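def execute(event):
    """Run nbtscan against ``event.ip_address`` and record the NetBIOS columns.

    Sets ``netbios_name``/``hostname`` (NetBIOS name, lower-cased),
    ``netbios_server`` and ``netbios_user`` when those columns carry a value,
    and ``netbios_mac``/``mac_address``. Results are delivered through
    ``event.setAttribute``; the function returns None and logs (rather than
    raises) on an unsafe target, empty output or an unparseable result line.
    """
    import string

    print('Checking nbtscan...')

    target = event.ip_address
    # The target is spliced into a shell command line. Accept only address /
    # hostname characters and refuse a leading '-', so that neither shell
    # metacharacters nor an extra nbtscan option can be injected.
    allowed = set(string.ascii_letters + string.digits + '.:/_-')
    if not target or target[0] == '-' or any(c not in allowed for c in target):
        log.error("nbtscan skipped: unsafe or empty target '%s'" % target)
        return

    lines = runBash('nbtscan %s' % target).read().splitlines()
    if not lines:
        # The original indexed [-1] on an empty list and raised IndexError here.
        log.error("nbtscan produced no output for %s" % target)
        return
    results = lines[-1]

    print('\n' + results)

    # A last line starting with '-' is nbtscan's separator: no host answered.
    if results.startswith('-'):
        return

    try:
        _ip, netName, server, user, mac = results.split()
    except ValueError:
        log.error("nbtscan results failed to parse")
        return

    hostname = netName.lower()
    event.setAttribute('netbios_name', hostname)
    event.setAttribute('hostname', hostname)

    # NOTE(review): this stores the NetBIOS name, not the server column, and
    # only when the column does not contain "server"; confirm that is the
    # intended meaning for the nbtscan output layout in use.
    if 'server' not in server:
        event.setAttribute('netbios_server', hostname)

    # The attribute is named after the user column; the original stored the
    # NetBIOS name here instead of the parsed user value.
    if 'unknown' not in user:
        event.setAttribute('netbios_user', user.lower())

    event.setAttribute('netbios_mac', mac)
    event.setAttribute('mac_address', mac)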
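def execute(event):
    """Reverse-resolve ``event.ip_address`` with dig and record the result.

    Sets ``a_record`` to the answer of ``dig -x`` (a PTR name despite the
    attribute's name; trailing dot removed) and ``hostname`` to its first
    label. Nothing is set when the target is unsafe, dig returns no answer,
    or the output is only a diagnostic line.
    """
    import string

    print('Executing dig...')

    target = event.ip_address
    # The target is spliced into a shell command line. Accept only address /
    # hostname characters and refuse a leading '-', so that neither shell
    # metacharacters nor an extra dig option can be injected.
    allowed = set(string.ascii_letters + string.digits + '.:/_-')
    if not target or target[0] == '-' or any(c not in allowed for c in target):
        print("dig skipped: unsafe or empty target '%s'" % target)
        return

    answer = runBash('dig -x %s +short' % target).read().strip()

    # With +short, dig still prints diagnostics such as
    # ";; connection timed out; no servers could be reached" on stdout;
    # those begin with ';' and must not be stored as a hostname.
    if not answer or answer.startswith(';'):
        return

    a_record = answer.rstrip('.')
    event.setAttribute('a_record', a_record)
    event.setAttribute('hostname', a_record.split('.')[0])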
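    def queueFile(self, filename, filepath, submissionSettings):
        """Upload ``filepath`` to the ``submissions`` endpoint and return its ID.

        Args:
            filename: unused here; kept so callers' signature is unchanged.
            filepath: local file sent as the ``filename`` multipart field.
            submissionSettings: JSON-serialisable options sent as ``options``.

        Returns:
            The ``ID`` of the first element of the JSON response, or None
            when the response body is empty.
        """
        try:
            from shlex import quote  # Python 3.3+
        except ImportError:
            from pipes import quote  # Python 2

        submitURL = self.baseURL + 'submissions'
        options = simplejson.dumps(submissionSettings)

        # Every value is shell-quoted as one argument. The previous manual
        # escaping only handled '"', so a path or option value containing
        # '$', '`' or '\' was interpreted by the shell.
        # NOTE(review): '-k' disables TLS certificate verification, so the API
        # token is sent to whatever answers at baseURL, and the token is on the
        # command line (visible in the process list). Confirm both are acceptable.
        curlCmd = 'curl -qgsSkH %s --no-progress-bar --header %s -F %s -F %s %s' % (
            quote('Content-Type: multipart/form-data'),
            quote('X-FEApi-Token: %s' % self.token),
            quote('filename=@%s' % filepath),
            quote('options=%s' % options),
            quote(submitURL))

        response = runBash(curlCmd).read()

        if response:
            print(response)
            return simplejson.loads(response)[0]['ID']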
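def mergePCAPGroups(event):
    """Merge the PCAPs of each configured sensor group into one file.

    ``confVars.mergeGroups`` is a comma-separated list of ``name:match``
    entries. Every path in ``event.pcaps`` containing ``match`` is fed to
    ``mergecap`` and replaced in ``event.pcaps`` by
    ``<event._baseFilePath>.<name>.pcap``. Blank entries are ignored and
    malformed ones are reported and skipped; the original raised ValueError
    on either (an empty setting yields one blank entry).
    """
    try:
        from shlex import quote  # Python 3.3+
    except ImportError:
        from pipes import quote  # Python 2

    for entry in confVars.mergeGroups.split(','):
        entry = entry.strip()
        if not entry:
            continue
        if entry.count(':') != 1:
            stdWriteFlush("Skipping malformed merge group '%s' (expected name:match)\n" % entry)
            continue

        name, match = entry.split(':')
        matched = [pcap for pcap in event.pcaps if match in pcap]
        if not matched:
            continue

        stdWriteFlush('Merging %s sensor group...\n' % name)
        mergedPCAP = '%s.%s.pcap' % (event._baseFilePath, name)
        # Paths are shell-quoted (mergecap runs via a shell) and stdout is
        # drained so the merge has finished before the merged file is used.
        runBash('mergecap -w %s %s' % (
            quote(mergedPCAP), ' '.join(quote(p) for p in matched))).read()

        for pcap in matched:
            event.pcaps.remove(pcap)
        event.pcaps.append(mergedPCAP)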
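def tcpdumpFiles(event, ssh, server, dailies):
    """Filter each sensor's daily PCAPs remotely, concatenate the hits, copy them back.

    For every ``sensor -> [remote pcap paths]`` pair in ``dailies`` the
    files are filtered with ``event._pcapBPF`` on the remote host over
    ``ssh``, non-empty results are concatenated with ``concatPCAPs``, the
    result is ``scp``'d from ``server`` to ``<event._baseFilePath>.<sensor>.pcap``
    and that local path is appended to ``event.pcaps``. The remote
    temporaries under /tmp are removed afterwards.

    Args:
        event: case object providing ``_baseFilePath``, ``_pcapBPF`` and ``pcaps``.
        ssh: connected client whose ``exec_command`` returns ``(stdin, stdout, stderr)``.
        server: host part of the ``scp`` source ``server:path``.
        dailies: mapping of sensor name to iterable of remote PCAP paths.

    Raises:
        ValueError: when tcpdump rejects ``event._pcapBPF``. (The original did
        ``raise error`` on a string, which is itself a TypeError.)
    """
    try:
        from shlex import quote  # Python 3.3+
    except ImportError:
        from pipes import quote  # Python 2

    def pcapNotEmpty(ssh, pcapFile):
        # Reading a single packet is enough: any output line means data.
        stdin, stdout, stderr = ssh.exec_command('/usr/sbin/tcpdump -s 1515 -nn -c 1 -r %s' % quote(pcapFile))
        return len(stdout.readlines())

    # The filter is spliced into a remote shell command line: quoting it makes
    # it one tcpdump argument and keeps quotes, parentheses and other shell
    # metacharacters in the expression from being interpreted by that shell.
    bpf = quote(event._pcapBPF)

    for sensor, logs in dailies.items():
        tmpPath = '/tmp/%s_%s' % (os.path.basename(event._baseFilePath), sensor)

        i = 0
        total = len(logs)
        absTempPaths = []
        for count, pcapFile in enumerate(logs, 1):
            stdWriteFlush(precentComplete('Processing PCAPs on %s: ' % sensor, count, total))
            absTempPath = "%s%06d" % (tmpPath, i)
            stdin, stdout, stderr = ssh.exec_command('/usr/sbin/tcpdump -s 1515 -nn -r %s -w %s %s' % (
                quote(pcapFile), quote(absTempPath), bpf))
            error = stderr.read()
            stdout.read()

            if 'tcpdump: syntax error' in error:
                log.error("Error: Invalid BPF, '%s'" % event._pcapBPF)
                log.debug('msg="invalid bpf" bpf="%s"' % event._pcapBPF)
                raise ValueError("Invalid BPF filter: '%s'" % event._pcapBPF)

            # An empty result is left in place; the next file reuses the same
            # index and overwrites it.
            if pcapNotEmpty(ssh, absTempPath):
                i += 1
                absTempPaths.append(absTempPath)

        stdWriteFlush('\n')

        if absTempPaths:
            concatPCAPs(ssh, tmpPath, sensor, absTempPaths)
            print('Transferring PCAP from %s...\n' % sensor)
            dstPCAP = '%s.%s.pcap' % (event._baseFilePath, sensor)
            # Drain scp's output so the transfer has completed before the
            # local path is handed to the rest of the pipeline.
            runBash('scp %s %s' % (quote('%s:%sconcatenated' % (server, tmpPath)), quote(dstPCAP))).read()
            event.pcaps.append(dstPCAP)

        # The glob stays outside the quotes so it is still expanded remotely.
        ssh.exec_command('rm %s*' % quote(tmpPath))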
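def _safeExtractName(name):
    """Reduce a filename recorded in Bro's files.log to one safe path component.

    The name presumably comes out of the captured traffic (protocol
    metadata), so it is untrusted: drop any directory part, replace every
    character outside a conservative allowlist with '_' and strip leading /
    trailing dots so that '..' cannot survive. Returns None when nothing
    usable is left.
    """
    import string
    allowed = set(string.ascii_letters + string.digits + '._-')
    base = os.path.basename(name.replace('\\', '/'))
    cleaned = ''.join(c if c in allowed else '_' for c in base)
    return cleaned.strip('.') or None


def _relocateExtracts(extractDir, filesPath, extractBase):
    """Move every carved file out of ``extractDir`` and return the new paths.

    ``filesPath`` is the renamed files.log (None when Bro did not write one).
    The row mentioning the carved file's name supplies the original filename
    from index 9 -- tied to the files.log column layout of the Bro version in
    use; confirm if Bro is upgraded -- which is sanitised before it becomes
    part of ``<extractBase>.<filename>.<carvedName>``. Without a usable
    filename the carved name alone is used, as before.
    """
    rows = []
    if filesPath is not None:
        with open(filesPath) as fh:
            rows = fh.read().splitlines()

    moved = []
    for extractName in os.listdir(extractDir):
        extract = os.path.join(extractDir, extractName)
        # The original indexed [0] on the match list and raised IndexError
        # when no row mentioned the carved file.
        row = next((r for r in rows if extractName in r), None)
        fields = row.split('\t') if row is not None else []
        filename = fields[9] if len(fields) > 9 else '-'
        safeName = _safeExtractName(filename) if filename != '-' else None
        if safeName:
            newName = '.'.join([extractBase, safeName, extractName])
        else:
            newName = '.'.join([extractBase, extractName])
        os.rename(extract, newName)
        print('Bro Extracted: %s' % newName)
        moved.append(newName)
    return moved


def execute(event):
    """Run Bro's extract script over every PCAP in ``event.pcaps``.

    Per PCAP, Bro runs inside a fresh temp directory next to the capture;
    each ``*.log`` it writes is renamed to ``<pcapbase>.bro.<log>`` and pushed
    to Splunk, and anything Bro carved into ``extract_files`` is moved under
    ``<dir>/bin/<pcapbase>.<filename>.<carvedName>``. Afterwards
    ``extracted_files`` is set on the event (None when nothing was carved) and
    the working directory is left at the last PCAP's directory.

    Args:
        event: case object providing ``pcaps``, ``_resourcesPath`` and
            ``_splunk``; receives the ``extracted_files`` attribute.
    """
    import shutil
    try:
        from shlex import quote  # Python 3.3+
    except ImportError:
        from pipes import quote  # Python 2

    if not os.path.exists(confVars.broPath):
        log.error('Bro does not exist check installation and [%s] in sources.conf' % __name__)
        log.debug('msg="configured bro path invalid" path="%s"' % confVars.broPath)
        return

    extractScript = '%s/bro/extract.bro' % (event._resourcesPath)
    if not os.path.exists(extractScript):
        log.error('Bro extract script does not exist check CIRTA resources directory')
        log.debug('msg="bro extract resource path invalid" path="%s"' % extractScript)
        return

    extracted = []
    outDir = None

    for pcap in event.pcaps:
        outDir = os.path.dirname(os.path.abspath(pcap))
        pcapStem = '.'.join(os.path.basename(pcap).split('.')[:-1])

        try:
            tempPath = tempfile.mkdtemp(dir=outDir)
        except OSError:
            log.warning("Warning: problem creating temporary directory at '%s'. Skipping..." % outDir)
            log.debug('msg="unable to create temp pcap directory" path="%s" result="skipping"' % outDir)
            # The message promises to skip this PCAP; the old 'break' abandoned all remaining ones.
            continue

        printStatusMsg(os.path.basename(pcap), length=20, char='-', color=colors.HEADER2)

        # Bro writes its logs (and extract_files/) into the current directory.
        os.chdir(tempPath)

        pcapBase = "%s/%s" % (outDir, pcapStem)

        runBash("%s -r %s %s" % (quote(confVars.broPath), quote(pcap), quote(extractScript)))

        # The loop variable must not be called 'log': the original did, which
        # made the logger a local name and turned every log.* call in this
        # function into an UnboundLocalError.
        filesPath = None
        for broLog in [os.path.join(tempPath, x) for x in os.listdir(tempPath) if '.log' in x]:
            dest = '.'.join([pcapBase, 'bro', os.path.basename(broLog)])
            os.rename(broLog, dest)
            if 'files.log' in dest:
                filesPath = dest
            print('Bro Generated: %s' % dest)
            event._splunk.push(sourcetype="brospect_" + dest.split('.')[-2], filename=dest, exclusionRegex='^#')

        extractDir = os.path.join(tempPath, 'extract_files')
        if os.path.exists(extractDir):
            print('')
            extractBase = os.sep.join([outDir, 'bin', pcapStem])
            extracted.extend(_relocateExtracts(extractDir, filesPath, extractBase))

        # Step out of the temp directory before removing it.
        os.chdir(outDir)
        shutil.rmtree(tempPath, ignore_errors=True)

    if not extracted:
        extracted = None

    event.setAttribute('extracted_files', extracted)

    # The original referenced outDir unconditionally and raised NameError
    # when event.pcaps was empty.
    if outDir is not None:
        os.chdir(outDir)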
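def refreshForwardZone(fzPath, nameServer, domain):
    """Pull ``domain`` from ``nameServer`` by zone transfer (AXFR) into ``fzPath``.

    Args:
        fzPath: local file receiving dig's output. The shell redirect
            truncates it before dig runs, so a refused or failed transfer
            leaves dig's diagnostic text in place of the previous zone copy;
            dig's exit status is not checked here.
        nameServer: server to query (placed after ``@``).
        domain: zone name to transfer.
    """
    try:
        from shlex import quote  # Python 3.3+
    except ImportError:
        from pipes import quote  # Python 2

    # All three values reach a shell, so each is quoted as a single word.
    runBash('dig @%s -t AXFR %s > %s' % (quote(nameServer), quote(domain), quote(fzPath)))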