Changeset 1472

Timestamp:

04/08/08 10:43:11 (3 months ago)

Author:

kindlund

Message:

Still working on FW integration within Clone.

Files:

• honeyclient/branches/exp/kindlund-simpler_agent/lib/HoneyClient/Manager/VM/Clone.pm (modified) (19 diffs)
• honeyclient/branches/exp/kindlund-simpler_agent/t/honeyclient_manager_vm_clone.t (modified) (6 diffs)

honeyclient/branches/exp/kindlund-simpler_agent/lib/HoneyClient/Manager/VM/Clone.pm

@@ -68 +68 @@
-  my $ip_address = $clone->{'ip_address'};
-
+  # Specify the type of work you want the clone to handle.
+  my $work = {
+      "http://www.google.com/" => 1,
+      "http://www.cnn.com/" => 1,
+      "http://www.mitre.org/" => 10,
+  };
+
+  # Drive the clone, using the work specified.
+  $clone = $clone->drive(work => $work);
+
-  # Get the name of the cloned VM (as it appears in the VMware Console).
-  my $name = $clone->{'name'};
@@ -528 +538 @@
-
-    if (($OBJECT_COUNT >= 0) && defined($self->{'config'})) {
+        # Signal firewall to deny traffic from this clone.
+        # XXX: Fill this in. 
-       
-        # Initialize a new handler, but suppress any initial connection errors.
@@ -711 +723 @@
-            $LOG->info("Initialized clone VM (" . $self->{'name'} . ") using IP (" .
-                       $self->{'ip_address'} . ") and MAC (" . $self->{'mac_address'} . ").");
+
+            # Signal firewall to allow traffic from this clone through.
+            # XXX: Test this.
+            $self->_allowNetwork();
+
-            $LOG->info("Waiting for Agent daemon to initialize inside clone VM.");
-            $logMsgPrinted = 1;
@@ -736 +753 @@
-            # Register the cloned VM with the Drone database.
-            my $dt = DateTime::HiRes->now(time_zone => "local");
-
+
+
+
+
+
+
+
+
-            # Construct the 'Client' object.
-            my $client = {
@@ -866 +890 @@
-# If specified, dumps the supplied fingerprint information to
-# a corresponding file.
+# 
+# Inputs: self, fingerprint hashref
-sub _dumpFingerprint {
-
@@ -871 +897 @@
-    my ($self, $fingerprint) = @_;
-
+    # XXX: Should this be a new .dump file, per compromise?
-    # Dump the fingerprint to a file, if needed.
-    my $COMPROMISE_FILE = getVar(name => "fingerprint_dump");
@@ -884 +911 @@
-        $dump_file->close();
-    }
+}
+
+# Allows the specified VM to use the network.
+#
+# Inputs: self
+sub _allowNetwork {
+    # Extract arguments.
+    my ($self, %args) = @_;
+
+    # Determine if the firewall needs to be bypassed.
+    if ($self->{'_bypass_firewall'}) {
+        return;
+    }
+
+    # Build our VM's network connection table.
+    # Note: We assume our VM has a single MAC address
+    # and a single IP address.
+    my $netTable = {};
+
+    # XXX: This code is a hack and needs to be fixed.
+    $netTable->{$self->{'name'}}->{'sources'}->{$self->{'mac_address'}}->{$self->{'ip_address'}} = {
+        # Allow all TCP traffic from this VM through on ports 80, 443, and 3690.
+        tcp => [ 80, ], #443, 3690 ],
+    };
+
+    # XXX: This is a defect.  The current FW code requires we set a target, but
+    # doesn't care what hostname we provide -- as long as it's resolvable.
+    # However, it *does* care about the target ports, which are hardcoded.
+    $netTable->{$self->{'name'}}->{'targets'} = {
+        'www.cnn.com' => {
+            tcp => [ 80, 443, 3690 ],
+        },
+    };
+
+    $LOG->info("Allowing VM (" . $self->{'name'} . ") network access.");
+    $self->{'_fw_handle'}->addChain($netTable);
+    $self->{'_fw_handle'}->addRules($netTable);
+}
+
+# Denies the specified VM use of the network.
+# 
+# Inputs: self
+sub _denyNetwork {
+    # Extract arguments.
+    my ($self, %args) = @_;
+
+    # Determine if the firewall needs to be bypassed.
+    if ($self->{'_bypass_firewall'}) {
+        return;
+    }
+
+    # Build our VM's network connection table.
+    # Note: We assume our VM has a single MAC address
+    # and a single IP address.
+    my $netTable = {};
+    
+    # XXX: This code is a hack and needs to be fixed.
+    $netTable->{$self->{'name'}}->{'sources'}->{$self->{'mac_address'}}->{$self->{'ip_address'}} = {
+        # Deny all TCP traffic from this VM.
+        tcp => [ 80, ], #443, 3690 ],
+    };
+
+    $LOG->info("Denying VM (" . $self->{'name'} . ") network access.");
+    $self->{'_fw_handle'}->deleteChain($netTable);
-}
-
@@ -968 +1059 @@
-
-    # Create a generic empty clone, with test state data.
-
-
-
+, _bypass_firewall => 1
+, _bypass_firewall => 1
+, _bypass_firewall => 1
-    $clone = undef;
-
@@ -981 +1072 @@
-                       "# with a fully functional master VM that has the HoneyClient code\n" .
-                       "# loaded upon boot-up.\n" .
+                       "#\n" .
+                       "# This test also requires that the firewall VM is registered,\n" .
+                       "# powered on, and operational.\n" .
-                       "#\n" .
-                       "# Your master VM is: " . getVar(name => "master_vm_config", namespace => "HoneyClient::Manager::VM") . "\n" .
@@ -1073 +1167 @@
-        _agent_handle => undef,
-
+        # A SOAP handle to the FW daemon.  (This internal variable
+        # should never be modified externally.)
+        _fw_handle => undef,
+
-        # A variable indicated how long the object should wait for
-        # between subsequent retries to any SOAP server
@@ -1078 +1176 @@
-        # be modified externally.)
-        _retry_period => 2,
+
+        # A variable indicating if the firewall should be bypassed.
+        # (For testing use only.)
+        _bypass_firewall => 0,
-    );
-
@@ -1097 +1199 @@
-    # Set a valid handle for the VM daemon.
-    $self->{'_vm_handle'} = getClientHandle(namespace => "HoneyClient::Manager::VM");
+    
+    # Set a valid handle for the FW daemon.
+    $self->{'_fw_handle'} = getClientHandle(namespace => "HoneyClient::Manager::FW");
+
+    # XXX: Delete this, eventually.
+    $LOG->info("Installing default firewall rules.");
+    $self->{'_fw_handle'}->installDefaultRules();
+
+    # Determine if the firewall needs to be bypassed.
+    if ($self->{'_bypass_firewall'}) {
+        $self->{'_fw_handle'}->allowAllTraffic();
+    }
-
-    # If the clone's configuration wasn't supplied initially, then
@@ -1184 +1298 @@
-                       "# loaded upon boot-up.\n" .
-                       "#\n" .
+                       "# This test also requires that the firewall VM is registered,\n" .
+                       "# powered on, and operational.\n" .
+                       "#\n" .
-                       "# Your master VM is: " . getVar(name => "master_vm_config", namespace => "HoneyClient::Manager::VM") . "\n" .
-                       "#\n" .
@@ -1190 +1307 @@
-
-        # Create a generic empty clone, with test state data.
-
+_bypass_firewall => 1
-        my $cloneConfig = $clone->{config};
-
@@ -1254 +1371 @@
-    }
-
+    # Signal firewall to deny traffic from this clone.
+    # XXX: Fill this in. 
+
-    # Extract the VM configuration file.
-    my $vmConfig = $self->{'config'};
@@ -1343 +1463 @@
-                       "# loaded upon boot-up.\n" .
-                       "#\n" .
+                       "# This test also requires that the firewall VM is registered,\n" .
+                       "# powered on, and operational.\n" .
+                       "#\n" .
-                       "# Your master VM is: " . getVar(name => "master_vm_config", namespace => "HoneyClient::Manager::VM") . "\n" .
-                       "#\n" .
@@ -1349 +1472 @@
-
-        # Create a generic empty clone, with test state data.
-
+_bypass_firewall => 1
-        my $cloneConfig = $clone->{config};
-
@@ -1431 +1554 @@
-        $result = thaw(decode_base64($som->result()));
-
-# XXX: Delete this, eventually.
-print Dumper($result) . "\n";
-    
-        # Figure out if there was a compromise found.
-        if (scalar(@{$result->{'fingerprint'}->{os_processes}})) {
@@ -1478 +1598 @@
-        }
-    }
+
+    # XXX: Add error handling.
-
-    return $self;

honeyclient/branches/exp/kindlund-simpler_agent/t/honeyclient_manager_vm_clone.t

@@ -198 +198 @@
-
-    # Create a generic empty clone, with test state data.
-
-
-
+, _bypass_firewall => 1
+, _bypass_firewall => 1
+, _bypass_firewall => 1
-    $clone = undef;
-
@@ -211 +211 @@
-                       "# with a fully functional master VM that has the HoneyClient code\n" .
-                       "# loaded upon boot-up.\n" .
+                       "#\n" .
+                       "# This test also requires that the firewall VM is registered,\n" .
+                       "# powered on, and operational.\n" .
-                       "#\n" .
-                       "# Your master VM is: " . getVar(name => "master_vm_config", namespace => "HoneyClient::Manager::VM") . "\n" .
@@ -264 +267 @@
-                       "# loaded upon boot-up.\n" .
-                       "#\n" .
+                       "# This test also requires that the firewall VM is registered,\n" .
+                       "# powered on, and operational.\n" .
+                       "#\n" .
-                       "# Your master VM is: " . getVar(name => "master_vm_config", namespace => "HoneyClient::Manager::VM") . "\n" .
-                       "#\n" .
@@ -270 +276 @@
-
-        # Create a generic empty clone, with test state data.
-
+_bypass_firewall => 1
-        my $cloneConfig = $clone->{config};
-
@@ -325 +331 @@
-                       "# loaded upon boot-up.\n" .
-                       "#\n" .
+                       "# This test also requires that the firewall VM is registered,\n" .
+                       "# powered on, and operational.\n" .
+                       "#\n" .
-                       "# Your master VM is: " . getVar(name => "master_vm_config", namespace => "HoneyClient::Manager::VM") . "\n" .
-                       "#\n" .
@@ -331 +340 @@
-
-        # Create a generic empty clone, with test state data.
-
+_bypass_firewall => 1
-        my $cloneConfig = $clone->{config};
-
-# TODO: Fix this.
-        $clone = $clone->drive(work => { 'http://www.google.com/' => 1 });
-        isa_ok($clone, 'HoneyClient::Manager::VM::Clone', "drive(work => { 'http://www.google.com/' => 1})") or diag("The drive() call failed.");