def putSSConfig():
    """Write a fresh, all-defaults Sweet Security configuration document.

    Resets every flag to 0, stamps ``lastModified`` with the current time in
    epoch milliseconds (stored as a string) and writes the document to the
    ``sweet_security`` index / ``configuration`` type through ``es.write``.

    Returns:
        The literal string ``"done"``. The result of ``es.write`` is not
        inspected, so a failed write is not reported to the caller.
    """
    # NOTE(review): every flag is 0 here. If these gate isolation, monitoring
    # or firewalling, that is a fail-open default — confirm it is intended;
    # the meaning of the values cannot be told from this file.
    flagNames = ('defaultIsolate', 'defaultLogRetention', 'defaultMonitor', 'defaultFW')
    document = dict.fromkeys(flagNames, 0)
    # Epoch milliseconds, rounded to the nearest integer, serialised as text.
    nowMillis = int(round(time.time() * 1000))
    document['lastModified'] = str(nowMillis)
    es.write(esService, document, 'sweet_security', 'configuration')
    return "done"
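def dnsSearch(ip, mac):
    """Baseline the DNS queries seen from one host and alert on each new one.

    Fetches the host's ``dns.log`` hits via ``getLogs(ip, ...)``, loads the
    queries already baselined for ``mac`` from the ``tardis`` /
    ``known_dnsqueries`` index, and for every query not yet known writes a new
    baseline document and sends a ``Baseliner`` alert that references the
    originating hit (``_id`` / ``_index``).

    Args:
        ip: Host address handed to ``getLogs`` to select the dns.log hits.
        mac: Host MAC address; key of the per-host baseline.

    Returns:
        Number of queries newly added to the baseline during this pass.

    Raises:
        KeyError: if a hit lacks ``_source.query``; the pass aborts and
            documents already written in this call are not rolled back.
    """
    newQueries = 0
    dnsHits = getLogs(ip, '/opt/nsm/bro/logs/current/dns.log')['hits']['hits']
    knownDnsQuery = {"query": {"match_phrase": {"mac": {"query": mac}}}}
    knownDnsData = es.search(esService, knownDnsQuery, 'tardis', 'known_dnsqueries')
    # A set, not a list: membership is tested once per hit, and the list scan
    # made the loop below quadratic in the size of the baseline.
    knownQueries = {hit['_source']['query'] for hit in knownDnsData['hits']['hits']}
    # NOTE(review): this is learn-on-sight — every unseen query is added to the
    # baseline unconditionally, so traffic from an already-compromised host is
    # baked in and never alerted on again. Baselining assumes the host is clean
    # while it runs.
    for log in dnsHits:
        query = log['_source']['query']
        if query in knownQueries:
            continue
        newQueries += 1
        knownQueries.add(query)
        # Own name for the new document; the original reused the name of the
        # collection being iterated, which was misleading.
        baselineDoc = {'mac': mac, 'query': query}
        es.write(esService, baselineDoc, 'tardis', 'known_dnsqueries')
        # The query name is attacker-influenced network data and is passed to
        # alert.send unescaped; whatever renders these messages must treat the
        # text as untrusted.
        alertMessage = 'A new DNS query was added to the baseline: %s' % query
        alert.send('Baseliner', alertMessage, log['_id'], log['_index'])
    return newQueries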
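def connSearch(ip, mac):
    """Baseline the responder IPs one host has connected to and alert on new ones.

    Fetches the host's ``conn.log`` hits via ``getLogs(ip, ...)``, loads the
    IPs already baselined for ``mac`` from the ``tardis`` / ``known_hosts``
    index, and for every ``resp_h`` not yet known writes a new baseline
    document and sends a ``Baseliner`` alert that references the originating
    hit (``_id`` / ``_index``).

    Args:
        ip: Host address handed to ``getLogs`` to select the conn.log hits.
        mac: Host MAC address; key of the per-host baseline.

    Returns:
        Number of responder IPs newly added to the baseline during this pass.

    Raises:
        KeyError: if a hit lacks ``_source.resp_h`` (or a baseline document
            lacks ``_source.ip``); the pass aborts and documents already
            written in this call are not rolled back.
    """
    newHosts = 0
    connHits = getLogs(ip, '/opt/nsm/bro/logs/current/conn.log')['hits']['hits']
    knownHostQuery = {"query": {"match_phrase": {"mac": {"query": mac}}}}
    knownHostData = es.search(esService, knownHostQuery, 'tardis', 'known_hosts')
    # A set, not a list: one membership test per hit instead of a list scan
    # that grew with the baseline.
    knownHosts = {hit['_source']['ip'] for hit in knownHostData['hits']['hits']}
    # NOTE(review): learn-on-sight — any destination seen once is added to the
    # baseline unconditionally, so a C2 address contacted during baselining
    # becomes "known" and is never alerted on again. Assumes a clean host.
    for log in connHits:
        respHost = log['_source']['resp_h']
        if respHost in knownHosts:
            continue
        newHosts += 1
        knownHosts.add(respHost)
        baselineDoc = {'mac': mac, 'ip': respHost}
        es.write(esService, baselineDoc, 'tardis', 'known_hosts')
        alertMessage = 'A new IP was added to the baseline: %s' % respHost
        alert.send('Baseliner', alertMessage, log['_id'], log['_index'])
    return newHosts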
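def httpSearch(ip, mac):
    """Baseline the web server names one host has talked to and alert on new ones.

    Fetches the host's ``http.log`` hits via ``getLogs(ip, ...)``, loads the
    names already baselined for ``mac`` from the ``tardis`` /
    ``known_websites`` index, and for every ``server_name`` not yet known
    writes a new baseline document and sends a ``Baseliner`` alert that
    references the originating hit (``_id`` / ``_index``).

    Args:
        ip: Host address handed to ``getLogs`` to select the http.log hits.
        mac: Host MAC address; key of the per-host baseline.

    Returns:
        Number of server names newly added to the baseline during this pass.

    Raises:
        KeyError: if a hit lacks ``_source.server_name``; the pass aborts and
            documents already written in this call are not rolled back.
    """
    newSites = 0
    httpHits = getLogs(ip, '/opt/nsm/bro/logs/current/http.log')['hits']['hits']
    knownSiteQuery = {"query": {"match_phrase": {"mac": {"query": mac}}}}
    knownSiteData = es.search(esService, knownSiteQuery, 'tardis', 'known_websites')
    # A set, not a list: one membership test per hit instead of a list scan
    # that grew with the baseline.
    knownWebsites = {hit['_source']['server_name'] for hit in knownSiteData['hits']['hits']}
    # NOTE(review): stock Bro http.log carries the client-supplied "host"
    # header, and "server_name" is the SNI field of ssl.log — confirm the
    # ingest pipeline actually populates server_name on http hits, otherwise
    # every hit raises KeyError here. Either way the value is client/peer
    # controlled text.
    # NOTE(review): learn-on-sight — every unseen name is added to the
    # baseline unconditionally; assumes the host is clean while baselining.
    for log in httpHits:
        serverName = log['_source']['server_name']
        if serverName in knownWebsites:
            continue
        newSites += 1
        knownWebsites.add(serverName)
        baselineDoc = {'mac': mac, 'server_name': serverName}
        es.write(esService, baselineDoc, 'tardis', 'known_websites')
        # serverName is untrusted network data passed to alert.send unescaped;
        # whatever renders these messages must treat it as such.
        alertMessage = 'A new website was added to the baseline: %s' % serverName
        alert.send('Baseliner', alertMessage, log['_id'], log['_index'])
    return newSites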