Merge pull request #32 from Kalsaria-C/master

Scripts for generating logs required in sprints/livelabs

Author: kgvarun

utils/api-logs-generator.py

@@ -0,0 +1,22 @@
+import random
+from datetime import datetime, timedelta
+
+current_time = datetime.utcnow()
+method = ["POST", "GET"]
+username = ["livelabuser01", "Naman", "Jacob", "Riya", "livelabuser02"]
+client_ip = ["::ffff:10.244.0.104", "::ffff:10.244.0.257", "::ffff:10.244.0.158", "::ffff:10.244.0.007", "::ffff:10.244.0.257"]
+req_code = ["401", "200", "201", "304", "400", "404", "406", "409", "500", "503"]
+content_length = random.randint(10,1000)
+
+for i in range(1000): # 1000 random logs generated
+    random_var_user_and_ip = random.randint(0,len(username)-1)
+    # Generate a random number of seconds between 0 and 7200 (120 minutes)
+    random_seconds = random.randint(0, 120*60)
+    # Calculate the end time by subtracting random seconds from current time
+    end_time_in_seconds = current_time - timedelta(seconds=random_seconds)
+    # Random 1000 log records of 2 hours before current UTC time.
+    end_time_in_proper_format = end_time_in_seconds.strftime('%d/%b/%Y:%T')
+    log = client_ip[random_var_user_and_ip] + " - " + username[random_var_user_and_ip] + " [" + end_time_in_proper_format + " +0000] " + '"' + method[random.randint(0,len(method)-1)] + " /api/orders HTTP/1.1" + '" ' + req_code[random.randint(0,len(req_code)-1)] + " " + str(content_length) + ' "-" ' + '"python-requests/2.25.1"' + "\n"
+    with open('livelab_logs.txt', 'a') as f:
+        f.write(log)
+    f.close()

utils/create-sprint-container-image-pulled-manually-logs-script.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+echo '
+{
+    "name": "fluentd",
+    "ready": true,
+    "restartCount": 0,
+    "image": "iad.ocir.io/namespace/fluentd_loganalytics_1:latest",
+    "imageID": "docker-pullable://iad.ocir.io/ns/fluentd_loganalytics_1@sha256:123456712345677c2b71e6e632ea376466d80997067e78e522862a62d58922fa",
+    "containerID": "docker://090458514f4d8ba69844f4cdcd55128d576ac6777e5937ca16f9e319fedb2536",
+    "started": true,
+    "initContainer": false,
+    "state": {
+        "status": "running",
+        "startedAt": "2021-08-13T12:21:35Z"
+    },
+    "lastState": {},
+    "podName": "fluentd-g42bx",
+    "nodeName":"10.20.10.14",
+    "namespaceName":"kube-system"
+}';

utils/create-sprint-oracle-database-abnormal-termination-logs-script.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+echo $(date +"%a %b %d %H:%M:%S %Y")"
+ERROR:
+ORA-12547 : TNS: lost contact
+
+Cause: Partner has unexpectedly gone away, usually during process startup.
+
+Action: Investigate partner application for abnormal termination. On an Interchange, this can happen if the machine is overloaded.
+";

utils/create-sprint-sensitive-configuration-and-privilege-escalation-logs-script.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+echo -n $(date +"%a %b"); echo -n "  "; echo $(date +"%d %H:%M:%S %Y %z")"
+LENGTH : '157'
+ACTION :[67] 'ALTER PROFILE'
+DATABASE USER:[3] 'sys'
+PRIVILEGE :[6] 'SYSDBA'
+CLIENT USER:[8] 'user1'
+CLIENT TERMINAL:[0] ''
+STATUS:[1] '0'
+DBID:[9] '592398530'
+";

utils/create-sprint-suspicious-activity-and-data-exfiltration-logs-script.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# Picks the username sent as an argument to made the logs with or picks the current user
+USER_NAME=${1:-$(whoami)}
+
+# A sample of Ip Addresses from multiple locations to trigger the alarm
+SAMPLE_IP_ADDRESSES=( "22.60.240.244" "196.220.230.205" "40.39.48.34" "217.128.212.236" "17.241.30.58" )
+
+# Generates the logs file content made of 5 unsuccesful login attempts OCI audit logs
+for IP_ADDRESS in ${SAMPLE_IP_ADDRESSES[@]};
+do
+
+  # Generates the json content of the log
+  echo -n "
+{
+  \"data\": {
+    \"availabilityDomain\": \"AD1\",
+    \"compartmentId\": \"ocid1.tenancy.uniqueId\",
+    \"compartmentName\": \"tanancy-uuid\",
+    \"eventName\": \"InteractiveLogin\",
+    \"identity\": {
+      \"ipAddress\": \"$IP_ADDRESS\",
+      \"principalId\": \"ocid1.user.oc1.uniqueId\",
+      \"principalName\": \"$USER_NAME\",
+      \"tenantId\": \"ocid1.tenancy.uniqueId\",
+      \"userAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0\"
+    },
+    \"message\": \"InteractiveLogin failed\",
+    \"response\": {
+      \"payload\": {
+      \"login_input\": \"tenant: tanancy-uuid, user: $USER_NAME\",
+      \"login_result\": \"PASSWORD_INVALID\"
+      },
+      \"responseTime\": \"2023-11-13T10:25:30.589Z\",
+      \"status\": \"400\"
+    }
+  },
+  \"time\": \"$(date +"%Y-%m-%dT%H:%M:%S%:%z")\",
+  \"type\": \"com.oraclecloud.IdentitySignOn.InteractiveLogin\"
+}";
+done;
+
+# Substitutes any trailing character by a new line
+echo;

utils/f5-firewall-logs.py

@@ -0,0 +1,15 @@
+import os
+import random
+from datetime import datetime, timedelta
+
+current_time = datetime.utcnow()
+formatted_time = current_time.strftime("%b %d %H:%M:%S")
+log_message = fr"{formatted_time} XXXX_F5_DMZXX err dcc[11457]: 9999999999:9: [SECEV] Request blocked, violations: Web scraping detected. HTTP protocol compliance sub violations: N/A. Evasion techniques sub violations: N/A. Web services security sub violations: N/A. Virus name: N/A. Support id: 99999999999999999, source ip: 192.168.1.100, xff ip: N/A, source port: 99999, destination ip: 203.128.45.67, destination port: 999, route_domain: 200, HTTP classifier: /Common/www.xxxxxxxxx.yy.http, scheme HTTPS, geographic location: <RU>, request: <GET /ns/xxxxxx.yyy?id_seccion=9999 HTTP/1.1\r\nContent-Length: 0\r\nCookie: XXXXXXXX_XXXXXXXXX=d8b78f937f6f9d569cda500fd5cae49>, username: <[email protected]>, session_id: <d9ba5ea0f4e98df0>"
+
+file_name = 'f5-firewall-logs.log'
+if os.path.exists(file_name):
+    os.remove(file_name)
+
+with open(file_name, 'a') as f:
+  f.write(log_message)
+f.close()

utils/microsoft-dns-server-logs.py

@@ -0,0 +1,75 @@
+import os
+import random
+from datetime import datetime, timedelta
+
+current_time = datetime.utcnow() - timedelta(minutes=10)
+formatted_time = current_time.strftime("%m/%d/%Y %I:%M:%S %p")
+event_str = f"{formatted_time} 03B4 EVENT 192.168.1.10 The DNS server has started."
+ips = ['10.0.0.5', '192.168.2.20', '192.168.2.2', '10.1.1.1']
+sockets = [336, 336, 328, 2688]
+remote_addrs = ['::1', '::1', '192.168.1.2', '192.168.1.2']
+ports = [64329, 64329, 37325, 53]
+packet_str = ''
+
+def choice_and_remove(list):
+  random_element = random.choice(list)
+  list.remove(random_element)
+  return random_element
+
+def get_random_values():
+  return {
+    'ip': choice_and_remove(ips),
+    'socket': choice_and_remove(sockets),
+    'remote_addr': choice_and_remove(remote_addrs),
+    'port': choice_and_remove(ports)
+  }
+
+for i in range(4):
+  current_time += timedelta(seconds=random.randint(1, 120))
+  formatted_time = current_time.strftime("%m/%d/%Y %I:%M:%S %p")
+  random_values = get_random_values()
+  packet_str += f'''\n{formatted_time} 00DC PACKET {random_values['ip']}  00000000016B80A0 UDP Rcv ::1             9ebb   Q [0001   D   NOERROR] SOA    (5)xyztu(4)labs(0)
+  UDP question info at 00000000016B80A0
+    Socket = {random_values['socket']}
+    Remote addr {random_values['remote_addr']}, port {random_values['port']}
+    Time Query=588068, Queued=0, Expire=0
+    Buf length = 0x0fa0 (4000)
+    Msg length = 0x001c (28)
+    Message:
+      XID       0x9ebb
+      Flags     0x0100
+        QR        0 (QUESTION)
+        OPCODE    0 (QUERY)
+        AA        0
+        TC        0
+        RD        1
+        RA        0
+        Z         0
+        CD        0
+        AD        0
+        RCODE     0 (NOERROR)
+      QCOUNT    1
+      ACOUNT    0
+      NSCOUNT   0
+      ARCOUNT   0
+      QUESTION SECTION:
+      Offset = 0x000c, RR count = 0
+      Name      "(5)xyztu(4)labs(0)"
+        QTYPE   SOA (6)
+        QCLASS  1
+      ANSWER SECTION:
+        empty
+      AUTHORITY SECTION:
+        empty
+      ADDITIONAL SECTION:
+        empty'''
+
+logs = f'{event_str}{packet_str}'
+file_name = 'microsoft-dns-server-logs.log'
+
+if os.path.exists(file_name):
+    os.remove(file_name)
+
+with open(file_name, 'a') as f:
+  f.write(logs)
+f.close()

utils/oci-storage-bucket-logs.py

@@ -0,0 +1,64 @@
+import os
+import random
+from datetime import datetime, timedelta
+
+ingested_time = datetime.utcnow() - timedelta(minutes=3)
+time = ingested_time + timedelta(seconds=random.randint(1, 120))
+formatted_ingested_time = ingested_time.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
+formatted_time = time.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
+
+log_string = f'''
+{{
+    "data": {{
+        "apiType": "native",
+        "authenticationType": "instance",
+        "bucketCreator": "Unknown",
+        "bucketId": "ocid1.bucket.oc1.abc.abcdef123456789",
+        "bucketName": "log",
+        "clientIpAddress": "192.168.0.104",
+        "compartmentId": "ocid1.compartment.oc1..abcdefg1234568888",
+        "compartmentName": "compartment_name",
+        "credentials": "abcdef123456789abcdef",
+        "eTag": "45385429-904b-4db1-866e-123",
+        "endTime": "2020-09-29T20:02:31.811Z",
+        "isPar": false,
+        "message": "Object retrieved.",
+        "namespaceName": "namespace_value",
+        "objectName": "object_name",
+        "opcRequestId": "iad-1:x-uGtXG5Wdk3abc",
+        "principalId": "ocid1.instance.oc1.12345",
+        "principalName": "UnknownPrincipal",
+        "region": "us-region-2",
+        "requestAction": "GET",
+        "requestResourcePath": "/n/namespace_value/b/log/o/object_name",
+        "startTime": "2023-09-29T20:02:31.787Z",
+        "statusCode": 200,
+        "tenantId": "ocid1.tenancy.oc1..6w4ohcbz7otxxy6kd",
+        "tenantName": "loganprod",
+        "userAgent": "Oracle-JavaSDK/1.19.3 (Linux/4.14.35-1902.305.4.el7uek.x86_64; Java/1.8.0_251; Java HotSpot(TM) 64-Bit GraalVM EE 19.3.2/25.251-b08-jvmci-20.1-b02-dev)",
+        "vcnId": "477016"
+    }},
+    "id": "20919d7c-2d6d-401a-9858-123",
+    "oracle": {{
+        "compartmentid": "ocid1.compartment.oc1..lxenat5opur",
+        "ingestedtime": "{formatted_ingested_time}",
+        "loggroupid": "ocid1.loggroup.oc1.gmsmd5c7qmebnsyx7dm",
+        "logid": "ocid1.log.oc1.iz6lu3innhmdyb6aiamaaaaa",
+        "tenantid": "ocid1.tenancy.oc1..1234"
+    }},
+    "source": "log",
+    "specversion": "1.0",
+    "subject": "subject value",
+    "time": "{formatted_time}",
+    "type": "com.oraclecloud.objectstorage.getobject"
+}}
+'''
+
+file_name = 'oci-storage-bucket-logs.log'
+
+if os.path.exists(file_name):
+    os.remove(file_name)
+
+with open(file_name, 'a') as f:
+  f.write(log_string)
+f.close()

utils/upload-helper.py

@@ -0,0 +1,107 @@
+"""
+  # This script is intended to run in your OCI Tenancy,
+  # It uploads a file from your OCI Shell into the logging analytics upload service.
+
+  # @param file - the path of the file to upload
+  # @param filename - The name with which the file will be saved in OCI
+  # @param log-source - The log source to upload the file for
+  # @param name - The name of the upload instance
+"""
+import subprocess, json, argparse
+
+
+# CLI Arguments
+argParser = argparse.ArgumentParser()
+argParser.add_argument("-f", "--file", help="your file", required=True)
+argParser.add_argument("-s", "--filename", help="your filename", required=True)
+argParser.add_argument("-l", "--log-source", help="your log source", required=True)
+argParser.add_argument("-n", "--name", help="your name", required=True)
+
+args = argParser.parse_args()
+
+
+# Functions
+# Lets the user choose a compartment to use the groups of
+def choose_compartment() -> str:
+
+  # Compartment Variables
+  compartments = json.loads(
+    subprocess.getoutput('oci iam compartment list --all --query "data[].{name:name, id:id}" --access-level ANY --compartment-id-in-subtree true')
+  )
+  compartments_names = [compartment['name'] for compartment in compartments]
+
+  # List the compartments of the OCI tenancies
+  print("Here is the list of your OCI tenancy compartments: ")
+  for name in enumerate(compartments_names):
+    print(*name, sep='> ')
+
+  # Prompt the user to select a value
+  selected_input = input("Please, Choose the index of the compartment you want to upload your files to: ")
+
+  while not (selected_input.isnumeric() and 0 <= int(selected_input) < len(compartments_names)) : # re-prompt if the user selected a different value
+    selected_input = input("The compartment selected does not exist, Please choose a valid compartment index: ")
+
+  return compartments[int(selected_input)]
+
+
+# Get the default namespace label
+def get_namespace() -> str:
+  namespace = subprocess.getoutput('''oci log-analytics namespace list --compartment-id $(oci iam compartment list --all --compartment-id-in-subtree true --access-level ACCESSIBLE --include-root --raw-output --query "data[?contains(\\"id\\",'tenancy')].id | [0]") --query "data.items[].{namespace: \\"namespace-name\\"}[0].namespace" --raw-output''')
+
+  return namespace
+
+
+# Lets the user choose a compartment to use the groups of
+def choose_log_group(settings:dict) -> str:
+
+  response = subprocess.getoutput(f'''oci log-analytics log-group list -c {settings["compartment"]["id"]} --namespace-name {settings["namespace"]} --query "data.items[].{{name: \\"display-name\\", id: id}}"''')
+
+  if response == "Query returned empty result, no output to show.":
+    # Create a new log group
+    print('You have no log groups in your compartment (Check your region and tenancy again)')
+    if not input('Do you want to create a new log group automatically? (y|n): ').lower() in ('y', 'yes'):
+      return
+
+    return create_log_group(settings)
+
+  # Compartment Variables
+  log_groups = json.loads(
+    subprocess.getoutput(f'''oci log-analytics log-group list -c {settings["compartment"]["id"]} --namespace-name {settings["namespace"]} --query "data.items[].{{name: \\"display-name\\", id: id}}"''')
+  )
+
+  log_groups_names = [log_group['name'] for log_group in log_groups]
+
+  # List the log groups of the OCI tenancies
+  print("Here is the list of your OCI tenancy log groups: ")
+  for name in enumerate(log_groups_names):
+    print(*name, sep='> ')
+
+  # Prompt the user to select a value
+  selected_input = input("Please, Choose the index of the log group you want to upload your files to: ")
+
+  while not (selected_input.isnumeric() and 0 <= int(selected_input) < len(log_groups_names)) : # re-prompt if the user selected a different value
+    selected_input = input("The log group selected does not exist, Please choose a valid log group index: ")
+
+  return log_groups[int(selected_input)]
+
+
+# Create a new log group
+def create_log_group(settings:dict):
+  return json.loads(
+    subprocess.getoutput(f"""oci log-analytics log-group create --namespace-name {settings["namespace"]} --display-name "Live Labs Log Group - You can delete it once you are done" --compartment-id {settings["compartment"]["id"]}""")
+  )
+
+
+# Implementation
+# The bash command parameters
+settings = {
+  "compartment": choose_compartment(),
+  "namespace": get_namespace()
+}
+
+settings["log_group"] = choose_log_group(settings)
+
+# OCI command script
+print(
+  subprocess.getoutput(f'''oci log-analytics upload upload-log-file --file "{args.file}" --filename "{args.filename}" --log-source-name "{args.log_source}" --namespace-name "{settings["namespace"]}" --opc-meta-loggrpid "{settings["log_group"]["id"]}" --upload-name "{args.name}"''')
+)