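def execute(event):
    """Look up NetBIOS details for ``event.ip_address`` with nbtscan.

    Runs ``nbtscan`` against the event's IP, takes the last line of its
    output and stores the NetBIOS name (also as ``hostname``), the
    server/user flags and the MAC address on the event. A last line that
    starts with '-' is treated as "no answer" and nothing is set. When the
    line cannot be split into five columns an error is logged and the event
    is left unchanged.
    """
    # runBash passes the string to a shell, so the address is quoted instead
    # of being pasted in raw: it is event data, not a literal under our control.
    try:
        from shlex import quote  # Python 3
    except ImportError:
        from pipes import quote  # Python 2
    print('Checking nbtscan...')
    nbt = runBash('nbtscan %s' % quote('%s' % event.ip_address))
    lines = nbt.read().splitlines()
    if not lines:
        # Guard: with no output at all, lines[-1] would raise IndexError.
        log.error("nbtscan produced no output for %s" % event.ip_address)
        return
    results = lines[-1]
    print('\n' + results)
    # nbtscan prints a '-' separator line when nothing answered.
    if results.startswith('-'):
        return
    try:
        _ip, netName, server, user, mac = results.split()
    except ValueError:
        log.error("nbtscan results failed to parse")
        return
    netName = netName.lower()
    event.setAttribute('netbios_name', netName)
    event.setAttribute('hostname', netName)
    # NOTE(review): both flags store netName rather than the server/user
    # columns themselves; kept as is -- confirm that is the intended value.
    if 'server' not in server:
        event.setAttribute('netbios_server', netName)
    if 'unknown' not in user:
        event.setAttribute('netbios_user', netName)
    event.setAttribute('netbios_mac', mac)
    event.setAttribute('mac_address', mac)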
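def execute(event):
    """Reverse-resolve ``event.ip_address`` with dig and record the PTR name.

    Stores dig's ``+short`` answer (whitespace and trailing dot removed) as
    ``a_record`` and its first dotted label as ``hostname``. Nothing is set
    when dig returns an empty answer.
    """
    # runBash passes the string to a shell; quote the address so that
    # metacharacters in event data cannot alter the command line.
    try:
        from shlex import quote  # Python 3
    except ImportError:
        from pipes import quote  # Python 2
    print('Executing dig...')
    cmd = 'dig -x %s +short' % quote('%s' % event.ip_address)
    a_record = runBash(cmd).read().strip().rstrip('.')
    if not a_record:
        return
    event.setAttribute('a_record', a_record)
    # hostname = first label of the answer (several PTRs would arrive
    # newline-separated; the first label of the first one is used).
    event.setAttribute('hostname', a_record.split('.')[0])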
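def queueFile(self, filename, filepath, submissionSettings):
    """Upload a file to the ``submissions`` API endpoint with curl and return its ID.

    Args:
        filename: not used by this method.
        filepath: local path of the file to upload (``filename=@...`` form field).
        submissionSettings: dict serialised to JSON for the ``options`` form field.

    Returns:
        The ``ID`` of the first entry in the JSON list the API returns.

    Raises:
        Whatever ``simplejson.loads`` raises when the body is not JSON (an
        empty body, e.g. when curl failed, reaches the parser too).
    """
    try:
        from shlex import quote  # Python 3
    except ImportError:
        from pipes import quote  # Python 2
    submitURL = self.baseURL + 'submissions'
    # Every interpolated value is shell-quoted: the path and the JSON are
    # data (sample names, settings), and quoting also keeps '$', '`' and
    # backslashes inside the JSON from being interpreted by the shell.
    # NOTE(review): -k disables TLS certificate verification and the API
    # token is visible in the process list while curl runs -- confirm both
    # are acceptable for this deployment.
    curlCmd = ' '.join([
        'curl -qgsSkH "Content-Type: multipart/form-data" --no-progress-bar',
        '--header %s' % quote('X-FEApi-Token: %s' % self.token),
        '-F %s' % quote('filename=@%s' % filepath),
        '-F %s' % quote('options=%s' % simplejson.dumps(submissionSettings)),
        quote(submitURL),
    ])
    response = runBash(curlCmd).read()
    if response:
        print(response)
    return simplejson.loads(response)[0]['ID']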
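def mergePCAPGroups(event):
    """Merge the PCAPs of each configured sensor group into one file.

    ``confVars.mergeGroups`` is a comma-separated list of ``name:match``
    entries. For each entry, every path in ``event.pcaps`` that contains
    ``match`` is merged with mergecap into ``<baseFilePath>.<name>.pcap``;
    the merged file then replaces the matched entries in ``event.pcaps``.
    Blank entries (empty setting, trailing comma) are skipped.

    Raises:
        ValueError: an entry is not of the form ``name:match``.
    """
    try:
        from shlex import quote  # Python 3
    except ImportError:
        from pipes import quote  # Python 2
    for entry in confVars.mergeGroups.split(','):
        entry = entry.strip()
        if not entry:
            continue
        name, match = entry.split(':')
        matched = [pcap for pcap in event.pcaps if match in pcap]
        if not matched:
            continue
        stdWriteFlush('Merging %s sensor group...\n' % name)
        mergedPCAP = '%s.%s.pcap' % (event._baseFilePath, name)
        # Paths are quoted so spaces or metacharacters survive the shell.
        # The handle is drained so mergecap has finished before the merged
        # file is referenced (runBash handles are read for output elsewhere;
        # assumed to be popen-style).
        cmd = 'mergecap -w %s %s' % (
            quote(mergedPCAP), ' '.join(quote(pcap) for pcap in matched))
        runBash(cmd).read()
        for pcap in matched:
            event.pcaps.remove(pcap)
        event.pcaps.append(mergedPCAP)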
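def tcpdumpFiles(event, ssh, server, dailies):
    """Filter each sensor's daily PCAPs with the event BPF and copy the result back.

    For every ``sensor -> [remote pcap paths]`` in ``dailies``, each PCAP is
    filtered on the sensor (over ``ssh``) with ``event._pcapBPF`` into a
    numbered temp file under /tmp. Non-empty results are concatenated with
    concatPCAPs(), the concatenated file is copied back with scp to
    ``<baseFilePath>.<sensor>.pcap`` (appended to ``event.pcaps``), and the
    remote temp files are removed.

    Raises:
        ValueError: tcpdump reported a BPF syntax error.
    """
    def pcapNotEmpty(ssh, pcapFile):
        # Number of lines tcpdump prints for the first packet: 0 when empty.
        stdin, stdout, stderr = ssh.exec_command(
            '/usr/sbin/tcpdump -s 1515 -nn -c 1 -r %s' % (pcapFile))
        return len(stdout.readlines())

    for sensor, logs in dailies.items():
        tmpPath = '/tmp/%s_%s' % (os.path.basename(event._baseFilePath), sensor)
        # NOTE(review): the remote temp name is predictable and lives in the
        # shared /tmp -- confirm /tmp on the sensors is not shared with
        # untrusted users, or add a random component.
        i = 0
        total = len(logs)
        absTempPaths = []
        for count, pcapFile in enumerate(logs, 1):
            stdWriteFlush(precentComplete('Processing PCAPs on %s: ' % sensor, count, total))
            # i only advances for non-empty results, so an empty output file
            # is overwritten by the next capture.
            absTempPath = "%s%06d" % (tmpPath, i)
            # The BPF is passed unquoted: the configured value may already
            # carry its own shell quoting (parentheses etc.) -- TODO confirm.
            stdin, stdout, stderr = ssh.exec_command(
                '/usr/sbin/tcpdump -s 1515 -nn -r %s -w %s %s'
                % (pcapFile, absTempPath, event._pcapBPF))
            error = stderr.read()
            stdout.read()
            if 'tcpdump: syntax error' in error:
                log.error("Error: Invalid BPF, '%s'" % event._pcapBPF)
                log.debug('msg="invalid bpf" bpf="%s"' % event._pcapBPF)
                # A real exception: raising the bare string is itself a TypeError.
                raise ValueError("Invalid BPF '%s': %s" % (event._pcapBPF, error.strip()))
            if pcapNotEmpty(ssh, absTempPath):
                i += 1
                absTempPaths.append(absTempPath)
        stdWriteFlush('\n')
        if absTempPaths:
            concatPCAPs(ssh, tmpPath, sensor, absTempPaths)
            print('Transferring PCAP from %s...\n' % sensor)
            dstPCAP = '%s.%s.pcap' % (event._baseFilePath, sensor)
            event.pcaps.append(dstPCAP)
            # Drain the scp handle so the copy has completed before the remote
            # temp files are removed below (runBash handles are read for
            # output elsewhere; assumed to be popen-style).
            runBash('scp %s:%sconcatenated %s' % (server, tmpPath, dstPCAP)).read()
        # Always clean up: an empty filtered file is left behind even when
        # nothing matched.
        ssh.exec_command('rm %s*' % tmpPath)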
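def execute(event):
    """Run the Bro extract script over each PCAP on the event and collect its output.

    For every path in ``event.pcaps`` Bro is run inside a fresh temp directory
    next to the PCAP. The generated ``*.log`` files are renamed to
    ``<pcap-stem>.bro.<log>`` and pushed with ``event._splunk.push``; files
    Bro carved into ``extract_files`` are renamed to
    ``<dir>/bin/<pcap-stem>.<filename>.<id>`` using the filename column of
    files.log. The list of carved paths (or None when nothing was carved) is
    stored as ``extracted_files``.

    Logs and returns early when the Bro binary or the extract script is
    missing. The working directory is changed while processing and ends in
    the directory of the last PCAP.
    """
    try:
        from shlex import quote  # Python 3
    except ImportError:
        from pipes import quote  # Python 2
    import shutil

    extractScript = '%s/bro/extract.bro' % event._resourcesPath
    if not os.path.exists(confVars.broPath):
        log.error('Bro does not exist check installation and [%s] in sources.conf' % __name__)
        log.debug('msg="configured bro path invalid" path="%s"' % confVars.broPath)
        return
    if not os.path.exists(extractScript):
        log.error('Bro extract script does not exist check CIRTA resources directory')
        log.debug('msg="bro extract resource path invalid" path="%s"' % extractScript)
        return

    extracted = []
    for pcap in event.pcaps:
        outDir = os.path.dirname(os.path.abspath(pcap))
        try:
            tempPath = tempfile.mkdtemp(dir=outDir)
        except OSError:
            log.warning("Warning: problem creating temporary directory at '%s'. Skipping..." % outDir)
            log.debug('msg="unable to create temp pcap directory" path="%s" result="skipping"' % outDir)
            # Skip this PCAP only; the remaining ones are still processed.
            continue
        pcapStem = '.'.join(os.path.basename(pcap).split('.')[:-1])
        printStatusMsg(os.path.basename(pcap), length=20, char='-', color=colors.HEADER2)
        os.chdir(tempPath)
        pcapBase = "%s/%s" % (outDir, pcapStem)
        # broPath is left unquoted in case the setting carries its own
        # arguments -- TODO confirm; the two paths are quoted for the shell.
        # Draining the handle waits for Bro to finish before the temp
        # directory is listed (runBash handles are read elsewhere).
        runBash("%s -r %s %s" % (confVars.broPath, quote(pcap), quote(extractScript))).read()

        filesPath = None
        logs = [os.path.join(tempPath, x) for x in os.listdir(tempPath)]
        # The loop variable is not called 'log': that would shadow the
        # module logger used by the next iteration's error handling.
        for broLog in (x for x in logs if '.log' in x):
            dest = '.'.join([pcapBase, 'bro', os.path.basename(broLog)])
            os.rename(broLog, dest)
            if 'files.log' in dest:
                filesPath = dest
            print('Bro Generated: %s' % dest)
            # sourcetype suffix is the log name, e.g. 'conn' of '<stem>.bro.conn.log'
            event._splunk.push(sourcetype="brospect_" + dest.split('.')[-2],
                               filename=dest, exclusionRegex='^#')

        extractDir = os.path.join(tempPath, 'extract_files')
        if os.path.exists(extractDir):
            if filesPath is None:
                log.warning("Warning: no files.log for '%s'; carved files keep their Bro id only" % pcap)
                files = []
            else:
                with open(filesPath) as fh:
                    files = fh.read().splitlines()
            print('')
            extractBase = os.sep.join([outDir, 'bin', pcapStem])
            for extractName in os.listdir(extractDir):
                extract = os.path.join(extractDir, extractName)
                rows = [x for x in files if extractName in x]
                filename = rows[0].split('\t')[9] if rows else '-'
                # The filename column is taken from the captured traffic
                # (whatever name the peer sent), so only its basename is
                # used: a value containing path separators or '..' must not
                # steer the rename outside the bin directory.
                filename = os.path.basename(filename)
                if filename and filename != '-':
                    newName = '.'.join([extractBase, filename, extractName])
                else:
                    newName = '.'.join([extractBase, extractName])
                os.rename(extract, newName)
                print('Bro Extracted: %s' % newName)
                extracted.append(newName)
        # Leave the temp directory before removing it.
        os.chdir(outDir)
        shutil.rmtree(tempPath, ignore_errors=True)

    event.setAttribute('extracted_files', extracted or None)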
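def refreshForwardZone(fzPath, nameServer, domain):
    """Transfer the zone for *domain* from *nameServer* (AXFR) into the file *fzPath*.

    Runs ``dig @<nameServer> -t AXFR <domain>`` through the shell with stdout
    redirected to ``fzPath`` (overwriting it). dig's exit status is not
    checked.
    """
    try:
        from shlex import quote  # Python 3
    except ImportError:
        from pipes import quote  # Python 2
    # All three values are quoted for the shell: they are configuration and
    # data, and a path with spaces or a metacharacter in a name would
    # otherwise break or alter the command. Draining the handle waits for
    # dig to finish so the file is complete on return (runBash handles are
    # read for output elsewhere; assumed to be popen-style).
    cmd = 'dig @%s -t AXFR %s > %s' % (quote(nameServer), quote(domain), quote(fzPath))
    runBash(cmd).read()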