def handler(cls, options, config):
    """Print the value stored under a single lookup-table key.

    Args:
        cls: The command class this handler belongs to (not used here).
        options: Parsed CLI arguments; ``options.table`` and ``options.key``
            name the table and key to read.
        config: StreamAlert config handed to ``LookupTables.get_instance``.

    Returns:
        bool: Always ``True``; the result is only reported on stdout.
    """
    table_name = options.table
    key = options.key

    print('==== LookupTables; Get Key ====')
    # Return value intentionally unused: the call is kept for its side effect
    # (presumably initialising the shared instance that LookupTables.get reads,
    # since get() itself takes no config)
    LookupTables.get_instance(config=config)

    print(' Table: {}'.format(table_name))
    print(' Key: {}'.format(key))

    value = LookupTables.get(table_name, key)
    print()
    print(' Type: {}'.format(type(value)))

    # Containers are pretty-printed so nested structures stay readable
    if not isinstance(value, (list, dict)):
        print(' Value: {}'.format(value))
    else:
        print(' Value:')
        print(json.dumps(value, indent=2, sort_keys=True))
    print()
    return True
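def __init__(self, *rule_paths):
    """Set up the engine's shared state and import the rule modules.

    Args:
        *rule_paths: Folders to import rules and matchers from. When none are
            given, the ``rule_locations`` and ``matcher_locations`` lists under
            ``config['global']['general']`` are used instead.
    """
    # Class-level state is created on first use and then shared by every instance
    RulesEngine._config = RulesEngine._config or load_config()
    RulesEngine._threat_intel = (
        RulesEngine._threat_intel or ThreatIntel.load_from_config(self.config)
    )
    # Instantiate the alert forwarder to handle sending alerts to the alert processor
    RulesEngine._alert_forwarder = RulesEngine._alert_forwarder or AlertForwarder()

    # Load the lookup tables (always refreshed, unlike the attributes above)
    RulesEngine._lookup_tables = LookupTables.get_instance(config=self.config)

    # If no rule import paths are specified, default to the config. A tuple is
    # used rather than a set literal so the import order is fixed: iterating a
    # set of strings is hash-randomised, which previously meant rule_locations
    # and matcher_locations could be imported in a different order per process.
    rule_paths = rule_paths or [
        item
        for location in ('rule_locations', 'matcher_locations')
        for item in self.config['global']['general'][location]
    ]
    import_folders(*rule_paths)

    self._rule_stat_tracker = RuleStatisticTracker(
        'STREAMALERT_TRACK_RULE_STATS' in env,
        'LAMBDA_RUNTIME_DIR' in env
    )
    self._required_outputs_set = resources.get_required_outputs()
    self._load_rule_table(self.config)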
def handler(cls, options, config):
    """Overwrite one lookup-table key with a value given on the command line.

    Args:
        cls: The command class this handler belongs to (not used here).
        options: Parsed CLI arguments; uses ``options.table``, ``options.key``,
            ``options.value`` and the ``options.json`` flag.
        config: StreamAlert config handed to ``LookupTables.get_instance``.

    Returns:
        bool: ``True`` once the value is written; ``False`` when ``options.json``
        is set but ``options.value`` does not parse as JSON.
    """
    print('==== LookupTables; Set Key ====')
    table_name = options.table
    key = options.key

    if not options.json:
        new_value = options.value
    else:
        # --json: decode the raw string so a structured value is stored
        try:
            new_value = json.loads(options.value)
        except json.decoder.JSONDecodeError as err:
            print(' ERROR: Input is not valid JSON:')
            print(err)
            return False

    core = LookupTables.get_instance(config=config)
    print(' Table: {}'.format(table_name))
    print(' Key: {}'.format(key))

    table = core.table(table_name)
    previous = table.get(key)
    print(' Value: {} --> {}'.format(previous, new_value))
    LookupTablesMagic.set_table_value(table, key, new_value)
    return True
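def handler(cls, options, config):
    """Append a value to the list stored under a lookup-table key.

    Args:
        cls: The command class this handler belongs to (not used here).
        options: Parsed CLI arguments; uses ``options.table``, ``options.key``,
            ``options.value`` and the ``options.unique`` / ``options.sort`` flags.
        config: StreamAlert config handed to ``LookupTables.get_instance``.

    Returns:
        bool: ``True`` once the list is written; ``False`` when the existing
        value is present but is not a list.
    """
    print('==== LookupTables; List Add Key ====')
    table_name = options.table
    key = options.key

    core = LookupTables.get_instance(config=config)
    print(' Table: {}'.format(table_name))
    print(' Key: {}'.format(key))

    table = core.table(table_name)
    old_value = table.get(key)
    if old_value is None:
        # A missing key behaves like an empty list so the first add just works
        old_value = []
    if not isinstance(old_value, list):
        print(' ERROR: The current value is not a list: {}'.format(old_value))
        return False

    # Work on a shallow copy: old_value is printed below and may be the
    # table's own cached object
    new_value = list(old_value)
    new_value.append(options.value)
    if options.unique:
        # dict.fromkeys de-duplicates while keeping first-seen order. The previous
        # list(set(...)) reordered the items by hash, which is randomised per
        # process for strings, so the stored value was not reproducible between
        # runs unless --sort was also given.
        new_value = list(dict.fromkeys(new_value))
    if options.sort:
        new_value = sorted(new_value)

    print(' Value: {} --> {}'.format(old_value, new_value))
    LookupTablesMagic.set_table_value(table, key, new_value)
    return True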
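def handler(cls, options, config):
    """Print the name, driver id and driver type of every configured lookup table.

    Args:
        cls: The command class this handler belongs to (not used here).
        options: Parsed CLI arguments (not read by this command).
        config: StreamAlert config handed to ``LookupTables.get_instance``.

    Returns:
        bool: Always ``True``. The other LookupTables handlers return ``True``
        on success; this one previously fell through and returned ``None``,
        which a caller using the result as a success flag would read as failure.
    """
    print('==== LookupTables; Describe Tables ====\n')
    core = LookupTables.get_instance(config=config)
    lookup_tables = LookupTablesMagic.get_all_tables(core)
    print('{} Tables:\n'.format(len(lookup_tables)))

    for table in lookup_tables.values():
        print(' Table Name: {}'.format(table.table_name))
        print(' Driver Id: {}'.format(table.driver_id))
        # Trailing newline separates the entries
        print(' Driver Type: {}\n'.format(table.driver_type))
    return True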
def duo_lookup_tables_example(rec):
    """
    description: Alert on Duo auth logs from blacklisted browsers, as defined by a lookup table
    note: This is purely for example purposes in testing, and is not meant to be used as-is
    """
    # The 'global' fixture file at rules/test_fixtures/lookup_tables/dynamo-backed-table.json
    # creates the 'dynamo-backed-table' containing the 'duo_blacklisted_browsers' value.
    # An empty list is the fallback when the key is absent, so the rule then never fires.
    blocked_browsers = set(
        LookupTables.get('dynamo-backed-table', 'duo_blacklisted_browsers', [])
    )
    # The test event contains a browser of 'Netscape', which is
    # included in the lookup table blacklist
    browser = rec['access_device'].get('browser')
    return browser in blocked_browsers
def setup(self):
    """LookupTables - Start S3 and DynamoDB mocking and load the fixture data"""
    self.config = load_config('tests/unit/conf')

    # Both moto mocks must be running before any fixture data is written
    for attr_name, make_mock in (('s3_mock', mock_s3), ('dynamodb_mock', mock_dynamodb2)):
        mock = make_mock()
        mock.start()
        setattr(self, attr_name, mock)

    self._put_mock_data()
    # reset=True discards any instance left over from an earlier test
    self._lookup_tables = LookupTables.get_instance(config=self.config, reset=True)
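def handler(cls, options, config):
    """Replace the value under a lookup-table key with the contents of a JSON file.

    Args:
        cls: The command class this handler belongs to (not used here).
        options: Parsed CLI arguments; uses ``options.table``, ``options.key``
            and ``options.file`` (path of the JSON document to store).
        config: StreamAlert config handed to ``LookupTables.get_instance``.

    Returns:
        bool: ``True`` once the value is written; ``False`` when the file
        cannot be read or does not contain valid JSON. The failure is reported
        on stdout, matching the other LookupTables handlers rather than letting
        the exception escape.
    """
    print('==== LookupTables; Set from JSON File ====')
    core = LookupTables.get_instance(config=config)
    print(' Table: {}'.format(options.table))
    print(' Key: {}'.format(options.key))
    print(' File: {}'.format(options.file))

    table = core.table(options.table)
    old_value = table.get(options.key)

    # JSON is UTF-8 by specification, so do not depend on the locale encoding
    try:
        with open(options.file, "r", encoding="utf-8") as json_file_fp:
            new_value = json.load(json_file_fp)
    except OSError as err:
        print(' ERROR: Unable to read file {}:'.format(options.file))
        print(err)
        return False
    except json.decoder.JSONDecodeError as err:
        print(' ERROR: File is not valid JSON:')
        print(err)
        return False

    print(' Value: {} --> {}'.format(
        json.dumps(old_value, indent=2, sort_keys=True),
        json.dumps(new_value, indent=2, sort_keys=True)
    ))
    LookupTablesMagic.set_table_value(table, options.key, new_value)
    return True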