Feature: Add 'targets' section into timeline (Redmine issue: #6257)

ffdb1f60 · Jakub Maloštík · 730adabb · ffdb1f60 · ffdb1f60 · ffdb1f60
Commit ffdb1f60 authored 2 years ago by Jakub Maloštík
--- a/lib/hawat/blueprints/design_bs3/templates/_macros_chart.html
+++ b/lib/hawat/blueprints/design_bs3/templates/_macros_chart.html
@@ -814,6 +814,7 @@
        ('detectorsws',    _('detector software')),
        ('detector_types', _('detector tags')),
        ('sources',        _('sources')),
+        ('targets',        _('targets')),
        ('source_ports',   _('source ports')),
        ('target_ports',   _('target ports')),
        ('protocols',      _('protocols')),
@@ -923,6 +924,13 @@
            'multi',
            'ips'
        ),
+        (
+            'targets',
+            _('Number of events per target IP'),
+            _('This view shows total numbers of IDEA events aggregated according to a <em>target IP address</em>. Because an event may contain multiple <em>target IP addresses</em>, the total numbers in these charts may differ from the total number of events displayed in the table above.'),
+            'multi',
+            'ips'
+        ),
        (
            'source_ports',
            _('Number of events per source port'),

--- a/lib/hawat/blueprints/timeline/__init__.py
+++ b/lib/hawat/blueprints/timeline/__init__.py
@@ -47,7 +47,7 @@ BLUEPRINT_NAME = 'timeline'
 AGGREGATIONS = (
    (mentat.stats.idea.ST_SKEY_CATEGORIES, {}, {"aggr_set": "category"}),
    (mentat.stats.idea.ST_SKEY_SOURCES, {}, {"aggr_set": "source_ip"}),
-    # ('', {"aggr_set": "target_ip"}),
+    (mentat.stats.idea.ST_SKEY_TARGETS, {}, {"aggr_set": "target_ip"}),
    (mentat.stats.idea.ST_SKEY_SRCPORTS, {}, {"aggr_set": "source_port"}),
    (mentat.stats.idea.ST_SKEY_TGTPORTS, {}, {"aggr_set": "target_port"}),
    (mentat.stats.idea.ST_SKEY_SRCTYPES, {}, {"aggr_set": "source_type"}),

--- a/lib/mentat/stats/idea.py
+++ b/lib/mentat/stats/idea.py
@@ -40,6 +40,7 @@ ST_OVERALL  = 'stats_overall'
 # Literal constants for keywords of calculated statistics.
 #
 ST_SKEY_SOURCES     = 'sources'
+ST_SKEY_TARGETS     = 'targets'
 ST_SKEY_IP4S        = 'ip4s'
 ST_SKEY_IP6S        = 'ip6s'
 ST_SKEY_ANALYZERS   = 'analyzers'
@@ -91,6 +92,7 @@ LIST_STAT_GROUPS = (
 LIST_AGGREGATIONS = (
    [ST_SKEY_SOURCES,    ('Source.IP4', 'Source.IP6'),                                   KEY_UNKNOWN],
+    [ST_SKEY_TARGETS,    ('Target.IP4', 'Target.IP6'),                                   KEY_UNKNOWN],
    #[ST_SKEY_IP4S,      ('Source.IP4',),                                                KEY_UNKNOWN],
    #[ST_SKEY_IP6S,      ('Source.IP6',),                                                KEY_UNKNOWN],
    [ST_SKEY_ANALYZERS,  ('Node[#].SW',),                                                KEY_UNKNOWN],

--- a/lib/mentat/stats/test_idea.py
+++ b/lib/mentat/stats/test_idea.py
@@ -40,6 +40,12 @@ class TestMentatStatsIdea(unittest.TestCase):
                    "IP6": ["2001:db8::ff00:42:0/112"]
                }
            ],
+            "Target": [
+                {
+                    "IP4": ["192.168.1.2-192.168.1.5", "192.168.1.0/25"],
+                    "IP6": ["2001:db8::ff01:42:0/112"]
+                }
+            ],
            "Node": [
                {
                    "Name": "org.example.kippo",
@@ -92,6 +98,12 @@ class TestMentatStatsIdea(unittest.TestCase):
                    "IP6": ["2001:db8::ff00:42:0/112"]
                }
            ],
+            "Target": [
+                {
+                    "IP4": ["192.168.1.2-192.168.1.5", "192.168.1.0/25"],
+                    "IP6": ["2001:db8::ff01:42:0/112"]
+                }
+            ],
            "Node": [
                {
                    "Name": "org.example.dionaea",
@@ -137,6 +149,11 @@ class TestMentatStatsIdea(unittest.TestCase):
                    "IP4": ["192.168.0.109", "192.168.0.200"]
                }
            ],
+            "Target": [
+                {
+                    "IP4": ["192.168.1.109", "192.168.1.200"]
+                }
+            ],
            "Node": [
                {
                    "Name": "org.example.labrea",
@@ -400,6 +417,14 @@ class TestMentatStatsIdea(unittest.TestCase):
                '192.172.0.200': 1,
                '2001:db8::ff00:42:0/112': 3
            },
+            'targets': {
+                '192.168.1.2-192.168.1.5': 2,
+                '192.168.1.0/25': 2,
+                '2001:db8::ff01:42:0/112': 2,
+                '192.168.1.109': 1,
+                '192.168.1.200': 1,
+                '__unknown__': 3
+            },
            'list_ids': ['msg01', 'msg02', 'msg03', 'msg04', 'msg05', 'msg06'],
            'severities': {'__unknown__': 6}
        })
@@ -429,6 +454,7 @@ class TestMentatStatsIdea(unittest.TestCase):
                                'cz.cesnet.holly/Beekeeper': 1,
                                'org.example.kippo/Kippo': 2},
                'sources': {'192.168.0.0/25': 3, '192.168.0.2-192.168.0.5': 3, '__REST__': 9},
+                'targets': {'__unknown__': 3, '192.168.1.0/25': 2, '__REST__': 6},
                'severities': {'__unknown__': 6}
            }
        )
@@ -457,6 +483,7 @@ class TestMentatStatsIdea(unittest.TestCase):
                                'org.example.kippo/Kippo': 2,
                                'org.example.labrea/LaBrea': 1},
                'sources': {'192.168.0.0/25': 3, '__REST__': 12},
+                'targets': {'__unknown__': 3, '__REST__': 8},
                'severities': {'__unknown__': 6}
            }
        )
@@ -510,6 +537,8 @@ class TestMentatStatsIdea(unittest.TestCase):
                        'Source': [{'IP4': ['192.168.0.2-192.168.0.5', '192.168.0.0/25'],
                                    'IP6': ['2001:db8::ff00:42:0/112'],
                                    'Type': ['Phishing']}],
+                        'Target': [{'IP4': ['192.168.1.2-192.168.1.5', '192.168.1.0/25'],
+                                    'IP6': ['2001:db8::ff01:42:0/112']}],
                        '_Mentat': {'ResolvedAbuses': ['abuse@cesnet.cz']}
                    },
                    {
@@ -538,6 +567,8 @@ class TestMentatStatsIdea(unittest.TestCase):
                        'Source': [{'IP4': ['192.168.0.2-192.168.0.5', '192.168.0.0/25'],
                                    'IP6': ['2001:db8::ff00:42:0/112'],
                                    'Type': ['Phishing']}],
+                        'Target': [{'IP4': ['192.168.1.2-192.168.1.5', '192.168.1.0/25'],
+                                    'IP6': ['2001:db8::ff01:42:0/112']}],
                        '_Mentat': {'ResolvedAbuses': ['abuse@cesnet.cz']}
                    },
                    {
@@ -551,6 +582,7 @@ class TestMentatStatsIdea(unittest.TestCase):
                                  'Tags': ['Protocol', 'Honeypot']}],
                        'Source': [{'IP4': ['192.168.0.109', '192.168.0.200'],
                                    'Type': ['Exploit']}],
+                        'Target': [{"IP4": ["192.168.1.109", "192.168.1.200"]}],
                        '_Mentat': {'ResolvedAbuses': ['abuse@cesnet.cz']}
                    }
                ],
@@ -567,6 +599,8 @@ class TestMentatStatsIdea(unittest.TestCase):
                        'Source': [{'IP4': ['192.168.0.2-192.168.0.5', '192.168.0.0/25'],
                                    'IP6': ['2001:db8::ff00:42:0/112'],
                                    'Type': ['Phishing']}],
+                        'Target': [{'IP4': ['192.168.1.2-192.168.1.5', '192.168.1.0/25'],
+                                    'IP6': ['2001:db8::ff01:42:0/112']}],
                        '_Mentat': {'ResolvedAbuses': ['abuse@cesnet.cz']}
                    },
                    {
@@ -595,6 +629,8 @@ class TestMentatStatsIdea(unittest.TestCase):
                        'Source': [{'IP4': ['192.168.0.2-192.168.0.5', '192.168.0.0/25'],
                                    'IP6': ['2001:db8::ff00:42:0/112'],
                                    'Type': ['Phishing']}],
+                        'Target': [{'IP4': ['192.168.1.2-192.168.1.5', '192.168.1.0/25'],
+                                    'IP6': ['2001:db8::ff01:42:0/112']}],
                        '_Mentat': {'ResolvedAbuses': ['abuse@cesnet.cz']}
                    },
                    {
@@ -620,6 +656,7 @@ class TestMentatStatsIdea(unittest.TestCase):
                                  'Tags': ['Protocol', 'Honeypot']}],
                        'Source': [{'IP4': ['192.168.0.109', '192.168.0.200'],
                                    'Type': ['Exploit']}],
+                        'Target': [{'IP4': ['192.168.1.109', '192.168.1.200']}],
                        '_Mentat': {'ResolvedAbuses': ['abuse@cesnet.cz']}
                    },
                    {
@@ -699,6 +736,12 @@ class TestMentatStatsIdea(unittest.TestCase):
                            '192.172.0.109': 3,
                            '192.172.0.200': 3,
                            '2001:db8::ff00:42:0/112': 9},
+                'targets': {'192.168.1.2-192.168.1.5': 6,
+                            '192.168.1.0/25': 6,
+                            '2001:db8::ff01:42:0/112': 6,
+                            '192.168.1.109': 3,
+                            '192.168.1.200': 3,
+                            '__unknown__': 9},
                'severities': {'__unknown__': 18}
            }
        )