amzn

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
amzn [2020/02/12 14:30] – [Ingress controller/friendly fire issue with vulnerability scans] mmuzeamzn [2020/02/13 13:01] (current) – [Programmatic UI manipulation] mmuze
Line 6: Line 6:
 ======sorcery, product configuration automation solution====== ======sorcery, product configuration automation solution======
   * The //sorcery// solution is a CLI tool that provides supplemental functionality that is not built into a product to provide ways of automating what would otherwise be onerous manual and error prone tasks carried out by an administrator.   * The //sorcery// solution is a CLI tool that provides supplemental functionality that is not built into a product to provide ways of automating what would otherwise be onerous manual and error prone tasks carried out by an administrator.
 +  * automates assigning agents to sensors
 +  * automates tagging agents to help with identifying and managing them
 +  * automates purging defunct agent configuration from the backend when VMs or hosts are terminated
   * **source code:** [[https://github.com/mgupton/sorcery]]   * **source code:** [[https://github.com/mgupton/sorcery]]
  
Line 11: Line 14:
   * The diagram below illustrates a problematic scenario that resulted in many false positive security incidents being generated by the IDS/vuln. scanning solution itself. That is, the IDS was producing and detecting its own threat activity.   * The diagram below illustrates a problematic scenario that resulted in many false positive security incidents being generated by the IDS/vuln. scanning solution itself. That is, the IDS was producing and detecting its own threat activity.
   * Because there was a ingress controller on the node with the application pod the vuln. scanner was scanning the application pod twice, once directly and once through the ingress controller.   * Because there was a ingress controller on the node with the application pod the vuln. scanner was scanning the application pod twice, once directly and once through the ingress controller.
-  * And the source IP of the scans going through the ingress controller was obscured, so when the IDS saw the traffic it did not recognized it as its own traffic. Therefore the IDS generated many false positive incidents from its own scans.+  * And the source IP of the scans going through the ingress controller was obscured, so when the IDS saw the traffic it did not recognize it as its own traffic. Therefore the IDS generated many false positive incidents from its own scans.
   * Normally the x-forwarded-for (XFF) header in HTTP traffic would prevent this issue, but for some reason the XFF was not always added to requests going through the ingress controller and the IDS solution has limitations that results in it not correctly handling the XFF.   * Normally the x-forwarded-for (XFF) header in HTTP traffic would prevent this issue, but for some reason the XFF was not always added to requests going through the ingress controller and the IDS solution has limitations that results in it not correctly handling the XFF.
   * The solution I implemented is to use an undocumented API to whitelist the ingress controllers from vuln. scans. **source code:** {{ :temp:al-exclude.py |}}   * The solution I implemented is to use an undocumented API to whitelist the ingress controllers from vuln. scans. **source code:** {{ :temp:al-exclude.py |}}
Line 22: Line 25:
   * This solution provides a way to programmatically manipulate a web UI to supplement the lack of an API for acquiring vulnerability data.   * This solution provides a way to programmatically manipulate a web UI to supplement the lack of an API for acquiring vulnerability data.
   * This solution was used to ingest vulnerability findings into an ITSM (e.g. ServiceNow) that was used for a partners workflow with their end customers.   * This solution was used to ingest vulnerability findings into an ITSM (e.g. ServiceNow) that was used for a partners workflow with their end customers.
 +  * The solution would authenticate with the UI and then fetch the latest scan results from a specified scan job and save the data as a CSV file that could be readily ingested into an ITSM.
   * **source code:** {{ :temp:aims-ui-access.py |}}   * **source code:** {{ :temp:aims-ui-access.py |}}
   * {{ :temp:customer-readme.pdf |}}   * {{ :temp:customer-readme.pdf |}}
   * [[https://www.youtube.com/watch?v=bCZ7yprk3Ig|Video demo of proof-of-concept]]   * [[https://www.youtube.com/watch?v=bCZ7yprk3Ig|Video demo of proof-of-concept]]
  
  • amzn.1581517822.txt.gz
  • Last modified: 2020/02/12 14:30
  • by mmuze