mzfr authored and committed on Aug 17, 2020. 1 parent a51b1be, commit 8866850. Showing 8 changed files with 186 additions and 58 deletions.
@@ -14,6 +14,7 @@ Contents: | |
quick-start | ||
parameters | ||
emulators | ||
db_setup | ||
sessions | ||
storage | ||
dorks | ||
|
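Review bot: the toctree gains `storage` directly after `sessions`, but the contents already list `db_setup`, and the new storage page (further down in this commit) itself walks through installing and configuring Redis and Postgres, so the two pages now cover overlapping ground; either cross-link them or keep the install steps in `db_setup` and limit `storage` to the storage model and the migration. Placing `storage` next to `db_setup` in the toctree would also group the related pages.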
@@ -1,11 +1,35 @@ | ||
Storage | ||
======= | ||
Old Method | ||
========== | ||
Until Tanner v0.7 we were using Redis_ for storing all the data i.e analyzed and unanalyzed sessions. But the issue with that Redis was that it's a ``in-memory`` database meaning it consume large amount of RAM if large amount of data has to be stored. This usually resulted in the unexpected crash of the tanner server. | ||
|
||
We use Redis_ as main storage. | ||
TANNER connects to the redis with default values: ``host='localhost', port=6379`` | ||
|
||
You should install and start the Redis on the server before using TANNER. | ||
See :doc:`quick-start` | ||
New Method | ||
========== | ||
|
||
To solve the problem described above we decided to use the combination of Postgres_ and Redis_ for storage purpose. | ||
|
||
|
||
**Setup Both database** | ||
|
||
* Installation | ||
|
||
* Install Redis | ||
#. On ubuntu: ``sudo apt-get install redis-server`` | ||
|
||
* Install Postgres | ||
#. On ubuntu: ``sudo apt install postgresql`` | ||
|
||
* Configuration | ||
|
||
Once both the server are installed and are running, make the required changes to configuration file which should be present in `/opt/tanner/config.yaml`. See [config] section for more detail about configuration file. | ||
|
||
Migrating from old setup to new setup | ||
===================================== | ||
|
||
If you are currently using the old setup for tanner then you'll have to migrate all your data to the postgresql and have a properly configured database setup. To make your work easy we have made a migration-script_ | ||
|
||
|
||
.. _Redis: http://redis.io/ | ||
.. _Postgres: https://www.postgresql.org/ | ||
.. _migration-script: TODO ADD LINK HERE | ||
|
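Review bot: `.. _migration-script: TODO ADD LINK HERE` commits a placeholder as a live link target, so `migration-script_` in the "Migrating from old setup to new setup" paragraph will render as a broken link, and that is exactly the step a user of the old Redis-only setup needs; add the real URL or drop the reference until the script is published. Smaller points in the same hunk: `See [config] section` is not an RST reference (use `:doc:` or `:ref:`); `/opt/tanner/config.yaml` in single backticks renders as interpreted text rather than a literal (use double backticks); the `#. On ubuntu:` items sit at the same indentation as their `* Install ...` parents, so they will not nest; and "Old Method" / "New Method" reuse the `=` underline of the "Storage" title instead of a subsection underline. The removed lines documented the Redis connection defaults (`host='localhost', port=6379`) and pointed at :doc:`quick-start`; the new text gives no equivalent for either database, so keep that or point at the config section. Wording: "it's a in-memory database meaning it consume large amount of RAM" should read "it is an in-memory database, meaning it consumes a large amount of RAM".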
@@ -1,54 +1,89 @@ | ||
Tanner WEB | ||
========== | ||
Tanner WEB provides various stats related to traffic captured by snare in UI form. It can be accessed at ``locahost:8091/``. | ||
Tanner WEB provides various stats related to traffic captured by snare in UI form. It can be accessed at ``locahost:8091/``. | ||
|
||
The web uses the Tanner API in the background to get the data. | ||
|
||
Index page | ||
~~~~~~~~~~ | ||
.. code-block:: | ||
/ | ||
/ | ||
~~~~ | ||
This is the index page which has a logo (mushorg) with ``Tanner web`` written below it. | ||
|
||
Below that we can find general info of the tanner instance: | ||
|
||
* **Tanner version** -- Which shows the version of tanner instance | ||
* **No. of snares connected** -- Which shows the number of snares connected to the tanner instance | ||
* **Latest session** -- Which will navigate you to the latest session's info page | ||
|
||
Below that we can find a clickable which states, ``Click here to navigate to snares list``, clicking which will move you to the ``/snares`` page. | ||
|
||
/snares | ||
~~~~~~~~~~ | ||
List snare instances | ||
~~~~~~~~~~~~~~~~~~~~ | ||
.. code-block:: | ||
/snares | ||
This shows all the snares' uuid. Each snare object is clickable. Clicking displays the page **/snare/<snare-uuid>** | ||
|
||
/snare/<snare-uuid> | ||
~~~~~~~~~~~~~~~~~~~~~~ | ||
Information about single snare instance | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
.. code-block:: | ||
/snare/<snare-uuid> | ||
Replace ``<snare-uuid>`` with a valid `snare-uuid` and it will provide two options: | ||
* **Snare-Stats** -- It will move you to **/snare-stats/<snare-uuid>** | ||
* **Sessions** -- It will move you to **/<snare-uuid>/sessions** | ||
|
||
/snare-stats/<snare-uuid> | ||
Stats of a snare instance | ||
~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
.. code-block:: | ||
/snare-stats/<snare-uuid> | ||
This page shows some general stats about the snare | ||
|
||
* **No of Sessions** - Total no of sessions of the snare | ||
* **Total Duration** - Total durations during which sessions remain active | ||
* **Attack Frequency** - Frequency of different attacks made on the snare | ||
|
||
/<snare-uuid>/sessions | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
List all sessions | ||
~~~~~~~~~~~~~~~~~ | ||
|
||
.. code-block:: | ||
/<snare-uuid>/sessions | ||
This shows all the sessions' uuid. Each is clickable. Clicking displays **/session/<sess-uuid>** | ||
Filters can be on the sessions using the input box and clicking the ``Apply`` button. | ||
Filters are sepatated by ``white-space`` and name-value pair are separated by ``:``. E.g ``filter1:value1 filter2:value2``. | ||
|
||
It supports 6 filters: | ||
* **peer_ip** -- Sessions with given ip. E.g ``peer_ip:127.0.0.1 `` | ||
* **user-agent** -- Sessions with given user-agent. E.g ``user-agent:Chrome`` | ||
* **attack_types** -- Sessions with given attack type such as lfi, rfi, xss, cmd_exec, sqli. E.g ``attack_types:lfi`` | ||
* **possible_owners** -- Sessions with given owner type such as user, tool, crawler, attacker. E.g ``possible_owners:attacker`` | ||
* **start_time** -- Sessions which started after `start_time`. E.g ``start_time:1480560`` | ||
* **end_time** -- Sessions which ended before `end_time`. E.g ``end_time:1480560`` | ||
* **location** -- Sessions which have been done from the specified geometric `location`. It can take value of either country, city, country_code or zip_code. E.g ``location:India``, ``location:Mumbai``, ``location:US``, ``location:636005`` etc | ||
It supports 5 filters: | ||
|
||
* **peer_ip** -- Sessions with given ip. | ||
E.g ``peer_ip:127.0.0.1`` | ||
* **user_agent** -- Sessions with given user-agent. | ||
E.g ``user-agent:Chrome`` | ||
* **attack_types** -- Sessions with given attack type such as lfi, rfi, xss, cmd_exec, sqli. | ||
E.g ``attack_types:lfi`` | ||
* **owners** -- Sessions with given owner type such as user, tool, crawler, attacker. | ||
E.g ``possible_owners:attacker`` | ||
* **start_time** -- Sessions which started after `start_time`. | ||
E.g ``start_time:1480560`` | ||
* **end_time** -- Sessions which ended before `end_time`. | ||
E.g ``end_time:1480560`` | ||
|
||
**Multiple filters** can be applied as ``peer_ip:127.0.0.1 start_time:1480560 possible_owners:attacker`` | ||
|
||
Multiple filters can be applied as ``peer_ip:127.0.0.1 start_time:1480560 possible_owners:attacker`` | ||
Information about single session | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
.. code-block:: | ||
/session/<sess-uuid> | ||
/session/<sess-uuid> | ||
~~~~~~~~~~~~~~~~~~~~~~~~ | ||
It gives all information about the session with given uuid. Here you may find some of the text clickable such as | ||
``peer_ip``,``possible_owners``, ``start_time``, ``end_time``, ``attack_types``. Clicking on them will display all the sessions will same attribute value. | ||
``peer_ip``, ``possible_owners``, ``start_time``, ``end_time``, ``attack_types``. Clicking on them will display all the sessions will same attribute value. |
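Review bot: "It supports 5 filters:" is followed by six bullets (peer_ip, user_agent, attack_types, owners, start_time, end_time), and the old text said six while listing seven, so the hard-coded count should be fixed or dropped; the `location` filter disappears from the list without explanation, so confirm it was actually removed from the API rather than just from the docs. The filter names and their examples also disagree within the new text: the bullet says `user_agent` but the example is `user-agent:Chrome`, and the bullet says `owners` while the examples (including the "Multiple filters" line) use `possible_owners:attacker`; use the name the API accepts consistently. Typos visible in the hunk worth fixing while here: `locahost:8091/` (should be `localhost`), "sepatated", and "all the sessions will same attribute value" (should be "with the same"). The `.. code-block::` directives carry no language argument, which older Sphinx releases reject; a plain `::` literal block is enough for these paths.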