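def run(customer, result_type, server):
    """Find log entries that reached blacklisted URLs for one customer and report a count.

    Args:
        customer: customer whose data is searched and under whom results are stored.
        result_type: result name used both to clear the previous results and to
            store/count the new ones.
        server: endpoint handed to ESServer(). It is wrapped in a one-element list
            here while sibling run() functions pass it bare -- confirm which form
            ESServer() actually expects.

    Side effects:
        Rebinds the module-global ht_data, deletes the customer's previous results
        of type result_type, stores new ones via find_blacklisted_ipvoid(), and
        prints colored progress to stdout.

    Notes:
        The original declared ``global BLACKLIST_COUNT`` without ever touching it;
        the declaration had no effect and was dropped.
    """
    global ht_data
    ht_data = ESServer([server])

    print(colors.bcolors.OKBLUE + '[-] Finding blacklisted URLS for customer '
          + colors.bcolors.HEADER + customer + colors.bcolors.OKBLUE + ' [-]'
          + colors.bcolors.ENDC)

    # Destructive: the old result set is removed before the new one exists, so a
    # failure inside find_blacklisted_ipvoid() leaves the customer with none.
    ht_data.delete_results(customer, result_type)
    # NOTE(review): the name suggests an external (IPVoid) reputation lookup; if
    # so, customer indicators leave the environment -- confirm before use.
    find_blacklisted_ipvoid(customer, result_type)

    # Only the size is reported; the hits and scroll id are not used here.
    # Assumes scroll_size is the total match count rather than the size of the
    # first 1000-document page -- TODO confirm in ESServer.get_data().
    _, _, scroll_size = ht_data.get_data(
        customer, 'results', [], [{'result_type': result_type}], [], '', 1000)
    print(colors.bcolors.FAIL + '[!] Found ' + str(scroll_size)
          + ' connections to blacklisted URLs in log entries [!]'
          + colors.bcolors.ENDC)
    print(colors.bcolors.OKGREEN + '[+] Finished finding blacklisted URLS for customer '
          + colors.bcolors.HEADER + customer + colors.bcolors.OKGREEN + ' [+]'
          + colors.bcolors.ENDC)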
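def run(customer, proto, threshold, graph, graph_thresh, potential_save_dir,
        result_type, server):
    """Run the port-scan analysis for one customer and print timing.

    Args:
        customer: customer whose data is analysed and under whom results are stored.
        proto: protocol filter; an empty string means no filter and the
            " with protocol ..." clause is left out of the banners.
        threshold, graph, graph_thresh, potential_save_dir: passed straight through
            to scan_analysis(); their meaning is defined there.
        result_type: result name; previous results of this name are deleted first.
        server: endpoint handed to ESServer().

    Side effects:
        Rebinds the module-global ht_data, deletes previous results, writes new
        ones via scan_analysis(), and prints colored progress to stdout.

    Notes:
        The original printed each banner as several ``print(...),`` statements.
        That relies on the Python 2 print statement's trailing-comma/softspace
        behaviour; under Python 3 it builds a throwaway tuple and emits a newline
        after every fragment. Joining the fragments with a single space
        reproduces the Python 2 output exactly on both versions.
    """
    global ht_data
    ht_data = ESServer(server)

    # Optional protocol clause shared by the start and finish banners.
    proto_clause = []
    if proto != "":
        proto_clause.append(colors.bcolors.OKBLUE + ' with protocol '
                            + colors.bcolors.HEADER + proto)

    print(' '.join(
        [colors.bcolors.OKBLUE + '[-] Checking potential port scans for '
         + colors.bcolors.HEADER + customer]
        + proto_clause
        + [colors.bcolors.OKBLUE + '[-]' + colors.bcolors.ENDC]))

    # Wall-clock timing (time.time() can jump if the clock is adjusted).
    time_start = time.time()

    # Destructive: old results are gone before the new analysis runs, so a
    # failure in scan_analysis() leaves the customer with no scan results.
    ht_data.delete_results(customer, result_type)
    scan_analysis(customer, proto, threshold, graph, graph_thresh,
                  potential_save_dir, result_type)

    time_elapsed = time.time() - time_start

    print(' '.join(
        [colors.bcolors.OKGREEN + '[+] Finished checking potential port scans for '
         + colors.bcolors.HEADER + customer]
        + proto_clause
        + [colors.bcolors.OKBLUE + '[-]' + colors.bcolors.ENDC]))
    print(colors.bcolors.OKGREEN + '[+] Time for scan analysis: ' + str(time_elapsed)
          + ' [+]' + colors.bcolors.ENDC)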
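def run(customer, proto, threshold, graph, potential_save_dir, result_type, server):
    """Run the port-scan analysis for one customer, report the hit count and timing.

    Args:
        customer: customer whose data is analysed and under whom results are stored.
        proto: protocol filter; an empty string means no filter and the
            " with protocol ..." clause is left out of the banners.
        threshold, graph, potential_save_dir: passed straight through to
            scan_analysis(); their meaning is defined there.
        result_type: result name used to clear, store and count the results.
        server: endpoint handed to ESServer().

    Side effects:
        Rebinds the module-global ht_data, deletes previous results, writes new
        ones via scan_analysis(), and prints colored progress to stdout.

    Notes:
        The original printed each banner as several ``print(...),`` statements,
        which only stay on one line under the Python 2 print statement; under
        Python 3 each fragment gets its own line. Joining with a single space
        reproduces the Python 2 output exactly on both versions.
    """
    global ht_data
    ht_data = ESServer(server)

    # Optional protocol clause shared by the start and finish banners.
    proto_clause = []
    if proto != "":
        proto_clause.append(colors.bcolors.OKBLUE + ' with protocol '
                            + colors.bcolors.HEADER + proto)

    print(' '.join(
        [colors.bcolors.OKBLUE + '[-] Checking potential port scans for '
         + colors.bcolors.HEADER + customer]
        + proto_clause
        + [colors.bcolors.OKBLUE + '[-]' + colors.bcolors.ENDC]))

    time_start = time.time()

    # Destructive: old results are gone before the new analysis runs, so a
    # failure in scan_analysis() leaves the customer with no scan results.
    ht_data.delete_results(customer, result_type)
    scan_analysis(customer, proto, threshold, graph, potential_save_dir, result_type)

    time_elapsed = time.time() - time_start

    # Only the size is reported; the hits and scroll id are not used here.
    # Assumes scroll_size is the total match count rather than the size of the
    # first 1000-document page -- TODO confirm in ESServer.get_data().
    _, _, scroll_size = ht_data.get_data(
        customer, 'results', [], [{'result_type': result_type}], [], '', 1000)
    print(colors.bcolors.FAIL + '[!] Found ' + str(scroll_size)
          + ' potential port scans [!]' + colors.bcolors.ENDC)

    print(' '.join(
        [colors.bcolors.OKGREEN + '[+] Finished checking potential port scans for '
         + colors.bcolors.HEADER + customer]
        + proto_clause
        + [colors.bcolors.OKBLUE + '[-]' + colors.bcolors.ENDC]))
    print(colors.bcolors.OKGREEN + '[+] Time for scan analysis: ' + str(time_elapsed)
          + ' [+]' + colors.bcolors.ENDC)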
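def run(customer, result_type, server):
    """Find log entries that reached blacklisted URLs for one customer and report a count.

    Args:
        customer: customer whose data is searched and under whom results are stored.
        result_type: result name used to clear the previous results and to
            store/count the new ones.
        server: endpoint handed to ESServer(), wrapped in a one-element list here
            although sibling run() functions pass it bare -- confirm which form
            ESServer() expects.

    Side effects:
        Rebinds the module-global ht_data, deletes the customer's previous results
        of type result_type, stores new ones via find_blacklisted_ipvoid(), and
        prints colored progress to stdout.

    Notes:
        The unused ``global BLACKLIST_COUNT`` declaration of the original had no
        effect (nothing assigned to it) and was dropped.
    """
    global ht_data
    ht_data = ESServer([server])

    print(colors.bcolors.OKBLUE + '[-] Finding blacklisted URLS for customer '
          + colors.bcolors.HEADER + customer + colors.bcolors.OKBLUE + ' [-]'
          + colors.bcolors.ENDC)

    # Destructive: previous results are deleted before the new ones exist, so a
    # failure inside find_blacklisted_ipvoid() leaves the customer with none.
    ht_data.delete_results(customer, result_type)
    # NOTE(review): the name suggests an external (IPVoid) reputation lookup; if
    # so, customer indicators leave the environment -- confirm before use.
    find_blacklisted_ipvoid(customer, result_type)

    # Only the size is reported; hits and scroll id are unused here. Assumes
    # scroll_size is the total match count, not just the first 1000-document
    # page -- TODO confirm in ESServer.get_data().
    _, _, scroll_size = ht_data.get_data(
        customer, 'results', [], [{'result_type': result_type}], [], '', 1000)
    print(colors.bcolors.FAIL + '[!] Found ' + str(scroll_size)
          + ' connections to blacklisted URLs in log entries [!]'
          + colors.bcolors.ENDC)
    print(colors.bcolors.OKGREEN + '[+] Finished finding blacklisted URLS for customer '
          + colors.bcolors.HEADER + customer + colors.bcolors.OKGREEN + ' [+]'
          + colors.bcolors.ENDC)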
def run(customer, threshold, result_type, server):
    """Find long URLs in a customer's data and print progress banners.

    Args:
        customer: customer whose data is analysed and under whom results are stored.
        threshold: length threshold passed straight through to find_long_urls().
        result_type: result name; previous results of this name are deleted first.
        server: endpoint handed to ESServer() wrapped in a one-element list.

    Side effects:
        Rebinds the module-global ht_data, deletes previous results of
        result_type, writes new ones via find_long_urls(), prints to stdout.
    """
    global ht_data
    ht_data = ESServer([server])

    palette = colors.bcolors
    started = ''.join([palette.OKBLUE, '[-] Finding long URLs for customer ',
                       palette.HEADER, customer, palette.OKBLUE, ' [-]', palette.ENDC])
    finished = ''.join([palette.OKGREEN, '[+] Finished checking long URLs for customer ',
                        palette.HEADER, customer, palette.OKGREEN, ' [+]', palette.ENDC])

    print(started)
    # Old results are cleared before the new analysis produces anything; a
    # failure in find_long_urls() therefore leaves no results for this type.
    ht_data.delete_results(customer, result_type)
    find_long_urls(customer, threshold, result_type)
    print(finished)
def run(customer, threshold, result_type, server="http://localhost:5000/"):
    """Find long-duration connections for a customer and print progress banners.

    Args:
        customer: customer whose data is analysed and under whom results are stored.
        threshold: duration threshold passed straight through to find_long_durations().
        result_type: result name; previous results of this name are deleted first.
        server: endpoint handed to ESServer(). Unlike the other run() entry points
            this one has a default -- a plain-http localhost URL -- so a caller that
            omits it silently targets a local instance. Pass it explicitly.

    Side effects:
        Rebinds the module-global ht_data, deletes previous results of
        result_type, writes new ones via find_long_durations(), prints to stdout.
    """
    global ht_data
    ht_data = ESServer(server)

    palette = colors.bcolors
    started = ''.join([palette.OKBLUE, '[-] Finding long connections for customer ',
                       palette.HEADER, customer, palette.OKBLUE, ' [-]', palette.ENDC])
    finished = ''.join([palette.OKGREEN,
                        '[+] Finished checking long connections for customer ',
                        palette.HEADER, customer, palette.OKGREEN, ' [+]', palette.ENDC])

    print(started)
    # Old results are cleared before the new analysis produces anything; a
    # failure in find_long_durations() therefore leaves no results for this type.
    ht_data.delete_results(customer, result_type)
    find_long_durations(customer, threshold, result_type)
    print(finished)
def run(customer, result_type, server):
    """Cross-correlate a customer's previously stored malicious-behaviour results.

    Args:
        customer: customer whose existing results are analysed.
        result_type: result name under which find_cross_analysis() stores its
            output; previous results of this name are deleted first.
        server: endpoint handed to ESServer().

    Side effects:
        Rebinds the module-global ht_data, deletes previous results of
        result_type, writes new ones via find_cross_analysis(), prints to stdout.
    """
    global ht_data
    ht_data = ESServer(server)

    palette = colors.bcolors
    started = ''.join([palette.OKBLUE,
                       '[-] Performing cross-analysis of malicious behaviors for customer ',
                       palette.HEADER, customer, palette.OKBLUE, ' [-]', palette.ENDC])
    finished = ''.join([palette.OKGREEN,
                        '[+] Finished performing cross-analysis of malicious behaviors for customer ',
                        palette.HEADER, customer, palette.OKGREEN, ' [+]', palette.ENDC])

    print(started)
    # Old results are cleared before the new analysis produces anything; a
    # failure in find_cross_analysis() therefore leaves no results for this type.
    ht_data.delete_results(customer, result_type)
    find_cross_analysis(customer, result_type)
    print(finished)
def run(customer, result_type, server):
    """Find concurrent logins in a customer's data and print progress banners.

    Args:
        customer: customer whose data is analysed and under whom results are stored.
        result_type: result name under which find_concurrent() stores its output;
            previous results of this name are deleted first.
        server: endpoint handed to ESServer().

    Side effects:
        Rebinds the module-global ht_data, deletes previous results of
        result_type, writes new ones via find_concurrent(), prints to stdout.
    """
    global ht_data
    ht_data = ESServer(server)

    palette = colors.bcolors
    started = ''.join([palette.OKBLUE, '[-] Finding concurrent logins for customer ',
                       palette.HEADER, customer, palette.OKBLUE, ' [-]', palette.ENDC])
    finished = ''.join([palette.OKGREEN,
                        '[+] Finished finding concurrent logins for customer ',
                        palette.HEADER, customer, palette.OKGREEN, ' [+]', palette.ENDC])

    print(started)
    # Old results are cleared before the new analysis produces anything; a
    # failure in find_concurrent() therefore leaves no results for this type.
    ht_data.delete_results(customer, result_type)
    find_concurrent(customer, result_type)
    print(finished)
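def run(customer, proto, threshold_likely, threshold_unlikely, graph_likely,
        graph_unlikely, potential_save_dir, unlikely_save_dir, result_type, server):
    """Run the beacon analysis for one customer, optionally graph it, and print timing.

    Args:
        customer: customer whose data is analysed and under whom results are stored.
        proto: protocol filter; an empty string means no filter and the
            " with protocol ..." clause is left out of the banners.
        threshold_likely, threshold_unlikely: passed through to analyze_fft_data().
        graph_likely, graph_unlikely: when truthy, graph the 'likely_beacons' /
            'unlikely_beacons' results into potential_save_dir / unlikely_save_dir.
        potential_save_dir, unlikely_save_dir: output directories handed to
            find_beacons_graph() (how they are used is defined there).
        result_type: result name for beacon_analysis()/analyze_fft_data() output.
        server: endpoint handed to ESServer().

    Side effects:
        Rebinds the module-global ht_data; deletes the customer's result_type,
        'likely_beacons' and 'unlikely_beacons' results; writes new results via
        beacon_analysis() and analyze_fft_data(); may write graphs; prints
        colored progress to stdout.

    Notes:
        The original printed each banner as several ``print(...),`` statements,
        which only stay on one line under the Python 2 print statement; under
        Python 3 every fragment gets its own line. Joining with a single space
        reproduces the Python 2 output exactly on both versions. The closing
        timing line used to say "scan analysis" (copied from the port-scan
        module); it now names the analysis it actually timed.
    """
    global ht_data
    ht_data = ESServer(server)

    # Optional protocol clause shared by every banner below.
    proto_clause = []
    if proto != "":
        proto_clause.append(colors.bcolors.OKBLUE + ' with protocol '
                            + colors.bcolors.HEADER + proto)

    print(' '.join(
        [colors.bcolors.OKBLUE + '[-] Checking potential beacons for customer '
         + colors.bcolors.HEADER + customer]
        + proto_clause
        + [colors.bcolors.OKBLUE + '[-]' + colors.bcolors.ENDC]))

    time_start = time.time()

    # Destructive: three result sets are cleared before anything new is
    # written, so a failure in beacon_analysis()/analyze_fft_data() leaves the
    # customer with no beacon results at all.
    ht_data.delete_results(customer, result_type)
    ht_data.delete_results(customer, 'likely_beacons')
    ht_data.delete_results(customer, 'unlikely_beacons')

    beacon_analysis(customer, proto, result_type)
    analyze_fft_data(customer, proto, threshold_likely, threshold_unlikely, result_type)

    # Two optional graph passes: (category, enabled flag, output directory).
    graph_passes = (('likely_beacons', graph_likely, potential_save_dir),
                    ('unlikely_beacons', graph_unlikely, unlikely_save_dir))
    for category, enabled, save_dir in graph_passes:
        if not enabled:
            continue
        print(' '.join(
            [colors.bcolors.OKBLUE + '[-] Graphing potential beacons customer '
             + colors.bcolors.HEADER + customer + colors.bcolors.OKBLUE
             + ' with beaconing logs under result name ' + colors.bcolors.HEADER
             + result_type + colors.bcolors.OKBLUE + ' of type '
             + colors.bcolors.HEADER + category]
            + proto_clause
            + [colors.bcolors.OKBLUE + '[-]' + colors.bcolors.ENDC]))
        find_beacons_graph(customer, proto, category, save_dir)

    time_elapsed = time.time() - time_start

    print(' '.join(
        [colors.bcolors.OKGREEN + '[+] Finished checking potential beacons for '
         + colors.bcolors.HEADER + customer]
        + proto_clause
        + [colors.bcolors.OKGREEN + '[+]' + colors.bcolors.ENDC]))
    print(colors.bcolors.OKGREEN + '[+] Time for beacon analysis: ' + str(time_elapsed)
          + ' [+]' + colors.bcolors.ENDC)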
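def run(customer, proto, threshold_likely, threshold_unlikely, graph_likely,
        graph_unlikely, potential_save_dir, unlikely_save_dir, result_type, server):
    """Run the beacon analysis for one customer, optionally graph it, and print timing.

    Args:
        customer: customer whose data is analysed and under whom results are stored.
        proto: protocol filter; an empty string means no filter and the
            " with protocol ..." clause is left out of the banners.
        threshold_likely, threshold_unlikely: passed through to analyze_fft_data().
        graph_likely, graph_unlikely: when truthy, graph the 'likely_beacons' /
            'unlikely_beacons' results into potential_save_dir / unlikely_save_dir.
        potential_save_dir, unlikely_save_dir: output directories handed to
            find_beacons_graph() (how they are used is defined there).
        result_type: result name for beacon_analysis()/analyze_fft_data() output.
        server: endpoint handed to ESServer().

    Side effects:
        Rebinds the module-global ht_data; deletes the customer's result_type,
        'likely_beacons' and 'unlikely_beacons' results; writes new results via
        beacon_analysis() and analyze_fft_data(); may write graphs; prints
        colored progress to stdout.

    Notes:
        The original printed each banner as several ``print(...),`` statements,
        which only stay on one line under the Python 2 print statement; under
        Python 3 every fragment gets its own line. Joining with a single space
        reproduces the Python 2 output exactly on both versions. The closing
        timing line used to say "scan analysis" (copied from the port-scan
        module); it now names the analysis it actually timed.
    """
    global ht_data
    ht_data = ESServer(server)

    # Optional protocol clause shared by every banner below.
    proto_clause = []
    if proto != "":
        proto_clause.append(colors.bcolors.OKBLUE + ' with protocol '
                            + colors.bcolors.HEADER + proto)

    print(' '.join(
        [colors.bcolors.OKBLUE + '[-] Checking potential beacons for customer '
         + colors.bcolors.HEADER + customer]
        + proto_clause
        + [colors.bcolors.OKBLUE + '[-]' + colors.bcolors.ENDC]))

    time_start = time.time()

    # Destructive: three result sets are cleared before anything new is
    # written, so a failure in beacon_analysis()/analyze_fft_data() leaves the
    # customer with no beacon results at all.
    ht_data.delete_results(customer, result_type)
    ht_data.delete_results(customer, 'likely_beacons')
    ht_data.delete_results(customer, 'unlikely_beacons')

    beacon_analysis(customer, proto, result_type)
    analyze_fft_data(customer, proto, threshold_likely, threshold_unlikely, result_type)

    # Two optional graph passes: (category, enabled flag, output directory).
    graph_passes = (('likely_beacons', graph_likely, potential_save_dir),
                    ('unlikely_beacons', graph_unlikely, unlikely_save_dir))
    for category, enabled, save_dir in graph_passes:
        if not enabled:
            continue
        print(' '.join(
            [colors.bcolors.OKBLUE + '[-] Graphing potential beacons customer '
             + colors.bcolors.HEADER + customer + colors.bcolors.OKBLUE
             + ' with beaconing logs under result name ' + colors.bcolors.HEADER
             + result_type + colors.bcolors.OKBLUE + ' of type '
             + colors.bcolors.HEADER + category]
            + proto_clause
            + [colors.bcolors.OKBLUE + '[-]' + colors.bcolors.ENDC]))
        find_beacons_graph(customer, proto, category, save_dir)

    time_elapsed = time.time() - time_start

    print(' '.join(
        [colors.bcolors.OKGREEN + '[+] Finished checking potential beacons for '
         + colors.bcolors.HEADER + customer]
        + proto_clause
        + [colors.bcolors.OKGREEN + '[+]' + colors.bcolors.ENDC]))
    print(colors.bcolors.OKGREEN + '[+] Time for beacon analysis: ' + str(time_elapsed)
          + ' [+]' + colors.bcolors.ENDC)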