def initConfig():
    """Populate ``options`` with the backup settings from ``options.configfile``.

    Every setting is stored as a comma-separated string and split into a
    list. ``indices``, ``dobackup``, ``rotation`` and ``pruning`` appear to
    be positional (entry *i* of each describing index *i*, judging by the
    parallel three-entry defaults), so no entries are dropped or stripped.
    """
    def _csv(key, default):
        # str.split already returns a list; no extra list() wrapper needed
        return getConfig(key, default, options.configfile).split(',')

    options.esservers = _csv('esservers', 'http://localhost:9200')
    options.indices = _csv('backup_indices', 'events,alerts,kibana-int')
    # one backup flag per entry in options.indices
    options.dobackup = _csv('backup_dobackup', '1,1,1')
    options.rotation = _csv('backup_rotation', 'daily,monthly,none')
    options.pruning = _csv('backup_pruning', '20,0,0')
def initConfig():
    """Load this script's runtime settings from ``options.configfile``.

    ``defaultTimeZone`` is the zone applied when a timestamp carries none,
    ``filemask`` selects the input files, ``cachelength`` sizes the cache,
    ``url`` is the endpoint events are sent to (a local port 9200 listener
    by default) and ``bindignore`` is a space-delimited skip list.
    """
    cfg = options.configfile
    options.defaultTimeZone = getConfig('defaulttimezone', 'US/Pacific', cfg)
    options.filemask = getConfig('filemask', '*.log', cfg)
    options.cachelength = getConfig('cachelength', 100, cfg)
    options.url = getConfig('url', 'http://localhost:9200', cfg)
    # space-delimited words/usernames/items; a BIND dn="..." containing one is ignored
    options.bindignore = getConfig('bindignore', '', cfg)
 def initConfiguration(self):
     """Build ``self.options`` for this plugin from ``self.configfile``.

     An empty ``OptionParser`` run is used only to obtain a Values object
     to hang attributes on. The ``banhammer*`` settings describe the MySQL
     database that fronts the IP blocking service; the DB password comes
     straight out of the config file, so that file needs restrictive
     permissions.
     """
     parser = OptionParser()
     # parse_args([]) on a parser with no options registered yields an empty Values
     self.options, _ = parser.parse_args([])

     # zone applied to timestamps that carry no zone information
     self.options.defaultTimeZone = getConfig('defaulttimezone', 'US/Pacific', self.configfile)

     # banhammer: mozilla's custom/internal ip blocking service, reached
     # through an intermediary mysql DB -- credentials live in the config file
     for key, default in (
         ('banhammerdbhost', 'localhost'),
         ('banhammerdbuser', 'auser'),
         ('banhammerdbpasswd', ''),
         ('banhammerdbdb', 'banhammer'),
     ):
         setattr(self.options, key, getConfig(key, default, self.configfile))
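def initConfig():
    """Populate ``options`` for the ip blocklist writer from ``options.configfile``.

    Settings: the log destination (``output``/``sysloghostname``/``syslogport``),
    the mongo instance to read from, a CIDR whitelist parsed into
    ``netaddr.IPNetwork`` objects, the output file name, the attacker
    category to select and a cap on the number of IPs emitted.

    Raises:
        netaddr.AddrFormatError: propagated from ``netaddr.IPNetwork`` when
            an ``ipwhitelist`` entry is not a valid CIDR mask.
    """
    cfg = options.configfile
    # zone applied to timestamps that carry no zone information
    options.defaulttimezone = getConfig('defaulttimezone', 'UTC', cfg)
    # log to stdout or syslog
    options.output = getConfig('output', 'stdout', cfg)
    options.sysloghostname = getConfig('sysloghostname', 'localhost', cfg)
    options.syslogport = getConfig('syslogport', 514, cfg)

    # mongo instance
    options.mongohost = getConfig('mongohost', 'localhost', cfg)
    options.mongoport = getConfig('mongoport', 3001, cfg)

    # CIDR whitelist as a comma separated list of 8.8.8.0/24 style masks.
    # Parsed eagerly, so a malformed mask fails here at startup rather than
    # later while the blocklist is being built. (The original append loop
    # wrapped the split in a redundant list(); a comprehension is the idiom.)
    options.ipwhitelist = [
        netaddr.IPNetwork(mask)
        for mask in getConfig('ipwhitelist', '127.0.0.1/32', cfg).split(',')
    ]

    # output file name
    options.outputfile = getConfig('outputfile', 'ipblocklist.txt', cfg)

    # attacker category to select
    options.category = getConfig('category', 'bruteforcer', cfg)

    # max IPs to emit
    options.iplimit = getConfig('iplimit', 1000, cfg)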
def initConfig():
    """Read this checker's settings from ``options.configfile`` into ``options``.

    Covers the log destination, the message queue hosts whose rabbitmq
    management API is polled (user, password and API port included), the
    elastic search servers, the index events are written to and the JSON
    mapping file applied to that index.
    """
    cfg = options.configfile

    # log to stdout or syslog
    options.output = getConfig('output', 'stdout', cfg)
    options.sysloghostname = getConfig('sysloghostname', 'localhost', cfg)
    options.syslogport = getConfig('syslogport', 514, cfg)

    # message queue server(s) to check in on; comma separated hostnames
    options.mqservers = getConfig('mqservers', 'localhost', cfg).split(',')
    # 'guest'/'guest' matches the broker's stock account; the config file is
    # expected to override both
    options.mquser = getConfig('mquser', 'guest', cfg)
    options.mqpassword = getConfig('mqpassword', 'guest', cfg)
    # port of the rabbitmq json management interface
    options.mqapiport = getConfig('mqapiport', 15672, cfg)

    # elastic search server settings
    options.esservers = getConfig('esservers', 'http://localhost:9200', cfg).split(',')
    # index to save events to
    options.index = getConfig('index', 'mozdefstate', cfg)
    # mapping json for the index; defaults to the template shipped next to this module
    here = os.path.dirname(os.path.abspath(__file__))
    default_mapping = os.path.join(here, 'mozdefStateDefaultMappingTemplate.json')
    options.default_mapping_file = getConfig('default_mapping_file', default_mapping, cfg)
def initConfig():
    """Load log, elastic search and index-age settings into ``options``.

    ``esservers`` is a comma-separated string split into a list; ``index_age``
    is read as-is (default 15) and presumably counts days -- confirm against
    the caller.
    """
    def _get(key, default):
        return getConfig(key, default, options.configfile)

    # log to stdout or syslog
    options.output = _get('output', 'stdout')
    # syslog hostname / port
    options.sysloghostname = _get('sysloghostname', 'localhost')
    options.syslogport = _get('syslogport', 514)
    # elastic search servers
    options.esservers = _get('esservers', 'http://localhost:9200').split(',')
    options.index_age = _get('index_age', 15)
def initConfig():
    """Load log settings and the two database paths into ``options``.

    ``db_download_location`` and ``db_location`` default to the empty
    string, so the caller must cope with an unset path.
    """
    cfg = options.configfile
    # log to stdout or syslog
    options.output = getConfig('output', 'stdout', cfg)
    options.sysloghostname = getConfig('sysloghostname', 'localhost', cfg)
    options.syslogport = getConfig('syslogport', 514, cfg)

    options.db_download_location = getConfig('db_download_location', '', cfg)
    options.db_location = getConfig('db_location', '', cfg)
def initConfig():
    """Load log settings, ``required_fields`` and ``esservers`` into ``options``.

    NOTE(review): both list settings default to ``''``, and ``''.split(',')``
    is ``['']`` -- an unset key therefore yields a one-element list holding
    an empty string, not an empty list. Callers should expect that.
    """
    def _get(key, default):
        return getConfig(key, default, options.configfile)

    # log to stdout or syslog
    options.output = _get('output', 'stdout')
    options.sysloghostname = _get('sysloghostname', 'localhost')
    options.syslogport = _get('syslogport', 514)

    options.required_fields = _get('required_fields', '').split(',')
    options.esservers = _get('esservers', '').split(',')
def initConfig():
    """Load the elastic search servers and retention windows into ``options``.

    ``days`` is the retention for daily rotations, ``months`` for monthly
    rotations; both are read as configured (defaults 20 and 3).
    """
    cfg = options.configfile
    options.esservers = getConfig('esservers', 'http://localhost:9200', cfg).split(',')
    # how many days of events to keep for daily rotations
    options.days = getConfig('days', 20, cfg)
    # how many months of events to keep for monthly rotations
    options.months = getConfig('months', 3, cfg)
def initConfig():
    """Read log, message queue, timezone and elastic search settings into ``options``.

    The mq settings target the rabbitmq json management interface; the
    ``guest``/``guest`` defaults match the broker's stock account and are
    expected to be overridden in the config file.
    """
    def _get(key, default):
        return getConfig(key, default, options.configfile)

    # log to stdout or syslog
    options.output = _get('output', 'stdout')
    # syslog hostname / port
    options.sysloghostname = _get('sysloghostname', 'localhost')
    options.syslogport = _get('syslogport', 514)

    # message queue server(s) to check in on; comma separated hostnames
    options.mqservers = _get('mqservers', 'localhost').split(',')
    options.mquser = _get('mquser', 'guest')
    options.mqpassword = _get('mqpassword', 'guest')
    # port of the rabbitmq json management interface
    options.mqapiport = _get('mqapiport', 15672)

    # zone applied to timestamps that carry no zone information
    options.defaulttimezone = _get('defaulttimezone', 'UTC')

    # elastic search server settings
    options.esservers = _get('esservers', 'http://localhost:9200').split(',')
def initConfig():
    '''setup the default options and override with any in our .conf file

    Describes the alert queue: broker host/port and credentials, exchange,
    queue name, topic pattern, prefetch depth and the ack/delivery mode.
    Note the attribute names do not always match the config keys
    (``alertExchange`` <- ``alertexchange``, ``queueName`` <- ``alertqueuename``).
    '''
    cfg = options.configfile

    # message queue server hostname
    options.mqalertserver = getConfig('mqalertserver', 'localhost', cfg)
    # queue exchange name
    options.alertExchange = getConfig('alertexchange', 'alerts', cfg)
    # queue name
    options.queueName = getConfig('alertqueuename', 'alertPlugins', cfg)
    # queue topic
    options.alerttopic = getConfig('alerttopic', 'mozdef.*', cfg)

    # how many messages to ask for at once
    options.prefetch = getConfig('prefetch', 50, cfg)
    # 'guest'/'guest' is the broker's stock account; override it in the .conf
    options.mquser = getConfig('mquser', 'guest', cfg)
    options.mqpassword = getConfig('mqpassword', 'guest', cfg)
    options.mqport = getConfig('mqport', 5672, cfg)
    # mqack=True sets persistent delivery, False sets transient delivery
    options.mqack = getConfig('mqack', True, cfg)
def initConfig():
    """Populate ``options`` for the backup-to-s3 job from ``options.configfile``.

    Log destination, elastic search servers and the positional backup lists
    (``indices``/``dobackup``/``rotation``/``pruning``, one entry per index)
    are read first, then the aws key pair used to upload to s3. Both aws
    values default to ``''`` and are read from the config file, so that
    file holds live credentials and must be protected accordingly.
    """
    def _get(key, default):
        return getConfig(key, default, options.configfile)

    def _csv(key, default):
        return _get(key, default).split(',')

    # log to stdout or syslog
    options.output = _get('output', 'stdout')
    # syslog hostname / port
    options.sysloghostname = _get('sysloghostname', 'localhost')
    options.syslogport = _get('syslogport', 514)

    options.esservers = _csv('esservers', 'http://localhost:9200')
    options.indices = _csv('backup_indices', 'events,alerts,kibana-int')
    # the next three line up positionally with options.indices
    options.dobackup = _csv('backup_dobackup', '1,1,1')
    options.rotation = _csv('backup_rotation', 'daily,monthly,none')
    options.pruning = _csv('backup_pruning', '20,0,0')

    # aws credentials used to send files to s3
    options.aws_access_key_id = _get('aws_access_key_id', '')
    options.aws_secret_access_key = _get('aws_secret_access_key', '')
def initConfig():
    """Load log, timezone, MIG client TLS and elastic search settings into ``options``.

    ``sslclientcert``/``sslclientkey`` name the client certificate pair used
    to talk to ``mighost``; ``sslcacert`` (default ``''``) is the CA bundle
    to verify the server with. ``lastrun`` defaults to 15 minutes before
    now, normalised through ``toUTC``; the naive ``datetime.now()`` is
    interpreted by ``toUTC``, presumably using ``defaultTimeZone``.
    """
    cfg = options.configfile
    options.output = getConfig('output', 'stdout', cfg)                     # stdout or syslog
    options.sysloghostname = getConfig('sysloghostname', 'localhost', cfg)  # syslog hostname
    options.syslogport = getConfig('syslogport', 514, cfg)                  # syslog port
    options.defaultTimeZone = getConfig('defaulttimezone', 'US/Pacific', cfg)
    # Z = UTC, -07:00 = PDT
    options.mighost = getConfig('mighost', 'https://localhost', cfg)
    options.sslclientcert = getConfig('sslclientcert', 'mig.crt', cfg)
    options.sslclientkey = getConfig('sslclientkey', 'mig.key', cfg)
    options.sslcacert = getConfig('sslcacert', '', cfg)
    options.esservers = getConfig('esservers', 'http://localhost:9200', cfg).split(',')
    fallback_lastrun = toUTC(datetime.now() - timedelta(minutes=15))
    options.lastrun = toUTC(getConfig('lastrun', fallback_lastrun, cfg))
def initConfig():
    """Load timezone, elastic search and cache-clearing settings into ``options``.

    ``jvmlimit`` is the memory watermark in percent (default 90).
    ``conservative`` (default True) limits cache clearing to the first index
    found with no searches and cached field data; when false, clearing
    continues for any index not matching the date suffix.
    """
    def _get(key, default):
        return getConfig(key, default, options.configfile)

    # zone applied to timestamps that carry no zone information
    options.defaultTimeZone = _get('defaulttimezone', 'US/Pacific')

    # elastic search servers
    options.esservers = _get('esservers', 'http://localhost:9200').split(',')

    # memory watermark, percent
    options.jvmlimit = _get('jvmlimit', 90)

    # be conservative about which indices get their cache cleared?
    options.conservative = _get('conservative', True)
    def __init__(self):
        '''
        this plugin takes a source hostname of form
        host.private.site.mozilla.com
        extracts the site, adds it and compares the site
        to a list of known datacenters or offices and adds that metadata

        Registers for 'network' and 'netflow' messages at priority 5 and
        loads the datacenter/office code lists from mozilla_location.conf
        next to this module. NOTE(review): with the '' default an unset
        key gives [''] (one empty entry), not an empty list.
        '''
        self.registration = ['network', 'netflow']
        self.priority = 5

        here = os.path.dirname(os.path.abspath(__file__))
        config_location = os.path.join(here, "mozilla_location.conf")
        self.dc_code_list = getConfig('dc_code_list', '', config_location).split(',')
        self.offices_code_list = getConfig('offices_code_list', '', config_location).split(',')
def initConfig():
    """Load aws and mozdef settings into ``options``.

    ``accesskey``/``secretkey`` are the aws credentials (default ``''``) and
    are read from the config file, which therefore needs restrictive
    permissions. ``taskexchange`` is split on commas into a list.
    """
    cfg = options.configfile

    # aws options
    options.accesskey = getConfig('accesskey', '', cfg)
    options.secretkey = getConfig('secretkey', '', cfg)
    options.region = getConfig('region', 'us-west-1', cfg)
    options.taskexchange = getConfig('taskexchange', 'nsmglobalssqslists', cfg).split(',')
    options.output = getConfig('output', 'stdout', cfg)

    # mozdef options
    options.sysloghostname = getConfig('sysloghostname', 'localhost', cfg)
    options.syslogport = getConfig('syslogport', 514, cfg)
    options.esservers = getConfig('esservers', 'http://localhost:9200', cfg).split(',')
    options.index = getConfig('index', 'mozdefstate', cfg)
    options.account = getConfig('account', '', cfg)
def initConfig():
    """Load elastic search and cache-clearing settings into ``options``.

    ``esservers`` entries are passed through ``'{0}'.format`` so each is a
    str. ``jvmlimit`` is the memory watermark in percent (default 90);
    ``conservative`` limits cache clearing to the first index found with no
    searches and cached field data (when false, clearing continues for any
    index not matching the date suffix); ``checkjvmmemory`` decides whether
    jvm memory is checked first or the cache is just cleared.
    """
    cfg = options.configfile

    # elastic search servers
    raw_servers = getConfig('esservers', 'http://localhost:9200', cfg).split(',')
    options.esservers = ['{0}'.format(server) for server in raw_servers]

    # memory watermark, percent
    options.jvmlimit = getConfig('jvmlimit', 90, cfg)

    # be conservative about which indices get their cache cleared?
    options.conservative = getConfig('conservative', True, cfg)

    # check jvm memory first, or just clear the cache?
    options.checkjvmmemory = getConfig('checkjvmmemory', True, cfg)
def initConfig():
    """Load log, timezone, aws (cloudtrail) and elastic search settings into ``options``.

    The aws key pair is read from the config file (defaults ``''``), so the
    file must be protected. ``lastrun`` defaults to one hour before now,
    normalised through ``toUTC``; ``purge`` defaults to False.
    """
    def _get(key, default):
        return getConfig(key, default, options.configfile)

    options.output = _get('output', 'stdout')                   # stdout or syslog
    options.sysloghostname = _get('sysloghostname', 'localhost')  # syslog hostname
    options.syslogport = _get('syslogport', 514)                # syslog port
    options.defaultTimeZone = _get('defaulttimezone', 'US/Pacific')
    # aws credentials used to connect to cloudtrail
    options.aws_access_key_id = _get('aws_access_key_id', '')
    options.aws_secret_access_key = _get('aws_secret_access_key', '')
    options.esservers = _get('esservers', 'http://localhost:9200').split(',')
    one_hour_ago = toUTC(datetime.now() - timedelta(hours=1))
    options.lastrun = toUTC(_get('lastrun', one_hour_ago))
    options.purge = _get('purge', False)
def initConfig():
    """Load log, aws bucket and ip-list settings into ``options``.

    The aws key pair, bucket and document key are read from the config file
    (defaults ``''``). ``manual_additions`` is split on commas; with the
    ``''`` default that yields ``['']``, not an empty list.
    """
    cfg = options.configfile

    # log to stdout or syslog
    options.output = getConfig('output', 'stdout', cfg)
    options.sysloghostname = getConfig('sysloghostname', 'localhost', cfg)
    options.syslogport = getConfig('syslogport', 514, cfg)

    # aws credentials and the s3 object the ip list is stored under
    for key in ('aws_access_key_id', 'aws_secret_access_key',
                'aws_bucket_name', 'aws_document_key_name'):
        setattr(options, key, getConfig(key, '', cfg))

    options.local_ip_list_path = getConfig('local_ip_list_path', '', cfg)
    options.ips_list_threshold = getConfig('ips_list_threshold', 20, cfg)
    options.manual_additions = getConfig('manual_additions', '', cfg).split(',')
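    def initConfiguration(self):
        """Populate ``self.options`` for this plugin from ``self.configfile``.

        An empty ``OptionParser`` run supplies the Values object the settings
        are attached to. ``docs`` is stored as JSON text in the config and
        decoded here; when it is absent or malformed the plugin falls back to
        an empty dict rather than aborting startup.

        Raises:
            Nothing for bad ``docs`` input: ``TypeError`` (the non-string
            ``{}`` default, presumably returned by ``getConfig`` when the key
            is missing) and ``ValueError``/``JSONDecodeError`` (malformed
            JSON) are handled. The former bare ``except:`` also swallowed
            ``KeyboardInterrupt`` and ``SystemExit``; this version does not.
        """
        parser = OptionParser()
        # parse_args([]) with no options registered yields an empty Values
        self.options, _ = parser.parse_args([])

        # plugin-specific settings; the defaults are placeholders that a real
        # deployment is expected to override in the config file
        self.options.serviceKey = getConfig('serviceKey', 'APIKEYHERE', self.configfile)
        self.options.keywords = getConfig('keywords', 'KEYWORDS', self.configfile)
        self.options.clienturl = getConfig('clienturl', 'CLIENTURL', self.configfile)

        raw_docs = getConfig('docs', {}, self.configfile)
        try:
            self.options.docs = json.loads(raw_docs)
        except (TypeError, ValueError):
            self.options.docs = {}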
def initConfig():
    """Load log, timezone, MIG, gpg and elastic search settings into ``options``.

    ``gpghome`` is the keyring directory and ``keyid`` the signing key
    fingerprint; both defaults are placeholders that a deployment must
    replace. ``lastrun`` defaults to 15 minutes before now, normalised via
    ``toUTC``.
    """
    def _get(key, default):
        return getConfig(key, default, options.configfile)

    options.output = _get('output', 'stdout')                   # stdout or syslog
    options.sysloghostname = _get('sysloghostname', 'localhost')  # syslog hostname
    options.syslogport = _get('syslogport', 514)                # syslog port
    options.defaultTimeZone = _get('defaulttimezone', 'US/Pacific')
    # Z = UTC, -07:00 = PDT
    options.mighost = _get('mighost', 'https://localhost')
    options.gpghome = _get('gpghome', '/home/someuser/.gnupg')
    options.keyid = _get('keyid', 'E60892BB9BD89A69F759A1A0A3D652173B763E8F')
    options.esservers = _get('esservers', 'http://localhost:9200').split(',')
    fallback_lastrun = toUTC(datetime.now() - timedelta(minutes=15))
    options.lastrun = toUTC(_get('lastrun', fallback_lastrun))
def initConfig():
    """Load log, timezone, okta and elastic search settings into ``options``.

    ``apikey`` is the okta api key (default ``""``), read from the config
    file, which therefore needs restrictive permissions. ``lastrun``
    defaults to one hour before now, normalised via ``toUTC``;
    ``recordlimit`` caps the records requested per run.
    """
    cfg = options.configfile
    # log to stdout or syslog, plus syslog hostname / port
    options.output = getConfig("output", "stdout", cfg)
    options.sysloghostname = getConfig("sysloghostname", "localhost", cfg)
    options.syslogport = getConfig("syslogport", 514, cfg)
    # zone applied to timestamps that carry no zone information
    options.defaultTimeZone = getConfig("defaulttimezone", "US/Pacific", cfg)
    # okta api key and domain (something.okta.com)
    options.apikey = getConfig("apikey", "", cfg)
    options.oktadomain = getConfig("oktadomain", "yourdomain.okta.com", cfg)
    options.esservers = getConfig("esservers", "http://localhost:9200", cfg).split(",")
    one_hour_ago = toUTC(datetime.now() - timedelta(hours=1))
    options.lastrun = toUTC(getConfig("lastrun", one_hour_ago, cfg))
    # max number of records to request
    options.recordlimit = getConfig("recordlimit", 10000, cfg)
def initConfig():
    """Load log, timezone, elastic search and aggregation settings into ``options``.

    ``aggregationfield`` is the field to aggregate on (category, _type, ...),
    ``aggregationminutes`` how far back to look. ``aggregations`` and
    ``aggregationthresholds`` are comma-separated lists customising the
    std deviation/mean at which an alert fires; with their ``''`` defaults
    each becomes ``['']``. ``defaultthreshold`` applies to aggregations not
    listed.
    """
    def _get(key, default):
        return getConfig(key, default, options.configfile)

    # log to stdout or syslog
    options.output = _get('output', 'stdout')
    # syslog hostname / port
    options.sysloghostname = _get('sysloghostname', 'localhost')
    options.syslogport = _get('syslogport', 514)

    # zone applied to timestamps that carry no zone information
    options.defaulttimezone = _get('defaulttimezone', 'UTC')

    # elastic search server settings
    options.esservers = _get('esservers', 'http://localhost:9200').split(',')

    # field to use as the aggregation point (category, _type, etc)
    options.aggregationfield = _get('aggregationfield', 'category')

    # default time period in minutes to look back for the aggregation
    options.aggregationminutes = _get('aggregationminutes', 15)

    # per-aggregation alert thresholds (customise std deviation/mean)
    options.aggregations = _get('aggregations', '').split(',')
    options.aggregationthresholds = _get('aggregationthresholds', '').split(',')

    # threshold used when an aggregation is not in the list above
    options.defaultthreshold = _get('defaultthreshold', 90)
def initConfig():
    """Load the sample-event generator's settings into ``options``.

    ``url`` is the events endpoint, the three globs locate sample JSON
    files. ``alertscount``/``attackerscount`` say how many to create and
    the ``*minutesinterval`` values how long to wait between batches;
    ``lastalert``/``lastattacker`` default to one hour ago (naive
    ``datetime``, not passed through any UTC conversion here).
    Note ``attackerscount`` is read from the config key ``'attackers'``,
    not ``'attackerscount'``.
    """
    cfg = options.configfile
    options.url = getConfig('url', 'http://localhost:8080/events/', cfg)
    options.eventsglob = getConfig('eventsglob', './sampleevents/events*json', cfg)
    options.alertsglob = getConfig('alertsglob', './sampleevents/alert*json', cfg)
    options.attackersglob = getConfig('attackersglob', './sampleevents/attacker*json', cfg)

    one_hour_ago = datetime.now() - timedelta(hours=1)

    # alerts: how many to create and the wait (minutes) between batches
    options.alertscount = getConfig('alertscount', 2, cfg)
    options.alertsminutesinterval = getConfig('alertsminutesinterval', 5, cfg)
    options.lastalert = getConfig('lastalert', one_hour_ago, cfg)

    # attackers: how many to create and the wait (minutes) between batches
    options.attackerscount = getConfig('attackers', 1, cfg)
    options.attackersminutesinterval = getConfig('attackersminutesinterval', 5, cfg)
    options.lastattacker = getConfig('lastattacker', one_hour_ago, cfg)
def initConfig():
    """Load elastic search servers and index template settings into ``options``.

    ``templatenames`` and ``templatefiles`` are comma-separated lists and
    appear to be positional (name *i* <-> file *i*); ``templatefiles``
    defaults to ``''`` and so becomes ``['']`` when unset.
    """
    def _csv(key, default):
        return getConfig(key, default, options.configfile).split(',')

    options.esservers = _csv('esservers', 'http://localhost:9200')
    options.templatenames = _csv('templatenames', 'defaulttemplate')
    options.templatefiles = _csv('templatefiles', '')
 def parse_config(self, config_filename, config_keys):
     """Load each key in ``config_keys`` from ``config_filename`` onto ``self.config``.

     A fresh ``optparse`` Values object (from an empty parser run) holds the
     settings. Every key is read with an empty-string default, so a missing
     key yields ``""`` rather than an error.
     """
     parser = OptionParser()
     # cleared first so a stale object never survives the reparse
     self.config = None
     self.config, _ = parser.parse_args([])
     for key in config_keys:
         setattr(self.config, key, getConfig(key, "", config_filename))
    def initConfiguration(self):
        """Populate ``self.options`` for the threat exchange plugin from ``self.configfile``.

        An empty ``OptionParser`` run supplies the Values object. ``appid``
        and ``appsecret`` (defaults ``''``) are the threat exchange
        credentials and come from the config file, which therefore needs
        restrictive permissions.
        """
        parser = OptionParser()
        # parse_args([]) with no options registered yields an empty Values
        self.options, _ = parser.parse_args([])

        # zone applied to timestamps that carry no zone information
        self.options.defaultTimeZone = getConfig('defaulttimezone', 'US/Pacific', self.configfile)

        # threat exchange credentials
        for key in ('appid', 'appsecret'):
            setattr(self.options, key, getConfig(key, '', self.configfile))
def initConfig():
    """Load timezone, message queue, elastic search and plugin settings into ``options``.

    ``taskexchange``/``eventexchange`` name the broker exchanges, ``prefetch``
    the number of messages asked for at once. The ``guest``/``guest``
    defaults match the broker's stock account and should be overridden in
    the config file. ``plugincheckfrequency`` is the interval in seconds
    between checks for new/updated plugins.
    """
    cfg = options.configfile

    # zone applied to timestamps that carry no zone information
    options.defaultTimeZone = getConfig('defaulttimezone', 'US/Pacific', cfg)
    options.mqserver = getConfig('mqserver', 'localhost', cfg)
    options.taskexchange = getConfig('taskexchange', 'eventtask', cfg)
    options.eventexchange = getConfig('eventexchange', 'events', cfg)
    options.esservers = getConfig('esservers', 'http://localhost:9200', cfg).split(',')
    # how many messages to ask for at once
    options.prefetch = getConfig('prefetch', 50, cfg)
    options.mquser = getConfig('mquser', 'guest', cfg)
    options.mqpassword = getConfig('mqpassword', 'guest', cfg)
    options.mqport = getConfig('mqport', 5672, cfg)

    # plugin options: seconds to pass before checking for new/updated plugins
    options.plugincheckfrequency = getConfig('plugincheckfrequency', 120, cfg)
def initConfig():
    """Load log, okta, elastic search and state-file settings into ``options``.

    ``apikey`` is the okta api key (default ``''``) read from the config
    file. ``state_file`` defaults to the script's own name (``sys.argv[0]``)
    with ``.json`` appended; ``recordlimit`` caps the records requested.
    """
    def _get(key, default):
        return getConfig(key, default, options.configfile)

    options.output = _get('output', 'stdout')                   # stdout or syslog
    options.sysloghostname = _get('sysloghostname', 'localhost')  # syslog hostname
    options.syslogport = _get('syslogport', 514)                # syslog port
    options.apikey = _get('apikey', '')                         # okta api key
    options.oktadomain = _get('oktadomain', 'yourdomain.okta.com')  # something.okta.com
    options.esservers = _get('esservers', 'http://localhost:9200').split(',')
    default_state_file = '{0}.json'.format(sys.argv[0])
    options.state_file = _get('state_file', default_state_file)
    options.recordlimit = _get('recordlimit', 10000)            # max records to request
 def initConfiguration(self):
     """Populate ``self.options`` for this plugin from ``self.configfile``.

     An empty ``OptionParser`` run supplies the Values object. The only
     plugin-specific setting is ``serviceKey``; its ``'APIKEYHERE'`` default
     is a placeholder a deployment must override in the config file.
     """
     parser = OptionParser()
     # parse_args([]) with no options registered yields an empty Values
     self.options, _ = parser.parse_args([])

     # service api key, read from the config file
     self.options.serviceKey = getConfig('serviceKey', 'APIKEYHERE', self.configfile)
def initConfig():
    """Load log, elastic search and mongo settings into ``options``."""
    def _get(key, default):
        return getConfig(key, default, options.configfile)

    # log to stdout or syslog
    options.output = _get('output', 'stdout')
    # syslog hostname / port
    options.sysloghostname = _get('sysloghostname', 'localhost')
    options.syslogport = _get('syslogport', 514)

    # elastic search server settings
    options.esservers = _get('esservers', 'http://localhost:9200').split(',')
    # mongo connectivity
    options.mongohost = _get('mongohost', 'localhost')
    options.mongoport = _get('mongoport', 3001)
def initConfig():
    """Load timezone, elastic search, kibana, CIF and mongo settings into ``options``.

    ``cifapikey`` (default ``''``) is the CIF service key and is read from
    the config file, which therefore needs restrictive permissions.
    """
    cfg = options.configfile

    # zone applied to timestamps that carry no zone information
    options.defaultTimeZone = getConfig('defaulttimezone', 'US/Pacific', cfg)
    options.esservers = getConfig('esservers', 'http://localhost:9200', cfg).split(',')
    options.kibanaurl = getConfig('kibanaurl', 'http://localhost:9090', cfg)

    # options for your CIF service
    options.cifapikey = getConfig('cifapikey', '', cfg)
    options.cifhosturl = getConfig('cifhosturl', 'http://localhost/', cfg)

    # mongo connectivity options
    options.mongohost = getConfig('mongohost', 'localhost', cfg)
    options.mongoport = getConfig('mongoport', 3001, cfg)
def initConfig():
    """Load log, elastic search, aggregation and index settings into ``options``.

    ``aggregationfield`` is the field to aggregate on (category, _type, ...),
    ``aggregationminutes`` how far back to look, and ``index`` the index
    events are saved to.
    """
    def _get(key, default):
        return getConfig(key, default, options.configfile)

    # log to stdout or syslog
    options.output = _get('output', 'stdout')
    # syslog hostname / port
    options.sysloghostname = _get('sysloghostname', 'localhost')
    options.syslogport = _get('syslogport', 514)

    # elastic search server settings
    options.esservers = _get('esservers', 'http://localhost:9200').split(',')

    # field to use as the aggregation point (category, _type, etc)
    options.aggregationfield = _get('aggregationfield', 'category')

    # default time period in minutes to look back for the aggregation
    options.aggregationminutes = _get('aggregationminutes', 15)
    # index to save events to
    options.index = _get('index', 'mozdefstate')
    def initConfiguration(self):
        """Populate ``self.options`` for this alert plugin from ``self.configfile``.

        Reads the mongo connection, the FQDN whitelist file and the optional
        statuspage.io settings. ``statuspage_url`` is derived from
        ``statuspage_page_id`` rather than read from the config; with the
        empty default it becomes ``.../pages//incidents.json``. The
        statuspage api key comes from the config file, which therefore needs
        restrictive permissions.
        """
        parser = OptionParser()
        # parse_args([]) with no options registered yields an empty Values
        self.options, _ = parser.parse_args([])

        # plugin-specific options: mongo connectivity
        self.options.mongohost = getConfig('mongohost', 'localhost', self.configfile)
        self.options.mongoport = getConfig('mongoport', 3001, self.configfile)

        # FQDN whitelist as a comma separated list of example.com or foo.bar.com style names
        self.options.fqdn_whitelist_file = getConfig('fqdn_whitelist_file', '/dev/null', self.configfile)

        # optional statuspage.io integration
        for key in ('statuspage_api_key', 'statuspage_page_id',
                    'statuspage_component_id', 'statuspage_sub_component_id'):
            setattr(self.options, key, getConfig(key, '', self.configfile))
        # incidents endpoint for the configured page
        self.options.statuspage_url = 'https://api.statuspage.io/v1/pages/{0}/incidents.json'.format(
            self.options.statuspage_page_id)
def initConfig():
    """Load this script's settings from options.configfile, using defaults when absent.

    Defaults target a local Elasticsearch over plain http://localhost:9200 and
    a local syslog receiver; override both in the .conf for any non-local
    deployment. The OUI file is consumed for MAC-prefix resolution, so obtain
    it from a trusted source — prefer an HTTPS fetch over the plain-HTTP URL
    quoted below, which is only a hint of where the file originates.
    """
    conf = options.configfile

    def read(key, default):
        return getConfig(key, default, conf)

    # log destination: 'stdout' or syslog, plus the syslog target
    options.output = read('output', 'stdout')
    options.sysloghostname = read('sysloghostname', 'localhost')
    options.syslogport = read('syslogport', 514)

    # comma separated list of elasticsearch base URLs
    options.esservers = read('esservers', 'http://localhost:9200').split(',')

    # minutes to look back in time for the aggregation
    options.correlationminutes = read('correlationminutes', 150)

    # IEEE OUI registry used to resolve MAC prefixes, e.g.
    #   wget http://www.ieee.org/netstorage/standards/oui.txt
    options.ouifilename = read('ouifilename', 'oui.txt')
 def test_failing_syslog_var(self):
     """getConfig returns the supplied default (514) for 'syslogport'.

     The fixture name suggests self.config_path carries a syslogport value
     that getConfig cannot use; the exact fixture is not visible here.
     """
     from configlib import getConfig
     port = getConfig('syslogport', 514, self.config_path)
     assert port == 514
def logg(msg):
    """Print *msg* under the 'RODO LOGGER | ' prefix and return the printed text.

    When the 'decorate' flag from getConfig() is truthy the message is first
    passed through decorate(); the (possibly decorated) text is returned so
    callers can reuse it. The config is re-read on every call.
    """
    text = decorate(msg) if getConfig()["decorate"] else msg
    print("RODO LOGGER | " + text)
    return text
def initConfig():
    """Load settings from options.configfile, then probe the IP-blocking service.

    The banhammer DB password and the CIF API key are read from the .conf
    file; treat that file as a secret store (restrict its permissions).
    Defaults are all local/plain-http endpoints and must be overridden for
    real deployments. checkBlockIPService() runs at startup so a broken
    blocking backend surfaces immediately rather than on the first request.
    """
    conf = options.configfile

    def read(key, default):
        return getConfig(key, default, conf)

    # zone applied to timestamps that carry none
    options.defaultTimeZone = read('defaulttimezone', 'US/Pacific')
    options.esservers = read('esservers', 'http://localhost:9200').split(',')
    options.kibanaurl = read('kibanaurl', 'http://localhost:9090')

    # custom/internal IP blocking service (Mozilla's is "banhammer",
    # which uses an intermediary MySQL DB); credentials come from the .conf
    options.enableBlockIP = read('enableBlockIP', False)
    options.banhammerdbhost = read('banhammerdbhost', 'localhost')
    options.banhammerdbuser = read('banhammerdbuser', 'auser')
    options.banhammerdbpasswd = read('banhammerdbpasswd', '')
    options.banhammerdbdb = read('banhammerdbdb', 'banhammer')

    # CIF service
    options.cifapikey = read('cifapikey', '')
    options.cifhosturl = read('cifhosturl', 'http://localhost/')

    # mongo connectivity
    options.mongohost = read('mongohost', 'localhost')
    options.mongoport = read('mongoport', 3001)

    # check the block-IP service now rather than waiting for a client request
    checkBlockIPService()
def initConfig():
    """Read this SQS/rabbit consumer's settings from options.configfile.

    esbulksize > 0 enables bulk posting to Elasticsearch; esbulktimeout is
    the number of seconds after which a partial bulk is posted anyway.
    accesskey/secretkey are AWS credentials sourced from the .conf file —
    keep that file readable only by the service account.
    """
    conf = options.configfile
    # (attribute, config key, default) in the order they are read
    plain_settings = (
        ('mozdefhostname', 'mozdefhostname', socket.gethostname()),
    )
    for attr, key, default in plain_settings:
        setattr(options, attr, getConfig(key, default, conf))

    # elasticsearch: comma separated server list plus bulk-posting knobs
    options.esservers = getConfig('esservers', 'http://localhost:9200', conf).split(',')
    for attr, key, default in (
            ('esbulksize', 'esbulksize', 0),
            ('esbulktimeout', 'esbulktimeout', 30),
            # 'sqs' selects Amazon SQS as the message queue
            ('mqprotocol', 'mqprotocol', 'sqs'),
            # rabbit exchange and per-fetch message count
            ('taskexchange', 'taskexchange', 'eventtask'),
            ('prefetch', 'prefetch', 10),
            # aws credentials/region
            ('accesskey', 'accesskey', ''),
            ('secretkey', 'secretkey', ''),
            ('region', 'region', ''),
            # seconds to sleep between polls
            ('sleep_time', 'sleep_time', 0.1)):
        setattr(options, attr, getConfig(key, default, conf))
def initConfig():
    """Load the index backup/rotation settings from options.configfile.

    backup_indices, backup_dobackup, backup_rotation and backup_pruning are
    parallel comma separated lists (one entry per index); nothing here
    checks that their lengths agree. The default mapping template lives
    next to this file. Index settings (refresh interval, shards, replicas,
    slowlog thresholds, field limit) are kept as strings.
    """
    conf = options.configfile

    def read(key, default):
        return getConfig(key, default, conf)

    def read_list(key, default):
        return read(key, default).split(',')

    # logging destination
    options.output = read('output', 'stdout')
    options.sysloghostname = read('sysloghostname', 'localhost')
    options.syslogport = read('syslogport', 514)

    # elasticsearch servers and per-index backup policy
    options.esservers = read_list('esservers', 'http://localhost:9200')
    options.indices = read_list('backup_indices', 'events,alerts,.kibana')
    options.dobackup = read_list('backup_dobackup', '1,1,1')
    options.rotation = read_list('backup_rotation', 'daily,monthly,none')
    options.pruning = read_list('backup_pruning', '20,0,0')
    options.weekly_rotation_indices = read_list('weekly_rotation_indices', 'events')

    # mapping template shipped alongside this module
    here = os.path.dirname(os.path.abspath(__file__))
    options.default_mapping_file = read(
        'default_mapping_file', os.path.join(here, 'defaultMappingTemplate.json'))

    # index settings
    options.refresh_interval = read('refresh_interval', '1s')
    options.number_of_shards = read('number_of_shards', '1')
    options.number_of_replicas = read('number_of_replicas', '1')
    options.slowlog_threshold_query_warn = read('slowlog_threshold_query_warn', '5s')
    options.slowlog_threshold_fetch_warn = read('slowlog_threshold_fetch_warn', '5s')
    options.mapping_total_fields_limit = read('mapping_total_fields_limit', '1000')
def initConfig():
    """Load the FQDN blocklist exporter's settings from options.configfile.

    The whitelist file (one FQDN per line) is parsed immediately via
    parse_fqdn_whitelist; the '/dev/null' default yields an empty file.
    AWS credentials for the blocklist bucket are read from the .conf file —
    restrict its permissions, and leave them empty if unused.
    """
    conf = options.configfile

    def read(key, default):
        return getConfig(key, default, conf)

    # logging destination
    options.output = read('output', 'stdout')
    options.sysloghostname = read('sysloghostname', 'localhost')
    options.syslogport = read('syslogport', 514)

    # mongo instance
    options.mongohost = read('mongohost', 'localhost')
    options.mongoport = read('mongoport', 3001)

    # FQDN whitelist: newline separated example.com / foo.bar.com style names
    options.fqdn_whitelist_file = read('fqdn_whitelist_file', '/dev/null')
    options.fqdnwhitelist = parse_fqdn_whitelist(options.fqdn_whitelist_file)

    # output file name
    options.outputfile = read('outputfile', 'fqdnblocklist.txt')

    # days past expiration before a blocklist entry is purged (expired
    # entries are already excluded from the export)
    options.expireage = read('expireage', 1)

    # maximum number of FQDNs to emit
    options.fqdnlimit = read('fqdnlimit', 1000)

    # AWS credentials/bucket for publishing the blocklist (mozilla_infosec_blocklist)
    options.aws_access_key_id = read('aws_access_key_id', '')
    options.aws_secret_access_key = read('aws_secret_access_key', '')
    options.aws_bucket_name = read('aws_bucket_name', '')
    options.aws_document_key_name = read('aws_document_key_name', '')
def initConfig():
    """Read this cloudtrail consumer's settings from options.configfile.

    esbulksize > 0 enables bulk posting; esbulktimeout is the max seconds a
    partial bulk waits. mqprotocol defaults to 'sqs'. mquser/mqpassword
    default to RabbitMQ's out-of-the-box 'guest'/'guest' — override them in
    the .conf for any broker that is not on localhost. AWS keys are
    credentials; keep the .conf file's permissions tight.
    """
    conf = options.configfile

    def read(key, default):
        return getConfig(key, default, conf)

    options.mozdefhostname = read('mozdefhostname', socket.gethostname())

    # logging destination
    options.output = read('output', 'stdout')
    options.sysloghostname = read('sysloghostname', 'localhost')
    options.syslogport = read('syslogport', 514)

    # elasticsearch
    options.esservers = read('esservers', 'http://localhost:9200').split(',')
    options.esbulksize = read('esbulksize', 0)
    options.esbulktimeout = read('esbulktimeout', 30)

    # 'sqs' selects Amazon SQS
    options.mqprotocol = read('mqprotocol', 'sqs')

    # rabbit: server, exchanges, prefetch, credentials, port/vhost
    options.mqserver = read('mqserver', 'localhost')
    options.taskexchange = read('taskexchange', 'eventtask')
    options.eventexchange = read('eventexchange', 'events')
    options.prefetch = read('prefetch', 10)
    options.mquser = read('mquser', 'guest')
    options.mqpassword = read('mqpassword', 'guest')
    options.mqport = read('mqport', 5672)
    options.mqvhost = read('mqvhost', '/')

    # aws credentials/region
    options.accesskey = read('accesskey', '')
    options.secretkey = read('secretkey', '')
    options.region = read('region', '')

    # full ARN under which the cloudtrail s3 bucket lives
    options.cloudtrail_arn = read('cloudtrail_arn', 'cloudtrail_arn')
# Wait for Elasticsearch to answer, retrying on connection errors only;
# any other exception from get_indices() propagates.
all_indices = []
total_num_tries = 15
for attempt in range(total_num_tries):
    try:
        all_indices = client.get_indices()
    except ConnectionError:
        print('Unable to connect to Elasticsearch...retrying')
        sleep(5)
    else:
        break
else:
    # for/else: every attempt failed without a break
    print('Cannot connect to Elasticsearch after ' + str(
        total_num_tries) + ' tries, exiting script.')
    exit(1)

# Index settings from the backup .conf file (kept as strings).
backup_conf = args.backup_conf_file
refresh_interval = getConfig('refresh_interval', '1s', backup_conf)
number_of_shards = getConfig('number_of_shards', '1', backup_conf)
number_of_replicas = getConfig('number_of_replicas', '1', backup_conf)
slowlog_threshold_query_warn = getConfig('slowlog_threshold_query_warn', '5s', backup_conf)
slowlog_threshold_fetch_warn = getConfig('slowlog_threshold_fetch_warn', '5s', backup_conf)
mapping_total_fields_limit = getConfig('mapping_total_fields_limit', '1000', backup_conf)

index_settings['settings'] = {
    "index": {
        "refresh_interval": refresh_interval,
        "number_of_shards": number_of_shards,
        "number_of_replicas": number_of_replicas,
def initConfig():
    """Read this AMQP consumer's settings from options.configfile.

    esbulksize > 0 enables bulk posting; esbulktimeout is the max seconds a
    partial bulk waits. mqprotocol is 'amqp' or 'amqps' (TLS) — use 'amqps'
    for any broker reached over a network. mquser/mqpassword default to the
    RabbitMQ stock 'guest'/'guest' and should be overridden. mqack=True
    enables acking and persistent delivery; False means transient.
    plugincheckfrequency is recorded but periodic plugin reloads are
    disabled (they appeared to leak memory).
    """
    conf = options.configfile
    # (attribute, config key, default), read in this order
    settings = (
        ('mozdefhostname', 'mozdefhostname', socket.gethostname()),
    )
    for attr, key, default in settings:
        setattr(options, attr, getConfig(key, default, conf))

    # elasticsearch
    options.esservers = getConfig('esservers', 'http://localhost:9200', conf).split(',')
    for attr, key, default in (
            ('esbulksize', 'esbulksize', 0),
            ('esbulktimeout', 'esbulktimeout', 30),
            # message queue server, exchanges, prefetch, credentials, port/vhost
            ('mqserver', 'mqserver', 'localhost'),
            ('taskexchange', 'taskexchange', 'eventtask'),
            ('eventexchange', 'eventexchange', 'events'),
            ('prefetch', 'prefetch', 50),
            ('mquser', 'mquser', 'guest'),
            ('mqpassword', 'mqpassword', 'guest'),
            ('mqport', 'mqport', 5672),
            ('mqvhost', 'mqvhost', '/'),
            ('mqprotocol', 'mqprotocol', 'amqp'),
            ('mqack', 'mqack', True),
            # seconds between checks for new/updated plugins
            ('plugincheckfrequency', 'plugincheckfrequency', 120)):
        setattr(options, attr, getConfig(key, default, conf))
def initConfig():
    """Load the IRC alert bot's settings from options.configfile.

    IRC password and channelkeys (a JSON object of channel -> key) are
    secrets read from the .conf file; protect that file. channelkeys must be
    valid JSON or json.loads raises ValueError. When alertircchannel is left
    empty the first channel in 'join' is used. mqpassword defaults to the
    RabbitMQ stock 'guest' and should be overridden for non-local brokers.
    """
    conf = options.configfile

    def read(key, default):
        return getConfig(key, default, conf)

    # irc connection
    options.host = read('host', 'irc.somewhere.com')
    options.nick = read('nick', 'mozdefnick')
    options.port = read('port', 6697)
    options.username = read('username', 'username')
    options.realname = read('realname', 'realname')
    options.password = read('password', '')
    options.join = read('join', '#mzdf')
    options.alertircchannel = read('alertircchannel', '')
    options.channelkeys = json.loads(read('channelkeys', '{"#somechannel": "somekey"}'))

    # message queue: server, exchange, queue name, topic
    options.mqalertserver = read('mqalertserver', 'localhost')
    options.alertExchange = read('alertexchange', 'alerts')
    options.queueName = read('alertqueuename', 'alertBot')
    options.alerttopic = read('alerttopic', 'mozdef.*')

    # message queue: prefetch, credentials, port, delivery mode
    options.prefetch = read('prefetch', 50)
    options.mquser = read('mquser', 'guest')
    options.mqpassword = read('mqpassword', 'guest')
    options.mqport = read('mqport', 5672)
    options.mqack = read('mqack', True)

    # default alert channel: first of the joined channels
    if options.alertircchannel == '':
        options.alertircchannel = options.join.split(",")[0]
def initConfig():
    """Read this SQS consumer's settings from options.configfile.

    esbulksize > 0 enables bulk posting; esbulktimeout is the max seconds a
    partial bulk waits. accesskey/secretkey are AWS credentials read from the
    .conf file — restrict its permissions. Periodic plugin reloads are
    disabled (suspected memory leak) though plugincheckfrequency is still set.
    """
    conf = options.configfile

    def read(key, default):
        return getConfig(key, default, conf)

    options.mozdefhostname = read('mozdefhostname', socket.gethostname())

    # elasticsearch
    options.esservers = read('esservers', 'http://localhost:9200').split(',')
    options.esbulksize = read('esbulksize', 0)
    options.esbulktimeout = read('esbulktimeout', 30)

    # 'sqs' selects Amazon SQS
    options.mqprotocol = read('mqprotocol', 'sqs')

    # rabbit exchange and per-fetch message count
    options.taskexchange = read('taskexchange', 'eventtask')
    options.prefetch = read('prefetch', 10)

    # aws credentials/region
    options.accesskey = read('accesskey', '')
    options.secretkey = read('secretkey', '')
    options.region = read('region', 'us-west-1')

    # seconds between checks for new/updated plugins
    options.plugincheckfrequency = read('plugincheckfrequency', 120)
def initConfig():
    """Load the IP blocklist exporter's settings from options.configfile.

    The CIDR whitelist file (one 8.8.8.0/24 style mask per line) is parsed
    immediately by parse_network_whitelist; the default is '' (behaviour of
    parse_network_whitelist('') is defined by that helper). AWS credentials
    for the blocklist bucket are read from the .conf file — restrict its
    permissions and leave them empty if unused.
    """
    conf = options.configfile

    def read(key, default):
        return getConfig(key, default, conf)

    # logging destination
    options.output = read('output', 'stdout')
    options.sysloghostname = read('sysloghostname', 'localhost')
    options.syslogport = read('syslogport', 514)

    # mongo instance
    options.mongohost = read('mongohost', 'localhost')
    options.mongoport = read('mongoport', 3001)

    # CIDR whitelist (note the config key differs from the attribute name)
    options.network_list_file = read('network_whitelist_file', '')
    options.ipwhitelist = parse_network_whitelist(options.network_list_file)

    # output file name
    options.outputfile = read('outputfile', 'ipblocklist.txt')

    # attacker category to export
    options.category = read('category', 'bruteforcer')

    # max days to look back for attackers
    options.attackerage = read('attackerage', 90)

    # days past expiration before a blocklist entry is purged (expired
    # entries are already excluded from the export)
    options.expireage = read('expireage', 1)

    # maximum number of IPs to emit
    options.iplimit = read('iplimit', 1000)

    # AWS credentials/bucket for publishing the blocklist (mozilla_infosec_blocklist)
    options.aws_access_key_id = read('aws_access_key_id', '')
    options.aws_secret_access_key = read('aws_secret_access_key', '')
    options.aws_bucket_name = read('aws_bucket_name', '')
    options.aws_document_key_name = read('aws_document_key_name', '')
 def test_current_behavior(self):
     """A configured 'mongohost' overrides the default passed to getConfig.

     self.config_path is expected to define mongohost=mongodb.
     """
     from configlib import getConfig
     host = getConfig('mongohost', 'defaultvalue', self.config_path)
     assert host == 'mongodb'
def initConfig():
    """Load the S3 index backup settings from options.configfile.

    backup_indices/backup_dobackup/backup_rotation/backup_pruning are
    parallel comma separated lists, one entry per index; their lengths are
    not validated here. The AWS keys used to upload to S3 are read from the
    .conf file — restrict its permissions.
    """
    conf = options.configfile

    def read(key, default):
        return getConfig(key, default, conf)

    def read_list(key, default):
        return read(key, default).split(',')

    # logging destination
    options.output = read('output', 'stdout')
    options.sysloghostname = read('sysloghostname', 'localhost')
    options.syslogport = read('syslogport', 514)

    # elasticsearch servers and per-index backup policy
    options.esservers = read_list('esservers', 'http://localhost:9200')
    options.indices = read_list('backup_indices', 'events,alerts,.kibana')
    options.dobackup = read_list('backup_dobackup', '1,1,1')
    options.rotation = read_list('backup_rotation', 'daily,monthly,none')
    options.pruning = read_list('backup_pruning', '20,0,0')

    # aws credentials used to send files to s3
    options.aws_access_key_id = read('aws_access_key_id', '')
    options.aws_secret_access_key = read('aws_secret_access_key', '')
    options.aws_region = read('aws_region', 'us-west-1')
def initConfig():
    """Load the attacker-categorisation settings from options.configfile.

    categorymapping is a JSON list of one-entry dicts mapping alert
    category -> attacker category, e.g.
    [{"bruteforce":"bruteforcer"},{"alertcategory":"attackercategory"}];
    invalid JSON raises ValueError here. mqprotocol is 'amqp' or 'amqps'
    (TLS); mquser/mqpassword default to RabbitMQ's stock 'guest'/'guest'
    and should be overridden for any non-local broker.
    """
    conf = options.configfile

    def read(key, default):
        return getConfig(key, default, conf)

    options.defaulttimezone = read('defaulttimezone', 'UTC')

    # logging destination
    options.output = read('output', 'stdout')
    options.sysloghostname = read('sysloghostname', 'localhost')
    options.syslogport = read('syslogport', 514)

    # elasticsearch and mongo
    options.esservers = read('esservers', 'http://localhost:9200').split(',')
    options.mongohost = read('mongohost', 'localhost')
    options.mongoport = read('mongoport', 3001)

    # auto-categorise new attackers from their alerts, using categorymapping
    options.autocategorize = read('autocategorize', False)
    options.categorymapping = json.loads(read('categorymapping', "[]"))

    # optionally broadcast new attackers to the message queue
    options.broadcastattackers = read('broadcastattackers', False)
    options.mqserver = read('mqserver', 'localhost')
    options.alertexchange = read('alertexchange', 'alerts')
    options.routingkey = read('routingkey', 'mozdef.alert')
    options.mquser = read('mquser', 'guest')
    options.mqpassword = read('mqpassword', 'guest')
    options.mqport = read('mqport', 5672)
    options.mqvhost = read('mqvhost', '/')
    options.mqprotocol = read('mqprotocol', 'amqp')
 def _discover_task_exchange(self):
     """Return the configured message-queue protocol ('amqp' or 'sqs').

     No config file is passed to getConfig (None), so the value can only
     come from wherever getConfig looks in that case — presumably the
     environment; verify against configlib. Falls back to 'amqp'.
     """
     protocol = getConfig("mqprotocol", "amqp", None)
     return protocol
def initConfig():
    """Read this queue consumer's settings from options.configfile.

    esbulksize > 0 enables bulk posting; esbulktimeout is the max seconds a
    partial bulk waits. mqprotocol defaults to 'sqs'. mquser/mqpassword
    default to RabbitMQ's stock 'guest'/'guest' — override for non-local
    brokers. mqack=True enables acking and persistent delivery, False
    transient. AWS keys are credentials; restrict the .conf file.
    """
    conf = options.configfile
    # (attribute, config key, default), read in this order
    for attr, key, default in (
            ('mozdefhostname', 'mozdefhostname', socket.gethostname()),):
        setattr(options, attr, getConfig(key, default, conf))

    # elasticsearch
    options.esservers = getConfig('esservers', 'http://localhost:9200', conf).split(',')
    for attr, key, default in (
            ('esbulksize', 'esbulksize', 0),
            ('esbulktimeout', 'esbulktimeout', 30),
            ('mqprotocol', 'mqprotocol', 'sqs'),
            # rabbit: server, exchange, prefetch, credentials, port/vhost, acking
            ('mqserver', 'mqserver', 'localhost'),
            ('taskexchange', 'taskexchange', 'eventtask'),
            ('prefetch', 'prefetch', 10),
            ('mquser', 'mquser', 'guest'),
            ('mqpassword', 'mqpassword', 'guest'),
            ('mqport', 'mqport', 5672),
            ('mqvhost', 'mqvhost', '/'),
            ('mqack', 'mqack', True),
            # aws credentials/region
            ('accesskey', 'accesskey', ''),
            ('secretkey', 'secretkey', ''),
            ('region', 'region', ''),
            # seconds to sleep between polls
            ('sleep_time', 'sleep_time', 0.1)):
        setattr(options, attr, getConfig(key, default, conf))
def initConfig():
    """Load the IRC alert bot's settings from options.configfile.

    The config parser strips '#', so channel names in 'join' and the keys of
    the channelkeys JSON object get a leading '#' re-added here. IRC password
    and channel keys are secrets read from the .conf file; protect that file.
    channelkeys must be valid JSON or json.loads raises ValueError. An empty
    alertircchannel falls back to the first joined channel. mqpassword
    defaults to RabbitMQ's stock 'guest' and should be overridden.
    """
    conf = options.configfile

    def read(key, default):
        return getConfig(key, default, conf)

    def with_hash(name):
        return name if name.startswith('#') else '#{0}'.format(name)

    # irc connection
    options.host = read('host', 'irc.somewhere.com')
    options.nick = read('nick', 'mozdefnick')
    options.port = read('port', 6697)
    options.username = read('username', 'username')
    options.realname = read('realname', 'realname')
    options.password = read('password', '')

    # channels to join, '#' restored
    options.join = ','.join(with_hash(ch) for ch in read('join', '#mzdf').split(','))

    options.alertircchannel = read('alertircchannel', '')

    # channel -> key mapping, '#' restored on each channel name
    raw_keys = json.loads(read('channelkeys', '{"#somechannel": "somekey"}'))
    options.channelkeys = dict((with_hash(name), key) for name, key in raw_keys.items())

    # message queue: server, exchange, queue name, topic
    options.mqalertserver = read('mqalertserver', 'localhost')
    options.alertExchange = read('alertexchange', 'alerts')
    options.queueName = read('alertqueuename', 'alertBot')
    options.alerttopic = read('alerttopic', 'mozdef.*')

    # message queue: prefetch, credentials, port, delivery mode
    options.prefetch = read('prefetch', 50)
    options.mquser = read('mquser', 'guest')
    options.mqpassword = read('mqpassword', 'guest')
    options.mqport = read('mqport', 5672)
    options.mqack = read('mqack', True)

    if options.alertircchannel == '':
        options.alertircchannel = options.join.split(",")[0]
def initConfig():
    """Set defaults and override them from options.configfile.

    'regexes' is one line of tab delimited JSON objects, e.g.
    regexes={"type":"LDAP Group Update","expression":"ou=groups","severity":"INFO"}\t{...}
    An optional "tag" attribute limits matching to events carrying that tag.
    Each object must be valid JSON (json.loads raises otherwise). The
    expressions are trusted regex patterns from the config file, so keep
    that file writable only by administrators. mqpassword defaults to
    RabbitMQ's stock 'guest' and should be overridden for non-local brokers.
    """
    conf = options.configfile

    def read(key, default):
        return getConfig(key, default, conf)

    # message queue servers for incoming events and outgoing alerts
    options.mqeventserver = read('mqeventserver', 'localhost')
    options.mqalertserver = read('mqalertserver', 'localhost')
    # event/alert queue topics and exchanges
    options.eventqueue = read('eventqueue', 'mozdef.event')
    options.eventexchange = read('eventexchange', 'events')
    options.alertqueue = read('alertqueue', 'mozdef.alert')
    options.alertexchange = read('alertexchange', 'alerts')
    # prefetch count, credentials, port
    options.prefetch = read('prefetch', 50)
    options.mquser = read('mquser', 'guest')
    options.mqpassword = read('mqpassword', 'guest')
    options.mqport = read('mqport', 5672)

    # logging destination
    options.output = read('output', 'stdout')
    options.sysloghostname = read('sysloghostname', 'localhost')
    options.syslogport = read('syslogport', 514)

    # strip date strings (syslog timestamps) from the 'summary' field?
    options.removemessagedate = read('removemessagedate', True)
    options.esservers = read('esservers', 'http://localhost:9200').split(',')

    # alert regexes: one tab separated JSON object per rule
    regexes = read('regexes', '')
    options.regexlist = [json.loads(rule) for rule in regexes.split('\t')] if regexes else []
def initConfig():
    """Populate the module-level ``options`` with the IRC alert bot settings.

    Every value is read through ``getConfig`` and falls back to the literal
    default shown here when the key is absent from ``options.configfile``.
    """
    cfgfile = options.configfile

    def _opt(key, default):
        # One-line reads below; same call as getConfig(key, default, cfgfile).
        return getConfig(key, default, cfgfile)

    # IRC server connection. 6697 is the conventional IRC-over-TLS port, but
    # nothing in this function enforces TLS -- NOTE(review): confirm the
    # connect code actually negotiates TLS rather than trusting the port.
    options.host = _opt('host', 'irc.somewhere.com')
    options.nick = _opt('nick', 'mozdefnick')
    options.port = _opt('port', 6697)
    options.username = _opt('username', 'username')
    options.realname = _opt('realname', 'realname')
    # Server password, read in plaintext from the config file; empty by default.
    options.password = _opt('password', '')
    options.join = _opt('join', '#mzdf')

    # Message-queue side: broker and exchange/queue the alerts come from.
    options.mqserver = _opt('mqserver', 'localhost')
    options.alertqueue = _opt('alertqueue', 'mozdef.alert')
    options.alertexchange = _opt('alertexchange', 'alerts')

    # Channel that receives alerts; '' means "reuse the join channel" (below).
    options.alertircchannel = _opt('alertircchannel', '')
    # Channel keys arrive as a JSON object of channel -> key. The default is
    # only a placeholder; malformed JSON in the config raises ValueError here,
    # so a typo fails at startup instead of silently joining without a key.
    options.channelkeys = json.loads(
        _opt('channelkeys', '{"#somechannel": "somekey"}'))

    if options.alertircchannel == '':
        options.alertircchannel = options.join
def initConfig():
    """Load the fifo reader's settings into the module-level ``options``.

    Each setting is read through ``getConfig`` and falls back to the default
    shown here when the key is not present in ``options.configfile``.
    """
    cfgfile = options.configfile

    def _opt(key, default):
        return getConfig(key, default, cfgfile)

    # Log destination: 'stdout', or syslog at the host/port below.
    options.output = _opt('output', 'stdout')
    options.sysloghostname = _opt('sysloghostname', 'localhost')
    options.syslogport = _opt('syslogport', 514)
    # The fifo events are read from (see fiforeadsize at the bottom).
    options.logfile = _opt('logfile', 'auditd.mozdef.fifo')

    # Time zone applied when an event carries none.
    options.defaultTimeZone = _opt('defaulttimezone', 'US/Pacific')

    # Message queue. 'mqservers' may be a comma-delimited list
    # (server,server2,server3,...) to spread posts across brokers; it is kept
    # as the raw string here, so whoever consumes it must do the splitting.
    options.mqservers = _opt('mqservers', 'localhost')
    options.taskexchange = _opt('taskexchange', 'eventtask')
    # guest/guest is the broker's stock default account -- a placeholder, not
    # a production credential. Set real values in the config file for any
    # broker that is not on the local host.
    options.mquser = _opt('mquser', 'guest')
    options.mqpassword = _opt('mqpassword', 'guest')
    options.mqport = _opt('mqport', 5672)

    # Bytes pulled from the fifo per read.
    options.fiforeadsize = _opt('fiforeadsize', 2048)
def initConfig():
    """Fill the module-level ``options`` with the papertrail poller's settings.

    Values are read through ``getConfig`` and default to the literals below
    when absent from ``options.configfile``.
    """
    cfgfile = options.configfile

    def _opt(key, default):
        return getConfig(key, default, cfgfile)

    # Name this instance reports as; the local hostname unless configured.
    options.mozdefhostname = _opt('mozdefhostname', socket.gethostname())

    # Elasticsearch: comma-delimited server list (split here), plus bulk
    # posting controls -- esbulksize 0 leaves bulk posting off, esbulktimeout
    # is the number of seconds after which a partial batch is posted anyway.
    options.esservers = _opt('esservers', 'http://localhost:9200').split(',')
    options.esbulksize = _opt('esbulksize', 0)
    options.esbulktimeout = _opt('esbulktimeout', 30)

    # Papertrail API. The key is a secret read in plaintext from the config
    # file; 'none' and 'unset' are placeholder defaults, not usable values --
    # NOTE(review): confirm the poller refuses to start with the placeholders.
    options.ptapikey = _opt('papertrailapikey', 'none')
    options.ptquery = _opt('papertrailquery', '')
    options.ptinterval = _opt('papertrailinterval', 60)
    options.ptbackoff = _opt('papertrailbackoff', 300)
    options.ptacctname = _opt('papertrailaccount', 'unset')
    options.ptquerymax = _opt('papertrailmaxevents', 2000)

    # Seconds between checks for new/updated plugins. The original note says
    # periodic re-checking was disabled because it appeared to leak memory;
    # the value is still read so the key stays valid in config files.
    options.plugincheckfrequency = _opt('plugincheckfrequency', 120)
 def test_list_returns_as_string(self):
     """A comma-separated config value comes back as a single ``str``.

     The fixture at ``self.config_path`` is expected to define ``foo=foo,bar``,
     so the default ('zab,za') must not be what is returned, and the value
     must not have been split into a list.
     """
     from configlib import getConfig
     value = getConfig('foo', 'zab,za', self.config_path)
     print(value)  # shown by pytest only on failure
     assert value == 'foo,bar'
     assert isinstance(value, str)
def initConfig():
    """Populate the module-level ``options`` for the SQS/RabbitMQ event consumer.

    Every setting is read through ``getConfig`` and falls back to the literal
    default when the key is missing from ``options.configfile``.
    """
    cfgfile = options.configfile

    def _opt(key, default):
        return getConfig(key, default, cfgfile)

    # Log destination: 'stdout', or syslog at the host/port below.
    options.output = _opt('output', 'stdout')
    options.sysloghostname = _opt('sysloghostname', 'localhost')
    options.syslogport = _opt('syslogport', 514)

    # Elasticsearch: comma-delimited server list, split here. esbulksize 0
    # leaves bulk posting off; esbulktimeout posts a partial batch after that
    # many seconds regardless of size.
    options.esservers = _opt('esservers', 'http://localhost:9200').split(',')
    options.esbulksize = _opt('esbulksize', 0)
    options.esbulktimeout = _opt('esbulktimeout', 30)

    # Transport selector: 'sqs' for Amazon. The rabbit settings below are
    # read unconditionally, whichever transport is selected.
    options.mqprotocol = _opt('mqprotocol', 'sqs')

    # RabbitMQ connection.
    options.mqserver = _opt('mqserver', 'localhost')
    options.taskexchange = _opt('taskexchange', 'eventtask')
    options.eventexchange = _opt('eventexchange', 'events')
    # Messages requested from the broker per fetch.
    options.prefetch = _opt('prefetch', 10)
    # guest/guest is RabbitMQ's stock account -- a placeholder, not a
    # production credential. Set real values in the config file for any
    # broker that is not on the local host.
    options.mquser = _opt('mquser', 'guest')
    options.mqpassword = _opt('mqpassword', 'guest')
    options.mqport = _opt('mqport', 5672)
    options.mqvhost = _opt('mqvhost', '/')
    # Acking also selects delivery mode: True = persistent (stored on disk),
    # False = transient (memory only).
    options.mqack = _opt('mqack', True)

    # AWS credentials are read in plaintext from the config file. The empty
    # defaults presumably defer to the SDK's own credential lookup
    # (environment / instance role) -- NOTE(review): verify in the SQS client
    # setup, and prefer an instance role over static keys in a config file.
    options.accesskey = _opt('accesskey', '')
    options.secretkey = _opt('secretkey', '')
    options.region = _opt('region', 'us-west-1')

    # Seconds between checks for new/updated plugins. The original note says
    # periodic re-checking was disabled because it appeared to leak memory;
    # the value is still read so existing config files remain valid.
    options.plugincheckfrequency = _opt('plugincheckfrequency', 120)

    # Full ARN the CloudTrail S3 bucket lives under. The default is a
    # placeholder string, not a valid ARN.
    options.cloudtrail_arn = _opt('cloudtrail_arn', 'cloudtrail_arn')
def initConfig():
    options.slack_token = getConfig('slack_token', '<CHANGE ME>', options.configfile)
    options.name = getConfig('name', 'mozdef', options.configfile)
    options.channels = getConfig('channels', 'general', options.configfile).split(',')
    options.alert_channel = getConfig('alert_channel', 'siem', options.configfile)

    # queue exchange name
    options.alertExchange = getConfig(
        'alertexchange',
        'alerts',
        options.configfile)

    # queue name
    options.queueName = getConfig(
        'alertqueuename',
        'alertBot',
        options.configfile)

    # queue topic
    options.alerttopic = getConfig(
        'alerttopic',
        'mozdef.*',
        options.configfile)

    # how many messages to ask for at once
    options.prefetch = getConfig('prefetch', 50, options.configfile)
    options.mqalertserver = getConfig('mqalertserver', 'localhost', options.configfile)
    options.mquser = getConfig('mquser', 'guest', options.configfile)
    options.mqpassword = getConfig('mqpassword', 'guest', options.configfile)
    options.mqport = getConfig('mqport', 5672, options.configfile)
    # mqack=True sets persistant delivery, False sets transient delivery
    options.mqack = getConfig('mqack', True, options.configfile)