# soc_collector -- Gathering vulnerability information and presenting it
## The oneliner
The collector answers the fundamental question constantly posed by all
SOC staff ever: Can we have lunch now?
## The elevator pitch
You're working as a Security Operations Center engineer and your job
is, one, to know when any part of your infrastructure is vulnerable
and, two, if it is, to do something smart about it.
The collector compiles data from vulnerability scanners and stores the
data in a database. You query the collector for the current
vulnerability status of your network infrastructure.
Without a summary of your vulnerability status and the ability to quickly
deepen your knowledge of a given system, your chances of ever eating
lunch with a clear conscience are slim.
## The user interface
TODO
## The gory^Wtechnical details
TODO
## The name
The "soc" part means Security Operations Center.
The "collector" part is correct but misleading since `soc_collector`
also processes and presents.
## The license
This code is licensed under the 2-Clause BSD License, see LICENSE for
the full text.
## How to test it out
The collector has been tested on Debian 10 (Buster). Other Unix
systems should also be capable of hosting it.
Clone the repository.
```sh
git clone https://git.sunet.se/soc_collector.git
```
Install dependencies (Debian).
```sh
sudo apt install python3 python3-pip python3-leveldb
pip3 install falcon
```
Start CouchDB, making sure to give it a username and password. The
values below are demo placeholders for a local test; choose your own
for anything that is reachable by other people.
```sh
cd docker
export COUCHDB_USER=couchdb
export COUCHDB_PASSWORD=insecure
docker-compose up -d
```
Start the demo HTTP server. Pass it a few environment variables so it
knows which CouchDB to use; the username and password must match what
CouchDB was started with.
```sh
export DB_NAME=test
export DB_HOSTNAME=localhost
export DB_USERNAME=couchdb
export DB_PASSWORD=insecure
python3 src/wsgi.py
```
Submit some data. The body is a JSON array of records; `admin:admin`
is the demo's credential for the `add` endpoint.
```sh
echo '[{
  "ip": "192.0.2.10",
  "port": 443,
  "whois_description": "SOMENET",
  "asn": "AS65001",
  "asn_country_code": "SE",
  "ptr": "host10.test.soc.sunet.se",
  "abuse_mail": "abuse@test.soc.sunet.se",
  "domain": "sunet.se",
  "timestamp_in_utc": "2021-06-21T14:06 UTC",
  "producer_unique_keys": {
    "subject_cn": "unknown",
    "subject_o": "unknown",
    "full_name": "VMware ESXi 6.7.0 build-17700523",
    "end_of_general_support": false,
    "cve_2021_21972": "CVE-2021-21972 not applicable",
    "cve_2021_21974": "CVE-2021-21974 patched",
    "cve_2021_21985": "CVE-2021-21985 not applicable"
  }
}]' | curl -s -u admin:admin --data-binary @- http://localhost:8000/sc/v0/add
```
Get the same data back. Note the trailing colon in `-u sunet.se:`:
the username is the domain (the `domain` field of the record just
submitted) and the password is empty.
```sh
curl -s -u sunet.se: 'http://localhost:8000/sc/v0/get' | json_pp -json_opt utf8,pretty
```
We might also filter the data with a query parameter. The record
submitted above has port 443, so this returns it; filtering on a port
no record has, say 111, matches nothing.
```sh
curl -s -u sunet.se: 'http://localhost:8000/sc/v0/get?port=443' | json_pp -json_opt utf8,pretty
```
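The same round trip as a small Python client, added here as an example and
not part of the soc_collector code base. It assumes only what the curl
calls above show: `POST /sc/v0/add` takes a JSON array of records,
`GET /sc/v0/get` takes optional query-string filters, and both use HTTP
basic authentication. The `SAMPLE` record is constructed to match the one
submitted above, and the field checks in `record_error` are this example's
own idea of a sane record, not a schema the project publishes; they stop
malformed scanner output (a hostname in `ip`, a port as a string, a
timestamp in another format) from being stored where it would never match a
query.

```python
"""Added example, not the soc_collector project's own code: a minimal client
for the demo API exercised in this README. Assumes the endpoints and basic
auth shown in the curl calls; everything else is constructed for illustration."""
import base64
import ipaddress
import json
import urllib.parse
import urllib.request
from datetime import datetime

BASE_URL = "http://localhost:8000/sc/v0"    # the demo server started above
TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M UTC"     # matches "2021-06-21T14:06 UTC"
REQUIRED = ("ip", "port", "domain", "timestamp_in_utc", "producer_unique_keys")

# Constructed record in the same shape as the one submitted with curl above.
SAMPLE = {
    "ip": "192.0.2.10",
    "port": 443,
    "whois_description": "SOMENET",
    "asn": "AS65001",
    "asn_country_code": "SE",
    "ptr": "host10.test.soc.sunet.se",
    "abuse_mail": "abuse@test.soc.sunet.se",
    "domain": "sunet.se",
    "timestamp_in_utc": "2021-06-21T14:06 UTC",
    "producer_unique_keys": {
        "full_name": "VMware ESXi 6.7.0 build-17700523",
        "end_of_general_support": False,
        "cve_2021_21974": "CVE-2021-21974 patched",
    },
}


def record_error(record):
    """Return why the record is unusable, or None if it looks sane.
    These checks are this example's assumption of what a good record is."""
    missing = [k for k in REQUIRED if k not in record]
    if missing:
        return "missing fields: " + ", ".join(missing)
    try:
        ipaddress.ip_address(record["ip"])
    except ValueError:
        return "ip is not an IPv4 or IPv6 address: %r" % (record["ip"],)
    port = record["port"]
    if isinstance(port, bool) or not isinstance(port, int) or not 0 < port < 65536:
        return "port must be an integer in 1..65535: %r" % (port,)
    try:
        datetime.strptime(record["timestamp_in_utc"], TIMESTAMP_FORMAT)
    except (TypeError, ValueError):
        return "timestamp_in_utc is not of the form YYYY-MM-DDTHH:MM UTC"
    if not isinstance(record["producer_unique_keys"], dict):
        return "producer_unique_keys must be an object"
    return None


def basic_auth_header(user, password):
    """HTTP basic auth value, the same thing `curl -u user:password` sends."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return "Basic " + token


def build_add_request(records, user, password, base_url=BASE_URL):
    """POST a JSON array of validated records to /add, as the curl call did."""
    errors = [(i, e) for i, e in enumerate(map(record_error, records)) if e]
    if errors:
        raise ValueError("refusing to submit: %r" % (errors,))
    req = urllib.request.Request(
        base_url + "/add", data=json.dumps(records).encode(), method="POST")
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Content-Type", "application/json")
    return req


def build_get_request(domain, filters=None, base_url=BASE_URL):
    """GET /get for a domain; filters become the query string, e.g. port=443.
    Mirrors `curl -u sunet.se:`: the domain as username, empty password."""
    url = base_url + "/get"
    if filters:
        url += "?" + urllib.parse.urlencode(filters)
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", basic_auth_header(domain, ""))
    return req


def send(req, opener=None):
    """Perform the request and decode the JSON body (opener is injectable)."""
    opener = opener or urllib.request.build_opener()
    with opener.open(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Needs the demo server from this README running on localhost:8000.
    send(build_add_request([SAMPLE], "admin", "admin"))
    print(json.dumps(send(build_get_request("sunet.se", {"port": 443})), indent=2))
```

The request builders are separated from `send` so the body, URL and
`Authorization` header can be inspected without a server; `send` only runs
against the demo started above.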