Exemplo n.º 1
    def run(self, idmef):
        source = idmef.Get("alert.source(0).node.address(0).address")
        sport = idmef.Get("alert.source(0).service.port", 0)
        target = idmef.Get("alert.target(0).node.address(0).address")
        dport = idmef.Get("alert.target(0).service.port", 0)

        if not source or not target:

        ctxname = "FIREWALL_" + source + str(sport) + target + str(dport)

        if idmef.match("alert.classification.text", re.compile("[Pp]acket [Dd]ropped|[Dd]enied")):
                # Update context if any, removing the alert_on_expire attribute.
                ctx = context.Context(ctxname, { "expire": 10 }, update = True)
                # Begins a timer for every event that contains a source and a target
                # address which has not been matched by an observed packet denial.  If a packet
                # denial is not observed in the next 10 seconds, an event alert is generated.

                if not context.search(ctxname):
                        ctx = context.Context(ctxname, { "expire": 10, "alert_on_expire": True })
                        ctx.Set("alert.source", idmef.Get("alert.source"))
                        ctx.Set("alert.target", idmef.Get("alert.target"))
                        ctx.Set("alert.assessment", idmef.Get("alert.assessment"))
                        ctx.Set("alert.classification", idmef.Get("alert.classification"))
                        ctx.Set("alert.correlation_alert.name", "Events to firewall correlation")
                        ctx.Set("alert.correlation_alert.alertident(0).analyzerid", idmef.Get("alert.analyzer(*).analyzerid")[-1])
                        ctx.Set("alert.correlation_alert.alertident(0).alertident", idmef.Get("alert.messageid"))
Exemplo n.º 2
Arquivo: worm.py Projeto: yoannv/pycor
    def run(self, idmef):
        ctxt = idmef.Get("alert.classification.text")
        if not ctxt:

        # Create context for classification combined with all the target.
        for target in idmef.Get("alert.target(*).node.address(*).address"):
            ctx = context.Context("WORM_HOST_" + ctxt + target, { "expire": 300, "threshold": 5 }, update = True)

        for source in idmef.Get("alert.source(*).node.address(*).address"):
            # We are trying to see whether a previous target is now attacking other hosts
            # thus, we check whether a context exist with this classification combined to
            # this source.
            ctx = context.search("WORM_HOST_" + ctxt + source)
            if not ctx:

            ctx.Set("alert.source(>>)", idmef.Get("alert.source"))
            ctx.Set("alert.target(>>)", idmef.Get("alert.target"))
            ctx.Set("alert.correlation_alert.alertident(>>).alertident", idmef.Get("alert.messageid"))
            ctx.Set("alert.correlation_alert.alertident(-1).analyzerid", idmef.Get("alert.analyzer(*).analyzerid")[-1])

            # Increase and check the context threshold.
            if ctx.CheckAndDecThreshold():
                ctx.Set("alert.classification.text", "Possible Worm Activity")
                ctx.Set("alert.correlation_alert.name", "Source host repeating actions taken against it recently")
                ctx.Set("alert.assessment.impact.severity", "high")
                ctx.Set("alert.assessment.impact.description", source + " has repeated actions taken against it recently at least 5 times. It may have been infected with a worm.")