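def happy(request):
    """Render the search page and, on a valid POST, run the query and show its hits.

    Args:
        request: Django request; only ``method`` and ``POST`` are read.

    Returns:
        The rendered ``happytimes.html`` response. The context always carries
        ``form``, ``total``, ``result``, ``lat`` and ``lng``. ``result`` is the
        decoded ``records`` value and ``total`` the ``totalhits`` value when a
        query ran and returned a non-empty body; otherwise they stay ``''`` and
        ``'0'``. ``lat``/``lng`` echo the submitted coordinates, or the
        defaults below on GET / invalid POST.
    """
    from contextlib import closing

    final_result = ''
    total = '0'
    # Default map centre, used until the form supplies its own coordinates.
    lat = '31.218816'
    lng = '121.416603'

    if request.method == 'POST':
        form = DefaultForm(request.POST)
        if form.is_valid():
            data = form.cleaned_data
            keyword = data['keyword']
            clienttype = data['clienttype']
            postype = data['postype']
            sorttype = data['sorttype']
            lng = data['lng']
            lat = data['lat']
            distance = data['distance']

            # Only query when there is something to search for.
            if keyword != '' or distance != '':
                url = createQuery(keyword, sorttype, clienttype, postype, lng, lat, distance)
                # NOTE(review): the URL is assembled from form fields, so this
                # view relies on createQuery() pinning the scheme and host;
                # confirm it does before exposing the view more widely.
                # closing() releases the connection even if read() fails.
                with closing(urllib2.urlopen(encoding.smart_str(url))) as response:
                    result = response.read()
                if result != '':
                    # Decode once; the original parsed the same body twice.
                    payload = simplejson.loads(result)
                    final_result = payload['records']
                    total = payload['totalhits']
    else:
        form = DefaultForm()

    return render_to_response('happytimes.html', {'form': form, 'total':total, 'result': final_result, 'lat':lat, 'lng':lng }, context_instance=RequestContext(request))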
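def defaultconfig(request):
    """Show or replace the PXE ``default`` boot configuration.

    Only a logged-in user (``username`` present in the session) may reach the
    page; everyone else is redirected to ``/user/login/``.

    GET renders ``defaultconfig.html`` with the current text of
    ``/tftpboot/pxelinux.cfg/default``. A POST whose ``DefaultForm`` validates
    hands the submitted ``defaultconfig`` text to ``addmd5`` and then writes it
    to that file verbatim -- no syntax check of the PXE config happens here, so
    the form's own validation is the only gate before the boot config is
    replaced. An invalid POST re-renders the page with whatever value the form
    managed to clean (possibly an empty string).

    Args:
        request: Django request; reads ``session``, ``method`` and ``POST``.

    Returns:
        A rendered ``defaultconfig.html`` response or a login redirect.

    Raises:
        IOError: if the config file cannot be read or written. The original
            printed ``'IOError'`` and then returned ``None`` (which Django
            rejects anyway); it is now logged the same way and re-raised.
    """
    config_path = '/tftpboot/pxelinux.cfg/default'
    username = request.session.get('username', '')
    if not username:
        return HttpResponseRedirect('/user/login/')

    try:
        if request.method == "POST":
            fw = DefaultForm(request.POST)
            if fw.is_valid():
                # Use the validated value rather than the raw POST field.
                fs = fw.cleaned_data['defaultconfig']
                addmd5(fs, 'default')
                # 'with' closes the file even if write() raises; the original
                # 'finally: default.close()' could itself fail with an unbound
                # name when open() never ran.
                with open(config_path, 'w+') as config_file:
                    config_file.write(fs)
                return render_to_response('defaultconfig.html', {'defaultconfig': fs, 'username': username})
            # Invalid form: an invalid field is absent from cleaned_data, so
            # fall back to '' instead of raising KeyError.
            current = fw.cleaned_data.get('defaultconfig', '')
        else:
            # Reading only needs 'r'; 'r+' demanded write permission on GET.
            with open(config_path, 'r') as config_file:
                current = config_file.read()
    except IOError:
        print('IOError')
        raise
    return render_to_response('defaultconfig.html', {'defaultconfig': current, 'username': username})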
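def createHiveCase(esid):
    """Render the TheHive case form for the first Elasticsearch hit of *esid*.

    Only the first hit is used: the loop returns on its first iteration, so any
    further hits are ignored. A search with no hits falls off the loop and
    returns ``None``.

    Args:
        esid: Elasticsearch document id passed to ``get_hits``.

    Returns:
        The rendered ``hive.html`` template with ``title``, ``description``,
        ``severity`` (always 2) and a fresh ``DefaultForm``.

    Raises:
        KeyError: if the hit has no ``event`` object, or an ``alert`` dataset
            has no ``rule.name``.
    """
    search = get_hits(esid)
    severity = 2
    for item in search['hits']['hits']:
        result = item['_source']
        try:
            description = str(result['message'])
        except (KeyError, TypeError):
            # No 'message' field (or _source is not a mapping): fall back to
            # the whole document so the analyst still sees something. The
            # original used a bare except, which also hid unrelated errors.
            description = str(result)
        event = result['event']
        if event['dataset'] == 'alert':
            title = result['rule']['name']
        else:
            title = f'New {event["module"].capitalize()} {event["dataset"].capitalize()} Event'
        form = DefaultForm()
        return render_template('hive.html',
                               title=title,
                               description=description,
                               severity=severity,
                               form=form)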
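def eventModifyFields(esid):
    """Render the field-update form for the Elasticsearch document *esid*.

    ``get_hits`` may return several hits; as in the original loop, the last
    one wins.

    Args:
        esid: Elasticsearch document id passed to ``get_hits``.

    Returns:
        The rendered ``update_event.html`` with the hit's ``_source`` as
        ``result``, its ``_index`` as ``esindex``, ``esid``, the document's
        ``tags`` and a fresh ``DefaultForm``.

    Raises:
        LookupError: if the search returned no hits (the original failed with
            an UnboundLocalError at the template call instead).
        KeyError: if the chosen hit has no ``tags`` field.
    """
    hits = get_hits(esid)['hits']['hits']
    if not hits:
        raise LookupError(f'no Elasticsearch hit for esid {esid!r}')
    # Last hit wins, matching the original loop's overwrite semantics.
    hit = hits[-1]
    esindex = hit['_index']
    result = hit['_source']
    tags = result['tags']
    form = DefaultForm()
    return render_template('update_event.html', result=result, esindex=esindex, esid=esid, tags=tags, form=form)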
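def createHiveAlert(esid):
    """Prepare the TheHive alert form for the first Elasticsearch hit of *esid*.

    The hit's ``_source`` is classified by *substring* match on its
    ``event_type`` (``ids``, ``bro``, ``ossec``, ``sysmon``; anything else gets
    a generic title) to derive a title, tags and ``AlertArtifact`` observables.
    The artifacts are serialised with ``jsonpickle`` and rendered into
    ``hive.html`` together with a fresh ``DefaultForm``; nothing is sent to
    TheHive from here. Only the first hit is used because the loop returns on
    its first iteration; a search with no hits falls through and returns
    ``None``.

    Args:
        esid: Elasticsearch document id passed to ``getHits``.

    Returns:
        The rendered ``hive.html`` template (``title``, ``tlp``, ``tags``,
        ``description``, ``artifact_string``, ``sourceRef``, ``form``).

    Raises:
        KeyError: when a field the matching branch requires is missing from
            ``_source`` (``message``, ``event_type``, ``alert``, ``sid``, ...).
    """
    search = getHits(esid)
    tlp = int(parser.get('hive', 'hive_tlp'))
    bro_prefix = 'bro_'
    for result in search['hits']['hits']:
        source = result['_source']

        # Get initial details
        es_id = result['_id']
        description = str(source['message'])
        # Six hex chars of a random UUID: short, but not guaranteed unique.
        sourceRef = str(uuid.uuid4())[0:6]
        tags = ["SecurityOnion"]
        artifacts = []
        event_type = source['event_type']

        # Endpoint fields are optional; leave them None (rather than unbound,
        # which made the NIDS branch fail with UnboundLocalError) when absent.
        src = srcport = dst = dstport = None
        if 'source_ip' in source:
            src = str(source['source_ip'])
        if 'destination_ip' in source:
            dst = str(source['destination_ip'])
        if 'source_port' in source:
            srcport = str(source['source_port'])
        if 'destination_port' in source:
            dstport = str(source['destination_port'])

        # NIDS Alerts
        if 'ids' in event_type:
            alert = source['alert']
            sid = str(source['sid'])
            category = source['category']
            sensor = source['sensor_name']
            # NOTE(review): es_url is not defined in this function; presumably
            # a module-level setting -- confirm it is in scope.
            masterip = str(es_url.split("//")[1].split(":")[0])
            tags.append("nids")
            tags.append(category)
            title = alert
            print(alert)
            sys.stdout.flush()
            # Add artifacts; an IP the record did not carry is skipped instead
            # of becoming an empty observable.
            if src is not None:
                artifacts.append(AlertArtifact(dataType='ip', data=src))
            if dst is not None:
                artifacts.append(AlertArtifact(dataType='ip', data=dst))
            artifacts.append(AlertArtifact(dataType='other', data=sensor))
            endpoints = f"{src or ''}:{srcport or ''}-->{dst or ''}:{dstport or ''}"
            description = (
                "`NIDS Dashboard:` \n\n <https://" + masterip
                + "/kibana/app/kibana#/dashboard/ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'sid:"
                + sid + "')),sort:!('@timestamp',desc))> \n\n `IPs: `" + endpoints
                + "\n\n `Signature:`" + alert + "\n\n `PCAP:` " + "https://" + masterip
                + "/kibana/app//sensoroni/securityonion/joblookup?redirectUrl=/sensoroni/&esid=" + es_id
            )
        # Bro logs
        elif 'bro' in event_type:
            _map_key_type = {
                "conn": "Connection",
                "dhcp": "DHCP",
                "dnp3": "DNP3",
                "dns": "DNS",
                "files": "Files",
                "ftp": "FTP",
                "http": "HTTP",
                "intel": "Intel",
                "irc": "IRC",
                "kerberos": "Kerberos",
                "modbus": "Modbus",
                "mysql": "MySQL",
                "ntlm": "NTLM",
                "pe": "PE",
                "radius": "RADIUS",
                "rdp": "RDP",
                "rfb": "RFB",
                "sip": "SIP",
                "smb": "SMB",
                "smtp": "SMTP",
                "snmp": "SNMP",
                "ssh": "SSH",
                "ssl": "SSL",
                "syslog": "Syslog",
                "weird": "Weird",
                "x509": "X509"
            }

            # str.strip() removes a *set* of characters from both ends, so the
            # original strip('bro_') turned 'bro_smb' into 'sm' and 'bro_rfb'
            # into 'rf' (and then crashed on a None title). Remove the prefix.
            if event_type.startswith(bro_prefix):
                bro_tag = event_type[len(bro_prefix):]
            else:
                bro_tag = event_type
            # Unknown log types keep their raw tag rather than concatenating None.
            bro_tag_title = _map_key_type.get(bro_tag, bro_tag)
            title = str('New Bro ' + bro_tag_title + ' record!')

            if src is not None:
                artifacts.append(AlertArtifact(dataType='ip', data=src))
            if dst is not None:
                artifacts.append(AlertArtifact(dataType='ip', data=dst))
            if 'sensor_name' in source:
                sensor = str(source['sensor_name'])
                artifacts.append(AlertArtifact(dataType='other', data=sensor))
            # Each identifier below overrides the title; the last one present wins.
            if 'uid' in source:
                uid = str(source['uid'])
                title = str('New Bro ' + bro_tag_title + ' record! - ' + uid)
                artifacts.append(AlertArtifact(dataType='other', data=uid))
            if 'fuid' in source:
                fuid = str(source['fuid'])
                title = str('New Bro ' + bro_tag_title + ' record! - ' + fuid)
                artifacts.append(AlertArtifact(dataType='other', data=fuid))
            if 'id' in source:
                fuid = str(source['id'])
                title = str('New Bro ' + bro_tag_title + ' record! - ' + fuid)
                artifacts.append(AlertArtifact(dataType='other', data=fuid))

            tags.append('bro')
            tags.append(bro_tag)

        # Wazuh/OSSEC logs
        elif 'ossec' in event_type:
            agent_name = source['agent']['name']
            if 'description' in source:
                ossec_desc = source['description']
            else:
                ossec_desc = source['full_log']
            if 'ip' in source['agent']:
                agent_ip = source['agent']['ip']
                artifacts.append(AlertArtifact(dataType='ip', data=agent_ip))
                artifacts.append(
                    AlertArtifact(dataType='other', data=agent_name))
            else:
                artifacts.append(
                    AlertArtifact(dataType='other', data=agent_name))

            title = ossec_desc
            tags.append("wazuh")

        elif 'sysmon' in event_type:
            if 'ossec' in source['tags']:
                agent_name = source['agent']['name']
                agent_ip = source['agent']['ip']
                artifacts.append(AlertArtifact(dataType='ip', data=agent_ip))
                artifacts.append(
                    AlertArtifact(dataType='other', data=agent_name))
                tags.append("wazuh")
            elif 'beat' in source['tags']:
                agent_name = str(source['beat']['hostname'])
                if 'beat_host' in source:
                    os_name = str(source['beat_host']['os']['name'])
                    artifacts.append(
                        AlertArtifact(dataType='other', data=os_name))
                if 'source_hostname' in source:
                    source_hostname = str(source['source_hostname'])
                    artifacts.append(
                        AlertArtifact(dataType='fqdn', data=source_hostname))
                if 'source_ip' in source:
                    source_ip = str(source['source_ip'])
                    artifacts.append(
                        AlertArtifact(dataType='ip', data=source_ip))
                if 'destination_ip' in source:
                    destination_ip = str(source['destination_ip'])
                    artifacts.append(
                        AlertArtifact(dataType='ip', data=destination_ip))
                if 'image_path' in source:
                    image_path = str(source['image_path'])
                    artifacts.append(
                        AlertArtifact(dataType='filename', data=image_path))
                if 'Hashes' in source['event_data']:
                    # Sysmon packs hashes as 'ALGO=digest,ALGO=digest'. Only
                    # MD5 and SHA256 entries become observables; an entry
                    # without '=' is skipped (the original raised IndexError).
                    for entry in source['event_data']['Hashes'].split(','):
                        algo, sep, digest = entry.partition('=')
                        if sep and digest and (algo.startswith('MD5') or algo.startswith('SHA256')):
                            artifacts.append(
                                AlertArtifact(dataType='hash', data=digest))
                tags.append("beats")
            else:
                agent_name = ''
            title = "New Sysmon Event! - " + agent_name

        else:
            title = "New " + event_type + " Event From Security Onion"
        form = DefaultForm()
        # NOTE(review): artifact_string travels through the form; if the view
        # that receives it decodes it with jsonpickle, treat it as untrusted
        # client input there (jsonpickle reconstructs arbitrary objects).
        artifact_string = jsonpickle.encode(artifacts)
        return render_template('hive.html',
                               title=title,
                               tlp=tlp,
                               tags=tags,
                               description=description,
                               artifact_string=artifact_string,
                               sourceRef=sourceRef,
                               form=form)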
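def createHiveAlert(esid):
    """Prepare the TheHive alert form for the first Elasticsearch hit of *esid*.

    The hit's ``_source`` is classified by ``event.module`` (``ids``, ``zeek``,
    ``ossec``, ``sysmon``; anything else gets a generic title) to derive a
    title, tags and ``AlertArtifact`` observables. The artifacts are serialised
    with ``jsonpickle`` and rendered into ``hive.html`` together with a fresh
    ``DefaultForm``; nothing is sent to TheHive from here. Only the first hit is
    used because the loop returns on its first iteration; a search with no hits
    falls through and returns ``None``.

    Args:
        esid: Elasticsearch document id passed to ``get_hits``.

    Returns:
        The rendered ``hive.html`` template (``title``, ``tlp``, ``tags``,
        ``description``, ``artifact_string``, ``sourceRef``, ``form``).

    Raises:
        KeyError: when a field the matching branch requires is missing from
            ``_source`` (``message``, ``event``, ``rule.name``, ...).
    """
    search = get_hits(esid)
    tlp = int(parser.get('hive', 'hive_tlp'))
    for item in search['hits']['hits']:
        # Get initial details
        result = item['_source']
        description = str(result['message'])
        es_id = item['_id']
        # Six hex chars of a random UUID: short, but not guaranteed unique.
        sourceRef = str(uuid.uuid4())[0:6]
        tags = ["SecurityOnion"]
        artifacts = []
        event = result['event']
        # Endpoint fields are optional; None when absent.
        src = srcport = dst = dstport = None

        if 'source' in result:
            if 'ip' in result['source']:
                src = str(result['source']['ip'])
            if 'port' in result['source']:
                srcport = str(result['source']['port'])
        if 'destination' in result:
            if 'ip' in result['destination']:
                dst = str(result['destination']['ip'])
            if 'port' in result['destination']:
                dstport = str(result['destination']['port'])

        # NIDS Alerts
        if event['module'] == 'ids':
            alert = result['rule']['name']
            sid = str(result['rule']['signature_id'])
            category = result['rule']['category']
            sensor = result['observer']['name']
            # NOTE(review): es_url and es_index are not defined in this
            # function; presumably module-level settings -- confirm both are
            # in scope, otherwise this branch raises NameError.
            masterip = str(es_url.split("//")[1].split(":")[0])
            tags.append("nids")
            tags.append(category)
            title = alert
            print(alert)
            sys.stdout.flush()
            # Add artifacts; an IP the record did not carry is skipped instead
            # of becoming an empty observable (the original sent data=None).
            if src is not None:
                artifacts.append(AlertArtifact(dataType='ip', data=src))
            if dst is not None:
                artifacts.append(AlertArtifact(dataType='ip', data=dst))
            artifacts.append(AlertArtifact(dataType='other', data=sensor))
            # A missing endpoint renders as '' instead of raising TypeError.
            endpoints = f"{src or ''}:{srcport or ''}-->{dst or ''}:{dstport or ''}"
            description = (
                "`NIDS Dashboard:` \n\n <https://" + masterip
                + f"/kibana/so-soctopus/kibana#/dashboard/ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:{es_index}',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'sid:"
                + sid + "')),sort:!('@timestamp',desc))> \n\n `IPs: `" + endpoints
                + "\n\n `Signature:`" + alert + "\n\n `PCAP:` " + "https://" + masterip
                + "/kibana/so-soctopus//sensoroni/securityonion/joblookup?redirectUrl=/sensoroni/&esid=" + es_id
            )

        # Zeek logs
        elif event['module'] == 'zeek':
            _map_key_type = {
                "conn": "Connection",
                "dhcp": "DHCP",
                "dnp3": "DNP3",
                "dns": "DNS",
                "file": "Files",
                "ftp": "FTP",
                "http": "HTTP",
                "intel": "Intel",
                "irc": "IRC",
                "kerberos": "Kerberos",
                "modbus": "Modbus",
                "mysql": "MySQL",
                "ntlm": "NTLM",
                "pe": "PE",
                "radius": "RADIUS",
                "rdp": "RDP",
                "rfb": "RFB",
                "sip": "SIP",
                "smb": "SMB",
                "smtp": "SMTP",
                "snmp": "SNMP",
                "ssh": "SSH",
                "ssl": "SSL",
                "syslog": "Syslog",
                "weird": "Weird",
                "x509": "X509"
            }

            zeek_tag = event['dataset']
            # Unknown datasets keep their raw tag rather than concatenating None.
            zeek_tag_title = _map_key_type.get(zeek_tag, zeek_tag)
            title = str('New Zeek ' + zeek_tag_title + ' record!')

            if src:
                artifacts.append(AlertArtifact(dataType='ip', data=src))
            if dst:
                artifacts.append(AlertArtifact(dataType='ip', data=dst))
            if result.get('observer', {}).get('name'):
                sensor = str(result['observer']['name'])
                artifacts.append(AlertArtifact(dataType='other', data=sensor))
            # Each identifier below overrides the title; the last one present wins.
            log_id = result.get('log', {}).get('id', {})
            if log_id.get('uid'):
                uid = str(log_id['uid'])
                title = str('New Zeek ' + zeek_tag_title + ' record! - ' + uid)
                artifacts.append(AlertArtifact(dataType='other', data=uid))
            if log_id.get('fuid'):
                fuid = str(log_id['fuid'])
                title = str('New Zeek ' + zeek_tag_title + ' record! - ' +
                            fuid)
                artifacts.append(AlertArtifact(dataType='other', data=fuid))
            if log_id.get('id'):
                fuid = str(log_id['id'])
                title = str('New Zeek ' + zeek_tag_title + ' record! - ' +
                            fuid)
                artifacts.append(AlertArtifact(dataType='other', data=fuid))

            tags.append('zeek')
            tags.append(zeek_tag)

        # Wazuh/OSSEC logs
        elif event['module'] == 'ossec':
            agent_name = result['agent']['name']
            # NOTE(review): the guard tests a top-level 'description' key but
            # reads rule.description; if the field actually lives under
            # 'rule', this always falls through to log.full -- confirm against
            # the index mapping.
            if 'description' in result:
                ossec_desc = result['rule']['description']
            else:
                ossec_desc = result['log']['full']
            if 'ip' in result['agent']:
                agent_ip = result['agent']['ip']
                artifacts.append(AlertArtifact(dataType='ip', data=agent_ip))
                artifacts.append(
                    AlertArtifact(dataType='other', data=agent_name))
            else:
                artifacts.append(
                    AlertArtifact(dataType='other', data=agent_name))

            title = ossec_desc
            tags.append("wazuh")

        # Sysmon logs
        elif event['module'] == 'sysmon':
            if 'ossec' in result['tags']:
                agent_name = result['agent']['name']
                agent_ip = result['agent']['ip']
                artifacts.append(AlertArtifact(dataType='ip', data=agent_ip))
                artifacts.append(
                    AlertArtifact(dataType='other', data=agent_name))
                tags.append("wazuh")
            elif 'beat' in result['tags']:
                agent_name = str(result['agent']['hostname'])
                if result.get('agent'):
                    # Best effort: os.name and agent.name are optional, so a
                    # missing key just skips the observable. The original
                    # used bare excepts, which also hid unrelated errors.
                    try:
                        os_name = str(result['agent']['os']['name'])
                        artifacts.append(
                            AlertArtifact(dataType='other', data=os_name))
                    except (KeyError, TypeError):
                        pass
                    try:
                        beat_name = str(result['agent']['name'])
                        artifacts.append(
                            AlertArtifact(dataType='other', data=beat_name))
                    except (KeyError, TypeError):
                        pass
                if result.get('source', {}).get('hostname'):
                    source_hostname = result['source']['hostname']
                    artifacts.append(
                        AlertArtifact(dataType='fqdn', data=source_hostname))
                if result.get('source', {}).get('ip'):
                    source_ip = str(result['source']['ip'])
                    artifacts.append(
                        AlertArtifact(dataType='ip', data=source_ip))
                if result.get('destination', {}).get('ip'):
                    destination_ip = str(result['destination']['ip'])
                    artifacts.append(
                        AlertArtifact(dataType='ip', data=destination_ip))
                # FIXME: find what "image_path" and "Hashes" have been renamed
                # to in the new schema; the filename and hash observables the
                # older versions of this view emitted are not produced here.
                tags.append("agent")
            else:
                agent_name = ''
            title = "New Sysmon Event! - " + agent_name

        else:
            title = f'New {event["module"]}_{event["dataset"]} Event From Security Onion'
        form = DefaultForm()
        # NOTE(review): artifact_string travels through the form; if the view
        # that receives it decodes it with jsonpickle, treat it as untrusted
        # client input there (jsonpickle reconstructs arbitrary objects).
        artifact_string = jsonpickle.encode(artifacts)
        return render_template('hive.html',
                               title=title,
                               tlp=tlp,
                               tags=tags,
                               description=description,
                               artifact_string=artifact_string,
                               sourceRef=sourceRef,
                               form=form)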
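def createHiveAlert(esid):
    """Prepare the TheHive alert form for the first Elasticsearch hit of *esid*.

    The hit's ``_source`` is classified by *substring* match on its
    ``event_type`` (``snort``, ``bro``, ``ossec``, ``sysmon``; anything else
    gets a generic title) to derive a title, tags and ``AlertArtifact``
    observables. The artifacts are serialised with ``jsonpickle`` and rendered
    into ``hive.html`` together with a fresh ``DefaultForm``. Only the first
    hit is used because the loop returns on its first iteration; a search with
    no hits falls through and returns ``None``.

    The original also constructed a ``TheHiveApi`` client here (with TLS
    certificate verification switchable off through ``hive_verifycert``) but
    never used it; that dead code is dropped -- nothing is sent to TheHive from
    this view.

    Args:
        esid: Elasticsearch document id passed to ``getHits``.

    Returns:
        The rendered ``hive.html`` template (``title``, ``tlp``, ``tags``,
        ``description``, ``artifact_string``, ``sourceRef``, ``form``).

    Raises:
        KeyError: when a field the matching branch requires is missing from
            ``_source`` (``message``, ``event_type``, ``alert``, ...).
    """
    search = getHits(esid)
    tlp = int(parser.get('hive', 'hive_tlp'))
    bro_prefix = 'bro_'
    for result in search['hits']['hits']:
        source = result['_source']

        # Get initial details
        description = str(source['message'])
        # Six hex chars of a random UUID: short, but not guaranteed unique.
        sourceRef = str(uuid.uuid4())[0:6]
        tags = ["SecurityOnion"]
        artifacts = []
        event_type = source['event_type']

        # Endpoint fields are optional; leave them None (rather than unbound,
        # which made the NIDS branch fail with UnboundLocalError) when absent.
        src = dst = None
        if 'source_ip' in source:
            src = str(source['source_ip'])
        if 'destination_ip' in source:
            dst = str(source['destination_ip'])

        # NIDS Alerts
        if 'snort' in event_type:
            alert = source['alert']
            category = source['category']
            sensor = source['interface']
            tags.append("nids")
            tags.append(category)
            title = alert
            # Add artifacts; an IP the record did not carry is skipped instead
            # of becoming an empty observable.
            if src is not None:
                artifacts.append(AlertArtifact(dataType='ip', data=src))
            if dst is not None:
                artifacts.append(AlertArtifact(dataType='ip', data=dst))
            artifacts.append(AlertArtifact(dataType='other', data=sensor))

        # Bro logs
        elif 'bro' in event_type:
            _map_key_type = {
                "conn": "Connection",
                "dhcp": "DHCP",
                "dnp3": "DNP3",
                "dns": "DNS",
                "files": "Files",
                "ftp": "FTP",
                "http": "HTTP",
                "intel": "Intel",
                "irc": "IRC",
                "kerberos": "Kerberos",
                "modbus": "Modbus",
                "mysql": "MySQL",
                "ntlm": "NTLM",
                "pe": "PE",
                "radius": "RADIUS",
                "rdp": "RDP",
                "rfb": "RFB",
                "sip": "SIP",
                "smb": "SMB",
                "smtp": "SMTP",
                "snmp": "SNMP",
                "ssh": "SSH",
                "ssl": "SSL",
                "syslog": "Syslog",
                "weird": "Weird",
                "x509": "X509"
            }

            # str.strip() removes a *set* of characters from both ends, so the
            # original strip('bro_') turned 'bro_smb' into 'sm' and 'bro_rfb'
            # into 'rf' (and then crashed on a None title). Remove the prefix.
            if event_type.startswith(bro_prefix):
                bro_tag = event_type[len(bro_prefix):]
            else:
                bro_tag = event_type
            # Unknown log types keep their raw tag rather than concatenating None.
            bro_tag_title = _map_key_type.get(bro_tag, bro_tag)
            title = str('New Bro ' + bro_tag_title + ' record!')

            if src is not None:
                artifacts.append(AlertArtifact(dataType='ip', data=src))
            if dst is not None:
                artifacts.append(AlertArtifact(dataType='ip', data=dst))
            if 'sensor_name' in source:
                sensor = str(source['sensor_name'])
                artifacts.append(AlertArtifact(dataType='other', data=sensor))
            # Each identifier below overrides the title; the last one present wins.
            if 'uid' in source:
                uid = str(source['uid'])
                title = str('New Bro ' + bro_tag_title + ' record! - ' + uid)
                artifacts.append(AlertArtifact(dataType='other', data=uid))
            if 'fuid' in source:
                fuid = str(source['fuid'])
                title = str('New Bro ' + bro_tag_title + ' record! - ' + fuid)
                artifacts.append(AlertArtifact(dataType='other', data=fuid))
            if 'id' in source:
                fuid = str(source['id'])
                title = str('New Bro ' + bro_tag_title + ' record! - ' + fuid)
                artifacts.append(AlertArtifact(dataType='other', data=fuid))

            tags.append('bro')
            tags.append(bro_tag)

        # Wazuh/OSSEC logs
        elif 'ossec' in event_type:
            agent_name = source['agent']['name']
            if 'description' in source:
                ossec_desc = source['description']
            else:
                ossec_desc = source['full_log']
            if 'ip' in source['agent']:
                agent_ip = source['agent']['ip']
                artifacts.append(AlertArtifact(dataType='ip', data=agent_ip))
                artifacts.append(AlertArtifact(dataType='other', data=agent_name))
            else:
                artifacts.append(AlertArtifact(dataType='other', data=agent_name))

            title = ossec_desc
            tags.append("wazuh")

        elif 'sysmon' in event_type:
            if 'ossec' in source['tags']:
                agent_name = source['agent']['name']
                agent_ip = source['agent']['ip']
                artifacts.append(AlertArtifact(dataType='ip', data=agent_ip))
                artifacts.append(AlertArtifact(dataType='other', data=agent_name))
                tags.append("wazuh")
            elif 'beat' in source['tags']:
                agent_name = str(source['beat']['hostname'])
                if 'beat_host' in source:
                    os_name = str(source['beat_host']['os']['name'])
                    artifacts.append(AlertArtifact(dataType='other', data=os_name))
                if 'source_hostname' in source:
                    source_hostname = str(source['source_hostname'])
                    artifacts.append(AlertArtifact(dataType='fqdn', data=source_hostname))
                if 'source_ip' in source:
                    source_ip = str(source['source_ip'])
                    artifacts.append(AlertArtifact(dataType='ip', data=source_ip))
                if 'destination_ip' in source:
                    destination_ip = str(source['destination_ip'])
                    artifacts.append(AlertArtifact(dataType='ip', data=destination_ip))
                if 'image_path' in source:
                    image_path = str(source['image_path'])
                    artifacts.append(AlertArtifact(dataType='filename', data=image_path))
                if 'Hashes' in source['event_data']:
                    # Sysmon packs hashes as 'ALGO=digest,ALGO=digest'. Only
                    # MD5 and SHA256 entries become observables; an entry
                    # without '=' is skipped (the original raised IndexError).
                    for entry in source['event_data']['Hashes'].split(','):
                        algo, sep, digest = entry.partition('=')
                        if sep and digest and (algo.startswith('MD5') or algo.startswith('SHA256')):
                            artifacts.append(AlertArtifact(dataType='hash', data=digest))
                tags.append("beats")
            else:
                agent_name = ''
            title = "New Sysmon Event! - " + agent_name

        else:
            title = "New " + event_type + " Event From Security Onion"
        form = DefaultForm()
        # NOTE(review): artifact_string travels through the form; if the view
        # that receives it decodes it with jsonpickle, treat it as untrusted
        # client input there (jsonpickle reconstructs arbitrary objects).
        artifact_string = jsonpickle.encode(artifacts)
        return render_template('hive.html', title=title, tlp=tlp,tags=tags, description=description, artifact_string=artifact_string, sourceRef=sourceRef, form=form)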