fixed cache poisoning

elastic.py

@@ -19,17 +19,21 @@
 # ES PUT functions
 ##################
 
-def getCache(cacheItem, cache):
-    rv = cache.get(cacheItem)
+def getCache(cacheItem, cache, cacheType):
+    cacheTypeItem = cacheType + ":" + cacheItem
+    rv = cache.get(cacheTypeItem)
+    app.logger.debug("Returning item from cache: {0} - Value: {1}".format(cacheTypeItem, str(rv)[:200]+" ..."))
     if rv is None:
         return False
     return rv
 
-def setCache(cacheItem, cacheValue, cacheTimeout, cache):
+def setCache(cacheItem, cacheValue, cacheTimeout, cache, cacheType):
   try:
-      cache.set(cacheItem, cacheValue, timeout=cacheTimeout)
+      cacheTypeItem = cacheType + ":" + cacheItem
+      cache.set(cacheTypeItem, cacheValue, timeout=cacheTimeout)
+      app.logger.debug("Setting item to cache: {0} - Value: {1}".format(cacheTypeItem, str(cacheValue)[:200] + " ..."))
   except:
-        app.logger.error("Could not set memcache cache {0} to value {1} and Timeout {2}".format(cacheItem, str(cacheValue), cacheTimeout))
+        app.logger.error("Could not set memcache cache {0} to value {1} and Timeout {2}".format(cacheTypeItem, str(cacheValue), cacheTimeout))
 
 
 def getCountries(id):
@@ -65,12 +69,12 @@ def getGeoIPNative(sourceip, cache):
 
         asn = giASN.org_by_addr(sourceip)
         if (asn == "" ) or asn is None:
-            setCache(sourceip, "0.0" + "|" + "0.0" + "|" + country_fail + "|" + ASN_fail + "|" + ASN_fail_text, 60 * 60 * 24, cache)
+            setCache(sourceip, "0.0" + "|" + "0.0" + "|" + country_fail + "|" + ASN_fail + "|" + ASN_fail_text, 60 * 60 * 24, cache, "ip")
             return ("0.0", "0.0", "-", "-", "-")
 
         country = gi.country_code_by_addr(sourceip)
         if (country == "") or country is None:
-            setCache(sourceip, "0.0" + "|" + "0.0" + "|" + country_fail + "|" + ASN_fail + "|" + ASN_fail_text, 60 * 60 * 24, cache)
+            setCache(sourceip, "0.0" + "|" + "0.0" + "|" + country_fail + "|" + ASN_fail + "|" + ASN_fail_text, 60 * 60 * 24, cache, "ip")
             return ("0.0", "0.0", "-", "-", "-")
 
         long = giCity.record_by_addr(sourceip)['longitude']
@@ -79,12 +83,12 @@ def getGeoIPNative(sourceip, cache):
         asn = giASN.org_by_addr(sourceip)
 
         # store data in memcache
-        setCache(sourceip, str(lat) + "|" + str(long) + "|" + country + "|"+ asn  + "|" + countryName, 60*60*24, cache)
+        setCache(sourceip, str(lat) + "|" + str(long) + "|" + country + "|"+ asn  + "|" + countryName, 60*60*24, cache, "ip")
 
         return (lat, long, country, asn, countryName)
 
     except:
-        setCache(sourceip, "0.0" + "|" + "0.0" + "|" + country_fail + "|" + ASN_fail + "|" + ASN_fail_text, 60 * 60 * 24, cache)
+        setCache(sourceip, "0.0" + "|" + "0.0" + "|" + country_fail + "|" + ASN_fail + "|" + ASN_fail_text, 60 * 60 * 24, cache, "ip")
         return ("0.0", "0.0", country_fail, ASN_fail, ASN_fail_text)
 
 
@@ -95,7 +99,7 @@ def getGeoIP(ip,cache):
     """ get geoip and ASN information from IP """
 
     # get result from cache
-    getCacheResult = getCache(ip, cache)
+    getCacheResult = getCache(ip, cache, "ip")
     if getCacheResult is False:
         return getGeoIPNative(ip, cache)
 

misc/fillcache.py

@@ -49,8 +49,9 @@ def testElasticsearch():
     except:
         return False
 
-def getCache(cacheItem):
-    rv = cache.get(cacheItem)
+def getCache(cacheItem, cacheType):
+    cacheTypeItem = cacheType + ":" + cacheItem
+    rv = cache.get(cacheTypeItem)
     if rv is None:
         return False
     return rv
@@ -64,12 +65,13 @@ def testMemcached():
             return False
     return True
 
-def setCache(cacheItem, cacheValue, cacheTimeout,cacheIndex):
+def setCache(cacheItem, cacheValue, cacheTimeout, cacheIndex, cacheType):
     for cache in caches[cacheIndex]:
+        cacheTypeItem = cacheType + ":" + cacheItem
         try:
-            cache.set(cacheItem, cacheValue, cacheTimeout)
+            cache.set(cacheTypeItem, cacheValue, cacheTimeout)
         except pylibmc.Error as e:
-            print("Could not set {0} to {1}".format(cacheItem, e))
+            print("Could not set {0} to {1}".format(cacheTypeItem, e))
 
 def checkCommunityIndex(request):
     """check if request is agains community index or production index"""
@@ -480,7 +482,7 @@ def fillCacheRetrieveAlertsJson(sleeptime, cachetime, community):
         else:
             cacheItem=domain+itemRetrieveAlertsJsonCommunity
             cacheIndex = 1
-        settingResult=setCache(cacheItem, returnResult, cachetime, cacheIndex)
+        settingResult=setCache(cacheItem, returnResult, cachetime, cacheIndex, "url")
         sleep(sleeptime)
 
 ## /topCountriesAttacks
@@ -493,7 +495,7 @@ def fillCacheTopCountriesAttacks(sleeptime, cachetime, community):
         else:
             cacheItem=domain+itemTopCountriesAttacksCommunity
             cacheIndex = 3
-        settingResult=setCache(cacheItem, returnResult, cachetime, cacheIndex)
+        settingResult=setCache(cacheItem, returnResult, cachetime, cacheIndex, "url")
         sleep(sleeptime)
 
 
@@ -507,7 +509,7 @@ def fillRetrieveAlertStats(sleeptime, cachetime, community):
         else:
             cacheItem=domain+itemRetrieveAlertStatsCommunity
             cacheIndex = 5
-        settingResult=setCache(cacheItem, returnResult, cachetime, cacheIndex)
+        settingResult=setCache(cacheItem, returnResult, cachetime, cacheIndex, "url")
         sleep(sleeptime)
 
 ## /retrieveAlertsCountWithType
@@ -521,7 +523,7 @@ def fillRetrieveAlertsCountWithType(sleeptime, cachetime, community):
         else:
             cacheItem = domain + itemAlertsCountWithTypeCommunity
             cacheIndex = 7
-        settingResult=setCache(cacheItem, returnResult, cachetime, cacheIndex)
+        settingResult=setCache(cacheItem, returnResult, cachetime, cacheIndex, "url")
         sleep(sleeptime)
 
 

misc/put-requests/alarmtest.xml

@@ -0,0 +1,27 @@
+<EWS-SimpleMessage version="2.0">
+    <Authentication>
+        <username>community-01-user</username>
+        <token>foth{a5maiCee8fineu7</token>
+    </Authentication>
+
+      <Alert>
+        <Analyzer id="honeytrap"/>
+        <CreateTime tz="+0200">2013-03-11 19:12:22</CreateTime>
+        <Source category="ipv4" port="200" protocol="tcp">46.29.100.76</Source>
+        <Target category="ipv4" port="80" protocol="tcp">46.29.100.76</Target>
+        <Request type="url">/cgi-bin/.br/style.css3/444</Request>
+        <Request type="raw">R0VUIC9jZ2ktYmluLy5ici9zdHlsZS5jc3MgSFRUUC8xLjENCkFjY2VwdDogdGV4dC9jc3MsKi8q
+            O3E9MC4xLCovKg0KQWNjZXB0LUVuY29kaW5nOiBnemlwLGRlZmxhdGUNCkNvbm5lY3Rpb246IEtl
+            ZXAtYWxpdmUNCkZyb206IGdvb2dsZWJvdChhdClnb29nbGVib3QuY29tDQpIb3N0OiB3d3cud2Vi
+            bWFpbGhvdXNlLmRlDQpSZWZlcmVyOiBodHRwOi8vd3d3LndlYm1haWxob3VzZS5kZS9jZ2ktYmlu
+            Ly5ici9wYXRoLnBocA0KVXNlci1BZ2VudDogTW96aWxsYS81LjAgKGNvbXBhdGlibGU7IEdvb2ds
+            ZWJvdC8yLjE7ICtodHRwOi8vd3d3Lmdvb2dsZS5jb20vYm90Lmh0bWwp
+        </Request>
+        <Request type="description">honeytrap</Request>
+        <AdditionalData meaning="host" type="string">www.webe.de</AdditionalData>
+        <AdditionalData meaning="sqliteid" type="integer">3688</AdditionalData>
+          <AdditionalData meaning="cve_id">"}} ' {{ </AdditionalData>
+    </Alert>
+
+
+</EWS-SimpleMessage>