def process(self, alert):
self._totalProcessed += 1
action = alert.getAction()
if action == AlertAction.get('Block'):
self._block(alert)
elif action == AlertAction.get('Revoke'):
self._revoke(alert)
def process(self, alert):
self._totalProcessed += 1
action = alert.getAction()
if action == AlertAction.get('Block'):
self._block(alert)
elif action == AlertAction.get('Revoke'):
self._revoke(alert)
def process(self, alert):
"""Process an alert."""
self._totalProcessed = self._totalProcessed + 1
action = alert.getAction()
if (action == AlertAction.get('Block')):
self._block(alert)
elif (action == AlertAction.get('Revoke')):
self._revoke(alert)
def process(self, alert):
"""Process an alert."""
self._totalProcessed=self._totalProcessed+1;
action=alert.getAction()
if(action == AlertAction.get('Block')):
self._block(alert)
elif (action==AlertAction.get('Revoke')):
self._revoke(alert)
def __init__(self, config):
super().__init__(config, [AlertAction.get('Block'), AlertAction.get('Revoke')])
self._logger = logging.getLogger("LQMT.Checkpoint.{0}".format(self.getName()))
self._rules = {} # CFM-created rules from config device
self._blocks = set() # Blocks to block that aren't already blocked
self._blockIPs = set()
self._unblockUIDs = set() # IPs to unblock
self._totalProcessed = 0
self._totalBlocked = 0
self._totalRevoked = 0
self._modified = False
self._cp = config
def __init__(self, config):
super().__init__(config,
[AlertAction.get('Block'),
AlertAction.get('Revoke')])
self._logger = logging.getLogger("LQMT.Checkpoint.{0}".format(
self.getName()))
self._rules = {} # CFM-created rules from config device
self._blocks = set() # Blocks to block that aren't already blocked
self._blockIPs = set()
self._unblockUIDs = set() # IPs to unblock
self._totalProcessed = 0
self._totalBlocked = 0
self._totalRevoked = 0
self._modified = False
self._cp = config
def __init__(self, config):
"""
ToMBL tool. Used to push data to MBL using the Splunk Web API.
:param config: configuration file
"""
super().__init__(config, [AlertAction.get('All')])
self._logger = logging.getLogger("LQMT.ToolName.{0}".format(
self.getName()))
self.alerts = {}
self.sourcetype_lexicon = ['block', 'spearphish', 'malware']
self._parser = FlexTransformParser(
{'mbl': 'resources/sampleConfigurations/MBL.cfg'})
for file_type, source_config in self._config.source_configs.items():
self._parser.add_parser(file_type, source_config)
self.splunk_handler = ApiHandler(
self._config.host,
self._config.port,
self._config.username,
self._config.password,
cert_check=self._config.cert_check,
source=self._config.source,
index=self._config.index,
)
def process(self, data, isWhitelisted, datafile, meta):
"""
Process the alert data using each tool in the toolchain
:param meta: used to provide parser with information not found in the source data.
:param data: the processed alert data in the intermediate format
:param isWhitelisted: indicates if the alert data is whitelisted or not
:param datafile: the directory location of the processed alert datafile. Currently only used with FlexText
because the alert has to be reprocessed for FlexText
"""
if self.isEnabled():
# if the alert can be processed by this toolchain, then process it
if data.getAction() in self._actionsToProcess or AlertAction.get('All') in self._actionsToProcess:
# if indicator isn't whitelisted, proceed with processing. Otherwise ignore processing
# and log the whitelist block.
if isWhitelisted is False:
self._alertsProcessed += 1
for tool in self._tools:
# FlexText requires the datafile instead of the processed data.
if tool.toolName == "FlexText" or tool.toolName == 'MBL':
tool.process(datafile, meta)
else:
tool.process(data)
else:
self._logger.info(
"Alert not processed. IP Indicator is whitelisted. Whitelisted IP:{0}".format(
data.getIPToBlock()))
else:
self._alertsNotProcessed += 1
def __init__(self, config):
"""
ToSnort tool. Used to insert Snort rules into a Snort configuration.
:param config: configuration file
"""
super().__init__(config, [AlertAction.get('OtherAction')])
self._logger = logging.getLogger("LQMT.ToSnort.{0}".format(
self.getName()))
def __init__(self, config):
super().__init__(config, [AlertAction.get('Block'), AlertAction.get('Revoke')])
# self._config=config
self._conn = self._config.getDBConn()
self._cur = self._conn.cursor()
self._xapi=self._config.getXapi()
self._totalProcessed=0
self._totalBlocked=0
self._totalRevoked=0
self._totalUpdated=0
self._totalPruned=0
self._totalExpired=0
self._logger = logging.getLogger("LQMT.PaloAlto.{0}".format(self.getName()))
self._blocks=dict()
self._revokes=dict()
# max per query controls the number of ips per query that are handled. This is done to ensure that sqlite
# and python don't have issues if there a significant number of ips to process at once
self._maxPerQuery=100
def __init__(self, config):
"""
ToFlexText tool. Used to reformat CTI data in a user configured manner.
:param config: configuration file
"""
super().__init__(config, [AlertAction.get('All')])
self._logger = logging.getLogger("LQMT.ToBro.{0}".format(self.getName()))
self.file = None
self.writer = None
self.header_exists = False
self.header_keys = self.header_formatting()
def __init__(self, config):
"""
ToFlexText tool. Used to reformat CTI data in a user configured manner.
:param config: configuration file
"""
super().__init__(config, [AlertAction.get('All')])
self._logger = logging.getLogger("LQMT.ToBro.{0}".format(
self.getName()))
self.file = None
self.writer = None
self.header_exists = False
self.header_keys = self.header_formatting()
def __init__(self, config):
super().__init__(config,
[AlertAction.get('Block'),
AlertAction.get('Revoke')])
# self._config=config
self._conn = self._config.getDBConn()
self._cur = self._conn.cursor()
self._xapi = self._config.getXapi()
self._totalProcessed = 0
self._totalBlocked = 0
self._totalRevoked = 0
self._totalUpdated = 0
self._totalPruned = 0
self._totalExpired = 0
self._logger = logging.getLogger("LQMT.PaloAlto.{0}".format(
self.getName()))
self._blocks = dict()
self._revokes = dict()
# max per query controls the number of ips per query that are handled. This is done to ensure that sqlite
# and python don't have issues if there a significant number of ips to process at once
self._maxPerQuery = 100
def __init__(self, config):
"""
ToFlexText tool. Used to reformat CTI data in a user configured manner.
:param config: configuration file
"""
super().__init__(config, [AlertAction.get('All')])
self._logger = logging.getLogger("LQMT.FlexText.{0}".format(self.getName()))
# initialize parser with a dict created with variables from flextext configuration
self._parser = FlexTransformParser({'CSV': self._config.flext_config})
for file_type, source_config in self._config.source_configs.items():
self._parser.add_parser(file_type, source_config)
self._file_obj = None
self._processed = []
def __init__(self, config):
super().__init__(config, [AlertAction.get('All')])
self._logger = logging.getLogger("LQMT.ArcSight.{0}".format(self.getName()))
self._totalSent = 0
if self.isEnabled():
# Open the appropriate type of socket
if self._config.getProtocol() == 'tcp':
self._socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
self._socket.connect((config.getHost(), config.getPort()))
except Exception as e:
self._logger.error(
"Unable to connect to ArcSight: {0}:{1}".format(config.getHost(), config.getPort()))
self._logger.error(str(e))
self._socket = None
self.disable()
else:
self._socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
def __init__(self, config):
super().__init__(config, [AlertAction.get('All')])
self._logger = logging.getLogger("LQMT.SysLog.{0}".format(self.getName()))
self._totalSent = 0
self._messageHead = self._config.messageHead
self._messageFields = self._config.messageFields
if self.isEnabled():
if self._config.protocol == 'tcp':
self._socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
self._socket.connect((self._config.host, self._config.port))
except Exception as e:
self._logger.error(
"Unable to connect to remote Syslog server: {0}:{1}".format(self._config.host,
self._config.port))
self._logger.error(str(e))
self._socket = None
self.disable()
else:
self._socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
def __init__(self, config):
"""
ToSplunk tool. Used to push data to Splunk using Splunk web API.
:param config: configuration file
"""
super().__init__(config, [AlertAction.get('All')])
self._logger = logging.getLogger("LQMT.ToSplunk.{0}".format(
self.getName()))
self._splunk_token = ""
if self._config.cert_check is False:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
self.handler = ApiHandler(self._config.host,
self._config.port,
self._config.username,
self._config.password,
cert_check=self._config.cert_check,
source=self._config.source,
sourcetype=self._config.sourcetype,
index=self._config.index)
def __init__(self, config):
"""
ToSplunk tool. Used to push data to Splunk using Splunk web API.
:param config: configuration file
"""
super().__init__(config, [AlertAction.get('All')])
self._logger = logging.getLogger("LQMT.ToSplunk.{0}".format(self.getName()))
self._splunk_token = ""
if self._config.cert_check is False:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
self.handler = ApiHandler(
self._config.host,
self._config.port,
self._config.username,
self._config.password,
cert_check=self._config.cert_check,
source=self._config.source,
sourcetype=self._config.sourcetype,
index=self._config.index
)
def __init__(self, config):
"""
ToMBL tool. Used to push data to MBL using the Splunk Web API.
:param config: configuration file
"""
super().__init__(config, [AlertAction.get('All')])
self._logger = logging.getLogger("LQMT.ToolName.{0}".format(self.getName()))
self.alerts = {}
self.sourcetype_lexicon = ['block', 'spearphish', 'malware']
self._parser = FlexTransformParser({'mbl': 'resources/sampleConfigurations/MBL.cfg'})
for file_type, source_config in self._config.source_configs.items():
self._parser.add_parser(file_type, source_config)
self.splunk_handler = ApiHandler(
self._config.host,
self._config.port,
self._config.username,
self._config.password,
cert_check=self._config.cert_check,
source=self._config.source,
index=self._config.index,
)
def __init__(self, config):
super().__init__(config, [AlertAction.get('All')])
self._logger = logging.getLogger("LQMT.CEF.{0}".format(self.getName()))
def __init__(self, config):
super().__init__(config, [AlertAction.get('All')])
self._logger = logging.getLogger("LQMT.CEF.{0}".format(self.getName()))