Update

Author: RoyB99

README.md

@@ -0,0 +1,14 @@
+# blstsecurity-aws-loggers
+
+## BLST connector agents
+### What this is all about?
+BLST aims to replace the manual penetration tester by developing an advanced AI model that uses Machine Learning to identify anomalies and simulate real-world logic attacks on your application.
+
+### What is this repo for?
+These connector agents are meant to connect users to our systems via varius methods.
+
+### How to install and test?
+You can find instructions on how to install the EC2 traffic mirroring agent in this [address](mirror-traffic/EC2/EC2_Lambda_installation_instructions.pdf) <br>
+You can find instructions on how to install the API Gateway agent in this [address](api-gateway/API_Gateway_Lambda_installation_instructions.pdf)
+
+#### We would love to hear your comments and responses!

api-gateway/API_Gateway_Lambda_installation_instructions.pdf

@@ -0,0 +1,2 @@
+# blstsecurity-aws-loggers
+ 

api-gateway/README.md

@@ -0,0 +1,102 @@
+import json
+import boto3
+from datetime import datetime, timedelta
+import time
+import requests
+import random
+
+logs = boto3.client('logs')
+gateways = boto3.client('apigateway')
+events = boto3.client('events')
+lambdas = boto3.client('lambda')
+
+def put_rule(name):
+ rule_name = name + '-rule'
+ lambda_details = lambdas.get_function(FunctionName=name)
+ lambda_arn = ''
+ lambda_role = ''
+ if 'Configuration' in lambda_details:
+ lambda_arn = lambda_details['Configuration']['FunctionArn']
+ lambda_role = lambda_details['Configuration']['Role']
+ if lambda_arn != '':
+ response = events.list_rule_names_by_target(
+ TargetArn=lambda_arn
+ )
+ if not len(response['RuleNames']):
+ rule_arn = events.put_rule(
+ Name=rule_name,
+ ScheduleExpression='rate(10 minutes)',
+ State='ENABLED',
+ Description='rule for running blstsecurity logs'
+ )
+ events.put_targets(
+ Rule=rule_name,
+ Targets=[
+ {
+ 'Arn': lambda_arn,
+ 'Id': 'blstsecurity_logs_event_target',
+ }
+ ]
+ )
+ lambdas.add_permission(
+ FunctionName=name,
+ StatementId='AWS_Event' + str(random.randint(100000,999999)),
+ Action='lambda:InvokeFunction',
+ Principal='events.amazonaws.com',
+ SourceArn=rule_arn['RuleArn']
+ )
+ 
+def get_timestamp(data):
+ return data[0]['value']
+ 
+def get_id(data):
+ return data[1]['value'][1:36]
+ 
+def get_logs_from_group(log_group, start_time, query):
+ date_start_time = datetime.fromtimestamp(start_time)
+ start_query_response = logs.start_query(
+ logGroupName=log_group,
+ startTime=start_time - 30,
+ endTime=start_time + 600,
+ queryString=query,
+ )
+ query_id = start_query_response['queryId']
+ response = None
+ while response == None or response['status'] == 'Running':
+ time.sleep(1)
+ response = logs.get_query_results(
+ queryId=query_id
+ )
+ data=[]
+ response['results'].sort(key=lambda data: (get_id(data), get_timestamp(data)))
+ prev_stream_key = ''
+ stream_arr = []
+ add_stream = False
+ for stream in response['results']:
+ stream_key = stream[1]['value'][1:36]
+ log_time = stream[0]['value']
+ stream_message = stream[1]['value'][39:]
+ date_log_time = datetime.strptime(log_time, '%Y-%m-%d %H:%M:%S.%f')
+ if date_log_time > date_start_time and 'response body after transformations:' in stream_message[0:85]:
+ add_stream = True
+ if prev_stream_key != '' and stream_key != prev_stream_key:
+ if add_stream and len(stream_arr):
+ data.append(stream_arr)
+ stream_arr = []
+ add_stream = False
+ stream_arr.append({"time":log_time,"message":stream_message,"id":stream_key})
+ prev_stream_key = stream_key
+ if add_stream:
+ data.append(stream_arr)
+ return {"log_group_name":log_group,"data":data}
+
+def lambda_handler(event, context):
+ start_time = int((datetime.today() - timedelta(minutes=13)).timestamp())
+ query = "fields @timestamp, @message"
+ put_rule('blstsecurity-logs')
+ for log_group in logs.describe_log_groups(logGroupNamePrefix='API-Gateway-Execution-Logs_')['logGroups']:
+ api_log_group = get_logs_from_group(log_group['logGroupName'], start_time, query)
+ if 'data' in api_log_group and len(api_log_group['data']):
+ requests.post('https://z2yh3zbaw1.execute-api.eu-central-1.amazonaws.com/poc/send', data = json.dumps(api_log_group))
+ 
+ return 'success'

api-gateway/blstsecurity-api-gateway-logs.zip

@@ -0,0 +1,2 @@
+# blstsecurity-aws-loggers
+ 

api-gateway/lambda_function.py

@@ -0,0 +1,170 @@
+import json
+import boto3
+import os
+import time
+
+ram = boto3.client('ram')
+ec2 = boto3.client('ec2')
+
+blstsec_account = os.environ['BLSTSECURITY_ACCOUNT']
+blstsec_destination = os.environ['BLSTSECURITY_ROUTE_DESTINATION']
+source_instance_id = os.environ['SOURCE_INSTANCE_ID']
+
+def get_instance_data():
+ instance_data = ec2.describe_instances(
+ InstanceIds=[
+ source_instance_id
+ ]
+ )['Reservations'][0]['Instances'][0]['NetworkInterfaces'][0]
+ source_cidr = ec2.describe_vpcs(
+ VpcIds=[
+ instance_data['VpcId']
+ ]
+ )['Vpcs'][0]['CidrBlock']
+ print('Your CIDR Block is: ' + source_cidr)
+ route_table_id = ''
+ try:
+ route_table_id = ec2.describe_route_tables(
+ Filters=[
+ {
+ 'Name': 'association.subnet-id',
+ 'Values': [
+ instance_data['SubnetId']
+ ]
+ }
+ ]
+ )['RouteTables'][0]['RouteTableId']
+ except Exception as e:
+ route_tables_data = ec2.describe_route_tables(
+ Filters=[
+ {
+ 'Name': 'vpc-id',
+ 'Values': [
+ instance_data['VpcId']
+ ]
+ }
+ ]
+ )['RouteTables']
+ is_main = False
+ if route_tables_data[0]['Associations'][0]['Main']:
+ route_table_id = route_tables_data[0]['Associations'][0]['RouteTableId']
+ is_main = True
+ route_tables_index = 1
+ while not is_main and len(route_tables_data) > route_tables_index:
+ if route_tables_data[route_tables_index]['Associations'][0]['Main']:
+ route_table_id = route_tables_data[route_tables_index]['Associations'][0]['RouteTableId']
+ is_main = True
+ if not is_main:
+ print('There was an error with finding your route table id, please contact blstsecurity')
+ return {'vpc_id':instance_data['VpcId'], 'subnet_id':instance_data['SubnetId'], 'network_interface_id':instance_data['NetworkInterfaceId'], 'cidr':source_cidr, 'route_table_id':route_table_id}
+ 
+def get_resource_share_list():
+ shared_resources_inv = ram.get_resource_share_invitations()
+ shared_resources_list = []
+ for resource in shared_resources_inv['resourceShareInvitations']:
+ if resource['senderAccountId'] == blstsec_account:
+ if resource['status'] != 'ACCEPTED':
+ ram.accept_resource_share_invitation(
+ resourceShareInvitationArn=resource['resourceShareInvitationArn']
+ )
+ shared_resources_list.append(resource['resourceShareArn'])
+ return shared_resources_list
+
+def get_resource_share_ids(shared_resources_list):
+ shared_resources_ids_list = {}
+ shared_resources_ram_list = []
+ if not len(shared_resources_list):
+ return shared_resources_ram_list
+ while len(shared_resources_ram_list) != 2:
+ shared_resources_ram_list = ram.list_resources(
+ resourceOwner='OTHER-ACCOUNTS',
+ resourceShareArns=shared_resources_list
+ )['resources']
+ time.sleep(0.05)
+ for resource in shared_resources_ram_list:
+ if resource['type'] == 'ec2:TransitGateway':
+ shared_resources_ids_list['tgw'] = resource['arn'].split('/')[1]
+ elif resource['type'] == 'ec2:TrafficMirrorTarget':
+ shared_resources_ids_list['tmt'] = resource['arn'].split('/')[1]
+ return shared_resources_ids_list
+
+def create_transit_gateway_attachment(tgw_id, source_vpc_id, source_subnet_id):
+ tgwa = ''
+ try:
+ tgwa = ec2.create_transit_gateway_vpc_attachment(
+ TransitGatewayId=tgw_id,
+ VpcId=source_vpc_id,
+ SubnetIds=[source_subnet_id]
+ )['TransitGatewayVpcAttachment']['TransitGatewayAttachmentId']
+ except Exception as e:
+ tgwa = e
+ 
+def create_traffic_mirror_filter_rule(tmf_id, direction, number):
+ tmf_rule_id = ''
+ while tmf_rule_id == '':
+ try:
+ tmf_rule_id = ec2.create_traffic_mirror_filter_rule(
+ TrafficMirrorFilterId=tmf_id,
+ TrafficDirection=direction,
+ RuleNumber=number,
+ RuleAction='accept',
+ Protocol=6,
+ DestinationCidrBlock='0.0.0.0/0',
+ SourceCidrBlock='0.0.0.0/0'
+ )['TrafficMirrorFilterRule']['TrafficMirrorFilterRuleId']
+ except Exception as e:
+ print(e)
+ time.sleep(0.05)
+ 
+def create_traffic_mirror_filter():
+ traffic_mirror_filters = ec2.describe_traffic_mirror_filters(
+ Filters=[
+ {
+ 'Name': 'description',
+ 'Values': [
+ 'blstsecurity traffic mirror filter'
+ ]
+ },
+ ]
+ )['TrafficMirrorFilters']
+ if len(traffic_mirror_filters):
+ return ''
+ 
+ tmf_id = ec2.create_traffic_mirror_filter(
+ Description='blstsecurity traffic mirror filter'
+ )['TrafficMirrorFilter']['TrafficMirrorFilterId']
+ create_traffic_mirror_filter_rule(tmf_id, 'ingress', 100)
+ create_traffic_mirror_filter_rule(tmf_id, 'egress', 100)
+ return tmf_id
+ 
+def create_traffic_mirror_session(source_network_interface_id, tmt_id, tmf_id):
+ if tmf_id == '':
+ return
+ tms = ec2.create_traffic_mirror_session(
+ NetworkInterfaceId=source_network_interface_id,
+ TrafficMirrorTargetId=tmt_id,
+ TrafficMirrorFilterId=tmf_id,
+ SessionNumber=1,
+ Description='blstsecurity traffic mirror session'
+ )
+ 
+def add_tgw_route_table(route_table_id, tgw_id):
+ try:
+ ec2.create_route(
+ DestinationCidrBlock=blstsec_destination,
+ TransitGatewayId=tgw_id,
+ RouteTableId=route_table_id
+ )
+ return 'traffic mirroring integration installed successfully'
+ except:
+ return 'Wait until blstsecurity will accept the transit gateway attachment and then run the lambda again'
+ 
+def lambda_handler(event, context):
+ source_instance_data = get_instance_data()
+ shared_resources_ids = get_resource_share_ids(get_resource_share_list())
+ if len(shared_resources_ids):
+ create_transit_gateway_attachment(shared_resources_ids['tgw'], source_instance_data['vpc_id'] , source_instance_data['subnet_id'])
+ create_traffic_mirror_session(source_instance_data['network_interface_id'], shared_resources_ids['tmt'], create_traffic_mirror_filter())
+ return add_tgw_route_table(source_instance_data['route_table_id'], shared_resources_ids['tgw'])
+ else:
+ return 'Shared resources not found, please contact blstsecurity for more information'

mirror-traffic/EC2/EC2_Lambda_installation_instructions.pdf

@@ -0,0 +1,2 @@
+# blstsecurity-aws-loggers
+