
Use-cases

1 External tenants

Enrolled organizations can use the SNER service to expand visibility into their infrastructure's Internet attack surface. External users can access the available data through the API.

1.1 Setup shell

Get an API token in the web interface on the user profile page (user > profile > apikey generate). Set up the shell environment for calling the API:

export APIKEY=""
export URL="https://sner.flab.cesnet.cz/sner"
alias snerapi='curl -s -H "X-API-KEY: $APIKEY"'

1.2 Get information about single host

Core IdP or directory controllers SHOULD NOT expose any service to the public Internet. Check a single host:

snerapi -XPOST \
  "$URL/api/v2/public/storage/host" \
  --json '{"address": "203.0.113.50"}' | jq
{
  "address": "203.0.113.50",
  "hostname": "dc1.example.org",
  "services": [
    {
      "info": "extrainfo: Anonymous bind OK",
      "notes": [
        {
          "data": "[\"cpe:/a:openldap:openldap\"]",
          "xtype": "cpe"
        },
        {
          "data": "{\"product\": \"OpenLDAP\", \"version\": \"2.2.X - 2.3.X\"}",
          "xtype": "nmap.banner_dict"
        }
      ],
      "port": 636,
      "proto": "tcp",
      "state": "open:syn-ack"
    }
  ]
}

1.3 Get information about range of addresses

Check the services exposed on a department network segment.

snerapi -XPOST \
  "$URL/api/v2/public/storage/range" \
  --json '{"cidr": "203.0.113.0/26"}' | jq
[
  {
    "address": "203.0.113.3",
    "hostname": "dhcp-wk1.dept.example.org",
    "services": [
      {
        "info": "product: OpenSSH version: 8.4p1 Debian 5+deb11u1 extrainfo: protocol 2.0 ostype: Linux",
        "port": 443,
        "proto": "tcp",
        "state": "open:syn-ack"
      },
      {
        "port": 22,
        "proto": "tcp",
        "state": "open:syn-ack"
      }
    ]
  },
  {
    "address": "203.0.113.1",
    "hostname": "gw.dept.example.org",
    "services": [
      {
        "port": 179,
        "proto": "tcp",
        "state": "open:syn-ack"
      }
    ]
  }
]

1.4 Get information about specific services

Backup infrastructure SHOULD NOT be accessible from the public Internet. For details on the filter syntax, see the full specification.

snerapi -XPOST \
  "$URL/api/v2/public/storage/servicelist" \
  --json '{"filter": "Service.port==\"445\" AND Service.state ilike \"open:%\""}' | jq
[
  {
    "address": "2001:db8::71",
    "info": "product: Samba smbd version: 3.X - 4.X extrainfo: workgroup: UCN hostname: BACKUP-EXAMPLE",
    "port": 445,
    "proto": "tcp",
    "state": "open:syn-ack"
  }
]

1.5 Search for endpoints exposing specific product

List instances of a popular database engine exposed to the public Internet.

snerapi -XPOST \
  "$URL/api/v2/public/storage/versioninfo" \
  --json '{"product":"mariadb"}' | jq
[
  {
    "host_address": "203.0.113.30",
    "host_hostname": "serverx.example.org",
    "service_port": 3306,
    "service_proto": "tcp",
    "product": "mariadb",
    "version": "10.3.38",
    "extra": {
      "full_version": "5.5.5-10.3.38-MariaDB-1:10.3.38+maria~ubu2004-log"
    }
  }
]

1.6 Breakdown of exposed products on respective hosts

snerapi -XPOST \
  "$URL/api/v2/public/storage/versioninfo" | jq -s \
  '.[] | map({product,host_address}) | group_by(.product) | map({product: .[0].product, host_address: map(.host_address)})'
[
  {
    "product": "mariadb",
    "host_address": [
      "203.0.113.30"
    ]
  },
  {
    "product": "zookeeper",
    "host_address": [
      "203.0.113.30",
      "2001:db8::30"
    ]
  }
]

2 CESNET SOC

SOC team members can use the following systems to obtain information useful for their missions.

SNER

Database of IP services running in the monitored realm.

Snerlytics

Set of supplemental services.

  • ELK stack

    • mirror of SNER storage database
    • CPE vs CVE correlation results
  • CVE-Search

    • local instance, a tool for performing local searches for known vulnerabilities

2.1a Vulnsearch, remotely exploitable vulnerabilities

Use the Sner UI Storage Vulnsearch view (or the corresponding API) to find vulnerabilities with the filter Vulnsearch.attack_vector ilike "%NETWORK%".

2.1b Vulnsearch, vulnerabilities with public exploits

Use the Sner UI Storage Vulnsearch view (or the corresponding API) to find vulnerabilities with the filter Vulnsearch.data astext_ilike "%exploit-db%".

2.2 Host health

Analyze the data for a specific host in the Sner web UI (menu: sner > storage > hosts).

2.3 Hosts with extensive number of services

Analyze the data in the hosts list view, sorted by number of services (menu: sner > storage > hosts, sort by cnt_s).

2.4 Specific services or combinations

Search for and analyze hosts with specific services or combinations of services.

webserver + database

Properly configured web servers do not typically expose their internal database.

hostname + database

The purpose of a server or service can be inferred from its hostname; high-profile targets should expose only a minimal set of services (e.g. an authentication service).

debugging or management interfaces

Any service used for debugging (e.g. JDWP, JMX) or remote management (iDRAC, BMC) should not be exposed to public access.
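The checks above can be automated over the host records that the range endpoint from section 1.3 returns. The following script is an added example, not part of the SNER project or its documentation: it applies the three section 2.4 heuristics to a constructed sample in the shape of the `/api/v2/public/storage/range` response (or to real output piped on stdin). The port-to-role sets and the hostname prefixes are assumptions for illustration and should be adjusted to local policy.

```python
import json
import sys

# Assumed port-to-role mapping for illustration; adjust to local policy.
WEB_PORTS = {80, 443, 8080, 8443}
DB_PORTS = {1433, 1521, 3306, 5432, 27017}
DEBUG_MGMT_PORTS = {623: "IPMI/BMC", 1099: "JMX RMI", 5005: "JDWP"}
AUTH_PORTS = {88, 389, 636, 3268, 3269}              # what a directory/IdP host may expose
HIGH_PROFILE_PREFIXES = ("dc", "idp", "ldap", "ad")  # assumed hostname hints for such hosts

# Constructed sample in the shape of the range endpoint response (not real scan data).
SAMPLE_RANGE_RESPONSE = json.loads("""[
 {"address": "203.0.113.10", "hostname": "www.dept.example.org",
  "services": [{"port": 443, "proto": "tcp", "state": "open:syn-ack"},
               {"port": 3306, "proto": "tcp", "state": "open:syn-ack"}]},
 {"address": "203.0.113.1", "hostname": "gw.dept.example.org",
  "services": [{"port": 179, "proto": "tcp", "state": "open:syn-ack"}]},
 {"address": "203.0.113.50", "hostname": "dc1.dept.example.org",
  "services": [{"port": 636, "proto": "tcp", "state": "open:syn-ack"},
               {"port": 5005, "proto": "tcp", "state": "open:syn-ack"},
               {"port": 22, "proto": "tcp", "state": "filtered"}]}
]""")


def open_tcp_ports(host):
    """TCP ports the scanner reported as open (state prefix 'open:', as in the Sner data above)."""
    return {s["port"] for s in host.get("services", [])
            if s.get("proto") == "tcp" and str(s.get("state", "")).startswith("open:")}


def find_findings(hosts):
    """Apply the section 2.4 heuristics; returns a list of (address, hostname, finding) tuples."""
    findings = []
    for h in hosts:
        addr, name, ports = h["address"], h.get("hostname") or "", open_tcp_ports(h)
        if ports & WEB_PORTS and ports & DB_PORTS:
            findings.append((addr, name, "webserver+database: %s" % sorted(ports & DB_PORTS)))
        label = name.split(".")[0].rstrip("0123456789")  # "dc1" -> "dc"
        if label in HIGH_PROFILE_PREFIXES and ports - AUTH_PORTS:
            findings.append((addr, name, "high-profile host exposes extra ports: %s" % sorted(ports - AUTH_PORTS)))
        for p in sorted(ports & set(DEBUG_MGMT_PORTS)):
            findings.append((addr, name, "debug/management port %d (%s)" % (p, DEBUG_MGMT_PORTS[p])))
    return findings


if __name__ == "__main__":
    # Real data: snerapi ... "$URL/api/v2/public/storage/range" --json '{...}' | python3 check.py
    hosts = SAMPLE_RANGE_RESPONSE if sys.stdin.isatty() else json.load(sys.stdin)
    for addr, name, finding in find_findings(hosts):
        print(f"{addr} {name}: {finding}")
```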