first commit

Author: p1-martin

AUTHORS

@@ -0,0 +1,26 @@
+Original Authors
+-------- -------
+Martin Kacer <kacer.martin[AT]gmail.com>
+Philippe Langlois <philippe.langlois[AT]p1sec.com>
+ 
+Special thanks to
+-----------------
+Telestax - jSS7, jDiameter opensource project
+ 
+
+Contributors
+------------
+
+
+Acknowledgements
+----------------
+The work is copyrighted also with all right by the original authors:
+ Martin Kacer <kacer.martin[AT]gmail.com>
+ Philippe Langlois <philippe.langlois[AT]p1sec.com>
+
+Commercial license can be also obtained from P1 Security and H21 lab
+and the copyright, authorship and all other rights are held by both
+P1 Security and H21 lab. P1 Security grant to H21 lab the, transferable,
+irrevocable, perpetual, royalty-free right to use, modify, copy, sell,
+and distribute the Original work and Contributions under the terms
+of any OSI recognized Open Source License or any commercial use license.

LICENSE

@@ -0,0 +1,86 @@
+# SigFW
+Open Source SS7/Diameter firewall
+
+## Build instructions
+
+### Prerequisities
+Install Maven
+
+(Optional) Netbeans IDE for developers
+
+### Clone source code
+git clone https://github.com/P1sec/SigFW
+
+### Build SS7FW project
+```bash
+cd ./SigFW/ss7fw/ss7fw.ss7fw-core_jar_1.0.0-SNAPSHOT
+mvn clean install -Dmaven.test.skip=true
+```
+
+### Run SS7FW project
+```bash
+mvn exec:java -Dexec.mainClass="ss7fw.SS7Firewall"
+mvn exec:java -Dexec.mainClass="ss7fw.SS7ClientLiveInput"
+mvn exec:java -Dexec.mainClass="ss7fw.SS7Server"
+```
+
+### Replay traffic from pcap
+```bash
+cd ./input
+mkfifo pipe
+tshark -T ek -x -j "" -r ./input/sigtran.pcap > sigtran.json
+cat ./input/sigtran.json > pipe
+```
+
+![](https://github.com/P1sec/SigFW/blob/master/docs/running_from_netbeans.gif)
+
+### Build DiameterFW project
+```bash
+cd ./SigFW/diameterfw/diameterfw.diameterfw-core_jar_1.0.0-SNAPSHOT
+mvn clean install -Dmaven.test.skip=true
+```
+
+### Run DiameterFW project
+```bash
+mvn exec:java -Dexec.mainClass="diameterfw.DiameterFirewall"
+mvn exec:java -Dexec.mainClass="diameterfw.DiameterClientLiveInput"
+mvn exec:java -Dexec.mainClass="diameterfw.DiameterServer"
+```
+
+### Replay traffic from pcap
+```bash
+cd ./input
+mkfifo pipe
+tshark -T ek -x -j "" -r ./input/diameter.pcap > diameter.json
+cat ./input/diameter.json > pipe
+```
+
+### Security
+For both SS7FW and DiameterFW before using.
+
+realm.properties: Change the username, password for firewall API
+
+sigfw.json: Generate new Public, Private Keys. Change the mThreat salt
+
+Jetty: Change the certificate
+
+### To test the encryption, signatures
+Instead of SS7Firewall run SS7FirewallFirstInstance and SS7FirewallSecondInstance
+
+Instead of DiameterFirewall run DiameterFirewallFirstInstance and DiameterFirewallSecondInstance
+
+## Limitations
+Program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY.
+
+## License
+SigFW is licensed under dual license policy. The default license is the Free Open Source GNU Affero GPL v3.0. Alternatively a commercial license can be obtained from P1 Security S.A.S.
+
+## Attribution
+For the list of contributors, see the AUTHORS file.
+
+Original work was created by Martin Kacer, Philippe Langlois
+
+Copyright 2017, P1 Security S.A.S and individual contributors
+
+We would like to thanks for everyone supporting this project.
+

README.md

@@ -0,0 +1,79 @@
+#!/bin/sh
+#
+#    00-header - create the header of the MOTD
+#    Copyright (C) 2009-2010 Canonical Ltd.
+#
+#    Authors: Dustin Kirkland <[email protected]>
+#
+#    This program is free software; you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation; either version 2 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License along
+#    with this program; if not, write to the Free Software Foundation, Inc.,
+#    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+[ -r /etc/lsb-release ] && . /etc/lsb-release
+
+if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
+	# Fall back to using the very slow lsb_release utility
+	DISTRIB_DESCRIPTION=$(lsb_release -s -d)
+fi
+
+#printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
+
+printf "SigFW\n"
+printf "Open Source SS7/Diameter firewall\n"
+printf "Original work was created by Martin Kacer, Philippe Langlois\n"
+printf "Copyright 2017, P1 Security S.A.S and individual contributors\n"
+printf "See the AUTHORS in the distribution for a full listing of individual contributors.\n"
+printf "\n"
+printf "SigFW is licensed under dual license policy. The default license is\n"
+printf "the Free Open Source GNU Affero GPL v3.0. Alternatively a commercial license\n"
+printf "can be obtained from P1 Security S.A.S.\n"
+printf "\n"
+printf "\n"
+printf "Interfaces:\n"
+printf "   enp0s3 - management (SSH, Web)\n"
+printf "   enp0s8 - signalling (SigFW could be reconfigured here)\n"
+printf "   enp0s9 - passive signalling (port-mirrored traffic)\n"
+printf "\n"
+printf "To access Kibana:\n"
+printf "   http://<host>:5601/\n"
+printf "\n"
+printf "To access API\n"
+printf "   https://<host>:8443/ss7fw_api/1.0/get_status\n"
+printf "\n"
+printf "To check if services are running:\n"
+printf "   sudo service tshark_to_ss7fw status\n"
+printf "   sudo service tshark_to_ek status\n"
+printf "   sudo service ss7fw status\n"
+printf "   sudo service ss7server status\n"
+printf "   sudo service ss7client status\n"
+printf "\n"
+printf "To replay the pcap on passive interface:\n"
+printf "   sudo tcpreplay  --intf1=enp0s9 sigtran.pcap\n"
+printf "\n"
+printf "Description:\n"
+printf "   By default only SS7FW is enabled. The SS7FW is in passive mode.\n"
+printf "   DiameterFW code is present but configured as service system service.\n"
+printf "   Tshark is capturing traffic on enp0s9 and pushing into ElasticSearch.\n"
+printf "   Second instance of tshark is pushing capture into named pipe of SS7FW.\n"
+printf "   The SS7FW consist of ss7client, ss7firewall, ss7server. ss7client replay\n"
+printf "   the captured traffic from enp0s9 towards ss7firewall and ss7server on\n"
+printf "   localhost.\n"
+printf "\n"
+printf "   SS7FW is located in /opt/SigFW/ss7fw/\n"
+printf "   DiameterFW is located in /opt/SigFW/diameterfw/\n"
+printf "\n"
+printf "   Before first run or if the IP has changed, modify /etc/kibana/kibana.yml"
+printf "\n"
+printf "\n"
+printf "To access logs:\n"
+printf "   tail -f /opt/SigFW/ss7fw/ss7fw.ss7fw-core_jar_1.0.0-SNAPSHOT/ss7fw.log\n"

VM/00-header

@@ -0,0 +1,24 @@
+#!/bin/bash - 
+i=0
+while read line; do
+    # process only non empty lines because of older tshark release
+    if [ ! -z "$line" ]; then
+        c=$(printf '%s\n%s\n' "$c" "$line")
+        i=$((i+1))
+
+        # curl only every X seconds 
+        # the better solution is to use logstash or multithreaded client
+        if !((i % 2)) &&  !((SECONDS % 10)) && [[ -v c ]]; then
+            #printf '%s\n' "$c"
+            printf '%s\n' "$c" | curl -o /dev/null --silent -XPUT http://localhost:9200/_bulk --data-binary @- &
+            c=
+            i=0
+        fi
+    fi
+done
+
+#echo $c
+if [[ -v c ]]; then
+#    #printf '%s\n' "$c"
+    printf '%s\n' "$c" | curl -o /dev/null --silent -XPUT http://localhost:9200/_bulk --data-binary @- &
+fi

VM/line_curl.sh

@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+
+if [[ $# -ne 1 ]] ; then
+    echo "usage: template.sh node"
+    exit
+fi
+
+curl -XPUT 'http://'$1'/_template/packets-template' -d '
+{
+    "template": "packets-*",
+    "mappings": {
+        "_default_": {
+            "dynamic": "true",
+            "dynamic_date_formats" : [
+                "yyyy-MM-dd HH:mm:SS"
+            ],
+            "dynamic_templates": [
+                {
+                    "string_fields": {
+                        "match": "*",
+                        "match_mapping_type": "string",
+                        "mapping": {
+                            "index": "not_analyzed",
+                            "omit_norms": true,
+                            "type": "string"
+                        }
+                    }
+                }
+            ],
+            "properties": {
+                "@version": {
+                    "type": "string",
+                    "index": "not_analyzed"
+                }
+            }
+        },
+        "my_mapping": {
+            "numeric_detection": true,
+            "dynamic": "true",
+            "properties": {
+                "timestamp": {
+                   "type": "date"
+                },
+                "layers": {
+                    "properties": {
+                        "tcap": {
+                            "properties": {
+                                "tcap_opCode_tcap_localValue": {
+                                    "type": "integer"
+                                }
+                            }
+                        },
+                        "gsm_map": {
+                            "properties": {
+                                "gsm_old_opCode_gsm_old_localValue": {
+                                    "type": "integer"
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+    }
+}'
+
+echo

VM/mapping_template.sh

@@ -0,0 +1,14 @@
+[Unit]
+Description=SS7FW client service
+
+[Service]
+User=p1sec
+Group=p1sec
+WorkingDirectory=/opt/SigFW/ss7fw/ss7fw.ss7fw-core_jar_1.0.0-SNAPSHOT
+ExecStart=/usr/bin/mvn exec:java -Dexec.mainClass="ss7fw.SS7ClientLiveInput"
+#Restart=always
+StandardOutput=null
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

VM/ss7client.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=SS7FW service
+
+[Service]
+User=p1sec
+Group=p1sec
+WorkingDirectory=/opt/SigFW/ss7fw/ss7fw.ss7fw-core_jar_1.0.0-SNAPSHOT
+ExecStart=/usr/bin/mvn exec:java -Dexec.mainClass="ss7fw.SS7Firewall"
+#Restart=always
+StandardOutput=null
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

VM/ss7fw.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=SS7FW server service
+
+[Service]
+User=p1sec
+Group=p1sec
+WorkingDirectory=/opt/SigFW/ss7fw/ss7fw.ss7fw-core_jar_1.0.0-SNAPSHOT
+ExecStart=/usr/bin/mvn exec:java -Dexec.mainClass="ss7fw.SS7Server"
+#Restart=always
+StandardOutput=null
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

VM/ss7server.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=tshark to elasticsearch
+
+[Service]
+User=p1sec
+Group=p1sec
+WorkingDirectory=/opt/SigFW/VM/
+ExecStart=/opt/SigFW/VM/tshark_to_ek.sh
+#Restart=always
+StandardOutput=null
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

VM/tshark_to_ek.service

@@ -0,0 +1,2 @@
+#!/bin/bash -
+tshark -i enp0s9 -T ek -l | /opt/SigFW/VM/line_curl.sh

VM/tshark_to_ek.sh

@@ -0,0 +1,14 @@
+[Unit]
+Description=tshark to SS7FW
+
+[Service]
+User=p1sec
+Group=p1sec
+WorkingDirectory=/opt/SigFW/VM/
+ExecStart=/opt/SigFW/VM/tshark_to_ss7fw.sh
+#Restart=always
+StandardOutput=null
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

VM/tshark_to_ss7fw.service

@@ -0,0 +1,2 @@
+#!/bin/bash -
+tshark -i enp0s9 -T ek -x -j " " -l > /opt/SigFW/ss7fw/ss7fw.ss7fw-core_jar_1.0.0-SNAPSHOT/input/pipe

VM/tshark_to_ss7fw.sh

@@ -0,0 +1,7 @@
+target/
+XmlDiameterClientLiveInput/
+XmlDiameterFirewall/
+*.last
+input/*
+127*.xml
+server*.xml