def ajax_cd_recording_detail_events(self): filtered = list( filter( lambda x: "cdrom" == x.get("System", {}).get("Provider", {}) .get("@Name", None) and (x.get("System", {}).get( "EventID", {}).get("#text", None) == "133"), self.events.values())) data = [] # 정렬해야함 filtered = sort_by_timecreated(filtered, reverse=False) for event in filtered: event["_PluginResult"] = {} EventID = event.get("System", {}).get("EventID", {}).get("#text", None) # 방화벽 켜기/끄기 if EventID == "133": Device = event.get("EventData", {}).get("Data", []).get("#text", None) event["_PluginResult"]["Device"] = Device data.append(event) return rapidjson.dumps(data)
def ajax_firewall_status_events(self): filtered = list(filter( lambda x: "Microsoft-Windows-Windows Firewall With Advanced Security" == x.get("System", {}).get("Provider",{}).get("@Name", None) and ( x.get("System", {}).get("EventID", {}).get("#text", None) in ("2003", "2010")) , self.events.values() )) # 방화벽 현재 상태 (온/오프) # 현재 프로필 network_profile_dict = {} network_profile_dict["2"] = "Disconnected" network_profile_dict["4"] = "Disconnected" firewall_result = [] firewall_private_status = "" firewall_public_status = "" firewall_domain_status = "" # 정렬해야함 filtered = sort_by_timecreated(filtered, reverse=False) for event in filtered: EventID = event.get("System", {}).get("EventID", {}).get("#text", None) if EventID == "2003": SettingValue = event.get("EventData", {}).get("Data", [])[3].get("#text", None) Profile = event.get("EventData", {}).get("Data", [])[0].get("#text", None) if Profile == "1": firewall_domain_status = SettingValue elif Profile == "2": firewall_private_status = SettingValue elif Profile == "4": firewall_public_status = SettingValue if EventID == "2010": OldProfile = event.get("EventData", {}).get("Data", [])[2].get("#text", None) NewProfile = event.get("EventData", {}).get("Data", [])[3].get("#text", None) InterfaceName = event.get("EventData", {}).get("Data", [])[1].get("#text", None) if OldProfile == "2": network_profile_dict["2"] = InterfaceName elif OldProfile == "4": network_profile_dict["4"] = InterfaceName # print (network_profile_dict) # 현재 프로파일 # firewall = {} # firewall["current_profile"] = current_profile # firewall["firewall_domain_status"] = firewall_domain_status # firewall["firewall_private_status"] = firewall_private_status # firewall["firewall_public_status"] = firewall_public_status # # firewall_result.append(firewall) # 딕셔너리를 리스트 형태로 변환하고 반환 profile_list = [] for key, value in network_profile_dict.items(): profile_list.append(value) firewall_result.append(profile_list) firewall_result.append(firewall_domain_status) firewall_result.append(firewall_private_status) firewall_result.append(firewall_public_status) return rapidjson.dumps(firewall_result)
def ajax_firewall_list_events(self): # 예외 포트 현재 상태 filtered = list(filter( lambda x: "Microsoft-Windows-Windows Firewall With Advanced Security" == x.get("System", {}).get("Provider", {}).get("@Name", None) and (x.get("System", {}).get("EventID", {}).get("#text", None) in ("2004", "2005", "2006")) , self.events.values() )) firewall_dict = {} filtered = sort_by_timecreated(filtered, reverse=False) for event in filtered: EventID = event.get("System", {}).get("EventID", {}).get("#text", None) # 룰 생성, 변경 if EventID == "2004" or EventID == "2005": RuleID = event.get("EventData", {}).get("Data", [])[0].get("#text", None) RuleName = event.get("EventData", {}).get("Data", [])[1].get("#text", None) ApplicationPath = event.get("EventData", {}).get("Data", [])[3].get("#text", "*") Direction = event.get("EventData", {}).get("Data", [])[5].get("#text", None) Protocol = event.get("EventData", {}).get("Data", [])[6].get("#text", None) LocalPorts = event.get("EventData", {}).get("Data", [])[7].get("#text", "*") RemotePorts = event.get("EventData", {}).get("Data", [])[8].get("#text", "*") Action = event.get("EventData", {}).get("Data", [])[9].get("#text", None) LocalAddresses = event.get("EventData", {}).get("Data", [])[11].get("#text", "*") RemoteAddresses = event.get("EventData", {}).get("Data", [])[12].get("#text", "*") Active = event.get("EventData", {}).get("Data", [])[17].get("#text", None) ModifyingApplication = event.get("EventData", {}).get("Data", [])[22].get("#text", None) # 이름, 프로필, 작업, 방향, 프로그램, 로컬주소, 로컬포트, 원격주소, 원격포트 rule = {} if dic_Action.get(Action) == "허용" : if Active == "1" : RuleName = "<img src='./static/images/Firewall_allow_enable.png' /> " + RuleName else : RuleName = "<img src='./static/images/Firewall_allow_disable.png' /> " + RuleName elif dic_Action.get(Action) == "거부": if Active == "1" : RuleName = "<img src='./static/images/Firewall_deny_enable.png' /> " + RuleName else : RuleName = "<img src='./static/images/Firewall_deny_disable.png' /> " + RuleName rule["RuleName"] = RuleName rule["ApplicationPath"] = ApplicationPath.replace("*", "모두") rule["Action"] = dic_Action.get(Action) rule["Direction"] = dic_Direction.get(Direction) rule["Protocol"] = dic_Protocol.get(Protocol) rule["LocalAddresses"] = LocalAddresses.replace("*", "모두") rule["RemoteAddresses"] = RemoteAddresses.replace("*", "모두") rule["LocalPorts"] = LocalPorts.replace("*", "모두") rule["RemotePorts"] = RemotePorts.replace("*", "모두") #rule.append(rule_data) firewall_dict[RuleID] = rule # 룰 삭제 if EventID == "2006": RuleID = event.get("EventData", {}).get("Data", [])[0].get("#text", None) try : del firewall_dict[RuleID] except : # 기존 룰추가 로그가 지워져 사전에 없는경우 예외 발생 pass # 딕셔너리를 리스트 형태로 변환하고 반환 firewall_list = [] for key, value in firewall_dict.items(): firewall_list.append(value) return rapidjson.dumps(firewall_list)
def ajax_dashboard_events(self): filtered = list(filter( lambda x: ("Microsoft-Windows-UserPnp" == x.get("System", {}).get("Provider", {}).get("@Name", None) and (x.get("System", {}).get("EventID", {}).get("#text", None) == "20001")) or ("Microsoft-Windows-DriverFrameworks-UserMode" == x.get("System", {}).get("Provider", {}).get("@Name", None) and (x.get("System", {}).get("EventID", {}).get("#text", None) == "10000")) or ("Microsoft-Windows-DriverFrameworks-UserMode" == x.get("System", {}).get("Provider", {}).get("@Name", None) and (x.get("System", {}).get("EventID", {}).get("#text", None) in ("2101", "2102")) or ("Microsoft-Windows-Security-Auditing" == x.get("System", {}).get("Provider", {}).get("@Name", None) and (x.get("System", {}).get("EventID", {}).get("#text", None) =="4624") and "User32" == x.get("EventData", {}).get("Data", [])[9].get("#text", None)) or ("Microsoft-Windows-Partition" == x.get("System", {}).get("Provider", {}).get("@Name", None) and (x.get("System", {}).get("EventID", {}).get("#text", None) == "1006"))) , self.events.values() )) ##################################### # 사용자 로그온 리스트 ##################################### user_logon_history = [] for event in filtered: EventID = event.get("System", {}).get("EventID", {}).get("#text", None) if EventID == "4624" : user_data = [] # time, Name local_time = event.get("_Metadata", {}).get("LocalTimeCreated", None) TargetUserName = event.get("EventData", {}).get("Data", [])[5].get("#text", None) user_data.append(TargetUserName) user_data.append(local_time) user_logon_history.append(user_data) # 시간 내림차순으로정렬 user_logon_history = sorted(user_logon_history, key=operator.itemgetter(1), reverse=True) ##################################### # win10 파티션 정보 리스트 ##################################### # 중복제거용 seen = set() partition_list = [] for event in filtered: EventID = event.get("System", {}).get("EventID", {}).get("#text", None) if EventID == "1006": # usbinfo partition_data = [] Capacity = event.get("EventData", {}).get("Data", [])[9].get("#text", None) if Capacity == "0" : continue vendor = event.get("EventData", {}).get("Data", [])[11].get("#text", "") product = event.get("EventData", {}).get("Data", [])[12].get("#text", "") serial = event.get("EventData", {}).get("Data", [])[14].get("#text", None) registryid = event.get("EventData", {}).get("Data", [])[21].get("#text", None) registryid = registryid.replace("{", "").replace("}", "") if serial not in seen: partition_data.append(Capacity) partition_data.append(vendor) partition_data.append(product) partition_data.append(serial) partition_data.append(registryid) partition_list.append(partition_data) seen.add(serial) ##################################### # USB 연결 히스토리 ##################################### filtered = sort_by_timecreated(filtered, reverse=False) usb_connect_history = [] # 중복제거용 seen = set() for event in filtered: EventID = event.get("System", {}).get("EventID", {}).get("#text", None) if EventID == "2101" or EventID == "2102": # 날짜, 구분(연결/해제), 장치명, 시리얼번호, 사용자 # 동일한 이벤트가 두세번씩 나오기때문에 리스트에 시간, 시리얼, 이벤트번호가 동일한 값이 있는 경우 스킵 usb_connect = [] DeviceInstanceID = event.get("UserData", {}).get("UMDFHostDeviceRequest", {}).get("@instance", None) if DeviceInstanceID == None : DeviceInstanceID = event.get("UserData", {}).get("UMDFHostDeviceRequest", {}).get("InstanceId", {}).get("#text", None) if DeviceInstanceID.startswith("WPDBUSENUMROOT") or DeviceInstanceID.startswith("SWD") or DeviceInstanceID.startswith("USB"): usb_local_time = event.get("_Metadata", {}).get("LocalTimeCreated", None) parsed_date = dateutil.parser.parse(usb_local_time) minor = event.get("UserData", {}).get("UMDFHostDeviceRequest", {}).get("Request", {}).get("@minor", None) if minor == None : minor = event.get("UserData", {}).get("UMDFHostDeviceRequest", {}).get("RequestMinorCode", {}).get("#text", None) time_string = "%d-%02d-%02d %02d:%02d:%02d" % (parsed_date.year, parsed_date.month, parsed_date.day, parsed_date.hour, parsed_date.minute, parsed_date.second) # minor 값을 확인하여 중복 방지 # 2101 : 20 # 2102 : 2 if EventID == "2101" and minor == "20": usbinfo = self.get_usbinfo(DeviceInstanceID) usb_connect.append(time_string) usb_connect.append("<span class=\"label label-primary\">연결</span>") usb_connect.append(EventID) vendor = usbinfo[0] product = usbinfo[1] serial = usbinfo[2] #(win10 해당됨) 시리얼과 파티션 테이블의 레지스트리 아이디가 같으면 해당 정보로 변경 for partition_data in partition_list : if (serial == partition_data[3]) or (serial == partition_data[4]): vendor = partition_data[1] product = partition_data[2] serial = partition_data[3] break usb_connect.append(vendor) usb_connect.append(product) usb_connect.append(serial) usb_connect.append(usbinfo[3]) # USB 사용자 확인, user_logon_history 는 내림차순 정렬되어 있음 usb_user_name = "알수없음" for history in user_logon_history: user_name = history[0] user_logon_time = history[1] # 최근 사용자 확인 if user_logon_time < usb_local_time: usb_user_name = user_name break usb_connect.append(usb_user_name) usb_connect.append(False) # 히스토리 참조여부 usb_connect_history.append(usb_connect) elif EventID == "2102" and (minor == "2" or minor == "3"): usbinfo = self.get_usbinfo(DeviceInstanceID) usb_connect.append(time_string) usb_connect.append("<span class=\"label label-danger\">해제</span>") usb_connect.append(EventID) vendor = usbinfo[0] product = usbinfo[1] serial = usbinfo[2] # (win10 해당됨) 시리얼과 파티션 테이블의 레지스트리 아이디가 같으면 해당 정보로 변경 for partition_data in partition_list: if (serial == partition_data[3]) or (serial == partition_data[4]): vendor = partition_data[1] product = partition_data[2] serial = partition_data[3] break usb_connect.append(vendor) usb_connect.append(product) usb_connect.append(serial) usb_connect.append(usbinfo[3]) # USB 사용자 확인, user_logon_history 는 내림차순 정렬되어 있음 usb_user_name = "알수없음" for history in user_logon_history: user_name = history[0] user_logon_time = history[1] # 최근 사용자 확인 if user_logon_time < usb_local_time: usb_user_name = user_name break usb_connect.append(usb_user_name) usb_connect.append(False) # 히스토리 참조여부 usb_connect_history.append(usb_connect) # win 10 에서 2101, 2102 가 없는 경우 비활성화되어 히스토리가 수집이 안되있음 # 그런경우 정확하진 않지만 차선으로 partition 에서 히스토리 수집 if len(usb_connect_history) == 0 : for event in filtered: EventID = event.get("System", {}).get("EventID", {}).get("#text", None) if EventID == "1006" : usb_connect = [] Capacity = event.get("EventData", {}).get("Data", [])[9].get("#text", None) usb_local_time = event.get("_Metadata", {}).get("LocalTimeCreated", None) parsed_date = dateutil.parser.parse(usb_local_time) time_string = "%d-%02d-%02d %02d:%02d:%02d" % ( parsed_date.year, parsed_date.month, parsed_date.day, parsed_date.hour, parsed_date.minute, parsed_date.second) # usbinfo vendor = event.get("EventData", {}).get("Data", [])[11].get("#text", None) product = event.get("EventData", {}).get("Data", [])[12].get("#text", None) serial = event.get("EventData", {}).get("Data", [])[14].get("#text", None) # 용량이 0 인경우 해제 if Capacity == "0" : # disconnect usb_connect.append(time_string) usb_connect.append("<span class=\"label label-danger\">해제</span>") usb_connect.append(EventID) usb_connect.append(vendor) usb_connect.append(product) usb_connect.append(serial) usb_connect.append("unknown") # USB 사용자 확인, user_logon_history 는 내림차순 정렬되어 있음 usb_user_name = "알수없음" for history in user_logon_history: user_name = history[0] user_logon_time = history[1] # 최근 사용자 확인 if user_logon_time < usb_local_time: usb_user_name = user_name break usb_connect.append(usb_user_name) usb_connect.append(False) # 히스토리 참조여부 usb_connect_history.append(usb_connect) else : # connect usb_connect.append(time_string) usb_connect.append("<span class=\"label label-primary\">연결</span>") usb_connect.append(EventID) usb_connect.append(vendor) usb_connect.append(product) usb_connect.append(serial) usb_connect.append("unknown") # USB 사용자 확인, user_logon_history 는 내림차순 정렬되어 있음 usb_user_name = "알수없음" for history in user_logon_history: user_name = history[0] user_logon_time = history[1] # 최근 사용자 확인 if user_logon_time < usb_local_time: usb_user_name = user_name break usb_connect.append(usb_user_name) usb_connect.append(False) # 히스토리 참조여부 usb_connect_history.append(usb_connect) ##################################### # MTP 장치 목록 가져오기 ##################################### mtp_list = [] external_device_list = [] for event in filtered: # DriverName == wpdmtp.inf # MTP 장치 구분 EventID = event.get("System", {}).get("EventID", {}).get("#text", None) if EventID == "20001": DeviceInstanceID = event.get("UserData", {}).get("InstallDeviceID", {}).get("DeviceInstanceID", {}).get("#text", None) DriverName = event.get("UserData", {}).get("InstallDeviceID", {}).get("DriverName", {}).get("#text",None) # USB\VID_04E8&PID_6860\0B15038F14190B8E # mtp 드라이버만 if DriverName.find("wpdmtp.inf") != -1: usbinfo = self.get_usbinfo(DeviceInstanceID) mtp_list.append(usbinfo[2]) ##################################### # 10000번 기반(최초사용) USB 리스트뷰 작성 # Win10 에서 외장하드는 registryid 형태로 남기 때문에 partition 정보가 있는 경우 해당 테이블에서 시리얼 정보 참조 ##################################### usb_connect_info = [] seen = set() for event in filtered: EventID = event.get("System", {}).get("EventID", {}).get("#text", None) if EventID == "10000" : DeviceInstanceID = event.get("UserData", {}).get("UMDFDeviceInstallBegin", {}).get("DeviceId", {}).get("#text", None) if DeviceInstanceID.startswith("WPDBUSENUMROOT") or DeviceInstanceID.startswith("SWD") or DeviceInstanceID.startswith("USB") : # WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_BIZET&PROD_SECUYOUSB&REV_1100#650402230001179621 # USB\VID_04E8&PID_6860\5210EFA66404B3F5 usbinfo = self.get_usbinfo(DeviceInstanceID) vendor = usbinfo[0] product = usbinfo[1] serial = usbinfo[2] type = usbinfo[3] capacity = "" # (win10 해당됨) 시리얼과 파티션 테이블의 레지스트리 아이디가 같으면 해당 정보로 변경 for partition_data in partition_list: if serial == partition_data[3] or serial == partition_data[4]: vendor = partition_data[1] product = partition_data[2] serial = partition_data[3] capacity = self.convert_capacity(partition_data[0]) break if serial not in seen: usb_local_time = event.get("_Metadata", {}).get("LocalTimeCreated", None) parsed_date = dateutil.parser.parse(usb_local_time) time_string = "%d-%02d-%02d %02d:%02d:%02d" % (parsed_date.year, parsed_date.month, parsed_date.day, parsed_date.hour, parsed_date.minute,parsed_date.second) usb_connect = {} usb_connect["FirstDate"] = time_string usb_connect["Vendor"] = vendor usb_connect["Product"] = product usb_connect["Serial"] = serial usb_connect["Type"] = type usb_connect["Capacity"] = capacity usb_connect["Etc"] = "" # MTP 장치 여부 확인 for mtp in mtp_list : if usbinfo[2] == mtp : usb_connect["Etc"] = "MTP" # USB 사용자 확인, user_logon_history 는 내림차순 정렬되어 있음 usb_user_name = "알수없음" for history in user_logon_history: user_name = history[0] user_logon_time = history[1] # 최근 사용자 확인 if user_logon_time < usb_local_time : usb_user_name = user_name break usb_connect["User"] = usb_user_name # 연결 히스토리 확인 sub_usb_connect = [] # 10000 번 이벤트 리스트에 없는 경우 따로 분류후 리스팅 last_date = "" i = 0 for usb_connect_history_data in usb_connect_history : # 시리얼 번호가 같은경우 if usb_connect_history_data[5] == serial : # 참조된것 체크, 참조안된건 따로 리스트업 usb_connect_history[i][8] = True sub_usb_connect_data = {} sub_usb_connect_data["Sub_Date"] = usb_connect_history_data[0] sub_usb_connect_data["Sub_Gubun"] = usb_connect_history_data[1] sub_usb_connect_data["Sub_EventID"] = usb_connect_history_data[2] sub_usb_connect_data["Sub_Vendor"] = usb_connect_history_data[3] sub_usb_connect_data["Sub_Product"] = usb_connect_history_data[4] sub_usb_connect_data["Sub_Serial"] = usb_connect_history_data[5] sub_usb_connect_data["Sub_User"] = usb_connect_history_data[7] sub_usb_connect.append(sub_usb_connect_data) last_date = usb_connect_history_data[0] i += 1 usb_connect["LastDate"] = last_date usb_connect["nested"] = sub_usb_connect usb_connect_info.append(usb_connect) seen.add(serial) ##################################### # 외장디스크는 20001번만 발생하고 10000번은 발생하지 않음 (Win 7) # Win 10은 10000번, 20001번 구분 불필요 ##################################### for event in filtered: EventID = event.get("System", {}).get("EventID", {}).get("#text", None) if EventID == "20001" : DriverName = event.get("UserData", {}).get("InstallDeviceID", {}).get("DriverName", {}).get("#text",None) DeviceInstanceID = event.get("UserData", {}).get("InstallDeviceID", {}).get("DeviceInstanceID", {}).get("#text", None) # Win 7 Only if DriverName.find("disk.inf") != -1 and DeviceInstanceID[:7] == "USBSTOR": usbinfo = self.get_usbinfo(DeviceInstanceID) vendor = usbinfo[0] product = usbinfo[1] serial = usbinfo[2] type = usbinfo[3] capacity = "" # (win10 해당됨) 시리얼과 파티션 테이블의 레지스트리 아이디가 같으면 해당 정보로 변경 for partition_data in partition_list: if serial == partition_data[3] or serial == partition_data[4]: vendor = partition_data[1] product = partition_data[2] serial = partition_data[3] capacity = self.convert_capacity(partition_data[0]) break # seen list 에 없으면 외장hdd 추정 if serial not in seen: usb_local_time = event.get("_Metadata", {}).get("LocalTimeCreated", None) parsed_date = dateutil.parser.parse(usb_local_time) time_string = "%d-%02d-%02d %02d:%02d:%02d" % ( parsed_date.year, parsed_date.month, parsed_date.day, parsed_date.hour, parsed_date.minute, parsed_date.second) usb_connect = {} usb_connect["FirstDate"] = time_string usb_connect["Vendor"] = vendor usb_connect["Product"] = product usb_connect["Serial"] = serial usb_connect["Type"] = type usb_connect["LastDate"] = "알수없음" usb_connect["Capacity"] = capacity usb_connect["Etc"] = "" usb_connect["nested"] = [] # USB 사용자 확인, user_logon_history 는 내림차순 정렬되어 있음 usb_user_name = "알수없음" for history in user_logon_history: user_name = history[0] user_logon_time = history[1] # 최근 사용자 확인 if user_logon_time < usb_local_time: usb_user_name = user_name break usb_connect["User"] = usb_user_name usb_connect_info.append(usb_connect) #################################################################### # 10000 번 이벤트가 없어서 2101, 2012 연결정보가 참조 안된경우 따로 리스트업 #################################################################### extra_usb_connect_info = [] seen = set() for usb_connect_history_data in usb_connect_history: if usb_connect_history_data[8] == False: if usb_connect_history_data[5] not in seen: usb_connect = {} usb_connect["Date"] = "" extra_usb_connect = [] extra_usb_connect.append(usb_connect_history_data[3]) extra_usb_connect.append(usb_connect_history_data[4]) extra_usb_connect.append(usb_connect_history_data[5]) extra_usb_connect.append(usb_connect_history_data[6]) # MTP 장치 여부 확인 is_mtp = "" for mtp in mtp_list: if usb_connect_history_data[5] == mtp: is_mtp = "MTP" extra_usb_connect.append(is_mtp) extra_usb_connect_info.append(extra_usb_connect) seen.add(usb_connect_history_data[5]) for extra_usb_connect in extra_usb_connect_info: usb_connect = {} vendor = extra_usb_connect[0] product = extra_usb_connect[1] serial = extra_usb_connect[2] type = extra_usb_connect[3] # (win10 해당됨) 시리얼과 파티션 테이블의 레지스트리 아이디가 같으면 해당 정보로 변경 capacity = "" for partition_data in partition_list: if extra_usb_connect[2] == partition_data[3] or extra_usb_connect[2] == partition_data[4]: vendor = partition_data[1] product = partition_data[2] serial = partition_data[3] capacity = self.convert_capacity(partition_data[0]) break usb_connect["FirstDate"] = "알수없음" usb_connect["Vendor"] = vendor usb_connect["Product"] = product usb_connect["Serial"] = serial usb_connect["Type"] = type usb_connect["Capacity"] = capacity usb_connect["Etc"] = extra_usb_connect[4] usb_user_name = "알수없음" usb_connect["User"] = usb_user_name sub_usb_connect = [] for usb_connect_history_data in usb_connect_history : # 시리얼 번호가 같은경우 if usb_connect_history_data[5] == extra_usb_connect[2] : sub_usb_connect_data = {} sub_usb_connect_data["Sub_Date"] = usb_connect_history_data[0] sub_usb_connect_data["Sub_Gubun"] = usb_connect_history_data[1] sub_usb_connect_data["Sub_EventID"] = usb_connect_history_data[2] sub_usb_connect_data["Sub_Vendor"] = usb_connect_history_data[3] sub_usb_connect_data["Sub_Product"] = usb_connect_history_data[4] sub_usb_connect_data["Sub_Serial"] = usb_connect_history_data[5] sub_usb_connect_data["Sub_User"] = usb_connect_history_data[7] sub_usb_connect.append(sub_usb_connect_data) last_date = usb_connect_history_data[0] usb_connect["nested"] = sub_usb_connect usb_connect["LastDate"] = last_date usb_connect_info.append(usb_connect) return rapidjson.dumps(usb_connect_info)
def _get_security_auditing_data(self): filtered = list( filter( lambda event: ("Microsoft-Windows-Security-Auditing" == event.get( "System", {}).get("Provider", {}).get("@Name", None) and (event.get("System", {}).get("EventID", {}).get( "#text", None) in ("4688", "4689"))), self.events.values())) filtered = sort_by_timecreated(filtered, reverse=False) _running_processes = dict() for event in filtered: event["_PluginOutput"] = {} event_id = event.get("System", {}).get("EventID", {}).get("#text", None) data_tags = event["EventData"]["Data"] unknown_seen = 0 for data_tag in data_tags: if "@Name" in data_tag: event["_PluginOutput"][data_tag["@Name"]] = data_tag.get( "#text", "") else: event["_PluginOutput"]["unknown_%d" % unknown_seen] = data_tag.get( "#text", "") unknown_seen = unknown_seen + 1 for k in ("NewProcessId", "ProcessId", "SubjectLogonId", "TargetLogonId"): if k in event["_PluginOutput"]: event["_PluginOutput"]["%s_Numeric" % k] = int( event["_PluginOutput"][k], 16) # 아래는 서로 다른 이벤트여도 같은 컬럼에 표시하기 위한 약간의 보정임. if "4689" == event_id: event["_PluginOutput"]["NewProcessName"] = event[ "_PluginOutput"]["ProcessName"] event["_PluginOutput"]["NewProcessId"] = event[ "_PluginOutput"]["ProcessId"] event["_PluginOutput"]["NewProcessId_Numeric"] = event[ "_PluginOutput"]["ProcessId_Numeric"] # 아래 프로세스는 윈도우 7 환경에서 프로세스 이름을 구하기 위한 코드 보정 computer_name = event.get("System", {}).get("Computer", {}).get("#text", None) if ("4688" == event_id) and ("ParentProcessName" not in event["EventData"]["Data"]): created_process_id = event.get("_PluginOutput", {}).get("NewProcessId", None) created_process_key = (computer_name, created_process_id) parent_process_id = event.get("_PluginOutput", {}).get("ProcessId", None) parent_process_key = (computer_name, parent_process_id) _running_processes[created_process_key] = event event["_PluginOutput"][ "ParentProcessName"] = _running_processes.get( parent_process_key, {}).get("_PluginOutput", {}).get("NewProcessName", None) elif "4689" == event_id: destroyed_process_id = event.get("_PluginOutput", {}).get("ProcessId", None) destroyed_process_key = (computer_name, destroyed_process_id) process_creation_event = None if destroyed_process_key in _running_processes: process_creation_event = _running_processes.pop( destroyed_process_key) if process_creation_event and ("ParentProcessName" not in event["_PluginOutput"]): event["_PluginOutput"][ "ParentProcessName"] = process_creation_event.get( "_PluginOutput", {}).get("ParentProcessName", None) return filtered
def ajax_account_list_events(self): filtered = list( filter( lambda x: "Microsoft-Windows-Security-Auditing" == x.get( "System", {}).get("Provider", {}).get("@Name", None) and (x.get("System", {}).get("EventID", {}).get("#text", None) in ("4624", "4720", "4722", "4738", "4724", "4732", "4733", "4733", "4729", "4726", "4731", "4735", "4734")), self.events.values())) account_dict = {} filtered = sort_by_timecreated(filtered, reverse=False) for event in filtered: EventID = event.get("System", {}).get("EventID", {}).get("#text", None) local_time = event.get("_Metadata", {}).get("LocalTimeCreated", None) parsed_date = dateutil.parser.parse(local_time) time_string = "%d-%02d-%02d %02d:%02d:%02d" % ( parsed_date.year, parsed_date.month, parsed_date.day, parsed_date.hour, parsed_date.minute, parsed_date.second) # 계정 생성 if EventID == "4720": TargetSid = event.get("EventData", {}).get("Data", [])[2].get("#text", None) TargetUserName = event.get("EventData", {}).get("Data", [])[0].get("#text", None) TargetDomainName = event.get("EventData", {}).get("Data", [])[1].get("#text", None) # 이름, 프로필, 작업, 방향, 프로그램, 로컬주소, 로컬포트, 원격주소, 원격포트 try: account = account_dict[TargetSid] except: account = {} for default_key in ("CreateDate", "TargetUserName", "TargetDomainName", "PasswordChangeDate", "RecentLogonDate", "IsDeleted", "DeleteDate"): account[default_key] = None account["CreateDate"] = time_string account["TargetUserName"] = TargetUserName account["TargetDomainName"] = TargetDomainName account_dict[TargetSid] = account # print (account_dict) # 계정 패스워드 변경 elif EventID == "4724": TargetSid = event.get("EventData", {}).get("Data", [])[2].get("#text", None) TargetUserName = event.get("EventData", {}).get("Data", [])[0].get("#text", None) TargetDomainName = event.get("EventData", {}).get("Data", [])[1].get("#text", None) try: account = account_dict[TargetSid] except: account = {} for default_key in ("CreateDate", "TargetUserName", "TargetDomainName", "PasswordChangeDate", "RecentLogonDate", "IsDeleted", "DeleteDate"): account[default_key] = None account["PasswordChangeDate"] = time_string account["TargetUserName"] = TargetUserName account["TargetDomainName"] = TargetDomainName account_dict[TargetSid] = account # 계정 삭제 elif EventID == "4726": TargetSid = event.get("EventData", {}).get("Data", [])[2].get("#text", None) TargetUserName = event.get("EventData", {}).get("Data", [])[0].get("#text", None) TargetDomainName = event.get("EventData", {}).get("Data", [])[1].get("#text", None) try: account = account_dict[TargetSid] except: account = {} for default_key in ("CreateDate", "TargetUserName", "TargetDomainName", "PasswordChangeDate", "RecentLogonDate", "IsDeleted", "DeleteDate"): account[default_key] = None account["TargetUserName"] = TargetUserName account["TargetDomainName"] = TargetDomainName account["IsDeleted"] = "O" account["DeleteDate"] = time_string account_dict[TargetSid] = account # 계정 로그인 일자 elif EventID == "4624": LogonProcessName = event.get("EventData", {}).get("Data", [])[9].get("#text", None) if LogonProcessName.find( "User32") != -1 or LogonProcessName.find( "NtLmSsp") != -1: TargetSid = event.get("EventData", {}).get("Data", [])[4].get("#text", None) logon_type = event.get("EventData", {}).get("Data", [])[8].get("#text", None) # 계정 생성 이벤트가 지워져서 없는 경우 try: account = account_dict[TargetSid] except: TargetUserName = event.get("EventData", {}).get( "Data", [])[5].get("#text", None) TargetDomainName = event.get("EventData", {}).get( "Data", [])[6].get("#text", None) account = {} for default_key in ("CreateDate", "TargetUserName", "TargetDomainName", "PasswordChangeDate", "RecentLogonDate", "IsDeleted", "DeleteDate"): account[default_key] = None account["TargetUserName"] = TargetUserName account["TargetDomainName"] = TargetDomainName if logon_type == "2": account["RecentLogonDate"] = time_string + "(로컬)" account_dict[TargetSid] = account elif logon_type == "3" and TargetUserName != "ANONYMOUS LOGON": account["RecentLogonDate"] = time_string + "(네트워크)" account_dict[TargetSid] = account elif logon_type == "10": account["RecentLogonDate"] = time_string + "(원격)" account_dict[TargetSid] = account # 딕셔너리를 리스트 형태로 변환하고 반환 account_list = [] for key, value in account_dict.items(): account_list.append(value) return rapidjson.dumps(account_list)
def ajax_wireless_dashboard_events(self): filtered = list( filter( lambda x: "Microsoft-Windows-WLAN-AutoConfig" == x.get( "System", {}).get("Provider", {}).get("@Name", None) and (x.get("System", {}).get("EventID", {}).get("#text", None) in ("8000", "8001", "8002", "8003")), self.events.values())) wireless_graph_dict = {} wireless_list_dict = {} # 정렬해야함 filtered = sort_by_timecreated(filtered, reverse=False) for event in filtered: EventID = event.get("System", {}).get("EventID", {}).get("#text", None) local_time = event.get("_Metadata", {}).get("LocalTimeCreated", None) parsed_date = dateutil.parser.parse(local_time) time_string = "%d-%02d-%02d %02d:%02d:%02d" % ( parsed_date.year, parsed_date.month, parsed_date.day, parsed_date.hour, parsed_date.minute, parsed_date.second) if EventID == "8001": InterfaceGuid = event.get("EventData", {}).get("Data", [])[0].get("#text", None) SSID = event.get("EventData", {}).get("Data", [])[4].get("#text", None) BSSID = event.get("EventData", {}).get("Data", [])[6].get("#text", None) PHYType = event.get("EventData", {}).get("Data", [])[7].get("#text", None) AuthenticationAlgorithm = event.get("EventData", {}).get( "Data", [])[8].get("#text", None) CipherAlgorithm = event.get("EventData", {}).get("Data", [])[9].get("#text", None) ap_name = "%s" % (SSID) try: count = wireless_graph_dict[ap_name] wireless = wireless_list_dict[InterfaceGuid] except: count = 0 wireless = {} wireless_graph_dict[ap_name] = count + 1 wireless["RecentDate"] = time_string wireless["SSID"] = SSID wireless["BSSID"] = BSSID wireless["EventID"] = EventID wireless["PHYType"] = PHYType wireless["AuthenticationAlgorithm"] = AuthenticationAlgorithm wireless["CipherAlgorithm"] = CipherAlgorithm wireless_list_dict[InterfaceGuid] = wireless elif EventID == "8002": InterfaceGuid = event.get("EventData", {}).get("Data", [])[0].get("#text", None) SSID = event.get("EventData", {}).get("Data", [])[4].get("#text", None) try: wireless = wireless_list_dict[InterfaceGuid] except: wireless = {} wireless["RecentDate"] = time_string wireless["SSID"] = SSID wireless["EventID"] = EventID wireless_list_dict[InterfaceGuid] = wireless wireless_graph_data = [] for key, value in wireless_graph_dict.items(): wireless = [] wireless.append(key) wireless.append(value) wireless_graph_data.append(wireless) wireless_list_data = [] for key, value in wireless_list_dict.items(): wireless_list_data.append(value) wireless_data = [] wireless_data.append(wireless_graph_data) wireless_data.append(wireless_list_data) return rapidjson.dumps(wireless_data)
def ajax_wireless_detail_events(self): filtered = list( filter( lambda x: "Microsoft-Windows-WLAN-AutoConfig" == x.get( "System", {}).get("Provider", {}).get("@Name", None) and (x.get("System", {}).get("EventID", {}).get("#text", None) in ("8000", "8001", "8002", "8003")), self.events.values())) # 8000 서비스가 연결 시작 # 8001 무선랜 연결 성공 # 8002 무선랜 연결 실패 # 8003 무선랜 연결 끊어짐 # 11001 무선 네트워크 연결 성공 # 10000 연결 시작 # 11001 연결 성공 # 11010 무선보안 시작 # 11005 무선랜 보안 성공 data = [] # 정렬해야함 filtered = sort_by_timecreated(filtered, reverse=False) for event in filtered: EventID = event.get("System", {}).get("EventID", {}).get("#text", None) if EventID == "8000": InterfaceGuid = event.get("EventData", {}).get("Data", [])[0].get("#text", None) ProfileName = event.get("EventData", {}).get("Data", [])[3].get("#text", None) SSID = event.get("EventData", {}).get("Data", [])[4].get("#text", None) BSSType = event.get("EventData", {}).get("Data", [])[5].get("#text", None) event["_PluginResult"] = {} event["_PluginResult"]["InterfaceGuid"] = InterfaceGuid event["_PluginResult"]["ProfileName"] = ProfileName event["_PluginResult"]["SSID"] = SSID event["_PluginResult"]["BSSType"] = BSSType data.append(event) elif EventID == "8001": InterfaceGuid = event.get("EventData", {}).get("Data", [])[0].get("#text", None) ProfileName = event.get("EventData", {}).get("Data", [])[3].get("#text", None) SSID = event.get("EventData", {}).get("Data", [])[4].get("#text", None) BSSType = event.get("EventData", {}).get("Data", [])[5].get("#text", None) BSSID = event.get("EventData", {}).get("Data", [])[6].get("#text", None) PHYType = event.get("EventData", {}).get("Data", [])[7].get("#text", None) AuthenticationAlgorithm = event.get("EventData", {}).get( "Data", [])[8].get("#text", None) CipherAlgorithm = event.get("EventData", {}).get("Data", [])[9].get("#text", None) event["_PluginResult"] = {} event["_PluginResult"]["InterfaceGuid"] = InterfaceGuid event["_PluginResult"]["ProfileName"] = ProfileName event["_PluginResult"]["SSID"] = SSID event["_PluginResult"]["BSSType"] = BSSType event["_PluginResult"]["BSSID"] = BSSID event["_PluginResult"]["PHYType"] = PHYType event["_PluginResult"][ "AuthenticationAlgorithm"] = AuthenticationAlgorithm event["_PluginResult"]["CipherAlgorithm"] = CipherAlgorithm data.append(event) elif EventID == "8002": InterfaceGuid = event.get("EventData", {}).get("Data", [])[0].get("#text", None) ProfileName = event.get("EventData", {}).get("Data", [])[3].get("#text", None) SSID = event.get("EventData", {}).get("Data", [])[4].get("#text", None) BSSType = event.get("EventData", {}).get("Data", [])[5].get("#text", None) event["_PluginResult"] = {} event["_PluginResult"]["InterfaceGuid"] = InterfaceGuid event["_PluginResult"]["ProfileName"] = ProfileName event["_PluginResult"]["SSID"] = SSID event["_PluginResult"]["BSSType"] = BSSType data.append(event) elif EventID == "8003": InterfaceGuid = event.get("EventData", {}).get("Data", [])[0].get("#text", None) ProfileName = event.get("EventData", {}).get("Data", [])[3].get("#text", None) SSID = event.get("EventData", {}).get("Data", [])[4].get("#text", None) BSSType = event.get("EventData", {}).get("Data", [])[5].get("#text", None) event["_PluginResult"] = {} event["_PluginResult"]["InterfaceGuid"] = InterfaceGuid event["_PluginResult"]["ProfileName"] = ProfileName event["_PluginResult"]["SSID"] = SSID event["_PluginResult"]["BSSType"] = BSSType data.append(event) return rapidjson.dumps(data)