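    def checkticket(ip_src, cipher, msg_type, timestamp):
        """Check a captured Kerberos request cipher against earlier KDC replies and alert on forged tickets.

        A TGS-REQ (msg_type 12) or AP-REQ (msg_type 14) is considered legitimate
        when ``cipher_table`` holds an earlier reply (msg_type 11/13 for a
        TGS-REQ, 13 for an AP-REQ) that delivered the same cipher to ``ip_src``.
        Otherwise, unless the KDC answered with error_code 32
        (KRB_AP_ERR_TKT_EXPIRED) to the same client shortly afterwards, the
        request is logged to ``./detected_ticket.log`` and reported as a
        golden (12) or silver (14) ticket, and the Elasticsearch documents for
        the event/packet are refreshed.

        Args:
            ip_src: client address as a dotted-quad string (it is passed
                through ``INET_ATON`` in the queries).
            cipher: ticket cipher text, compared verbatim against the
                ``kerberos_cipher`` column.
            msg_type: Kerberos message type; only 12 and 14 are handled, any
                other value returns without touching the database.
            timestamp: digit string; its first ten characters are taken as
                epoch seconds, and the expiry window is ``timestamp`` to
                ``timestamp + 1000`` in the table's own unit (sub-second
                resolution is implied but not visible here -- confirm).

        All lookups use parameterised queries, so neither ``cipher`` nor
        ``ip_src`` (both taken from the wire) is interpolated into SQL.
        """

        def _retry_update(update, key):
            # Call update(key) at most twice, pausing 1s after each call and
            # stopping early once it returns a falsy value (presumably "no
            # more documents to update" -- confirm against update_es).
            for _ in range(2):
                more = update(key)
                time.sleep(1)
                if not more:
                    break

        # NOTE(review): database credentials are inlined here; they belong in
        # configuration or the environment rather than in source.
        conn = mysql.connector.connect(user='******',
                                       host='localhost',
                                       password='******',
                                       database='kerberos')
        cur = conn.cursor(buffered=True)
        try:
            # Presumably gives the capture writer time to commit the reply
            # rows that are looked up below -- confirm.
            time.sleep(1)

            if msg_type == 12:
                query = 'SELECT ip_src, kerberos_cipher, timestamp FROM cipher_table WHERE (msg_type = 11 OR msg_type = 13) AND ip_dst = INET_ATON(%s) AND kerberos_cipher = %s'
            elif msg_type == 14:
                query = 'SELECT ip_src, kerberos_cipher, timestamp FROM cipher_table WHERE msg_type = 13 AND ip_dst = INET_ATON(%s) AND kerberos_cipher = %s'
            else:
                # No issuance query for other message types; the original
                # fell through to an unbound result here.
                return
            cur.execute(query, (ip_src, cipher))
            issued = cur.fetchall()
            for row in issued:
                print(row[1])

            if issued:
                # The KDC handed this cipher to the client earlier: legitimate.
                print('matched with old cipher at ' + str(timestamp))
                return

            # Check TKT Expire: an expired-ticket error sent to the client
            # right after the request explains an otherwise unknown cipher.
            query = 'SELECT * FROM cipher_table WHERE timestamp BETWEEN %s AND %s AND ip_dst = INET_ATON(%s) AND error_code = 32;'
            cur.execute(query,
                        (timestamp, str(int(timestamp) + 1000), ip_src))
            if cur.fetchall():
                print('TKT Expired at ' + str(timestamp))
                return

            # Neither issued by the KDC nor rejected as expired: forged ticket.
            utctime = datetime.fromtimestamp(int(timestamp[:10]), timezone.utc)
            if msg_type == 12:
                label, result = 'Golden', SignatureDetector.RESULT_NOTGT
            else:
                label, result = 'Silver', SignatureDetector.RESULT_SILVER
            message = label + ' ticket was used on ' + str(ip_src) + ' at ' + str(utctime)
            print(message)
            with open('./detected_ticket.log', mode='a') as f:
                f.write(message + ' ' + str(cipher) + '\n')

            tactics = identify_attack.identify_tactics(result, None)
            send_alert.Send_alert(
                result=result,
                attack=tactics,
                datetime=utctime,
                ip_src=ip_src,
                eventid='-',
                accountname='-',
                clientaddr='-',
                servicename='-',
                processname='-',
                objectname='-',
                sharedname='-')

            # Refresh the Elasticsearch side: the event document only for a
            # TGS-REQ, the packet document for both message types.
            if msg_type == 12:
                _retry_update(update_es.update_event, ip_src)
            _retry_update(update_es.update_packet, cipher)
        finally:
            cur.close()
            conn.close()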
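def _strip_quotes(value):
    """Return *value* without surrounding single quotes, or None when absent.

    Form values arrive wrapped in single quotes (hence the strip); a missing
    field stays None instead of raising on ``.strip``.
    """
    if value is None:
        return None
    return value.strip("'")


def _normalize(value):
    """Return *value* unquoted and lower-cased, or None when absent.

    Lower-casing keeps the later whitelist/signature comparisons
    case-insensitive.
    """
    if value is None:
        return None
    return value.strip("'").lower()


def preds():
    """Flask handler: run the signature (and optionally ML) detectors over one forwarded event.

    Every field is read from ``request.form`` and is untrusted input; it is
    only unquoted/lower-cased here and handed to the detectors as an
    ``InputLog``. Returns ``"<result>,<tactics>"`` as the response body, or
    bare ``RESULT_NORMAL`` when the account name is empty or contains
    ``DOMAIN_NAME`` (such events are skipped without detection). When a
    non-normal, non-warning result is found the event is printed and
    ``send_alert.Send_alert`` is called.
    """
    event_datetime = _strip_quotes(request.form.get('datetime', None))
    eventid = _strip_quotes(request.form.get('eventid', None))
    org_accountname = request.form.get('accountname', None)
    clientaddr = _strip_quotes(request.form.get('clientaddr', None))
    servicename = _normalize(request.form.get('servicename', None))
    processname = _normalize(request.form.get('processname', None))
    objectname = _normalize(request.form.get('objectname', None))
    sharedname = _normalize(request.form.get('sharedname', None))
    securityid = _normalize(request.form.get('securityid', None))

    # The original left accountname unbound when the form had no such field
    # and crashed at the InputLog constructor; None is passed through instead.
    accountname = None
    if org_accountname is not None:
        # "user@REALM" -> "user"; accounts named after the domain are not
        # scored (presumably machine/domain accounts -- confirm).
        accountname = _normalize(org_accountname).split('@')[0]
        if DOMAIN_NAME in accountname or not accountname:
            return SignatureDetector.RESULT_NORMAL

    # To specify parameter as Object
    inputLog = InputLog.InputLog(event_datetime, eventid, accountname, clientaddr, servicename, processname, objectname, sharedname, securityid)
    # update start by gam
    result = SignatureDetector.signature_detect(inputLog)

    # update end
    # The signature pass may have rewritten these two fields on the InputLog.
    clientaddr = inputLog.get_clientaddr()
    processname = inputLog.get_processname()
    tactics = ''

    if result in (SignatureDetector.RESULT_CMD, SignatureDetector.RESULT_MAL_CMD):
        if mode == MODE_ML:
            result = ML.preds(eventid, accountname, processname, objectname, base_dummies_4674, clf_4674, base_dummies_4688, clf_4688)
        else:
            processname = processname.strip().strip("'")
            result = SignatureDetector.check_cmd_whitelist(processname)
    if result not in (SignatureDetector.RESULT_NORMAL, ML.RESULT_WARN, SignatureDetector.WARN):
        print(result)
        # str() of each field, so a None getter does not break the debug line.
        print(inputLog.get_eventid(), inputLog.get_accountname(), inputLog.get_clientaddr(),
              inputLog.get_processname(), inputLog.get_sharedname(), sep=",")
        tactics = identify_attack.identify_tactics(result, inputLog)
        # NOTE(review): this positional call passes 10 arguments with
        # result and tactics joined, whereas the keyword call elsewhere in
        # this file uses separate result=/attack= parameters and 11 names;
        # verify which signature send_alert.Send_alert actually has.
        send_alert.Send_alert(result + "," + tactics, event_datetime, clientaddr, eventid, accountname, clientaddr, servicename, processname, objectname, sharedname)

    return result + "," + tactics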