Commit
Docs: Add nibble documentation (#3983)
Co-authored-by: ammar92 <[email protected]>
Co-authored-by: originalsouth <[email protected]>
3 people authored Jan 13, 2025
1 parent 171c449 commit 57c548a
Showing 2 changed files with 53 additions and 5 deletions.
39 changes: 39 additions & 0 deletions docs/source/developer-documentation/octopoes.md
Expand Up @@ -650,3 +650,42 @@ The unit tests `octopoes/tests` are run using
```shell
python -m unittest discover octopoes/tests
```

## Nibbles

**What are Nibbles?**
Nibbles are the flexible replacement for bits. We learned a lot on what does and doesn't work around bits and ran into some limitations. The Nibbles are solving these limitations. We hope that the Nibbles are 4 times as efficient as bits, but this isn't officially benchmarked (and is more of a bits-Nibbles joke ;)).

Nibbles process the data in OpenKAT, they correlate data and try to extract as much information as possible based on the specified rules. Nibbles ensure for a mapping of one or more objects to another group of objects. Where bits would trigger on objects, Nibbles can trigger on sets of objects. This makes it possible to map a single object to N objects (1-to-N mapping), but also map multiple objects to multiple objects (N-to-M mapping).

**Limitation example of Bits**
One of the limitations from Bits was that if one of the bits (business rules) would identify an open port in network A, and for network B this port would identify as closed, how would you classify the port? With Bits it was not possible to correctly identify data mismatches and decide upon this. Nibbles allow you to detect these differences in data observations. If there are any inconsistencies, this could other Nibbles to be triggered to resolve the inconsistency.

**How are Nibbles better than Bits?**
Nibbles are a successor for bits, all the mistakes and issues we learned from Bits should be solved with Nibbles.

- Dynamic loading from the user interface. This allows a user to enable, run or add Nibbles from the web interface, instead of having to edit the code.
- Mapping of objects: Bits would trigger if a specific object (ooi) was loaded. This required a lot of recalculation of Bits, which is not cost effective. With Nibbles, as soon as data is added to the XTDB database, the Nibbles will pick this up and handle accordingly. This should speed things up and allows for more extensive querying.
- Objects do not require a relation: it is now possible to search for specific objects (e.g. give me all URLs with port 80 open) and return all data. With bits it was not possible to query this kind of information, as the parameters (such as URL and port) were only accessible in the bit and not on the overall dataset.
- Automatic updates: if a nibble gets updated, the affects are automatically recalculated.
- Visual representation: it is now possible to get a better visual representation in a graph on which inputs are available for Nibbles and how they relate to each other.
- Efficient: using Nibbles it is much more efficient to query for the right data and even make queries that were not previously possible. Nibbles also reduce the number of read and writes to XTDB, which reduces the database load.

**How can I use Nibbles?**
Nibbles are enabled by default. Users can choose to enable or disable the Nibbles themselves and determine where objects originated from and which Nibbles are also applicable on an object or set of objects.

Nibbles are accessible from the web interface, to allow for enabling, disabling, editing and adding of Nibbles.

Using the XTDB EDN query language you can perform queries for Nibbles. You can query a set of objects and process this in your nibble, including all possible combinations on the queried set (of objects). One of the downsides is that this could result in a large number of queries that are structurally the same, but are slightly different (e.g. flags that are different). It is therefore important to properly document your queries to still comprehend them in the future (and make it easier to catch bugs).

The `xtdb-cli` tool can be used to query on XTDB for Nibbles. The query below searches all variables where the object type is an URL:

```shell
octopoes/tools/xtdb-cli.py query '{:query {:find [(pull ?var [*])] :where [[?var :object_type "URL"]]}}'
```

Make it visually pretty with jq:

```shell
octopoes/tools/xtdb-cli.py query '{:query {:find [(pull ?var [*])] :where [[?var :object_type "URL"]]}}' | jq
```
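Review bot: the "Limitation example of Bits" paragraph is missing a verb: `this could other Nibbles to be triggered to resolve the inconsistency` should read `this could cause other Nibbles to be triggered to resolve the inconsistency`. Further down in the same hunk, `the affects are automatically recalculated` should be `the effects`, `the number of read and writes to XTDB` should be `reads and writes`, and `the object type is an URL` should be `a URL`. `Nibbles ensure for a mapping of one or more objects to another group of objects` is hard to parse; `Nibbles define a mapping from one or more objects to another set of objects` states what the 1-to-N / N-to-M sentence that follows elaborates on. Capitalisation is mixed in this file (`bits` in the first paragraph, `Bits` from the third paragraph on) while the user-manual hunks in this same commit normalise to `Bits`; apply one spelling here as well. Since "How can I use Nibbles?" states that Nibbles can be added and edited from the web interface, a sentence on which user role or permission is required for that would be useful to the administrators reading this section.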
19 changes: 14 additions & 5 deletions docs/source/manual/user-manual.rst
Expand Up @@ -79,7 +79,7 @@ One or more findings can be selected. The textbox at the bottom allows for a des
Objects
-------

The Objects page lists all the objects in Octopoes. Objects can be anything, like DNS records, hostnames, URLs, software, software versions, ports, etc. It is any piece of information that is found by the normalizers, bits and boefjes. On a new installation you'll see the following objects by default:
The Objects page lists all the objects in Octopoes. Objects can be anything, like DNS records, hostnames, URLs, software, software versions, ports, etc. It is any piece of information that is found by the normalizers, Bits and boefjes. On a new installation you'll see the following objects by default:

.. image:: img/objects-clean-install.png
:alt: overview of default objects
Expand All @@ -100,7 +100,7 @@ Object clearances
Each object has a clearance type. The clearance type tells how the object was added to the Objects list. The following object types are available:

- Declared: declared objects were added by the user.
- Inherited: inherited objects were identified through propagation and the parsing of bits and normalizers. This means there is a relation to other object(s).
- Inherited: inherited objects were identified through propagation and the parsing of Bits and normalizers. This means there is a relation to other object(s).
- Empty: empyth objects do not have a relation to other objects.

The objects below show different clearance types for various objects. The hostname `mispo.es` was manually added and thus is `declared`. The DNS zone is `inherited` based on the DNS zone boefje.
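Review bot: the unchanged context line `Empty: empyth objects do not have a relation to other objects.` carries a typo; since this list is being touched anyway, change it to `Empty: empty objects do not have a relation to other objects.`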
Expand Down Expand Up @@ -153,11 +153,11 @@ The Members page allows for user management and is visible to users who have the
Settings
--------

The Settings page shows general information and its settings. In some cases you might want to add tags to the organisation or decide to manually run all bits. This can be done from the settings page. If you created a new organization, you can also add the indemnification on this page.
The Settings page shows general information and its settings. In some cases you might want to add tags to the organisation or decide to manually run all Bits. This can be done from the settings page. If you created a new organization, you can also add the indemnification on this page.

* Organization data
* Indemnification
* Rerun all bits on the current dataset
* Rerun all Bits on the current dataset
* Tags

.. image:: img/settings.png
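Review bot: the Settings section still offers `Rerun all Bits on the current dataset`, while the Nibbles section added later in this same commit describes Nibbles as the replacement for Bits and says they are enabled by default. One sentence here stating whether this action also reruns Nibbles, or whether Nibbles recalculate on their own as the developer documentation describes, would save readers a question.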
Expand Down Expand Up @@ -442,7 +442,7 @@ Bits

Bits are businessrules that assess objects. These can be disabled or enabled using environment variables. The parameters of a Bit can be configured using config objects, which are explained in detail in :ref:`introduction/make-your-own:Bits: businessrules`.

Almost all bits are enabled by default and be disabled by adding the bit to `BITS_DISABLED`. The disabled bits can be enabled using `BITS_ENABLED`. For example:
Almost all Bits are enabled by default and be disabled by adding the bit to `BITS_DISABLED`. The disabled Bits can be enabled using `BITS_ENABLED`. For example:

.. code-block:: sh
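Review bot: the changed line drops a word: `Almost all Bits are enabled by default and be disabled by adding the bit to BITS_DISABLED` should read `and can be disabled`. In the context line above, `businessrules` should be two words (`business rules`) in the prose, even if the `:ref:` label keeps the run-together spelling of the target heading.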
Expand All @@ -452,6 +452,15 @@ Almost all bits are enabled by default and be disabled by adding the bit to `BIT
Note that if you enable a bit that was previously enabled the bit won't be automatically run for every object it should have run on, but only when it is triggered again after a new scan or other bit that has run. When a bit that was previously enabled is disabled the resulting objects from that bit will also not be automatically removed. Only when the bit triggers instead of running the bit the resulting OOIs of the previous run will be deleted. This also means that if the bit isn't triggered the old objects will not be removed.

Nibbles
=======
Nibbles are the flexible replacement for Bits. We learned a lot on what does and doesn't work around Bits and ran into some limitations. The Nibbles are solving these limitations. We hope that the Nibbles are 4 times as efficient as Bits, but this isn't officially benchmarked (and is more of a Bits-Nibbles joke ;)).

Nibbles process the data in OpenKAT, they correlate data and try to extract as much information as possible based on the specified rules. Nibbles ensure for a mapping of one or more objects to another group of objects.

A more technical explanation on Nibbles can be found at: `Nibbles`_.


Reports
=======

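Review bot: `Nibbles`_ is a named reStructuredText hyperlink reference, but no matching target (`.. _Nibbles: ...`) is added in this hunk; unless one already exists elsewhere in user-manual.rst, Sphinx will report an unknown target name and the link will be broken. Since the technical explanation lives in docs/source/developer-documentation/octopoes.md, a Sphinx cross-reference such as the `:ref:` role already used in the Bits section above is the robust choice. Also, `Nibbles process the data in OpenKAT, they correlate data and try to extract ...` is a comma splice (split it or use a semicolon), and `Nibbles ensure for a mapping` should be `Nibbles define a mapping`. The unbenchmarked "4 times as efficient" remark works as an aside in the developer docs but is likely to be read literally in a user manual; consider leaving it out here. Finally, in the context paragraph above, `if you enable a bit that was previously enabled the bit won't be automatically run` looks like it should read `previously disabled`.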