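def run(self, idmef):
    """Correlate an alert into the per-(classification, source) "event sweep" context.

    An event sweep is one source address replaying the same classification
    against many distinct targets.  For every source address in the alert a
    context keyed on the classification text and that address is created or
    refreshed (``update=True`` — presumably re-arms the 60 s ``expire`` timer
    of an existing context; confirm against ``Context``).  The alert is only
    counted when it brings a target address the context has not recorded
    yet, so the threshold (30) counts distinct targets, not raw events.  When
    it trips, a high-severity "Eventsweep" correlation alert referencing every
    contributing alert is emitted and the context is destroyed.

    Args:
        idmef: the incoming IDMEF alert (project wrapper exposing ``Get``).

    Returns:
        None.  Alerts lacking a classification, a source address or a target
        address are ignored.
    """
    classification = idmef.Get("alert.classification.text")
    source = idmef.Get("alert.source(*).node.address(*).address")
    target = idmef.Get("alert.target(*).node.address(*).address")
    if not source or not target or not classification:
        return

    # Last analyzerid of the alert's analyzer chain.  Guarded so that an
    # alert without one cannot blow the rule up with TypeError/IndexError;
    # the alertident analyzerid is optional, so it is simply omitted.
    # NOTE(review): assumes Get() yields None or [] when absent — confirm.
    analyzerids = idmef.Get("alert.analyzer(*).analyzerid")
    last_analyzerid = analyzerids[-1] if analyzerids else None
    messageid = idmef.Get("alert.messageid")
    targets = set(target)

    for saddr in source:
        # "|" keeps the two key components apart.  Plain concatenation lets
        # distinct (classification, address) pairs alias one context, e.g.
        # "CVE-2021-44" + "1.2.3.4" == "CVE-2021-4" + "41.2.3.4", which
        # merges their counters and their recorded source/target lists.
        ctx = Context("SCAN_EVENTSWEEP_" + classification + "|" + saddr,
                      {"expire": 60, "threshold": 30}, update=True)

        # Only a new target advances the threshold: an alert whose targets
        # are all already recorded must not make a repeated event look like
        # a sweep.
        recorded = ctx.Get("alert.target(*).node.address(*).address")
        if recorded and targets.intersection(recorded):
            continue

        # Source/target are fetched per iteration, as in the original, in
        # case Set() takes ownership of the IDMEF sub-object.
        ctx.Set("alert.source(>>)", idmef.Get("alert.source"))
        ctx.Set("alert.target(>>)", idmef.Get("alert.target"))
        ctx.Set("alert.correlation_alert.alertident(>>).alertident", messageid)
        if last_analyzerid is not None:
            ctx.Set("alert.correlation_alert.alertident(-1).analyzerid", last_analyzerid)

        if ctx.CheckAndDecThreshold():
            ctx.Set("alert.correlation_alert.name", "A single host has played the same event against multiple targets. This may be a network scan for a specific vulnerability")
            ctx.Set("alert.classification.text", "Eventsweep")
            ctx.Set("alert.assessment.impact.severity", "high")
            ctx.alert()
            ctx.destroy()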
def run(self, idmef):
    """Count every alert coming from a source address and flag an "event storm".

    For each source address in the alert the context
    ``SCAN_EVENTSTORM_<address>`` is created or refreshed (``update=True`` —
    presumably re-arms the 120 s ``expire`` timer; confirm against
    ``Context``) and the alert is appended to it.  Once the threshold of 150
    is reached before the context expires, a high-severity "Eventstorm"
    correlation alert referencing all contributing alerts is emitted and the
    context is destroyed.

    Args:
        idmef: the incoming IDMEF alert (project wrapper exposing ``Get``).

    Returns:
        None.  Alerts with no source address are ignored.
    """
    addresses = idmef.Get("alert.source(*).node.address(*).address")
    if not addresses:
        return

    for addr in addresses:
        storm = Context("SCAN_EVENTSTORM_" + addr, {"expire": 120, "threshold": 150}, update=True)

        # Accumulate the alert so the correlation alert references
        # everything that contributed to it.
        storm.Set("alert.source(>>)", idmef.Get("alert.source"))
        storm.Set("alert.target(>>)", idmef.Get("alert.target"))
        storm.Set("alert.correlation_alert.alertident(>>).alertident", idmef.Get("alert.messageid"))
        # Last analyzerid of the alert's analyzer chain.
        # NOTE(review): raises TypeError/IndexError if the alert carries no
        # analyzerid — confirm the wrapper guarantees one.
        storm.Set("alert.correlation_alert.alertident(-1).analyzerid",
                  idmef.Get("alert.analyzer(*).analyzerid")[-1])

        if not storm.CheckAndDecThreshold():
            continue

        storm.Set("alert.correlation_alert.name", "A single host is producing an unusual amount of events")
        storm.Set("alert.classification.text", "Eventstorm")
        storm.Set("alert.assessment.impact.severity", "high")
        storm.alert()
        storm.destroy()
def _BruteUserForce(self, idmef):
    """Flag repeated login failures against a single user account.

    One context ``BRUTE_U_<username>`` is kept per target username (any
    source, any host).  It is created or refreshed (``update=True`` —
    presumably re-arms the 120 s ``expire`` timer; confirm against
    ``Context``) and the alert is appended.  When the threshold of 2 is
    reached, a high-severity "Brute force attack" correlation alert is
    emitted and the context is destroyed.

    This method does not inspect ``alert.assessment.impact.completion``
    itself; the caller is expected to pass only failed logins (NOTE(review):
    confirm — with a threshold of 2 every second event for a user fires).

    Args:
        idmef: the incoming IDMEF alert (project wrapper exposing ``Get``).

    Returns:
        None.  Alerts without a target username are ignored.
    """
    usernames = idmef.Get("alert.target(*).user.user_id(*).name")
    if not usernames:
        return

    for name in usernames:
        attempt = Context("BRUTE_U_" + name, {"expire": 120, "threshold": 2}, update=True)

        attempt.Set("alert.source(>>)", idmef.Get("alert.source"))
        attempt.Set("alert.target(>>)", idmef.Get("alert.target"))
        attempt.Set("alert.correlation_alert.alertident(>>).alertident", idmef.Get("alert.messageid"))
        # Last analyzerid of the alert's analyzer chain.
        # NOTE(review): raises if the alert carries no analyzerid — confirm
        # the wrapper guarantees one.
        attempt.Set("alert.correlation_alert.alertident(-1).analyzerid",
                    idmef.Get("alert.analyzer(*).analyzerid")[-1])

        if not attempt.CheckAndDecThreshold():
            continue

        attempt.Set("alert.classification.text", "Brute force attack")
        attempt.Set("alert.correlation_alert.name", "Multiple failed login")
        attempt.Set("alert.assessment.impact.severity", "high")
        attempt.Set("alert.assessment.impact.description", "Multiple failed attempts have been made to login to a user account")
        attempt.alert()
        attempt.destroy()
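def run(self, idmef):
    """Count alerts between one source and one target and flag an "event scan".

    For every (source address, target address) pair in the alert a context is
    created or refreshed (``update=True`` — presumably re-arms the 60 s
    ``expire`` timer; confirm against ``Context``) and the alert is appended.
    When the threshold of 30 is reached, a high-severity "Eventscan"
    correlation alert referencing all contributing alerts is emitted and the
    context is destroyed.

    Args:
        idmef: the incoming IDMEF alert (project wrapper exposing ``Get``).

    Returns:
        None.  Alerts lacking a source or a target address are ignored.
    """
    source = idmef.Get("alert.source(*).node.address(*).address")
    target = idmef.Get("alert.target(*).node.address(*).address")
    if not source or not target:
        return

    # Last analyzerid of the alert's analyzer chain, hoisted out of the loop.
    # Guarded so an alert without one cannot raise TypeError/IndexError out
    # of the rule; the alertident analyzerid is optional and simply omitted.
    # NOTE(review): assumes Get() yields None or [] when absent — confirm.
    analyzerids = idmef.Get("alert.analyzer(*).analyzerid")
    last_analyzerid = analyzerids[-1] if analyzerids else None
    messageid = idmef.Get("alert.messageid")

    for saddr in source:
        for daddr in target:
            # "|" keeps the two addresses apart.  Plain concatenation lets
            # distinct pairs alias one context — "10.0.0.1" + "10.0.0.2" and
            # "10.0.0.11" + "0.0.0.2" both spell "10.0.0.110.0.0.2" — so
            # unrelated traffic would share a counter and be misattributed.
            ctx = Context("SCAN_EVENTSCAN_" + saddr + "|" + daddr,
                          {"expire": 60, "threshold": 30}, update=True)

            ctx.Set("alert.correlation_alert.alertident(>>).alertident", messageid)
            if last_analyzerid is not None:
                ctx.Set("alert.correlation_alert.alertident(-1).analyzerid", last_analyzerid)
            # Fetched per iteration, as in the original, in case Set() takes
            # ownership of the IDMEF sub-object.
            ctx.Set("alert.source(>>)", idmef.Get("alert.source"))
            ctx.Set("alert.target(>>)", idmef.Get("alert.target"))

            if ctx.CheckAndDecThreshold():
                ctx.Set("alert.correlation_alert.name", "A single host has played many events against a single target. This may be a vulnerability scan")
                ctx.Set("alert.classification.text", "Eventscan")
                ctx.Set("alert.assessment.impact.severity", "high")
                ctx.alert()
                ctx.destroy()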
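def _BruteForce(self, idmef):
    """Flag repeated login failures from one source host against one target host.

    For every (source address, target address) pair a context is created or
    refreshed (``update=True`` — presumably re-arms the ``expire`` timer;
    confirm against ``Context``) and the alert is appended.  When the
    threshold of 5 is reached, a high-severity "Brute force attack"
    correlation alert is emitted and the context is destroyed.

    This method does not inspect ``alert.assessment.impact.completion``
    itself; the caller is expected to pass only failed logins (NOTE(review):
    confirm).  NOTE(review): ``expire`` is 2 — if the timer is re-armed on
    every update that is a 2 s gap between consecutive attempts, far tighter
    than the 120 s the per-user rule uses; confirm the window is intended.

    Args:
        idmef: the incoming IDMEF alert (project wrapper exposing ``Get``).

    Returns:
        None.  Alerts lacking a source or a target address are ignored.
    """
    sadd = idmef.Get("alert.source(*).node.address(*).address")
    tadd = idmef.Get("alert.target(*).node.address(*).address")
    if not sadd or not tadd:
        return

    # Last analyzerid of the alert's analyzer chain, hoisted out of the loop.
    # Guarded so an alert without one cannot raise TypeError/IndexError out
    # of the rule; the alertident analyzerid is optional and simply omitted.
    # NOTE(review): assumes Get() yields None or [] when absent — confirm.
    analyzerids = idmef.Get("alert.analyzer(*).analyzerid")
    last_analyzerid = analyzerids[-1] if analyzerids else None
    messageid = idmef.Get("alert.messageid")

    for source in sadd:
        for target in tadd:
            # "|" keeps the two addresses apart.  Plain concatenation lets
            # distinct pairs alias one context — "10.0.0.1" + "10.0.0.2" and
            # "10.0.0.11" + "0.0.0.2" both spell "10.0.0.110.0.0.2" — so an
            # unrelated host's failures would count against another pair.
            ctx = Context("BRUTE_ST_" + source + "|" + target,
                          {"expire": 2, "threshold": 5}, update=True)

            # Fetched per iteration, as in the original, in case Set() takes
            # ownership of the IDMEF sub-object.
            ctx.Set("alert.source(>>)", idmef.Get("alert.source"))
            ctx.Set("alert.target(>>)", idmef.Get("alert.target"))
            ctx.Set("alert.correlation_alert.alertident(>>).alertident", messageid)
            if last_analyzerid is not None:
                ctx.Set("alert.correlation_alert.alertident(-1).analyzerid", last_analyzerid)

            if ctx.CheckAndDecThreshold():
                ctx.Set("alert.classification.text", "Brute force attack")
                ctx.Set("alert.correlation_alert.name", "Multiple failed login")
                ctx.Set("alert.assessment.impact.severity", "high")
                ctx.Set("alert.assessment.impact.description", "Multiple failed attempts have been made to login to a user account")
                ctx.alert()
                ctx.destroy()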
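def run(self, idmef):
    """Flag a user who successfully authenticated to a host over SSH by more
    than one method (e.g. a password login after key-based logins).

    Only successful alerts whose last analyzer is "OpenSSH" and which carry
    an "Authentication method" additional_data entry are considered.  For
    each (target address, username) pair a context remembers the first
    method seen in ``ctx.authtype``; a later success with a different method
    emits a medium-severity "Multiple authentication methods" correlation
    alert and destroys the context.  The context is created with no
    ``expire`` option, so it is kept until it fires (NOTE(review): one
    context per (host, user) pair lives indefinitely — confirm intended).

    Args:
        idmef: the incoming IDMEF alert (project wrapper exposing ``Get``).

    Returns:
        None.  Alerts not matching the filters above are ignored.
    """
    if idmef.Get("alert.analyzer(-1).manufacturer") != "OpenSSH":
        return
    if idmef.Get("alert.assessment.impact.completion") != "succeeded":
        return

    # Locate the "Authentication method" entry.  Only the two expected
    # misses are swallowed: no additional_data at all (Get() -> None, so
    # .index raises AttributeError) or no such meaning (ValueError).  The
    # original bare `except:` also hid every other error, including
    # KeyboardInterrupt, as a silently dropped alert.
    try:
        idx = idmef.Get("alert.additional_data(*).meaning").index("Authentication method")
    except (ValueError, AttributeError):
        return
    method = idmef.Get("alert.additional_data(%d).data" % idx)

    usernames = idmef.Get("alert.target(*).user.user_id(*).name")
    targets = idmef.Get("alert.target(*).node.address(*).address")
    # Same guard the sibling rules use: without a username and a target
    # address the pair cannot be keyed, and iterating None would raise.
    if not usernames or not targets:
        return

    # Last analyzerid of the alert's analyzer chain, hoisted out of the loop.
    # Guarded so an alert without one cannot raise TypeError/IndexError out
    # of the rule; the alertident analyzerid is optional and simply omitted.
    # NOTE(review): assumes Get() yields None or [] when absent — confirm.
    analyzerids = idmef.Get("alert.analyzer(*).analyzerid")
    last_analyzerid = analyzerids[-1] if analyzerids else None
    messageid = idmef.Get("alert.messageid")

    for username in usernames:
        for target in targets:
            # "|" keeps address and username apart.  Plain concatenation lets
            # distinct pairs alias one context — "fe80::1" + "root" and
            # "fe80::" + "1root" both spell "fe80::1root" — so one user's
            # recorded method could be compared against another's.
            ctx = Context("SSH_MAT_" + target + "|" + username, {"threshold": 1}, update=True)

            # Fetched per iteration, as in the original, in case Set() takes
            # ownership of the IDMEF sub-object.
            ctx.Set("alert.source(>>)", idmef.Get("alert.source"))
            ctx.Set("alert.target(>>)", idmef.Get("alert.target"))
            ctx.Set("alert.correlation_alert.alertident(>>).alertident", messageid)
            if last_analyzerid is not None:
                ctx.Set("alert.correlation_alert.alertident(-1).analyzerid", last_analyzerid)

            if not hasattr(ctx, "authtype"):
                # First success for this (host, user): remember how it
                # authenticated.
                ctx.authtype = method
            elif ctx.authtype != method:
                ctx.Set("alert.classification.text", "Multiple authentication methods")
                ctx.Set("alert.correlation_alert.name", "Multiple authentication methods")
                ctx.Set("alert.assessment.impact.severity", "medium")
                ctx.Set("alert.assessment.impact.description", "Multiple ways of authenticating a single user have been found over SSH. If passphrase is the only allowed method, make sure you disable passwords.")
                ctx.alert()
                ctx.destroy()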