def run(self, idmef):
    """Correlate firewall drop alerts with other alerts aimed at the same target.

    Two kinds of IDMEF alerts are handled, decided by the classification text:

    * Firewall "packet dropped" / "denied" alerts: the target host is recorded
      in the shared ``FIREWALL INFOS`` context as protected, along with the
      (source address + destination port) that was blocked and the drop time.
    * Any other alert: if the target is known to be protected and the same
      (source, port) was seen dropped within ``self._flush_protected_hosts``
      seconds, the alert is discarded (the firewall already handled it). When
      the protection record is older than that, it is evicted. Otherwise the
      alert is appended to a per-source ``FIREWALL`` context whose 120 s expiry
      hands the accumulated candidates to ``_alert``.

    Only IPv4/IPv6 addresses are considered; alerts lacking a source, a target
    or a destination port are ignored.

    NOTE(review): the listing this was derived from had its indentation lost;
    this reading attaches the FIREWALL candidate bookkeeping to the non-drop
    path only.
    """
    ip_categories = ("ipv4-addr", "ipv6-addr")

    source = idmef.get("alert.source(0).node.address(0).address")
    source_cat = idmef.get("alert.source(0).node.address(0).category")
    target = idmef.get("alert.target(0).node.address(0).address")
    target_cat = idmef.get("alert.target(0).node.address(0).category")
    dport = idmef.get("alert.target(0).service.port")

    # Incomplete addressing information: nothing to correlate on.
    # NOTE(review): a destination port of 0 is falsy and is dropped here too.
    if not (source and target and dport):
        return
    if source_cat not in ip_categories or target_cat not in ip_categories:
        return

    # Key identifying the blocked flow within a target's record.
    # NOTE(review): the address and port are concatenated without a separator,
    # so two distinct (address, port) pairs could in principle yield the same
    # key; kept as-is so existing context state keeps matching.
    flow_key = source + str(dport)

    infos = context.Context(
        "FIREWALL INFOS",
        {"expire": self._flush_protected_hosts, "alert_on_expire": _evict},
        update=True, ruleid=self.name)
    if infos.getUpdateCount() == 0:
        # First use of the shared context:
        # target -> [time of last drop, {flow_key: True, ...}]
        infos._protected_hosts = {}
        infos._flush_protected_hosts = self._flush_protected_hosts

    drop_pattern = re.compile("[Pp]acket [Dd]ropped|[Dd]enied")
    if idmef.match("alert.classification.text", drop_pattern):
        record = infos._protected_hosts.setdefault(target, [0, {}])
        record[0] = float(idmef.getTime())
        record[1][flow_key] = True
        return

    # Non-drop alert: only relevant if the target is behind the firewall.
    if target not in infos._protected_hosts:
        return

    last_drop, blocked_flows = infos._protected_hosts[target]
    if time.time() - last_drop > self._flush_protected_hosts:
        # Protection record is stale: forget the host and ignore this alert.
        infos._protected_hosts.pop(target)
        return

    if flow_key in blocked_flows:
        # The firewall already dropped this source/port: nothing reached the target.
        return

    # The alert got through a firewall that protects this target: collect it
    # per source and let _alert decide when the context expires.
    per_source = context.Context(
        ("FIREWALL", source),
        {"expire": 120, "alert_on_expire": _alert},
        update=True, ruleid=self.name)
    if per_source.getUpdateCount() == 0:
        per_source.candidates = []
    per_source.candidates.append(idmef)
def run(self, idmef):
    """Flag alerts whose source address is listed in the DShield data.

    Every source address of the alert is looked up in the reputation data
    returned by ``self.__data.get()``; a hit creates or updates a per-source
    ``DSHIELD`` context that raises its own correlation alert on expiry
    (300 s). The alert text is filled in only on the first hit for a source;
    later hits merely merge the new idmef into the existing context.
    """
    reputation = self.__data.get()

    for source in idmef.get("alert.source(*).node.address(*).address"):
        entry = reputation.get(source)
        if not entry:
            continue

        hit = context.Context(
            ("DSHIELD", source),
            {"expire": 300, "alert_on_expire": True},
            update=True, idmef=idmef, ruleid=self.name)
        if hit.getUpdateCount() != 0:
            # Already described on an earlier hit for this source.
            continue

        # NOTE(review): entry is read as (reports, attacks, first seen, last seen)
        # — confirm against the loader behind self.__data.
        reports, attacks, first_seen, last_seen = entry[0], entry[1], entry[2], entry[3]
        summary = "IP source matching Dshield database"
        hit.set("alert.classification.text", summary)
        hit.set("alert.correlation_alert.name", summary)
        hit.set("alert.assessment.impact.description",
                "Dshield gathered this IP address from firewall drops logs "
                "(%s - reports: %d, attacks: %d, first/last seen: %s - %s)"
                % (source, reports, attacks, first_seen, last_seen))
        hit.set("alert.assessment.impact.severity", "high")
def run(self, idmef):
    """Detect a host replaying, against new targets, an attack it recently suffered.

    For each target of the alert a ``("WORM HOST", classification, target)``
    context is kept for 300 s, holding the set of hosts that target has since
    been seen attacking. For each source, the context of the same
    classification keyed by that *source* is looked up: if it exists, the
    source was itself a target of this classification recently. The current
    targets are merged into its target list; when the list grew, the context
    is updated, and once it holds at least ``self.__repeat_target`` hosts a
    "Possible Worm Activity" correlation alert is raised and the context
    destroyed.
    """
    classification = idmef.get("alert.classification.text")
    if not classification:
        return

    # Every target becomes a candidate worm host for this classification.
    current_targets = {}
    for target in idmef.get("alert.target(*).node.address(*).address"):
        target_ctx = context.Context(
            ("WORM HOST", classification, target),
            {"expire": 300},
            overwrite=False, idmef=idmef, ruleid=self.name)
        if target_ctx.getUpdateCount() == 0:
            target_ctx._target_list = {}
        current_targets[target] = True

    for source in idmef.get("alert.source(*).node.address(*).address"):
        # A context keyed by this source means it was recently hit by the
        # same classification and is now acting as a source.
        host_ctx = context.search(("WORM HOST", classification, source))
        if not host_ctx:
            continue

        before = len(host_ctx._target_list)
        host_ctx._target_list.update(current_targets)
        after = len(host_ctx._target_list)
        if after <= before:
            # No previously unseen target: nothing to record.
            continue

        host_ctx.update(idmef=idmef)
        if after < self.__repeat_target:
            continue

        host_ctx.set("alert.classification.text", "Possible Worm Activity")
        host_ctx.set("alert.correlation_alert.name",
                     "Source host is repeating actions taken against it recently")
        host_ctx.set("alert.assessment.impact.severity", "high")
        host_ctx.set("alert.assessment.impact.description",
                     source + " has repeated actions taken against it recently at least %d times. It may have been infected with a worm." % self.__repeat_target)
        host_ctx.alert()
        host_ctx.destroy()
def run(self, idmef):
    """Flag alerts whose source address appears in the CIArmy data.

    Each source address of the alert is checked for membership in the data
    returned by ``self.__data.get()``. A match creates or updates a per-source
    ``CIARMY`` context that raises its correlation alert on expiry (300 s);
    the alert text is filled in only on the first match for that source.
    """
    listed = self.__data.get()
    sources = idmef.get("alert.source(*).node.address(*).address")

    for source in (addr for addr in sources if addr in listed):
        hit = context.Context(
            ("CIARMY", source),
            {"expire": 300, "alert_on_expire": True},
            update=True, idmef=idmef, ruleid=self.name)
        if hit.getUpdateCount() != 0:
            # Already described on an earlier match; idmef merged above.
            continue

        summary = "IP source matching CIArmy database"
        hit.set("alert.classification.text", summary)
        hit.set("alert.correlation_alert.name", summary)
        hit.set("alert.assessment.impact.description",
                "CIArmy gathered this IP address from firewall drop logs (%s)" % source)
        hit.set("alert.assessment.impact.severity", "high")