def handleSYNPacketHostPortscanDetector(data=None):
"""
Creates an incident if a single canary receives SYN packets to more than 10 different
ports in less than 50 seconds.
"""
try:
host_scan_key = KEY_TRACK_HOST_PORT_SCAN + data[
'src_host'] + ':' + data['dst_host']
new_set = False
if not redis.exists(host_scan_key):
new_set = True
if redis.sadd(host_scan_key, data['dst_port']):
if new_set:
redis.expire(
host_scan_key,
c.config.getVal('portscan.monitor_period', default=50))
if redis.scard(host_scan_key) >= c.config.getVal(
'portscan.packet_threshold', default=5):
data['logdata'] = list(redis.smembers(host_scan_key))
IncidentFactory.create_incident('scans.host_portscan',
data=data)
redis.delete(host_scan_key)
except Exception as e:
import traceback
logger.critical(traceback.format_exc())
def handleSYNPacketNetworkPortscanDetector(data=None):
"""
Creates an incident if two or more canaries report a syn packet to the same dst port,
from the same host, in an hour or less.
"""
try:
network_scan_target_key = KEY_TRACK_NETWORK_PORT_SCAN + data[
'src_host'] + ':' + data['dst_port'] + ':targets'
try:
dst_host = data['reported_dst_host']
except KeyError:
dst_host = data['dst_host']
if not redis.sismember(network_scan_target_key, dst_host):
redis.sadd(network_scan_target_key, dst_host)
redis.expire(
network_scan_target_key,
c.config.getVal('networkscan.monitor_period', default=3600))
pckt_count = redis.scard(network_scan_target_key)
if pckt_count >= c.config.getVal('networkscan.packet_threshold',
default=2):
data['logdata'] = list(redis.smembers(network_scan_target_key))
IncidentFactory.create_incident('scans.network_portscan',
data=data)
except Exception as e:
import traceback
logger.critical(traceback.format_exc())
def _filter_incidents(filter_=None, include_hosts=True):
host_cache = {}
keys = redis.zrangebyscore(KEY_INCIDENTS, '-inf', '+inf')
incidents = []
for key in keys:
incident = redis.hgetall(key)
try:
if not filter_(incident):
continue
if include_hosts:
if not host_cache.has_key(incident['node_id']):
host_cache[incident['node_id']] = \
redis.hgetall(KEY_DEVICE+get_device_id_hash(incident['node_id']))
incident['host'] = host_cache[incident['node_id']]
incidents.append(jsonify_incident(key, incident))
except Exception as e:
logger.critical(e)
return incidents
def _filter_incidents(filter_=None, include_hosts=True):
host_cache = {}
keys = redis.zrangebyscore(KEY_INCIDENTS, '-inf', '+inf')
incidents = []
for key in keys:
incident = redis.hgetall(key)
try:
if not filter_(incident):
continue
if include_hosts:
if not host_cache.has_key(incident['node_id']):
host_cache[incident['node_id']] = \
redis.hgetall(KEY_DEVICE+get_device_id_hash(incident['node_id']))
incident['host'] = host_cache[incident['node_id']]
incidents.append(jsonify_incident(key, incident))
except Exception as e:
logger.critical(e)
return incidents
