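    def run(self):
        """Poll the tab-separated Bro/Zeek notice.log and raise alerts for scan and traceroute notices.

        Runs forever: every 5 seconds the whole file is re-read, '#'-prefixed
        header/footer lines are skipped, and the uid in the second tab column
        is checked against ``self.recorded`` so each notice is processed once.
        A line matching ``self.scan_regex`` yields a ``port_scan`` alert, one
        matching ``self.tracert_regex`` a ``traceroute`` alert, in both cases
        only when the source is present in ``homenet.hosts``. Read failures
        are logged at debug level and the loop keeps going.
        """
        global homenet
        global lock

        notice_log = '/usr/local/bro/logs/current/notice.log'

        while 1:
            try:
                # The original never closed the handle, leaking a descriptor
                # on every pass round the loop.
                with open(notice_log, 'r') as f:
                    lines = f.readlines()
                for line in lines:
                    line = line.strip()
                    # An empty line used to raise IndexError on line[0]; that
                    # is not an IOError, so it killed the polling thread.
                    if not line or line.startswith('#'):
                        continue
                    fields = line.split('\t')
                    if len(fields) < 2:
                        continue
                    uid = fields[1]
                    # NOTE(review): ``self.recorded`` is a list (see the slice
                    # delete below), so this membership test is O(n) per line
                    # with n up to 100000 - a set mirror would be cheaper if
                    # the owner of ``recorded`` can be changed.
                    if uid in self.recorded:
                        continue
                    scan = re.search(self.scan_regex, line)
                    if scan:
                        self._alert_port_scan(scan)
                    else:
                        tracert = re.search(self.tracert_regex, line)
                        if tracert:
                            self._alert_traceroute(tracert)
                    self.recorded.append(uid)
            except (IOError, OSError) as e:
                # e.message exists only on Python 2 and e.__doc__ may be None;
                # str() on both keeps this handler from raising itself.
                log.debug('FG-WARN: read_bro_notice_log - ' + str(e.__doc__) + " - " + str(e))

            # NOTE(review): clearing the list means every uid still present in
            # the current file is alerted on again on the next pass - confirm
            # whether that duplicate alerting is acceptable.
            if len(self.recorded) > 100000:
                del self.recorded[:]

            time.sleep(5)

    def _alert_port_scan(self, scan):
        """Store a ``port_scan`` alert for the source captured by the *scan* match.

        Groups 1-3 of the match are the notice timestamp, source and
        destination; group 4 (duration) is not used. Nothing is stored when
        the source is not a known host.
        """
        ts = int(float(scan.group(1)))
        src = scan.group(2)
        dst = scan.group(3)
        with lock:
            if src not in homenet.hosts:
                return
            ctime = int(time.time())
            description = 'This host has been detected scanning one or multiple destination ' \
                          'IP addresses for open ports. This could indicate that a hacker has ' \
                          'compromised and taken control of this device and is now trying to locate ' \
                          'and compromise other hosts in your network.'
            reference = 'https://en.wikipedia.org/wiki/Port_scanner'
            # Positional record layout expected by utils.add_alert_to_db; src
            # and dst are log-derived strings, so the DB layer is assumed to
            # use parameterised statements - confirm.
            a = [0, 'port_scan', ts, ctime, 0, 0, 'Port Scan', src, dst, 0, description, reference]
            alert_id = utils.add_alert_to_db(a)
            homenet.hosts[src].alerts.append(alert_id)

    def _alert_traceroute(self, tracert):
        """Store a ``traceroute`` alert for the source captured by the *tracert* match.

        Groups 1-2 of the match are the notice timestamp and source. Nothing
        is stored when the source is not a known host.
        """
        ts = int(float(tracert.group(1)))
        src = tracert.group(2)
        with lock:
            if src not in homenet.hosts:
                return
            ctime = int(time.time())
            indicator = '%s performed a traceroute' % src
            description = 'This host has been detected performing traceroute on your network.' \
                          'Traceroute is usually used by hackers during the initial stage ' \
                          'of an attack on a new network (reconnaissance). With this the ' \
                          'attacker gains visibility on how the traffic is travelling from ' \
                          'your internal network to other internal networks or the ' \
                          'Internet, which routers are on the way, etc.'
            reference = 'https://en.wikipedia.org/wiki/Traceroute'
            a = [0, 'traceroute', ts, ctime, 0, 0, 'Traceroute', src, indicator, 0, description, reference]
            alert_id = utils.add_alert_to_db(a)
            homenet.hosts[src].alerts.append(alert_id)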
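    def run(self):
        """Poll the JSON-formatted Bro/Zeek notice.log and raise alerts for scan and traceroute notices.

        Runs forever: every 5 seconds the whole file is re-read and each line
        is parsed as one JSON notice. The notice's ``ts`` value is used as the
        de-duplication key against ``self.recorded``. A ``Scan::Port_Scan``
        note yields a ``port_scan`` alert and a ``Traceroute::Detected`` note
        a ``traceroute`` alert, only for sources present in ``homenet.hosts``.
        Any other failure in a pass is logged at debug level and the loop
        keeps going.
        """
        notice_log = '/usr/local/bro/logs/current/notice.log'

        while 1:
            try:
                # The original never closed the handle, leaking a descriptor
                # on every pass round the loop.
                with open(notice_log, 'r') as f:
                    lines = f.readlines()
                for line in lines:
                    line = line.strip()
                    if not line:
                        continue
                    try:
                        fields = json.loads(line)
                    except ValueError:
                        # A line caught mid-write (or any non-JSON line) used
                        # to abort the whole pass via the outer handler; skip
                        # only that line.
                        continue
                    # NOTE(review): the timestamp doubles as the dedupe key,
                    # so two notices sharing a "ts" collapse into one alert -
                    # confirm that is intended (notice.log also carries a uid).
                    uid = fields["ts"]
                    if uid in self.recorded:
                        continue
                    note = fields.get("note")
                    if note == "Scan::Port_Scan":
                        self._alert_port_scan(fields)
                    elif note == "Traceroute::Detected":
                        self._alert_traceroute(fields)
                    self.recorded.append(uid)

            except Exception as e:
                # Broad catch keeps the polling thread alive. e.message exists
                # only on Python 2; on Python 3 it raised AttributeError inside
                # this handler and killed the thread, so use str(e).
                log.debug('FG-DEBUG: read_bro_notice_log - ' + str(e.__doc__) + " - " + str(e))

            # NOTE(review): clearing the list means every ts still present in
            # the current file is alerted on again on the next pass - confirm
            # whether that duplicate alerting is acceptable.
            if len(self.recorded) > 100000:
                del self.recorded[:]

            time.sleep(5)

    def _alert_port_scan(self, fields):
        """Store a ``port_scan`` alert from a decoded ``Scan::Port_Scan`` notice.

        Reads the ``ts``, ``src`` and ``dst`` keys of *fields*; nothing is
        stored when ``src`` is not a known host.
        """
        ts = float(fields["ts"])
        src = fields["src"]
        dst = fields["dst"]
        with lock:
            if src not in homenet.hosts:
                return
            ctime = int(time.time())
            description = 'This host has been detected scanning one or multiple destination ' \
                          'IP addresses for open ports. This could indicate that a hacker has ' \
                          'compromised and taken control of this device and is now trying to locate ' \
                          'and compromise other hosts in your network.'
            reference = 'https://en.wikipedia.org/wiki/Port_scanner'
            # Positional record layout expected by utils.add_alert_to_db; src
            # and dst are log-derived strings, so the DB layer is assumed to
            # use parameterised statements - confirm.
            a = [0, 'port_scan', ts, ctime, 0, 0, 'Port Scan', src, dst, 0, description, reference]
            alert_id = utils.add_alert_to_db(a)
            homenet.hosts[src].alerts.append(alert_id)

    def _alert_traceroute(self, fields):
        """Store a ``traceroute`` alert from a decoded ``Traceroute::Detected`` notice.

        Reads the ``ts`` and ``src`` keys of *fields*; nothing is stored when
        ``src`` is not a known host.
        """
        ts = float(fields["ts"])
        src = fields["src"]
        with lock:
            if src not in homenet.hosts:
                return
            ctime = int(time.time())
            indicator = '%s performed a traceroute' % src
            description = 'This host has been detected performing traceroute on your network.' \
                          'Traceroute is usually used by hackers during the initial stage ' \
                          'of an attack on a new network (reconnaissance). With this the ' \
                          'attacker gains visibility on how the traffic is travelling from ' \
                          'your internal network to other internal networks or the ' \
                          'Internet, which routers are on the way, etc.'
            reference = 'https://en.wikipedia.org/wiki/Traceroute'
            a = [0, 'traceroute', ts, ctime, 0, 0, 'Traceroute', src, indicator, 0, description, reference]
            alert_id = utils.add_alert_to_db(a)
            homenet.hosts[src].alerts.append(alert_id)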
 def create_spamming_alert(self, src):
     """Store a ``spammer`` alert for *src* and attach its id to the host record.

     The indicator column lists ``homenet.hosts[src].spammed_domains`` joined
     by ``|``; both alert timestamps are ``self.ctime``. ``homenet.hosts[src]``
     must already exist (KeyError otherwise). No lock is taken here, so the
     caller is presumably expected to hold the homenet lock - confirm.
     """
     host = homenet.hosts[src]
     text = ('This host has been detected to be requesting MX records for multiple '
             'different domains in a short period of time. This could indicate that '
             'this device it\'s infected with Malware with spamming capabilities.')
     record = [
         0, 'spammer', self.ctime, self.ctime, 0, 0, 'Spammer', src,
         '|'.join(host.spammed_domains), 0, text,
         'https://en.wikipedia.org/wiki/Spamming',
     ]
     host.alerts.append(utils.add_alert_to_db(record))
 def create_dga_alert(self, src):
     """Store a ``dga`` alert (titled 'Malware') for *src* and attach its id to the host record.

     The indicator column lists ``homenet.hosts[src].dga_domains`` joined by
     ``|``; both alert timestamps are ``self.ctime``. ``homenet.hosts[src]``
     must already exist (KeyError otherwise). No lock is taken here, so the
     caller is presumably expected to hold the homenet lock - confirm.
     """
     host = homenet.hosts[src]
     text = ('This host has been detected to perform a well-known Malware traffic '
             'pattern: Domain Generation Algorithm (DGA). This is a strong indication '
             'on the presence of active Malware on this device.')
     record = [
         0, 'dga', self.ctime, self.ctime, 0, 0, 'Malware', src,
         '|'.join(host.dga_domains), 0, text,
         'https://en.wikipedia.org/wiki/Domain_generation_algorithm',
     ]
     host.alerts.append(utils.add_alert_to_db(record))
 def create_pwning_alert(self, src, breaches):
     """Store one ``data_breach`` alert per entry of *breaches* for *src*.

     Each breach is a mapping with the keys ``Description``, ``Domain``,
     ``BreachDate``, ``AddedDate``, ``DataClasses`` (a sequence of strings)
     and ``IsVerified``; the reference column is ``homenet.hibp_api_url``
     with *src* appended. Unlike the sibling alert helpers the returned alert
     id is not attached to any host record.

     NOTE(review): these fields come from an external API response and
     ``Description`` is stored verbatim as the alert text; it is assumed to
     be escaped wherever alerts are rendered - confirm.
     """
     for entry in breaches:
         details = '|'.join([
             'Site breached: ' + entry['Domain'],
             'BreachDate: ' + entry['BreachDate'],
             'AddedDate: ' + entry['AddedDate'],
             'StolenData: ' + ','.join(entry['DataClasses']),
             'Verified: ' + str(entry['IsVerified']),
         ])
         record = [
             0, 'data_breach', self.ctime, self.ctime, 0, 0, 'Data Breach', src,
             details, 0, entry['Description'], homenet.hibp_api_url + src,
         ]
         utils.add_alert_to_db(record)
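 def create_default_creds_alert(self, threat, src, service, uname, passwd):
     """Store a default-vendor-credentials alert for *src* and attach its id to the host record.

     Args:
         threat: alert type written to the record's type column.
         src: host key in ``homenet.hosts`` (KeyError if the host is absent).
         service: name of the service on which the credentials were accepted.
         uname: username of the accepted vendor-default pair.
         passwd: password of the accepted vendor-default pair.

     Both alert timestamps are the current time. No lock is taken here, so
     the caller is presumably expected to hold the homenet lock - confirm.
     """
     ctime = int(time.time())
     description = 'FalconGate has detected an account with default vendor credentials on this host. ' \
                   'This is a serious issue which could allow and attacker to remotely access and take control of ' \
                   'this device.'
     # NOTE(review): the indicator line was unreadable in the listing (the
     # credential text was redacted and the reference line fused into it);
     # rebuilt from the uname/passwd parameters - confirm against the
     # repository. The accepted pair is persisted in clear through
     # add_alert_to_db, so the alert store holds credential material.
     indicators = 'Service: ' + service + '|' + 'Username: ' + uname + '|' + 'Password: ' + passwd
     reference = 'https://www.sans.edu/cyber-research/security-laboratory/article/default-psswd'
     a = [0, threat, ctime, ctime, 0, 0, 'Default Credentials', src, indicators, 0, description, reference]
     alert_id = utils.add_alert_to_db(a)
     homenet.hosts[src].alerts.append(alert_id)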
 def create_bad_ip_alert(self, threat, src, dst):
     """Store a blacklisted-IP alert for *src* and attach its id to the host record.

     *threat* is written to both the type and the title column. The
     indicator is ``homenet.hosts[src].conns[dst].dst_ip`` and the reference
     is that address embedded in a VirusTotal URL. Both alert timestamps are
     ``self.ctime``. No lock is taken here, so the caller is presumably
     expected to hold the homenet lock - confirm.
     """
     host = homenet.hosts[src]
     bad_ip = host.conns[dst].dst_ip
     text = ('This host has been detected trying to communicate with a malicious '
             'IP address included in the local blacklist. This traffic was blocked '
             'by FalconGate. This could be an indicator of the presence of Malware or hacker activity '
             'on this host.')
     record = [
         0, threat, self.ctime, self.ctime, 0, 0, threat, src, bad_ip, 0, text,
         'https://www.virustotal.com/en/ip-address/' + bad_ip + '/information/',
     ]
     host.alerts.append(utils.add_alert_to_db(record))
 def create_bad_file_alert(self, src, fid):
     """Store a ``malware`` alert for a flagged file download by *src* and attach its id to the host.

     The indicator is the SHA1 of ``homenet.hosts[src].files[fid]`` and the
     reference is that file's ``vt_report`` value. Both alert timestamps are
     ``self.ctime``. No lock is taken here, so the caller is presumably
     expected to hold the homenet lock - confirm.
     """
     host = homenet.hosts[src]
     flagged = host.files[fid]
     text = ('This host was detected downloading a file known to be Malware or a '
             'Malware vector according to VirusTotal. This file could be utilized '
             'to infect this machine or could indicate the presence of active '
             'Malware on this system.')
     record = [
         0, 'malware', self.ctime, self.ctime, 0, 0, 'Malware', src,
         "SHA1: " + flagged.sha1, 0, text, flagged.vt_report,
     ]
     host.alerts.append(utils.add_alert_to_db(record))
 def create_bad_domain_alert(self, src, dst):
     """Store a ``malware`` alert for a flagged DNS query by *src* and attach its id to the host.

     The indicator is ``homenet.hosts[src].dns[dst].query`` and the reference
     is that name embedded in a VirusTotal URL. Both alert timestamps are
     ``self.ctime``. No lock is taken here, so the caller is presumably
     expected to hold the homenet lock - confirm.

     NOTE(review): the queried name is taken from observed DNS traffic and is
     concatenated into the URL without encoding; worth confirming it is only
     ever used as display text.
     """
     host = homenet.hosts[src]
     name = host.dns[dst].query
     text = ('This host was detected trying to resolve the IP address of a domain '
             'which has recent Malware history according to VirusTotal and/or the '
             'local FalconGate blacklist. This could be an indicator of the presence '
             'of Malware on this host.')
     record = [
         0, 'malware', self.ctime, self.ctime, 0, 0, 'Malware', src, name, 0, text,
         'https://www.virustotal.com/en/domain/' + name + '/information/',
     ]
     host.alerts.append(utils.add_alert_to_db(record))
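 def create_alert(self, ts, ip, mac, hostname):
     """Store a ``new_device`` alert for *ip* and attach its id to the host record.

     Args:
         ts: event timestamp written as the alert's own time; the creation
             time column is taken from ``time.time()`` here.
         ip: host key in ``homenet.hosts`` (KeyError if the host is absent).
         mac: hardware address, passed to ``utils.get_vendor`` for the lookup.
         hostname: name shown in the ``|``-separated indicator column.

     NOTE(review): mac and hostname are supplied by the device itself; they
     are stored as-is and assumed to be escaped wherever alerts are
     rendered - confirm. No lock is taken here, so the caller is presumably
     expected to hold the homenet lock.
     """
     ctime = int(time.time())
     description = 'A new device was connected to your network. If this device was not ' \
                   'connected or authorized by you we recommend to check your router ' \
                   'configuration and disallow the access to this device.'
     reference = 'https://en.wikipedia.org/wiki/Networking_hardware'
     # The original picked between two lambdas to fall back to '' when the
     # lookup result is falsy; a plain `or` expresses the same choice.
     vendor = utils.get_vendor(mac) or ''
     indicators = ip + '|' + mac + '|' + hostname + '|' + vendor
     a = [0, 'new_device', ts, ctime, 0, 0, 'New Device', ip, indicators, 0, description, reference]
     alert_id = utils.add_alert_to_db(a)
     homenet.hosts[ip].alerts.append(alert_id)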
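    def run(self):
        """Poll the tab-separated Bro/Zeek notice.log and raise alerts for port-scan notices.

        Runs forever: every 5 seconds the whole file is re-read, '#'-prefixed
        header/footer lines are skipped, and the uid in the second tab column
        is checked against ``self.recorded`` so each notice is processed once.
        A line matching ``self.scan_regex`` yields a ``port_scan`` alert, only
        when the source is present in ``homenet.hosts``. Read failures are
        logged at debug level and the loop keeps going.
        """
        global homenet
        global lock

        notice_log = '/usr/local/bro/logs/current/notice.log'

        while 1:
            try:
                # The original never closed the handle, leaking a descriptor
                # on every pass round the loop.
                with open(notice_log, 'r') as f:
                    lines = f.readlines()
                for line in lines:
                    line = line.strip()
                    # An empty line used to raise IndexError on line[0]; that
                    # is not an IOError, so it killed the polling thread.
                    if not line or line.startswith('#'):
                        continue
                    fields = line.split('\t')
                    if len(fields) < 2:
                        continue
                    uid = fields[1]
                    # NOTE(review): ``self.recorded`` is a list (see the slice
                    # delete below), so this membership test is O(n) per line
                    # with n up to 100000 - a set mirror would be cheaper if
                    # the owner of ``recorded`` can be changed.
                    if uid in self.recorded:
                        continue
                    scan = re.search(self.scan_regex, line)
                    if scan:
                        self._alert_port_scan(scan)
                    self.recorded.append(uid)
            except (IOError, OSError) as e:
                # e.message exists only on Python 2 and e.__doc__ may be None;
                # str() on both keeps this handler from raising itself.
                log.debug('FG-WARN: read_bro_notice_log - ' + str(e.__doc__) +
                          " - " + str(e))

            # NOTE(review): clearing the list means every uid still present in
            # the current file is alerted on again on the next pass - confirm
            # whether that duplicate alerting is acceptable.
            if len(self.recorded) > 100000:
                del self.recorded[:]

            time.sleep(5)

    def _alert_port_scan(self, scan):
        """Store a ``port_scan`` alert for the source captured by the *scan* match.

        Groups 1-3 of the match are the notice timestamp, source and
        destination; group 4 (duration) is not used. Nothing is stored when
        the source is not a known host.
        """
        ts = int(float(scan.group(1)))
        src = scan.group(2)
        dst = scan.group(3)
        with lock:
            if src not in homenet.hosts:
                return
            ctime = int(time.time())
            description = 'This host has been detected scanning one or multiple destination ' \
                          'IP addresses for open ports. This could indicate that a hacker has ' \
                          'compromised and taken control of this device and is now trying to locate ' \
                          'and compromise other hosts in your network.'
            reference = 'https://en.wikipedia.org/wiki/Port_scanner'
            # Positional record layout expected by utils.add_alert_to_db; src
            # and dst are log-derived strings, so the DB layer is assumed to
            # use parameterised statements - confirm.
            a = [
                0, 'port_scan', ts, ctime, 0, 0,
                'Port Scan', src, dst, 0,
                description, reference
            ]
            alert_id = utils.add_alert_to_db(a)
            homenet.hosts[src].alerts.append(alert_id)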