Verified Commit dfacaf9c authored by Martin Petráček's avatar Martin Petráček

get mac address interface - check that before creating notification

This addresses the problem that enabling dev-detect and then creating a guest wifi creates a notification about a new device.
The MAC address of br-guest is created randomly, so this cannot be solved by initializing the known MACs at install time.
The detection therefore has to be dynamic, and I see this as the easiest way to solve it.

We are planning to move to ip neigh later anyway, so this won't be needed then.
parent 04e1addf
Pipeline #11586 passed with stage
in 27 seconds
......@@ -52,12 +52,12 @@ def main(argv = sys.argv):
raw_data = suricata_sock.recv(2048).decode('utf-8', 'ignore')
data = json.loads(raw_data)
if data["event_type"] == "flow_start":
mac_store.update(data["ether"]["src"], data["in_dev"])
except ValueError:
logger.warn("received malformed record (invalid JSON) from pakond: {}".format(raw_data))
except KeyError as err:
#We want to ignore missing keys "ether", "src" or "in_dev" - they may be missing, but we don't want warn about that
if err.args[0] != "ether" and err.args[0] != "src" and err.args[0] != "in_dev":
#We want to ignore missing keys "ether", "src" - they may be missing, but we don't want warn about that
if err.args[0] != "ether" and err.args[0] != "src":
logger.warn("received malformed report (missing expected key) from pakond: {}".format(raw_data))
if __name__ == "__main__":
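Review bot: `data["ether"]["src"]` is handed to `mac_store.update()` exactly as it arrived on the socket, and with this commit that value ends up as an argument to an external lookup script. A format check before the call would keep malformed values out of that path, e.g. `if not MAC_RE.match(mac): continue` with `MAC_RE = re.compile(r'^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$')`. Whether `continue` fits depends on the surrounding loop, which lies outside the hunk. As a style point, the `KeyError` test reads more simply as `if err.args[0] not in ("ether", "src"):`.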
......@@ -38,8 +38,12 @@ class MacAddrStore():
self.mac_timeout = 60*60*24*30 #TODO: move to configuration
self.__last_save = int(time.time())
self.__interfaces = interfaces
#add "" to self.__interfaces
#that way, if fails (or doesn't exists) we treat that as ANY_IFACE and we always create notification
#without that, if fails, the notification will never be created
def update(self, mac, device):
def update(self, mac):
"""update MAC address (its timestamp).
if it wasn't seen before, register it (also save file immdiatelly) and create notification for user
timestamp in __known is updated if current timestamp is bigger
......@@ -50,6 +54,7 @@ class MacAddrStore():
if mac in self.__known:
self.__known[mac] = max(int(time.time()), self.__known[mac])
device = self.__lookup_interface(mac)
if device not in self.__interfaces:
t = threading.Thread(target=self.__new_device, args=(mac,device,))
......@@ -135,3 +140,14 @@ class MacAddrStore():
except OSError:
logger.warn("failed to get MAC vendor (using ouidb)")
return ""
def __lookup_interface(self, mac):
"""gets interface for this MAC address (from ip neigh)
returns: string interface - or "" if it's not found (that might happen if address is local)"""
interface = subprocess.check_output(['/usr/share/pakon-dev-detect/', mac])
if interface:
return interface.rstrip() #remove trailing newline
except OSError:
logger.warn("failed to get interface (using")
return ""
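Review bot: In `__lookup_interface`, `subprocess.check_output` returns bytes on Python 3, so `interface.rstrip()` would never equal a string in `self.__interfaces` and the `device not in self.__interfaces` test in `update` (whose body is only partly visible) would always be true; the interpreter version is not shown here, so this needs confirming. Passing `universal_newlines=True` to `check_output` gives text on both Python 2 and 3. Only `OSError` is caught, while a non-zero exit of the script raises `subprocess.CalledProcessError`, which would propagate out of `update`; `except (OSError, subprocess.CalledProcessError):` covers both. If the script prints one line per matching neighbour entry, `rstrip()` leaves embedded newlines, so taking the first line (`interface.splitlines()[0]`) is safer.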
ip neigh | grep -i "$1" | sed -E 's/^.*dev ([^ ]+).*$/\1/'
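Review bot: `grep -i "$1"` treats the argument as a regular expression and, if it begins with `-`, as an option, so a value that is not a well-formed MAC address can match unrelated neighbour entries. `grep -iF -- "$1"` matches it as a fixed string instead. A MAC with several neighbour entries (for example one per address family) produces one output line each, so ending the pipeline with `| head -n 1` gives the caller a single interface name.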
# DevDetect - small utility to detect new devices on local network
# Copyright (C) 2017 CZ.NIC, z.s.p.o. (
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# intended for initializing known_macs file, adds all local mac addresses to known_macs file
# parsing lines in format 'ifname Link encap:Ethernet HWaddr 00:01:02:03:04:05'
# then getting only the last part, converting to json (last seen=2^32-1 - we don't want these addresses to be ever removed)
ifconfig -a | grep "Ethernet" | grep -i hwaddr | awk '{print "\"" tolower($NF)"\": 4294967295,"}'| sort | uniq | tr -d '\n' | sed 's/^/{/' | sed 's/,$/}/'