def getDetails(deviceIP): details = {} evidence = dbManager.select(E_DB_FILE, deviceIP) details["DEVICE_PROFILE"] = getDeviceProfile(evidence) details["VENDOR_PROFILE"] = getVendorProfile(evidence) details["CHILDREN"] = getChildren(evidence) details["VULNERABILITIES"] = getVulnerabilities(evidence, details["DEVICE_PROFILE"], details["VENDOR_PROFILE"]) details["TOTAL_VULNERABILITIES"] = 0 details["HIGH_VULNS"] = 0 details["MED_VULNS"] = 0 details["LOW_VULNS"] = 0 for vulnerabilityID in details["VULNERABILITIES"]: details["TOTAL_VULNERABILITIES"] = details["TOTAL_VULNERABILITIES"] + 1 vulnerability = dbManager.select(VULN_DB_FILE, vulnerabilityID) if helper.singleInList("high", vulnerability["SEVERITY"]): details["HIGH_VULNS"] = details["HIGH_VULNS"] + 1 if helper.singleInList("medium", vulnerability["SEVERITY"]): details["MED_VULNS"] = details["MED_VULNS"] + 1 if helper.singleInList("low", vulnerability["SEVERITY"]): details["LOW_VULNS"] = details["LOW_VULNS"] + 1 details["CHARTS"] = getCharts(deviceIP, evidence) details["TIMELINES"] = getTimelines(deviceIP) return details
def getCharts(deviceIP, evidence): charts = {} charts["DEVICE"] = {} charts["VENDOR"] = {} allDevices = dbManager.allIdentifiers(D_DB_FILE) allVendors = dbManager.allIdentifiers(V_DB_FILE) # TO BE IMPLEMENTED - low priority for device in allDevices: charts["DEVICE"][device] = {} charts["DEVICE"][device]["EVIDENCE"] = dbManager.select( E_DB_FILE, deviceIP) charts["DEVICE"][device]["PROFILE"] = dbManager.select( D_DB_FILE, device) charts["DEVICE"][device][ "SIMILARITY"] = similarityScore.jaccardSimilarity( charts["DEVICE"][device]["EVIDENCE"], charts["DEVICE"][device]["PROFILE"]) for vendor in allVendors: charts["VENDOR"][vendor] = {} charts["VENDOR"][vendor]["EVIDENCE"] = dbManager.select( E_DB_FILE, deviceIP) charts["VENDOR"][vendor]["PROFILE"] = dbManager.select( V_DB_FILE, vendor) charts["VENDOR"][vendor][ "SIMILARITY"] = similarityScore.jaccardSimilarity( charts["VENDOR"][vendor]["EVIDENCE"], charts["VENDOR"][vendor]["PROFILE"]) return charts
def getVulnerabilities(evidence, deviceProfile, vendorProfile): vulnerabilities = {} if "VULNERABILITIES" in evidence.keys(): for vulnID in evidence["VULNERABILITIES"]: vuln = dbManager.select(VULN_DB_FILE, vulnID) vulnerabilities[vulnID] = vuln if "VULNERABILITIES" in deviceProfile.keys(): for vulnID in deviceProfile["VULNERABILITIES"]: vuln = dbManager.select(VULN_DB_FILE, vulnID) vulnerabilities[vulnID] = vuln if "VULNERABILITIES" in vendorProfile.keys(): for vulnID in vendorProfile["VULNERABILITIES"]: vuln = dbManager.select(VULN_DB_FILE, vulnID) vulnerabilities[vulnID] = vuln return vulnerabilities
def getRequests(): requestsDict = {} allRequestTimeStamps = dbManager.allIdentifiers(R_DB_FILE) for requestTimeStamp in allRequestTimeStamps: request = dbManager.select(R_DB_FILE, requestTimeStamp) if "RESPONSE" not in request: requestsDict[requestTimeStamp] = request return requestsDict
def getVendorProfile(evidence): vendorProfile = {} vendors = dbManager.allIdentifiers(V_DB_FILE) if "VENDOR" in evidence.keys(): for vendor in evidence["VENDOR"]: if vendor in vendors: vendorProfile = dbManager.select(V_DB_FILE, vendor) break return vendorProfile
def getDeviceProfile(evidence): deviceProfile = {} devices = dbManager.allIdentifiers(D_DB_FILE) if "MODEL" in evidence.keys(): for model in evidence["MODEL"]: if model in devices: deviceProfile = dbManager.select(D_DB_FILE, model) break return deviceProfile
def getTimelines(deviceIP): timelines = {} timelines["IDENTIFICATION"] = {} timelines["VULNERABILITY"] = {} allEvents = dbManager.allIdentifiers(EVENTS_DB_FILE) for eventID in allEvents: event = dbManager.select(EVENTS_DB_FILE, eventID) if "TARGET_IPADDR" in event.keys( ) and deviceIP in event["TARGET_IPADDR"]: if "TYPE" in event.keys() and "IDENTIFICATION" in event["TYPE"]: timelines["IDENTIFICATION"][eventID] = event if "TYPE" in event.keys() and "VULNERABILITY" in event["TYPE"]: timelines["VULNERABILITY"][eventID] = event return timelines
def getSummary(): summary = {} summary["AGGREGATE"] = {} summary["AGGREGATE"]["TOTAL_DEVICES"] = 0 summary["AGGREGATE"]["IDENTIFIED"] = 0 summary["AGGREGATE"]["UNIDENTIFIED"] = 0 summary["AGGREGATE"]["TOTAL_VULNERABILITIES"] = 0 summary["AGGREGATE"]["HIGH_VULNS"] = 0 summary["AGGREGATE"]["MED_VULNS"] = 0 summary["AGGREGATE"]["LOW_VULNS"] = 0 summary["TABLE"] = {} summary["REQUESTS"] = getRequests() allIPs = dbManager.allIdentifiers(E_DB_FILE) for deviceIP in allIPs: summary["AGGREGATE"][ "TOTAL_DEVICES"] = summary["AGGREGATE"]["TOTAL_DEVICES"] + 1 summary["TABLE"][deviceIP] = {} summary["TABLE"][deviceIP]["VENDOR"] = "NA" summary["TABLE"][deviceIP]["MODEL"] = "NA" summary["TABLE"][deviceIP]["FIRMWARE_ID"] = "NA" summary["TABLE"][deviceIP]["DEVICE_TYPE"] = "NA" summary["TABLE"][deviceIP]["HIGH_VULNS"] = 0 summary["TABLE"][deviceIP]["MED_VULNS"] = 0 summary["TABLE"][deviceIP]["LOW_VULNS"] = 0 evidence = dbManager.select(E_DB_FILE, deviceIP) # count identified if "MODEL" in evidence.keys(): summary["AGGREGATE"][ "IDENTIFIED"] = summary["AGGREGATE"]["IDENTIFIED"] + 1 summary["TABLE"][deviceIP]["MODEL"] = evidence["MODEL"] else: summary["AGGREGATE"][ "UNIDENTIFIED"] = summary["AGGREGATE"]["UNIDENTIFIED"] + 1 # fill table if "VENDOR" in evidence.keys(): summary["TABLE"][deviceIP]["VENDOR"] = evidence["VENDOR"] if "FIRMWARE_ID" in evidence.keys(): summary["TABLE"][deviceIP]["FIRMWARE_ID"] = evidence["FIRMWARE_ID"] if "DEVICE_TYPE" in evidence.keys(): summary["TABLE"][deviceIP]["DEVICE_TYPE"] = evidence["DEVICE_TYPE"] # find children children = getChildren(evidence) for key, val in children.items(): summary["TABLE"][deviceIP + ":" + key] = {} summary["TABLE"][deviceIP + ":" + key]["VENDOR"] = val.get( "VENDOR", "NA") summary["TABLE"][deviceIP + ":" + key]["MODEL"] = val.get( "MODEL", "NA") summary["TABLE"][deviceIP + ":" + key]["FIRMWARE_ID"] = "-" summary["TABLE"][deviceIP + ":" + key]["DEVICE_TYPE"] = "-" summary["TABLE"][deviceIP + ":" + key]["HIGH_VULNS"] = "-" summary["TABLE"][deviceIP + ":" + key]["MED_VULNS"] = "-" summary["TABLE"][deviceIP + ":" + key]["LOW_VULNS"] = "-" # count vulns if "VULNERABILITIES" in evidence.keys(): for vulnerabilityID in evidence["VULNERABILITIES"]: summary["AGGREGATE"]["TOTAL_VULNERABILITIES"] = summary[ "AGGREGATE"]["TOTAL_VULNERABILITIES"] + 1 vulnerability = dbManager.select(VULN_DB_FILE, vulnerabilityID) if helper.singleInList("high", vulnerability["SEVERITY"]): summary["AGGREGATE"][ "HIGH_VULNS"] = summary["AGGREGATE"]["HIGH_VULNS"] + 1 summary["TABLE"][deviceIP]["HIGH_VULNS"] = summary[ "TABLE"][deviceIP]["HIGH_VULNS"] + 1 if helper.singleInList("medium", vulnerability["SEVERITY"]): summary["AGGREGATE"][ "MED_VULNS"] = summary["AGGREGATE"]["MED_VULNS"] + 1 summary["TABLE"][deviceIP]["MED_VULNS"] = summary["TABLE"][ deviceIP]["MED_VULNS"] + 1 if helper.singleInList("low", vulnerability["SEVERITY"]): summary["AGGREGATE"][ "LOW_VULNS"] = summary["AGGREGATE"]["LOW_VULNS"] + 1 summary["TABLE"][deviceIP]["LOW_VULNS"] = summary["TABLE"][ deviceIP]["LOW_VULNS"] + 1 return summary
maskedIPs = {} maskedMACs = {} ipCounter = 0 macCounter = 0 # find all IPs and map them to masked allIPs = dbManager.allIdentifiers(E_DB_FILE) for deviceIP in allIPs: if deviceIP not in maskedIPs.keys(): maskedIPs[deviceIP] = "IP_{0}".format(ipCounter) ipCounter = ipCounter + 1 evidence = dbManager.select(E_DB_FILE, deviceIP) if "TARGET_IPADDR" in evidence.keys(): for targetIP in evidence["TARGET_IPADDR"]: ipKey = helper.singleInList(targetIP, maskedIPs.keys()) if ipKey == False: maskedIPs[targetIP] = "IP_{0}".format(ipCounter) ipCounter = ipCounter + 1 if "DEST_IPADDR" in evidence.keys(): for destIP in evidence["DEST_IPADDR"]: ipKey = helper.singleInList(destIP, maskedIPs.keys()) if ipKey == False: maskedIPs[destIP] = "IP_{0}".format(ipCounter) ipCounter = ipCounter + 1
import multiprocessing from ssasse_platform.InferenceEngine import helper database_path = "/" profiles_path = "../Profiles/" E_DB_FILE = "e_db.sqlite" # evidence D_DB_FILE = "d_db.sqlite" # devices V_DB_FILE = "v_db.sqlite" # vendors VULN_DB_FILE = "vuln_db.sqlite" # vulnerabilities EVENTS_DB_FILE = "events_db.sqlite" # events S_DB_FILE = "s_db.sqlite" DBManager = dbManager.DBManager() fr = open("known_cves.json", "r", encoding="utf-8") knownDict = json.loads(fr.read()) fr.close() IPs = dbManager.allIdentifiers(E_DB_FILE) for ip in IPs: models = dbManager.select(E_DB_FILE, ip).get("MODEL", []) for model in knownDict.keys(): if model in models: for cveDict in knownDict[model]: #print("Inserting vuln {0} into {1}".format(cveDict,ip)) DBManager.insertVulnerabilityTableEntry( E_DB_FILE, VULN_DB_FILE, ip, cveDict) break