New Feature : Network Graph

investigations/tasks.py

@@ -77,6 +77,53 @@ def collect_image_netscan(dump_path):
     data = json.loads(netscan_info)
     return {'netscan': data}
 
+"""
+Network Graph
+"""
+def generate_network_graph(data):
+    graph_data = {'nodes':[], 'edges':[]}
+    for entrie in data:
+        node_data_1 = {'id':entrie['LocalAddr'], 'Involved_PIDs': [entrie['PID']], 'Local_Ports':[entrie['LocalPort']]}
+        node_data_2 = {'id':entrie['ForeignAddr'], 'Involved_PIDs': [entrie['PID']], 'Local_Ports':[entrie['ForeignPort']]}
+        edge_data = {'from': entrie['LocalAddr'], 'to': entrie['ForeignAddr']}
+
+
+        if not graph_data['nodes']:
+            graph_data['nodes'].append(node_data_1)
+
+
+        is_present = False
+
+        for item in graph_data['nodes']:
+            if node_data_1['id'] == item['id']:
+                is_present = True
+                break
+        if not is_present:
+            graph_data['nodes'].append(node_data_1)
+        else:
+            if entrie['PID'] not in item['Involved_PIDs']:
+                item['Involved_PIDs'].append(entrie['PID'])
+            if entrie['LocalPort'] not in item['Local_Ports']:
+                item['Local_Ports'].append(entrie['LocalPort'])
+
+        is_present = False
+        for item in graph_data['nodes']:
+            if node_data_2['id'] == item['id']:
+                is_present = True
+                break
+        if not is_present:
+            graph_data['nodes'].append(node_data_2)
+        else:
+            if entrie['PID'] not in item['Involved_PIDs']:
+                item['Involved_PIDs'].append(entrie['PID'])
+            if entrie['ForeignPort'] not in item['Local_Ports']:
+                item['Local_Ports'].append(entrie['ForeignPort'])
+
+        if edge_data not in graph_data['edges']:
+            graph_data['edges'].append(edge_data)
+
+    return {'network_graph' : json.dumps(graph_data)}
+
 """
 PsScan
 """
@@ -261,6 +308,7 @@ def start_memory_analysis(dump_path,id):
     pstree = collect_image_pstree(dump_path)
     graph = build_graph(pstree['pstree'])
     netscan = collect_image_netscan(dump_path)
+    netgraph = generate_network_graph(netscan['netscan'])
     psscan = collect_image_psscan(dump_path)
     cmdline = collect_image_cmdline(dump_path)
     privileges = collect_image_privileges(dump_path)
@@ -274,6 +322,7 @@ def start_memory_analysis(dump_path,id):
     context.update(pstree)
     context.update(psscan)
     context.update(netscan)
+    context.update(netgraph)
     context.update(graph)
     context.update(cmdline)
     context.update(privileges)

investigations/templates/investigations/network_artifacts/network_graph.html

@@ -0,0 +1,35 @@
+<!-- Investigation network_scan artifacts -->
+<button class="btn btn-warn-d" type="button" data-bs-toggle="collapse" data-bs-target="#collapseNetGraph" aria-expanded="false" aria-controls="collapseNetscan">
+  Network Graph
+</button>
+<div class="collapse mt-5" id="collapseNetGraph">
+  <div id="net_graph" style="height:50rem;"></div>
+  <script>
+    anychart.onDocumentReady(function () {
+      // create data
+      var data = JSON.parse("{{network_graph|escapejs}}");
+      console.log(data);
+      // create a data tree
+      // create a chart and set the data
+      var chart = anychart.graph(data);
+      chart.background().fill("#293b58");
+      chart.nodes().labels().enabled(true);
+
+      chart.nodes().labels().format("{%id}");
+      chart.nodes().labels().fontSize(12);
+      chart.nodes().labels().fontWeight(600);
+      // set the chart title
+      chart.title("Network Communications");
+      // configure tooltips of nodes
+      chart.nodes().tooltip().useHtml(true);
+      chart.nodes().tooltip().format(
+      "<span style='font-weight:bold'>Involved PIDs : {%Involved_PIDs}</span><br><span style='font-weight:bold'>Local Ports: {%Local_Ports}</span>"
+      );
+      // set the container id
+      chart.container("net_graph");
+
+      // initiate drawing the chart
+      chart.draw();
+    });
+  </script>
+</div>

investigations/templates/investigations/reviewinvest.html

@@ -62,10 +62,14 @@
     color:white;
   }
 </style>
-<script src="{% static 'dashboard/anychart-base.min.js'%}"></script>
-<script src="{% static 'dashboard/anychart-sunburst.min.js' %}"></script>
-<script src="{% static 'dashboard/anychart-exports.min.js' %}"></script>
-<script src="{% static 'dashboard/anychart-ui.min.js' %}"></script>
+<script src="https://cdn.anychart.com/releases/8.11.0/js/anychart-base.min.js" type="text/javascript"></script>
+<script src="https://cdn.anychart.com/releases/8.11.0/js/anychart-core.min.js"></script>
+<script src="https://cdn.anychart.com/releases/8.11.0/js/anychart-graph.min.js"></script>
+<script src="https://cdn.anychart.com/releases/8.11.0/js/anychart-sunburst.min.js"></script>
+<!-- <script src="{% static 'dashboard/anychart-base.min.js'%}"></script> -->
+<!-- <script src="{% static 'dashboard/anychart-sunburst.min.js' %}"></script> -->
+<!-- <script src="{% static 'dashboard/anychart-exports.min.js' %}"></script> -->
+<!-- <script src="{% static 'dashboard/anychart-ui.min.js' %}"></script> -->
 <link rel="stylesheet" href="{% static 'dashboard/anychart-ui.min.css' %}">
 <link rel="stylesheet" type="text/css" href="{% static 'dashboard/anychart-font.min.css' %}"/>
 <div class="container-fluid main" style="overflow-y:scroll;" id="main">
@@ -102,6 +106,7 @@ <h4 class="h5">Process Artifacts</h4>
         <li class="list-group-item card-font">
           <h5 class="h5">Network Artifacts</h5>
           {% include "investigations/network_artifacts/network_scan.html" %}
+          {% include "investigations/network_artifacts/network_graph.html" %}
         </li>