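def _retry_update(update, arg, attempts=2):
    """Call ``update(arg)`` until it returns a falsy value, at most ``attempts`` times.

    Mirrors the original retry loops exactly: one second is slept after every
    call, including the last one, and the loop stops as soon as the update
    reports that nothing more needs doing.
    """
    for _ in range(attempts):
        keep_going = update(arg)
        time.sleep(1)
        if not keep_going:
            break


def checkticket(ip_src, cipher, msg_type, timestamp):
    """Check a presented Kerberos ticket against ciphers the KDC actually issued.

    A ticket whose cipher was never seen in a KDC reply to ``ip_src`` (and that
    is not explained by a KRB_AP_ERR_TKT_EXPIRED error right after the request)
    is reported as a forged ticket: "Golden" for msg_type 12, "Silver" for 14.

    Args:
        ip_src: Address of the client presenting the ticket; matched against
            ``ip_dst`` of the earlier KDC reply in ``cipher_table``.
        cipher: Ticket cipher text, compared with ``cipher_table.kerberos_cipher``.
        msg_type: Kerberos message type of the observed request. 12 (TGS-REQ)
            is checked against AS-REP/TGS-REP rows (11/13); 14 (AP-REQ) against
            TGS-REP rows (13). Any other type is ignored (it used to crash on an
            unbound ``curfet``).
        timestamp: Capture time as a string; its first ten characters are read
            as epoch seconds (assumes a millisecond-epoch string — TODO confirm).

    Side effects: prints diagnostics, appends to ./detected_ticket.log, calls
    send_alert.Send_alert on a detection and, for msg_type 12, pushes the
    detection through update_es.
    """
    # Both lookups are parameterised: the driver binds the values, nothing is
    # interpolated into the SQL text.
    if msg_type == 12:
        # A TGT in a TGS-REQ must have been issued in an AS-REP or TGS-REP.
        query = ('SELECT ip_src, kerberos_cipher, timestamp FROM cipher_table '
                 'WHERE (msg_type = 11 OR msg_type = 13) AND ip_dst = INET_ATON(%s) '
                 'AND kerberos_cipher = %s')
    elif msg_type == 14:
        # A service ticket in an AP-REQ must have been issued in a TGS-REP.
        query = ('SELECT ip_src, kerberos_cipher, timestamp FROM cipher_table '
                 'WHERE msg_type = 13 AND ip_dst = INET_ATON(%s) '
                 'AND kerberos_cipher = %s')
    else:
        return

    # NOTE(review): the DB credentials are inline literals (masked in this copy);
    # reading them from a config file or the environment keeps them out of source.
    conn = mysql.connector.connect(user='******', host='localhost', password='******', database='kerberos')
    cur = conn.cursor(buffered=True)
    try:
        # Presumably lets the capture pipeline finish inserting the KDC reply
        # before we look for it — confirm against the producer.
        time.sleep(1)
        cur.execute(query, (ip_src, cipher))
        matches = cur.fetchall()
        for row in matches:
            print(row[1])
        if matches:
            print('matched with old cipher at ' + str(timestamp))
            return

        # Check TKT Expire: a KRB-ERROR with error_code 32 (KRB_AP_ERR_TKT_EXPIRED)
        # shortly after the request explains an unknown cipher without forgery.
        # The +1000 window is in the timestamp column's own units (milliseconds
        # if the column is a millisecond epoch — confirm).
        query = ('SELECT * FROM cipher_table WHERE timestamp BETWEEN %s AND %s '
                 'AND ip_dst = INET_ATON(%s) AND error_code = 32;')
        cur.execute(query, (timestamp, str(int(timestamp) + 1000), ip_src))
        if cur.rowcount != 0:
            print('TKT Expired at ' + str(timestamp))
            return

        # No issuing reply and no expiry error: report a forged ticket.
        utctime = datetime.fromtimestamp(int(timestamp[:10]), timezone.utc)
        if msg_type == 12:
            label = 'Golden ticket'
            verdict = SignatureDetector.RESULT_NOTGT
        else:
            label = 'Silver ticket'
            verdict = SignatureDetector.RESULT_SILVER
        message = label + ' was used on ' + str(ip_src) + ' at ' + str(utctime)
        print(message)
        # Write and close the log before alerting so the file is not held open
        # across the alert call.
        with open('./detected_ticket.log', mode='a') as f:
            f.write(message + ' ' + str(cipher) + '\n')
        tactics = identify_attack.identify_tactics(verdict, None)
        send_alert.Send_alert(
            result=verdict, attack=tactics, datetime=utctime, ip_src=ip_src,
            eventid='-', accountname='-', clientaddr='-', servicename='-',
            processname='-', objectname='-', sharedname='-')

        if msg_type == 12:
            # Propagate the golden-ticket detection to the event and packet
            # records in Elasticsearch; each update is attempted at most twice.
            _retry_update(update_es.update_event, ip_src)
            _retry_update(update_es.update_packet, cipher)
    finally:
        cur.close()
        conn.close()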
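def _form_field(form, key, lower=True):
    """Return ``form[key]`` with the wrapping single quotes stripped, or None if absent.

    The sender wraps values in single quotes, which is why ``strip("'")`` is
    applied; most fields are also lower-cased for case-insensitive matching.
    """
    value = form.get(key, None)
    if value is None:
        return None
    value = value.strip("'")
    return value.lower() if lower else value


def preds():
    """Flask handler: normalise the posted event fields, run detection and alert.

    Reads the form fields datetime, eventid, accountname, clientaddr,
    servicename, processname, objectname, sharedname and securityid.

    Returns:
        ``SignatureDetector.RESULT_NORMAL`` alone when the account name contains
        ``DOMAIN_NAME`` or is empty; otherwise ``"<result>,<tactics>"`` where
        ``tactics`` is empty unless an alert was raised.

    Raises:
        ValueError: if ``datetime`` or ``eventid`` was not posted (the original
            failed on these with an AttributeError).
    """
    form = request.form
    event_datetime = _form_field(form, 'datetime', lower=False)
    eventid = _form_field(form, 'eventid', lower=False)
    if event_datetime is None or eventid is None:
        raise ValueError("form fields 'datetime' and 'eventid' are required")

    accountname = None  # stays None when the field is absent (was an unbound local before)
    org_accountname = form.get('accountname', None)
    if org_accountname is not None:
        # Lower-case and drop any '@REALM' suffix before comparing.
        accountname = org_accountname.strip("'").lower().split('@')[0]
        # Names containing DOMAIN_NAME, and empty names, are not analysed.
        if DOMAIN_NAME in accountname or not accountname:
            return SignatureDetector.RESULT_NORMAL

    clientaddr = _form_field(form, 'clientaddr', lower=False)
    servicename = _form_field(form, 'servicename')
    processname = _form_field(form, 'processname')
    objectname = _form_field(form, 'objectname')
    sharedname = _form_field(form, 'sharedname')
    securityid = _form_field(form, 'securityid')

    # Bundle the fields into the object the detectors consume.
    inputLog = InputLog.InputLog(event_datetime, eventid, accountname, clientaddr,
                                 servicename, processname, objectname, sharedname,
                                 securityid)
    result = SignatureDetector.signature_detect(inputLog)
    # signature_detect may have normalised these on the log object; read them back.
    clientaddr = inputLog.get_clientaddr()
    processname = inputLog.get_processname()

    tactics = ''
    if result in (SignatureDetector.RESULT_CMD, SignatureDetector.RESULT_MAL_CMD):
        if mode == MODE_ML:
            result = ML.preds(eventid, accountname, processname, objectname,
                              base_dummies_4674, clf_4674, base_dummies_4688, clf_4688)
        else:
            processname = processname.strip().strip("'")
            result = SignatureDetector.check_cmd_whitelist(processname)

    if result not in (SignatureDetector.RESULT_NORMAL, ML.RESULT_WARN, SignatureDetector.WARN):
        print(result)
        print(','.join([inputLog.get_eventid(), inputLog.get_accountname(),
                        inputLog.get_clientaddr(), inputLog.get_processname(),
                        inputLog.get_sharedname()]))
        tactics = identify_attack.identify_tactics(result, inputLog)
        # NOTE(review): this call is positional and folds result and tactics into
        # one argument, whereas checkticket() calls Send_alert with keyword
        # arguments (result=, attack=, ...); confirm against Send_alert's signature.
        send_alert.Send_alert(result + ',' + tactics, event_datetime, clientaddr, eventid,
                              accountname, clientaddr, servicename, processname,
                              objectname, sharedname)
    return result + ',' + tactics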