def __init__(self, outputqueue, config): multiprocessing.Process.__init__(self) # All the printing output should be sent to the outputqueue. The outputqueue is connected to another process called OutputProcess self.outputqueue = outputqueue # In case you need to read the slips.conf configuration file for your own configurations self.config = config # Start the DB __database__.start(self.config) self.separator = __database__.getFieldSeparator() # Subscribe to 'new_flow' channel self.c1 = __database__.subscribe('new_flow') # To store the timelines of each profileid_twid self.profiles_tw = {} # Load the list of common known ports self.load_ports() # Store malicious IPs. We do not make alert everytime we receive flow with thi IP but only once. self.alerted_malicous_ips_dict = {} # Read information how we should print timestamp. self.is_human_timestamp = bool(self.read_configuration('modules', 'timeline_human_timestamp')) self.analysis_direction = self.config.get('parameters', 'analysis_direction') # Wait a little so we give time to have something to print # Set the timeout based on the platform. This is because the pyredis lib does not have officially recognized the timeout=None as it works in only macos and timeout=-1 as it only works in linux if platform.system() == 'Darwin': # macos self.timeout = None elif platform.system() == 'Linux': # linux self.timeout = None else: #?? self.timeout = None
def __init__(self, outputqueue, config): multiprocessing.Process.__init__(self) self.outputqueue = outputqueue # This dictionary will hold each malicious ip to store in the db self.malicious_ips_dict = {} # In case you need to read the slips.conf configuration file for your own configurations self.config = config self.separator = __database__.getFieldSeparator() # This default path is only used in case there is no path in the configuration file self.path_to_malicious_ip_folder = 'modules/ThreatIntelligence1/malicious_ips_files/' # Subscribe to the new_ip channel __database__.start(self.config) self.c1 = __database__.subscribe('new_ip') # Create the update manager. This manager takes care of the re-downloading of the list of IoC when needed. self.update_manager = UpdateIPManager(self.outputqueue) # Update the remote file containing malicious IPs. self.__update_remote_malicious_file() # Set the timeout based on the platform. This is because the pyredis lib does not have officially recognized the timeout=None as it works in only macos and timeout=-1 as it only works in linux if platform.system() == 'Darwin': # macos self.timeout = None elif platform.system() == 'Linux': self.timeout = -1 else: #?? self.timeout = None
def __init__(self, outputqueue, config): multiprocessing.Process.__init__(self) # All the printing output should be sent to the outputqueue. The outputqueue is connected to another process called OutputProcess self.outputqueue = outputqueue # In case you need to read the slips.conf configuration file for your own configurations self.config = config # Start the DB __database__.start(self.config) # Subscribe to the channel self.c1 = __database__.subscribe('new_flow') self.fieldseparator = __database__.getFieldSeparator() # Set the output queue of our database instance __database__.setOutputQueue(self.outputqueue) # Read the configuration self.read_configuration() # To know when to retrain. We store the number of labels when we last retrain self.retrain = 0 if platform.system() == 'Darwin': # macos self.timeout = None elif platform.system() == 'Linux': # linux self.timeout = None else: # ?? self.timeout = None
def __init__(self, outputqueue, config): multiprocessing.Process.__init__(self) self.outputqueue = outputqueue self.config = config # Start the DB __database__.start(self.config) # Set the output queue of our database instance __database__.setOutputQueue(self.outputqueue) # Get from the database the separator used to separate the IP and the word profile self.fieldseparator = __database__.getFieldSeparator() # To which channels do you wnat to subscribe? When a message arrives on the channel the module will wakeup self.c1 = __database__.subscribe('tw_modified') # We need to know that after a detection, if we receive another flow that does not modify the count for the detection, we are not # re-detecting again only becase the threshold was overcomed last time. self.cache_det_thresholds = {} # Set the timeout based on the platform. This is because the pyredis lib does not have officially recognized the timeout=None as it works in only macos and timeout=-1 as it only works in linux if platform.system() == 'Darwin': # macos self.timeout = None elif platform.system() == 'Linux': self.timeout = None else: #?? self.timeout = None self.separator = '_'
def __init__(self, outputqueue, config): self.outputqueue = outputqueue self.config = config # For now, read the malicious IPs from here self.name = 'UpdateManager' self.new_update_time = float('-inf') # Start the database __database__.start(self.config) # Get a separator from the database self.separator = __database__.getFieldSeparator() # Read the conf self.read_configuration()
def __init__(self, outputqueue, config): multiprocessing.Process.__init__(self) self.outputqueue = outputqueue # In case you need to read the slips.conf configuration file for your own configurations self.config = config # Subscribe to the channel __database__.start(self.config) # Get a separator from the database self.separator = __database__.getFieldSeparator() self.c1 = __database__.subscribe('give_threat_intelligence') # Set the timeout based on the platform. This is because the pyredis lib does not have officially recognized the timeout=None as it works in only macos and timeout=-1 as it only works in linux if platform.system() == 'Darwin': # macos self.timeout = None elif platform.system() == 'Linux': self.timeout = None else: self.timeout = None self.__read_configuration()
def __init__(self, inputqueue, outputqueue, verbose, debug, config): self.name = 'Logs' multiprocessing.Process.__init__(self) self.verbose = verbose self.debug = debug self.config = config # Start the DB __database__.start(self.config) self.separator = '_' # From the config, read the timeout to read logs. Now defaults to 5 seconds self.inputqueue = inputqueue self.outputqueue = outputqueue # Read the configuration self.read_configuration() self.fieldseparator = __database__.getFieldSeparator() # For some weird reason the database loses its outputqueue and we have to re set it here....... __database__.setOutputQueue(self.outputqueue) self.timeline_first_index = {} self.is_timline_file = False
# Store the host IP address if input type is interface if input_type == 'interface': hostIP = recognize_host_ip() __database__.set_host_ip(hostIP) # As the main program, keep checking if we should stop slips or not # This is not easy since we need to be sure all the modules are stopped # Each interval of checking is every 5 seconds check_time_sleep = 5 # In each interval we check if there has been any modifications to the database by any module. # If not, wait this amount of intervals and then stop slips. # We choose 6 to wait 30 seconds. limit_minimum_intervals_to_wait = 4 minimum_intervals_to_wait = limit_minimum_intervals_to_wait fieldseparator = __database__.getFieldSeparator() slips_internal_time = 0 try: while True: # Sleep some time to do rutine checks time.sleep(check_time_sleep) slips_internal_time = __database__.getSlipsInternalTime() # Get the amount of modified time windows since we last checked TWModifiedforProfile = __database__.getModifiedTWSinceTime( float(slips_internal_time) + 1) # TWModifiedforProfile = __database__.getModifiedTW() amount_of_modified = len(TWModifiedforProfile) # Get th time of last modified timewindow and set it as a new if amount_of_modified != 0: time_last_modified_tw = TWModifiedforProfile[-1][-1] __database__.setSlipsInternalTime(time_last_modified_tw)