def test_processFolder(self):
    """Process the ``update`` folder and verify the objects it produced.

    Every ``.get()`` below doubles as an assertion: the lookup raises when no
    single matching row exists, which fails the test.  The suppress check at
    the end only verifies that each returned address is one of the expected
    two; it does not verify that both are present.
    """
    UpdateTasks.processFolder(path="update", update=self.update)

    # Generator record created for the general snort alert.
    generator = Generator.objects.get(GID=1, alertID=1, message="snort general alert")
    print(repr(generator))

    # Reference type that carries a URL prefix.
    RuleReferenceType.objects.get(name="bugtraq", urlPrefix="http://www.securityfocus.com/bid/")

    # Reference types that processing the rule should have created.
    arachnids_type = RuleReferenceType.objects.get(name="arachnids")
    url_type = RuleReferenceType.objects.get(name="url")

    # The rule itself and the revision we expect it to carry.
    rule = Rule.objects.get(SID=2000000)
    revision = rule.revisions.get(rev=10, msg="DELETED BACKDOOR subseven 22")

    # References attached to that revision.
    revision.references.get(reference="485", referenceType=arachnids_type)
    revision.references.get(reference="www.hackfix.org/subseven/", referenceType=url_type)

    # Event filter attached to the rule for all sensors.
    rule.eventFilters.get(
        sensor=self.allSensors,
        eventFilterType=EventFilter.LIMIT,
        track=EventFilter.SOURCE,
        count=1,
        seconds=60,
    )

    # Suppression for all sensors; each address must be one of the expected ones.
    suppress = rule.suppress.get(sensor=self.allSensors, track=Suppress.DESTINATION)
    expected_addresses = ("192.168.0.1", "192.168.1.1/24")
    # NOTE(review): getAddresses is iterated without being called; presumably
    # a property — confirm against the Suppress model.
    for address in suppress.getAddresses:
        if address not in expected_addresses:
            self.fail("Suppress address not found or incorrect.")
def test_runUpdate(self):
    """Run a manual update from a rules file and verify the resulting rule.

    The ``.get()`` lookup doubles as the assertion: it raises when no single
    rule matches, which fails the test.
    """
    rules_file = "update/test.rules"
    UpdateTasks.runUpdate(rules_file)

    # The rule from the file must exist, be active, and carry priority 10.
    Rule.objects.get(SID=2000000, active=True, priority=10)

# Disabled tests kept from the original file (commented out upstream).
#
# def test_weirdRule(self):
#     rule = self.update.updateRule('alert udp any 53 -> ![$DNS_SERVERS,$SMTP_SERVERS] any (msg:"ET POLICY Unusual number of DNS No Such Name Responses"; content:"|83|"; offset:3; depth:1; threshold: type both , track by_dst, count 50, seconds 300; reference:url,doc.emergingthreats.net/2003195; classtype:bad-unknown; sid:2003195; rev:5;)', "example2.rules")
#     rule.revisions.get(rev=5)
#
# def test_deleteRevisions(self):
#     self.update.updateRule('alert udp any 53 -> ![$DNS_SERVERS,$SMTP_SERVERS] any (msg:"ET POLICY Unusual number of DNS No Such Name Responses"; content:"|83|"; offset:3; depth:1; threshold: type both , track by_dst, count 50, seconds 300; reference:url,doc.emergingthreats.net/2003195; classtype:bad-unknown; sid:2003195; rev:1;)', "example.rules")
#     self.update.updateRule('alert udp any 53 -> ![$DNS_SERVERS,$SMTP_SERVERS] any (msg:"ET POLICY Unusual number of DNS No Such Name Responses"; content:"|83|"; offset:3; depth:1; threshold: type both , track by_dst, count 50, seconds 300; reference:url,doc.emergingthreats.net/2003195; classtype:bad-unknown; sid:2003195; rev:2;)', "example.rules")
#     self.update.updateRule('alert udp any 53 -> ![$DNS_SERVERS,$SMTP_SERVERS] any (msg:"ET POLICY Unusual number of DNS No Such Name Responses"; content:"|83|"; offset:3; depth:1; threshold: type both , track by_dst, count 50, seconds 300; reference:url,doc.emergingthreats.net/2003195; classtype:bad-unknown; sid:2003195; rev:3;)', "example.rules")
#     self.update.updateRule('alert udp any 53 -> ![$DNS_SERVERS,$SMTP_SERVERS] any (msg:"ET POLICY Unusual number of DNS No Such Name Responses"; content:"|83|"; offset:3; depth:1; threshold: type both , track by_dst, count 50, seconds 300; reference:url,doc.emergingthreats.net/2003195; classtype:bad-unknown; sid:2003195; rev:4;)', "example.rules")
#     self.update.updateRule('alert udp any 53 -> ![$DNS_SERVERS,$SMTP_SERVERS] any (msg:"ET POLICY Unusual number of DNS No Such Name Responses"; content:"|83|"; offset:3; depth:1; threshold: type both , track by_dst, count 50, seconds 300; reference:url,doc.emergingthreats.net/2003195; classtype:bad-unknown; sid:2003195; rev:5;)', "example.rules")
#
#     rule = Rule.objects.get(SID=2003195)
#
#     self.assertTrue(rule.revisions.count() == 2)
def test_processFolder(self):
    """Process the ``update`` folder and check the records it created.

    Each ``.get()`` call is an implicit assertion: it raises unless exactly
    one matching row exists.  The final suppress check only confirms that no
    unexpected address is returned; an empty address list would pass.
    """
    UpdateTasks.processFolder(path="update", update=self.update)

    # Generator for the general snort alert.
    gen = Generator.objects.get(GID=1, alertID=1, message="snort general alert")
    print(repr(gen))

    # Reference type with its URL prefix.
    RuleReferenceType.objects.get(
        name="bugtraq", urlPrefix="http://www.securityfocus.com/bid/")

    # Reference types the rule should have generated.
    type_arachnids = RuleReferenceType.objects.get(name="arachnids")
    type_url = RuleReferenceType.objects.get(name="url")

    # Rule and the revision it should carry.
    rule = Rule.objects.get(SID=2000000)
    rev = rule.revisions.get(rev=10, msg="DELETED BACKDOOR subseven 22")

    # References on that revision.
    rev.references.get(reference="485", referenceType=type_arachnids)
    rev.references.get(reference="www.hackfix.org/subseven/", referenceType=type_url)

    # Event filter on the rule for all sensors.
    rule.eventFilters.get(sensor=self.allSensors,
                          eventFilterType=EventFilter.LIMIT,
                          track=EventFilter.SOURCE,
                          count=1,
                          seconds=60)

    # Suppression on the rule; stop at the first unexpected address.
    suppress = rule.suppress.get(sensor=self.allSensors, track=Suppress.DESTINATION)
    allowed = ("192.168.0.1", "192.168.1.1/24")
    # NOTE(review): getAddresses is iterated without being called; presumably
    # a property — confirm against the Suppress model.
    if any(addr not in allowed for addr in suppress.getAddresses):
        self.fail("Suppress address not found or incorrect.")
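# Django settings must be configured before the model import below.
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "srm.settings")
from update.models import Source
from update.tasks import UpdateTasks

if __name__ == "__main__":
    logger = logging.getLogger(__name__)

    # Grab the parameters: <update directory> is required, <source> optional.
    try:
        filename = sys.argv[1]
    except IndexError:
        # Fix: the program name was never substituted into the usage line,
        # so it printed a literal "%s".
        print("Usage: %s <update directory> [<source>] [create]" % sys.argv[0])
        sys.exit(1)
    try:
        sourcename = sys.argv[2]
    except IndexError:
        sourcename = "Manual"

    logger.info("Starting the update, with PID:%d, from: %s", os.getpid(), filename)

    # Create the source if requested and it does not exist yet.  "create" is
    # matched anywhere in argv, including the positional arguments, so a
    # source literally named "create" would trigger this too.
    if "create" in sys.argv:
        s, c = Source.objects.get_or_create(name=sourcename)
        if c:
            logger.info("Created a new source during updates: %s", s)

    # Start doing the update.  `filename` comes straight from the command
    # line and is passed on without any check here.
    UpdateTasks.runUpdate(filename, sourcename)
    logger.info("Finished the update, with PID:%d, from: %s", os.getpid(), filename)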
logger.info("Created a new source during updates: %s", s) else: try: s = Source.objects.get(name=sourcename) except: logger.warning("Could not find a source for the manual update.") sys.exit(1) if (s.locked): logger.info( "Could not update '%s', as there seems to already be an update going for this source." % s.name) sys.exit(1) else: s.locked = True s.save() logger.info("Starting the update from %s, with PID:%d." % (s.name, os.getpid())) # Start doing the update. try: UpdateTasks.runUpdate(filename, sourcename) logger.info("Finished the update, with PID:%d, from: %s" % (os.getpid(), filename)) except: logger.warning("Something happened while doing a manual update of %s", s.name) finally: s.locked = False s.save()
source.locked = False source.save() sys.exit(1) logger.debug("Downloaded-MD5:'%s'" % str(_hash.hexdigest())) logger.debug("LastUpdate-MD5:'%s'" % str(source.lastMd5)) if (str(_hash.hexdigest()) != str(source.lastMd5)): UpdateLog.objects.create( update=update, time=datetime.datetime.now(), logType=UpdateLog.PROGRESS, text="7 Starting to process the download.") logger.info("Processing the download") try: UpdateTasks.runUpdate(filename, source.name, update=update) except Exception as e: logger.critical("Hit exception while running update: %s" % str(e)) UpdateLog.objects.create( update=update, time=datetime.datetime.now(), logType=UpdateLog.PROGRESS, text= "100 ERROR: Hit an exception while processing the update.") logger.debug("%s" % (traceback.format_exc())) source.locked = False source.save() sys.exit(1) logger.info("Storing md5 of this update: %s" % (_hash.hexdigest()))
except urllib2.HTTPError as e: UpdateLog.objects.create(update=update, time=datetime.datetime.now(), logType=UpdateLog.PROGRESS, text="100 Error during downloading. Check log for details..") logger.error("Error during download: %s" % str(e)) source.locked = False source.save() sys.exit(1) logger.debug("Downloaded-MD5:'%s'" % str(_hash.hexdigest())) logger.debug("LastUpdate-MD5:'%s'" % str(source.lastMd5)) if(str(_hash.hexdigest()) != str(source.lastMd5)): UpdateLog.objects.create(update=update, time=datetime.datetime.now(), logType=UpdateLog.PROGRESS, text="7 Starting to process the download.") logger.info("Processing the download" ) try: UpdateTasks.runUpdate(filename, source.name, update=update) except Exception as e: logger.critical("Hit exception while running update: %s" % str(e)) UpdateLog.objects.create(update=update, time=datetime.datetime.now(), logType=UpdateLog.PROGRESS, text="100 ERROR: Hit an exception while processing the update.") logger.debug("%s" % (traceback.format_exc())) source.locked = False source.save() sys.exit(1) logger.info("Storing md5 of this update: %s" % (_hash.hexdigest())) source.lastMd5 = _hash.hexdigest() source.save() else: logger.info("The downloaded file has the same md5sum as the last file we updated from. Skipping update.") UpdateLog.objects.create(update=update, time=datetime.datetime.now(), logType=UpdateLog.PROGRESS, text="100 Downloaded file is processed earlier. Finishing.") else: