Beispiel #1
0
def execute(event):

    if not event.adHoc:
        if hasattr(event, "ip_address"):
            event._include = event.detectInputCases(event.ip_address, yes=True, trailingChar="\\b")
        else:
            event._include = event.detectInputCases(ip_address, yes=True, trailingChar="\\b")

    ils = ISOLogSource(event)
    if event.adHoc:
        ils.pullDaily(
            egrepInclude=event._include,
            egrepExclude=None,
            startDate=event._startDate,
            endDate=event._endDate,
            server=confVars.server,
            logpath=confVars.logpath,
            outputExtension=confVars.outputExtension,
            compressionDelay=confVars.compressionDelay,
            compressionExtension=confVars.compressionExtension,
            formalName=FORMAL_NAME,
            toFile=True,
            toStdOut=False,
            collect=False,
            formatter=None,
            retResults=False,
        )
    else:
        results = ils.pullDaily(
            egrepInclude=event._include,
            egrepExclude=None,
            startDate=event._startDate,
            endDate=event._endDate,
            server=confVars.server,
            logpath=confVars.logpath,
            outputExtension=confVars.outputExtension,
            compressionDelay=confVars.compressionDelay,
            compressionExtension=confVars.compressionExtension,
            formalName=FORMAL_NAME,
            toFile=True,
            toStdOut=False,
            collect=True,
            formatter=None,
            retResults=True,
        )

    event._splunk.push(
        sourcetype=confVars.splunkSourcetype, filename="%s.%s" % (event._baseFilePath, confVars.outputExtension)
    )

    if not event.adHoc:
        before, after = getTimeBisect(event._DT, results, yearlessTimeExtract)

        befuser = "******"
        afuser = "******"
        for bef, af in map(lambda *s: tuple(s), reversed(before), after):
            if bef:
                befDict = dict([y for y in [token.split("=", 1) for token in shlex.split(bef)] if len(y) == 2])
                if "user" in befDict:
                    befuser = befDict["user"]
            if af:
                afDict = dict([y for y in [token.split("=", 1) for token in shlex.split(af)] if len(y) == 2])
                if "user" in afDict:
                    afuser = afDict["user"]

            if befuser != "guest":
                event.setAttribute("username", befuser.lower())
                break
            elif afuser != "guest":
                event.setAttribute("username", afuser.lower())
                break

        print("")

        stdOutLines = uniq([x for x in before if "type=utm" in x if "subtype=webfilter" in x])[-10:]
        stdOutLines.extend(uniq([x for x in after if "type=utm" in x if "subtype=webfilter" in x])[:10])

        for line in stdOutLines:
            l = dict([y for y in [token.split("=", 1) for token in shlex.split(line)] if len(y) == 2])
            if "user" not in l:
                l["user"] = "******"
            if "hostname" not in l:
                if "dstip" in l:
                    l["hostname"] = l["dstip"]
                else:
                    l["hostname"] = "-"
            print("%(date)sT%(time)s %(srcip)s %(user)s %(status)s %(hostname)s%(url)s" % l)
Beispiel #2
0
def execute(event):

    if not event.adHoc:
        if hasattr(event, "ip_address"):
            event._include = event.detectInputCases(event.ip_address, yes=True, trailingChar="\\b")
        else:
            event._include = event.detectInputCases(ip_address, yes=True, trailingChar="\\b")

    def dhcpFormatter(inputText):
        remove = ["to ", "for ", "on ", "from "]
        formatted = ["%-20s %-8s %s" % ("Date/Time", "Type", "Message")]
        formatted.append("-" * 80)
        for line in uniq(inputText.splitlines()):
            sline = line.split("]:")
            time = datetime.datetime.strptime(sline[0][:15], "%b %d %H:%M:%S")
            msg = sline[1].strip()
            for r in remove:
                msg = msg.replace(r, "")
            msg = msg.split("via")[0].split()
            formatted.append(
                "%s  %-8s %s" % (time.strftime("%b %d %H:%M:%S"), msg[0].split("DHCP")[1], " ".join(msg[1:]))
            )

        formatted.append("")

        return "\n".join(uniq(formatted))

    def getHostName(inputText):
        hostname = re.search(r"\([a-zA-Z0-9_\-]+\) via", inputText)
        if hostname:
            return hostname.group().split()[0].strip("()").lower()
        else:
            return None

    event.setAttribute(
        "_customDHCPCmd",
        value='egrep "DHCPREQUEST|DHCPACK|DHCPNACK|DHCPRELEASE|DHCPOFFER" | egrep "%s"' % event._include,
    )
    ils = ISOLogSource(event)

    if event.adHoc:
        results = ils.pullDaily(
            egrepInclude=None,
            egrepExclude=None,
            startDate=event._startDate,
            endDate=event._endDate,
            server=confVars.server,
            logpath=confVars.logpath,
            outputExtension=confVars.outputExtension,
            compressionDelay=confVars.compressionDelay,
            compressionExtension=confVars.compressionExtension,
            formalName=FORMAL_NAME,
            toFile=True,
            toStdOut=True,
            collect=True,
            formatter=dhcpFormatter,
            customCmd=event._customDHCPCmd,
            retResults=True,
        )
    else:
        results = ils.pullDaily(
            egrepInclude=None,
            egrepExclude=None,
            startDate=event._startDate,
            endDate=event._endDate,
            server=confVars.server,
            logpath=confVars.logpath,
            outputExtension=confVars.outputExtension,
            compressionDelay=confVars.compressionDelay,
            compressionExtension=confVars.compressionExtension,
            formalName=FORMAL_NAME,
            toFile=True,
            toStdOut=False,
            collect=True,
            formatter=dhcpFormatter,
            customCmd=event._customDHCPCmd,
            retResults=True,
        )

    if not event.adHoc:

        event._splunk.push(
            sourcetype=confVars.splunkSourcetype, filename="%s.%s" % (event._baseFilePath, confVars.outputExtension)
        )

        before, after = getTimeBisect(event._DT, results, yearlessTimeExtract)

        for line in reversed(before):
            hostname = getHostName(line)
            if hostname:
                event.setAttribute("hostname", hostname)
                break

        for line in reversed(before):
            if "DHCPACK" in line:
                if getIPAddress(line.split("]:")[-1]) == event.ip_address:
                    event.setAttribute("mac_address", getMACAddress(line))
                    return

        for line in after:
            if "DHCPACK" in line:
                if getIPAddress(line.split("]:")[-1]) == event.ip_address:
                    event.setAttribute("mac_address", getMACAddress(line))
                    return