souleyez 2.27.0__py3-none-any.whl → 2.32.0__py3-none-any.whl

souleyez/engine/background.py

@@ -321,7 +321,7 @@ def _next_job_id(jobs: List[Dict[str, Any]]) -> int:
         return maxid + 1
 
 
-def enqueue_job(tool: str, target: str, args: List[str], label: str = "", engagement_id: int = None, metadata: Dict[str, Any] = None, parent_id: int = None, reason: str = None, rule_id: int = None) -> int:
+def enqueue_job(tool: str, target: str, args: List[str], label: str = "", engagement_id: int = None, metadata: Dict[str, Any] = None, parent_id: int = None, reason: str = None, rule_id: int = None, skip_scope_check: bool = False) -> int:
     with _lock:
         jobs = _read_jobs()
         jid = _next_job_id(jobs)
@@ -339,6 +339,43 @@ def enqueue_job(tool: str, target: str, args: List[str], label: str = "", engage
 
         # Merge parent_id, reason, and rule_id into metadata
         job_metadata = metadata or {}
+
+        # Scope validation - check if target is within engagement scope
+        if not skip_scope_check and engagement_id:
+            try:
+                from souleyez.security.scope_validator import ScopeValidator, ScopeViolationError
+                validator = ScopeValidator(engagement_id)
+                result = validator.validate_target(target)
+                enforcement = validator.get_enforcement_mode()
+
+                if not result.is_in_scope and validator.has_scope_defined():
+                    if enforcement == 'block':
+                        validator.log_validation(target, result, 'blocked', job_id=jid)
+                        raise ScopeViolationError(
+                            f"Target '{target}' is out of scope. {result.reason}"
+                        )
+                    elif enforcement == 'warn':
+                        validator.log_validation(target, result, 'warned', job_id=jid)
+                        if 'warnings' not in job_metadata:
+                            job_metadata['warnings'] = []
+                        job_metadata['warnings'].append(
+                            f"SCOPE WARNING: {target} may be out of scope. {result.reason}"
+                        )
+                        logger.warning("Out-of-scope target allowed (warn mode)", extra={
+                            "target": target,
+                            "engagement_id": engagement_id,
+                            "reason": result.reason
+                        })
+                else:
+                    validator.log_validation(target, result, 'allowed', job_id=jid)
+            except ScopeViolationError:
+                raise  # Re-raise scope violations
+            except Exception as e:
+                # Don't block jobs if scope validation fails unexpectedly
+                logger.warning("Scope validation error (allowing job)", extra={
+                    "target": target,
+                    "error": str(e)
+                })
         if parent_id is not None:
             job_metadata['parent_id'] = parent_id
         if reason:

souleyez/engine/result_handler.py

@@ -10,6 +10,95 @@ from .job_status import STATUS_DONE, STATUS_NO_RESULTS, STATUS_WARNING, STATUS_E
 logger = logging.getLogger(__name__)
 
 
+# Common error patterns that indicate tool failure (not "no results")
+TOOL_ERROR_PATTERNS = {
+    'common': [
+        'connection refused',
+        'connection timed out',
+        'no route to host',
+        'network is unreachable',
+        'name or service not known',
+        'temporary failure in name resolution',
+        'host is down',
+        'connection reset by peer',
+    ],
+    'nmap': [
+        'host seems down',
+        'note: host seems down',
+        'failed to resolve',
+    ],
+    'gobuster': [
+        'timeout occurred during the request',
+        'error on running gobuster',
+        'unable to connect',
+        'context deadline exceeded',
+    ],
+    'hydra': [
+        'can not connect',
+        'could not connect',
+        'error connecting',
+        'target does not support',
+    ],
+    'nikto': [
+        'error connecting to host',
+        'unable to connect',
+        'no web server found',
+    ],
+    'nuclei': [
+        'could not connect',
+        'context deadline exceeded',
+        'no address found',
+    ],
+    'ffuf': [
+        'error making request',
+        'context deadline exceeded',
+    ],
+    'sqlmap': [
+        'connection timed out',
+        'unable to connect',
+        'target url content is not stable',
+    ],
+    'enum4linux': [
+        'could not initialise',
+        'nt_status_connection_refused',
+        'nt_status_host_unreachable',
+        'nt_status_io_timeout',
+    ],
+    'smbmap': [
+        'could not connect',
+        'connection error',
+        'nt_status_connection_refused',
+    ],
+}
+
+
+def detect_tool_error(log_content: str, tool: str) -> Optional[str]:
+    """
+    Check log content for tool errors that indicate failure (not just "no results").
+
+    Args:
+        log_content: The log file content
+        tool: Tool name (lowercase)
+
+    Returns:
+        Error pattern found, or None if no error detected
+    """
+    log_lower = log_content.lower()
+
+    # Check common patterns
+    for pattern in TOOL_ERROR_PATTERNS['common']:
+        if pattern in log_lower:
+            return pattern
+
+    # Check tool-specific patterns
+    tool_patterns = TOOL_ERROR_PATTERNS.get(tool, [])
+    for pattern in tool_patterns:
+        if pattern in log_lower:
+            return pattern
+
+    return None
+
+
 def handle_job_result(job: Dict[str, Any]) -> Optional[Dict[str, Any]]:
     """
     Process completed job and parse results into database.
@@ -527,9 +616,16 @@ def parse_nmap_job(engagement_id: int, log_path: str, job: Dict[str, Any]) -> Di
                         'version': svc.get('version', '')
                     })
 
+        # Check for nmap errors before determining status
+        with open(log_path, 'r', encoding='utf-8', errors='replace') as f:
+            log_content = f.read()
+        nmap_error = detect_tool_error(log_content, 'nmap')
+
         # Determine status based on results
         hosts_up = len([h for h in parsed.get('hosts', []) if h.get('status') == 'up'])
-        if hosts_up > 0:
+        if nmap_error:
+            status = STATUS_ERROR  # Tool failed to run properly
+        elif hosts_up > 0:
             status = STATUS_DONE  # Found hosts
         else:
             status = STATUS_NO_RESULTS  # No hosts up
@@ -1122,8 +1218,13 @@ def parse_gobuster_job(engagement_id: int, log_path: str, job: Dict[str, Any]) -
                 exclude_length = length_match.group(1)
                 logger.info(f"Gobuster wildcard detected: Length {exclude_length}b")
 
+        # Check for gobuster errors
+        gobuster_error = detect_tool_error(log_content, 'gobuster')
+
         # Determine status based on results
-        if wildcard_detected:
+        if gobuster_error:
+            status = STATUS_ERROR  # Tool failed to connect
+        elif wildcard_detected:
             # Wildcard detected - warning status (triggers auto-retry)
             status = STATUS_WARNING
         elif stats['total'] > 0:
@@ -1504,8 +1605,13 @@ def parse_sqlmap_job(engagement_id: int, log_path: str, job: Dict[str, Any]) ->
 
         stats = get_sqli_stats(parsed)
 
+        # Check for sqlmap errors
+        sqlmap_error = detect_tool_error(log_content, 'sqlmap')
+
         # Determine status based on results
-        if stats['sqli_confirmed'] or stats['xss_possible'] or stats['fi_possible']:
+        if sqlmap_error:
+            status = STATUS_ERROR  # Tool failed to connect
+        elif stats['sqli_confirmed'] or stats['xss_possible'] or stats['fi_possible']:
             status = STATUS_DONE  # Found injection vulnerabilities
         else:
             status = STATUS_NO_RESULTS  # No injections found
@@ -2011,11 +2117,22 @@ def parse_smbmap_job(engagement_id: int, log_path: str, job: Dict[str, Any]) ->
             )
             findings_added += 1
 
+        # Check for smbmap errors
+        smbmap_error = detect_tool_error(log_content, 'smbmap')
+
+        # Determine status
+        if smbmap_error:
+            status = STATUS_ERROR  # Tool failed to connect
+        elif shares_added > 0 or findings_added > 0:
+            status = STATUS_DONE
+        else:
+            status = STATUS_NO_RESULTS
+
         return {
             'tool': 'smbmap',
             'host': parsed['target'],
             'connection_status': parsed.get('status', 'Unknown'),  # SMB connection status
-            'status': STATUS_DONE if (shares_added > 0 or findings_added > 0) else STATUS_NO_RESULTS,  # Job status
+            'status': status,  # Job status
             'shares_added': shares_added,
             'files_added': files_added,
             'findings_added': findings_added
@@ -2382,8 +2499,13 @@ def parse_hydra_job(engagement_id: int, log_path: str, job: Dict[str, Any]) -> D
             )
             findings_added += 1
 
+        # Check for hydra errors
+        hydra_error = detect_tool_error(log_content, 'hydra')
+
         # Determine status based on results
-        if len(parsed.get('credentials', [])) > 0:
+        if hydra_error:
+            status = STATUS_ERROR  # Tool failed to connect
+        elif len(parsed.get('credentials', [])) > 0:
             status = STATUS_DONE  # Found valid credentials
         elif len(parsed.get('usernames', [])) > 0:
             status = STATUS_DONE  # Found valid usernames (partial success is still a result)
@@ -2495,8 +2617,15 @@ def parse_nuclei_job(engagement_id: int, log_path: str, job: Dict[str, Any]) ->
             )
             findings_added += 1
 
+        # Check for nuclei errors
+        with open(log_path, 'r', encoding='utf-8', errors='replace') as f:
+            log_content = f.read()
+        nuclei_error = detect_tool_error(log_content, 'nuclei')
+
         # Determine status based on results
-        if parsed.get('findings_count', 0) > 0:
+        if nuclei_error:
+            status = STATUS_ERROR  # Tool failed to connect
+        elif parsed.get('findings_count', 0) > 0:
             status = STATUS_DONE  # Found vulnerabilities
         else:
             status = STATUS_NO_RESULTS  # No vulnerabilities found
@@ -2618,6 +2747,9 @@ def parse_enum4linux_job(engagement_id: int, log_path: str, job: Dict[str, Any])
                 'ip': parsed['target']
             })
 
+        # Check for enum4linux errors
+        enum4linux_error = detect_tool_error(log_content, 'enum4linux')
+
         # Determine status: done if we found any results (shares, users, or findings)
         has_results = (
             findings_added > 0 or
@@ -2626,9 +2758,16 @@ def parse_enum4linux_job(engagement_id: int, log_path: str, job: Dict[str, Any])
             stats['total_shares'] > 0
         )
 
+        if enum4linux_error:
+            status = STATUS_ERROR  # Tool failed to connect
+        elif has_results:
+            status = STATUS_DONE
+        else:
+            status = STATUS_NO_RESULTS
+
         return {
             'tool': 'enum4linux',
-            'status': STATUS_DONE if has_results else STATUS_NO_RESULTS,
+            'status': status,
             'findings_added': findings_added,
             'credentials_added': credentials_added,
             'users_found': len(parsed['users']),
@@ -2735,13 +2874,26 @@ def parse_ffuf_job(engagement_id: int, log_path: str, job: Dict[str, Any]) -> Di
         
         if host_id and parsed.get('paths'):
             paths_added = wpm.bulk_add_web_paths(host_id, parsed['paths'])
-            
+
             # Check for sensitive paths and create findings (same as gobuster)
             created_findings = _create_findings_for_sensitive_paths(engagement_id, host_id, parsed['paths'], job)
 
+        # Check for ffuf errors
+        with open(log_path, 'r', encoding='utf-8', errors='replace') as f:
+            log_content = f.read()
+        ffuf_error = detect_tool_error(log_content, 'ffuf')
+
+        # Determine status
+        if ffuf_error:
+            status = STATUS_ERROR  # Tool failed to connect
+        elif parsed.get('results_found', 0) > 0:
+            status = STATUS_DONE
+        else:
+            status = STATUS_NO_RESULTS
+
         return {
             'tool': 'ffuf',
-            'status': STATUS_DONE if parsed.get('results_found', 0) > 0 else STATUS_NO_RESULTS,
+            'status': status,
             'target': target,
             'results_found': parsed.get('results_found', 0),
             'paths_added': paths_added,
@@ -3060,8 +3212,13 @@ def parse_nikto_job(engagement_id: int, log_path: str, job: Dict[str, Any]) -> D
             )
             findings_added += 1
 
+        # Check for nikto errors
+        nikto_error = detect_tool_error(output, 'nikto')
+
         # Determine status based on results
-        if findings_added > 0:
+        if nikto_error:
+            status = STATUS_ERROR  # Tool failed to connect
+        elif findings_added > 0:
             status = STATUS_DONE
         else:
             status = STATUS_NO_RESULTS

souleyez/integrations/wazuh/config.py

@@ -22,10 +22,14 @@ class WazuhConfig:
     """
 
     @staticmethod
-    def get_config(engagement_id: int) -> Optional[Dict[str, Any]]:
+    def get_config(engagement_id: int, siem_type: str = None) -> Optional[Dict[str, Any]]:
         """
         Get SIEM config for an engagement.
 
+        Args:
+            engagement_id: Engagement ID
+            siem_type: Optional SIEM type to filter by. If None, returns first/active config.
+
         Returns:
             Config dict or None if not configured
         """
@@ -33,19 +37,31 @@ class WazuhConfig:
         conn = db.get_connection()
         cursor = conn.cursor()
 
-        # Check if new columns exist (migration 025)
+        # Check if new columns exist (migration 025+)
         cursor.execute("PRAGMA table_info(wazuh_config)")
         columns = [col[1] for col in cursor.fetchall()]
         has_new_columns = 'siem_type' in columns
 
         # Query with or without new columns
         if has_new_columns:
-            cursor.execute("""
-                SELECT api_url, api_user, api_password, indexer_url, indexer_user,
-                       indexer_password, verify_ssl, enabled, siem_type, config_json
-                FROM wazuh_config
-                WHERE engagement_id = ?
-            """, (engagement_id,))
+            if siem_type:
+                cursor.execute("""
+                    SELECT api_url, api_user, api_password, indexer_url, indexer_user,
+                           indexer_password, verify_ssl, enabled, siem_type, config_json
+                    FROM wazuh_config
+                    WHERE engagement_id = ? AND siem_type = ?
+                """, (engagement_id, siem_type))
+            else:
+                # Get most recently updated config (the "current" selected SIEM)
+                # Not filtering by enabled - user may have selected but not configured yet
+                cursor.execute("""
+                    SELECT api_url, api_user, api_password, indexer_url, indexer_user,
+                           indexer_password, verify_ssl, enabled, siem_type, config_json
+                    FROM wazuh_config
+                    WHERE engagement_id = ?
+                    ORDER BY updated_at DESC
+                    LIMIT 1
+                """, (engagement_id,))
         else:
             cursor.execute("""
                 SELECT api_url, api_user, api_password, indexer_url, indexer_user,
@@ -190,7 +206,7 @@ class WazuhConfig:
                 pass
             config_json_str = json.dumps(encrypted_config)
 
-        # Upsert config
+        # Upsert config - keyed by (engagement_id, siem_type) for multi-SIEM support
         cursor.execute("""
             INSERT INTO wazuh_config (
                 engagement_id, api_url, api_user, api_password, indexer_url,
@@ -198,7 +214,7 @@ class WazuhConfig:
                 siem_type, config_json
             )
             VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-            ON CONFLICT(engagement_id) DO UPDATE SET
+            ON CONFLICT(engagement_id, siem_type) DO UPDATE SET
                 api_url = excluded.api_url,
                 api_user = excluded.api_user,
                 api_password = excluded.api_password,
@@ -207,8 +223,8 @@ class WazuhConfig:
                 indexer_password = excluded.indexer_password,
                 verify_ssl = excluded.verify_ssl,
                 enabled = excluded.enabled,
-                siem_type = excluded.siem_type,
-                config_json = excluded.config_json
+                config_json = excluded.config_json,
+                updated_at = CURRENT_TIMESTAMP
         """, (
             engagement_id, api_url, api_user, encrypted_api_password,
             indexer_url, indexer_user or 'admin', encrypted_indexer_password,
@@ -262,17 +278,124 @@ class WazuhConfig:
             )
 
     @staticmethod
-    def delete_config(engagement_id: int) -> bool:
-        """Delete Wazuh config for an engagement."""
+    def delete_config(engagement_id: int, siem_type: str = None) -> bool:
+        """
+        Delete SIEM config for an engagement.
+
+        Args:
+            engagement_id: Engagement ID
+            siem_type: Optional SIEM type. If None, deletes ALL SIEM configs for engagement.
+        """
         db = get_db()
         conn = db.get_connection()
         cursor = conn.cursor()
-        cursor.execute("DELETE FROM wazuh_config WHERE engagement_id = ?", (engagement_id,))
+        if siem_type:
+            cursor.execute(
+                "DELETE FROM wazuh_config WHERE engagement_id = ? AND siem_type = ?",
+                (engagement_id, siem_type)
+            )
+        else:
+            cursor.execute("DELETE FROM wazuh_config WHERE engagement_id = ?", (engagement_id,))
         conn.commit()
         return cursor.rowcount > 0
 
     @staticmethod
-    def is_configured(engagement_id: int) -> bool:
-        """Check if Wazuh is configured for an engagement."""
-        config = WazuhConfig.get_config(engagement_id)
+    def is_configured(engagement_id: int, siem_type: str = None) -> bool:
+        """Check if SIEM is configured for an engagement."""
+        config = WazuhConfig.get_config(engagement_id, siem_type)
         return config is not None and config.get("enabled", False)
+
+    @staticmethod
+    def list_configured_siems(engagement_id: int) -> List[Dict[str, Any]]:
+        """
+        List all configured SIEMs for an engagement.
+
+        Returns:
+            List of dicts with siem_type, enabled, and api_url for each configured SIEM
+        """
+        db = get_db()
+        conn = db.get_connection()
+        cursor = conn.cursor()
+
+        cursor.execute("PRAGMA table_info(wazuh_config)")
+        columns = [col[1] for col in cursor.fetchall()]
+
+        if 'siem_type' not in columns:
+            # Old schema - only one config possible
+            cursor.execute("""
+                SELECT 'wazuh' as siem_type, enabled, api_url
+                FROM wazuh_config
+                WHERE engagement_id = ?
+            """, (engagement_id,))
+        else:
+            cursor.execute("""
+                SELECT siem_type, enabled, api_url, updated_at
+                FROM wazuh_config
+                WHERE engagement_id = ?
+                ORDER BY siem_type
+            """, (engagement_id,))
+
+        rows = cursor.fetchall()
+        return [
+            {
+                'siem_type': row[0],
+                'enabled': bool(row[1]),
+                'api_url': row[2],
+                'updated_at': row[3] if len(row) > 3 else None
+            }
+            for row in rows
+        ]
+
+    @staticmethod
+    def get_all_configs(engagement_id: int) -> Dict[str, Dict[str, Any]]:
+        """
+        Get all SIEM configs for an engagement, keyed by siem_type.
+
+        Returns:
+            Dict mapping siem_type to config dict
+        """
+        configs = {}
+        for siem in SIEM_TYPES:
+            config = WazuhConfig.get_config(engagement_id, siem)
+            if config:
+                configs[siem] = config
+        return configs
+
+    @staticmethod
+    def get_current_siem_type(engagement_id: int) -> str:
+        """
+        Get the currently selected SIEM type for an engagement.
+
+        Returns the most recently selected SIEM type, even if not fully configured.
+
+        Returns:
+            SIEM type string ('wazuh', 'splunk', etc.) or 'wazuh' as default
+        """
+        config = WazuhConfig.get_config(engagement_id)
+        if config:
+            return config.get('siem_type', 'wazuh')
+        return 'wazuh'
+
+    @staticmethod
+    def set_current_siem(engagement_id: int, siem_type: str) -> bool:
+        """
+        Set a SIEM type as current by updating its timestamp.
+
+        This makes the specified SIEM the "active" one without changing its config.
+
+        Args:
+            engagement_id: Engagement ID
+            siem_type: SIEM type to make current
+
+        Returns:
+            True if successful
+        """
+        db = get_db()
+        conn = db.get_connection()
+        cursor = conn.cursor()
+        cursor.execute(
+            "UPDATE wazuh_config SET updated_at = CURRENT_TIMESTAMP WHERE engagement_id = ? AND siem_type = ?",
+            (engagement_id, siem_type)
+        )
+        conn.commit()
+        return cursor.rowcount > 0