Is your feature request related to a problem? Please describe.
When the agent has access to a host, it discovers all networks in which the host has an interface. However, in some scenarios hosts from the client network can access some hosts from the server network because of the firewall rules. This creates a problem: the agent needs to scan the other network, but has no way of knowing it exists (without being told about it specifically).
Currently, this is solved by artificially adding the +-1 neighboring networks to the known network set for every discovered network, assuming that the agent will scan them (which results in some redundant scans).
Suggested solution
To simulate packet sniffing and the detection of traffic traces, which is often used to discover such networks, the proposed solution is to add a new action type CaptureTraffic(source_host:IP, target_host:IP) to the action set.
- source_host is the IP from which the action originates (can be other than target, but must be controlled)
- target_host is the IP where the traffic is captured (must be controlled)
The action will result in the following:
- every other host h_new which is not a member of the known_hosts set and to which the FW allows a connection is discovered with low probability (defined in the task_config.yaml)
- in case there are previous connections from target_host to h_new (actions of other agents), the probability of discovery is increased (perhaps within a given time window, not linearly)
This action will extend the known_hosts set, resulting in a situation in which some known hosts have IPs that are not in any known_networks.
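To make the proposed mechanic concrete, here is an added example of how a CaptureTraffic action could be evaluated in the simulator. This is illustration code written for this issue, not code from the project; the topology, firewall allow-list, traffic log and the task_config keys (base_probability, prior_traffic_boost, time_window) are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample topology (assumption, not from the issue): a client
# network and a server network separated by a firewall that only allows a
# few specific flows.
CLIENT_NET = ipaddress.ip_network("192.168.1.0/24")
SERVER_NET = ipaddress.ip_network("192.168.2.0/24")

# Firewall allow-list as (src, dst) pairs; every other flow is blocked.
FW_ALLOW = {
    ("192.168.1.3", "192.168.2.10"),
    ("192.168.1.3", "192.168.2.11"),
    ("192.168.1.4", "192.168.2.12"),
}

# Constructed traffic log of (src, dst, timestamp) produced by other agents.
TRAFFIC_LOG = [
    ("192.168.1.3", "192.168.2.10", 95.0),  # recent connection
    ("192.168.1.3", "192.168.2.11", 10.0),  # old connection, outside the window
]

ALL_HOSTS = ["192.168.1.3", "192.168.1.4",
             "192.168.2.10", "192.168.2.11", "192.168.2.12"]


@dataclass
class DiscoveryConfig:
    # Hypothetical task_config.yaml keys; the names are assumptions.
    base_probability: float = 0.1     # low base chance per FW-reachable host
    prior_traffic_boost: float = 0.6  # added when recent traffic exists
    time_window: float = 60.0         # how far back prior traffic counts


def fw_allows(src, dst):
    """True if the firewall allows a connection from src to dst."""
    return (src, dst) in FW_ALLOW


def discovery_probability(target_host, h_new, traffic_log, cfg, now):
    """Probability that capturing on target_host reveals h_new.

    Starts from the configured base probability and is raised when the
    traffic log holds a connection target_host -> h_new inside the window.
    """
    p = cfg.base_probability
    recent = [t for (s, d, t) in traffic_log
              if s == target_host and d == h_new and now - t <= cfg.time_window]
    if recent:
        p = min(1.0, p + cfg.prior_traffic_boost)
    return p


def capture_traffic(source_host, target_host, controlled_hosts, known_hosts,
                    all_hosts, traffic_log, cfg, now, draw):
    """Evaluate CaptureTraffic(source_host, target_host).

    Returns the set of newly discovered hosts. `draw` is a callable that
    returns a uniform random number in [0, 1); it is injected so the
    outcome can be reproduced in tests.
    """
    if source_host not in controlled_hosts or target_host not in controlled_hosts:
        raise ValueError("both source_host and target_host must be controlled")
    discovered = set()
    for h in all_hosts:
        # Only hosts not yet known and reachable from target_host through the FW.
        if h in known_hosts or not fw_allows(target_host, h):
            continue
        if draw() < discovery_probability(target_host, h, traffic_log, cfg, now):
            discovered.add(h)
    return discovered


def hosts_outside_known_networks(known_hosts, known_networks):
    """Known hosts whose IP lies in none of the known networks.

    After a successful CaptureTraffic this set is typically non-empty,
    which is the new state the issue describes.
    """
    return {h for h in known_hosts
            if not any(ipaddress.ip_address(h) in n for n in known_networks)}


if __name__ == "__main__":
    import random
    rng = random.Random(1)
    found = capture_traffic("192.168.1.3", "192.168.1.3", {"192.168.1.3"},
                            {"192.168.1.3", "192.168.1.4"}, ALL_HOSTS,
                            TRAFFIC_LOG, DiscoveryConfig(), now=100.0,
                            draw=rng.random)
    print("discovered:", found)
    print("outside known networks:",
          hosts_outside_known_networks({"192.168.1.3"} | found, [CLIENT_NET]))
```

With the sample data, 192.168.2.10 has a recent connection from the capturing host and is discovered with probability 0.7, 192.168.2.11 only with the base 0.1, and 192.168.2.12 is never discovered because the firewall blocks that flow. Setting base_probability to 1 reproduces a deterministic discovery of every FW-reachable host, which is the backward-compatible mode mentioned below.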
Alternatives considered
- leave the existing solution
- just leave it on the agent side
Additional context
The proposed solution should be easily extendable to:
- multiple agents (benign, background traffic, etc.)
- better estimation of the discovery probability in the future
- backward compatibility with previous versions (just set the probability to 1 in the task_config)