maxmind info

.gitignore

@@ -272,3 +272,6 @@ compose/local/clamav/freshclam.conf
 # History
 .history
 orochi/utils/test.py
+compose/local/maxmind/GeoLite2-ASN.mmdb
+compose/local/maxmind/GeoLite2-City.mmdb
+compose/local/maxmind/GeoLite2-Country.mmdb

CHANGELOG.md

@@ -1,5 +1,12 @@
 ## Changelog
 
+
+<details open>
+  <summary><b>OROCHI 2.2.0</b></summary>
+
+  * ADD more info on foreign addr in netstat [[#494](https://github.com/LDO-CERT/orochi/issues/494)]
+</details>
+
 <details open>
   <summary><b>OROCHI 2.1.0 [2024/02/12]</b></summary>
 

compose/local/django/Dockerfile

@@ -69,6 +69,9 @@ RUN pip install -r /requirements/local.txt --ignore-installed ruamel.yaml
 
 COPY ./compose/local/__init__.py /src/volatility3/volatility3/framework/constants/__init__.py
 
+RUN mkdir /maxmind
+COPY ./compose/local/maxmind /maxmind
+
 WORKDIR /app
 COPY . .
 COPY ./compose/local/django/entrypoint /entrypoint

compose/local/maxmind/README.txt

@@ -0,0 +1,5 @@
+MAXMIND MMDB FILES
+===================================================================
+
+In order to update MaxMind database you should download them from a workstation with Internet connection.
+This is necessary because you must download databases from https://www.maxmind.com/en/accounts/851360/geoip/downloads after login with a proper account.

orochi/static/css/style.css

@@ -25,6 +25,10 @@ a.navbar-brand {
   padding-bottom: 0px;
 }
 
+.list-group-item {
+  background-color: rgba(var(--bs-tertiary-bg-rgb),var(--bs-bg-opacity))!important;
+}
+
 /********************************************************
   MOVE DOWN FROM TITLE [OVVERRIDE DASHBOARD]
 ********************************************************/

orochi/templates/website/index.html

@@ -11,7 +11,7 @@
 {% endblock %}
 
 {% block sidebar %}
-<h6 class="sidebar-heading d-flex justify-content-between align-items-center px-3 mt-4 mb-1 text-muted">
+<h6 class="sidebar-heading d-flex justify-content-between px-3 mt-4 mb-1 text-muted">
     <span>dumps
         <button id="new-index" type="button" class="btn btn-outline-success btn-sm">
             <i class="fa-solid fa-plus"></i>
@@ -24,7 +24,7 @@ <h6 class="sidebar-heading d-flex justify-content-between align-items-center px-
 </h6>
 {% include "website/partial_indices.html" %}
 <hr />
-<h6 class="sidebar-heading d-flex justify-content-between align-items-center px-3 mt-4 mb-1 text-muted">
+<h6 class="sidebar-heading d-flex justify-content-between px-3 mt-4 mb-1 text-muted">
     <span>plugins</span>
     <input type="text" id="filter_plugin" name="filter_plugin" style="width: 60%;" class="form-control form-control-sm" placeholder="Filter">
 </h6>
@@ -35,7 +35,7 @@ <h6 class="sidebar-heading d-flex justify-content-between align-items-center px-
 {% endblock sidebar %}
 
 {% block content%}
-<div id="main_stage" class="table-responsive px-3 py-3">
+<div id="main_stage" class="px-3 py-3">
     <div class="alert alert-primary" role="alert">
         Select index(es) and plugin!
     </div>
@@ -195,6 +195,24 @@ <h5 class="offcanvas-title" id="leftNoteLabel">History Log</h5>
             });
         });
 
+        // MAXMIND INFO
+        $(document).on("click", ".maxmind-info", function(){
+            var btn = $(this);
+            var ip = btn.data('ip');
+
+            $.ajax({
+                url: "{% url 'website:maxmind' %}",
+                data: { 'ip': ip },
+                method: 'get',
+                beforeSend: function () {
+                    $("#modal-update").modal("show");
+                },
+                success: function (data) {
+                    $("#modal-update .modal-content").html(data);
+                }
+            });
+        });
+
         // UPDATE MAIN STAGE AFTER INDEX, PLUGIN CHANGE
         function update_main_stage() {
             if (selected_plugin == null || selected_indexes.length == 0) {
@@ -224,6 +242,17 @@ <h5 class="offcanvas-title" id="leftNoteLabel">History Log</h5>
                                         d.columns = columns;
                                     }
                                 },
+                                "columnDefs": [{
+                                    "targets": "maxmind" ,
+                                    "render": function ( data, type, row, meta ) {
+                                        tmp_data = data.replace(/^"(.*)"$/, '$1')
+                                        if(!(["0.0.0.0", "*", "::"].includes(tmp_data))){
+                                            return data + ' <a class="btn btn-sm btn-primary maxmind-info" data-ip="' + tmp_data + '" href="#"><i class="fa-solid fa-map-location"></i></a>';
+                                        }else{
+                                            return data;
+                                        }
+                                    }
+                                }],
                                 processing: true,
                                 serverSide: true
                             });
@@ -293,6 +322,7 @@ <h5 class="offcanvas-title" id="leftNoteLabel">History Log</h5>
                 var a = $("input ~ .checkmark", $(this).closest(".check_container"));
                 a.css("background-color", "#eee");
             }
+            $("#filter_plugin").val('');
             update_sidebar();
         });
 

orochi/templates/website/partial_analysis.html

@@ -5,7 +5,7 @@
     <thead>
         <tr>
             {% for col in columns %}
-            <th>{{col}}</th>
+            <th {% if maxmind and col|in_list:"LocalAddr,ForeignAddr" %} class="maxmind" {% endif %}>{{col}}</th>
             {% endfor %}
         </tr>
     </thead>

orochi/templates/website/partial_indices.html

@@ -30,7 +30,7 @@
             {% endif %}
 
             {% if author == user.pk %}
-            <div class="btn-group float-end" role="group" aria-label="Basic example">
+            <div class="btn-group float-end" role="group">
                 <a href="{% url 'website:hex_view' index %}" class="btn btn-outline-dark hex-index btn-sm"
                     data-toggle="tooltip" data-placement="top" title="Hex View">
                     <i class="fas fa-asterisk"></i>

orochi/templates/website/partial_vt.html → orochi/templates/website/partial_json.html

@@ -1,14 +1,10 @@
 {% load widget_tweaks %}
 <div class="modal-header">
-    <h5 class="modal-title">VirusTotal Report</h5>
+    <h5 class="modal-title">{{title}}</h5>
     <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
 </div>
 <div class="modal-body">
-    <pre>
-        <code>
-            {{data | pprint}}
-        </code>
-    </pre>
+    <pre><code>{{data | pprint}}</code></pre>
 </div>
 <div class="modal-footer">
     <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Close</button>

orochi/utils/volatility_dask_elk.py

@@ -62,6 +62,7 @@
     RESULT_STATUS_DISABLED,
     RESULT_STATUS_EMPTY,
     RESULT_STATUS_ERROR,
+    RESULT_STATUS_NOT_STARTED,
     RESULT_STATUS_RUNNING,
     RESULT_STATUS_SUCCESS,
     RESULT_STATUS_UNSATISFIED,
@@ -324,10 +325,6 @@ def run_regipy(filepath):
         logging.error(e)
 
 
-def run_maxmind(filepath):
-    pass
-
-
 def send_to_ws(dump, result=None, plugin_name=None, message=None, color=None):
     """
     Notifies plugin result to websocket
@@ -876,7 +873,10 @@ def unzip_then_run(dump_pk, user_pk, password, restart):
             if restart:
                 tasks_list = tasks_list.filter(plugin__pk__in=restart)
             for result in tasks_list:
-                if result.result != RESULT_STATUS_DISABLED:
+                if result.result not in [
+                    RESULT_STATUS_DISABLED,
+                    RESULT_STATUS_NOT_STARTED,
+                ]:
                     task = dask_client.submit(
                         run_plugin, dump, result.plugin, None, user_pk
                     )

orochi/website/urls.py

@@ -69,6 +69,7 @@ def to_url(self, value):
     # CHANGELOG
     path("changelog", views.changelog, name="changelog"),
     # EXTERNAL VIEW
+    path("maxmind", views.maxmind, name="maxmind"),
     path("json_view/<path:filepath>", views.json_view, name="json_view"),
     path("hex_view/<str:index>", views.hex_view, name="hex_view"),
     path("get_hex/<str:index>", views.get_hex, name="get_hex"),

orochi/website/views.py

@@ -14,6 +14,7 @@
 from urllib.request import pathname2url
 
 import elasticsearch
+import geoip2.database
 import magic
 import requests
 from dask.distributed import Client, fire_and_forget
@@ -32,6 +33,7 @@
 from django.utils.text import slugify
 from elasticsearch import Elasticsearch
 from elasticsearch_dsl import Search
+from geoip2.errors import GeoIP2Error
 from guardian.shortcuts import assign_perm, get_objects_for_user, get_perms, remove_perm
 from pymisp import MISPEvent, MISPObject, PyMISP
 from pymisp.tools import FileObject
@@ -508,10 +510,21 @@ def analysis(request):
                         continue
                 elif res.result != RESULT_STATUS_DISABLED and columns == []:
                     columns = ["Disabled"]
+
+            maxmind = (
+                os.path.exists("/maxmind/GeoLite2-ASN.mmdb")
+                or os.path.exists("/maxmind/GeoLite2-City.mmdb")
+                or os.path.exists("/maxmind/GeoLite2-Country.mmdb")
+            )
             return render(
                 request,
                 "website/partial_analysis.html",
-                {"note": note, "columns": columns, "plugin": plugin.name},
+                {
+                    "note": note,
+                    "columns": columns,
+                    "plugin": plugin.name,
+                    "maxmind": maxmind,
+                },
             )
 
         # SEARCH FOR ITEMS AND KEEP INDEX
@@ -582,13 +595,48 @@ def change_keys(obj):
 ##############################
 # SPECIAL VIEWER
 ##############################
+@login_required
+def maxmind(request):
+    """Use maxmind mmdb to lookup ip information"""
+    if (
+        not Path("/maxmind/GeoLite2-ASN.mmdb").exists()
+        and not Path("/maxmind/GeoLite2-City.mmdb").exists()
+        and not Path("/maxmind/GeoLite2-Country.mmdb").exists()
+    ):
+        raise Http404("404")
+
+    try:
+        ip = request.GET.get("ip")
+        data = {}
+        if Path("/maxmind/GeoLite2-ASN.mmdb").exists():
+            with geoip2.database.Reader("/maxmind/GeoLite2-ASN.mmdb") as reader:
+                data.update(reader.asn(ip).raw)
+        if Path("/maxmind/GeoLite2-City.mmdb").exists():
+            with geoip2.database.Reader("/maxmind/GeoLite2-City.mmdb") as reader:
+                data.update(reader.city(ip).raw)
+        if Path("/maxmind/GeoLite2-Country.mmdb").exists():
+            with geoip2.database.Reader("/maxmind/GeoLite2-Country.mmdb") as reader:
+                data.update(reader.country(ip).raw)
+        return render(
+            request,
+            "website/partial_json.html",
+            {"data": data, "title": "Maxmind Info"},
+        )
+    except (GeoIP2Error, Exception):
+        raise Http404("404")
+
+
 @login_required
 def vt(request):
     """show vt report in dialog"""
     path = request.GET.get("path")
     if Path(path).exists():
         data = json.loads(open(path, "r").read())
-        return render(request, "website/partial_vt.html", {"data": data})
+        return render(
+            request,
+            "website/partial_json.html",
+            {"data": data, "title": "VirusTotal Report"},
+        )
     raise Http404("404")
 
 

requirements/base.txt

@@ -98,7 +98,7 @@ tornado==6.4
 # ------------------------------------------------------------------------------
 # https://github.com/volatilityfoundation/
 # volatility3==2.5.0
--e git+https://github.com/volatilityfoundation/volatility3.git@497d291ef4393e2580052a3dfddbef10e4dc2338#egg=volatility3 volatility3
+-e git+https://github.com/volatilityfoundation/volatility3.git@6d34e43667a4f709902f3c157a4e54ec4ed679ce#egg=volatility3 volatility3
 # https://github.com/VirusTotal/yara-python
 #yara-python==4.1.0
 # https://github.com/Viicos/clamdpy
@@ -113,6 +113,8 @@ capstone==5.0.1
 jsonschema==4.21.1
 # https://github.com/Legrandin/pycryptodome
 pycryptodome==3.20.0
+# https://github.com/maxmind/GeoIP2-python
+geoip2==4.8.0
 
 # Yara
 # ------------------------------------------------------------------------------