In [1]:
import psycopg2
import numpy as np
import matplotlib.pyplot as plt
import os

In [2]:
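# setup connection
# No password is passed: this relies on the local (peer/trust) auth the
# server has configured for this user.
# readonly=True makes every statement in this notebook read-only on the
# server side, so a stray UPDATE/DELETE cannot touch the dataset.
# autocommit=True is added so the kernel does not sit in a single
# never-committed transaction for its whole lifetime (psycopg2 opens one
# implicitly on the first execute() and keeps it until commit/rollback),
# which would pin an old snapshot on the server.  Results are unaffected:
# the cursor below is client-side, so each execute() fetches its result set.
conn = psycopg2.connect(
    host='localhost',
    database='cadets_e3',
    user='rosendahl',
)
conn.set_session(readonly=True, autocommit=True)
# get cursor
cur = conn.cursor()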

In [3]:
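# debug: which machine the kernel runs on and where relative paths resolve
# (the blacklist file read below is relative to this directory).
# The previous version shelled out via os.system("hostnamectl hostname");
# that spawns a shell for a one-word lookup and writes to the kernel
# process's own stdout, which is not always the stream the notebook
# captures.  os.uname() gives the kernel hostname without a subprocess
# (POSIX only, which this notebook already assumes).
print(os.uname().nodename)
print(f'current working directory: {os.getcwd()}')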

vmrosendahl
current working directory: /home/rosendahl/remote_interpreter/dataset/jupyter


In [4]:
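# load subject_blacklist
# One subject uuid per line.  Blank lines are skipped so a trailing newline
# (or an empty file) does not put '' into the set.
# NOTE: the cell "event_blacklist = set(); subject_blacklist = set()" further
# down replaces this set, so the file's content is only a previous run's
# result and does not feed into the counts printed at the end.
with open('data/blacklisted_subjects.txt', 'r') as file:
    subject_blacklist = {line.strip() for line in file if line.strip()}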

In [6]:
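# get column names
# Run the same join as the per-tape queries below with "limit 0" so that
# cur.description yields the column layout without fetching any rows.  The
# positions computed here are used to index rows of those later queries, so
# the FROM/JOIN order must stay identical to them.
# Both second-predicate objects are joined on predicateobject2_uuid; the
# original joined nfo2 on predicateobject_uuid (copy-paste of the nfo1 line),
# which made nfo2 a duplicate of nfo1 and never matched a netflow object
# referenced by predicateobject2.
query = '''
select distinct *
from event e
join subject s
    on e.subject_uuid = s.uuid
join principal p
    on s.localprincipal = p.uuid
left join fileobject fo1
    on e.predicateobject_uuid = fo1.uuid
left join fileobject fo2
    on e.predicateobject2_uuid = fo2.uuid
left join netflowobject nfo1
    on e.predicateobject_uuid = nfo1.uuid
left join netflowobject nfo2
    on e.predicateobject2_uuid = nfo2.uuid
limit 0;
'''

cur.execute(query)
column_names = [desc[0] for desc in cur.description]
print(column_names)

# Several joined tables expose a column called 'uuid'; list.index returns the
# first occurrence, which belongs to `event` only because event is the first
# table in the FROM list.  'subject_uuid' exists once (on event).
index_event_uuid = column_names.index('uuid')
index_subject_uuid = column_names.index('subject_uuid')
# Sanity check that the 'uuid' we picked precedes event's own subject_uuid
# column, i.e. it is the event uuid and not one of the joined tables'.
assert index_event_uuid < index_subject_uuid, 'first uuid column is not the event uuid'
print(f'index_event_uuid: {index_event_uuid}')
print(f'index_subject_uuid: {index_subject_uuid}')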

['ts', 'uuid', 'type', 'timestampnanos', 'sequence_long', 'threadid_int', 'subject_uuid', 'predicateobject_uuid', 'name_string', 'parameters_array', 'properties_map_return_value', 'properties_map_fd', 'properties_map_exec', 'properties_map_ppid', 'predicateobject2_uuid', 'properties_map_ret_fd2', 'properties_map_ret_fd1', 'predicateobjectpath_string', 'size_long', 'properties_map_partial_path', 'predicateobject2path_string', 'properties_map_arg_pid', 'properties_map_cmdline', 'properties_map_arg_mem_flags', 'properties_map_arg_euid', 'properties_map_arg_suid', 'properties_map_arg_ruid', 'properties_map_arg_rgid', 'properties_map_arg_egid', 'properties_map_arg_sgid', 'properties_map_address', 'properties_map_ret_msgid', 'properties_map_arg_uid', 'properties_map_arg_gid', 'properties_map_arg_miouuid', 'properties_map_port', 'properties_map_login', 'properties_map_ret_miouuid', 'ts', 'uuid', 'cid', 'localprincipal', 'starttimestampnanos', 'parentsubject_uuid', 'uuid', 'userid', 'username_

In [7]:
# Start both blacklists from scratch: the keyword-driven cells below fill
# them, so whatever was read from data/blacklisted_subjects.txt above is
# intentionally discarded here.  Re-running this cell resets the analysis.
event_blacklist, subject_blacklist = set(), set()

In [11]:
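# tape 1, 20180406
# Ground-truth indicators for this attack window: remote IPs, dropped
# binaries, touched files and command fragments.  Matching below is exact
# equality against a single column value (tuple membership), NOT substring
# search, so e.g. 'nginx' only hits a row where some column is exactly
# 'nginx'.  Duplicate entries of the original list were removed; that does
# not change which rows match.
# NOTE(review): several entries differ by one digit ('200.36.109.21' /
# '200.36.109.214' / '200.16.109.214', '139.123.0.113' / '139.123.0.133',
# '81.49.200.166' / '91.49.200.18') — presumably distinct indicators, but
# worth confirming against the ground-truth document.
keywords = [
    'elevate',
    'drakon',
    'nrinfo',
    'nrtcp',
    '154.145.113.18',
    '61.167.39.128',
    './deploy/archive/libdrakon.freebsd.x64.so_152.111.159.139',
    '/var/log/devc',
    'foo',
    'xxx',
    '81.49.200.166',
    '78.205.235.65',
    '200.36.109.21',
    '139.123.0.113',
    '152.111.159.139',
    '200.36.109.214',
    'shellcode_server',
    'loaderDrakon.freebsd.x64',
    'drakon.freebsd.x64',
    'netrecon',
    '(nrtcp fail)',
    '(nrtcp success)',
    '/tmp/vUgefal',
    '/dev/gtx_dsa_675',
    '91.49.200.18',
    'nginx',
    '/etc/passwd',
    '/etc/group',
    'stage 1',
    'oc2',
    '200.16.109.214',
    'cmd_exec',
    'vUgefal',
    '139.123.0.133',
    'sshd',
]

_event_blacklist = set()
_subject_blacklist = set()

# Events in the attack window, joined to their subject/principal and to the
# file and netflow objects referenced by either predicate.  Column order must
# match the "get column names" query, since index_event_uuid and
# index_subject_uuid come from there.
# nfo2 is joined on predicateobject2_uuid; the original joined it on
# predicateobject_uuid (copy of the nfo1 line), so netflow objects referenced
# by the second predicate were never matched against the keywords.
# NOTE: the time literals are interpreted in the session's time zone, and the
# upper bound is 12:08:00 exactly (events later in that minute fall outside).
query = '''
select distinct *
from event e
join subject s
    on e.subject_uuid = s.uuid
join principal p
    on s.localprincipal = p.uuid
left join fileobject fo1
    on e.predicateobject_uuid = fo1.uuid
left join fileobject fo2
    on e.predicateobject2_uuid = fo2.uuid
left join netflowobject nfo1
    on e.predicateobject_uuid = nfo1.uuid
left join netflowobject nfo2
    on e.predicateobject2_uuid = nfo2.uuid
where e.ts >= '2018-04-06 11:21'
and e.ts <= '2018-04-06 12:08'
'''

cur.execute(query)

# `keyword in row` is tuple membership: any column equal to the keyword.
for row in cur:
    if any(keyword in row for keyword in keywords):
        _event_blacklist.add(row[index_event_uuid])
        _subject_blacklist.add(row[index_subject_uuid])

print(f'blacklisted events: {len(_event_blacklist)}')
print(f'blacklisted subjects: {len(_subject_blacklist)}')

event_blacklist = event_blacklist.union(_event_blacklist)
subject_blacklist = subject_blacklist.union(_subject_blacklist)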

blacklisted events: 365
blacklisted subjects: 71


In [12]:
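# tape 2, 20180411
# Ground-truth indicators for this attack window.  Matching below is exact
# equality against a single column value, not substring search.
# Fix: the original had 'nignx' with no trailing comma, so Python's implicit
# string concatenation fused it with the next line into the single literal
# 'nignx25.159.96.207' — neither the nginx keyword nor the 25.159.96.207
# address could ever match.  Spelling follows the other tapes ('nginx').
keywords = [
    '/tmp/grain',
    '/etc/group',
    'sshd',
    'nginx',
    '25.159.96.207',
    '76.56.184.25',
    '155.162.39.48',
    '198.115.236.119',
    '128.55.12.167',
    'loaderDrakon',
    'shellcode_server',
    'libdrakon',
    './deploy/archive/libdrakon.freebsd.x64.so_198.115.236.119',
    'vUGefai',
]

_event_blacklist = set()
_subject_blacklist = set()

# Same join as the "get column names" query (column positions depend on it).
# nfo2 is joined on predicateobject2_uuid; the original joined it on
# predicateobject_uuid, which silently dropped second-predicate netflow hits.
# NOTE: time literals use the session's time zone; the upper bound is
# 15:15:00 exactly.
query = '''
select distinct *
from event e
join subject s
    on e.subject_uuid = s.uuid
join principal p
    on s.localprincipal = p.uuid
left join fileobject fo1
    on e.predicateobject_uuid = fo1.uuid
left join fileobject fo2
    on e.predicateobject2_uuid = fo2.uuid
left join netflowobject nfo1
    on e.predicateobject_uuid = nfo1.uuid
left join netflowobject nfo2
    on e.predicateobject2_uuid = nfo2.uuid
where e.ts >= '2018-04-11 15:08'
and e.ts <= '2018-04-11 15:15'
'''

cur.execute(query)

# `keyword in row` is tuple membership: any column equal to the keyword.
for row in cur:
    if any(keyword in row for keyword in keywords):
        _event_blacklist.add(row[index_event_uuid])
        _subject_blacklist.add(row[index_subject_uuid])

print(f'blacklisted events: {len(_event_blacklist)}')
print(f'blacklisted subjects: {len(_subject_blacklist)}')

event_blacklist = event_blacklist.union(_event_blacklist)
subject_blacklist = subject_blacklist.union(_subject_blacklist)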

blacklisted events: 915
blacklisted subjects: 24


In [14]:
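# tape 3, 20180412
# Ground-truth indicators for this attack window.  Matching below is exact
# equality against a single column value, not substring search — which is
# the only reason generic words like 'shell', 'main', 'test' or 'font' are
# usable here; do not switch to substring matching without pruning them.
# Fix: '/tmo/XIM' corrected to '/tmp/XIM' (every sibling path is under /tmp
# and the bare 'XIM' entry is kept).  Duplicate entries were removed.
keywords = [
    'shell',
    'tmux-1002',
    '/tmp/test',
    'micro',
    'scans',
    '25.159.96.207',
    '128.55.12.167',
    '76.56.184.25',
    '155.162.39.48',
    '198.115.236.119',
    '53.158.101.118',
    '98.15.44.232',
    '192.113.144.28',
    'webserver',
    'shellcode_server',
    'loaderDrakon',
    'libdrakon',
    'drakon',
    'sendmail',
    'vUGefai',
    './deploy/archive/microapt.freebsd.x64_98.15.44.232',
    './deploy/archive/libdrakon.freebsd.x64.so_198.115.236.119',
    '/tmp/font',
    'font',
    './deploy/archive/drakon.freebsd.x64_53.158.101.118',
    'XIM',
    'netlog',
    'main',
    'test',
    '/tmp/tmux-1002',
    '/tmp/minions',
    '/tmp/XIM',
    '/var/log/netlog',
    '/var/log/sendmail',
    '/tmp/main',
    '128.55.12.67',
    '128.55.12.141',
    '128.55.12.110',
    '128.55.12.118',
    '128.55.12.10',
    '128.55.12.1',
    '128.55.12.55',
]

_event_blacklist = set()
_subject_blacklist = set()

# Same join as the "get column names" query (column positions depend on it).
# nfo2 is joined on predicateobject2_uuid; the original joined it on
# predicateobject_uuid, which silently dropped second-predicate netflow hits.
# NOTE: time literals use the session's time zone; the upper bound is
# 14:38:00 exactly.
query = '''
select distinct *
from event e
join subject s
    on e.subject_uuid = s.uuid
join principal p
    on s.localprincipal = p.uuid
left join fileobject fo1
    on e.predicateobject_uuid = fo1.uuid
left join fileobject fo2
    on e.predicateobject2_uuid = fo2.uuid
left join netflowobject nfo1
    on e.predicateobject_uuid = nfo1.uuid
left join netflowobject nfo2
    on e.predicateobject2_uuid = nfo2.uuid
where e.ts >= '2018-04-12 14:00'
and e.ts <= '2018-04-12 14:38'
'''

cur.execute(query)

# `keyword in row` is tuple membership: any column equal to the keyword.
for row in cur:
    if any(keyword in row for keyword in keywords):
        _event_blacklist.add(row[index_event_uuid])
        _subject_blacklist.add(row[index_subject_uuid])

print(f'blacklisted events: {len(_event_blacklist)}')
print(f'blacklisted subjects: {len(_subject_blacklist)}')

event_blacklist = event_blacklist.union(_event_blacklist)
subject_blacklist = subject_blacklist.union(_subject_blacklist)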

blacklisted events: 523
blacklisted subjects: 58


In [15]:
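# tape 4, 20180413  (the original comment also said "tape 3"; renumbered to
# follow the 20180412 window above)
# Ground-truth indicators for this attack window.  Matching below is exact
# equality against a single column value, not substring search.
# Fixes: '98.115.236.119' corrected to '198.115.236.119' (the address used
# in tapes 2/3 and in the libdrakon filename on this very list), and
# '/dec/gtx_dsa_675' to '/dev/gtx_dsa_675' (as in tape 1).
# NOTE(review): '20691' only matches a text column; if it is meant as a
# pid/port stored as an integer it will never hit — confirm the column type.
keywords = [
    'reconnect',
    'whoami',
    'nc -s',
    'shell',
    './deploy/archive/drakon.freebsd.x64_53.158.101.118',
    'pEja72mA',
    './deploy/archive/libdrakon.freebsd.x64.so_198.115.236.119',
    'eWq10bVcx',
    'elevate',
    '20691',
    '/usr/sbin/sshd',
    'inject',
    'crash',
    '25.159.96.207',
    '128.55.12.73',
    '128.55.12.167',
    '76.56.184.25',
    '155.162.39.48',
    '198.115.236.119',
    '53.158.101.118',
    'memhelp.so',
    'eraseme',
    'done.so',
    '78.205.235.65',
    'nginx',
    'sshd',
    '/etc/group',
    '/etc/passwd',
    '/dev/gtx_dsa_675',
]

_event_blacklist = set()
_subject_blacklist = set()

# Same join as the "get column names" query (column positions depend on it).
# nfo2 is joined on predicateobject2_uuid; the original joined it on
# predicateobject_uuid, which silently dropped second-predicate netflow hits.
# NOTE: time literals use the session's time zone; the upper bound is
# 09:15:00 exactly.
query = '''
select distinct *
from event e
join subject s
    on e.subject_uuid = s.uuid
join principal p
    on s.localprincipal = p.uuid
left join fileobject fo1
    on e.predicateobject_uuid = fo1.uuid
left join fileobject fo2
    on e.predicateobject2_uuid = fo2.uuid
left join netflowobject nfo1
    on e.predicateobject_uuid = nfo1.uuid
left join netflowobject nfo2
    on e.predicateobject2_uuid = nfo2.uuid
where e.ts >= '2018-04-13 09:04'
and e.ts <= '2018-04-13 09:15'
'''

cur.execute(query)

# `keyword in row` is tuple membership: any column equal to the keyword.
for row in cur:
    if any(keyword in row for keyword in keywords):
        _event_blacklist.add(row[index_event_uuid])
        _subject_blacklist.add(row[index_subject_uuid])

print(f'blacklisted events: {len(_event_blacklist)}')
print(f'blacklisted subjects: {len(_subject_blacklist)}')

event_blacklist = event_blacklist.union(_event_blacklist)
subject_blacklist = subject_blacklist.union(_subject_blacklist)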

blacklisted events: 406
blacklisted subjects: 8


In [17]:
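# print result
print('total blacklist:')
print(f'blacklisted events: {len(event_blacklist)}')
print(f'blacklisted subjects: {len(subject_blacklist)}')

# Count the events whose subject is not blacklisted.  The uuids are passed as
# a bound parameter (psycopg2 renders a tuple as a SQL list), never
# interpolated into the string.  An empty tuple would render as "()" and be
# a syntax error, so that case gets its own query.
# NOTE: NOT IN evaluates to NULL for rows whose subject_uuid is NULL, so such
# events (if the table has any) are not counted; the empty-blacklist branch
# mirrors that with "is not null" so both paths count the same population.
if subject_blacklist:
    query = '''
    select count(distinct e.uuid)
    from event e
    where e.subject_uuid not in %s
    '''
    cur.execute(query, (tuple(subject_blacklist),))
else:
    query = '''
    select count(distinct e.uuid)
    from event e
    where e.subject_uuid is not null
    '''
    cur.execute(query)
print(f'events after subject blacklist: {cur.fetchone()[0]}')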

total blacklist:
blacklisted events: 2253
blacklisted subjects: 169
events after subject blacklist: 20586823
