def handleSYNPacketHostPortscanDetector(data=None): """ Creates an incident if a single canary receives SYN packets to more than 10 different ports in less than 50 seconds. """ try: host_scan_key = KEY_TRACK_HOST_PORT_SCAN + data[ 'src_host'] + ':' + data['dst_host'] new_set = False if not redis.exists(host_scan_key): new_set = True if redis.sadd(host_scan_key, data['dst_port']): if new_set: redis.expire( host_scan_key, c.config.getVal('portscan.monitor_period', default=50)) if redis.scard(host_scan_key) >= c.config.getVal( 'portscan.packet_threshold', default=5): data['logdata'] = list(redis.smembers(host_scan_key)) IncidentFactory.create_incident('scans.host_portscan', data=data) redis.delete(host_scan_key) except Exception as e: import traceback logger.critical(traceback.format_exc())
def handleSYNPacketNetworkPortscanDetector(data=None): """ Creates an incident if two or more canaries report a syn packet to the same dst port, from the same host, in an hour or less. """ try: network_scan_target_key = KEY_TRACK_NETWORK_PORT_SCAN + data[ 'src_host'] + ':' + data['dst_port'] + ':targets' try: dst_host = data['reported_dst_host'] except KeyError: dst_host = data['dst_host'] if not redis.sismember(network_scan_target_key, dst_host): redis.sadd(network_scan_target_key, dst_host) redis.expire( network_scan_target_key, c.config.getVal('networkscan.monitor_period', default=3600)) pckt_count = redis.scard(network_scan_target_key) if pckt_count >= c.config.getVal('networkscan.packet_threshold', default=2): data['logdata'] = list(redis.smembers(network_scan_target_key)) IncidentFactory.create_incident('scans.network_portscan', data=data) except Exception as e: import traceback logger.critical(traceback.format_exc())
def _filter_incidents(filter_=None, include_hosts=True): host_cache = {} keys = redis.zrangebyscore(KEY_INCIDENTS, '-inf', '+inf') incidents = [] for key in keys: incident = redis.hgetall(key) try: if not filter_(incident): continue if include_hosts: if not host_cache.has_key(incident['node_id']): host_cache[incident['node_id']] = \ redis.hgetall(KEY_DEVICE+get_device_id_hash(incident['node_id'])) incident['host'] = host_cache[incident['node_id']] incidents.append(jsonify_incident(key, incident)) except Exception as e: logger.critical(e) return incidents