    def test_event(self):
        """Round-trip one event through its ``IPSIDAlertID``.

        Fetches a single event from the configured window, rebuilds it from
        its ID alone and checks that the ``ipsId``/``alertId`` parts join back
        into the same composite key.  On API v2 the event is additionally
        rebuilt from a direct ID query and compared with the raw data.
        """
        window_start = datetime.now() - timedelta(days=QUERY_TIMERANGE)
        window_end = datetime.now() + timedelta(days=1)
        manager = EventManager(time_range='CUSTOM',
                               start_time=window_start,
                               end_time=window_end,
                               limit=1)
        manager.load_data()
        original = manager[0]
        alert_id = original['IPSIDAlertID']

        # Fetch the same event by ID and rebuild the composite key from its parts.
        by_id = Event(id=alert_id)
        rebuilt_id = '|'.join([str(by_id['ipsId']['id']), str(by_id['alertId'])])
        self.assertEqual(alert_id, rebuilt_id)

        if msiempy.NitroSession().api_v == 2:
            print('CREATING EVENT MANUALLY FROM ID')
            raw = Event().data_from_id(id=alert_id, use_query=True)
            rebuilt = Event(raw)
            print('EVENT RETREIVED : {}'.format(rebuilt))
            print('ORIGINAL EVENT : {}'.format(original))
            self.assertEqual(rebuilt, raw)
def event_examples():
    """Demonstrate two ``EventManager`` queries and print their results.

    The first query filters on destination IP and host name and sorts by
    ``AlertID``; the second shows a deeper query where ``load_data`` splits
    the window into slots.
    """
    printed_fields = ['AlertID', 'LastTime', 'SrcIP', 'Rule.msg']

    print('EVENT QUERY #1 : Simple event query sorted by AlertID')
    # "0.0.0.0/0" matches every destination; "mail" is only a placeholder and
    # should be replaced with a host name that exists in the test SIEM.
    dst_filter = FieldFilter('DstIP', ['0.0.0.0/0'])
    host_filter = FieldFilter('HostID', ['mail'], operator='CONTAINS')
    simple_query = EventManager(
        time_range='LAST_3_DAYS',
        # SrcIP and AlertID are not part of the default field set.
        fields=['SrcIP', 'AlertID'],
        filters=[dst_filter, host_filter],
        order=('ASCENDING', 'AlertID'),
        limit=10)
    simple_query.load_data()
    print(simple_query)
    print(simple_query.get_text(fields=printed_fields))

    print('EVENT QUERY #2 : Deeper event query')
    deep_query = msiempy.event.EventManager(
        time_range='LAST_3_DAYS',
        fields=['SrcIP', 'AlertID'],
        limit=3)
    deep_query.load_data(slots=3, max_query_depth=1)
    print(deep_query)
    print(deep_query.get_text(fields=printed_fields))
def event_examples():
    """Show two ways of querying events with ``EventManager``.

    Query #1 restricts by destination IP and a host-name substring and sorts
    by ``AlertID``; query #2 lets ``load_data`` split the window into slots.
    """
    columns = ["AlertID", "LastTime", "SrcIP", "Rule.msg"]

    print("EVENT QUERY #1 : Simple event query sorted by AlertID")
    any_destination = FieldFilter("DstIP", ["0.0.0.0/0"])
    # "mail" is only a placeholder; substitute a host name present in the SIEM.
    mail_hosts = FieldFilter("HostID", ["mail"], operator="CONTAINS")
    first = EventManager(
        time_range="LAST_3_DAYS",
        # SrcIP and AlertID are not queried by default, so request them explicitly.
        fields=["SrcIP", "AlertID"],
        filters=[any_destination, mail_hosts],
        order=("ASCENDING", "AlertID"),
        limit=10,
    )
    first.load_data()
    print(first)
    print(first.get_text(fields=columns))

    print("EVENT QUERY #2 : Deeper event query")
    second = msiempy.event.EventManager(
        time_range="LAST_3_DAYS",
        fields=["SrcIP", "AlertID"],
        limit=3,
    )
    second.load_data(slots=3, max_query_depth=1)
    print(second)
    print(second.get_text(fields=columns))
    def test_query_splitted_with_timedelta(self):
        """Check that a time-split query returns the same leading events as an unsplit one.

        Both queries cover the same window and are ordered by ``AlertID``;
        their first five events must match.  ``max_query_depth`` given to the
        constructor is expected to be ignored (with a warning) and only to
        take effect when passed to ``load_data``.
        """
        def window():
            # Recomputed for each query, as the window edges are relative to now.
            return (datetime.now() - timedelta(days=QUERY_TIMERANGE),
                    datetime.now() + timedelta(days=1))

        start, end = window()
        whole = EventManager(
            time_range='CUSTOM',
            start_time=start,
            end_time=end,
            order=('ASCENDING', 'AlertID'),
            limit=10)
        whole.load_data()
        print('events_no_split'.upper())
        print(whole.text)

        start, end = window()
        split = EventManager(
            time_range='CUSTOM',
            start_time=start,
            end_time=end,
            order=('ASCENDING', 'AlertID'),
            limit=5,
            max_query_depth=1  # Generate warning and ignore
        )
        split.load_data(slots=2, max_query_depth=1)  # Works
        print('events_splitted'.upper())
        print(split.text)

        self.assertEqual(
            whole[:5], split[:5],
            'Firts part of the splitted query doesn\'t correspond to the genuine query. This can happen when some event are generated at the exact same moment the query is submitted, retry the test ?'
        )
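    def test_add_note(self):
        """Attach a note to a couple of real events and read it back.

        WARNING: this test writes to the SIEM -- ``set_note`` modifies the
        live events it fetches.  Run it only against a test instance.
        """
        events = EventManager(time_range='CUSTOM',
                              start_time=datetime.now() -
                              timedelta(days=QUERY_TIMERANGE),
                              end_time=datetime.now() + timedelta(days=1),
                              limit=2)
        events.load_data()

        for event in events:
            event.set_note("Test note")
            # Re-fetch by ID rather than trusting the local object, so the
            # check proves the note actually reached the server.
            genuine_event = Event(id=event['IPSIDAlertID'])
            # assertRegexpMatches was removed in Python 3.12; a substring
            # check is what was meant here anyway.
            self.assertIn(
                "Test note", genuine_event['note'],
                "The note doesn't seem to have been added to the event \n" +
                str(event))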
    def test_unique_keys(self):
        """Check that ``EventManager`` de-duplicates and normalises requested field names.

        Prefixed (``Alert.``) and bare spellings of the same field, together
        with the ``Alert.BIN(n)`` aliases, are expected to collapse into one
        canonical set (``UserIDSrc`` appears in the expected output without
        being requested by name, presumably as the resolution of an alias).
        """
        requested = [
            "Rule.msg", "Alert.SrcIP", "Alert.DstIP", "Alert.IPSIDAlertID",
            "Alert.LastTime", "SrcMac", "Alert.SrcMac", "Alert.DstMac",
            "Alert.NormID", "Alert.BIN(4)", "HostID", "Alert.BIN(7)", "DSID",
            "Alert.EventCount",
        ]
        expected = sorted([
            'Alert.NormID', 'DSID', 'DstIP', 'DstMac', 'EventCount', 'HostID',
            'IPSIDAlertID', 'LastTime', 'Rule.msg', 'SrcIP', 'SrcMac',
            'UserIDSrc',
        ])
        actual = sorted(EventManager(fields=requested).fields)
        print("Got")
        print(actual)
        print("EXPECTED")
        print(expected)

        self.assertEqual(actual, expected)
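 def get_events(self, ds_id, window='LAST_HOUR'):
     """Return the most recent event for the given datasource ID.

     Arguments:
         ds_id (str) -- datasource ID, aka IPSID

     Keyword Arguments:
         window (str) -- msiempy ``time_range`` keyword naming the window to
                 query, e.g. 'LAST_HOUR' (default: {'LAST_HOUR'})

     Returns:
         EventManager holding at most one event (empty if the datasource
         produced nothing in the window).
     """
     events = EventManager(
         time_range=window,
         fields=['HostID', 'UserIDSrc'],
         # DESCENDING so that limit=1 picks the newest event; ASCENDING would
         # return the oldest event of the window instead.
         order=('DESCENDING', 'LastTime'),
         filters=[FieldFilter('IPSID', ds_id, operator='EQUALS')],
         limit=1,
         max_query_depth=1)
     events.load_data()
     return events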
    def test_query(self):
        """Run a plain time-window query and sanity-check the returned events.

        Every event must carry a non-empty ``Alert.SrcIP`` and at least one
        event must come back; keys, text and JSON renderings are printed for
        manual inspection.
        """
        since = datetime.now() - timedelta(days=QUERY_TIMERANGE)
        until = datetime.now() + timedelta(days=1)
        result = EventManager(time_range='CUSTOM',
                              start_time=since,
                              end_time=until,
                              fields=Event.REGULAR_EVENT_FIELDS,
                              limit=10)
        result.load_data()

        for evt in result:
            self.assertNotEqual(evt['Alert.SrcIP'], '',
                                "An event doesn't have proper source IP")

        self.assertGreater(len(result), 0)

        print('EVENTS KEYS\n' + str(result.keys))
        print('EVENTS TEXT\n' + str(result))
        print('EVENT JSON\n' + result.json)
    def test_ordered_query(self):
        """Check that an ``ASCENDING AlertID`` query really comes back sorted.

        Walks the result pairwise and requires each ``Alert.AlertID`` to be
        strictly greater than its predecessor.
        """
        ordered = EventManager(
            time_range='CUSTOM',
            start_time=datetime.now() - timedelta(days=QUERY_TIMERANGE),
            end_time=datetime.now() + timedelta(days=1),
            fields=['Alert.AlertID'],
            order=('ASCENDING', 'AlertID'),
            limit=10,
        )
        ordered.load_data()

        previous = None
        for current in ordered:
            # The first (or any falsy) event only seeds the comparison.
            if previous:
                self.assertGreater(int(current['Alert.AlertID']),
                                   int(previous['Alert.AlertID']))
            previous = current
    def test_unique_keys(self):
        """Verify field-name normalisation in ``EventManager``.

        Requesting both bare and ``Alert.``-prefixed spellings (plus the
        ``Alert.BIN(n)`` aliases) must yield one canonical, de-duplicated
        list of field names.
        """
        manager = EventManager(fields=[
            "Rule.msg",
            "Alert.SrcIP",
            "Alert.DstIP",
            "Alert.IPSIDAlertID",
            "Alert.LastTime",
            "SrcMac",
            "Alert.SrcMac",
            "Alert.DstMac",
            "Alert.NormID",
            "Alert.BIN(4)",
            "HostID",
            "Alert.BIN(7)",
            "DSID",
            "Alert.EventCount",
        ])
        got = sorted(manager.fields)
        want = sorted([
            "Alert.NormID",
            "DSID",
            "DstIP",
            "DstMac",
            "EventCount",
            "HostID",
            "IPSIDAlertID",
            "LastTime",
            "Rule.msg",
            "SrcIP",
            "SrcMac",
            "UserIDSrc",
        ])

        print("Got")
        print(got)
        print("EXPECTED")
        print(want)

        self.assertEqual(got, want)
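    def test_filtered_query(self):
        """Check that field and group filters are honoured by the server.

        A ``SrcIP`` filter on ``22.0.0.0/8`` must return only addresses in
        that block; an AND-grouped filter must additionally restrict ``AppID``.
        """
        qry_filters = [FieldFilter(name='SrcIP', values=['22.0.0.0/8'])]
        e = EventManager(fields=['SrcIP'], filters=qry_filters).load_data()
        for event in e:
            # First-octet check: a bare substring test for '22.' would also
            # accept 122.x.x.x or 10.22.x.x, which are outside the /8.
            self.assertTrue(event['SrcIP'].startswith('22.'),
                            "SrcIP {} is outside 22.0.0.0/8".format(event['SrcIP']))

        qry_filters = [
            GroupFilter([
                FieldFilter(name='SrcIP', values=['22.0.0.0/8']),
                FieldFilter('AppID', 'CRON', operator='EQUALS')
            ],
                        logic='AND')
        ]

        e = EventManager(fields=['SrcIP', 'AppID'],
                         filters=qry_filters).load_data()
        for event in e:
            self.assertTrue(event['SrcIP'].startswith('22.'),
                            "SrcIP {} is outside 22.0.0.0/8".format(event['SrcIP']))
            self.assertEqual(event['AppID'], 'CRON')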
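    def test_getitem(self):
        """Exercise item access, text rendering and key deletion on an ``Event``.

        Loads a few events, prints them as CSV and as a pretty table, then
        deletes a set of keys from one event and checks that neither the bare
        nor the ``Alert.``-prefixed spelling of those keys remains.
        """
        events = EventManager(time_range='CUSTOM',
                              start_time=datetime.now() -
                              timedelta(days=QUERY_TIMERANGE),
                              end_time=datetime.now() + timedelta(days=1),
                              fields=Event.REGULAR_EVENT_FIELDS,
                              limit=5)
        events.load_data()

        print(events)

        shown_fields = [
            "Rule.msg", "SrcIP", "DstIP", "SrcMac", "DstMac", "NormID",
            "HostID", "UserIDSrc", "ObjectID", "Severity", "LastTime",
            "DSIDSigID", "IPSIDAlertID"
        ]
        print(events.get_text(fields=shown_fields, format='csv'))
        print(events.get_text(fields=shown_fields,
                              format='prettytable',
                              max_column_width=50))

        # Fail with a clear message instead of an IndexError when the SIEM
        # returned fewer than two events for the window.
        self.assertGreater(len(events), 1, "Need at least two events to test events[1]")
        an_event = events[1]

        print(an_event)

        self.assertIn('Rule.msg', an_event)
        self.assertIn('DstIP', an_event)
        self.assertIn('HostID', an_event)

        deleted = [
            "Rule.msg", "SrcIP", "DstIP", "SrcMac", "DstMac", "NormID",
            "HostID"
        ]
        # Plain loops: the original used list comprehensions purely for their
        # side effects, which builds and discards a list of Nones.
        for key in deleted:
            del an_event[key]

        # Deleting by the bare name must also drop the prefixed alias
        # (Alert.BIN(4) appears to be the internal alias of HostID here).
        for key in [
                "Rule.msg", "Alert.SrcIP", "Alert.DstIP", "Alert.SrcMac",
                "Alert.DstMac", "Alert.NormID", "Alert.BIN(4)"
        ]:
            self.assertNotIn(key, an_event)
        for key in deleted:
            self.assertNotIn(key, an_event)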
 def test_manager(self):
     """Build an ``EventManager`` from the canned ``T.TEST_EVENTS`` list and render three columns."""
     columns = ['SrcIP', 'DstIP', 'LastTime']
     manager = EventManager(alist=T.TEST_EVENTS)
     print("get_text(fields=['SrcIP', 'DstIP', 'LastTime'])")
     print(manager.get_text(fields=columns))
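if __name__ == "__main__":
    import sys

    args = parse_args()
    filters = list()

    # Each CLI selector becomes one (field, value) filter on the query.
    if args.user:
        filters.append(('UserIDSrc', args.user))
    if args.ip:
        filters.append(('SrcIP', args.ip))
    if args.host:
        filters.append(('HostID', args.host))
    if args.macaddr:
        filters.append(('SrcMac', args.macaddr))

    if len(filters) == 0:
        # Usage error: report on stderr and leave via sys.exit, which works
        # even when the site module (provider of the bare exit() builtin)
        # is not loaded.
        print('You must specify a filter. One of the arguments --user --ip --host --macaddr is required',
              file=sys.stderr)
        sys.exit(-1)

    events = EventManager(
            time_range=args.timerange,
            fields=['SrcMac', 'SrcIP', 'UserIDSrc', 'HostID', 'EventCount'],
            filters=filters)

    # delta/max_query_depth presumably split the window into 2h slices up to
    # five levels deep -- confirm against msiempy's load_data documentation.
    events.load_data(delta='2h', max_query_depth=5)

    if len(events) == 0:
        print('No event found, sorry')
        sys.exit(0)

    # Strip the per-event identity fields so only the selector columns remain
    # (the rest of the script, which consumes them, is not shown here).
    for e in events:
        del e['IPSIDAlertID']
        del e['LastTime']
        del e['Rule.msg']

    print("Loaded {} events".format(len(events)))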
"""
Print raw event results hour by hour for the past 24h
"""

from datetime import datetime

from msiempy.event import EventManager
from msiempy.__utils__ import parse_timedelta, divide_times

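# Generate last 24h tuples (start_time, end_time).  Sample "now" once so both
# window edges refer to the same instant instead of two slightly different ones.
now = datetime.now()
periods = divide_times(first=now - parse_timedelta("24h"), last=now, slots=24)

periods_results = list()

# One query per hourly slice, each restricted to the same source-IP set.
for period_start, period_end in periods:
    query = EventManager(
        start_time=period_start,
        end_time=period_end,
        filters=[("SrcIP", ["22.0.0.0/8", "127.0.0.1"])],
    )
    query.load_data()
    periods_results.append(query)

# Slice 0 is the oldest hour (24h ago); the last slice is the most recent.
for i, result in enumerate(periods_results):
    print("{} hours ago, query got {}".format(24 - i, result))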
"""
Print raw event results hour by hour for the past 24h
"""

from datetime import datetime

from msiempy.event import EventManager
from msiempy.__utils__ import parse_timedelta, divide_times

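# Generate last 24h tuples (start_time, end_time).  Take "now" once so the
# window edges are consistent rather than sampled at two different instants.
now = datetime.now()
periods = divide_times(
    first=now - parse_timedelta('24h'),
    last=now,
    slots=24)

periods_results = list()

# Run one query per hourly slice, all restricted to the same source-IP set.
for period_start, period_end in periods:
    query = EventManager(
        start_time=period_start,
        end_time=period_end,
        filters=[('SrcIP', ['22.0.0.0/8', '127.0.0.1'])]
    )
    query.load_data()
    periods_results.append(query)

# Slice 0 is the oldest hour (24h ago); the last slice is the most recent.
for i, result in enumerate(periods_results):
    print("{} hours ago, query got {}".format(24 - i, result))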