ファイル: brodns.py プロジェクト: chriswhitehat/cirta
def execute(event):
    """Pull the event's bro_dns records out of Splunk and persist them.

    Searches the search head for ``eventtype="bro_dns"`` events inside the
    event's day window, writes every ``_raw`` row to
    ``<event._baseFilePath>.<confVars.outputExtension>`` and forwards the same
    rows to ``event._splunk.push``.  Returns None; when the search yields no
    results a warning is logged and the function returns early.
    """

    sourcetype = "bro_dns"

    # Python 2 print statement with a trailing comma: keeps the cursor on this
    # line until "Done" is printed once the search has returned.
    print("Checking Splunk for events..."),

    sys.stdout.flush()

    # Search-head connection details come from the module-level SPLUNK_* settings.
    sp = Splunk(
        host=SPLUNK_SEARCH_HEAD,
        port=SPLUNK_SEARCH_HEAD_PORT,
        username=SPLUNK_SEARCH_HEAD_USERNAME,
        password=SPLUNK_SEARCH_HEAD_PASSWORD,
        scheme=SPLUNK_SEARCH_HEAD_SCHEME,
    )

    # Scope the search to the tracked host unless this is an ad-hoc run.
    # NOTE(review): on an ad-hoc run event._include must already have been set
    # elsewhere, otherwise the query formatting below raises AttributeError — confirm.
    if not event.adHoc:
        if hasattr(event, "ip_address"):
            # The address is interpolated into the SPL string without escaping;
            # a value containing a double quote would break the query.
            event._include = 'id_orig_h="%s" OR id_resp_h="%s"' % (event.ip_address, event.ip_address)

    # The text before the first '.' in cirta_id is an epoch timestamp.
    cirtaDT = epochToDatetime(event.cirta_id.split(".")[0])

    # Whole days between the cirta day and the event day.
    # NOTE(review): datetime.date(x) is the unbound datetime.date() method, so this
    # relies on `datetime` being the datetime class, not the module — confirm the import.
    timedelta = (datetime.date(event._DT) - datetime.date(cirtaDT)).days

    # Day offsets (relative to the cirta day) bounding the search window; latest
    # carries an extra +1, presumably so the "@d" snap covers the whole last day.
    earliest = timedelta - event._daysBefore

    latest = timedelta + 1 + event._daysAfter

    # Splunk relative-time modifiers need an explicit sign; negatives already carry one.
    if earliest >= 0:
        earliest = "+" + str(earliest)

    if latest >= 0:
        latest = "+" + str(latest)

    query = """search eventtype="%s" earliest_time="%sd@d" latest_time="%sd@d" %s | table _raw""" % (
        sourcetype,
        earliest,
        latest,
        event._include,
    )

    log.debug('''msg="raw event query" query="%s"''' % query)

    results = sp.search(query)

    print("Done")

    if not results:
        log.warn("No %s events exist in Splunk" % sourcetype)
        return

    raw = [x["_raw"] for x in results]

    if raw:
        with open("%s.%s" % (event._baseFilePath, confVars.outputExtension), "w") as outFile:
            for row in raw:
                outFile.write(row + "\n")
        print("%s file: %s%s.%s" % (sourcetype, colors.OKGREEN, event._baseFilePath, confVars.outputExtension))

    # Pushed even when raw is empty; only the file write above is skipped in that case.
    event._splunk.push(sourcetype=confVars.splunkSourcetype, eventList=raw)
ファイル: nsmap.py プロジェクト: chriswhitehat/cirta
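def getForwardZone(fzPath, nameServer, domain, today=None, attemptsLeft=10):
    """Parse the cached forward zone at *fzPath* into a dict of Records.

    The cache is (re)built through ``refreshForwardZone`` when the file is
    missing or its mtime falls on a day before *today*; each rebuild costs one
    attempt and the function re-enters itself until *attemptsLeft* reaches
    zero, at which point it reports to stderr and exits the process.

    Args:
        fzPath: path of the cached zone dump.
        nameServer, domain: forwarded unchanged to ``refreshForwardZone``.
        today: reference date for the staleness check.  Resolved at call time
            when omitted — the previous ``datetime.today()`` default was
            evaluated once at import, so a long-running process kept comparing
            the cache against a frozen date and never refreshed it.
        attemptsLeft: refresh attempts remaining before giving up.

    Returns:
        dict keyed by owner name (and by every A/TXT/CNAME answer value) whose
        values are shared ``Record`` objects: each parsed line is appended to
        ``Record.raw`` and A, TXT and CNAME answers go to ``ips``, ``txt`` and
        ``cnames`` respectively.
    """
    if today is None:
        today = datetime.datetime.today()

    sleep(1)

    if not attemptsLeft:
        sys.stderr.write('Could not get forward zone, exhausted max attempts of 10')
        exit()

    attemptsLeft -= 1
    try:
        fstat = os.stat(fzPath)
    except OSError:
        # No cache file yet: build one and re-enter with one attempt fewer.
        refreshForwardZone(fzPath, nameServer, domain)
        return getForwardZone(fzPath, nameServer, domain, today, attemptsLeft)

    modDate = epochToDatetime(fstat.st_mtime)

    if modDate.date() < today.date():
        # Stale cache: same refresh-and-retry path as a missing file.
        refreshForwardZone(fzPath, nameServer, domain)
        return getForwardZone(fzPath, nameServer, domain, today, attemptsLeft)

    recs = {}

    # `with` closes the handle even if parsing raises (the old open/close pair did not).
    with open(fzPath) as f:
        for line in f:
            sline = line.strip().split()
            # Only five-field lines are records (presumably dig-style
            # "<name> <ttl> <class> <type> <data>"); everything else is skipped.
            if len(sline) != 5:
                continue

            rec, recType, ans = sline[0].rstrip('.'), sline[3], sline[4]

            # For CNAMEs the canonical target becomes the key and the alias the
            # answer, so alias and target end up sharing one Record.
            if recType == 'CNAME':
                rec, ans = ans.rstrip('.'), rec

            if rec not in recs:
                recs[rec] = Record(rec)

            recs[rec].raw.append(line)

            # Let the answer value (IP, text or alias) resolve to the same Record.
            recs[ans] = recs[rec]

            if recType == 'A':
                recs[rec].ips.append(ans)

            if recType == 'TXT':
                recs[rec].txt.append(ans)

            if recType == 'CNAME':
                recs[rec].cnames.append(ans)

    return recs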
ファイル: event.py プロジェクト: chriswhitehat/cirta
 def __init__(self, cirta_id, configs, options, playbook, cirtaHome):
     """Build the state for one cirta run.

     Args:
         cirta_id: run identifier; the text before its first '.' is an epoch
             timestamp (it is passed to epochToDatetime for ``cirta_dt``).
         configs: parsed configuration; ``configs['cirta']['settings']``
             supplies TESTING, ANALYST_USERNAME, the SPLUNK_* values and
             IR_PATH / IR_PATH_GROUP, ``configs['attributes']`` the defaults.
         options: command-line options; ``test`` and ``disable_splunk`` are read.
         playbook: provides ``tracked`` and ``adHoc``.
         cirtaHome: install root; ``resources`` is resolved beneath it.
     """
     log.info('msg="initializing event"')
     # These four are set through object.__setattr__ directly.  NOTE(review):
     # presumably the class's own __setattr__ needs _fifoAttrs / attrDefaults to
     # exist before it can run — confirm in the override.
     object.__setattr__(self, 'cirta_id', cirta_id)
     object.__setattr__(self, '_fifoAttrs', OrderedDict())
     object.__setattr__(self, 'attrDefaults', configs['attributes'])
     object.__setattr__(self, 'currentPlugin', 'cirta')
     # Re-assigned through the normal attribute path as well.
     self.cirta_id = cirta_id
     # Human-readable creation time derived from the epoch prefix of cirta_id.
     self.cirta_dt = epochToDatetime(cirta_id.split('.')[0]).strftime("%Y-%m-%d %H:%M:%S")
     self.cirta_status = 'input'
     self._configs = configs
     self._options = options
     self._playbook = playbook
     # The config TESTING flag is overridden by an explicit --test option.
     self._testing = configs['cirta']['settings']['TESTING']
     if options.test:
         self._testing = options.test
     self._cirtaHome = cirtaHome
     self._tracked = self._playbook.tracked
     self._adhoc = self._playbook.adHoc
     # NOTE(review): setEventDateTime is expected to populate self._DT, which
     # the IR_PATH output directory below depends on — confirm.
     self.setEventDateTime(datetime.datetime.today())
     # Fall back to the OS login name when no analyst is configured.
     if configs['cirta']['settings']['ANALYST_USERNAME']:
         self._analystUsername = configs['cirta']['settings']['ANALYST_USERNAME']
     else:
         self._analystUsername = getpass.getuser()
     self._analystHostname = gethostname()
     # Splunk indexing can be switched off by config or by --disable-splunk.
     # The indexer credentials are read straight from the config file.
     if configs['cirta']['settings']['SPLUNK_ENABLED'] and not options.disable_splunk:
         self._splunkEnabled = True
         self._splunk = SplunkIt(configs['cirta']['settings']['SPLUNK_ENABLED'],
                             [x.strip() for x in configs['cirta']['settings']['SPLUNK_INDEXERS'].split(',')],
                             configs['cirta']['settings']['SPLUNK_INDEXER_PORT'],
                             configs['cirta']['settings']['SPLUNK_SEARCH_HEAD'],
                             configs['cirta']['settings']['SPLUNK_SEARCH_HEAD_PORT'],
                             configs['cirta']['settings']['SPLUNK_USER'],
                             configs['cirta']['settings']['SPLUNK_PASSWORD'],
                             configs['cirta']['settings']['SPLUNK_INDEX'],
                             self._analystHostname, 
                             self.cirta_id)
     else:
         self._splunkEnabled = False
         # Disabled stand-in: a SplunkIt built from all-None arguments.
         self._splunk = SplunkIt(None, None, None, None, None, None, None, None, None, None)
     self._stackTraces = []
     # Output goes under IR_PATH in a per-day (ISO date) directory.
     self._outDir = configs['cirta']['settings']['IR_PATH'] + self._DT.date().isoformat()
     self._outDirGroup = configs['cirta']['settings']['IR_PATH_GROUP']
     self._resourcesPath = os.path.join(self._cirtaHome, 'resources')
ファイル: mcevents.py プロジェクト: chriswhitehat/cirta
def execute(event):
    """Collect McAfee ePO events around the tracked IP from Splunk.

    Dumps the raw ``index=mcafee`` events for a fixed -20/+10 day window around
    the event day to ``<event._baseFilePath>.mc`` and pushes them to Splunk,
    then prints the 20 threat events closest in time to the event (ops
    categories and ``threat_type="none"`` excluded).  Returns None, early when
    the raw search is empty.
    """

    sp = Splunk(host=SPLUNK_SEARCH_HEAD, port=SPLUNK_SEARCH_HEAD_PORT, username=SPLUNK_SEARCH_HEAD_USERNAME, password=SPLUNK_SEARCH_HEAD_PASSWORD, scheme=SPLUNK_SEARCH_HEAD_SCHEME)


    # The text before the first '.' in cirta_id is an epoch timestamp.
    cirtaDT = epochToDatetime(event.cirta_id.split('.')[0])

    # NOTE(review): this subtracts full datetimes (the sibling plugins compare
    # .date() values), so the result is whole elapsed 24h periods — confirm intended.
    timedelta = (event._DT - cirtaDT).days

    # The window is hard-coded here instead of taken from event._daysBefore/_daysAfter.
    earliest = timedelta - 20

    latest = timedelta + 10

    # Splunk relative-time modifiers need an explicit sign; negatives already carry one.
    if earliest >= 0:
        earliest = '+' + str(earliest)

    if latest >= 0:
        latest = '+' + str(latest)

    # mcafee_id is rebuilt inside the search ("mc" + two digits of
    # detected_timestamp + "." + AutoID), the same eval mcafee.py uses.
    # The address is interpolated unescaped into the SPL string; a value
    # containing a double quote would break the query.
    rawQuery = '''search index=mcafee src_ip="%s" OR dest_ip="%s" earliest_time="%sd@d" latest_time="%sd@d" \
                | eval mcafee_id = "mc".substr(detected_timestamp, -5, 2).".".AutoID \
                | sort 0 _time | table _raw''' % (event.ip_address, event.ip_address, earliest, latest)

    # Python 2 print statement with a trailing comma keeps the cursor on the line.
    print('Checking Splunk Raw...'),

    sys.stdout.flush()

    # Rows get their newline here, so the file write below adds none.
    raw = [x['_raw'] + '\n' for x in sp.search(rawQuery)]
    
    print('Done')

    if not raw:
        print("No results")
        return


    with open("%s.%s" % (event._baseFilePath, 'mc'), 'w') as orf:
        for row in raw:
            orf.write(row)

    #event._splunk.push(sourcetype=confVars.splunkSourcetype, eventList=results)

    # Second search: the 20 non-ops threat events nearest the event time in
    # either direction, from the earliest day through now, listed chronologically.
    query = '''search index=mcafee category!="ops*" threat_type!="none" src_ip="%s" OR dest_ip="%s" earliest_time="%sd@d" latest_time="now" \
               | eval timedelta = _time - %s | eval position = if(timedelta < 0, "before", "after") \
               | eval abstimedelta = abs(timedelta) | sort 0 abstimedelta \
               | head 20 | sort 0 _time | eval mcafee_id = "mc".substr(detected_timestamp, -5, 2).".".AutoID \
               | table _time threat_type vendor_action user src_ip dest_ip signature file_name''' % (event.ip_address, 
                                                                                                                                event.ip_address, 
                                                                                                                                earliest, 
                                                                                                                                datetimeToEpoch(event._DT))

    print('\nChecking Splunk...'),

    sys.stdout.flush()

    results = [x for x in sp.search(query)]

    print('Done')

    if results:
        print("\n_time\t\t\ttype\taction\tuser\tsrc_ip\t\tdest_ip\t\tsignature\t\tfile_name")
        print("-" * 115)
        for result in results:
            # NOTE(review): assumes result.values() comes back in `table` column
            # order with _time first and every value a str — confirm for the
            # result type sp.search returns.
            print(result['_time'].split('.')[0] + "\t" + '\t'.join(result.values()[1:]))


    # The pushed rows still carry the trailing newline added above.
    event._splunk.push(sourcetype=confVars.splunkSourcetype, eventList=raw)
ファイル: mcafee.py プロジェクト: chriswhitehat/cirta
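def execute(event):
    """Seed the event from a McAfee ePO alert selected by its mcafee_id.

    Prompts for the McAfee ID (forcing a fresh prompt when one is already
    set), mirrors it into ``alertID``/``alertType``, fetches the matching alert
    from Splunk, sets the event date/time from ``detected_timestamp``, asks the
    analyst whether to track the source or destination IP and finally prompts
    for a description and a date range.  Returns None; exits the process when
    Splunk has no alert for the ID.
    """


    sp = Splunk(host=SPLUNK_SEARCH_HEAD, port=SPLUNK_SEARCH_HEAD_PORT, username=SPLUNK_SEARCH_HEAD_USERNAME, password=SPLUNK_SEARCH_HEAD_PASSWORD, scheme=SPLUNK_SEARCH_HEAD_SCHEME)

    if hasattr(event, 'mcAfeeID'):
        event.setAttribute('mcAfeeID', prompt='McAfee ID', header= '', force=True)
    else:
        event.setAttribute('mcAfeeID', prompt='McAfee ID', header="McAfee Initial Indicator")

    event.setAttribute('alertID', event.mcAfeeID, force=True)
    event.setAttribute('alertType', 'McAfee', force=True)

    # mcafee_id is a synthetic key ("mc" + two digits of detected_timestamp +
    # "." + AutoID) recomputed over the last 30 days and then filtered on.
    # The analyst-supplied ID is interpolated unescaped into the SPL string;
    # a value containing a double quote would break the query.
    query = '''search index=mcafee earliest=-30d@d | eval mcafee_id = "mc".substr(detected_timestamp, -5, 2).".".AutoID | search mcafee_id="%s" | head 1 | table detected_timestamp src_ip src_mac dest_ip dest_mac signature category''' % (event.mcAfeeID)

    # Python 2 print statement with a trailing comma keeps the cursor on the line.
    print('\nChecking Splunk...'),

    sys.stdout.flush()

    results = sp.search(query)

    print('Done')

    # Python 2 iterator protocol: with `head 1` only the first row matters.
    try:
        result = results.next()
    except(StopIteration):
        log.warn("Error: unable to pull McAfee ID event details from Splunk")
        exit()

    event.setOutPath(event.mcAfeeID)

    # NOTE(review): the last three characters of detected_timestamp are dropped
    # before the epoch conversion — presumably a millisecond suffix; confirm.
    timestamp = epochToDatetime(result['detected_timestamp'][:-3])

    srcIP = result['src_ip']
    srcMAC = result['src_mac']  # only used by the disabled mac_address lines below
    dstIP = result['dest_ip']
    dstMAC = result['dest_mac']  # only used by the disabled mac_address lines below
    secondaryName = result['signature']
    name = result['category']
    signature = '%s %s' % (name, secondaryName)


    # Note the utc offset for the US will always be -x so by adding the offset you are adding a negative, i.e. subtracting
    # This is very important for accurate time conversion.  You should always add the offset if the time is in UTC and
    # subtract the offset if the time is local.  If the reverse makes more sense to you, event._absUTCOffsetTimeDelta
    # is available
    # Also note, setEventDateTime is called twice to initialize utcOffsetTimeDelta then adjust.
    #event.setEventDateTime(datetime.datetime.strptime(timestamp, '%Y-%m-%d %H:%M:%S'))
    event.setEventDateTime(timestamp)
    event.setEventDateTime(event._DT)

    print('\nLocal Timestamp      Source IP        Destination IP   Signature')
    print('-' * 80)
    print('%-20s %-16s %-16s %s\n' % (event._DT.strftime('%Y-%m-%d %H:%M:%S'), srcIP, dstIP, signature))

    event.setAttribute('Event_Date/Time', event._DT.strftime('%Y-%m-%d %H:%M:%S'))

    ans = getUserInWithDef('Track source or destination (s/d)', 's')
    # Decide on the first letter: the previous `'s' in ans` substring test sent
    # answers such as "dest" down the source branch.
    choice = ans.strip().lower()
    if choice.startswith('s'):
        if srcIP:
            event.setAttribute('ip_address', srcIP)
        else:
            event.setAttribute('ip_address', prompt="\nIP Address")
        #if srcMAC:
        #    event.setAttribute('mac_address', srcMAC)
    elif choice.startswith('d'):
        if dstIP:
            event.setAttribute('ip_address', dstIP)
        else:
            event.setAttribute('ip_address', prompt="\nIP Address")
        #if dstMAC:
        #    event.setAttribute('mac_address', dstMAC)
    else:
        # Neither s nor d: offer the raw answer itself as the candidate address.
        event.setAttribute('ip_address', prompt='IP Address', default=ans, description='Neither the source or destination was chosen, please confirm.')

    print('')

    event.setAttribute('description', prompt='Description', default=signature)
    event.setDateRange()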
ファイル: ciscoise.py プロジェクト: chriswhitehat/cirta
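def execute(event):
    """Collect Cisco ISE events for the tracked MAC address from Splunk.

    Writes the raw ``index=cisco_ise`` events for the event's day window to
    ``<event._baseFilePath>.<confVars.outputExtension>``, pushes them to
    Splunk, then runs a second search for the identity record closest to the
    event time (user, network device groups, location, device type, domain).
    Returns None; an empty first search logs a warning and returns early.
    """

    # Python 2 print statement with a trailing comma keeps the cursor on the
    # line until "Done" is printed once the search has returned.
    print('Checking Splunk for events...'),


    sys.stdout.flush()

    sp = Splunk(host=SPLUNK_SEARCH_HEAD, port=SPLUNK_SEARCH_HEAD_PORT, username=SPLUNK_SEARCH_HEAD_USERNAME, password=SPLUNK_SEARCH_HEAD_PASSWORD, scheme=SPLUNK_SEARCH_HEAD_SCHEME)

    # Scope the search to the tracked endpoint unless this is an ad-hoc run.
    # NOTE(review): on an ad-hoc run event._include must already have been set
    # elsewhere, otherwise the query formatting below raises AttributeError — confirm.
    if not event.adHoc:
        if hasattr(event, 'mac_address'):
            # ISE logs MACs dash-separated; convert the colon form before matching.
            # The value is interpolated unescaped into the SPL string.
            event._include = 'EndPointMACAddress="%s"' % (event.mac_address.replace(":", "-"))

    # The text before the first '.' in cirta_id is an epoch timestamp.
    cirtaDT = epochToDatetime(event.cirta_id.split('.')[0])

    # Whole days between the cirta day and the event day (`datetime` has to be
    # the datetime class here for datetime.date(x) to work).
    timedelta = (datetime.date(event._DT) - datetime.date(cirtaDT)).days

    # Day offsets bounding the search window; latest carries an extra +1,
    # presumably so the "@d" snap covers the whole last day.
    earliest = timedelta - event._daysBefore

    latest = timedelta + 1 + event._daysAfter

    # Splunk relative-time modifiers need an explicit sign; negatives already carry one.
    if earliest >= 0:
        earliest = '+' + str(earliest)

    if latest >= 0:
        latest = '+' + str(latest)

    log.debug('DT="%s" cirtaDT="%s" timedelta="%s" daysBefore="%s" daysAfter="%s" earliest="%s" latest="%s"' % (event._DT, cirtaDT, (event._DT - cirtaDT).days, event._daysBefore, event._daysAfter, earliest, latest))

    query = '''search index=cisco_ise earliest_time="%sd@d" latest_time="%sd@d" %s | table _raw''' % (earliest,
                                                                                                     latest,
                                                                                                     event._include)

    log.debug('''msg="raw event query" query="%s"''' % query)

    results = sp.search(query)

    print('Done')

    if not results:
        # The message names this plugin's source (it previously said "Infoblox").
        log.warn("No Cisco ISE events exist in Splunk")
        return

    raw = [x['_raw'] for x in results]

    with open('%s.%s' % (event._baseFilePath, confVars.outputExtension), 'w') as outFile:
        for row in raw:
            outFile.write(row + '\n')

    event._splunk.push(sourcetype=confVars.splunkSourcetype, eventList=raw)

    print('\nChecking Splunk for Hostname and MAC...'),

    sys.stdout.flush()

    # Identity record nearest the event time that resolved an AD user; the
    # user name is the part of AD_User_Resolved_Identities before the '@'.
    query = '''search index=cisco_ise earliest_time="%sd@d" latest_time="%sd@d" %s | eval timedelta = abs(_time - %s) | sort 0 timedelta | where isnotnull(AD_User_Resolved_Identities) | rex field=AD_User_Resolved_Identities "(?<user>.+)@" | head 1 | rename NetworkDeviceGroups AS network_device_groups Location AS location EndPointMatchedProfile AS device_type AD_Domain as domain | table user network_device_groups location device_type domain''' % (earliest, latest, event._include, datetimeToEpoch(event._DT))

    log.debug('''msg="raw event query" query="%s"''' % query)

    # Materialized so the rows can be indexed regardless of what search() returns.
    results = list(sp.search(query))

    print('Done')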
    '''
ファイル: scvulns.py プロジェクト: chriswhitehat/cirta
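def execute(event):
    """Enrich the event with SecurityCenter 5 asset and vulnerability data.

    Logs in to SecurityCenter with the credentials on the event, looks the
    tracked ``ip_address`` up through ``ipInfo`` to set OS, NetBIOS name, MAC,
    DNS-derived names, compliance flag and last-scan time, then pulls
    ``vulndetails`` for that IP to derive the last logged-on user (plugin
    38689), local Administrators membership (plugin 10902) and a
    severity-sorted vulnerability table that is printed, written to
    ``<event._baseFilePath>.<confVars.outputExtension>`` and pushed to Splunk.
    Returns None; every failure path logs and returns instead of raising.
    """
    
    try:
        sc = SecurityCenter5(event.scHostname)
    except Exception:
        # Narrowed from a bare `except:` so KeyboardInterrupt/SystemExit still propagate.
        log.error("Failed to connect to Security Center")
        return

    sc.login(event.scUser, event.scPassword)

    ipInfo = sc.get('''ipInfo?ip=%s''' % event.ip_address)
    
    # A non-200 reply or an asset with no repositories both mean "nothing to show".
    if ipInfo.status_code == 200:
        ipInfo = ipInfo.json()['response']
        if not ipInfo.get('repositories'):
            log.warn("No vulnerability results found")
            return
    else:
        log.warn("No vulnerability results found")
        return

    if ipInfo:
        event.setAttribute('operating_system', ipInfo.get('os'))
        if ipInfo.get('netbiosName'):
            # Keep only the host part of a DOMAIN\HOST NetBIOS name.
            event.setAttribute('netbios_name', ipInfo.get('netbiosName').split('\\')[-1])
        event.setAttribute('mac_address', ipInfo.get('macAddress'))
        # dnsName may be a bare IPv4 address; only a value inet_aton rejects is
        # treated as a real host name.
        try:
            if ipInfo.get('dnsName'):
                socket.inet_aton(ipInfo.get('dnsName'))
        except socket.error:
            event.setAttribute('hostname', ipInfo.get('dnsName').split('.')[0])
            event.setAttribute('fqdn', ipInfo.get('dnsName'))
            event.setAttribute('domain_name', ipInfo.get('dnsName').split('.', 1)[-1])
        event.setAttribute('sc_compliant', ipInfo.get('hasCompliance'))
        if ipInfo.get('lastScan'):
            event.setAttribute('sc_lastScan', epochToDatetime(ipInfo.get('lastScan')))
      
    vulns = sc.analysis(('ip','=', event.ip_address), ('severity','!=','0'), tool='vulndetails')
    
    
    if vulns:
        for vuln in vulns:
            # Plugin 38689 reports the last successful logon; take the account name.
            if vuln['pluginID'] == '38689':
                event.setAttribute('username', vuln['pluginText'].split('Last Successful logon : ')[-1].split('<')[0])
                
        localAdmins = []
        for vuln in vulns:
            # Flatten the nested id/name objects so every field formats as a plain string.
            vuln['severity'] = vuln['severity']['id']
            vuln['repository'] = vuln['repository']['name']
            vuln['family'] = vuln['family']['name']

            # Plugin 10902 lists the local Administrators group as
            # "<br/>"-separated "  - NAME" entries in its HTML-ish plugin output.
            if vuln['pluginID'] == '10902':
                localAdmins = [x.split('  - ')[-1] for x in vuln['pluginText'].split("'Administrators' group :<br/><br/>")[-1].split('</plugin_output')[0].split('<br/>') if x]
                
                # NOTE(review): substring match — a user name that is a prefix of
                # an admin entry (e.g. "bob" vs "bobby") is flagged as local admin; confirm.
                if hasattr(event, 'username') and event.username:
                    if event.username.lower() in '\n'.join(localAdmins).lower():
                        event.setAttribute('local_admin', True, exceptional=True)
                    else:
                        event.setAttribute('local_admin', False)

        # sc_lastScan is only set above when SecurityCenter reported a lastScan;
        # guard so an asset without a scan date does not abort the plugin here.
        lastScan = event.sc_lastScan.isoformat() if hasattr(event, 'sc_lastScan') else ''
    
        vulnerabilities = []
        splunkVulnerabilities = []
        # Free-text fields are left out of the Splunk events to keep them compact.
        excluded = ['pluginText', 'description', 'solution', 'synopsis']
        for vuln in sorted(vulns, key=lambda v: int(v['severity']), reverse=True):
            
            splunkVulnerabilities.append(lastScan + ' ' + ' '.join([k + '="' + v + '"' for k,v in sorted(vuln.iteritems()) if k not in excluded]))
                    
            # Only findings at or above the configured scSeverity threshold are displayed.
            if int(vuln['severity']) >= event._riskFactors[event.scSeverity.lower()]:
                vulnerabilities.append('%(ip)-16s%(riskFactor)-13s%(port)-6s%(pluginID)-12s%(pluginName)s' % vuln)
                
        printStatusMsg('Scan Details', 22, '-', color=colors.HEADER2)
        print('Last Scan: %s' % lastScan)
        print('SC Compliant: %s' % event.sc_compliant)
        printStatusMsg('Local Admins', 22, '-', color=colors.HEADER2)
        print('\n'.join(sorted(localAdmins)))
        printStatusMsg('Vulnerabilities', 22, '-', color=colors.HEADER2)
        print('%-16s%-13s%-6s%-12s%s' % ('IP', 'Risk Factor', 'Port', 'Plugin ID', 'Plugin Name'))
        print('-' * 80)
        print('\n'.join(vulnerabilities))
        
        if vulnerabilities:
            event._splunk.push(sourcetype=confVars.splunkSourcetype, eventList=splunkVulnerabilities)
            with open('%s.%s' % (event._baseFilePath, confVars.outputExtension), 'w') as outFile:
                outFile.writelines([x + '\n' for x in splunkVulnerabilities])
    else:
        print('Asset not found.')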
ファイル: sjuniper.py プロジェクト: chriswhitehat/cirta
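def execute(event):
    """Collect firewall events for the tracked host from Splunk.

    Dumps the raw ``index=fortinet`` events for the event's day window to
    ``<event._baseFilePath>.<confVars.outputExtension>`` and pushes them to
    Splunk, then runs two follow-up searches: the user seen closest to the
    event time (stored as ``username``) and up to 25 distinct UTM URLs on each
    side of the event time, which are appended to ``event._vturls``.  Returns
    None; an empty result at any stage logs a warning and stops.

    NOTE(review): the module is named sjuniper and the warnings say "Juniper",
    but the raw and URL searches use index=fortinet while the user search uses
    index=juniper — confirm which index is intended.
    """
    
    # Python 2 print statement with a trailing comma keeps the cursor on the
    # line until "Done" is printed once the search has returned.
    print('\nChecking Splunk for events...'),

    sys.stdout.flush()

    sp = Splunk(host=SPLUNK_SEARCH_HEAD, port=SPLUNK_SEARCH_HEAD_PORT, username=SPLUNK_SEARCH_HEAD_USERNAME, password=SPLUNK_SEARCH_HEAD_PASSWORD, scheme=SPLUNK_SEARCH_HEAD_SCHEME)
    
    # Scope the searches to the tracked host unless this is an ad-hoc run.
    # The address is interpolated unescaped into the SPL string; a value
    # containing a double quote would break the query.
    if not event.adHoc:
        if hasattr(event, 'ip_address'):
            event._include = 'src="%s" OR dest="%s"' % (event.ip_address, event.ip_address)

    # The text before the first '.' in cirta_id is an epoch timestamp.
    cirtaDT = epochToDatetime(event.cirta_id.split('.')[0])

    # Whole days between the cirta day and the event day (`datetime` has to be
    # the datetime class here for datetime.date(x) to work).
    timedelta = (datetime.date(event._DT) - datetime.date(cirtaDT)).days

    # Day offsets bounding the search window; latest carries an extra +1,
    # presumably so the "@d" snap covers the whole last day.
    earliest = timedelta - event._daysBefore

    latest = timedelta + 1 + event._daysAfter

    # Splunk relative-time modifiers need an explicit sign; negatives already carry one.
    if earliest >= 0:
        earliest = '+' + str(earliest)

    if latest >= 0:
        latest = '+' + str(latest)

    query = '''search index=fortinet earliest_time="%sd@d" latest_time="%sd@d" %s | table _raw''' % (earliest,
                                                                                                     latest,
                                                                                                     event._include)
    
    log.debug('''msg="raw event query" query="%s"''' % query)

    results = sp.search(query)
    
    print('Done')
    
    if not results:
        log.warn("No Juniper events exist in Splunk")
        return
    
    raw = [x['_raw'] for x in results]
    
    with open('%s.%s' % (event._baseFilePath, confVars.outputExtension), 'w') as outFile:
        for row in raw:
            outFile.write(row + '\n')
    
    event._splunk.push(sourcetype=confVars.splunkSourcetype, eventList=raw)


    # NOTE(review): sid is never read below — confirm whether getLatestSID()
    # is needed for a side effect before dropping the call.
    sid = sp.getLatestSID()

    print('\nChecking Splunk for user...'),

    # Flushed like the other stages so the prompt shows while the search runs.
    sys.stdout.flush()
    
    # The event nearest the event time that carries a user field.
    query = '''search index=juniper earliest_time="%sd@d" latest_time="%sd@d" %s | eval timedelta = abs(_time - %s) | sort 0 timedelta | where isnotnull(user) | head 1 | table user''' % (earliest, latest, event._include, datetimeToEpoch(event._DT))
                
    # Materialized so results[0] works whether search() returns a list or an
    # iterator (sdhcp.py does the same before indexing).
    results = list(sp.search(query))
        
    print('Done')
        
    if results and 'user' in results[0]:
        event.setAttribute('username', results[0]['user'].lower())
    else:
        log.warn("Warning: unable to pull Fortinet user from Splunk")

    print('\nChecking Splunk for surrounding events...'),

    sys.stdout.flush()

    # Up to 25 distinct UTM URLs before and 25 after the event time, image and
    # CRL requests filtered out, returned in chronological order.  (An earlier
    # "head 500 / dedup uri" variant of this query was assigned and then
    # immediately overwritten; it has been removed.)
    query = '''search index=fortinet type=utm earliest_time="%sd@d" latest_time="%sd@d" %s | regex url!="\.jpg$|\.png$|\.gif$|\.crl$" | eval timedelta = _time - %s | eval position = if(timedelta < 0, "before", "after") | eval abstimedelta = abs(timedelta) | sort 0 abstimedelta | dedup hostname url | streamstats count AS row by position | where row <= 25 | eval uri = coalesce(hostname, dstip) + url | sort 0 _time | table _time srcip user status uri''' % (earliest, latest, event._include, datetimeToEpoch(event._DT))

    log.debug('''msg="raw event query" query="%s"''' % query)
        
    results = sp.search(query)
        
    print('Done')
        
    if not results:
        log.warn("Warning: unable to pull surrounding Fortinet events from Splunk")
        return

    # Accumulate the URIs on the event (presumably consumed by a later URL-lookup stage).
    if hasattr(event, '_vturls'):
        event._vturls.extend([x['uri'] for x in results])
    else:
        event._vturls = [x['uri'] for x in results]
    print('')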
ファイル: sdhcp.py プロジェクト: chriswhitehat/cirta
def execute(event):
    """Collect Infoblox DHCP events for the tracked IP from Splunk.

    Writes the raw ``index=infoblox`` events for the event's day window to
    ``<event._baseFilePath>.<confVars.outputExtension>``, pushes them to
    Splunk, then derives ``mac_address`` and ``hostname`` from the lease record
    nearest the event time (outside ad-hoc mode: the nearest one at or before
    it).  Returns None; an empty first search logs a warning and returns early.
    """

    # Python 2 print statement with a trailing comma keeps the cursor on the
    # line until "Done" is printed once the search has returned.
    print('Checking Splunk for events...'),


    sys.stdout.flush()

    sp = Splunk(host=SPLUNK_SEARCH_HEAD, port=SPLUNK_SEARCH_HEAD_PORT, username=SPLUNK_SEARCH_HEAD_USERNAME, password=SPLUNK_SEARCH_HEAD_PASSWORD, scheme=SPLUNK_SEARCH_HEAD_SCHEME)

    # Scope the searches to the tracked host unless this is an ad-hoc run.
    # NOTE(review): on an ad-hoc run event._include must already have been set
    # elsewhere, otherwise the query formatting below raises AttributeError — confirm.
    # The address is interpolated unescaped into the SPL string.
    if not event.adHoc:
        if hasattr(event, 'ip_address'):
            event._include = 'src="%s"' % (event.ip_address)

    # The text before the first '.' in cirta_id is an epoch timestamp.
    cirtaDT = epochToDatetime(event.cirta_id.split('.')[0])

    # Whole days between the cirta day and the event day (`datetime` has to be
    # the datetime class here for datetime.date(x) to work).
    timedelta = (datetime.date(event._DT) - datetime.date(cirtaDT)).days

    # Day offsets bounding the search window; latest carries an extra +1,
    # presumably so the "@d" snap covers the whole last day.
    earliest = timedelta - event._daysBefore

    latest = timedelta + 1 + event._daysAfter

    # Splunk relative-time modifiers need an explicit sign; negatives already carry one.
    if earliest >= 0:
        earliest = '+' + str(earliest)

    if latest >= 0:
        latest = '+' + str(latest)

    log.debug('DT="%s" cirtaDT="%s" timedelta="%s" daysBefore="%s" daysAfter="%s" earliest="%s" latest="%s"' % (event._DT, cirtaDT, (event._DT - cirtaDT).days, event._daysBefore, event._daysAfter, earliest, latest))

    query = '''search index=infoblox earliest_time="%sd@d" latest_time="%sd@d" %s | table _raw''' % (earliest,
                                                                                                     latest,
                                                                                                     event._include)

    log.debug('''msg="raw event query" query="%s"''' % query)

    results = sp.search(query)

    print('Done')

    if not results:
        log.warn("No Infoblox events exist in Splunk")
        return

    raw = [x['_raw'] for x in results]

    with open('%s.%s' % (event._baseFilePath, confVars.outputExtension), 'w') as outFile:
        for row in raw:
            outFile.write(row + '\n')

    event._splunk.push(sourcetype=confVars.splunkSourcetype, eventList=raw)

    print('\nChecking Splunk for Hostname and MAC...'),

    sys.stdout.flush()


    # Ad-hoc: take the first hostname/MAC seen.  Otherwise keep only records at
    # or before the event time (event epoch - _time >= 0) and take the nearest.
    if event.adHoc:
        query = '''search index=infoblox earliest_time="%sd@d" latest_time="%sd@d" %s | stats first(hostname) AS hostname first(src_mac) AS src_mac''' % (earliest, latest, event._include)
    else:
        query = '''search index=infoblox earliest_time="%sd@d" latest_time="%sd@d" %s | eval timedelta = %s -_time | where timedelta >= 0 | sort 0 timedelta | stats first(hostname) AS hostname first(src_mac) AS src_mac''' % (earliest, latest, event._include, datetimeToEpoch(event._DT))

    log.debug('''msg="raw event query" query="%s"''' % query)

    # Materialized so the single stats row can be indexed below.
    results = [x for x in sp.search(query)]

    print('Done')

    if results and 'src_mac' in results[0]:
        event.setAttribute('mac_address', results[0]['src_mac'].lower())
    else:
        log.warn("Warning: unable to pull Infoblox MAC from Splunk")

    if results and 'hostname' in results[0]:
        event.setAttribute('hostname', results[0]['hostname'].lower())
    else:
        log.warn("Warning: unable to pull Infoblox hostname from Splunk")


    print('')
ファイル: pcaps.py プロジェクト: chriswhitehat/cirta
 def logInScope(path):
     """Return True when the pcap file at *path* lies inside the event's pcap window.

     The file's epoch suffix (text after the last '.') is converted with
     epochToDatetime, event._utcOffsetTimeDelta is subtracted, and the result
     is compared inclusively against event._pcapStart and event._pcapEnd.
     """
     stamp = epochToDatetime(path.split('.')[-1]) - event._utcOffsetTimeDelta
     return event._pcapStart <= stamp <= event._pcapEnd