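def run(self, idmef):
    """Correlate ordinary events with firewall packet-denial alerts for the same flow.

    Every event carrying a source and a target address opens a context keyed on
    the (source, sport, target, dport) tuple.  The context expires after 10
    seconds and raises an alert on expiry, unless a matching packet-denial
    alert is seen first -- in that case the context is replaced (update=True)
    by one without ``alert_on_expire``, so nothing is raised.

    Args:
        idmef: incoming IDMEF message wrapper (project type).  ``Get`` with a
            default is assumed to return that default when the path is absent
            -- confirm against the wrapper.
    """
    source = idmef.Get("alert.source(0).node.address(0).address")
    sport = idmef.Get("alert.source(0).service.port", 0)
    target = idmef.Get("alert.target(0).node.address(0).address")
    dport = idmef.Get("alert.target(0).service.port", 0)

    # Nothing to correlate without both endpoints.
    if not source or not target:
        return

    # Join the fields with a separator so that distinct flows cannot share a
    # context: plain concatenation lets sport=12/target=3.x produce the same
    # key as sport=1/target=23.x, and a denial seen for one flow would then
    # silence the alert pending for the other.  '|' does not occur in
    # addresses (IPv6 uses ':') or in decimal port numbers.
    ctxname = "FIREWALL_" + "|".join((source, str(sport), target, str(dport)))

    if idmef.match("alert.classification.text", re.compile("[Pp]acket [Dd]ropped|[Dd]enied")):
        # A denial was observed for this flow: update the context if any,
        # which drops the alert_on_expire attribute (the context is still
        # created when absent, so a later event for the flow stays silent).
        context.Context(ctxname, { "expire": 10 }, update = True)
    else:
        # Begins a timer for every event that contains a source and a target
        # address which has not been matched by an observed packet denial. If a
        # packet denial is not observed in the next 10 seconds, an event alert
        # is generated.  An existing context (denied or pending) is left alone.
        if not context.search(ctxname):
            ctx = context.Context(ctxname, { "expire": 10, "alert_on_expire": True })

            # Copy the event's own fields into the context so that the alert
            # raised on expiry describes the original event.
            ctx.Set("alert.source", idmef.Get("alert.source"))
            ctx.Set("alert.target", idmef.Get("alert.target"))
            ctx.Set("alert.assessment", idmef.Get("alert.assessment"))
            ctx.Set("alert.classification", idmef.Get("alert.classification"))
            ctx.Set("alert.correlation_alert.name", "Events to firewall correlation")

            # The last analyzer in the path is taken as the one that emitted the
            # event; assumes alert.analyzer(*) is never empty -- TODO confirm.
            ctx.Set("alert.correlation_alert.alertident(0).analyzerid", idmef.Get("alert.analyzer(*).analyzerid")[-1])
            ctx.Set("alert.correlation_alert.alertident(0).alertident", idmef.Get("alert.messageid"))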
def run(self, idmef):
    """Flag a host that repeats, as a source, actions recently taken against it.

    Each target address of the event gets (or refreshes) a context keyed on the
    classification text plus the address, with a 300 second expiry and a
    threshold of 5.  Each source address of the event is then looked up the same
    way: a hit means this host was itself a target of the same classification
    recently, so the event is accumulated into that context.  When the
    threshold is exhausted the context is raised as a "Possible Worm Activity"
    correlation alert and destroyed.

    Args:
        idmef: incoming IDMEF message wrapper (project type).  ``Get`` on a
            ``(*)`` path is assumed to return an iterable -- confirm against the
            wrapper.
    """
    classification = idmef.Get("alert.classification.text")
    if not classification:
        return

    # NOTE(review): the key has no separator between classification and
    # address; verify that this cannot make two distinct (classification,
    # address) pairs share one context for the classifications in use.
    key_prefix = "WORM_HOST_" + classification

    # Remember every target of this event under the classification/address key.
    for victim in idmef.Get("alert.target(*).node.address(*).address"):
        context.Context(key_prefix + victim, { "expire": 300, "threshold": 5 }, update = True)

    for attacker in idmef.Get("alert.source(*).node.address(*).address"):
        # A matching context means this source was recently a target of the
        # same classification: it may now be spreading what hit it.
        ctx = context.search(key_prefix + attacker)
        if not ctx:
            continue

        # Append this event's endpoints and identifiers to the context.
        ctx.Set("alert.source(>>)", idmef.Get("alert.source"))
        ctx.Set("alert.target(>>)", idmef.Get("alert.target"))
        ctx.Set("alert.correlation_alert.alertident(>>).alertident", idmef.Get("alert.messageid"))
        # Last analyzer in the path is taken as the emitter; assumes
        # alert.analyzer(*) is never empty -- TODO confirm.
        ctx.Set("alert.correlation_alert.alertident(-1).analyzerid", idmef.Get("alert.analyzer(*).analyzerid")[-1])

        # Account for this event; only raise once the threshold is exhausted.
        if not ctx.CheckAndDecThreshold():
            continue

        ctx.Set("alert.classification.text", "Possible Worm Activity")
        ctx.Set("alert.correlation_alert.name", "Source host repeating actions taken against it recently")
        ctx.Set("alert.assessment.impact.severity", "high")
        ctx.Set("alert.assessment.impact.description", attacker + " has repeated actions taken against it recently at least 5 times. It may have been infected with a worm.")
        ctx.alert()
        ctx.destroy()