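/**
 * Checks one netflow record against an org-level policy and records a
 * "blacklistedServersViolationAlert" when the flow crosses between the org's
 * own subnets and a blacklisted address.
 *
 * @param {Object} orgLevelPolicy - policy record; `ipSubnets` and
 *   `blacklistedServers` are comma-separated lists of IPv4 addresses/CIDRs.
 * @param {Object} flow - record with `netflow.client_addr` / `netflow.server_addr`.
 * @returns {undefined} side effect only: inserts or updates a document in `alerts`.
 */
orgLevelFlow_blacklistedServers_check: function(orgLevelPolicy, flow) {
  var Addr = require('netaddr').Addr;
  var rangeCheck = require('range_check');
  // General rules to check for blacklisted server activity:
  // 1: if client is in org's IP subnets && server is in org's blacklisted IP
  //    ==> raise alert as this means that an org's entity is trying to talk to a blacklisted entity
  // 2: if server is in org's IP subnets && client is in org's blacklisted IP
  //    ==> raise alert as this means that an outside blacklisted entity is trying to talk to an org's entity
  //
  // A matching flow is recorded exactly once, even when it matches several
  // overlapping subnets or several blacklist entries (the previous per-subnet
  // loop incremented flowCount once per matching pair). Rule 2 is applied
  // whenever the server is inside the org, including when the client sits in
  // the same subnet; the previous `else if` skipped that case.

  // Split a comma-separated policy field into trimmed, non-empty entries so a
  // stray space or trailing comma in the policy cannot make Addr() throw on "".
  function splitList(value) {
    return String(value || "")
      .split(",")
      .map(function (entry) { return entry.trim(); })
      .filter(function (entry) { return entry.length > 0; });
  }

  // True when the v4 address `ip` falls inside any address/CIDR in `ranges`.
  function inAnyRange(ranges, ip) {
    var target = Addr(ip);
    return ranges.some(function (range) {
      return Addr(range).contains(target);
    });
  }

  var clientAddr = flow.netflow.client_addr;
  var serverAddr = flow.netflow.server_addr;

  // only check for ipv4 addresses for now.
  // @TODO: Implement ipv6 range check also. Note: netAddr does not support ipv6 range owing to JS int 64bit / 128bit not existing
  if (!rangeCheck.isV4(clientAddr) || !rangeCheck.isV4(serverAddr)) {
    return;
  }

  var orgLevelIpSubnets = splitList(orgLevelPolicy.ipSubnets);
  var orgLevelBlacklistedServers = splitList(orgLevelPolicy.blacklistedServers);

  var clientInOrg = inAnyRange(orgLevelIpSubnets, clientAddr);
  var serverInOrg = inAnyRange(orgLevelIpSubnets, serverAddr);
  var violation =
    (clientInOrg && inAnyRange(orgLevelBlacklistedServers, serverAddr)) || // rule 1
    (serverInOrg && inAnyRange(orgLevelBlacklistedServers, clientAddr));   // rule 2
  if (!violation) {
    return;
  }

  // NOTE(review): the selector is not scoped to orgLevelPolicy, so every org's
  // violations land in the same open alert — confirm that is intended.
  var openAlertSelector = {
    alertLevel: "orgLevelAlert",
    alertCategory: "blacklistedServersViolationAlert",
    alertState: "open"
  };
  // Key order matters: $addToSet compares whole sub-documents, so keep
  // {client, server} in this order everywhere the pair is stored.
  var communication = { client: clientAddr, server: serverAddr };
  var now = new Date();

  // if there exists an open alert, then append to that alert.
  // (findOne + insert is not atomic: two flows processed concurrently could
  // each open an alert; an upsert would close that window.)
  if (alerts.findOne(openAlertSelector)) {
    alerts.update(openAlertSelector, {
      $set: { "misc.updatedTime": now },
      $inc: { flowCount: 1 },
      $addToSet: { blacklistedCommunication: communication }
    });
  } else {
    // if there is a closed alert, or no alert at all, open a new one.
    console.log("Creating new alert");
    alerts.insert({
      alertLevel: "orgLevelAlert",
      alertCategory: "blacklistedServersViolationAlert",
      alertState: "open",
      flowCount: 1,
      blacklistedCommunication: [communication],
      misc: {
        createdBy: "system",
        updatedBy: "system",
        createdTime: now,
        updatedTime: now
      }
    });
  }
}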