 def format_packet(self, record):
     """Render a packet record as a JSON-ready dictionary.

     Every field of ``record`` is copied through unchanged except ``data``,
     whose raw bytes are base64-encoded into ``packet["data"]``.  When the
     ``packet_printable`` / ``packet_hex`` flags are set, a printable and a
     hex rendering of the same bytes are added as ``data-printable`` and
     ``data-hex``.

     Args:
         record: mapping of packet fields; ``data`` holds raw bytes.

     Returns:
         OrderedDict with ``type`` set to ``"packet"`` and the rendered
         fields under ``packet``.
     """
     rendered = {}
     for name, value in record.items():
         if name != "data":
             rendered[name] = value
             continue
         # Raw payload bytes are not JSON-safe, so base64 is the canonical
         # form; the optional renderings work from the same bytes.
         rendered["data"] = base64.b64encode(value).decode("utf-8")
         if self.packet_printable:
             rendered["data-printable"] = util.format_printable(value)
         if self.packet_hex:
             rendered["data-hex"] = self.format_hex(value)
     return OrderedDict([("type", "packet"), ("packet", rendered)])
 def format_packet(self, record):
     """Build the ``{"type": "packet", "packet": {...}}`` envelope for a record.

     Fields other than ``data`` are copied as-is.  ``data`` (raw bytes) is
     emitted base64-encoded, with ``data-printable`` and ``data-hex``
     variants added when ``self.packet_printable`` / ``self.packet_hex``
     are enabled.

     Args:
         record: mapping of packet fields; ``data`` holds raw bytes.

     Returns:
         OrderedDict of ``type`` followed by ``packet``.
     """
     def encode_data(raw):
         # Payload bytes are emitted as base64 so the result is JSON-safe;
         # the extra renderings are opt-in.
         fields = {"data": base64.b64encode(raw).decode("utf-8")}
         if self.packet_printable:
             fields["data-printable"] = util.format_printable(raw)
         if self.packet_hex:
             fields["data-hex"] = self.format_hex(raw)
         return fields

     packet = {}
     for field in record:
         if field == "data":
             packet.update(encode_data(record[field]))
         else:
             packet[field] = record[field]
     return OrderedDict([("type", "packet"), ("packet", packet)])
    def format_packet(self, packet):
        """Render a packet record in EVE style.

        Args:
            packet: mapping of packet fields; ``data`` holds raw bytes and
                the timestamp is split across ``packet-second`` and
                ``packet-microsecond``.

        Returns:
            OrderedDict with ``timestamp``, ``sensor_id``, the Snort
            ``event_id``/``event_second`` correlation fields, the
            base64-encoded ``packet`` (plus opt-in printable / hex
            renderings) and ``packet_info`` carrying the link type.
        """
        output = OrderedDict([
            ("timestamp", render_timestamp(
                packet["packet-second"], packet["packet-microsecond"])),
            ("sensor_id", packet["sensor-id"]),
            # Only Snort emits these two, but they are what ties the packet
            # back to its event.
            ("event_id", packet["event-id"]),
            ("event_second", packet["event-second"]),
        ])

        raw = packet["data"]
        # Raw bytes are not JSON-safe; base64 is the canonical form, the
        # printable and hex variants are opt-in conveniences.
        output["packet"] = base64.b64encode(raw).decode("utf-8")
        if self.packet_printable:
            output["packet_printable"] = util.format_printable(raw)
        if self.packet_hex:
            output["packet_hex"] = self.format_hex(raw)
        output["packet_info"] = {"linktype": packet["linktype"]}
        return output
    def format_packet(self, packet):
        """Return the EVE representation of one packet record.

        Args:
            packet: mapping of packet fields (``packet-second``,
                ``packet-microsecond``, ``sensor-id``, ``event-id``,
                ``event-second``, ``data`` as raw bytes, ``linktype``).

        Returns:
            OrderedDict in the fixed key order timestamp, sensor_id,
            event_id, event_second, packet, [packet_printable],
            [packet_hex], packet_info.
        """
        fields = [
            ("timestamp", render_timestamp(
                packet["packet-second"], packet["packet-microsecond"])),
            ("sensor_id", packet["sensor-id"]),
            # Snort-only fields, required to correlate packet and event.
            ("event_id", packet["event-id"]),
            ("event_second", packet["event-second"]),
        ]

        raw = packet["data"]
        # base64 keeps arbitrary payload bytes JSON-safe; the other two
        # renderings are only produced when configured.
        fields.append(("packet", base64.b64encode(raw).decode("utf-8")))
        if self.packet_printable:
            fields.append(("packet_printable", util.format_printable(raw)))
        if self.packet_hex:
            fields.append(("packet_hex", self.format_hex(raw)))
        fields.append(("packet_info", {"linktype": packet["linktype"]}))
        return OrderedDict(fields)
    def format_extra_data(self, record):
        """Render an extra-data record as a JSON-ready dictionary.

        The numeric ``type`` of the record is mapped back to its symbolic
        name in ``unified2.EXTRA_DATA_TYPE`` (lower-cased) and stored under
        the ``extra-data-type`` key; when nothing matches, that key is
        simply absent.  ``data`` is base64-encoded, optionally accompanied
        by a printable rendering (``data-printable``), and every other
        field is copied through unchanged.

        Args:
            record: mapping of extra-data fields; ``data`` holds raw bytes.

        Returns:
            OrderedDict of ``type`` followed by the rendered fields, both
            named through ``self.key("extra-data")``.
        """
        data = {}

        # Reverse lookup: EXTRA_DATA_TYPE maps name -> number, while the
        # record carries the number.
        type_name = next(
            (name for name, number in unified2.EXTRA_DATA_TYPE.items()
             if number == record["type"]),
            None)
        if type_name is not None:
            data[self.key("extra-data-type")] = type_name.lower()

        for field, value in record.items():
            if field != "data":
                data[field] = value
                continue
            # Raw bytes are not JSON-safe; the printable form is opt-in.
            data["data"] = base64.b64encode(value).decode("utf-8")
            if self.extra_printable:
                data["data-printable"] = util.format_printable(value)

        return OrderedDict([
            ("type", self.key("extra-data")),
            (self.key("extra-data"), data),
        ])
    def format_extra_data(self, record):
        """Build the ``{"type": ..., <extra-data>: {...}}`` envelope for a record.

        Resolves the record's numeric ``type`` to the matching name in
        ``unified2.EXTRA_DATA_TYPE`` (lower-cased, under ``extra-data-type``;
        omitted when there is no match), base64-encodes ``data`` (adding
        ``data-printable`` when ``self.extra_printable`` is set) and copies
        all remaining fields verbatim.

        Args:
            record: mapping of extra-data fields; ``data`` holds raw bytes.

        Returns:
            OrderedDict whose two keys come from ``self.key``.
        """
        data = {}

        # EXTRA_DATA_TYPE is name -> number; find the name for this record.
        for name, number in unified2.EXTRA_DATA_TYPE.items():
            if number != record["type"]:
                continue
            data[self.key("extra-data-type")] = name.lower()
            break

        for field in record:
            value = record[field]
            if field == "data":
                # Payload bytes go out as base64 so the result is JSON-safe.
                data["data"] = base64.b64encode(value).decode("utf-8")
                if self.extra_printable:
                    data["data-printable"] = util.format_printable(value)
            else:
                data[field] = value

        section = self.key("extra-data")
        return OrderedDict([("type", section), (self.key("extra-data"), data)])
    def format_event(self, event):
        """Render a unified2 event as an EVE-style alert dictionary.

        Args:
            event: mapping of event fields; ``packet`` (a single packet
                record, or falsy) and ``extra-data`` (a list of extra-data
                records, or falsy) are optional attachments.

        Returns:
            OrderedDict with the timestamp, sensor and Snort correlation
            fields, the ``src_ip``/``src_port``/``dest_ip``/``dest_port``/
            ``proto`` tuple, ICMP type/code for ICMP traffic, ``flow_id``,
            the nested ``alert`` block and, when present, the
            base64-encoded packet and ``snort_extra_data`` entries.
        """
        output = OrderedDict()
        output["timestamp"] = render_timestamp(
            event["event-second"], event["event-microsecond"])
        output["sensor_id"] = event["sensor-id"]
        # Snort-only fields, kept so the alert can be correlated with its
        # packet and extra-data records.
        output["event_id"] = event["event-id"]
        output["event_second"] = event["event-second"]

        output["event_type"] = "alert"
        output["src_ip"] = event["source-ip"]
        protocol = event["protocol"]
        # For TCP/UDP the sport-itype / dport-icode fields are ports; for
        # ICMP the same two fields carry type and code instead.
        has_ports = protocol in (socket.IPPROTO_UDP, socket.IPPROTO_TCP)
        if has_ports:
            output["src_port"] = event["sport-itype"]
        output["dest_ip"] = event["destination-ip"]
        if has_ports:
            output["dest_port"] = event["dport-icode"]
        output["proto"] = self.getprotobynumber(protocol)
        if protocol in (socket.IPPROTO_ICMP, socket.IPPROTO_ICMPV6):
            output["icmp_type"] = event["sport-itype"]
            output["icmp_code"] = event["dport-icode"]

        output["flow_id"] = calculate_flow_id(event)

        output["alert"] = OrderedDict([
            ("action", "blocked" if event["blocked"] == 1 else "allowed"),
            ("gid", event["generator-id"]),
            ("signature_id", event["signature-id"]),
            ("rev", event["signature-revision"]),
            ("signature", self.resolve_msg(event)),
            ("category", self.resolve_classification(event)),
            ("severity", event["priority"]),
        ])

        # EVE carries at most one packet per alert.
        packet = event["packet"]
        if packet:
            raw = packet["data"]
            # Raw bytes are not JSON-safe; base64 is canonical, the
            # printable and hex forms are opt-in.
            output["packet"] = base64.b64encode(raw).decode("utf-8")
            if self.packet_printable:
                output["packet_printable"] = util.format_printable(raw)
            if self.packet_hex:
                output["packet_hex"] = self.format_hex(raw)
            output["packet_info"] = {"linktype": packet["linktype"]}

        extra = event["extra-data"]
        if extra:
            type_map = unified2.EXTRA_DATA_TYPE_MAP
            entries = []
            for ed in extra:
                type_id = ed["event-type"]
                name = type_map.get(type_id, "unknown")
                entries.append(OrderedDict([
                    ("type", name.lower()),
                    ("type_id", type_id),
                    ("data_printable", util.format_printable(ed["data"])),
                ]))
            output["snort_extra_data"] = entries

        return output
    def format_event(self, event):
        """Return the EVE alert record for one unified2 event.

        Args:
            event: mapping of event fields.  ``packet`` is a single packet
                record or falsy; ``extra-data`` is a list of extra-data
                records or falsy.

        Returns:
            OrderedDict in EVE key order: timestamp, sensor_id, event_id,
            event_second, event_type, src_ip, [src_port], dest_ip,
            [dest_port], proto, [icmp_type, icmp_code], flow_id, alert,
            [packet, packet_printable, packet_hex, packet_info],
            [snort_extra_data].
        """
        def encode_packet(packet):
            # Raw bytes are not JSON-safe; base64 is canonical, the printable
            # and hex forms are produced only when configured.
            raw = packet["data"]
            fields = [("packet", base64.b64encode(raw).decode("utf-8"))]
            if self.packet_printable:
                fields.append(("packet_printable", util.format_printable(raw)))
            if self.packet_hex:
                fields.append(("packet_hex", self.format_hex(raw)))
            fields.append(("packet_info", {"linktype": packet["linktype"]}))
            return fields

        def render_extra(ed):
            type_id = ed["event-type"]
            if type_id in unified2.EXTRA_DATA_TYPE_MAP:
                name = unified2.EXTRA_DATA_TYPE_MAP[type_id]
            else:
                name = "unknown"
            return OrderedDict([
                ("type", name.lower()),
                ("type_id", type_id),
                ("data_printable", util.format_printable(ed["data"])),
            ])

        output = OrderedDict()
        output["timestamp"] = render_timestamp(
            event["event-second"], event["event-microsecond"])
        output["sensor_id"] = event["sensor-id"]
        # Snort-only correlation fields.
        output["event_id"] = event["event-id"]
        output["event_second"] = event["event-second"]

        output["event_type"] = "alert"
        output["src_ip"] = event["source-ip"]
        proto = event["protocol"]
        # sport-itype / dport-icode double as ports (TCP/UDP) or as ICMP
        # type / code, depending on the protocol.
        layer4 = proto in (socket.IPPROTO_UDP, socket.IPPROTO_TCP)
        if layer4:
            output["src_port"] = event["sport-itype"]
        output["dest_ip"] = event["destination-ip"]
        if layer4:
            output["dest_port"] = event["dport-icode"]
        output["proto"] = self.getprotobynumber(proto)
        if proto in (socket.IPPROTO_ICMP, socket.IPPROTO_ICMPV6):
            output["icmp_type"] = event["sport-itype"]
            output["icmp_code"] = event["dport-icode"]

        output["flow_id"] = calculate_flow_id(event)

        alert = OrderedDict()
        alert["action"] = "blocked" if event["blocked"] == 1 else "allowed"
        alert["gid"] = event["generator-id"]
        alert["signature_id"] = event["signature-id"]
        alert["rev"] = event["signature-revision"]
        alert["signature"] = self.resolve_msg(event)
        alert["category"] = self.resolve_classification(event)
        alert["severity"] = event["priority"]
        output["alert"] = alert

        # EVE carries a single packet per alert.
        if event["packet"]:
            for key, value in encode_packet(event["packet"]):
                output[key] = value

        if event["extra-data"]:
            output["snort_extra_data"] = []
            for ed in event["extra-data"]:
                output["snort_extra_data"].append(render_extra(ed))

        return output