Initial Commit

naxsi-0.55.3/nxapi/nxtool.py

@@ -0,0 +1,479 @@
+#!/usr/bin/env python
+
+import glob, fcntl, termios
+import sys
+import socket
+import elasticsearch
+import time
+import os
+import tempfile
+import subprocess
+import json
+
+from collections import defaultdict
+from optparse import OptionParser, OptionGroup
+from nxapi.nxtransform import *
+from nxapi.nxparse import *
+
+F_SETPIPE_SZ = 1031  # Linux 2.6.35+
+F_GETPIPE_SZ = 1032  # Linux 2.6.35+
+
+
+def open_fifo(fifo):
+    try:
+        os.mkfifo(fifo)
+    except OSError:
+        print "Fifo ["+fifo+"] already exists (non fatal)."
+    except Exception, e:
+        print "Unable to create fifo ["+fifo+"]"
+    try:
+        print "Opening fifo ... will return when data is available."
+        fifo_fd = open(fifo, 'r')
+        fcntl.fcntl(fifo_fd, F_SETPIPE_SZ, 1000000)
+        print "Pipe (modified) size : "+str(fcntl.fcntl(fifo_fd, F_GETPIPE_SZ))
+    except Exception, e:
+        print "Unable to create fifo, error: "+str(e)
+        return None
+    return fifo_fd
+
+def macquire(line):
+    z = parser.parse_raw_line(line)
+    # add data str and country
+    if z is not None:
+        for event in z['events']:
+            event['date'] = z['date']
+            try:
+                event['coords'] = geoloc.ip2ll(event['ip'])
+                event['country'] = geoloc.ip2cc(event['ip'])
+            except NameError:
+                pass
+        # print "Got data :)"
+        # pprint.pprint(z)
+        #print ".",
+        print z
+        injector.insert(z)
+    else:
+        pass
+        #print "No data ? "+line
+    #print ""
+
+
+
+opt = OptionParser()
+# group : config
+p = OptionGroup(opt, "Configuration options")
+p.add_option('-c', '--config', dest="cfg_path", default="/usr/local/etc/nxapi.json", help="Path to nxapi.json (config).")
+p.add_option('--colors', dest="colors", action="store_false", default="true", help="Disable output colorz.")
+# p.add_option('-q', '--quiet', dest="quiet_flag", action="store_true", help="Be quiet.")
+# p.add_option('-v', '--verbose', dest="verb_flag", action="store_true", help="Be verbose.")
+opt.add_option_group(p)
+# group : in option
+p = OptionGroup(opt, "Input options (log acquisition)")
+p.add_option('--files', dest="files_in", help="Path to log files to parse.")
+p.add_option('--fifo', dest="fifo_in", help="Path to a FIFO to be created & read from. [infinite]")
+p.add_option('--stdin', dest="stdin", action="store_true", help="Read from stdin.")
+p.add_option('--no-timeout', dest="infinite_flag", action="store_true", help="Disable timeout on read operations (stdin/fifo).")
+p.add_option('--syslog', dest="syslog_in", action="store_true", help="Listen on tcp port for syslog logging.")
+opt.add_option_group(p)
+# group : filtering
+p = OptionGroup(opt, "Filtering options (for whitelist generation)")
+p.add_option('-s', '--server', dest="server", help="FQDN to which we should restrict operations.")
+p.add_option('--filter', dest="filter", action="append", help="This option specify a filter for each type of filter, filter are merge with existing templates/filters. (--filter 'uri /foobar')")
+opt.add_option_group(p)
+# group : tagging
+p = OptionGroup(opt, "Tagging options (tag existing events in database)")
+p.add_option('-w', '--whitelist-path', dest="wl_file", help="A path to whitelist file, will find matching events in DB.")
+p.add_option('-i', '--ip-path', dest="ips", help="A path to IP list file, will find matching events in DB.")
+p.add_option('--tag', dest="tag", action="store_true", help="Actually tag matching items in DB.")
+opt.add_option_group(p)
+# group : whitelist generation
+p = OptionGroup(opt, "Whitelist Generation")
+p.add_option('-f', '--full-auto', dest="full_auto", action="store_true", help="Attempt fully automatic whitelist generation process.")
+p.add_option('-t', '--template', dest="template", help="Path to template to apply.")
+p.add_option('--slack', dest="slack", action="store_false", help="Enables less strict mode.")
+p.add_option('--type', dest="type_wl", action="store_true", help="Generate whitelists based on param type")
+opt.add_option_group(p)
+# group : statistics
+p = OptionGroup(opt, "Statistics Generation")
+p.add_option('-x', '--stats', dest="stats", action="store_true", help="Generate statistics about current's db content.")
+opt.add_option_group(p)
+# group : interactive generation
+p = OptionGroup(opt, "Interactive Whitelists Generation")
+p.add_option('-g', '--interactive-generation', dest="int_gen", action="store_true", help="Use your favorite text editor for whitelist generation.")
+opt.add_option_group(p)
+
+(options, args) = opt.parse_args()
+
+
+try:
+    cfg = NxConfig(options.cfg_path)
+except ValueError:
+    sys.exit(-1)
+
+if options.server is not None:
+    cfg.cfg["global_filters"]["server"] = options.server
+
+# https://github.com/nbs-system/naxsi/issues/231
+mutally_exclusive = ['stats', 'full_auto', 'template', 'wl_file', 'ips', 'files_in', 'fifo_in', 'syslog_in']
+count=0
+for x in mutally_exclusive:
+    if options.ensure_value(x, None) is not None:
+        count += 1
+if count > 1:
+    print "Mutually exclusive options are present (ie. import and stats), aborting."
+    sys.exit(-1)
+
+
+cfg.cfg["output"]["colors"] = "false" if options.int_gen else str(options.colors).lower()
+cfg.cfg["naxsi"]["strict"] = str(options.slack).lower()
+
+def get_filter(arg_filter):
+    x = {}
+    to_parse = []
+    kwlist = ['server', 'uri', 'zone', 'var_name', 'ip', 'id', 'content', 'country', 'date',
+              '?server', '?uri', '?var_name', '?content']
+    try:
+        for argstr in arg_filter:
+            argstr = ' '.join(argstr.split())
+            to_parse += argstr.split(' ')
+        if [a for a in kwlist if a in to_parse]:
+            for kw in to_parse:
+                if kw in kwlist:
+                    x[kw] = to_parse[to_parse.index(kw)+1]
+        else:
+            raise
+    except:
+        logging.critical('option --filter must have at least one option')
+        sys.exit(-1)
+    return x
+
+if options.filter is not None:
+    cfg.cfg["global_filters"].update(get_filter(options.filter))
+
+try:
+    use_ssl = bool(cfg.cfg["elastic"]["use_ssl"])
+except KeyError:
+    use_ssl = False
+    
+es = elasticsearch.Elasticsearch(cfg.cfg["elastic"]["host"], use_ssl=use_ssl)
+# Get ES version from the client and avail it at cfg
+es_version =  es.info()['version'].get('number', None)
+if es_version is not None:
+    cfg.cfg["elastic"]["version"] = es_version.split(".")[0]
+if cfg.cfg["elastic"].get("version", None) is None:
+    print "Failed to get version from ES, Specify version ['1'/'2'/'5'] in [elasticsearch] section"
+    sys.exit(-1)
+
+translate = NxTranslate(es, cfg)
+
+
+
+if options.type_wl is True:
+    translate.wl_on_type()
+    sys.exit(0)
+
+# whitelist generation options
+if options.full_auto is True:
+    translate.load_cr_file(translate.cfg["naxsi"]["rules_path"])
+    results = translate.full_auto()
+    if results:
+        for result in results:
+            print "{0}".format(result)
+    else:
+        print "No hits for this filter."
+        sys.exit(1)
+    sys.exit(0)
+
+if options.template is not None:
+    scoring = NxRating(cfg.cfg, es, translate)
+
+    tpls = translate.expand_tpl_path(options.template)
+    gstats = {}
+    if len(tpls) <= 0:
+        print "No template matching"
+        sys.exit(1)
+    # prepare statistics for global scope
+    scoring.refresh_scope('global', translate.tpl2esq(cfg.cfg["global_filters"]))
+    for tpl_f in tpls:
+        scoring.refresh_scope('rule', {})
+        scoring.refresh_scope('template', {})
+
+        print translate.grn.format("#Loading tpl '"+tpl_f+"'")
+        tpl = translate.load_tpl_file(tpl_f)
+        # prepare statistics for filter scope
+        scoring.refresh_scope('template', translate.tpl2esq(tpl))
+        #pprint.pprint(tpl)
+        print "Hits of template : "+str(scoring.get('template', 'total'))
+
+        whitelists = translate.gen_wl(tpl, rule={})
+        print str(len(whitelists))+" whitelists ..."
+        for genrule in whitelists:
+            #pprint.pprint(genrule)
+            scoring.refresh_scope('rule', genrule['rule'])
+            scores = scoring.check_rule_score(tpl)
+            if (len(scores['success']) > len(scores['warnings']) and scores['deny'] == False) or cfg.cfg["naxsi"]["strict"] == "false":
+                #print "?deny "+str(scores['deny'])
+                print translate.fancy_display(genrule, scores, tpl)
+                print translate.grn.format(translate.tpl2wl(genrule['rule'], tpl)).encode('utf-8')
+    sys.exit(0)
+
+# tagging options
+
+if options.wl_file is not None and options.server is None:
+    print translate.red.format("Cannot tag events in database without a server name !")
+    sys.exit(2)
+
+if options.wl_file is not None:
+    wl_files = []
+    wl_files.extend(glob.glob(options.wl_file))
+    count = 0
+    for wlf in wl_files:
+        print translate.grn.format("#Loading tpl '"+wlf+"'")
+        try:
+            wlfd = open(wlf, "r")
+        except:
+            print translate.red.format("Unable to open wl file '"+wlf+"'")
+            sys.exit(-1)
+        for wl in wlfd:
+            [res, esq] = translate.wl2esq(wl)
+            if res is True:
+                count = 0
+                while True:
+                    x = translate.tag_events(esq, "Whitelisted", tag=options.tag)
+                    count += x
+                    if x == 0:
+                        break
+
+        print translate.grn.format(str(count)) + " items tagged ..."
+        count = 0
+    sys.exit(0)
+
+if options.ips is not None:
+    ip_files = []
+    ip_files.extend(glob.glob(options.ips))
+    tpl = {}
+    count = 0
+#    esq = translate.tpl2esq(cfg.cfg["global_filters"])
+
+    for wlf in ip_files:
+        try:
+            wlfd = open(wlf, "r")
+        except:
+            print "Unable to open ip file '"+wlf+"'"
+            sys.exit(-1)
+        for wl in wlfd:
+            print "=>"+wl
+            tpl["ip"] = wl.strip('\n')
+            esq = translate.tpl2esq(tpl)
+            pprint.pprint(esq)
+            pprint.pprint(tpl)
+            count += translate.tag_events(esq, "BadIPS", tag=options.tag)
+        print translate.grn.format(str(count)) + " items to be tagged ..."
+        count = 0
+    sys.exit(0)
+
+# statistics
+if options.stats is True:
+    print translate.red.format("# Whitelist(ing) ratio :")
+    translate.fetch_top(cfg.cfg["global_filters"], "whitelisted", limit=2)
+    print translate.red.format("# Top servers :")
+    for e in translate.fetch_top(cfg.cfg["global_filters"], "server", limit=10):
+        try:
+            list_e = e.split()
+            print '# {0} {1} {2}{3}'.format(translate.grn.format(list_e[0]), list_e[1], list_e[2], list_e[3])
+        except:
+            print "--malformed--"
+    print translate.red.format("# Top URI(s) :")
+    for e in translate.fetch_top(cfg.cfg["global_filters"], "uri", limit=10):
+        try:
+            list_e = e.split()
+            print '# {0} {1} {2}{3}'.format(translate.grn.format(list_e[0]), list_e[1], list_e[2], list_e[3])
+        except:
+            print "--malformed--"
+    print translate.red.format("# Top Zone(s) :")
+    for e in translate.fetch_top(cfg.cfg["global_filters"], "zone", limit=10):
+        try:
+            list_e = e.split()
+            print '# {0} {1} {2}{3}'.format(translate.grn.format(list_e[0]), list_e[1], list_e[2], list_e[3])
+        except:
+            print "--malformed--"
+    print translate.red.format("# Top Peer(s) :")
+    for e in translate.fetch_top(cfg.cfg["global_filters"], "ip", limit=10):
+        try:
+            list_e = e.split()
+            print '# {0} {1} {2}{3}'.format(translate.grn.format(list_e[0]), list_e[1], list_e[2], list_e[3])
+        except:
+            print "--malformed--"
+    sys.exit(0)
+
+
+def write_generated_wl(filename, results):
+
+    with open('/tmp/{0}'.format(filename), 'w') as wl_file:
+        for result in results:
+            for key, items in result.iteritems():
+                if items:
+                    print "{} {}".format(key, items)
+                    if key == 'genrule':
+                        wl_file.write("# {}\n{}\n".format(key, items))
+                    else:
+                        wl_file.write("# {} {}\n".format(key, items))
+        wl_file.flush()
+
+def ask_user_for_server_selection(editor, welcome_sentences, selection):
+    with tempfile.NamedTemporaryFile(suffix='.tmp') as temporary_file:
+        top_selection = translate.fetch_top(cfg.cfg["global_filters"],
+                            selection,
+                            limit=10
+                        )
+        temporary_file.write(welcome_sentences)
+        for line in top_selection:
+            temporary_file.write('{0}\n'.format(line))
+        temporary_file.flush()
+        subprocess.call([editor, temporary_file.name])
+        temporary_file.seek(len(welcome_sentences))
+        ret = []
+        for line in temporary_file:
+            if not line.startswith('#'):
+                ret.append(line.strip().split()[0])
+    return ret
+
+def ask_user_for_selection(editor, welcome_sentences, selection, servers):
+    regex_message = "# as in the --filter option you can add ? for regex\n"
+    ret = {}
+    for server in servers:
+        server_reminder = "server: {0}\n\n".format(server)
+        ret[server] = []
+        with tempfile.NamedTemporaryFile(suffix='.tmp') as temporary_file:
+            temporary_file.write(welcome_sentences + regex_message + server_reminder)
+            cfg.cfg["global_filters"]["server"] = server
+            top_selection = translate.fetch_top(cfg.cfg["global_filters"],
+                                selection,
+                                limit=10
+                            )
+            for line in top_selection:
+                temporary_file.write('{0} {1}\n'.format(selection, line))
+            temporary_file.flush()
+            subprocess.call([editor, temporary_file.name])
+            temporary_file.seek(len(welcome_sentences) + len(server_reminder) + len(regex_message))
+            for line in temporary_file:
+                if not line.startswith('#'):
+                    res = line.strip().split()
+                    ret[server].append((res[0], res[1]))
+    return ret
+
+def generate_wl(selection_dict):
+    for key, items in selection_dict.iteritems():
+        if not items:
+            return False
+        global_filters_context = cfg.cfg["global_filters"]
+        global_filters_context["server"] = key
+        for idx, (selection, item) in enumerate(items):
+           global_filters_context[selection] = item
+           translate.cfg["global_filters"] = global_filters_context
+           print 'generating wl with filters {0}'.format(global_filters_context)
+           wl_dict_list = []
+           res = translate.full_auto(wl_dict_list)
+           del global_filters_context[selection]
+           write_generated_wl(
+               "server_{0}_{1}.wl".format(
+                                    key,
+                                    idx if (selection == "uri") else "zone_{0}".format(item),
+                                ),
+               wl_dict_list
+           )
+
+if options.int_gen is True:
+    editor = os.environ.get('EDITOR', 'vi')
+
+    welcome_sentences = '{0}\n{1}\n'.format(
+        '# all deleted line or starting with a # will be ignore',
+        '# if you want to use slack option you have to specify it on the command line options'
+    )
+
+    servers = ask_user_for_server_selection(editor, welcome_sentences, "server")
+
+    uris = ask_user_for_selection(editor, welcome_sentences, "uri", servers)
+    zones = ask_user_for_selection(editor, welcome_sentences, "zone", servers)
+
+    if uris:
+        generate_wl(uris)
+    if zones:
+        generate_wl(zones)
+    # in case the user let uri and zone files empty generate wl for all
+    # selected server(s)
+    if not uris and not zones:
+        for server in servers:
+            translate.cfg["global_filters"]["server"] = server
+            print 'generating with filters: {0}'.format(translate.cfg["global_filters"])
+            res = translate.full_auto()
+            writing_generated_wl("server_{0}.wl".format(server), res)
+
+    sys.exit(0)
+
+# input options, only setup injector if one input option is present
+if options.files_in is not None or options.fifo_in is not None or options.stdin is not None or options.syslog_in is not None:
+    if options.fifo_in is not None or options.syslog_in is not None:
+        injector = ESInject(es, cfg.cfg, auto_commit_limit=1)
+    else:
+        injector = ESInject(es, cfg.cfg)
+    parser = NxParser()
+    offset = time.timezone if (time.localtime().tm_isdst == 0) else time.altzone
+    offset = offset / 60 / 60 * -1
+    if offset < 0:
+        offset = str(-offset)
+    else:
+        offset = str(offset)
+    offset = offset.zfill(2)
+    parser.out_date_format = "%Y-%m-%dT%H:%M:%S+"+offset #ES-friendly
+    try:
+        geoloc = NxGeoLoc(cfg.cfg)
+    except:
+        print "Unable to get GeoIP"
+
+if options.files_in is not None:
+    reader = NxReader(macquire, lglob=[options.files_in])
+    reader.read_files()
+    injector.stop()
+    sys.exit(0)
+
+if options.fifo_in is not None:
+    fd = open_fifo(options.fifo_in)
+    if options.infinite_flag is True:
+        reader = NxReader(macquire, fd=fd, stdin_timeout=None)
+    else:
+        reader = NxReader(macquire, fd=fd)
+    while True:
+        print "start-",
+        if reader.read_files() == False:
+            break
+        print "stop"
+    print 'End of fifo input...'
+    injector.stop()
+    sys.exit(0)
+
+if options.syslog_in is not None:
+    sysloghost = cfg.cfg["syslogd"]["host"]
+    syslogport = cfg.cfg["syslogd"]["port"]
+    while 1:
+      reader = NxReader(macquire, syslog=True, syslogport=syslogport, sysloghost=sysloghost)
+      reader.read_files()
+    injector.stop()
+    sys.exit(0)
+
+if options.stdin is True:
+    if options.infinite_flag:
+        reader = NxReader(macquire, lglob=[], fd=sys.stdin, stdin_timeout=None)
+    else:
+        reader = NxReader(macquire, lglob=[], fd=sys.stdin)
+    while True:
+        print "start-",
+        if reader.read_files() == False:
+            break
+        print "stop"
+    print 'End of stdin input...'
+    injector.stop()
+    sys.exit(0)
+
+opt.print_help()
+sys.exit(0)