import time
import datetime
from lib import suricata_alert_log
from lib.log import reverse_log_reader

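if __name__ == '__main__':
    # List the suricata alert log files matching `suricata_alert_log*` (the
    # live log plus its rotated siblings), sorted by name, each with its size,
    # a "modified" timestamp and the rotation sequence number.
    result = []
    for filename in sorted(glob.glob('%s*' % suricata_alert_log)):
        row = dict()
        try:
            st = os.stat(filename)
        except OSError:
            # log rotation may remove a file between glob() and stat();
            # skip it instead of aborting the whole listing
            continue
        row['size'] = st.st_size
        # always list first file and non empty next.
        if row['size'] > 0 or filename.split('/')[-1].count('.') == 1:
            row['modified'] = st.st_mtime
            row['filename'] = filename.split('/')[-1]
            # try to find actual timestamp from file: walk backwards and take
            # the newest record that parses, keeping st_mtime as the fallback
            for line in reverse_log_reader(filename=filename):
                if line['line'] == '':
                    continue
                try:
                    record = ujson.loads(line['line'])
                except ValueError:
                    # truncated or corrupt line (e.g. still being written);
                    # it must not abort the listing, keep looking
                    continue
                # dict.has_key() is Python 2 only; `in` works on both and the
                # isinstance guard copes with a non-object JSON value
                if not isinstance(record, dict) or 'timestamp' not in record:
                    continue
                try:
                    # assumes an ISO-like "YYYY-MM-DDTHH:MM:SS[.frac][offset]"
                    # string; only the first 19 characters are parsed, so the
                    # fraction and any zone offset are dropped and mktime()
                    # interprets the value in local time -- TODO confirm
                    ts = record['timestamp'][:19]
                    row['modified'] = int(time.mktime(
                        datetime.datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").timetuple()))
                except (TypeError, ValueError, OverflowError):
                    # unparsable timestamp in this record; try an older one
                    continue
                break

            # rotated files carry a numeric suffix (e.g. ".1"); the live
            # file has none
            ext = filename.split('.')[-1]
            if ext.isdigit():
                row['sequence'] = int(ext)
            else:
                row['sequence'] = None

            result.append(row)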
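    # filter one specific log line. `filepos` appears to arrive with the
    # caller's filters (it is echoed back in result['filters'] below), so it
    # is treated as untrusted: only a plain non-negative integer is accepted,
    # anything else means "start from the end of the file".
    log_start_pos = None
    if 'filepos' in data_filters and data_filters['filepos'].isdigit():
        try:
            log_start_pos = int(data_filters['filepos'])
        except ValueError:
            # str.isdigit() is wider than int(): e.g. superscript digits pass
            # the check but are rejected by int(); that must not crash the query
            log_start_pos = None

    # query suricata eve log
    result = {
        'filters': data_filters,
        'rows': [],
        'total_rows': 0,
        'origin': suricata_log.split('/')[-1]
    }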
    if os.path.exists(suricata_log):
        for line in reverse_log_reader(filename=suricata_log,
                                       start_pos=log_start_pos):
            try:
                record = ujson.loads(line['line'])
            except ValueError:
                # can not handle line
                record = {}

            # only process valid alert items
            if 'alert' in record:
                # add position in file
                record['filepos'] = line['pos']
                record['fileid'] = parameters['fileid']
                # flatten structure
                record['alert_sid'] = record['alert']['signature_id']
                record['alert_action'] = record['alert']['action']
                record['alert'] = record['alert']['signature']
            data_filters_comp[filterField] = re.compile(filter_regexp)
        except sre_constants.error:
            # remove illegal expression
            #del data_filters[filterField]
            data_filters_comp[filterField] = re.compile('.*')

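# filter one specific log line. `filepos` appears to arrive with the
# caller's filters (it is echoed back in result['filters'] below), so it
# is treated as untrusted: only a plain non-negative integer is accepted,
# anything else means "start from the end of the file".
log_start_pos = None
if 'filepos' in data_filters and data_filters['filepos'].isdigit():
    try:
        log_start_pos = int(data_filters['filepos'])
    except ValueError:
        # str.isdigit() is wider than int(): e.g. superscript digits pass
        # the check but are rejected by int(); that must not crash the query
        log_start_pos = None

# query suricata eve log
result = {
    'filters': data_filters,
    'rows': [],
    'total_rows': 0,
    'origin': suricata_log.split('/')[-1]
}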
if os.path.exists(suricata_log):
    for line in reverse_log_reader(filename=suricata_log, start_pos=log_start_pos):
        try:
            record = ujson.loads(line['line'])
        except ValueError:
            # can not handle line
            record = {}

        # only process valid alert items
        if 'alert' in record:
            # add position in file
            record['filepos'] = line['pos']
            # flatten structure
            record['alert_sid'] = record['alert']['signature_id']
            record['alert'] = record['alert']['signature']

            # use filters on data (using regular expressions)
import time
import datetime
from lib import suricata_alert_log
from lib.log import reverse_log_reader

if __name__ == '__main__':
    result = []
    for filename in sorted(glob.glob('%s*' % suricata_alert_log)):
        row = dict()
        row['size'] = os.stat(filename).st_size
        # always list first file and non empty next.
        if row['size'] > 0 or filename.split('/')[-1].count('.') == 1:
            row['modified'] = os.stat(filename).st_mtime
            row['filename'] = filename.split('/')[-1]
            # try to find actual timestamp from file
            for line in reverse_log_reader(filename=filename):
                if line['line'] != '':
                    try:
                        record = ujson.loads(line['line'])
                    except ValueError:
                        continue
                    if 'timestamp' in record:
                        row['modified'] = int(
                            time.mktime(
                                datetime.datetime.strptime(
                                    record['timestamp'].split('.')[0],
                                    "%Y-%m-%dT%H:%M:%S").timetuple()))
                        break

            ext = filename.split('.')[-1]
            if ext.isdigit():