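def run(self, idmef):
    """Track successful OpenSSH logins per (target, username) by auth method.

    The alert is ignored unless its last analyzer reports the manufacturer
    "OpenSSH", its impact completion is "succeeded" and it carries a
    non-empty "Authentication method" additional_data entry.  For every
    (target address, username) pair found in the alert, a context keyed
    ("SSHAUTH", target, username) is updated with a 30-second expiry; the
    ``alert_on_expire`` option names the module-level ``alert`` callback
    (presumably invoked by the correlator when the context expires).  The
    first alert for a pair records the method and the alert reference; a
    later alert for the same pair with a *different* method adds that
    method and reference too.  Repeats of an already-seen method only
    bump the context's update count.

    Args:
        idmef: the incoming IDMEF alert (project type); only read here,
            apart from being referenced from the context.

    Returns:
        None.
    """
    if idmef.get("alert.analyzer(-1).manufacturer") != "OpenSSH":
        return
    if idmef.get("alert.assessment.impact.completion") != "succeeded":
        return

    data = idmef.get("alert.additional_data('Authentication method').data")
    if not data:
        return
    # The path yields a list of values; only the first one is used.
    data = data[0]

    # `or []` keeps the loops from raising if the path has no match and
    # get() hands back None instead of an empty list.
    usernames = idmef.get("alert.target(*).user.user_id(*).name") or []
    # Loop-invariant lookup, hoisted out of the username loop.
    targets = idmef.get("alert.target(*).node.address(*).address") or []

    for username in usernames:
        for target in targets:
            ctx = Context(
                ("SSHAUTH", target, username),
                {"expire": 30, "alert_on_expire": alert},
                update=True,
                ruleid=self.name,
            )
            if ctx.getUpdateCount() == 0:
                # Fresh context: remember the first method seen.
                ctx.authtype = {data: True}
                ctx.addAlertReference(idmef)
            elif data not in ctx.authtype:
                # Same target/user again, but with a new method.
                ctx.authtype[data] = True
                ctx.addAlertReference(idmef)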
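def run(self, idmef):
    """Track successful OpenSSH logins per (target, username) by auth method.

    The alert is ignored unless its last analyzer reports the manufacturer
    "OpenSSH", its impact completion is "succeeded" and it carries a
    non-empty "Authentication method" additional_data entry.  For every
    (target address, username) pair found in the alert, a context keyed
    ("SSHAUTH", target, username) is updated with a 30-second expiry; the
    ``alert_on_expire`` option names the module-level ``alert`` callback
    (presumably invoked by the correlator when the context expires).  The
    first alert for a pair records the method and the alert reference; a
    later alert for the same pair with a *different* method adds that
    method and reference too.  Repeats of an already-seen method only
    bump the context's update count.

    Args:
        idmef: the incoming IDMEF alert (project type); only read here,
            apart from being referenced from the context.

    Returns:
        None.
    """
    if idmef.get("alert.analyzer(-1).manufacturer") != "OpenSSH":
        return
    if idmef.get("alert.assessment.impact.completion") != "succeeded":
        return

    data = idmef.get("alert.additional_data('Authentication method').data")
    if not data:
        return
    # The path yields a list of values; only the first one is used.
    data = data[0]

    # `or []` keeps the loops from raising if the path has no match and
    # get() hands back None instead of an empty list.
    usernames = idmef.get("alert.target(*).user.user_id(*).name") or []
    # Loop-invariant lookup, hoisted out of the username loop.
    targets = idmef.get("alert.target(*).node.address(*).address") or []

    for username in usernames:
        for target in targets:
            ctx = Context(
                ("SSHAUTH", target, username),
                {"expire": 30, "alert_on_expire": alert},
                update=True,
            )
            if ctx.getUpdateCount() == 0:
                # Fresh context: remember the first method seen.
                ctx.authtype = {data: True}
                ctx.addAlertReference(idmef)
            elif data not in ctx.authtype:
                # Same target/user again, but with a new method
                # (`not in` rather than `not data in`, same semantics).
                ctx.authtype[data] = True
                ctx.addAlertReference(idmef)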