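    def run(self, idmef):
        """Correlate firewall drop/deny events with later traffic to the same host.

        A shared "FIREWALL INFOS" context keeps, per target address, the time of
        the last drop seen and the set of (source, port) flows that a firewall
        reported as dropped or denied.  A later alert aimed at such a target whose
        (source, port) flow was *not* among the dropped ones is appended to a
        per-source ("FIREWALL", source) context, which registers ``_alert`` as its
        ``alert_on_expire`` callback.

        Args:
            idmef: the incoming IDMEF alert.  Only the first source address, the
                first target address and the first target port are examined.
        """
        source = idmef.get("alert.source(0).node.address(0).address")
        scat = idmef.get("alert.source(0).node.address(0).category")
        target = idmef.get("alert.target(0).node.address(0).address")
        tcat = idmef.get("alert.target(0).node.address(0).category")
        dport = idmef.get("alert.target(0).service.port")

        if not source or not target or not dport:
            return

        # Only IP-addressed endpoints are correlated.
        ip_categories = ("ipv4-addr", "ipv6-addr")
        if scat not in ip_categories or tcat not in ip_categories:
            return

        # Key the flow as a tuple rather than ``source + str(dport)``: plain
        # concatenation makes ("1.2.3.4", 56) and ("1.2.3.45", 6) produce the
        # same key, so a drop recorded for one flow would wrongly mark the other
        # as "already dropped" and suppress its alert below.
        flow_key = (source, dport)

        ctx = context.Context("FIREWALL INFOS", {
            "expire": self._flush_protected_hosts,
            "alert_on_expire": _evict
        }, update=True, ruleid=self.name)
        if ctx.getUpdateCount() == 0:
            ctx._protected_hosts = {}
            ctx._flush_protected_hosts = self._flush_protected_hosts

        if idmef.match("alert.classification.text",
                       re.compile("[Pp]acket [Dd]ropped|[Dd]enied")):
            # Record the drop: per target, [last drop time, {flow_key: True}].
            entry = ctx._protected_hosts.setdefault(target, [0, {}])
            entry[0] = float(idmef.getTime())
            entry[1][flow_key] = True
            return

        entry = ctx._protected_hosts.get(target)
        if entry is None:
            return

        # Forget hosts whose last recorded drop is older than the flush window.
        if time.time() - entry[0] > self._flush_protected_hosts:
            ctx._protected_hosts.pop(target)
            return

        # This exact flow was itself dropped earlier: nothing to correlate.
        if flow_key in entry[1]:
            return

        # Undropped traffic towards a host the firewall protects: keep the
        # alert as a candidate in the per-source context.
        ctx = context.Context(("FIREWALL", source), {
            "expire": 120,
            "alert_on_expire": _alert
        }, update=True, ruleid=self.name)
        if ctx.getUpdateCount() == 0:
            ctx.candidates = []

        ctx.candidates.append(idmef)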
    def run(self, idmef):
        """Flag alert sources that appear in the DShield data set.

        Each source address of *idmef* is looked up in the table returned by
        ``self.__data.get()``.  On a hit, a ("DSHIELD", source) context carrying
        the alert is created or updated; on first creation its classification,
        correlation name, impact description and severity are filled in from
        the matching record.

        Args:
            idmef: the incoming IDMEF alert.
        """
        dshield = self.__data.get()
        sources = idmef.get("alert.source(*).node.address(*).address")

        for addr in sources:
            record = dshield.get(addr, None)
            if not record:
                continue

            ca = context.Context(("DSHIELD", addr),
                                 {"expire": 300, "alert_on_expire": True},
                                 update=True, idmef=idmef, ruleid=self.name)
            if ca.getUpdateCount() != 0:
                continue

            ca.set("alert.classification.text", "IP source matching Dshield database")
            ca.set("alert.correlation_alert.name", "IP source matching Dshield database")
            # record layout presumed to be (reports, attacks, first seen, last seen) — confirm against the loader
            ca.set("alert.assessment.impact.description",
                   "Dshield gathered this IP address from firewall drops logs (%s - reports: %d, attacks: %d, "
                   "first/last seen: %s - %s)" % (addr, record[0], record[1], record[2], record[3]))
            ca.set("alert.assessment.impact.severity", "high")
    def run(self, idmef):
        """Detect a host repeating, against others, the actions it was just a target of.

        For every target of *idmef* a ("WORM HOST", classification, target)
        context is created (never overwritten) so the target's history can be
        found later.  For every source of *idmef* the matching context is
        searched; the alert's targets are merged into that context's target
        list, and once the list reaches ``self.__repeat_target`` entries a
        "Possible Worm Activity" alert is emitted and the context destroyed.

        Args:
            idmef: the incoming IDMEF alert.
        """
        classification = idmef.get("alert.classification.text")
        if not classification:
            return

        # One context per (classification, target); remember the targets seen.
        seen_targets = {}
        for target in idmef.get("alert.target(*).node.address(*).address"):
            ctx = context.Context(("WORM HOST", classification, target), {"expire": 300},
                                  overwrite=False, idmef=idmef, ruleid=self.name)
            if ctx.getUpdateCount() == 0:
                ctx._target_list = {}
            seen_targets[target] = True

        # A source that was itself a target earlier has a context keyed on its
        # own address; widen that context's target list with today's targets.
        for source in idmef.get("alert.source(*).node.address(*).address"):
            ctx = context.search(("WORM HOST", classification, source))
            if not ctx:
                continue

            before = len(ctx._target_list)
            ctx._target_list.update(seen_targets)
            after = len(ctx._target_list)

            if after > before:
                ctx.update(idmef=idmef)

            if after < self.__repeat_target:
                continue

            ctx.set("alert.classification.text", "Possible Worm Activity")
            ctx.set("alert.correlation_alert.name",
                    "Source host is repeating actions taken against it recently")
            ctx.set("alert.assessment.impact.severity", "high")
            description = source + (
                " has repeated actions taken against it recently at least %d times. It may have been "
                "infected with a worm." % self.__repeat_target)
            ctx.set("alert.assessment.impact.description", description)
            ctx.alert()
            ctx.destroy()
    def run(self, idmef):
        """Flag alert sources that appear in the CIArmy data set.

        Each source address of *idmef* is tested for membership in the data
        returned by ``self.__data.get()``.  On a hit, a ("CIARMY", source)
        context carrying the alert is created or updated; on first creation its
        classification, correlation name, impact description and severity are
        set.

        Args:
            idmef: the incoming IDMEF alert.
        """
        ciarmy = self.__data.get()

        for addr in idmef.get("alert.source(*).node.address(*).address"):
            if addr not in ciarmy:
                continue

            ca = context.Context(("CIARMY", addr),
                                 {"expire": 300, "alert_on_expire": True},
                                 update=True, idmef=idmef, ruleid=self.name)
            if ca.getUpdateCount() != 0:
                continue

            ca.set("alert.classification.text",
                   "IP source matching CIArmy database")
            ca.set("alert.correlation_alert.name",
                   "IP source matching CIArmy database")
            ca.set("alert.assessment.impact.description",
                   "CIArmy gathered this IP address from firewall drop logs (%s)" % addr)
            ca.set("alert.assessment.impact.severity", "high")