Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

support OFFICE_NETWORKS and format title with [] #48

Merged
merged 2 commits into from
Apr 28, 2020
Merged

support OFFICE_NETWORKS and format title with [] #48

merged 2 commits into from
Apr 28, 2020

Conversation

jacknagz
Copy link
Contributor

Background

Just doing some tuning

Changes

  • Support multiple office networks from non-office-logins
  • Support /32 networks
  • Tune the alert titles

Testing

  • Panther Analysis Tool

austinbyers
austinbyers reviewed Apr 20, 2020
View reviewed changes
osquery_rules/linux/osquery_linux_logins_non_office.py Outdated

return False
return any(non_office_logins)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I'm understanding this correctly, we're creating a list of bools and then checking for any True values in that list? Makes more sense (and more efficient) to just return True immediately when we find one:

for office_network in OFFICE_NETWORKS:
    # Check the case where the OFFICE_NETWORK is a /32
    if office_network.num_addresses == 1 and office_network.network_address != host_ipaddr:
        return True
    elif host_ipaddr not in office_network.hosts():
        return True

return False

Copy link
Contributor

@nhakmiller nhakmiller Apr 20, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we actually want to have return not any(non_office_logins), because as long as the IP address is from one of the office IP spaces we're happy right? So maybe:

for office_network in OFFICE_NETWORKS:
    # Check the case where the OFFICE_NETWORK is a /32
    if office_network.num_addresses == 1 and office_network.network_address == host_ipaddr:
        return False
    elif host_ipaddr in office_network.hosts():
        return False

return True

nhakmiller
nhakmiller approved these changes Apr 20, 2020
View reviewed changes
Copy link
Contributor

@nhakmiller nhakmiller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One minor suggestion.

osquery_rules/linux/osquery_linux_logins_non_office.py Outdated
Comment on lines 21 to 28
for office_network in OFFICE_NETWORKS:
# Check the case where the OFFICE_NETWORK is a /32
if office_network.num_addresses == 1:
non_office_logins.append(
office_network.network_address != host_ipaddr)
# Check all possible hosts in the office subnet
else:
non_office_logins.append(host_ipaddr not in office_network.hosts())
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you just check for host_ipaddr not in office_network on as opposed to host_ipaddr not in office_network.hosts() on line 28, you don't need the special case for a /32:

>>> import ipaddress
>>> office_networks = [ipaddress.ip_network('192.168.1.100/32'), ipaddress.ip_network('192.168.1.0/24')]
>>> host_ipaddr = ipaddress.IPv4Address('192.168.1.100')
>>> for office_network in office_networks:
...     print(host_ipaddr in office_network)
...
True
True
>>>

I'm not sure which one if more memory/time efficient under the hood for large subnets, I imagine they are about similar though. But I think without the special case the code is more clear.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also holds true for public IP address spaces:

>>> office_networks = [ipaddress.ip_network('100.100.100.100/32'), ipaddress.ip_network('100.100.100.0/24')]
>>> host_ipaddr = ipaddress.IPv4Address('100.100.100.100')
>>> for office_network in office_networks:
...     print(host_ipaddr in office_network)
...
True
True
>>>

@jacknagz jacknagz force-pushed the jacknaglieri-osquery-tuning-420 branch from d8c27b2 to d46d8ff Compare April 28, 2020 23:01
@jacknagz jacknagz force-pushed the jacknaglieri-osquery-tuning-420 branch from d46d8ff to 5f3e911 Compare April 28, 2020 23:02
@jacknagz jacknagz merged commit 5bfd817 into master Apr 28, 2020
@jacknagz jacknagz deleted the jacknaglieri-osquery-tuning-420 branch April 28, 2020 23:04
melenevskyi pushed a commit that referenced this pull request Dec 12, 2023
@lindsey-w
Update to yaml verification (#48)
e5c970d 
* add a check for invalid json/yaml, add file with errors to the invalid specs list

* remove unnecessary else

* convert to ruamel, which more strictly conforms to yaml spec

* replace pyyaml with ruamel in setup script

* remove duplicate error check
egibs pushed a commit that referenced this pull request Jan 23, 2024
Revert changes to aws_ami_modified_for_public_access.py/.yml (#48)
207d3fc
egibs pushed a commit that referenced this pull request Jan 23, 2024
[sync] Revert changes to aws_ami_modified_for_public_access.py/.yml (#48
5aa65f5 
) (#1067)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nhakmiller nhakmiller nhakmiller approved these changes

@austinbyers austinbyers austinbyers left review comments

@kostaspap kostaspap Awaiting requested review from kostaspap

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jacknagz @austinbyers @nhakmiller