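def run(self, idmef):
    """Record which authentication methods succeed per (target, user) over SSH.

    Only alerts whose last analyzer is OpenSSH and whose completion is
    "succeeded" are considered. For every target address / user name pair
    carried by the alert a "SSHAUTH" context is created or refreshed and the
    reported authentication method is recorded in it; the alert is attached
    to the context the first time a given method is seen for that pair.

    Args:
        idmef: the IDMEF alert being correlated.

    Returns:
        None. Side effect: creates/updates Context objects.
    """
    if idmef.get("alert.analyzer(-1).manufacturer") != "OpenSSH":
        return

    if idmef.get("alert.assessment.impact.completion") != "succeeded":
        return

    methods = idmef.get("alert.additional_data('Authentication method').data")
    if not methods:
        return

    # Only the first reported authentication method is tracked.
    method = methods[0]

    # Guard against alerts without a user name or target address: iterating
    # over a missing value would raise instead of simply skipping the alert
    # (this matches the empty-input handling used by the other rules).
    usernames = idmef.get("alert.target(*).user.user_id(*).name")
    targets = idmef.get("alert.target(*).node.address(*).address")
    if not usernames or not targets:
        return

    for username in usernames:
        for target in targets:
            ctx = Context(("SSHAUTH", target, username), {
                "expire": 30,
                # `alert` is resolved from the enclosing module; presumably the
                # callback invoked when the context expires — confirm.
                "alert_on_expire": alert
            },
                          update=True,
                          ruleid=self.name)
            if ctx.getUpdateCount() == 0:
                # Fresh context: start the set of methods seen for this pair.
                ctx.authtype = {method: True}
                ctx.addAlertReference(idmef)

            elif method not in ctx.authtype:
                # Known pair, new method: record it and reference the alert.
                ctx.authtype[method] = True
                ctx.addAlertReference(idmef)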
    def _BruteUserForce(self, idmef):
        """Open or refresh a "BRUTE USER" context for each targeted user name.

        Every user name in the alert gets its own context keyed on the name.
        When the context is brand new, the correlation alert's classification,
        name, severity and description are filled in. The option values are
        handed straight to Context (threshold 5 / expire 120 — presumably five
        alerts within 120 seconds raise the correlation alert; confirm).

        Args:
            idmef: the IDMEF alert being correlated.
        """
        usernames = idmef.get("alert.target(*).user.user_id(*).name")
        if not usernames:
            return

        labels = (
            ("alert.classification.text", "Brute Force attack"),
            ("alert.correlation_alert.name", "Multiple failed login against a single account"),
            ("alert.assessment.impact.severity", "high"),
            ("alert.assessment.impact.description", "Multiple failed attempts have been made to login to a user account"),
        )
        for name in usernames:
            ctx = Context(
                ("BRUTE USER", name),
                {"expire": 120, "threshold": 5, "alert_on_expire": True},
                update=True,
                idmef=idmef,
            )
            if ctx.getUpdateCount() != 0:
                continue
            # First failure seen for this user: label the correlation alert.
            for path, value in labels:
                ctx.set(path, value)
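    def run(self, idmef):
        """Flag alerts whose source address is listed in the Spamhaus DROP data.

        Every source address of the alert is parsed; addresses that fall within
        the loaded DROP data open or refresh a per-source "SPAMHAUS" context
        carrying the alert.

        Args:
            idmef: the IDMEF alert being correlated.
        """
        for source in idmef.get("alert.source(*).node.address(*).address"):
            # Source addresses may be host names or malformed strings that
            # IPAddress() rejects; those cannot match the list, so skip them.
            # The handler is narrowed to Exception: the previous bare `except:`
            # also swallowed KeyboardInterrupt/SystemExit.
            try:
                addr = IPAddress(source)
            except Exception:
                continue

            # self.__data.get() is assumed to return a container supporting
            # `in` for IPAddress values (e.g. an IP set) — confirm.
            if addr not in self.__data.get():
                continue

            ca = Context(("SPAMHAUS", source), {
                "expire": 300,
                "alert_on_expire": True
            },
                         update=True,
                         idmef=idmef)
            if ca.getUpdateCount() == 0:
                # First hit for this source: describe the correlation alert.
                ca.set("alert.classification.text",
                       "IP source matching Spamhaus DROP dataset")
                ca.set("alert.correlation_alert.name",
                       "IP source matching Spamhaus DROP dataset")
                ca.set("alert.assessment.impact.description",
                       "Spamhaus gathered this IP address in their DROP list - %s" % (source))
                ca.set("alert.assessment.impact.severity", "medium")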
    def _BruteForce(self, idmef):
        """Open or refresh a "BRUTE ST" context per (source, target) address pair.

        Each pair gets its own context; on first creation the correlation
        alert's classification, name, severity and description are set. The
        option values are passed straight to Context (threshold 5 / expire 120
        — presumably five alerts within 120 seconds; confirm).

        Args:
            idmef: the IDMEF alert being correlated.
        """
        sources = idmef.get("alert.source(*).node.address(*).address")
        targets = idmef.get("alert.target(*).node.address(*).address")
        if not (sources and targets):
            return

        labels = (
            ("alert.classification.text", "Brute Force attack"),
            ("alert.correlation_alert.name", "Multiple failed login"),
            ("alert.assessment.impact.severity", "high"),
            ("alert.assessment.impact.description", "Multiple failed attempts have been made to login using different account"),
        )
        for src in sources:
            for dst in targets:
                ctx = Context(
                    ("BRUTE ST", src, dst),
                    {"expire": 120, "threshold": 5, "alert_on_expire": True},
                    update=True,
                    idmef=idmef,
                )
                if ctx.getUpdateCount() != 0:
                    continue
                # First failure for this pair: label the correlation alert.
                for path, value in labels:
                    ctx.set(path, value)
    def run(self, idmef):
        """Flag a single source emitting an unusually large number of events.

        One "SCAN EVENTSTORM" context is kept per source address. The option
        values are handed straight to Context (threshold 150 / expire 120 —
        presumably 150 events within 120 seconds; confirm).

        Args:
            idmef: the IDMEF alert being correlated.
        """
        sources = idmef.get("alert.source(*).node.address(*).address")
        if not sources:
            return

        labels = (
            ("alert.correlation_alert.name", "A single host is producing an unusual amount of events"),
            ("alert.classification.text", "Eventstorm"),
            ("alert.assessment.impact.severity", "high"),
        )
        for addr in sources:
            ctx = Context(
                ("SCAN EVENTSTORM", addr),
                {"expire": 120, "threshold": 150, "alert_on_expire": True},
                update=True,
                idmef=idmef,
            )
            if ctx.getUpdateCount() != 0:
                continue
            # First event for this source: label the correlation alert.
            for path, value in labels:
                ctx.set(path, value)
    def run(self, idmef):
        """Flag one source playing many events against one target (scan-like).

        One "SCAN EVENTSCAN" context is kept per (source, target) address
        pair. The option values are passed straight to Context (threshold 30 /
        expire 60 — presumably 30 events within 60 seconds; confirm).

        Args:
            idmef: the IDMEF alert being correlated.
        """
        sources = idmef.get("alert.source(*).node.address(*).address")
        targets = idmef.get("alert.target(*).node.address(*).address")

        if not (sources and targets):
            return

        labels = (
            ("alert.correlation_alert.name", "A single host has played many events against a single target. This may be a vulnerability scan"),
            ("alert.classification.text", "Eventscan"),
            ("alert.assessment.impact.severity", "high"),
        )
        for src in sources:
            for dst in targets:
                ctx = Context(
                    ("SCAN EVENTSCAN", src, dst),
                    {"expire": 60, "threshold": 30, "alert_on_expire": True},
                    update=True,
                    idmef=idmef,
                )
                if ctx.getUpdateCount() != 0:
                    continue
                # First event for this pair: label the correlation alert.
                for path, value in labels:
                    ctx.set(path, value)
    def _PortScan(self, idmef):
        """Open or refresh a "PORT_SCAN_STORM" context for the alert's endpoints.

        Source and destination are looked up through self._getDataByMeaning
        with the module-level IP_SRC / IP_DST meanings; EXPIRATION and
        THRESHOLD are module-level option values handed straight to Context.
        On first creation the correlation alert is labelled.

        Args:
            idmef: the IDMEF alert being correlated.
        """
        src = self._getDataByMeaning(idmef, IP_SRC)
        dst = self._getDataByMeaning(idmef, IP_DST)

        options = {
            "expire": EXPIRATION,
            "threshold": THRESHOLD,
            "alert_on_expire": True,
        }
        ctx = Context(("PORT_SCAN_STORM", src, dst), options, update=True, idmef=idmef)
        if ctx.getUpdateCount() != 0:
            return

        # Fresh context: label the correlation alert.
        labels = (
            ("alert.correlation_alert.name", "Port Scan Storm Detected"),
            ("alert.classification.text", "PortScanStorm"),
            ("alert.assessment.impact.severity", "high"),
        )
        for path, value in labels:
            ctx.set(path, value)
    def run(self, idmef):
        """Flag a single source emitting an unusually large number of events.

        One "SCAN EVENTSTORM" context is kept per source address, tagged with
        this rule's name. The option values are handed straight to Context
        (threshold 150 / expire 120 — presumably 150 events within 120
        seconds; confirm).

        Args:
            idmef: the IDMEF alert being correlated.
        """
        sources = idmef.get("alert.source(*).node.address(*).address")
        if not sources:
            return

        labels = (
            ("alert.correlation_alert.name", "A single host is producing an unusual amount of events"),
            ("alert.classification.text", "Eventstorm"),
            ("alert.assessment.impact.severity", "high"),
        )
        for addr in sources:
            ctx = Context(
                ("SCAN EVENTSTORM", addr),
                {"expire": 120, "threshold": 150, "alert_on_expire": True},
                update=True,
                idmef=idmef,
                ruleid=self.name,
            )
            if ctx.getUpdateCount() != 0:
                continue
            # First event for this source: label the correlation alert.
            for path, value in labels:
                ctx.set(path, value)
    def run(self, idmef):
        """Flag one source playing many events against one target (scan-like).

        One "SCAN EVENTSCAN" context is kept per (source, target) address
        pair, tagged with this rule's name. The option values are passed
        straight to Context (threshold 30 / expire 60 — presumably 30 events
        within 60 seconds; confirm).

        Args:
            idmef: the IDMEF alert being correlated.
        """
        sources = idmef.get("alert.source(*).node.address(*).address")
        targets = idmef.get("alert.target(*).node.address(*).address")

        if not (sources and targets):
            return

        labels = (
            ("alert.correlation_alert.name", "A single host has played many events against a single target. This may be a vulnerability scan"),
            ("alert.classification.text", "Eventscan"),
            ("alert.assessment.impact.severity", "high"),
        )
        for src in sources:
            for dst in targets:
                ctx = Context(
                    ("SCAN EVENTSCAN", src, dst),
                    {"expire": 60, "threshold": 30, "alert_on_expire": True},
                    update=True,
                    idmef=idmef,
                    ruleid=self.name,
                )
                if ctx.getUpdateCount() != 0:
                    continue
                # First event for this pair: label the correlation alert.
                for path, value in labels:
                    ctx.set(path, value)
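    def run(self, idmef):
        """Record which authentication methods succeed per (target, user) over SSH.

        Only alerts whose last analyzer is OpenSSH and whose completion is
        "succeeded" are considered. For every target address / user name pair
        carried by the alert a "SSHAUTH" context is created or refreshed and
        the reported authentication method is recorded in it; the alert is
        attached to the context the first time a given method is seen for
        that pair.

        Args:
            idmef: the IDMEF alert being correlated.

        Returns:
            None. Side effect: creates/updates Context objects.
        """
        if idmef.get("alert.analyzer(-1).manufacturer") != "OpenSSH":
            return

        if idmef.get("alert.assessment.impact.completion") != "succeeded":
            return

        methods = idmef.get("alert.additional_data('Authentication method').data")
        if not methods:
            return

        # Only the first reported authentication method is tracked.
        method = methods[0]

        # Guard against alerts without a user name or target address:
        # iterating over a missing value would raise instead of simply
        # skipping the alert (matches the empty-input handling of the
        # other rules).
        usernames = idmef.get("alert.target(*).user.user_id(*).name")
        targets = idmef.get("alert.target(*).node.address(*).address")
        if not usernames or not targets:
            return

        for username in usernames:
            for target in targets:
                # `alert` is resolved from the enclosing module; presumably
                # the callback invoked when the context expires — confirm.
                ctx = Context(("SSHAUTH", target, username), { "expire": 30, "alert_on_expire": alert }, update=True)
                if ctx.getUpdateCount() == 0:
                    # Fresh context: start the set of methods seen for this pair.
                    ctx.authtype = { method: True }
                    ctx.addAlertReference(idmef)

                elif method not in ctx.authtype:
                    # Known pair, new method: record it and reference the alert.
                    ctx.authtype[method] = True
                    ctx.addAlertReference(idmef)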
    def run(self, idmef):
        """Flag one source replaying the same event class against many targets.

        One "SCAN EVENTSWEEP" context is kept per (classification, source)
        pair, tagged with this rule's name. A target address already recorded
        in the context is not counted again: in that case the function
        returns without updating the context (and without looking at any
        remaining source address). The option values are passed straight to
        Context (threshold 30 / expire 60 — presumably 30 distinct targets
        within 60 seconds; confirm).

        Args:
            idmef: the IDMEF alert being correlated.
        """
        classification = idmef.get("alert.classification.text")
        sources = idmef.get("alert.source(*).node.address(*).address")
        targets = idmef.get("alert.target(*).node.address(*).address")

        if not (sources and targets and classification):
            return

        labels = (
            ("alert.correlation_alert.name", "A single host has played the same event against multiple targets. This may be a network scan for a specific vulnerability"),
            ("alert.classification.text", "Eventsweep"),
            ("alert.assessment.impact.severity", "high"),
        )
        for src in sources:
            ctx = Context(
                ("SCAN EVENTSWEEP", classification, src),
                {"expire": 60, "threshold": 30, "alert_on_expire": True},
                overwrite=False,
                ruleid=self.name,
            )
            if ctx.getUpdateCount() == 0:
                # Fresh context: label the correlation alert.
                for path, value in labels:
                    ctx.set(path, value)

            # Skip the alert entirely if any of its targets was already seen.
            seen = ctx.get("alert.target(*).node.address(*).address")
            if seen:
                for dst in targets:
                    if dst in seen:
                        return

            ctx.update(idmef=idmef, timer_rst=ctx.getUpdateCount())
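    def run(self, idmef):
        """Flag alerts whose source address is listed in the Spamhaus DROP data.

        Every source address of the alert is parsed; addresses that fall within
        the loaded DROP data open or refresh a per-source "SPAMHAUS" context
        carrying the alert and tagged with this rule's name.

        Args:
            idmef: the IDMEF alert being correlated.
        """
        for source in idmef.get("alert.source(*).node.address(*).address"):
            # Source addresses may be host names or malformed strings that
            # IPAddress() rejects; those cannot match the list, so skip them.
            # The handler is narrowed to Exception: the previous bare `except:`
            # also swallowed KeyboardInterrupt/SystemExit.
            try:
                addr = IPAddress(source)
            except Exception:
                continue

            # self.__data.get() is assumed to return a container supporting
            # `in` for IPAddress values (e.g. an IP set) — confirm.
            if addr not in self.__data.get():
                continue

            ca = Context(("SPAMHAUS", source), {
                "expire": 300,
                "alert_on_expire": True
            },
                         update=True,
                         idmef=idmef,
                         ruleid=self.name)
            if ca.getUpdateCount() == 0:
                # First hit for this source: describe the correlation alert.
                ca.set("alert.classification.text",
                       "IP source matching Spamhaus DROP dataset")
                ca.set("alert.correlation_alert.name",
                       "IP source matching Spamhaus DROP dataset")
                ca.set(
                    "alert.assessment.impact.description",
                    "Spamhaus gathered this IP address in their DROP list - %s"
                    % source)
                ca.set("alert.assessment.impact.severity", "medium")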
    def _BruteUserForce(self, idmef):
        """Open or refresh a "BRUTE USER" context for each targeted user name.

        Every user name in the alert gets its own context keyed on the name and
        tagged with this rule's name. When the context is brand new, the
        correlation alert's classification, name, severity and description are
        filled in. The option values are handed straight to Context (threshold
        5 / expire 120 — presumably five alerts within 120 seconds; confirm).

        Args:
            idmef: the IDMEF alert being correlated.
        """
        usernames = idmef.get("alert.target(*).user.user_id(*).name")
        if not usernames:
            return

        labels = (
            ("alert.classification.text", "Brute Force attack"),
            ("alert.correlation_alert.name", "Multiple failed login against a single account"),
            ("alert.assessment.impact.severity", "high"),
            ("alert.assessment.impact.description", "Multiple failed attempts have been made to login to a user account"),
        )
        for name in usernames:
            ctx = Context(
                ("BRUTE USER", name),
                {"expire": 120, "threshold": 5, "alert_on_expire": True},
                update=True,
                idmef=idmef,
                ruleid=self.name,
            )
            if ctx.getUpdateCount() != 0:
                continue
            # First failure seen for this user: label the correlation alert.
            for path, value in labels:
                ctx.set(path, value)
    def _BruteForce(self, idmef):
        """Open or refresh a "BRUTE ST" context per (source, target) node.

        Unlike the per-address variant, the key holds the sorted list of all
        addresses of each source/target node, so a multi-homed node maps to a
        single context. Nodes without any address are skipped. The second
        argument to idmef.get() presumably disables flattening so that whole
        nodes are returned — confirm. The option values are passed straight to
        Context (threshold 5 / expire 120 — presumably five alerts within 120
        seconds; confirm).

        Args:
            idmef: the IDMEF alert being correlated.
        """
        def addresses_of(path):
            # One sorted address list per node under `path`.
            return [
                sorted(node.get('node.address(*).address'))
                for node in idmef.get(path, False)
            ]

        sources = addresses_of('alert.source(*)')
        targets = addresses_of('alert.target(*)')

        labels = (
            ("alert.classification.text", "Brute Force attack"),
            ("alert.correlation_alert.name", "Multiple failed login"),
            ("alert.assessment.impact.severity", "high"),
            ("alert.assessment.impact.description", "Multiple failed attempts have been made to login using different account"),
        )
        for src in sources:
            if not src:
                continue

            for dst in targets:
                if not dst:
                    continue

                ctx = Context(
                    ("BRUTE ST", src, dst),
                    {"expire": 120, "threshold": 5, "alert_on_expire": True},
                    update=True,
                    idmef=idmef,
                    ruleid=self.name,
                )
                if ctx.getUpdateCount() != 0:
                    continue
                # First failure for this pair: label the correlation alert.
                for path, value in labels:
                    ctx.set(path, value)
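    def run(self, idmef):
        """Flag one source replaying the same event class against many targets.

        One "SCAN EVENTSWEEP" context is kept per (classification, source)
        pair. A target address already recorded in the context is not counted
        again: in that case the function returns without updating the
        context. The option values are passed straight to Context (threshold
        30 / expire 60 — presumably 30 distinct targets within 60 seconds;
        confirm).

        Args:
            idmef: the IDMEF alert being correlated.
        """
        classification = idmef.get("alert.classification.text")
        source = idmef.get("alert.source(*).node.address(*).address")
        target = idmef.get("alert.target(*).node.address(*).address")

        if not source or not target or not classification:
            return

        for saddr in source:
            ctx = Context(("SCAN EVENTSWEEP", classification, saddr), { "expire": 60, "threshold": 30, "alert_on_expire": True }, overwrite = False)
            if ctx.getUpdateCount() == 0:
                # Fresh context: label the correlation alert.
                ctx.set("alert.correlation_alert.name", "A single host has played the same event against multiple targets. This may be a network scan for a specific vulnerability")
                ctx.set("alert.classification.text", "Eventsweep")
                ctx.set("alert.assessment.impact.severity", "high")

            # Count each target only once per context. The unused
            # `insert = False` local that used to sit here was dropped.
            cur = ctx.get("alert.target(*).node.address(*).address")
            if cur and any(address in cur for address in target):
                # NOTE(review): this leaves the function, so any remaining
                # source address is not processed — confirm this is intended.
                return

            ctx.update(idmef=idmef, timer_rst=ctx.getUpdateCount())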