Пример #1
0
    def doAction(self, action_id):
        src_hostname = self.getHostnameFromIP(self.__request.get('src_ip', ''))
        dst_hostname = self.getHostnameFromIP(self.__request.get('dst_ip', ''))
        
        protocol = Util.getProtoByNumber(self.__request.get('protocol', ''))
        self.__request['protocol'] = protocol
        replaces = {
                'DATE':         self.__request.get('date', ''),
                'PLUGIN_ID':    self.__request.get('plugin_id', ''),
                'PLUGIN_SID':   self.__request.get('plugin_sid', ''),
                'RISK':         self.__request.get('risk', ''),
                'PRIORITY':     self.__request.get('priority', ''),
                'RELIABILITY':  self.__request.get('reliability', ''),
                'SRC_IP':       self.__request.get('src_ip', ''),
                'SRC_PORT':     self.__request.get('src_port', ''),
                'DST_IP':       self.__request.get('dst_ip', ''),
                'DST_PORT':     self.__request.get('dst_port', ''),
                'PROTOCOL':     self.__request.get('protocol', ''),
                'SENSOR':       self.__request.get('sensor', ''),
                'PLUGIN_NAME':  self.__request.get('plugin_id', ''),
                'SID_NAME':     self.__request.get('plugin_sid', ''),
                'USERDATA1':    self.__request.get('userdata1', ''),
                'USERDATA2':    self.__request.get('userdata2', ''),
                'USERDATA3':    self.__request.get('userdata3', ''),
                'USERDATA4':    self.__request.get('userdata4', ''),
                'USERDATA5':    self.__request.get('userdata5', ''),
                'USERDATA6':    self.__request.get('userdata6', ''),
                'USERDATA7':    self.__request.get('userdata7', ''),
                'USERDATA8':    self.__request.get('userdata8', ''),
                'USERDATA9':    self.__request.get('userdata9', ''),
                'FILENAME':     self.__request.get('filename', ''),
                'USERNAME':     self.__request.get('username', ''),
                'PASSWORD':     self.__request.get('password', ''),
                'BACKLOG_ID':   self.__request.get('backlog_id', ''),
                'EVENT_ID':     self.__request.get('event_id', ''),
                'SRC_IP_HOSTNAME':src_hostname,
                'DST_IP_HOSTNAME':dst_hostname,
            }

        # Fields with integer values
        int_fields = ["PLUGIN_ID", "PLUGIN_SID", "RISK", "PRIORITY", "RELIABILITY", "SRC_PORT", "DST_PORT"]

        query = "SELECT * FROM plugin WHERE id = %d" % int(self.__request['plugin_id'])

        for plugin in self.__db.exec_query(query):
            # should only yield one result anyway
            replaces["PLUGIN_NAME"] = plugin['name']

        query = "SELECT * FROM plugin_sid WHERE plugin_id = %d AND sid = %d" % \
            (int(self.__request['plugin_id']), int(self.__request['plugin_sid']))
        for plugin_sid in self.__db.exec_query(query):
            # should only yield one result anyway
            replaces["SID_NAME"] = plugin_sid['name']

        query = "SELECT a.id as id,a.ctx as ctx,a.action_type as action_type ,\
                a.cond as cond,a.on_risk as on_risk,a.descr as descr,\
                at.name as name FROM action a, action_type at \
                WHERE id = unhex('%s') and a.action_type = at.type" % (action_id)
        for action in self.__db.exec_query(query):

            ####################################################################
            # Condition
            ####################################################################

            # get the condition expression
            condition = action['cond']

            # authorized operators
            operators = [
                "+", "-", "*", "/", "%",
                "==", "<=", "<", ">=", ">",
                " and ", " or ", "(", ")",
                " True ", "False", "!=",
            ]

            # only operators and characters in [A-Z0-9_ ]
            # condition = '"' + condition +'"'
            condition_tmp = " %s " % condition
            for operator in operators:
                condition_tmp = condition_tmp.replace(operator, " ")
            logger.debug ("Condiction after op %s before op %s " % (condition_tmp, condition))
            if not re.match("^[A-Za-z0-9_\'\" ]+$", condition_tmp):
                logger.warning(": Illegal character in condition: %s - Allowed characters (A-Za-z0-9_ ' \")" % condition)
                condition = "False"

            # no function call
            if re.search("[A-Za-z0-9_]+\s*\(", condition):
                logger.warning(": Illegal function call in condition: %s" % condition)
                condition = "False"

            # replacements
            for key in replaces:
                if key in int_fields:
                    condition = condition.replace(key, replaces[key])
                else:
                    condition = condition.replace(key, "'" + replaces[key] + "'")

            # condition evaluation
            try:
                logger.debug(": condition = '%s'" % condition)
                condition = eval(condition)
            except Exception, e:
                logger.debug(": Condition evaluation failed: %s --> %s" % (condition, str(e)))
                condition = False
            logger.debug(": eval(condition) = %s" % condition)

            # is the condition True?
            if not condition: continue

            # is the action based on risk increase?
            if int(action['on_risk']) == 1:

                backlog_id = self.__request.get('backlog_id', '')
                risk_old = 0
                risk_new = int(self.__request.get('risk', ''))

                # get the old risk value
                query = "SELECT * FROM action_risk WHERE action_id = unhex('%s') AND backlog_id = unhex('%s')" % (action_id, backlog_id)
                for action_risk in self.__db.exec_query(query):
                    # should only yield one result anyway
                    risk_old = int(action_risk['risk'])
                    break
                else:
                    query = "INSERT INTO action_risk VALUES (%d, %d, %d)" % (
                        int(action_id), int(backlog_id), int(risk_new))
                    logger.debug(": %s" % query)
                    self.__db.exec_query(query)

                # is there a risk increase?
                logger.debug(": risk_new > risk_old = %s" % (risk_new > risk_old))
                if risk_new <= risk_old: continue

                # save the new risk value
                query = "UPDATE action_risk SET risk = %d WHERE action_id = unhex('%s') AND backlog_id = unhex('%s')" % (
                    int(risk_new), action_id, backlog_id)
                logger.debug(": %s" % query)
                self.__db.exec_query(query)

                # cleanup the action_risk table
                query = "DELETE FROM action_risk WHERE backlog_id NOT IN (SELECT id FROM backlog)"
                logger.debug(": %s" % query)
                self.__db.exec_query(query)

            ####################################################################

            # email notification
            logger.info("Successful Response with action: %s" % action['descr'])
            if action['name'] == 'email':
                self.get_mail_server_data()
                if not self.__email_server_relay_enabled:
                    logger.warning("Email server relay not enabled. Using local postfix..")
                query = "SELECT * FROM action_email WHERE action_id = unhex('%s')" % \
                    (action_id)
                for action_email in self.__db.exec_query(query):
                    email_from = action_email['_from']
                    email_to = action_email['_to'].split(',')
                    if len(email_to) == 1:
                        email_to = action_email['_to'].split(';')
                    email_subject = action_email['subject']
                    email_message = action_email['message']

                    for replace in replaces:
                        if replaces[replace]:
                            email_from = email_from.replace(replace, replaces[replace])
                            for to_mail in email_to:
                                to_mail = to_mail.strip()
                                to_mail = to_mail.replace(replace, \
                                                          replaces[replace])
                            replace_variable = r'\b%s\b' % replace
                            value_to_replace = replaces[replace].encode('string_escape')
                            email_subject = re.sub(replace_variable,value_to_replace , email_subject)
                            # email_subject= email_subject.replace(replace, replaces[replace])
                            if replace == 'DATE':
                                value_to_replace += " (UTC time)"
                            email_message = re.sub(replace_variable, value_to_replace, email_message)
                    use_local_server = not self.__email_server_relay_enabled
                    m = ActionMail(self.__email_server,self.__email_server_port,self.__email_server_user,
                                   self.__email_server_passwd, use_local_server)

                    for mail in email_to:
                        m.sendmail(email_from,
                                   mail,
                                   email_subject,
                                   email_message + \
                                   "\n\n" + self.requestRepr(self.__request, mail))
                    del(m)

            # execute external command
            elif action['name'] == 'exec':
                query = "SELECT * FROM action_exec WHERE action_id = unhex('%s')" % \
                    (action_id)
                for action_exec in self.__db.exec_query(query):
                    action = action_exec['command']
                    for replace in replaces:
                        replace_variable = r'\b%s\b' % replace
                        action = re.sub(replace_variable, replaces[replace].encode('string_escape'), action)
                        # action = action.replace(replace, replaces[replace])
                    c = ActionExec()
                    c.execCommand(action)
                    del(c)

            elif action['name'] == 'ticket':
                descr = action['descr']
                plugin_id = int(self.__request.get('plugin_id', ''))
                plugin_sid = int(self.__request.get('plugin_sid', ''))
                title = 'Automatic Incident Ticket'
                namequery = "select if((select name from plugin_sid where plugin_id='%s' and sid='%s')!='',(select name from plugin_sid where plugin_id='%s' and sid='%s')  , 'Automatic Incident Ticket') as name;" % (plugin_id, plugin_sid, plugin_id, plugin_sid)
                data = self.__db.exec_query(namequery)
                if data != []:
                    title = data[0]['name']
                regexp = re.compile('(?P<data>.*)##@##(?P<username>.*)')
                matches = regexp.search(descr)
                in_charge = 'admin'
                if matches:
                    in_charge = matches.group('username')
                    descr = matches.group('data')

                priority = int(self.__request.get('priority', '')) * 2
                incident_uuid = "%s" % uuid.uuid4()
                incident_uuid = incident_uuid.replace('-', '')
                ctx = self.__request.get('context_id', '')
                for replace in replaces:
                    if replaces[replace]:
                        replace_variable = r'\b%s\b' % replace
                        descr = re.sub(replace_variable, replaces[replace].encode('string_escape'), descr)


                ctx = ctx.replace('-', '')
                insert_query = """insert into incident (uuid,ctx,title,date,ref,type_id,priority,status,last_update,in_charge,submitter,event_start,event_end) values (unhex('%s'),unhex('%s'),'%s',utc_timestamp(),'Event','Generic','%s','Open',utc_timestamp(),'%s','admin',utc_timestamp(),utc_timestamp()); """ % (incident_uuid, ctx, title, priority, in_charge)
                self.__db.exec_query(insert_query)
                logger.debug("Query: %s" % insert_query)

                src_ip = self.__request.get('src_ip', '')
                src_port = int(self.__request.get('src_port', ''))
                dst_ip = self.__request.get('dst_ip', '')
                dst_port = int(self.__request.get('dst_port', ''))
                #    last_id_ie = data[0]['id'] +1
                """ We need the last id from incident in order to insert it. """
                get_last_id_query = "select max(id) as id from incident;"
                data = self.__db.exec_query(get_last_id_query)
                if data != []:
                    last_id = data[0]['id']

                insert_incident_event_query = """ INSERT INTO incident_event (incident_id,src_ips,src_ports,dst_ips,dst_ports) values ('%s','%s','%s','%s','%s'); """ % (last_id, src_ip, src_port, dst_ip, dst_port) 
                insert_subscription_query = "REPLACE INTO incident_subscrip(login, incident_id) VALUES('admin', {0})".format(last_id)
                self.__db.exec_query(insert_incident_event_query)
                self.__db.exec_query(insert_subscription_query)

                data = self.__db.exec_query("select max(id)+1 as id from incident_ticket;")
                newid = '0'
                if data != []:
                    newid = data[0]['id']

                insert_ticket_query = """ insert into incident_ticket(id,incident_id,date,status,priority,description,in_charge,users) values ('%s','%s',utc_timestamp(),'Open','%s','%s','%s','admin');""" % (newid, last_id, priority, descr, in_charge)
                self.__db.exec_query(insert_ticket_query)

                # Check if this context has an IRS webservice linked.
                ticket_data = {'type': '', 'op': 'INSERT', 'incident_id': last_id, 'date': time.asctime(), 'in_charge': in_charge, 'description': descr, 'status': 'Open'}
                ws_query = "SELECT id, type FROM webservice WHERE ctx = UNHEX('%s') AND type IN ('%s')" % (ctx, ','.join(IRS_TYPES))
                ws_data = self.__db.exec_query(ws_query)
                for item in ws_data:
                    ticket_data['type'] = ws_data['type']
                    # Create webservices, if available.
                    handler = WSHandler (self.__conf, item['id'])
                    if handler != None:
                        ret = handler.process_db (ticket_data)
            else:
                logger.error("Invalid action_type: '%s'" % action['action_type'])
Пример #2
0
    def doAction(self, action_id):
        src_hostname = self.getHostnameFromIP(self.__request.get('src_ip', ''))
        dst_hostname = self.getHostnameFromIP(self.__request.get('dst_ip', ''))
        plugin_id = int(self.__request['plugin_id'])
        plugin_sid = int(self.__request['plugin_sid'])
        
        protocol = Util.getProtoByNumber(self.__request.get('protocol', ''))
        self.__request['protocol'] = protocol
        replaces = {
                'DATE':         self.__request.get('date', ''),
                'PLUGIN_ID':    self.__request.get('plugin_id', ''),
                'PLUGIN_SID':   self.__request.get('plugin_sid', ''),
                'RISK':         self.__request.get('risk', ''),
                'PRIORITY':     self.__request.get('priority', ''),
                'RELIABILITY':  self.__request.get('reliability', ''),
                'SRC_IP':       self.__request.get('src_ip', ''),
                'SRC_PORT':     self.__request.get('src_port', ''),
                'DST_IP':       self.__request.get('dst_ip', ''),
                'DST_PORT':     self.__request.get('dst_port', ''),
                'PROTOCOL':     self.__request.get('protocol', ''),
                'SENSOR':       self.__request.get('sensor', ''),
                'PLUGIN_NAME':  self.__request.get('plugin_id', ''),
                'SID_NAME':     self.__request.get('plugin_sid', ''),
                'USERDATA1':    self.__request.get('userdata1', ''),
                'USERDATA2':    self.__request.get('userdata2', ''),
                'USERDATA3':    self.__request.get('userdata3', ''),
                'USERDATA4':    self.__request.get('userdata4', ''),
                'USERDATA5':    self.__request.get('userdata5', ''),
                'USERDATA6':    self.__request.get('userdata6', ''),
                'USERDATA7':    self.__request.get('userdata7', ''),
                'USERDATA8':    self.__request.get('userdata8', ''),
                'USERDATA9':    self.__request.get('userdata9', ''),
                'FILENAME':     self.__request.get('filename', ''),
                'USERNAME':     self.__request.get('username', ''),
                'PASSWORD':     self.__request.get('password', ''),
                'BACKLOG_ID':   self.__request.get('backlog_id', ''),
                'EVENT_ID':     self.__request.get('event_id', ''),
                'SRC_IP_HOSTNAME':src_hostname,
                'DST_IP_HOSTNAME':dst_hostname,
            }

        # Fields with integer values
        int_fields = ["PLUGIN_ID", "PLUGIN_SID", "RISK", "PRIORITY", "RELIABILITY", "SRC_PORT", "DST_PORT"]

        query = "SELECT * FROM plugin WHERE id = %s"

        for plugin in self.__db.exec_query(query, (plugin_id,)):
            # should only yield one result anyway
            replaces["PLUGIN_NAME"] = plugin['name']

        query = "SELECT * FROM plugin_sid WHERE plugin_id = %s AND sid = %s"
        for plugin_sid in self.__db.exec_query(query, (plugin_id, plugin_sid)):
            # should only yield one result anyway
            replaces["SID_NAME"] = plugin_sid['name']

        query = "SELECT a.id as id,a.ctx as ctx,a.action_type as action_type ,\
                a.cond as cond,a.on_risk as on_risk,a.descr as descr,\
                at.name as name FROM action a, action_type at \
                WHERE id = unhex(%s) and a.action_type = at.type"
        for action in self.__db.exec_query(query, (action_id,)):

            ####################################################################
            # Condition
            ####################################################################

            # get the condition expression
            condition = action['cond']

            # authorized operators
            operators = [
                "+", "-", "*", "/", "%",
                "==", "<=", "<", ">=", ">",
                " and ", " or ", "(", ")",
                " True ", "False", "!=",
            ]

            # only operators and characters in [A-Z0-9_ ]
            # condition = '"' + condition +'"'
            condition_tmp = " %s " % condition
            for operator in operators:
                condition_tmp = condition_tmp.replace(operator, " ")
            logger.debug ("Condiction after op %s before op %s " % (condition_tmp, condition))
            if not re.match("^[A-Za-z0-9_\'\" ]+$", condition_tmp):
                logger.warning(": Illegal character in condition: %s - Allowed characters (A-Za-z0-9_ ' \")" % condition)
                condition = "False"

            # no function call
            if re.search("[A-Za-z0-9_]+\s*\(", condition):
                logger.warning(": Illegal function call in condition: %s" % condition)
                condition = "False"

            # replacements
            for key in replaces:
                if key in int_fields:
                    condition = condition.replace(key, replaces[key])
                else:
                    condition = condition.replace(key, "'" + replaces[key] + "'")

            # condition evaluation
            try:
                logger.debug(": condition = '%s'" % condition)
                condition = eval(condition)
            except Exception, e:
                logger.debug(": Condition evaluation failed: %s --> %s" % (condition, str(e)))
                condition = False
            logger.debug(": eval(condition) = %s" % condition)

            # is the condition True?
            if not condition: continue

            # is the action based on risk increase?
            if int(action['on_risk']) == 1:

                backlog_id = self.__request.get('backlog_id', '')
                risk_old = 0
                risk_new = int(self.__request.get('risk', ''))

                # get the old risk value
                query = "SELECT * FROM action_risk WHERE action_id = unhex(%s) AND backlog_id = unhex(%s)"
                for action_risk in self.__db.exec_query(query, (action_id, backlog_id)):
                    # should only yield one result anyway
                    risk_old = int(action_risk['risk'])
                    break
                else:
                    query = self.__db.format_query(
                        "INSERT INTO action_risk VALUES (%s, %s, %s)",
                        (int(action_id), int(backlog_id), int(risk_new))
                    )
                    logger.debug(": %s" % query)
                    self.__db.exec_query(query)

                # is there a risk increase?
                logger.debug(": risk_new > risk_old = %s" % (risk_new > risk_old))
                if risk_new <= risk_old: continue

                # save the new risk value
                query = self.__db.format_query(
                    "UPDATE action_risk SET risk = %s WHERE action_id = unhex(%s) AND backlog_id = unhex(%s)",
                    (int(risk_new), action_id, backlog_id)
                )
                logger.debug(": %s" % query)
                self.__db.exec_query(query)

                # cleanup the action_risk table
                query = "DELETE FROM action_risk WHERE backlog_id NOT IN (SELECT id FROM backlog)"
                logger.debug(": %s" % query)
                self.__db.exec_query(query)

            ####################################################################

            # email notification
            logger.info("Successful Response with action: %s" % action['descr'])
            if action['name'] == 'email':
                self.get_mail_server_data()
                if not self.__email_server_relay_enabled:
                    logger.warning("Email server relay not enabled. Using local postfix..")
                query = "SELECT * FROM action_email WHERE action_id = unhex(%s)"
                for action_email in self.__db.exec_query(query, (action_id,)):
                    email_from = action_email['_from']
                    email_to = action_email['_to'].split(',')
                    if len(email_to) == 1:
                        email_to = action_email['_to'].split(';')
                    email_subject = action_email['subject']
                    email_message = action_email['message']

                    for replace in replaces:
                        if replaces[replace]:
                            email_from = email_from.replace(replace, replaces[replace])
                            for to_mail in email_to:
                                to_mail = to_mail.strip()
                                to_mail = to_mail.replace(replace, \
                                                          replaces[replace])
                            replace_variable = r'\b%s\b' % replace
                            value_to_replace = replaces[replace].encode('string_escape')
                            email_subject = re.sub(replace_variable,value_to_replace , email_subject)
                            # email_subject= email_subject.replace(replace, replaces[replace])
                            if replace == 'DATE':
                                value_to_replace += " (UTC time)"
                            email_message = re.sub(replace_variable, value_to_replace, email_message)
                    use_local_server = not self.__email_server_relay_enabled
                    m = ActionMail(self.__email_server,self.__email_server_port,self.__email_server_user,
                                   self.__email_server_passwd, use_local_server)

                    for mail in email_to:
                        new_email_message = email_message;
                        if action_email['message_suffix'] == 1:
                            new_email_message += "\n\n" + self.requestRepr(self.__request, mail)
                        m.sendmail(email_from,
                                   mail,
                                   email_subject,
                                   new_email_message)
                    del(m)

            # execute external command
            elif action['name'] == 'exec':
                query = "SELECT * FROM action_exec WHERE action_id = unhex(%s)"
                for action_exec in self.__db.exec_query(query, (action_id,)):
                    action = action_exec['command']
                    for replace in replaces:
                        replace_variable = r'\b%s\b' % replace
                        action = re.sub(replace_variable, replaces[replace].encode('string_escape'), action)
                        # action = action.replace(replace, replaces[replace])
                    c = ActionExec()
                    c.execCommand(action)
                    del(c)

            elif action['name'] == 'ticket':
                descr = action['descr']
                title = 'Automatic Incident Ticket'
                namequery = "SELECT name  FROM action WHERE id = unhex(%s);"
                data = self.__db.exec_query(namequery, {action_id})
                if data != []:
                    title = data[0]['name']
                regexp = re.compile('(?P<data>.*)##@##(?P<username>.*)')
                matches = regexp.search(descr)
                in_charge = 'admin'
                if matches:
                    in_charge = matches.group('username')
                    descr = matches.group('data')

                priority = int(self.__request.get('priority', '')) * 2
                incident_uuid = "%s" % uuid.uuid4()
                incident_uuid = incident_uuid.replace('-', '')
                ctx = self.__request.get('context_id', '')
                for replace in replaces:
                    if replaces[replace]:
                        replace_variable = r'\b%s\b' % replace
                        descr = re.sub(replace_variable, replaces[replace].encode('string_escape'), descr)


                ctx = ctx.replace('-', '')
                insert_query = "insert into incident (uuid,ctx,title,date,ref,type_id,priority,status,last_update," \
                               "in_charge,submitter,event_start,event_end) values (unhex(%(uuid)s)," \
                               "unhex(%(ctx)s),%(title)s,utc_timestamp(),'Event','Generic',%(priority)s," \
                               "'Open',utc_timestamp(),%(in_charge)s,'admin',utc_timestamp(),utc_timestamp());"
                params = {
                    "uuid": incident_uuid,
                    "ctx": ctx,
                    "title": title,
                    "priority": priority,
                    "in_charge": in_charge
                }
                insert_query = self.__db.format_query(insert_query, params)
                self.__db.exec_query(insert_query)
                logger.debug("Query: %s" % insert_query)

                src_ip = self.__request.get('src_ip', '')
                src_port = int(self.__request.get('src_port', ''))
                dst_ip = self.__request.get('dst_ip', '')
                dst_port = int(self.__request.get('dst_port', ''))
                #    last_id_ie = data[0]['id'] +1
                """ We need the last id from incident in order to insert it. """
                get_last_id_query = "select max(id) as id from incident;"
                data = self.__db.exec_query(get_last_id_query)
                if data != []:
                    last_id = data[0]['id']

                insert_incident_event_query = "INSERT INTO incident_event (incident_id,src_ips,src_ports,dst_ips,dst_ports) values (%s,%s,%s,%s,%s);"
                insert_subscription_query = "REPLACE INTO incident_subscrip(login, incident_id) VALUES('admin', %s)"
                self.__db.exec_query(insert_incident_event_query, (last_id, src_ip, src_port, dst_ip, dst_port))
                self.__db.exec_query(insert_subscription_query, (last_id,))

                data = self.__db.exec_query("select max(id)+1 as id from incident_ticket;")
                newid = '0'
                if data != []:
                    newid = data[0]['id']

                risk = int(self.__request.get('risk', ''))
                #Tickets from vulnerabilities come from a trigger, so we should only deal with events/alarms here
                if risk >= 0:
                    alarm_url = "<a target=\"_blank\" href=\"/ossim/alarm/alarm_detail.php?event=%s\">Link to Alarm</a>" % (self.__request.get('event_id', '').upper().replace('-',''))
                    descr = descr + "<br>" + alarm_url
                elif risk == 0:
                    pass
                    # #This is an event
                    # #There appears to be no easy way to link to an event so this is shelved
                    # #https://192.168.200.90/ossim/forensics/base_qry_alert.php?noheader=true&pag=&submit=#0-29482C89670511E59BF8000CD1ADBA0E&m_opt=analysis&sm_opt=security_events&h_opt=security_events
                    # event_id = self.__request.get('event_id', '').upper().replace('-','')
                    # event_url = "<a target=\"_blank\" href=\"https://%s/ossim/forensics/base_qry_alert.php?noheader=true&pag=&submit=#0-%s&m_opt=analysis&sm_opt=security_events&h_opt=security_events\">Link to Event</a>" % (ossim_setup['framework_ip'], event_id)
                    # descr = descr + "<br>" + event_url
                insert_ticket_query = "insert into incident_ticket(id,incident_id,date,status,priority,description," \
                                      "in_charge,users) values (%(id)s,%(incident_id)s,utc_timestamp(),'Open'," \
                                      "%(priority)s,%(description)s,%(in_charge)s,'admin');"
                insert_ticket_params = {
                    "id": newid,
                    "incident_id": last_id,
                    "priority": priority,
                    "description": descr,
                    "in_charge": in_charge
                }
                self.__db.exec_query(insert_ticket_query, insert_ticket_params)

                # Check if this context has an IRS webservice linked.
                ticket_data = {'type': '', 'op': 'INSERT', 'incident_id': last_id, 'date': time.asctime(), 'in_charge': in_charge, 'description': descr, 'status': 'Open'}
                type_params = ["%s" for _ in xrange(len(IRS_TYPES))]
                ws_query = "SELECT id, type FROM webservice WHERE ctx = UNHEX(%s) AND type IN (" + \
                           ",".join(type_params) + ")"
                ws_data = self.__db.exec_query(ws_query, tuple([ctx] + IRS_TYPES))
                for item in ws_data:
                    ticket_data['type'] = ws_data['type']
                    # Create webservices, if available.
                    handler = WSHandler (self.__conf, item['id'])
                    if handler is not None:
                        ret = handler.process_db (ticket_data)
            else:
                logger.error("Invalid action_type: '%s'" % action['action_type'])
Пример #3
0
    def doAction(self, action_id):
        src_hostname = self.getHostnameFromIP(self.__request.get('src_ip', ''))
        dst_hostname = self.getHostnameFromIP(self.__request.get('dst_ip', ''))
        plugin_id = int(self.__request['plugin_id'])
        plugin_sid = int(self.__request['plugin_sid'])

        protocol = Util.getProtoByNumber(self.__request.get('protocol', ''))
        self.__request['protocol'] = protocol
        replaces = {
            'DATE': self.__request.get('date', ''),
            'PLUGIN_ID': self.__request.get('plugin_id', ''),
            'PLUGIN_SID': self.__request.get('plugin_sid', ''),
            'RISK': self.__request.get('risk', ''),
            'PRIORITY': self.__request.get('priority', ''),
            'RELIABILITY': self.__request.get('reliability', ''),
            'SRC_IP': self.__request.get('src_ip', ''),
            'SRC_PORT': self.__request.get('src_port', ''),
            'DST_IP': self.__request.get('dst_ip', ''),
            'DST_PORT': self.__request.get('dst_port', ''),
            'PROTOCOL': self.__request.get('protocol', ''),
            'SENSOR': self.__request.get('sensor', ''),
            'PLUGIN_NAME': self.__request.get('plugin_id', ''),
            'SID_NAME': self.__request.get('plugin_sid', ''),
            'USERDATA1': self.__request.get('userdata1', ''),
            'USERDATA2': self.__request.get('userdata2', ''),
            'USERDATA3': self.__request.get('userdata3', ''),
            'USERDATA4': self.__request.get('userdata4', ''),
            'USERDATA5': self.__request.get('userdata5', ''),
            'USERDATA6': self.__request.get('userdata6', ''),
            'USERDATA7': self.__request.get('userdata7', ''),
            'USERDATA8': self.__request.get('userdata8', ''),
            'USERDATA9': self.__request.get('userdata9', ''),
            'FILENAME': self.__request.get('filename', ''),
            'USERNAME': self.__request.get('username', ''),
            'PASSWORD': self.__request.get('password', ''),
            'BACKLOG_ID': self.__request.get('backlog_id', ''),
            'EVENT_ID': self.__request.get('event_id', ''),
            'SRC_IP_HOSTNAME': src_hostname,
            'DST_IP_HOSTNAME': dst_hostname,
        }

        # Fields with integer values
        int_fields = [
            "PLUGIN_ID", "PLUGIN_SID", "RISK", "PRIORITY", "RELIABILITY",
            "SRC_PORT", "DST_PORT"
        ]

        query = "SELECT * FROM plugin WHERE id = %s"

        for plugin in self.__db.exec_query(query, (plugin_id, )):
            # should only yield one result anyway
            replaces["PLUGIN_NAME"] = plugin['name']

        query = "SELECT * FROM plugin_sid WHERE plugin_id = %s AND sid = %s"
        for plugin_sid in self.__db.exec_query(query, (plugin_id, plugin_sid)):
            # should only yield one result anyway
            replaces["SID_NAME"] = plugin_sid['name']

        query = "SELECT a.id as id,a.ctx as ctx,a.action_type as action_type ,\
                a.cond as cond,a.on_risk as on_risk,a.descr as descr,\
                at.name as name FROM action a, action_type at \
                WHERE id = unhex(%s) and a.action_type = at.type"

        for action in self.__db.exec_query(query, (action_id, )):

            ####################################################################
            # Condition
            ####################################################################

            # get the condition expression
            condition = action['cond']

            # authorized operators
            operators = [
                "+",
                "-",
                "*",
                "/",
                "%",
                "==",
                "<=",
                "<",
                ">=",
                ">",
                " and ",
                " or ",
                "(",
                ")",
                " True ",
                "False",
                "!=",
            ]

            # only operators and characters in [A-Z0-9_ ]
            # condition = '"' + condition +'"'
            condition_tmp = " %s " % condition
            for operator in operators:
                condition_tmp = condition_tmp.replace(operator, " ")
            logger.debug("Condiction after op %s before op %s " %
                         (condition_tmp, condition))
            if not re.match("^[A-Za-z0-9_\'\" ]+$", condition_tmp):
                logger.warning(
                    ": Illegal character in condition: %s - Allowed characters (A-Za-z0-9_ ' \")"
                    % condition)
                condition = "False"

            # no function call
            if re.search("[A-Za-z0-9_]+\s*\(", condition):
                logger.warning(": Illegal function call in condition: %s" %
                               condition)
                condition = "False"

            # replacements
            for key in replaces:
                if key in int_fields:
                    condition = condition.replace(key, replaces[key])
                else:
                    condition = condition.replace(key,
                                                  "'" + replaces[key] + "'")

            # condition evaluation
            try:
                logger.debug(": condition = '%s'" % condition)
                condition = eval(condition)
            except Exception, e:
                logger.debug(": Condition evaluation failed: %s --> %s" %
                             (condition, str(e)))
                condition = False
            logger.debug(": eval(condition) = %s" % condition)

            # is the condition True?
            if not condition: continue

            # is the action based on risk increase?
            if int(action['on_risk']) == 1:

                backlog_id = self.__request.get('backlog_id', '')
                risk_old = 0
                risk_new = int(self.__request.get('risk', ''))

                # get the old risk value
                query = "SELECT * FROM action_risk WHERE action_id = unhex(%s) AND backlog_id = unhex(%s)"
                for action_risk in self.__db.exec_query(
                        query, (action_id, backlog_id)):
                    # should only yield one result anyway
                    risk_old = int(action_risk['risk'])
                    break
                else:
                    query = self.__db.format_query(
                        "INSERT INTO action_risk VALUES (%s, %s, %s)",
                        (int(action_id), int(backlog_id), int(risk_new)))
                    logger.debug(": %s" % query)
                    self.__db.exec_query(query)

                # is there a risk increase?
                logger.debug(": risk_new > risk_old = %s" %
                             (risk_new > risk_old))
                if risk_new <= risk_old: continue

                # save the new risk value
                query = self.__db.format_query(
                    "UPDATE action_risk SET risk = %s WHERE action_id = unhex(%s) AND backlog_id = unhex(%s)",
                    (int(risk_new), action_id, backlog_id))
                logger.debug(": %s" % query)
                self.__db.exec_query(query)

                # cleanup the action_risk table
                query = "DELETE FROM action_risk WHERE backlog_id NOT IN (SELECT id FROM backlog)"
                logger.debug(": %s" % query)
                self.__db.exec_query(query)

            ####################################################################

            # email notification
            logger.info("Successful Response with action: %s" %
                        action['descr'])
            if action['name'] == 'email':
                self.get_mail_server_data()
                if not self.__email_server_relay_enabled:
                    logger.warning(
                        "Email server relay not enabled. Using local postfix.."
                    )
                query = "SELECT * FROM action_email WHERE action_id = unhex(%s)"
                for action_email in self.__db.exec_query(query, (action_id, )):
                    email_from = action_email['_from']
                    email_to = action_email['_to'].split(',')
                    if len(email_to) == 1:
                        email_to = action_email['_to'].split(';')
                    email_subject = action_email['subject']
                    email_message = action_email['message']

                    for replace in replaces:
                        if replaces[replace]:
                            email_from = email_from.replace(
                                replace, replaces[replace])
                            for to_mail in email_to:
                                to_mail = to_mail.strip()
                                to_mail = to_mail.replace(replace, \
                                                          replaces[replace])
                            replace_variable = r'\b%s\b' % replace
                            value_to_replace = replaces[replace].encode(
                                'string_escape')
                            email_subject = re.sub(replace_variable,
                                                   value_to_replace,
                                                   email_subject)
                            # email_subject= email_subject.replace(replace, replaces[replace])
                            if replace == 'DATE':
                                value_to_replace += " (UTC time)"
                            email_message = re.sub(replace_variable,
                                                   value_to_replace,
                                                   email_message)
                    use_local_server = not self.__email_server_relay_enabled
                    m = ActionMail(self.__email_server,
                                   self.__email_server_port,
                                   self.__email_server_user,
                                   self.__email_server_passwd,
                                   use_local_server)

                    for mail in email_to:
                        new_email_message = email_message
                        if action_email['message_suffix'] == 1:
                            new_email_message += "\n\n" + self.requestRepr(
                                self.__request, mail)
                        m.sendmail(email_from, mail, email_subject,
                                   new_email_message)
                    del (m)

            # execute external command
            elif action['name'] == 'exec':
                query = "SELECT * FROM action_exec WHERE action_id = unhex(%s)"
                for action_exec in self.__db.exec_query(query, (action_id, )):
                    action = action_exec['command']
                    for replace in replaces:
                        replace_variable = r'\b%s\b' % replace
                        action = re.sub(
                            replace_variable,
                            replaces[replace].encode('string_escape'), action)
                        # action = action.replace(replace, replaces[replace])
                    c = ActionExec()
                    c.execCommand(action)
                    del (c)

            elif action['name'] == 'ticket':
                descr = action['descr']
                title = 'Automatic Incident Ticket'
                namequery = "SELECT name  FROM action WHERE id = unhex(%s);"
                data = self.__db.exec_query(namequery, {action_id})
                if data != []:
                    title = data[0]['name']
                regexp = re.compile('(?P<data>.*)##@##(?P<username>.*)')
                matches = regexp.search(descr)
                in_charge = 'admin'
                if matches:
                    in_charge = matches.group('username')
                    descr = matches.group('data')

                priority = int(self.__request.get('priority', '')) * 2
                incident_uuid = "%s" % uuid.uuid4()
                incident_uuid = incident_uuid.replace('-', '')
                ctx = self.__request.get('context_id', '')
                for replace in replaces:
                    if replaces[replace]:
                        replace_variable = r'\b%s\b' % replace
                        descr = re.sub(
                            replace_variable,
                            replaces[replace].encode('string_escape'), descr)

                ctx = ctx.replace('-', '')
                insert_query = "insert into incident (uuid,ctx,title,date,ref,type_id,priority,status,last_update," \
                               "in_charge,submitter,event_start,event_end) values (unhex(%(uuid)s)," \
                               "unhex(%(ctx)s),%(title)s,utc_timestamp(),'Event','Generic',%(priority)s," \
                               "'Open',utc_timestamp(),%(in_charge)s,'admin',utc_timestamp(),utc_timestamp());"
                params = {
                    "uuid": incident_uuid,
                    "ctx": ctx,
                    "title": title,
                    "priority": priority,
                    "in_charge": in_charge
                }
                insert_query = self.__db.format_query(insert_query, params)
                self.__db.exec_query(insert_query)
                logger.debug("Query: %s" % insert_query)

                src_ip = self.__request.get('src_ip', '')
                src_port = int(self.__request.get('src_port', ''))
                dst_ip = self.__request.get('dst_ip', '')
                dst_port = int(self.__request.get('dst_port', ''))
                #    last_id_ie = data[0]['id'] +1
                """ We need the last id from incident in order to insert it. """
                get_last_id_query = "select max(id) as id from incident;"
                data = self.__db.exec_query(get_last_id_query)
                if data != []:
                    last_id = data[0]['id']

                insert_incident_event_query = "INSERT INTO incident_event (incident_id,src_ips,src_ports,dst_ips,dst_ports) values (%s,%s,%s,%s,%s);"
                insert_subscription_query = "REPLACE INTO incident_subscrip(login, incident_id) VALUES('admin', %s)"
                self.__db.exec_query(
                    insert_incident_event_query,
                    (last_id, src_ip, src_port, dst_ip, dst_port))
                self.__db.exec_query(insert_subscription_query, (last_id, ))

                data = self.__db.exec_query(
                    "select max(id)+1 as id from incident_ticket;")
                newid = '0'
                if data != []:
                    newid = data[0]['id']

                risk = int(self.__request.get('risk', ''))
                #Tickets from vulnerabilities come from a trigger, so we should only deal with events/alarms here
                if risk >= 0:
                    alarm_url = "<a target=\"_blank\" href=\"/ossim/alarm/alarm_detail.php?event=%s\">Link to Alarm</a>" % (
                        self.__request.get('event_id', '').upper().replace(
                            '-', ''))
                    descr = descr + "<br>" + alarm_url
                elif risk == 0:
                    pass
                    # #This is an event
                    # #There appears to be no easy way to link to an event so this is shelved
                    # #https://192.168.200.90/ossim/forensics/base_qry_alert.php?noheader=true&pag=&submit=#0-29482C89670511E59BF8000CD1ADBA0E&m_opt=analysis&sm_opt=security_events&h_opt=security_events
                    # event_id = self.__request.get('event_id', '').upper().replace('-','')
                    # event_url = "<a target=\"_blank\" href=\"https://%s/ossim/forensics/base_qry_alert.php?noheader=true&pag=&submit=#0-%s&m_opt=analysis&sm_opt=security_events&h_opt=security_events\">Link to Event</a>" % (ossim_setup['framework_ip'], event_id)
                    # descr = descr + "<br>" + event_url
                insert_ticket_query = "insert into incident_ticket(id,incident_id,date,status,priority,description," \
                                      "in_charge,users) values (%(id)s,%(incident_id)s,utc_timestamp(),'Open'," \
                                      "%(priority)s,%(description)s,%(in_charge)s,'admin');"
                insert_ticket_params = {
                    "id": newid,
                    "incident_id": last_id,
                    "priority": priority,
                    "description": descr,
                    "in_charge": in_charge
                }
                self.__db.exec_query(insert_ticket_query, insert_ticket_params)

                # Check if this context has an IRS webservice linked.
                ticket_data = {
                    'type': '',
                    'op': 'INSERT',
                    'incident_id': last_id,
                    'date': time.asctime(),
                    'in_charge': in_charge,
                    'description': descr,
                    'status': 'Open'
                }
                type_params = ["%s" for _ in xrange(len(IRS_TYPES))]
                ws_query = "SELECT id, type FROM webservice WHERE ctx = UNHEX(%s) AND type IN (" + \
                           ",".join(type_params) + ")"
                ws_data = self.__db.exec_query(ws_query,
                                               tuple([ctx] + IRS_TYPES))
                for item in ws_data:
                    ticket_data['type'] = ws_data['type']
                    # Create webservices, if available.
                    handler = WSHandler(self.__conf, item['id'])
                    if handler is not None:
                        ret = handler.process_db(ticket_data)
            else:
                logger.error("Invalid action_type: '%s'" %
                             action['action_type'])
Пример #4
0
    def doAction(self, action_id):

        replaces = {
            'DATE': self.__request.get('date', ''),
            'PLUGIN_ID': self.__request.get('plugin_id', ''),
            'PLUGIN_SID': self.__request.get('plugin_sid', ''),
            'RISK': self.__request.get('risk', ''),
            'PRIORITY': self.__request.get('priority', ''),
            'RELIABILITY': self.__request.get('reliability', ''),
            'SRC_IP': self.__request.get('src_ip', ''),
            'SRC_PORT': self.__request.get('src_port', ''),
            'DST_IP': self.__request.get('dst_ip', ''),
            'DST_PORT': self.__request.get('dst_port', ''),
            'PROTOCOL': self.__request.get('protocol', ''),
            'SENSOR': self.__request.get('sensor', ''),
            'PLUGIN_NAME': self.__request.get('plugin_id', ''),
            'SID_NAME': self.__request.get('plugin_sid', ''),
            'USERDATA1': self.__request.get('userdata1', ''),
            'USERDATA2': self.__request.get('userdata2', ''),
            'USERDATA3': self.__request.get('userdata3', ''),
            'USERDATA4': self.__request.get('userdata4', ''),
            'USERDATA5': self.__request.get('userdata5', ''),
            'USERDATA6': self.__request.get('userdata6', ''),
            'USERDATA7': self.__request.get('userdata7', ''),
            'USERDATA8': self.__request.get('userdata8', ''),
            'USERDATA9': self.__request.get('userdata9', ''),
            'FILENAME': self.__request.get('filename', ''),
            'USERNAME': self.__request.get('username', ''),
            'PASSWORD': self.__request.get('password', ''),
            'BACKLOG_ID': self.__request.get('backlog_id', ''),
            'EVENT_ID': self.__request.get('event_id', ''),
        }

        query = "SELECT * FROM plugin WHERE id = %d" % int(
            self.__request['plugin_id'])

        for plugin in self.__db.exec_query(query):
            # should only yield one result anyway
            replaces["PLUGIN_NAME"] = plugin['name']

        query = "SELECT * FROM plugin_sid WHERE plugin_id = %d AND sid = %d" %\
            (int(self.__request['plugin_id']), int(self.__request['plugin_sid']))
        for plugin_sid in self.__db.exec_query(query):
            # should only yield one result anyway
            replaces["SID_NAME"] = plugin_sid['name']

        query = "SELECT * FROM action WHERE id = %d" % (action_id)
        for action in self.__db.exec_query(query):

            logger.info("Successful Response with action: %s" %
                        action['descr'])
            # TODO: Remove when confirmed
            #            print __name__, ": Successful Response with action: ", action['descr']

            ####################################################################
            # Condition
            ####################################################################

            # get the condition expression
            condition = action['cond']

            # authorized operators
            operators = [
                "+", "-", "*", "/", "%", "==", "<=", "<", ">=", ">", " and ",
                " or ", "(", ")", " True ", "False"
            ]

            # only operators and characters in [A-Z0-9_ ]
            condition_tmp = " %s " % condition
            for operator in operators:
                condition_tmp = condition_tmp.replace(operator, " ")
            if not re.match("^[A-Z0-9_ ]+$", condition_tmp):
                print __name__, ": Illegal character in condition: %s" % condition
                condition = "False"

            # no function call
            if re.search("[A-Z0-9_]+\s*\(", condition):
                print __name__, ": Illegal function call in condition: %s" % condition
                condition = "False"

            # replacements
            for key in replaces:
                condition = condition.replace(key, replaces[key])

            # condition evaluation
            try:
                print __name__, ": condition = '%s'" % condition
                condition = eval(condition)
            except Exception, e:
                print __name__, ": Condition evaluation failed: %s" % condition
                condition = False
            print __name__, ": eval(condition) = %s" % condition

            # is the condition True?
            if not condition: continue

            # is the action based on risk increase?
            if int(action['on_risk']) == 1:

                backlog_id = int(self.__request.get('backlog_id', ''))
                risk_old = 0
                risk_new = int(self.__request.get('risk', ''))

                # get the old risk value
                query = "SELECT * FROM action_risk WHERE action_id = %d AND backlog_id = %d" % (
                    int(action_id), int(backlog_id))
                for action_risk in self.__db.exec_query(query):
                    # should only yield one result anyway
                    risk_old = int(action_risk['risk'])
                    break
                else:
                    query = "INSERT INTO action_risk VALUES (%d, %d, %d)" % (
                        int(action_id), int(backlog_id), int(risk_new))
                    print __name__, ": %s" % query
                    self.__db.exec_query(query)

                # is there a risk increase?
                print __name__, ": risk_new > risk_old = %s" % (risk_new >
                                                                risk_old)
                if risk_new <= risk_old: continue

                # save the new risk value
                query = "UPDATE action_risk SET risk = %d WHERE action_id = %d AND backlog_id = %d" % (
                    int(risk_new), int(action_id), int(backlog_id))
                print __name__, ": %s" % query
                self.__db.exec_query(query)

                # cleanup the action_risk table
                query = "DELETE FROM action_risk WHERE backlog_id NOT IN (SELECT id FROM backlog)"
                print __name__, ": %s" % query
                self.__db.exec_query(query)

            ####################################################################

            # email notification
            if action['action_type'] == 'email':

                query = "SELECT * FROM action_email WHERE action_id = %d" %\
                    (action_id)
                for action_email in self.__db.exec_query(query):
                    email_from = action_email['_from']
                    email_to = action_email['_to'].split(',')
                    email_subject = action_email['subject']
                    email_message = action_email['message']

                    for replace in replaces:
                        if replaces[replace]:
                            email_from = email_from.replace(
                                replace, replaces[replace])
                            for to_mail in email_to:
                                to_mail = to_mail.strip()
                                to_mail = to_mail.replace(replace,\
                                                          replaces[replace])
                            email_subject = email_subject.replace(
                                replace, replaces[replace])
                            email_message = email_message.replace(
                                replace, replaces[replace])

                    m = ActionMail()
                    m.sendmail(email_from,
                               email_to,
                               email_subject,
                               email_message +\
                               "\n\n" + self.requestRepr(self.__request))
                    del (m)

            # execute external command
            elif action['action_type'] == 'exec':
                query = "SELECT * FROM action_exec WHERE action_id = %d" %\
                    (action_id)
                for action_exec in self.__db.exec_query(query):
                    action = action_exec['command']
                    for replace in replaces:
                        action = action.replace(replace, replaces[replace])
                    c = ActionExec()
                    c.execCommand(action)
                    del (c)

            elif action['action_type'] == 'syslog':
                syslog(request)
Пример #5
0
    def doAction(self, action_id):

        replaces = {
                'DATE':         self.__request.get('date', ''),
                'PLUGIN_ID':    self.__request.get('plugin_id', ''),
                'PLUGIN_SID':   self.__request.get('plugin_sid', ''),
                'RISK':         self.__request.get('risk', ''),
                'PRIORITY':     self.__request.get('priority', ''),
                'RELIABILITY':  self.__request.get('reliability', ''),
                'SRC_IP':       self.__request.get('src_ip', ''),
                'SRC_PORT':     self.__request.get('src_port', ''),
                'DST_IP':       self.__request.get('dst_ip', ''),
                'DST_PORT':     self.__request.get('dst_port', ''),
                'PROTOCOL':     self.__request.get('protocol', ''),
                'SENSOR':       self.__request.get('sensor', ''),
                'PLUGIN_NAME':  self.__request.get('plugin_id', ''),
                'SID_NAME':     self.__request.get('plugin_sid', ''),
                'USERDATA1':    self.__request.get('userdata1', ''),
                'USERDATA2':    self.__request.get('userdata2', ''),
                'USERDATA3':    self.__request.get('userdata3', ''),
                'USERDATA4':    self.__request.get('userdata4', ''),
                'USERDATA5':    self.__request.get('userdata5', ''),
                'USERDATA6':    self.__request.get('userdata6', ''),
                'USERDATA7':    self.__request.get('userdata7', ''),
                'USERDATA8':    self.__request.get('userdata8', ''),
                'USERDATA9':    self.__request.get('userdata9', ''),
                'FILENAME':     self.__request.get('filename', ''),
                'USERNAME':     self.__request.get('username', ''),
                'PASSWORD':     self.__request.get('password', ''),
                'BACKLOG_ID':   self.__request.get('backlog_id', ''),
                'EVENT_ID':     self.__request.get('event_id', ''),
            }

        query = "SELECT * FROM plugin WHERE id = %d" % int(self.__request['plugin_id'])

        for plugin in self.__db.exec_query(query):
            # should only yield one result anyway
            replaces["PLUGIN_NAME"] = plugin['name']

        query = "SELECT * FROM plugin_sid WHERE plugin_id = %d AND sid = %d" %\
            (int(self.__request['plugin_id']), int(self.__request['plugin_sid']))
        for plugin_sid in self.__db.exec_query(query):
            # should only yield one result anyway
            replaces["SID_NAME"] = plugin_sid['name']

        query = "SELECT * FROM action WHERE id = %d" % (action_id)
        for action in self.__db.exec_query(query):

            logger.info("Successful Response with action: %s" % action['descr'])
            ####################################################################
            # Condition
            ####################################################################

            # get the condition expression
            condition = action['cond']

            # authorized operators
            operators = [
                "+", "-", "*", "/", "%",
                "==", "<=", "<", ">=", ">",
                " and ", " or ", "(", ")", 
                " True ", "False"
            ]

            # only operators and characters in [A-Z0-9_ ]
            condition_tmp = " %s " % condition
            for operator in operators:
                condition_tmp = condition_tmp.replace(operator, " ")
            if not re.match("^[A-Z0-9_ ]+$", condition_tmp):
                logger.warning( ": Illegal character in condition: %s" % condition)
                condition = "False"

            # no function call
            if re.search("[A-Z0-9_]+\s*\(", condition):
                logger.warning(": Illegal function call in condition: %s" % condition)
                condition = "False"

            # replacements
            for key in replaces:
                condition = condition.replace(key, replaces[key])

            # condition evaluation
            try:
                logger.debug(": condition = '%s'" % condition)
                condition = eval(condition)
            except Exception, e:
                logger.debug( ": Condition evaluation failed: %s --> %s" % (condition,str(e)))
                condition = False
            logger.debug( ": eval(condition) = %s" % condition)

            # is the condition True?
            if not condition: continue

            # is the action based on risk increase?
            if int(action['on_risk']) == 1:

                backlog_id = int(self.__request.get('backlog_id', ''))
                risk_old = 0
                risk_new = int(self.__request.get('risk', ''))

                # get the old risk value
                query = "SELECT * FROM action_risk WHERE action_id = %d AND backlog_id = %d" % (int(action_id), int(backlog_id))
                for action_risk in self.__db.exec_query(query):
                    # should only yield one result anyway
                    risk_old = int(action_risk['risk'])
                    break
                else:
                    query = "INSERT INTO action_risk VALUES (%d, %d, %d)" % (
                        int(action_id), int(backlog_id), int(risk_new))
                    logger.debug( ": %s" % query)
                    self.__db.exec_query(query)

                # is there a risk increase?
                logger.debug( ": risk_new > risk_old = %s" % (risk_new > risk_old))
                if risk_new <= risk_old: continue

                # save the new risk value
                query = "UPDATE action_risk SET risk = %d WHERE action_id = %d AND backlog_id = %d" % (
                    int(risk_new), int(action_id), int(backlog_id))
                logger.debug( ": %s" % query)
                self.__db.exec_query(query)

                # cleanup the action_risk table
                query = "DELETE FROM action_risk WHERE backlog_id NOT IN (SELECT id FROM backlog)"
                logger.debug(": %s" % query)
                self.__db.exec_query(query)

            ####################################################################

            # email notification
            if action['action_type'] == 'email':
                query = "SELECT * FROM action_email WHERE action_id = %d" %\
                    (action_id)
                for action_email in self.__db.exec_query(query):
                    email_from = action_email['_from']
                    email_to = action_email['_to'].split(',')
                    email_subject = action_email['subject']
                    email_message = action_email['message']

                    for replace in replaces:
                        if replaces[replace]:
                            email_from = email_from.replace(replace, replaces[replace])
                            for to_mail in email_to:
                                to_mail = to_mail.strip()
                                to_mail = to_mail.replace(replace,\
                                                          replaces[replace])
                            replace_variable=r'\b%s\b'%replace
                            email_subject = re.sub(replace_variable,replaces[replace],email_subject)
                            #email_subject= email_subject.replace(replace, replaces[replace])
                            email_message = re.sub(replace_variable,replaces[replace],email_message)
                            #email_message = email_message.replace(replace, replaces[replace])
                    m = ActionMail()
                    m.sendmail(email_from,
                               email_to,
                               email_subject,
                               email_message +\
                               "\n\n" + self.requestRepr(self.__request))
                    del(m)
                

            # execute external command
            elif action['action_type'] == 'exec':
                query = "SELECT * FROM action_exec WHERE action_id = %d" %\
                    (action_id)
                for action_exec in self.__db.exec_query(query):
                    action = action_exec['command']
                    for replace in replaces:
                        action = action.replace(replace, replaces[replace])
                    c = ActionExec()
                    c.execCommand(action)
                    del(c)

            elif action['action_type'] == 'syslog':
                syslog(self.__request) 
            elif action['action_type'] == 'ticket':
                descr = action['descr']
                plugin_id = int(self.__request.get('plugin_id', ''))
                plugin_sid = int(self.__request.get('plugin_sid', ''))
                title = 'Automatic Incident Ticket'
                namequery ="select if((select name from plugin_sid where plugin_id='%s' and sid='%s')!='',(select name from plugin_sid where plugin_id='%s' and sid='%s')  , 'Automatic Incident Ticket') as name;" % (plugin_id,plugin_sid,plugin_id,plugin_sid)
                data = self.__db.exec_query(namequery)
                if data !=[]:
                    title = data[0]['name']
                regexp = re.compile('(?P<data>.*)##@##(?P<username>.*)')
                matches = regexp.search(descr)
                in_charge = 'admin'
                descr=''
                if matches:
                    in_charge = matches.group('username')
                    descr = matches.group('data')
                get_last_id_query = "select max(id) as id from incident;"
                data = self.__db.exec_query(get_last_id_query)
                if data != []:
                    last_id = data[0]['id'] +1
                    priority = int(self.__request.get('priority', '')) *2
                    insert_query = """insert into incident (id,title,date,ref,type_id,priority,status,last_update,in_charge,submitter,event_start,event_end) values ('%s','%s',now(),'Event','Generic','%s','Open',now(),'%s','admin',now(),now()); """ % (last_id,title,priority,in_charge)
                    self.__db.exec_query(insert_query)
                    logger.debug("Query: %s" % insert_query)
                    get_last_id_query = "select max(id) as id from incident_event;"
                    data = self.__db.exec_query(get_last_id_query)
                    if data != []:
                        src_ip = self.__request.get('src_ip', '')
                        src_port = int(self.__request.get('src_port', ''))
                        dst_ip = self.__request.get('dst_ip', '')
                        dst_port = int(self.__request.get('dst_port', ''))
                        last_id_ie = data[0]['id'] +1
                        insert_incident_event_query = """ insert into incident_event (id,incident_id,src_ips,src_ports,dst_ips,dst_ports) values ('%s','%s','%s','%s','%s','%s'); """ % (last_id_ie,last_id,src_ip,src_port,dst_ip,dst_port) 
                        self.__db.exec_query(insert_incident_event_query)
                        logger.debug("Query2:_ %s" % insert_incident_event_query)
                else:
                    logger.error("Can't insert incident because it can't be retrieved the max id.")
            else:
                logger.error("Invalid action_type: '%s'" % action['action_type'])
Пример #6
0
    def doAction(self, action_id):

        replaces = {
                'DATE':         self.__request.get('date', ''),
                'PLUGIN_ID':    self.__request.get('plugin_id', ''),
                'PLUGIN_SID':   self.__request.get('plugin_sid', ''),
                'RISK':         self.__request.get('risk', ''),
                'PRIORITY':     self.__request.get('priority', ''),
                'RELIABILITY':  self.__request.get('reliability', ''),
                'SRC_IP':       self.__request.get('src_ip', ''),
                'SRC_PORT':     self.__request.get('src_port', ''),
                'DST_IP':       self.__request.get('dst_ip', ''),
                'DST_PORT':     self.__request.get('dst_port', ''),
                'PROTOCOL':     self.__request.get('protocol', ''),
                'SENSOR':       self.__request.get('sensor', ''),
                'PLUGIN_NAME':  self.__request.get('plugin_id', ''),
                'SID_NAME':     self.__request.get('plugin_sid', ''),
                'USERDATA1':    self.__request.get('userdata1', ''),
                'USERDATA2':    self.__request.get('userdata2', ''),
                'USERDATA3':    self.__request.get('userdata3', ''),
                'USERDATA4':    self.__request.get('userdata4', ''),
                'USERDATA5':    self.__request.get('userdata5', ''),
                'USERDATA6':    self.__request.get('userdata6', ''),
                'USERDATA7':    self.__request.get('userdata7', ''),
                'USERDATA8':    self.__request.get('userdata8', ''),
                'USERDATA9':    self.__request.get('userdata9', ''),
                'FILENAME':     self.__request.get('filename', ''),
                'USERNAME':     self.__request.get('username', ''),
                'PASSWORD':     self.__request.get('password', ''),
                'BACKLOG_ID':   self.__request.get('backlog_id', ''),
                'EVENT_ID':     self.__request.get('event_id', ''),
            }

        query = "SELECT * FROM plugin WHERE id = %d" % int(self.__request['plugin_id'])

        for plugin in self.__db.exec_query(query):
            # should only yield one result anyway
            replaces["PLUGIN_NAME"] = plugin['name']

        query = "SELECT * FROM plugin_sid WHERE plugin_id = %d AND sid = %d" %\
            (int(self.__request['plugin_id']), int(self.__request['plugin_sid']))
        for plugin_sid in self.__db.exec_query(query):
            # should only yield one result anyway
            replaces["SID_NAME"] = plugin_sid['name']

        query = "SELECT * FROM action WHERE id = %d" % (action_id)
        for action in self.__db.exec_query(query):

            logger.info("Successful Response with action: %s" % action['descr'])
# TODO: Remove when confirmed
#            print __name__, ": Successful Response with action: ", action['descr']

            ####################################################################
            # Condition
            ####################################################################

            # get the condition expression
            condition = action['cond']

            # authorized operators
            operators = [
                "+", "-", "*", "/", "%",
                "==", "<=", "<", ">=", ">",
                " and ", " or ", "(", ")", 
                " True ", "False"
            ]

            # only operators and characters in [A-Z0-9_ ]
            condition_tmp = " %s " % condition
            for operator in operators:
                condition_tmp = condition_tmp.replace(operator, " ")
            if not re.match("^[A-Z0-9_ ]+$", condition_tmp):
                print __name__, ": Illegal character in condition: %s" % condition
                condition = "False"

            # no function call
            if re.search("[A-Z0-9_]+\s*\(", condition):
                print __name__, ": Illegal function call in condition: %s" % condition
                condition = "False"

            # replacements
            for key in replaces:
                condition = condition.replace(key, replaces[key])

            # condition evaluation
            try:
                print __name__, ": condition = '%s'" % condition
                condition = eval(condition)
            except Exception, e:
                print __name__, ": Condition evaluation failed: %s" % condition
                condition = False
            print __name__, ": eval(condition) = %s" % condition

            # is the condition True?
            if not condition: continue

            # is the action based on risk increase?
            if int(action['on_risk']) == 1:

                backlog_id = int(self.__request.get('backlog_id', ''))
                risk_old = 0
                risk_new = int(self.__request.get('risk', ''))

                # get the old risk value
                query = "SELECT * FROM action_risk WHERE action_id = %d AND backlog_id = %d" % (
                    int(action_id), int(backlog_id))
                for action_risk in self.__db.exec_query(query):
                    # should only yield one result anyway
                    risk_old = int(action_risk['risk'])
                    break
                else:
                    query = "INSERT INTO action_risk VALUES (%d, %d, %d)" % (
                        int(action_id), int(backlog_id), int(risk_new))
                    print __name__, ": %s" % query
                    self.__db.exec_query(query)

                # is there a risk increase?
                print __name__, ": risk_new > risk_old = %s" % (risk_new > risk_old)
                if risk_new <= risk_old: continue

                # save the new risk value
                query = "UPDATE action_risk SET risk = %d WHERE action_id = %d AND backlog_id = %d" % (
                    int(risk_new), int(action_id), int(backlog_id))
                print __name__, ": %s" % query
                self.__db.exec_query(query)

                # cleanup the action_risk table
                query = "DELETE FROM action_risk WHERE backlog_id NOT IN (SELECT id FROM backlog)"
                print __name__, ": %s" % query
                self.__db.exec_query(query)

            ####################################################################

            # email notification
            if action['action_type'] == 'email':

                query = "SELECT * FROM action_email WHERE action_id = %d" %\
                    (action_id)
                for action_email in self.__db.exec_query(query):
                    email_from = action_email['_from']
                    email_to = action_email['_to'].split(',')
                    email_subject = action_email['subject']
                    email_message = action_email['message']

                    for replace in replaces:
                        if replaces[replace]:
                            email_from = email_from.replace(replace, replaces[replace])
                            for to_mail in email_to:
                                to_mail = to_mail.strip()
                                to_mail = to_mail.replace(replace,\
                                                          replaces[replace])
                            email_subject= email_subject.replace(replace, replaces[replace])
                            email_message = email_message.replace(replace, replaces[replace])
                    
                    m = ActionMail()
                    m.sendmail(email_from,
                               email_to,
                               email_subject,
                               email_message +\
                               "\n\n" + self.requestRepr(self.__request))
                    del(m)
                

            # execute external command
            elif action['action_type'] == 'exec':
                query = "SELECT * FROM action_exec WHERE action_id = %d" %\
                    (action_id)
                for action_exec in self.__db.exec_query(query):
                    action = action_exec['command']
                    for replace in replaces:
                        action = action.replace(replace, replaces[replace])
                    c = ActionExec()
                    c.execCommand(action)
                    del(c)

            elif action['action_type'] == 'syslog':
                syslog(request) 
Пример #7
0
    def doAction(self, action_id):
        src_hostname = self.getHostnameFromIP(self.__request.get('src_ip', ''))
        dst_hostname = self.getHostnameFromIP(self.__request.get('dst_ip', ''))

        protocol = Util.getProtoByNumber(self.__request.get('protocol', ''))
        self.__request['protocol'] = protocol
        replaces = {
            'DATE': self.__request.get('date', ''),
            'PLUGIN_ID': self.__request.get('plugin_id', ''),
            'PLUGIN_SID': self.__request.get('plugin_sid', ''),
            'RISK': self.__request.get('risk', ''),
            'PRIORITY': self.__request.get('priority', ''),
            'RELIABILITY': self.__request.get('reliability', ''),
            'SRC_IP': self.__request.get('src_ip', ''),
            'SRC_PORT': self.__request.get('src_port', ''),
            'DST_IP': self.__request.get('dst_ip', ''),
            'DST_PORT': self.__request.get('dst_port', ''),
            'PROTOCOL': self.__request.get('protocol', ''),
            'SENSOR': self.__request.get('sensor', ''),
            'PLUGIN_NAME': self.__request.get('plugin_id', ''),
            'SID_NAME': self.__request.get('plugin_sid', ''),
            'USERDATA1': self.__request.get('userdata1', ''),
            'USERDATA2': self.__request.get('userdata2', ''),
            'USERDATA3': self.__request.get('userdata3', ''),
            'USERDATA4': self.__request.get('userdata4', ''),
            'USERDATA5': self.__request.get('userdata5', ''),
            'USERDATA6': self.__request.get('userdata6', ''),
            'USERDATA7': self.__request.get('userdata7', ''),
            'USERDATA8': self.__request.get('userdata8', ''),
            'USERDATA9': self.__request.get('userdata9', ''),
            'FILENAME': self.__request.get('filename', ''),
            'USERNAME': self.__request.get('username', ''),
            'PASSWORD': self.__request.get('password', ''),
            'BACKLOG_ID': self.__request.get('backlog_id', ''),
            'EVENT_ID': self.__request.get('event_id', ''),
            'SRC_IP_HOSTNAME': src_hostname,
            'DST_IP_HOSTNAME': dst_hostname,
        }

        # Fields with integer values
        int_fields = [
            "PLUGIN_ID", "PLUGIN_SID", "RISK", "PRIORITY", "RELIABILITY",
            "SRC_PORT", "DST_PORT"
        ]

        query = "SELECT * FROM plugin WHERE id = %d" % int(
            self.__request['plugin_id'])

        for plugin in self.__db.exec_query(query):
            # should only yield one result anyway
            replaces["PLUGIN_NAME"] = plugin['name']

        query = "SELECT * FROM plugin_sid WHERE plugin_id = %d AND sid = %d" % \
            (int(self.__request['plugin_id']), int(self.__request['plugin_sid']))
        for plugin_sid in self.__db.exec_query(query):
            # should only yield one result anyway
            replaces["SID_NAME"] = plugin_sid['name']

        query = "SELECT a.id as id,a.ctx as ctx,a.action_type as action_type ,\
                a.cond as cond,a.on_risk as on_risk,a.descr as descr,\
                at.name as name FROM action a, action_type at \
                WHERE id = unhex('%s') and a.action_type = at.type" % (
            action_id)
        for action in self.__db.exec_query(query):

            ####################################################################
            # Condition
            ####################################################################

            # get the condition expression
            condition = action['cond']

            # authorized operators
            operators = [
                "+",
                "-",
                "*",
                "/",
                "%",
                "==",
                "<=",
                "<",
                ">=",
                ">",
                " and ",
                " or ",
                "(",
                ")",
                " True ",
                "False",
                "!=",
            ]

            # only operators and characters in [A-Z0-9_ ]
            # condition = '"' + condition +'"'
            condition_tmp = " %s " % condition
            for operator in operators:
                condition_tmp = condition_tmp.replace(operator, " ")
            logger.debug("Condiction after op %s before op %s " %
                         (condition_tmp, condition))
            if not re.match("^[A-Za-z0-9_\'\" ]+$", condition_tmp):
                logger.warning(
                    ": Illegal character in condition: %s - Allowed characters (A-Za-z0-9_ ' \")"
                    % condition)
                condition = "False"

            # no function call
            if re.search("[A-Za-z0-9_]+\s*\(", condition):
                logger.warning(": Illegal function call in condition: %s" %
                               condition)
                condition = "False"

            # replacements
            for key in replaces:
                if key in int_fields:
                    condition = condition.replace(key, replaces[key])
                else:
                    condition = condition.replace(key,
                                                  "'" + replaces[key] + "'")

            # condition evaluation
            try:
                logger.debug(": condition = '%s'" % condition)
                condition = eval(condition)
            except Exception, e:
                logger.debug(": Condition evaluation failed: %s --> %s" %
                             (condition, str(e)))
                condition = False
            logger.debug(": eval(condition) = %s" % condition)

            # is the condition True?
            if not condition: continue

            # is the action based on risk increase?
            if int(action['on_risk']) == 1:

                backlog_id = self.__request.get('backlog_id', '')
                risk_old = 0
                risk_new = int(self.__request.get('risk', ''))

                # get the old risk value
                query = "SELECT * FROM action_risk WHERE action_id = unhex('%s') AND backlog_id = unhex('%s')" % (
                    action_id, backlog_id)
                for action_risk in self.__db.exec_query(query):
                    # should only yield one result anyway
                    risk_old = int(action_risk['risk'])
                    break
                else:
                    query = "INSERT INTO action_risk VALUES (%d, %d, %d)" % (
                        int(action_id), int(backlog_id), int(risk_new))
                    logger.debug(": %s" % query)
                    self.__db.exec_query(query)

                # is there a risk increase?
                logger.debug(": risk_new > risk_old = %s" %
                             (risk_new > risk_old))
                if risk_new <= risk_old: continue

                # save the new risk value
                query = "UPDATE action_risk SET risk = %d WHERE action_id = unhex('%s') AND backlog_id = unhex('%s')" % (
                    int(risk_new), action_id, backlog_id)
                logger.debug(": %s" % query)
                self.__db.exec_query(query)

                # cleanup the action_risk table
                query = "DELETE FROM action_risk WHERE backlog_id NOT IN (SELECT id FROM backlog)"
                logger.debug(": %s" % query)
                self.__db.exec_query(query)

            ####################################################################

            # email notification
            logger.info("Successful Response with action: %s" %
                        action['descr'])
            if action['name'] == 'email':
                self.get_mail_server_data()
                if not self.__email_server_relay_enabled:
                    logger.warning(
                        "Email server relay not enabled. Using local postfix.."
                    )
                query = "SELECT * FROM action_email WHERE action_id = unhex('%s')" % \
                    (action_id)
                for action_email in self.__db.exec_query(query):
                    email_from = action_email['_from']
                    email_to = action_email['_to'].split(',')
                    if len(email_to) == 1:
                        email_to = action_email['_to'].split(';')
                    email_subject = action_email['subject']
                    email_message = action_email['message']

                    for replace in replaces:
                        if replaces[replace]:
                            email_from = email_from.replace(
                                replace, replaces[replace])
                            for to_mail in email_to:
                                to_mail = to_mail.strip()
                                to_mail = to_mail.replace(replace, \
                                                          replaces[replace])
                            replace_variable = r'\b%s\b' % replace
                            value_to_replace = replaces[replace].encode(
                                'string_escape')
                            email_subject = re.sub(replace_variable,
                                                   value_to_replace,
                                                   email_subject)
                            # email_subject= email_subject.replace(replace, replaces[replace])
                            if replace == 'DATE':
                                value_to_replace += " (UTC time)"
                            email_message = re.sub(replace_variable,
                                                   value_to_replace,
                                                   email_message)
                            # email_message = email_message.replace(replace, replaces[replace])
                    use_local_server = not self.__email_server_relay_enabled
                    m = ActionMail(self.__email_server,
                                   self.__email_server_port,
                                   self.__email_server_user,
                                   self.__email_server_passwd,
                                   use_local_server)
                    # logger.info(email_message)

                    for mail in email_to:
                        m.sendmail(email_from,
                                   mail,
                                   email_subject,
                                   email_message + \
                                   "\n\n" + self.requestRepr(self.__request, mail))
                    del (m)

            # execute external command
            elif action['name'] == 'exec':
                query = "SELECT * FROM action_exec WHERE action_id = unhex('%s')" % \
                    (action_id)
                for action_exec in self.__db.exec_query(query):
                    action = action_exec['command']
                    for replace in replaces:
                        replace_variable = r'\b%s\b' % replace
                        action = re.sub(
                            replace_variable,
                            replaces[replace].encode('string_escape'), action)
                        # action = action.replace(replace, replaces[replace])
                    c = ActionExec()
                    c.execCommand(action)
                    del (c)

            elif action['name'] == 'syslog':
                pass
#                syslog(self.__request)
            elif action['name'] == 'ticket':
                descr = action['descr']
                plugin_id = int(self.__request.get('plugin_id', ''))
                plugin_sid = int(self.__request.get('plugin_sid', ''))
                title = 'Automatic Incident Ticket'
                namequery = "select if((select name from plugin_sid where plugin_id='%s' and sid='%s')!='',(select name from plugin_sid where plugin_id='%s' and sid='%s')  , 'Automatic Incident Ticket') as name;" % (
                    plugin_id, plugin_sid, plugin_id, plugin_sid)
                data = self.__db.exec_query(namequery)
                if data != []:
                    title = data[0]['name']
                regexp = re.compile('(?P<data>.*)##@##(?P<username>.*)')
                matches = regexp.search(descr)
                in_charge = 'admin'
                if matches:
                    in_charge = matches.group('username')
                    descr = matches.group('data')

                priority = int(self.__request.get('priority', '')) * 2
                incident_uuid = "%s" % uuid.uuid4()
                incident_uuid = incident_uuid.replace('-', '')
                ctx = self.__request.get('context_id', '')
                for replace in replaces:
                    if replaces[replace]:
                        replace_variable = r'\b%s\b' % replace
                        descr = re.sub(
                            replace_variable,
                            replaces[replace].encode('string_escape'), descr)

                ctx = ctx.replace('-', '')
                insert_query = """insert into incident (uuid,ctx,title,date,ref,type_id,priority,status,last_update,in_charge,submitter,event_start,event_end) values (unhex('%s'),unhex('%s'),'%s',utc_timestamp(),'Event','Generic','%s','Open',utc_timestamp(),'%s','admin',utc_timestamp(),utc_timestamp()); """ % (
                    incident_uuid, ctx, title, priority, in_charge)
                self.__db.exec_query(insert_query)
                logger.debug("Query: %s" % insert_query)

                src_ip = self.__request.get('src_ip', '')
                src_port = int(self.__request.get('src_port', ''))
                dst_ip = self.__request.get('dst_ip', '')
                dst_port = int(self.__request.get('dst_port', ''))
                #    last_id_ie = data[0]['id'] +1
                """ We need the last id from incident in order to insert it. """
                get_last_id_query = "select max(id) as id from incident;"
                data = self.__db.exec_query(get_last_id_query)
                if data != []:
                    last_id = data[0]['id']
                insert_incident_event_query = """ insert into incident_event (incident_id,src_ips,src_ports,dst_ips,dst_ports) values ('%s','%s','%s','%s','%s'); """ % (
                    last_id, src_ip, src_port, dst_ip, dst_port)
                data = self.__db.exec_query(
                    "select max(id)+1 as id from incident_ticket;")
                newid = '0'
                if data != []:
                    newid = data[0]['id']

                self.__db.exec_query(insert_incident_event_query)
                insert_ticket_query = """ insert into incident_ticket(id,incident_id,date,status,priority,description,in_charge,users) values ('%s','%s',utc_timestamp(),'Open','%s','%s','%s','');""" % (
                    newid, last_id, priority, descr, in_charge)
                self.__db.exec_query(insert_ticket_query)

                # Check if this context has an IRS webservice linked.
                ticket_data = {
                    'type': '',
                    'op': 'INSERT',
                    'incident_id': last_id,
                    'date': time.asctime(),
                    'in_charge': in_charge,
                    'description': descr,
                    'status': 'Open'
                }
                ws_query = "SELECT id, type FROM webservice WHERE ctx = UNHEX('%s') AND type IN (%s)" % (
                    ctx, '(' + ','.join(IRS_TYPES) + ')')
                ws_data = self.__db.exec_query(ws_query)
                for item in ws_data:
                    ticket_data['type'] = ws_data['type']
                    # Create webservices, if available.
                    handler = WSHandler(self.__conf, item['id'])
                    if handler != None:
                        ret = handler.process_db(ticket_data)

            else:
                logger.error("Invalid action_type: '%s'" %
                             action['action_type'])