Esempio n. 1
    # seems to cause memory leaks..
    # regular updates are disabled for now,
    # though we set the frequency anyway.
    options.plugincheckfrequency = getConfig('plugincheckfrequency', 120,
                                             options.configfile)

    # This is the full ARN that the s3 bucket lives under
    options.cloudtrail_arn = getConfig('cloudtrail_arn', 'cloudtrail_arn',
                                       options.configfile)


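if __name__ == '__main__':
    # configure ourselves
    parser = OptionParser()
    # The default config file sits next to the script with a '.conf'
    # suffix. Only the trailing '.py'/'.pyc' is swapped: a plain
    # str.replace('.py', '.conf') also rewrites any '.py' that appears
    # earlier in the path (e.g. a '.pyenv' directory) and turns a '.pyc'
    # into '.confc'. Paths without that suffix are left untouched, as before.
    script_path = sys.argv[0]
    if script_path.endswith(('.py', '.pyc')):
        default_configfile = script_path.rsplit('.', 1)[0] + '.conf'
    else:
        default_configfile = script_path
    parser.add_option("-c",
                      dest='configfile',
                      default=default_configfile,
                      help="configuration file to use")
    (options, args) = parser.parse_args()
    initConfig()
    initLogger(options)

    # open ES connection globally so we don't waste time opening it per message
    es = esConnect()

    # force a check for plugins and establish the plugin list
    # (backdating the last check by an hour makes checkPlugins run immediately)
    pluginList = []
    lastPluginCheck = datetime.now() - timedelta(minutes=60)
    pluginList, lastPluginCheck = checkPlugins(pluginList, lastPluginCheck)
    main()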
Esempio n. 2
    options.password = getConfig('password', '', options.configfile)
    options.join = getConfig('join', '#mzdf', options.configfile)
    options.mqserver = getConfig('mqserver', 'localhost', options.configfile)
    options.alertqueue = getConfig('alertqueue', 'mozdef.alert',
                                   options.configfile)
    options.alertexchange = getConfig('alertexchange', 'alerts',
                                      options.configfile)
    options.alertircchannel = getConfig('alertircchannel', '',
                                        options.configfile)
    options.channelkeys = json.loads(
        getConfig('channelkeys', '{"#somechannel": "somekey"}',
                  options.configfile))

    if options.alertircchannel == '':
        options.alertircchannel = options.join


if __name__ == "__main__":
    # Only one command line switch, the config file. The empty default is
    # handed to initConfig() unchanged as options.configfile.
    parser = OptionParser()
    parser.add_option(
        "-c",
        dest='configfile',
        default='',
        help="configuration file to use",
    )
    options, args = parser.parse_args()
    initConfig()

    # Instantiate and start the bot.
    thebot = mozdefBot()
    thebot.run()

# vim: set ts=4 sts=4 sw=4 et:
Esempio n. 3
    # queue topic
    options.alerttopic = get_config(
        'alerttopic',
        'mozdef.*',
        options.configfile)

    # how many messages to ask for at once
    options.prefetch = get_config('prefetch', 50, options.configfile)
    options.mq_alert_server = get_config('mqalertserver', 'localhost', options.configfile)
    options.mq_user = get_config('mquser', 'guest', options.configfile)
    options.mq_password = get_config('mqpassword', 'guest', options.configfile)
    options.mq_port = get_config('mqport', 5672, options.configfile)
    # mqack=True sets persistant delivery, False sets transient delivery
    options.mq_ack = get_config('mqack', True, options.configfile)


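if __name__ == "__main__":
    parser = OptionParser()
    # The default config file sits next to the script with a '.conf'
    # suffix. Only the trailing '.py'/'.pyc' is swapped: a plain
    # str.replace('.py', '.conf') also rewrites any '.py' that appears
    # earlier in the path (e.g. a '.pyenv' directory) and turns a '.pyc'
    # into '.confc'. Paths without that suffix are left untouched, as before.
    script_path = sys.argv[0]
    if script_path.endswith(('.py', '.pyc')):
        default_configfile = script_path.rsplit('.', 1)[0] + '.conf'
    else:
        default_configfile = script_path
    parser.add_option(
        "-c", dest='configfile',
        default=default_configfile,
        help="configuration file to use")
    (options, args) = parser.parse_args()
    init_config()

    # The alert consumer runs on a daemon thread, so it does not keep the
    # process alive once bot.run() returns.
    bot = SlackBot(options.slack_token, options.channels, options.name)
    monitor_alerts_thread = Thread(target=consume_alerts, args=[bot])
    monitor_alerts_thread.daemon = True
    monitor_alerts_thread.start()
    bot.run()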
Esempio n. 4
def initConfig():
    """Initialize the IRC/ES/MQ config options on ``options``.

    Sets defaults or takes overrides from the config file
    (``options.configfile``) via ``getConfig``.
    """
    # (config key, default) in the order the settings are read
    settings = (
        ('host', 'irc.somewhere.com'),
        ('nick', 'mozdefnick'),
        ('port', 6697),
        ('username', 'username'),
        ('realname', 'realname'),
        ('password', ''),
        ('join', '#mzdf'),
        ('esserver', 'localhost'),
        ('mqserver', 'localhost'),
        ('alertqueue', 'mozdef.alert'),
        ('alertexchange', 'alerts'),
        ('alertircchannel', ''),
    )
    for key, default in settings:
        setattr(options, key, getConfig(key, default, options.configfile))

    # With no explicit alert channel, alerts go to the channel we join.
    if options.alertircchannel == '':
        options.alertircchannel = options.join

if __name__ == "__main__":
    # Only one command line switch, the config file. The empty default is
    # handed to initConfig() unchanged as options.configfile.
    parser = OptionParser()
    parser.add_option(
        "-c",
        dest='configfile',
        default='',
        help="configuration file to use",
    )
    options, args = parser.parse_args()
    initConfig()

    # Instantiate and start the bot.
    thebot = mozdefBot()
    thebot.run()

# vim: set ts=4 sts=4 sw=4 et:
Esempio n. 5
    options.kibanaurl = getConfig('kibanaurl', 'http://localhost:9090',
                                  options.configfile)

    # mongo connectivity options
    options.mongohost = getConfig('mongohost', 'localhost', options.configfile)
    options.mongoport = getConfig('mongoport', 3001, options.configfile)

    options.listen_host = getConfig('listen_host', '127.0.0.1',
                                    options.configfile)

    default_user_agent = 'Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/58.0'
    options.user_agent = getConfig('user_agent', default_user_agent,
                                   options.configfile)


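# Configuration is parsed at import time as well, so the WSGI branch below
# is configured too. NOTE: parse_args() reads sys.argv even when this
# module is imported by a WSGI server.
parser = OptionParser()
# Default config file: this module's path with its extension swapped for
# '.conf'. splitext replaces only the final extension, so it also works
# when __file__ is a compiled '.pyc' and never touches a '.py' earlier in
# the path. The previous os.path.join(os.path.dirname(__file__), __file__)
# duplicated the directory component for a relative module path.
parser.add_option("-c",
                  dest='configfile',
                  default=os.path.splitext(__file__)[0] + '.conf',
                  help="configuration file to use")
(options, args) = parser.parse_args()
initConfig()
initLogger(options)
registerPlugins()

if __name__ == "__main__":
    # Standalone: serve on the configured listen interface (initConfig
    # defaults it to 127.0.0.1, i.e. loopback only).
    run(host=options.listen_host, port=8081)
else:
    # Imported by a WSGI server: expose the application object.
    application = default_app()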
Esempio n. 6
    options.esservers = list(
        getConfig('esservers', 'http://localhost:9200',
                  options.configfile).split(','))

    # mongo connectivity options
    options.mongohost = getConfig('mongohost', 'localhost', options.configfile)
    options.mongoport = getConfig('mongoport', 3001, options.configfile)

    options.listen_host = getConfig('listen_host', '127.0.0.1',
                                    options.configfile)

    default_user_agent = 'Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/58.0'
    options.user_agent = getConfig('user_agent', default_user_agent,
                                   options.configfile)


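# Configuration is parsed at import time as well, so the WSGI branch below
# is configured too. NOTE: parse_args() reads sys.argv even when this
# module is imported by a WSGI server.
parser = OptionParser()
# Default config file: this module's path with the trailing '.py'/'.pyc'
# swapped for '.conf'. Only the suffix is replaced: a plain
# str.replace('.py', '.conf') also rewrites any '.py' that appears earlier
# in the path (e.g. a '.pyenv' directory) and turns a '.pyc' into '.confc'.
if __file__.endswith((".py", ".pyc")):
    default_configfile = __file__.rsplit(".", 1)[0] + ".conf"
else:
    default_configfile = __file__
parser.add_option("-c",
                  dest='configfile',
                  default=default_configfile,
                  help="configuration file to use")
(options, args) = parser.parse_args()
initConfig()
initLogger(options)
registerPlugins()

if __name__ == "__main__":
    # Standalone: serve on the configured listen interface (initConfig
    # defaults it to 127.0.0.1, i.e. loopback only).
    run(host=options.listen_host, port=8081)
else:
    # Imported by a WSGI server: expose the application object.
    application = default_app()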
Esempio n. 7
        duo.get_telephony_log(mintime=state["telephony"] + 1),
        "telephony",
        state,
    )

    pickle.dump(state, open(options.statepath, "wb"))


def initConfig():
    """Load the settings from ``options.configfile`` onto ``options``.

    IKEY/SKEY/URL are presumably the Duo API key pair and host (confirm
    against the ``duo`` client setup). Every string setting defaults to
    '' so a missing config entry does not silently fall back to a
    built-in value; DEBUG defaults to True.
    """
    cfg = options.configfile
    # (attribute, config key, default); note update_tags is read from 'addtag'
    settings = (
        ("IKEY", "IKEY", ""),
        ("SKEY", "SKEY", ""),
        ("URL", "URL", ""),
        ("MOZDEF_URL", "MOZDEF_URL", ""),
        ("DEBUG", "DEBUG", True),
        ("statepath", "statepath", ""),
        ("update_tags", "addtag", ""),
    )
    for attr, key, default in settings:
        setattr(options, attr, getConfig(key, default, cfg))


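if __name__ == "__main__":
    parser = OptionParser()
    # The default config file sits next to the script with a '.conf'
    # suffix. Only the trailing '.py'/'.pyc' is swapped: a plain
    # str.replace('.py', '.conf') also rewrites any '.py' that appears
    # earlier in the path (e.g. a '.pyenv' directory) and turns a '.pyc'
    # into '.confc'. Paths without that suffix are left untouched, as before.
    script_path = sys.argv[0]
    if script_path.endswith((".py", ".pyc")):
        defaultconfigfile = script_path.rsplit(".", 1)[0] + ".conf"
    else:
        defaultconfigfile = script_path
    parser.add_option(
        "-c",
        dest="configfile",
        default=defaultconfigfile,
        help="configuration file to use",
    )
    (options, args) = parser.parse_args()
    initConfig()
    main()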
Esempio n. 8
    # also toggles transient/persistant delivery (messages in memory only or stored on disk)
    # ack=True sets persistant delivery, False sets transient delivery
    options.mqack = getConfig("mqack", True, options.configfile)

    # plugin options
    # secs to pass before checking for new/updated plugins
    # seems to cause memory leaks..
    # regular updates are disabled for now,
    # though we set the frequency anyway.
    options.plugincheckfrequency = getConfig("plugincheckfrequency", 120, options.configfile)


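if __name__ == "__main__":
    # configure ourselves
    parser = OptionParser()
    # The default config file sits next to the script with a '.conf'
    # suffix. Only the trailing '.py'/'.pyc' is swapped: a plain
    # str.replace('.py', '.conf') also rewrites any '.py' that appears
    # earlier in the path (e.g. a '.pyenv' directory) and turns a '.pyc'
    # into '.confc'. Paths without that suffix are left untouched, as before.
    script_path = sys.argv[0]
    if script_path.endswith((".py", ".pyc")):
        default_configfile = script_path.rsplit(".", 1)[0] + ".conf"
    else:
        default_configfile = script_path
    parser.add_option(
        "-c", dest="configfile", default=default_configfile, help="configuration file to use"
    )
    (options, args) = parser.parse_args()
    initConfig()

    # open ES connection globally so we don't waste time opening it per message
    es = esConnect(None)

    # force a check for plugins and establish the plugin list
    # (backdating the last check by an hour makes checkPlugins run immediately)
    pluginList = []
    lastPluginCheck = datetime.now() - timedelta(minutes=60)
    pluginList, lastPluginCheck = checkPlugins(pluginList, lastPluginCheck)

    main()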
Esempio n. 9
    options.mqack = getConfig("mqack", True, options.configfile)

    # aws options
    options.accesskey = getConfig("accesskey", "", options.configfile)
    options.secretkey = getConfig("secretkey", "", options.configfile)
    options.region = getConfig("region", "", options.configfile)

    # How long to sleep between polling
    options.sleep_time = getConfig("sleep_time", 0.1, options.configfile)


if __name__ == "__main__":
    # configure ourselves
    parser = OptionParser()
    parser.add_option("-c",
                      dest="configfile",
                      default=sys.argv[0].replace(".py", ".conf"),
                      help="configuration file to use")
    (options, args) = parser.parse_args()
    initConfig()
    initLogger(options)

    # open ES connection globally so we don't waste time opening it per message
    es = esConnect()

    pluginList = registerPlugins()

    try:
        main()
    except KeyboardInterrupt as e:
        logger.info("Exiting worker")
        if options.esbulksize != 0:
Esempio n. 10
        duo.get_telephony_log(mintime=state["telephony"] + 1),
        "telephony",
        state,
    )

    pickle.dump(state, open(options.statepath, "wb"))


def initConfig():
    """Load the settings from ``options.configfile`` onto ``options``.

    IKEY/SKEY/URL are presumably the Duo API key pair and host (confirm
    against the ``duo`` client setup). Every string setting defaults to
    '' so a missing config entry does not silently fall back to a
    built-in value; DEBUG defaults to True.
    """
    cfg = options.configfile
    # (attribute, config key, default); note update_tags is read from 'addtag'
    settings = (
        ("IKEY", "IKEY", ""),
        ("SKEY", "SKEY", ""),
        ("URL", "URL", ""),
        ("MOZDEF_URL", "MOZDEF_URL", ""),
        ("DEBUG", "DEBUG", True),
        ("statepath", "statepath", ""),
        ("update_tags", "addtag", ""),
    )
    for attr, key, default in settings:
        setattr(options, attr, getConfig(key, default, cfg))


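if __name__ == "__main__":
    parser = OptionParser()
    # The default config file sits next to the script with a '.conf'
    # suffix. Only the trailing '.py'/'.pyc' is swapped: a plain
    # str.replace('.py', '.conf') also rewrites any '.py' that appears
    # earlier in the path (e.g. a '.pyenv' directory) and turns a '.pyc'
    # into '.confc'. Paths without that suffix are left untouched, as before.
    script_path = sys.argv[0]
    if script_path.endswith((".py", ".pyc")):
        defaultconfigfile = script_path.rsplit(".", 1)[0] + ".conf"
    else:
        defaultconfigfile = script_path
    parser.add_option(
        "-c",
        dest="configfile",
        default=defaultconfigfile,
        help="configuration file to use",
    )
    (options, args) = parser.parse_args()
    initConfig()
    main()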
Esempio n. 11
                                       options.configfile).split(','))
    options.kibanaurl = getConfig('kibanaurl',
                                  'http://localhost:9090',
                                  options.configfile)

    # mongo connectivity options
    options.mongohost = getConfig('mongohost', 'localhost', options.configfile)
    options.mongoport = getConfig('mongoport', 3001, options.configfile)

    options.listen_host = getConfig('listen_host', '127.0.0.1', options.configfile)

    default_user_agent = 'Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/58.0'
    options.user_agent = getConfig('user_agent', default_user_agent, options.configfile)


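# Configuration is parsed at import time as well, so the WSGI branch below
# is configured too. NOTE: parse_args() reads sys.argv even when this
# module is imported by a WSGI server.
parser = OptionParser()
# Default config file: this module's path with its extension swapped for
# '.conf'. splitext replaces only the final extension, so it also works
# when __file__ is a compiled '.pyc' and never touches a '.py' earlier in
# the path. The previous os.path.join(os.path.dirname(__file__), __file__)
# duplicated the directory component for a relative module path.
parser.add_option(
    "-c",
    dest='configfile',
    default=os.path.splitext(__file__)[0] + '.conf',
    help="configuration file to use")
(options, args) = parser.parse_args()
initConfig()
initLogger(options)
registerPlugins()

if __name__ == "__main__":
    # Standalone: serve on the configured listen interface (initConfig
    # defaults it to 127.0.0.1, i.e. loopback only).
    run(host=options.listen_host, port=8081)
else:
    # Imported by a WSGI server: expose the application object.
    application = default_app()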
Esempio n. 12
                        jlog=json.loads(f.read())
                        for r in jlog['Records']:
                            r['utctimestamp']=toUTC(r['eventTime']).isoformat()
                            jbody=json.dumps(r)
                            res=es.index(index='events',doc_type='cloudtrail',doc=jbody)
                            #logger.debug(res)
            setConfig('lastrun',lastrun,options.configfile)
    except boto.exception.NoAuthHandlerFound:
        logger.error("No auth handler found, check your credentials")
    except Exception as e:
        logger.error("Unhandled exception, terminating: %r"%e)
    

def initConfig():
    """Read the CloudTrail import settings from ``options.configfile``.

    Sets defaults or takes overrides from the config file. The AWS
    credentials default to '' so an absent entry is not quietly replaced
    by a built-in value.
    """
    cfg = options.configfile
    # (attribute, config key, default); defaultTimeZone reads 'defaulttimezone'
    settings = (
        ('output', 'output', 'stdout'),                       # output our log to stdout or syslog
        ('sysloghostname', 'sysloghostname', 'localhost'),    # syslog hostname
        ('syslogport', 'syslogport', 514),                    # syslog port
        ('defaultTimeZone', 'defaulttimezone', 'US/Pacific'),
        ('aws_access_key_id', 'aws_access_key_id', ''),       # aws credentials to use to connect to cloudtrail
        ('aws_secret_access_key', 'aws_secret_access_key', ''),
    )
    for attr, key, default in settings:
        setattr(options, attr, getConfig(key, default, cfg))

    # comma separated list of ES endpoints
    options.esservers = getConfig('esservers', 'http://localhost:9200', cfg).split(',')
    # last run marker; defaults to one hour ago, normalised with toUTC either way
    one_hour_ago = toUTC(datetime.now() - timedelta(hours=1))
    options.lastrun = toUTC(getConfig('lastrun', one_hour_ago, cfg))
    options.purge = getConfig('purge', False, cfg)
 
if __name__ == '__main__':
    parser = OptionParser()
    # default config file is the script path plus a '.conf' suffix (foo.py.conf)
    parser.add_option(
        "-c",
        dest='configfile',
        default='{0}.conf'.format(sys.argv[0]),
        help="configuration file to use",
    )
    options, args = parser.parse_args()
    initConfig()
    main()
Esempio n. 13
                if options.action == "info":
                    get_volume_info(region)

            # target a specific snapshot
            if options.snapshots and len(options.snapshots) > 0:
                # attach a snapshot to forensics?
                if options.action == 'attach' and \
                   options.snapshots and \
                   options.forensic :
                    attach_snapshot(region)
                if options.action == 'list':
                    list_snapshots(region)



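if __name__ == '__main__':
    parser = OptionParser()
    # The default config file sits next to the script with a '.conf'
    # suffix. Only the trailing '.py'/'.pyc' is swapped: a plain
    # str.replace('.py', '.conf') also rewrites any '.py' that appears
    # earlier in the path (e.g. a '.pyenv' directory) and turns a '.pyc'
    # into '.confc'. Paths without that suffix are left untouched, as before.
    script_path = sys.argv[0]
    if script_path.endswith(('.py', '.pyc')):
        default_configfile = script_path.rsplit('.', 1)[0] + '.conf'
    else:
        default_configfile = script_path
    parser.add_option("-c", "--conf", dest='configfile', default=default_configfile, help="configuration file to use")
    parser.add_option("-o", "--output", dest='output', default='text', help="output format, json or text")
    # targeting: comma delimited ID lists are parsed by the callers, not here
    parser.add_option("-r", "--regions", dest='regions', default=None, help="comma delimited list of regions to target")
    parser.add_option("-i", "--instances", dest='instances', default=None, help="comma delimited list of instance IDs to target")
    parser.add_option("-f", "--forensic", dest='forensic', default=None, help="instance IDs to use as the forensic workstation")
    parser.add_option("-v", "--volumes", dest='volumes', default=None, help="comma delimited list of volume IDs to target")
    parser.add_option("-s", "--snapshots", dest='snapshots', default=None, help="comma delimited list of snapshot IDs to attach to the forensic instance")
    parser.add_option("-d", "--device", dest="device", default="/dev/sdf", help="target device to use when attaching a volume")
    # 'attach' only acts when snapshots and a forensic instance are both given (see main)
    parser.add_option("-a", "--action", dest='action', default='list', type="choice", choices=["list", "info", "snapshot", "attach"], help="Action to perform, list, info, snapshot, attach. Defaults to list")
    (options, args) = parser.parse_args()
    initConfig()
    initLogger()
    main()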
Esempio n. 14
    options.aws_secret_access_key = getConfig('aws_secret_access_key', '',
                                              options.configfile)
    options.esservers = list(
        getConfig('esservers', 'http://localhost:9200',
                  options.configfile).split(','))
    options.aws_accounts = list(
        getConfig('aws_accounts', '', options.configfile).split(','))
    options.assumed_role_arns = list(
        getConfig('assumed_role_arns', '', options.configfile).split(','))
    options.bucket_account_map = json.loads(
        getConfig('bucket_account_map', '{}', options.configfile))
    options.state_file_name = getConfig('state_file_name',
                                        '{0}.json'.format(sys.argv[0]),
                                        options.configfile)
    options.regions = list(
        getConfig('regions',
                  ','.join([x.name for x in boto.cloudtrail.regions()]),
                  options.configfile).split(','))
    options.purge = getConfig('purge', False, options.configfile)


if __name__ == '__main__':
    parser = OptionParser()
    # default config file is the script path plus a '.conf' suffix (foo.py.conf)
    parser.add_option(
        "-c",
        dest='configfile',
        default='{0}.conf'.format(sys.argv[0]),
        help="configuration file to use",
    )
    options, args = parser.parse_args()
    initConfig()
    main()