def ajax_cd_recording_detail_events(self):
filtered = list(
filter(
lambda x: "cdrom" == x.get("System", {}).get("Provider", {})
.get("@Name", None) and (x.get("System", {}).get(
"EventID", {}).get("#text", None) == "133"),
self.events.values()))
data = []
# 정렬해야함
filtered = sort_by_timecreated(filtered, reverse=False)
for event in filtered:
event["_PluginResult"] = {}
EventID = event.get("System", {}).get("EventID",
{}).get("#text", None)
# 방화벽 켜기/끄기
if EventID == "133":
Device = event.get("EventData", {}).get("Data",
[]).get("#text", None)
event["_PluginResult"]["Device"] = Device
data.append(event)
return rapidjson.dumps(data)
def ajax_firewall_status_events(self):
filtered = list(filter(
lambda x: "Microsoft-Windows-Windows Firewall With Advanced Security" == x.get("System", {}).get("Provider",{}).get("@Name", None) and ( x.get("System", {}).get("EventID", {}).get("#text", None) in ("2003", "2010"))
, self.events.values()
))
# 방화벽 현재 상태 (온/오프)
# 현재 프로필
network_profile_dict = {}
network_profile_dict["2"] = "Disconnected"
network_profile_dict["4"] = "Disconnected"
firewall_result = []
firewall_private_status = ""
firewall_public_status = ""
firewall_domain_status = ""
# 정렬해야함
filtered = sort_by_timecreated(filtered, reverse=False)
for event in filtered:
EventID = event.get("System", {}).get("EventID", {}).get("#text", None)
if EventID == "2003":
SettingValue = event.get("EventData", {}).get("Data", [])[3].get("#text", None)
Profile = event.get("EventData", {}).get("Data", [])[0].get("#text", None)
if Profile == "1":
firewall_domain_status = SettingValue
elif Profile == "2":
firewall_private_status = SettingValue
elif Profile == "4":
firewall_public_status = SettingValue
if EventID == "2010":
OldProfile = event.get("EventData", {}).get("Data", [])[2].get("#text", None)
NewProfile = event.get("EventData", {}).get("Data", [])[3].get("#text", None)
InterfaceName = event.get("EventData", {}).get("Data", [])[1].get("#text", None)
if OldProfile == "2":
network_profile_dict["2"] = InterfaceName
elif OldProfile == "4":
network_profile_dict["4"] = InterfaceName
# print (network_profile_dict)
# 현재 프로파일
# firewall = {}
# firewall["current_profile"] = current_profile
# firewall["firewall_domain_status"] = firewall_domain_status
# firewall["firewall_private_status"] = firewall_private_status
# firewall["firewall_public_status"] = firewall_public_status
#
# firewall_result.append(firewall)
# 딕셔너리를 리스트 형태로 변환하고 반환
profile_list = []
for key, value in network_profile_dict.items():
profile_list.append(value)
firewall_result.append(profile_list)
firewall_result.append(firewall_domain_status)
firewall_result.append(firewall_private_status)
firewall_result.append(firewall_public_status)
return rapidjson.dumps(firewall_result)
def ajax_firewall_list_events(self):
# 예외 포트 현재 상태
filtered = list(filter(
lambda x: "Microsoft-Windows-Windows Firewall With Advanced Security" == x.get("System", {}).get("Provider", {}).get("@Name", None) and (x.get("System", {}).get("EventID", {}).get("#text", None) in ("2004", "2005", "2006"))
, self.events.values()
))
firewall_dict = {}
filtered = sort_by_timecreated(filtered, reverse=False)
for event in filtered:
EventID = event.get("System", {}).get("EventID", {}).get("#text", None)
# 룰 생성, 변경
if EventID == "2004" or EventID == "2005":
RuleID = event.get("EventData", {}).get("Data", [])[0].get("#text", None)
RuleName = event.get("EventData", {}).get("Data", [])[1].get("#text", None)
ApplicationPath = event.get("EventData", {}).get("Data", [])[3].get("#text", "*")
Direction = event.get("EventData", {}).get("Data", [])[5].get("#text", None)
Protocol = event.get("EventData", {}).get("Data", [])[6].get("#text", None)
LocalPorts = event.get("EventData", {}).get("Data", [])[7].get("#text", "*")
RemotePorts = event.get("EventData", {}).get("Data", [])[8].get("#text", "*")
Action = event.get("EventData", {}).get("Data", [])[9].get("#text", None)
LocalAddresses = event.get("EventData", {}).get("Data", [])[11].get("#text", "*")
RemoteAddresses = event.get("EventData", {}).get("Data", [])[12].get("#text", "*")
Active = event.get("EventData", {}).get("Data", [])[17].get("#text", None)
ModifyingApplication = event.get("EventData", {}).get("Data", [])[22].get("#text", None)
# 이름, 프로필, 작업, 방향, 프로그램, 로컬주소, 로컬포트, 원격주소, 원격포트
rule = {}
if dic_Action.get(Action) == "허용" :
if Active == "1" :
RuleName = "<img src='./static/images/Firewall_allow_enable.png' /> " + RuleName
else :
RuleName = "<img src='./static/images/Firewall_allow_disable.png' /> " + RuleName
elif dic_Action.get(Action) == "거부":
if Active == "1" :
RuleName = "<img src='./static/images/Firewall_deny_enable.png' /> " + RuleName
else :
RuleName = "<img src='./static/images/Firewall_deny_disable.png' /> " + RuleName
rule["RuleName"] = RuleName
rule["ApplicationPath"] = ApplicationPath.replace("*", "모두")
rule["Action"] = dic_Action.get(Action)
rule["Direction"] = dic_Direction.get(Direction)
rule["Protocol"] = dic_Protocol.get(Protocol)
rule["LocalAddresses"] = LocalAddresses.replace("*", "모두")
rule["RemoteAddresses"] = RemoteAddresses.replace("*", "모두")
rule["LocalPorts"] = LocalPorts.replace("*", "모두")
rule["RemotePorts"] = RemotePorts.replace("*", "모두")
#rule.append(rule_data)
firewall_dict[RuleID] = rule
# 룰 삭제
if EventID == "2006":
RuleID = event.get("EventData", {}).get("Data", [])[0].get("#text", None)
try :
del firewall_dict[RuleID]
except :
# 기존 룰추가 로그가 지워져 사전에 없는경우 예외 발생
pass
# 딕셔너리를 리스트 형태로 변환하고 반환
firewall_list = []
for key, value in firewall_dict.items():
firewall_list.append(value)
return rapidjson.dumps(firewall_list)
def ajax_dashboard_events(self):
filtered = list(filter(
lambda x: ("Microsoft-Windows-UserPnp" == x.get("System", {}).get("Provider", {}).get("@Name", None) and (x.get("System", {}).get("EventID", {}).get("#text", None) == "20001"))
or ("Microsoft-Windows-DriverFrameworks-UserMode" == x.get("System", {}).get("Provider", {}).get("@Name", None) and (x.get("System", {}).get("EventID", {}).get("#text", None) == "10000"))
or ("Microsoft-Windows-DriverFrameworks-UserMode" == x.get("System", {}).get("Provider", {}).get("@Name", None) and (x.get("System", {}).get("EventID", {}).get("#text", None) in ("2101", "2102"))
or ("Microsoft-Windows-Security-Auditing" == x.get("System", {}).get("Provider", {}).get("@Name", None) and (x.get("System", {}).get("EventID", {}).get("#text", None) =="4624") and "User32" == x.get("EventData", {}).get("Data", [])[9].get("#text", None))
or ("Microsoft-Windows-Partition" == x.get("System", {}).get("Provider", {}).get("@Name", None) and (x.get("System", {}).get("EventID", {}).get("#text", None) == "1006")))
, self.events.values()
))
#####################################
# 사용자 로그온 리스트
#####################################
user_logon_history = []
for event in filtered:
EventID = event.get("System", {}).get("EventID", {}).get("#text", None)
if EventID == "4624" :
user_data = []
# time, Name
local_time = event.get("_Metadata", {}).get("LocalTimeCreated", None)
TargetUserName = event.get("EventData", {}).get("Data", [])[5].get("#text", None)
user_data.append(TargetUserName)
user_data.append(local_time)
user_logon_history.append(user_data)
# 시간 내림차순으로정렬
user_logon_history = sorted(user_logon_history, key=operator.itemgetter(1), reverse=True)
#####################################
# win10 파티션 정보 리스트
#####################################
# 중복제거용
seen = set()
partition_list = []
for event in filtered:
EventID = event.get("System", {}).get("EventID", {}).get("#text", None)
if EventID == "1006":
# usbinfo
partition_data = []
Capacity = event.get("EventData", {}).get("Data", [])[9].get("#text", None)
if Capacity == "0" :
continue
vendor = event.get("EventData", {}).get("Data", [])[11].get("#text", "")
product = event.get("EventData", {}).get("Data", [])[12].get("#text", "")
serial = event.get("EventData", {}).get("Data", [])[14].get("#text", None)
registryid = event.get("EventData", {}).get("Data", [])[21].get("#text", None)
registryid = registryid.replace("{", "").replace("}", "")
if serial not in seen:
partition_data.append(Capacity)
partition_data.append(vendor)
partition_data.append(product)
partition_data.append(serial)
partition_data.append(registryid)
partition_list.append(partition_data)
seen.add(serial)
#####################################
# USB 연결 히스토리
#####################################
filtered = sort_by_timecreated(filtered, reverse=False)
usb_connect_history = []
# 중복제거용
seen = set()
for event in filtered:
EventID = event.get("System", {}).get("EventID", {}).get("#text", None)
if EventID == "2101" or EventID == "2102":
# 날짜, 구분(연결/해제), 장치명, 시리얼번호, 사용자
# 동일한 이벤트가 두세번씩 나오기때문에 리스트에 시간, 시리얼, 이벤트번호가 동일한 값이 있는 경우 스킵
usb_connect = []
DeviceInstanceID = event.get("UserData", {}).get("UMDFHostDeviceRequest", {}).get("@instance", None)
if DeviceInstanceID == None :
DeviceInstanceID = event.get("UserData", {}).get("UMDFHostDeviceRequest", {}).get("InstanceId", {}).get("#text", None)
if DeviceInstanceID.startswith("WPDBUSENUMROOT") or DeviceInstanceID.startswith("SWD") or DeviceInstanceID.startswith("USB"):
usb_local_time = event.get("_Metadata", {}).get("LocalTimeCreated", None)
parsed_date = dateutil.parser.parse(usb_local_time)
minor = event.get("UserData", {}).get("UMDFHostDeviceRequest", {}).get("Request", {}).get("@minor", None)
if minor == None :
minor = event.get("UserData", {}).get("UMDFHostDeviceRequest", {}).get("RequestMinorCode", {}).get("#text", None)
time_string = "%d-%02d-%02d %02d:%02d:%02d" % (parsed_date.year, parsed_date.month, parsed_date.day, parsed_date.hour, parsed_date.minute, parsed_date.second)
# minor 값을 확인하여 중복 방지
# 2101 : 20
# 2102 : 2
if EventID == "2101" and minor == "20":
usbinfo = self.get_usbinfo(DeviceInstanceID)
usb_connect.append(time_string)
usb_connect.append("<span class=\"label label-primary\">연결</span>")
usb_connect.append(EventID)
vendor = usbinfo[0]
product = usbinfo[1]
serial = usbinfo[2]
#(win10 해당됨) 시리얼과 파티션 테이블의 레지스트리 아이디가 같으면 해당 정보로 변경
for partition_data in partition_list :
if (serial == partition_data[3]) or (serial == partition_data[4]):
vendor = partition_data[1]
product = partition_data[2]
serial = partition_data[3]
break
usb_connect.append(vendor)
usb_connect.append(product)
usb_connect.append(serial)
usb_connect.append(usbinfo[3])
# USB 사용자 확인, user_logon_history 는 내림차순 정렬되어 있음
usb_user_name = "알수없음"
for history in user_logon_history:
user_name = history[0]
user_logon_time = history[1]
# 최근 사용자 확인
if user_logon_time < usb_local_time:
usb_user_name = user_name
break
usb_connect.append(usb_user_name)
usb_connect.append(False) # 히스토리 참조여부
usb_connect_history.append(usb_connect)
elif EventID == "2102" and (minor == "2" or minor == "3"):
usbinfo = self.get_usbinfo(DeviceInstanceID)
usb_connect.append(time_string)
usb_connect.append("<span class=\"label label-danger\">해제</span>")
usb_connect.append(EventID)
vendor = usbinfo[0]
product = usbinfo[1]
serial = usbinfo[2]
# (win10 해당됨) 시리얼과 파티션 테이블의 레지스트리 아이디가 같으면 해당 정보로 변경
for partition_data in partition_list:
if (serial == partition_data[3]) or (serial == partition_data[4]):
vendor = partition_data[1]
product = partition_data[2]
serial = partition_data[3]
break
usb_connect.append(vendor)
usb_connect.append(product)
usb_connect.append(serial)
usb_connect.append(usbinfo[3])
# USB 사용자 확인, user_logon_history 는 내림차순 정렬되어 있음
usb_user_name = "알수없음"
for history in user_logon_history:
user_name = history[0]
user_logon_time = history[1]
# 최근 사용자 확인
if user_logon_time < usb_local_time:
usb_user_name = user_name
break
usb_connect.append(usb_user_name)
usb_connect.append(False) # 히스토리 참조여부
usb_connect_history.append(usb_connect)
# win 10 에서 2101, 2102 가 없는 경우 비활성화되어 히스토리가 수집이 안되있음
# 그런경우 정확하진 않지만 차선으로 partition 에서 히스토리 수집
if len(usb_connect_history) == 0 :
for event in filtered:
EventID = event.get("System", {}).get("EventID", {}).get("#text", None)
if EventID == "1006" :
usb_connect = []
Capacity = event.get("EventData", {}).get("Data", [])[9].get("#text", None)
usb_local_time = event.get("_Metadata", {}).get("LocalTimeCreated", None)
parsed_date = dateutil.parser.parse(usb_local_time)
time_string = "%d-%02d-%02d %02d:%02d:%02d" % ( parsed_date.year, parsed_date.month, parsed_date.day, parsed_date.hour, parsed_date.minute, parsed_date.second)
# usbinfo
vendor = event.get("EventData", {}).get("Data", [])[11].get("#text", None)
product = event.get("EventData", {}).get("Data", [])[12].get("#text", None)
serial = event.get("EventData", {}).get("Data", [])[14].get("#text", None)
# 용량이 0 인경우 해제
if Capacity == "0" :
# disconnect
usb_connect.append(time_string)
usb_connect.append("<span class=\"label label-danger\">해제</span>")
usb_connect.append(EventID)
usb_connect.append(vendor)
usb_connect.append(product)
usb_connect.append(serial)
usb_connect.append("unknown")
# USB 사용자 확인, user_logon_history 는 내림차순 정렬되어 있음
usb_user_name = "알수없음"
for history in user_logon_history:
user_name = history[0]
user_logon_time = history[1]
# 최근 사용자 확인
if user_logon_time < usb_local_time:
usb_user_name = user_name
break
usb_connect.append(usb_user_name)
usb_connect.append(False) # 히스토리 참조여부
usb_connect_history.append(usb_connect)
else :
# connect
usb_connect.append(time_string)
usb_connect.append("<span class=\"label label-primary\">연결</span>")
usb_connect.append(EventID)
usb_connect.append(vendor)
usb_connect.append(product)
usb_connect.append(serial)
usb_connect.append("unknown")
# USB 사용자 확인, user_logon_history 는 내림차순 정렬되어 있음
usb_user_name = "알수없음"
for history in user_logon_history:
user_name = history[0]
user_logon_time = history[1]
# 최근 사용자 확인
if user_logon_time < usb_local_time:
usb_user_name = user_name
break
usb_connect.append(usb_user_name)
usb_connect.append(False) # 히스토리 참조여부
usb_connect_history.append(usb_connect)
#####################################
# MTP 장치 목록 가져오기
#####################################
mtp_list = []
external_device_list = []
for event in filtered:
# DriverName == wpdmtp.inf
# MTP 장치 구분
EventID = event.get("System", {}).get("EventID", {}).get("#text", None)
if EventID == "20001":
DeviceInstanceID = event.get("UserData", {}).get("InstallDeviceID", {}).get("DeviceInstanceID", {}).get("#text", None)
DriverName = event.get("UserData", {}).get("InstallDeviceID", {}).get("DriverName", {}).get("#text",None)
# USB\VID_04E8&PID_6860\0B15038F14190B8E
# mtp 드라이버만
if DriverName.find("wpdmtp.inf") != -1:
usbinfo = self.get_usbinfo(DeviceInstanceID)
mtp_list.append(usbinfo[2])
#####################################
# 10000번 기반(최초사용) USB 리스트뷰 작성
# Win10 에서 외장하드는 registryid 형태로 남기 때문에 partition 정보가 있는 경우 해당 테이블에서 시리얼 정보 참조
#####################################
usb_connect_info = []
seen = set()
for event in filtered:
EventID = event.get("System", {}).get("EventID", {}).get("#text", None)
if EventID == "10000" :
DeviceInstanceID = event.get("UserData", {}).get("UMDFDeviceInstallBegin", {}).get("DeviceId", {}).get("#text", None)
if DeviceInstanceID.startswith("WPDBUSENUMROOT") or DeviceInstanceID.startswith("SWD") or DeviceInstanceID.startswith("USB") :
# WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_BIZET&PROD_SECUYOUSB&REV_1100#650402230001179621
# USB\VID_04E8&PID_6860\5210EFA66404B3F5
usbinfo = self.get_usbinfo(DeviceInstanceID)
vendor = usbinfo[0]
product = usbinfo[1]
serial = usbinfo[2]
type = usbinfo[3]
capacity = ""
# (win10 해당됨) 시리얼과 파티션 테이블의 레지스트리 아이디가 같으면 해당 정보로 변경
for partition_data in partition_list:
if serial == partition_data[3] or serial == partition_data[4]:
vendor = partition_data[1]
product = partition_data[2]
serial = partition_data[3]
capacity = self.convert_capacity(partition_data[0])
break
if serial not in seen:
usb_local_time = event.get("_Metadata", {}).get("LocalTimeCreated", None)
parsed_date = dateutil.parser.parse(usb_local_time)
time_string = "%d-%02d-%02d %02d:%02d:%02d" % (parsed_date.year, parsed_date.month, parsed_date.day, parsed_date.hour, parsed_date.minute,parsed_date.second)
usb_connect = {}
usb_connect["FirstDate"] = time_string
usb_connect["Vendor"] = vendor
usb_connect["Product"] = product
usb_connect["Serial"] = serial
usb_connect["Type"] = type
usb_connect["Capacity"] = capacity
usb_connect["Etc"] = ""
# MTP 장치 여부 확인
for mtp in mtp_list :
if usbinfo[2] == mtp :
usb_connect["Etc"] = "MTP"
# USB 사용자 확인, user_logon_history 는 내림차순 정렬되어 있음
usb_user_name = "알수없음"
for history in user_logon_history:
user_name = history[0]
user_logon_time = history[1]
# 최근 사용자 확인
if user_logon_time < usb_local_time :
usb_user_name = user_name
break
usb_connect["User"] = usb_user_name
# 연결 히스토리 확인
sub_usb_connect = []
# 10000 번 이벤트 리스트에 없는 경우 따로 분류후 리스팅
last_date = ""
i = 0
for usb_connect_history_data in usb_connect_history :
# 시리얼 번호가 같은경우
if usb_connect_history_data[5] == serial :
# 참조된것 체크, 참조안된건 따로 리스트업
usb_connect_history[i][8] = True
sub_usb_connect_data = {}
sub_usb_connect_data["Sub_Date"] = usb_connect_history_data[0]
sub_usb_connect_data["Sub_Gubun"] = usb_connect_history_data[1]
sub_usb_connect_data["Sub_EventID"] = usb_connect_history_data[2]
sub_usb_connect_data["Sub_Vendor"] = usb_connect_history_data[3]
sub_usb_connect_data["Sub_Product"] = usb_connect_history_data[4]
sub_usb_connect_data["Sub_Serial"] = usb_connect_history_data[5]
sub_usb_connect_data["Sub_User"] = usb_connect_history_data[7]
sub_usb_connect.append(sub_usb_connect_data)
last_date = usb_connect_history_data[0]
i += 1
usb_connect["LastDate"] = last_date
usb_connect["nested"] = sub_usb_connect
usb_connect_info.append(usb_connect)
seen.add(serial)
#####################################
# 외장디스크는 20001번만 발생하고 10000번은 발생하지 않음 (Win 7)
# Win 10은 10000번, 20001번 구분 불필요
#####################################
for event in filtered:
EventID = event.get("System", {}).get("EventID", {}).get("#text", None)
if EventID == "20001" :
DriverName = event.get("UserData", {}).get("InstallDeviceID", {}).get("DriverName", {}).get("#text",None)
DeviceInstanceID = event.get("UserData", {}).get("InstallDeviceID", {}).get("DeviceInstanceID", {}).get("#text", None)
# Win 7 Only
if DriverName.find("disk.inf") != -1 and DeviceInstanceID[:7] == "USBSTOR":
usbinfo = self.get_usbinfo(DeviceInstanceID)
vendor = usbinfo[0]
product = usbinfo[1]
serial = usbinfo[2]
type = usbinfo[3]
capacity = ""
# (win10 해당됨) 시리얼과 파티션 테이블의 레지스트리 아이디가 같으면 해당 정보로 변경
for partition_data in partition_list:
if serial == partition_data[3] or serial == partition_data[4]:
vendor = partition_data[1]
product = partition_data[2]
serial = partition_data[3]
capacity = self.convert_capacity(partition_data[0])
break
# seen list 에 없으면 외장hdd 추정
if serial not in seen:
usb_local_time = event.get("_Metadata", {}).get("LocalTimeCreated", None)
parsed_date = dateutil.parser.parse(usb_local_time)
time_string = "%d-%02d-%02d %02d:%02d:%02d" % ( parsed_date.year, parsed_date.month, parsed_date.day, parsed_date.hour, parsed_date.minute, parsed_date.second)
usb_connect = {}
usb_connect["FirstDate"] = time_string
usb_connect["Vendor"] = vendor
usb_connect["Product"] = product
usb_connect["Serial"] = serial
usb_connect["Type"] = type
usb_connect["LastDate"] = "알수없음"
usb_connect["Capacity"] = capacity
usb_connect["Etc"] = ""
usb_connect["nested"] = []
# USB 사용자 확인, user_logon_history 는 내림차순 정렬되어 있음
usb_user_name = "알수없음"
for history in user_logon_history:
user_name = history[0]
user_logon_time = history[1]
# 최근 사용자 확인
if user_logon_time < usb_local_time:
usb_user_name = user_name
break
usb_connect["User"] = usb_user_name
usb_connect_info.append(usb_connect)
####################################################################
# 10000 번 이벤트가 없어서 2101, 2012 연결정보가 참조 안된경우 따로 리스트업
####################################################################
extra_usb_connect_info = []
seen = set()
for usb_connect_history_data in usb_connect_history:
if usb_connect_history_data[8] == False:
if usb_connect_history_data[5] not in seen:
usb_connect = {}
usb_connect["Date"] = ""
extra_usb_connect = []
extra_usb_connect.append(usb_connect_history_data[3])
extra_usb_connect.append(usb_connect_history_data[4])
extra_usb_connect.append(usb_connect_history_data[5])
extra_usb_connect.append(usb_connect_history_data[6])
# MTP 장치 여부 확인
is_mtp = ""
for mtp in mtp_list:
if usb_connect_history_data[5] == mtp:
is_mtp = "MTP"
extra_usb_connect.append(is_mtp)
extra_usb_connect_info.append(extra_usb_connect)
seen.add(usb_connect_history_data[5])
for extra_usb_connect in extra_usb_connect_info:
usb_connect = {}
vendor = extra_usb_connect[0]
product = extra_usb_connect[1]
serial = extra_usb_connect[2]
type = extra_usb_connect[3]
# (win10 해당됨) 시리얼과 파티션 테이블의 레지스트리 아이디가 같으면 해당 정보로 변경
capacity = ""
for partition_data in partition_list:
if extra_usb_connect[2] == partition_data[3] or extra_usb_connect[2] == partition_data[4]:
vendor = partition_data[1]
product = partition_data[2]
serial = partition_data[3]
capacity = self.convert_capacity(partition_data[0])
break
usb_connect["FirstDate"] = "알수없음"
usb_connect["Vendor"] = vendor
usb_connect["Product"] = product
usb_connect["Serial"] = serial
usb_connect["Type"] = type
usb_connect["Capacity"] = capacity
usb_connect["Etc"] = extra_usb_connect[4]
usb_user_name = "알수없음"
usb_connect["User"] = usb_user_name
sub_usb_connect = []
for usb_connect_history_data in usb_connect_history :
# 시리얼 번호가 같은경우
if usb_connect_history_data[5] == extra_usb_connect[2] :
sub_usb_connect_data = {}
sub_usb_connect_data["Sub_Date"] = usb_connect_history_data[0]
sub_usb_connect_data["Sub_Gubun"] = usb_connect_history_data[1]
sub_usb_connect_data["Sub_EventID"] = usb_connect_history_data[2]
sub_usb_connect_data["Sub_Vendor"] = usb_connect_history_data[3]
sub_usb_connect_data["Sub_Product"] = usb_connect_history_data[4]
sub_usb_connect_data["Sub_Serial"] = usb_connect_history_data[5]
sub_usb_connect_data["Sub_User"] = usb_connect_history_data[7]
sub_usb_connect.append(sub_usb_connect_data)
last_date = usb_connect_history_data[0]
usb_connect["nested"] = sub_usb_connect
usb_connect["LastDate"] = last_date
usb_connect_info.append(usb_connect)
return rapidjson.dumps(usb_connect_info)
def _get_security_auditing_data(self):
filtered = list(
filter(
lambda event:
("Microsoft-Windows-Security-Auditing" == event.get(
"System", {}).get("Provider", {}).get("@Name", None) and
(event.get("System", {}).get("EventID", {}).get(
"#text", None) in
("4688", "4689"))), self.events.values()))
filtered = sort_by_timecreated(filtered, reverse=False)
_running_processes = dict()
for event in filtered:
event["_PluginOutput"] = {}
event_id = event.get("System", {}).get("EventID",
{}).get("#text", None)
data_tags = event["EventData"]["Data"]
unknown_seen = 0
for data_tag in data_tags:
if "@Name" in data_tag:
event["_PluginOutput"][data_tag["@Name"]] = data_tag.get(
"#text", "")
else:
event["_PluginOutput"]["unknown_%d" %
unknown_seen] = data_tag.get(
"#text", "")
unknown_seen = unknown_seen + 1
for k in ("NewProcessId", "ProcessId", "SubjectLogonId",
"TargetLogonId"):
if k in event["_PluginOutput"]:
event["_PluginOutput"]["%s_Numeric" % k] = int(
event["_PluginOutput"][k], 16)
# 아래는 서로 다른 이벤트여도 같은 컬럼에 표시하기 위한 약간의 보정임.
if "4689" == event_id:
event["_PluginOutput"]["NewProcessName"] = event[
"_PluginOutput"]["ProcessName"]
event["_PluginOutput"]["NewProcessId"] = event[
"_PluginOutput"]["ProcessId"]
event["_PluginOutput"]["NewProcessId_Numeric"] = event[
"_PluginOutput"]["ProcessId_Numeric"]
# 아래 프로세스는 윈도우 7 환경에서 프로세스 이름을 구하기 위한 코드 보정
computer_name = event.get("System", {}).get("Computer",
{}).get("#text", None)
if ("4688" == event_id) and ("ParentProcessName"
not in event["EventData"]["Data"]):
created_process_id = event.get("_PluginOutput",
{}).get("NewProcessId", None)
created_process_key = (computer_name, created_process_id)
parent_process_id = event.get("_PluginOutput",
{}).get("ProcessId", None)
parent_process_key = (computer_name, parent_process_id)
_running_processes[created_process_key] = event
event["_PluginOutput"][
"ParentProcessName"] = _running_processes.get(
parent_process_key,
{}).get("_PluginOutput",
{}).get("NewProcessName", None)
elif "4689" == event_id:
destroyed_process_id = event.get("_PluginOutput",
{}).get("ProcessId", None)
destroyed_process_key = (computer_name, destroyed_process_id)
process_creation_event = None
if destroyed_process_key in _running_processes:
process_creation_event = _running_processes.pop(
destroyed_process_key)
if process_creation_event and ("ParentProcessName"
not in event["_PluginOutput"]):
event["_PluginOutput"][
"ParentProcessName"] = process_creation_event.get(
"_PluginOutput", {}).get("ParentProcessName", None)
return filtered
def ajax_account_list_events(self):
filtered = list(
filter(
lambda x: "Microsoft-Windows-Security-Auditing" == x.get(
"System", {}).get("Provider", {}).get("@Name", None) and
(x.get("System", {}).get("EventID", {}).get("#text", None) in
("4624", "4720", "4722", "4738", "4724", "4732", "4733",
"4733", "4729", "4726", "4731", "4735", "4734")),
self.events.values()))
account_dict = {}
filtered = sort_by_timecreated(filtered, reverse=False)
for event in filtered:
EventID = event.get("System", {}).get("EventID",
{}).get("#text", None)
local_time = event.get("_Metadata",
{}).get("LocalTimeCreated", None)
parsed_date = dateutil.parser.parse(local_time)
time_string = "%d-%02d-%02d %02d:%02d:%02d" % (
parsed_date.year, parsed_date.month, parsed_date.day,
parsed_date.hour, parsed_date.minute, parsed_date.second)
# 계정 생성
if EventID == "4720":
TargetSid = event.get("EventData",
{}).get("Data",
[])[2].get("#text", None)
TargetUserName = event.get("EventData",
{}).get("Data",
[])[0].get("#text", None)
TargetDomainName = event.get("EventData",
{}).get("Data",
[])[1].get("#text", None)
# 이름, 프로필, 작업, 방향, 프로그램, 로컬주소, 로컬포트, 원격주소, 원격포트
try:
account = account_dict[TargetSid]
except:
account = {}
for default_key in ("CreateDate", "TargetUserName",
"TargetDomainName",
"PasswordChangeDate",
"RecentLogonDate", "IsDeleted",
"DeleteDate"):
account[default_key] = None
account["CreateDate"] = time_string
account["TargetUserName"] = TargetUserName
account["TargetDomainName"] = TargetDomainName
account_dict[TargetSid] = account
# print (account_dict)
# 계정 패스워드 변경
elif EventID == "4724":
TargetSid = event.get("EventData",
{}).get("Data",
[])[2].get("#text", None)
TargetUserName = event.get("EventData",
{}).get("Data",
[])[0].get("#text", None)
TargetDomainName = event.get("EventData",
{}).get("Data",
[])[1].get("#text", None)
try:
account = account_dict[TargetSid]
except:
account = {}
for default_key in ("CreateDate", "TargetUserName",
"TargetDomainName",
"PasswordChangeDate",
"RecentLogonDate", "IsDeleted",
"DeleteDate"):
account[default_key] = None
account["PasswordChangeDate"] = time_string
account["TargetUserName"] = TargetUserName
account["TargetDomainName"] = TargetDomainName
account_dict[TargetSid] = account
# 계정 삭제
elif EventID == "4726":
TargetSid = event.get("EventData",
{}).get("Data",
[])[2].get("#text", None)
TargetUserName = event.get("EventData",
{}).get("Data",
[])[0].get("#text", None)
TargetDomainName = event.get("EventData",
{}).get("Data",
[])[1].get("#text", None)
try:
account = account_dict[TargetSid]
except:
account = {}
for default_key in ("CreateDate", "TargetUserName",
"TargetDomainName",
"PasswordChangeDate",
"RecentLogonDate", "IsDeleted",
"DeleteDate"):
account[default_key] = None
account["TargetUserName"] = TargetUserName
account["TargetDomainName"] = TargetDomainName
account["IsDeleted"] = "O"
account["DeleteDate"] = time_string
account_dict[TargetSid] = account
# 계정 로그인 일자
elif EventID == "4624":
LogonProcessName = event.get("EventData",
{}).get("Data",
[])[9].get("#text", None)
if LogonProcessName.find(
"User32") != -1 or LogonProcessName.find(
"NtLmSsp") != -1:
TargetSid = event.get("EventData",
{}).get("Data",
[])[4].get("#text", None)
logon_type = event.get("EventData",
{}).get("Data",
[])[8].get("#text", None)
# 계정 생성 이벤트가 지워져서 없는 경우
try:
account = account_dict[TargetSid]
except:
TargetUserName = event.get("EventData", {}).get(
"Data", [])[5].get("#text", None)
TargetDomainName = event.get("EventData", {}).get(
"Data", [])[6].get("#text", None)
account = {}
for default_key in ("CreateDate", "TargetUserName",
"TargetDomainName",
"PasswordChangeDate",
"RecentLogonDate", "IsDeleted",
"DeleteDate"):
account[default_key] = None
account["TargetUserName"] = TargetUserName
account["TargetDomainName"] = TargetDomainName
if logon_type == "2":
account["RecentLogonDate"] = time_string + "(로컬)"
account_dict[TargetSid] = account
elif logon_type == "3" and TargetUserName != "ANONYMOUS LOGON":
account["RecentLogonDate"] = time_string + "(네트워크)"
account_dict[TargetSid] = account
elif logon_type == "10":
account["RecentLogonDate"] = time_string + "(원격)"
account_dict[TargetSid] = account
# 딕셔너리를 리스트 형태로 변환하고 반환
account_list = []
for key, value in account_dict.items():
account_list.append(value)
return rapidjson.dumps(account_list)
def ajax_wireless_dashboard_events(self):
filtered = list(
filter(
lambda x: "Microsoft-Windows-WLAN-AutoConfig" == x.get(
"System", {}).get("Provider", {}).get("@Name", None) and
(x.get("System", {}).get("EventID", {}).get("#text", None) in
("8000", "8001", "8002", "8003")), self.events.values()))
wireless_graph_dict = {}
wireless_list_dict = {}
# 정렬해야함
filtered = sort_by_timecreated(filtered, reverse=False)
for event in filtered:
EventID = event.get("System", {}).get("EventID",
{}).get("#text", None)
local_time = event.get("_Metadata",
{}).get("LocalTimeCreated", None)
parsed_date = dateutil.parser.parse(local_time)
time_string = "%d-%02d-%02d %02d:%02d:%02d" % (
parsed_date.year, parsed_date.month, parsed_date.day,
parsed_date.hour, parsed_date.minute, parsed_date.second)
if EventID == "8001":
InterfaceGuid = event.get("EventData",
{}).get("Data",
[])[0].get("#text", None)
SSID = event.get("EventData",
{}).get("Data", [])[4].get("#text", None)
BSSID = event.get("EventData",
{}).get("Data", [])[6].get("#text", None)
PHYType = event.get("EventData",
{}).get("Data", [])[7].get("#text", None)
AuthenticationAlgorithm = event.get("EventData", {}).get(
"Data", [])[8].get("#text", None)
CipherAlgorithm = event.get("EventData",
{}).get("Data",
[])[9].get("#text", None)
ap_name = "%s" % (SSID)
try:
count = wireless_graph_dict[ap_name]
wireless = wireless_list_dict[InterfaceGuid]
except:
count = 0
wireless = {}
wireless_graph_dict[ap_name] = count + 1
wireless["RecentDate"] = time_string
wireless["SSID"] = SSID
wireless["BSSID"] = BSSID
wireless["EventID"] = EventID
wireless["PHYType"] = PHYType
wireless["AuthenticationAlgorithm"] = AuthenticationAlgorithm
wireless["CipherAlgorithm"] = CipherAlgorithm
wireless_list_dict[InterfaceGuid] = wireless
elif EventID == "8002":
InterfaceGuid = event.get("EventData",
{}).get("Data",
[])[0].get("#text", None)
SSID = event.get("EventData",
{}).get("Data", [])[4].get("#text", None)
try:
wireless = wireless_list_dict[InterfaceGuid]
except:
wireless = {}
wireless["RecentDate"] = time_string
wireless["SSID"] = SSID
wireless["EventID"] = EventID
wireless_list_dict[InterfaceGuid] = wireless
wireless_graph_data = []
for key, value in wireless_graph_dict.items():
wireless = []
wireless.append(key)
wireless.append(value)
wireless_graph_data.append(wireless)
wireless_list_data = []
for key, value in wireless_list_dict.items():
wireless_list_data.append(value)
wireless_data = []
wireless_data.append(wireless_graph_data)
wireless_data.append(wireless_list_data)
return rapidjson.dumps(wireless_data)
def ajax_wireless_detail_events(self):
filtered = list(
filter(
lambda x: "Microsoft-Windows-WLAN-AutoConfig" == x.get(
"System", {}).get("Provider", {}).get("@Name", None) and
(x.get("System", {}).get("EventID", {}).get("#text", None) in
("8000", "8001", "8002", "8003")), self.events.values()))
# 8000 서비스가 연결 시작
# 8001 무선랜 연결 성공
# 8002 무선랜 연결 실패
# 8003 무선랜 연결 끊어짐
# 11001 무선 네트워크 연결 성공
# 10000 연결 시작
# 11001 연결 성공
# 11010 무선보안 시작
# 11005 무선랜 보안 성공
data = []
# 정렬해야함
filtered = sort_by_timecreated(filtered, reverse=False)
for event in filtered:
EventID = event.get("System", {}).get("EventID",
{}).get("#text", None)
if EventID == "8000":
InterfaceGuid = event.get("EventData",
{}).get("Data",
[])[0].get("#text", None)
ProfileName = event.get("EventData",
{}).get("Data",
[])[3].get("#text", None)
SSID = event.get("EventData",
{}).get("Data", [])[4].get("#text", None)
BSSType = event.get("EventData",
{}).get("Data", [])[5].get("#text", None)
event["_PluginResult"] = {}
event["_PluginResult"]["InterfaceGuid"] = InterfaceGuid
event["_PluginResult"]["ProfileName"] = ProfileName
event["_PluginResult"]["SSID"] = SSID
event["_PluginResult"]["BSSType"] = BSSType
data.append(event)
elif EventID == "8001":
InterfaceGuid = event.get("EventData",
{}).get("Data",
[])[0].get("#text", None)
ProfileName = event.get("EventData",
{}).get("Data",
[])[3].get("#text", None)
SSID = event.get("EventData",
{}).get("Data", [])[4].get("#text", None)
BSSType = event.get("EventData",
{}).get("Data", [])[5].get("#text", None)
BSSID = event.get("EventData",
{}).get("Data", [])[6].get("#text", None)
PHYType = event.get("EventData",
{}).get("Data", [])[7].get("#text", None)
AuthenticationAlgorithm = event.get("EventData", {}).get(
"Data", [])[8].get("#text", None)
CipherAlgorithm = event.get("EventData",
{}).get("Data",
[])[9].get("#text", None)
event["_PluginResult"] = {}
event["_PluginResult"]["InterfaceGuid"] = InterfaceGuid
event["_PluginResult"]["ProfileName"] = ProfileName
event["_PluginResult"]["SSID"] = SSID
event["_PluginResult"]["BSSType"] = BSSType
event["_PluginResult"]["BSSID"] = BSSID
event["_PluginResult"]["PHYType"] = PHYType
event["_PluginResult"][
"AuthenticationAlgorithm"] = AuthenticationAlgorithm
event["_PluginResult"]["CipherAlgorithm"] = CipherAlgorithm
data.append(event)
elif EventID == "8002":
InterfaceGuid = event.get("EventData",
{}).get("Data",
[])[0].get("#text", None)
ProfileName = event.get("EventData",
{}).get("Data",
[])[3].get("#text", None)
SSID = event.get("EventData",
{}).get("Data", [])[4].get("#text", None)
BSSType = event.get("EventData",
{}).get("Data", [])[5].get("#text", None)
event["_PluginResult"] = {}
event["_PluginResult"]["InterfaceGuid"] = InterfaceGuid
event["_PluginResult"]["ProfileName"] = ProfileName
event["_PluginResult"]["SSID"] = SSID
event["_PluginResult"]["BSSType"] = BSSType
data.append(event)
elif EventID == "8003":
InterfaceGuid = event.get("EventData",
{}).get("Data",
[])[0].get("#text", None)
ProfileName = event.get("EventData",
{}).get("Data",
[])[3].get("#text", None)
SSID = event.get("EventData",
{}).get("Data", [])[4].get("#text", None)
BSSType = event.get("EventData",
{}).get("Data", [])[5].get("#text", None)
event["_PluginResult"] = {}
event["_PluginResult"]["InterfaceGuid"] = InterfaceGuid
event["_PluginResult"]["ProfileName"] = ProfileName
event["_PluginResult"]["SSID"] = SSID
event["_PluginResult"]["BSSType"] = BSSType
data.append(event)
return rapidjson.dumps(data)