Home
Purpose: The AttackSimulator application provides a web-based application to generate data feeds that are published via syslog. The following features are available in AttackSimulator:
- Generate events in any format
- Variable substitution within feeds (Example: Time, AccountName, IPAddress etc.)
- Simulate real production data feeds based on an "Environment"
- Built-in variable generators like randomvaluegenerator, randomstringgenerator, randomexternalipgenerator, sequentialvaluegenerator, datevaluegenerator
- Allows using lookup information during the generation of feeds (Example: store possible protocols in a table and use these protocols in data feeds)
- Multiple users can sign into AttackSimulator, and each user has their own unique environment
- Set up multiple syslog destinations to send the data feeds to
- Prerequisites: MySQL 5.6 and Tomcat 8
- Run the DB schema
- Deploy Tomcat
- Open the code in your IDE and build it (AttackSimulator.war)
- DB credentials are currently stored in multiple files (jdbc.properties)
- Deploy the war file in Tomcat (place the war file in Tomcat_home/webapps)
- Start Tomcat (bin/startup.sh)
- Click on the First Time User/Register link
- Enter your details and choose a username and password to log in
- An email will be sent to the administrator for approval
- Once approved, you can log in using the username and password provided during registration
- Generate an Environment that mimics a real-world organization:
  - Enter the number of "employees" in the company
  - Enter the number of devices that should be in the DMZ
  - Enter the IP address of the syslog server and the port that is open on the syslog server
  - Select the countries from which network traffic will be observed
- During the environment generation process, AttackSimulator will randomly pick a set of users from the master user repository and make them part of your environment. Similarly, a set of DMZ devices will be generated, and IP addresses from the countries you selected will be reserved for the events that are generated
- Now you can download the users file in comma-delimited format and use it for ingestion into SNYPR
- Click on the Orders tab in the left panel
- Choose the data source for which you want data and place your order
- Click on the Run button to begin sending the data
```sql
-- Purpose: Used for storing configurations for simulating an attack
select * from attackconfiguration; -- Schema: (feedtype, description, transactionfile
select * from attackdefinition; -- Schema: (feedtype, orderid, feedconfigid, userid, attackelement1, attackelement2
select * from attackdetails; -- Schema: (orderid, nextorderid
select * from attackorders; -- Schema: (attackid, attackerid, threatid, username, secuserid, transactionfile, destinationip, destinationport, dayofattack, timeofattack, frequency
-- Purpose: DMZ machines for an environment
-- Schema: (secuserid, dmzaddress, dmzhostname)
select * from dmzusermapping;
-- Purpose: Countries for an environment
-- Schema: (secuserid, country)
select * from extusermapping;
-- Purpose: Master table of IP address ranges per country
-- Schema: (iprangebegin, iprangeend, countrycode, country)
select * from ipcountry;
-- Schema: (feedtype, configfield1, configfield2, configfield3 .. configfield20)
select * from feedconfiguration;
-- Schema: (feedconfigid, feedconfigfield, feedconfigfieldvalue)
select * from feedconfigurationoptions;
-- Purpose: Master table relating feedtype to the template file used to generate the events
-- Schema: (feedtype, transactionfilepath)
select * from feedmaster;
-- Purpose: List of orders placed by a user
-- Schema: (userid, feedtype, frequency, startdate, enddate, destinationip, destinationport, approved, threadid, weekendfactor)
select * from orders;
-- Purpose: Stores the user information for AttackSimulator users
select * from sec_role;
select * from sec_user;
select * from sec_user_sec_role;
-- Purpose: Stores the syslog destination for sending events
-- Schema: (secuserid, destinationip, destinationport)
select * from usersyslogdetails;
-- Purpose: Employee user details in an environment
-- Schema: (secuserid, userid, ipaddress1, ipaddress2, ipaddress3, workemail, lanid, account1, username, desktophostname, desktopipaddress, internalip)
select * from sysipusermapping;
select * from userip; -- variable table: firstname, lastname, ipaddress
select * from useripaddress; -- variable table: firstname, lastname, ipaddress
select * from usermaster; -- Master table used to randomly select users from when generating an environment
-- Purpose: Master table used to randomly select users from when generating an environment
select * from users;
-- Purpose: List of variables used in template files.
-- Variables can be of type:
-- -- tablevaluegenerator: params1: name of table to query, params2: query used - eg: department like '%Finance%'
-- -- randomvaluegenerator: Randomly choose an integer in range; params1: minimum integer, params2: maximum integer
-- -- datevaluegenerator: Randomly generate a date in the specified format; params1: format like yyyy-MM-dd'T'HH:mm:ss, or specify epoch
-- -- sequentialvaluegenerator: Sequentially generate integers starting from the specified number; params1: integer
-- -- dmztablegenerator: Queries the dmzusermapping table and picks up some dmzaddress
-- -- randomexternalipgenerator: Chooses an IP address from one of the countries chosen in the user's environment, for use in external traffic
-- -- randomstringgenerator: Generates a random string of the specified length; params1: length of string
-- Schema: (variablename, variablegenerator, params1, params2, params3, params4, params5)
select * from variablemaster;
```
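As an added illustration (not the project's code) of how variablemaster-style rows drive template substitution, the generator below applies the generator types listed above to a constructed template and renders syslog-shaped events. The `${name}` placeholder syntax, the Java-to-strftime date mapping, and all sample rows (a TEST-NET-3 range standing in for ipcountry, an in-memory "protocols" lookup) are assumptions, since the page does not show the template format.

```python
import ipaddress, random, re, string
from datetime import datetime
# Constructed rows shaped like variablemaster: (variablename, variablegenerator, params1, params2).
VARIABLEMASTER = [
    ("bytes", "randomvaluegenerator", "100", "5000"),
    ("eventid", "sequentialvaluegenerator", "1000", None),
    ("time", "datevaluegenerator", "yyyy-MM-dd'T'HH:mm:ss", None),
    ("sessionid", "randomstringgenerator", "8", None),
    ("srcip", "randomexternalipgenerator", None, None),
    ("protocol", "tablevaluegenerator", "protocols", None),
]
LOOKUPS = {"protocols": ["TCP", "UDP", "ICMP"]}  # constructed lookup table
IPCOUNTRY = [("203.0.113.0", "203.0.113.255", "AU", "Australia")]  # constructed ipcountry rows (TEST-NET-3)
class FeedGenerator:
    def __init__(self, variables, lookups, ipcountry, countries, seed=None, now=None):
        self.vars = {row[0]: row for row in variables}
        self.lookups, self.rng, self.counters = lookups, random.Random(seed), {}
        self.now = now or datetime.now()
        self.ranges = [(int(ipaddress.ip_address(b)), int(ipaddress.ip_address(e)))  # only chosen countries
                       for b, e, cc, _ in ipcountry if cc in countries]
    def _date(self, fmt):
        if fmt == "epoch":
            return str(int(self.now.timestamp()))
        for java, py in (("yyyy", "%Y"), ("MM", "%m"), ("dd", "%d"), ("HH", "%H"), ("mm", "%M"), ("ss", "%S")):
            fmt = fmt.replace(java, py)  # minimal Java date pattern to strftime mapping
        return self.now.strftime(fmt.replace("'", ""))
    def value(self, name):
        _, gen, p1, p2 = self.vars[name]
        if gen == "randomvaluegenerator":
            return str(self.rng.randint(int(p1), int(p2)))
        if gen == "sequentialvaluegenerator":  # per-variable counter starting at params1
            self.counters[name] = self.counters.get(name, int(p1) - 1) + 1
            return str(self.counters[name])
        if gen == "datevaluegenerator":
            return self._date(p1)
        if gen == "randomstringgenerator":
            return "".join(self.rng.choices(string.ascii_lowercase + string.digits, k=int(p1)))
        if gen == "randomexternalipgenerator":
            lo, hi = self.rng.choice(self.ranges)
            return str(ipaddress.ip_address(self.rng.randint(lo, hi)))
        if gen == "tablevaluegenerator":
            return self.rng.choice(self.lookups[p1])
        raise ValueError(f"unsupported generator {gen}")
    def render(self, template):
        # ${name} placeholder syntax is an assumption; the page does not show the template format.
        return re.sub(r"\$\{(\w+)\}", lambda m: self.value(m.group(1)), template)
def demo(seed=7):
    g = FeedGenerator(VARIABLEMASTER, LOOKUPS, IPCOUNTRY, {"AU"}, seed, datetime(2024, 1, 2, 3, 4, 5))
    return [g.render("<134>${time} fw01 conn id=${eventid} src=${srcip} proto=${protocol} bytes=${bytes} sid=${sessionid}") for _ in range(2)]
```

Seeding the generator makes a feed reproducible, which is useful when the same synthetic events must be replayed against a SIEM rule more than once.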