patronus_fati 1.3.3 → 1.3.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0decb36cf31bb39312c3aafa0b363d0c445d62f9
-  data.tar.gz: 28c87e8a494ccce26639b41a1a00b2cb1a9f9000
+  metadata.gz: d7cc61dae4e9a212fa42cdf646ff7520047c57f4
+  data.tar.gz: d5214c2c449b85771990ef81af25202f4b29c21c
 SHA512:
-  metadata.gz: e92db4e69fb9cde5927add5c1f64b967a9bfe2984e3cf649d6557521fbbd4b91771d1fcdc8e68ff2b52367915a32aca16237f777e451cc7328c58bf6771dbe97
-  data.tar.gz: d70418fb785ca6f3270c16dc470fa374e0dbe521992cc538fc1af6dabd8b22b2d6fc196107f61fafc1e98e2ee05205cd909e9994ff64e5b3633b4eb5e74349e3
+  metadata.gz: d12dabffaca480b0bb9e412173d37d64ba72a9adfcbeda9b2d36eae11c7efcc0c0288be3ae791e81b441c87041ceb36d04a9ca79085e6295f0c2a6128f64727d
+  data.tar.gz: e04be294d9b180b8794e872df31c0ec0d6fa8486abfb1c69386d34fe09ad754791bd17b20e1e4fe89753b7b10b903c05a8070f7a85a84b0b8c449b9bac299e19

data/lib/patronus_fati/consts.rb

@@ -79,6 +79,10 @@ module PatronusFati
     dirtyChildren: (1 << 3),
   }.freeze
 
+  # The minimum signal threshold we'll use to decide whether or not to track a
+  # new access point or client. This help remove noise in the produced data.
+  SIGNAL_THRESHOLD = -86
+
   # This is how many tracked intervals that need to be seen overlapping before
   # we consider an access point as transmitting multiple SSIDs. The length of
   # this is dependent on the length of presence intervals. The value of

data/lib/patronus_fati/data_models/access_point.rb

@@ -3,7 +3,7 @@ module PatronusFati
     class AccessPoint
       include CommonState
 
-      attr_accessor :client_macs, :local_attributes, :ssids
+      attr_accessor :client_macs, :last_dbm, :local_attributes, :ssids
 
       LOCAL_ATTRIBUTE_KEYS = [ :bssid, :channel, :type ].freeze
 
@@ -94,6 +94,7 @@ module PatronusFati
       def diagnostic_data
         dd = super
         dd.merge!(ssids: Hash[ssids.map { |k, s| [k, s.diagnostic_data] }]) if ssids
+        dd[:last_dbm] = last_dbm if last_dbm
         dd
       end
 

data/lib/patronus_fati/data_models/client.rb

@@ -3,7 +3,7 @@ module PatronusFati
     class Client
       include CommonState
 
-      attr_accessor :access_point_bssids, :local_attributes, :probes
+      attr_accessor :access_point_bssids, :last_dbm, :local_attributes, :probes
 
       LOCAL_ATTRIBUTE_KEYS = [ :mac, :channel ].freeze
 
@@ -16,7 +16,7 @@ module PatronusFati
       end
 
       def announce_changes
-        return unless dirty? && valid?
+        return unless dirty? && valid? && worth_syncing?
 
         if active?
           status = new? ? :new : :changed
@@ -51,6 +51,13 @@ module PatronusFati
         probes.reject! { |_, pres| pres.dead? }
       end
 
+      def diagnostic_data
+        dd = super
+        dd[:last_dbm] = last_dbm if last_dbm
+        dd[:visible_time] = presence.visible_time
+        dd
+      end
+
       def full_state
         {
           active: active?,
@@ -65,7 +72,7 @@ module PatronusFati
       def initialize(mac)
         super
         self.access_point_bssids = []
-        self.local_attributes = { mac: mac }
+        self.local_attributes = { channel: 0, mac: mac }
         self.probes = {}
       end
 
@@ -99,6 +106,17 @@ module PatronusFati
         result = Louis.lookup(local_attributes[:mac])
         result['long_vendor'] || result['short_vendor']
       end
+
+      # This is a safety mechanism to check whether or not a client device is
+      # actually 'present'. This is intended to cut out the one time fake
+      # generated addresses from devices that generate random MAC addresses,
+      # probe quickly and disappear and requires us to either see a client
+      # connect to an access point, be visible for more than one interval, or
+      # have already been synced.
+      def worth_syncing?
+        access_point_bssids.any? || sync_flag?(:syncedOnline) ||
+          (presence && presence.visible_time && presence.visible_time > INTERVAL_DURATION)
+      end
     end
   end
 end

data/lib/patronus_fati/message_models/client.rb

@@ -30,11 +30,12 @@ module PatronusFati
                            :noise_rssi, :minsignal_rssi, :minnoise_rssi,
                            :maxsignal_rssi, :maxnoise_rssi, :bestlat, :bestlon,
                            :bestalt, :atype, :datasize, :maxseenrate,
-                           :encodingset, :carrierset, :decrypted, :channel,
+                           :encodingset, :carrierset, :decrypted,
                            :fragments, :retries, :newpackets) { |val| val.to_i }
+    Client.set_data_filter(:channel) { |val| val.to_i == 0 ? nil : val.to_i }
     Client.set_data_filter(:gpsfixed) { |val| val.to_i == 1 }
 
-    Client.set_data_filter(:ip, :gatewayip) { |val| (val == "0.0.0.0") ? nil : val }
+    Client.set_data_filter(:ip, :gatewayip) { |val| (val == '0.0.0.0') ? nil : val }
     Client.set_data_filter(:dhcphost) { |val| (val || '').strip.empty? ? nil : val }
 
     Client.set_data_filter(:freqmhz) do |val|

data/lib/patronus_fati/message_processor/bssid.rb

@@ -13,20 +13,26 @@ module PatronusFati::MessageProcessor::Bssid
     # Ignore the initial flood of cached data and any objects that would have
     # already expired
     return unless PatronusFati.past_initial_flood? &&
-      obj[:lasttime] >= PatronusFati::DataModels::AccessPoint.current_expiration_threshold
+      obj.lasttime >= PatronusFati::DataModels::AccessPoint.current_expiration_threshold
 
     # Some messages from kismet come in corrupted with partial MACs. We care
     # not for them, just drop the bad data.
-    return unless obj[:bssid].match(/^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$/)
+    return unless obj.bssid.match(/^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$/)
 
     # Ignore probe requests as their BSSID information is useless (the ESSID
     # isn't present and it's coming from a client).
     return unless %w(infrastructure adhoc).include?(obj.type.to_s)
 
+    # Only create new access points if we're seeing it at a meaningful
+    # detection strength
+    return unless PatronusFati::DataModels::AccessPoint.exists?(obj.bssid) ||
+      obj.signal_dbm > PatronusFati::SIGNAL_THRESHOLD
+
     ap_info = ap_data(obj.attributes)
 
     access_point = PatronusFati::DataModels::AccessPoint[obj.bssid]
     access_point.update(ap_info)
+    access_point.last_dbm = obj.signal_dbm if obj.signal_dbm
     access_point.presence.mark_visible
     access_point.announce_changes
 

data/lib/patronus_fati/message_processor/client.rb

@@ -3,8 +3,8 @@ module PatronusFati::MessageProcessor::Client
 
   def self.client_data(attrs)
     {
-      bssid:          attrs[:mac],
-      channel:        attrs[:channel],
+      bssid:   attrs[:mac],
+      channel: attrs[:channel]
     }.reject { |_, v| v.nil? }
   end
 
@@ -36,10 +36,16 @@ module PatronusFati::MessageProcessor::Client
     return if %w(unknown from_ds).include?(obj[:type]) &&
       (!PatronusFati::DataModels::Client.exists?(obj[:mac]) || access_point.nil?)
 
+    # Only create new clients if we're seeing it at a meaningful detection
+    # strength
+    return unless PatronusFati::DataModels::Client.exists?(obj.bssid) ||
+      obj.signal_dbm > PatronusFati::SIGNAL_THRESHOLD
+
     client_info = client_data(obj.attributes)
 
     client = PatronusFati::DataModels::Client[obj[:mac]]
     client.update(client_info)
+    client.last_dbm = obj.signal_dbm if obj.signal_dbm
     client.presence.mark_visible
     client.announce_changes
 

data/lib/patronus_fati/message_processor/ssid.rb

@@ -14,7 +14,7 @@ module PatronusFati::MessageProcessor::Ssid
       access_point.track_ssid(ssid_info)
       access_point.presence.mark_visible
       access_point.announce_changes
-    elsif obj[:type] == 'probe_request'
+    elsif obj[:type] == 'probe_request' && !obj[:ssid].empty?
       client = PatronusFati::DataModels::Client[obj[:mac]]
       client.presence.mark_visible
       client.track_probe(obj[:ssid])

data/lib/patronus_fati/version.rb

@@ -1,3 +1,3 @@
 module PatronusFati
-  VERSION = '1.3.3'
+  VERSION = '1.3.4'
 end

data/spec/patronus_fati/data_models/client_spec.rb

@@ -38,6 +38,15 @@ RSpec.describe(PatronusFati::DataModels::Client) do
       subject.announce_changes
     end
 
+    it 'should emit no events when the client isn\'t worth sending up' do
+      expect(subject).to receive(:dirty?).and_return(true)
+      expect(subject).to receive(:valid?).and_return(true)
+      expect(subject).to receive(:worth_syncing?).and_return(false)
+
+      expect(PatronusFati.event_handler).to_not receive(:event)
+      subject.announce_changes
+    end
+
     it 'should emit no events when the instance isn\'t dirty' do
       expect(subject).to receive(:dirty?).and_return(false)
 
@@ -45,9 +54,10 @@ RSpec.describe(PatronusFati::DataModels::Client) do
       subject.announce_changes
     end
 
-    it 'should emit a new client event when dirty and unsynced' do
+    it 'should emit a new client event when dirty, unsynced and worth syncing' do
       expect(subject).to receive(:dirty?).and_return(true)
       expect(subject).to receive(:valid?).and_return(true)
+      expect(subject).to receive(:worth_syncing?).and_return(true)
       subject.presence.mark_visible
 
       expect(PatronusFati.event_handler)
@@ -61,6 +71,7 @@ RSpec.describe(PatronusFati::DataModels::Client) do
 
       expect(subject).to receive(:dirty?).and_return(true)
       expect(subject).to receive(:valid?).and_return(true)
+      expect(subject).to receive(:worth_syncing?).and_return(true)
 
       expect(PatronusFati.event_handler)
         .to receive(:event).with(:client, :changed, anything, anything)
@@ -74,6 +85,7 @@ RSpec.describe(PatronusFati::DataModels::Client) do
       subject.presence.mark_visible
 
       expect(subject).to receive(:valid?).and_return(true)
+      expect(subject).to receive(:worth_syncing?).and_return(true)
       expect(PatronusFati.event_handler)
         .to receive(:event).with(:client, :changed, anything, anything)
       subject.announce_changes
@@ -85,6 +97,7 @@ RSpec.describe(PatronusFati::DataModels::Client) do
       expect(subject.active?).to be_truthy
 
       expect(subject).to receive(:valid?).and_return(true)
+      expect(subject).to receive(:worth_syncing?).and_return(true)
       expect(subject).to receive(:active?).and_return(false).exactly(3).times
 
       expect(PatronusFati.event_handler)
@@ -98,6 +111,7 @@ RSpec.describe(PatronusFati::DataModels::Client) do
       expect(subject.active?).to be_truthy
 
       expect(subject).to receive(:valid?).and_return(true)
+      expect(subject).to receive(:worth_syncing?).and_return(true)
       expect(subject).to receive(:active?).and_return(false).exactly(3).times
 
       expect { subject.announce_changes }
@@ -138,6 +152,7 @@ RSpec.describe(PatronusFati::DataModels::Client) do
 
     it 'short not be dirty after being synced' do
       expect(subject).to receive(:valid?).and_return(true)
+      expect(subject).to receive(:worth_syncing?).and_return(true)
       subject.update(channel: 8)
 
       expect { subject.announce_changes }.to change { subject.dirty? }.from(true).to(false)
@@ -151,6 +166,7 @@ RSpec.describe(PatronusFati::DataModels::Client) do
 
       expect(subject).to receive(:dirty?).and_return(true)
       expect(subject).to receive(:valid?).and_return(true)
+      expect(subject).to receive(:worth_syncing?).and_return(true)
       expect(subject).to receive(:full_state).and_return(data_sample)
 
       expect(PatronusFati.event_handler)
@@ -163,9 +179,10 @@ RSpec.describe(PatronusFati::DataModels::Client) do
       subject.mark_synced
 
       expect(subject).to receive(:valid?).and_return(true)
+      expect(subject).to receive(:worth_syncing?).and_return(true)
       expect(subject).to receive(:active?).and_return(false).exactly(3).times
 
-      expect(subject.presence).to receive(:visible_time).and_return(1234)
+      expect(subject.presence).to receive(:visible_time).and_return(1234).twice
       min_data = {
         'bssid' => subject.local_attributes[:mac],
         'uptime' => 1234
@@ -181,6 +198,7 @@ RSpec.describe(PatronusFati::DataModels::Client) do
 
       expect(subject).to receive(:dirty?).and_return(true)
       expect(subject).to receive(:valid?).and_return(true)
+      expect(subject).to receive(:worth_syncing?).and_return(true)
       expect(subject).to receive(:diagnostic_data).and_return(sample_data)
 
       expect(PatronusFati.event_handler)
@@ -235,7 +253,7 @@ RSpec.describe(PatronusFati::DataModels::Client) do
     end
 
     it 'should initialize the local attributes with the client\'s mac' do
-      expect(subject.local_attributes.keys).to eql([:mac])
+      expect(subject.local_attributes.keys).to eql([:channel, :mac])
       expect(subject.local_attributes[:mac]).to_not be_nil
     end
 

data/tools/change_analysis.rb

@@ -0,0 +1,91 @@
+#!/usr/bin/env ruby
+
+require 'json'
+
+def deep_diff(a, b)
+  (a.keys | b.keys).each_with_object({}) do |k, diff|
+    if a[k] != b[k]
+      if a[k].is_a?(Hash) && b[k].is_a?(Hash)
+        diff[k] = deep_diff(a[k], b[k])
+      else
+        diff[k] = [a[k], b[k]]
+      end
+    end
+    diff
+  end
+end
+
+unless ARGV[0]
+  puts 'Must provide a file as the first argument...'
+  exit 1
+end
+
+unless File.exists?(ARGV[0]) && File.readable?(ARGV[0])
+  puts 'Provided filename either doesn\'t exist or isn\'t readable.'
+  exit 2
+end
+
+message_breakdown = {
+  'access_point' => {},
+  'client' => {}
+}
+
+stats = {
+  relevant_messages: 0,
+  abberations: 0
+}
+
+file = File.open(ARGV[0])
+file.each_line do |line|
+  msg = JSON.parse(line)
+  next if %w(alert both connection sync).include?(msg['asset_type'])
+  next if msg['event_type'] == 'sync'
+
+  stats[:relevant_messages] += 1
+  asset_type = msg['asset_type']
+
+  data = msg['data']
+  data['event_type'] = msg['event_type']
+  data['last_dbm'] = msg['diagnostics']['last_dbm']
+  #data['timestamp'] = msg['timestamp']
+
+  if data['ssids']
+    ssids = data.delete('ssids')
+    data['ssids'] = ssids.map do |s|
+      s.reject { |k, _| %w(last_visible).include?(k) }
+    end
+  end
+
+  bssid = data.delete('bssid')
+
+  message_breakdown[asset_type][bssid] ||= []
+  message_breakdown[asset_type][bssid] << data
+end
+file.close
+
+changes = []
+
+message_breakdown.each do |type, data|
+  data.each do |bssid, msgs|
+    next if msgs.count <= 2
+    stats[:abberations] += msgs.count
+
+    change_string = msgs.map { |m| m['event_type'][0] }.join
+    info = {
+      bssid: bssid,
+      msgs_count: msgs.count,
+      initial_state: msgs[0],
+      change_string: change_string,
+      deltas: []
+    }
+
+    1.upto(msgs.count - 1) do |i|
+      info[:deltas] << deep_diff(msgs[i - 1], msgs[i])
+    end
+
+    changes << info
+  end
+end
+
+puts JSON.pretty_generate(changes)
+puts stats.inspect

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: patronus_fati
 version: !ruby/object:Gem::Version
-  version: 1.3.3
+  version: 1.3.4
 platform: ruby
 authors:
 - Sam Stelfox
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-12-05 00:00:00.000000000 Z
+date: 2018-02-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: louis
@@ -214,6 +214,7 @@ files:
 - spec/patronus_fati_spec.rb
 - spec/shared_examples/common_model_state.rb
 - spec/spec_helper.rb
+- tools/change_analysis.rb
 homepage: ''
 licenses:
 - MIT