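    def run(self, idmef):
        """Correlate IDS events with firewall denials for the same flow.

        Every alert carrying a source and a target address opens a 10 s
        context keyed on (source, sport, target, dport).  A later alert whose
        classification reads like a firewall drop/deny for that same flow
        refreshes the context with options that lack ``alert_on_expire``, so
        the event counts as blocked and nothing is raised.  If no denial is
        seen before the context expires, a correlation alert named
        "Events to firewall correlation" is emitted carrying the original
        source, target, assessment and classification.

        Args:
            idmef: the incoming alert; only ``Get`` and ``match`` are used.

        Returns:
            None.  All effects go through the ``context`` store.
        """
        source = idmef.Get("alert.source(0).node.address(0).address")
        sport = idmef.Get("alert.source(0).service.port", 0)
        target = idmef.Get("alert.target(0).node.address(0).address")
        dport = idmef.Get("alert.target(0).service.port", 0)

        # Without both endpoints there is no flow to key the context on.
        if not source or not target:
            return

        # Delimit the key fields.  Plain concatenation let distinct flows share
        # one context: source 1.2.3.48 with port 0 and source 1.2.3.4 with
        # port 80 both produced "FIREWALL_1.2.3.480...", so a denial observed
        # for one flow could silence the alert for the other.  "|" cannot occur
        # in an IPv4/IPv6 literal or in a port number.  Contexts created under
        # the old undelimited name are not found after this change.
        ctxname = "FIREWALL_%s|%s|%s|%s" % (source, sport, target, dport)

        if idmef.match("alert.classification.text", re.compile("[Pp]acket [Dd]ropped|[Dd]enied")):
            # The firewall blocked this flow: create or refresh the context
            # without alert_on_expire so it expires silently.
            context.Context(ctxname, { "expire": 10 }, update = True)
            return

        # No denial yet.  Start the 10 s timer unless one is already running
        # for this flow; the fields stored below become the correlation alert
        # raised on expiry.
        if context.search(ctxname):
            return

        ctx = context.Context(ctxname, { "expire": 10, "alert_on_expire": True })
        ctx.Set("alert.source", idmef.Get("alert.source"))
        ctx.Set("alert.target", idmef.Get("alert.target"))
        ctx.Set("alert.assessment", idmef.Get("alert.assessment"))
        ctx.Set("alert.classification", idmef.Get("alert.classification"))
        ctx.Set("alert.correlation_alert.name", "Events to firewall correlation")
        # The last analyzer in the path is taken as the emitter of this alert
        # (IDMEF mandates at least one analyzer, so indexing is assumed safe).
        ctx.Set("alert.correlation_alert.alertident(0).analyzerid", idmef.Get("alert.analyzer(*).analyzerid")[-1])
        ctx.Set("alert.correlation_alert.alertident(0).alertident", idmef.Get("alert.messageid"))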
Archivo: worm.py Proyecto: yoannv/pycor
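    def run(self, idmef):
        """Flag a host that repeats, as attacker, what was recently done to it.

        Every alert opens or refreshes a 300 s context per (classification
        text, target address) with a budget of 5 hits.  When a later alert
        names one of those targets as a *source* under the same
        classification, the alert is appended to that context and the budget
        decremented; once it is exhausted a high-severity "Possible Worm
        Activity" correlation alert is raised and the context destroyed.

        Args:
            idmef: the incoming alert; only ``Get`` is used.

        Returns:
            None.  All effects go through the ``context`` store.
        """
        ctxt = idmef.Get("alert.classification.text")
        if not ctxt:
            return

        # Get() on a "(*)" path is assumed to yield a sequence; the "or ()"
        # keeps an alert with no target or no source from raising here instead
        # of simply contributing nothing.
        targets = idmef.Get("alert.target(*).node.address(*).address") or ()
        sources = idmef.Get("alert.source(*).node.address(*).address") or ()

        # Remember "classification ctxt was aimed at host H" for five minutes.
        # The "|" delimiter keeps a classification text ending in digits or
        # punctuation from running into the address; plain concatenation let
        # distinct (classification, host) pairs share one key.
        for target in targets:
            context.Context("WORM_HOST_%s|%s" % (ctxt, target), { "expire": 300, "threshold": 5 }, update = True)

        for source in sources:
            # Was this source itself a target of the same classification
            # recently?  NOTE(review): a host listed as both source and target
            # of this very alert matches the context created just above, so a
            # self-directed alert already counts as one repetition.
            ctx = context.search("WORM_HOST_%s|%s" % (ctxt, source))
            if not ctx:
                continue

            # Append this alert's endpoints and identity to the pending
            # correlation alert.
            ctx.Set("alert.source(>>)", idmef.Get("alert.source"))
            ctx.Set("alert.target(>>)", idmef.Get("alert.target"))
            ctx.Set("alert.correlation_alert.alertident(>>).alertident", idmef.Get("alert.messageid"))
            # The last analyzer in the path is taken as the emitter of this
            # alert; it is paired with the alertident just appended.
            ctx.Set("alert.correlation_alert.alertident(-1).analyzerid", idmef.Get("alert.analyzer(*).analyzerid")[-1])

            # Consume one unit of the threshold; fires when the budget hits zero.
            if ctx.CheckAndDecThreshold():
                ctx.Set("alert.classification.text", "Possible Worm Activity")
                ctx.Set("alert.correlation_alert.name", "Source host repeating actions taken against it recently")
                ctx.Set("alert.assessment.impact.severity", "high")
                ctx.Set("alert.assessment.impact.description", source + " has repeated actions taken against it recently at least 5 times. It may have been infected with a worm.")
                ctx.alert()
                ctx.destroy()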