Esempio n. 1
0
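    def onAggregation(self, aggreg):
        """Build the address-scan alert for one aggregation of NSM/Bro events.

        aggreg: aggregation dict with an 'events' list; the first event's
        '_source' may carry details.sourceipaddress, the scanning host.
        Returns the alert dict from createAlertDict, or None when the
        aggregation holds no events (consistent with the other plugins'
        onAggregation handlers).
        """
        category = 'nsm'
        severity = 'NOTICE'
        tags = ['nsm', "bro", 'addressscan']

        events = aggreg['events']
        if not events:
            return None

        # Default to 'unknown' for both the raw indicator and its display
        # form, so an event without details still produces an alert. An
        # unhandled error here would drop the alert entirely, which is a
        # worse outcome for detection than an alert without the scanner's
        # address.
        indicators = 'unknown'
        indicators_info = indicators
        details = events[0]['_source'].get('details') or {}
        # Guard on the key that is actually read below.
        if 'sourceipaddress' in details:
            indicators = details['sourceipaddress']
            indicators_info = add_hostname_to_ip(indicators, '{0} ({1})', require_internal=False)

        summary = 'Address scan from {}'.format(indicators_info)

        return self.createAlertDict(summary, category, tags, events, severity)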
Esempio n. 2
0
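    def onAggregation(self, aggreg):
        """Build the address-scan alert for one aggregation of NSM/Bro events.

        aggreg: aggregation dict with an 'events' list; the first event's
        '_source' may carry details.sourceipaddress, the scanning host.
        Returns the alert dict from createAlertDict, or None when the
        aggregation holds no events (consistent with the other plugins'
        onAggregation handlers).
        """
        category = 'nsm'
        severity = 'NOTICE'
        tags = ['nsm', "bro", 'addressscan']

        events = aggreg['events']
        if not events:
            return None

        # Default to 'unknown' for both the raw indicator and its display
        # form, so an event without details still produces an alert. An
        # unhandled error here would drop the alert entirely, which is a
        # worse outcome for detection than an alert without the scanner's
        # address.
        indicators = 'unknown'
        indicators_info = indicators
        details = events[0]['_source'].get('details') or {}
        # Guard on the key that is actually read below.
        if 'sourceipaddress' in details:
            indicators = details['sourceipaddress']
            indicators_info = add_hostname_to_ip(indicators, '{0} ({1})', require_internal=False)

        summary = 'Address scan from {}'.format(indicators_info)

        return self.createAlertDict(summary, category, tags, events, severity)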
Esempio n. 3
0
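    def onAggregation(self, aggreg):
        """Alert on SSH public-key logins to an in-scope host from a source
        address outside the configured policy.

        aggreg: aggregation dict with an 'events' list; each event's
        '_source' carries 'hostname' (the destination host) and the sshd
        'summary' line. Reads self._config keys hostmustmatch,
        hostmustnotmatch, alertifsource, notalertifsource and ignoreusers.
        Returns the alert dict from createAlertDict, or None when there are
        no events, the destination host is out of scope, or no event
        qualifies.
        """
        category = 'session'
        severity = 'WARNING'
        tags = ['sshd', 'syslog']

        events = aggreg['events']
        if not events:
            return None

        # Destination host scope: must match one hostmustmatch pattern and
        # none of the hostmustnotmatch patterns (negation wins).
        srchost = events[0]['_source']['hostname']
        if not any(re.match(pattern, srchost) for pattern in self._config['hostmustmatch']):
            return None
        if any(re.match(pattern, srchost) for pattern in self._config['hostmustnotmatch']):
            return None

        # Origin check: an event qualifies when its source IP lies inside an
        # alertifsource network, is not excluded by notalertifsource, the
        # user is not in ignoreusers, and no exception_check entry applies.
        # Membership is evaluated once per event, so an IP that falls inside
        # several overlapping alertifsource networks is recorded only once
        # (the per-network loop would otherwise duplicate it in the summary).
        # Raw string: \S in a non-raw literal is an invalid escape sequence.
        login_re = re.compile(r'Accepted publickey for (\S+) from (\S+).*')
        candidates = []
        source_ips = []
        users = []
        for event in events:
            m = login_re.match(event['_source']['summary'])
            if m is None:
                continue
            user, source_ip = m.group(1), m.group(2)
            # netaddr raises on a token that is not an address; sshd logs an
            # address here, so a malformed value is surfaced rather than hidden.
            ipaddr = netaddr.IPAddress(source_ip)
            if not any(ipaddr in netaddr.IPNetwork(net) for net in self._config['alertifsource']):
                continue
            if any(ipaddr in netaddr.IPNetwork(net) for net in self._config['notalertifsource']):
                continue
            if any(re.match(pattern, user) for pattern in self._config['ignoreusers']):
                continue
            if self.exception_check(user, srchost, source_ip):
                continue
            source_ips.append(source_ip)
            users.append(user)
            candidates.append(event)
        if not candidates:
            return None

        src_hosts_info = [add_hostname_to_ip(source_ip, '{0} ({1})') for source_ip in source_ips]

        summary = 'SSH lateral movement outside policy: access to {} from {} as {}'.format(
            srchost, ','.join(src_hosts_info), ','.join(users))

        # NOTE(review): the alert is built from every aggregated event, not
        # only the qualifying candidates — confirm that is intended.
        return self.createAlertDict(summary, category, tags, events, severity)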
Esempio n. 4
0
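    def onAggregation(self, aggreg):
        """Alert on SSH public-key logins to an in-scope host from a source
        address outside the configured policy.

        aggreg: aggregation dict with an 'events' list; each event's
        '_source' carries 'hostname' (the destination host) and the sshd
        'summary' line. Reads self._config keys hostmustmatch,
        hostmustnotmatch, alertifsource, notalertifsource and ignoreusers.
        Returns the alert dict from createAlertDict, or None when there are
        no events, the destination host is out of scope, or no event
        qualifies.
        """
        category = 'session'
        severity = 'WARNING'
        tags = ['sshd', 'syslog']

        events = aggreg['events']
        if not events:
            return None

        # Destination host scope: must match one hostmustmatch pattern and
        # none of the hostmustnotmatch patterns (negation wins).
        srchost = events[0]['_source']['hostname']
        if not any(re.match(pattern, srchost) for pattern in self._config['hostmustmatch']):
            return None
        if any(re.match(pattern, srchost) for pattern in self._config['hostmustnotmatch']):
            return None

        # Origin check: an event qualifies when its source IP lies inside an
        # alertifsource network, is not excluded by notalertifsource, the
        # user is not in ignoreusers, and no exception_check entry applies.
        # Membership is evaluated once per event, so an IP that falls inside
        # several overlapping alertifsource networks is recorded only once
        # (the per-network loop would otherwise duplicate it in the summary).
        login_re = re.compile(r'Accepted publickey for (\S+) from (\S+).*')
        candidates = []
        source_ips = []
        users = []
        for event in events:
            m = login_re.match(event['_source']['summary'])
            if m is None:
                continue
            user, source_ip = m.group(1), m.group(2)
            # netaddr raises on a token that is not an address; sshd logs an
            # address here, so a malformed value is surfaced rather than hidden.
            ipaddr = netaddr.IPAddress(source_ip)
            if not any(ipaddr in netaddr.IPNetwork(net) for net in self._config['alertifsource']):
                continue
            if any(ipaddr in netaddr.IPNetwork(net) for net in self._config['notalertifsource']):
                continue
            if any(re.match(pattern, user) for pattern in self._config['ignoreusers']):
                continue
            if self.exception_check(user, srchost, source_ip):
                continue
            source_ips.append(source_ip)
            users.append(user)
            candidates.append(event)
        if not candidates:
            return None

        src_hosts_info = [add_hostname_to_ip(source_ip, '{0} ({1})') for source_ip in source_ips]

        summary = 'SSH lateral movement outside policy: access to {} from {} as {}'.format(
            srchost, ','.join(src_hosts_info), ','.join(users))

        # NOTE(review): the alert is built from every aggregated event, not
        # only the qualifying candidates — confirm that is intended.
        return self.createAlertDict(summary, category, tags, events, severity)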