def run(self, idmef):
for source in idmef.Get("alert.source(*).node.address(*).address"):
if self.__iphash.has_key(source):
ca = IDMEF()
ca.Set("alert.source(>>)", idmef.Get("alert.source"))
ca.Set("alert.target(>>)", idmef.Get("alert.target"))
ca.Set("alert.correlation_alert.alertident(>>).alertident", idmef.Get("alert.messageid"))
ca.Set("alert.correlation_alert.alertident(-1).analyzerid", idmef.Get("alert.analyzer(*).analyzerid")[-1])
ca.Set("alert.classification.text", "IP source matching Dshield database")
ca.Set("alert.correlation_alert.name", "IP source matching Dshield database")
ca.Set("alert.assessment.impact.description", "Dshield gather IP addresses tagged from firewall logs drops")
ca.Set("alert.assessment.impact.severity", "high")
ca.alert()
def run(self, idmef):
t = time.localtime(int(idmef.Get("alert.create_time")))
if not (t.tm_wday == 5 or t.tm_wday == 6 or t.tm_hour >= 9 or t.tm_hour <= 18):
return
if idmef.Get("alert.assessment.impact.completion") != "succeeded":
return
ca = IDMEF()
ca.Set("alert.source", idmef.Get("alert.source"))
ca.Set("alert.target", idmef.Get("alert.target"))
ca.Set("alert.classification", idmef.Get("alert.classification"))
ca.Set("alert.correlation_alert.alertident(>>).alertident", idmef.Get("alert.messageid"))
ca.Set("alert.correlation_alert.alertident(-1).analyzerid", idmef.Get("alert.analyzer(*).analyzerid")[-1])
ca.Set("alert.correlation_alert.name", "Critical system activity on day off")
ca.alert()
def run(self, idmef):
self.__t = time.localtime(int(idmef.Get("alert.create_time")))
if not (self.__t.tm_wday in self.__offdays or self.__t.tm_hour < self.__hworkstart or self.__t.tm_hour > self.__hworkend):
return
#if idmef.Get("alert.assessment.impact.completion") != "succeeded":
# return
ca = IDMEF()
ca.addAlertReference(idmef)
ca.Set("alert.classification", idmef.Get("alert.classification"))
ca.Set("alert.correlation_alert.name", "Critical system activity on day off")
ca.alert()
