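def list_cracks_data():
	"""Return a JSON document of successful logins coming from blacklisted remotes.

	The remotes returned by ``rsyslogweblib.get_evil_list`` are matched against
	the ``mapLogsourceUserMethodRemoteResultPerDay`` collection, restricted to
	``Accepted``/``Authorized`` results, grouped by remote, result and logsource
	and sorted by remote ascending, count descending.  The remote value of each
	row is rendered as an HTML link to ``profile_remote``.

	Returns:
		A string produced by ``bson.json_util.dumps`` with the keys ``aaData``
		(the rows) and ``aoColumns`` (from ``list_columns``); both are empty
		when nothing matched.
	"""
	# stdlib escaper for the HTML built below; available on Python 2 and 3
	from xml.sax.saxutils import escape

	crackers = rsyslogweblib.get_evil_list(conn)

	smap = "mapLogsourceUserMethodRemoteResultPerDay"
	base = "_id"
	query = {
		base + ".remote": {"$in": crackers},
		base + ".result": {"$in": ['Accepted', 'Authorized']}
	}

	c = conn.sshd[smap].aggregate([
		{"$match": query},
		# the user column is replaced by a fixed mask in the output
		{"$group": {"_id": {"remote": "$_id.remote", "user": "******", "result": "$_id.result", "logsource": "$_id.logsource"}, "count": {"$sum": "$value.count"}}},
		{"$sort": bson.son.SON([("_id.remote", 1), ("count", -1)])}
	])

	# the href below uses single quotes, so both quote characters are escaped
	html_entities = {"'": "&#39;", '"': "&quot;"}

	data = []
	if c:
		for tmp in c:
			if "remote" in tmp["_id"]:
				a = "".join(tmp["_id"]["remote"])
				# The remote value comes from logged data and is emitted into HTML:
				# escape it instead of concatenating it raw into the attribute/text.
				safe = escape(a, html_entities)
				tmp["_id"]["remote"] = "<a href='profile_remote?remote=" + safe + "'>" + safe + "</a>"
			data.append(tmp)

	columns = []
	if data:
		columns = list_columns(data)

	return bson.json_util.dumps({"aaData": data, "aoColumns": columns}, sort_keys=True, indent=1, separators=(',', ': '))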
	alert['listed'] = rsyslogweblib.remote_listed(remote, conn)
	
	now = datetime.datetime.now(our_zone)
	conn.sshd.internalData.update({"type": "alert", "remote":remote},{"$set": {"reported_on": now}}, upsert=True)

	print json.dumps(alert, sort_keys=True, indent=1, separators=(',', ': '))



conn = pymongo.mongo_client.MongoClient("mongodb://localhost", w=1, tz_aware=True)
our_zone = dateutil.tz.gettz('CET')
utc_zone = dateutil.tz.gettz('UTC')


# remotes flagged as suspicious by rsyslogweblib
crackers = rsyslogweblib.get_evil_list(conn)

# successful logins that came from one of those remotes
smap = "mapLogsourceUserMethodRemoteResultPerDay"
base = "_id"
query = dict([
	(base + ".remote", {"$in": crackers}),
	(base + ".result", {"$in": ['Accepted', 'Authorized']}),
])
# grouped by remote only; a simple profile is generated for every ip afterwards anyway
c = conn.sshd[smap].aggregate([{"$match": query}, {"$group": {"_id": "$_id.remote"}}])