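def handleSYNPacketHostPortscanDetector(data=None):
    """
    Raise a ``scans.host_portscan`` incident when one source probes many ports
    on a single canary.

    For each (src_host, dst_host) pair a redis set records the distinct
    destination ports seen.  Once the set holds at least
    ``portscan.packet_threshold`` members (default 5) the recorded ports are
    attached to ``data['logdata']``, the incident is created and the set is
    dropped.  The set expires ``portscan.monitor_period`` seconds (default 50)
    after it is created, so only ports seen within that window are counted.

    Args:
        data: event dict; ``src_host``, ``dst_host`` and ``dst_port`` are
            read and ``logdata`` is written.  ``None`` (the default) is a
            caller error and ends up in the CRITICAL log like any other
            failure.

    Any exception is logged at CRITICAL with a traceback and swallowed so
    that a single malformed event does not take the detector down.
    """
    try:
        host_scan_key = KEY_TRACK_HOST_PORT_SCAN + data[
            'src_host'] + ':' + data['dst_host']
        needs_expiry = not redis.exists(host_scan_key)
        if redis.sadd(host_scan_key, data['dst_port']):
            if not needs_expiry:
                # exists() and sadd() are separate round trips.  If another
                # worker deleted the set (after raising an incident) in
                # between, sadd() recreated it without a TTL and it would
                # accumulate ports forever, eventually firing on unrelated
                # traffic.  TTL -1 (None on older clients) means "no expiry",
                # -2 means "no such key"; re-arm the window in both cases.
                ttl = redis.ttl(host_scan_key)
                needs_expiry = ttl is None or ttl < 0
            if needs_expiry:
                redis.expire(
                    host_scan_key,
                    c.config.getVal('portscan.monitor_period', default=50))

            if redis.scard(host_scan_key) >= c.config.getVal(
                    'portscan.packet_threshold', default=5):
                data['logdata'] = list(redis.smembers(host_scan_key))
                IncidentFactory.create_incident('scans.host_portscan',
                                                data=data)
                # Drop the set so the next scan from this pair starts a
                # fresh window instead of re-firing on every packet.
                redis.delete(host_scan_key)
    except Exception:
        import traceback
        logger.critical(traceback.format_exc())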
def clear_incidents():
    """Delete every incident referenced from KEY_INCIDENTS, then the index itself."""
    # Members of the sorted set are used directly as redis keys, highest
    # score first; delete each one individually.
    incident_keys = redis.zrevrangebyscore(KEY_INCIDENTS, '+inf', '-inf')
    for key in incident_keys:
        redis.delete(key)
    # Finally drop the index that pointed at them.
    redis.delete(KEY_INCIDENTS)
def clear_incidents():
    """Remove all stored incidents and the KEY_INCIDENTS index that lists them."""
    delete = redis.delete
    # Walk the index from highest to lowest score and delete each referenced key.
    for incident_key in redis.zrevrangebyscore(KEY_INCIDENTS, '+inf', '-inf'):
        delete(incident_key)
    delete(KEY_INCIDENTS)