fix evidence not counting for the correct profile #1044

6 changes: 3 additions & 3 deletions config/slips.yaml
Expand Up @@ -172,9 +172,9 @@ detection:
modules:
# List of modules to ignore. By default we always ignore the template! do not remove it from the list
# Names of other modules that you can disable (they all should be lowercase with no special characters):
# threatintelligence, blocking,
# networkdiscovery, timeline, virustotal, rnnccdetection, flowmldetection, updatemanager
disable: "[template]"
# threatintelligence, blocking, networkdiscovery, timeline, virustotal,
# rnnccdetection, flowmldetection, updatemanager
disable: [template]

# For each line in timeline file there is a timestamp.
# By default the timestamp is seconds in unix time. However
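Review bot: The comment above `disable` does not say that the value is now a YAML list rather than the quoted string older configs used, so a user upgrading with `disable: "[template]"` gets no hint that the format changed. A line such as `# Must be a YAML list, e.g. disable: [template, blocking]  (the old quoted-string form is no longer parsed)` would make the migration visible at the place people edit. The `modules:` mapping continues past this hunk.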
2 changes: 1 addition & 1 deletion modules/arp/arp.py
Expand Up @@ -433,7 +433,7 @@ def detect_mitm_arp_attack(self, twid: str, flow):
threat_level=threat_level,
confidence=confidence,
description=description,
profile=ProfileID(ip=saddr),
profile=ProfileID(ip=attackers_ip),
timewindow=TimeWindow(
number=int(twid.replace("timewindow", ""))
),
8 changes: 4 additions & 4 deletions modules/flowalerts/set_evidence.py
Expand Up @@ -38,7 +38,7 @@ def doh(self, twid, flow):
victim_type=IoCType.IP,
value=flow.saddr,
),
profile=ProfileID(ip=flow.saddr),
profile=ProfileID(ip=flow.daddr),
timewindow=TimeWindow(number=twid_number),
uid=[flow.uid],
timestamp=flow.starttime,
Expand Down Expand Up @@ -199,7 +199,7 @@ def different_localnet_usage(self, twid, flow, ip_outside_localnet=""):
threat_level=threat_level,
description=description,
victim=victim,
profile=ProfileID(ip=flow.saddr),
profile=ProfileID(ip=attacker.value),
timewindow=TimeWindow(number=twid_number),
uid=[flow.uid],
timestamp=flow.starttime,
Expand Down Expand Up @@ -872,7 +872,7 @@ def self_signed_certificates(self, twid, flow) -> None:
threat_level=ThreatLevel.LOW,
confidence=confidence,
description=description,
profile=ProfileID(ip=flow.saddr),
profile=ProfileID(ip=flow.daddr),
timewindow=TimeWindow(number=twid),
uid=[flow.uid],
timestamp=flow.starttime,
Expand Down Expand Up @@ -1369,7 +1369,7 @@ def malicious_ssl(self, twid, flow, ssl_info_from_db: str) -> None:
threat_level=ThreatLevel.LOW,
confidence=confidence,
description=description,
profile=ProfileID(ip=flow.daddr),
profile=ProfileID(ip=flow.saddr),
timewindow=TimeWindow(number=int(twid.replace("timewindow", ""))),
uid=[flow.uid],
timestamp=flow.starttime,
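Review bot: Nothing in these hunks ties `profile` to `attacker`, so the four attribution fixes in this file can regress silently: in `doh` the profile is now `flow.daddr` while the visible `victim` is `flow.saddr`, and `malicious_ssl` flips in the opposite direction (`daddr` to `saddr`) from `self_signed_certificates` with no comment saying which endpoint is treated as the attacker. Where the attacker object is already built, as in `different_localnet_usage`, `profile=ProfileID(ip=attacker.value)` is the robust form; the other call sites would be safer written the same way, or at least carry a comment such as `# profile must be the attacker's IP so the threat level accumulates on the right profile`. Each of these functions starts before its hunk, so whether an `attacker` object exists at those sites is not visible here.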
2 changes: 1 addition & 1 deletion modules/threat_intelligence/threat_intelligence.py
Expand Up @@ -1132,7 +1132,7 @@ def set_evidence_malicious_hash(self, file_info: Dict[str, any]):
threat_level=threat_level,
confidence=confidence,
description=description,
profile=ProfileID(ip=srcip),
profile=ProfileID(ip=daddr),
timewindow=twid,
uid=[file_info["flow"]["uid"]],
timestamp=ts,
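Review bot: `set_evidence_malicious_hash` now keys the profile on `daddr`, but the hunk shows neither where `daddr` is taken from `file_info` nor whether the `attacker` of this evidence is the same endpoint, so a reader cannot check that the profile and attacker agree. A comment on the changed line, `# the host that served the malicious file is the attacker; the profile must match it`, would state the intended invariant. The function begins before this hunk.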
2 changes: 1 addition & 1 deletion modules/threat_intelligence/urlhaus.py
Expand Up @@ -296,7 +296,7 @@ def set_evidence_malicious_url(
confidence=0.7,
description=description,
timestamp=timestamp,
profile=ProfileID(ip=saddr),
profile=ProfileID(ip=daddr),
timewindow=TimeWindow(number=twid_int),
uid=[uid],
)
9 changes: 2 additions & 7 deletions slips_files/common/parsers/config_parser.py
Expand Up @@ -608,14 +608,9 @@ def get_disabled_modules(self, input_type: str) -> list:
"""
Uses input type to enable leak detector only on pcaps
"""
to_ignore: str = self.read_configuration(
"modules", "disable", "[template]"
to_ignore: List[str] = self.read_configuration(
"modules", "disable", ["template"]
)

to_ignore: list = (
to_ignore.replace("[", "").replace("]", "").split(",")
)

to_ignore = [mod.strip() for mod in to_ignore]

# Ignore exporting alerts module if export_to is empty
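Review bot: A config that still uses the old string form `disable: "[template]"` now breaks silently: `read_configuration` returns a `str`, and the surviving comprehension `[mod.strip() for mod in to_ignore]` iterates it character by character, so `template` is no longer disabled and any module the user meant to switch off keeps running. A compatibility shim before the comprehension keeps both forms working: `if isinstance(to_ignore, str): to_ignore = to_ignore.strip("[]").split(",")`. The new `List[str]` annotation also needs `List` from `typing` in scope, which this hunk does not show. `get_disabled_modules` continues past the hunk.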
3 changes: 2 additions & 1 deletion slips_files/core/database/redis_db/alert_handler.py
Expand Up @@ -328,7 +328,8 @@ def update_accumulated_threat_level(
:param update_val: can be +ve to increase the threat level or -ve
to decrease
"""
self.r.zincrby(

return self.r.zincrby(
"accumulated_threat_levels",
update_val,
f"{profileid}_{twid}",
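Review bot: The method now returns the result of `zincrby`, but the docstring at the top of the hunk documents only the parameters; a line such as `:return: the new accumulated threat level for profileid/twid, as returned by ZINCRBY` would tell callers the value is the post-increment score. redis-py's `zincrby` returns a float, which matches the `-> float` annotation on the caller in evidencehandler.py, but `self.r` is not visible here, so that is worth stating in the docstring. The blank line inserted between the docstring and the `return` is a small style nit. `update_accumulated_threat_level` begins before this hunk.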
14 changes: 5 additions & 9 deletions slips_files/core/evidencehandler.py
Expand Up @@ -577,17 +577,12 @@ def update_accumulated_threat_level(self, evidence: Evidence) -> float:
update the accumulated threat level of the profileid and twid of
the given evidence and return the updated value
"""
profileid: str = str(evidence.profile)
twid: str = str(evidence.timewindow)
evidence_threat_level: float = self.get_threat_level(evidence)

self.db.update_accumulated_threat_level(
profileid, twid, evidence_threat_level
)
accumulated_threat_level: float = self.db.get_accumulated_threat_level(
profileid, twid
return self.db.update_accumulated_threat_level(
str(evidence.profile),
str(evidence.timewindow),
evidence_threat_level,
)
return accumulated_threat_level

def show_popup(self, alert: Alert):
alert_description: str = self.get_alert_time_description(alert)
Expand Down Expand Up @@ -656,6 +651,7 @@ def main(self):
profileid, twid
)
)
# filtered evidence dont add to the acc threat level
if not self.is_filtered_evidence(evidence, past_evidence_ids):
accumulated_threat_level: float = (
self.update_accumulated_threat_level(evidence)
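Review bot: Returning the `zincrby` result directly removes the non-atomic increment-then-read of the old code, but the reason is not recorded, so a later change could reintroduce the separate `get_accumulated_threat_level` read; a why-comment on the `return`, `# ZINCRBY returns the post-increment score atomically; a separate read could observe another worker's update`, would preserve it. This also relies on `self.db.update_accumulated_threat_level` propagating the return value from the redis layer, which is not visible in this file. In the second hunk the new comment reads `# filtered evidence dont add to the acc threat level`; `# filtered evidence does not add to the accumulated threat level` is clearer. `main` continues past the hunk.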
2 changes: 1 addition & 1 deletion tests/integration_tests/test.yaml
Expand Up @@ -141,7 +141,7 @@ detection:

modules:
# List of modules to ignore. By default we always ignore the template! do not remove it from the list
disable : "[template , ensembling, Flow ML Detection, Update Manager]"
disable : [template, ensembling, Flow ML Detection, Update Manager]
# Names of other modules that you can disable: ensembling, threat_intelligence, blocking,
# portscan_detector, timeline, virustotal, rnn-cc-detection, flowmldetection

2 changes: 1 addition & 1 deletion tests/integration_tests/test2.yaml
Expand Up @@ -173,7 +173,7 @@ modules:
# Names of other modules that you can disable (they all should be lowercase with no special characters):
# ensembling, threatintelligence, blocking,
# networkdiscovery, timeline, virustotal, rnnccdetection, flowmldetection, updatemanager
disable: "[template , ensembling, Flow ML Detection, Update Manager]"
disable: [template, ensembling, Flow ML Detection, Update Manager]

# For each line in timeline file there is a timestamp.
# By default the timestamp is seconds in unix time. However
12 changes: 9 additions & 3 deletions tests/test_set_evidence.py
Expand Up @@ -223,7 +223,8 @@ def test_different_localnet_usage(
expected_threat_level,
expected_description,
):
"""Testing different scenarios for different_localnet_usage method:
"""
Testing different scenarios for different_localnet_usage method:
- src IP outside localnet
- dst IP outside localnet using ARP
- dst IP outside localnet using port
Expand Down Expand Up @@ -251,6 +252,11 @@ def test_different_localnet_usage(
state="Established",
history="",
)
if expected_attacker_direction == Direction.SRC:
profile_ip = flow.saddr
else:
profile_ip = flow.daddr

set_ev.different_localnet_usage(
"timewindow3",
flow,
Expand All @@ -264,7 +270,7 @@ def test_different_localnet_usage(
assert evidence.attacker.direction == expected_attacker_direction
assert evidence.victim.direction == expected_victim_direction
assert evidence.threat_level == expected_threat_level
assert evidence.profile.ip == flow.saddr
assert evidence.profile.ip == profile_ip
assert evidence.timewindow.number == 3
assert evidence.uid == [flow.uid]
assert evidence.description == expected_description
Expand Down Expand Up @@ -1787,7 +1793,7 @@ def test_doh(attacker_ip, victim_ip, profile_ip):
assert evidence.attacker.value == attacker_ip
assert evidence.victim.value == victim_ip
assert evidence.threat_level == ThreatLevel.INFO
assert evidence.profile.ip == profile_ip
assert evidence.profile.ip == attacker_ip
assert evidence.timewindow.number == 1
assert evidence.uid == [flow.uid]

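Review bot: `test_doh` still takes a `profile_ip` parameter, but the assertion now compares against `attacker_ip`, so `profile_ip` is dead and its parametrize values no longer exercise anything; either drop it from the signature and the parametrize, or keep the intent explicit with `assert evidence.profile.ip == attacker_ip == profile_ip`. The parametrize decorator and the start of `test_doh` are outside the hunk. In `test_different_localnet_usage`, selecting `profile_ip` from `expected_attacker_direction` mirrors the production rule, which is fine, but a short comment such as `# the profile must follow the attacker, whichever direction it is` would say why the test derives it that way.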