CTI client prototype #252

Open
wants to merge 30 commits into
base: master
Conversation

f-galland
Member

Description

This PR adds a CTI client prototype to the content-manager plugin

Issues Resolved

Closes #238

@f-galland f-galland self-assigned this Jan 28, 2025
@f-galland f-galland marked this pull request as ready for review February 5, 2025 21:54
@f-galland f-galland requested a review from a team as a code owner February 5, 2025 21:54
@f-galland
Member Author

The plugin exposes two test endpoints, that upon being called, reply in the following way:

Catalog call

$ curl http://localhost:9200/_plugins/_content_manager/vd-catalog | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   475  100   475    0     0   2503      0 --:--:-- --:--:-- --:--:--  2513
{
  "id": 4,
  "name": "vd_4.8.0",
  "context": "vd_1.0.0",
  "operations": null,
  "inserted_at": "2023-11-23T19:34:18.698495Z",
  "updated_at": "2025-02-05T16:35:39.126346Z",
  "paths_filter": null,
  "last_offset": 1286687,
  "changes_url": "cti.wazuh.com/api/v1/catalog/contexts/vd_1.0.0/consumers/vd_4.8.0/changes",
  "last_snapshot_at": "2025-02-03T09:38:11.980940Z",
  "last_snapshot_link": "https://cti.wazuh.com/store/contexts/vd_1.0.0/consumers/vd_4.8.0/1278352_1738575491.zip",
  "last_snapshot_offset": 1278352
}

Changes call

fede@tyner:~
$ curl "http://localhost:9200/_plugins/_content_manager/vd-changes?from_offset=5&to_offset=7&with_empties=true" | jq
{
  "data": [
    {
      "context": "vd_1.0.0",
      "offset": 6,
      "resource": "CVE-1999-0006",
      "type": "create",
      "version": 1,
      "payload": {
        "cveMetadata": {
          "datePublished": "1998-07-14T04:00:00Z",
          "cveId": "CVE-1999-0006",
          "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
          "state": "PUBLISHED",
          "assignerShortName": "mitre",
          "dateUpdated": "2008-09-09T12:33:31Z"
        },
        "dataVersion": "5.0",
        "dataType": "CVE_RECORD",
        "containers": {
          "cna": {
            "providerMetadata": {
              "x_subShortName": "nvd",
              "shortName": "nvd",
              "orgId": "00000000-0000-4000-A000-000000000003",
              "dateUpdated": "2008-09-09T12:33:31Z"
            },
            "references": [
              {
                "url": "ftp://patches.sgi.com/support/free/security/advisories/19980801-01-I"
              },
              {
                "url": "http://www.securityfocus.com/bid/133"
              }
            ],
            "metrics": [
              {
                "format": "CVSS",
                "cvssV2_0": {
                  "accessComplexity": "LOW",
                  "confidentialityImpact": "COMPLETE",
                  "availabilityImpact": "COMPLETE",
                  "integrityImpact": "COMPLETE",
                  "baseScore": 10,
                  "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
                  "version": "2.0",
                  "accessVector": "NETWORK",
                  "authentication": "NONE"
                }
              }
            ],
            "affected": [
              {
                "defaultStatus": "unaffected",
                "product": "qpopper",
                "cpes": [
                  "cpe:2.3:a:qualcomm:qpopper:2.4:*:*:*:*:*:*:*"
                ],
                "versions": [
                  {
                    "version": "2.4",
                    "status": "affected"
                  }
                ],
                "vendor": "qualcomm"
              }
            ],
            "descriptions": [
              {
                "lang": "en",
                "value": "Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows remote attackers to gain root access using a long PASS command."
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "description": "NVD-CWE-Other",
                    "lang": "en"
                  }
                ]
              }
            ]
          }
        }
      }
    },
    {
      "context": "vd_1.0.0",
      "offset": 7,
      "resource": "CVE-1999-0007",
      "type": "create",
      "version": 1,
      "payload": {
        "cveMetadata": {
          "datePublished": "1998-06-26T04:00:00Z",
          "cveId": "CVE-1999-0007",
          "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
          "state": "PUBLISHED",
          "assignerShortName": "mitre",
          "dateUpdated": "2020-04-02T13:31:03Z"
        },
        "dataVersion": "5.0",
        "dataType": "CVE_RECORD",
        "containers": {
          "cna": {
            "providerMetadata": {
              "x_subShortName": "nvd",
              "shortName": "nvd",
              "orgId": "00000000-0000-4000-A000-000000000003",
              "dateUpdated": "2020-04-02T13:31:03Z"
            },
            "references": [
              {
                "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-002",
                "tags": [
                  "patch",
                  "vendor-advisory"
                ]
              }
            ],
            "metrics": [
              {
                "format": "CVSS",
                "cvssV2_0": {
                  "accessComplexity": "LOW",
                  "confidentialityImpact": "PARTIAL",
                  "availabilityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "baseScore": 5,
                  "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                  "version": "2.0",
                  "accessVector": "NETWORK",
                  "authentication": "NONE"
                }
              }
            ],
            "affected": [
              {
                "defaultStatus": "unaffected",
                "product": "stonghold_web_server",
                "cpes": [
                  "cpe:2.3:a:c2net:stonghold_web_server:2.0.1:*:*:*:*:*:*:*",
                  "cpe:2.3:a:c2net:stonghold_web_server:2.2:*:*:*:*:*:*:*",
                  "cpe:2.3:a:c2net:stonghold_web_server:2.3:*:*:*:*:*:*:*"
                ],
                "versions": [
                  {
                    "version": "2.0.1",
                    "status": "affected"
                  },
                  {
                    "version": "2.2",
                    "status": "affected"
                  },
                  {
                    "version": "2.3",
                    "status": "affected"
                  }
                ],
                "vendor": "c2net"
              },
              {
                "defaultStatus": "unaffected",
                "product": "open_market_secure_webserver",
                "cpes": [
                  "cpe:2.3:a:hp:open_market_secure_webserver:2.1:*:*:*:*:*:*:*"
                ],
                "versions": [
                  {
                    "version": "2.1",
                    "status": "affected"
                  }
                ],
                "vendor": "hp"
              },
              {
                "defaultStatus": "unaffected",
                "product": "exchange_server",
                "cpes": [
                  "cpe:2.3:a:microsoft:exchange_server:5.5:-:*:*:*:*:*:*"
                ],
                "versions": [
                  {
                    "version": "5.5",
                    "status": "affected"
                  }
                ],
                "vendor": "microsoft"
              },
              {
                "defaultStatus": "unaffected",
                "product": "internet_information_server",
                "cpes": [
                  "cpe:2.3:a:microsoft:internet_information_server:3.0:*:*:*:*:*:*:*",
                  "cpe:2.3:a:microsoft:internet_information_server:4.0:*:*:*:*:*:*:*"
                ],
                "versions": [
                  {
                    "version": "3.0",
                    "status": "affected"
                  },
                  {
                    "version": "4.0",
                    "status": "affected"
                  }
                ],
                "vendor": "microsoft"
              },
              {
                "defaultStatus": "unaffected",
                "product": "site_server",
                "cpes": [
                  "cpe:2.3:a:microsoft:site_server:3.0:*:*:*:*:*:*:*"
                ],
                "versions": [
                  {
                    "version": "3.0",
                    "status": "affected"
                  }
                ],
                "vendor": "microsoft"
              },
              {
                "defaultStatus": "unaffected",
                "product": "certificate_server patch1",
                "cpes": [
                  "cpe:2.3:a:netscape:certificate_server:1.0:patch1:*:*:*:*:*:*"
                ],
                "versions": [
                  {
                    "version": "1.0",
                    "status": "affected"
                  }
                ],
                "vendor": "netscape"
              },
              {
                "defaultStatus": "unaffected",
                "product": "collabra_server",
                "cpes": [
                  "cpe:2.3:a:netscape:collabra_server:3.5.2:*:*:*:*:*:*:*"
                ],
                "versions": [
                  {
                    "version": "3.5.2",
                    "status": "affected"
                  }
                ],
                "vendor": "netscape"
              },
              {
                "defaultStatus": "unaffected",
                "product": "directory_server patch5",
                "cpes": [
                  "cpe:2.3:a:netscape:directory_server:1.3:patch5:*:*:*:*:*:*"
                ],
                "versions": [
                  {
                    "version": "1.3",
                    "status": "affected"
                  }
                ],
                "vendor": "netscape"
              },
              {
                "defaultStatus": "unaffected",
                "product": "directory_server",
                "cpes": [
                  "cpe:2.3:a:netscape:directory_server:3.12:*:*:*:*:*:*:*"
                ],
                "versions": [
                  {
                    "version": "3.12",
                    "status": "affected"
                  }
                ],
                "vendor": "netscape"
              },
              {
                "defaultStatus": "unaffected",
                "product": "directory_server patch1",
                "cpes": [
                  "cpe:2.3:a:netscape:directory_server:3.1:patch1:*:*:*:*:*:*"
                ],
                "versions": [
                  {
                    "version": "3.1",
                    "status": "affected"
                  }
                ],
                "vendor": "netscape"
              },
              {
                "defaultStatus": "unaffected",
                "product": "enterprise_server",
                "cpes": [
                  "cpe:2.3:a:netscape:enterprise_server:2.0:*:*:*:*:*:*:*",
                  "cpe:2.3:a:netscape:enterprise_server:3.0.1b:*:*:*:*:*:*:*",
                  "cpe:2.3:a:netscape:enterprise_server:3.5.1:*:*:*:*:*:*:*"
                ],
                "versions": [
                  {
                    "version": "2.0",
                    "status": "affected"
                  },
                  {
                    "version": "3.0.1b",
                    "status": "affected"
                  },
                  {
                    "version": "3.5.1",
                    "status": "affected"
                  }
                ],
                "vendor": "netscape"
              },
              {
                "defaultStatus": "unaffected",
                "product": "fasttrack_server",
                "cpes": [
                  "cpe:2.3:a:netscape:fasttrack_server:3.01b:*:*:*:*:*:*:*"
                ],
                "versions": [
                  {
                    "version": "3.01b",
                    "status": "affected"
                  }
                ],
                "vendor": "netscape"
              },
              {
                "defaultStatus": "unaffected",
                "product": "messaging_server",
                "cpes": [
                  "cpe:2.3:a:netscape:messaging_server:3.54:*:*:*:*:*:*:*"
                ],
                "versions": [
                  {
                    "version": "3.54",
                    "status": "affected"
                  }
                ],
                "vendor": "netscape"
              },
              {
                "defaultStatus": "unaffected",
                "product": "proxy_server",
                "cpes": [
                  "cpe:2.3:a:netscape:proxy_server:3.5.1:*:*:*:*:*:*:*"
                ],
                "versions": [
                  {
                    "version": "3.5.1",
                    "status": "affected"
                  }
                ],
                "vendor": "netscape"
              },
              {
                "defaultStatus": "unaffected",
                "product": "ssleay",
                "cpes": [
                  "cpe:2.3:a:ssleay:ssleay:0.6.6:*:*:*:*:*:*:*",
                  "cpe:2.3:a:ssleay:ssleay:0.8.1:*:*:*:*:*:*:*",
                  "cpe:2.3:a:ssleay:ssleay:0.9:*:*:*:*:*:*:*"
                ],
                "versions": [
                  {
                    "version": "0.6.6",
                    "status": "affected"
                  },
                  {
                    "version": "0.8.1",
                    "status": "affected"
                  },
                  {
                    "version": "0.9",
                    "status": "affected"
                  }
                ],
                "vendor": "ssleay"
              }
            ],
            "descriptions": [
              {
                "lang": "en",
                "value": "Information from SSL-encrypted sessions via PKCS #1."
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-327",
                    "description": "CWE-327",
                    "lang": "en"
                  }
                ]
              }
            ]
          }
        }
      }
    }
  ]
}

Both endpoints call an Action class that issues an HTTP call to the CTI API, pulls its reply, parses it and builds a new JSON that is used as the response to the endpoint call.
The Changes API admits three parameters: from_offset, to_offset and with_empties. These are forwarded to the CTI API.
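The following is an added illustration, not code from this PR or from the content-manager plugin (which is Java): a small offline model of the client described above. It validates the three forwarded query parameters before they reach the upstream CTI API, pages through changes between a catalog's `last_snapshot_offset` and `last_offset`, and condenses each CVE 5.0 change record into a compact document. The HTTP call is replaced by an injected `fetch_page` function, the sample catalog and change records are constructed to mirror the responses shown above, and the paging semantics (`from_offset` exclusive, `to_offset` inclusive, as the `from_offset=5&to_offset=7` call returning offsets 6 and 7 suggests), the `with_empties` meaning and the `MAX_PAGE` cap are assumptions of this example.

```python
"""Added example (not the PR's own code): an offline model of a CTI changes consumer."""
import json

# Assumed page-size cap; the real CTI API's limit is not stated on the PR.
MAX_PAGE = 1000


def validate_params(from_offset, to_offset, with_empties):
    """Check the three parameters before forwarding them upstream.

    Rejecting malformed or oversized values here, instead of passing raw
    query strings through, keeps the endpoint from acting as a blind proxy
    to the CTI API. Returns the query dict that would be sent."""
    if not isinstance(from_offset, int) or not isinstance(to_offset, int):
        raise ValueError("offsets must be integers")
    if from_offset < 0 or to_offset < from_offset:
        raise ValueError("require 0 <= from_offset <= to_offset")
    if to_offset - from_offset > MAX_PAGE:
        raise ValueError(f"page too large (max {MAX_PAGE})")
    if not isinstance(with_empties, bool):
        raise ValueError("with_empties must be a boolean")
    return {"from_offset": from_offset, "to_offset": to_offset,
            "with_empties": "true" if with_empties else "false"}


def summarize_change(change):
    """Reduce one change record (CVE 5.0 payload) to the fields a consumer needs.

    Tolerates a missing or null payload, as a delete may carry none."""
    payload = change.get("payload") or {}
    cna = payload.get("containers", {}).get("cna", {})
    score = None
    for metric in cna.get("metrics", []):
        cvss = metric.get("cvssV2_0") or metric.get("cvssV3_1")
        if cvss and "baseScore" in cvss:
            score = cvss["baseScore"]
            break
    return {
        "offset": change["offset"],
        "type": change["type"],
        "cve": change["resource"],
        "cvss_base_score": score,
        "affected_cpes": [cpe for a in cna.get("affected", [])
                          for cpe in a.get("cpes", [])],
    }


def iter_changes(catalog, fetch_page, page_size=MAX_PAGE, with_empties=False):
    """Walk offsets (last_snapshot_offset, last_offset] in bounded pages.

    fetch_page(params) stands in for the HTTP call to the changes endpoint."""
    start, end = catalog["last_snapshot_offset"], catalog["last_offset"]
    while start < end:
        stop = min(start + page_size, end)
        params = validate_params(start, stop, with_empties)
        body = fetch_page(params)
        for change in body.get("data", []):
            # Assumed meaning of with_empties: include records with no payload.
            if not with_empties and not change.get("payload"):
                continue
            yield summarize_change(change)
        start = stop


# Constructed sample data, shaped like the catalog and changes responses above.
SAMPLE_CATALOG = {"name": "vd_4.8.0", "context": "vd_1.0.0",
                  "last_snapshot_offset": 5, "last_offset": 8}

SAMPLE_CHANGES = {"data": [
    {"context": "vd_1.0.0", "offset": 6, "resource": "CVE-1999-0006",
     "type": "create", "version": 1,
     "payload": {"containers": {"cna": {
         "metrics": [{"format": "CVSS", "cvssV2_0": {"baseScore": 10}}],
         "affected": [{"cpes": ["cpe:2.3:a:qualcomm:qpopper:2.4:*:*:*:*:*:*:*"]}]}}}},
    {"context": "vd_1.0.0", "offset": 7, "resource": "CVE-1999-0007",
     "type": "create", "version": 1,
     "payload": {"containers": {"cna": {
         "metrics": [{"format": "CVSS", "cvssV2_0": {"baseScore": 5}}],
         "affected": [{"cpes": ["cpe:2.3:a:ssleay:ssleay:0.9:*:*:*:*:*:*:*"]}]}}}},
    # Constructed empty record: a delete with no payload.
    {"context": "vd_1.0.0", "offset": 8, "resource": "CVE-1999-0008",
     "type": "delete", "version": 2, "payload": None},
]}


def fake_fetch(params):
    """Offline stand-in for the HTTP call: filters the sample by offset range."""
    lo, hi = params["from_offset"], params["to_offset"]
    return {"data": [c for c in SAMPLE_CHANGES["data"] if lo < c["offset"] <= hi]}


def demo(with_empties=False):
    """Run the consumer over the sample with two-record pages."""
    return list(iter_changes(SAMPLE_CATALOG, fake_fetch, page_size=2,
                             with_empties=with_empties))


if __name__ == "__main__":
    print(json.dumps(demo(with_empties=True), indent=2))
```

Running the file prints the three condensed records; with `with_empties=False` (the default in `demo`) the payload-less delete at offset 8 is dropped. The parameter validation is the part worth carrying into a real client: since the values come straight from the caller's query string and are relayed to an external service, the plugin should bound and type-check them rather than forward them verbatim.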

Member

@AlexRuiz7 AlexRuiz7 left a comment


This proposed solution does not meet the design and implementation restrictions described in the issue.
