Exemplo n.º 1
0
def list_cracks_data():
	crackers = rsyslogweblib.get_evil_list(conn)

	smap = "mapLogsourceUserMethodRemoteResultPerDay"
	base = "_id"
	query = {
		base+".remote": { "$in": crackers},
	        base+".result": { "$in" : ['Accepted', 'Authorized']}
	}

	c = conn.sshd[smap].aggregate([
		{ "$match": query },
	        { "$group": {"_id": { "remote": "$_id.remote", "user": "******", "result": "$_id.result", "logsource": "$_id.logsource" }, "count": {"$sum": "$value.count"}}},
	        { "$sort": bson.son.SON([("_id.remote", 1), ("count", -1)])}
	])

	data=[]	
	if c:
		for tmp in c:
			if "remote" in tmp["_id"]:
				a = "".join(tmp["_id"]["remote"])
				tmp["_id"]["remote"] = "<a href='profile_remote?remote="+a+"'>"+a+"</a>"
			data.append(tmp)

	columns = []
	if len(data):
		columns = list_columns(data)

	return bson.json_util.dumps({"aaData":data, "aoColumns":columns  }, sort_keys=True, indent=1, separators=(',', ': '))
Exemplo n.º 2
0
	alert['listed'] = rsyslogweblib.remote_listed(remote, conn)
	
	now = datetime.datetime.now(our_zone)
	conn.sshd.internalData.update({"type": "alert", "remote":remote},{"$set": {"reported_on": now}}, upsert=True)

	print json.dumps(alert, sort_keys=True, indent=1, separators=(',', ': '))



conn = pymongo.mongo_client.MongoClient("mongodb://localhost", w=1, tz_aware=True)
our_zone = dateutil.tz.gettz('CET')
utc_zone = dateutil.tz.gettz('UTC')


# ip list with susspicious accesses
crackers = rsyslogweblib.get_evil_list(conn)

# find successfull accesses from those remotes
smap = "mapLogsourceUserMethodRemoteResultPerDay"
base = "_id"
query = {
	base+".remote": { "$in": crackers},
        base+".result": { "$in" : ['Accepted', 'Authorized']}
}
# aggregated, for every ip is then generated simple profile anyway
c = conn.sshd[smap].aggregate([
	{ "$match": query },
        { "$group": {"_id": "$_id.remote" }}
])