Merge pull request #69 from KasperskyLab/dev

Correcting issue with certificates detection
Félix Aimé 2021-04-25 11:09:58 +02:00 committed by GitHub
commit f00a6d67b9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 79 additions and 27 deletions


@ -34,6 +34,22 @@ class ZeekEngine(object):
self.active_analysis = get_config(("analysis", "active")) self.active_analysis = get_config(("analysis", "active"))
self.userlang = get_config(("frontend", "user_lang")) self.userlang = get_config(("frontend", "user_lang"))
# Retreive IOCs.
if self.iocs_analysis:
self.bl_cidrs = [[IPNetwork(cidr[0]), cidr[1]]
for cidr in get_iocs("cidr")]
self.bl_hosts = get_iocs("ip4addr") + get_iocs("ip6addr")
self.bl_domains = get_iocs("domain")
self.bl_freedns = get_iocs("freedns")
self.bl_nameservers = get_iocs("ns")
self.bl_tlds = get_iocs("tld")
# Retreive whitelisted items.
if self.whitelist_analysis:
self.wl_cidrs = [IPNetwork(cidr) for cidr in get_whitelist("cidr")]
self.wl_hosts = get_whitelist("ip4addr") + get_whitelist("ip6addr")
self.wl_domains = get_whitelist("domain")
# Load template language # Load template language
if not re.match("^[a-z]{2,3}$", self.userlang): if not re.match("^[a-z]{2,3}$", self.userlang):
self.userlang = "en" self.userlang = "en"
@ -84,21 +100,17 @@ class ZeekEngine(object):
# Check for whitelisted assets, if any, delete the record. # Check for whitelisted assets, if any, delete the record.
if self.whitelist_analysis: if self.whitelist_analysis:
wl_cidrs = [IPNetwork(cidr) for cidr in get_whitelist("cidr")]
wl_hosts = get_whitelist("ip4addr") + get_whitelist("ip6addr")
wl_domains = get_whitelist("domain")
for i, c in enumerate(self.conns): for i, c in enumerate(self.conns):
if c["ip_dst"] in [ip for ip in wl_hosts]: if c["ip_dst"] in [ip for ip in self.wl_hosts]:
self.whitelist.append(self.conns[i]) self.whitelist.append(self.conns[i])
self.conns[i] = False self.conns[i] = False
elif c["resolution"] in wl_domains: elif c["resolution"] in self.wl_domains:
self.whitelist.append(self.conns[i]) self.whitelist.append(self.conns[i])
self.conns[i] = False self.conns[i] = False
elif True in [c["resolution"].endswith("." + dom) for dom in wl_domains]: elif True in [c["resolution"].endswith("." + dom) for dom in self.wl_domains]:
self.whitelist.append(self.conns[i]) self.whitelist.append(self.conns[i])
self.conns[i] = False self.conns[i] = False
elif True in [IPAddress(c["ip_dst"]) in cidr for cidr in wl_cidrs]: elif True in [IPAddress(c["ip_dst"]) in cidr for cidr in self.wl_cidrs]:
self.whitelist.append(self.conns[i]) self.whitelist.append(self.conns[i])
self.conns[i] = False self.conns[i] = False
@ -151,17 +163,9 @@ class ZeekEngine(object):
if self.iocs_analysis: if self.iocs_analysis:
bl_cidrs = [[IPNetwork(cidr[0]), cidr[1]]
for cidr in get_iocs("cidr")]
bl_hosts = get_iocs("ip4addr") + get_iocs("ip6addr")
bl_domains = get_iocs("domain")
bl_freedns = get_iocs("freedns")
bl_nameservers = get_iocs("ns")
bl_tlds = get_iocs("tld")
for c in self.conns: for c in self.conns:
# Check for blacklisted IP address. # Check for blacklisted IP address.
for host in bl_hosts: for host in self.bl_hosts:
if c["ip_dst"] == host[0]: if c["ip_dst"] == host[0]:
c["alert_tiggered"] = True c["alert_tiggered"] = True
self.alerts.append({"title": self.template["IOC-01"]["title"].format(c["resolution"], c["ip_dst"], host[1].upper()), self.alerts.append({"title": self.template["IOC-01"]["title"].format(c["resolution"], c["ip_dst"], host[1].upper()),
@ -171,7 +175,7 @@ class ZeekEngine(object):
"id": "IOC-01"}) "id": "IOC-01"})
break break
# Check for blacklisted CIDR. # Check for blacklisted CIDR.
for cidr in bl_cidrs: for cidr in self.bl_cidrs:
if IPAddress(c["ip_dst"]) in cidr[0]: if IPAddress(c["ip_dst"]) in cidr[0]:
c["alert_tiggered"] = True c["alert_tiggered"] = True
self.alerts.append({"title": self.template["IOC-02"]["title"].format(c["resolution"], cidr[0], cidr[1].upper()), self.alerts.append({"title": self.template["IOC-02"]["title"].format(c["resolution"], cidr[0], cidr[1].upper()),
@ -180,7 +184,7 @@ class ZeekEngine(object):
"level": "Moderate", "level": "Moderate",
"id": "IOC-02"}) "id": "IOC-02"})
# Check for blacklisted domain. # Check for blacklisted domain.
for domain in bl_domains: for domain in self.bl_domains:
if c["resolution"].endswith(domain[0]): if c["resolution"].endswith(domain[0]):
if domain[1] != "tracker": if domain[1] != "tracker":
c["alert_tiggered"] = True c["alert_tiggered"] = True
@ -197,7 +201,7 @@ class ZeekEngine(object):
"level": "Moderate", "level": "Moderate",
"id": "IOC-04"}) "id": "IOC-04"})
# Check for blacklisted FreeDNS. # Check for blacklisted FreeDNS.
for domain in bl_freedns: for domain in self.bl_freedns:
if c["resolution"].endswith("." + domain[0]): if c["resolution"].endswith("." + domain[0]):
c["alert_tiggered"] = True c["alert_tiggered"] = True
self.alerts.append({"title": self.template["IOC-05"]["title"].format(c["resolution"]), self.alerts.append({"title": self.template["IOC-05"]["title"].format(c["resolution"]),
@ -207,7 +211,7 @@ class ZeekEngine(object):
"id": "IOC-05"}) "id": "IOC-05"})
# Check for suspect tlds. # Check for suspect tlds.
for tld in bl_tlds: for tld in self.bl_tlds:
if c["resolution"].endswith(tld[0]): if c["resolution"].endswith(tld[0]):
c["alert_tiggered"] = True c["alert_tiggered"] = True
self.alerts.append({"title": self.template["IOC-06"]["title"].format(c["resolution"]), self.alerts.append({"title": self.template["IOC-06"]["title"].format(c["resolution"]),
@ -220,7 +224,7 @@ class ZeekEngine(object):
try: # Domain nameservers check. try: # Domain nameservers check.
name_servers = pydig.query(c["resolution"], "NS") name_servers = pydig.query(c["resolution"], "NS")
if len(name_servers): if len(name_servers):
for ns in bl_nameservers: for ns in self.bl_nameservers:
if name_servers[0].endswith(".{}.".format(ns[0])): if name_servers[0].endswith(".{}.".format(ns[0])):
c["alert_tiggered"] = True c["alert_tiggered"] = True
self.alerts.append({"title": self.template["ACT-01"]["title"].format(c["resolution"], name_servers[0]), self.alerts.append({"title": self.template["ACT-01"]["title"].format(c["resolution"], name_servers[0]),
@ -287,6 +291,7 @@ class ZeekEngine(object):
* SSL connections which doesn't use the 443. * SSL connections which doesn't use the 443.
* "Free" certificate issuer (taken from the config). * "Free" certificate issuer (taken from the config).
* Self-signed certificates. * Self-signed certificates.
* Blacklisted domain in the CN
:return: nothing - all stuff appended to self.alerts :return: nothing - all stuff appended to self.alerts
""" """
ssl_default_ports = get_config(("analysis", "ssl_default_ports")) ssl_default_ports = get_config(("analysis", "ssl_default_ports"))
@ -297,8 +302,9 @@ class ZeekEngine(object):
if record is not None: if record is not None:
c = {"host": record['id.resp_h'], c = {"host": record['id.resp_h'],
"port": record['id.resp_p'], "port": record['id.resp_p'],
"issuer": record["issuer"], "issuer": record["issuer"] if "issuer" in record else "",
"validation_status": record["validation_status"]} "validation_status": record["validation_status"],
"cn": record["server_name"] if "server_name" in record else ""}
if c not in self.ssl: if c not in self.ssl:
self.ssl.append(c) self.ssl.append(c)
@ -334,6 +340,20 @@ class ZeekEngine(object):
"level": "Moderate", "level": "Moderate",
"id": "SSL-03"}) "id": "SSL-03"})
if self.iocs_analysis:
for cert in self.ssl:
# Check if the domain in the certificate haven't been blacklisted
# This check can be good if the domain has already been cached by
# the device so it wont appear in self.dns.
for domain in self.bl_domains:
if domain[1] != "tracker":
if cert["cn"].endswith(domain[0]):
self.alerts.append({"title": self.template["SSL-04"]["title"].format(domain[0], domain[1].upper()),
"description": self.template["SSL-04"]["description"].format(domain[0]),
"host": domain[0],
"level": "High",
"id": "SSL-04"})
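Review bot: The value stored under `"cn"` is `record["server_name"]`, which in Zeek's ssl.log is the client-sent SNI, not the certificate's subject CN, so the SSL-04 title and description ("a certificate contains the domain name") overstate the evidence: SNI is unauthenticated cleartext chosen by the client and says nothing about what the server certificate contains, although it is still a sound indicator that the device tried to reach the blacklisted name. The match on the new lines is an unanchored suffix test, `cert["cn"].endswith(domain[0])`, so an IOC of `evil.com` also fires on `notevil.com`; anchoring it as `if cert["cn"] == domain[0] or cert["cn"].endswith("." + domain[0]):` (the form already used for the FreeDNS check above) avoids that, and an empty IOC entry would otherwise match every record. The alert's `"host"` is set to `domain[0]` rather than the observed peer, so the per-host aggregation in alerts_check cannot attribute it to the server actually contacted; `"host": cert["host"],` keeps the IOC in the title while pointing the advice at the real endpoint. Note also that `record["validation_status"]` is still read unguarded while `issuer` and `server_name` now have presence checks, so a record missing that field would raise KeyError; the enclosing ssl_check method starts before this hunk.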
def alerts_check(self): def alerts_check(self):
""" """
Leverage an advice to the user based on the trigered hosts Leverage an advice to the user based on the trigered hosts


@ -68,6 +68,10 @@
"title": "El certificat associat a {} és autosignat.", "title": "El certificat associat a {} és autosignat.",
"description": "L'ús de certificats autosignats és un element comú en infrastructures utilitzades per atacants. Recomanem comprovar el host {} que està associat a aquest certificat, especialment el seu nom de domini (en cas d'existir), el seu registre WHOIS, la seva data de creació i verificant la seva reputació a Internet. " "description": "L'ús de certificats autosignats és un element comú en infrastructures utilitzades per atacants. Recomanem comprovar el host {} que està associat a aquest certificat, especialment el seu nom de domini (en cas d'existir), el seu registre WHOIS, la seva data de creació i verificant la seva reputació a Internet. "
}, },
"SSL-04": {
"title": "Un certificat conté el nom de domini {}, classificat com a {}",
"description": "Un dels certificats intercanviats conté el nom de domini {}. Aquest nom de domini sha classificat explícitament com a maliciós. El vostre dispositiu està compromès i hauria de ser investigat amb més detall per un equip professional."
},
"ADV-01": { "ADV-01": {
"title": "Comprovi les alertes per {}", "title": "Comprovi les alertes per {}",
"description": "Si us plau, verifiqui la reputació del sistema {}, ja que sembla ser maliciós per aparèixer en {} alertes durant la sessió." "description": "Si us plau, verifiqui la reputació del sistema {}, ja que sembla ser maliciós per aparèixer en {} alertes durant la sessió."


@ -68,6 +68,10 @@
"title": "Das mit {} verknüpfte Zertifikat ist selbstsigniert.", "title": "Das mit {} verknüpfte Zertifikat ist selbstsigniert.",
"description": "Die Verwendung von selbstsignierten Zertifikaten ist in der Infrastruktur von Angreifern weit verbreitet. Wir empfehlen, den mit diesem Zertifikat verknüpften Host {} zu überprüfen. Sehen Sie sich dazu seinen Domain-Namen (falls vorhanden), den WHOIS-Eintrag und das Erstellungsdatum an und überprüfen Sie die Reputation des Hosts im Internet." "description": "Die Verwendung von selbstsignierten Zertifikaten ist in der Infrastruktur von Angreifern weit verbreitet. Wir empfehlen, den mit diesem Zertifikat verknüpften Host {} zu überprüfen. Sehen Sie sich dazu seinen Domain-Namen (falls vorhanden), den WHOIS-Eintrag und das Erstellungsdatum an und überprüfen Sie die Reputation des Hosts im Internet."
}, },
"SSL-04": {
"title": "Ein Zertifikat enthält den Domainnamen {}, der als {} kategorisiert ist",
"description": "Eines der ausgetauschten Zertifikate enthält den Domainnamen {}. Dieser Domainname wurde explizit als bösartig eingestuft. Ihr Gerät ist sicherlich kompromittiert und sollte von einem professionellen Team genauer untersucht werden."
},
"ADV-01": { "ADV-01": {
"title": "Überprüfen Sie die Warnungen für {}", "title": "Überprüfen Sie die Warnungen für {}",
"description": "Bitte überprüfen Sie die Reputation des Hosts {}. Dieser scheint bösartig zu sein, da er während der Sitzung {} Warnungen verursacht hat." "description": "Bitte überprüfen Sie die Reputation des Hosts {}. Dieser scheint bösartig zu sein, da er während der Sitzung {} Warnungen verursacht hat."


@ -68,6 +68,10 @@
"title": "The certificate associated to {} is self-signed.", "title": "The certificate associated to {} is self-signed.",
"description": "The use of self-signed certificates is a common thing for attacker infrastructure. We recommend to check the host {} which is associated to this certificate, by looking at the domain name (if any), its WHOIS record, its creation date, and by checking its reputation on the internet." "description": "The use of self-signed certificates is a common thing for attacker infrastructure. We recommend to check the host {} which is associated to this certificate, by looking at the domain name (if any), its WHOIS record, its creation date, and by checking its reputation on the internet."
}, },
"SSL-04": {
"title": "A certificate contains the domain name {}, categorized as {}",
"description": "One of the certificates exchanged contains the domain name {}. This domain name has been explicitly classified as malicious. Your device is definitely compromised and should be investigated further by a professional team."
},
"ADV-01": { "ADV-01": {
"title": "Check the alerts for {}", "title": "Check the alerts for {}",
"description": "Please, check the reputation of the host {}, this one seems to be malicious as it leveraged {} alerts during the session." "description": "Please, check the reputation of the host {}, this one seems to be malicious as it leveraged {} alerts during the session."


@ -68,6 +68,10 @@
"title": "El certificado asociado a {} es autofirmado.", "title": "El certificado asociado a {} es autofirmado.",
"description": "El uso de certificados autofirmados es un elemento común en infraestructuras utilizadas por atacantes. Recomendamos comprobar el host {} que está asociado a este certificado, especialmente su nombre de dominio (en caso de existir), su registro WHOIS, su fecha de creación y verificando su reputación en Internet." "description": "El uso de certificados autofirmados es un elemento común en infraestructuras utilizadas por atacantes. Recomendamos comprobar el host {} que está asociado a este certificado, especialmente su nombre de dominio (en caso de existir), su registro WHOIS, su fecha de creación y verificando su reputación en Internet."
}, },
"SSL-04": {
"title": "Un certificado contiene el nombre de dominio {}, categorizado como {}",
"description": "Uno de los certificados intercambiados contiene el nombre de dominio {}. Este nombre de dominio se ha clasificado explícitamente como malicioso. Su dispositivo está definitivamente comprometido y debe ser investigado más a fondo por un equipo profesional."
},
"ADV-01": { "ADV-01": {
"title": "Compruebe las alertas para {}", "title": "Compruebe las alertas para {}",
"description": "Por favor, verifique la reputación del host {}, ya que parece ser malicioso por aparecer en {} alertas durante la sesión." "description": "Por favor, verifique la reputación del host {}, ya que parece ser malicioso por aparecer en {} alertas durante la sesión."


@ -68,6 +68,10 @@
"title": "Le certificat associé à {} est auto-signé.", "title": "Le certificat associé à {} est auto-signé.",
"description": "L'utilisation de certificats auto-signés est une chose courante pour des infrastructures d'attaque associées à des activités malveillantes. Nous vous recommandons de vérifier le serveur {} qui est associé à ce certificat, en regardant le nom de domaine (le cas échéant), son enregistrement WHOIS, sa date de création, et en vérifiant sa réputation sur Internet." "description": "L'utilisation de certificats auto-signés est une chose courante pour des infrastructures d'attaque associées à des activités malveillantes. Nous vous recommandons de vérifier le serveur {} qui est associé à ce certificat, en regardant le nom de domaine (le cas échéant), son enregistrement WHOIS, sa date de création, et en vérifiant sa réputation sur Internet."
}, },
"SSL-04": {
"title": "Un certificat contient le nom de domaine {}, catégorisé en tant que {}",
"description": "Un des certificats échangés contient le nom de domaine {}. Ce nom de domaine a été explicitement catégorisé en tant que malveillant. Votre appareil est sûrement compromis et doit être investigué plus en détails par une équipe professionnelle."
},
"ADV-01": { "ADV-01": {
"title": "Vérifiez les alertes liées au serveur {}", "title": "Vérifiez les alertes liées au serveur {}",
"description": "Merci de vérifier la réputation et les alertes liées au serveur {}, ce dernier semble malveillant, ayant engendré {} alertes durant la session de capture." "description": "Merci de vérifier la réputation et les alertes liées au serveur {}, ce dernier semble malveillant, ayant engendré {} alertes durant la session de capture."


@ -68,6 +68,10 @@
"title": "Il certificato associato a {} è autofirmato.", "title": "Il certificato associato a {} è autofirmato.",
"description": "L'utilizzo di certificati autofirmati è una consuetudine per l'infrastruttura degli autori degli attacchi. È consigliabile controllare l'host {} associato a questo certificato, prestando attenzione all'eventuale nome di dominio, al record WHOIS e alla data di creazione, nonché verificandone la reputazione in Internet." "description": "L'utilizzo di certificati autofirmati è una consuetudine per l'infrastruttura degli autori degli attacchi. È consigliabile controllare l'host {} associato a questo certificato, prestando attenzione all'eventuale nome di dominio, al record WHOIS e alla data di creazione, nonché verificandone la reputazione in Internet."
}, },
"SSL-04": {
"title": "Un certificato contiene il nome di dominio {}, classificato come {}",
"description": "Uno dei certificati scambiati contiene il nome di dominio {}. Questo nome di dominio è stato esplicitamente classificato come dannoso. Il tuo dispositivo è decisamente compromesso e dovrebbe essere esaminato ulteriormente da un team di professionisti."
},
"ADV-01": { "ADV-01": {
"title": "Controllare gli avvisi per {}", "title": "Controllare gli avvisi per {}",
"description": "Controllare la reputazione dell'host {}, che sembra di natura dannosa poiché ha sfruttato {} avvisi durante la sessione." "description": "Controllare la reputazione dell'host {}, che sembra di natura dannosa poiché ha sfruttato {} avvisi durante la sessione."


@ -68,6 +68,10 @@
"title": "O certificado associado a {} é autoassinado.", "title": "O certificado associado a {} é autoassinado.",
"description": "O uso de certificados autoassinados é comum na infraestrutura de invasores. É recomendável analisar o host {} que está associado a esse certificado verificando o nome e o registro de domínio (se houver), a data de criação e sua reputação na internet." "description": "O uso de certificados autoassinados é comum na infraestrutura de invasores. É recomendável analisar o host {} que está associado a esse certificado verificando o nome e o registro de domínio (se houver), a data de criação e sua reputação na internet."
}, },
"SSL-04": {
"title": "Um certificado contém o nome de domínio {}, categorizado como {}",
"description": "Um dos certificados trocados contém o nome de domínio {}. Este nome de domínio foi explicitamente classificado como malicioso. Seu dispositivo está definitivamente comprometido e deve ser investigado por uma equipe profissional."
},
"ADV-01": { "ADV-01": {
"title": "Verifique os alertas para {}", "title": "Verifique os alertas para {}",
"description": "Verifique a reputação do host {}, este parece ser malicioso, pois acionou alertas para {} durante a sessão." "description": "Verifique a reputação do host {}, este parece ser malicioso, pois acionou alertas para {} durante a sessão."


@ -68,6 +68,10 @@
"title": "Сертификат, связанный с {}, является самоподписанным.", "title": "Сертификат, связанный с {}, является самоподписанным.",
"description": "Использование самоподписанных сертификатов типично для инфраструктуры злоумышленников. Рекомендуется проверить устройство {}, связанное с этим сертификатом, изучив его доменное имя (если имеется), запись WHOIS, дату создания и репутацию в интернете." "description": "Использование самоподписанных сертификатов типично для инфраструктуры злоумышленников. Рекомендуется проверить устройство {}, связанное с этим сертификатом, изучив его доменное имя (если имеется), запись WHOIS, дату создания и репутацию в интернете."
}, },
"SSL-04": {
"title": "Сертификат содержит доменное имя {}, относящееся к категории {}",
"description": "Один из обмениваемых сертификатов содержит доменное имя {}. Это доменное имя явно классифицировано как вредоносное. Ваше устройство определенно взломано и должно быть исследовано профессиональной группой."
},
"ADV-01": { "ADV-01": {
"title": "Проверьте предупреждения для {}", "title": "Проверьте предупреждения для {}",
"description": "Проверьте репутацию устройства {}. Оно кажется вредоносным, поскольку для него сработало {} предупрежд. во время сеанса." "description": "Проверьте репутацию устройства {}. Оно кажется вредоносным, поскольку для него сработало {} предупрежд. во время сеанса."