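def process_message_pattern(self, data, data_len):
    """Handle a PATTERN message and store it as a suggestion.

    ``data`` is a run of TLV fields, decoded one at a time with
    ``ASECTLV.tlv_decode``, carrying a suggestion group id, a filename and a
    JSON string; each value is base64 encoded on the wire.  The first message
    seen for a group id creates an ``AsecDb_Suggestion`` row; every message
    adds an ``AsecDb_Suggestion_pattern`` row.

    data: TLV payload, already base64-decoded by ``process``.
    data_len: number of bytes of ``data`` to consume.

    A missing or malformed group id is logged and the message is dropped;
    nothing is written to the model in that case.

    NOTE(review): this page shows two near-identical definitions of this
    method.  Inside one class body the later definition silently replaces
    the earlier one -- confirm which is intended and remove the other.
    """
    logger.info("processing message: pattern")
    t_uuid = ""
    filename = ""
    json_str = ""
    offset = 0
    while offset < data_len:
        s_type, s_len, s_value = ASECTLV.tlv_decode(data[offset:])
        # 8 is taken to be the TLV header (type + length) that tlv_decode
        # consumed ahead of the value -- confirm against ASECTLV.
        step = s_len + 8
        if step <= 0:
            # A field that does not advance the cursor would spin forever on
            # a malformed payload; stop and log instead.
            logger.error("invalid tlv length: %s" % s_len)
            break
        offset += step
        if s_type == ASECTLV.TLV_TYPE_PATTERN_FIELD_ID:
            logger.info("pattern_fieldid")
            t_uuid = base64.b64decode(s_value)
        elif s_type == ASECTLV.TLV_TYPE_PATTERN_FIELD_FILENAME:
            logger.info("pattern_field_filename")
            # The peer supplies this name verbatim and it is stored without
            # validation, so whatever later opens it must treat it as
            # untrusted input.
            filename = base64.b64decode(s_value).rstrip('\n')
        elif s_type == ASECTLV.TLV_TYPE_PATTERN_FIELD_JSON_STR:
            logger.info("pattern_field_json")
            json_str = base64.b64decode(s_value).rstrip('\n')
        else:
            logger.error("unknown type: %s" % s_type)
    # UUID() rejects an empty or malformed id with ValueError; previously
    # that only surfaced as a traceback logged by the caller.
    try:
        group_id = UUID(t_uuid).bytes
    except ValueError:
        logger.error("invalid or missing pattern field id: %r" % t_uuid)
        return
    if self.__asecmodel.get_suggestion(t_uuid) is None:
        suggestion = AsecDb_Suggestion(
            suggestion_group_id=group_id, filename=filename, location="")
        self.__asecmodel.set_suggestion(suggestion)
    suggestion_pattern = AsecDb_Suggestion_pattern(
        suggestion_group_id=group_id, pattern_json=json_str)
    self.__asecmodel.set_suggestion_pattern(suggestion_pattern)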
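def process_message_active_plugin(self, data, data_len):
    """Handle an ACTIVE_PLUGIN message and store it as a notification.

    The TLV fields carry the plugin id (decimal string), the plugin name, the
    sensor id and a log file name, each base64 encoded on the wire.  An
    unparsable plugin id is logged and recorded as 0; a missing or malformed
    sensor id is logged and the message is dropped.

    data: TLV payload, already base64-decoded by ``process``.
    data_len: number of bytes of ``data`` to consume.

    NOTE(review): this page shows two near-identical definitions of this
    method.  Inside one class body the later definition silently replaces
    the earlier one -- confirm which is intended and remove the other.
    """
    logger.info("processing active plugin message")
    plugin_id = ""
    plugin_name = ""
    sensor_id = ""
    log_file = ""
    offset = 0
    while offset < data_len:
        s_type, s_len, s_value = ASECTLV.tlv_decode(data[offset:])
        # 8 is taken to be the TLV header (type + length) that tlv_decode
        # consumed ahead of the value -- confirm against ASECTLV.
        step = s_len + 8
        if step <= 0:
            # A field that does not advance the cursor would spin forever on
            # a malformed payload; stop and log instead.
            logger.error("invalid tlv length: %s" % s_len)
            break
        offset += step
        if s_type == ASECTLV.TLV_TYPE_ACTIVE_PLUGIN_FIELD_PLUGIN_ID:
            plugin_id = base64.b64decode(s_value).rstrip('\n')
            logger.info("pattern_pluginid: %s" % plugin_id)
        elif s_type == ASECTLV.TLV_TYPE_ACTIVE_PLUGIN_FIELD_PLUGIN_NAME:
            plugin_name = base64.b64decode(s_value).rstrip('\n')
            logger.info("pattern_field_pluginname :%s" % plugin_name)
        elif s_type == ASECTLV.TLV_TYPE_ACTIVE_PLUGIN_FIELD_PLUGIN_SENSOR_ID:
            sensor_id = base64.b64decode(s_value)
            logger.info("pattern_field_sensorid :%s" % sensor_id)
        elif s_type == ASECTLV.TLV_TYPE_ACTIVE_PLUGIN_FIELD_PLUGIN_LOG_FILE:
            # Peer-supplied path stored without validation; treat it as
            # untrusted wherever it is later opened.
            log_file = base64.b64decode(s_value)
        else:
            logger.error("unknown type: %s" % s_type)
    # int() fails with ValueError on a non-numeric string; the old bare
    # except also hid unrelated errors such as KeyboardInterrupt.
    try:
        pid = int(plugin_id)
    except (ValueError, TypeError):
        logger.error("invalid plugin %s" % plugin_id)
        pid = 0
    # UUID() rejects an empty or malformed id with ValueError; previously
    # that only surfaced as a traceback logged by the caller.
    try:
        sensor_bytes = UUID(sensor_id).bytes
    except ValueError:
        logger.error("invalid or missing sensor id: %r" % sensor_id)
        return
    notification = AsecDb_Notification(
        plugin_id=pid, sensor_id=sensor_bytes,
        rule_name=plugin_name, log_file=log_file)
    self.__asecmodel.set_notification(notification)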
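def process_message_mlog4fwk(self, data, data_len):
    """Handle an MLOG4FWK message and store it as an alarm coincidence.

    The TLV fields carry a sample log line, a regular expression and the
    sensor id.  The regexp and sensor id are base64 encoded on the wire; the
    log line is kept exactly as received (its base64 decode was left
    commented out in the original and is deliberately not applied here).

    data: TLV payload, already base64-decoded by ``process``.
    data_len: number of bytes of ``data`` to consume.

    A missing or malformed sensor id is logged and the message is dropped.
    """
    logger.info("processing message: mlog4fwk")
    logstr = ""
    sensor = ""
    regex = ""
    offset = 0
    while offset < data_len:
        s_type, s_len, s_value = ASECTLV.tlv_decode(data[offset:])
        # 8 is taken to be the TLV header (type + length) that tlv_decode
        # consumed ahead of the value -- confirm against ASECTLV.
        step = s_len + 8
        if step <= 0:
            # A field that does not advance the cursor would spin forever on
            # a malformed payload; stop and log instead.
            logger.error("invalid tlv length: %s" % s_len)
            break
        offset += step
        if s_type == ASECTLV.TLV_TYPE_MLOG4FWK_FIELD_LOG_LINE:
            # Stored raw, not base64-decoded, unlike the other fields.
            logstr = s_value
        elif s_type == ASECTLV.TLV_TYPE_MLOG4FWK_FIELD_REGEXP:
            # Peer-supplied pattern persisted without validation: anything
            # that later compiles it should bound the input it is run on.
            regex = base64.b64decode(s_value)
        elif s_type == ASECTLV.TLV_TYPE_MLOG4FWK_FIELD_SENSOR_ID:
            sensor = base64.b64decode(s_value)
            logger.info("Campo Sensor :%s - %d" % (sensor, len(sensor)))
        else:
            logger.error("unknown type: %s" % s_type)
    # UUID() rejects an empty or malformed id with ValueError; previously
    # that only surfaced as a traceback logged by the caller.
    try:
        sensor_bytes = UUID(sensor).bytes
    except ValueError:
        logger.error("invalid or missing sensor id: %r" % sensor)
        return
    obj = AsecDb_AlarmCoincidence(
        data=regex, sample_log=logstr, sensor_id=sensor_bytes)
    self.__asecmodel.set_alarm_coincidence(obj)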
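def process_message_pattern(self, data, data_len):
    """Handle a PATTERN message and store it as a suggestion.

    ``data`` is a run of TLV fields, decoded one at a time with
    ``ASECTLV.tlv_decode``, carrying a suggestion group id, a filename and a
    JSON string; each value is base64 encoded on the wire.  The first message
    seen for a group id creates an ``AsecDb_Suggestion`` row; every message
    adds an ``AsecDb_Suggestion_pattern`` row.

    data: TLV payload, already base64-decoded by ``process``.
    data_len: number of bytes of ``data`` to consume.

    A missing or malformed group id is logged and the message is dropped;
    nothing is written to the model in that case.

    NOTE(review): this page shows two near-identical definitions of this
    method.  Inside one class body the later definition silently replaces
    the earlier one -- confirm which is intended and remove the other.
    """
    logger.info("processing message: pattern")
    t_uuid = ""
    filename = ""
    json_str = ""
    offset = 0
    while offset < data_len:
        s_type, s_len, s_value = ASECTLV.tlv_decode(data[offset:])
        # 8 is taken to be the TLV header (type + length) that tlv_decode
        # consumed ahead of the value -- confirm against ASECTLV.
        step = s_len + 8
        if step <= 0:
            # A field that does not advance the cursor would spin forever on
            # a malformed payload; stop and log instead.
            logger.error("invalid tlv length: %s" % s_len)
            break
        offset += step
        if s_type == ASECTLV.TLV_TYPE_PATTERN_FIELD_ID:
            logger.info("pattern_fieldid")
            t_uuid = base64.b64decode(s_value)
        elif s_type == ASECTLV.TLV_TYPE_PATTERN_FIELD_FILENAME:
            logger.info("pattern_field_filename")
            # The peer supplies this name verbatim and it is stored without
            # validation, so whatever later opens it must treat it as
            # untrusted input.
            filename = base64.b64decode(s_value).rstrip('\n')
        elif s_type == ASECTLV.TLV_TYPE_PATTERN_FIELD_JSON_STR:
            logger.info("pattern_field_json")
            json_str = base64.b64decode(s_value).rstrip('\n')
        else:
            logger.error("unknown type: %s" % s_type)
    # UUID() rejects an empty or malformed id with ValueError; previously
    # that only surfaced as a traceback logged by the caller.
    try:
        group_id = UUID(t_uuid).bytes
    except ValueError:
        logger.error("invalid or missing pattern field id: %r" % t_uuid)
        return
    if self.__asecmodel.get_suggestion(t_uuid) is None:
        suggestion = AsecDb_Suggestion(
            suggestion_group_id=group_id, filename=filename, location="")
        self.__asecmodel.set_suggestion(suggestion)
    suggestion_pattern = AsecDb_Suggestion_pattern(
        suggestion_group_id=group_id, pattern_json=json_str)
    self.__asecmodel.set_suggestion_pattern(suggestion_pattern)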
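def process_message_active_plugin(self, data, data_len):
    """Handle an ACTIVE_PLUGIN message and store it as a notification.

    The TLV fields carry the plugin id (decimal string), the plugin name, the
    sensor id and a log file name, each base64 encoded on the wire.  An
    unparsable plugin id is logged and recorded as 0; a missing or malformed
    sensor id is logged and the message is dropped.

    data: TLV payload, already base64-decoded by ``process``.
    data_len: number of bytes of ``data`` to consume.

    NOTE(review): this page shows two near-identical definitions of this
    method.  Inside one class body the later definition silently replaces
    the earlier one -- confirm which is intended and remove the other.
    """
    logger.info("processing active plugin message")
    plugin_id = ""
    plugin_name = ""
    sensor_id = ""
    log_file = ""
    offset = 0
    while offset < data_len:
        s_type, s_len, s_value = ASECTLV.tlv_decode(data[offset:])
        # 8 is taken to be the TLV header (type + length) that tlv_decode
        # consumed ahead of the value -- confirm against ASECTLV.
        step = s_len + 8
        if step <= 0:
            # A field that does not advance the cursor would spin forever on
            # a malformed payload; stop and log instead.
            logger.error("invalid tlv length: %s" % s_len)
            break
        offset += step
        if s_type == ASECTLV.TLV_TYPE_ACTIVE_PLUGIN_FIELD_PLUGIN_ID:
            plugin_id = base64.b64decode(s_value).rstrip('\n')
            logger.info("pattern_pluginid: %s" % plugin_id)
        elif s_type == ASECTLV.TLV_TYPE_ACTIVE_PLUGIN_FIELD_PLUGIN_NAME:
            plugin_name = base64.b64decode(s_value).rstrip('\n')
            logger.info("pattern_field_pluginname :%s" % plugin_name)
        elif s_type == ASECTLV.TLV_TYPE_ACTIVE_PLUGIN_FIELD_PLUGIN_SENSOR_ID:
            sensor_id = base64.b64decode(s_value)
            logger.info("pattern_field_sensorid :%s" % sensor_id)
        elif s_type == ASECTLV.TLV_TYPE_ACTIVE_PLUGIN_FIELD_PLUGIN_LOG_FILE:
            # Peer-supplied path stored without validation; treat it as
            # untrusted wherever it is later opened.
            log_file = base64.b64decode(s_value)
        else:
            logger.error("unknown type: %s" % s_type)
    # int() fails with ValueError on a non-numeric string; the old bare
    # except also hid unrelated errors such as KeyboardInterrupt.
    try:
        pid = int(plugin_id)
    except (ValueError, TypeError):
        logger.error("invalid plugin %s" % plugin_id)
        pid = 0
    # UUID() rejects an empty or malformed id with ValueError; previously
    # that only surfaced as a traceback logged by the caller.
    try:
        sensor_bytes = UUID(sensor_id).bytes
    except ValueError:
        logger.error("invalid or missing sensor id: %r" % sensor_id)
        return
    notification = AsecDb_Notification(
        plugin_id=pid, sensor_id=sensor_bytes,
        rule_name=plugin_name, log_file=log_file)
    self.__asecmodel.set_notification(notification)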
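def process(self, requestor, line):
    """Process one ASEC request line.

    requestor: source socket the line came from (not used here).
    line: the command text; it must carry a ``msg="<base64>"`` field whose
          decoded payload is one TLV whose type selects the handler.

    Decode and handler errors are logged and swallowed so a bad message from
    a peer cannot take the server down.  No ACK is sent yet.

    NOTE(review): this page shows two near-identical definitions of this
    method.  Inside one class body the later definition silently replaces
    the earlier one -- confirm which is intended and remove the other.
    """
    import traceback

    msg = Util.get_var("msg=\"([^\"]+)\"", line)
    # TODO ACK tlv
    try:
        # The base64 decode sits inside the try so a missing or corrupt msg
        # field is logged like any other bad message instead of escaping to
        # the caller.
        payload = base64.b64decode(msg)
        tlv_type, tlv_len, tlv_value = ASECTLV.tlv_decode(payload)
        if tlv_type == ASECTLV.TLV_TYPE_PATTERN:
            self.process_message_pattern(tlv_value, tlv_len)
        elif tlv_type == ASECTLV.TLV_TYPE_MLOG4FWK:
            self.process_message_mlog4fwk(tlv_value, tlv_len)
        elif tlv_type == ASECTLV.TLV_TYPE_ACTIVE_PLUGIN:
            self.process_message_active_plugin(tlv_value, tlv_len)
        else:
            logger.error("unknown tlv")
    except Exception as e:
        # print_exc() writes to stderr and returns None, so the previous
        # logger.error(traceback.print_exc()) only ever logged "None";
        # format_exc() returns the trace as a string.
        logger.error(traceback.format_exc())
        logger.error("ERROR: %s" % str(e))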
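def process(self, requestor, line):
    """Process one ASEC request line.

    requestor: source socket the line came from (not used here).
    line: the command text; it must carry a ``msg="<base64>"`` field whose
          decoded payload is one TLV whose type selects the handler.

    Decode and handler errors are logged and swallowed so a bad message from
    a peer cannot take the server down.  No ACK is sent yet.

    NOTE(review): this page shows two near-identical definitions of this
    method.  Inside one class body the later definition silently replaces
    the earlier one -- confirm which is intended and remove the other.
    """
    import traceback

    msg = Util.get_var("msg=\"([^\"]+)\"", line)
    # TODO ACK tlv
    try:
        # The base64 decode sits inside the try so a missing or corrupt msg
        # field is logged like any other bad message instead of escaping to
        # the caller.
        payload = base64.b64decode(msg)
        tlv_type, tlv_len, tlv_value = ASECTLV.tlv_decode(payload)
        if tlv_type == ASECTLV.TLV_TYPE_PATTERN:
            self.process_message_pattern(tlv_value, tlv_len)
        elif tlv_type == ASECTLV.TLV_TYPE_MLOG4FWK:
            self.process_message_mlog4fwk(tlv_value, tlv_len)
        elif tlv_type == ASECTLV.TLV_TYPE_ACTIVE_PLUGIN:
            self.process_message_active_plugin(tlv_value, tlv_len)
        else:
            logger.error("unknown tlv")
    except Exception as e:
        # print_exc() writes to stderr and returns None, so the previous
        # logger.error(traceback.print_exc()) only ever logged "None";
        # format_exc() returns the trace as a string.
        logger.error(traceback.format_exc())
        logger.error("ERROR: %s" % str(e))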