{ "cells": [ { "attachments": {}, "cell_type": "markdown", "metadata": {}, "source": [ "# IpInformer\n", "\n", "This presentations goal it to introduce the features of the `IpInformer` and how to configure it." ] }, { "attachments": {}, "cell_type": "markdown", "metadata": {}, "source": [ "### The challenge\n", "\n", "I want to enrich an event with additional information of ip_addresses" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "from this:" ] }, { "cell_type": "code", "execution_count": 7, "metadata": {}, "outputs": [], "source": [ "document = {\n", " 'ip_addresses': [\n", " \"127.0.0.1\",\n", " \"::1\",\n", " \"192.168.178.54\",\n", " \"10.10.0.2\",\n", " \"fe80::b056:32ff:fe70:1f61\"\n", " ]\n", " }" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "to this:" ] }, { "cell_type": "code", "execution_count": 8, "metadata": {}, "outputs": [], "source": [ "expected = {\n", " \"ip_addresses\": {\n", " \"127.0.0.1\": {\n", " \"compressed\": \"127.0.0.1\",\n", " \"exploded\": \"127.0.0.1\",\n", " \"is_global\": False,\n", " \"is_link_local\": False,\n", " \"is_loopback\": True,\n", " \"is_multicast\": False,\n", " \"is_private\": True,\n", " \"is_reserved\": False,\n", " \"is_unspecified\": False,\n", " \"max_prefixlen\": 32,\n", " \"reverse_pointer\": \"1.0.0.127.in-addr.arpa\",\n", " \"version\": 4\n", " },\n", " \"::1\": {\n", " \"compressed\": \"::1\",\n", " \"exploded\": \"0000:0000:0000:0000:0000:0000:0000:0001\",\n", " \"ipv4_mapped\": None,\n", " \"is_global\": False,\n", " \"is_link_local\": False,\n", " \"is_loopback\": True,\n", " \"is_multicast\": False,\n", " \"is_private\": True,\n", " \"is_reserved\": True,\n", " \"is_site_local\": False,\n", " \"is_unspecified\": False,\n", " \"max_prefixlen\": 128,\n", " \"reverse_pointer\": \"1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa\",\n", " \"scope_id\": None,\n", " \"sixtofour\": None,\n", " \"teredo\": None,\n", " \"version\": 6\n", " },\n", " \"192.168.178.54\": {\n", " \"compressed\": \"192.168.178.54\",\n", " \"exploded\": \"192.168.178.54\",\n", " \"is_global\": False,\n", " \"is_link_local\": False,\n", " \"is_loopback\": False,\n", " \"is_multicast\": False,\n", " \"is_private\": True,\n", " \"is_reserved\": False,\n", " \"is_unspecified\": False,\n", " \"max_prefixlen\": 32,\n", " \"reverse_pointer\": \"54.178.168.192.in-addr.arpa\",\n", " \"version\": 4\n", " },\n", " \"10.10.0.2\": {\n", " \"compressed\": \"10.10.0.2\",\n", " \"exploded\": \"10.10.0.2\",\n", " \"is_global\": False,\n", " \"is_link_local\": False,\n", " \"is_loopback\": False,\n", " \"is_multicast\": False,\n", " \"is_private\": True,\n", " \"is_reserved\": False,\n", " \"is_unspecified\": False,\n", " \"max_prefixlen\": 32,\n", " \"reverse_pointer\": \"2.0.10.10.in-addr.arpa\",\n", " \"version\": 4\n", " },\n", " \"fe80::b056:32ff:fe70:1f61\": {\n", " \"compressed\": \"fe80::b056:32ff:fe70:1f61\",\n", " \"exploded\": \"fe80:0000:0000:0000:b056:32ff:fe70:1f61\",\n", " \"ipv4_mapped\": None,\n", " \"is_global\": False,\n", " \"is_link_local\": True,\n", " \"is_loopback\": False,\n", " \"is_multicast\": False,\n", " \"is_private\": True,\n", " \"is_reserved\": False,\n", " \"is_site_local\": False,\n", " \"is_unspecified\": False,\n", " \"max_prefixlen\": 128,\n", " \"reverse_pointer\": \"1.6.f.1.0.7.e.f.f.f.2.3.6.5.0.b.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa\",\n", " \"scope_id\": None,\n", " \"sixtofour\": None,\n", " \"teredo\": None,\n", " \"version\": 6\n", " }\n", " }\n", "}" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Create rule and processor" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "create the rule:" ] }, { "cell_type": "code", "execution_count": 9, "metadata": {}, "outputs": [], "source": [ "import sys\n", "sys.path.append(\"../../../../../\")\n", "from logprep.processor.ip_informer.rule import IpInformerRule\n", "\n", "rule_definition = {\n", " \"filter\": \"ip_addresses\",\n", " \"ip_informer\": {\n", " \"source_fields\": [\"ip_addresses\"],\n", " \"target_field\": \"ip_addresses\",\n", " \"overwrite_target\": True\n", " }\n", "}\n", "\n", "rule = IpInformerRule.create_from_dict(rule_definition)\n" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "create the processor config:" ] }, { "cell_type": "code", "execution_count": 10, "metadata": {}, "outputs": [], "source": [ "processor_config = {\n", " \"the_ip_informer_name\":{ \n", " \"type\": \"ip_informer\",\n", " \"rules\": [],\n", " }\n", " }" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "create the processor with the factory:" ] }, { "cell_type": "code", "execution_count": 11, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "ip_informer" ] }, "execution_count": 11, "metadata": {}, "output_type": "execute_result" } ], "source": [ "from logging import getLogger\n", "from logprep.factory import Factory\n", "\n", "logger = getLogger()\n", "ip_informer = Factory.create(processor_config)\n", "ip_informer" ] }, { "attachments": {}, "cell_type": "markdown", "metadata": {}, "source": [ "load the rule to the processor:" ] }, { "cell_type": "code", "execution_count": 12, "metadata": {}, "outputs": [], "source": [ "ip_informer._rule_tree.add_rule(rule)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Process event" ] }, { "cell_type": "code", "execution_count": 13, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "before: {\n", " \"ip_addresses\": [\n", " \"127.0.0.1\",\n", " \"::1\",\n", " \"192.168.178.54\",\n", " \"10.10.0.2\",\n", " \"fe80::b056:32ff:fe70:1f61\"\n", " ]\n", "}\n", "after: {\n", " \"ip_addresses\": {\n", " \"127.0.0.1\": {\n", " \"compressed\": \"127.0.0.1\",\n", " \"exploded\": \"127.0.0.1\",\n", " \"is_global\": false,\n", " \"is_link_local\": false,\n", " \"is_loopback\": true,\n", " \"is_multicast\": false,\n", " \"is_private\": true,\n", " \"is_reserved\": false,\n", " \"is_unspecified\": false,\n", " \"max_prefixlen\": 32,\n", " \"reverse_pointer\": \"1.0.0.127.in-addr.arpa\",\n", " \"version\": 4\n", " },\n", " \"::1\": {\n", " \"compressed\": \"::1\",\n", " \"exploded\": \"0000:0000:0000:0000:0000:0000:0000:0001\",\n", " \"ipv4_mapped\": null,\n", " \"is_global\": false,\n", " \"is_link_local\": false,\n", " \"is_loopback\": true,\n", " \"is_multicast\": false,\n", " \"is_private\": true,\n", " \"is_reserved\": true,\n", " \"is_site_local\": false,\n", " \"is_unspecified\": false,\n", " \"max_prefixlen\": 128,\n", " \"reverse_pointer\": \"1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa\",\n", " \"scope_id\": null,\n", " \"sixtofour\": null,\n", " \"teredo\": null,\n", " \"version\": 6\n", " },\n", " \"192.168.178.54\": {\n", " \"compressed\": \"192.168.178.54\",\n", " \"exploded\": \"192.168.178.54\",\n", " \"is_global\": false,\n", " \"is_link_local\": false,\n", " \"is_loopback\": false,\n", " \"is_multicast\": false,\n", " \"is_private\": true,\n", " \"is_reserved\": false,\n", " \"is_unspecified\": false,\n", " \"max_prefixlen\": 32,\n", " \"reverse_pointer\": \"54.178.168.192.in-addr.arpa\",\n", " \"version\": 4\n", " },\n", " \"10.10.0.2\": {\n", " \"compressed\": \"10.10.0.2\",\n", " \"exploded\": \"10.10.0.2\",\n", " \"is_global\": false,\n", " \"is_link_local\": false,\n", " \"is_loopback\": false,\n", " \"is_multicast\": false,\n", " \"is_private\": true,\n", " \"is_reserved\": false,\n", " \"is_unspecified\": false,\n", " \"max_prefixlen\": 32,\n", " \"reverse_pointer\": \"2.0.10.10.in-addr.arpa\",\n", " \"version\": 4\n", " },\n", " \"fe80::b056:32ff:fe70:1f61\": {\n", " \"compressed\": \"fe80::b056:32ff:fe70:1f61\",\n", " \"exploded\": \"fe80:0000:0000:0000:b056:32ff:fe70:1f61\",\n", " \"ipv4_mapped\": null,\n", " \"is_global\": false,\n", " \"is_link_local\": true,\n", " \"is_loopback\": false,\n", " \"is_multicast\": false,\n", " \"is_private\": true,\n", " \"is_reserved\": false,\n", " \"is_site_local\": false,\n", " \"is_unspecified\": false,\n", " \"max_prefixlen\": 128,\n", " \"reverse_pointer\": \"1.6.f.1.0.7.e.f.f.f.2.3.6.5.0.b.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa\",\n", " \"scope_id\": null,\n", " \"sixtofour\": null,\n", " \"teredo\": null,\n", " \"version\": 6\n", " }\n", " }\n", "}\n", "True\n" ] } ], "source": [ "import json\n", "from copy import deepcopy\n", "mydocument = deepcopy(document)\n", "\n", "\n", "print(f\"before: {json.dumps(mydocument, indent=2)}\")\n", "ip_informer.process(mydocument)\n", "print(f\"after: {json.dumps(mydocument, indent=2)}\")\n", "print(mydocument == expected)" ] } ], "metadata": { "kernelspec": { "display_name": "Python 3.11.0 ('.venv': venv)", "language": "python", "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.9.16" }, "orig_nbformat": 4, "vscode": { "interpreter": { "hash": "586280540a85d3e21edc698fe7b86af2848b9b02644e6c22463da25c40a3f1be" } } }, "nbformat": 4, "nbformat_minor": 2 }