Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Filter out Intelsat satellite network plane wifi from Impossible Travel #1358

Merged
merged 5 commits into from
Sep 30, 2024
Merged

Filter out Intelsat satellite network plane wifi from Impossible Travel #1358

merged 5 commits into from
Sep 30, 2024

Conversation

geoffg-sentry
Copy link
Contributor

@geoffg-sentry geoffg-sentry commented Sep 18, 2024
edited
Loading

Background

Intelsat provides in-flight wifi for a number of airlines (American, Alaska, etc) among other mobile services but like any ASN provides geographic information for a fixed spot on the globe. This leads to false positives when persons using in-flight wifi have login activity shortly before or after a login from in-flight. An example:

  • Login from LAX airport before boarding a flight at 17:00
  • Login from Intelsat in-flight wifi at 17:30 tied to Tysons Landing, Virginia.

Changes

Adds a check on ipinfo_asn lookups and excludes Intelsat's ASN AS22351 from triggering the rule or being included in new_login_stats. Any additional satellite network ASNs identified can be added to the SATELLITE_NETWORK_ASNS constant.

Testing

  • New test for a true positive impossible travel event but from a IP in AS22351 results
  • make lint
  • pat test --filter RuleID=Standard.ImpossibleTravel.Login

@geoffg-sentry
Filter out Intelsat satellite network plane wifi from Impossible Travel
fc7d98c 
Intelsat provides in-flight wifi for a number of airlines (American, Alaska, etc) but like any ASN provides geographic information for a fixed spot on the globe. This leads to false positives when persons using in-flight wifi have login activity shortly before or after a login from in-flight.
@geoffg-sentry geoffg-sentry requested a review from a team as a code owner September 18, 2024 16:20
@ben-githubs
Copy link
Contributor

Hi Geoff, thanks for submitting! I've been reviewing your PR and I'm wondering why the current rule code doesn't satisfy your situation...

It appears that Intelsat gets identified by IPinfo as a VPN, and therefore the current code would not use it for any distance calculations in further events. (It does generate an alert, but the alert is INFO level and auto-dismissed, so it shouldn't generate any noise. The reason we still generate an alert for VPNs is in case the VPN designation was a mistake - you'll still have a record of the alert and the event details, if you review your alert history.)

Please let me know if there's something I'm not seeing!

@geoffg-sentry
Copy link
Contributor Author

@ben-githubs It may be that not all of their subnets will return as VPN and I have a few alerts that have triggered as Highs as the default severity. No errors in my table lookups for ipinfo_privacy either.

@ben-githubs
Copy link
Contributor

That makes sense! I've adjusted the logic slightly to handle alerting/caching the same way the VPN check does, but still uses the is_satellite_network rather than rely on ipinfo_privacy. Lmk if you have any questions!

@arielkr256 arielkr256 added the tuning detection tuning label Sep 25, 2024
arielkr256
arielkr256 reviewed Sep 26, 2024
View reviewed changes
Copy link
Contributor

@arielkr256 arielkr256 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch! I wonder if there are other ASNs that are worth excluding?

Couple of minor suggestions.

rules/standard_rules/impossible_travel_login.py Outdated Show resolved Hide resolved
rules/standard_rules/impossible_travel_login.py Outdated Show resolved Hide resolved
rules/standard_rules/impossible_travel_login.py Outdated Show resolved Hide resolved
@abdullahdevrel
Copy link

Just an FYI, I am the DevRel of IPinfo and have been following this PR.

We are working on the engineering feature for recognizing in-flight WiFi providers. We do not want to point to just a fixed amount of ASN and say these provide In-Flight WiFi. In fact, whenever anyone from our engineering team travels by plane, they log networking information from the in-flight WiFi which we use to create a more reliable flagging mechanism for this feature.

This feature is currently in active development. I will update you once it is released.

@geoffg-sentry
Copy link
Contributor Author

Oh that's very cool, thanks @abdullahdevrel

arielkr256
arielkr256 approved these changes Sep 30, 2024
View reviewed changes
Copy link
Contributor

@arielkr256 arielkr256 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch! We'll keep an eye out for the new IPinfo feature to detect in-flight wifi providers.

@arielkr256 arielkr256 merged commit e36ab75 into panther-labs:release Sep 30, 2024
5 of 8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arielkr256 arielkr256 arielkr256 approved these changes

Assignees
No one assigned
Labels
tuning detection tuning
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@geoffg-sentry @ben-githubs @abdullahdevrel @arielkr256