def query_tests(self):
    """Map each TermsMatch query to the documents it is expected to match.

    Every summary below contains at least one of the queried terms as a
    whole word. Documents are minimal single-field dicts, one fresh object
    per entry.
    """
    def docs(*summaries):
        # Wrap each summary string in the one-field document shape used here.
        return [{'summary': text} for text in summaries]

    single_term = TermsMatch('summary', ['test'])
    two_terms = TermsMatch('summary', ['test', 'redfred'])
    return {
        single_term: docs(
            'test',
            'test summary',
            'example test summary',
            'example summary test',
        ),
        two_terms: docs(
            'test',
            'redfred',
            'test summary',
            'example test summary',
            'example redfred summary test',
        ),
    }
def query_tests(self):
    """Map each TermsMatch query to documents it is expected not to match.

    Both queries get the same two documents: neither summary contains a
    whole 'test' term (only the prefix 'tes'), and 'exam' likewise appears
    only as a prefix of 'example'. Each query receives its own fresh dicts.
    """
    def non_matching():
        # Fresh document objects per call so the two lists never alias.
        return [{'summary': text} for text in ('example summary', 'example summary tes')]

    return {
        TermsMatch('summary', ['test']): non_matching(),
        TermsMatch('summary', ['test', 'exam']): non_matching(),
    }
def query_tests(self):
    """Return ``[query, documents]`` pairs whose documents are expected to match.

    Every summary contains at least one of the queried terms as a whole
    word. Pairs and document lists are plain lists, as the harness consumes
    them that way.
    """
    def pair(terms, *summaries):
        # One [query, documents] entry; each document is a fresh dict.
        return [
            TermsMatch('summary', terms),
            [{'summary': text} for text in summaries],
        ]

    return [
        pair(
            ['test'],
            'test',
            'test summary',
            'example test summary',
            'example summary test',
        ),
        pair(
            ['test', 'redfred'],
            'test',
            'redfred',
            'test summary',
            'example test summary',
            'example redfred summary test',
        ),
    ]
def query_tests(self):
    """Return ``[query, documents]`` pairs whose documents must not match.

    Neither summary contains a whole 'test' term (only the prefix 'tes'),
    and 'exam' appears only as a prefix of 'example'. Each pair gets its own
    fresh document dicts.
    """
    def pair(terms):
        # One [query, documents] entry with the shared pair of non-matching summaries.
        return [
            TermsMatch('summary', terms),
            [{'summary': text} for text in ('example summary', 'example summary tes')],
        ]

    return [
        pair(['test']),
        pair(['test', 'exam']),
    ]
def main(self):
    """Alert on intel-sourced bro events carrying a seen indicator from the named sensors.

    Searches the last two minutes, aggregates on ``details.seenindicator``
    and alerts once an aggregation bucket holds at least ``threshold`` events.
    """
    sensors = ['sensor1', 'sensor2', 'sensor3']
    query = SearchQuery(minutes=2)
    query.add_must([
        TermMatch('category', 'bro'),
        TermMatch('source', 'intel'),
        ExistsMatch('details.seenindicator'),
        TermsMatch('hostname', sensors),
    ])
    self.filtersManual(query)
    # Aggregate on the indicator value, keeping at most 10 sample events per bucket.
    self.searchEventsAggregated('details.seenindicator', samplesLimit=10)
    # Fire when a bucket holds >= 10 matching events.
    self.walkAggregations(threshold=10)
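def main(self):
    """Alert on successful SSH public-key logins from watch-listed source addresses.

    The watchlist is read from ``ssh_access.json`` (``config['watchlist']``,
    each entry carrying an ``ipaddress``). The search covers the last 15
    minutes of sshd syslog events whose summary contains
    "Accepted publickey for ", restricted to those watched source addresses.
    """
    search_query = SearchQuery(minutes=15)
    self.config = self.parse_json_alert_config('ssh_access.json')
    search_query.add_must([
        TermMatch('category', 'syslog'),
        TermMatch('details.program', 'sshd'),
        PhraseMatch('summary', 'Accepted publickey for '),
    ])
    # A watchlist entry without 'ipaddress' raises KeyError, as the original
    # loop did: a malformed watchlist should fail loudly, not be skipped.
    watched_source_ips = [
        watched['ipaddress'] for watched in self.config['watchlist']
    ]
    # NOTE(review): an empty watchlist yields TermsMatch(..., []) — confirm
    # that matches nothing rather than everything before relying on it.
    search_query.add_must([
        TermsMatch('details.sourceipaddress', watched_source_ips),
    ])
    self.filtersManual(search_query)
    self.searchEventsSimple()
    self.walkEvents()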
def main(self):
    """Alert on bursts of failed sshd logins from a single source address.

    Searches the last two minutes of sshd events whose summary contains
    "failed" plus one of the login-related terms, drops events whose summary
    mentions a host listed under ``skiphosts`` in ``bruteforce_ssh.conf``,
    then aggregates by ``details.sourceipaddress`` and alerts once a bucket
    reaches the threshold.
    """
    self.parse_config('bruteforce_ssh.conf', ['skiphosts'])
    login_terms = ['login', 'invalid', 'ldap_count_entries', 'publickey', 'keyboard']
    query = SearchQuery(minutes=2)
    query.add_must([
        PhraseMatch('summary', 'failed'),
        TermMatch('details.program', 'sshd'),
        TermsMatch('summary', login_terms),
    ])
    # Exclusions are phrase matches on the free-text summary, not on a
    # source-address field. NOTE(review): confirm how the analyzer tokenizes
    # an address so a skiphosts entry cannot exclude more events than intended.
    for skipped_host in self.config.skiphosts.split():
        query.add_must_not(PhraseMatch('summary', skipped_host))
    self.filtersManual(query)
    # Aggregate per source address, keeping at most 10 sample events per bucket.
    self.searchEventsAggregated('details.sourceipaddress', samplesLimit=10)
    # Fire when a bucket holds >= 10 matching events.
    self.walkAggregations(threshold=10)