## do ping
try:
ping = subprocess.Popen(['ping', ping_switch, host],
stdout=subprocess.PIPE)
new_result['_raw'] = ping.communicate()[0]
except Exception:
signature = 'Exception when executing ping command'
handleError(modaction, signature)
## add to successful rid list
rids.append(
modaction.rid_ntuple(modaction.orig_sid, modaction.rid,
modaction.orig_rid))
## add result for intersplunk output
new_results.append(new_result)
## add result for event creation
modaction.addevent(new_result['_raw'], 'ping')
else:
modaction.message('Invalid characters detected in host input',
status='failure',
level=logging.WARN)
if len(new_results) > 0:
if modaction.writeevents(index='main', source='ping'):
modaction.message('Successfully created splunk event',
status='success',
rids=rids)
else:
modaction.message('Failed to create splunk event',
status='failure',
rids=rids,
level=logging.ERROR)
events = []
for num, result in enumerate(csv.DictReader(fh)):
## set rid to row # (0->n) if unset
result.setdefault('rid', str(num))
## risk params
result['risk_score'] = normalize_risk_param(modaction, 'risk_score', default='1')
result['risk_object'] = normalize_risk_param(modaction, 'risk_object')
result['risk_object_type'] = normalize_risk_param(modaction, 'risk_object_type', default='other')
## for adhoc risk modifiers from incident review, change search_name to event's search_name if available.
if search_name == 'AdHoc Risk Score' and result.get('search_name'):
search_name = result.get('search_name')
modaction.update(result)
modaction.invoke()
modaction.addevent(modaction.result2stash(result, addinfo=True), 'stash')
if modaction.writeevents(index=index, source=search_name):
modaction.message('Successfully created splunk event', status='success', rids=modaction.rids)
else:
modaction.message('Failed to create splunk event', status='failure', rids=modaction.rids, level=logging.ERROR)
except Exception as e:
## adding additional logging since adhoc search invocations do not write to stderr
try:
modaction.message(e, status='failure', level=logging.CRITICAL)
except Exception as e:
logger.critical(e)
print >> sys.stderr, "ERROR Unexpected error: %s" % e
sys.exit(3)
## add status info
modaction.addinfo()
## index
index = 'ubaroute'
## process results
with gzip.open(modaction.results_file, 'rb') as fh:
events = []
for num, result in enumerate(csv.DictReader(fh)):
## set rid to row # (0->n) if unset
result.setdefault('rid', str(num))
modaction.update(result)
modaction.invoke()
modaction.addevent(modaction.result2stash(make_uba_alarm(
modaction, result),
dropexp=None,
mapexp=None),
'stash',
cam_header=False)
if modaction.writeevents(index=index, fext='uba_ubaroute'):
modaction.message('Successfully created splunk event',
status='success',
rids=modaction.rids)
else:
modaction.message('Failed to create splunk event',
status='failure',
rids=modaction.rids,
level=logging.ERROR)
except Exception as e:
## adding additional logging since adhoc search invocations do not write to stderr
def do_nbtstat(argv,
input_str=None,
outputfile=sys.stdout,
logger=logging.getLogger('dummy')):
## defaults
nbtstat = None
orig_sid = None
orig_rid = None
host = None
host_field = None
MAX_RESULTS = 1
max_results = 1
host_validation = '^([A-Za-z0-9\.\_\-]+)$'
ip_rex = re.compile('^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$')
the_time = util.mktimegm(time.gmtime())
## retrieve results and settings
results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults(
input_str)
logger.debug(settings)
## modular action hooks
modaction_payload = {
'sid': settings.get('sid', ''),
'owner': settings.get('owner'),
'app': settings.get('namespace')
}
modaction = ModularAction(json.dumps(modaction_payload),
logger,
action_name="nbtstat")
## override defaults w/ opts below
if len(argv) > 1:
for a in argv:
if a.startswith('host=') or a.startswith('dest='):
where = a.find('=')
host = a[where + 1:len(a)]
elif a.startswith('host_field=') or a.startswith('dest_field='):
where = a.find('=')
host_field = a[where + 1:len(a)]
elif a.startswith('orig_sid='):
where = a.find('=')
orig_sid = a[where + 1:len(a)]
elif a.startswith('orig_rid'):
where = a.find('=')
orig_rid = a[where + 1:len(a)]
elif a.startswith('max_results'):
where = a.find('=')
max_results = a[where + 1:len(a)]
try:
if int(max_results) > 0:
MAX_RESULTS = int(max_results)
except:
pass
logger.info('max_results setting determined: %s', MAX_RESULTS)
handleError = errorHandler(modaction, outputfile, logger)
## validate presence of host/host_field
if not host and not host_field:
signature = 'Must specify either host or host_field'
handleError(signature)
return
## set up single result
if host:
host_field = 'host'
result = {'host': host}
if orig_sid and orig_rid:
result.update({'orig_sid': orig_sid, 'orig_rid': orig_rid})
results = [result]
## process result(s)
new_results = []
rids = []
results_processed = 0
for num, result in enumerate(results):
if results_processed >= MAX_RESULTS:
break
## set result id
result.setdefault('rid', str(num))
## update and invoke
modaction.update(result)
modaction.invoke()
## validate host_field is present in result
if host_field not in result:
signature = 'host_field not present in result set'
handleError(signature)
return
else:
## handle MV
hosts = result[host_field].split('\n')
## iterate hosts (as MV is a possibility)
for host in hosts:
if results_processed >= MAX_RESULTS:
break
results_processed += 1
## validate host value but don't exit
if re.match(host_validation, host):
ip_match = ip_rex.match(host)
## set up new result which will be sent back to splunk
new_result = {
'_time': the_time,
'sid': modaction.sid,
'rid': modaction.rid,
'dest': host
}
if modaction.orig_sid and modaction.orig_rid:
new_result.update({
'orig_sid': modaction.orig_sid,
'orig_rid': modaction.orig_rid
})
## determine nbtstat_cmd
if os.name == 'nt':
if ip_match:
nbtstat_cmd = ['nbtstat', '-A', host]
else:
nbtstat_cmd = ['nbtstat', '-a', host]
elif sys.platform == 'darwin':
if ip_match:
nbtstat_cmd = None
modaction.message(
'Unable to perform reverse netbios lookup',
status='failure',
level=logging.WARN)
else:
nbtstat_cmd = ['smbutil', 'lookup', host]
else:
if ip_match:
nbtstat_cmd = ['nmblookup', '-A', host]
else:
nbtstat_cmd = ['nmblookup', host]
## do nbtstat
if nbtstat_cmd:
try:
nbtstat = subprocess.Popen(nbtstat_cmd,
stdout=subprocess.PIPE)
new_result['_raw'] = nbtstat.communicate()[0]
except Exception:
signature = 'Exception when executing nbtstat command'
handleError(signature)
return
## add to successful rid list
rids.append(
modaction.rid_ntuple(modaction.orig_sid, modaction.rid,
modaction.orig_rid))
## add result for intersplunk output
new_results.append(new_result)
## add result for event creation
modaction.addevent(new_result['_raw'], 'nbtstat')
else:
modaction.message('Invalid characters detected in host input',
status='failure',
level=logging.WARN)
if len(new_results) > 0:
if modaction.writeevents(index='main', source='nbtstat'):
modaction.message('Successfully created splunk event',
status='success',
rids=rids)
else:
modaction.message('Failed to create splunk event',
status='failure',
rids=rids,
level=logging.ERROR)
splunk.Intersplunk.outputResults(new_results, outputfile=outputfile)
