
Merge pull request #1568 from mozilla/remove_visualizations

Remove blue page visualizations
pwnbus committed Feb 20, 2020
2 parents e8c367f + ed6f318 commit 83d8cd27a86fcd29560e5e17dc01b338822235c2
Showing with 2 additions and 4,165 deletions.
  1. +1 −4 cloudy_mozdef/cloudformation/mozdef-instance.yml
  2. +0 −9 cron/collectAttackers.conf
  3. +0 −473 cron/collectAttackers.py
  4. +0 −9 cron/collectAttackers.sh
  5. +1 −69 cron/createIPBlockList.py
  6. +0 −1 docker/compose/mozdef_cron/Dockerfile
  7. +0 −10 docker/compose/mozdef_cron/files/collectAttackers.conf
  8. +0 −1 docker/compose/mozdef_cron/files/cron_entries.txt
  9. +0 −2 docs/source/overview.rst
  10. +0 −6 docs/source/usage/web_interface.rst
  11. +0 −74 meteor/client/attackerdetails.html
  12. +0 −47 meteor/client/attackerdetails.js
  13. +0 −81 meteor/client/attackers.html
  14. +0 −1,036 meteor/client/attackers.js
  15. +0 −41 meteor/client/globe.html
  16. +0 −555 meteor/client/globe.js
  17. +0 −11 meteor/client/logincounts.html
  18. +0 −196 meteor/client/logincounts.js
  19. +0 −10 meteor/client/main.js
  20. +0 −15 meteor/client/menu.html
  21. +0 −12 meteor/client/mozdef.js
  22. +0 −13 meteor/client/nameplate.html
  23. +0 −17 meteor/client/nameplate.js
  24. +0 −32 meteor/client/router.js
  25. +0 −15 meteor/client/themes/classic/menu.html
  26. +0 −29 meteor/client/themes/side_nav_dark/menu.html
  27. +0 −35 meteor/imports/collections.js
  28. +0 −21 meteor/imports/models.js
  29. +0 −174 meteor/imports/themes/classic/mozdef.css
  30. +0 −174 meteor/imports/themes/dark/mozdef.css
  31. +0 −180 meteor/imports/themes/light/mozdef.css
  32. +0 −175 meteor/imports/themes/side_nav_dark/mozdef.css
  33. +0 −4 meteor/private/features.txt
  34. +0 −132 meteor/public/other/ogro/Ogro.txt
  35. +0 −77 meteor/public/other/ogro/ogro-light.js
  36. BIN meteor/public/other/ogro/ogro.md2
  37. BIN meteor/public/other/ogro/skins/arboshak.png
  38. BIN meteor/public/other/ogro/skins/ctf_b.png
  39. BIN meteor/public/other/ogro/skins/ctf_r.png
  40. BIN meteor/public/other/ogro/skins/darkam.png
  41. BIN meteor/public/other/ogro/skins/freedom.png
  42. BIN meteor/public/other/ogro/skins/gib.png
  43. BIN meteor/public/other/ogro/skins/gordogh.png
  44. BIN meteor/public/other/ogro/skins/grok.jpg
  45. BIN meteor/public/other/ogro/skins/igdosh.png
  46. BIN meteor/public/other/ogro/skins/khorne.png
  47. BIN meteor/public/other/ogro/skins/nabogro.png
  48. BIN meteor/public/other/ogro/skins/ogrobase.png
  49. BIN meteor/public/other/ogro/skins/sharokh.png
  50. BIN meteor/public/other/ogro/skins/weapon.jpg
  51. +0 −77 meteor/public/other/ogro/weapon-light.js
  52. BIN meteor/public/other/ogro/weapon.md2
  53. +0 −14 meteor/server/methods.js
  54. +0 −13 rest/index.py
  55. +0 −138 rest/plugins/logincounts.py
  56. +0 −183 tests/rest/test_rest_index.py
@@ -220,7 +220,7 @@ Resources:
METEOR_BACKEND=meteor:3000
ESBACKEND=${KibanaDomainOnlyURL}
# Disable certain web ui features
OPTIONS_REMOVE_FEATURES=ipblocklist,fqdnblocklist,logincounts,globe
OPTIONS_REMOVE_FEATURES=ipblocklist,fqdnblocklist
# See https://github.com/mozilla-iam/mozilla.oidc.accessproxy/blob/master/README.md#setup
# Future support will be added for cognito backed authentication.
client_id=${OIDCClientId}
@@ -241,9 +241,6 @@ Resources:
cookiename=sesmeteor
# Increase the AWS ES total fields limit from 1000 to 4000
OPTIONS_MAPPING_TOTAL_FIELDS_LIMIT=4000
# Set thresholds for attack dataviz lower means more ogres
OPTIONS_IPV4ATTACKERHITCOUNT=5
OPTIONS_IPV4ATTACKERPREFIXLENGTH=24
OPTIONS_ALERTSQSQUEUEURL=${AlertQueueUrl}
OPTIONS_MQPROTOCOL=sqs
DEFAULT_AWS_REGION=${AWS::Region}
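Review bot: The surviving `OPTIONS_REMOVE_FEATURES=ipblocklist,fqdnblocklist` value in the first hunk keeps two feature names while the diffstat shows meteor/private/features.txt deleted (−4 lines), so whether those names are still consumed anywhere after this commit cannot be confirmed from this section; if the feature list now lives elsewhere, the comment `# Disable certain web ui features` should say where the valid names are defined. The second hunk drops the three `OPTIONS_IPV4ATTACKER*` lines together with their comment, which matches the cron removal, but existing deployments that set these keys in their own environment files will simply keep carrying dead configuration — a line in the PR description telling operators they can be removed would help. The Resources block both hunks sit in starts and ends outside the shown lines.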

This file was deleted.

This file was deleted.

This file was deleted.

@@ -7,7 +7,6 @@

import boto3
import netaddr
import random
import sys
from datetime import datetime
from datetime import timedelta
@@ -17,10 +16,6 @@
from mozdef_util.utilities.logger import logger


def genMeteorID():
return('%024x' % random.randrange(16**24))


def isIPv4(ip):
try:
# netaddr on it's own considers 1 and 0 to be valid_ipv4
@@ -43,43 +38,6 @@ def isIPv6(ip):
return False


def aggregateAttackerIPs(attackers):
iplist = []

# Set the attacker age timestamp
attackerage = datetime.now() - timedelta(days=options.attackerage)

ips = attackers.aggregate([
{"$sort": {"lastseentimestamp": -1}},
{"$match": {"category": options.category}},
{"$match": {"lastseentimestamp": {"$gte": attackerage}}},
{"$match": {"indicators.ipv4address": {"$exists": True}}},
{"$group": {"_id": {"ipv4address": "$indicators.ipv4address"}}},
{"$unwind": "$_id.ipv4address"},
{"$limit": options.iplimit}
])

for i in ips:
whitelisted = False
logger.debug('working {0}'.format(i))
ip = i['_id']['ipv4address']
ipcidr = netaddr.IPNetwork(ip)
if not ipcidr.ip.is_loopback() and not ipcidr.ip.is_private() and not ipcidr.ip.is_reserved():
for whitelist_range in options.ipwhitelist:
whitelist_network = netaddr.IPNetwork(whitelist_range)
if ipcidr in whitelist_network:
logger.debug(str(ipcidr) + " is whitelisted as part of " + str(whitelist_network))
whitelisted = True

# strip any host bits 192.168.10/24 -> 192.168.0/24
ipcidrnet = str(ipcidr.cidr)
if ipcidrnet not in iplist and not whitelisted:
iplist.append(ipcidrnet)
else:
logger.debug('invalid:' + ip)
return iplist


def parse_network_whitelist(network_whitelist_location):
networks = []
with open(network_whitelist_location, "r") as text_file:
@@ -98,32 +56,12 @@ def main():
client = MongoClient(options.mongohost, options.mongoport)
mozdefdb = client.meteor
ipblocklist = mozdefdb['ipblocklist']
attackers = mozdefdb['attackers']
# ensure indexes
ipblocklist.create_index([('dateExpiring', -1)])
attackers.create_index([('lastseentimestamp', -1)])
attackers.create_index([('category', 1)])

# First, gather IP addresses from recent attackers and add to the block list
attackerIPList = aggregateAttackerIPs(attackers)

# add attacker IPs to the blocklist
# first delete ones we've created from an attacker
ipblocklist.delete_many({'creator': 'mozdef', 'reference': 'attacker'})

# delete any that expired
ipblocklist.delete_many({'dateExpiring': {"$lte": datetime.utcnow() - timedelta(days=options.expireage)}})

# add the aggregations we've found recently
for ip in attackerIPList:
ipblocklist.insert_one(
{'_id': genMeteorID(),
'address': ip,
'reference': 'attacker',
'creator': 'mozdef',
'dateAdded': datetime.utcnow()})

# Lastly, export the combined blocklist
# Export the blocklist
ipCursor = mozdefdb['ipblocklist'].aggregate([
{"$sort": {"dateAdded": -1}},
{"$match": {"address": {"$exists": True}}},
@@ -174,12 +112,6 @@ def initConfig():
# Output File Name
options.outputfile = getConfig('outputfile', 'ipblocklist.txt', options.configfile)

# Category to choose
options.category = getConfig('category', 'bruteforcer', options.configfile)

# Max days to look back for attackers
options.attackerage = getConfig('attackerage', 90, options.configfile)

# Days after expiration that we purge an ipblocklist entry (from the ui, they don't end up in the export after expiring)
options.expireage = getConfig('expireage', 1, options.configfile)

@@ -13,7 +13,6 @@ COPY docker/compose/mozdef_cron/files/cron_entries.txt /cron_entries.txt

# Copy config files for crons
COPY --chown=mozdef:mozdef docker/compose/mozdef_cron/files/backup.conf /opt/mozdef/envs/mozdef/cron/backup.conf
COPY --chown=mozdef:mozdef docker/compose/mozdef_cron/files/collectAttackers.conf /opt/mozdef/envs/mozdef/cron/collectAttackers.conf
COPY --chown=mozdef:mozdef docker/compose/mozdef_cron/files/eventStats.conf /opt/mozdef/envs/mozdef/cron/eventStats.conf
COPY --chown=mozdef:mozdef docker/compose/mozdef_cron/files/healthAndStatus.conf /opt/mozdef/envs/mozdef/cron/healthAndStatus.conf
COPY --chown=mozdef:mozdef docker/compose/mozdef_cron/files/healthToMongo.conf /opt/mozdef/envs/mozdef/cron/healthToMongo.conf

This file was deleted.

@@ -1,7 +1,6 @@
BASH_ENV=/env
* * * * * /opt/mozdef/envs/mozdef/cron/healthAndStatus.sh
* * * * * /opt/mozdef/envs/mozdef/cron/healthToMongo.sh
* * * * * /opt/mozdef/envs/mozdef/cron/collectAttackers.sh
* * * * * /opt/mozdef/envs/mozdef/cron/syncAlertsToMongo.sh
* * * * * /opt/mozdef/envs/mozdef/cron/eventStats.sh
0 0 * * * /opt/mozdef/envs/mozdef/cron/esMaint.sh
@@ -65,8 +65,6 @@ MozDef is based on open source technologies including:
* MongoDB (scalable data store, tightly integrated to Meteor)
* VERIS from verizon (open source taxonomy of security incident categorizations)
* d3 (javascript library for data driven documents)
* dc.js (javascript wrapper for d3 providing common charts, graphs)
* three.js (javascript library for 3d visualizations)
* Firefox (a snappy little web browser)

Frontend processing
@@ -7,9 +7,3 @@ Meteor (the underlying UI framework) supports `many authentication options`_ inc

.. _Meteor framework: https://www.meteor.com/
.. _many authentication options: https://docs.meteor.com/#accounts_api

Events visualizations
*********************

Since the backend of MozDef is Elastic Search, you get all the goodness of Kibana with little configuration.
The MozDef UI is focused on incident handling and adding security-specific visualizations of SIEM data to help you weed through the noise.

This file was deleted.

This file was deleted.
