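def set_sID_cID():
    """Prompt for a Sguil alert id and return the matching ``event`` table row.

    The id has the form ``<sid>.<cid>``.  It is stored on the module-level
    ``event`` as ``sguilID`` and ``alertID`` (with ``alertType`` set to
    'Sguil'), its two halves as ``_sID`` / ``_cID``, and the Sguil event
    table is then queried for that sid/cid pair.  An id that is not two
    runs of decimal digits joined by a single dot, or one for which the
    query returns no row, is reported and the prompt is repeated.

    Returns:
        The last row returned by ``getSguilSql`` for the alert, i.e. the
        ``timestamp, src_ip, dst_ip, signature`` columns as the helper
        splits them (``tableSplit=True``).
    """
    digits = frozenset('0123456789')
    while True:
        # After a rejected id the attribute already exists, so re-prompt
        # without the section banner and overwrite the stored value.
        if hasattr(event, 'sguilID'):
            event.setAttribute('sguilID', prompt='Alert ID', header='', force=True)
        else:
            event.setAttribute('sguilID', prompt='Alert ID', header="Sguil Initial Indicator")
        event.setAttribute('alertID', event.sguilID, force=True)
        event.setAttribute('alertType', 'Sguil', force=True)

        # sid and cid are interpolated into the SQL text below, so only
        # plain ASCII digits are accepted; anything else is a malformed id.
        split_id = event.sguilID.split('.')
        if len(split_id) != 2 or not all(part and digits.issuperset(part) for part in split_id):
            print('Invalid AlertID or DB Error. Try again.\n')
            continue
        sid, cid = split_id
        event.setAttribute('_sID', value=sid, force=True)
        event.setAttribute('_cID', value=cid, force=True)

        query = ('SELECT timestamp, INET_NTOA(src_ip), INET_NTOA(dst_ip), signature '
                 'FROM event WHERE sid in (%s) AND cid in (%s);' % (event._sID, event._cID))
        log.debug('msg="MySQL query statement for alert id" alertID="%s" query="%s"' % (event.sguilID, query))
        query_results = getSguilSql(query, sguilserver=SGUIL_SERVER, tableSplit=True)
        try:
            return query_results[-1]
        except IndexError:
            # No row came back for this sid/cid pair: ask again.
            print('Invalid AlertID or DB Error. Try again.\n')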
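def execute(event):
    """Pull Sguil sancp flow records for every address on *event* and save them.

    For each address in ``event.ip_address_list`` (or the single
    ``event.ip_address`` when no list exists) the sancp table is queried,
    in both directions, for flows newer than the event's start date.  The
    rows are appended as comma-separated lines to
    ``<event._baseFilePath>.<confVars.outputExtension>`` and that file is
    pushed to Splunk.

    Args:
        event: the case/event object; reads ``_startDate``, ``_DT``,
            ``_sqlLimit``, ``_baseFilePath``, ``_splunk`` and the address
            attributes, and sets ``ip_address_list`` when it is missing.

    Raises:
        ValueError: if ``event._sqlLimit`` is not an integer.
    """
    import ipaddress  # function-scope: only needed to validate address strings

    print('Querying Sguil DB...\n')

    # A start date less than a day old is widened to one day before the
    # event's own timestamp so a fresh case still gets some context.
    if (datetime.datetime.now() - event._startDate).days < 1:
        start = event._DT - datetime.timedelta(days=1)
    else:
        start = event._startDate
    start_iso = start.date().isoformat()

    # int() guarantees the LIMIT clause can only ever hold a number.
    sql_limit = int(event._sqlLimit)

    if not hasattr(event, 'ip_address_list'):
        event.ip_address_list = [event.ip_address]

    orf = '%s.%s' % (event._baseFilePath, confVars.outputExtension)
    with open(orf, 'a') as out_raw_file:
        for ip in event.ip_address_list:
            # INET_ATON() is IPv4-only and the address is interpolated into
            # the SQL text: refuse anything that is not a dotted quad
            # instead of sending it to the server.
            try:
                ip_text = str(ipaddress.IPv4Address(ip))
            except ValueError:
                print("Skipping %r: not a valid IPv4 address.\n" % (ip,))
                continue
            print("Pulling flow for %s..." % ip)
            query = _sancp_flow_query(start_iso, ip_text, sql_limit)
            log.debug('msg="Sguil Flow Query" query="%s"' % query)
            query_results = getSguilSql(query, sguilserver=so_server, tableSplit=True)
            for line in query_results:
                out_raw_file.write(','.join(line) + '\n')

    # NOTE(review): the source's indentation was lost, so the extent of the
    # per-address loop could not be recovered; the push and the summary are
    # emitted once after all addresses are written — confirm against the
    # original.
    event._splunk.push(sourcetype=confVars.splunkSourcetype,
                       filename=orf, exclusionRegex='INET_NTOA')
    print('\n%s results saved to: %s' % (FORMAL_NAME, orf))


def _sancp_flow_query(start_iso, ip_text, sql_limit):
    """Build the two-direction (src then dst) sancp flow query for one IPv4 address."""
    select = (
        "( SELECT sensor.hostname, sancp.sid, sancp.sancpid, sancp.start_time as datetime, sancp.end_time, "
        "INET_NTOA(sancp.src_ip), sancp.src_port, INET_NTOA(sancp.dst_ip), sancp.dst_port, sancp.ip_proto, "
        "sancp.src_pkts, sancp.src_bytes, sancp.dst_pkts, sancp.dst_bytes FROM sancp IGNORE INDEX (p_key) "
        "INNER JOIN sensor ON sancp.sid=sensor.sid WHERE sancp.start_time > '%s' AND sancp.%s = INET_ATON('%s')) "
    )
    return (
        select % (start_iso, 'src_ip', ip_text)
        + "UNION "
        + select % (start_iso, 'dst_ip', ip_text)
        + "ORDER BY datetime, src_port ASC LIMIT %s;" % sql_limit
    )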