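def rule_block(self, confname, parse=None, data=None):
    """Apply a rule's ``block`` section to one filter hit.

    Reads ``action``, ``expire``, ``blkcmd`` and ``iptables`` from
    ``parse['block']``, builds a block record for ``data['_id']`` and stores
    it in ``self.Bcol`` through ``load_cache``.  When ``load_cache`` reports a
    new record the block command is executed, ``Notes['LOCK']`` is logged and
    the rule's notice is sent; otherwise only ``Notes['RECORD']`` is logged.

    Args:
        confname: name of the rule (config file) that produced the hit.
        parse: parsed rule dict; ``parse['block']`` must hold all four keys.
        data: one aggregation result with ``_id`` and ``total``; gains a
            ``block`` = 1 entry when a custom ``blkcmd`` is interpolated.

    Raises:
        Exception: whatever the ``parse['block'][...]`` lookups raise when a
            key is missing, re-raised after logging.
    """
    import shlex  # function-scope import: the module import header is not part of this block

    parse = {} if parse is None else parse
    data = {} if data is None else data
    # Parse the block section; the config file must not omit any of these keys.
    try:
        action = parse['block']['action']
        expire = parse['block']['expire']
        command = parse['block']['blkcmd']
        iptables = parse['block']['iptables']
    except Exception:
        Loger().ERROR("block rule farmat error.")
        raise

    now = int(time.time())  # one timestamp so 'time' and 'exptime' agree exactly
    block_data = {
        '_id': data['_id'],
        'total': data['total'],
        "time": now,
        "exptime": now + expire,
        "confname": str(confname),
        "command": '',
    }

    if action:
        target = data['_id']
        # The command is run through a shell, so the interpolated _id is quoted.
        # shlex.quote leaves plain IPs/ports untouched (only safe characters),
        # but neutralises shell metacharacters in an unexpected value.
        safe_target = shlex.quote(target) if isinstance(target, str) else target
        if iptables:
            block_data["command"] = "/sbin/iptables -I INPUT -s %s -j DROP" % safe_target
        elif command.find(' %s') > 0:
            data['block'] = 1
            # NOTE(review): the whole mapping is interpolated; with a bare "%s"
            # that renders the dict itself - confirm blkcmd uses %(_id)s-style keys.
            block_data["command"] = command % dict(data, _id=safe_target)

    # NOTE(review): the original's indentation was lost; load_cache is treated as
    # running regardless of ``action`` so record-only rules are still cached.
    state = self.load_cache(self.Bcol, {'_id': data['_id']}, block_data)
    if state:
        # An empty command (action off, or blkcmd without ' %s') used to spawn
        # an empty shell; skip the call instead.
        if block_data["command"]:
            # shell=True is kept because blkcmd is operator-configured shell text.
            subprocess.call(block_data["command"], shell=True)
        Loger().WARNING(Notes['LOCK'] % (data['_id'], data['total']))
        # send the mail notification
        self.rule_notice(confname, parse, data)
    else:
        Loger().WARNING(Notes['RECORD'] % (data['_id'], data['total']))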
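def rule_filter(self, parse=None):
    """Run the aggregation for one rule's ``filter`` section and return its hits.

    ``parse['bolt']`` selects the TCP or UDP collection; ``parse['filter']``
    must contain ``timeDelta``, ``trustIps``, ``motrPort``, ``motrProto``,
    ``flags``, ``noOfConnections``, ``noOfCondition`` and ``returnFiled``.
    The pipeline matches the time window, flags, ports and non-trusted
    sources, groups by ``returnFiled`` and keeps the groups whose count
    satisfies ``{noOfCondition: noOfConnections}``.

    Args:
        parse: parsed rule dict.

    Returns:
        Whatever ``CacheServer().find_aggregate`` returns: documents with
        ``_id`` (the grouped field value) and ``total``.

    Raises:
        ValueError: when ``parse['bolt']`` is neither ``"TCP"`` nor ``"UDP"``.
        Exception: whatever a missing ``filter`` key raises, after logging.
    """
    parse = {} if parse is None else parse
    bolt = parse['bolt']
    if bolt not in ("TCP", "UDP"):
        Loger().ERROR("Bolt value must be 'TCP', 'UDP' !")
        # A bare ``raise`` here has no active exception and surfaces as a
        # RuntimeError; raise an explicit error instead.
        raise ValueError("Bolt value must be 'TCP', 'UDP' !")
    col = self.cache_connect(bolt)

    # Parse the filter section; the config file must not omit any of these keys.
    try:
        section = parse['filter']
        timeDelta = section['timeDelta']  # window length in seconds
        trustIps = section['trustIps']  # source whitelist, excluded from matching
        motrPort = section['motrPort']  # destination ports to inspect
        motrProto = section['motrProto']  # protocol filter; read to enforce presence, unused below
        flags = section['flags']  # connection states
        noOfConnections = section['noOfConnections']  # threshold
        noOfCondition = section['noOfCondition']  # threshold operator, e.g. $ge/$gt/$gte/$lt/$lte
        returnFiled = section['returnFiled']  # field to group by; must exist in the bolt table
    except Exception:
        Loger().ERROR("filter rule farmat error.")
        raise

    # Build the aggregation pipeline.  noOfCondition is taken verbatim from the
    # rule file and becomes the comparison operator of the final $match.
    lte_time = int(time.time())
    gte_time = lte_time - timeDelta
    aggs = []
    if timeDelta:
        aggs.append({'$match': {'time': {'$gte': gte_time, '$lte': lte_time}}})
    if flags:
        aggs.append({'$match': {'flags': {'$in': flags}}})
    if motrPort:
        aggs.append({'$match': {'dport': {'$in': motrPort}}})
    if trustIps:
        aggs.append({'$match': {'src': {'$nin': trustIps}}})
    aggs.append({'$group': {'_id': '$%s' % returnFiled, 'total': {'$sum': 1}}})
    aggs.append({'$match': {'total': {noOfCondition: noOfConnections}}})
    return CacheServer().find_aggregate(col, aggs)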
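def rule_unblock(self, confname, parse=None):
    """Lift every expired block recorded for ``confname`` and drop its record.

    Reads ``action``, ``expire``, ``ubkcmd`` and ``iptables`` from
    ``parse['block']``.  When ``action`` is set, every ``self.Bcol`` entry
    for ``confname`` whose ``exptime`` is in the past gets its unblock
    command executed and ``Notes['UNLOCK']`` logged, then all those entries
    are deleted.

    Args:
        confname: rule name whose expired blocks are lifted.
        parse: parsed rule dict; ``parse['block']`` must hold all four keys.

    Raises:
        Exception: whatever the ``parse['block'][...]`` lookups raise when a
            key is missing, re-raised after logging.
    """
    import shlex  # function-scope import: the module import header is not part of this block

    parse = {} if parse is None else parse
    # Parse the block section; the config file must not omit any of these keys.
    try:
        action = parse['block']['action']
        expire = parse['block']['expire']
        command = parse['block']['ubkcmd']
        iptables = parse['block']['iptables']
    except Exception:
        Loger().ERROR("block rule farmat error.")
        raise
    if not action:
        return

    # Lift the expired records.
    kwargs = {'exptime': {'$lt': int(time.time())}, 'confname': confname}
    for item in CacheServer().find_conditions(self.Bcol, **kwargs):
        target = item['_id']
        # Quoted because the command goes through a shell; a no-op for plain
        # IPs/ports but it neutralises metacharacters in an unexpected value.
        safe_target = shlex.quote(target) if isinstance(target, str) else target
        # Reset per item: previously a stale command from an earlier item could
        # be re-run when ubkcmd had no ' %s' placeholder.
        call_cmd = ''
        if iptables:
            call_cmd = "/sbin/iptables -D INPUT -s %s -j DROP" % safe_target
        elif command.find(' %s') > 0:
            temp = {'_id': safe_target, 'total': item['total'], 'unblock': 1}
            call_cmd = command % temp
        if call_cmd:
            # shell=True is kept because ubkcmd is operator-configured shell text.
            subprocess.call(call_cmd, shell=True)
        Loger().WARNING(Notes['UNLOCK'] % item['_id'])
    # NOTE(review): the original's indentation was lost; the delete is placed
    # after the loop, inside the ``action`` branch where ``kwargs`` is defined.
    CacheServer().delete_many(self.Bcol, kwargs)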
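def sendto(self, subject, msg, receiver):
    """Send one mail, over SSL when ``self.avr['smtp_ssl']`` is set.

    Success and failure are both logged; a failure is swallowed and never
    propagated to the caller.

    Args:
        subject: mail subject.
        msg: mail body.
        receiver: recipient address passed through to the transport.
    """
    # Both transports share the same logging, so pick one and run it once.
    transport = self.sslsend if self.avr['smtp_ssl'] else self.nonsend
    try:
        transport(subject, msg, receiver)
    except Exception as exc:
        Loger().ERROR('[MAIL] Send mail failed to: %s' % exc)
    else:
        Loger().WARNING('[MAIL] Send mail Success.')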
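def rule_notice(self, confname, parse=None, data=None):
    """Mail the block notification for one hit to every configured receiver.

    Args:
        confname: rule name, included in the mail body.
        parse: parsed rule dict; ``parse['notice']`` must hold ``send`` and
            ``email`` (an iterable of receiver addresses).
        data: the block hit, a mapping with ``_id`` and ``total``.

    Raises:
        Exception: whatever the ``parse['notice'][...]`` lookups raise when a
            key is missing, re-raised after logging.
    """
    parse = {} if parse is None else parse
    data = {} if data is None else data
    try:
        send = parse['notice']['send']
        email = parse['notice']['email']
    except Exception:
        # Message corrected: this is the notice section, not the block section.
        Loger().ERROR("notice rule format error.")
        raise
    if not send:
        return
    subject = "Scout email server"
    body = Notes['MAIL'] % (data['_id'], confname, data['total'])
    for receiver in email:
        PyEmail().sendto(subject, body, receiver)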
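def LOOP(self, keeprunning=True, timeout=3):
    """Main rule loop: unblock expired entries, run every filter, block its hits.

    When ``self.S`` already holds parsed rules (key -> rule dict) they are
    used; otherwise every ``*.<filetype>`` file in ``self.filepath`` is
    loaded through ``rule_key_value``.  Sleeps ``timeout`` seconds between
    rounds and runs while ``keeprunning`` is truthy (nothing in the loop
    changes it, so with the default it never returns).

    Args:
        keeprunning: loop condition, checked once per round.
        timeout: seconds to sleep between rounds.
    """
    while keeprunning:
        if self.S:
            for key, rule in self.S.items():
                # lift expired blocks first
                self.rule_unblock(key, rule)
                # then block every current hit of this rule
                for hit in self.rule_filter(rule):
                    self.rule_block(key, rule, hit)
                    Loger().WARNING("[%s.%s] %s" % (key, self.filetype, hit))
        else:
            # Raw pattern (the original '\.' was an invalid escape) anchored
            # at the end so "rules.conf.bak" / "rules.conf~" are not loaded;
            # re.escape keeps a filetype with metacharacters literal.
            file_pattern = re.compile(r'.*\.%s$' % re.escape(self.filetype))
            for name in os.listdir(self.filepath):
                if file_pattern.match(name) is not None:
                    # the rule key is the file name up to its first dot
                    self.rule_key_value(name.split('.')[0])
        sleep(timeout)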
def async_dstat(self):
    """Run the Dstat loop; any failure is logged as a warning and swallowed."""
    try:
        Dstat().LOOP()
    except Exception as exc:  # best-effort: a dstat failure must not stop the caller
        Loger().WARNING("Scout dstat Exception: %s" % exc)
def async_dump(self):
    """Run the packet dump loop; a failure is logged and then re-raised."""
    try:
        Pcapy(**self.kwargs).DUMP()
    except Exception as exc:
        Loger().WARNING("Scout dump Exception: %s" % exc)
        raise
def view(self):
    """Show the rules; any failure is logged as a warning and swallowed."""
    try:
        Rule(**self.kwargs).view()
    except Exception as exc:  # best-effort: never propagate to the caller
        Loger().WARNING("Scout rule Exception: %s" % exc)
def dstat(self):
    """Show dstat output; any failure is logged as a warning and swallowed."""
    try:
        Dstat().show()
    except Exception as exc:  # best-effort: never propagate to the caller
        Loger().WARNING("Scout dstat Exception: %s" % exc)
def async_rule(self):
    """Run the rule loop; any failure is logged as a warning and swallowed."""
    try:
        Rule(**self.kwargs).LOOP()
    except Exception as exc:  # best-effort: never propagate to the caller
        Loger().WARNING("Scout rule Exception: %s" % exc)