Beispiel #1
 def _getSomething(self, relationName, primKeyName, primKey):
     """
     Fetch the attributes of one entry of a relation, selected by primary key.

     A select over all columns of C{relationName} with the single condition
     C{primKeyName == primKey} is sent through C{self._performRequest}. The
     attributes of the first relation in the first result set are returned.

     There is no guard for an empty reply; the indexing below raises then.

     @return: The 'attributes' value of the first matching entry
     """
     from dataengine_tools import getPreXMLDictCreator
     from messagewrapper import getXMLDBWrapper
     # NOTE(review): primKey is placed into the request as given; any escaping
     # is up to wrapSelect -- confirm before passing externally supplied keys.
     condition = [primKeyName, OPERATOR_EQUAL, primKey]
     request = getXMLDBWrapper().wrapSelect(relationName, 'all', [condition])
     reply = self._performRequest(request)
     _count, resultSets = getXMLDBWrapper().parseSelectReply(reply)
     firstRelation = resultSets[0]['relations'][0]
     return firstRelation['attributes']
Beispiel #2
    def insertExtensionEvent(self, data):
        """
        Insert an event delivered by the IOIDS extension.

        C{data} is indexed as a three-item sequence. Its first item must be the
        string 'ioids_event'; anything else is rejected before a request is
        built. The three items are handed to wrapInsert in order.

        @return: Third field of the first reply entry without its first and
            last character
        @raise ValueError: If C{data[0]} is not 'ioids_event'
        """
        relationName = data[0]
        # only the ioids_event relation may be written through this entry point
        if relationName != 'ioids_event':
            raise ValueError('This is not a valid extension message for the IOIDS extension.')
        from messagewrapper import getXMLDBWrapper
        request = getXMLDBWrapper().wrapInsert(relationName, data[1], data[2])

        reply = self._performRequest(request)
        parsedReply = getXMLDBWrapper().parseInsertReply(reply)
        quotedKey = parsedReply[0][2]
        # presumably the key arrives wrapped in apostrophes; cut one character off each end
        return quotedKey[1:-1]
Beispiel #3
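 def getIoidsEvents(self, conditions = None):
     """
     Collects available ioids events from the database.

     The result is returned in a format mixed by lists and dictionaries.

     @param conditions: Select conditions handed to wrapSelect unchanged;
         omitted or None means no conditions (an empty list)
     @return: The second value returned by parseSelectReply for the reply
     """
     if conditions is None:
         # a fresh list per call; a shared default list would keep any change
         # made to it across calls
         conditions = []
     from messagewrapper import getXMLDBWrapper
     # NOTE(review): condition values go into the request as given; escaping
     # is up to wrapSelect -- confirm.
     xml = getXMLDBWrapper().wrapSelect('ioids_event', 'all', conditions)
     result = self._performRequest(xml)
     no, resolved = getXMLDBWrapper().parseSelectReply(result)
     return resolved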
Beispiel #4
    def insertEvent(self, event):
        """
        Insert a new event.

        C{event} is indexed as a three-item sequence whose items are handed to
        wrapInsert in order.

        @return: Third field of the first reply entry with the apostrophes
            around it removed
        """
        from messagewrapper import getXMLDBWrapper
        # NOTE(review): the first item is used as given and nothing here
        # restricts what is written -- confirm callers pass trusted entries.
        first, second, third = event[0], event[1], event[2]
        request = getXMLDBWrapper().wrapInsert(first, second, third)
        reply = self._performRequest(request)
        parsedReply = getXMLDBWrapper().parseInsertReply(reply)
        quotedKey = parsedReply[0][2]
        # the key comes back wrapped in apostrophes; slice one character off each end
        return quotedKey[1:-1]
Beispiel #5
    def insertFullIoidsEventWithRelation(self, fullIoidsEvent):
        """
        Insert a new ioids event with its relation to further events.

        The three items of C{fullIoidsEvent} are handed to wrapInsert in order
        and the resulting request is sent through C{self._performRequest}.

        @return: The primary key of the new relation entry
        @rtype: C{String}
        """
        from messagewrapper import getXMLDBWrapper
        request = getXMLDBWrapper().wrapInsert(
            fullIoidsEvent[0],
            fullIoidsEvent[1],
            fullIoidsEvent[2])
        reply = self._performRequest(request)

        firstEntry = getXMLDBWrapper().parseInsertReply(reply)[0]
        keyField = firstEntry[2]
        # the first and last character are dropped (presumably apostrophes around the key)
        return keyField[1:-1]
Beispiel #6
    def insertSnortDBEvent(self, snortdbEvent):
        """
        Insert a new snortdb event.

        C{snortdbEvent} is read by index; items 0, 1 and 2 become the three
        arguments of wrapInsert.

        @return: The primary key of the new event
        @rtype: C{String}
        """
        from messagewrapper import getXMLDBWrapper
        insertArgs = (snortdbEvent[0], snortdbEvent[1], snortdbEvent[2])
        request = getXMLDBWrapper().wrapInsert(*insertArgs)

        reply = self._performRequest(request)
        parsed = getXMLDBWrapper().parseInsertReply(reply)
        rawKey = parsed[0][2]
        # strip one character from each end (presumably the apostrophes around the key)
        return rawKey[1:-1]
Beispiel #7
    def _processIoidsEventFromLocal(self, event):
        """
        Send one stored IOIDS event and its related events as an event update.

        The IOIDS event named by C{event[1]['ioids_event_id']} is loaded from
        the database, every related event gets an 'extension' sub entry added,
        and the assembled message goes to the G4DS connector's sendEventUpdate.
        """
        from dbconnector import getDBConnector
        ioidsEventId = event[1]['ioids_event_id']
        storedEvent = getDBConnector().getIoidsEvent(ioidsEventId)
        from messagewrapper import getXMLDBWrapper, getIoidsMessageWrapper
        # the wrapped insert is built but its result is not used afterwards
        unusedInsertXml = getXMLDBWrapper().wrapInsert(storedEvent[0], storedEvent[1], storedEvent[2])
        from g4dsconnector import getG4dsConnector

        related = getDBConnector().getRelatedEventsForIoidsEvent(ioidsEventId)
        # attach the extension information to each related event
        for relatedEntry in related:
            innerEvent = getIoidsMessageWrapper()._getRelationInTree(relatedEntry, ['event'])
            extName, extValue = getDBConnector().getExtensionForEvent(innerEvent)
            extensionAttributes = {'extension_name': extName}
            relatedEntry[2].append(['extension', extensionAttributes, [extValue]])

        message = getIoidsMessageWrapper().assembleIoidsMessage(storedEvent, related)

        getG4dsConnector().sendEventUpdate(message)
        print("*** processed (and sent) IOIDS event %s" % ioidsEventId)
Beispiel #8
    def insertIoidsEvent(self, ioidsEventEntryList):
        """
        Insert a new IOIDS event.

        The first three items of C{ioidsEventEntryList} are passed to
        wrapInsert in order.

        @return: The primary key of the new event
        @rtype: C{String}
        """
        from messagewrapper import getXMLDBWrapper
        entry = ioidsEventEntryList
        request = getXMLDBWrapper().wrapInsert(entry[0], entry[1], entry[2])

        reply = self._performRequest(request)
        replyEntries = getXMLDBWrapper().parseInsertReply(reply)
        wrappedKey = replyEntries[0][2]
        # everything between the first and the last character (presumably apostrophes) is the key
        return wrappedKey[1:-1]
Beispiel #9
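def testDicts():
    """
    Manual check: load IOIDS event '2' and print its wrapped insert request.

    The database connection is closed again even if loading or wrapping the
    event fails.
    """
    from dbconnector import getDBConnector
    from messagewrapper import getXMLDBWrapper
    getDBConnector().connect()
    try:
        lists = getDBConnector().getIoidsEvent('2')
        xml = getXMLDBWrapper().wrapInsert(lists[0], lists[1], lists[2])
        print(xml)
    finally:
        # do not leave the connection open when one of the calls above raises
        getDBConnector().disconnect()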
Beispiel #10
    def getRelatedEventsForIoidsEvent(self, ioidsEventId, full = 1):
        """
        Collect the relation entries that belong to one IOIDS event.

        Selects from 'ioids_relation' where 'ioids_event_id' equals
        C{str(ioidsEventId)} and restructures every hit into a 'relation'
        entry. In each entry the 'event_id' and 'ioids_relation_type_id'
        attributes are replaced by the loaded event and relation type, which
        are appended to the entry's third item.

        C{full} is accepted but not read by this method.

        @return: List of the restructured relation entries
        """
        from messagewrapper import getXMLDBWrapper
        # NOTE(review): the id is only converted with str(); escaping of the
        # value is up to wrapSelect -- confirm.
        condition = ['ioids_event_id', OPERATOR_EQUAL, str(ioidsEventId)]
        request = getXMLDBWrapper().wrapSelect('ioids_relation', 'event_id', [condition])
        reply = self._performRequest(request)
        _count, resultSets = getXMLDBWrapper().parseSelectReply(reply)

        from dataengine_tools import getPreXMLDictCreator

        # first pass: restructure every raw hit
        relations = [
            getPreXMLDictCreator().restructureEntry(hit['attributes'], 'relation')
            for hit in resultSets[0]['relations']
        ]

        # second pass: swap the foreign keys for the entries they refer to
        for relation in relations:
            attributes = relation[1]
            linkedEvent = self.getEvent(attributes['event_id'])
            relation[2].append(linkedEvent)
            del attributes['event_id']
            relationType = self.getIoidsRelationType(attributes['ioids_relation_type_id'])
            relation[2].append(relationType)
            del attributes['ioids_relation_type_id']
        return relations
Beispiel #11
def testWrapper():
    """
    Manual check: parse a canned SELECT_RESULTS reply and print the outcome.

    The reply holds one result set with two 'table1' records.
    """
    from messagewrapper import getXMLDBWrapper
    from dbconnector import OPERATOR_GREATER_THEN  # imported but not used below

    fragments = [
        "<RELATIONS command='SELECT_RESULTS' >",
        "<REL RESULTS_ID='1'>",
        "<REL name='table1'>",
        "<ATT name='x1'>128</ATT><ATT name='table1_id'>1</ATT><ATT name='table2_id'>1</ATT>",
        "</REL>",
        "<REL name='table1'>",
        "<ATT name='x1'>12</ATT><ATT name='table1_id'>2</ATT><ATT name='table2_id'>1</ATT>",
        "</REL>",
        "<REL name='TOTAL_RECORDS'>2</REL>",
        "</REL>",
        "<REL name='TOTAL_RESULTS'>1</REL>",
        "</RELATIONS>",
    ]
    xml = "".join(fragments)

    parsed = getXMLDBWrapper().parseSelectReply(xml)
    print("Number of sets: %d\n%s" % (parsed))
Beispiel #12
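    def _executeOneReaction(self, event, reaction):
        """
        Performs all operations as defined by the reaction part of an ioids rule.

        'community' and 'classification' are read from C{reaction['parameters']};
        the value 'Auto' is replaced by a fixed placeholder for now. For a
        reaction of type 'NewLocalEvent' the triggering event is wrapped into a
        new IOIDS event (its insert XML, hex encoded, becomes the data entry),
        linked to the original event with a 'parent' relation and inserted
        into the database.

        C{event} is modified in place: its 'event_id' attribute is removed.

        @param event: Event entry; C{event[1]} is its attribute dictionary
        @param reaction: Dictionary with the keys 'type' and 'parameters'
        @raise IoidsDependencyException: If 'community' or 'classification' is
            missing from the reaction parameters
        """
        from config import G4DS_MEMBER_ID
        from dbconnector import getDBConnector
        from errorhandling import IoidsDependencyException

        # this member is used as both source and sender of the new event
        ioidsSource = G4DS_MEMBER_ID
        ioidsSender = G4DS_MEMBER_ID

        parameters = reaction['parameters']
        if 'community' not in parameters:
            raise IoidsDependencyException('Community can not be determined for new local event. Looks like a mistake in ioids policy.')
        if parameters['community'] == 'Auto':
            ioidsCommunity = 'C001'     # we will do this properly soon :) TODO
        else:
            ioidsCommunity = parameters['community']

        if 'classification' not in parameters:
            # this message used to name the community, which pointed at the wrong policy field
            raise IoidsDependencyException('Classification can not be determined for new local event. Looks like a mistake in ioids policy.')
        if parameters['classification'] == 'Auto':
            ioidsClassificationCode = '10'     # we will do this properly soon :) TODO
        else:
            ioidsClassificationCode = parameters['classification']

        ioidsTimestamp = 'now'

        if reaction['type'] == 'NewLocalEvent':
            # we must get rid off the id - otherwise it will insert a new event again and again
            if 'event_id' in event[1]:
                del event[1]['event_id']

            # create relations
            from dataengine_tools import getPreXMLDictCreator
            from config import IOIDS_EVENT_TYPE, LOCAL_ADDRESS, LOCAL_HOSTNAME, LOCAL_MAC, LOCAL_OS, LOCAL_DOMAIN, LOCAL_COMPUTER_TYPE
            from messagewrapper import getXMLDBWrapper
            import binascii
            creator = getPreXMLDictCreator()

            # here we create the actual event: the original event's insert XML,
            # hex encoded, is stored as the data of the new event
            newEncoding = creator.createNewEncodingEntry('XML HEX')
            eventXML = getXMLDBWrapper().wrapInsert(event[0], event[1], event[2])
            encoded = binascii.hexlify(eventXML)
            newData = creator.createNewDataEntry(encoded, [newEncoding])  # todo: put whole event description here

            newComputer = creator.createNewComputerEntry(LOCAL_HOSTNAME, LOCAL_OS, LOCAL_ADDRESS, LOCAL_MAC, LOCAL_DOMAIN, [], None, LOCAL_COMPUTER_TYPE)
            newAgent = creator.createNewAgentEntry('IOIDS', [newComputer], '2')
            newReporter = creator.createNewReporterEntry('IOIDS reporter', [newAgent])

            newEventType = creator.createNewEventTypeEntry(IOIDS_EVENT_TYPE)

            # reporter is me
            # observer is the reporter from our event
            oldEventReporterId = event[1]['rprt_id']
            fullReporter = getDBConnector().getReporter(oldEventReporterId)
            # None when the stored reporter has no name
            repName = fullReporter[1].get('rprt_name')
            newObserver = creator.createNewObserverEntry(repName, fullReporter[2])
            # source and destination are the same than of the actual event
            newEvent = creator.createNewEventEntry('now', [newData, newEventType, newReporter, newObserver], None, None,
                event[1]['src_id'], event[1]['dstn_id'])
            ioidsEventEntry = creator.createNewIoidsEventEntry(ioidsCommunity, ioidsTimestamp, [
                creator.createNewIoidsSourceEntry(ioidsSource),
                creator.createNewIoidsSenderEntry(ioidsSender),
                getDBConnector().getIoidsClassificationByCode(ioidsClassificationCode),
                newEvent     # our event should be in the proper format already
                ])

            # and finally the relations
            newRelationEntry = creator.createNewIoidsRelationEntry([ioidsEventEntry, event], relationTypeName = 'parent')

            primKeyRel = getDBConnector().insertFullIoidsEventWithRelation(newRelationEntry)
            print("\t-- Inserted event with id: %s" % (primKeyRel))

            # now let's go and check whether this is to be distributed
            # (only announced on the console here, nothing is sent)
            if 'distribute' in parameters:
                print("\t--Now I would even send it off to %s." % (parameters['distribute']['domain']))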