def statistic():
    """Return aggregate alert statistics (HTTP handler).

    The response ``data`` carries the per-status/per-level breakdown from
    ``Activity.statistic_status_level()`` and the overall activity count under
    ``total``. No request parameters are read.
    """
    activity = Activity()
    breakdown = activity.statistic_status_level()
    payload = {
        "total": activity.count(),
        "data": breakdown,
    }
    return output_json({"errno": 0, "data": payload})
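def mistake():
    """Mark one activity as a false positive (HTTP handler).

    Expects a JSON body with an ``id`` field naming the activity. When the
    body is missing, not an object, or lacks ``id``, an ``errno: 1`` response
    is returned instead of letting the ``KeyError``/``TypeError`` surface as a
    500 (which, in debug deployments, also leaks a stack trace).
    """
    post_data = request.get_json()
    if not isinstance(post_data, dict) or "id" not in post_data:
        return output_json({"errno": 1, "error": "请求参数有误"})
    # Flag the activity itself as a false positive.
    Activity().mistake(post_data["id"])
    # TODO: add a rule so this class of false positive is excluded
    # automatically afterwards (a Mistake(alert_code).exclude(...) step was
    # sketched here but never enabled); the ignore handler shows the
    # rule-based variant.
    return output_json({"errno": 0, "data": ""})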
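def ignore():
    """Ignore an activity, optionally adding an ignore rule for its alert type (HTTP handler).

    JSON body: ``id`` (the activity to ignore) and ``ignore_type``. When
    ``ignore_type`` is ``"add_rule"``, ``alert_code`` and ``rules`` are also
    required and are handed to ``Ignore.add_ignore_rule``.

    The rule is validated and stored *before* the activity is marked ignored:
    previously the activity was ignored first, so a rejected rule produced an
    error response after the state change had already happened, leaving the
    client with a misleading picture. Missing or malformed body fields yield
    an ``errno: 1`` response rather than an unhandled ``KeyError``.
    """
    post_data = request.get_json()
    if not isinstance(post_data, dict) or "id" not in post_data:
        return output_json({"errno": 1, "error": "请求参数有误"})

    if post_data.get("ignore_type") == "add_rule":
        if "alert_code" not in post_data or "rules" not in post_data:
            return output_json({"errno": 1, "error": "请求参数有误"})
        rule = Ignore(post_data["alert_code"])
        if not rule.add_ignore_rule(post_data["rules"]):
            return output_json({"errno": 1, "error": "规则格式或内容有误"})

    Activity().ignore(post_data["id"])
    return output_json({"errno": 0, "data": ""})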
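def fuzz_search(self, name, page_size=5, **kwargs) -> list:
    """Fuzzy-search AD computers, users and groups whose ``cn`` contains ``name``.

    ``name`` is caller-supplied (typically a search box) and is embedded in an
    LDAP filter, so the RFC 4515 special characters ``\\ * ( )`` and NUL are
    escaped first. Without this, a value such as ``*`` or ``)(objectClass=*``
    rewrites the filter and lets the caller enumerate the directory instead of
    matching a substring.

    Args:
        name: substring to match against ``cn``.
        page_size: LDAP paged-search size passed to ``search_by_custom``.
        **kwargs: accepted for call-site compatibility; unused.

    Returns:
        A list of dicts with ``entry_type`` (computer/group/user), ``domain``,
        ``cn``, ``is_sensitive``, ``alert_count``, ``is_disabled`` for
        non-group entries and ``description`` when present. Entries that are
        none of the three object classes are skipped.
    """
    result = []

    # RFC 4515 filter escaping. ldap3 ships escape_filter_chars for this, but
    # a local table keeps the method independent of that helper's import path.
    filter_escapes = str.maketrans({
        "\\": r"\5c",
        "*": r"\2a",
        "(": r"\28",
        ")": r"\29",
        "\x00": r"\00",
    })
    safe_name = str(name).translate(filter_escapes)

    condition = (
        "(&(cn=*{name}*)"
        "(|(objectClass=computer)(objectClass=user)(objectClass=group)))"
    ).format(name=safe_name)
    entries = self.ldap.search_by_custom(
        condition,
        attributes=[
            "cn", "distinguishedName", "userAccountControl", "objectSid",
            "adminCount", "memberOf", "objectClass", "description",
        ],
        paged_size=page_size,
    )
    if not entries:
        return result

    for entry in entries:
        attrs = entry.entry_attributes_as_dict
        object_classes = attrs["objectClass"]
        if "computer" in object_classes:
            entry_type = "computer"
        elif "group" in object_classes:
            entry_type = "group"
        elif "user" in object_classes:
            entry_type = "user"
        else:
            continue

        temp = {"entry_type": entry_type}
        for key, value in attrs.items():
            if key == "distinguishedName":
                temp["domain"] = get_netbios_domain(
                    get_domain_from_dn(value[0]))
            elif key == "userAccountControl" and entry_type != "group":
                # Groups carry no account-control bits.
                temp["is_disabled"] = self.uac_parser.has_one_flag(
                    value[0], "ACCOUNT_DISABLE")
            elif key == "objectSid":
                # TODO: switch to a sensitive-group membership check.
                temp["is_sensitive"] = self.user_is_sensitive(
                    value[0],
                    admin_count=attrs["adminCount"],
                    member_of=attrs["memberOf"])
            elif key == "cn":
                temp["cn"] = value[0]
            elif key == "description" and value:
                temp["description"] = value[0]

        temp["alert_count"] = Activity().related_count(
            temp["entry_type"], temp["domain"], temp["cn"])
        result.append(temp)
    return result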
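class Invasion(object):
    """Read access to recorded invasions (correlated groups of activities)."""

    def __init__(self):
        self.invasion_mongo = MongoHelper(MongoConfig.invasions_collection)
        self.activity = Activity()

    def list(self, data: dict) -> list:
        """Return one page (10 items) of invasions, newest ``end_time`` first.

        ``data["page"]`` is 1-based and defaults to 1. Values below 1 are
        clamped to the first page so a client-supplied 0 or negative page no
        longer becomes a negative ``skip``, which the Mongo driver rejects with
        an exception. Non-integer values raise as before.

        Each invasion dict has ``start_time``/``end_time`` converted via
        ``datetime_to_utc`` and gains ``activity_list`` with its activities.
        """
        page_size = 10
        page = max(int(data.get("page", 1)), 1)
        start = (page - 1) * page_size

        cursor = self.invasion_mongo.find_all({})
        fetcher = cursor.sort("end_time", -1).skip(start).limit(page_size)

        result = []
        for invasion in fetcher:
            invasion["start_time"] = datetime_to_utc(invasion["start_time"])
            invasion["end_time"] = datetime_to_utc(invasion["end_time"])
            invasion["activity_list"] = self.activity.list_naive(invasion["_id"])
            result.append(invasion)
        return result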
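def close():
    """Close (resolve) one activity (HTTP handler).

    Expects a JSON body with an ``id`` field. A missing body, a non-object
    body or a body without ``id`` produces an ``errno: 1`` response instead of
    an unhandled ``KeyError``/``TypeError`` turning into a 500.
    """
    post_data = request.get_json()
    if not isinstance(post_data, dict) or "id" not in post_data:
        return output_json({"errno": 1, "error": "请求参数有误"})
    Activity().close(post_data["id"])
    return output_json({"errno": 0, "data": ""})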
def delete(activity_id):
    """Delete the activity named by the URL parameter ``activity_id`` (HTTP handler).

    The value returned by ``Activity.delete`` is passed back as ``data``.
    NOTE(review): no authorization check is visible at this point; presumably
    it is enforced by a decorator or middleware upstream — confirm.
    """
    outcome = Activity().delete(activity_id)
    return output_json({"errno": 0, "data": outcome})
def related_list():
    """List activities related to the criteria in the JSON body (HTTP handler).

    The decoded body is handed to ``Activity.related_list`` unchanged, so the
    accepted fields are whatever that method reads.
    """
    criteria = request.get_json()
    related = Activity().related_list(data=criteria)
    return output_json({"errno": 0, "data": related})
def __init__(self):
    """Open the invasions collection and an Activity accessor for this instance."""
    # The two backends are independent; order of construction does not matter.
    self.activity = Activity()
    self.invasion_mongo = MongoHelper(MongoConfig.invasions_collection)