
Fix geomodel sourceipaddress (#1604)
* Sort events by utctimestamp and set sourceipaddress and sourceipv4address according to the hop destination ip
arcrose committed Apr 20, 2020
1 parent f75d3d5 commit 06b9dd1
Showing 2 changed files with 117 additions and 1 deletion.
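--- a/alerts/geomodel_location.py
+++ b/alerts/geomodel_location.py
@@ -119,9 +119,16 @@ def onAggregation(self, agg):
 query = locality.wrap_query(self.es)
 journal = locality.wrap_journal(self.es)
 
+def _utctimestamp(event):
+source = event.get('_source', {})
+utctimestamp = source.get('utctimestamp', datetime.utcnow())
+return toUTC(utctimestamp)
+
+sorted_events = sorted(events, key=_utctimestamp, reverse=True)
+
 locs_from_evts = list(filter(
 lambda state: state is not None,
-map(locality.from_event, events)))
+map(locality.from_event, sorted_events)))
 
 entry_from_es = locality.find(query, username, cfg.localities.es_index)
 
@@ -160,10 +167,14 @@ def onAggregation(self, agg):
 events,
 modded_alert.severity.value)
 
+# The IP that the user is acting from is the one they hopped to.
+
 # TODO: When we update to Python 3.7+, change to asdict(alert_produced)
 alert_dict['details'] = {
 'username': modded_alert.username,
 'hops': [hop.to_json() for hop in new_alert.hops],
+'sourceipaddress': new_alert.hops[-1].destination.ip,
+'sourceipv4address': new_alert.hops[-1].destination.ip,
 'factors': modded_alert.factors
 }
 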
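Review bot: `_utctimestamp` in the first hunk falls back to `datetime.utcnow()` evaluated on every call, so an event with no `utctimestamp` gets a fresh "now" each time the key function runs and, with `reverse=True`, sorts ahead of every event that was generated earlier; two such events also get an arbitrary relative order, and whichever hop that yields is what `hops[-1]` and the reported `sourceipaddress` end up reflecting, assuming hop order follows this sort (the hop construction is not in the hunk). Compute the fallback once before sorting, `fallback = datetime.utcnow()` above the `def` and `utctimestamp = source.get('utctimestamp', fallback)` inside it, or skip events without a timestamp, and state the choice in a comment. In the second hunk `sourceipv4address` is filled with `destination.ip` unconditionally; if that value can ever be an IPv6 literal the field is mislabeled for anything downstream that keys on it, so populate it only when `ipaddress.ip_address(ip).version == 4` (stdlib `ipaddress`; the import block is outside the hunk). `onAggregation` begins and ends outside both hunks.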
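--- a/tests/alerts/test_geomodel_location.py
+++ b/tests/alerts/test_geomodel_location.py
@@ -103,6 +103,8 @@ class TestAlertGeoModel(GeoModelTest):
 '(3645.78 KM in 16.00 minutes)',
 'details': {
 'username': 'tester1',
+'sourceipaddress': '1.2.3.4',
+'sourceipv4address': '1.2.3.4',
 'hops': [
 {
 'origin': {
@@ -180,6 +182,99 @@ class TestAlertGeoModel(GeoModelTest):
 ]
 
 
+class TestEventOrdering(GeoModelTest):
+'''When events come in indicating geolocation movement has occurred, those
+events will contain a `utctimestamp` field that we want to ensure we sort
+on so that localities are both ordered correctly and so that GeoModel alerts
+correctly identify the IP from which a user is acting.
+'''
+
+alert_filename = 'geomodel_location'
+alert_classname = 'AlertGeoModel'
+
+default_event = AlertTestSuite.create_event({
+'_source': {
+'details': {
+'sourceipaddress': '1.2.3.4',
+'sourceipgeolocation': {
+'city': 'Toronto',
+'country_code': 'CA',
+'latitude': 43.6529,
+'longitude': -79.3849,
+},
+'username': 'tester1',
+},
+'tags': ['auth0'],
+},
+})
+
+default_event['_source']['utctimestamp'] =\
+AlertTestSuite.subtract_from_timestamp_lambda({'minutes': 0})
+
+change_location_event = AlertTestSuite.create_event({
+'_source': {
+'details': {
+'sourceipaddress': '4.3.2.1',
+'sourceipgeolocation': {
+'city': 'San Francisco',
+'country_code': 'US',
+'latitude': 37.773972,
+'longitude': -122.431297,
+},
+'username': 'tester1',
+},
+'tags': ['auth0'],
+},
+})
+
+change_location_event['_source']['utctimestamp'] =\
+AlertTestSuite.subtract_from_timestamp_lambda({'minutes': -1})
+
+default_alert = {
+'category': 'geomodel',
+'summary': 'tester1 seen in Toronto,CA then San Francisco,US '
+'(3645.78 KM in 1.00 minutes)',
+'details': {
+'username': 'tester1',
+'sourceipaddress': '4.3.2.1',
+'sourceipv4address': '4.3.2.1',
+'hops': [
+{
+'origin': {
+'ip': '1.2.3.4',
+'city': 'Toronto',
+'country': 'CA',
+'latitude': 43.6529,
+'longitude': -79.3849,
+'observed': _NOW.isoformat(),
+'geopoint': '43.6529,-79.3849',
+},
+'destination': {
+'ip': '4.3.2.1',
+'city': 'San Francisco',
+'country': 'US',
+'latitude': 37.773972,
+'longitude': -122.431297,
+'observed': (_NOW + timedelta(minutes=1)).isoformat(),
+'geopoint': '37.773972,-122.431297',
+},
+},
+],
+'factors': [],
+},
+'severity': 'INFO',
+'tags': ['geomodel'],
+}
+
+test_cases = [
+PositiveAlertTestCase(
+description='Alert fires with events sorted into the correct order',
+events=[change_location_event, default_event],
+expected_alert=default_alert,
+),
+]
+
+
 class TestUpdateOrdering(GeoModelTest):
 '''Alerts will trigger unexpectedly if locality state updates are applied
 before determining whether a user's location has changed by comparing
@@ -269,6 +364,8 @@ class TestOnePreviousLocality(GeoModelTest):
 '(3645.78 KM in 5.00 minutes)',
 'details': {
 'username': 'tester1',
+'sourceipaddress': '1.2.3.4',
+'sourceipv4address': '1.2.3.4',
 'hops': [
 {
 'origin': {
@@ -351,6 +448,8 @@ class TestInitialLocalityPositiveAlert(GeoModelTest):
 '(3645.78 KM in 3.00 minutes)',
 'details': {
 'username': 'tester1',
+'sourceipaddress': '5.6.7.8',
+'sourceipv4address': '5.6.7.8',
 'hops': [
 {
 'origin': {
@@ -513,6 +612,8 @@ class TestMultipleEventsInWindow(GeoModelTest):
 '(3645.78 KM in 3.00 minutes)',
 'details': {
 'username': 'tester1',
+'sourceipaddress': '1.2.3.4',
+'sourceipv4address': '1.2.3.4',
 'hops': [
 {
 'origin': {
@@ -656,6 +757,8 @@ class TestSameCitiesFarAway(GeoModelTest):
 '(4082.65 KM in 3.00 minutes)',
 'details': {
 'username': 'tester1',
+'sourceipaddress': '1.2.3.4',
+'sourceipv4address': '1.2.3.4',
 'hops': [
 {
 'origin': {
@@ -784,6 +887,8 @@ class TestMultipleImpossibleJourneys(GeoModelTest):
 'Petersburg,RU (6855.53 KM in 2.00 minutes)',
 'details': {
 'username': 'tester1',
+'sourceipaddress': '12.34.45.56',
+'sourceipv4address': '12.34.45.56',
 'hops': [
 {
 'origin': {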
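Review bot: The single case in `TestEventOrdering` (second hunk) passes `events=[change_location_event, default_event]`, and since `change_location_event` carries the later timestamp (`{'minutes': -1}` is one minute after `{'minutes': 0}`) that input is already in the newest-first order that `sorted(events, key=_utctimestamp, reverse=True)` in geomodel_location.py produces, so the case would pass just as well with the sort removed, unless the pipeline reorders events somewhere not visible here. Add a second `PositiveAlertTestCase` with `events=[default_event, change_location_event]` and the same `expected_alert`, or swap the order in this one, so the test actually fails without the sort. The `datetime.utcnow()` fallback for an event lacking `utctimestamp` is also untested; a case with that field deleted from one event would pin down which hop is reported as `sourceipaddress`. The class docstring should say the expected `sourceipaddress` is the destination of the most recent hop, since that is the contract the assertion checks.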
