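def run(self, idmef):
    """Emit a correlation alert when a source address of *idmef* is in the DShield table.

    Every address under ``alert.source(*).node.address(*).address`` is looked
    up in ``self.__iphash`` (the pre-loaded DShield address table; assumed to
    be dict-like).  For each hit a new IDMEF correlation alert is built that
    carries the original source/target nodes, a reference to the triggering
    alert (message id + last analyzerid in the chain) and a fixed ``high``
    severity, and it is emitted with ``alert()``.

    Args:
        idmef: the incoming IDMEF alert; read through ``Get``.

    Returns:
        None.  Side effect: one correlation alert per matching address, so an
        alert with several listed source addresses produces several alerts.
    """
    # `or []` keeps the loop safe if Get() yields None for a path that is
    # not set on this alert; a real list is iterated unchanged.
    addresses = idmef.Get("alert.source(*).node.address(*).address") or []
    for source in addresses:
        # `in` replaces dict.has_key(), which is Python 2 only; it is the
        # same membership test on both interpreters.
        if source not in self.__iphash:
            continue
        ca = IDMEF()
        ca.Set("alert.source(>>)", idmef.Get("alert.source"))
        ca.Set("alert.target(>>)", idmef.Get("alert.target"))
        ca.Set("alert.correlation_alert.alertident(>>).alertident", idmef.Get("alert.messageid"))
        # Last analyzerid of the analyzer path, the same convention the
        # sibling plugins in this file use for the alert reference.
        ca.Set("alert.correlation_alert.alertident(-1).analyzerid", idmef.Get("alert.analyzer(*).analyzerid")[-1])
        ca.Set("alert.classification.text", "IP source matching Dshield database")
        ca.Set("alert.correlation_alert.name", "IP source matching Dshield database")
        ca.Set("alert.assessment.impact.description", "Dshield gather IP addresses tagged from firewall logs drops")
        # NOTE(review): severity is hard-coded to "high" on any list hit.  A
        # DShield listing is reputation data that can be stale or shared
        # (NAT/CGNAT), so downstream should treat this as a lead, not proof.
        ca.Set("alert.assessment.impact.severity", "high")
        ca.alert()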
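def run(self, idmef):
    """Flag a *successful* alert that was created outside office hours.

    The alert's ``create_time`` is converted to the correlator host's local
    time.  If it falls on Saturday or Sunday, or before 09:00 or from 19:00
    on a weekday, and the triggering alert reports
    ``assessment.impact.completion == "succeeded"``, a correlation alert
    named "Critical system activity on day off" is emitted that copies the
    source, target and classification of the original and references it.

    Args:
        idmef: the incoming IDMEF alert; read through ``Get``.

    Returns:
        None.  Side effect: at most one correlation alert per call.
    """
    # NOTE(review): localtime() uses the host's timezone, so "office hours"
    # are those of the machine running the correlator, not of the sensor.
    t = time.localtime(int(idmef.Get("alert.create_time")))
    weekend = t.tm_wday in (5, 6)
    # Bug fix: the original tested `tm_hour >= 9 or tm_hour <= 18`, which is
    # true for every hour of the day, so the off-hours filter never filtered
    # anything and every successful alert was reported as day-off activity.
    # Off-hours means strictly before 9 or strictly after 18.
    off_hours = t.tm_hour < 9 or t.tm_hour > 18
    if not (weekend or off_hours):
        return
    # Only successful activity is escalated; attempts are ignored here.
    if idmef.Get("alert.assessment.impact.completion") != "succeeded":
        return
    ca = IDMEF()
    ca.Set("alert.source", idmef.Get("alert.source"))
    ca.Set("alert.target", idmef.Get("alert.target"))
    ca.Set("alert.classification", idmef.Get("alert.classification"))
    ca.Set("alert.correlation_alert.alertident(>>).alertident", idmef.Get("alert.messageid"))
    # Last analyzerid of the analyzer path, as the sibling plugins do.
    ca.Set("alert.correlation_alert.alertident(-1).analyzerid", idmef.Get("alert.analyzer(*).analyzerid")[-1])
    ca.Set("alert.correlation_alert.name", "Critical system activity on day off")
    ca.alert()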
def run(self, idmef):
    """Correlate any alert created outside the configured work schedule.

    The alert's ``create_time`` is converted to host-local time and stored on
    ``self.__t``.  When its weekday is in ``self.__offdays``, or its hour is
    below ``self.__hworkstart`` or above ``self.__hworkend`` (both bounds
    count as working hours), a correlation alert named "Critical system
    activity on day off" is emitted that references *idmef* via
    ``addAlertReference`` and copies its classification.  Unlike the sibling
    plugin that checks ``impact.completion == "succeeded"``, that filter is
    commented out here, so attempts are reported as well as successes.

    Args:
        idmef: the incoming IDMEF alert; read through ``Get``.

    Returns:
        None.  Side effects: assigns ``self.__t``; emits at most one alert.
    """
    # Kept on the instance exactly as before; whether anything else reads
    # self.__t is not visible from this method.
    self.__t = time.localtime(int(idmef.Get("alert.create_time")))
    when = self.__t
    on_off_day = when.tm_wday in self.__offdays
    before_work = when.tm_hour < self.__hworkstart
    after_work = when.tm_hour > self.__hworkend
    if not (on_off_day or before_work or after_work):
        return
    # The completion == "succeeded" filter is disabled in this plugin.
    ca = IDMEF()
    ca.addAlertReference(idmef)
    ca.Set("alert.classification", idmef.Get("alert.classification"))
    ca.Set("alert.correlation_alert.name", "Critical system activity on day off")
    ca.alert()