Add block list event to all protocols (#77)
dayeon5470 authored Oct 11, 2023
1 parent 4056cb9 commit c5a3b82
Showing 20 changed files with 1,872 additions and 40 deletions.
14 changes: 14 additions & 0 deletions CHANGELOG.md
Expand Up @@ -10,6 +10,20 @@ Versioning](https://semver.org/spec/v2.0.0.html).
### Added

- Added `processList` graphql query to get the host's list of processes.
- Add block list event.
- DceRpc: `BlockListDceRpc`
- Ftp: `BlockListFtp`
- Http: `BlockListHttp`
- Kerberos: `BlockListKerberos`
- Ldap: `BlockListLdap`
- Mqtt: `BlockListMqtt`
- Nfs: `BlockListNfs`
- Ntlm: `BlockListNtlm`
- Rdp: `BlockListRdp`
- Smb: `BlockListSmb`
- Smtp: `BlockListSmtp`
- Ssh: `BlockListSsh`
- tls: `BlockListTls`

### Changed

Expand Down
2 changes: 1 addition & 1 deletion Cargo.toml
Expand Up @@ -25,7 +25,7 @@ oinq = { git = "https://github.com/petabi/oinq.git", tag = "0.9.1" }
reqwest = { version = "0.11", default-features = false, features = [
"rustls-tls-native-roots",
] }
review-database = { git = "https://github.com/petabi/review-database.git", tag = "0.18.0" }
review-database = { git = "https://github.com/petabi/review-database.git", tag = "0.20.0" }
roxy = { git = "https://github.com/aicers/roxy.git", tag = "0.2.1" }
rustls = "0.21"
rustls-native-certs = "0.6"
Expand Down
2 changes: 1 addition & 1 deletion src/graphql/data_source.rs
Expand Up @@ -79,7 +79,7 @@ impl TryFrom<DataSourceInsertInput> for database::DataSource {
server_name,
address,
data_type,
source: input.source.unwrap_or(String::new()),
source: input.source.unwrap_or_default(),
kind: input.kind,
description: input.description,
})
Expand Down
210 changes: 176 additions & 34 deletions src/graphql/event.rs
@@ -1,18 +1,30 @@
mod conn;
mod dcerpc;
mod dns;
mod ftp;
mod group;
mod http;
mod kerberos;
mod ldap;
mod mqtt;
mod nfs;
mod ntlm;
mod rdp;
mod smb;
mod smtp;
mod ssh;
mod tls;

pub(super) use self::group::EventGroupQuery;
use self::{
conn::BlockListConn, conn::ExternalDdos, conn::MultiHostPortScan, conn::PortScan,
dns::BlockListDns, dns::CryptocurrencyMiningPool, dns::DnsCovertChannel, ftp::FtpBruteForce,
ftp::FtpPlainText, http::DomainGenerationAlgorithm, http::HttpThreat, http::NonBrowser,
http::RepeatedHttpSessions, http::TorConnection, ldap::LdapBruteForce, ldap::LdapPlainText,
rdp::RdpBruteForce,
dcerpc::BlockListDceRpc, dns::BlockListDns, dns::CryptocurrencyMiningPool,
dns::DnsCovertChannel, ftp::BlockListFtp, ftp::FtpBruteForce, ftp::FtpPlainText,
http::BlockListHttp, http::DomainGenerationAlgorithm, http::HttpThreat, http::NonBrowser,
http::RepeatedHttpSessions, http::TorConnection, kerberos::BlockListKerberos,
ldap::BlockListLdap, ldap::LdapBruteForce, ldap::LdapPlainText, mqtt::BlockListMqtt,
nfs::BlockListNfs, ntlm::BlockListNtlm, rdp::BlockListRdp, rdp::RdpBruteForce,
smb::BlockListSmb, smtp::BlockListSmtp, ssh::BlockListSsh, tls::BlockListTls,
};
use super::{
customer::{Customer, HostNetworkGroupInput},
Expand Down Expand Up @@ -120,41 +132,54 @@ async fn fetch_events(
let mut cryptocurrency_time = start_time;
let mut block_list_conn_time = start_time;
let mut block_list_dns_time = start_time;
let mut block_list_dcerpc_time = start_time;
let mut block_list_ftp_time = start_time;
let mut block_list_http_time = start_time;
let mut block_list_kerberos_time = start_time;
let mut block_list_ldap_time = start_time;
let mut block_list_mqtt_time = start_time;
let mut block_list_nfs_time = start_time;
let mut block_list_ntlm_time = start_time;
let mut block_list_rdp_time = start_time;
let mut block_list_smb_time = start_time;
let mut block_list_smtp_time = start_time;
let mut block_list_ssh_time = start_time;
let mut block_list_tls_time = start_time;

loop {
itv.tick().await;

// Select the minimum time for DB search
let start = dns_covert_time.min(
http_threat_time.min(
rdp_brute_time.min(
repeat_http_time.min(
tor_time.min(
dga_time.min(
ftp_brute_time.min(
ftp_plain_time.min(
port_scan_time.min(
multi_host_time.min(
ldap_brute_time.min(
ldap_plain_time.min(
non_browser_time.min(
external_ddos_time
.min(cryptocurrency_time)
.min(block_list_conn_time)
.min(block_list_dns_time),
),
),
),
),
),
),
),
),
),
),
),
),
);
let start = dns_covert_time
.min(http_threat_time)
.min(rdp_brute_time)
.min(repeat_http_time)
.min(tor_time)
.min(dga_time)
.min(ftp_brute_time)
.min(ftp_plain_time)
.min(port_scan_time)
.min(multi_host_time)
.min(ldap_brute_time)
.min(ldap_plain_time)
.min(non_browser_time)
.min(external_ddos_time)
.min(cryptocurrency_time)
.min(block_list_conn_time)
.min(block_list_dns_time)
.min(block_list_dcerpc_time)
.min(block_list_ftp_time)
.min(block_list_http_time)
.min(block_list_kerberos_time)
.min(block_list_ldap_time)
.min(block_list_mqtt_time)
.min(block_list_nfs_time)
.min(block_list_ntlm_time)
.min(block_list_rdp_time)
.min(block_list_smb_time)
.min(block_list_smtp_time)
.min(block_list_ssh_time)
.min(block_list_tls_time);

// Fetch event iterator based on time
let start = i128::from(start) << 64;
Expand Down Expand Up @@ -273,6 +298,84 @@ async fn fetch_events(
block_list_dns_time = event_time + ADD_TIME_FOR_NEXT_COMPARE;
}
}
EventKind::BlockListDceRpc => {
if event_time >= block_list_dcerpc_time {
tx.unbounded_send(value.into())?;
block_list_dcerpc_time = event_time + ADD_TIME_FOR_NEXT_COMPARE;
}
}
EventKind::BlockListFtp => {
if event_time >= block_list_ftp_time {
tx.unbounded_send(value.into())?;
block_list_ftp_time = event_time + ADD_TIME_FOR_NEXT_COMPARE;
}
}
EventKind::BlockListHttp => {
if event_time >= block_list_http_time {
tx.unbounded_send(value.into())?;
block_list_http_time = event_time + ADD_TIME_FOR_NEXT_COMPARE;
}
}
EventKind::BlockListKerberos => {
if event_time >= block_list_kerberos_time {
tx.unbounded_send(value.into())?;
block_list_kerberos_time = event_time + ADD_TIME_FOR_NEXT_COMPARE;
}
}
EventKind::BlockListLdap => {
if event_time >= block_list_ldap_time {
tx.unbounded_send(value.into())?;
block_list_ldap_time = event_time + ADD_TIME_FOR_NEXT_COMPARE;
}
}
EventKind::BlockListMqtt => {
if event_time >= block_list_mqtt_time {
tx.unbounded_send(value.into())?;
block_list_mqtt_time = event_time + ADD_TIME_FOR_NEXT_COMPARE;
}
}
EventKind::BlockListNfs => {
if event_time >= block_list_nfs_time {
tx.unbounded_send(value.into())?;
block_list_nfs_time = event_time + ADD_TIME_FOR_NEXT_COMPARE;
}
}
EventKind::BlockListNtlm => {
if event_time >= block_list_ntlm_time {
tx.unbounded_send(value.into())?;
block_list_ntlm_time = event_time + ADD_TIME_FOR_NEXT_COMPARE;
}
}
EventKind::BlockListRdp => {
if event_time >= block_list_rdp_time {
tx.unbounded_send(value.into())?;
block_list_rdp_time = event_time + ADD_TIME_FOR_NEXT_COMPARE;
}
}
EventKind::BlockListSmb => {
if event_time >= block_list_smb_time {
tx.unbounded_send(value.into())?;
block_list_smb_time = event_time + ADD_TIME_FOR_NEXT_COMPARE;
}
}
EventKind::BlockListSmtp => {
if event_time >= block_list_smtp_time {
tx.unbounded_send(value.into())?;
block_list_smtp_time = event_time + ADD_TIME_FOR_NEXT_COMPARE;
}
}
EventKind::BlockListSsh => {
if event_time >= block_list_ssh_time {
tx.unbounded_send(value.into())?;
block_list_ssh_time = event_time + ADD_TIME_FOR_NEXT_COMPARE;
}
}
EventKind::BlockListTls => {
if event_time >= block_list_tls_time {
tx.unbounded_send(value.into())?;
block_list_tls_time = event_time + ADD_TIME_FOR_NEXT_COMPARE;
}
}
EventKind::Log => continue,
}
}
Expand Down Expand Up @@ -371,6 +474,32 @@ enum Event {
BlockListConn(BlockListConn),

BlockListDns(BlockListDns),

BlockListDceRpc(BlockListDceRpc),

BlockListFtp(BlockListFtp),

BlockListHttp(BlockListHttp),

BlockListKerberos(BlockListKerberos),

BlockListLdap(BlockListLdap),

BlockListMqtt(BlockListMqtt),

BlockListNfs(BlockListNfs),

BlockListNtlm(BlockListNtlm),

BlockListRdp(BlockListRdp),

BlockListSmb(BlockListSmb),

BlockListSmtp(BlockListSmtp),

BlockListSsh(BlockListSsh),

BlockListTls(BlockListTls),
}

impl From<database::Event> for Event {
Expand Down Expand Up @@ -400,6 +529,19 @@ impl From<database::Event> for Event {
database::Event::BlockList(record_type) => match record_type {
RecordType::Conn(event) => Event::BlockListConn(event.into()),
RecordType::Dns(event) => Event::BlockListDns(event.into()),
RecordType::DceRpc(event) => Event::BlockListDceRpc(event.into()),
RecordType::Ftp(event) => Event::BlockListFtp(event.into()),
RecordType::Http(event) => Event::BlockListHttp(event.into()),
RecordType::Kerberos(event) => Event::BlockListKerberos(event.into()),
RecordType::Ldap(event) => Event::BlockListLdap(event.into()),
RecordType::Mqtt(event) => Event::BlockListMqtt(event.into()),
RecordType::Nfs(event) => Event::BlockListNfs(event.into()),
RecordType::Ntlm(event) => Event::BlockListNtlm(event.into()),
RecordType::Rdp(event) => Event::BlockListRdp(event.into()),
RecordType::Smb(event) => Event::BlockListSmb(event.into()),
RecordType::Smtp(event) => Event::BlockListSmtp(event.into()),
RecordType::Ssh(event) => Event::BlockListSsh(event.into()),
RecordType::Tls(event) => Event::BlockListTls(event.into()),
},
}
}
Expand Down
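Review bot: The thirteen new `EventKind::BlockList*` arms in the last hunk and their matching `block_list_*_time` locals in the first hunk are identical except for the variable each arm updates, so a copy-paste slip (an arm reading or writing a sibling protocol's gate) would silently drop or duplicate one protocol's events, and every new local must also be mirrored in the `.min()` chain of the second hunk or that kind's events can fall outside the DB search window with nothing to flag it. Since this gate is what rate-limits what reaches subscribers, I would replace the per-kind locals with one map keyed by `EventKind`, pre-populated from a single `const TRACKED_KINDS: [EventKind; N]` listing every non-`Log` kind, so adding a protocol is one entry and the window start becomes `next_allowed.values().copied().min()`. That assumes `EventKind` is `Hash + Eq + Copy`; confirm in review-database before relying on it. A pre-existing concern the commit widens: `tx.unbounded_send` means the per-kind gate is the only backpressure, so a block-list burst across many protocols with a slow subscriber grows memory without bound, which deserves at least a comment if a bounded channel is not an option. `fetch_events` begins and ends outside this section.
```rust
// … unchanged: interval setup …
// One gate per streamed kind; `Log` has no entry and is never sent.
// Assumes EventKind: Hash + Eq + Copy (confirm in review-database).
let mut next_allowed: HashMap<EventKind, _> = TRACKED_KINDS
    .iter()
    .map(|&kind| (kind, start_time))
    .collect();
loop {
    itv.tick().await;
    // Select the minimum time for DB search
    let start = next_allowed.values().copied().min().unwrap_or(start_time);
    // … unchanged: iterator setup, event_time / kind extraction …
    if let Some(gate) = next_allowed.get_mut(&kind) {
        if event_time >= *gate {
            tx.unbounded_send(value.into())?;
            *gate = event_time + ADD_TIME_FOR_NEXT_COMPARE;
        }
    }
}
```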
