Пример #1
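def run(customer, result_type, server):
    """Find connections to blacklisted URLs for *customer* and report the count.

    Args:
        customer: Customer key used for every ESServer call and echoed in the
            status banners.
        result_type: Result name under which find_blacklisted_ipvoid stores
            its hits; the customer's previous results of that name are
            deleted first.
        server: Wrapped in a one-element list and handed to ESServer.

    Side effects:
        Rebinds the module-global ``ht_data``. The previous results are
        deleted before the analysis runs and no exception is caught, so if
        find_blacklisted_ipvoid raises, the old results are already gone.
    """
    # The former ``global BLACKLIST_COUNT`` declaration was dropped: the name
    # was neither read nor assigned in this function, so it had no effect.
    global ht_data

    ht_data = ESServer([server])

    # Yaaayyy, colors
    print(colors.bcolors.OKBLUE + '[-] Finding blacklisted URLS for customer '
          + colors.bcolors.HEADER + customer
          + colors.bcolors.OKBLUE + ' [-]'
          + colors.bcolors.ENDC)

    # Delete Previous Results
    ht_data.delete_results(customer, result_type)

    find_blacklisted_ipvoid(customer, result_type)

    # Report number of connections to blacklisted IPs found. Only the size is
    # used; the hits and the scroll cursor are discarded.
    # NOTE(review): the query asks for 1000 entries -- confirm scroll_size is
    # the total hit count and not the page size, or the report under-counts.
    _hits, _scroll_id, scroll_size = ht_data.get_data(
        customer, 'results', [], [{'result_type': result_type}], [], '', 1000)
    print(colors.bcolors.FAIL + '[!] Found ' + str(scroll_size) + ' connections to blacklisted URLs in log entries [!]'
          + colors.bcolors.ENDC)

    print(colors.bcolors.OKGREEN + '[+] Finished finding blacklisted URLS for customer '
          + colors.bcolors.HEADER + customer
          + colors.bcolors.OKGREEN + ' [+]'
          + colors.bcolors.ENDC)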
Пример #2
def run(customer, proto, threshold, graph, graph_thresh, potential_save_dir, result_type, server):
    """Run the port-scan analysis for *customer* and print how long it took.

    Args:
        customer: Customer key used for the ESServer calls and echoed in the
            status banners.
        proto: Protocol filter; the empty string means no filter and hides the
            " with protocol ..." fragment of the banners.
        threshold, graph, graph_thresh, potential_save_dir: Passed unchanged
            to scan_analysis.
        result_type: Result name whose previous entries are deleted before
            the analysis writes new ones.
        server: Handed directly to ESServer.

    Side effects:
        Rebinds the module-global ``ht_data``. Results are deleted before the
        analysis runs and no exception is caught, so a failing analysis
        leaves the customer without results for ``result_type``.
    """
    global ht_data
    ht_data = ESServer(server)

    blue = colors.bcolors.OKBLUE
    green = colors.bcolors.OKGREEN
    head = colors.bcolors.HEADER
    reset = colors.bcolors.ENDC

    def _protocol_fragment():
        # Trailing comma (Python 2 print-statement semantics) keeps the
        # fragment on the same line as the banner that was just started.
        if proto != "":
            print(blue + ' with protocol ' + head + proto),

    print(blue + '[-] Checking potential port scans for ' + head + customer),
    _protocol_fragment()
    print(blue + '[-]' + reset)

    # Wall-clock timing of the whole analysis, reported at the end.
    time_start = time.time()

    # Previous results of this type are removed so the run replaces them.
    ht_data.delete_results(customer, result_type)

    scan_analysis(customer, proto, threshold, graph, graph_thresh, potential_save_dir, result_type)

    time_elapsed = time.time() - time_start

    print(green + '[+] Finished checking potential port scans for ' + head + customer),
    _protocol_fragment()
    print(blue + '[-]' + reset)

    print(green + '[+] Time for scan analysis: ' + str(time_elapsed) + ' [+]' + reset)
Пример #3
def run(customer, proto, threshold, graph, potential_save_dir, result_type, server):
    """Run the port-scan analysis for *customer*, report the hit count and timing.

    Args:
        customer: Customer key used for the ESServer calls and echoed in the
            status banners.
        proto: Protocol filter; the empty string means no filter and hides the
            " with protocol ..." fragment of the banners.
        threshold, graph, potential_save_dir: Passed unchanged to
            scan_analysis.
        result_type: Result name whose previous entries are deleted before
            the analysis writes new ones, and which is queried afterwards for
            the count.
        server: Handed directly to ESServer.

    Side effects:
        Rebinds the module-global ``ht_data``. Results are deleted before the
        analysis runs and no exception is caught, so a failing analysis
        leaves the customer without results for ``result_type``.
    """
    global ht_data
    ht_data = ESServer(server)

    blue = colors.bcolors.OKBLUE
    green = colors.bcolors.OKGREEN
    head = colors.bcolors.HEADER
    reset = colors.bcolors.ENDC

    def _protocol_fragment():
        # Trailing comma (Python 2 print-statement semantics) keeps the
        # fragment on the same line as the banner that was just started.
        if proto != "":
            print(blue + ' with protocol ' + head + proto),

    print(blue + '[-] Checking potential port scans for ' + head + customer),
    _protocol_fragment()
    print(blue + '[-]' + reset)

    # Wall-clock timing of the whole analysis, reported at the end.
    time_start = time.time()

    # Previous results of this type are removed so the run replaces them.
    ht_data.delete_results(customer, result_type)

    scan_analysis(customer, proto, threshold, graph, potential_save_dir, result_type)

    time_elapsed = time.time() - time_start

    # Only the size is reported; the hits and scroll cursor are discarded.
    # NOTE(review): the query asks for 1000 entries -- confirm scroll_size is
    # the total hit count rather than the page size.
    _hits, _scroll_id, scroll_size = ht_data.get_data(
        customer, 'results', [], [{'result_type': result_type}], [], '', 1000)
    print(colors.bcolors.FAIL + '[!] Found ' + str(scroll_size) + ' potential port scans [!]' + reset)

    print(green + '[+] Finished checking potential port scans for ' + head + customer),
    _protocol_fragment()
    print(blue + '[-]' + reset)

    print(green + '[+] Time for scan analysis: ' + str(time_elapsed) + ' [+]' + reset)
Пример #4
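def run(customer, result_type, server):
    """Find connections to blacklisted URLs for *customer* and report the count.

    Args:
        customer: Customer key used for every ESServer call and echoed in the
            status banners.
        result_type: Result name under which find_blacklisted_ipvoid stores
            its hits; the customer's previous results of that name are
            deleted first.
        server: Wrapped in a one-element list and handed to ESServer.

    Side effects:
        Rebinds the module-global ``ht_data``. The previous results are
        deleted before the analysis runs and no exception is caught, so if
        find_blacklisted_ipvoid raises, the old results are already gone.
    """
    # The former ``global BLACKLIST_COUNT`` declaration was dropped: the name
    # was neither read nor assigned in this function, so it had no effect.
    global ht_data

    ht_data = ESServer([server])

    # Yaaayyy, colors
    print(colors.bcolors.OKBLUE +
          '[-] Finding blacklisted URLS for customer ' +
          colors.bcolors.HEADER + customer + colors.bcolors.OKBLUE + ' [-]' +
          colors.bcolors.ENDC)

    # Delete Previous Results
    ht_data.delete_results(customer, result_type)

    find_blacklisted_ipvoid(customer, result_type)

    # Report number of connections to blacklisted IPs found. Only the size is
    # used; the hits and the scroll cursor are discarded.
    # NOTE(review): the query asks for 1000 entries -- confirm scroll_size is
    # the total hit count and not the page size, or the report under-counts.
    _hits, _scroll_id, scroll_size = ht_data.get_data(
        customer, 'results', [], [{
            'result_type': result_type
        }], [], '', 1000)
    print(colors.bcolors.FAIL + '[!] Found ' + str(scroll_size) +
          ' connections to blacklisted URLs in log entries [!]' +
          colors.bcolors.ENDC)

    print(colors.bcolors.OKGREEN +
          '[+] Finished finding blacklisted URLS for customer ' +
          colors.bcolors.HEADER + customer + colors.bcolors.OKGREEN + ' [+]' +
          colors.bcolors.ENDC)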
Пример #5
def run(customer, threshold, result_type, server):
    """Find long URLs for *customer* and store them under *result_type*.

    ``server`` is wrapped in a one-element list for ESServer and ``threshold``
    is passed straight to find_long_urls. Rebinds the module-global
    ``ht_data`` and removes the customer's previous ``result_type`` results
    before the search starts; no exception from the search is caught.
    """
    global ht_data
    ht_data = ESServer([server])

    blue = colors.bcolors.OKBLUE
    green = colors.bcolors.OKGREEN
    name = colors.bcolors.HEADER + customer
    reset = colors.bcolors.ENDC

    print(blue + '[-] Finding long URLs for customer ' + name + blue + ' [-]' + reset)

    # Previous results of this type are removed so the run replaces them.
    ht_data.delete_results(customer, result_type)

    find_long_urls(customer, threshold, result_type)

    print(green + '[+] Finished checking long URLs for customer ' + name + green + ' [+]' + reset)
Пример #6
def run(customer, threshold, result_type, server="http://localhost:5000/"):
    """Find long-duration connections for *customer* and store them under *result_type*.

    ``threshold`` is passed straight to find_long_durations. ``server`` is
    handed to ESServer as-is; its default is a plain-HTTP URL on localhost.
    NOTE(review): confirm ESServer accepts a bare URL here and that the
    localhost default is only meant for local runs.

    Rebinds the module-global ``ht_data`` and removes the customer's previous
    ``result_type`` results before the search starts; no exception from the
    search is caught.
    """
    global ht_data
    ht_data = ESServer(server)

    blue = colors.bcolors.OKBLUE
    green = colors.bcolors.OKGREEN
    name = colors.bcolors.HEADER + customer
    reset = colors.bcolors.ENDC

    print(blue + '[-] Finding long connections for customer ' + name + blue + ' [-]' + reset)

    # Previous results of this type are removed so the run replaces them.
    ht_data.delete_results(customer, result_type)

    find_long_durations(customer, threshold, result_type)

    print(green + '[+] Finished checking long connections for customer ' + name + green + ' [+]' + reset)
Пример #7
def run(customer, threshold, result_type, server):
    """Find long URLs for *customer* and store them under *result_type*.

    ``server`` is wrapped in a one-element list for ESServer and ``threshold``
    is passed straight to find_long_urls. Rebinds the module-global
    ``ht_data`` and removes the customer's previous ``result_type`` results
    before the search starts; no exception from the search is caught.
    """
    global ht_data
    ht_data = ESServer([server])

    blue = colors.bcolors.OKBLUE
    green = colors.bcolors.OKGREEN
    name = colors.bcolors.HEADER + customer
    reset = colors.bcolors.ENDC

    print(blue + '[-] Finding long URLs for customer ' + name + blue + ' [-]' + reset)

    # Previous results of this type are removed so the run replaces them.
    ht_data.delete_results(customer, result_type)

    find_long_urls(customer, threshold, result_type)

    print(green + '[+] Finished checking long URLs for customer ' + name + green + ' [+]' + reset)
    
Пример #8
def run(customer, result_type, server):
    """Cross-analyse the malicious-behaviour results of *customer*.

    ``server`` is handed directly to ESServer. Rebinds the module-global
    ``ht_data`` and removes the customer's previous ``result_type`` results
    before find_cross_analysis runs; no exception from it is caught.
    """
    global ht_data
    ht_data = ESServer(server)

    blue = colors.bcolors.OKBLUE
    green = colors.bcolors.OKGREEN
    name = colors.bcolors.HEADER + customer
    reset = colors.bcolors.ENDC

    print(blue + '[-] Performing cross-analysis of malicious behaviors for customer ' + name + blue + ' [-]' + reset)

    # Previous results of this type are removed so the run replaces them.
    ht_data.delete_results(customer, result_type)

    find_cross_analysis(customer, result_type)

    print(green + '[+] Finished performing cross-analysis of malicious behaviors for customer ' + name + green + ' [+]' + reset)
Пример #9
def run(customer, result_type, server):
    """Find concurrent logins for *customer* and store them under *result_type*.

    ``server`` is handed directly to ESServer. Rebinds the module-global
    ``ht_data`` and removes the customer's previous ``result_type`` results
    before find_concurrent runs; no exception from it is caught.
    """
    global ht_data
    ht_data = ESServer(server)

    blue = colors.bcolors.OKBLUE
    green = colors.bcolors.OKGREEN
    name = colors.bcolors.HEADER + customer
    reset = colors.bcolors.ENDC

    print(blue + '[-] Finding concurrent logins for customer ' + name + blue + ' [-]' + reset)

    # Previous results of this type are removed so the run replaces them.
    ht_data.delete_results(customer, result_type)

    find_concurrent(customer, result_type)

    print(green + '[+] Finished finding concurrent logins for customer ' + name + green + ' [+]' + reset)
Пример #10
def run(customer, result_type, server):
    """Find concurrent logins for *customer* and store them under *result_type*.

    ``server`` is handed directly to ESServer. Rebinds the module-global
    ``ht_data`` and removes the customer's previous ``result_type`` results
    before find_concurrent runs; no exception from it is caught.
    """
    global ht_data
    ht_data = ESServer(server)

    blue = colors.bcolors.OKBLUE
    green = colors.bcolors.OKGREEN
    name = colors.bcolors.HEADER + customer
    reset = colors.bcolors.ENDC

    print(blue + '[-] Finding concurrent logins for customer ' + name + blue + ' [-]' + reset)

    # Previous results of this type are removed so the run replaces them.
    ht_data.delete_results(customer, result_type)

    find_concurrent(customer, result_type)

    print(green + '[+] Finished finding concurrent logins for customer ' + name + green + ' [+]' + reset)
Пример #11
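def run(customer, proto, threshold_likely, threshold_unlikely, graph_likely,
        graph_unlikely, potential_save_dir, unlikely_save_dir, result_type,
        server):
    """Run the beacon analysis for *customer*, optionally graphing the results.

    Args:
        customer: Customer key used for every ESServer call and echoed in the
            status banners.
        proto: Protocol filter passed through to the analysis and graphing
            steps; the empty string means "no filter" and suppresses the
            " with protocol ..." fragment in the banners.
        threshold_likely, threshold_unlikely: Passed unchanged to
            analyze_fft_data.
        graph_likely, graph_unlikely: When truthy, graph the
            ``likely_beacons`` / ``unlikely_beacons`` category.
        potential_save_dir, unlikely_save_dir: Output directories handed to
            find_beacons_graph for the likely / unlikely category.
        result_type: Result name under which this run stores its output.
        server: Handed directly to ESServer.

    Side effects:
        Rebinds the module-global ``ht_data``. The customer's previous
        ``result_type``, ``likely_beacons`` and ``unlikely_beacons`` results
        are deleted before the analysis runs and no exception is caught, so
        a failing analysis leaves the customer with no beacon results.
    """
    global ht_data
    ht_data = ESServer(server)

    def _protocol_fragment():
        # Trailing comma (Python 2 print-statement semantics) keeps the
        # fragment on the same line as the banner that was just started.
        if proto != "":
            print(colors.bcolors.OKBLUE + ' with protocol ' +
                  colors.bcolors.HEADER + proto),

    def _graph(category, save_dir):
        # Announce and graph one beacon category. The likely and unlikely
        # branches previously duplicated this block verbatim.
        print(colors.bcolors.OKBLUE +
              '[-] Graphing potential beacons customer ' +
              colors.bcolors.HEADER + customer + colors.bcolors.OKBLUE +
              ' with beaconing logs under result name ' +
              colors.bcolors.HEADER + result_type + colors.bcolors.OKBLUE +
              ' of type ' + colors.bcolors.HEADER + category),
        _protocol_fragment()
        print(colors.bcolors.OKBLUE + '[-]' + colors.bcolors.ENDC)
        find_beacons_graph(customer, proto, category, save_dir)

    print(colors.bcolors.OKBLUE +
          '[-] Checking potential beacons for customer ' +
          colors.bcolors.HEADER + customer),
    _protocol_fragment()
    print(colors.bcolors.OKBLUE + '[-]' + colors.bcolors.ENDC)

    # Wall-clock timing of analysis plus graphing, reported at the end.
    time_start = time.time()

    # Delete Previous Results
    ht_data.delete_results(customer, result_type)
    ht_data.delete_results(customer, 'likely_beacons')
    ht_data.delete_results(customer, 'unlikely_beacons')

    beacon_analysis(customer, proto, result_type)

    analyze_fft_data(customer, proto, threshold_likely, threshold_unlikely,
                     result_type)

    if graph_likely:
        _graph('likely_beacons', potential_save_dir)

    if graph_unlikely:
        _graph('unlikely_beacons', unlikely_save_dir)

    time_elapsed = time.time() - time_start

    print(colors.bcolors.OKGREEN +
          '[+] Finished checking potential beacons for ' +
          colors.bcolors.HEADER + customer),
    _protocol_fragment()
    print(colors.bcolors.OKGREEN + '[+]' + colors.bcolors.ENDC)

    # NOTE(review): the message says 'scan analysis' although this is the
    # beacon run; kept byte-for-byte -- confirm the wording before changing.
    print(colors.bcolors.OKGREEN + '[+] Time for scan analysis: ' +
          str(time_elapsed) + ' [+]' + colors.bcolors.ENDC)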
Пример #12
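def run(customer, proto, threshold_likely, threshold_unlikely, graph_likely, graph_unlikely, potential_save_dir, unlikely_save_dir, result_type, server):
    """Run the beacon analysis for *customer*, optionally graphing the results.

    Args:
        customer: Customer key used for every ESServer call and echoed in the
            status banners.
        proto: Protocol filter passed through to the analysis and graphing
            steps; the empty string means "no filter" and suppresses the
            " with protocol ..." fragment in the banners.
        threshold_likely, threshold_unlikely: Passed unchanged to
            analyze_fft_data.
        graph_likely, graph_unlikely: When truthy, graph the
            ``likely_beacons`` / ``unlikely_beacons`` category.
        potential_save_dir, unlikely_save_dir: Output directories handed to
            find_beacons_graph for the likely / unlikely category.
        result_type: Result name under which this run stores its output.
        server: Handed directly to ESServer.

    Side effects:
        Rebinds the module-global ``ht_data``. The customer's previous
        ``result_type``, ``likely_beacons`` and ``unlikely_beacons`` results
        are deleted before the analysis runs and no exception is caught, so
        a failing analysis leaves the customer with no beacon results.
    """
    global ht_data
    ht_data = ESServer(server)

    def _protocol_fragment():
        # Trailing comma (Python 2 print-statement semantics) keeps the
        # fragment on the same line as the banner that was just started.
        if proto != "":
            print(colors.bcolors.OKBLUE + ' with protocol '
                  + colors.bcolors.HEADER + proto),

    def _graph(category, save_dir):
        # Announce and graph one beacon category. The likely and unlikely
        # branches previously duplicated this block verbatim.
        print(colors.bcolors.OKBLUE + '[-] Graphing potential beacons customer '
              + colors.bcolors.HEADER + customer
              + colors.bcolors.OKBLUE + ' with beaconing logs under result name '
              + colors.bcolors.HEADER + result_type
              + colors.bcolors.OKBLUE + ' of type '
              + colors.bcolors.HEADER + category),
        _protocol_fragment()
        print(colors.bcolors.OKBLUE + '[-]' + colors.bcolors.ENDC)
        find_beacons_graph(customer, proto, category, save_dir)

    print(colors.bcolors.OKBLUE + '[-] Checking potential beacons for customer '
          + colors.bcolors.HEADER + customer),
    _protocol_fragment()
    print(colors.bcolors.OKBLUE + '[-]' + colors.bcolors.ENDC)

    # Wall-clock timing of analysis plus graphing, reported at the end.
    time_start = time.time()

    # Delete Previous Results
    ht_data.delete_results(customer, result_type)
    ht_data.delete_results(customer, 'likely_beacons')
    ht_data.delete_results(customer, 'unlikely_beacons')

    beacon_analysis(customer, proto, result_type)

    analyze_fft_data(customer, proto, threshold_likely, threshold_unlikely, result_type)

    if graph_likely:
        _graph('likely_beacons', potential_save_dir)

    if graph_unlikely:
        _graph('unlikely_beacons', unlikely_save_dir)

    time_elapsed = time.time() - time_start

    print(colors.bcolors.OKGREEN + '[+] Finished checking potential beacons for '
          + colors.bcolors.HEADER + customer),
    _protocol_fragment()
    print(colors.bcolors.OKGREEN + '[+]' + colors.bcolors.ENDC)

    # NOTE(review): the message says 'scan analysis' although this is the
    # beacon run; kept byte-for-byte -- confirm the wording before changing.
    print(colors.bcolors.OKGREEN + '[+] Time for scan analysis: ' + str(time_elapsed) + ' [+]' + colors.bcolors.ENDC)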