コード例 #1
0
 def process_alert(self):
     search_query = SearchQuery(hours=1)
     search_query.add_must(TermMatch('tags', self.sqs_queue_name))
     self.filtersManual(search_query)
     self.searchEventsSimple()
     self.walkEvents()
コード例 #2
0
 def test_search_nonexisting_index(self):
     search_query = SearchQuery()
     search_query.add_must(TermMatch('key', 'value'))
     with pytest.raises(ElasticsearchInvalidIndex):
         search_query.execute(self.es_client, indices=['doesnotexist'])
コード例 #3
0
ファイル: syncAlertsToMongo.py プロジェクト: ryzokuken/MozDef 
def getESAlerts(es):
    search_query = SearchQuery(minutes=50)
    search_query.add_must(TermMatch('_type', 'alert'))
    results = search_query.execute(es, indices=['alerts'], size=10000)
    return results
コード例 #4
0
 def test_search_no_results(self):
     search_query = SearchQuery()
     search_query.add_must(
         TermMatch('garbagefielddoesntexist', 'testingvalues'))
     results = search_query.execute(self.es_client)
     assert results['hits'] == []
コード例 #5
0
ファイル: test_term_match.py プロジェクト: greeneyes8/MozDef 
 def query_tests(self):
     tests = {
         TermMatch('details.resultss', 'ldap'): [{
             'details': {
                 "resultss": "LDAP",
             }
         }],
         TermMatch('summary', 'test'): [
             {
                 'summary': 'example summary'
             },
             {
                 'summary': 'example summary tes'
             },
             {
                 'summary': 'testing'
             },
             {
                 'summary': 'test.mozilla.domain'
             },
             {
                 'summary': 'mozilla.test.domain'
             },
             {
                 'summary': 'mozilla.test'
             },
         ],
         TermMatch('note', 'test'): [
             {
                 'note': 'example note'
             },
             {
                 'note': 'example note tes'
             },
             {
                 'note': 'testing'
             },
             {
                 'summnoteary': 'test.mozilla.domain'
             },
             {
                 'note': 'mozilla.test.domain'
             },
             {
                 'note': 'mozilla.test'
             },
         ],
         TermMatch('summary', 'sum'): [
             {
                 'summary': 'example test summary'
             },
             {
                 'summary': 'example summary'
             },
             {
                 'summary': 'summary test'
             },
             {
                 'summary': 'summary'
             },
         ],
         TermMatch('hostname', 'hostname.domain.com'): [
             {
                 'hostname': 'sub.hostname.domain.com'
             },
             {
                 'hostname': 'hostnames.domain.com'
             },
             {
                 'hostname': 'domain.com'
             },
             {
                 'hostname': 'com'
             },
         ],
     }
     return tests
コード例 #6
0
 def test_array_input(self):
     queries = [ExistsMatch('note'), TermMatch('note', 'test')]
     self.query.add_should(queries)
     assert self.query.should == queries
コード例 #7
0
 def test_array_input(self):
     queries = [ExistsMatch('note'), TermMatch('note', 'test')]
     self.query.add_must_not(queries)
     assert self.query.must_not == queries
コード例 #8
0
ファイル: index.py プロジェクト: ryzokuken/MozDef 
def esLdapResults(begindateUTC=None, enddateUTC=None):
    '''an ES query/facet to count success/failed logins'''
    resultsList = list()
    if begindateUTC is None:
        begindateUTC = datetime.now() - timedelta(hours=1)
        begindateUTC = toUTC(begindateUTC)
    if enddateUTC is None:
        enddateUTC = datetime.now()
        enddateUTC = toUTC(enddateUTC)

    try:
        es_client = ElasticsearchClient(
            list('{0}'.format(s) for s in options.esservers))
        search_query = SearchQuery()
        range_match = RangeMatch('utctimestamp', begindateUTC, enddateUTC)

        search_query.add_must(range_match)
        search_query.add_must(TermMatch('tags', 'ldap'))

        search_query.add_must(
            TermMatch('details.result', 'LDAP_INVALID_CREDENTIALS'))

        search_query.add_aggregation(Aggregation('details.result'))
        search_query.add_aggregation(Aggregation('details.dn'))

        results = search_query.execute(es_client, indices=['events'])

        stoplist = ('o', 'mozilla', 'dc', 'com', 'mozilla.com',
                    'mozillafoundation.org', 'org', 'mozillafoundation')

        for t in results['aggregations']['details.dn']['terms']:
            if t['key'] in stoplist:
                continue
            #print(t['key'])
            failures = 0
            success = 0
            dn = t['key']

            details_query = SearchQuery()
            details_query.add_must(range_match)
            details_query.add_must(TermMatch('tags', 'ldap'))
            details_query.add_must(TermMatch('details.dn', dn))
            details_query.add_aggregation(Aggregation('details.result'))

            results = details_query.execute(es_client)

            for t in results['aggregations']['details.result']['terms']:
                #print(t['key'],t['count'])
                if t['key'].upper() == 'LDAP_SUCCESS':
                    success = t['count']
                if t['key'].upper() == 'LDAP_INVALID_CREDENTIALS':
                    failures = t['count']
            resultsList.append(
                dict(dn=dn,
                     failures=failures,
                     success=success,
                     begin=begindateUTC.isoformat(),
                     end=enddateUTC.isoformat()))

        return (json.dumps(resultsList))
    except Exception as e:
        sys.stderr.write('Error trying to get ldap results: {0}\n'.format(e))