def clean(self):
for element in conf.get("exemptions"):
if re.search("[.][a-z]+$", element):
db.session_append(
db.models.exemptions(ts=int(time.time()),
domain=element.lower()))
else:
db.session_append(
db.models.exemptions(ts=int(time.time()),
ipaddr=element.lower()))
try:
db.models.exemptions().metadata.drop_all(db.engine)
db.models.exemptions().metadata.create_all(db.engine)
db.session_commit()
except Exception as error:
log.error(error)
log.info(
str("[!] CLEAN part 1/2 done ({} threats)").format(
len(self.threats)))
for row in db.session.query(db.models.exemptions).order_by(
db.models.exemptions.id).yield_per(db.chunk):
regex = []
if row.domain:
pattern = row.domain
if row.ipaddr:
pattern = row.ipaddr
for index, node in enumerate(reversed(pattern.split("."))):
if len(node) != 0 and index == 0 and node == "tld":
regex.append("((co|com|net|org|edu|gov)[.])?([a-z]+)")
if len(node) != 0 and index == 0 and node != "tld":
regex.append(str("({})").format(node))
if len(node) != 0 and index != 0 and node != "*?":
regex.append(str("({})[.]").format(node))
if len(node) != 0 and index != 0 and node == "*?":
regex.append("(([^.]+)[.])?")
for element, revlookup in sorted(self.threats.items()):
for record in revlookup:
if re.search(
str("^{}$").format(str().join(reversed(regex))),
record):
log.warning(
str("Ignoring '{}' -> '{}' -> '{}'").format(
element, record,
str().join(reversed(regex))))
self.threats.pop(element)
if element in self.threats:
if re.search(
str("^{}$").format(str().join(reversed(regex))),
element):
log.warning(
str("Ignoring '{}' -> '{}'").format(
element,
str().join(reversed(regex))))
self.threats.pop(element)
log.info(
str("[!] CLEAN part 2/2 done ({} threats)").format(
len(self.threats)))
return 0
def parse(self, buffer):
for source, destination, port in re.findall(".* SRC=([0-9a-f:.]+) DST=([0-9a-f:.]+) .* DPT=([0-9]+) .*", buffer, re.IGNORECASE):
log.info(str("Blocking '{}' -> '{}:{}'").format(source, destination, port))
db.session_append(db.models.events(source=source, destination=destination, port=port, creation=int(time.time())))
try:
db.session_commit()
except Exception as error:
log.error(error)
return 0
def merge(self):
for row in db.session.query(db.models.threats).order_by(
db.models.threats.id).yield_per(db.chunk):
if row.domain:
if row.domain not in self.threats or json.loads(
row.jsondata) != self.threats.get(row.domain):
for record in json.loads(row.jsondata):
self.check_delete(record, ipfw.ipbl, ipfw.dnbl)
self.check_delete(row.domain, ipfw.dnbl, ipfw.drop)
db.session_delete(row)
else:
self.threats.pop(row.domain)
if row.ipaddr:
if row.ipaddr not in self.threats or json.loads(
row.jsondata) != self.threats.get(row.ipaddr):
self.check_delete(row.ipaddr, ipfw.ipbl, ipfw.drop)
db.session_delete(row)
else:
self.threats.pop(row.ipaddr)
try:
self.check_commit()
db.session_commit()
except Exception as error:
log.error(error)
log.info(
str("[!] MERGE part 1/2 done ({} threats)").format(
len(self.threats)))
for element, revlookup in sorted(self.threats.items()):
if re.search("[.][a-z]+$", element):
for record in revlookup:
self.check_append(record, ipfw.ipbl, ipfw.dnbl)
self.check_append(element, ipfw.dnbl, ipfw.drop)
db.session_append(
db.models.threats(ts=int(time.time()),
domain=element,
jsondata=json.dumps(revlookup)))
self.threats.pop(element)
else:
self.check_append(element, ipfw.ipbl, ipfw.drop)
db.session_append(
db.models.threats(ts=int(time.time()),
ipaddr=element,
jsondata=json.dumps(revlookup)))
self.threats.pop(element)
try:
self.check_commit()
db.session_commit()
except Exception as error:
log.error(error)
log.info(
str("[!] MERGE part 2/2 done ({} threats)").format(
len(self.threats)))
return 0
def start(self):
while self.idx >= 0:
try:
conf.reload()
except Exception as error:
log.critical(error)
return 1
if os.path.exists(conf.get("monitor")):
self.watch(conf.get("monitor"))
else:
log.error(str("[!] Could not find '{}' to monitor network events").format(conf.get("monitor")))
time.sleep(1)
return 0
def parse(self, content):
try:
iplist = subprocess.check_output(["hostname", "--all-ip"], stderr=subprocess.STDOUT).decode().strip().split(" ")
except Exception as error:
log.error(error)
iplist = []
for srcaddr, dstaddr, srcport, dstport in re.findall(".* SRC=([0-9a-f:.]+) DST=([0-9a-f:.]+) .* SPT=([0-9]+) DPT=([0-9]+) .*", content, re.IGNORECASE):
if dstaddr in iplist:
log.info(str("Blocking incoming '{}:{}' -> '{}:{}'").format(srcaddr, srcport, dstaddr, dstport))
db.session_append(db.models.events(ts=int(time.time()), srcaddr=srcaddr, dstaddr=dstaddr, srcport=srcport, dstport=dstport, flag=1))
if srcaddr in iplist:
log.info(str("Blocking outgoing '{}:{}' -> '{}:{}'").format(srcaddr, srcport, dstaddr, dstport))
db.session_append(db.models.events(ts=int(time.time()), srcaddr=srcaddr, dstaddr=dstaddr, srcport=srcport, dstport=dstport, flag=2))
try:
db.session_commit()
except Exception as error:
log.error(error)
return 0
def reset(self):
ipfw.init()
dnfw.init()
for row in db.session.query(db.models.threats).order_by(db.models.threats.id).yield_per(db.chunk):
if row.domain:
if row.domain not in self.threats:
for record in json.loads(row.jsondata):
self.check_append(record, ipfw.ipbl, ipfw.dnbl)
self.check_append(row.domain, ipfw.dnbl, ipfw.drop)
if row.ipaddr:
if row.ipaddr not in self.threats:
self.check_append(row.ipaddr, ipfw.ipbl, ipfw.drop)
try:
self.check_commit()
db.session_commit()
except Exception as error:
log.error(error)
log.info(str("[!] RESET part 1/1 done ({} threats)").format(len(self.threats)))
return 0
