def create_heartbeat(heartbeat_id, heartbeat_date=None, heartbeat_interval=600, status='', analyzer_id=None):
    """
    Build a synthetic IDMEF Heartbeat for the test suite.

    :param str heartbeat_id: Heartbeat message ID (``heartbeat.messageid``).
    :param str heartbeat_date: Optional ``heartbeat.create_time``; not set when falsy.
    :param heartbeat_interval: Heartbeat interval, default 600 (units not shown
        here, presumably seconds).
    :param str status: Value stored under the "Analyzer status" additional_data entry.
    :param str analyzer_id: Analyzer ID; when falsy it is derived from
        ``heartbeat_id`` with the dashes stripped.
    :return: An IDMEF object carrying the heartbeat.
    :rtype: prelude.IDMEF
    """
    # Falsy check (not `is None`) so an empty string is replaced as well.
    effective_analyzer_id = analyzer_id or heartbeat_id.replace('-', '')

    fields = [
        ('heartbeat.messageid', heartbeat_id),
        ('heartbeat.heartbeat_interval', heartbeat_interval),
        ('heartbeat.analyzer(0).analyzerid', effective_analyzer_id),
        ('heartbeat.analyzer(0).name', 'prelude-testing'),
        ('heartbeat.analyzer(0).manufacturer', 'https://www.prelude-siem.com'),
        ('heartbeat.analyzer(0).node.name', 'testing.prelude'),
        ('heartbeat.additional_data(0).meaning', 'Analyzer status'),
        ('heartbeat.additional_data(0).data', status),
    ]
    # create_time goes first, and only when a date was actually supplied.
    if heartbeat_date:
        fields.insert(0, ('heartbeat.create_time', heartbeat_date))

    idmef = prelude.IDMEF()
    for path, value in fields:
        idmef.set(path, value)
    return idmef
    def newIDMEF(self):
        """
        Return a fresh IDMEF object pre-filled with this sensor's analyzer block.

        Only ``alert.analyzer(0)`` (name, manufacturer, class) is populated;
        source/target and classification are left for the caller. ``self`` is
        not read.
        """
        analyzer_fields = (
            ("alert.analyzer(0).name", "Armadito antivirus"),
            ("alert.analyzer(0).manufacturer", "www.teclib.com"),
            ("alert.analyzer(0).class", "Antivirus"),
        )
        msg = prelude.IDMEF()
        for path, value in analyzer_fields:
            msg.set(path, value)
        return msg
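def create_alert(alert_id, analyzer_id=None):
    """
    Create an IDMEF Alert for the test suite.

    :param str alert_id: Alert ID, stored as ``alert.messageid``.
    :param str analyzer_id: Optional analyzer ID. When omitted (or falsy) it
        is derived from ``alert_id`` with the dashes stripped, which is the
        same fallback create_heartbeat() uses; passing it explicitly lets a
        test pair alerts with a heartbeat from a chosen analyzer.
    :return: An IDMEF object with alert information.
    :rtype: prelude.IDMEF
    """
    idmef = prelude.IDMEF()
    idmef.set('alert.messageid', alert_id)
    # Falsy check so '' is replaced too, consistent with create_heartbeat().
    idmef.set('alert.analyzer(0).analyzerid', analyzer_id or alert_id.replace('-', ''))
    idmef.set('alert.analyzer(0).name', 'prelude-testing')
    idmef.set('alert.analyzer(0).manufacturer', 'https://www.prelude-siem.com')
    idmef.set('alert.analyzer(0).node.name', 'testing.prelude')

    return idmef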
p = select.poll()
# `f` is created before this excerpt (an object with a `.stdout` stream,
# presumably a subprocess) -- confirm against the lines above; `select`,
# `re` and `prelude` must also be imported there.
p.register(f.stdout)

# Create a new Prelude client.
clientPrelude = prelude.ClientEasy("MySensor")
clientPrelude.start()

# Severity names indexed by position; presumably looked up with the parsed
# "[Priority: N]" value further down, so an N outside 0..3 would raise
# IndexError -- confirm in the loop body.
priority = ["info", "low", "medium", "high"]

while True:
    if p.poll(1):
        s = f.stdout.readline()

        #conversion
        # Create the IDMEF message
        idmef = prelude.IDMEF()

        m = re.match(
            r'^([0-9:./-]+)\s+ \[(.+?)\] \[(.+?)\] (.+?) \[(.+?)\] \[Classification: (.+?)\] \[Priority: (\d+)] \{(.+?)\} (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d{1,5}) -> (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d{1,5})\n?',
            s)

        if m is None:
            m = re.match(
                r'^([0-9:./-]+)\s+ \[(.+?)\] \[(.+?)\] (.+?) \[(.+?)\] \[Classification: (.+?)\] \[Priority: (\d+)] \{(.+?)\} (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) -> (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\n?',
                s)

            if m is None:
                continue
            else:

                idmef.set("alert.target(0).node.address(0).address",
#!/usr/bin/env python
# -*- coding: utf-8 -*-

import sys
import prelude


def log_cb(level, str):
    """
    Forward a libprelude log line to stdout with a "log: " prefix.

    Registered via ``prelude.PreludeLog.setCallback``. ``level`` is ignored;
    ``str`` (name kept for callers, though it shadows the builtin) must
    already be a string and is written verbatim, no newline added.
    """
    print("log: " + str, end="", file=sys.stdout)


prelude.PreludeLog.setCallback(log_cb)

idmef = prelude.IDMEF()

# Fill in a classification plus two sources with several addresses each.
# The third address of source(1) is deliberately None; presumably this
# exercises how a null element is stored and printed -- confirm.
print("*** IDMEF->Set() ***")
values = (
    ("alert.classification.text", "My Message"),
    ("alert.source(0).node.address(0).address", "s0a0"),
    ("alert.source(0).node.address(1).address", "s0a1"),
    ("alert.source(1).node.address(0).address", "s1a0"),
    ("alert.source(1).node.address(1).address", "s1a1"),
    ("alert.source(1).node.address(2).address", None),
    ("alert.source(1).node.address(3).address", "s1a3"),
)
for path, value in values:
    idmef.set(path, value)
print(idmef)

# Single-value lookup.
print("\n*** Value IDMEF->Get() ***")
print(idmef.get("alert.classification.text"))

# Wildcard lookup across every source and every address.
print("\n*** Listed Value IDMEF->Get() ***")
print(idmef.get("alert.source(*).node.address(*).address"))
#!/usr/bin/env python
# coding: utf-8

import logging

from pykafka import KafkaClient
import prelude

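client_idmef = prelude.ClientEasy("MySensor")
client_idmef.start()

TOPIC_NAME = "Prelude_IDMEF"

# NOTE(review): plaintext broker, no authentication or TLS configured here.
# Anyone able to publish to TOPIC_NAME can inject arbitrary alerts into the
# SIEM through this bridge -- confirm the broker restricts producers.
client_kafka = KafkaClient(hosts="127.0.0.1:9092")
topic = client_kafka.topics[TOPIC_NAME]

# Offsets are auto-committed on a timer, independently of whether
# sendIDMEF() has run for a message, so a crash in between can lose it
# (at-most-once) -- acceptable for a test bridge, not for production.
consumer = topic.get_balanced_consumer(consumer_group='testgroup',
                                       auto_commit_enable=True,
                                       auto_commit_interval_ms=10000)

for message in consumer:
    if message is None:
        continue
    try:
        # message.value is untrusted input from the topic.
        idmef = prelude.IDMEF(message.value)
    except Exception:
        # One malformed message must not stop the whole bridge. Exception is
        # caught because the type prelude raises on bad input is not visible
        # here; the traceback is logged so the bad record is not silently lost.
        logging.exception("dropping message that did not parse as IDMEF")
        continue
    client_idmef.sendIDMEF(idmef)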
 def from_json(cls, data):
     """
     Build an instance from a JSON-derived mapping.

     ``data["idmef_json"]`` is passed to ``prelude.IDMEF`` unchanged, so all
     parsing (and any error on malformed input) happens there; a missing key
     raises KeyError. Presumably decorated with ``@classmethod`` above this
     excerpt -- confirm. NOTE(review): if ``data`` originates from an
     external caller, that payload is untrusted input to the IDMEF parser.
     """
     serialized = data["idmef_json"]
     return cls(prelude.IDMEF(serialized))