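orgLevelFlow_blacklistedServers_check: function(orgLevelPolicy, flow) {
// Raise (or extend) the org-level "blacklistedServersViolationAlert" when a
// flow crosses the boundary between the org's own IP space and one of the
// org's blacklisted server ranges.
//
// orgLevelPolicy.ipSubnets          comma separated list of the org's subnets
// orgLevelPolicy.blacklistedServers comma separated list of blacklisted ranges
// flow.netflow.client_addr / server_addr  the two endpoints of the flow
//
// Two cases raise the alert:
//   1. client is inside the org's subnets and server is blacklisted
//      (an org entity talking out to a blacklisted host);
//   2. server is inside the org's subnets and client is blacklisted
//      (a blacklisted host talking in to an org entity).
//
// Returns nothing; the only effect is on the `alerts` collection.
// Throws if a policy entry cannot be parsed by netaddr. This is deliberate
// (fail closed): a malformed blacklist entry must not silently disable the
// check for the ranges it was meant to cover.

var Addr = require('netaddr').Addr;
var rangeCheck = require('range_check');

// Split a comma separated policy list, tolerating surrounding whitespace and
// empty entries ("a, b,"), and parse each entry exactly once up front instead
// of re-parsing it for every (subnet, blacklist) pair during matching.
// A missing list is treated as empty (nothing to match against).
function parseList(list, label) {
  var raw = (list == null) ? "" : String(list);
  return raw.split(",")
    .map(function (entry) { return entry.trim(); })
    .filter(function (entry) { return entry.length > 0; })
    .map(function (entry) {
      try {
        return Addr(entry);
      } catch (err) {
        throw new Error("orgLevelPolicy." + label + ": cannot parse '" + entry + "': " + (err && err.message));
      }
    });
}

// True when `addr` falls inside at least one of the parsed ranges.
function inAny(ranges, addr) {
  return ranges.some(function (range) { return range.contains(addr); });
}

// Only IPv4 flows are checked; anything else passes through without a
// verdict.
// NOTE(review): this is a detection blind spot — an IPv6 flow to a
// blacklisted host is never alerted on. netaddr has no IPv6 range support
// (JS numbers cannot hold a 128-bit address), so this TODO needs another
// library or a manual comparison.
if (!(rangeCheck.isV4(flow.netflow.client_addr) && rangeCheck.isV4(flow.netflow.server_addr))) {
  return;
}

var orgSubnets = parseList(orgLevelPolicy.ipSubnets, "ipSubnets");
var blacklist = parseList(orgLevelPolicy.blacklistedServers, "blacklistedServers");

var client = Addr(flow.netflow.client_addr);
var server = Addr(flow.netflow.server_addr);

var clientInOrg = inAny(orgSubnets, client);
var serverInOrg = inAny(orgSubnets, server);

// Case 1: org client -> blacklisted server.  Case 2: blacklisted client ->
// org server.  The two cases are evaluated independently (not as an
// if / else-if on "client is in the org") so that a blacklisted range that
// overlaps the org's own subnets — e.g. a quarantined internal host — is
// still caught when it is the client side of the flow.
var violation =
  (clientInOrg && inAny(blacklist, server)) ||
  (serverInOrg && inAny(blacklist, client));
if (!violation) {
  return;
}

// Each flow is recorded exactly once, even when several overlapping subnet
// or blacklist entries match it, so flowCount stays an honest flow count
// rather than being inflated by the number of overlapping policy entries.
var selector = {
  alertLevel: "orgLevelAlert",
  alertCategory: "blacklistedServersViolationAlert",
  alertState: "open"
};
// NOTE(review): the selector is not scoped to the org, so if this runs for
// more than one policy every org's violations are appended to the same open
// alert. Confirm whether an org identifier should be part of the selector
// and of the stored alert document.
// NOTE(review): findOne followed by update/insert is not atomic; two flows
// processed concurrently can both observe "no open alert" and insert twice.
// An upsert keyed on `selector` would close that window — confirm the
// collection API in use supports it.
var communication = {
  client: flow.netflow.client_addr,
  server: flow.netflow.server_addr
};
var now = new Date();

if (alerts.findOne(selector)) {
  // Extend the open alert: bump the counter, stamp the update time and
  // record the (client, server) pair if it has not been seen yet.
  alerts.update(selector, {
    $set: { "misc.updatedTime": now },
    $inc: { flowCount: 1 },
    $addToSet: { blacklistedCommunication: communication }
  });
} else {
  // No open alert (none exists, or the last one was closed): open a new one.
  console.log("Creating new alert");
  alerts.insert({
    alertLevel: "orgLevelAlert",
    alertCategory: "blacklistedServersViolationAlert",
    alertState: "open",
    flowCount: 1,
    blacklistedCommunication: [communication],
    misc: {
      createdBy: "system",
      updatedBy: "system",
      createdTime: now,
      updatedTime: now
    }
  });
}
}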