def malformed_requests(batch):
    """Yield one 'Known Exploit Iteration' event per hit tagged MALFORMED_REQUEST.

    Args:
        batch: iterable of log hits. Each hit must support ``hit['@timestamp']``
            and expose ``tags``, ``attacker_ip``, ``host``, ``district``,
            ``service`` and ``malformed_req`` as attributes.

    Yields:
        dict: the event for a tagged hit; untagged hits are skipped.

    Note:
        ``malformed_request`` is copied verbatim from the hit, i.e. from the
        request the remote side sent — consumers should treat it as untrusted
        text.
    """
    # Resolved once per batch, not once per hit.
    event_processor = whoami()
    tagged = (hit for hit in batch if 'MALFORMED_REQUEST' in hit.tags)
    for hit in tagged:
        specifics = {'malformed_request': hit.malformed_req}
        yield {
            '@timestamp': hit['@timestamp'],
            'event_processor': event_processor,
            'source_ip': hit.attacker_ip,
            'target_host': hit.host,
            'contributor': hit.district,
            'service': hit.service,
            'attack_type': 'Known Exploit Iteration',
            'specifics': specifics,
        }
def mail_processor(batch):
    """Yield a 'brute_force' event for every mail hit that carries a ``user``.

    Args:
        batch: iterable of log hits. Each hit must support ``hit['@timestamp']``
            and expose ``attacker_ip``, ``host``, ``district`` and ``service``;
            ``user`` selects the hit and ``domain`` is optional.

    Yields:
        dict: the event; hits without a ``user`` attribute are skipped and a
        missing ``domain`` is reported as ``'-'``.

    Note:
        ``user`` and ``domain`` are attacker-supplied login data copied as-is;
        consumers should treat them as untrusted text.
    """
    event_processor = whoami()
    for hit in batch:
        if not hasattr(hit, 'user'):
            continue
        # Same effect as the hasattr/else pair: '-' stands in for a missing domain.
        domain = getattr(hit, 'domain', '-')
        yield {
            '@timestamp': hit['@timestamp'],
            'event_processor': event_processor,
            'source_ip': hit.attacker_ip,
            'target_host': hit.host,
            'contributor': hit.district,
            'service': hit.service,
            'attack_type': 'brute_force',
            'specifics': {
                'domain': domain,
                'user': hit.user,
            },
        }
def non_wp_website(batch):
    """Yield a 'wpscan' event for hits whose message mentions a WordPress path.

    The match is a plain, case-sensitive substring test against a fixed set of
    WordPress markers (``wp-login``, ``wp-content``, ``wordpress``,
    ``xmlrpc.php``).

    Args:
        batch: iterable of log hits. Each hit must support ``hit['@timestamp']``
            and expose ``message``, ``attacker_ip``, ``host``, ``district``,
            ``service``, ``request``, ``response``, ``bytes`` and ``verb``.

    Yields:
        dict: the event; hits whose message contains none of the markers are
        skipped.

    Note:
        ``request`` (and ``message`` it was derived from) is attacker-supplied
        HTTP data copied verbatim; consumers should treat it as untrusted text.
    """
    event_processor = whoami()
    wp_markers = ('wp-login', 'wp-content', 'wordpress', 'xmlrpc.php')
    for hit in batch:
        message = hit.message
        if not any(marker in message for marker in wp_markers):
            continue
        yield {
            '@timestamp': hit['@timestamp'],
            'event_processor': event_processor,
            'source_ip': hit.attacker_ip,
            'target_host': hit.host,
            'contributor': hit.district,
            'service': hit.service,
            'attack_type': 'wpscan',
            'specifics': {
                'request': hit.request,
                'response': hit.response,
                'bytes': hit.bytes,
                'http_method': hit.verb,
            },
        }
def ssh_processor(batch):
    """Turn ssh log hits into attack events classified by ``hit.logline_type``.

    Args:
        batch: iterable of log hits. Each hit must support ``hit['@timestamp']``
            and expose ``logline_type``, ``attacker_ip``, ``host``, ``district``
            and ``service``; ``username`` is optional.

    Yields:
        dict: an event whose ``attack_type`` starts as ``'brute_force'`` and is
        overridden per line type; ``description``/``specifics`` are added by
        the matching branch. Hits that reach the final ``else`` are skipped.

    Relies on the module-level ``ssh_list`` (defined outside this block): the
    PKI-related branches are only evaluated for hosts not in that list.
    """
    processor = whoami()
    for hit in batch:
        # ssh accepts a whitespace as username,
        # but it is not caught by logstash's regex
        username = '******' if not hasattr(hit, 'username') else hit.username
        # Baseline event; the branches below override attack_type and attach
        # description/specifics. username is attacker-supplied and copied as-is.
        event = {
            'event_processor': processor,
            '@timestamp': hit['@timestamp'],
            'source_ip': hit.attacker_ip,
            'target_host': hit.host,
            'contributor': hit.district,
            'service': hit.service,
            'attack_type': 'brute_force',
        }
        if hit.logline_type == 'SSHBANNERGRAB':
            event.update({
                'attack_type': 'fingerprinting',
                'description': 'Version fingerprinting',
            })
        elif hit.logline_type == 'SSHFAILEDLOGIN' or hit.logline_type == 'SSHFAILEDLOGINF':
            event.update({
                'description': 'Failed attempt on a valid user',
                'specifics': {
                    'username': username,
                    'valid_user': True,
                    'method': 'PW',
                },
            })
        elif hit.logline_type == 'SSHINVALIDUSER' or hit.logline_type == 'SSHINVALIDUSERF':
            event.update({
                'description': 'Failed attempt to login on an invalid user',
                'specifics': {
                    'username': username,
                    'valid_user': False,
                    'method': 'PW',
                },
            })
        elif hit.host not in ssh_list:
            # PKI-related line types are classified only for hosts outside ssh_list.
            if hit.logline_type == 'SSHINVALIDUSERPKI':
                event.update({
                    'description': 'Failed attempt to login on an invalid user',
                    'specifics': {
                        'username': username,
                        'valid_user': False,
                        'method': 'PKI',
                    },
                })
            elif hit.logline_type == 'SSHCONNCLOSED' or hit.logline_type == 'SSHCONNCLOSEDPKI':
                event.update({
                    'specifics': {
                        'method': 'PKI',
                    },
                    'description': 'Failed all auth methods on a password-disabled ssh daemon',
                })
            else:
                # NOTE(review): the nesting of this else was reconstructed from a
                # collapsed source; if it belongs to the outer chain instead, the
                # skip also covers ssh_list hosts. As written here, a host in
                # ssh_list with an unmatched logline_type falls through and yields
                # the bare brute_force event without description/specifics —
                # confirm that is intended.
                #print('Non-type ', hit.message, hit.logline_type)
                continue
        yield event