acidvegas/eris
acidvegas/eris
1
Fork 0
Code Issues Pull Requests Activity

Many bugs fixed in sniffer and async model.

Browse Source
This commit is contained in:
Dionysus 2024-03-08 12:13:57 -05:00
parent d34aa105f1
commit 6c4ae3e988
Signed by: acidvegas
GPG Key ID: EF4B922DB85DC9DE
3 changed files with 52 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
eris.py
View File

@ -13,7 +13,7 @@ sys.dont_write_bytecode = True
try: try:
# This is commented out because there is a bug with the elasticsearch library that requires a patch (see initialize() method below) # This is commented out because there is a bug with the elasticsearch library that requires a patch (see initialize() method below)
#from elasticsearch import AsyncElasticsearch #from elasticsearch import AsyncElasticsearch
from elasticsearch.exceptions import NotFoundError from elasticsearch.exceptions import NotFoundError
from elasticsearch.helpers import async_streaming_bulk from elasticsearch.helpers import async_streaming_bulk
except ImportError: except ImportError:
@ -43,23 +43,23 @@ class ElasticIndexer:
'request_timeout': args.timeout, 'request_timeout': args.timeout,
'max_retries': args.retries, 'max_retries': args.retries,
'retry_on_timeout': True, 'retry_on_timeout': True,
'sniff_on_start': True, # Is this problematic? 'sniff_on_start': False, # Problems when True....
'sniff_on_node_failure': True, 'sniff_on_node_failure': True,
'min_delay_between_sniffing': 60 # Add config option for this? 'min_delay_between_sniffing': 60 # Add config option for this?
} }
if args.api_key: #if args.api_key:
self.es_config['api_key'] = (args.api_key, '') # Verify this is correct # self.es_config['api_key'] = (args.api_key, '') # Verify this is correct
else: #else:
self.es_config['basic_auth'] = (args.user, args.password) self.es_config['basic_auth'] = (args.user, args.password)
async def initialize(self): async def initialize(self):
'''Initialize the Elasticsearch client.''' '''Initialize the Elasticsearch client.'''
# Patching the Elasticsearch client to fix a bug with sniffing (https://github.com/elastic/elasticsearch-py/issues/2005#issuecomment-1645641960) # Patching the Elasticsearch client to fix a bug with sniffing (https://github.com/elastic/elasticsearch-py/issues/2005#issuecomment-1645641960)
import sniff_patch import sniff_patch
self.es = sniff_patch.init_elasticsearch(**self.es_config) self.es = await sniff_patch.init_elasticsearch(**self.es_config)
# Remove the above and uncomment the below if the bug is fixed in the Elasticsearch client: # Remove the above and uncomment the below if the bug is fixed in the Elasticsearch client:
#self.es = AsyncElasticsearch(**es_config) #self.es = AsyncElasticsearch(**es_config)
@ -68,7 +68,7 @@ class ElasticIndexer:
async def create_index(self, map_body: dict, pipeline: str = '', replicas: int = 1, shards: int = 1): async def create_index(self, map_body: dict, pipeline: str = '', replicas: int = 1, shards: int = 1):
''' '''
Create the Elasticsearch index with the defined mapping. Create the Elasticsearch index with the defined mapping.
:param map_body: Mapping for the index :param map_body: Mapping for the index
:param pipeline: Name of the ingest pipeline to use for the index :param pipeline: Name of the ingest pipeline to use for the index
:param replicas: Number of replicas for the index :param replicas: Number of replicas for the index
@ -106,7 +106,7 @@ class ElasticIndexer:
'''Get the health of the Elasticsearch cluster.''' '''Get the health of the Elasticsearch cluster.'''
return await self.es.cluster.health() return await self.es.cluster.health()
async def get_cluster_size(self) -> int: async def get_cluster_size(self) -> int:
'''Get the number of nodes in the Elasticsearch cluster.''' '''Get the number of nodes in the Elasticsearch cluster.'''
@ -128,7 +128,7 @@ class ElasticIndexer:
count = 0 count = 0
total = 0 total = 0
async for ok, result in async_streaming_bulk(self.es, actions=data_generator(file_path), chunk_size=self.chunk_size, max_chunk_bytes=self.chunk_max): async for ok, result in async_streaming_bulk(self.es, actions=data_generator(file_path), chunk_size=self.chunk_size, max_chunk_bytes=self.chunk_max):
action, result = result.popitem() action, result = result.popitem()
@ -151,17 +151,17 @@ async def main():
'''Main function when running this script directly.''' '''Main function when running this script directly.'''
parser = argparse.ArgumentParser(description='Index data into Elasticsearch.') parser = argparse.ArgumentParser(description='Index data into Elasticsearch.')
# General arguments # General arguments
parser.add_argument('input_path', help='Path to the input file or directory') # Required parser.add_argument('input_path', help='Path to the input file or directory') # Required
parser.add_argument('--watch', action='store_true', help='Create or watch a FIFO for real-time indexing') parser.add_argument('--watch', action='store_true', help='Create or watch a FIFO for real-time indexing')
# Elasticsearch arguments # Elasticsearch arguments
parser.add_argument('--host', default='http://localhost/', help='Elasticsearch host') parser.add_argument('--host', default='http://localhost/', help='Elasticsearch host')
parser.add_argument('--port', type=int, default=9200, help='Elasticsearch port') parser.add_argument('--port', type=int, default=9200, help='Elasticsearch port')
parser.add_argument('--user', default='elastic', help='Elasticsearch username') parser.add_argument('--user', default='elastic', help='Elasticsearch username')
parser.add_argument('--password', default=os.getenv('ES_PASSWORD'), help='Elasticsearch password (if not provided, check environment variable ES_PASSWORD)') parser.add_argument('--password', default=os.getenv('ES_PASSWORD'), help='Elasticsearch password (if not provided, check environment variable ES_PASSWORD)')
parser.add_argument('--api-key', default=os.getenv('ES_APIKEY'), help='Elasticsearch API Key for authentication (if not provided, check environment variable ES_APIKEY)') #parser.add_argument('--api-key', default=os.getenv('ES_APIKEY'), help='Elasticsearch API Key for authentication (if not provided, check environment variable ES_APIKEY)')
parser.add_argument('--self-signed', action='store_false', help='Elasticsearch is using self-signed certificates') parser.add_argument('--self-signed', action='store_false', help='Elasticsearch is using self-signed certificates')
# Elasticsearch indexing arguments # Elasticsearch indexing arguments
@ -169,7 +169,7 @@ async def main():
parser.add_argument('--pipeline', help='Use an ingest pipeline for the index') parser.add_argument('--pipeline', help='Use an ingest pipeline for the index')
parser.add_argument('--replicas', type=int, default=1, help='Number of replicas for the index') parser.add_argument('--replicas', type=int, default=1, help='Number of replicas for the index')
parser.add_argument('--shards', type=int, default=1, help='Number of shards for the index') parser.add_argument('--shards', type=int, default=1, help='Number of shards for the index')
# Performance arguments # Performance arguments
parser.add_argument('--chunk-size', type=int, default=50000, help='Number of records to index in a chunk') parser.add_argument('--chunk-size', type=int, default=50000, help='Number of records to index in a chunk')
parser.add_argument('--chunk-max', type=int, default=100, help='Maximum size of a chunk in bytes') parser.add_argument('--chunk-max', type=int, default=100, help='Maximum size of a chunk in bytes')
@ -206,12 +206,15 @@ async def main():
from ingestors import ingest_massdns as ingestor from ingestors import ingest_massdns as ingestor
elif args.zone: elif args.zone:
from ingestors import ingest_zone as ingestor from ingestors import ingest_zone as ingestor
if not isinstance(ingestor, object):
raise ValueError('No ingestor selected')
health = await edx.get_cluster_health() health = await edx.get_cluster_health()
print(health) print(health)
await asyncio.sleep(5) # Delay to allow time for sniffing to complete await asyncio.sleep(5) # Delay to allow time for sniffing to complete
nodes = await edx.get_cluster_size() nodes = await edx.get_cluster_size()
logging.info(f'Connected to {nodes:,} Elasticsearch node(s)') logging.info(f'Connected to {nodes:,} Elasticsearch node(s)')
@ -220,7 +223,7 @@ async def main():
map_body = ingestor.construct_map() map_body = ingestor.construct_map()
await edx.create_index(map_body, args.pipeline, args.replicas, args.shards) await edx.create_index(map_body, args.pipeline, args.replicas, args.shards)
if os.path.isfile(args.input_path): if os.path.isfile(args.input_path):
logging.info(f'Processing file: {args.input_path}') logging.info(f'Processing file: {args.input_path}')
await edx.process_data(args.input_path, ingestor.process_data) await edx.process_data(args.input_path, ingestor.process_data)
@ -245,4 +248,4 @@ async def main():
if __name__ == '__main__': if __name__ == '__main__':
asyncio.run(main()) asyncio.run(main())

31
ingestors/ingest_massdns.py
View File

@ -48,7 +48,8 @@ async def process_data(file_path: str):
# Sentinel value to indicate the end of a process (for closing out a FIFO stream) # Sentinel value to indicate the end of a process (for closing out a FIFO stream)
if line == '~eof': if line == '~eof':
return last yield last
break
# Skip empty lines # Skip empty lines
if not line: if not line:
@ -61,50 +62,47 @@ async def process_data(file_path: str):
if len(parts) < 3: if len(parts) < 3:
logging.warning(f'Invalid PTR record: {line}') logging.warning(f'Invalid PTR record: {line}')
continue continue
# Split the PTR record into its parts # Split the PTR record into its parts
name, record_type, record = parts[0].rstrip('.'), parts[1], ' '.join(parts[2:]).rstrip('.') name, record_type, record = parts[0].rstrip('.'), parts[1], ' '.join(parts[2:]).rstrip('.')
# Do not index other records # Do not index other records
if record_type != 'PTR': if record_type != 'PTR':
logging.warning(f'Invalid record type: {record_type}: {line}')
continue continue
# Do not index PTR records that do not have a record # Do not index PTR records that do not have a record
if not record: if not record:
logging.warning(f'Empty PTR record: {line}')
continue continue
# Let's not index the PTR record if it's the same as the in-addr.arpa domain # Let's not index the PTR record if it's the same as the in-addr.arpa domain
if record == name: if record == name:
logging.warning(f'PTR record is the same as the in-addr.arpa domain: {line}')
continue continue
# Get the IP address from the in-addr.arpa domain # Get the IP address from the in-addr.arpa domain
ip = '.'.join(name.replace('.in-addr.arpa', '').split('.')[::-1]) ip = '.'.join(name.replace('.in-addr.arpa', '').split('.')[::-1])
# Check if we are still processing the same IP address # Check if we are still processing the same IP address
if last: if last:
if ip == last['_id']: if ip == last['_id']:
last_record = last['_doc']['record'] last_record = last['doc']['record']
if isinstance(last_record, list): if isinstance(last_record, list):
if record not in last_record: if record not in last_record:
last['_doc']['record'].append(record) last['doc']['record'].append(record)
else: else:
logging.warning(f'Duplicate PTR record: {line}') logging.warning(f'Duplicate PTR record: {line}')
else: else:
if record != last_record: if record != last_record:
last['_doc']['record'] = [last_record, record] # IP addresses with more than one PTR record will turn into a list last['doc']['record'] = [last_record, record] # IP addresses with more than one PTR record will turn into a list
continue continue
else: else:
yield last yield last # Return the last document and start a new one
# Cache the this document in-case we have more for the same IP address # Cache the this document in-case we have more for the same IP address
last = { last = {
'_op_type' : 'update', '_op_type' : 'update',
'_id' : ip, '_id' : ip,
'_index' : default_index, '_index' : default_index,
'_doc' : { 'doc' : {
'ip' : ip, 'ip' : ip,
'record' : record, 'record' : record,
'seen' : time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime()) 'seen' : time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime())
@ -116,7 +114,7 @@ async def process_data(file_path: str):
async def test(input_path: str): async def test(input_path: str):
''' '''
Test the MassDNS ingestion process Test the MassDNS ingestion process
:param input_path: Path to the MassDNS log file :param input_path: Path to the MassDNS log file
''' '''
async for document in process_data(input_path): async for document in process_data(input_path):
@ -131,16 +129,17 @@ if __name__ == '__main__':
parser = argparse.ArgumentParser(description='MassDNS Ingestor for ERIS') parser = argparse.ArgumentParser(description='MassDNS Ingestor for ERIS')
parser.add_argument('input_path', help='Path to the input file or directory') parser.add_argument('input_path', help='Path to the input file or directory')
args = parser.parse_args() args = parser.parse_args()
asyncio.run(test(args.input_path)) asyncio.run(test(args.input_path))
''' '''
Deployment: Deployment:
sudo apt-get install build-essential gcc make
git clone --depth 1 https://github.com/blechschmidt/massdns.git $HOME/massdns && cd $HOME/massdns && make git clone --depth 1 https://github.com/blechschmidt/massdns.git $HOME/massdns && cd $HOME/massdns && make
curl -s https://public-dns.info/nameservers.txt | grep -v ':' > $HOME/massdns/nameservers.txt curl -s https://public-dns.info/nameservers.txt | grep -v ':' > $HOME/massdns/nameservers.txt
pythons ./scripts/ptr.py | ./bin/massdns -r $HOME/massdns/nameservers.txt -t PTR --filter NOERROR-s 1000 -o S -w $HOME/massdns/fifo.json python3 ./scripts/ptr.py | ./bin/massdns -r $HOME/massdns/nameservers.txt -t PTR --filter NOERROR-s 500 -o S -w $HOME/massdns/fifo.json
or... or...
while true; do python ./scripts/ptr.py | ./bin/massdns -r $HOME/massdns/nameservers.txt -t PTR --filter NOERROR -s 1000 -o S -w $HOME/massdns/fifo.json; done while true; do python ./scripts/ptr.py | ./bin/massdns -r $HOME/massdns/nameservers.txt -t PTR --filter NOERROR -s 1000 -o S -w $HOME/massdns/fifo.json; done
@ -163,4 +162,4 @@ Input:
Notes: Notes:
Why do some IP addresses return a CNAME from a PTR request Why do some IP addresses return a CNAME from a PTR request
What is dns-servfail.net (Frequent CNAME response from PTR requests) What is dns-servfail.net (Frequent CNAME response from PTR requests)
''' '''

24
sniff_patch.py
View File

@ -16,19 +16,19 @@ import elasticsearch._async.client as async_client
from elasticsearch.exceptions import SerializationError, ConnectionError from elasticsearch.exceptions import SerializationError, ConnectionError
async def init_elasticsearch_async(*args, **kwargs): async def init_elasticsearch(*args, **kwargs):
''' '''
Initialize the Async Elasticsearch client with the sniff patch. Initialize the Async Elasticsearch client with the sniff patch.
:param args: Async Elasticsearch positional arguments. :param args: Async Elasticsearch positional arguments.
:param kwargs: Async Elasticsearch keyword arguments. :param kwargs: Async Elasticsearch keyword arguments.
''' '''
async_client.default_sniff_callback = _override_async_sniff_callback(kwargs['basic_auth']) async_client.default_sniff_callback = _override_sniff_callback(kwargs['basic_auth'])
return async_client.AsyncElasticsearch(*args, **kwargs) return async_client.AsyncElasticsearch(*args, **kwargs)
def _override_async_sniff_callback(basic_auth): def _override_sniff_callback(basic_auth):
''' '''
Taken from https://github.com/elastic/elasticsearch-py/blob/8.8/elasticsearch/_sync/client/_base.py#L166 Taken from https://github.com/elastic/elasticsearch-py/blob/8.8/elasticsearch/_sync/client/_base.py#L166
Completely unmodified except for adding the auth header to the elastic request. Completely unmodified except for adding the auth header to the elastic request.
@ -40,7 +40,7 @@ def _override_async_sniff_callback(basic_auth):
auth_str = base64.b64encode(':'.join(basic_auth).encode()).decode() auth_str = base64.b64encode(':'.join(basic_auth).encode()).decode()
sniffed_node_callback = async_client._base._default_sniffed_node_callback sniffed_node_callback = async_client._base._default_sniffed_node_callback
async def modified_async_sniff_callback(transport, sniff_options): async def modified_sniff_callback(transport, sniff_options):
for _ in transport.node_pool.all(): for _ in transport.node_pool.all():
try: try:
meta, node_infos = await transport.perform_request( meta, node_infos = await transport.perform_request(
@ -48,7 +48,7 @@ def _override_async_sniff_callback(basic_auth):
'/_nodes/_all/http', '/_nodes/_all/http',
headers={ headers={
'accept': 'application/vnd.elasticsearch+json; compatible-with=8', 'accept': 'application/vnd.elasticsearch+json; compatible-with=8',
'authorization': f'Basic {auth_str}' # This auth header is missing in 8.x releases of the client, and causes 401s 'authorization': f'Basic {auth_str}' # This auth header is missing in 8.x releases of the client, and causes 401s
}, },
request_timeout=( request_timeout=(
sniff_options.sniff_timeout sniff_options.sniff_timeout
@ -79,9 +79,13 @@ def _override_async_sniff_callback(basic_auth):
port = int(port_str) port = int(port_str)
assert sniffed_node_callback is not None assert sniffed_node_callback is not None
sniffed_node = await sniffed_node_callback(
node_info, meta.node.replace(host=host, port=port) # Pay not mind to this, it's just a workaround for my own setup.
) #host = elastic.domain.com
#port = int(str(port).replace('', ''))
sniffed_node = sniffed_node_callback(node_info, meta.node.replace(host=host, port=port))
if sniffed_node is None: if sniffed_node is None:
continue continue
@ -93,4 +97,4 @@ def _override_async_sniff_callback(basic_auth):
return [] return []
return modified_async_sniff_callback return modified_sniff_callback