def process_pcap_on_service(self):
global suricata_socket_file
if not os.path.exists(
suricata_socket_file
) or self.output_folder is None or not os.path.exists(self.pcap_file):
print "SURICATASERVICE INVALID DATA ERROR"
return False
# create output folder
if not os.path.exists(self.output_folder):
os.mkdir(self.output_folder)
# suricata connection
try:
suri = suricatasc.SuricataSC(suricata_socket_file)
suri.connect()
except Exception as e:
print "SURICATASERVICE SOCKET CONNECTION ERROR"
traceback.print_exc()
return False
# suricata command (pcap-file)
try:
retcode = suri.send_command("pcap-file", {
"filename": self.pcap_file,
"output-dir": self.output_folder,
})
except Exception as e:
suri.close()
print "SURICATASERVICE COMMAND FAILED"
traceback.print_exc()
return False
# return code
if not retcode or ("return" in retcode and retcode["return"] != "OK"):
suri.close()
print "SURICATASERVICE CODE ERROR %s :: %s" % (retcode["return"],
retcode["message"])
return False
# TODO: I'm not sure that we're not waiting for ALL jobs to be
# finished. Maybe we should detect that our actual job has
# ended well, not all of them. Also, I wonder if multiprocessing
# will really improve performance and if we should not either use
# a dedicated dispatcher which polls regularly the new tasks.
exception_count = 0
while True:
try:
retcode = suri.send_command("pcap-current")
except Exception as e:
exception_count += 1
if exception_count == 10:
suri.close()
print "SURICATASERVICE EXCEPTIONS MAX REACHED"
return False
if retcode and ("message" in retcode
and retcode["message"] == "None"):
break
time.sleep(1)
suri.close()
return True
def process_pcap_socket(self):
"""Process a PCAP file with Suricata in socket mode."""
if not HAVE_SURICATASC:
raise CuckooProcessingError(
"Suricata has been configured to run in socket mode but "
"suricatasc has not been installed, please re-install "
"Suricata or SuricataSC"
)
if not os.path.exists(self.socket):
raise CuckooProcessingError(
"Suricata has been configured to run in socket mode "
"but the socket is unavailable"
)
suri = suricatasc.SuricataSC(self.socket)
try:
suri.connect()
except suricatasc.SuricataException as e:
raise CuckooProcessingError(
"Error connecting to Suricata in socket mode: %s" % e
)
# Submit the PCAP file.
ret = suri.send_command("pcap-file", {
"filename": self.pcap_path,
"output-dir": self.suricata_path,
})
if not ret or ret["return"] != "OK":
raise CuckooProcessingError(
"Error submitting PCAP file to Suricata in socket mode, "
"return value: %s" % ret
)
# TODO Should we add a timeout here? If we do so we should also add
# timeout logic to the binary mode.
while True:
ret = suri.send_command("pcap-current")
# When the pcap file has been processed the "current pcap" file
# will be none.
if ret and ret["message"] == "None":
break
time.sleep(1)
def status(self):
suri_running = False
if settings.SURICATA_UNIX_SOCKET:
sc = suricatasc.SuricataSC(settings.SURICATA_UNIX_SOCKET)
sc.connect()
res = sc.send_command('uptime', None)
if res['return'] == 'OK':
suri_running = True
sc.close()
else:
for proc in psutil.process_iter():
try:
pinfo = proc.as_dict(attrs=['name'])
except psutil.NoSuchProcess:
pass
else:
if pinfo['name'] == 'Suricata-Main':
suri_running = True
break
return suri_running
def launch_or_load_suricata(self):
self.suricata_socket = os.path.join(self.run_dir, 'suricata.socket')
if not os.path.exists(self.suricata_socket):
command = [
SURICATA_BIN,
"-vvvv", # Useful for debugging
"-c",
self.suricata_yaml,
f"--unix-socket={self.suricata_socket}",
"--pidfile",
f"{self.run_dir}/suricata.pid",
"--set",
f"logging.outputs.1.file.filename={self.suricata_log}",
]
self.log.info(f"Launching Suricata: {' '.join(command)}")
self.suricata_process = subprocess.Popen(command)
self.suricata_sc = suricatasc.SuricataSC(self.suricata_socket)
if not self.suricata_running_retry():
raise Exception('Suricata could not be started.')
import time
import argparse
import json
parser = argparse.ArgumentParser(prog='suri-influxdb', description='Export suricata stats to InfluxDB')
parser.add_argument('-H', '--host', default='localhost', help='Host running InfluxDB')
parser.add_argument('-P', '--port', default=2003, help='Port of InfluxDB data socket')
parser.add_argument('-O', '--oneshot', action='store_const', const=True, help='Send one update and exit', default=False)
parser.add_argument('-D', '--delay', default=10, help='Delay between data dump')
parser.add_argument('-d', '--db', default='suricata', help='Database name in InfluxDB')
parser.add_argument('socket', help='suricata socket file to connect to',
default="/var/run/suricata/suricata-command.socket", nargs='?')
parser.add_argument('-v', '--verbose', action='store_const', const=True, help='verbose output', default=False)
args = parser.parse_args()
sc = suricatasc.SuricataSC(args.socket)
try:
sc.connect()
except:
error = sys.exc_info()[0]
print "connection init error :: %r %s" % (error,args.socket)
if args.oneshot:
sys.exit(1)
#todo ...
USER = '******'
PASSWORD = '******'
client = InfluxDBClient(args.host, args.port, USER, PASSWORD, args.db)
#todo, create db if not exist
#dbs = client.get_database_list()
