Useful Functions

From Observer GigaFlow Support | VIAVI Solutions Inc.

Sleep

/**
 * Block the calling script for roughly `delay` milliseconds.
 *
 * This is a busy-wait: the loop keeps re-reading the wall clock until the
 * deadline has passed, so the executing thread is occupied for the whole delay.
 *
 * @param {number} delay - time to wait, in milliseconds
 */
function sleep(delay) {
  var deadline = new Date().getTime() + delay;
  while (new Date().getTime() < deadline) {
    // spin until the deadline is reached
  }
}

HTTP Request with pem files

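// Fetch a search result over HTTPS using a client certificate, then log the
// source and destination address of every hit in the response.
var utils = Java.type('ros.CROSUtils');

// Judging by the file names, the first two arguments are the client
// certificate and its private key (both PEM), followed by the URL.
// The key is read from c:/temp in this example; for real use keep the private
// key in a directory that only the account running the script can read.
//var d = utils.getJSONFromString(utils.getHTTPsGet("c:/temp/viavi1Cert.pem", "c:/temp/viavi1-Key.pem", "https://proxy.lynchehaun.net:6200/nuage_dpi_flowstats-2020.12.09-000001/_search"));
var d = JSON.parse(utils.getHTTPsGet("c:/temp/viavi1Cert.pem", "c:/temp/viavi1-Key.pem", "https://proxy.lynchehaun.net:6200/nuage_dpi_flowstats-2020.12.09-000001/_search"));
log.warn(d);

// The body comes from a remote service, so tolerate a response without hits
// instead of failing on a missing property.
var hits = (d && d.hits && d.hits.hits) ? d.hits.hits : [];
for (var n = 0; n < hits.length; n++) {
  var el = hits[n];
  log.warn(JSON.stringify(el._source.SrcIp + "\t" + el._source.DstIp));
}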

Adding attributes, automatically creating the category if it doesn't exist

// Argument order in every call: address, category, attribute value.

// Add the "New York" attribute to the "State" category for this IP
actions.addIPAttribute("172.21.40.14", "State", "New York");

// Add the "Washington" attribute to the "State" category for this MAC
actions.addMACAttribute("a4:ba:db:ff:18:bc", "State", "Washington");

// Add the "Colorado" attribute to the "City" category for the same MAC
actions.addMACAttribute("a4:ba:db:ff:18:bc", "City", "Colorado");

JSON access to data

// Parse the first entry of the event's "fields" list as JSON and log two of
// its string values.
var utils = Java.type('ros.CROSUtils');
var firstField = data.get("fields").get(0);
var json = utils.getJSONFromString(firstField);
var wanted = ['field_1', 'field_2'];
for (var n = 0; n < wanted.length; n++) {
  log.warn(json.getString(wanted[n]));
}

Base64 encoding and decoding

// Round-trip two sample strings through Base64 and log every stage.
//
// Base64 is a reversible encoding, not encryption: anyone who can read the
// encoded value can recover the original, as the decode calls below show.
// The password here is a sample value and is logged only to show the round trip.
var utils = Java.type('ros.CROSUtils');
var user = 'Kevin';
var password = '!£$%^&*()1234kevin';

var encodeduser = utils.base64EncodeString(user);
var encodedpass = utils.base64EncodeString(password);
var decodeduser = utils.base64DecodeString(encodeduser);
var decodedpass = utils.base64DecodeString(encodedpass);

// Both log lines start with the same plain-text inputs
var inputs = "user:" + user + " password:" + password;
log.warn(inputs + " encodeduser:" + encodeduser + " encodedpass:" + encodedpass);
log.warn(inputs + " decodeduser:" + decodeduser + " decodedpass:" + decodedpass);
//Output= user:Kevin password:!£$%^&*()1234kevin encodeduser:S2V2aW4= encodedpass:IcKjJCVeJiooKTEyMzRrZXZpbg==
//Output= user:Kevin password:!£$%^&*()1234kevin decodeduser:Kevin decodedpass:!£$%^&*()1234kevin

Http Post with attributes

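// Send a POST with a list of attributes and log the response body.
var utils = Java.type('ros.CROSUtils');
var thisurl = 'https://jsonplaceholder.typicode.com/posts/1';

// The POST uses the https:// form of the endpoint so the attributes are not
// sent in clear text.
var posturl = 'https://jsonplaceholder.typicode.com/posts';

// Each attribute is a [name, value] pair.
var attributes = [["title","fook"],["body","bark"],["userId","1"]];

// No credentials are needed for this request, so none are defined, encoded
// or written to the log here.

//log.warn(utils.HTTPSClientGet(thisurl))
log.warn(utils.HTTPSClientPost(posturl, attributes));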


Live DNS lookups

// Reverse-resolve an address with a live lookup through the JVM's resolver.
var InetSocketAddress = Java.type('java.net.InetSocketAddress');

// Port 0 is a placeholder: only the address part of the socket address is used.
var socketAddress = new InetSocketAddress("172.21.40.14", 0);

// getCanonicalHostName() falls back to the textual IP address when no name is
// found. The name comes from reverse DNS, which is controlled by whoever runs
// the reverse zone, so treat it as a label rather than as proof of identity.
var hostname = socketAddress.getAddress().getCanonicalHostName();
log.warn(hostname);

Cached DNS lookups

// Resolve an address through the DNS cache and log the cached name.
// NOTE(review): the getDNS example on this page checks the result of
// resolve() for null; confirm whether that can happen here before reading .name.
var cached = actions.dnsCache.resolve("172.21.40.14");
var hostname = cached.name;
log.warn(hostname);

See if an ip address is within a range using isIPInRange function

// Log a newly seen ARP entry together with the result of testing its address
// against the range 172.21.40.0 - 172.21.40.254.
var utils = Java.type('ros.CROSUtils');

// The line is built field by field, in the order it is logged
var line = "new arp " + data.get("display");
line += " " + data.get("ifdisplay");
line += " " + data.get("ip");
line += " " + data.get("macAddress");
line += " " + data.get("seenIPAddress");
// isIPInRange(address, rangeStart, rangeEnd)
line += " " + utils.isIPInRange(data.get("seenIPAddress"), "172.21.40.0", "172.21.40.254");
log.warn(line);

Sending Syslog Messages

// Send the text "test" through the configured syslog sender
var syslogSender = actions.ros.getSyslogSender();
syslogSender.send("test");


Searching for IP addresses seen

// Report, for each address from 172.21.40.0 to 172.21.40.254, whether it
// appears in the table of seen IP addresses.
var utils = Java.type('ros.CROSUtils');

// Number of addresses currently in the table
log.warn(actions.allIPs.size());

var prefix = "172.21.40.";
for (var host = 0; host < 255; host++) {
  checkAddress(prefix + host);
}
/**
 * Log whether one dotted address is present in actions.allIPs.
 *
 * The table is keyed by the value utils.inet_atob() returns for the address.
 *
 * @param {string} address - dotted IP address to look up
 */
function checkAddress(address){
  var key = utils.inet_atob(address);
  if (!actions.allIPs.containsKey(key)){
    log.warn("didnt see "+address);
    return;
  }
  log.warn("seen "+address+" "+actions.allIPs.get(key));
}

Resolve DNS

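/**
 * Look up an address in the DNS cache and return a display label for it.
 *
 * @param {string} ip - address to resolve
 * @returns {string} "Hostname:<name>" when the cache entry's name differs
 *   from the address itself, otherwise an empty string (also when the cache
 *   returns no entry)
 */
function getDNS(ip){
    log.warn("getDNS:"+actions.dnsCache.cache.size());
    log.warn("getDNS:\""+ip+"\"");
    var ret = actions.dnsCache.resolve(ip);
    log.warn(ret);

    // Test for a missing entry before reading its fields; `== null` matches
    // both null and undefined.
    if (ret == null){
        return "";
    }

    log.warn(ret.name);
    log.warn(ret.ip);
    log.warn(ret.resolved);

    // An entry whose name equals the address carries no hostname to report
    if (ret.name !== ip){
        log.warn(ret);
        // The name originates from DNS; escape it if it is later placed in
        // HTML or SQL.
        return "Hostname:"+ret.name;
    }
    return "";
}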

Clear empty tables

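// Drop netflow tables that are empty and whose time window ended more than
// four days ago, then compact three system catalogs.
//
// Table names are read from the catalog and concatenated into SQL text
// (identifiers cannot be bound as ? parameters), so every name is checked
// against a strict pattern before it is used in a statement.
var query = "SELECT nspname || '.' || relname AS \"relation\",   pg_size_pretty(pg_relation_size(C.oid)) AS \"size\" FROM pg_class  C  LEFT JOIN pg_namespace N ON (N.oid = C.relnamespace) "
+"WHERE nspname NOT IN ('pg_catalog', 'information_schema') "
+"and relname like 'netflow________%' "
+"and pg_relation_size(C.oid)=0 "
+"ORDER BY pg_relation_size(C.oid) asc;"

// schema.netflow... made only of letters, digits and underscores
var SAFE_RELATION = /^[A-Za-z_][A-Za-z0-9_]*\.netflow[A-Za-z0-9_]+$/;

var cuttofftime = (new Date().getTime())-(1000*60*60*24*4); // now minus four days, in ms
var cuttoffwindow = 1000*60*60*24; // one day in ms; only used in the log output
log.warn(cuttofftime+" "+cuttoffwindow);
log.warn("Clean empty tables, start");
var rows = actions.getDatabaseManager().getVectorFromDBprepared(query,[])
// NOTE(review): this listing uses rows.size() here and rows.length / rows[i]
// below; confirm that the returned collection supports both forms.
log.warn("Clean empty tables, rows:"+rows.size());
var countremove=0;
var countskipped=0;
for (var i=0;i<rows.length;i++){
  var relation = String(rows[i][0]);
  if (!SAFE_RELATION.test(relation)){
    // Never build DDL from a name that does not look like a netflow table
    countskipped++;
    log.warn("Clean empty tables, skipping unexpected relation name: "+relation);
    continue;
  }
  var fields = relation.split("_");
  // The log labels below call field 4 "time" and field 5 "window"
  var tabletime = parseInt(fields[4], 10);
  var tablewindow = parseInt(fields[5], 10);
  var detail = relation+" 0:"+fields[0]+" 1:"+fields[1]+" 2:"+fields[2]+" 3:"+fields[3]+" 4:"+fields[4]+" 5:"+fields[5];
  if ((tabletime+tablewindow)<cuttofftime){
    // Re-count right before dropping: the size check in the query may be stale
    var rowcount=actions.getDatabaseManager().getLongFromDB("select count(*) from "+relation,0)
    if (rowcount==0){
      countremove++;
      log.warn("Clean empty tables, removing:" +detail);
      actions.getDatabaseManager().executePrepared("drop table "+relation,[])
    }else{
      log.warn("Clean empty tables, not removing unempty taable:" +detail+" rowcount"+rowcount);
    }
  }else{
    countskipped++;
    log.warn("Clean empty tables, skipping: "+detail+" time:"
          +(tabletime<cuttofftime)+" window:"+(tablewindow<cuttoffwindow)+" "+(tabletime+tablewindow)+" "+((tabletime+tablewindow)<cuttofftime));
  }
}
log.warn("Clean empty tables, removed:"+countremove+" skipped:"+countskipped);
// VACUUM FULL rewrites each catalog under an exclusive lock, so other
// sessions that need these catalogs wait until it finishes.
log.warn("Clean empty tables, vacuuming:pg_catalog.pg_inherits");
actions.getDatabaseManager().executePrepared("vacuum full pg_catalog.pg_inherits;",[])
log.warn("Clean empty tables, vacuuming:pg_catalog.pg_constraint");
actions.getDatabaseManager().executePrepared("vacuum full pg_catalog.pg_constraint;",[])
log.warn("Clean empty tables, vacuuming:pg_catalog.pg_depend");
actions.getDatabaseManager().executePrepared("vacuum full pg_catalog.pg_depend;",[])
log.warn("Clean empty tables, Done");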


Disable autovacuum

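// Turn autovacuum off (table and TOAST) on every netflow table.
// With autovacuum disabled the tables no longer receive routine automatic
// vacuum or analyze runs; PostgreSQL still forces a vacuum when needed to
// prevent transaction ID wraparound.
var query = "SELECT nspname || '.' || relname AS \"relation\"   FROM pg_class  C  LEFT JOIN pg_namespace N ON (N.oid = C.relnamespace) "
+"WHERE nspname NOT IN ('pg_catalog', 'information_schema') "
+"and relname like 'netflow________%';"

// The table name is concatenated into the ALTER statement (identifiers cannot
// be bound as ? parameters), so accept only schema.netflow... names made of
// letters, digits and underscores.
var SAFE_RELATION = /^[A-Za-z_][A-Za-z0-9_]*\.netflow[A-Za-z0-9_]+$/;

var rows = actions.getDatabaseManager().getVectorFromDBprepared(query,[])
log.warn("Setting tables, rows:"+rows.size());
var count=0;
for (var i=0;i<rows.length;i++){
  var relation = String(rows[i][0]);
  if (!SAFE_RELATION.test(relation)){
    log.warn("Setting tables, skipping unexpected relation name:"+relation);
    continue;
  }
  count++;
  log.warn("Setting tables :"+count+" "+relation);
  actions.getDatabaseManager().executePrepared("alter table "+relation+" set (autovacuum_enabled = false, toast.autovacuum_enabled = false)",[])
}
log.warn("Setting tables, donw:"+count);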

SNMP To A Device

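// Write an HTML page listing the software version (read over SNMP) of every
// device whose sysObjectID falls under 1.3.6.1.4.1.9.6.1.88.26.
//
// NOTE(review): the table markup inside the string literals of this listing
// was lost when the page was rendered. The <table>/<tr>/<th>/<td> tags below
// are a reconstruction from the surviving column names and values - confirm
// against the original script.
var BigInteger = Java.type("java.math.BigInteger");
var rosutils = Java.type('ros.CROSUtils');
var PrintWriter = Java.type('java.io.PrintWriter');

// Device name, description and SNMP text are supplied by the devices
// themselves, and the file is written under the web application's static
// directory, so every value is HTML-escaped before it goes into the page.
function escapeHtml(value){
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// One escaped table cell
function cell(value){
  return "<td>"+escapeHtml(value)+"</td>";
}

var writer = new PrintWriter("./resources/webapps/static/softwareversions.html", "UTF-8");
try {
  writer.println("<html>");
  writer.println("<head>");
  writer.println("<link href='/static/css/jquery.dataTables.css' rel='stylesheet'>");
  writer.println("<link href='/static/css/dashboard.css' rel='stylesheet'>");
  writer.println("</head>");
  writer.println("<body><table><thead><tr><th>IP</th><th>Name</th><th>OID</th><th>Version</th><th>Description</th></tr></thead><tbody>");
  var devices = actions.getDatabaseManager().getVectorFromDBprepared("select  ip from devices;",[]);
  for (var i = 0; i < devices.size(); i++) {
    var thisDevice = actions.getDevice(devices.get(i)[0]);
    // Dots are escaped so they match only a literal "." in the OID
    if (thisDevice.getSysOID().match(/1\.3\.6\.1\.4\.1\.9\.6\.1\.88\.26\..*/)){
      var version = actions.querySNMPText(thisDevice, '.1.3.6.1.4.1.9.6.1.101.2.16.1.1.5.1', -1);
      writer.println("<tr>"+cell(thisDevice.getIP())+cell(thisDevice.getName())+cell(thisDevice.getSysOID())+cell(version)+cell(thisDevice.getSysDescr())+"</tr>");
    }else{
      log.warn("No version:"+thisDevice)
    }
  }
  writer.println("</tbody></table></body></html>");
} finally {
  // Close the file even when a device lookup or SNMP query throws
  writer.close();
}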

Processing synner data

//This script should be set to run every minute
//It finds the SYN sources that match the thresholds below so that additional actions can be performed on them.
//With these values a source qualifies when it sent SYNs to exactly one destination IP on 2 to 14 distinct ports.
var utils = Java.type('ros.CROSUtils'); //load utility classes
var upperPortCountThreshold = 15; //upper boundary: only synners that probed fewer ports than this are eligible
var lowerPortCountThreshold = 1; //lower boundary: only synners that probed more ports than this are eligible
var ipCount = 1; //unique destination IP count to match

var synners = actions.ros.synMonitor.synners;
for (var synner in synners) { //the loop variable is the synner's IP key
  var synEntry = synners.get(synner); //entry for the current synner
  if (synEntry.ipAlerted) {
    continue; //already alerted on, do not reprocess
  }
  //check the thresholds one at a time
  if (synEntry.getIps() != ipCount) {
    continue;
  }
  if (!(synEntry.getDstports() > lowerPortCountThreshold)) {
    continue;
  }
  if (!(synEntry.getDstports() < upperPortCountThreshold)) {
    continue;
  }
  //log the matching details
  log.warn("Synner:"+utils.inet_btoa(synner)+" synCount:"+synEntry.getSyncount()+" Unique IPs:"+synEntry.getIps()+" UniquePorts:"+synEntry.getDstports());
  //Perform actions
  synEntry.ipAlerted = true; //mark as alerted so the next run skips this entry
}

Find Un-managed Devices

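// Walk the listed subnets and collect addresses that answer on a TCP port but
// are not known as managed devices.
var utils = Java.type('ros.CROSUtils');
var BigDecimal=Java.type("java.math.BigDecimal")
var BigInteger=Java.type("java.math.BigInteger")
// java.lang.Long gets its own name; it was previously assigned to `Integer`
// and immediately overwritten by the next line.
var Long = Java.type("java.lang.Long")
var Integer = Java.type("java.lang.Integer")
var jsonarray = Java.type('org.json.JSONArray');

// TCP ports probed on every unmanaged address. Each probe is an active
// connection attempt, so it will appear in the logs of the probed hosts and
// of any IDS watching these subnets.
var portsToTest=[22,80,21]
var message="Unmanaged devices";
addSubnet("172.21.21.20/24");
addSubnet("172.21.50.0/24");
//addSubnet("1.0.0.0/29");
//addSubnet("192.168.1.0/24");
log.warn(message);
//actions.sendMail('emailaddress@emailaddress.here', 'Potential new devices'  ,message);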
/**
 * Probe the ports in portsToTest on one address and report whether any of
 * them produced a response value greater than -1.
 *
 * The first such result entry is logged before returning.
 * NOTE(review): the meaning of the trailing 100 and 10 arguments of
 * tcpPortTest is not visible on this page - confirm (timeout / concurrency?).
 *
 * @param {string} ip - address to probe
 * @returns {boolean} true as soon as one entry has response > -1, else false
 */
function isAlive(ip){
  var results = new jsonarray(true);
  utils.tcpPortTest(results, ip, portsToTest, 100, 10);
  var index = 0;
  while (index < results.length()){
    var entry = results.getJSONObject(index);
    if (entry.getInt("response") > -1){
      log.warn(entry);
      return true;
    }
    index += 1;
  }
  return false;
}
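/**
 * Check every address of a subnet and append the live, unmanaged ones to the
 * global `message`.
 *
 * An address counts as managed when actions.getDevice() returns a device for
 * it. Each remaining address is probed once with isAlive().
 *
 * @param {string} subnet - subnet in "address/prefix" notation
 */
function addSubnet(subnet){
  // d[0] and d[1] are the first and last address of the range
  var d = utils.getIPRange(subnet.split("/"))
  //log.warn(utils.inet_btoa(d[0])+" - "+utils.inet_btoa(d[1]));
  for (var i=d[0];i.compareTo(d[1])<1;i=i.add(BigInteger.ONE)){
    var address = utils.inet_btoa(i);
    if (actions.getDevice(address)!==null){
      //log.warn(address+" is already managed")
      continue;
    }
    // Probe once and reuse the result, so each host sees a single round of
    // connection attempts instead of two.
    if (isAlive(address)){
      // One finding per line keeps the collected message readable
      message+="\n"+address+" is on the network and unmanaged"
      log.warn(address+" "+true)
    }
  }
  log.warn(d);
}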

Adding arp users

// Shared by every addArp() call below: the utility class and one timestamp
// (milliseconds since the epoch) taken when the script starts.
var utils = Java.type('ros.CROSUtils');
var now = Date.now();
/**
 * Register an ARP entry and its user on a known router, in memory and in the
 * day tables of the database.
 *
 * All values reach the database as bound ? parameters; only the numeric day
 * suffix of the table name is concatenated into the SQL text.
 *
 * @param {string} deviceip - address of the router that saw the entry
 * @param {string} amac - MAC address in text form
 * @param {string} athisip - IP address in text form
 * @param {string} username - user to associate with the IP
 * @param {string} domain - user's domain (may be empty)
 * @param {number} ifindex - interface index on the router
 */
function addArp(deviceip,amac,athisip,username,domain,ifindex){
  var router = actions.getDevice(deviceip);
  var mac = utils.macToLong(amac);
  var thisip = utils.inet_atob(athisip);

  if (router === null){
    log.warn("unknown router:"+deviceip);
    return;
  }

  log.warn("known router:"+router);
  router.addArp(ifindex, mac, thisip, now);
  actions.addUserToIP(router, thisip, username, domain, now, true);

  // Tables are split per day: the suffix is `now` rounded down to midnight
  var daySuffix = now - (now % 86400000);
  var db = actions.getDatabaseManager();
  db.executePrepared(
    "insert into arps_0_"+daySuffix+"(customerid,device,ip,mac,userid,domain,ifindex,firstseen,lastseen) values(?,?,?,?,?,?,?,?,?)",
    0, router.getIp(), thisip, mac, username, domain, ifindex, now, now);
  db.executePrepared(
    "insert into cams_0_"+daySuffix+" values(?,?,?,?,?,?,?)",
    0, router.getIp(), mac, 0, ifindex, now, now);
  db.executePrepared(
    "insert into searchips_0_"+daySuffix+" values(?,?,?,?,?,?,?) ",
    thisip, now, router.getIp(), ifindex, 1, username, domain);
}
// Sample entries. Argument order: router IP, MAC, user's IP, user name, domain, ifindex.
addArp("10.20.170.254", "18:a9:05:cc:ab:cd", "10.200.6.22", "john.smith", "viavi", 30);
addArp("172.21.42.3", "c0:4a:00:2c:d4:06", "10.238.12.30", "john.smith", "viavi", 30);
// This entry gives the user as a full address and leaves the domain empty
addArp("10.238.12.30", "18:a9:05:4b:ab:cd", "10.238.12.30", "bill.procotor@viavisolutions.com", "", 30);


Accessing users to ip

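// Log every user-to-IP mapping currently held in memory.
// The output contains user names and domains, so it ends up in whatever
// store the log is written or forwarded to.
var userdata = actions.usersToIP;
log.warn(userdata)
// The unused keys() call was dropped, and entries are read through the same
// reference that is being iterated.
for (var i in userdata){
  var seen = userdata.get(i).seenuser;
  log.warn(i+" "+seen.getCurrentIP()+" "+seen.getLastSeen()+" "+seen.getUserName()+" "+seen.getUserDomain())
}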

Create LLDP Table

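// Rebuild the lldpneighbours table from the LLDP entries of every device:
// insert one row per neighbour stamped with this run's time, then delete the
// rows left over from earlier runs.
var utils = Java.type('ros.CROSUtils');
var db = actions.getDatabaseManager();

// "if not exists" lets the script run repeatedly without failing on the
// table it created the first time.
db.executePrepared("create table if not exists lldpneighbours(lastseen bigint,device numeric(39),ip text,localintrface text, ifindex int, lldptype int,peeraddress text, peername text, peerplatform text ) ",[])
var timenow = utils.now();
for (var deviceid in actions.getDevices()){
  var device = actions.getDevice(deviceid);
  if (device.lldpEntries.size()>0){
    //log.warn("---device:"+device+" lldps:"+device.lldpEntries.size());
    for (var lldpid in device.lldpEntries){
      var lldp = device.lldpEntries.get(lldpid);
      //log.warn(lldp);
      var ifindex = device.getIfIndexFromName(lldp.getLocalinterface());
      if (ifindex>-1){
        log.warn(timenow+" "+device.getIp()+" "+device.getIP()+" name:"+lldp.getLocalinterface()+"  ifindex:"+ifindex+"-------lldp:"+lldp.getType()+" getPeerAddress:"+lldp.getPeerAddress()+" getPeerName:"+lldp.getPeerName()+" getPlatform:"+lldp.getPlatform());
        // Peer address, name and platform are advertised by the neighbouring
        // device, so they are passed as bound parameters instead of being
        // concatenated into the statement. The value list follows the
        // executePrepared(sql, value, ...) form used by the "Adding arp users"
        // script on this page.
        db.executePrepared("insert into lldpneighbours values  (?,?,?,?,?,?,?,?,?)",
          timenow,
          device.getIp(),
          device.getIP(),
          utils.cleanText(lldp.getLocalinterface()),
          ifindex,
          lldp.getType(),
          lldp.getPeerAddress(),
          utils.cleanText(lldp.getPeerName()),
          utils.cleanText(lldp.getPlatform()))
      }else{
        //Couldn't identify interface
      }
    }
  }
}
// Anything not stamped by this run is stale
db.executePrepared("delete from  lldpneighbours where lastseen!=?", timenow)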


Injecting events into the database directly

// Insert one "Interface State" event straight into the current events table.
var utils = Java.type('ros.CROSUtils');
var ros = Java.type('ros.ROS');

// Register a display name for the custom event type 1000
ros.postureToString.put(1000,"Interface State");

var now = new Date().getTime();
log.warn("ROS.eventsWindow:"+ros.eventsWindow);
var fields = '(customerid,device,firstseen,eventtype,eventsrctype,eventsrc,message,datatype,data,datasource,category,confidence,severity,target)';

//Just edit the following
var state = "Down";
var deviceip = "172.21.21.254";
var ifindex = 1;
//

// Column values, in the same order as `fields`
var customerid = 0;
var device = utils.inet_atob(deviceip);
var firstseen = now;
var eventtype = 1000;
var eventsrctype = 8;
var eventsrc = deviceip;
var message = "Interface "+state+" on ifindex:"+ifindex;
var datatype = 1;
var data = JSON.stringify({"inif":ifindex,"outif":ifindex,"device":deviceip});
var datasource = "IF Script";
var category = "Interface "+state;
var confidence = 100;
var severity = 100;
var target = deviceip;

// Events tables are split per window: the suffix is `now` rounded down to the
// start of the current window. Every column value is a bound ? parameter.
var windowStart = now - (now % ros.eventsWindow);
var sql = "insert into events_"+windowStart+" "+fields+" values  (?,?,?,?,?,?,?,?,?,?,?,?,?,?)";
log.warn(sql);
actions.getDatabaseManager().executePrepared(sql,
  customerid, device, firstseen, eventtype, eventsrctype, eventsrc, message,
  datatype, data, datasource, category, confidence, severity, target);

Interface state

// Log name, speed and admin/oper status of every interface on each device
// that has snmpOK set and at least one interface.
for (var deviceid in actions.getDevices()){
  var device = actions.getDevice(deviceid);
  if (!device.snmpOK || !(device.interfaces.size() > 0)){
    continue;
  }
  var ar = device.interfaces.values().toArray();
  for (var anint in ar){
    var iface = ar[anint];
    var line = device.getIP()+" ifindex:"+iface.ifindex;
    line += " ifName:"+iface.ifName;
    line += " ifAlias:"+iface.ifAlias;
    line += " speedIn:"+iface.speedIn;
    line += " speedOut:"+iface.speedOut;
    line += " adminStatus:"+iface.adminStatus;
    line += " operStatus:"+iface.operStatus;
    log.warn(line);
  }
}