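	def rule_block(self, confname, parse=None, data=None):
		"""Record one offender in the block cache and run the block command.

		Args:
			confname: Name of the rule configuration the hit belongs to.
			parse: Parsed rule configuration. Its ``block`` section must
				provide ``action``, ``expire``, ``blkcmd`` and ``iptables``.
			data: One aggregation record from ``rule_filter``: ``_id`` is the
				grouped field value (a source address when the rule groups
				on ``src``) and ``total`` the hit count.

		Raises:
			KeyError/TypeError: propagated after logging when a required
				``block`` key is missing.
		"""
		import shlex

		# Mutable defaults were shared across calls; build fresh dicts instead.
		parse = {} if parse is None else parse
		data = {} if data is None else data

		# Parse the block section; the config file must not omit any of these keys.
		try:
			action = parse['block']['action']
			expire = parse['block']['expire']
			command = parse['block']['blkcmd']
			iptables = parse['block']['iptables']
		except Exception:
			Loger().ERROR("block rule farmat error.")
			raise

		# Take the clock once so 'time' and 'exptime' agree exactly.
		now = int(time.time())
		block_data = {
			'_id': data['_id'],
			'total': data['total'],
			'time': now,
			'exptime': now + expire,
			'confname': str(confname),
			'command': '',
		}

		if not action:
			Loger().WARNING(Notes['RECORD'] % (data['_id'], data['total']))
			return

		if iptables:
			# '_id' originates from captured traffic, not from the config file:
			# quote it so the value cannot carry shell syntax into the command
			# line. Plain addresses are left unchanged by shlex.quote.
			block_data["command"] = (
				"/sbin/iptables -I INPUT -s %s -j DROP" % shlex.quote(str(data['_id'])))
		elif command.find(' %s') > 0:
			# Format against a copy so the caller's record is not mutated.
			# NOTE(review): with a dict operand the positional '%s' receives the
			# whole dict, as in the original code — confirm that is the intended
			# blkcmd contract.
			block_data["command"] = command % dict(data, block=1)

		state = self.load_cache(self.Bcol, {'_id': data['_id']}, block_data)
		if state:
			# An empty command (blkcmd without ' %s', iptables off) would only
			# spawn an empty shell; the log line and notice still go out.
			if block_data["command"]:
				subprocess.call(block_data["command"], shell=True)
			Loger().WARNING(Notes['LOCK'] % (data['_id'], data['total']))
			# Send the e-mail notice.
			self.rule_notice(confname, parse, data)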
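	def rule_filter(self, parse=None):
		"""Run the rule's aggregation and return the groups over the threshold.

		Args:
			parse: Parsed rule configuration. ``bolt`` selects the TCP or UDP
				cache collection; the ``filter`` section must provide
				timeDelta, trustIps, motrPort, motrProto, flags,
				noOfConnections, noOfCondition and returnFiled (the key
				spelling is part of the config format and is kept as is).

		Returns:
			Whatever ``CacheServer().find_aggregate`` returns: one record per
			distinct ``returnFiled`` value (``_id``) with its ``total`` count.

		Raises:
			ValueError: ``bolt`` is neither 'TCP' nor 'UDP'.
			KeyError/TypeError: propagated after logging when a required
				``filter`` key is missing.
		"""
		# A shared mutable default would leak state between calls.
		parse = {} if parse is None else parse

		bolt = parse['bolt']
		if bolt not in ("TCP", "UDP"):
			Loger().ERROR("Bolt value must be 'TCP', 'UDP' !")
			# A bare `raise` here has no active exception and surfaced as a
			# RuntimeError instead of naming the bad config value.
			raise ValueError("Bolt value must be 'TCP', 'UDP' !")
		col = self.cache_connect(bolt)

		# Parse the filter section; the config file must not omit any of these keys.
		try:
			filt = parse['filter']
			timeDelta = filt['timeDelta']              # time window, seconds
			trustIps = filt['trustIps']                # src whitelist to exclude
			motrPort = filt['motrPort']                # ports to filter
			motrProto = filt['motrProto']              # protocol to filter (read to validate the key; not used in the query)
			flags = filt['flags']                      # connection state flags
			noOfConnections = filt['noOfConnections']  # threshold
			noOfCondition = filt['noOfCondition']      # threshold condition, e.g. $gt/$gte/$lt/$lte
			returnFiled = filt['returnFiled']          # field returned by the filter; must exist in the bolt collection
		except Exception:
			Loger().ERROR("filter rule farmat error.")
			raise

		# Build the query: one $match stage per enabled setting, then group by
		# the return field and keep the groups that meet the threshold.
		lte_time = int(time.time())
		gte_time = lte_time - timeDelta
		aggs = []
		if timeDelta:
			aggs.append({'$match': {'time': {'$gte': gte_time, '$lte': lte_time}}})
		if flags:
			aggs.append({'$match': {'flags': {'$in': flags}}})
		if motrPort:
			aggs.append({'$match': {'dport': {'$in': motrPort}}})
		if trustIps:
			aggs.append({'$match': {'src': {'$nin': trustIps}}})
		aggs.append({'$group': {'_id': '$%s' % returnFiled, 'total': {'$sum': 1}}})
		# noOfCondition is used verbatim as a Mongo operator name; it comes from
		# the rule file, which is trusted configuration, not from traffic data.
		aggs.append({'$match': {'total': {noOfCondition: noOfConnections}}})

		return CacheServer().find_aggregate(col, aggs)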
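	def rule_unblock(self, confname, parse=None):
		"""Lift the blocks whose expiry time has passed and drop their records.

		Args:
			confname: Name of the rule configuration whose records to check.
			parse: Parsed rule configuration. Its ``block`` section must
				provide ``action``, ``expire``, ``ubkcmd`` and ``iptables``.

		Raises:
			KeyError/TypeError: propagated after logging when a required
				``block`` key is missing.
		"""
		import shlex

		# A shared mutable default would leak state between calls.
		parse = {} if parse is None else parse

		# Parse the block section; the config file must not omit any of these keys.
		try:
			action = parse['block']['action']
			expire = parse['block']['expire']
			command = parse['block']['ubkcmd']
			iptables = parse['block']['iptables']
		except Exception:
			Loger().ERROR("block rule farmat error.")
			raise

		if not action:
			return

		# Unblock expired records.
		kwargs = {'exptime': {'$lt': int(time.time())}, 'confname': confname}
		for item in CacheServer().find_conditions(self.Bcol, **kwargs):
			# Rebuild the command for every record; the previous code carried
			# the last record's command over when ubkcmd had no ' %s' placeholder.
			call_cmd = ''
			if iptables:
				# '_id' originates from captured traffic: quote it so the value
				# cannot carry shell syntax into the command line.
				call_cmd = "/sbin/iptables -D INPUT -s %s -j DROP" % shlex.quote(str(item['_id']))
			elif command.find(' %s') > 0:
				temp = {'_id': item['_id'], 'total': item['total'], 'unblock': 1}
				call_cmd = command % temp

			# Skip the call rather than spawn an empty shell.
			if call_cmd:
				subprocess.call(call_cmd, shell=True)
			Loger().WARNING(Notes['UNLOCK'] % item['_id'])

		# Records are removed whether or not their unblock command succeeded,
		# as before; a failed command therefore leaves no retry.
		CacheServer().delete_many(self.Bcol, kwargs)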
 def sendto(self, subject, msg, receiver):
     """Deliver one message over SSL or plain SMTP and log the outcome.

     The transport is chosen by ``self.avr['smtp_ssl']``. Any failure is
     logged and swallowed so a mail problem never aborts the caller.

     Args:
         subject: Mail subject line.
         msg: Message body.
         receiver: Destination address.
     """
     use_ssl = self.avr['smtp_ssl']
     try:
         if use_ssl:
             self.sslsend(subject, msg, receiver)
         else:
             self.nonsend(subject, msg, receiver)
         Loger().WARNING('[MAIL] Send mail Success.')
     except Exception as err:
         Loger().ERROR('[MAIL] Send mail failed to: %s' % err)
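	def rule_notice(self, confname, parse=None, data=None):
		"""E-mail every configured receiver about a block, if notices are on.

		Args:
			confname: Name of the rule configuration that triggered the block.
			parse: Parsed rule configuration. Its ``notice`` section must
				provide ``send`` (enable flag) and ``email`` (receiver list).
			data: The blocked record; ``_id`` and ``total`` go into the mail.

		Raises:
			KeyError/TypeError: propagated after logging when a required
				``notice`` key is missing.
		"""
		# Mutable defaults were shared across calls; build fresh dicts instead.
		parse = {} if parse is None else parse
		data = {} if data is None else data

		try:
			send = parse['notice']['send']
			email = parse['notice']['email']
		except Exception:
			# Previously reported as a "block rule" error, which pointed
			# at the wrong config section.
			Loger().ERROR("notice rule farmat error.")
			raise

		if not send:
			return

		subject = "Scout email server"
		# Format once; the text is identical for every receiver.
		body = Notes['MAIL'] % (data['_id'], confname, data['total'])
		for receiver in email:
			PyEmail().sendto(subject, body, receiver)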
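	def LOOP(self, keeprunning=True, timeout=3):
		"""Main rule loop: lift expired blocks, then block new offenders.

		Each pass walks every loaded rule in ``self.S``; when no rule is
		loaded yet, the config directory is scanned and each
		``<name>.<filetype>`` file is loaded through ``rule_key_value``.

		Args:
			keeprunning: Loop while true. Nothing inside the loop clears it,
				so callers stop the loop by stopping its thread/process.
			timeout: Seconds to sleep between passes.
		"""
		while keeprunning:
			# If the cache holds key => value entries use them; otherwise
			# reload the config files.
			if self.S:
				# Snapshot the keys so a rule reload during the pass cannot
				# invalidate the iteration.
				for k in list(self.S):
					# Run unblock.
					self.rule_unblock(k, self.S[k])
					# Run block.
					for res in self.rule_filter(self.S[k]):
						self.rule_block(k, self.S[k], res)
						Loger().WARNING("[%s.%s] %s" % (k, self.filetype, res))
			else:
				# Anchor the pattern and escape the suffix: the old unanchored
				# '.*\.%s' also accepted names such as 'x.conf.bak'.
				ptn = re.compile(r'.*\.%s\Z' % re.escape(self.filetype))
				for f in os.listdir(self.filepath):
					if ptn.match(f) is not None:
						# Rule name is the part before the first dot, as before.
						self.rule_key_value(f.split('.')[0])

			sleep(timeout)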
 def async_dstat(self):
     """Run the Dstat loop; an escaping exception is logged, not re-raised."""
     try:
         Dstat().LOOP()
     except Exception as err:
         message = "Scout dstat Exception: %s" % err
         Loger().WARNING(message)
 def async_dump(self):
     """Run the packet dump; an escaping exception is logged and re-raised.

     Unlike the other wrappers here, the exception propagates to the caller.
     """
     try:
         Pcapy(**self.kwargs).DUMP()
     except Exception as err:
         message = "Scout dump Exception: %s" % err
         Loger().WARNING(message)
         raise
 def view(self):
     """Show the rules; an escaping exception is logged, not re-raised."""
     try:
         Rule(**self.kwargs).view()
     except Exception as err:
         message = "Scout rule Exception: %s" % err
         Loger().WARNING(message)
 def dstat(self):
     """Show Dstat output; an escaping exception is logged, not re-raised."""
     try:
         Dstat().show()
     except Exception as err:
         message = "Scout dstat Exception: %s" % err
         Loger().WARNING(message)
 def async_rule(self):
     """Run the rule loop; an escaping exception is logged, not re-raised."""
     try:
         Rule(**self.kwargs).LOOP()
     except Exception as err:
         message = "Scout rule Exception: %s" % err
         Loger().WARNING(message)