def delay_confirm_log(self, secs=60):
    """Park a copy of the current event-log record in Mongo for deferred confirmation.

    The record is deep-copied so the stored document cannot alias the live
    ``self.log.record`` and silently pick up later mutations; it is then
    tagged with a ``_delay_info`` sub-document (pick-up time, data type
    ``"event_log"`` and this detector's ``self.code``) and inserted.

    Args:
        secs: seconds passed, negated, to ``move_n_sec`` when computing
            ``_delay_info.time``. Defaults to 60.

    NOTE(review): ``_delay_info.time`` is ``move_n_sec(now, -secs)``. Whether
    that lands before or after "now" depends on ``move_n_sec``'s sign
    convention, which is not visible here; the delayed-data query selects
    ``_delay_info.time <= now``, so confirm the sign gives the intended delay.
    """
    delay_info = {
        "time": move_n_sec(datetime_now_obj(), -secs),
        "data_type": "event_log",
        "alert_code": self.code,
    }
    pending = copy.deepcopy(self.log.record)
    pending["_delay_info"] = delay_info
    self.mongo.insert_one(pending)
def delay_confirm_krb(self, secs=10):
    """Park a copy of the current Kerberos traffic record in Mongo for deferred confirmation.

    Mirrors ``delay_confirm_log`` for ``self.krb.record``: the record is
    deep-copied (no aliasing of the live object), tagged with a
    ``_delay_info`` sub-document whose ``data_type`` is
    ``"traffic_kerberos"`` and whose ``alert_code`` is ``self.code``, then
    inserted.

    Args:
        secs: seconds passed, negated, to ``move_n_sec`` when computing
            ``_delay_info.time``. Defaults to 10.

    NOTE(review): as with the event-log variant, the sign convention of
    ``move_n_sec`` decides whether the stored time is in the past or the
    future relative to the ``<= now`` pick-up query; confirm.
    """
    delay_info = {
        "time": move_n_sec(datetime_now_obj(), -secs),
        "data_type": "traffic_kerberos",
        "alert_code": self.code,
    }
    pending = copy.deepcopy(self.krb.record)
    pending["_delay_info"] = delay_info
    self.mongo.insert_one(pending)
def save_ticket(self, ticket_doc):
    """Persist a Kerberos ticket document to the Redis cache and to Elasticsearch.

    Redis first: key is ``ticket_data.ticket_hash``, value is
    ``ticket_type``, TTL is ``60 * 60 * main_config.TGT_maximum_lifetime``
    seconds (so the setting is presumably expressed in hours — verify).
    Then the full document is queued via ``delay_index`` into the daily
    ticket index (``krb5_ticket_write_index_prefix`` + today's log date).

    Args:
        ticket_doc: dict carrying at least ``ticket_type`` and
            ``ticket_data.ticket_hash``; a missing key raises ``KeyError``
            before anything is written.
    """
    ticket_hash = ticket_doc["ticket_data"]["ticket_hash"]
    ticket_type = ticket_doc["ticket_type"]
    ttl_seconds = 60 * 60 * main_config.TGT_maximum_lifetime
    # cache the current ticket in redis first
    self.redis.set_str_value(ticket_hash, ticket_type, expire=ttl_seconds)

    today = datetime_to_log_date(datetime_now_obj())
    target_index = ElasticConfig.krb5_ticket_write_index_prefix + today
    # then queue it for the bulk ES write
    self.es.delay_index(
        body=ticket_doc,
        index=target_index,
        doc_type=ElasticConfig.krb5_ticket_doc_type,
    )
def run(self, log: Log):
    """Detect an NTLM logon whose source IP contradicts the named workstation.

    The event is examined only when every pre-check passes, in this order:
    the learning window has ended, a source IP is present, the
    authentication package is ``NTLM``, the target domain is not filtered,
    the source workstation is flagged sensitive, and the source IP is not
    filtered. An alert is then raised when the workstation's last recorded
    authentication IP is known, is not ``"unknown"``, differs from this
    logon's IP, and resolving the workstation name does not yield this IP
    either.

    Args:
        log: the parsed logon event. ``event_data`` must contain
            ``AuthenticationPackageName`` and ``LmPackageName``; a missing
            key raises ``KeyError``.

    Returns:
        The document from ``_generate_alert_doc`` (carrying the workstation
        last seen at the offending IP, the NTLM version, the resolved IPs
        and the last known IP), or ``None`` when any check rejects the event.

    NOTE(review): if ``source_info.work_station_name`` comes from the event's
    WorkstationName field it is supplied by the client in the NTLM exchange,
    so the peer can influence which sensitivity entry and history row are
    consulted here; confirm how that field is populated.
    """
    self.init(log=log)

    # no detection while the statistics/learning window is still open
    if datetime_now_obj() < main_config.learning_end_time:
        return
    ip_address = log.source_info.ip_address
    if not ip_address:
        return
    if log.event_data["AuthenticationPackageName"] != "NTLM":
        return

    work_station = log.source_info.work_station_name
    netbios_name = get_netbios_domain(log.target_info.domain_name)
    if filter_domain(netbios_name):
        return
    # to keep false positives low, only behaviour whose source host is a
    # sensitive host is considered for now
    is_sensitive = self.account_info.computer_is_sensitive_by_name(
        work_station, domain=netbios_name)
    if not is_sensitive:
        return
    if ip_filter(ip_address):
        return

    # most recent authentication IP recorded for this workstation name
    last_ip = self.account_history.search_last_ip_by_workstation(work_station)
    if not last_ip or last_ip in ("unknown", ip_address):
        return

    # second confirmation: the last IP differs, so resolve the hostname and
    # treat a match against the current IP as benign
    resolver_ips = self._get_host_ip(log)
    if ip_address in resolver_ips:
        return

    ntlm_version = "v1" if "V1" in log.event_data["LmPackageName"] else "v2"
    relay_workstation = self.account_history.get_last_workstation_by_ip(ip_address)
    return self._generate_alert_doc(
        relay_workstation=relay_workstation,
        ntlm_version=ntlm_version,
        resolver_ips=resolver_ips,
        last_ip=last_ip,
    )
def delay_index(self, body, index, doc_type):
    """Queue one document for a bulk Elasticsearch write, flushing when allowed.

    Two entries are appended to ``bulk_task_queue``: the ``index`` action
    header naming ``index``/``doc_type``, then ``body`` itself (stored as-is,
    not copied). When ``_can_do_bulk()`` reports a flush is due, the whole
    queue is sent through ``self.bulk``, the queue is replaced with an empty
    list and ``bulk_last_time`` is stamped.

    Args:
        body: the document to index.
        index: target index for this action (also passed to ``bulk`` as the
            default index).
        doc_type: ES document type for this action.

    NOTE(review): the queue is only emptied after ``self.bulk`` returns, so a
    raising bulk call leaves every queued document in place to be resent on
    the next flush, and a persistently failing backend grows the queue
    without bound. Nothing in this method flushes on shutdown; unless another
    path does, documents queued after the last successful flush are lost
    when the process exits.
    """
    action = {"index": {"_index": index, "_type": doc_type}}
    self.bulk_task_queue.extend((action, body))
    if not self._can_do_bulk():
        return
    self.bulk(body=self.bulk_task_queue, index=index, doc_type=doc_type)
    self.bulk_task_queue = []
    self.bulk_last_time = datetime_now_obj()
def save_activity(self, domain, user_name, sid, dc_name, timestamp, data: dict):
    """Queue one user-activity document for the daily user-activity ES index.

    Args:
        domain: domain name; normalised with ``get_netbios_domain`` before
            storage.
        user_name: account name as seen in the source event.
        sid: the account SID.
        dc_name: domain controller that reported the activity.
        timestamp: stored verbatim as ``@timestamp``; not validated here.
        data: activity payload stored under ``data`` as-is (not copied, so
            caller-side mutation before the bulk flush is visible).

    The ``activity_type`` field is taken from ``self.activity_type``. The
    target index is ``user_activity_write_index_prefix`` plus today's log
    date from ``datetime_now_obj()``, not the date of ``timestamp`` — a
    late-arriving event therefore lands in the current day's index.
    """
    today = datetime_to_log_date(datetime_now_obj())
    activity = {
        "domain": get_netbios_domain(domain),
        "user_name": user_name,
        "sid": sid,
        "activity_type": self.activity_type,
        "dc_name": dc_name,
        "@timestamp": timestamp,
        "data": data,
    }
    self.es.delay_index(
        body=activity,
        index=ElasticConfig.user_activity_write_index_prefix + today,
        doc_type=ElasticConfig.user_activity_doc_type,
    )
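def _get_delay_data(self) -> list:
    """Return every delayed document whose ``_delay_info.time`` is at or before now.

    Queries Mongo with ``{"_delay_info.time": {"$lte": now}}`` and
    materialises all matches into a list (``list(...)`` replaces the
    identity comprehension ``[each for each in ...]`` of the original).

    Returns:
        A list of the matching documents as produced by ``find_all``.

    NOTE(review): nothing here removes or marks the returned documents, and
    there is no projection or limit; unless the consumer deletes them, the
    same documents come back on every call and the result grows with the
    collection.
    """
    query = {"_delay_info.time": {"$lte": datetime_now_obj()}}
    return list(self.mongo.find_all(query))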
def __init__(self):
    """Create the Elasticsearch client and the empty bulk-write state.

    Attributes set here:
        es: ``Elasticsearch`` client built from ``ElasticConfig.uri``.
        _multi_search_results: empty list (presumably filled by a
            multi-search helper elsewhere — not visible here).
        bulk_task_queue: pending action/body pairs for the next bulk write.
        bulk_last_time: time of the last flush, initialised to construction time.

    NOTE(review): no TLS or authentication options are passed to the client
    here, so whatever transport security applies must come from the URI
    itself; confirm it is not plain http to a non-local host.
    """
    self._multi_search_results: list = []
    self.bulk_task_queue: list = []
    self.bulk_last_time = datetime_now_obj()
    self.es = Elasticsearch(ElasticConfig.uri)