unseen-ip-to-airbrake 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 786fc0139b6baa2c5c7474c05c7d9651507a3463
+  data.tar.gz: 6ef92639e0b8e54b2dab02b1189fc80cd0552fe5
+SHA512:
+  metadata.gz: e6a62401f054c7b23af8767d338d1f29af55dc0e2b0098f3c5781205c9b6346f32b9e8def4eff33db17e5f95f4af3b1a04ff67819175c88a8d8c75009cedf035
+  data.tar.gz: 3dbc0ff1ecaa2e17d87d1f2f8305bf8502e74d358a8090e046abe5d300021fcf6642cc9456f9a5c88481100c3cf4cb5063e324acfc618d76fdfa2ef0a18feda3

data/bin/identify-ip-protocol-port

@@ -0,0 +1,28 @@
+#!/usr/bin/env ruby
+# 
+# identify-ip-protocol-port: script to identify an ip port combination
+# 
+# Usage:
+# 
+#   $ identify-ip-protocol-port 8.8.8.8 udp 53
+#   {
+#     "ip": "8.8.8.8",
+#     "protocol": "udp",
+#     "port": "53",
+#     "service_name": "domain",
+#     "host": "google-public-dns-a.google.com"
+#   }
+#
+require_relative '../lib/identify_util.rb'
+require 'json'
+
+def usage
+  puts File.read(__FILE__).scan(/^# (.*)$/)
+  exit 0
+end
+
+usage if ARGV.empty?
+
+ip, protocol, port = *ARGV
+puts JSON.pretty_generate(IdentifyUtil.ip_protocol_port(ip, protocol, port))
+

data/bin/unseen-connections

@@ -0,0 +1,81 @@
+#!/usr/bin/env ruby
+# 
+# unseen-connections: script to notify about unseen connection attempts
+# 
+# Usage:
+# 
+#   elktail -f '%@timestamp,%src_ip,%dst_ip,%protocol,%src_port' 'type:cisco-firewall AND action:Built AND direction:outbound' \
+#   | unseen-connections
+# 
+# Synopsis:
+# 
+#   The script expects input on STDIN, one line per firewall log entry.
+#   Each line must be formatted, including the fields %@timestamp, %src_ip, %dst_ip, %protocol and %src_port.
+# 
+#     %@timestamp,%src_ip,%dst_ip,%protocol,%src_port\n
+# 
+#   e.g.
+# 
+#     2016-11-29T10:36:05.990Z,50.31.164.146,10.248.177.12,TCP,443\n
+# 
+#   It remembers each destination ip:port combination for a given time.
+#   Over multiple runs it restores and saves its state with a YAML file.
+# 
+#   New ip:port combinations are reported to Airbrake with
+#   their respective environment and additional information.
+# 
+#   Airbrake in turn alerts the current Sherrif in charge via Pivotaltracker.
+# 
+# Dependencies:
+# 
+#   * A tool that can stream data out of the ELK stack and format its output as described above.
+#     For example 'elktail' (https://github.com/knes1/elktail/releases) does the job really well.
+# 
+#   * An Airbrake account project_id and project_key.
+# 
+#   * A yaml configuration file with symbol keys, including:
+# 
+#      ---
+#      # all keys are symbols
+#      # 7 days in seconds
+#      :remember_for: 604800
+#      # 1 hour in seconds
+#      :save_interval: 3600
+#      # were to save state
+#      :state_file: path/to/state.yml
+#      :airbrake:
+#        :project_id: <your airbrake project id>
+#        :project_key: <your airbrake project key>
+#      :networks:
+#        # name with regular expression to match against ip
+#        :staging: !ruby/regexp /10.248.177/
+#        :production: !ruby/regexp /10.248.237/
+require_relative '../lib/unseen_connections_monitor.rb'
+require 'optparse'
+
+def usage
+  puts File.read(__FILE__).scan(/^# (.*)$/)
+  exit 0
+end
+
+help = false
+config_file = 'config.yml'
+OptionParser.new do |options|
+  options.on('-cFILE', '--config=FILE', 'Set configuration file [config.yml]') do |value|
+    config_file = value
+  end
+  options.on('-h', '--help', 'Display help') do
+    usage
+  end
+end.parse!
+
+monitor = UnseenConnectionsMonitor.new(config: YAML.load_file(config_file))
+
+at_exit { monitor.close }
+
+while line = STDIN.gets
+  datetime, from_ip, to_ip, protocol, port = line.strip.split(",")
+  warning = monitor.feed(datetime: datetime, from_ip: from_ip, protocol: protocol, to_ip: to_ip, port: port)
+  STDERR.puts(warning.message) if warning
+end
+

data/lib/identify_util.rb

@@ -0,0 +1,21 @@
+require 'socket'
+require 'resolv'
+
+module IdentifyUtil
+  def ip_protocol_port(ip, protocol, port)
+    {
+      ip: ip,
+      protocol: protocol,
+      port: port,
+      service_name: (
+        Socket.getservbyport(port.to_i, protocol) rescue nil
+      ),
+      host: (
+        Resolv.getname(ip) rescue nil
+      )
+    }
+  end
+
+  extend self
+end
+

data/lib/identify_util_spec.rb

@@ -0,0 +1,11 @@
+describe IdentifyUtil do
+  describe '::ip_protocol_port' do
+    before do
+      expect(Resolv).to receive(:getname).with('127.0.0.1').and_return('localhost')
+      expect(Socket).to receive(:getservbyport).with(53, 'tcp').and_return('domain')
+    end
+    subject { IdentifyUtil.ip_protocol_port('127.0.0.1', 'tcp', '53') }
+    it { expect(subject).to eq(ip: '127.0.0.1', protocol: 'tcp', port: '53', service_name: 'domain', host: 'localhost') }
+  end
+end
+

data/lib/unseen_connections_monitor.rb

@@ -0,0 +1,130 @@
+require 'airbrake-ruby'
+require 'yaml'
+require 'time'
+require 'tempfile'
+require 'fileutils'
+require_relative './identify_util.rb'
+
+class UnseenConnectionsMonitor
+
+  class FirewallWarning < StandardError
+    attr_reader :from, :to, :protocol, :port
+
+    def initialize(from:, to:, protocol:, port:)
+      super("unseen #{protocol} connection from #{from} to #{to}:#{port}")
+      @from, @to, @protocol, @port = from, to, protocol, port
+    end
+
+    def params
+      IdentifyUtil.ip_protocol_port(to, protocol, port).merge(from: from)
+    end
+
+    def ==(other)
+      message == other.message
+    end
+    alias_method :eq?, :==
+  end
+
+  DEFAULTS = {
+    remember_for: 604800,
+    save_interval: 3600,
+    state_file: "unseen_connections.yml",
+    networks: {
+      production: /.*/
+    }
+  }
+
+  attr_reader :config
+
+  def initialize(config:)
+    @config = config
+    @config.default_proc = proc { |h,k| h[k] = DEFAULTS[k] }
+    DEFAULTS.keys.each { |k| @config[k] }
+    configure_airbrake
+  end
+
+  def close
+    networks.each { |name| Airbrake.close(name) }
+    save
+  end
+
+  # taken from activesupport File::atomic_write
+  def save
+    state_file = config.fetch(:state_file)
+    tempfile = Tempfile.new(File.basename(state_file), Dir.tmpdir)
+    tempfile.write(state.to_yaml)
+    tempfile.close
+    begin
+      # Get original file permissions
+      old_stat = File.stat(state_file)
+    rescue Errno::ENOENT
+      # No old permissions, write a temp file to determine the defaults
+      check_name = File.join(File.dirname(file_name), ".permissions_check.#{Thread.current.object_id}.#{Process.pid}.#{rand(1000000)}")
+      File.open(check_name, "w") { }
+      old_stat = File.stat(check_name)
+      File.unlink(check_name)
+    end
+    FileUtils.mv(tempfile.path, state_file)
+    File.chown(old_stat.uid, old_stat.gid, state_file)
+    File.chmod(old_stat.mode, state_file)
+    @last_save = Time.now.to_i
+  end
+
+  def state
+    @state ||= begin
+      @last_save = Time.now.to_i
+      YAML.load_file(config.fetch(:state_file)) || {} rescue {}
+    end
+  end
+
+  def last_save
+    @last_save || 0
+  end
+
+  def feed(datetime:,from_ip:,protocol:,to_ip:,port:)
+    timestamp = Time.parse(datetime).to_i
+    protocol = protocol.downcase
+    key = "#{to_ip}:#{protocol}/#{port}"
+
+    warning = notify(from: from_ip, to: to_ip, protocol: protocol, port: port) unless state.has_key?(key)
+    state[key] = timestamp
+    warning
+  ensure
+    housekeeping
+  end
+
+  def networks
+    config.fetch(:networks).keys
+  end
+
+  private
+
+  def notify(from:,to:,protocol:,port:)
+    warning = FirewallWarning.new(from: from, to: to, protocol: protocol, port: port)
+    Airbrake.notify(warning, warning.params, network_name(from) || :production)
+    warning
+  end
+
+  def network_name(from)
+    name, _ = config.fetch(:networks).find { |_, regexp| from =~ regexp }
+    name
+  end
+
+  def housekeeping
+    now = Time.now.to_i
+    state.reject! { |_, last_attempt| last_attempt < now - config.fetch(:remember_for)  }
+    save if last_save < now - config.fetch(:save_interval)
+  end
+
+  def configure_airbrake
+    networks.each do |name, _|
+      Airbrake.configure(name) do |c|
+        c.project_id = config.fetch(:airbrake).fetch(:project_id)
+        c.project_key = config.fetch(:airbrake).fetch(:project_key)
+        c.environment = name
+      end
+    end
+  end
+
+end
+

metadata

@@ -0,0 +1,112 @@
+--- !ruby/object:Gem::Specification
+name: unseen-ip-to-airbrake
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Lukas Rieder
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-12-19 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: airbrake-ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.0
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.5'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Capture unseen IP addresses connection attempts and report them to Airbrake
+email: l.rieder@gmail.com
+executables:
+- identify-ip-protocol-port
+- unseen-connections
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/identify-ip-protocol-port
+- bin/unseen-connections
+- lib/identify_util.rb
+- lib/identify_util_spec.rb
+- lib/unseen_connections_monitor.rb
+homepage: https://github.com/Overbryd/unseen-ip-to-airbrake
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.8
+signing_key: 
+specification_version: 4
+summary: Unseen IP to Airbrake
+test_files: []