    def signature_detect(datetime, eventid, accountname, clientaddr, servicename, processname, objectname, sharedname, securityid):
        """Run signature-based detection over a single event.

        The nine fields are wrapped into an ``InputLog.InputLog`` record and
        handed to ``SignatureDetector.signature_detect``; its verdict is
        returned unchanged.

        :param datetime: Datetime of the event
        :param eventid: EventID
        :param accountname: Account name
        :param clientaddr: Source IP address
        :param servicename: Service name
        :param processname: Process name (command name)
        :param objectname: Object name
        :param sharedname: Share name
        :param securityid: Security ID
        :return: the detector's result (the original documents it as
                 True(1) if attack, False(0) if normal)
        """
        record = InputLog.InputLog(
            datetime, eventid, accountname, clientaddr, servicename,
            processname, objectname, sharedname, securityid,
        )
        return SignatureDetector.signature_detect(record)
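def preds():
    """Flask handler: run signature detection over one event posted as form fields.

    Every field is read from ``request.form`` and may be absent (``None``).
    Surrounding single quotes are stripped from each present value and,
    except for ``datetime``/``eventid``/``clientaddr``, the value is
    lower-cased.  The account name additionally loses any ``@realm`` suffix.

    Returns ``SignatureDetector.RESULT_NORMAL`` without running the detector
    when the account name is empty or contains ``DOMAIN_NAME`` (substring
    match); otherwise the result of ``SignatureDetector.signature_detect``.
    """

    def clean(value, lower=False):
        # Absent form fields stay None (the original crashed on a missing
        # 'datetime'/'eventid'); present ones lose surrounding quotes.
        if value is None:
            return None
        value = value.strip("'")
        return value.lower() if lower else value

    form = request.form
    datetime = clean(form.get('datetime', None))
    eventid = clean(form.get('eventid', None))
    clientaddr = clean(form.get('clientaddr', None))
    servicename = clean(form.get('servicename', None), lower=True)
    processname = clean(form.get('processname', None), lower=True)
    objectname = clean(form.get('objectname', None), lower=True)
    sharedname = clean(form.get('sharedname', None), lower=True)

    # Without this default the original raised UnboundLocalError further
    # down whenever the 'accountname' field was missing.
    accountname = None
    org_accountname = form.get('accountname', None)
    if org_accountname is not None:
        accountname = clean(org_accountname, lower=True).split('@')[0]
        # NOTE: substring match - any account name containing DOMAIN_NAME is
        # classified as normal before the detector runs; confirm this is the
        # intended scope of the exclusion.
        if DOMAIN_NAME in accountname or not accountname:
            return SignatureDetector.RESULT_NORMAL

    inputLog = InputLog.InputLog(datetime, eventid, accountname, clientaddr,
                                 servicename, processname, objectname,
                                 sharedname)
    result = SignatureDetector.signature_detect(inputLog)

    # str() keeps this debug line from raising TypeError on a None field.
    print(",".join(str(v) for v in (
        inputLog.get_eventid(), inputLog.get_accountname(),
        inputLog.get_clientaddr(), inputLog.get_processname())))
    print(result)

    return result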
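def preds(row):
    """Parse one Windows event-log row and run the detection pipeline on it.

    ``row`` is a sequence whose index 1 holds the timestamp, index 3 the
    event id and index 5 the multi-line event message.  Only events listed
    in ``TARGET_EVT`` are parsed; anything else returns
    ``SignatureDetector.RESULT_NORMAL`` immediately, as do accounts that are
    empty or contain ``DOMAIN_NAME`` (substring match).

    The extracted fields go through ``SignatureDetector.signature_detect``;
    a command-related verdict is then refined either by the ML model
    (``mode == MODE_ML``) or by the command whitelist.  Every fully
    processed event is appended to ``RESULT_FILE`` as a CSV row.

    Returns the final verdict.  Raises ``IndexError`` when a mandatory
    label ('Account Name', or 'Share Name' for share events) or its ':'
    separator is missing from the message, as the original did.
    """
    datetime = row[1]
    eventid = row[3]
    msg = row[5]
    item = msg.split("\n")

    if eventid not in TARGET_EVT:
        return SignatureDetector.RESULT_NORMAL

    def lines_with(label):
        # Every message line that mentions the given label.
        return [s for s in item if label in s]

    def after_colon(line):
        # NOTE(review): keeps only the text between the first two colons, so
        # values that themselves contain ':' (e.g. C:\ paths) are truncated.
        # Kept as in the original; confirm SignatureDetector expects this.
        return line.split(":")[1]

    clientaddr = ""
    servicename = ""
    processname = ""
    objectname = ""
    securityid = ""
    sharedname = ""

    org_accountname = after_colon(lines_with('Account Name')[0])

    # The original stored the two fallbacks in item_account by mistake, so
    # the 'Client Address' / 'Source Network Address' variants never applied.
    item_clientaddr = lines_with('Source Address')
    if not item_clientaddr:
        item_clientaddr = lines_with('Client Address')
    if not item_clientaddr:
        item_clientaddr = lines_with('Source Network Address')
    if len(item_clientaddr) >= 2:
        clientaddr = after_colon(item_clientaddr[0])

    item_service = lines_with('Service Name')
    if len(item_service) >= 2:
        servicename = after_colon(item_service[0])

    item_process = lines_with('Process Name')
    if len(item_process) >= 2:
        processname = item_process[0].split("New Process Name:")[1]

    item_obj = lines_with('Object Name')
    if len(item_obj) >= 2:
        objectname = after_colon(item_obj[0])

    item_id = lines_with('Security ID')
    if len(item_id) >= 2:
        securityid = after_colon(item_id[0])

    if eventid == SignatureDetector.EVENT_SHARE:
        sharedname = after_colon(lines_with('Share Name')[0])

    datetime = datetime.strip("'")
    eventid = eventid.strip("'")
    accountname = org_accountname.strip("'").lower().split('@')[0]
    if DOMAIN_NAME in accountname or not accountname:
        return SignatureDetector.RESULT_NORMAL
    clientaddr = clientaddr.strip("'")
    servicename = servicename.strip("'").lower()
    processname = processname.strip("'").lower()
    objectname = objectname.strip("'").lower()
    sharedname = sharedname.strip("'").lower()

    inputLog = InputLog.InputLog(datetime, eventid, accountname, clientaddr,
                                 servicename, processname, objectname,
                                 sharedname, securityid)
    result = SignatureDetector.signature_detect(inputLog)

    # Re-read from the record in case signature_detect normalised them -
    # TODO confirm whether it does.
    clientaddr = inputLog.get_clientaddr()
    processname = inputLog.get_processname()

    if result in (SignatureDetector.RESULT_CMD, SignatureDetector.RESULT_MAL_CMD):
        if mode == MODE_ML:
            result = ML.preds(eventid, accountname, processname, objectname,
                              base_dummies_4674, clf_4674, base_dummies_4688,
                              clf_4688)
        else:
            processname = processname.strip().strip("'")
            result = SignatureDetector.check_cmd_whitelist(processname)

    if result != SignatureDetector.RESULT_NORMAL and result != ML.RESULT_WARN:
        print("attack!!")

    # newline='' is required by the csv module (avoids blank lines on Windows).
    with open(RESULT_FILE, 'a', newline='') as f:
        csv.writer(f).writerow([
            datetime, eventid, accountname, clientaddr, servicename,
            processname, objectname, sharedname, result
        ])

    return result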
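def preds():
    """Flask handler: detect an attack in one event posted as form fields.

    Every field is read from ``request.form`` and may be absent (``None``).
    Present values lose surrounding single quotes and, except for
    ``datetime``/``eventid``/``clientaddr``, are lower-cased; the account
    name also loses any ``@realm`` suffix.

    A command-related signature verdict is refined by the ML model
    (``mode == MODE_ML``) or by the command whitelist.  Any verdict other
    than RESULT_NORMAL / ML.RESULT_WARN / SignatureDetector.WARN is mapped
    to tactics and forwarded to ``send_alert.Send_alert``.

    Returns ``"<result>,<tactics>"`` (tactics empty when no alert was
    raised).  The early exclusion for an empty account name or one
    containing ``DOMAIN_NAME`` returns the bare RESULT_NORMAL constant, as
    in the original.
    """

    def clean(value, lower=False):
        # Absent form fields stay None (the original crashed on a missing
        # 'datetime'/'eventid'); present ones lose surrounding quotes.
        if value is None:
            return None
        value = value.strip("'")
        return value.lower() if lower else value

    form = request.form
    datetime = clean(form.get('datetime', None))
    eventid = clean(form.get('eventid', None))
    clientaddr = clean(form.get('clientaddr', None))
    servicename = clean(form.get('servicename', None), lower=True)
    processname = clean(form.get('processname', None), lower=True)
    objectname = clean(form.get('objectname', None), lower=True)
    sharedname = clean(form.get('sharedname', None), lower=True)
    securityid = clean(form.get('securityid', None), lower=True)

    # Without this default the original raised UnboundLocalError further
    # down whenever the 'accountname' field was missing.
    accountname = None
    org_accountname = form.get('accountname', None)
    if org_accountname is not None:
        accountname = clean(org_accountname, lower=True).split('@')[0]
        # NOTE: substring match - any account name containing DOMAIN_NAME is
        # classified as normal before the detector runs; confirm this is the
        # intended scope of the exclusion.
        if DOMAIN_NAME in accountname or not accountname:
            return SignatureDetector.RESULT_NORMAL

    inputLog = InputLog.InputLog(datetime, eventid, accountname, clientaddr,
                                 servicename, processname, objectname,
                                 sharedname, securityid)
    result = SignatureDetector.signature_detect(inputLog)

    # Re-read from the record in case signature_detect normalised them -
    # TODO confirm whether it does.
    clientaddr = inputLog.get_clientaddr()
    processname = inputLog.get_processname()
    tactics = ''

    if result in (SignatureDetector.RESULT_CMD, SignatureDetector.RESULT_MAL_CMD):
        if mode == MODE_ML:
            result = ML.preds(eventid, accountname, processname, objectname,
                              base_dummies_4674, clf_4674, base_dummies_4688,
                              clf_4688)
        else:
            processname = processname.strip().strip("'")
            result = SignatureDetector.check_cmd_whitelist(processname)

    if result not in (SignatureDetector.RESULT_NORMAL, ML.RESULT_WARN,
                      SignatureDetector.WARN):
        print(result)
        # str() keeps this debug line from raising TypeError on a None field.
        print(",".join(str(v) for v in (
            inputLog.get_eventid(), inputLog.get_accountname(),
            inputLog.get_clientaddr(), inputLog.get_processname(),
            inputLog.get_sharedname())))
        tactics = identify_attack.identify_tactics(result, inputLog)
        # NOTE(review): clientaddr is passed twice here, exactly as in the
        # original; Send_alert's signature is not visible - confirm the
        # argument order against send_alert.
        send_alert.Send_alert(result + "," + tactics, datetime, clientaddr,
                              eventid, accountname, clientaddr, servicename,
                              processname, objectname, sharedname)

    return result + "," + tactics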
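def parse_event(org_row):
    """Parse one English-locale Windows event row and feed it to create_input_DL.

    ``org_row`` indices 1, 3 and 5 are the timestamp, event id and the
    multi-line message; every cell is first stripped of tabs.

    Side effects on module globals: ``cnt`` is incremented for every
    ``EVENT_ST`` row, and for every parsed target event the whitespace-free
    "account+clientaddr" key is stored in ``id`` and added to ``idlist``.
    Rows whose event id is not in ``TARGET_EVT``, and accounts that are
    empty or contain ``DOMAIN_NAME`` (substring match), are skipped.

    Raises ``IndexError`` when an expected label ('Account Name'/'Logon
    Account', the second account line for EVENT_LOGIN, 'Share Name' for
    EVENT_SHARE) or its ':' separator is missing, as the original did.
    """
    global cnt, id, idlist

    row = [i.strip('\t') for i in org_row]
    datetime = row[1]
    eventid = row[3]
    item = row[5].split("\n")

    if eventid == EVENT_ST:
        cnt += 1

    if eventid not in TARGET_EVT:
        return

    def lines_with(label):
        # Every message line that mentions the given label.
        return [s for s in item if label in s]

    def after_colon(line):
        # NOTE(review): keeps only the text between the first two colons, so
        # values that themselves contain ':' are truncated.  Kept as in the
        # original; confirm the consumers expect this.
        return line.split(":")[1]

    item_account = lines_with('Account Name') or lines_with('Logon Account')
    # Logon events take the second account line (index 1), as in the original.
    org_accountname = after_colon(item_account[1 if eventid == EVENT_LOGIN else 0])

    clientaddr = ""
    for label in ('Source Address', 'Client Address',
                  'Source Network Address', 'Source Workstation'):
        item_clientaddr = lines_with(label)
        if item_clientaddr:
            # Last ':'-separated piece, as in the original.
            clientaddr = item_clientaddr[0].split(":")[-1]
            break

    servicename = ""
    item_service = lines_with('Service Name')
    if len(item_service) >= 2:
        servicename = after_colon(item_service[0])

    processname = ""
    item_process = lines_with('Process Name')
    if len(item_process) >= 2:
        processname = item_process[0].split("New Process Name:")[1]
    elif item_process:
        processname = item_process[0].split("Process Name:")[1]

    objectname = ""
    item_obj = lines_with('Object Name')
    if len(item_obj) >= 2:
        objectname = after_colon(item_obj[0])

    securityid = ""
    item_id = lines_with('Security ID')
    if len(item_id) >= 2:
        securityid = after_colon(item_id[0])

    sharedname = ""
    if eventid == EVENT_SHARE:
        sharedname = after_colon(lines_with('Share Name')[0])

    datetime = datetime.strip("'")
    eventid = eventid.strip("'")
    accountname = org_accountname.strip("'").lower().split('@')[0]
    if DOMAIN_NAME in accountname or not accountname:
        return
    clientaddr = clientaddr.strip("'")
    servicename = servicename.strip("'").lower()
    processname = processname.strip("'").lower()
    objectname = objectname.strip("'").lower()
    sharedname = sharedname.strip("'").lower()

    # `id` is a module global that shadows the builtin; kept because other
    # code reads it.  The original's `str(id)` suffix was always "" (it had
    # just reset id to ""), so the key is simply account + address.
    id = (accountname + clientaddr).strip().replace(" ", "").replace("\t", "")
    idlist.add(id)

    inputLog = InputLog.InputLog(datetime, eventid, accountname,
                                 clientaddr, servicename, processname,
                                 objectname, sharedname, securityid)
    create_input_DL(inputLog)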
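def parse_event_jp(org_row):
    """Parse one Japanese-locale Windows event row and feed it to create_input_DL.

    Same contract as ``parse_event`` with Japanese field labels.
    ``org_row`` indices 1, 3 and 5 are the timestamp, event id and the
    multi-line message; every cell is first stripped of tabs.

    Side effects on module globals: ``cnt`` is incremented for every
    ``EVENT_ST`` row, and for every parsed target event the whitespace-free
    "account+clientaddr" key is stored in ``id`` and added to ``idlist``.
    Rows whose event id is not in ``TARGET_EVT``, and accounts that are
    empty or contain ``DOMAIN_NAME`` (substring match), are skipped.

    Raises ``IndexError`` when an expected label (account name / logon
    account, the second account line for EVENT_LOGIN, share name for
    EVENT_SHARE) or its ':' separator is missing, as the original did.
    """
    global cnt, id, idlist

    row = [i.strip('\t') for i in org_row]
    datetime = row[1]
    eventid = row[3]
    item = row[5].split("\n")

    if eventid == EVENT_ST:
        cnt += 1

    if eventid not in TARGET_EVT:
        return

    def lines_with(label):
        # Every message line that mentions the given label.
        return [s for s in item if label in s]

    def after_colon(line):
        # NOTE(review): keeps only the text between the first two colons, so
        # values that themselves contain ':' are truncated.  Kept as in the
        # original; confirm the consumers expect this.
        return line.split(":")[1]

    item_account = lines_with('アカウント名') or lines_with('ログオン アカウント')
    # Logon events take the second account line (index 1), as in the original.
    org_accountname = after_colon(item_account[1 if eventid == EVENT_LOGIN else 0])

    clientaddr = ""
    for label in ('ソース アドレス', 'クライアント アドレス',
                  'ソース ネットワーク アドレス', 'ソース ワークステーション'):
        item_clientaddr = lines_with(label)
        if item_clientaddr:
            # Last ':'-separated piece, as in the original.
            clientaddr = item_clientaddr[0].split(":")[-1]
            break

    servicename = ""
    item_service = lines_with('サービス名')
    if len(item_service) >= 2:
        servicename = after_colon(item_service[0])

    processname = ""
    item_process = lines_with('プロセス名')
    if len(item_process) >= 2:
        processname = item_process[0].split("新しいプロセス名:")[1]
    elif item_process:
        processname = item_process[0].split("プロセス名:")[1]

    objectname = ""
    item_obj = lines_with('オブジェクト名')
    if len(item_obj) >= 2:
        objectname = after_colon(item_obj[0])

    # The original looked for 'セキュリティ IDD' (extra D), which never
    # matched, so securityid was always left empty.  The English parser and
    # the Japanese detector use 'セキュリティ ID'.
    securityid = ""
    item_id = lines_with('セキュリティ ID')
    if len(item_id) >= 2:
        securityid = after_colon(item_id[0])

    sharedname = ""
    if eventid == EVENT_SHARE:
        sharedname = after_colon(lines_with('共有名')[0])

    datetime = datetime.strip("'")
    eventid = eventid.strip("'")
    accountname = org_accountname.strip("'").lower().split('@')[0]
    if DOMAIN_NAME in accountname or not accountname:
        return
    clientaddr = clientaddr.strip("'")
    servicename = servicename.strip("'").lower()
    processname = processname.strip("'").lower()
    objectname = objectname.strip("'").lower()
    sharedname = sharedname.strip("'").lower()

    # `id` is a module global that shadows the builtin; kept because other
    # code reads it.  The original's `str(id)` suffix was always "" (it had
    # just reset id to ""), so the key is simply account + address.
    id = (accountname + clientaddr).strip().replace(" ", "").replace("\t", "")
    idlist.add(id)

    inputLog = InputLog.InputLog(datetime, eventid, accountname,
                                 clientaddr, servicename, processname,
                                 objectname, sharedname, securityid)
    create_input_DL(inputLog)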
fo.write("datetime,eventid,accountname,clientaddr,servicename,processname,objectname,sharedname,result_sig,result_ML\n")

for row in f:
    datetime=row.get("datetime")
    eventid=row.get("eventid")
    accountname=row.get("accountname")
    clientaddr=row.get("clientaddr")
    servicename=row.get("servicename")
    processname=row.get("processname")
    objectname=row.get("objectname")
    sharedname=row.get("sharedname")

    #print(datetime+","+eventid+","+accountname+","+clientaddr)

    # To specify parameter as Object
    inputLog = InputLog.InputLog(datetime, eventid, accountname, clientaddr, servicename, processname, objectname,sharedname)
    sig_result=SignatureDetector.signature_detect(inputLog)
    #print("sig_result"+sig_result)

    result=sig_result
    if (sig_result == SignatureDetector.RESULT_CMD or sig_result == SignatureDetector.RESULT_MAL_CMD):
        result = ML.ml_detect(eventid, accountname, processname, objectname, base_dummies_4674, clf_4674, base_dummies_4688, clf_4688)

    #print("result" + result)
    csvlist = []
    csvlist.append(datetime)
    csvlist.append(eventid)
    csvlist.append(accountname)
    csvlist.append(clientaddr)
    csvlist.append(servicename)
    csvlist.append(processname)
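def preds(row, file):
    """Parse one Japanese-locale Windows event row and run detection on it.

    ``row`` indices 1, 3 and 5 hold the timestamp, event id and multi-line
    message.  Events not in ``TARGET_EVT`` return
    ``SignatureDetector.RESULT_NORMAL`` without writing a result row, as do
    accounts that are empty or contain ``DOMAIN_NAME`` (substring match).
    Every other event is appended to ``RESULT_FILE`` as a CSV row ending
    with the verdict and ``file``.

    Any exception raised while parsing or detecting is appended to
    ``logfile`` (the message followed by the error text) and the partially
    filled row is still recorded, with ``result`` left empty.

    ``file`` is recorded unchanged in the last CSV column.
    NOTE(review): the original overwrote this parameter with '' on entry
    and, on the error path, with the open log handle (never closed and then
    written into the CSV); assuming the caller's value is what the column
    is meant to hold - confirm with the caller.
    """
    datetime = ''
    eventid = ''
    accountname = ''
    clientaddr = ''
    servicename = ''
    processname = ''
    objectname = ''
    sharedname = ''
    securityid = ''
    result = ''
    msg = ''  # initialised so the except branch can always log it
    try:
        datetime = row[1]
        eventid = row[3]
        msg = row[5]
        item = msg.split("\n")

        if eventid not in TARGET_EVT:
            return SignatureDetector.RESULT_NORMAL

        def lines_with(label):
            # Every message line that mentions the given label.
            return [s for s in item if label in s]

        def after_colon(line):
            # NOTE(review): keeps only the text between the first two
            # colons, so values that themselves contain ':' are truncated.
            # Kept as in the original; confirm SignatureDetector expects it.
            return line.split(":")[1]

        # NTLM events carry the account under a different label (per the
        # original's branch).
        account_label = ('ログオン アカウント'
                         if eventid == SignatureDetector.EVENT_NTLM
                         else 'アカウント名')
        item_account = lines_with(account_label)
        # Logon events take the second account line (index 1), as in the original.
        org_accountname = after_colon(
            item_account[1 if eventid == SignatureDetector.EVENT_LOGIN else 0])

        for label in ('送信元アドレス', 'クライアント アドレス',
                      'ソース ネットワーク アドレス', 'ソース ワークステーション'):
            item_clientaddr = lines_with(label)
            if item_clientaddr:
                # Last ':'-separated piece, as in the original.
                clientaddr = item_clientaddr[0].split(":")[-1]
                break

        item_service = lines_with('サービス名')
        if len(item_service) >= 2:
            servicename = after_colon(item_service[0])

        item_process = lines_with('プロセス名')
        if len(item_process) >= 2:
            processname = item_process[0].split("新しいプロセス名:")[1]
        elif item_process:
            processname = item_process[0].split("プロセス名:")[1]

        item_obj = lines_with('オブジェクト名')
        if len(item_obj) >= 2:
            objectname = after_colon(item_obj[0])

        item_id = lines_with('セキュリティ ID')
        if item_id:
            securityid = after_colon(item_id[0])

        if eventid == SignatureDetector.EVENT_SHARE:
            sharedname = after_colon(lines_with('共有名')[0])

        datetime = datetime.strip("'")
        eventid = eventid.strip("'")
        # strip() already removes tabs, so the original's extra strip('\t')
        # was a no-op.
        accountname = org_accountname.strip("'").strip().lower().split('@')[0]
        if DOMAIN_NAME in accountname or not accountname:
            return SignatureDetector.RESULT_NORMAL
        clientaddr = clientaddr.strip("'")
        servicename = servicename.strip("'").lower()
        processname = processname.strip("'").lower()
        objectname = objectname.strip("'").lower()
        sharedname = sharedname.strip("'").lower()
        securityid = securityid.strip("'").strip().lower()

        inputLog = InputLog.InputLog(datetime, eventid, accountname,
                                     clientaddr, servicename, processname,
                                     objectname, sharedname, securityid)
        result = SignatureDetector.signature_detect(inputLog)

        # Re-read from the record in case signature_detect normalised them -
        # TODO confirm whether it does.
        clientaddr = inputLog.get_clientaddr()
        processname = inputLog.get_processname()

        if result in (SignatureDetector.RESULT_CMD,
                      SignatureDetector.RESULT_MAL_CMD):
            if mode == MODE_ML:
                # ML refinement is disabled in this build: the original only
                # printed a blank line here and kept the signature verdict.
                print()
            else:
                processname = processname.strip().strip("'")
                result = SignatureDetector.check_cmd_whitelist(processname)

        if result != SignatureDetector.RESULT_NORMAL:
            print(result)
            print(msg)

    except Exception as e:
        # Parse/detect failures are logged and the row is still recorded
        # below.  The original passed the exception object to write()
        # (TypeError) and leaked the handle.
        with open(logfile, 'a') as log:
            log.write(msg + "\n" + str(e) + "\n")

    # newline='' is required by the csv module (avoids blank lines on Windows).
    with open(RESULT_FILE, 'a', newline='') as f:
        csv.writer(f).writerow([
            datetime, eventid, accountname, clientaddr, servicename,
            processname, objectname, sharedname, result, file
        ])

    return result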