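def _alert(ctx):
    """Raise a correlation alert for events that reached a firewall-protected host.

    ``ctx.candidates`` holds the IDMEF events gathered for this context.  Each one
    is checked against the "FIREWALL INFOS" context, whose ``_protected_hosts``
    maps a protected target address to a tuple whose second element is a
    container of ``source + port`` keys (presumably the source/port pairs the
    firewall was seen dropping — populated outside this block).  An event whose
    target is not protected is ignored; an event whose key is listed is treated
    as handled by the firewall and skipped.  Every remaining event is referenced
    from ``ctx`` and, if at least one exists, a medium-severity alert is emitted.
    The context is destroyed on every path.

    Args:
        ctx: the correlation context to report on and destroy.
    """
    fw = context.search("FIREWALL INFOS")
    # context.search() returns a falsy value when no such context exists, and a
    # context's state attributes may be assigned lazily; without the table there
    # is nothing to verify, so release the context instead of raising
    # AttributeError (which would also leave ``ctx`` undestroyed).
    protected = getattr(fw, "_protected_hosts", None) if fw is not None else None
    if not protected:
        ctx.destroy()
        return

    hits = 0
    for idmef in ctx.candidates:
        source = idmef.get("alert.source(0).node.address(0).address")
        target = idmef.get("alert.target(0).node.address(0).address")
        dport = str(idmef.get("alert.target(0).service.port", 0))

        # Only hosts known to sit behind the firewall are of interest.
        if target not in protected:
            continue

        # NOTE(review): the lookup key is plain concatenation, so
        # "10.0.0.1"+"80" and "10.0.0.18"+"0" (port 0 is the default when the
        # event carries no port) collide.  The key format is dictated by
        # whoever fills ``_protected_hosts`` and is kept here for compatibility.
        # An event without a source address cannot be matched against the table
        # at all, so it cannot be shown to have been blocked: count it rather
        # than raising TypeError on ``None + str``.
        if source is not None and (source + dport) in protected[target][1]:
            continue

        hits += 1
        ctx.addAlertReference(idmef)

    if hits > 0:
        ctx.set("alert.classification.text", "Events hit target")
        ctx.set("alert.assessment.impact.severity", "medium")
        ctx.set(
            "alert.assessment.impact.description",
            "The target are known to be protected by a Firewall device, but a set of event have not been dropped"
        )
        ctx.set("alert.correlation_alert.name", "No firewall block observed")
        ctx.alert()

    ctx.destroy()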
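def _alert(ctx):
    """Alert on candidate events that hit a firewall-protected host unblocked.

    Looks up the "FIREWALL INFOS" context and reads its ``_protected_hosts``
    table: protected target address -> tuple whose second element holds the
    ``source + port`` keys the firewall is believed to have dropped (the table
    is filled elsewhere).  Candidates targeting an unprotected host are ignored,
    candidates whose key is present are considered blocked, and every other
    candidate is attached to ``ctx`` as an alert reference.  When at least one
    such candidate exists a medium-severity "No firewall block observed" alert
    is raised.  ``ctx`` is destroyed in all cases.

    Args:
        ctx: the correlation context whose ``candidates`` are examined.
    """
    fw = context.search("FIREWALL INFOS")
    # A missing context (search() returns a falsy value) or a context that has
    # not been given its table yet means nothing can be checked; bail out and
    # still destroy ``ctx`` rather than failing with AttributeError.
    protected = getattr(fw, "_protected_hosts", None) if fw is not None else None
    if not protected:
        ctx.destroy()
        return

    unblocked = []
    for idmef in ctx.candidates:
        source = idmef.get("alert.source(0).node.address(0).address")
        target = idmef.get("alert.target(0).node.address(0).address")
        dport = str(idmef.get("alert.target(0).service.port", 0))

        if target not in protected:
            continue

        # NOTE(review): ``source + dport`` is ambiguous ("10.0.0.1"+"80" equals
        # "10.0.0.18"+"0", and 0 is the default port); kept because the producer
        # of ``_protected_hosts`` uses the same scheme.  A source-less event
        # cannot be matched, hence cannot be proven blocked: count it instead of
        # raising TypeError on ``None + str``.
        blocked_keys = protected[target][1]
        if source is not None and (source + dport) in blocked_keys:
            continue

        unblocked.append(idmef)
        ctx.addAlertReference(idmef)

    if unblocked:
        ctx.set("alert.classification.text", "Events hit target")
        ctx.set("alert.assessment.impact.severity", "medium")
        ctx.set("alert.assessment.impact.description", "The target are known to be protected by a Firewall device, but a set of event have not been dropped")
        ctx.set("alert.correlation_alert.name", "No firewall block observed")
        ctx.alert()

    ctx.destroy()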
    def run(self, idmef):
        """Flag a host that was attacked and has since started attacking others.

        For every target address of *idmef* a ``("WORM HOST", classification,
        target)`` context is created (or reused, ``overwrite=False``) with a
        300 second expiry; a freshly created one gets an empty ``_target_list``.
        Every source address of *idmef* is then looked up as a former target.
        If a context exists, the current targets are merged into its
        ``_target_list``; the context is refreshed with the event when the list
        grew, and once it holds at least ``self.__repeat_target`` hosts a
        high-severity "Possible Worm Activity" alert is raised and the context
        destroyed.  Events without a classification text are ignored.

        Args:
            idmef: the incoming IDMEF alert.
        """
        classification = idmef.get("alert.classification.text")
        if not classification:
            return

        # Open one context per victim so that a later event *from* that
        # address can be recognised as coming from a former target.
        targets_hit = {}
        for victim in idmef.get("alert.target(*).node.address(*).address"):
            victim_ctx = context.Context(
                ("WORM HOST", classification, victim),
                {"expire": 300},
                overwrite=False,
                idmef=idmef,
                ruleid=self.name,
            )
            # A brand-new context has no target list yet.
            if victim_ctx.getUpdateCount() == 0:
                victim_ctx._target_list = {}
            targets_hit[victim] = True

        # Is any source of this event a host we previously saw being attacked?
        for attacker in idmef.get("alert.source(*).node.address(*).address"):
            attacker_ctx = context.search(("WORM HOST", classification, attacker))
            if not attacker_ctx:
                continue

            known = attacker_ctx._target_list
            before = len(known)
            known.update(targets_hit)
            after = len(known)

            # Only a new victim counts as progress worth recording.
            if after > before:
                attacker_ctx.update(idmef=idmef)

            if after < self.__repeat_target:
                continue

            attacker_ctx.set("alert.classification.text", "Possible Worm Activity")
            attacker_ctx.set(
                "alert.correlation_alert.name",
                "Source host is repeating actions taken against it recently"
            )
            attacker_ctx.set("alert.assessment.impact.severity", "high")
            attacker_ctx.set(
                "alert.assessment.impact.description",
                attacker + (
                    " has repeated actions taken against it recently at least %d times. "
                    "It may have been infected with a worm." % self.__repeat_target
                )
            )
            attacker_ctx.alert()
            attacker_ctx.destroy()
    def run(self, idmef):
        """Worm heuristic: alert when a former victim attacks enough other hosts.

        Each target address of *idmef* gets a ``("WORM HOST", text, target)``
        context (reused if present, 300 s expiry) whose ``_target_list`` is
        initialised empty on first creation.  Each source address is then
        searched for as a former target; when found, this event's targets are
        merged into its list, the context is updated with the event if the list
        grew, and reaching ``self.__repeat_target`` distinct hosts raises a
        high-severity "Possible Worm Activity" alert and destroys the context.
        Events lacking a classification text are dropped.

        Args:
            idmef: the incoming IDMEF alert.
        """
        text = idmef.get("alert.classification.text")
        if not text:
            return

        # Remember every host hit by this event and make sure each has a
        # context keyed on the classification, so it can be found later as
        # a source.
        seen = {}
        for host in idmef.get("alert.target(*).node.address(*).address"):
            seen[host] = True
            fresh = context.Context(("WORM HOST", text, host), {"expire": 300}, overwrite=False, idmef=idmef)
            if fresh.getUpdateCount() != 0:
                continue
            fresh._target_list = {}

        for host in idmef.get("alert.source(*).node.address(*).address"):
            # A context under this source address means it was itself a
            # target of the same classification recently.
            prior = context.search(("WORM HOST", text, host))
            if not prior:
                continue

            prev_count = len(prior._target_list)
            prior._target_list.update(seen)
            cur_count = len(prior._target_list)

            grew = cur_count > prev_count
            if grew:
                prior.update(idmef=idmef)

            if cur_count >= self.__repeat_target:
                description = host + (
                    " has repeated actions taken against it recently at least %d times. It may have been infected with a worm."
                    % (self.__repeat_target)
                )
                prior.set("alert.classification.text", "Possible Worm Activity")
                prior.set("alert.correlation_alert.name", "Source host is repeating actions taken against it recently")
                prior.set("alert.assessment.impact.severity", "high")
                prior.set("alert.assessment.impact.description", description)
                prior.alert()
                prior.destroy()