def test_ipset_with_iprange(): s1 = IPSet(['10.0.0.0/25', '10.0.0.128/25']) assert s1.iprange() == IPRange('10.0.0.0', '10.0.0.255') assert s1.iscontiguous() s1.remove('10.0.0.16') assert s1 == IPSet([ '10.0.0.0/28', '10.0.0.17/32', '10.0.0.18/31', '10.0.0.20/30', '10.0.0.24/29', '10.0.0.32/27', '10.0.0.64/26', '10.0.0.128/25', ]) assert not s1.iscontiguous() with pytest.raises(ValueError): s1.iprange() assert list(s1.iter_ipranges()) == [ IPRange('10.0.0.0', '10.0.0.15'), IPRange('10.0.0.17', '10.0.0.255'), ] s2 = IPSet(['0.0.0.0/0']) assert s2.iscontiguous() assert s2.iprange() == IPRange('0.0.0.0', '255.255.255.255') # s3 = IPSet() assert s3.iscontiguous() assert s3.iprange() is None s4 = IPSet(IPRange('10.0.0.0', '10.0.0.8')) assert s4.iscontiguous()
def create_event(): """ Updating event descriptions for an app_sha256. Assuming all IPs are good untl at least a range of IPs reaches 14 (/28 network block). Once a range of IPs reaches a total of 14, all other IPs are considered bad. If multiple ranges of IPs reach 14, this simple processing will not be able to determine while /28 block is the valid one. """ if 'application/octet-stream' in request.headers['Content-Type']: # Protobuf decoding event = IpEvent() event.ParseFromString(request.data) sha_id = str(event.app_sha256) ip = str(IPAddress(event.ip)) # Update event description of an existing app_sha256 if sha_id in app_shas: app_shas[sha_id]['count'] = app_shas[sha_id]['count'] + 1 # Only add if IP is not already in the list if str(ip) not in app_shas[sha_id]['good_ips']: app_shas[sha_id]['good_ips'].append(str(ip)) # Create an event description instance for a new app_sha256 else: app_shas[sha_id] = {'count': 1, 'good_ips': [], 'bad_ips': []} # Only add if IP is not already in the list if str(ip) not in app_shas[sha_id]['good_ips']: app_shas[sha_id]['good_ips'].append(str(ip)) # Combined list of all IPs good and bad ips = app_shas[sha_id]['good_ips'] + app_shas[sha_id]['bad_ips'] # Convert to a set ip_set = IPSet(ips) # Get the minimal number of IP ranges for ip_range in ip_set.iter_ipranges(): # Does one of te ranges have 14 IP address in it? if ip_range.size == 14: # Thas is now our good /28 block of IP addresses good_range = ip_range app_shas[sha_id]['good_ips'] = [] for ip in ip_set: # Populate good_ips with the range of 14 'good' IP addresses if ip in good_range: if str(ip) not in app_shas[sha_id]['good_ips']: app_shas[sha_id]['good_ips'].append(str(ip)) # Put the rest of IP addresses in bad_ips else: if str(ip) not in app_shas[sha_id]['bad_ips']: app_shas[sha_id]['bad_ips'].append(str(ip)) return 'Received event...' else: abort(400)