Introducing Sock Puppet

Here's a fun project that I'm in the middle of building out: a way to gather real-time data insights and CI/CD monitoring on a limited budget without sacrificing security or functionality. At the moment no data is persisted by the broker, but I will most likely add a time-series view of the data in the near future.
The system is composed of a few key components:
  • Agent
  • Agent Impersonator
  • Broker
  • Client

Agent

The agent is a small daemon which forks one or more plugins and establishes a secure connection to the broker. Plugins can be written in any language, communicating with the agent via a domain socket.

The plugins write data to that domain socket, and the agent in turn forwards the data to the broker. The agent's firewall requirements are minimal:

  • Outbound: TCP/443 to the broker
  • Inbound: can block all, or allow as other use cases require
  • ESTABLISHED/RELATED: required, for the return traffic of the broker connection

Broker Connection Security:

  • Google Service Account used to fetch the current JWT from a storage bucket
  • JWT sent to the broker when the connection is established

Broker

The broker negotiates data exchange between the agents and the client. Every connection has a type, whether it comes from an agent, an agent impersonator, or a web client.

When a non-agent connects (i.e. a web client or other user interface), it can subscribe to an agent's stream. As agents send data to the broker, the broker forwards the data to all clients subscribed to that agent's stream.

The broker also holds a private certificate which is used to generate the JWT for agent connections. The JWT is rotated on a very short interval and pushed to a private Google storage bucket.

PCAP Filtering Demo

In order to quickly see meaningful data, it's nice to be able to filter out traffic that has no associated log file data, bots, and general noisy garbage. The classifications may be described at a later time.

Test Case Streaming Demo:

This uses the agent impersonator feature. The client connects directly to the broker and impersonates an agent. This makes it possible for short-lived processes that are not part of any given agent, such as those run in a CI/CD pipeline or a local development environment, to stream data to the broker.

Using the impersonator functionality is as simple as:

import SockAgentImpersonator from "@ccyphers/sock_agent_impersonator"

const streamImpersonator = await SockAgentImpersonator(
	"casper",
	"tc_results",
	"Test Case Results",
	"tc_results",
	"https://puppet.casperconnection.com/sock",
	"/google_auth.json"
)

// sending image data (screenshot is assumed to be a Buffer holding the PNG bytes):
await streamImpersonator.stream({
	type: 'image',
	imageType: 'png',
	data: screenshot.toString('base64')
})

// sending text data:
await streamImpersonator.stream({
	type: 'text',
	data: "something"
})

File Monitor Plugin Demo:

Network Monitor Plugin Demo:

Multiple Agents Demo: