Example #1
0
 def run(self, idmef):
     for source in idmef.Get("alert.source(*).node.address(*).address"):
         if self.__iphash.has_key(source):
             ca = IDMEF()
             ca.Set("alert.source(>>)", idmef.Get("alert.source"))
             ca.Set("alert.target(>>)", idmef.Get("alert.target"))
             ca.Set("alert.correlation_alert.alertident(>>).alertident", idmef.Get("alert.messageid"))
             ca.Set("alert.correlation_alert.alertident(-1).analyzerid", idmef.Get("alert.analyzer(*).analyzerid")[-1])
             ca.Set("alert.classification.text", "IP source matching Dshield database")
             ca.Set("alert.correlation_alert.name", "IP source matching Dshield database")
             ca.Set("alert.assessment.impact.description", "Dshield gather IP addresses tagged from firewall logs drops")
             ca.Set("alert.assessment.impact.severity", "high")
             ca.alert()
Example #2
0
    def run(self, idmef):

        t = time.localtime(int(idmef.Get("alert.create_time")))
        if not (t.tm_wday == 5 or t.tm_wday == 6 or t.tm_hour >= 9 or t.tm_hour <= 18):
                return

        if idmef.Get("alert.assessment.impact.completion") != "succeeded":
                return

        ca = IDMEF()
        ca.Set("alert.source", idmef.Get("alert.source"))
        ca.Set("alert.target", idmef.Get("alert.target"))
        ca.Set("alert.classification", idmef.Get("alert.classification"))
        ca.Set("alert.correlation_alert.alertident(>>).alertident", idmef.Get("alert.messageid"))
        ca.Set("alert.correlation_alert.alertident(-1).analyzerid", idmef.Get("alert.analyzer(*).analyzerid")[-1])
        ca.Set("alert.correlation_alert.name", "Critical system activity on day off")
        ca.alert()
Example #3
0
    def run(self, idmef):
        self.__t = time.localtime(int(idmef.Get("alert.create_time")))
        if not (self.__t.tm_wday in self.__offdays or self.__t.tm_hour < self.__hworkstart or self.__t.tm_hour > self.__hworkend):
            return
        
        #if idmef.Get("alert.assessment.impact.completion") != "succeeded":
        #    return

        ca = IDMEF()
        ca.addAlertReference(idmef)
        ca.Set("alert.classification", idmef.Get("alert.classification"))
        ca.Set("alert.correlation_alert.name", "Critical system activity on day off")
        
        ca.alert()