feat(creds): Phase 1 — Authorization header + SNMP community capture
Closes the cred-coverage gap for 7 services that already had the data
on the wire but never landed it in the Credential table:
- SNMP — community string lands as secret_kind="snmp_community",
principal=None (v1/v2c has no per-user identity, the community IS
the auth).
- SIP — Digest response hash, previously buried in the auth= header
dump, now classify_authorization()-extracted.
- HTTP / HTTPS — Authorization header was in the headers JSON but
never extracted. Now Basic decodes to plaintext, Bearer →
http_bearer (principal=None), Digest → http_digest_md5.
- K8s — already extracted Authorization but didn't normalize. Service-
account JWTs flow through as Bearer.
- Docker API — headers absent entirely. Adds the headers JSON dump
and runs Authorization through the classifier.
- Elasticsearch — five distinct request handlers; each gains a
per-handler _cred_fields() helper.
Adds canonical templates/syslog_bridge.py:classify_authorization().
Recognised: Basic / Bearer / Token / Digest. Unknown schemes (NTLM,
AWS4-HMAC, Negotiate) return None; the header still rides in the
ambient SD-block but isn't normalized as a credential. The SD shape
on the wire collapses sip_digest_md5 into http_digest_md5 — same
algorithm, so cross-protocol reuse correlates correctly when (rare)
nonce collisions allow.
Drive-by repair of tests/core/test_fingerprinting.py:
- The pre-existing `test_http_useragent_extracted` asserted both that
add_bounty was called exactly once AND that the UA payload carried
`path` and `method` fields. Both wrong since this session opened:
the http_quirks fingerprint added later fires too, and the UA
payload never actually included path/method despite the assertion.
- Adds `path`/`method` to the UA fingerprint payload (real operator
value: "Nikto hit /admin" beats "Nikto seen on this decky").
- Replaces `assert_awaited_once` with a `_find_ua_bounty()` helper
that filters add_bounty calls by `fingerprint_type`. New fingerprint
families landing later won't retroactively break old tests.
- Updates the two credential-bearing tests to use the post-DEBT-039
native shape (`secret_b64` / `principal`) and `upsert_credential`,
not the deleted legacy `username+password` adapter.
Also rebuilds the per-service fake `syslog_bridge` modules in
tests/service_testing/{conftest,test_imap,test_pop3,test_snmp,test_mqtt,test_smtp}.py
to expose `encode_secret` + `classify_authorization`. Service templates
that import either now no longer fail at test collection.
173 tests pass in the touched scope. Phases 2-7 still pending.
This commit is contained in:
@@ -9,7 +9,12 @@ Logs all requests as JSON.
|
||||
import asyncio
|
||||
import os
|
||||
import struct
|
||||
from syslog_bridge import syslog_line, write_syslog_file, forward_syslog
|
||||
from syslog_bridge import (
|
||||
encode_secret,
|
||||
forward_syslog,
|
||||
syslog_line,
|
||||
write_syslog_file,
|
||||
)
|
||||
|
||||
NODE_NAME = os.environ.get("NODE_NAME", "switch")
|
||||
SERVICE_NAME = "snmp"
|
||||
@@ -229,8 +234,15 @@ class SNMPProtocol(asyncio.DatagramProtocol):
|
||||
def datagram_received(self, data, addr):
|
||||
try:
|
||||
version, community, request_id, oids = _parse_snmp(data)
|
||||
# SNMP v1/v2c community is the only auth mechanism on the wire
|
||||
# — every packet carries the shared secret in plaintext. Land
|
||||
# it as a Credential row keyed `snmp_community` so reuse-
|
||||
# analytics treats community-string spray as the same shape
|
||||
# of attack signal as cleartext password spray.
|
||||
_log("get_request", src=addr[0], src_port=addr[1],
|
||||
version=version, community=community, oids=oids)
|
||||
version=version, community=community, oids=oids,
|
||||
principal=None, secret_kind="snmp_community",
|
||||
**encode_secret(community))
|
||||
response = _build_response(version, community, request_id, oids)
|
||||
self._transport.sendto(response, addr)
|
||||
except Exception as e:
|
||||
|
||||
Reference in New Issue
Block a user