 def getEvent(self, event_id, full=1):
     """
     Load one 'event' row (looked up by 'event_id') and wrap it as an event entry.

     @param event_id: value of the 'event_id' column
     @param full: when true, the row's foreign keys (observer, reporter, source,
         destination, data, event type) are resolved through the corresponding
         getters; otherwise all of them are handed over as None
     @return: result of the dict creator's createEventEntry
     """
     from dataengine_tools import getPreXMLDictCreator
     row = self._getSomething('event', 'event_id', event_id)

     # (column, resolver) in the order createEventEntry expects the values.
     # Unset foreign keys arrive as the string 'None', not as None itself.
     lookups = (
         ('obsrv_id', lambda key: self.getObserver(key, 1)),
         ('rprt_id', lambda key: self.getReporter(key, 1)),
         ('src_id', lambda key: self.getSource(key, 1)),
         ('dstn_id', lambda key: self.getDestination(key, 1)),
         ('data_id', lambda key: self.getData(key, 1)),
         ('event_type_id', self.getEventType),
     )
     resolved = []
     for column, resolve in lookups:
         value = None
         if full and row[column] != 'None':
             value = resolve(row[column])
         resolved.append(value)

     return getPreXMLDictCreator().createEventEntry(row, *resolved)
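    def getExtensionEvent(self, plainEventId):
        """
        Resolve the full ioids event that wraps the plain event plainEventId.

        Selects the ioids events whose 'event_id' equals plainEventId, turns the
        first hit into (name, attributes, children) form and loads the complete
        ioids event by its 'ioids_event_id'.

        @param plainEventId: value matched against the 'event_id' column
        @return: the ioids event as returned by getIoidsEvent, or None when no
            ioids event references plainEventId
        """
        hits = self.getIoidsEvents([['event_id', dbconnector.OPERATOR_EQUAL, plainEventId]])
        # Indexing [0] unconditionally raised IndexError for a plain event without
        # an ioids wrapper; report "not found" as None instead.
        if not hits or not hits[0]['relations']:
            return None
        slim = getPreXMLDictCreator().restructureIoidsEventEntry(hits[0]['relations'][0]['attributes'])
        return self.getIoidsEvent(slim[1]['ioids_event_id'])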
 def getIoidsSource(self, sourceId, full=1):
     """
     Load one 'ioids_source' row (by 'ioids_source_id') as an ioids source entry.

     @param sourceId: value of the 'ioids_source_id' column
     @param full: when true, the row's 'ioids_peer_id' is resolved through
         getIoidsPeer; otherwise the peer slot stays None
     @return: result of the dict creator's createIoidsSourceEntry
     """
     from dataengine_tools import getPreXMLDictCreator
     row = self._getSomething('ioids_source', 'ioids_source_id', sourceId)
     peer_key = 'None'           # unset foreign keys arrive as the string 'None'
     if full:
         peer_key = row['ioids_peer_id']
     peer = None
     if peer_key != 'None':
         peer = self.getIoidsPeer(peer_key)
     return getPreXMLDictCreator().createIoidsSourceEntry(row, peer)
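    def newIoidsEventFromRemote(self, ioidsevent, relations=None):
        """
        Store an ioids event received from a remote peer together with its relations.

        The event is inserted first and its resulting 'event_id' is remembered in
        self._remoteEvents so the local trigger does not treat it as a new local
        event. Each relation is then stored with its plain event; an optional
        extension event is handed to insertExtensionEvent.

        @param ioidsevent: the ioids event entry as received from the peer
        @param relations: list of relation triples (name, attributes, children);
            each child is a 'plainevent' or an 'extension' entry. None means no
            relations (the mutable default [] was replaced by None).

        NOTE(review): the payload comes from a remote peer and is used as-is -
        relation[1]['type'], entry[2][0] and the extension type are not validated,
        and a malformed message raises (KeyError / IndexError / TypeError) after the
        event row has already been inserted. Peer authentication and message
        validation have to happen before this method is called.
        """
        from dbconnector import getDBConnector
        if relations is None:
            relations = []
        print("I received from remote Event with Relations")
        primKey = getDBConnector().insertIoidsEvent(ioidsevent)
        eventId = getDBConnector().getIoidsEvent(primKey, 0)[1]['event_id']
        self._remoteEvents.append(eventId)      # our trigger must not pick up this event

        from dataengine_tools import getPreXMLDictCreator
        creator = getPreXMLDictCreator()
        for relation in relations:
            print("New Relation:")
            plainEvent = None
            extensionEvent = None
            extensionType = None
            relationType = relation[1]['type']
            for entry in relation[2]:
                if entry[0] == 'plainevent':
                    plainEvent = entry[2][0]
                elif entry[0] == 'extension':
                    try:
                        extensionEvent = entry[2][0]
                        extensionType = entry[1]['type']
                    except IndexError:
                        # an empty extension child only means the sender could not
                        # handle the extension itself
                        pass

            relType = creator.createNewIoidsRelationTypeEntry(relationType)
            relEntry = creator.createNewIoidsRelationEntry([ioidsevent, plainEvent, relType])
            primKey = getDBConnector().insertFullIoidsEventWithRelation(relEntry)
            print("-- Primary key for remote ioids event (relation): %s" % (primKey))

            # extensionType / extensionEvent may both be None here (no usable
            # extension child); the connector is left to decide what that means
            print("-- Event for Extension: %s" % (extensionType))
            try:
                primKey = getDBConnector().insertExtensionEvent(extensionType, extensionEvent)
                print("-- Primary key for extension event: %s" % (primKey))
            except ValueError:
                # ValueError is how the connector reports an extension type this
                # node does not understand - not an error from our point of view
                print("-- Extension is unknown: %s" % (extensionType))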
def getPreXMLDictCreator():
    """
    Singleton accessor for the pre-XML dict creator.

    Delegates to dataengine_tools.getPreXMLDictCreator; the import is done
    lazily so this module does not depend on dataengine_tools at import time.

    @return: whatever dataengine_tools.getPreXMLDictCreator returns (the shared
        dict creator instance)
    """
    from dataengine_tools import getPreXMLDictCreator as _shared_creator
    return _shared_creator()
 def getDestination(self, destination_id, full=1):
     """
     Load one 'destination' row (by 'dstn_id') as a destination entry.

     @param destination_id: value of the 'dstn_id' column
     @param full: when true, the row's 'agent_id' is resolved through
         getAgent(..., 1); otherwise the agent slot stays None
     @return: result of the dict creator's createDestinationEntry
     """
     from dataengine_tools import getPreXMLDictCreator
     row = self._getSomething('destination', 'dstn_id', destination_id)
     agent_key = 'None'          # unset foreign keys arrive as the string 'None'
     if full:
         agent_key = row['agent_id']
     agent = None
     if agent_key != 'None':
         agent = self.getAgent(agent_key, 1)
     return getPreXMLDictCreator().createDestinationEntry(row, agent)
 def getSource(self, source_id, full=1):
     """
     Load one 'source' row (by 'src_id') as a source entry.

     @param source_id: value of the 'src_id' column
     @param full: when true, the row's 'agent_id' is resolved through
         getAgent(..., 1); otherwise the agent slot stays None
     @return: result of the dict creator's createSourceEntry
     """
     from dataengine_tools import getPreXMLDictCreator
     row = self._getSomething('source', 'src_id', source_id)
     wrap = getPreXMLDictCreator().createSourceEntry
     # unset foreign keys arrive as the string 'None'
     if not full or row['agent_id'] == 'None':
         return wrap(row, None)
     return wrap(row, self.getAgent(row['agent_id'], 1))
 def getReporter(self, reporter_id, full=1):
     """
     Load one 'reporter' row (by 'rprt_id') as a reporter entry.

     @param reporter_id: value of the 'rprt_id' column
     @param full: when true, the row's 'agent_id' is resolved through
         getAgent(..., 1); otherwise the agent slot stays None
     @return: result of the dict creator's createReporterEntry
     """
     from dataengine_tools import getPreXMLDictCreator
     row = self._getSomething('reporter', 'rprt_id', reporter_id)

     def linked_agent():
         # unset foreign keys arrive as the string 'None'
         if not full:
             return None
         key = row['agent_id']
         if key == 'None':
             return None
         return self.getAgent(key, 1)

     return getPreXMLDictCreator().createReporterEntry(row, linked_agent())
 def getUser(self, user_id, full=1):
     """
     Load one 'usr' row (by 'usr_id') as a user entry.

     @param user_id: value of the 'usr_id' column
     @param full: when true, the row's 'usr_group_id' is resolved through
         getUserGroup(..., 1); otherwise the group slot stays None
     @return: result of the dict creator's createUserEntry
     """
     from dataengine_tools import getPreXMLDictCreator
     row = self._getSomething('usr', 'usr_id', user_id)
     group = None
     if full:
         group_key = row['usr_group_id']
         if group_key != 'None':         # unset foreign keys arrive as the string 'None'
             group = self.getUserGroup(group_key, 1)
     return getPreXMLDictCreator().createUserEntry(row, group)
 def getComputer(self, computer_id, full=1):
     """
     Load one 'computer' row (by 'comp_id') as a computer entry.

     @param computer_id: value of the 'comp_id' column
     @param full: when true, the row's 'comp_type_id' is resolved through
         getComputerType(..., 1); otherwise the type slot stays None
     @return: result of the dict creator's createComputerEntry
     """
     from dataengine_tools import getPreXMLDictCreator
     row = self._getSomething('computer', 'comp_id', computer_id)
     wrap = getPreXMLDictCreator().createComputerEntry
     # unset foreign keys arrive as the string 'None'
     if not full or row['comp_type_id'] == 'None':
         return wrap(row, None)
     return wrap(row, self.getComputerType(row['comp_type_id'], 1))
 def getData(self, data_id, full=1):
     """
     Load one 'data' row (by 'data_id') as a data entry.

     @param data_id: value of the 'data_id' column
     @param full: when true, the row's 'encoding_id' is resolved through
         getEncoding(..., 1); otherwise the encoding slot stays None
     @return: result of the dict creator's createDataEntry
     """
     from dataengine_tools import getPreXMLDictCreator
     row = self._getSomething('data', 'data_id', data_id)
     encoding_key = 'None'       # unset foreign keys arrive as the string 'None'
     if full:
         encoding_key = row['encoding_id']
     encoding = None
     if encoding_key != 'None':
         encoding = self.getEncoding(encoding_key, 1)
     return getPreXMLDictCreator().createDataEntry(row, encoding)
 def getAgent(self, agent_id, full=1):
     """
     Load one 'agent' row (by 'agent_id') as an agent entry.

     @param agent_id: value of the 'agent_id' column
     @param full: when true, 'agent_class_id', 'comp_id' and 'prcss_id' are
         resolved through getAgentClass / getComputer / getProcess (each with
         full=1); otherwise those three slots are None
     @return: result of the dict creator's createAgentEntry
     """
     from dataengine_tools import getPreXMLDictCreator
     row = self._getSomething('agent', 'agent_id', agent_id)
     # (column, getter) in the order createAgentEntry expects the values
     lookups = (
         ('agent_class_id', self.getAgentClass),
         ('comp_id', self.getComputer),
         ('prcss_id', self.getProcess),
     )
     resolved = []
     for column, getter in lookups:
         value = None
         if full and row[column] != 'None':       # unset foreign keys are the string 'None'
             value = getter(row[column], 1)
         resolved.append(value)
     return getPreXMLDictCreator().createAgentEntry(row, *resolved)
 def getProcess(self, process_id, full=1):
     """
     Load one 'process' row (by 'prcss_id') as a process entry.

     @param process_id: value of the 'prcss_id' column
     @param full: when true, 'usr_id', 'prcss_type_id' and 'prcss_name_id' are
         resolved through getUser / getProcessType / getProcessName (each with
         full=1); otherwise those slots are None
     @return: result of the dict creator's createProcessEntry (note its argument
         order: type, name, user)
     """
     from dataengine_tools import getPreXMLDictCreator
     row = self._getSomething('process', 'prcss_id', process_id)
     linked = {'user': None, 'type': None, 'name': None}
     if full:
         # unset foreign keys arrive as the string 'None'
         if row['usr_id'] != 'None':
             linked['user'] = self.getUser(row['usr_id'], 1)
         if row['prcss_type_id'] != 'None':
             linked['type'] = self.getProcessType(row['prcss_type_id'], 1)
         if row['prcss_name_id'] != 'None':
             linked['name'] = self.getProcessName(row['prcss_name_id'], 1)
     return getPreXMLDictCreator().createProcessEntry(row, linked['type'], linked['name'], linked['user'])
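 def getIoidsRelation(self, relationId, full=1):
     """
     Load one 'ioids_relation' row (by 'ioids_relation_id') as a relation entry.

     @param relationId: value of the 'ioids_relation_id' column
     @param full: when true, the row's 'event_id', 'ioids_event_id' and
         'ioids_relation_type_id' are resolved through getEvent, getIoidsEvent
         and getIoidsRelationType; otherwise all three slots are None
     @return: result of the dict creator's createIoidsRelationEntry
     """
     from dataengine_tools import getPreXMLDictCreator
     row = self._getSomething('ioids_relation', 'ioids_relation_id', relationId)

     event = None
     ioidsEvent = None
     relationType = None
     if full:
         # unset foreign keys arrive as the string 'None'
         if row['event_id'] != 'None':
             event = self.getEvent(row['event_id'], 1)
         if row['ioids_event_id'] != 'None':
             ioidsEvent = self.getIoidsEvent(row['ioids_event_id'], 1)
         if row['ioids_relation_type_id'] != 'None':
             # Was self.getEvent(...): a copy/paste slip that looked the relation
             # type id up in the 'event' table. The type lives in ioids_relation_type.
             relationType = self.getIoidsRelationType(row['ioids_relation_type_id'], 1)

     return getPreXMLDictCreator().createIoidsRelationEntry(row, event, ioidsEvent, relationType)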
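 def startup(self):
     """
     Establishes the database connection regarding to settings in the config file and
     keeps us running forever.

     Binds the dict creator and the DB connector to the instance, opens the
     database connection and reads the oid of the last processed event from
     the first line of config.EVENT_STATUS_LOCATION. If that file cannot be
     read, processing is meant to start from oid '0'.

     NOTE(review): readline() keeps the trailing newline, and lastestEventOid
     is not consumed within this excerpt - the event loop the docstring refers
     to is not visible here; check the consumer copes with the newline.
     """
     self._dictCreator = dataengine_tools.getPreXMLDictCreator()
     self._DBConnector = dbconnector.getDBConnector()
     self._DBConnector.connect()

     lastestEventOid = '0'
     try:
         filename = config.EVENT_STATUS_LOCATION
         statusFile = open(filename, 'r')
         try:
             lastestEventOid = statusFile.readline()
         finally:
             # close even when readline() fails; the plain open/readline/close
             # sequence leaked the handle in that case
             statusFile.close()
     except Exception:
         # best effort: a missing or unreadable status file (or a missing config
         # entry) simply means we start from the beginning
         pass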
    def getIoidsEvent(self, ioids_event_id, full=1):
        """
        Load one 'ioids_event' row (by 'ioids_event_id') as an ioids event entry.

        @param ioids_event_id: value of the 'ioids_event_id' column
        @param full: when true, 'event_id', 'ioids_sender_id', 'ioids_source_id'
            and 'classification_id' are resolved through getEvent, getIoidsSender,
            getIoidsSource and getIoidsClassification (each with full=1);
            otherwise those four slots are None
        @return: result of the dict creator's createIoidsEventEntry
        """
        from dataengine_tools import getPreXMLDictCreator
        row = self._getSomething('ioids_event', 'ioids_event_id', ioids_event_id)

        # (column, getter) in the order createIoidsEventEntry expects the values
        lookups = (
            ('event_id', self.getEvent),
            ('ioids_sender_id', self.getIoidsSender),
            ('ioids_source_id', self.getIoidsSource),
            ('classification_id', self.getIoidsClassification),
        )
        resolved = []
        for column, getter in lookups:
            value = None
            if full and row[column] != 'None':      # unset foreign keys are the string 'None'
                value = getter(row[column], 1)
            resolved.append(value)

        return getPreXMLDictCreator().createIoidsEventEntry(row, *resolved)
    def getRelatedEventsForIoidsEvent(self, ioidsEventId, full=1):
        """
        Collect the relations of one ioids event together with their plain events.

        Selects the 'event_id' column of ioids_relation for ioidsEventId,
        restructures every returned row into a relation entry and then swaps
        the 'event_id' / 'ioids_relation_type_id' attributes of each relation
        for the loaded event and relation-type entries, which are appended to
        the relation's children.

        @param ioidsEventId: matched (as str) against 'ioids_event_id'
        @param full: accepted for symmetry with the other getters; unused here
        @return: list of relation entries, each carrying its event and relation
            type as children
        """
        from messagewrapper import getXMLDBWrapper
        query = getXMLDBWrapper().wrapSelect('ioids_relation', 'event_id', [['ioids_event_id', OPERATOR_EQUAL, str(ioidsEventId)]])
        reply = self._performRequest(query)
        count, resolved = getXMLDBWrapper().parseSelectReply(reply)

        from dataengine_tools import getPreXMLDictCreator
        creator = getPreXMLDictCreator()
        relations = [creator.restructureEntry(item['attributes'], 'relation')
                     for item in resolved[0]['relations']]

        for relation in relations:
            attributes, children = relation[1], relation[2]
            children.append(self.getEvent(attributes['event_id']))
            del attributes['event_id']
            children.append(self.getIoidsRelationType(attributes['ioids_relation_type_id']))
            del attributes['ioids_relation_type_id']
        return relations
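    def _executeOneReaction(self, event, reaction):
        """
        Performs all operations as defined by the reaction part of an ioids rule.

        Only the reaction type 'NewLocalEvent' is acted upon: the triggering
        event is serialised to XML, hex-encoded and stored as the data of a new
        event whose reporter is this IOIDS node and whose observer is the
        reporter of the triggering event. That event is wrapped into an ioids
        event (community / classification from the reaction parameters) and
        linked to the triggering event through a 'parent' relation.

        @param event: the triggering event as (name, attributes, children);
            attributes['event_id'] is removed so the event is not inserted again
        @param reaction: reaction dict of the rule; reaction['parameters'] must
            carry 'community' and 'classification' ('Auto' selects the fixed
            defaults below); 'distribute' is only announced so far
        @raise IoidsDependencyException: when 'community' or 'classification'
            is missing from the reaction parameters
        """
        from config import G4DS_MEMBER_ID
        from dbconnector import getDBConnector
        from errorhandling import IoidsDependencyException

        ioidsSource = G4DS_MEMBER_ID
        ioidsSender = G4DS_MEMBER_ID
        parameters = reaction['parameters']
        if 'community' in parameters:
            if parameters['community'] == 'Auto':
                ioidsCommunity = 'C001'     # TODO: determine the community properly instead of this fixed default
            else:
                ioidsCommunity = parameters['community']
        else:
            raise IoidsDependencyException('Community can not be determined for new local event. Looks like a mistake in ioids policy.')

        if 'classification' in parameters:
            if parameters['classification'] == 'Auto':
                ioidsClassificationCode = '10'     # TODO: determine the classification properly instead of this fixed default
            else:
                ioidsClassificationCode = parameters['classification']
        else:
            # the message used to talk about the community here (copy/paste slip)
            raise IoidsDependencyException('Classification can not be determined for new local event. Looks like a mistake in ioids policy.')

        ioidsTimestamp = 'now'

        if reaction['type'] == 'NewLocalEvent':
            # the id must go - otherwise the same event would be inserted again and again
            if 'event_id' in event[1]:
                del event[1]['event_id']

            from dataengine_tools import getPreXMLDictCreator
            from config import IOIDS_EVENT_TYPE, LOCAL_ADDRESS, LOCAL_HOSTNAME, LOCAL_MAC, LOCAL_OS, LOCAL_DOMAIN, LOCAL_COMPUTER_TYPE
            from messagewrapper import getXMLDBWrapper
            import binascii         # used to be imported as 'hex', shadowing the builtin
            creator = getPreXMLDictCreator()

            # the triggering event, serialised to XML and hex-encoded, becomes the
            # data of the new event (hexlify needs a byte string - assumed to be
            # what wrapInsert returns; verify before moving to Python 3)
            newEncoding = creator.createNewEncodingEntry('XML HEX')
            eventXML = getXMLDBWrapper().wrapInsert(event[0], event[1], event[2])
            encoded = binascii.hexlify(eventXML)
            newData = creator.createNewDataEntry(encoded, [newEncoding])  # todo: put whole event description here

            newComputer = creator.createNewComputerEntry(LOCAL_HOSTNAME, LOCAL_OS, LOCAL_ADDRESS, LOCAL_MAC, LOCAL_DOMAIN, [], None, LOCAL_COMPUTER_TYPE)
            newAgent = creator.createNewAgentEntry('IOIDS', [newComputer], '2')
            newReporter = creator.createNewReporterEntry('IOIDS reporter', [newAgent])

            newEventType = creator.createNewEventTypeEntry(IOIDS_EVENT_TYPE)

            # reporter is me; observer is the reporter of the triggering event
            oldEventReporterId = event[1]['rprt_id']
            fullReporter = getDBConnector().getReporter(oldEventReporterId)
            repName = None
            if 'rprt_name' in fullReporter[1]:
                repName = fullReporter[1]['rprt_name']
            newObserver = creator.createNewObserverEntry(repName, fullReporter[2])
            # source and destination are the same as those of the triggering event
            newEvent = creator.createNewEventEntry('now', [newData, newEventType, newReporter, newObserver], None, None,
                event[1]['src_id'], event[1]['dstn_id'])
            ioidsEventEntry = creator.createNewIoidsEventEntry(ioidsCommunity, ioidsTimestamp, [
                creator.createNewIoidsSourceEntry(ioidsSource),
                creator.createNewIoidsSenderEntry(ioidsSender),
                getDBConnector().getIoidsClassificationByCode(ioidsClassificationCode),
                newEvent     # our event should be in the proper format already
                ])

            # and finally the relation to the triggering event
            newRelationEntry = creator.createNewIoidsRelationEntry([ioidsEventEntry, event], relationTypeName = 'parent')

            primKeyRel = getDBConnector().insertFullIoidsEventWithRelation(newRelationEntry)
            print("\t-- Inserted event with id: %s" % (primKeyRel))

            # distribution to other domains is not implemented yet - only announced
            if 'distribute' in parameters:
                print("\t--Now I would even send it off to %s." % (parameters['distribute']['domain']))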
 def getUserGroup(self, user_group_id, full=1):
     """
     Load one 'usr_group' row (by 'usr_group_id') as a user-group entry.

     @param user_group_id: value of the 'usr_group_id' column
     @param full: accepted for symmetry with the other getters; nothing is
         resolved here, so it is ignored
     @return: result of the dict creator's createUserGroupEntry
     """
     from dataengine_tools import getPreXMLDictCreator
     row = self._getSomething('usr_group', 'usr_group_id', user_group_id)
     wrap = getPreXMLDictCreator().createUserGroupEntry
     return wrap(row)
 def getProcessName(self, process_name_id, full=1):
     """
     Load one 'prcss_name' row (by 'prcss_name_id') as a process-name entry.

     @param process_name_id: value of the 'prcss_name_id' column
     @param full: accepted for symmetry with the other getters; nothing is
         resolved here, so it is ignored
     @return: result of the dict creator's createProcessNameEntry
     """
     from dataengine_tools import getPreXMLDictCreator
     row = self._getSomething('prcss_name', 'prcss_name_id', process_name_id)
     wrap = getPreXMLDictCreator().createProcessNameEntry
     return wrap(row)
 def getIoidsRelationType(self, relation_type_id, full=1):
     """
     Load one 'ioids_relation_type' row (by 'ioids_relation_type_id') as a
     relation-type entry.

     @param relation_type_id: value of the 'ioids_relation_type_id' column
     @param full: accepted for symmetry with the other getters; nothing is
         resolved here, so it is ignored
     @return: result of the dict creator's createIoidsRelationTypeEntry
     """
     from dataengine_tools import getPreXMLDictCreator
     row = self._getSomething('ioids_relation_type', 'ioids_relation_type_id', relation_type_id)
     wrap = getPreXMLDictCreator().createIoidsRelationTypeEntry
     return wrap(row)
 def getAgentClass(self, agent_class_id, full=1):
     """
     Load one 'agent_class' row (by 'agent_class_id') as an agent-class entry.

     @param agent_class_id: value of the 'agent_class_id' column
     @param full: accepted for symmetry with the other getters; nothing is
         resolved here, so it is ignored
     @return: result of the dict creator's createAgentClassEntry
     """
     from dataengine_tools import getPreXMLDictCreator
     row = self._getSomething('agent_class', 'agent_class_id', agent_class_id)
     wrap = getPreXMLDictCreator().createAgentClassEntry
     return wrap(row)
 def getIoidsPeer(self, peerId, full=1):
     """
     Load one 'ioids_peer' row (by 'ioids_peer_id') as an ioids peer entry.

     @param peerId: value of the 'ioids_peer_id' column
     @param full: accepted for symmetry with the other getters; nothing is
         resolved here, so it is ignored
     @return: result of the dict creator's createIoidsPeerEntry
     """
     from dataengine_tools import getPreXMLDictCreator
     row = self._getSomething('ioids_peer', 'ioids_peer_id', peerId)
     wrap = getPreXMLDictCreator().createIoidsPeerEntry
     return wrap(row)
 def getIoidsClassificationByCode(self, classification_code, full=1):
     """
     Load one 'ioids_classification' row as a classification entry.

     Unlike the other getters this one looks the row up by the
     'classification_code' column rather than by its id.

     @param classification_code: value of the 'classification_code' column
     @param full: accepted for symmetry with the other getters; nothing is
         resolved here, so it is ignored
     @return: result of the dict creator's createIoidsClassificationEntry
     """
     from dataengine_tools import getPreXMLDictCreator
     row = self._getSomething('ioids_classification', 'classification_code', classification_code)
     wrap = getPreXMLDictCreator().createIoidsClassificationEntry
     return wrap(row)
 def getEncoding(self, encoding_id, full=1):
     """
     Load one 'encoding' row (by 'encoding_id') as an encoding entry.

     @param encoding_id: value of the 'encoding_id' column
     @param full: accepted for symmetry with the other getters; nothing is
         resolved here, so it is ignored
     @return: result of the dict creator's createEncodingEntry
     """
     from dataengine_tools import getPreXMLDictCreator
     row = self._getSomething('encoding', 'encoding_id', encoding_id)
     wrap = getPreXMLDictCreator().createEncodingEntry
     return wrap(row)
 def getComputerType(self, computer_type_id, full=1):
     """
     Load one 'comp_type' row (by 'comp_type_id') as a computer-type entry.

     @param computer_type_id: value of the 'comp_type_id' column
     @param full: accepted for symmetry with the other getters; nothing is
         resolved here, so it is ignored
     @return: result of the dict creator's createComputerTypeEntry
     """
     from dataengine_tools import getPreXMLDictCreator
     row = self._getSomething('comp_type', 'comp_type_id', computer_type_id)
     wrap = getPreXMLDictCreator().createComputerTypeEntry
     return wrap(row)
 def getEventType(self, event_type_id, full=1):
     """
     Load one 'event_type' row (by 'event_type_id') as an event-type entry.

     @param event_type_id: value of the 'event_type_id' column
     @param full: accepted for symmetry with the other getters; nothing is
         resolved here, so it is ignored
     @return: result of the dict creator's createEventTypeEntry
     """
     from dataengine_tools import getPreXMLDictCreator
     row = self._getSomething('event_type', 'event_type_id', event_type_id)
     wrap = getPreXMLDictCreator().createEventTypeEntry
     return wrap(row)