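def get_records_for_rule(self, snort, rule):
    """Build one block record per source IP whose alerts satisfy *rule*.

    Args:
        snort: alert store exposing ``find(sig=...)``; the alerts it
            yields are mappings with at least an ``'ip_src'`` key.
        rule: mapping with ``'rule'`` (the signature to look up),
            ``'minimum'`` (per-source alert-count threshold) and
            ``'subnet_minimum'`` (distinct destination-subnet threshold).

    Returns:
        list of ``{'ip': str, 'alerts': list, 'rule': rule}`` dicts, one
        per qualifying source IP, in first-seen order.

    Raises:
        KeyError: if *rule* lacks one of the keys above.
    """
    # Group explicitly instead of calling groupby() on the raw alert
    # stream: if that groupby is itertools.groupby (as the call shape
    # suggests) it only merges *adjacent* equal keys, so an unsorted alert
    # list is split into several partial groups per source. That both
    # under-counts alerts against rule['minimum'] and can emit duplicate
    # records for the same IP. Keying on str() also merges equivalent
    # representations of one address.
    alerts_by_src = {}
    for alert in snort.find(sig=rule['rule']):
        alerts_by_src.setdefault(str(alert['ip_src']), []).append(alert)

    records = []
    for ip, ip_alerts in alerts_by_src.items():
        # Sources flagged by is_reblockable()/is_fishy() (defined
        # elsewhere) are recorded regardless of volume; every other source
        # must clear both the alert-count and the subnet-spread threshold.
        if (is_reblockable(ip) or is_fishy(ip)
                or (len(ip_alerts) >= rule['minimum']
                    and num_subnets(ip_alerts) >= rule['subnet_minimum'])):
            records.append(dict(ip=ip, alerts=ip_alerts, rule=rule))
    return records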
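def get_records_for_rule(self, snort, rule):
    """Build one block record per source IP whose alerts satisfy *rule*.

    Args:
        snort: alert store exposing ``find(sig=...)``; the alerts it
            yields are mappings with at least an ``'ip_src'`` key.
        rule: mapping with ``'rule'`` (the signature to look up),
            ``'minimum'`` (per-source alert-count threshold) and
            ``'subnet_minimum'`` (distinct destination-subnet threshold).

    Returns:
        list of ``{'ip': str, 'alerts': list, 'rule': rule}`` dicts, one
        per qualifying source IP, in first-seen order.

    Raises:
        KeyError: if *rule* lacks one of the keys above.
    """
    # Group explicitly instead of calling groupby() on the raw alert
    # stream: if that groupby is itertools.groupby (as the call shape
    # suggests) it only merges *adjacent* equal keys, so an unsorted alert
    # list is split into several partial groups per source. That both
    # under-counts alerts against rule['minimum'] and can emit duplicate
    # records for the same IP. Keying on str() also merges equivalent
    # representations of one address.
    alerts_by_src = {}
    for alert in snort.find(sig=rule['rule']):
        alerts_by_src.setdefault(str(alert['ip_src']), []).append(alert)

    records = []
    for ip, ip_alerts in alerts_by_src.items():
        # Sources flagged by is_reblockable()/is_fishy() (defined
        # elsewhere) are recorded regardless of volume; every other source
        # must clear both the alert-count and the subnet-spread threshold.
        if (is_reblockable(ip) or is_fishy(ip)
                or (len(ip_alerts) >= rule['minimum']
                    and num_subnets(ip_alerts) >= rule['subnet_minimum'])):
            records.append(dict(ip=ip, alerts=ip_alerts, rule=rule))
    return records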
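def num_subnets(alerts):
    """Count the distinct destination subnets across *alerts*.

    Args:
        alerts: iterable of alert mappings with an ``'ip_dst'`` key.

    Returns:
        Number of distinct ``subnet(alert['ip_dst'])`` values.
    """
    # A set counts each subnet once regardless of alert order. The previous
    # groupby()-based count, if that groupby is itertools.groupby, only
    # merged *adjacent* equal keys, so alerts for one subnet that were not
    # contiguous were counted more than once -- making a rule's
    # subnet_minimum easier to reach than intended.
    # NOTE(review): assumes subnet() returns a hashable value -- confirm.
    return len({subnet(a['ip_dst']) for a in alerts})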