def test(self, test_file): # read test file test_file = self.load_file(test_file) # build attack range self.build() # simulate attack self.simulate(test_file['target'], test_file['simulation_technique']) # wait self.log.info('Wait for 500 seconds before running the detections.') time.sleep(500) # run detection result = [] for detection_obj in test_file['detections']: detection_file_name = detection_obj['name'].replace( '-', '_').replace(' ', '_').lower() + '.yml' detection = self.load_file('../security-content/detections/' + detection_file_name) result_obj = dict() result_obj['detection'] = detection_obj['name'] instance = aws_service.get_instance_by_name( "attack-range-splunk-server", self.config) if instance['State']['Name'] == 'running': result_obj['error'], result_obj[ 'results'] = splunk_sdk.test_search( instance['NetworkInterfaces'][0] ['Association']['PublicIp'], str(self.config['splunk_admin_password']), detection['search'], detection_obj['pass_condition'], detection['name'], self.log) else: self.log.error('ERROR: Splunk server is not running.') result.append(result_obj) #print(result) # store attack data if self.config['capture_attack_data'] == '1': self.store_attack_data(result, test_file) # destroy attack range self.destroy() #result_cond = False for result_obj in result: if result_obj['error']: self.log.error('Detection Testing failed: ' + result_obj['results']['detection_name']) if self.config['automated_testing'] == '1': github_service.create_issue( result_obj['results']['detection_name'], self.config) #result_cond |= result_obj['error'] sys.exit(0)
def test(self, test_file): # read test file test_file = self.load_file(test_file) # build attack range self.build() random_number = str(randrange(10000)) folder_name = "attack_data_" + random_number os.mkdir( os.path.join(os.path.dirname(__file__), '../attack_data/' + folder_name)) simulation = False output = 'loaded attack data' if 'attack_data' in test_file: for data in test_file['attack_data']: dumps_yml = self.load_file( os.path.join(os.path.dirname(__file__), '../attack_data/dumps.yml')) url = data['data'] r = requests.get(url, allow_redirects=True) open( os.path.join( os.path.dirname(__file__), '../attack_data/' + folder_name + '/' + data['file_name']), 'wb').write(r.content) if self.config['cloud_provider'] == 'aws': splunk_ip = aws_service.get_single_instance_public_ip( 'ar-splunk-' + self.config['range_name'] + '-' + self.config['key_name'], self.config) elif self.config['cloud_provider'] == 'azure': splunk_ip = azure_service.get_instance( self.config, "ar-splunk-" + self.config['range_name'] + "-" + self.config['key_name'], self.log)['public_ip'] # Upload the replay logs to the Splunk server ansible_vars = {} ansible_vars['dump_name'] = folder_name ansible_vars['ansible_user'] = '******' ansible_vars['ansible_ssh_private_key_file'] = self.config[ 'private_key_path'] ansible_vars['splunk_password'] = self.config[ 'attack_range_password'] ansible_vars['out'] = data['file_name'] ansible_vars['sourcetype'] = data['sourcetype'] ansible_vars['source'] = data['source'] ansible_vars['index'] = 'test' cmdline = "-i %s, -u ubuntu" % (splunk_ip) runner = ansible_runner.run( private_data_dir=os.path.join(os.path.dirname(__file__), '../'), cmdline=cmdline, roles_path=os.path.join(os.path.dirname(__file__), '../ansible/roles'), playbook=os.path.join( os.path.dirname(__file__), '../ansible/playbooks/attack_replay.yml'), extravars=ansible_vars) else: simulation = True # update ESCU if self.config['update_escu_app'] == '1': # upload package if self.config['cloud_provider'] == 'aws': splunk_ip = aws_service.get_single_instance_public_ip( 'ar-splunk-' + self.config['range_name'] + '-' + self.config['key_name'], self.config) elif self.config['cloud_provider'] == 'azure': splunk_ip = azure_service.get_instance( self.config, "ar-splunk-" + self.config['range_name'] + "-" + self.config['key_name'], self.log)['public_ip'] # Upload the replay logs to the Splunk server ansible_vars = {} ansible_vars['ansible_user'] = '******' ansible_vars['ansible_ssh_private_key_file'] = self.config[ 'private_key_path'] ansible_vars['splunk_password'] = self.config[ 'attack_range_password'] ansible_vars['security_content_path'] = self.config[ 'security_content_path'] cmdline = "-i %s, -u ubuntu" % (splunk_ip) runner = ansible_runner.run( private_data_dir=os.path.join(os.path.dirname(__file__), '../'), cmdline=cmdline, roles_path=os.path.join(os.path.dirname(__file__), '../ansible/roles'), playbook=os.path.join(os.path.dirname(__file__), '../ansible/playbooks/update_escu.yml'), extravars=ansible_vars) if simulation: # wait self.log.info('Wait for 200 seconds before running simulations.') time.sleep(200) # simulate attack # create vars string for custom vars: if 'vars' in test_file: var_str = '$myArgs = @{ ' i = 0 for key, value in test_file['vars'].items(): if i == 0: var_str += '"' + key + '" = "' + value + '"' i += 1 else: var_str += '; "' + key + '" = "' + value + '"' i += 1 var_str += ' }' print(var_str) output = self.simulate(test_file['target'], test_file['simulation_technique'], 'no', var_str) else: output = self.simulate(test_file['target'], test_file['simulation_technique'], 'no') # wait self.log.info('Wait for 200 seconds before running the detections.') time.sleep(200) # run detection result = [] for detection_obj in test_file['detections']: detection_file_name = detection_obj['file'] detection = self.load_file( os.path.join( os.path.dirname(__file__), '../../security-content/detections/' + detection_file_name)) result_obj = dict() result_obj['detection'] = detection_obj['name'] result_obj['detection_file'] = detection_obj['file'] if self.config['cloud_provider'] == 'aws': instance = aws_service.get_instance_by_name( 'ar-splunk-' + self.config['range_name'] + '-' + self.config['key_name'], self.config) if instance['State']['Name'] == 'running': result_obj['error'], result_obj[ 'results'] = splunk_sdk.test_search( instance['NetworkInterfaces'][0]['Association'] ['PublicIp'], str(self.config['attack_range_password']), detection['search'], detection_obj['pass_condition'], detection['name'], detection_obj['file'], self.log) else: self.log.error('ERROR: Splunk server is not running.') elif self.config['cloud_provider'] == 'azure': instance = azure_service.get_instance( self.config, "ar-splunk-" + self.config['range_name'] + "-" + self.config['key_name'], self.log) if instance['vm_obj'].instance_view.statuses[ 1].display_status == "VM running": result_obj['error'], result_obj[ 'results'] = splunk_sdk.test_search( instance['public_ip'], str(self.config['attack_range_password']), detection['search'], detection_obj['pass_condition'], detection['name'], detection_obj['file'], self.log) result.append(result_obj) # destroy attack range self.destroy() # return results return {'results': result, 'simulation_output': output}