Create initial Client-Server Communication

.gitignore

@@ -11,6 +11,10 @@ vcpkg/
 *.lib
 *.aps
 
+# BLUESPAWN-common
+BLUESPAWN-common/bluespawnpb/*.h
+BLUESPAWN-common/bluespawnpb/*.cc
+
 # BLUESPAWN-win-client
 BLUESPAWN-win-client/external/
 BLUESPAWN-win-client/resources/severe

BLUESPAWN-common/bluespawnpb/bluespawn.proto

@@ -0,0 +1,193 @@
+syntax = "proto3";
+package bluespawn.protobuffer;
+
+option go_package = "BLUESPAWN/BLUESPAWN-common/bluespawnpb";
+
+/* Core BLUESPAWN RPC Server */
+service BluespawnRPC {
+	// Clients logging to Server
+	rpc SendLogMessage(LogMessage) returns (ResponseMessage) {}
+	rpc RecordDetection(Detection) returns (ResponseMessage) {}
+	rpc AddAssociation(DetectionAssociation) returns (ResponseMessage) {}
+	rpc UpdateCertainty(DetectionCertaintyUpdate) returns (ResponseMessage) {}
+}
+
+/* Data Type Enums */
+// General and Log
+enum LogDetail {
+	Low = 0;
+	Moderate = 1;
+	High = 2;
+}
+
+enum LogSeverity {
+	LogError = 0;
+	LogWarn = 1;
+	LogInfo = 2;
+	LogVerbose = 3;
+}
+
+// Windows Objects
+enum RegistryType {
+	RegSz = 0;
+	RegExpandSz = 1;
+	RegMultiSz = 2;
+	RegDword = 3;
+	RegBinary = 4;
+}
+
+// Detections
+enum DetectionType {
+	ProcessDetection = 0;
+	RegistryDetection = 1;
+	FileDetection = 2;
+	ServiceDetection = 3;
+	OtherDetection = 4;
+}
+
+enum DetectionRecordType {
+	PreScan = 0;
+	PostScan = 1;
+}
+
+enum RegistryDetectionType {
+	CommandReference = 0;
+	FileReference = 1;
+	FolderReference = 2;
+	PipeReference = 3;
+	ShareReference = 4;
+	UserReference = 5;
+	Configuration = 6;
+	Unknown = 7;
+}
+
+enum ProcessDetectionType {
+	MaliciousProcess = 0;
+	MaliciousImage = 1;
+	MaliciousMemory = 2;
+	MaliciousCommand = 3;
+}
+
+/* Message Serializers Types */
+// General and Log
+message LogMessage {
+	string client_id = 1;
+	int64 timestamp = 2;
+	string message = 3;
+	LogSeverity severity = 4;
+	LogDetail detail = 5;
+}
+
+message ResponseMessage {
+	bool received = 1;
+	bool success = 2;
+	string message = 3; // optional
+}
+
+// Windows Objects
+message RegistryKey {
+	string key_path = 1;
+	bool exists = 2;
+}
+
+message RegistryValue {
+	string value_name = 1;
+	string value_data = 2;
+}
+
+// Detections
+message DetectionAssociation {
+	int64 detection_id = 1; // NOTE: Request change to string
+	int64 associated_id = 2; // NOTE: Request change to string
+	double strength = 3;
+}
+
+message DetectionCertaintyUpdate {
+	int64 id = 1; // NOTE: Request change to string
+	double raw_certainty = 2;
+	double certainty = 3;
+}
+
+message YaraScanResult {
+	repeated string known_bad_rules = 1;
+	repeated string indicator_rules = 2;
+}
+
+message ProcessDetectionData {
+	ProcessDetectionType type = 1;
+	uint64 pid = 2; // optional
+	uint64 tid = 3; // optional
+	string process_name = 4; // optional
+	string process_path = 5; // optional
+	string process_command = 6; // optional
+	// TODO: add repeated ParentProcess which is a ProcessDetectionData
+	string base_address = 7; // optional
+	uint64 memory_size = 8; // optional
+	string image_name = 9; // optional
+}
+message FileDetectionData {
+	bool exists = 1;
+	string file_path = 2;
+	string file_name = 3;
+	string file_extension = 4; // optional
+	string file_type = 5; // optional
+	string executor = 6; // optional
+	string md5 = 7; // optional
+	string sha1 = 8; // optional
+	string sha256 = 9; // optional
+	uint64 last_opened = 10; // optional
+	uint64 file_created = 11; // optional
+	YaraScanResult yara = 12; // optional
+	bool file_signed = 13; // optional
+	string signer = 14; // optional
+}
+message RegistryDetectionData {
+	string key_path = 1;
+	RegistryKey key = 2;
+	RegistryValue value = 3; // optional
+	RegistryDetectionType type = 4; // optional 
+}
+message ServiceDetectionData {
+	string service_name = 1; // optional
+	string display_name = 2; // optional
+	string description = 3; // optional
+	string file_path = 4; // optional
+}
+message OtherDetectionData {
+	string type = 1;
+	map<string, string> properties = 2;
+}
+
+message ScanInfo {
+	double raw_certainty = 1;
+	double certainty = 2;
+	map<int64, double> assocations = 3; // Detection Id (int64), certainity (double)
+}
+
+message DetectionData {
+	oneof data {
+		ProcessDetectionData process_data = 1;
+		FileDetectionData file_data = 2;
+		RegistryDetectionData registry_data = 3;
+		ServiceDetectionData service_data = 4;
+		OtherDetectionData other_data = 5;
+	}
+}
+
+message DetectionContext {
+	repeated string hunts = 1;
+	int64 first_evidence_time = 2; // optional
+	int64 detection_created_time = 3;
+	string note = 4; // optional
+}
+
+message Detection {
+	int64 id = 1; // NOTE: Request change to string
+	int64 timestamp = 2;
+	DetectionType type = 3;
+	DetectionRecordType record_type = 4;
+	ScanInfo info = 5;
+	DetectionData data = 6;
+	DetectionContext context = 7;
+}
+

BLUESPAWN-server/docker-compose.yml

@@ -0,0 +1,37 @@
+version: '3.8'
+services:
+  # MySQL: https://hub.docker.com/_/mysql
+  mysql:
+    build:
+      context: .
+      dockerfile: ./mysql/Dockerfile
+    environment:
+      - MYSQL_ROOT_PASSWORD=Chiapet1
+      - MYSQL_DATABASE=bluespawn_server
+      - MYSQL_USER=bluespawn
+      - MYSQL_PASSWORD=Chiapet1
+    restart: on-failure
+    ports:
+      - "3306:3306"
+    networks:
+      - server_core
+    volumes:
+      - /data/mysql
+      - type: bind 
+        source: ./mysql/init
+        target: /docker-entrypoint-initdb.d/
+        read_only: true
+  # RPC Server for Client<->Server Communication written in Go/GRPC
+  rpc_server:
+    build:
+      context: ../
+      dockerfile: ./BLUESPAWN-server/rpc_server/Dockerfile
+    ports:
+      - "50052:50052"
+    depends_on:
+      - mysql
+    networks:
+      - server_core
+networks:
+  server_core:
+    driver: bridge

BLUESPAWN-server/mysql/Dockerfile

@@ -0,0 +1 @@
+FROM mysql:8

BLUESPAWN-server/mysql/init/build_db_schema.sql

@@ -0,0 +1,64 @@
+-- MySQL dump 10.13  Distrib 8.0.21, for Win64 (x86_64)
+--
+-- Host: 127.0.0.1    Database: bluespawn_server
+-- ------------------------------------------------------
+-- Server version	8.0.21
+
+/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
+/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
+/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
+/*!50503 SET NAMES utf8mb4 */;
+/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
+/*!40103 SET TIME_ZONE='+00:00' */;
+/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
+/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
+/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
+/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
+
+USE bluespawn_server;
+
+--
+-- Table structure for table `clients`
+--
+
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!50503 SET character_set_client = utf8mb4 */;
+CREATE TABLE IF NOT EXISTS `clients` (
+	  `client_id` int unsigned NOT NULL AUTO_INCREMENT,
+	  `client_guid` varchar(45) DEFAULT NULL,
+	  `hostname` varchar(256) DEFAULT NULL,
+	  `ip_address` varchar(46) DEFAULT NULL,
+	  `last_heartbeat` datetime DEFAULT NULL,
+	  PRIMARY KEY (`client_id`),
+	  UNIQUE KEY `client_id_UNIQUE` (`client_id`),
+	  UNIQUE KEY `client_guid_UNIQUE` (`client_guid`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
+--
+-- Table structure for table `messages`
+--
+
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!50503 SET character_set_client = utf8mb4 */;
+CREATE TABLE IF NOT EXISTS `messages` (
+	  `message_id` int unsigned NOT NULL AUTO_INCREMENT,
+	  `client_id` varchar(45) DEFAULT NULL,
+	  `timestamp` datetime DEFAULT NULL,
+	  `message` varchar(256) DEFAULT NULL,
+	  `severity` int DEFAULT NULL,
+	  `detail` int DEFAULT NULL,
+	  PRIMARY KEY (`message_id`),
+	  UNIQUE KEY `message_id_UNIQUE` (`message_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci;
+/*!40101 SET character_set_client = @saved_cs_client */;
+/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
+
+/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
+/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
+/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
+/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
+/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
+/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
+/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
+

BLUESPAWN-server/rpc_server/Dockerfile

@@ -0,0 +1,34 @@
+FROM golang:1.15
+
+ENV PROTOC_VER 3.13.0
+
+# Install dependencies
+RUN apt-get update --fix-missing && apt-get install -y \
+    zip unzip build-essential curl wget
+
+# Install protoc 
+WORKDIR /tmp
+RUN wget -O protoc-${PROTOC_VER}-linux-x86_64.zip https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VER}/protoc-${PROTOC_VER}-linux-x86_64.zip \
+    && unzip protoc-${PROTOC_VER}-linux-x86_64.zip \
+    && cp -vv ./bin/protoc /usr/local/bin
+
+# Install Go Protocol Buffers plugin
+RUN go get -u google.golang.org/protobuf/cmd/protoc-gen-go && go install google.golang.org/protobuf/cmd/protoc-gen-go
+
+# Install gRPC
+RUN go get -u google.golang.org/grpc && go install google.golang.org/grpc/cmd/protoc-gen-go-grpc
+
+# Change to /usr/src
+WORKDIR /usr/src
+
+# Copy BLUESPAWN source code into container
+COPY ./ ./
+
+# Compile Protobuf 
+RUN protoc --go_out="$GOPATH/src" --go-grpc_out="$GOPATH/src" ./BLUESPAWN-common/bluespawnpb/bluespawn.proto
+
+# Build and start rpc_server
+RUN cd ./BLUESPAWN-server/rpc_server && \
+    go build
+
+ENTRYPOINT ["./BLUESPAWN-server/rpc_server/rpc_server"]