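def execute(event):
    """Fetch the raw ``bro_dns`` events for the tracked host from Splunk.

    Builds a day-windowed ``eventtype="bro_dns"`` search around the event
    date (``event._DT``, widened by ``_daysBefore``/``_daysAfter``), writes
    every ``_raw`` row to ``<event._baseFilePath>.<confVars.outputExtension>``
    and hands the same rows to ``event._splunk.push``.

    Args:
        event: the cirta event under investigation. Reads ``adHoc``,
            ``ip_address`` (optional), ``cirta_id``, ``_DT``, ``_daysBefore``,
            ``_daysAfter``, ``_include``, ``_baseFilePath`` and ``_splunk``;
            may set ``_include``.

    Returns:
        None. Logs a warning and returns early when the search is empty.
    """
    sourcetype = "bro_dns"

    def _splQuote(value):
        # Backslash-escape '\' and '"' so a value dropped into a double-quoted
        # SPL term cannot close the quote and append search clauses. For a
        # well-formed IP address this is a no-op.
        return ('%s' % (value,)).replace('\\', '\\\\').replace('"', '\\"')

    # Python 2 "print x," form: no trailing newline, so "Done" joins the line.
    print("Checking Splunk for events..."), sys.stdout.flush()
    sp = Splunk(
        host=SPLUNK_SEARCH_HEAD,
        port=SPLUNK_SEARCH_HEAD_PORT,
        username=SPLUNK_SEARCH_HEAD_USERNAME,
        password=SPLUNK_SEARCH_HEAD_PASSWORD,
        scheme=SPLUNK_SEARCH_HEAD_SCHEME,
    )

    # Playbook mode derives the filter from the tracked IP; in adHoc mode
    # event._include is expected to have been supplied elsewhere.
    if not event.adHoc and hasattr(event, "ip_address"):
        ip = _splQuote(event.ip_address)
        event._include = 'id_orig_h="%s" OR id_resp_h="%s"' % (ip, ip)

    # The relative "+Nd@d" bounds below are anchored on the run's start time,
    # whose epoch is the prefix of cirta_id.
    cirtaDT = epochToDatetime(event.cirta_id.split(".")[0])
    # .date() works whether `datetime` is bound to the module or the class.
    dayOffset = (event._DT.date() - cirtaDT.date()).days
    earliest = dayOffset - event._daysBefore
    # +1: presumably so the day-snapped latest bound covers the whole last day.
    latest = dayOffset + 1 + event._daysAfter
    # Non-negative offsets need an explicit sign; negatives already carry one.
    if earliest >= 0:
        earliest = "+" + str(earliest)
    if latest >= 0:
        latest = "+" + str(latest)

    query = """search eventtype="%s" earliest_time="%sd@d" latest_time="%sd@d" %s | table _raw""" % (
        sourcetype,
        earliest,
        latest,
        event._include,
    )
    log.debug('''msg="raw event query" query="%s"''' % query)
    # Materialise the result set: should sp.search() return an iterator, the
    # emptiness test below would otherwise never fire.
    results = list(sp.search(query))
    print("Done")
    if not results:
        log.warn("No %s events exist in Splunk" % sourcetype)
        return

    raw = [x["_raw"] for x in results]
    if raw:
        outPath = "%s.%s" % (event._baseFilePath, confVars.outputExtension)
        with open(outPath, "w") as outFile:
            outFile.writelines(row + "\n" for row in raw)
        print("%s file: %s%s.%s" % (sourcetype, colors.OKGREEN, event._baseFilePath, confVars.outputExtension))
    event._splunk.push(sourcetype=confVars.splunkSourcetype, eventList=raw)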
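def _parseForwardZone(fzPath):
    """Parse the zone dump at *fzPath* into a dict of shared ``Record`` objects.

    Only lines with exactly five whitespace-separated fields are used; field
    0 is the record name, field 3 the type and field 4 the value (the dump
    presumably follows ``name ttl class type value`` -- confirm). A CNAME is
    indexed under its *target* so alias and target share one Record, and
    every answer value is also mapped to the Record of its owner.
    """
    recs = {}
    with open(fzPath) as f:
        for line in f:
            sline = line.strip().split()
            # The original used `len(sline) is not 5`, an identity test that
            # only works thanks to CPython's small-int cache.
            if len(sline) != 5:
                continue
            rec, recType, ans = sline[0].rstrip('.'), sline[3], sline[4]
            if recType == 'CNAME':
                rec, ans = ans.rstrip('.'), rec
            if rec not in recs:
                recs[rec] = Record(rec)
            recs[rec].raw.append(line)
            recs[ans] = recs[rec]
            if recType == 'A':
                recs[rec].ips.append(ans)
            if recType == 'TXT':
                recs[rec].txt.append(ans)
            if recType == 'CNAME':
                recs[rec].cnames.append(ans)
    return recs


def getForwardZone(fzPath, nameServer, domain, today=None, attemptsLeft=10):
    """Load the cached forward-zone dump at *fzPath*, refreshing it when stale.

    A dump that is missing or last modified before *today* is rebuilt with
    ``refreshForwardZone(fzPath, nameServer, domain)`` and read again. Every
    attempt is preceded by a one-second pause and at most *attemptsLeft*
    attempts are made before the process exits.

    Args:
        fzPath: path of the zone dump file (one record per line).
        nameServer: name server passed through to refreshForwardZone.
        domain: zone passed through to refreshForwardZone.
        today: reference date for the staleness check. Defaults to the time
            of the *call*; the original default ``datetime.datetime.today()``
            was evaluated once at import, so a long-running process kept
            comparing against a stale day.
        attemptsLeft: maximum number of read/refresh attempts.

    Returns:
        dict mapping names and answer values to shared Record objects.

    Raises:
        SystemExit: when the zone could not be read after all attempts.
    """
    if today is None:
        today = datetime.datetime.today()

    for _ in range(attemptsLeft):
        sleep(1)  # throttle refresh attempts against the name server
        try:
            fstat = os.stat(fzPath)
        except OSError:
            refreshForwardZone(fzPath, nameServer, domain)
            continue
        if epochToDatetime(fstat.st_mtime).date() < today.date():
            refreshForwardZone(fzPath, nameServer, domain)
            continue
        return _parseForwardZone(fzPath)

    sys.stderr.write('Could not get forward zone, exhausted max attempts of %d\n' % attemptsLeft)
    # Non-zero status: the original bare exit() reported success to the caller.
    sys.exit(1)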
def __init__(self, cirta_id, configs, options, playbook, cirtaHome):
    """Build the event object for one cirta run.

    Args:
        cirta_id: run identifier; the part before its first '.' is an epoch
            timestamp that is rendered into ``cirta_dt``.
        configs: parsed configuration. ``configs['attributes']`` seeds
            ``attrDefaults``; ``configs['cirta']['settings']`` supplies the
            TESTING, ANALYST_USERNAME, SPLUNK_* and IR_PATH* values read below.
        options: parsed command-line options (``test``, ``disable_splunk``).
        playbook: the playbook in use; its ``tracked`` and ``adHoc`` flags
            are copied onto the event.
        cirtaHome: install directory; ``resources`` is resolved under it.
    """
    log.info('msg="initializing event"')
    # These first attributes are written through object.__setattr__, bypassing
    # this class's own __setattr__ -- presumably because that override records
    # attributes into _fifoAttrs and must not see these bookkeeping fields.
    # TODO confirm against the class body (not in this excerpt).
    object.__setattr__(self, 'cirta_id', cirta_id)
    object.__setattr__(self, '_fifoAttrs', OrderedDict())
    object.__setattr__(self, 'attrDefaults', configs['attributes'])
    object.__setattr__(self, 'currentPlugin', 'cirta')
    # From here on the regular attribute path is used; cirta_id is assigned a
    # second time so it also goes through it.
    self.cirta_id = cirta_id
    self.cirta_dt = epochToDatetime(cirta_id.split('.')[0]).strftime("%Y-%m-%d %H:%M:%S")
    self.cirta_status = 'input'
    self._configs = configs
    self._options = options
    self._playbook = playbook
    # The command-line test option, when set, overrides the configured flag.
    self._testing = configs['cirta']['settings']['TESTING']
    if options.test:
        self._testing = options.test
    self._cirtaHome = cirtaHome
    self._tracked = self._playbook.tracked
    self._adhoc = self._playbook.adHoc
    # Initial event time is "now"; _DT is read below, so setEventDateTime
    # presumably sets it.
    self.setEventDateTime(datetime.datetime.today())
    # Analyst identity: configured name wins, otherwise the OS login name.
    if configs['cirta']['settings']['ANALYST_USERNAME']:
        self._analystUsername = configs['cirta']['settings']['ANALYST_USERNAME']
    else:
        self._analystUsername = getpass.getuser()
    self._analystHostname = gethostname()
    # Splunk output is active only when enabled in config AND not disabled on
    # the command line; otherwise a SplunkIt built from all-None arguments is
    # kept so callers can still call event._splunk unconditionally.
    # NOTE(review): SPLUNK_PASSWORD is held on the event for its lifetime --
    # keep that in mind if event attributes are ever dumped or logged.
    if configs['cirta']['settings']['SPLUNK_ENABLED'] and not options.disable_splunk:
        self._splunkEnabled = True
        self._splunk = SplunkIt(configs['cirta']['settings']['SPLUNK_ENABLED'],
                                [x.strip() for x in configs['cirta']['settings']['SPLUNK_INDEXERS'].split(',')],
                                configs['cirta']['settings']['SPLUNK_INDEXER_PORT'],
                                configs['cirta']['settings']['SPLUNK_SEARCH_HEAD'],
                                configs['cirta']['settings']['SPLUNK_SEARCH_HEAD_PORT'],
                                configs['cirta']['settings']['SPLUNK_USER'],
                                configs['cirta']['settings']['SPLUNK_PASSWORD'],
                                configs['cirta']['settings']['SPLUNK_INDEX'],
                                self._analystHostname,
                                self.cirta_id)
    else:
        self._splunkEnabled = False
        self._splunk = SplunkIt(None, None, None, None, None, None, None, None, None, None)
    self._stackTraces = []
    # Plain string concatenation: IR_PATH is presumably expected to end with a
    # path separator -- confirm; os.path.join would not depend on that.
    self._outDir = configs['cirta']['settings']['IR_PATH'] + self._DT.date().isoformat()
    self._outDirGroup = configs['cirta']['settings']['IR_PATH_GROUP']
    self._resourcesPath = os.path.join(self._cirtaHome, 'resources')
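def execute(event):
    """Collect McAfee events around the tracked IP from Splunk.

    Two searches run against ``index=mcafee`` for ``event.ip_address``. The
    raw search over a fixed -20/+10 day window around the event date is
    written to ``<event._baseFilePath>.mc`` and handed to
    ``event._splunk.push``; the second returns the 20 alerts closest in time
    to ``event._DT`` (``ops*`` categories and ``threat_type="none"``
    excluded) and prints them as a tab-separated table.

    Args:
        event: cirta event. Reads ``cirta_id``, ``_DT``, ``ip_address``,
            ``_baseFilePath`` and ``_splunk``.

    Returns:
        None. Prints "No results" and returns early when the raw search
        is empty.
    """
    # Fixed window; other plugins use event._daysBefore/_daysAfter instead.
    daysBefore = 20
    daysAfter = 10
    # Columns of the second search, in the order the header line prints them.
    tableFields = ['threat_type', 'vendor_action', 'user', 'src_ip', 'dest_ip', 'signature', 'file_name']

    def _splQuote(value):
        # Backslash-escape '\' and '"' so a value dropped into a double-quoted
        # SPL term cannot close the quote and append search clauses. For a
        # well-formed IP address this is a no-op.
        return ('%s' % (value,)).replace('\\', '\\\\').replace('"', '\\"')

    sp = Splunk(host=SPLUNK_SEARCH_HEAD, port=SPLUNK_SEARCH_HEAD_PORT, username=SPLUNK_SEARCH_HEAD_USERNAME,
                password=SPLUNK_SEARCH_HEAD_PASSWORD, scheme=SPLUNK_SEARCH_HEAD_SCHEME)
    ip = _splQuote(event.ip_address)

    # Relative "+Nd@d" bounds are anchored on the run's start time (cirta_id prefix).
    cirtaDT = epochToDatetime(event.cirta_id.split('.')[0])
    dayOffset = (event._DT - cirtaDT).days
    earliest = dayOffset - daysBefore
    latest = dayOffset + daysAfter
    # Non-negative offsets need an explicit sign; negatives already carry one.
    if earliest >= 0:
        earliest = '+' + str(earliest)
    if latest >= 0:
        latest = '+' + str(latest)

    rawQuery = (
        'search index=mcafee src_ip="%s" OR dest_ip="%s" earliest_time="%sd@d" latest_time="%sd@d" '
        '| eval mcafee_id = "mc".substr(detected_timestamp, -5, 2).".".AutoID '
        '| sort 0 _time | table _raw'
    ) % (ip, ip, earliest, latest)
    # Python 2 "print x," form: no trailing newline, so "Done" joins the line.
    print('Checking Splunk Raw...'), sys.stdout.flush()
    raw = [x['_raw'] + '\n' for x in sp.search(rawQuery)]
    print('Done')
    if not raw:
        print("No results")
        return
    with open("%s.%s" % (event._baseFilePath, 'mc'), 'w') as orf:
        orf.writelines(raw)  # rows already carry their newline

    query = (
        'search index=mcafee category!="ops*" threat_type!="none" src_ip="%s" OR dest_ip="%s" '
        'earliest_time="%sd@d" latest_time="now" '
        '| eval timedelta = _time - %s | eval position = if(timedelta < 0, "before", "after") '
        '| eval abstimedelta = abs(timedelta) | sort 0 abstimedelta '
        '| head 20 | sort 0 _time | eval mcafee_id = "mc".substr(detected_timestamp, -5, 2).".".AutoID '
        '| table _time %s'
    ) % (ip, ip, earliest, datetimeToEpoch(event._DT), ' '.join(tableFields))
    print('\nChecking Splunk...'), sys.stdout.flush()
    results = list(sp.search(query))
    print('Done')
    if results:
        print("\n_time\t\t\ttype\taction\tuser\tsrc_ip\t\tdest_ip\t\tsignature\t\tfile_name")
        print("-" * 115)
        for result in results:
            # Pick the columns by name in header order. The original joined
            # result.values()[1:], which is not subscriptable on Python 3 and
            # silently relied on the row preserving insertion order.
            cells = [result.get(field) or '' for field in tableFields]
            print(result['_time'].split('.')[0] + "\t" + '\t'.join(cells))
    event._splunk.push(sourcetype=confVars.splunkSourcetype, eventList=raw)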
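def execute(event):
    """Seed the event from a McAfee alert ID (the McAfee initial indicator).

    Prompts for ``mcAfeeID``, resolves it in Splunk (``index=mcafee``, last
    30 days, first match), stores ``alertID``/``alertType``, sets the case
    output path and the event time from the alert, lets the analyst choose
    the source or destination address to track, then prompts for a
    description and calls ``event.setDateRange()``.

    Args:
        event: cirta event; values are stored through ``event.setAttribute``.

    Raises:
        SystemExit: when the ID is unusable or Splunk returns no row for it.
    """
    def _splQuote(value):
        # Backslash-escape '\' and '"' so a value dropped into a double-quoted
        # SPL term cannot close the quote and append search clauses.
        return ('%s' % (value,)).replace('\\', '\\\\').replace('"', '\\"')

    sp = Splunk(host=SPLUNK_SEARCH_HEAD, port=SPLUNK_SEARCH_HEAD_PORT, username=SPLUNK_SEARCH_HEAD_USERNAME,
                password=SPLUNK_SEARCH_HEAD_PASSWORD, scheme=SPLUNK_SEARCH_HEAD_SCHEME)

    if hasattr(event, 'mcAfeeID'):
        event.setAttribute('mcAfeeID', prompt='McAfee ID', header='', force=True)
    else:
        event.setAttribute('mcAfeeID', prompt='McAfee ID', header="McAfee Initial Indicator")
    mcAfeeID = event.mcAfeeID
    # The ID is typed by the analyst and becomes both a search term and part
    # of the case output path (setOutPath), so refuse anything that could
    # step outside the output directory.
    if '/' in mcAfeeID or '\\' in mcAfeeID or mcAfeeID in ('.', '..'):
        log.error("Error: McAfee ID must not contain path separators")
        sys.exit(1)
    event.setAttribute('alertID', mcAfeeID, force=True)
    event.setAttribute('alertType', 'McAfee', force=True)

    query = (
        'search index=mcafee earliest=-30d@d '
        '| eval mcafee_id = "mc".substr(detected_timestamp, -5, 2).".".AutoID '
        '| search mcafee_id="%s" | head 1 '
        '| table detected_timestamp src_ip src_mac dest_ip dest_mac signature category'
    ) % _splQuote(mcAfeeID)
    # Python 2 "print x," form: no trailing newline, so "Done" joins the line.
    print('\nChecking Splunk...'), sys.stdout.flush()
    results = sp.search(query)
    print('Done')
    try:
        # next(iter(...)) handles both list and iterator return types and
        # replaces the Python 2-only results.next().
        result = next(iter(results))
    except StopIteration:
        log.warn("Error: unable to pull McAfee ID event details from Splunk")
        sys.exit(1)

    event.setOutPath(mcAfeeID)
    # detected_timestamp loses its last three characters before the epoch
    # conversion -- presumably a millisecond suffix; confirm against the data.
    timestamp = epochToDatetime(result['detected_timestamp'][:-3])
    srcIP = result['src_ip']
    dstIP = result['dest_ip']
    # src_mac/dest_mac are also in the row but are not stored on the event.
    signature = '%s %s' % (result['category'], result['signature'])

    # Note the UTC offset for the US will always be -x, so adding the offset
    # adds a negative, i.e. subtracts. This is very important for accurate
    # time conversion: always add the offset if the time is in UTC and
    # subtract it if the time is local. If the reverse reads better,
    # event._absUTCOffsetTimeDelta is available.
    # setEventDateTime is called twice: once to initialise utcOffsetTimeDelta
    # from the alert time, then again to adjust event._DT with it.
    event.setEventDateTime(timestamp)
    event.setEventDateTime(event._DT)

    print('\nLocal Timestamp Source IP Destination IP Signature')
    print('-' * 80)
    print('%-20s %-16s %-16s %s\n' % (event._DT.strftime('%Y-%m-%d %H:%M:%S'), srcIP, dstIP, signature))
    event.setAttribute('Event_Date/Time', event._DT.strftime('%Y-%m-%d %H:%M:%S'))

    ans = getUserInWithDef('Track source or destination (s/d)', 's')
    choice = ans.strip().lower()
    # Decide on the leading letter: the original tested `'s' in ans`, which
    # sent an answer of "dest" down the *source* branch.
    if choice.startswith('s') or choice.startswith('d'):
        chosen = srcIP if choice.startswith('s') else dstIP
        if chosen:
            event.setAttribute('ip_address', chosen)
        else:
            event.setAttribute('ip_address', prompt="\nIP Address")
    else:
        # Anything else is offered back as the default, e.g. a typed address.
        event.setAttribute('ip_address', prompt='IP Address', default=ans,
                           description='Neither the source or destination was chosen, please confirm.')
    print('')
    event.setAttribute('description', prompt='Description', default=signature)
    event.setDateRange()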
def execute(event):
    """Pull Cisco ISE events for the tracked MAC address from Splunk.

    Writes the raw ``index=cisco_ise`` rows for the day window around
    ``event._DT`` to ``<event._baseFilePath>.<confVars.outputExtension>``,
    hands them to ``event._splunk.push``, then runs a second search for the
    user / device details closest in time to the event.

    Args:
        event: cirta event. Reads ``adHoc``, ``mac_address`` (optional),
            ``cirta_id``, ``_DT``, ``_daysBefore``, ``_daysAfter``,
            ``_include``, ``_baseFilePath`` and ``_splunk``; may set ``_include``.

    Returns:
        None. Logs a warning and returns early when the first search is empty.
    """
    # Python 2 "print x," form: no trailing newline, so "Done" joins the line.
    print('Checking Splunk for events...'), sys.stdout.flush()
    sp = Splunk(host=SPLUNK_SEARCH_HEAD, port=SPLUNK_SEARCH_HEAD_PORT, username=SPLUNK_SEARCH_HEAD_USERNAME, password=SPLUNK_SEARCH_HEAD_PASSWORD, scheme=SPLUNK_SEARCH_HEAD_SCHEME)
    # Playbook mode derives the filter from the tracked MAC (ISE logs use
    # dashes); in adHoc mode event._include is expected to be set elsewhere.
    # NOTE(review): mac_address is interpolated into the SPL term unescaped.
    if not event.adHoc:
        if hasattr(event, 'mac_address'):
            event._include = 'EndPointMACAddress="%s"' % (event.mac_address.replace(":", "-"))
    # Relative "+Nd@d" bounds are anchored on the run's start time (cirta_id prefix).
    cirtaDT = epochToDatetime(event.cirta_id.split('.')[0])
    timedelta = (datetime.date(event._DT) - datetime.date(cirtaDT)).days
    earliest = timedelta - event._daysBefore
    latest = timedelta + 1 + event._daysAfter
    # Non-negative offsets need an explicit sign; negatives already carry one.
    if earliest >= 0:
        earliest = '+' + str(earliest)
    if latest >= 0:
        latest = '+' + str(latest)
    log.debug('DT="%s" cirtaDT="%s" timedelta="%s" daysBefore="%s" daysAfter="%s" earliest="%s" latest="%s"' % (event._DT, cirtaDT, (event._DT - cirtaDT).days, event._daysBefore, event._daysAfter, earliest, latest))
    query = '''search index=cisco_ise earliest_time="%sd@d" latest_time="%sd@d" %s | table _raw''' % (earliest, latest, event._include)
    log.debug('''msg="raw event query" query="%s"''' % query)
    results = sp.search(query)
    print('Done')
    # NOTE(review): if sp.search() returns an iterator this test never fires;
    # the warning text also says "Infoblox" although the index is cisco_ise.
    if not results:
        log.warn("No Infoblox events exist in Splunk")
        return
    raw = [x['_raw'] for x in results]
    with open('%s.%s' % (event._baseFilePath, confVars.outputExtension), 'w') as outFile:
        for row in raw:
            outFile.write(row + '\n')
    event._splunk.push(sourcetype=confVars.splunkSourcetype, eventList=raw)
    print('\nChecking Splunk for Hostname and MAC...'), sys.stdout.flush()
    # Closest-in-time row that carries an AD identity; the user is the part
    # before '@' of AD_User_Resolved_Identities.
    query = '''search index=cisco_ise earliest_time="%sd@d" latest_time="%sd@d" %s | eval timedelta = abs(_time - %s) | sort 0 timedelta | where isnotnull(AD_User_Resolved_Identities) | rex field=AD_User_Resolved_Identities "(?<user>.+)@" | head 1 | rename NetworkDeviceGroups AS network_device_groups Location AS location EndPointMatchedProfile AS device_type AD_Domain as domain | table user network_device_groups location device_type domain''' % (earliest, latest, event._include, datetimeToEpoch(event._DT))
    log.debug('''msg="raw event query" query="%s"''' % query)
    results = [x for x in sp.search(query)]
    print('Done')
    # NOTE(review): the triple quote below opens a string literal whose end is
    # not in this excerpt -- presumably the remainder of the function was
    # commented out this way. `results` is never used in what is visible here.
    '''
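def _isIPv4Literal(text):
    """Return True when *text* parses as a dotted IPv4 address (socket.inet_aton)."""
    try:
        socket.inet_aton(text)
    except socket.error:
        return False
    return True


def execute(event):
    """Enrich the event from Tenable SecurityCenter (asset facts and vulns).

    Looks ``event.ip_address`` up in SecurityCenter, copies the asset facts it
    returns onto the event (OS, NetBIOS name, MAC, DNS name parts, compliance
    flag, last scan), then pulls the non-informational vulnerability details,
    derives ``username`` (plugin 38689) and ``local_admin`` (plugin 10902),
    prints a summary and writes/pushes the vulnerability rows.

    Args:
        event: cirta event. Reads ``scHostname``, ``scUser``, ``scPassword``,
            ``ip_address``, ``scSeverity``, ``_riskFactors``, ``_baseFilePath``
            and ``_splunk``; sets the attributes listed above.

    Returns:
        None. Logs and returns early when SecurityCenter is unreachable or
        has nothing for the address.
    """
    try:
        from urllib.parse import quote
    except ImportError:  # Python 2
        from urllib import quote

    try:
        sc = SecurityCenter5(event.scHostname)
    except Exception:  # was a bare except, which also trapped SystemExit/KeyboardInterrupt
        log.error("Failed to connect to Security Center")
        return
    sc.login(event.scUser, event.scPassword)

    # The address is spliced into a URL query string: percent-encode it so it
    # cannot introduce extra parameters (a no-op for a well-formed address).
    ipInfo = sc.get('ipInfo?ip=%s' % quote('%s' % (event.ip_address,), safe=':.'))
    if ipInfo.status_code != 200:
        log.warn("No vulnerability results found")
        return
    ipInfo = ipInfo.json()['response']
    if not ipInfo or not ipInfo.get('repositories'):
        log.warn("No vulnerability results found")
        return
    # (The legacy "Asset not found." branch was unreachable after this guard.)

    event.setAttribute('operating_system', ipInfo.get('os'))
    if ipInfo.get('netbiosName'):
        # "DOMAIN\NAME" -> "NAME"
        event.setAttribute('netbios_name', ipInfo.get('netbiosName').split('\\')[-1])
    event.setAttribute('mac_address', ipInfo.get('macAddress'))

    dnsName = ipInfo.get('dnsName')
    # Only a real name yields hostname/fqdn/domain; a dnsName that is itself
    # an IPv4 literal is skipped (the original used the inet_aton failure as
    # the "this is a name" signal).
    if dnsName and not _isIPv4Literal(dnsName):
        event.setAttribute('hostname', dnsName.split('.')[0])
        event.setAttribute('fqdn', dnsName)
        event.setAttribute('domain_name', dnsName.split('.', 1)[-1])

    event.setAttribute('sc_compliant', ipInfo.get('hasCompliance'))
    lastScan = None
    if ipInfo.get('lastScan'):
        lastScan = epochToDatetime(ipInfo.get('lastScan'))
        event.setAttribute('sc_lastScan', lastScan)
    # The original dereferenced event.sc_lastScan unconditionally further down
    # and raised AttributeError for an asset without a recorded scan.
    scanStamp = lastScan.isoformat() if lastScan else ''

    vulns = sc.analysis(('ip', '=', event.ip_address), ('severity', '!=', '0'), tool='vulndetails')
    if not vulns:
        log.warn("No vulnerability details returned for %s" % event.ip_address)
        return

    localAdmins = []
    for vuln in vulns:
        # Flatten the nested objects so rows can be formatted and sorted as strings.
        vuln['severity'] = vuln['severity']['id']
        vuln['repository'] = vuln['repository']['name']
        vuln['family'] = vuln['family']['name']
        if vuln['pluginID'] == '38689':
            # Last logged-on user, scraped from the plugin text.
            event.setAttribute('username', vuln['pluginText'].split('Last Successful logon : ')[-1].split('<')[0])
        elif vuln['pluginID'] == '10902':
            # Members of the local Administrators group, one per <br/>.
            localAdmins = [
                x.split(' - ')[-1]
                for x in vuln['pluginText'].split("'Administrators' group :<br/><br/>")[-1].split('</plugin_output')[0].split('<br/>')
                if x
            ]

    username = getattr(event, 'username', None)
    if username:
        # NOTE(review): substring match -- "bob" also matches "bobby", but an
        # exact comparison would miss entries such as "DOMAIN\bob (User)".
        # Tightening this needs the exact plugin 10902 output format.
        if username.lower() in '\n'.join(localAdmins).lower():
            event.setAttribute('local_admin', True, exceptional=True)
        else:
            event.setAttribute('local_admin', False)

    vulnerabilities = []
    splunkVulnerabilities = []
    excluded = ['pluginText', 'description', 'solution', 'synopsis']
    threshold = event._riskFactors[event.scSeverity.lower()]
    for vuln in sorted(vulns, key=lambda v: int(v['severity']), reverse=True):
        kv = ' '.join(k + '="' + v + '"' for k, v in sorted(vuln.items()) if k not in excluded)
        splunkVulnerabilities.append(scanStamp + ' ' + kv)
        # Only findings at or above the configured severity are printed.
        if int(vuln['severity']) >= threshold:
            vulnerabilities.append('%(ip)-16s%(riskFactor)-13s%(port)-6s%(pluginID)-12s%(pluginName)s' % vuln)

    printStatusMsg('Scan Details', 22, '-', color=colors.HEADER2)
    print('Last Scan: %s' % scanStamp)
    print('SC Compliant: %s' % event.sc_compliant)
    printStatusMsg('Local Admins', 22, '-', color=colors.HEADER2)
    print('\n'.join(sorted(localAdmins)))
    printStatusMsg('Vulnerabilities', 22, '-', color=colors.HEADER2)
    print('%-16s%-13s%-6s%-12s%s' % ('IP', 'Risk Factor', 'Port', 'Plugin ID', 'Plugin Name'))
    print('-' * 80)
    print('\n'.join(vulnerabilities))
    if vulnerabilities:
        event._splunk.push(sourcetype=confVars.splunkSourcetype, eventList=splunkVulnerabilities)
        with open('%s.%s' % (event._baseFilePath, confVars.outputExtension), 'w') as outFile:
            outFile.writelines([x + '\n' for x in splunkVulnerabilities])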
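def execute(event):
    """Pull Fortinet events for the tracked host from Splunk.

    Three searches share one day window around ``event._DT``: the raw
    ``index=fortinet`` rows are written to
    ``<event._baseFilePath>.<confVars.outputExtension>`` and handed to
    ``event._splunk.push``; an ``index=juniper`` lookup supplies
    ``username``; and the UTM rows closest in time to the event (up to 25
    before and 25 after, image/CRL URLs dropped) are appended to
    ``event._vturls`` as ``host + url`` strings.

    Args:
        event: cirta event. Reads ``adHoc``, ``ip_address`` (optional),
            ``cirta_id``, ``_DT``, ``_daysBefore``, ``_daysAfter``,
            ``_include``, ``_baseFilePath`` and ``_splunk``; may set
            ``_include``, ``username`` and ``_vturls``.

    Returns:
        None. Logs a warning and returns early when a search is empty.
    """
    def _splQuote(value):
        # Backslash-escape '\' and '"' so a value dropped into a double-quoted
        # SPL term cannot close the quote and append search clauses. For a
        # well-formed IP address this is a no-op.
        return ('%s' % (value,)).replace('\\', '\\\\').replace('"', '\\"')

    # Python 2 "print x," form: no trailing newline, so "Done" joins the line.
    print('\nChecking Splunk for events...'), sys.stdout.flush()
    sp = Splunk(host=SPLUNK_SEARCH_HEAD, port=SPLUNK_SEARCH_HEAD_PORT, username=SPLUNK_SEARCH_HEAD_USERNAME,
                password=SPLUNK_SEARCH_HEAD_PASSWORD, scheme=SPLUNK_SEARCH_HEAD_SCHEME)

    # Playbook mode derives the filter from the tracked IP; in adHoc mode
    # event._include is expected to have been supplied elsewhere.
    if not event.adHoc and hasattr(event, 'ip_address'):
        ip = _splQuote(event.ip_address)
        event._include = 'src="%s" OR dest="%s"' % (ip, ip)

    # Relative "+Nd@d" bounds are anchored on the run's start time (cirta_id prefix).
    cirtaDT = epochToDatetime(event.cirta_id.split('.')[0])
    # .date() works whether `datetime` is bound to the module or the class.
    dayOffset = (event._DT.date() - cirtaDT.date()).days
    earliest = dayOffset - event._daysBefore
    # +1: presumably so the day-snapped latest bound covers the whole last day.
    latest = dayOffset + 1 + event._daysAfter
    # Non-negative offsets need an explicit sign; negatives already carry one.
    if earliest >= 0:
        earliest = '+' + str(earliest)
    if latest >= 0:
        latest = '+' + str(latest)
    eventEpoch = datetimeToEpoch(event._DT)

    query = '''search index=fortinet earliest_time="%sd@d" latest_time="%sd@d" %s | table _raw''' % (earliest, latest, event._include)
    log.debug('''msg="raw event query" query="%s"''' % query)
    # Materialise so the emptiness test works even if sp.search() yields an iterator.
    results = list(sp.search(query))
    print('Done')
    if not results:
        # The original message said "Juniper" although this search is index=fortinet.
        log.warn("No Fortinet events exist in Splunk")
        return
    raw = [x['_raw'] for x in results]
    with open('%s.%s' % (event._baseFilePath, confVars.outputExtension), 'w') as outFile:
        outFile.writelines(row + '\n' for row in raw)
    event._splunk.push(sourcetype=confVars.splunkSourcetype, eventList=raw)

    print('\nChecking Splunk for user...'), sys.stdout.flush()
    # NOTE(review): this lookup queries index=juniper while every other search
    # in this plugin uses index=fortinet -- confirm that is intended.
    query = (
        'search index=juniper earliest_time="%sd@d" latest_time="%sd@d" %s '
        '| eval timedelta = abs(_time - %s) | sort 0 timedelta '
        '| where isnotnull(user) | head 1 | table user'
    ) % (earliest, latest, event._include, eventEpoch)
    results = list(sp.search(query))
    print('Done')
    if results and 'user' in results[0]:
        event.setAttribute('username', results[0]['user'].lower())
    else:
        log.warn("Warning: unable to pull Fortinet user from Splunk")

    print('\nChecking Splunk for surrounding events...'), sys.stdout.flush()
    # Up to 25 distinct host/url pairs on each side of the event, nearest first,
    # then re-sorted chronologically. (A first, unused draft of this query was
    # dropped.) Raw string: the regex carries literal backslashes.
    query = (
        r'search index=fortinet type=utm earliest_time="%sd@d" latest_time="%sd@d" %s '
        r'| regex url!="\.jpg$|\.png$|\.gif$|\.crl$" '
        r'| eval timedelta = _time - %s | eval position = if(timedelta < 0, "before", "after") '
        r'| eval abstimedelta = abs(timedelta) | sort 0 abstimedelta | dedup hostname url '
        r'| streamstats count AS row by position | where row <= 25 '
        r'| eval uri = coalesce(hostname, dstip) + url | sort 0 _time '
        r'| table _time srcip user status uri'
    ) % (earliest, latest, event._include, eventEpoch)
    log.debug('''msg="raw event query" query="%s"''' % query)
    results = list(sp.search(query))
    print('Done')
    if not results:
        log.warn("Warning: unable to pull surrounding Fortinet events from Splunk")
        return
    uris = [x['uri'] for x in results]
    if hasattr(event, '_vturls'):
        event._vturls.extend(uris)
    else:
        event._vturls = uris
    print('')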
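def execute(event):
    """Pull Infoblox events for the tracked host from Splunk.

    Writes the raw ``index=infoblox`` rows for the day window around
    ``event._DT`` to ``<event._baseFilePath>.<confVars.outputExtension>``,
    hands them to ``event._splunk.push``, then runs a ``stats first(...)``
    search for the host's ``hostname`` and ``src_mac`` (the record preceding
    the event in playbook mode, any record in adHoc mode) and stores them as
    ``hostname`` / ``mac_address``.

    Args:
        event: cirta event. Reads ``adHoc``, ``ip_address`` (optional),
            ``cirta_id``, ``_DT``, ``_daysBefore``, ``_daysAfter``,
            ``_include``, ``_baseFilePath`` and ``_splunk``; may set
            ``_include``, ``mac_address`` and ``hostname``.

    Returns:
        None. Logs a warning and returns early when the raw search is empty.
    """
    def _splQuote(value):
        # Backslash-escape '\' and '"' so a value dropped into a double-quoted
        # SPL term cannot close the quote and append search clauses. For a
        # well-formed IP address this is a no-op.
        return ('%s' % (value,)).replace('\\', '\\\\').replace('"', '\\"')

    # Python 2 "print x," form: no trailing newline, so "Done" joins the line.
    print('Checking Splunk for events...'), sys.stdout.flush()
    sp = Splunk(host=SPLUNK_SEARCH_HEAD, port=SPLUNK_SEARCH_HEAD_PORT, username=SPLUNK_SEARCH_HEAD_USERNAME,
                password=SPLUNK_SEARCH_HEAD_PASSWORD, scheme=SPLUNK_SEARCH_HEAD_SCHEME)

    # Playbook mode derives the filter from the tracked IP; in adHoc mode
    # event._include is expected to have been supplied elsewhere.
    if not event.adHoc and hasattr(event, 'ip_address'):
        event._include = 'src="%s"' % _splQuote(event.ip_address)

    # Relative "+Nd@d" bounds are anchored on the run's start time (cirta_id prefix).
    cirtaDT = epochToDatetime(event.cirta_id.split('.')[0])
    # .date() works whether `datetime` is bound to the module or the class.
    dayOffset = (event._DT.date() - cirtaDT.date()).days
    earliest = dayOffset - event._daysBefore
    # +1: presumably so the day-snapped latest bound covers the whole last day.
    latest = dayOffset + 1 + event._daysAfter
    # Non-negative offsets need an explicit sign; negatives already carry one.
    if earliest >= 0:
        earliest = '+' + str(earliest)
    if latest >= 0:
        latest = '+' + str(latest)
    log.debug('DT="%s" cirtaDT="%s" timedelta="%s" daysBefore="%s" daysAfter="%s" earliest="%s" latest="%s"'
              % (event._DT, cirtaDT, (event._DT - cirtaDT).days, event._daysBefore, event._daysAfter, earliest, latest))

    query = '''search index=infoblox earliest_time="%sd@d" latest_time="%sd@d" %s | table _raw''' % (earliest, latest, event._include)
    log.debug('''msg="raw event query" query="%s"''' % query)
    # Materialise so the emptiness test works even if sp.search() yields an iterator.
    results = list(sp.search(query))
    print('Done')
    if not results:
        log.warn("No Infoblox events exist in Splunk")
        return
    raw = [x['_raw'] for x in results]
    with open('%s.%s' % (event._baseFilePath, confVars.outputExtension), 'w') as outFile:
        outFile.writelines(row + '\n' for row in raw)
    event._splunk.push(sourcetype=confVars.splunkSourcetype, eventList=raw)

    print('\nChecking Splunk for Hostname and MAC...'), sys.stdout.flush()
    if event.adHoc:
        query = (
            'search index=infoblox earliest_time="%sd@d" latest_time="%sd@d" %s '
            '| stats first(hostname) AS hostname first(src_mac) AS src_mac'
        ) % (earliest, latest, event._include)
    else:
        # Nearest record at or before the event time.
        query = (
            'search index=infoblox earliest_time="%sd@d" latest_time="%sd@d" %s '
            '| eval timedelta = %s -_time | where timedelta >= 0 | sort 0 timedelta '
            '| stats first(hostname) AS hostname first(src_mac) AS src_mac'
        ) % (earliest, latest, event._include, datetimeToEpoch(event._DT))
    log.debug('''msg="raw event query" query="%s"''' % query)
    results = list(sp.search(query))
    print('Done')
    # Require a non-empty value: a stats row can carry the column with an
    # empty string, and storing '' as mac_address/hostname would feed an
    # empty filter to the plugins that key off those attributes.
    first = results[0] if results else {}
    if first.get('src_mac'):
        event.setAttribute('mac_address', first['src_mac'].lower())
    else:
        log.warn("Warning: unable to pull Infoblox MAC from Splunk")
    if first.get('hostname'):
        event.setAttribute('hostname', first['hostname'].lower())
    else:
        log.warn("Warning: unable to pull Infoblox hostname from Splunk")
    print('')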
def logInScope(path):
    """Return True when the log file named by *path* lies inside the pcap window.

    The epoch stamp is the last dot-separated component of *path*; it is
    shifted by ``event._utcOffsetTimeDelta`` and then compared, inclusively
    on both ends, against ``event._pcapStart`` and ``event._pcapEnd``
    (``event`` is taken from the enclosing scope).
    """
    stamp = path.rsplit('.', 1)[-1]
    when = epochToDatetime(stamp) - event._utcOffsetTimeDelta
    return event._pcapStart <= when <= event._pcapEnd