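def onAggregation(self, aggreg):
    """Build an address-scan alert from the first event of an aggregation.

    Args:
        aggreg: aggregation dict whose ``'events'`` list holds the matched
            Bro/Zeek notice events.

    Returns:
        The alert dict from ``createAlertDict``, or ``None`` when the
        aggregation carries no events.
    """
    category = 'nsm'
    severity = 'NOTICE'
    tags = ['nsm', "bro", 'addressscan']

    events = aggreg['events']
    if len(events) == 0:
        return None

    # The scanning host is reported in details.sourceipaddress; guard on the
    # key that is actually read so a notice without it yields 'unknown'
    # instead of raising KeyError.
    indicators = 'unknown'
    details = events[0]['_source'].get('details')
    if isinstance(details, dict) and 'sourceipaddress' in details:
        indicators = details['sourceipaddress']
    indicators_info = add_hostname_to_ip(indicators, '{0} ({1})', require_internal=False)
    summary = 'Address scan from {}'.format(indicators_info)
    return self.createAlertDict(summary, category, tags, aggreg['events'], severity)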
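def onAggregation(self, aggreg):
    """Build an alert for SSH logins that reach an in-scope host from outside policy.

    Args:
        aggreg: aggregation dict; ``aggreg['events']`` is the list of matched
            events, each carrying ``_source.hostname`` and ``_source.summary``.

    Returns:
        The alert dict from ``createAlertDict``, or ``None`` when the
        aggregation is empty, the destination host is out of scope, or every
        login is covered by the network / user / exception allow-lists.
    """
    category = 'session'
    severity = 'WARNING'
    tags = ['sshd', 'syslog']

    events = aggreg['events']
    if len(events) == 0:
        return None

    # Scope the destination host: it must match at least one hostmustmatch
    # pattern and none of the hostmustnotmatch patterns.
    srchost = events[0]['_source']['hostname']
    if not any(re.match(pattern, srchost) is not None
               for pattern in self._config['hostmustmatch']):
        return None
    if any(re.match(pattern, srchost) is not None
           for pattern in self._config['hostmustnotmatch']):
        return None

    # Parse the configured networks once instead of once per event.
    alert_networks = [netaddr.IPNetwork(net) for net in self._config['alertifsource']]
    exempt_networks = [netaddr.IPNetwork(net) for net in self._config['notalertifsource']]
    ignored_users = self._config['ignoreusers']

    # Collect logins whose origin is inside an alertifsource network and is
    # not excused by notalertifsource, ignoreusers or the exception list.
    candidates = []
    source_ips = []
    users = []
    for event in events:
        # Raw string: '\S' in a plain literal is an invalid escape sequence.
        m = re.match(r'Accepted publickey for (\S+) from (\S+).*', event['_source']['summary'])
        if m is None:
            continue
        user, source = m.group(1), m.group(2)
        try:
            ipaddr = netaddr.IPAddress(source)
        except netaddr.AddrFormatError:
            # One malformed log line must not abort the whole aggregation.
            continue
        if not any(ipaddr in net for net in alert_networks):
            continue
        if any(ipaddr in net for net in exempt_networks):
            continue
        if any(re.match(pattern, user) for pattern in ignored_users):
            continue
        if self.exception_check(user, srchost, source):
            continue
        # Record each login once, even when the address falls inside several
        # overlapping alertifsource networks.
        source_ips.append(source)
        users.append(user)
        candidates.append(event)

    if len(candidates) == 0:
        return None

    # The candidates only decide whether to alert; the alert itself carries
    # the whole aggregation.
    src_hosts_info = [add_hostname_to_ip(source_ip, '{0} ({1})') for source_ip in source_ips]
    summary = 'SSH lateral movement outside policy: access to {} from {} as {}'.format(
        srchost, ','.join(src_hosts_info), ','.join(users))
    return self.createAlertDict(summary, category, tags, aggreg['events'], severity)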
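def onAggregation(self, aggreg):
    """Build an alert for SSH logins that reach an in-scope host from outside policy.

    Args:
        aggreg: aggregation dict; ``aggreg['events']`` is the list of matched
            events, each carrying ``_source.hostname`` and ``_source.summary``.

    Returns:
        The alert dict from ``createAlertDict``, or ``None`` when the
        aggregation is empty, the destination host is out of scope, or every
        login is covered by the network / user / exception allow-lists.
    """
    category = 'session'
    severity = 'WARNING'
    tags = ['sshd', 'syslog']

    events = aggreg['events']
    if len(events) == 0:
        return None

    # Scope the destination host: it must match at least one hostmustmatch
    # pattern and none of the hostmustnotmatch patterns.
    srchost = events[0]['_source']['hostname']
    if not any(re.match(pattern, srchost) is not None
               for pattern in self._config['hostmustmatch']):
        return None
    if any(re.match(pattern, srchost) is not None
           for pattern in self._config['hostmustnotmatch']):
        return None

    # Parse the configured networks once instead of once per event.
    alert_networks = [netaddr.IPNetwork(net) for net in self._config['alertifsource']]
    exempt_networks = [netaddr.IPNetwork(net) for net in self._config['notalertifsource']]
    ignored_users = self._config['ignoreusers']

    # Collect logins whose origin is inside an alertifsource network and is
    # not excused by notalertifsource, ignoreusers or the exception list.
    candidates = []
    source_ips = []
    users = []
    for event in events:
        m = re.match(r'Accepted publickey for (\S+) from (\S+).*', event['_source']['summary'])
        if m is None:
            continue
        user, source = m.group(1), m.group(2)
        try:
            ipaddr = netaddr.IPAddress(source)
        except netaddr.AddrFormatError:
            # One malformed log line must not abort the whole aggregation.
            continue
        if not any(ipaddr in net for net in alert_networks):
            continue
        if any(ipaddr in net for net in exempt_networks):
            continue
        if any(re.match(pattern, user) for pattern in ignored_users):
            continue
        if self.exception_check(user, srchost, source):
            continue
        # Record each login once, even when the address falls inside several
        # overlapping alertifsource networks.
        source_ips.append(source)
        users.append(user)
        candidates.append(event)

    if len(candidates) == 0:
        return None

    # The candidates only decide whether to alert; the alert itself carries
    # the whole aggregation.
    src_hosts_info = [add_hostname_to_ip(source_ip, '{0} ({1})') for source_ip in source_ips]
    summary = 'SSH lateral movement outside policy: access to {} from {} as {}'.format(
        srchost, ','.join(src_hosts_info), ','.join(users))
    return self.createAlertDict(summary, category, tags, aggreg['events'], severity)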