def getEvent(self, event_id, full = 1):
    """
    Loads one event row and wraps it into the pre-XML dictionary format.

    @param event_id: primary key of the event (column C{event_id})
    @param full: if true, the referenced observer, reporter, source, destination,
        data and event type are loaded and embedded as well; if false they are
        all passed as C{None}
    @return: result of C{createEventEntry} of the dictionary creator
    """
    from dataengine_tools import getPreXMLDictCreator
    row = self._getSomething('event', 'event_id', event_id)

    def linked(column, loader, *extra):
        # an unset reference arrives from the DB layer as the string 'None'
        if not full or row[column] == 'None':
            return None
        return loader(row[column], *extra)

    # resolve in the same order as before - each call is a DB round trip
    observer = linked('obsrv_id', self.getObserver, 1)
    reporter = linked('rprt_id', self.getReporter, 1)
    source = linked('src_id', self.getSource, 1)
    destination = linked('dstn_id', self.getDestination, 1)
    data = linked('data_id', self.getData, 1)
    eventType = linked('event_type_id', self.getEventType)
    creator = getPreXMLDictCreator()
    return creator.createEventEntry(row, observer, reporter, source, destination, data, eventType)
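def getExtensionEvent(self, plainEventId):
    """
    Resolves the ioids event that refers to the given plain event.

    @param plainEventId: id of the plain event (column C{event_id})
    @return: the full ioids event entry, or C{None} if no ioids event refers
        to C{plainEventId}
    """
    slimRows = self.getIoidsEvents([['event_id', dbconnector.OPERATOR_EQUAL, plainEventId]])
    if not slimRows:
        # an unknown plain event id used to raise IndexError here
        return None
    slimEntry = getPreXMLDictCreator().restructureIoidsEventEntry(slimRows[0]['relations'][0]['attributes'])
    return self.getIoidsEvent(slimEntry[1]['ioids_event_id'])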
def getIoidsSource(self, sourceId, full = 1):
    """
    Loads one ioids source row and wraps it into the pre-XML dictionary format.

    @param sourceId: primary key (column C{ioids_source_id})
    @param full: if true, the referenced ioids peer is loaded and embedded;
        otherwise it is passed as C{None}
    @return: result of C{createIoidsSourceEntry}
    """
    from dataengine_tools import getPreXMLDictCreator
    row = self._getSomething('ioids_source', 'ioids_source_id', sourceId)
    peer = None
    # an unset reference arrives as the string 'None'
    if full and row['ioids_peer_id'] != 'None':
        peer = self.getIoidsPeer(row['ioids_peer_id'])
    creator = getPreXMLDictCreator()
    return creator.createIoidsSourceEntry(row, peer)
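def newIoidsEventFromRemote(self, ioidsevent, relations = None):
    """
    Stores an ioids event received from a remote peer together with its relations.

    The new event's plain event id is remembered in C{self._remoteEvents} so the
    local trigger does not process it as a fresh local event.

    @param ioidsevent: ioids event entry in pre-XML dictionary format
    @param relations: list of relation entries; for each, C{relation[1]['type']}
        names the relation type and C{relation[2]} holds the related
        C{'plainevent'} entry and optionally an C{'extension'} entry. Defaults
        to no relations (was a shared mutable default before).
    """
    from dbconnector import getDBConnector
    from dataengine_tools import getPreXMLDictCreator
    if relations is None:
        relations = []
    print("I received from remote Event with Relations")
    primKey = getDBConnector().insertIoidsEvent(ioidsevent)
    eventId = getDBConnector().getIoidsEvent(primKey, 0)[1]['event_id']
    self._remoteEvents.append(eventId)  # our trigger must not pick up this event
    # NOTE(review): the relation and extension payloads below are remote-supplied
    # and handed to the DB layer as received; the only rejection visible here is
    # the ValueError for an unknown extension type. Confirm the DB layer validates
    # and parameterises what it inserts.
    for relation in relations:
        print("New Relation:")
        plainEvent = None
        extensionEvent = None
        extensionType = None
        relationType = relation[1]['type']
        for entry in relation[2]:
            if entry[0] == 'plainevent':
                plainEvent = entry[2][0]
            elif entry[0] == 'extension':
                try:
                    extensionEvent = entry[2][0]
                    extensionType = entry[1]['type']
                except IndexError:
                    pass  # the sender could not handle the extension - nothing to take over
        creator = getPreXMLDictCreator()
        relType = creator.createNewIoidsRelationTypeEntry(relationType)
        relEntry = creator.createNewIoidsRelationEntry([ioidsevent, plainEvent, relType])
        primKey = getDBConnector().insertFullIoidsEventWithRelation(relEntry)
        print("-- Primary key for remote ioids event (relation): %s" % (primKey))
        print("-- Event for Extension: %s" % (extensionType))
        try:
            primKey = getDBConnector().insertExtensionEvent(extensionType, extensionEvent)
            print("-- Primary key for extension event: %s" % (primKey))
        except ValueError:
            # fine as well - this node does not understand the extension
            print("-- Extension is unknown: %s" % (extensionType))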
def getPreXMLDictCreator():
    """
    Module-level accessor for the pre-XML dictionary creator.

    Delegates to C{dataengine_tools.getPreXMLDictCreator} so the helpers in this
    module share the same creator instance as the data engine.

    @return: the dictionary creator instance provided by C{dataengine_tools}
    """
    import dataengine_tools
    return dataengine_tools.getPreXMLDictCreator()
def getDestination(self, destination_id, full = 1):
    """
    Loads one destination row and wraps it into the pre-XML dictionary format.

    @param destination_id: primary key (column C{dstn_id})
    @param full: if true, the referenced agent is loaded and embedded;
        otherwise it is passed as C{None}
    @return: result of C{createDestinationEntry}
    """
    from dataengine_tools import getPreXMLDictCreator
    row = self._getSomething('destination', 'dstn_id', destination_id)
    agent = None
    # an unset reference arrives as the string 'None'
    if full and row['agent_id'] != 'None':
        agent = self.getAgent(row['agent_id'], 1)
    creator = getPreXMLDictCreator()
    return creator.createDestinationEntry(row, agent)
def getSource(self, source_id, full = 1):
    """
    Loads one source row and wraps it into the pre-XML dictionary format.

    @param source_id: primary key (column C{src_id})
    @param full: if true, the referenced agent is loaded and embedded;
        otherwise it is passed as C{None}
    @return: result of C{createSourceEntry}
    """
    from dataengine_tools import getPreXMLDictCreator
    row = self._getSomething('source', 'src_id', source_id)
    agent = None
    # an unset reference arrives as the string 'None'
    if full and row['agent_id'] != 'None':
        agent = self.getAgent(row['agent_id'], 1)
    creator = getPreXMLDictCreator()
    return creator.createSourceEntry(row, agent)
def getReporter(self, reporter_id, full = 1):
    """
    Loads one reporter row and wraps it into the pre-XML dictionary format.

    @param reporter_id: primary key (column C{rprt_id})
    @param full: if true, the referenced agent is loaded and embedded;
        otherwise it is passed as C{None}
    @return: result of C{createReporterEntry}
    """
    from dataengine_tools import getPreXMLDictCreator
    row = self._getSomething('reporter', 'rprt_id', reporter_id)
    agent = None
    # an unset reference arrives as the string 'None'
    if full and row['agent_id'] != 'None':
        agent = self.getAgent(row['agent_id'], 1)
    creator = getPreXMLDictCreator()
    return creator.createReporterEntry(row, agent)
def getUser(self, user_id, full = 1):
    """
    Loads one user row and wraps it into the pre-XML dictionary format.

    @param user_id: primary key (column C{usr_id})
    @param full: if true, the referenced user group is loaded and embedded;
        otherwise it is passed as C{None}
    @return: result of C{createUserEntry}
    """
    from dataengine_tools import getPreXMLDictCreator
    row = self._getSomething('usr', 'usr_id', user_id)
    group = None
    if full:
        groupId = row['usr_group_id']
        # an unset reference arrives as the string 'None'
        if groupId != 'None':
            group = self.getUserGroup(groupId, 1)
    return getPreXMLDictCreator().createUserEntry(row, group)
def getComputer(self, computer_id, full = 1):
    """
    Loads one computer row and wraps it into the pre-XML dictionary format.

    @param computer_id: primary key (column C{comp_id})
    @param full: if true, the referenced computer type is loaded and embedded;
        otherwise it is passed as C{None}
    @return: result of C{createComputerEntry}
    """
    from dataengine_tools import getPreXMLDictCreator
    row = self._getSomething('computer', 'comp_id', computer_id)
    computerType = None
    if full:
        typeId = row['comp_type_id']
        # an unset reference arrives as the string 'None'
        if typeId != 'None':
            computerType = self.getComputerType(typeId, 1)
    return getPreXMLDictCreator().createComputerEntry(row, computerType)
def getData(self, data_id, full = 1):
    """
    Loads one data row and wraps it into the pre-XML dictionary format.

    @param data_id: primary key (column C{data_id})
    @param full: if true, the referenced encoding is loaded and embedded;
        otherwise it is passed as C{None}
    @return: result of C{createDataEntry}
    """
    from dataengine_tools import getPreXMLDictCreator
    row = self._getSomething('data', 'data_id', data_id)
    encoding = None
    # an unset reference arrives as the string 'None'
    if full and row['encoding_id'] != 'None':
        encoding = self.getEncoding(row['encoding_id'], 1)
    creator = getPreXMLDictCreator()
    return creator.createDataEntry(row, encoding)
def getAgent(self, agent_id, full = 1):
    """
    Loads one agent row and wraps it into the pre-XML dictionary format.

    @param agent_id: primary key (column C{agent_id})
    @param full: if true, the referenced agent class, computer and process are
        loaded and embedded; otherwise they are passed as C{None}
    @return: result of C{createAgentEntry}
    """
    from dataengine_tools import getPreXMLDictCreator
    row = self._getSomething('agent', 'agent_id', agent_id)

    def linked(column, loader):
        # an unset reference arrives as the string 'None'
        if not full or row[column] == 'None':
            return None
        return loader(row[column], 1)

    agentClass = linked('agent_class_id', self.getAgentClass)
    computer = linked('comp_id', self.getComputer)
    process = linked('prcss_id', self.getProcess)
    creator = getPreXMLDictCreator()
    return creator.createAgentEntry(row, agentClass, computer, process)
def getProcess(self, process_id, full = 1):
    """
    Loads one process row and wraps it into the pre-XML dictionary format.

    @param process_id: primary key (column C{prcss_id})
    @param full: if true, the referenced user, process type and process name
        are loaded and embedded; otherwise they are passed as C{None}
    @return: result of C{createProcessEntry}
    """
    from dataengine_tools import getPreXMLDictCreator
    row = self._getSomething('process', 'prcss_id', process_id)

    def linked(column, loader):
        # an unset reference arrives as the string 'None'
        if not full or row[column] == 'None':
            return None
        return loader(row[column], 1)

    user = linked('usr_id', self.getUser)
    processType = linked('prcss_type_id', self.getProcessType)
    processName = linked('prcss_name_id', self.getProcessName)
    creator = getPreXMLDictCreator()
    return creator.createProcessEntry(row, processType, processName, user)
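def getIoidsRelation(self, relationId, full =1):
    """
    Loads one ioids relation row and wraps it into the pre-XML dictionary format.

    @param relationId: primary key (column C{ioids_relation_id})
    @param full: if true, the referenced plain event, ioids event and relation
        type are loaded and embedded; otherwise they are passed as C{None}
    @return: result of C{createIoidsRelationEntry}
    """
    from dataengine_tools import getPreXMLDictCreator
    row = self._getSomething('ioids_relation', 'ioids_relation_id', relationId)
    event = None
    ioids_event = None
    relationType = None
    if full:
        # an unset reference arrives as the string 'None'
        if row['event_id'] != 'None':
            event = self.getEvent(row['event_id'], 1)
        if row['ioids_event_id'] != 'None':
            ioids_event = self.getIoidsEvent(row['ioids_event_id'], 1)
        if row['ioids_relation_type_id'] != 'None':
            # fixed: this used to call getEvent with the relation type id,
            # i.e. it looked the id up in the wrong table
            relationType = self.getIoidsRelationType(row['ioids_relation_type_id'], 1)
    return getPreXMLDictCreator().createIoidsRelationEntry(row, event, ioids_event, relationType)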
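def startup(self):
    """
    Establishes the database connection according to the settings in the config
    file and reads the oid of the last processed event.

    The oid is read from the file named by C{config.EVENT_STATUS_LOCATION}; if
    that file is missing or unreadable, processing starts from oid '0'.
    """
    self._dictCreator = dataengine_tools.getPreXMLDictCreator()
    self._DBConnector = dbconnector.getDBConnector()
    self._DBConnector.connect()
    lastestEventOid = '0'
    try:
        statusFile = open(config.EVENT_STATUS_LOCATION, 'r')
        try:
            lastestEventOid = statusFile.readline()
        finally:
            # close even if readline() fails; the handle used to leak on that path
            statusFile.close()
    except Exception:
        # best effort: no status file simply means "start from the beginning"
        pass
    # NOTE(review): the original docstring also promised to keep running forever;
    # no such loop is part of this block as shown.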
def getIoidsEvent(self, ioids_event_id, full = 1):
    """
    Loads one ioids event row and wraps it into the pre-XML dictionary format.

    @param ioids_event_id: primary key (column C{ioids_event_id})
    @param full: if true, the referenced plain event, ioids sender, ioids source
        and classification are loaded and embedded; otherwise they are passed
        as C{None}
    @return: result of C{createIoidsEventEntry}
    """
    from dataengine_tools import getPreXMLDictCreator
    row = self._getSomething('ioids_event', 'ioids_event_id', ioids_event_id)

    def linked(column, loader):
        # an unset reference arrives as the string 'None'
        if not full or row[column] == 'None':
            return None
        return loader(row[column], 1)

    event = linked('event_id', self.getEvent)
    sender = linked('ioids_sender_id', self.getIoidsSender)
    source = linked('ioids_source_id', self.getIoidsSource)
    classification = linked('classification_id', self.getIoidsClassification)
    creator = getPreXMLDictCreator()
    return creator.createIoidsEventEntry(row, event, sender, source, classification)
def getRelatedEventsForIoidsEvent(self, ioidsEventId, full = 1):
    """
    Collects the relations of an ioids event, with the related plain event and
    the relation type loaded and embedded.

    @param ioidsEventId: id of the ioids event whose relations are wanted
    @param full: accepted for uniformity with the other getters; not used here
    @return: list of relation entries; in each one the C{event_id} and
        C{ioids_relation_type_id} attributes are removed and the loaded event and
        relation type entries are appended to the sub-entry list instead
    """
    from messagewrapper import getXMLDBWrapper
    from dataengine_tools import getPreXMLDictCreator
    request = getXMLDBWrapper().wrapSelect('ioids_relation', 'event_id', [['ioids_event_id', OPERATOR_EQUAL, str(ioidsEventId)]])
    reply = self._performRequest(request)
    count, resolved = getXMLDBWrapper().parseSelectReply(reply)
    creator = getPreXMLDictCreator()
    relations = [creator.restructureEntry(item['attributes'], 'relation') for item in resolved[0]['relations']]
    for rel in relations:
        attributes, children = rel[1], rel[2]
        # replace the foreign keys by the loaded entries
        children.append(self.getEvent(attributes['event_id']))
        del attributes['event_id']
        children.append(self.getIoidsRelationType(attributes['ioids_relation_type_id']))
        del attributes['ioids_relation_type_id']
    return relations
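def _executeOneReaction(self, event, reaction):
    """
    Performs all operations as defined by the reaction part of an ioids rule.

    Only the reaction type C{NewLocalEvent} does anything: the triggering event
    is hex-encoded as XML and wrapped into a new ioids event whose reporter is
    this node and whose observer is the reporter of the triggering event; the
    result is stored together with a C{parent} relation to the triggering event.
    A C{distribute} parameter is only reported on the console - nothing is sent.

    @param event: the triggering event in pre-XML dictionary format
        (C{event[1]} holds its attributes, C{event[2]} its sub-entries); its
        C{event_id} attribute is removed in place
    @param reaction: the reaction part of the rule; C{reaction['parameters']}
        must carry C{community} and C{classification} ('Auto' selects the
        built-in defaults)
    @raise IoidsDependencyException: if community or classification is missing
        from the reaction parameters
    """
    from config import G4DS_MEMBER_ID
    from dbconnector import getDBConnector
    from errorhandling import IoidsDependencyException

    parameters = reaction['parameters']
    ioidsSource = G4DS_MEMBER_ID
    ioidsSender = G4DS_MEMBER_ID

    if 'community' not in parameters:
        raise IoidsDependencyException('Community can not be determined for new local event. Looks like a mistake in ioids policy.')
    if parameters['community'] == 'Auto':
        ioidsCommunity = 'C001'  # TODO: derive the community properly instead of this fixed default
    else:
        ioidsCommunity = parameters['community']

    if 'classification' not in parameters:
        # message fixed: it used to complain about the community here as well
        raise IoidsDependencyException('Classification can not be determined for new local event. Looks like a mistake in ioids policy.')
    if parameters['classification'] == 'Auto':
        ioidsClassificationCode = '10'  # TODO: derive the classification properly instead of this fixed default
    else:
        ioidsClassificationCode = parameters['classification']

    ioidsTimestamp = 'now'

    if reaction['type'] != 'NewLocalEvent':
        return

    from dataengine_tools import getPreXMLDictCreator
    from config import IOIDS_EVENT_TYPE, LOCAL_ADDRESS, LOCAL_HOSTNAME, LOCAL_MAC, LOCAL_OS, LOCAL_DOMAIN, LOCAL_COMPUTER_TYPE
    from messagewrapper import getXMLDBWrapper
    import binascii  # was imported as 'hex', shadowing the builtin

    if 'event_id' in event[1]:
        # the id must go - otherwise the event would be inserted again and again
        del event[1]['event_id']

    creator = getPreXMLDictCreator()
    dbConnector = getDBConnector()

    # the triggering event is embedded as hex-encoded XML
    newEncoding = creator.createNewEncodingEntry('XML HEX')
    eventXML = getXMLDBWrapper().wrapInsert(event[0], event[1], event[2])
    newData = creator.createNewDataEntry(binascii.hexlify(eventXML), [newEncoding])

    # this node is the reporter of the new event
    newComputer = creator.createNewComputerEntry(LOCAL_HOSTNAME, LOCAL_OS, LOCAL_ADDRESS, LOCAL_MAC, LOCAL_DOMAIN, [], None, LOCAL_COMPUTER_TYPE)
    newAgent = creator.createNewAgentEntry('IOIDS', [newComputer], '2')
    newReporter = creator.createNewReporterEntry('IOIDS reporter', [newAgent])
    newEventType = creator.createNewEventTypeEntry(IOIDS_EVENT_TYPE)

    # the observer is the reporter of the triggering event
    fullReporter = dbConnector.getReporter(event[1]['rprt_id'])
    if 'rprt_name' in fullReporter[1]:
        repName = fullReporter[1]['rprt_name']
    else:
        repName = None
    newObserver = creator.createNewObserverEntry(repName, fullReporter[2])

    # source and destination are taken over from the triggering event
    newEvent = creator.createNewEventEntry('now', [newData, newEventType, newReporter, newObserver], None, None, event[1]['src_id'], event[1]['dstn_id'])
    ioidsEventEntry = creator.createNewIoidsEventEntry(ioidsCommunity, ioidsTimestamp, [
        creator.createNewIoidsSourceEntry(ioidsSource),
        creator.createNewIoidsSenderEntry(ioidsSender),
        dbConnector.getIoidsClassificationByCode(ioidsClassificationCode),
        newEvent,
    ])

    # and finally the relation to the triggering event
    newRelationEntry = creator.createNewIoidsRelationEntry([ioidsEventEntry, event], relationTypeName = 'parent')
    primKeyRel = dbConnector.insertFullIoidsEventWithRelation(newRelationEntry)
    print("\t-- Inserted event with id: %s" % (primKeyRel))

    if 'distribute' in parameters:
        # distribution is not implemented yet - only reported
        print("\t--Now I would even send it off to %s." % (parameters['distribute']['domain']))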
def getUserGroup(self, user_group_id, full = 1):
    """
    Loads one user group row and wraps it into the pre-XML dictionary format.

    @param user_group_id: primary key (column C{usr_group_id})
    @param full: accepted for uniformity with the other getters; a user group
        has no references to resolve, so it is not used
    @return: result of C{createUserGroupEntry}
    """
    from dataengine_tools import getPreXMLDictCreator
    row = self._getSomething('usr_group', 'usr_group_id', user_group_id)
    creator = getPreXMLDictCreator()
    return creator.createUserGroupEntry(row)
def getProcessName(self, process_name_id, full =1):
    """
    Loads one process name row and wraps it into the pre-XML dictionary format.

    @param process_name_id: primary key (column C{prcss_name_id})
    @param full: accepted for uniformity with the other getters; a process name
        has no references to resolve, so it is not used
    @return: result of C{createProcessNameEntry}
    """
    from dataengine_tools import getPreXMLDictCreator
    row = self._getSomething('prcss_name', 'prcss_name_id', process_name_id)
    creator = getPreXMLDictCreator()
    return creator.createProcessNameEntry(row)
def getIoidsRelationType(self, relation_type_id, full = 1):
    """
    Loads one ioids relation type row and wraps it into the pre-XML dictionary
    format.

    @param relation_type_id: primary key (column C{ioids_relation_type_id})
    @param full: accepted for uniformity with the other getters; a relation
        type has no references to resolve, so it is not used
    @return: result of C{createIoidsRelationTypeEntry}
    """
    from dataengine_tools import getPreXMLDictCreator
    row = self._getSomething('ioids_relation_type', 'ioids_relation_type_id', relation_type_id)
    creator = getPreXMLDictCreator()
    return creator.createIoidsRelationTypeEntry(row)
def getAgentClass(self, agent_class_id, full =1):
    """
    Loads one agent class row and wraps it into the pre-XML dictionary format.

    @param agent_class_id: primary key (column C{agent_class_id})
    @param full: accepted for uniformity with the other getters; an agent class
        has no references to resolve, so it is not used
    @return: result of C{createAgentClassEntry}
    """
    from dataengine_tools import getPreXMLDictCreator
    row = self._getSomething('agent_class', 'agent_class_id', agent_class_id)
    creator = getPreXMLDictCreator()
    return creator.createAgentClassEntry(row)
def getIoidsPeer(self, peerId, full = 1):
    """
    Loads one ioids peer row and wraps it into the pre-XML dictionary format.

    @param peerId: primary key (column C{ioids_peer_id})
    @param full: accepted for uniformity with the other getters; a peer has no
        references to resolve, so it is not used
    @return: result of C{createIoidsPeerEntry}
    """
    from dataengine_tools import getPreXMLDictCreator
    row = self._getSomething('ioids_peer', 'ioids_peer_id', peerId)
    creator = getPreXMLDictCreator()
    return creator.createIoidsPeerEntry(row)
def getIoidsClassificationByCode(self, classification_code, full = 1):
    """
    Loads one ioids classification row by its code (not by its primary key) and
    wraps it into the pre-XML dictionary format.

    @param classification_code: value of column C{classification_code}
    @param full: accepted for uniformity with the other getters; a
        classification has no references to resolve, so it is not used
    @return: result of C{createIoidsClassificationEntry}
    """
    from dataengine_tools import getPreXMLDictCreator
    row = self._getSomething('ioids_classification', 'classification_code', classification_code)
    creator = getPreXMLDictCreator()
    return creator.createIoidsClassificationEntry(row)
def getEncoding(self, encoding_id, full = 1):
    """
    Loads one encoding row and wraps it into the pre-XML dictionary format.

    @param encoding_id: primary key (column C{encoding_id})
    @param full: accepted for uniformity with the other getters; an encoding
        has no references to resolve, so it is not used
    @return: result of C{createEncodingEntry}
    """
    from dataengine_tools import getPreXMLDictCreator
    row = self._getSomething('encoding', 'encoding_id', encoding_id)
    creator = getPreXMLDictCreator()
    return creator.createEncodingEntry(row)
def getComputerType(self, computer_type_id, full =1):
    """
    Loads one computer type row and wraps it into the pre-XML dictionary format.

    @param computer_type_id: primary key (column C{comp_type_id})
    @param full: accepted for uniformity with the other getters; a computer
        type has no references to resolve, so it is not used
    @return: result of C{createComputerTypeEntry}
    """
    from dataengine_tools import getPreXMLDictCreator
    row = self._getSomething('comp_type', 'comp_type_id', computer_type_id)
    creator = getPreXMLDictCreator()
    return creator.createComputerTypeEntry(row)
def getEventType(self, event_type_id, full = 1):
    """
    Loads one event type row and wraps it into the pre-XML dictionary format.

    @param event_type_id: primary key (column C{event_type_id})
    @param full: accepted for uniformity with the other getters; an event type
        has no references to resolve, so it is not used
    @return: result of C{createEventTypeEntry}
    """
    from dataengine_tools import getPreXMLDictCreator
    row = self._getSomething('event_type', 'event_type_id', event_type_id)
    creator = getPreXMLDictCreator()
    return creator.createEventTypeEntry(row)