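def _getSomething(self, relationName, primKeyName, primKey):
    """
    Fetch the attributes of the one row of C{relationName} whose
    C{primKeyName} column equals C{primKey}.

    The lookup is wrapped into an XML SELECT request by the message
    wrapper, sent through C{self._performRequest} and the reply decoded
    again. Only the attribute dictionary of the first row of the first
    result set is returned.

    @param relationName: name of the relation (table) to query
    @type relationName: C{String}
    @param primKeyName: name of the column holding the key
    @type primKeyName: C{String}
    @param primKey: value the key column has to be equal to
    @return: attribute dictionary of the matching entry
    @rtype: C{dict}
    @raise IndexError: if the reply holds no result set or no row
    """
    from messagewrapper import getXMLDBWrapper
    wrapper = getXMLDBWrapper()
    # NOTE(review): primKey goes into the XML request unchanged - whether it
    # is escaped is up to wrapSelect; confirm before passing untrusted
    # values in here.
    xml = wrapper.wrapSelect(relationName, 'all', [[primKeyName, OPERATOR_EQUAL, primKey]])
    result = self._performRequest(xml)
    count, resolved = wrapper.parseSelectReply(result)
    try:
        return resolved[0]['relations'][0]['attributes']
    except IndexError:
        # same exception type as before (callers may catch it), but say
        # what was looked up instead of a bare "list index out of range"
        raise IndexError('No entry in relation %s with %s = %s' % (relationName, primKeyName, primKey))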
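def insertExtensionEvent(self, data):
    """
    Insert an extension message into the IOIDS database.

    Only entries of type C{ioids_event} are accepted; anything else is
    rejected before a request is built.

    @param data: entry list in the usual pre-XML shape
        C{[relationName, attributeDict, relationList]}
    @return: primary key of the new entry, with the apostrophes the reply
        wraps around it removed
    @rtype: C{String}
    @raise ValueError: if C{data} is empty or not an C{ioids_event} entry
    """
    if not data or data[0] != 'ioids_event':
        raise ValueError('This is not a valid extension message for the IOIDS extension.')
    from messagewrapper import getXMLDBWrapper
    wrapper = getXMLDBWrapper()
    # NOTE(review): attribute values are handed to wrapInsert as-is; make
    # sure it escapes them - extension data may originate from a sensor.
    xml = wrapper.wrapInsert(data[0], data[1], data[2])
    result = self._performRequest(xml)
    decode = wrapper.parseInsertReply(result)
    # the reply carries the key quoted ('...'); hand back the bare value
    return decode[0][2][1:-1]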
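def getIoidsEvents(self, conditions=None):
    """
    Collect the ioids events available in the database.

    @param conditions: list of C{[column, operator, value]} triples the
        events have to match; C{None} (the default) selects all events
    @return: the decoded result sets as returned by the message wrapper,
        a structure mixed of lists and dictionaries
    """
    # fresh list per call - a mutable default would be shared between calls
    if conditions is None:
        conditions = []
    from messagewrapper import getXMLDBWrapper
    wrapper = getXMLDBWrapper()
    # NOTE(review): condition values reach wrapSelect unchanged - check that
    # it escapes them before feeding caller-supplied filters in here.
    xml = wrapper.wrapSelect('ioids_event', 'all', conditions)
    result = self._performRequest(xml)
    count, resolved = wrapper.parseSelectReply(result)
    return resolved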
def insertEvent(self, event):
    """
    Insert a new event.

    @param event: entry list C{[relationName, attributeDict, relationList]}
    @return: primary key of the new event as reported in the reply, with
        the enclosing apostrophes removed
    @rtype: C{String}
    """
    from messagewrapper import getXMLDBWrapper
    relationName, attributes, relations = event[0], event[1], event[2]
    # NOTE(review): values are passed to wrapInsert unescaped from here;
    # the wrapper has to take care of XML escaping - confirm it does.
    request = getXMLDBWrapper().wrapInsert(relationName, attributes, relations)
    reply = getXMLDBWrapper().parseInsertReply(self._performRequest(request))
    quotedKey = reply[0][2]
    # the key comes back wrapped in apostrophes - drop first and last char
    return quotedKey[1:-1]
def insertFullIoidsEventWithRelation(self, fullIoidsEvent):
    """
    Insert a new ioids event together with its relation to further events.

    @param fullIoidsEvent: relation entry list
        C{[relationName, attributeDict, subRelations]} holding the ioids
        event and the events it relates to
    @return: The primary key of the new relation entry, without the
        apostrophes the reply wraps around it
    @rtype: C{String}
    """
    from messagewrapper import getXMLDBWrapper
    wrapper = getXMLDBWrapper()
    request = wrapper.wrapInsert(fullIoidsEvent[0], fullIoidsEvent[1], fullIoidsEvent[2])
    decoded = wrapper.parseInsertReply(self._performRequest(request))
    quotedKey = decoded[0][2]
    # reply format is 'key' - return the key only
    return quotedKey[1:-1]
def insertSnortDBEvent(self, snortdbEvent):
    """
    Insert a new snortdb event.

    @param snortdbEvent: entry list
        C{[relationName, attributeDict, relationList]} of the snort event
    @return: The primary key of the new event, stripped of the
        apostrophes the reply quotes it with
    @rtype: C{String}
    """
    from messagewrapper import getXMLDBWrapper
    name, attributes, relations = snortdbEvent[0], snortdbEvent[1], snortdbEvent[2]
    # NOTE(review): snort event attributes can carry attacker-influenced
    # payload data; they go into the XML request as-is, so wrapInsert
    # must escape them - confirm.
    reply = self._performRequest(getXMLDBWrapper().wrapInsert(name, attributes, relations))
    decoded = getXMLDBWrapper().parseInsertReply(reply)
    # cut the leading and trailing apostrophe off the reported key
    return decoded[0][2][1:-1]
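def _processIoidsEventFromLocal(self, event):
    """
    Assemble an IOIDS message for a locally raised ioids event and hand
    it to the G4DS connector for distribution.

    The ioids event referenced by C{event[1]['ioids_event_id']} is loaded
    from the database together with its related events; each related
    event gets an C{extension} relation appended (extension name plus the
    extension entry looked up for its C{event} sub relation) before
    everything is wrapped into one IOIDS message and sent off.

    @param event: entry list of the local event; only
        C{event[1]['ioids_event_id']} is read
    """
    from dbconnector import getDBConnector
    from messagewrapper import getIoidsMessageWrapper
    from g4dsconnector import getG4dsConnector

    ioidsEventId = event[1]['ioids_event_id']
    db = getDBConnector()
    ioidsevent = db.getIoidsEvent(ioidsEventId)
    relatedEvents = db.getRelatedEventsForIoidsEvent(ioidsEventId)

    # determine the extension information for each related event
    messageWrapper = getIoidsMessageWrapper()
    for relEvent in relatedEvents:
        # NOTE(review): relies on a private helper of the wrapper
        relEventEvent = messageWrapper._getRelationInTree(relEvent, ['event'])
        extName, extValue = db.getExtensionForEvent(relEventEvent)
        extAttributes = {'extension_name': extName}
        relEvent[2].append(['extension', extAttributes, [extValue]])

    xml = messageWrapper.assembleIoidsMessage(ioidsevent, relatedEvents)
    getG4dsConnector().sendEventUpdate(xml)
    print("*** processed (and sent) IOIDS event %s" % ioidsEventId)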
def insertIoidsEvent(self, ioidsEventEntryList):
    """
    Insert a new IOIDS event.

    @param ioidsEventEntryList: entry list
        C{[relationName, attributeDict, relationList]} of the ioids event
    @return: The primary key of the new event, without the surrounding
        apostrophes of the reply
    @rtype: C{String}
    """
    from messagewrapper import getXMLDBWrapper
    wrapper = getXMLDBWrapper()
    request = wrapper.wrapInsert(ioidsEventEntryList[0], ioidsEventEntryList[1], ioidsEventEntryList[2])
    decoded = wrapper.parseInsertReply(self._performRequest(request))
    quoted = decoded[0][2]
    # 'key' -> key
    return quoted[1:-1]
def testDicts(): from dbconnector import getDBConnector getDBConnector().connect() from messagewrapper import getXMLDBWrapper ## lists = getDBConnector().getEvent('5') lists = getDBConnector().getIoidsEvent('2') ## print lists xml = getXMLDBWrapper().wrapInsert(lists[0], lists[1], lists[2]) print xml getDBConnector().disconnect()
def getRelatedEventsForIoidsEvent(self, ioidsEventId, full = 1):
    """
    Load all ioids relations pointing at the given ioids event and resolve
    each of them into a full entry list.

    For every relation the referenced event and the relation type are
    looked up and appended to the relation's sub relations; the two
    foreign key attributes are dropped from the attribute dictionary
    afterwards.

    @param ioidsEventId: id of the ioids event; converted to a string for
        the request
    @param full: accepted for interface compatibility, not evaluated here
    @return: list of relation entry lists
        C{['relation', attributeDict, [eventEntry, relationTypeEntry]]}
    """
    from messagewrapper import getXMLDBWrapper
    condition = ['ioids_event_id', OPERATOR_EQUAL, str(ioidsEventId)]
    request = getXMLDBWrapper().wrapSelect('ioids_relation', 'event_id', [condition])
    reply = self._performRequest(request)
    count, resolved = getXMLDBWrapper().parseSelectReply(reply)
    from dataengine_tools import getPreXMLDictCreator
    relations = [getPreXMLDictCreator().restructureEntry(row['attributes'], 'relation')
                 for row in resolved[0]['relations']]
    for relation in relations:
        attributes, subRelations = relation[1], relation[2]
        # swap the event foreign key for the full event entry
        subRelations.append(self.getEvent(attributes['event_id']))
        del attributes['event_id']
        # same for the relation type
        subRelations.append(self.getIoidsRelationType(attributes['ioids_relation_type_id']))
        del attributes['ioids_relation_type_id']
    return relations
def testWrapper(): from messagewrapper import getXMLDBWrapper from dbconnector import OPERATOR_GREATER_THEN ## print getXMLDBWrapper().wrapSelect('event', 'all', [['oid',OPERATOR_GREATER_THEN,'30608']]) xml = "<RELATIONS command='SELECT_RESULTS' >" + \ "<REL RESULTS_ID='1'>" + \ "<REL name='table1'>" + \ "<ATT name='x1'>128</ATT><ATT name='table1_id'>1</ATT><ATT name='table2_id'>1</ATT>" + \ "</REL>" + \ "<REL name='table1'>" + \ "<ATT name='x1'>12</ATT><ATT name='table1_id'>2</ATT><ATT name='table2_id'>1</ATT>" + \ "</REL>" + \ "<REL name='TOTAL_RECORDS'>2</REL>" + \ "</REL>" + \ "<REL name='TOTAL_RESULTS'>1</REL>" + \ "</RELATIONS>" print "Number of sets: %d\n%s" %(getXMLDBWrapper().parseSelectReply(xml))
def _executeOneReaction(self, event, reaction): """ Performs all operations as defined by the reaction part of an ioids rule. """ from config import G4DS_MEMBER_ID from dbconnector import getDBConnector from errorhandling import IoidsDependencyException ioidsSource = G4DS_MEMBER_ID ioidsSender = G4DS_MEMBER_ID if reaction['parameters'].has_key('community'): if reaction['parameters']['community'] == 'Auto': ioidsCommunity = 'C001' # we will do this properly soon :) TODO else: ioidsCommunity = reaction['parameters']['community'] else: raise IoidsDependencyException('Community can not be determined for new local event. Looks like a mistake in ioids policy.') if reaction['parameters'].has_key('classification'): if reaction['parameters']['classification'] == 'Auto': ioidsClassificationCode = '10' # we will do this properly soon :) TODO else: ioidsClassificationCode = reaction['parameters']['classification'] else: raise IoidsDependencyException('Community can not be determined for new local event. 
Looks like a mistake in ioids policy.') ioidsTimestamp = 'now' if reaction['type'] == 'NewLocalEvent': if event[1].has_key('event_id'): # we must get rid off the id - otherwise it will insert a new event again and again del event[1]['event_id'] # create relations from dataengine_tools import getPreXMLDictCreator from config import IOIDS_EVENT_TYPE, LOCAL_ADDRESS, LOCAL_HOSTNAME, LOCAL_MAC, LOCAL_OS, LOCAL_DOMAIN, LOCAL_COMPUTER_TYPE from messagewrapper import getXMLDBWrapper import binascii as hex creator = getPreXMLDictCreator() # here we create the actual event newEncoding = creator.createNewEncodingEntry('XML HEX') eventXML = getXMLDBWrapper().wrapInsert(event[0], event[1], event[2]) encoded = hex.hexlify(eventXML) newData = creator.createNewDataEntry(encoded, [newEncoding]) # todo: put whole event description here newComputer = creator.createNewComputerEntry(LOCAL_HOSTNAME, LOCAL_OS, LOCAL_ADDRESS, LOCAL_MAC, LOCAL_DOMAIN, [], None, LOCAL_COMPUTER_TYPE) newAgent = creator.createNewAgentEntry('IOIDS', [newComputer], '2') newReporter = creator.createNewReporterEntry('IOIDS reporter', [newAgent]) newEventType = creator.createNewEventTypeEntry(IOIDS_EVENT_TYPE) # reporter is me # observer is the reporter from our event oldEventReporterId = event[1]['rprt_id'] fullReporter = getDBConnector().getReporter(oldEventReporterId) if fullReporter[1].has_key('rprt_name'): repName = fullReporter[1]['rprt_name'] else: repName = None newObserver = creator.createNewObserverEntry(repName, fullReporter[2]) # source and destination are the same than of the actual event newEvent = creator.createNewEventEntry('now', [newData, newEventType, newReporter, newObserver], None, None, event[1]['src_id'], event[1]['dstn_id']) ioidsEventEntry = creator.createNewIoidsEventEntry(ioidsCommunity, ioidsTimestamp, [ creator.createNewIoidsSourceEntry(ioidsSource), creator.createNewIoidsSenderEntry(ioidsSender), getDBConnector().getIoidsClassificationByCode(ioidsClassificationCode), ## 
creator.createNewIoidsClassificationEntry(ioidsClassificationCode, ioidsClassificationName), newEvent # our event should be in the proper format already ]) ## creator.createIoidsClassificationEntry(ioidsClassification)], event['event_id']) # and finally the relations newRelationEntry = creator.createNewIoidsRelationEntry([ioidsEventEntry, event], relationTypeName = 'parent') # testing purposes ## import support.dictviewer ## support.dictviewer.showNow(newRelationEntry) # #### primKeyRel = getDBConnector().insertFullIoidsEventWithRelation(newRelationEntry) ## ioidsEventId = getDBConnector().getIoidsRelation(primKeyRel,0)[1]['ioids_event_id'] ## ## primKey = getDBConnector().insertIoidsEvent(ioidsEventEntry) ## eventId = getDBConnector().getIoidsEvent(ioidsEventId, 0)[1]['event_id'] ## self._remoteEvents.append(eventId) print "\t-- Inserted event with id: %s" %(primKeyRel) # now let's go and check whether this is to be distributed if reaction['parameters'].has_key('distribute'): print "\t--Now I would even send it off to %s." %(reaction['parameters']['distribute']['domain'])