def test_get_ip_in_src_and_not_in_dst(self):
    """Exercise get_ip_in_src_and_not_in_dst against two disjoint /24 ranges.

    The helper must only report an address that is inside the source range
    and outside the destination range; every other mix yields None.
    """
    self.fail_if_not_testing_env()
    src_range = CidrRange("1.1.1.0/24")
    dst_range = CidrRange("2.2.2.0/24")

    def lookup(addresses, src, dst):
        # Same call as the original assertions, with text_type applied per address.
        return get_ip_in_src_and_not_in_dst(
            [text_type(addr) for addr in addresses], src, dst)

    # No address belongs to either range -> nothing to report.
    self.assertIsNone(lookup(["3.3.3.3", "4.4.4.4"], src_range, dst_range))

    # Address only in the destination range -> not a source-side match.
    self.assertIsNone(lookup(["2.2.2.2"], src_range, dst_range))

    # One address in the source range and not in the destination range.
    self.assertIsNotNone(lookup(["8.8.8.8", "1.1.1.1"], src_range, dst_range))

    # Source and destination are the same range -> a matching address is in both.
    self.assertIsNone(lookup(["8.8.8.8", "1.1.1.1"], src_range, src_range))
    def test_get_ip_in_src_and_not_in_dst(self):
        """Exercise get_ip_in_src_and_not_in_dst against two disjoint /24 ranges.

        Only an address inside the source range and outside the destination
        range is returned; every other combination yields None.
        """
        src_range = CidrRange("1.1.1.0/24")
        dst_range = CidrRange("2.2.2.0/24")
        find_violating_ip = get_ip_in_src_and_not_in_dst

        # Neither address belongs to either range.
        assert find_violating_ip(["3.3.3.3", "4.4.4.4"], src_range, dst_range) is None

        # Address only in the destination range is not a source-side match.
        assert find_violating_ip(["2.2.2.2"], src_range, dst_range) is None

        # One address is in the source range and not in the destination range.
        assert find_violating_ip(["8.8.8.8", "1.1.1.1"], src_range, dst_range)

        # Source and destination are the same range, so a matching address is in both.
        assert find_violating_ip(["8.8.8.8", "1.1.1.1"], src_range, src_range) is None
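    def get_cross_segment_issues_per_subnet_pair(scans, source_subnet,
                                                 target_subnet):
        """
        Gets list of cross segment issues from source_subnet to target_subnet.

        A cross-segment issue is a scan telemetry entry whose target machine is
        inside target_subnet while the reporting monkey owns at least one address
        that is inside source_subnet and not inside target_subnet (as decided by
        get_ip_in_src_and_not_in_dst).

        :param scans:           List of all scan telemetry entries. Must have monkey_guid,
                                ip_addr and services.
                                This should be a PyMongo cursor object; it is rewound before use.
        :param source_subnet:   The subnet which shouldn't be able to access target_subnet.
        :param target_subnet:   The subnet which shouldn't be accessible from source_subnet.
        :return:    List of issue dicts (keys: source, hostname, target, services, icmp,
                    is_self) for this subnet pair, followed by the issues returned by
                    ReportService.get_cross_segment_issues_of_single_machine.
        """
        # A subnet cannot be segmented from itself.
        if source_subnet == target_subnet:
            return []
        source_subnet_range = NetworkRange.get_range_obj(source_subnet)
        target_subnet_range = NetworkRange.get_range_obj(target_subnet)

        cross_segment_issues = []
        # Many scan entries come from the same monkey; resolve each guid once
        # instead of querying NodeService for every entry.
        monkeys_by_guid = {}

        scans.rewind()  # If we iterated over scans already we need to rewind.
        for scan in scans:
            machine = scan["data"]["machine"]
            target_ip = machine["ip_addr"]
            if not target_subnet_range.is_in_range(str(target_ip)):
                continue

            guid = scan["monkey_guid"]
            if guid not in monkeys_by_guid:
                monkeys_by_guid[guid] = NodeService.get_monkey_by_guid(guid)
            monkey = monkeys_by_guid[guid]
            if monkey is None:
                # If the lookup yields nothing for this guid, the telemetry cannot be
                # attributed to a monkey; skip the entry instead of failing the report.
                continue

            cross_segment_ip = get_ip_in_src_and_not_in_dst(
                monkey["ip_addresses"], source_subnet_range,
                target_subnet_range)
            if cross_segment_ip is None:
                continue

            cross_segment_issues.append({
                "source": cross_segment_ip,
                "hostname": monkey["hostname"],
                "target": target_ip,
                "services": machine["services"],
                "icmp": machine["icmp"],
                "is_self": False,
            })

        return cross_segment_issues + ReportService.get_cross_segment_issues_of_single_machine(
            source_subnet_range, target_subnet_range)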
    def get_cross_segment_issues_per_subnet_pair(scans, source_subnet,
                                                 target_subnet):
        """
        Gets list of cross segment issues from source_subnet to target_subnet.

        An issue is recorded for every scan entry whose target machine lies in
        target_subnet when the reporting monkey has an address that is in
        source_subnet but not in target_subnet (get_ip_in_src_and_not_in_dst).

        :param scans:           List of all scan telemetry entries. Must have monkey_guid, ip_addr and services.
                                This should be a PyMongo cursor object; it is rewound before use.
        :param source_subnet:   The subnet which shouldn't be able to access target_subnet.
        :param target_subnet:   The subnet which shouldn't be accessible from source_subnet.
        :return:    List of issue dicts (keys: source, hostname, target, services, is_self)
                    followed by ReportService.get_cross_segment_issues_of_single_machine's result.
        """
        # A subnet cannot be segmented from itself.
        if source_subnet == target_subnet:
            return []
        src_range = NetworkRange.get_range_obj(source_subnet)
        dst_range = NetworkRange.get_range_obj(target_subnet)

        issues = []

        scans.rewind()  # If we iterated over scans already we need to rewind.
        for scan in scans:
            machine = scan['data']['machine']
            target_ip = machine['ip_addr']
            if not dst_range.is_in_range(text_type(target_ip)):
                continue

            monkey = NodeService.get_monkey_by_guid(scan['monkey_guid'])
            violating_ip = get_ip_in_src_and_not_in_dst(
                monkey['ip_addresses'], src_range, dst_range)
            if violating_ip is None:
                continue

            issues.append({
                'source': violating_ip,
                'hostname': monkey['hostname'],
                'target': target_ip,
                'services': machine['services'],
                'is_self': False
            })

        single_machine_issues = ReportService.get_cross_segment_issues_of_single_machine(
            src_range, dst_range)
        return issues + single_machine_issues
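def is_segmentation_violation(current_monkey: Monkey, target_ip: str,
                              source_subnet: str, target_subnet: str) -> bool:
    """
    Checks whether a specific communication is a segmentation violation.

    The communication is a violation when target_ip is inside target_subnet and
    current_monkey owns an address that is inside source_subnet and not inside
    target_subnet (as decided by get_ip_in_src_and_not_in_dst).

    :param current_monkey:  The source monkey which originated the communication.
    :param target_ip:       The target with which the current monkey communicated.
    :param source_subnet:   The segment the monkey belongs to.
    :param target_subnet:   Another segment which the monkey isn't supposed to communicate with.
    :return:    True if this is a violation of segmentation between source_subnet and target_subnet; Otherwise, False.
    """
    # A segment cannot be isolated from itself.
    if source_subnet == target_subnet:
        return False
    source_subnet_range = NetworkRange.get_range_obj(source_subnet)
    target_subnet_range = NetworkRange.get_range_obj(target_subnet)

    # A target outside target_subnet is not covered by this rule; return an
    # explicit False so the function never falls through and returns None.
    if not target_subnet_range.is_in_range(str(target_ip)):
        return False

    cross_segment_ip = get_ip_in_src_and_not_in_dst(
        current_monkey.ip_addresses, source_subnet_range,
        target_subnet_range)
    return cross_segment_ip is not None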