def __init__(self,
cfg,
logTTL=30,
maxLogsToProcess=0,
parserID=0,
parserName='Syslog',
logFile='/var/log/syslog',
keepPersistentStats=True,
metricsMode=False,
baselineMode=False,
sentryClient=None):
Inquisit.__init__(self,
cfg,
lgrName=__name__,
sentryClient=sentryClient)
self.parserID = parserID
self.parserName = parserName
self.logFile = logFile
self.logTTL = int(logTTL)
self.maxLogsToProcess = int(maxLogsToProcess)
self.keepPersistentStats = bool(keepPersistentStats)
self.metricsMode = bool(metricsMode)
self.baselineMode = bool(baselineMode)
# initialize offset file
self.offsetFile = '/opt/inquisition/tmp/' + str(
self.parserID) + '_' + self.parserName + '.offset'
# load templates into template store
self.templateStore = self.fetchTemplates()
self.lgr.info('loaded [ ' + str(len(self.templateStore)) +
' ] templates for ' + self.__str__())
self.lgr.debug(self.__str__() + ' created [ SUCCESSFULLY ]')
def __init__(self, cfg, sentryClient=None):
Inquisit.__init__(self,
cfg,
lgrName=__name__,
sentryClient=sentryClient)
# start connection pool manager
self.connPool = urllib3.PoolManager()
class InquisitTestCase(unittest.TestCase):
def setUp(self):
# generate config
cfg = configparser.ConfigParser()
cfg.read('build/tests/unit_tests_GOOD.cfg')
self.inquisit = Inquisit(cfg)
def test_generateLogger(self):
self.assertIsInstance(self.inquisit.lgr, logging.Logger)
def test_bounceInquisitionDbConnection(self):
self.inquisit.bounceInquisitionDbConnection()
self.assertIsInstance(self.inquisit.inquisitionDbHandle,
pymysql.connections.Connection)
def main():
"""
Main runtime module
:return: void
"""
# read in config file
cfg = generateCfg()
# start local logger
lgr = Inquisit.generateLogger(cfg, __name__)
lgr.info('starting inquisition.py...')
# create Sentry client for debugging (if API key is available)
sentryClient = None
try:
sentryApiKey = cfg['debug']['sentry_api_key']
except KeyError:
sentryApiKey = ''
if sentryApiKey:
# API key provided, initialize client
sentryClient = raven.Client(
dsn='https://' + sentryApiKey + '@sentry.io/174245',
release=raven.fetch_git_sha(path.dirname(__file__))
)
# initialize subroutine instances
anatomize = Anatomize(cfg, sentryClient)
erudite = Erudite(cfg, sentryClient)
sage = Sage(cfg, sentryClient)
augur = Augur(cfg, sentryClient)
if not cfg.getboolean('cli', 'config_check'):
# start log polling/parsing
anatomize.startAnatomizer()
# begin fetching OSINT data for threat detection engine
augur.fetchIntelData()
# start log anomaly engine (Erudite)
erudite.startAnomalyDetectionEngine()
try:
baselineMode = cfg.getboolean('learning', 'enableBaselineMode')
except (configparser.NoSectionError, configparser.NoOptionError, KeyError):
baselineMode = False
if not baselineMode:
# not running in baseline mode; start network threat detection engine
# network threat engine (Sage)
sage.startNetworkThreatEngine()
else:
lgr.info('running in baseline mode, not running network threat analysis engine (Sage)')
else:
msg = 'configuration check is [ SUCCESSFUL ], exiting...'
print('[INFO] ' + msg)
lgr.info(msg)
lgr.debug('exiting inquisition.py bootstrapper')
def __init__(self, cfg, sentryClient=None):
Inquisit.__init__(self,
cfg,
lgrName=__name__,
sentryClient=sentryClient)
self.lgr.info('loading Anatomize.py instance...')
# load parsers and associated templates
try:
self.parserStore = self.fetchParsers()
self.lgr.debug('loaded [ ' + str(len(self.parserStore)) +
' ] parsers into parser store')
except (InternalError, ProgrammingError) as e:
self.lgr.critical(
'could not fetch parsers from inquisition database :: [ ' +
str(e) + ' ]')
if Inquisit.sentryClient:
Inquisit.sentryClient.captureException()
exit(1)
self.lgr.info('loading of Anatomize.py [ COMPLETE ]')
def __init__(self, cfg, sentryClient=None):
Inquisit.__init__(self,
cfg,
lgrName=__name__,
sentryClient=sentryClient)
def setUp(self):
# generate config
cfg = configparser.ConfigParser()
cfg.read('build/tests/unit_tests_GOOD.cfg')
self.inquisit = Inquisit(cfg)