have valid chars
if re.match('[^a-z0-9-.]', responses["DNS_DOMAIN"]):
errors.append(
"Domain must contain only alphanumeric, period and hyphen.")
#ensure external DNS is valid
if len(responses["DNS_UPSTREAM"]) == 0:
#We will allow empty if user doesn't need external networking
#and present a strongly worded warning
msg = "If you continue without DNS, you may not be able to access"\
+ " external data necessary for installation needed for " \
+ "some OpenStack Releases."
dialog.display_dialog(self, widget.TextLabel(msg),
"Empty DNS Warning")
else:
#external DNS must contain only numbers, periods, and commas
#Needs more serious ip address checking
if re.match('[^0-9.,]', responses["DNS_UPSTREAM"]):
errors.append(
"External DNS must contain only IP addresses and commas.")
#ensure test DNS name isn't empty
if len(responses["TEST_DNS"]) == 0:
errors.append("Test DNS must not be empty.")
#Validate first IP address
try:
if netaddr.valid_ipv4(responses["DNS_UPSTREAM"].split(",")[0]):
DNS_UPSTREAM = responses["DNS_UPSTREAM"].split(",")[0]
else:
errors.append(
"Not a valid IP address for External DNS: %s" %
responses["DNS_UPSTREAM"])
#Try to resolve with first address
if not self.checkDNS(DNS_UPSTREAM):
#Warn user that DNS resolution failed, but continue
msg = "Unable to resolve %s.\n\n" % responses['TEST_DNS']\
+ "Possible causes for DNS failure include:\n"\
+ "* Invalid DNS server\n"\
+ "* Invalid gateway\n"\
+ "* Other networking issue\n\n"\
+ "Fuel Setup can save this configuration, but "\
+ "you may want to correct your settings."
dialog.display_dialog(self, widget.TextLabel(msg),
"DNS Failure Warning")
self.parent.refreshScreen()
except Exception:
errors.append("Not a valid IP address for External DNS: %s" %
responses["DNS_UPSTREAM"])
if len(errors) > 0:
self.parent.footer.set_text("Error: %s" % (errors[0]))
log.error("Errors: %s %s" % (len(errors), errors))
return False
else:
self.parent.footer.set_text("No errors found.")
return responses
def _add_floating_ip(self, req, id, body):
"""Associate floating_ip to an instance."""
context = req.environ['nova.context']
authorize(context)
try:
address = body['addFloatingIp']['address']
except TypeError:
msg = _("Missing parameter dict")
raise webob.exc.HTTPBadRequest(explanation=msg)
except KeyError:
msg = _("Address not specified")
raise webob.exc.HTTPBadRequest(explanation=msg)
instance = common.get_instance(self.compute_api, context, id)
cached_nwinfo = compute_utils.get_nw_info_for_instance(instance)
if not cached_nwinfo:
LOG.warning(
_LW('Info cache is %r during associate') % instance.info_cache,
instance=instance)
msg = _('No nw_info cache associated with instance')
raise webob.exc.HTTPBadRequest(explanation=msg)
fixed_ips = cached_nwinfo.fixed_ips()
if not fixed_ips:
msg = _('No fixed ips associated to instance')
raise webob.exc.HTTPBadRequest(explanation=msg)
fixed_address = None
if self.ext_mgr.is_loaded('os-extended-floating-ips'):
if 'fixed_address' in body['addFloatingIp']:
fixed_address = body['addFloatingIp']['fixed_address']
for fixed in fixed_ips:
if fixed['address'] == fixed_address:
break
else:
msg = _('Specified fixed address not assigned to instance')
raise webob.exc.HTTPBadRequest(explanation=msg)
if not fixed_address:
try:
fixed_address = next(ip['address'] for ip in fixed_ips
if netaddr.valid_ipv4(ip['address']))
except StopIteration:
msg = _('Unable to associate floating ip %(address)s '
'to any fixed IPs for instance %(id)s. '
'Instance has no fixed IPv4 addresses to '
'associate.') % (
{'address': address, 'id': id})
raise webob.exc.HTTPBadRequest(explanation=msg)
if len(fixed_ips) > 1:
LOG.warning(_LW('multiple fixed_ips exist, using the first '
'IPv4 fixed_ip: %s'), fixed_address)
try:
self.network_api.associate_floating_ip(context, instance,
floating_address=address,
fixed_address=fixed_address)
except exception.FloatingIpAssociated:
msg = _('floating ip is already associated')
raise webob.exc.HTTPBadRequest(explanation=msg)
except exception.NoFloatingIpInterface:
msg = _('l3driver call to add floating ip failed')
raise webob.exc.HTTPBadRequest(explanation=msg)
except exception.FloatingIpNotFoundForAddress:
msg = _('floating ip not found')
raise webob.exc.HTTPNotFound(explanation=msg)
except exception.Forbidden as e:
raise webob.exc.HTTPForbidden(explanation=e.format_message())
except Exception as e:
msg = _('Unable to associate floating ip %(address)s to '
'fixed ip %(fixed_address)s for instance %(id)s. '
'Error: %(error)s') % (
{'address': address, 'fixed_address': fixed_address,
'id': id, 'error': e})
LOG.exception(msg)
raise webob.exc.HTTPBadRequest(explanation=msg)
return webob.Response(status_int=202)
def _get_address(instance_id):
result = instance_info.dbaas_admin.mgmt.instances.show(instance_id)
try:
return next(str(ip) for ip in result.ip if netaddr.valid_ipv4(ip))
except StopIteration:
fail("No IPV4 ip found")
def _validate_ipv4(name, value):
"""Check if router_id value is valid"""
if not netaddr.valid_ipv4(value):
raise wsme.exc.ClientSideError(
_("Parameter '%s' must be a valid router_id." % name))
def main():
if options.output=='syslog':
logger.addHandler(SysLogHandler(address=(options.sysloghostname,options.syslogport)))
else:
sh=logging.StreamHandler(sys.stderr)
sh.setFormatter(formatter)
logger.addHandler(sh)
logger.debug('started')
#logger.debug(options)
try:
es = ElasticsearchClient((list('{0}'.format(s) for s in options.esservers)))
s = requests.Session()
s.headers.update({'Accept': 'application/json'})
s.headers.update({'Content-type': 'application/json'})
s.headers.update({'Authorization':'SSWS {0}'.format(options.apikey)})
#capture the time we start running so next time we catch any events created while we run.
state = State(options.state_file)
lastrun = toUTC(datetime.now()).isoformat()
#in case we don't archive files..only look at today and yesterday's files.
yesterday=date.strftime(datetime.utcnow()-timedelta(days=1),'%Y/%m/%d')
today = date.strftime(datetime.utcnow(),'%Y/%m/%d')
r = s.get('https://{0}/api/v1/events?startDate={1}&limit={2}'.format(
options.oktadomain,
toUTC(state.data['lastrun']).strftime('%Y-%m-%dT%H:%M:%S.000Z'),
options.recordlimit
))
if r.status_code == 200:
oktaevents = json.loads(r.text)
for event in oktaevents:
if 'published' in event.keys():
if toUTC(event['published']) > toUTC(state.data['lastrun']):
try:
mozdefEvent = dict()
mozdefEvent['utctimestamp']=toUTC(event['published']).isoformat()
mozdefEvent['receivedtimestamp']=toUTC(datetime.now()).isoformat()
mozdefEvent['category'] = 'okta'
mozdefEvent['tags'] = ['okta']
if 'action' in event.keys() and 'message' in event['action'].keys():
mozdefEvent['summary'] = event['action']['message']
mozdefEvent['details'] = event
# Actor parsing
# While there are various objectTypes attributes, we just take any attribute that matches
# in case Okta changes it's structure around a bit
# This means the last instance of each attribute in all actors will be recorded in mozdef
# while others will be discarded
# Which ends up working out well in Okta's case.
if 'actors' in event.keys():
for actor in event['actors']:
if 'ipAddress' in actor.keys():
if netaddr.valid_ipv4(actor['ipAddress']):
mozdefEvent['details']['sourceipaddress'] = actor['ipAddress']
if 'login' in actor.keys():
mozdefEvent['details']['username'] = actor['login']
if 'requestUri' in actor.keys():
mozdefEvent['details']['source_uri'] = actor['requestUri']
# We are renaming action to activity because there are
# currently mapping problems with the details.action field
mozdefEvent['details']['activity'] = mozdefEvent['details']['action']
mozdefEvent['details'].pop('action')
jbody=json.dumps(mozdefEvent)
res = es.save_event(doc_type='okta',body=jbody)
logger.debug(res)
except Exception as e:
logger.error('Error handling log record {0} {1}'.format(r, e))
continue
else:
logger.error('Okta event does not contain published date: {0}'.format(event))
state.data['lastrun'] = lastrun
state.write_state_file()
else:
logger.error('Could not get Okta events HTTP error code {} reason {}'.format(r.status_code, r.reason))
except Exception as e:
logger.error("Unhandled exception, terminating: %r"%e)
def valid_ip(addr):
return netaddr.valid_ipv4(addr) or netaddr.valid_ipv6(addr)
