antfarm 0.3.0 → 0.4.0

data/lib/scripts/cisco/parse-pix-config.rb

@@ -97,20 +97,13 @@ def parse(file)
 #      end
 #    end
   end
-
   list.close
 
-  node = Node.create(:certainty_factor => 0.75, :name => hostname, :device_type => "FW") if hostname
-
   fw_if_ips.uniq!
   fw_if_ips.each do |address|
     ip_if = IpInterface.new :address => address
-    if node
-      ip_if.node = node
-    else
-      ip_if.node_device_type = "FW"
-    end
-    
+    ip_if.node_name = hostname
+    ip_if.node_device_type = 'FW'
     unless ip_if.save
       ip_if.errors.each_full do |msg|
         puts msg
@@ -121,8 +114,7 @@ def parse(file)
   net_obj_ips.uniq!
   net_obj_ips.each do |address|
     ip_if = IpInterface.new :address => address
-    ip_if.node_device_type = "FWGRP"
-    
+    ip_if.node_device_type = 'FW NW OBJECT'
     unless ip_if.save
       ip_if.errors.each_full do |msg|
         puts msg
@@ -133,7 +125,6 @@ def parse(file)
   net_obj_networks.uniq!
   net_obj_networks.each do |network|
     ip_net = IpNetwork.new :address => network
-    
     unless ip_net.save
       ip_net.errors.each_full do |msg|
         puts msg
@@ -223,14 +214,14 @@ def parse_tunnels(file)
         target_ip_if = IpInterface.find_by_address(addr)
 
         if target_ip_if
-          Traffic.create(:source_layer3_interface => source_ip_if.layer3_interface, :target_layer3_interface => target_ip_if.layer3_interface, :type => "Tunnel")
+          Traffic.create(:source_layer3_interface => source_ip_if.layer3_interface, :target_layer3_interface => target_ip_if.layer3_interface, :description => 'TUNNEL')
         end
       end
     end
   end
 end
 
-if ARGV[0] == '--help'
+if ['-h', '--help'].include?(ARGV[0])
   print_help
 else
   if ARGV.include?('-t')

data/lib/scripts/manipulate-dns.rb

@@ -0,0 +1,87 @@
+#!/usr/bin/ruby
+
+# Copyright (2008) Sandia Corporation.
+# Under the terms of Contract DE-AC04-94AL85000 with Sandia Corporation,
+# the U.S. Government retains certain rights in this software.
+#
+# Original Author: Michael Berg, Sandia National Laboratories <mjberg@sandia.gov>
+# Modified By: Bryan T. Richardson, Sandia National Laboratories <btricha@sandia.gov>
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or (at
+# your option) any later version.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, write to the Free Software Foundation, Inc.,
+# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
+
+def print_help
+  puts "Usage: antfarm [options] manipulate-dns [options]"
+  puts
+  puts "Script Options:"
+  puts "  --merge-entries    Find duplicate entries in the table and merge them"
+  puts "  --name-nodes       Set node names using DNS entries"
+  puts "  --merge-nodes      Find entries with the same hostname but different IP"
+  puts "                     addresses and merge the nodes for those interfaces"
+end
+
+def merge_entries
+  entries = DnsEntry.find(:all)
+  while !entries.empty?
+    entry = entries.shift
+    entries.each do |e|
+      e.destroy if entry.address == e.address && entry.hostname == e.hostname
+      entries.delete(e)
+    end
+  end
+end
+
+def name_nodes
+  entries = DnsEntry.find(:all)
+  entries.each do |entry|
+    iface = IpInterface.find :first, :conditions => { :address => entry.address }
+    if iface
+      node = iface.layer3_interface.layer2_interface.node
+      node.name = entry.hostname unless node.nil?
+      node.save false
+    end
+  end
+end
+
+def merge_nodes
+  entries = DnsEntry.find(:all)
+  while !entries.empty?
+    entry = entries.shift
+    entries.each do |e|
+      if entry.hostname == e.hostname
+        iface0 = IpInterface.find :first, :conditions => { :address => entry.address }
+        iface1 = IpInterface.find :first, :conditions => { :address => e.address }
+        l2_iface = iface1.layer3_interface.layer2_interface
+        l2_iface.node.destroy
+        l2_iface.node = iface0.layer3_interface.layer2_interface.node
+        l2_iface.save false
+        entries.delete(e)
+      end
+    end
+  end
+end
+
+if ['-h', '--help'].include?(ARGV[0])
+  print_help
+else
+  if ARGV.include?('--merge-entries')
+    merge_entries
+  end
+  if ARGV.include?('--name-nodes')
+    name_nodes
+  end
+  if ARGV.include?('--merge-nodes')
+    merge_nodes
+  end
+end

data/lib/scripts/nmap/parse-xml.rb

@@ -0,0 +1,147 @@
+#!/usr/bin/env ruby
+
+# Copyright (2008) Sandia Corporation.
+# Under the terms of Contract DE-AC04-94AL85000 with Sandia Corporation,
+# the U.S. Government retains certain rights in this software.
+#
+# Original Author: Michael Berg, Sandia National Laboratories <mjberg@sandia.gov>
+# Modified By: Bryan T. Richardson, Sandia National Laboratories <btricha@sandia.gov>
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or (at
+# your option) any later version.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, write to the Free Software Foundation, Inc.,
+# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
+
+def print_help
+  puts "Usage: antfarm [options] nmap [options] parse-xml [directories ...] [files ...]"
+  puts
+  puts "This script parses one or more Nmap xml-formatted output files and creates"
+  puts "an IP Interface object for each host detected."
+end
+
+def string_to_portlist(string)
+  result = Array.new
+  ranges = string.split(',')
+  ranges.each do |range|
+    (start, stop) = range.split('-')
+    unless stop
+      stop = start
+    end
+    for i in (start.to_i)..(stop.to_i)
+      result.push(i)
+    end
+  end
+  result.sort!
+  result.uniq!
+  result.flatten!
+  return result
+end
+
+def parse(file)
+  puts file
+  results = REXML::Document.new(File.new(file))
+  results.elements.each('nmaprun') do |scan|
+    action = Action.new
+    action.tool        = scan.attributes['scanner']
+    action.description = scan.attributes['args']
+    action.start       = scan.attributes['startstr']
+    action.end         = scan.elements['runstats/finished'].attributes['timestr']
+    action.save false
+    scanned_ports = Hash.new
+    scan.elements.each("scaninfo") do |info|
+      type = info.attributes["type"]
+      protocol = info.attributes["protocol"]
+      services = info.attributes["services"]
+      # Need to track this info since many ports are "scanned but not listed"
+      # in all of Nmap's available output formats.
+      scanned_ports[protocol] = string_to_portlist(services)
+    end
+    scan.elements.each('host') do |host|
+      host_state = host.elements['status'].attributes['state']
+      interface = IpInterface.create :address => host.elements['address'].attributes['addr']
+      host.elements.each('hostnames/hostname') do |hostname|
+        DnsEntry.create :address  => host.elements['address'].attributes['addr'],
+                        :hostname => hostname.attributes['name']
+      end
+      if host_state == 'up'
+        host_scanned_ports = scanned_ports.dup # does this create a separate hash?
+        host.elements.each("ports/port") do |port|
+          protocol = port.attributes["protocol"]
+          number = port.attributes["portid"].to_i
+          port_state = port.elements["state"].attributes["state"]
+
+          # This port was listed, so we don't need to handle it later
+          host_scanned_ports[protocol].delete(number)
+
+          # Only store service information for open ports
+          if port_state == 'open'
+            port_service = port.elements['service']
+            service = Service.new
+            service.node             = interface.layer3_interface.layer2_interface.node
+            service.action           = action
+            service.protocol         = protocol
+            service.port             = number
+            service.name             = port_service.attributes['name']
+            service.certainty_factor = 0.9 * ((port_service.attributes["conf"]).to_f / 10.0)
+            service.save false
+          end
+        end
+
+        # Handle extra ports that are "scanned but not listed" if state is open
+        if host.elements['ports/extraports'] && host.elements['ports/extraports'].attributes['state'] == 'open'
+          host_scanned_ports.each do |protocol,number|
+            service = Service.new
+            service.node             = interface.layer3_interface.layer2_interface.node
+            service.action           = action
+            service.protocol         = protocol
+            service.port             = number
+            service.certainty_factor = 0.9
+            service.save false
+          end 
+        end
+
+        if host.elements['os/osfingerprint']
+          os = OperatingSystem.new
+          os.node             = interface.layer3_interface.layer2_interface.node
+          os.action           = action
+          os.fingerprint      = host.elements['os/osfingerprint'].attributes['fingerprint']
+          os.certainty_factor = 0.9
+          os.save false
+        end
+
+        host.elements.each('trace/hop') do |hop|
+          IpInterface.create :address => hop.attributes['ipaddr']
+          if hop.attributes['host']
+            DnsEntry.create :address  => hop.attributes['ipaddr'],
+                            :hostname => hop.attributes['host']
+          end
+        end
+      end
+    end
+  end
+end
+
+if ['-h', '--help'].include?(ARGV[0])
+  print_help
+else
+  ARGV.each do |arg|
+    if File.directory?(arg)
+      Find.find(arg) do |path|
+        if File.file?(path)
+          parse(path)
+        end
+      end
+    else
+      parse(arg)
+    end
+  end
+end

data/lib/scripts/pcap/parse-pcap-file.rb

@@ -24,41 +24,103 @@
 require 'pcap'
 
 def print_help
-  puts "Usage: antfarm [options] pcap [options] parse-pcap-file <pcap file>"
+  puts "Usage: antfarm [options] pcap [options] parse-pcap-file [options] <pcap file>"
   puts
   puts "This script parses a libPcap file containing traffic capture data,"
   puts "creating an IP interface for each endpoint and a traffic object"
   puts "for the traffic between them.  Node device types are set to 'PCAP',"
   puts "as well as traffic descriptions."
+  puts 
+  puts "Script Options:"
+  puts "  --create-new-networks    Create new networks if networks containing the"
+  puts "                           source or destination address don't already exist."
 end
 
-def parse(file)
-  cap = Pcap::Capture.open_offline(ARGV[0])
+def parse(file, options = [])
+  cap = Pcap::Capture.open_offline(file)
   cap.each do |pkt|
     if pkt.ip?
-      source_ip_addr = pkt.src.to_num_s
-      target_ip_addr = pkt.dst.to_num_s
-
-      source_l3_net = Layer3Network.network_containing(source_ip_addr)
-      target_l3_net = Layer3Network.network_containing(target_ip_addr)
-
-      if source_l3_net && target_l3_net
-        puts "Added traffic -- #{source_ip_addr} ==> #{target_ip_addr}"
-
-        source_ip_iface = IpInterface.create :address => source_ip_addr, :layer3_network => source_l3_net, :node_device_type => "PCAP"
-        target_ip_iface = IpInterface.create :address => target_ip_addr, :layer3_network => target_l3_net, :node_device_type => "PCAP"
-
-        Traffic.create :source_layer3_interface => source_ip_iface.layer3_interface, \
-                       :target_layer3_interface => target_ip_iface.layer3_interface, \
-                       :description => "PCAP"
+      source_addr = pkt.src.to_num_s
+      target_addr = pkt.dst.to_num_s
+      if options.include?('--create-new-networks')
+        source_iface = IpInterface.find_or_initialize_by_address(source_addr)
+        if source_iface.new_record?
+          source_iface.node_name = source_addr
+          source_iface.node_device_type = 'PCAP'
+          source_iface.save false
+        end
+        target_iface = IpInterface.find_or_initialize_by_address(target_addr)
+        if target_iface.new_record?
+          target_iface.node_name = target_addr
+          target_iface.node_device_type = 'PCAP'
+          target_iface.save false
+        end
+        if pkt.tcp? || pkt.udp?
+          traffic = Traffic.first(:conditions => { :source_layer3_interface_id => source_iface.layer3_interface.id,
+                                                   :target_layer3_interface_id => target_iface.layer3_interface.id,
+                                                   :port => pkt.dport})
+        else
+          traffic = Traffic.first(:conditions => { :source_layer3_interface_id => source_iface.layer3_interface.id,
+                                                   :target_layer3_interface_id => target_iface.layer3_interface.id })
+        end
+        unless traffic
+          if pkt.tcp? || pkt.udp?
+            traffic = Traffic.create :source_layer3_interface => source_iface.layer3_interface,
+                                     :target_layer3_interface => target_iface.layer3_interface,
+                                     :port => pkt.dport,
+                                     :description => "PCAP"
+          else
+            traffic = Traffic.create :source_layer3_interface => source_iface.layer3_interface,
+                                     :target_layer3_interface => target_iface.layer3_interface,
+                                     :description => "PCAP"
+          end
+          puts "Added traffic -- #{source_addr} ==> #{target_addr}"
+        end
+      else
+        source_net = Layer3Network.network_containing(source_addr)
+        target_net = Layer3Network.network_containing(target_addr)
+        if source_net && target_net
+          source_iface = IpInterface.find_or_initialize_by_address(source_addr)
+          if source_iface.new_record?
+            source_iface.node_name = source_addr
+            source_iface.node_device_type = 'PCAP'
+            source_iface.save false
+          end
+          target_iface = IpInterface.find_or_initialize_by_address(target_addr)
+          if target_iface.new_record?
+            target_iface.node_name = target_addr
+            target_iface.node_device_type = 'PCAP'
+            target_iface.save false
+          end
+          if pkt.tcp? || pkt.udp?
+            traffic = Traffic.first(:conditions => { :source_layer3_interface_id => source_iface.layer3_interface.id,
+                                                     :target_layer3_interface_id => target_iface.layer3_interface.id,
+                                                     :port => pkt.dport})
+          else
+            traffic = Traffic.first(:conditions => { :source_layer3_interface_id => source_iface.layer3_interface.id,
+                                                     :target_layer3_interface_id => target_iface.layer3_interface.id })
+          end
+          unless traffic
+            if pkt.tcp? || pkt.udp?
+              traffic = Traffic.create :source_layer3_interface => source_iface.layer3_interface,
+                                       :target_layer3_interface => target_iface.layer3_interface,
+                                       :port => pkt.dport,
+                                       :description => "PCAP"
+            else
+              traffic = Traffic.create :source_layer3_interface => source_iface.layer3_interface,
+                                       :target_layer3_interface => target_iface.layer3_interface,
+                                       :description => "PCAP"
+            end
+            puts "Added traffic -- #{source_addr} ==> #{target_addr}"
+          end
+        end
       end
     end
   end
 end
 
-if ARGV.empty? || ARGV.length > 1 || ARGV[0] == '--help'
+if ['-h', '--help'].include?(ARGV[0])
   print_help
 else
-  parse(ARGV[0])
+  parse(ARGV.pop, ARGV)
 end
-

data/lib/scripts/viz/display-networks.rb

@@ -27,9 +27,12 @@ def print_help
   puts "This script utilizes the provided Prefuse-based Java application"
   puts "to display the networks contained in the current database."
   puts
+  puts "Script Options:"
+  puts "  --active    Rendered graph will be 'active' -- it will expand,"
+  puts "              move around, etc."
 end
 
-def display
+def display(options = [])
   output = File.open("#{Antfarm.tmp_dir_to_use}/network.gml", "w")
   output.puts "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
   output.puts "<graphml xmlns=\"http://graphml.graphdrawing.org/xmlns\">"
@@ -59,39 +62,27 @@ def display
       output.puts "    <edge source=\"node_#{node.id}\" target=\"network_#{l3_if.layer3_network.id}\" />"
     end
   end
-  node_list = Array.new
-  Traffic.find(:all).each do |traffic|
-    source_node = traffic.source_layer3_interface.layer2_interface.node
-    target_node = traffic.target_layer3_interface.layer2_interface.node
-    unless node_list.include?(source_node)
-      output.puts "    <node id=\"node_#{source_node.id}\">"
-      output.puts "      <data key=\"name\">#{source_node.name.nil? ? source_node.device_type : source_node.name}</data>"
-      output.puts "      <data key=\"type\">#{source_node.device_type}</data>"
-      output.puts "    </node>"
-    end
-    unless node_list.include?(target_node)
-      output.puts "    <node id=\"node_#{target_node.id}\">"
-      output.puts "      <data key=\"name\">#{target_node.name.nil? ? target_node.device_type : target_node.name}</data>"
-      output.puts "      <data key=\"type\">#{target_node.device_type}</data>"
-      output.puts "    </node>"
-    end
-    output.puts "    <edge source=\"node_#{source_node.id}\" target=\"node_#{target_node.id}\">"
-    output.puts "      <data key=\"line\">PCAP</data>"
-    output.puts "    </edge>"
-  end
   output.puts "  </graph>"
   output.puts "</graphml>"
   output.close
 
   if (defined? USER_DIR) && File.exists?("#{USER_DIR}/config/colors.xml")
-    `java -jar #{ANTFARM_ROOT}/lib/antfarm.jar -active -colors #{USER_DIR}/config/colors.xml #{Antfarm.tmp_dir_to_use}/network.gml`
+    if options.include?('--active')
+      `java -jar #{ANTFARM_ROOT}/lib/antfarm.jar -active -colors #{USER_DIR}/config/colors.xml #{Antfarm.tmp_dir_to_use}/network.gml`
+    else
+      `java -jar #{ANTFARM_ROOT}/lib/antfarm.jar -colors #{USER_DIR}/config/colors.xml #{Antfarm.tmp_dir_to_use}/network.gml`
+    end
   else
-    `java -jar #{ANTFARM_ROOT}/lib/antfarm.jar -active #{Antfarm.tmp_dir_to_use}/network.gml`
+    if options.include?('--active')
+      `java -jar #{ANTFARM_ROOT}/lib/antfarm.jar -active #{Antfarm.tmp_dir_to_use}/network.gml`
+    else
+      `java -jar #{ANTFARM_ROOT}/lib/antfarm.jar #{Antfarm.tmp_dir_to_use}/network.gml`
+    end
   end
 end
 
-if ARGV.length > 0
+if ['-h', '--help'].include?(ARGV[0])
   print_help
 else
-  display
+  display(ARGV)
 end