def statistic():
    """Return activity statistics as JSON.

    The payload holds ``total`` (``Activity.count()``) and ``data``
    (``Activity.statistic_status_level()``), wrapped as ``{"errno": 0, "data": ...}``.
    """
    activity = Activity()
    breakdown = activity.statistic_status_level()
    summary = {"total": activity.count(), "data": breakdown}
    return output_json({"errno": 0, "data": summary})
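def mistake():
    """Mark an activity as a false positive.

    Expects a JSON object body carrying ``id`` (the activity id).

    Returns:
        JSON ``{"errno": 0, "data": ""}`` on success, or ``errno`` 1 with an
        ``error`` message when the body is not a JSON object or lacks ``id``.
    """
    post_data = request.get_json()
    # get_json() may hand back None (or a non-object document); indexing it
    # directly raised TypeError/KeyError, so reject it with a structured error.
    if not isinstance(post_data, dict) or "id" not in post_data:
        return output_json({"errno": 1, "error": "缺少必要参数: id"})

    activity = Activity()
    activity.mistake(post_data["id"])

    # NOTE: deriving an exclusion rule so that the same kind of false positive
    # is skipped automatically later is not implemented; the original sketch was
    # Mistake(post_data["alert_code"]).exclude(**post_data).

    return output_json({"errno": 0, "data": ""})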
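def ignore():
    """Ignore an activity and optionally register an ignore rule for its alert.

    Expects a JSON object body with ``id`` and ``ignore_type``. When
    ``ignore_type`` is ``"add_rule"`` the body must also carry ``alert_code``
    and ``rules``; the rule is installed via ``Ignore.add_ignore_rule``.

    Returns:
        JSON ``{"errno": 0, "data": ""}`` on success; ``errno`` 1 with an
        ``error`` message when required fields are missing or the rule is
        rejected.
    """
    post_data = request.get_json()
    if not isinstance(post_data, dict):
        return output_json({"errno": 1, "error": "请求体必须为 JSON 对象"})

    # Validate every field up front so that a malformed request cannot
    # mutate the activity and then fail half-way with a KeyError.
    ignore_type = post_data.get("ignore_type")
    required = {"id", "ignore_type"}
    if ignore_type == "add_rule":
        required |= {"alert_code", "rules"}
    missing = sorted(required - set(post_data))
    if missing:
        return output_json(
            {"errno": 1, "error": "缺少必要参数: " + ", ".join(missing)})

    activity = Activity()
    activity.ignore(post_data["id"])

    # The activity is marked ignored before the rule is validated (same order
    # as before), so a rejected rule still leaves this activity ignored.
    if ignore_type == "add_rule":
        i = Ignore(post_data["alert_code"])
        result = i.add_ignore_rule(post_data["rules"])
        if not result:
            return output_json({"errno": 1, "error": "规则格式或内容有误"})

    return output_json({"errno": 0, "data": ""})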
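    def fuzz_search(self, name, page_size=5, **kwargs) -> list:
        """Fuzzy-search directory objects whose ``cn`` contains *name*.

        Only entries with objectClass ``computer``, ``group`` or ``user`` are
        returned (checked in that order, so a computer is not reported as a
        user). Each result dict has ``entry_type``, ``cn``, ``domain``,
        ``is_sensitive`` and ``alert_count``, plus ``is_disabled`` for
        non-group entries and ``description`` when the attribute is set.

        Args:
            name: substring to match against ``cn``. It is escaped per
                RFC 4515 before being placed in the filter, so ``*``, ``(``,
                ``)``, backslash and NUL in *name* match literally instead of
                rewriting the filter.
            page_size: number of entries requested per LDAP page.
            **kwargs: accepted for signature compatibility; unused here.

        Returns:
            list of result dicts; empty when the search returned nothing.
        """
        # RFC 4515 escaping: caller-supplied text must not be able to close the
        # (cn=...) assertion or add its own filter terms.
        filter_escape = str.maketrans({
            "\\": r"\5c",
            "*": r"\2a",
            "(": r"\28",
            ")": r"\29",
            "\x00": r"\00",
        })
        condition = (
            "(&(cn=*{name}*)(|(objectClass=computer)(objectClass=user)"
            "(objectClass=group)))"
        ).format(name=str(name).translate(filter_escape))
        entries = self.ldap.search_by_custom(condition,
                                             attributes=[
                                                 "cn", "distinguishedName",
                                                 "userAccountControl",
                                                 "objectSid", "adminCount",
                                                 "memberOf", "objectClass",
                                                 "description"
                                             ],
                                             paged_size=page_size)
        result = []
        if not entries:
            return result

        for entry in entries:
            entry_attributes = entry.entry_attributes_as_dict
            object_classes = entry_attributes["objectClass"]

            # Order matters: a computer object also carries the "user" class.
            if "computer" in object_classes:
                entry_type = "computer"
            elif "group" in object_classes:
                entry_type = "group"
            elif "user" in object_classes:
                entry_type = "user"
            else:
                continue
            temp = {"entry_type": entry_type}

            for key, value in entry_attributes.items():
                if key == "distinguishedName":
                    temp["domain"] = get_netbios_domain(
                        get_domain_from_dn(value[0]))
                elif key == "userAccountControl" and entry_type != "group":
                    temp["is_disabled"] = self.uac_parser.has_one_flag(
                        value[0], "ACCOUNT_DISABLE")
                elif key == "objectSid":
                    # TODO: switch to a sensitive-group based check
                    temp["is_sensitive"] = self.user_is_sensitive(
                        value[0],
                        admin_count=entry_attributes["adminCount"],
                        member_of=entry_attributes["memberOf"])
                elif key == "cn":
                    temp["cn"] = value[0]
                elif key == "description" and len(value) > 0:
                    temp["description"] = value[0]

            # NOTE(review): assumes every returned entry carries
            # distinguishedName and cn; an entry lacking either raises KeyError here.
            temp["alert_count"] = Activity().related_count(
                temp["entry_type"], temp["domain"], temp["cn"])
            result.append(temp)
        return result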
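class Invasion(object):
    """Read access to recorded invasions and their associated activities.

    Backed by the ``MongoConfig.invasions_collection`` collection; the
    activity list attached to each invasion comes from ``Activity.list_naive``.
    """

    # Invasions returned per page by ``list``.
    PAGE_SIZE = 10

    def __init__(self):
        self.invasion_mongo = MongoHelper(MongoConfig.invasions_collection)
        self.activity = Activity()

    def list(self, data: dict) -> list:
        """Return one page of invasions ordered by ``end_time`` descending.

        Args:
            data: request payload; ``data["page"]`` is the 1-based page
                number (defaults to 1 when absent).

        Returns:
            list of invasion documents whose ``start_time``/``end_time`` have
            been passed through ``datetime_to_utc`` and which carry an
            ``activity_list``.

        Raises:
            ValueError: if ``page`` is not an integer >= 1. A page below 1
                would produce a negative skip, which the cursor rejects anyway,
                so fail early with a clear message.
        """
        page = int(data.get("page", 1))
        if page < 1:
            raise ValueError(f"page must be >= 1, got {page}")
        start = (page - 1) * self.PAGE_SIZE

        cursor = (self.invasion_mongo.find_all({})
                  .sort("end_time", -1)
                  .skip(start)
                  .limit(self.PAGE_SIZE))

        result = []
        for doc in cursor:
            doc["start_time"] = datetime_to_utc(doc["start_time"])
            doc["end_time"] = datetime_to_utc(doc["end_time"])
            doc["activity_list"] = self.activity.list_naive(doc["_id"])
            result.append(doc)
        return result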
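def close():
    """Close an activity.

    Expects a JSON object body carrying ``id`` (the activity id).

    Returns:
        JSON ``{"errno": 0, "data": ""}`` on success, or ``errno`` 1 with an
        ``error`` message when the body is not a JSON object or lacks ``id``.
    """
    post_data = request.get_json()
    # Guard before indexing: a non-object body or a missing "id" previously
    # surfaced as an unhandled TypeError/KeyError.
    if not isinstance(post_data, dict) or "id" not in post_data:
        return output_json({"errno": 1, "error": "缺少必要参数: id"})

    activity = Activity()
    activity.close(post_data["id"])

    return output_json({"errno": 0, "data": ""})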
def delete(activity_id):
    """Delete the activity identified by *activity_id*.

    Returns:
        JSON ``{"errno": 0, "data": <result of Activity.delete>}``.
    """
    outcome = Activity().delete(activity_id)
    return output_json({"errno": 0, "data": outcome})
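def related_list():
    """List activities related to the criteria in the request body.

    The JSON object body is handed to ``Activity.related_list`` unchanged.

    Returns:
        JSON ``{"errno": 0, "data": <related activities>}``, or ``errno`` 1
        with an ``error`` message when the body is not a JSON object.
    """
    post_data = request.get_json()
    # related_list(data=...) expects a mapping; reject None/non-object bodies
    # here rather than letting them fail inside the data layer.
    if not isinstance(post_data, dict):
        return output_json({"errno": 1, "error": "请求体必须为 JSON 对象"})

    activity = Activity()
    result = activity.related_list(data=post_data)

    return output_json({"errno": 0, "data": result})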
 def __init__(self):
     """Bind the invasions collection helper and an ``Activity`` accessor."""
     collection = MongoConfig.invasions_collection
     self.invasion_mongo = MongoHelper(collection)
     self.activity = Activity()