Example #1
0
def esLdapResults(begindateUTC=None, enddateUTC=None):
    '''an ES query/facet to count success/failed logins'''
    resultsList = list()
    if begindateUTC is None:
        begindateUTC = datetime.now() - timedelta(hours=1)
        begindateUTC = toUTC(begindateUTC)
    if enddateUTC is None:
        enddateUTC = datetime.now()
        enddateUTC = toUTC(enddateUTC)

    try:
        es_client = ElasticsearchClient(
            list('{0}'.format(s) for s in options.esservers))
        search_query = SearchQuery()
        range_match = RangeMatch('utctimestamp', begindateUTC, enddateUTC)

        search_query.add_must(range_match)
        search_query.add_must(TermMatch('tags', 'ldap'))

        search_query.add_must(
            TermMatch('details.result', 'LDAP_INVALID_CREDENTIALS'))

        search_query.add_aggregation(Aggregation('details.result'))
        search_query.add_aggregation(Aggregation('details.dn'))

        results = search_query.execute(es_client, indices=['events'])

        stoplist = ('o', 'mozilla', 'dc', 'com', 'mozilla.com',
                    'mozillafoundation.org', 'org', 'mozillafoundation')

        for t in results['aggregations']['details.dn']['terms']:
            if t['key'] in stoplist:
                continue
            failures = 0
            success = 0
            dn = t['key']

            details_query = SearchQuery()
            details_query.add_must(range_match)
            details_query.add_must(TermMatch('tags', 'ldap'))
            details_query.add_must(TermMatch('details.dn', dn))
            details_query.add_aggregation(Aggregation('details.result'))

            results = details_query.execute(es_client)

            for t in results['aggregations']['details.result']['terms']:
                if t['key'].upper() == 'LDAP_SUCCESS':
                    success = t['count']
                if t['key'].upper() == 'LDAP_INVALID_CREDENTIALS':
                    failures = t['count']
            resultsList.append(
                dict(dn=dn,
                     failures=failures,
                     success=success,
                     begin=begindateUTC.isoformat(),
                     end=enddateUTC.isoformat()))

        return (json.dumps(resultsList))
    except Exception as e:
        sys.stderr.write('Error trying to get ldap results: {0}\n'.format(e))
Example #2
0
    def main(self):

        superquery = None
        run = 0

        for user in self._config['users']:
            if run == 0:
                superquery = PhraseMatch('summary', user)
            else:
                superquery |= PhraseMatch('summary', user)
            run += 1

        r1 = datetime.datetime.now().replace(hour=5, minute=50,
                                             second=00).isoformat()
        r2 = datetime.datetime.now().replace(hour=6, minute=0,
                                             second=00).isoformat()

        search_query = SearchQuery(minutes=5)

        search_query.add_must([
            TermMatch('_type', 'event'),
            TermMatch('category', 'syslog'),
            TermMatch('details.program', 'sshd'),
            QueryStringMatch('summary:"session opened"'),
        ])

        search_query.add_must_not([RangeMatch('utctimestamp', r1, r2)])
        search_query.add_must(superquery)

        self.filtersManual(search_query)
        self.searchEventsAggregated('details.hostname', samplesLimit=10)
        self.walkAggregations(threshold=1)
Example #3
0
 def query_tests(self):
     begin_date = "2016-08-12T21:07:12.316450+00:00"
     end_date = "2016-08-13T21:07:12.316450+00:00"
     tests = {
         RangeMatch('utctimestamp', begin_date, end_date): [
             {
                 'utctimestamp': '2016-08-12T21:07:11.316450+00:00'
             },
             {
                 'utctimestamp': '2016-08-13T21:07:13.316450+00:00'
             },
         ],
     }
     return tests
Example #4
0
    def main(self):

        superquery = None
        run = 0

        for user in self._config['users'].values():
            if run == 0:
                superquery = PhraseMatch('summary', user)
            else:
                superquery |= PhraseMatch('summary', user)
            run += 1

        search_query = SearchQuery(minutes=10)

        search_query.add_must([
            TermMatch('_type', 'event'),
            TermMatch('category', 'syslog'),
            TermMatch('details.program', 'sshd'),
            QueryStringMatch('summary:"session opened"'),
        ])

        for expectedtime in self._config['scan_expected'].values():
            r1 = datetime.datetime.now().replace(
                hour=int(expectedtime['start_hour']),
                minute=int(expectedtime['start_minute']),
                second=int(expectedtime['start_second'])).isoformat()
            r2 = datetime.datetime.now().replace(
                hour=int(expectedtime['end_hour']),
                minute=int(expectedtime['end_minute']),
                second=int(expectedtime['end_second'])).isoformat()
            search_query.add_must_not([RangeMatch('utctimestamp', r1, r2)])

        search_query.add_must(superquery)

        self.filtersManual(search_query)
        self.searchEventsAggregated('details.program', samplesLimit=10)
        self.walkAggregations(threshold=1)