def process_pcap_on_service(self): global suricata_socket_file if not os.path.exists( suricata_socket_file ) or self.output_folder is None or not os.path.exists(self.pcap_file): print "SURICATASERVICE INVALID DATA ERROR" return False # create output folder if not os.path.exists(self.output_folder): os.mkdir(self.output_folder) # suricata connection try: suri = suricatasc.SuricataSC(suricata_socket_file) suri.connect() except Exception as e: print "SURICATASERVICE SOCKET CONNECTION ERROR" traceback.print_exc() return False # suricata command (pcap-file) try: retcode = suri.send_command("pcap-file", { "filename": self.pcap_file, "output-dir": self.output_folder, }) except Exception as e: suri.close() print "SURICATASERVICE COMMAND FAILED" traceback.print_exc() return False # return code if not retcode or ("return" in retcode and retcode["return"] != "OK"): suri.close() print "SURICATASERVICE CODE ERROR %s :: %s" % (retcode["return"], retcode["message"]) return False # TODO: I'm not sure that we're not waiting for ALL jobs to be # finished. Maybe we should detect that our actual job has # ended well, not all of them. Also, I wonder if multiprocessing # will really improve performance and if we should not either use # a dedicated dispatcher which polls regularly the new tasks. exception_count = 0 while True: try: retcode = suri.send_command("pcap-current") except Exception as e: exception_count += 1 if exception_count == 10: suri.close() print "SURICATASERVICE EXCEPTIONS MAX REACHED" return False if retcode and ("message" in retcode and retcode["message"] == "None"): break time.sleep(1) suri.close() return True
def process_pcap_socket(self): """Process a PCAP file with Suricata in socket mode.""" if not HAVE_SURICATASC: raise CuckooProcessingError( "Suricata has been configured to run in socket mode but " "suricatasc has not been installed, please re-install " "Suricata or SuricataSC" ) if not os.path.exists(self.socket): raise CuckooProcessingError( "Suricata has been configured to run in socket mode " "but the socket is unavailable" ) suri = suricatasc.SuricataSC(self.socket) try: suri.connect() except suricatasc.SuricataException as e: raise CuckooProcessingError( "Error connecting to Suricata in socket mode: %s" % e ) # Submit the PCAP file. ret = suri.send_command("pcap-file", { "filename": self.pcap_path, "output-dir": self.suricata_path, }) if not ret or ret["return"] != "OK": raise CuckooProcessingError( "Error submitting PCAP file to Suricata in socket mode, " "return value: %s" % ret ) # TODO Should we add a timeout here? If we do so we should also add # timeout logic to the binary mode. while True: ret = suri.send_command("pcap-current") # When the pcap file has been processed the "current pcap" file # will be none. if ret and ret["message"] == "None": break time.sleep(1)
def status(self): suri_running = False if settings.SURICATA_UNIX_SOCKET: sc = suricatasc.SuricataSC(settings.SURICATA_UNIX_SOCKET) sc.connect() res = sc.send_command('uptime', None) if res['return'] == 'OK': suri_running = True sc.close() else: for proc in psutil.process_iter(): try: pinfo = proc.as_dict(attrs=['name']) except psutil.NoSuchProcess: pass else: if pinfo['name'] == 'Suricata-Main': suri_running = True break return suri_running
def launch_or_load_suricata(self): self.suricata_socket = os.path.join(self.run_dir, 'suricata.socket') if not os.path.exists(self.suricata_socket): command = [ SURICATA_BIN, "-vvvv", # Useful for debugging "-c", self.suricata_yaml, f"--unix-socket={self.suricata_socket}", "--pidfile", f"{self.run_dir}/suricata.pid", "--set", f"logging.outputs.1.file.filename={self.suricata_log}", ] self.log.info(f"Launching Suricata: {' '.join(command)}") self.suricata_process = subprocess.Popen(command) self.suricata_sc = suricatasc.SuricataSC(self.suricata_socket) if not self.suricata_running_retry(): raise Exception('Suricata could not be started.')
import time import argparse import json parser = argparse.ArgumentParser(prog='suri-influxdb', description='Export suricata stats to InfluxDB') parser.add_argument('-H', '--host', default='localhost', help='Host running InfluxDB') parser.add_argument('-P', '--port', default=2003, help='Port of InfluxDB data socket') parser.add_argument('-O', '--oneshot', action='store_const', const=True, help='Send one update and exit', default=False) parser.add_argument('-D', '--delay', default=10, help='Delay between data dump') parser.add_argument('-d', '--db', default='suricata', help='Database name in InfluxDB') parser.add_argument('socket', help='suricata socket file to connect to', default="/var/run/suricata/suricata-command.socket", nargs='?') parser.add_argument('-v', '--verbose', action='store_const', const=True, help='verbose output', default=False) args = parser.parse_args() sc = suricatasc.SuricataSC(args.socket) try: sc.connect() except: error = sys.exc_info()[0] print "connection init error :: %r %s" % (error,args.socket) if args.oneshot: sys.exit(1) #todo ... USER = '******' PASSWORD = '******' client = InfluxDBClient(args.host, args.port, USER, PASSWORD, args.db) #todo, create db if not exist #dbs = client.get_database_list()