Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Autoignore mechanism for hijacks of limited impact/visibility #373

Merged
merged 32 commits into from
Jul 27, 2020
Merged

Autoignore mechanism for hijacks of limited impact/visibility #373

merged 32 commits into from
Jul 27, 2020

Conversation

vkotronis
Copy link
Member

@vkotronis vkotronis commented May 4, 2020
edited
Loading

Description of PR

What component(s) does this PR affect?

  • Back-End (Database, Detection/Configuration/etc. Microservices)
  • Front-End (Flask, API, UI, etc)
  • Monitor (RIPE RIS, BGPStream RV/RIS/CAIDA, etc.)
  • Docs (incl. wiki)
  • Build System

database, scheduler, env vars

Does the PR require changes on other components? If yes, please mark the components:

  • Back-End (Database, Detection/Configuration/etc. Microservices)
  • Front-End (Flask, API, UI, etc)
  • Monitor (RIPE RIS, BGPStream RV/RIS/CAIDA, etc.)
  • Docs (incl. wiki)
  • Build System

Related Issue

Resolves #346

Solution

Type

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Docs update
  • None of the above

Checklist:

  • I have read the contributing guide and my code conforms to the guidelines.

  • This change requires a change in the documentation.

  • I have updated the documentation accordingly.

  • TODO: Add proper tests (TestAutoIgnore)

  • TODO: adjust per configured prefix, consider module separation

@vkotronis vkotronis added this to the release-1.4.1 milestone May 4, 2020
@vkotronis vkotronis self-assigned this May 4, 2020
@vkotronis vkotronis changed the title Autoignore support [DRAFT] Autoignore support May 4, 2020
@vkotronis vkotronis requested a review from slowr May 4, 2020 19:07
@vkotronis vkotronis changed the title [DRAFT] Autoignore support Autoignore mechanism for hijacks of limited impact/visibility May 5, 2020
@vkotronis vkotronis marked this pull request as ready for review May 5, 2020 08:54
@vkotronis vkotronis requested a review from pgigis May 5, 2020 08:55
@artemis-pr-bot
Copy link
Collaborator

artemis-pr-bot commented May 5, 2020
edited
Loading

🏃 Benchmark Results 🏃

  • RMQ Update inserts: 444/s
  • RMQ Hijack inserts: 146/s
  • PG Update inserts: 190/s
  • PG Update updates: 145/s
  • PG Hijack inserts: 145/s

@codecov
Copy link

codecov bot commented May 5, 2020
edited
Loading

Codecov Report

Merging #373 into master will increase coverage by 1.10%.
The diff coverage is 89.52%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #373      +/-   ##
==========================================
+ Coverage   79.72%   80.82%   +1.10%     
==========================================
  Files           5        6       +1     
  Lines        1859     2044     +185     
==========================================
+ Hits         1482     1652     +170     
- Misses        377      392      +15
Impacted Files Coverage Δ
backend/core/detection.py 92.85% <ø> (+1.02%) ⬆️
backend/core/autoignore.py 88.48% <88.48%> (ø)
backend/core/configuration.py 48.09% <95.23%> (+1.48%) ⬆️
backend/core/scheduler.py 100.00% <100.00%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 9a11adf...88e0bae. Read the comment docs.

@vkotronis vkotronis added this to the release-.1.6.0 milestone May 24, 2020
@vkotronis vkotronis removed the request for review from pgigis June 12, 2020 18:16
@vkotronis vkotronis requested a review from pgigis June 13, 2020 08:42
@vkotronis
Copy link
Member Author

TODO:

auto_ignore_rules:
  - auto_ignore_rule_1: 
      threshold_num_peers_seen: <number of peers seen the hijack below which alert should be ignored>
      threshold_num_ases_infected: <number of infected ASes below which alert should be ignored>
      interval: <time passed since last hijack update>
      prefixes: 
      - *prefix_group_1
      - ...
  - auto_ignore_rule_2 
     ...

DONE, will also update the wiki accordingly.

@vkotronis
Copy link
Member Author

@slowr @pgigis This PR is ready for review. Please check the code (I have also added needed tests) as well as this wiki page on how to use the new mechanism: https://github.com/FORTH-ICS-INSPIRE/artemis/wiki/Configuration-file#autoignore

@vkotronis
Copy link
Member Author

@slowr @pgigis any feedback on this PR code review?

slowr
slowr approved these changes Jul 17, 2020
View reviewed changes
Copy link
Member

@slowr slowr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🎉 What happens if the same prefix is on multiple autoignores?

@vkotronis
Copy link
Member Author

LGTM tada What happens if the same prefix is on multiple autoignores?

If the same prefix is on multiple rules, if at least one of these rules causes a prefix-related alert to be ignored, it will be ignored. This is the correct behavior, right? Or should we do sth else, like issuing a warning to the user? I think that since the user puts it in at least one group that causes autoignore, it should be autoignored (the related alert I mean). See also my comments in the PR. Should I merge the current state or update something in the code?

@slowr
Copy link
Member

slowr commented Jul 24, 2020

LGTM tada What happens if the same prefix is on multiple autoignores?

If the same prefix is on multiple rules, if at least one of these rules causes a prefix-related alert to be ignored, it will be ignored. This is the correct behavior, right? Or should we do sth else, like issuing a warning to the user? I think that since the user puts it in at least one group that causes autoignore, it should be autoignored (the related alert I mean). See also my comments in the PR. Should I merge the current state or update something in the code?

Yes, I think this is the correct behaviour for now. In the future we can show an alert that it's on multiple rules for cleanup if needed.

@vkotronis vkotronis merged commit 69aa275 into master Jul 27, 2020
@vkotronis vkotronis deleted the autoignore branch July 27, 2020 15:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@slowr slowr slowr approved these changes

@pgigis pgigis Awaiting requested review from pgigis

Assignees

@vkotronis vkotronis

Labels
automation backend database detection kubernetes logging p/medium Medium priority
Projects
None yet
Milestone
release-1.6.0
Development

Successfully merging this pull request may close these issues.

Auto-silent on insignificant alarms
3 participants
@vkotronis @artemis-pr-bot @slowr