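def process_incident(self, incident):
    """Gather per-IP features for one incident and store them as sessions.

    Args:
        incident: dict-like incident record.  Keys read here are
            ``file_name``, ``start``, ``stop``, ``target`` and ``id``.
            When ``file_name`` is ``None`` or empty, the ATS records and
            the banned-IP list (``es_handler.get_banjax``) are fetched
            from ES for the incident's time window and target; otherwise
            the named log file is parsed as nginx logs and no banned-IP
            list is collected.

    Returns:
        The post-processed per-IP feature dictionary, or ``None`` when
        ``incident`` is ``None``.

    Side effects:
        Rebuilds ``self._active_feature_list``, deletes the sessions
        previously stored for the incident, stores the new ones and then
        calls ``set_incident_process(incident['id'], False)``.
    """
    if incident is None:
        return

    ip_sieve = IPSieve()
    banned_ips = []

    file_name = incident["file_name"]
    if file_name is None or len(file_name) == 0:
        # No log file attached: pull the banned-IP list and the ATS records
        # for the incident window from ES.
        banned_ips = self.es_handler.get_banjax(incident['start'], incident['stop'], incident['target'])
        ats_records = self.es_handler.get(incident['start'], incident['stop'], incident['target'])
        # build the per-IP record dictionary from the ATS records
        ip_records = ip_sieve.process_ats_records(ats_records)
    else:
        # NOTE(review): file_name is taken from the incident record and handed
        # to IPSieve as-is; confirm it is constrained to the expected log
        # location where the record is created.
        ip_sieve.add_log_file(file_name)
        ip_records = ip_sieve.parse_log("nginx")

    # Feature computation.  Every feature writes into the shared
    # ip_feature_db.  Instantiate each feature once and keep the instances,
    # so the index list is complete before any compute() runs (the previous
    # version instantiated every feature twice to achieve this).
    ip_feature_db = {}
    features = [feature_cls(ip_records, ip_feature_db)
                for feature_cls in Learn2BanFeature.__subclasses__()]
    # Preliminary list only: features may still be dropped later because of
    # zero variance.
    self._active_feature_list = [f._FEATURE_INDEX for f in features]

    for f in features:
        # single-argument print(...) behaves the same under Python 2 and 3
        print("Computing feature %i..." % f._FEATURE_INDEX)
        f.compute()

    ip_feature_db = self.bothound_tools.post_process(ip_feature_db)

    # Replace the sessions stored for this incident.  NOTE(review): the delete
    # and the add are separate calls; a failure between them leaves the
    # incident with no sessions -- confirm bothound_tools makes this
    # transactional, or that re-running the incident is safe.
    self.bothound_tools.delete_sessions(incident['id'])
    self.bothound_tools.add_sessions(incident['id'], ip_feature_db, banned_ips)
    # Only reached on success: an exception above leaves the flag untouched.
    self.bothound_tools.set_incident_process(incident['id'], False)

    print("Incident {} processed.".format(incident['id']))
    return ip_feature_db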
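def process_incident(self, incident):
    """Gather per-IP features for one incident and store them as sessions.

    Args:
        incident: dict-like incident record.  Keys read here are
            ``file_name``, ``start``, ``stop``, ``target`` and ``id``.
            When ``file_name`` is ``None`` or empty, the ATS records and
            the banned-IP list (``es_handler.get_banjax``) are fetched
            from ES for the incident's time window and target; otherwise
            the named log file is parsed as nginx logs and no banned-IP
            list is collected.

    Returns:
        The post-processed per-IP feature dictionary, or ``None`` when
        ``incident`` is ``None``.

    Side effects:
        Rebuilds ``self._active_feature_list``, deletes the sessions
        previously stored for the incident, stores the new ones and then
        calls ``set_incident_process(incident['id'], False)``.
    """
    if incident is None:
        return

    ip_sieve = IPSieve()
    banned_ips = []

    file_name = incident["file_name"]
    if file_name is None or len(file_name) == 0:
        # No log file attached: pull the banned-IP list and the ATS records
        # for the incident window from ES.
        banned_ips = self.es_handler.get_banjax(incident['start'], incident['stop'], incident['target'])
        ats_records = self.es_handler.get(incident['start'], incident['stop'], incident['target'])
        # build the per-IP record dictionary from the ATS records
        ip_records = ip_sieve.process_ats_records(ats_records)
    else:
        # NOTE(review): file_name is taken from the incident record and handed
        # to IPSieve as-is; confirm it is constrained to the expected log
        # location where the record is created.
        ip_sieve.add_log_file(file_name)
        ip_records = ip_sieve.parse_log("nginx")

    # Feature computation.  Every feature writes into the shared
    # ip_feature_db.  Instantiate each feature once and keep the instances,
    # so the index list is complete before any compute() runs (the previous
    # version instantiated every feature twice to achieve this).
    ip_feature_db = {}
    features = [feature_cls(ip_records, ip_feature_db)
                for feature_cls in Learn2BanFeature.__subclasses__()]
    # Preliminary list only: features may still be dropped later because of
    # zero variance.
    self._active_feature_list = [f._FEATURE_INDEX for f in features]

    for f in features:
        # single-argument print(...) behaves the same under Python 2 and 3
        print("Computing feature %i..." % f._FEATURE_INDEX)
        f.compute()

    ip_feature_db = self.bothound_tools.post_process(ip_feature_db)

    # Replace the sessions stored for this incident.  NOTE(review): the delete
    # and the add are separate calls; a failure between them leaves the
    # incident with no sessions -- confirm bothound_tools makes this
    # transactional, or that re-running the incident is safe.
    self.bothound_tools.delete_sessions(incident['id'])
    self.bothound_tools.add_sessions(incident['id'], ip_feature_db, banned_ips)
    # Only reached on success: an exception above leaves the flag untouched.
    self.bothound_tools.set_incident_process(incident['id'], False)

    print("Incident {} processed.".format(incident['id']))
    return ip_feature_db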