def showESResult(esid):
search = get_hits(esid)
for result in search['hits']['hits']:
esindex = result['_index']
result = result['_source']
return render_template("result.html", result=result, esindex=esindex)
def createHiveCase(esid):
search = get_hits(esid)
tlp = int(parser.get('hive', 'hive_tlp'))
severity = 2
for item in search['hits']['hits']:
result = item['_source']
es_id = item['_id']
try:
message = result['message']
description = str(message)
except:
description = str(result)
sourceRef = str(uuid.uuid4())[0:6]
tags = ["SecurityOnion"]
artifacts = []
event = result['event']
src = srcport = dst = dstport = None
if event['dataset'] == 'alert':
title = result['rule']['name']
else:
title = f'New {event["module"].capitalize()} {event["dataset"].capitalize()} Event'
form = DefaultForm()
#artifact_string = jsonpickle.encode(artifacts)
return render_template('hive.html',
title=title,
description=description,
severity=severity,
form=form)
def createRTIRIncident(esid):
search = get_hits(esid)
rtir_url = parser.get('rtir', 'rtir_url')
rtir_api = parser.get('rtir', 'rtir_api')
rtir_user = parser.get('rtir', 'rtir_user')
rtir_pass = parser.get('rtir', 'rtir_pass')
rtir_queue = parser.get('rtir', 'rtir_queue')
rtir_creator = parser.get('rtir', 'rtir_creator')
verify_cert = parser.getboolean('rtir', 'rtir_verifycert', fallback=False)
for result in search['hits']['hits']:
result = result['_source']
message = result['message']
description = str(message)
event = result['event']
rtir_subject = f'New {event["module"]}_{event["dataset"]} Event From Security Onion'
rtir_text = description
rtir_rt = rt.Rt(rtir_url + '/' + rtir_api,
rtir_user,
rtir_pass,
verify_cert=verify_cert)
rtir_rt.login()
rtir_rt.create_ticket(Queue=rtir_queue,
Owner=rtir_creator,
Subject=rtir_subject,
Text=rtir_text)
rtir_rt.logout()
# Redirect to RTIR instance
return redirect(rtir_url)
def eventModifyFields(esid):
search = get_hits(esid)
for result in search['hits']['hits']:
esindex = result['_index']
result = result['_source']
tags = result['tags']
form = DefaultForm()
return render_template('update_event.html', result=result, esindex=esindex, esid=esid, tags=tags, form=form)
def createStrelkaScan(esid):
search = get_hits(esid)
for result in search['hits']['hits']:
result = result['_source']
extracted_file = result['extracted']
conn_id = result['log']['id']['uid'][0]
sensorsearch = get_conn(conn_id)
for result in sensorsearch['hits']['hits']:
result = result['_source']
sensor = result['observer']['name'].rsplit('-', 1)[0]
strelka_scan_drop = "echo " + sensor + "," + extracted_file + " >> /tmp/soctopus/strelkaq.log"
os.system(strelka_scan_drop)
return render_template('strelka.html', extracted_file=extracted_file, sensor=sensor)
def createFIREvent(esid):
search = get_hits(esid)
fir_api = '/api/incidents'
fir_url = parser.get('fir', 'fir_url')
fir_token = parser.get('fir', 'fir_token')
actor = parser.get('fir', 'fir_actor')
category = parser.get('fir', 'fir_category')
confidentiality = parser.get('fir', 'fir_confidentiality')
detection = parser.get('fir', 'fir_detection')
plan = parser.get('fir', 'fir_plan')
severity = parser.get('fir', 'fir_severity')
verify_cert = parser.getboolean('fir', 'fir_verifycert', fallback=False)
for result in search['hits']['hits']:
result = result['_source']
message = result['message']
event = result['event']
description = str(message)
subject = f'New {event["module"]}_{event["dataset"]} Event From Security Onion'
headers = {
'Authorization': 'Token ' + fir_token,
'Content-type': 'application/json'
}
data = {
"actor": actor,
"category": category,
"confidentiality": confidentiality,
"description": description,
"detection": detection,
"plan": plan,
"severity": int(severity),
"subject": subject
}
requests.post(fir_url + fir_api,
headers=headers,
data=json.dumps(data),
verify=verify_cert)
# Redirect to FIR instance
return redirect(fir_url + '/events')
def createSlackAlert(esid):
search = get_hits(esid)
slack_url = parser.get('slack', 'slack_url')
webhook_url = parser.get('slack', 'slack_webhook')
for result in search['hits']['hits']:
result = result['_source']
message = result['message']
description = str(message)
slack_data = {'text': description}
response = requests.post(webhook_url,
data=json.dumps(slack_data),
headers={'Content-Type': 'application/json'})
if response.status_code != 200:
raise ValueError(
'Request to slack returned an error %s, the response is:\n%s' %
(response.status_code, response.text))
# Redirect to Slack workspace
return redirect(slack_url)
def createMISPEvent(esid):
search = get_hits(esid)
# MISP Stuff
misp_url = parser.get('misp', 'misp_url')
misp_key = parser.get('misp', 'misp_key')
misp_verifycert = parser.getboolean('misp',
'misp_verifycert',
fallback=False)
distrib = parser.get('misp', 'distrib')
threat = parser.get('misp', 'threat')
analysis = parser.get('misp', 'analysis')
for result in search['hits']['hits']:
result = result['_source']
message = result['message']
description = str(message)
info = description
def init(url, key):
return PyMISP(url, key, ssl=misp_verifycert, debug=True)
misp = init(misp_url, misp_key)
event = misp.new_event(distrib, threat, analysis, info)
event_id = str(event['Event']['id'])
if result.get('source', {}).get('ip'):
data_type = "ip-src"
source_ip = result['source']['ip']
misp.add_named_attribute(event_id, data_type, source_ip)
if result.get('destination', {}).get('ip'):
data_type = "ip-dst"
destination_ip = result['destination']['ip']
misp.add_named_attribute(event_id, data_type, destination_ip)
# Redirect to MISP instance
return redirect(misp_url + '/events/index')
def createHiveAlert(esid):
search = get_hits(esid)
# Hive Stuff
hive_url = parser.get('hive', 'hive_url')
hive_api = hiveInit()
tlp = int(parser.get('hive', 'hive_tlp'))
for item in search['hits']['hits']:
# Get initial details
result = item['_source']
message = result['message']
es_id = item['_id']
description = str(message)
sourceRef = str(uuid.uuid4())[0:6]
tags = ["SecurityOnion"]
artifacts = []
event = result['event']
src = srcport = dst = dstport = None
if 'source' in result:
if 'ip' in result['source']:
src = str(result['source']['ip'])
if 'port' in result['source']:
srcport = str(result['source']['port'])
if 'destination' in result:
if 'ip' in result['destination']:
dst = str(result['destination']['ip'])
if 'port' in result['destination']:
dstport = str(result['destination']['port'])
# NIDS Alerts
if event['module'] == 'ids':
alert = result['rule']['name']
sid = str(result['rule']['signature_id'])
category = result['rule']['category']
sensor = result['observer']['name']
masterip = str(es_url.split("//")[1].split(":")[0])
tags.append("nids")
tags.append(category)
title = alert
print(alert)
sys.stdout.flush()
# Add artifacts
artifacts.append(AlertArtifact(dataType='ip', data=src))
artifacts.append(AlertArtifact(dataType='ip', data=dst))
artifacts.append(AlertArtifact(dataType='other', data=sensor))
description = "`NIDS Dashboard:` \n\n <https://" + masterip + f"/kibana/so-soctopus/kibana#/dashboard/ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:{es_index}',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'sid:" + sid + "')),sort:!('@timestamp',desc))> \n\n `IPs: `" + src + ":" + srcport + "-->" + dst + ":" + dstport + "\n\n `Signature:`" + alert + "\n\n `PCAP:` " + "https://" + masterip + "/kibana/so-soctopus//sensoroni/securityonion/joblookup?redirectUrl=/sensoroni/&esid=" + es_id
# Zeek logs
elif event['module'] == 'zeek':
_map_key_type = {
"conn": "Connection",
"dhcp": "DHCP",
"dnp3": "DNP3",
"dns": "DNS",
"file": "Files",
"ftp": "FTP",
"http": "HTTP",
"intel": "Intel",
"irc": "IRC",
"kerberos": "Kerberos",
"modbus": "Modbus",
"mysql": "MySQL",
"ntlm": "NTLM",
"pe": "PE",
"radius": "RADIUS",
"rdp": "RDP",
"rfb": "RFB",
"sip": "SIP",
"smb": "SMB",
"smtp": "SMTP",
"snmp": "SNMP",
"ssh": "SSH",
"ssl": "SSL",
"syslog": "Syslog",
"weird": "Weird",
"x509": "X509"
}
zeek_tag = event['dataset']
zeek_tag_title = _map_key_type.get(zeek_tag)
title = str('New Zeek ' + zeek_tag_title + ' record!')
if src:
artifacts.append(AlertArtifact(dataType='ip', data=src))
if dst:
artifacts.append(AlertArtifact(dataType='ip', data=dst))
if result.get('observer', {}).get('name'):
sensor = str(result['observer']['name'])
artifacts.append(AlertArtifact(dataType='other', data=sensor))
if result.get('log', {}).get('id', {}).get('uid'):
uid = str(result['log']['id']['uid'])
title = str('New Zeek ' + zeek_tag_title + ' record! - ' + uid)
artifacts.append(AlertArtifact(dataType='other', data=uid))
if result.get('log', {}).get('id', {}).get('fuid'):
fuid = str(result['log']['id']['fuid'])
title = str('New Zeek ' + zeek_tag_title + ' record! - ' +
fuid)
artifacts.append(AlertArtifact(dataType='other', data=fuid))
if result.get('log', {}).get('id', {}).get('id'):
fuid = str(result['log']['id']['id'])
title = str('New Zeek ' + zeek_tag_title + ' record! - ' +
fuid)
artifacts.append(AlertArtifact(dataType='other', data=fuid))
tags.append('zeek')
tags.append(zeek_tag)
# Wazuh/OSSEC logs
elif event['module'] == 'ossec':
agent_name = result['agent']['name']
if 'description' in result:
ossec_desc = result['rule']['description']
else:
ossec_desc = result['log']['full']
if 'ip' in result['agent']:
agent_ip = result['agent']['ip']
artifacts.append(AlertArtifact(dataType='ip', data=agent_ip))
artifacts.append(
AlertArtifact(dataType='other', data=agent_name))
else:
artifacts.append(
AlertArtifact(dataType='other', data=agent_name))
title = ossec_desc
tags.append("wazuh")
# Sysmon logs
elif event['module'] == 'sysmon':
if 'ossec' in result['tags']:
agent_name = result['agent']['name']
agent_ip = result['agent']['ip']
artifacts.append(AlertArtifact(dataType='ip', data=agent_ip))
artifacts.append(
AlertArtifact(dataType='other', data=agent_name))
tags.append("wazuh")
elif 'beat' in result['tags']:
agent_name = str(result['agent']['hostname'])
if result.get('agent'):
try:
os_name = str(result['agent']['os']['name'])
artifacts.append(
AlertArtifact(dataType='other', data=os_name))
except:
pass
try:
beat_name = str(result['agent']['name'])
artifacts.append(
AlertArtifact(dataType='other', data=beat_name))
except:
pass
if result.get('source', {}).get('hostname'):
source_hostname = result['source']['hostname']
artifacts.append(
AlertArtifact(dataType='fqdn', data=source_hostname))
if result.get('source', {}).get('ip'):
source_ip = str(result['source']['ip'])
artifacts.append(
AlertArtifact(dataType='ip', data=source_ip))
if result.get('destination', {}).get('ip'):
destination_ip = str(result['destination']['ip'])
artifacts.append(
AlertArtifact(dataType='ip', data=destination_ip))
# FIXME: find what "image_path" has been changed to
# if 'image_path' in result:
# image_path = str(result['image_path'])
# artifacts.append(AlertArtifact(dataType='filename', data=image_path))
# FIXME: find what "Hashes" has been changed to
# if 'Hashes' in result['data']['data']:
# hashes = result['event']['data']['Hashes']
# for hash in hashes.split(','):
# if hash.startswith('MD5') or hash.startswith('SHA256'):
# artifacts.append(AlertArtifact(dataType='hash', data=hash.split('=')[1]))
tags.append("agent")
else:
agent_name = ''
title = "New Sysmon Event! - " + agent_name
else:
title = f'New {event["module"]}_{event["dataset"]} Event From Security Onion'
form = DefaultForm()
artifact_string = jsonpickle.encode(artifacts)
return render_template('hive.html',
title=title,
tlp=tlp,
tags=tags,
description=description,
artifact_string=artifact_string,
sourceRef=sourceRef,
form=form)
def createGRRFlow(esid, flow_name):
search = get_hits(esid)
tlp = int(parser.get('hive', 'hive_tlp'))
hive_api = hiveInit()
grr_url = parser.get('grr', 'grr_url')
grr_user = parser.get('grr', 'grr_user')
grr_pass = parser.get('grr', 'grr_pass')
grrapi = api.InitHttp(api_endpoint=grr_url, auth=(grr_user, grr_pass))
base64string = '%s:%s' % (grr_user, grr_pass)
base64string = base64.b64encode(bytes(base64string, "utf-8"))
auth_header = "Basic %s" % base64string
index_response = requests.get(grr_url,
auth=HTTPBasicAuth(grr_user, grr_pass))
csrf_token = index_response.cookies.get("csrftoken")
headers = {
"Authorization": auth_header,
"x-csrftoken": csrf_token,
"x-requested-with": "XMLHttpRequest"
}
cookies = {"csrftoken": csrf_token}
for result in search['hits']['hits']:
result = result['_source']
message = result['message']
if result.get('source', {}).get('ip'):
source_ip = result['source']['ip']
if result.get('destination', {}).get('ip'):
destination_ip = result['destination']['ip']
for ip in source_ip, destination_ip:
search_result = grrapi.SearchClients(ip)
grr_result = {}
client_id = ''
for client in search_result:
# Get client id
client_id = client.client_id
client_last_seen_at = client.data.last_seen_at
grr_result[client_id] = client_last_seen_at
if client_id is None:
pass
# Process flow and get flow id
flow_id = listProcessFlow(client_id, grr_url, headers, cookies,
grr_user, grr_pass)
# Get status
status = checkFlowStatus(client_id, grr_url, flow_id, headers,
cookies, grr_user, grr_pass)
# Keep checking to see if complete
while status != "terminated":
time.sleep(15)
print(
"Flow not yet completed..waiting 15 secs before attempting to check status again..."
)
status = checkFlowStatus(client_id, grr_url, flow_id,
headers, cookies, grr_user,
grr_pass)
# If terminated, run the download
if status == "terminated":
downloadFlowResults(client_id, grr_url, flow_id, headers,
cookies, grr_user, grr_pass)
# Run flow via API client
# flow_obj = grrapi.Client(client_id)
# flow_obj.CreateFlow(name=flow_name)
title = "Test Alert with GRR Flow"
description = str(message)
sourceRef = str(uuid.uuid4())[0:6]
tags = ["SecurityOnion", "GRR"]
artifacts = []
filepath = "/tmp/soctopus/" + client_id + ".zip"
artifacts.append(
AlertArtifact(dataType='file', data=str(filepath)))
# Build alert
hive_alert = Alert(title=title,
tlp=tlp,
tags=tags,
description=description,
type='external',
source='SecurityOnion',
sourceRef=sourceRef,
artifacts=artifacts)
# Send it off
response = hive_api.create_alert(hive_alert)
if client_id:
# Redirect to GRR instance
return redirect(grr_url + '/#/clients/' + client_id + '/flows')
else:
return "No matches found for source or destination ip"