Sweet Security Client
Service Name: sweetsecurity
Installation Path: /opt/sweetsecurity/client
Log File: /var/log/sweetsecurity.log
Processing of the Sweet Security Client is kicked off by /opt/sweetsecurity/client/sweetSecurity.py. This file initializes multiple threads to handle various client side tasks. Before starting any threads, the code completes two vital tasks.
Enable IP forwarding by setting the value of /proc/sys/net/ipv4/ip_forward to 1. This allows the Sweet Security device to intercept network traffic and forward it back out to the appropriate destination.
Deploy Bro IDS. This ensures Bro is running when the device starts up. The following command is issued to start Bro.
sudo /opt/nsm/bro/bin/broctl deploy
Frequency: 5 minutes
URL: https://webapp/sensorHealth
Post Data
sensorMac: MAC Address of Selected Interface
sensorName: Hostname of Device
broHealth: Value from 'sudo /opt/nsm/bro/bin/broctl status'
logstashHealth: Value from 'sudo service logstash status'
diskUsage: Value from 'df -k'
memAvailable: Value from 'free -f -m'
memConsumed: Value from 'free -f -m'
memPercent: Value from 'free -f -m'
This sends sensor health information to the webApp server for two reasons. The first is to register the sensor with the server. The second is to display the health of the device to the user when going to /settings.
Frequency: 5 seconds
Server will return a list of all known devices discovered by all sensors with their associated configurations.
From the returned JSON file, the value of the 'ignore' field will be inspected and placed into the local sqlite database. The spoofing thread will honor this value when attempting to ARP spoof devices on the network.
From the returned JSON file, the value of the 'isolate' field will be inspected. If it is set to '1', a firewall rule will be created to drop all local subnet traffic for that device's IP.
From the returned JSON file, the data blob in the 'firewall' field will be inspected. There is always one default action for each device, either DROP or ALLOW. Any additional rules are added on top of this default in the firewall configuration. An iptables script is generated from the configuration and applied on the device.
Frequency: 20 seconds
This URL is used to send device information up to the webApp server. If the device has not previously been discovered, it will add it to the server's database and alert the user (if configured to send email alerts). If the device has already been discovered, it will update the lastSeen field for that particular device. The following information is sent to the server:
hostname
ip address
mac address
vendor
sudo nmap -sn interfaceIP/interfaceSubnetMask -e %s -oX /opt/sweetsecurity/client/nmap_scans/pingSweep.xml
Once the sweep completes, the XML file is parsed. Each discovered device is stored in the local sqlite database, and its information is sent up to the webApp server.
Frequency: 60 minutes
URL: https://webApp/addPort
Data Sent to Server:
MAC Address
Port Number
Protocol
Service Name
Service Version
Product Name
nmap -sV -oX /opt/sweetsecurity/client/nmap_scans/portScan_deviceIP_timestamp.xml deviceIP
For each device, Nmap runs a '-sV' (service/version detection) scan to enumerate its open ports. For each open port discovered, the client sends the port information along with the device's MAC address up to the server.
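Both the ping sweep and the port scan hand their -oX output to a parser. As an added example (not the project's own code), the following parses a constructed Nmap XML document into the fields listed above: hostname, IP, MAC and vendor per host, plus port number, protocol, service name, product and version for each open port. It assumes the -sn sweep output simply lacks a ports section, so the same loop serves both scans.

```python
# Added example, not Sweet Security's own parser: extract the fields the client
# reports to the webApp from Nmap -oX output. The XML below is constructed.
import xml.etree.ElementTree as ET

# Constructed sample: one host as a -sV scan would report it (a -sn ping sweep
# produces the same host/address/hostnames elements without the ports section).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.20">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <address addr="B8:27:EB:12:34:56" addrtype="mac" vendor="Raspberry Pi Foundation"/>
    <hostnames><hostname name="pi.lan" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4p1" method="probed"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/>
        <service name="http" method="table"/></port>
    </ports>
  </host>
</nmaprun>"""

def parse_hosts(xml_text):
    """Return one dict per host that is up: hostname, ip, mac, vendor, ports."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # a host that did not answer is not registered
        rec = {"hostname": "", "ip": "", "mac": "", "vendor": "", "ports": []}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                rec["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                rec["mac"] = addr.get("addr")
                rec["vendor"] = addr.get("vendor", "")  # absent if OUI unknown
        hn = host.find("hostnames/hostname")
        if hn is not None:
            rec["hostname"] = hn.get("name", "")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports are reported to the server
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            rec["ports"].append({"port": int(port.get("portid")),
                                 "protocol": port.get("protocol"),
                                 "service": get("name"), "product": get("product"),
                                 "version": get("version")})
        hosts.append(rec)
    return hosts
```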
Frequency: Every Second
The spoofing code uses Scapy to spoof network devices. For each device with ignore set to '1' and active set to '0', it constructs the following Scapy packets and sends them each second.
Ether()/ARP(op="who-has",hwdst=DefaultGatewayMAC,pdst=DefaultGatewayIP,psrc=VictimIP)
Ether()/ARP(op="who-has",hwdst=VictimMAC,pdst=VictimIP,psrc=DefaultGatewayIP)
An ignore status of 0 means the device will not be ignored and should be spoofed.
At the beginning of each ping sweep, the value of 'active' will be set to '0'. If a device is discovered by the ping sweep command, the value of active will be set to '1'. This helps avoid timeout issues when sending ARP spoofing packets with scapy.
Frequency: 60 minutes
URL: https://check.torproject.org/exit-addresses
URL: http://www.malwaredomainlist.com/hostslist/ip.txt
Local File: /etc/logstash/translate/torIP.yaml
For each IP address listed in the torproject.org website:
"TOR_IP_ADDRESS": "YES"
Local File: /etc/logstash/translate/maliciousIP.yaml
For each IP address listed in the malwaredomainlist.com website:
"MALICIOUS_IP_ADDRESS": "YES"