def get_records_for_rule(self, snort, rule):
records = []
alerts = snort.find(sig=rule['rule'])
by_src = groupby(alerts, itemgetter("ip_src"))
for ip, alerts in by_src:
ip = str(ip)
alerts = list(alerts)
if is_reblockable(ip) or is_fishy(ip) or (len(alerts) >= rule['minimum'] and num_subnets(alerts) >= rule['subnet_minimum']):
records.append(dict(ip=ip, alerts=alerts, rule=rule))
return records
def get_records_for_rule(self, snort, rule):
records = []
alerts = snort.find(sig=rule['rule'])
by_src = groupby(alerts, itemgetter("ip_src"))
for ip, alerts in by_src:
ip = str(ip)
alerts = list(alerts)
if is_reblockable(ip) or is_fishy(ip) or (
len(alerts) >= rule['minimum']
and num_subnets(alerts) >= rule['subnet_minimum']):
records.append(dict(ip=ip, alerts=alerts, rule=rule))
return records
def num_subnets(alerts):
by_dst = groupby(alerts, lambda a: subnet(a['ip_dst']))
return len(list(by_dst))
def num_subnets(alerts):
by_dst = groupby(alerts, lambda a: subnet(a['ip_dst']))
return len(list(by_dst))
