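def run(self):
    """Run the Tor exit-node enrichment module.

    Re-fetches the Tor exit-node list when the cached copy is older than
    ``self.cache`` seconds, otherwise reads the cached list back from
    Elasticsearch, then enriches matching traffic with it.

    Returns:
        The result dict from ``get_initial_alarm_result()`` with ``info`` and
        ``hits`` filled in, plus ``error`` (a formatted traceback) when the
        run failed part-way.
    """
    import traceback  # local: only needed on the failure path

    ret = get_initial_alarm_result()
    ret['info'] = info
    try:
        # Naive UTC timestamp: get_last_sync() must return a naive datetime
        # as well, otherwise the `<` below raises TypeError.
        # NOTE(review): confirm get_last_sync() never yields tz-aware values.
        now = datetime.datetime.utcnow()
        last_sync = self.get_last_sync()
        cache_ttl = datetime.timedelta(seconds=self.cache)
        should_sync = last_sync < now - cache_ttl
        if should_sync:
            self.logger.info('Tor cache expired, fetching latest exit nodes list. Will skip enrichment (will be run next time)')
            # NOTE(review): despite the message above, enrichment still runs
            # below whenever sync_tor_exitnodes() returns a non-empty list.
            iplist = self.sync_tor_exitnodes()
        else:
            iplist = self.get_es_tor_exitnodes()
        if iplist:
            hits = self.enrich_tor(iplist)
            ret['hits']['hits'] = hits
            ret['hits']['total'] = len(hits)
    except Exception as error:  # pylint: disable=broad-except
        # Record the failure in the result instead of letting it escape, so a
        # transient fetch/ES error does not abort the module (mirrors the
        # sibling modules' convention). The full traceback is handed back to
        # the caller; it can expose internal paths and exception text, so the
        # result should only ever reach operators.
        ret['error'] = traceback.format_exc()
        self.logger.exception(error)
    self.logger.info('finished running module. result: %s hits', ret['hits']['total'])
    return ret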
def run(self):
    """Run the Tor exit-node enrichment module.

    When the cached exit-node list is older than ``self.cache`` seconds it is
    re-fetched via ``sync_tor_exitnodes()``; otherwise the cached copy is read
    back from Elasticsearch. Any non-empty list is then used to enrich traffic.

    Returns:
        The result dict from ``get_initial_alarm_result()`` with ``info`` and
        ``hits`` filled in; ``error`` holds a formatted traceback if the run
        raised. Exceptions are swallowed after being logged.
    """
    ret = get_initial_alarm_result()
    ret['info'] = info
    try:
        # Naive UTC arithmetic throughout; get_last_sync() is assumed to
        # return a naive datetime as well — NOTE(review): confirm.
        cache_ttl = datetime.timedelta(seconds=self.cache)
        expired_before = datetime.datetime.utcnow() - cache_ttl
        cache_expired = self.get_last_sync() < expired_before
        if cache_expired:
            self.logger.info(
                'Tor cache expired, fetching latest exit nodes list. Will skip enrichment (will be run next time)'
            )
            # NOTE(review): enrichment below still runs if the freshly
            # synced list is non-empty, contrary to the message wording.
            exit_nodes = self.sync_tor_exitnodes()
        else:
            exit_nodes = self.get_es_tor_exitnodes()
        if exit_nodes:
            enriched = self.enrich_tor(exit_nodes)
            ret['hits']['hits'] = enriched
            ret['hits']['total'] = len(enriched)
    except Exception as error:  # pylint: disable=broad-except
        # Full traceback goes into the result; treat it as operator-only data.
        ret['error'] = traceback.format_exc()
        self.logger.exception(error)
    self.logger.info('finished running module. result: %s hits', ret['hits']['total'])
    return ret
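def run(self):
    """Run the IP-list enrichment module.

    Matches redirector traffic against the configured IP lists (Tor is
    handled by a separate module) and returns the untagged documents so the
    caller can tag them.

    Returns:
        The result dict from ``get_initial_alarm_result()`` with ``info`` and
        ``hits`` filled in; ``error`` holds a formatted traceback if the run
        raised. Exceptions are swallowed after being logged.
    """
    ret = get_initial_alarm_result()
    ret['info'] = info
    try:
        self.now = datetime.datetime.utcnow()
        # 1. Collect all IPs from the configured IP lists (except tor).
        ip_lists = self.get_iplists()
        # Lazy %-args instead of eager `%`: the list is only rendered when
        # INFO is enabled, and a tuple/dict return value cannot break the
        # format call.
        self.logger.info('IP Lists: %s', ip_lists)
        # 2. Fetch the redirtraffic entries not yet tagged enrich_iplist.
        redirtraffic = self.get_redirtraffic()
        # 3. Match the lists against redirtraffic and update the matches.
        # NOTE(review): update_traffic() is not handed `redirtraffic`; it is
        # presumably re-querying the same documents — confirm.
        res = self.update_traffic(ip_lists)
        # 4. Hand back the untagged documents so the caller can tag them.
        ret['hits']['hits'] = redirtraffic
        ret['hits']['total'] = res
    except Exception as error:  # pylint: disable=broad-except
        # Full traceback is returned to the caller; operator-only data.
        ret['error'] = traceback.format_exc()
        self.logger.exception(error)
    self.logger.info('finished running module. result: %s hits', ret['hits']['total'])
    return ret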
def run(self):
    """Run the GreyNoise enrichment module.

    Delegates all work to ``enrich_greynoise()`` and packages its hits into
    the standard result dict. No exception handling is done here; errors
    propagate to the caller.

    Returns:
        The result dict from ``get_initial_alarm_result()`` with ``info`` and
        ``hits`` filled in.
    """
    ret = get_initial_alarm_result()
    ret['info'] = info
    enriched = self.enrich_greynoise()
    ret['hits'].update(hits=enriched, total=len(enriched))
    self.logger.info('finished running module. result: %s hits', ret['hits']['total'])
    return ret
def run(self):
    """Run the alarm module.

    Declares the fields and group-by key the caller should use when
    presenting hits, then delegates detection to ``alarm_check()``. No
    exception handling is done here; errors propagate to the caller.

    Returns:
        The result dict from ``get_initial_alarm_result()`` with ``info``,
        ``fields``, ``groupby`` and ``hits`` filled in.
    """
    ret = get_initial_alarm_result()
    ret['info'] = info
    ret['fields'] = [
        'source.ip',
        'source.cdn.ip',
        'source.geo.country_name',
        'source.as.organization.name',
        'redir.frontend.name',
        'redir.backend.name',
        'infra.attack_scenario',
        'tags',
        'redir.timestamp',
    ]
    ret['groupby'] = ['source.ip']
    matched = self.alarm_check()['hits']
    ret['hits']['hits'] = matched
    ret['hits']['total'] = len(matched)
    self.logger.info('finished running module. result: %s hits', ret['hits']['total'])
    return ret
def run(self):
    """Run the alarm module.

    Hits are grouped by source IP and user agent; the listed fields are
    what the caller should show for each hit. Detection itself is done by
    ``alarm_check()``. Errors propagate to the caller.

    Returns:
        The result dict from ``get_initial_alarm_result()`` with ``info``,
        ``fields``, ``groupby`` and ``hits`` filled in.
    """
    ret = get_initial_alarm_result()
    ret['info'] = info
    ret['fields'] = [
        '@timestamp',
        'source.ip',
        'http.headers.useragent',
        'source.cdn.ip',
        'redir.frontend.name',
        'redir.backend.name',
        'infra.attack_scenario',
    ]
    ret['groupby'] = ['source.ip', 'http.headers.useragent']
    matched = self.alarm_check()['hits']
    ret['hits']['hits'] = matched
    ret['hits']['total'] = len(matched)
    self.logger.info('finished running module. result: %s hits', ret['hits']['total'])
    return ret
def run(self):
    """Run the file-hash alarm module.

    Hits are grouped by MD5 file hash. Besides the hits, ``alarm_check()``
    returns per-document mutations which are passed through under
    ``mutations``. Errors propagate to the caller.

    Returns:
        The result dict from ``get_initial_alarm_result()`` with ``info``,
        ``fields``, ``groupby``, ``hits`` and ``mutations`` filled in.
    """
    ret = get_initial_alarm_result()
    ret['info'] = info
    ret['fields'] = [
        'agent.hostname',
        '@timestamp',
        'host.name',
        'user.name',
        'ioc.type',
        'file.name',
        'file.hash.md5',
        'c2.message',
        'alarm.alarm_filehash',
    ]
    ret['groupby'] = ['file.hash.md5']
    report = self.alarm_check()
    matched = report['hits']
    ret['hits']['hits'] = matched
    ret['mutations'] = report['mutations']
    ret['hits']['total'] = len(matched)
    self.logger.info('finished running module. result: %s hits', ret['hits']['total'])
    return ret
def run(self):
    """Run the IP-list sync module.

    Syncs every list in ``self.iplists`` via ``sync_iplist()``. This module
    produces no hits of its own, so the result always reports zero. A
    failure in one list aborts the remaining ones and propagates.

    Returns:
        The result dict from ``get_initial_alarm_result()`` with ``info``
        set and an empty ``hits`` section.
    """
    ret = get_initial_alarm_result()
    ret['info'] = info
    for iplist in self.iplists:
        self.sync_iplist(iplist)
    # Sync-only module: nothing to report back as hits.
    ret['hits']['hits'] = []
    ret['hits']['total'] = 0
    self.logger.info('finished running module. result: %s hits', ret['hits']['total'])
    return ret
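def run(self):
    """Run the beacon-data enrichment module.

    Delegates to ``enrich_beacon_data()`` and packages its hits into the
    standard result dict.

    Returns:
        The result dict from ``get_initial_alarm_result()`` with ``info`` and
        ``hits`` filled in; ``error`` holds a formatted traceback if the run
        raised. Exceptions are swallowed after being logged.
    """
    ret = get_initial_alarm_result()
    ret['info'] = info
    try:
        hits = self.enrich_beacon_data()
        ret['hits']['hits'] = hits
        ret['hits']['total'] = len(hits)
    except Exception as error:  # pylint: disable=broad-except
        # Full traceback is returned to the caller; operator-only data.
        ret['error'] = traceback.format_exc()
        self.logger.exception(error)
    # Lazy %-args: message is only rendered when INFO is enabled.
    self.logger.info('finished running module. result: %s hits', ret['hits']['total'])
    return ret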
def run(self):
    """Run the beacon-data enrichment module.

    All work happens in ``enrich_beacon_data()``; this wrapper only fills
    the standard result dict and records any failure in it.

    Returns:
        The result dict from ``get_initial_alarm_result()`` with ``info`` and
        ``hits`` filled in; ``error`` holds a formatted traceback if the run
        raised. Exceptions are swallowed after being logged.
    """
    ret = get_initial_alarm_result()
    ret['info'] = info
    try:
        enriched = self.enrich_beacon_data()
    except Exception as error:  # pylint: disable=broad-except
        # Full traceback is returned to the caller; operator-only data.
        ret['error'] = traceback.format_exc()
        self.logger.exception(error)
    else:
        ret['hits']['hits'] = enriched
        ret['hits']['total'] = len(enriched)
    self.logger.info('finished running module. result: %s hits', ret['hits']['total'])
    return ret
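def run(self):
    """Run the alarm module.

    Declares the fields and group-by key the caller should use when
    presenting hits, then delegates detection to ``alarm_check()``.

    Returns:
        The result dict from ``get_initial_alarm_result()`` with ``info``,
        ``fields``, ``groupby`` and ``hits`` filled in; ``error`` holds a
        formatted traceback if the run raised. Exceptions are swallowed
        after being logged.
    """
    ret = get_initial_alarm_result()
    ret['info'] = info
    ret['fields'] = [
        'source.ip',
        'source.nat.ip',
        'source.geo.country_name',
        'source.as.organization.name',
        'redir.frontend.name',
        'redir.backend.name',
        'infra.attack_scenario',
        'tags',
        'redir.timestamp',
    ]
    ret['groupby'] = ['source.ip']
    try:
        report = self.alarm_check()
        ret['hits']['hits'] = report['hits']
        ret['hits']['total'] = len(report['hits'])
    except Exception as error:  # pylint: disable=broad-except
        # Full traceback is returned to the caller; operator-only data.
        ret['error'] = traceback.format_exc()
        self.logger.exception(error)
    # Lazy %-args: message is only rendered when INFO is enabled.
    self.logger.info('finished running module. result: %s hits', ret['hits']['total'])
    return ret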
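def run(self):
    """Run the IP-list sync module.

    Syncs every list in ``self.iplists`` via ``sync_iplist()``. This module
    produces no hits of its own, so the result always reports zero.

    Returns:
        The result dict from ``get_initial_alarm_result()`` with ``info``
        set and an empty ``hits`` section; ``error`` holds a formatted
        traceback if a sync raised. Exceptions are swallowed after being
        logged.
    """
    ret = get_initial_alarm_result()
    ret['info'] = info
    try:
        # A failure in one list aborts the remaining lists; only the last
        # traceback is kept in ret['error'].
        for iplist in self.iplists:
            self.sync_iplist(iplist)
        # Sync-only module: nothing to report back as hits.
        ret['hits']['hits'] = []
        ret['hits']['total'] = 0
    except Exception as error:  # pylint: disable=broad-except
        # Full traceback is returned to the caller; operator-only data.
        ret['error'] = traceback.format_exc()
        self.logger.exception(error)
    # Lazy %-args: message is only rendered when INFO is enabled.
    self.logger.info('finished running module. result: %s hits', ret['hits']['total'])
    return ret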
def run(self):
    """Run the IP-list sync module.

    Calls ``sync_iplist()`` for each entry of ``self.iplists``. The module
    yields no hits, so the result's hit count is always zero.

    Returns:
        The result dict from ``get_initial_alarm_result()`` with ``info``
        set and an empty ``hits`` section; ``error`` holds a formatted
        traceback if a sync raised. Exceptions are swallowed after being
        logged.
    """
    ret = get_initial_alarm_result()
    ret['info'] = info
    try:
        # One failing list stops the loop; later lists are not synced.
        for entry in self.iplists:
            self.sync_iplist(entry)
    except Exception as error:  # pylint: disable=broad-except
        # Full traceback is returned to the caller; operator-only data.
        ret['error'] = traceback.format_exc()
        self.logger.exception(error)
    else:
        # Sync-only module: nothing to report back as hits.
        ret['hits']['hits'] = []
        ret['hits']['total'] = 0
    self.logger.info('finished running module. result: %s hits', ret['hits']['total'])
    return ret
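def run(self):
    """Run the dummy alarm module.

    Test module: every document yielded by ``alarm_dummy()`` becomes a hit,
    and a fixed mutation is attached under its ``_id``. No exception
    handling; errors propagate to the caller.

    Returns:
        The result dict from ``get_initial_alarm_result()`` with ``info``,
        ``fields``, ``groupby``, ``hits`` and ``mutations`` filled in.
    """
    ret = get_initial_alarm_result()
    ret['info'] = info
    ret['fields'] = [
        'agent.hostname',
        '@timestamp',
        'host.name',
        'user.name',
        'ioc.type',
        'file.name',
        'file.hash.md5',
        'ioc.domain',
        'c2.message',
        'alarm.alarm_filehash',
    ]
    ret['groupby'] = []
    self.logger.debug('Running dummy alarm')
    # NOTE(review): relies on get_initial_alarm_result() providing a
    # 'mutations' dict and hits.total starting at 0 — confirm.
    for doc in self.alarm_dummy():
        ret['hits']['hits'].append(doc)
        ret['mutations'][doc['_id']] = {'test': 'extra_data'}
        ret['hits']['total'] += 1
    # Lazy %-args: rendered only when the level is enabled. The debug line
    # dumps the full result, including every hit document.
    self.logger.info('finished running module. result: %s hits', ret['hits']['total'])
    self.logger.debug('%s', ret)
    return ret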
def run(self):
    """Run the alarm module.

    Hits are grouped by source IP and user agent; the listed fields are
    what the caller should show for each hit. Detection is done by
    ``alarm_check()``.

    Returns:
        The result dict from ``get_initial_alarm_result()`` with ``info``,
        ``fields``, ``groupby`` and ``hits`` filled in; ``error`` holds a
        formatted traceback if the run raised. Exceptions are swallowed
        after being logged.
    """
    ret = get_initial_alarm_result()
    ret['info'] = info
    ret['fields'] = [
        '@timestamp',
        'source.ip',
        'http.headers.useragent',
        'source.nat.ip',
        'redir.frontend.name',
        'redir.backend.name',
        'infra.attack_scenario',
    ]
    ret['groupby'] = ['source.ip', 'http.headers.useragent']
    try:
        matched = self.alarm_check()['hits']
    except Exception as error:  # pylint: disable=broad-except
        # Full traceback is returned to the caller; operator-only data.
        ret['error'] = traceback.format_exc()
        self.logger.exception(error)
    else:
        ret['hits']['hits'] = matched
        ret['hits']['total'] = len(matched)
    self.logger.info('finished running module. result: %s hits', ret['hits']['total'])
    return ret
def run(self):
    """Run the file-hash alarm module.

    Hits are grouped by MD5 file hash; ``alarm_check()`` also returns
    per-document mutations which are passed through under ``mutations``.

    Returns:
        The result dict from ``get_initial_alarm_result()`` with ``info``,
        ``fields``, ``groupby``, ``hits`` and ``mutations`` filled in.

    Raises:
        Exception: whatever ``alarm_check()`` raised. Unlike the sibling
        modules the error is logged and then re-raised, so the
        ``ret['error']`` assignment never reaches a caller.
    """
    ret = get_initial_alarm_result()
    ret['info'] = info
    ret['fields'] = [
        'agent.hostname',
        '@timestamp',
        'host.name',
        'user.name',
        'ioc.type',
        'file.name',
        'file.hash.md5',
        'c2.message',
        'alarm.alarm_filehash',
    ]
    ret['groupby'] = ['file.hash.md5']
    try:
        report = self.alarm_check()
    except Exception as error:  # pylint: disable=broad-except
        # NOTE(review): kept as-is — re-raising means the caller, not this
        # module, decides what happens on failure; confirm that is intended.
        ret['error'] = traceback.format_exc()
        self.logger.exception(error)
        raise
    matched = report['hits']
    ret['hits']['hits'] = matched
    ret['mutations'] = report['mutations']
    ret['hits']['total'] = len(matched)
    self.logger.info('finished running module. result: %s hits', ret['hits']['total'])
    return ret
def run(self):
    """Run the alarm module.

    Looks up the IPs that already raised an alarm and hands them to
    ``alarm_check()``, which returns the list of new hits directly.
    Hits are grouped by source IP.

    Returns:
        The result dict from ``get_initial_alarm_result()`` with ``info``,
        ``fields``, ``groupby`` and ``hits`` filled in; ``error`` holds a
        formatted traceback if the run raised. Exceptions are swallowed
        after being logged.
    """
    ret = get_initial_alarm_result()
    ret['info'] = info
    ret['fields'] = [
        'agent.hostname',
        'source.ip',
        'source.nat.ip',
        'source.geo.country_name',
        'source.as.organization.name',
        'redir.frontend.name',
        'redir.backend.name',
        'infra.attack_scenario',
        'tags',
        'redir.timestamp',
    ]
    ret['groupby'] = ['source.ip']
    try:
        already_alarmed = self.get_alarmed_ips()
        new_hits = self.alarm_check(already_alarmed)
    except Exception as error:  # pylint: disable=broad-except
        # Full traceback is returned to the caller; operator-only data.
        ret['error'] = traceback.format_exc()
        self.logger.exception(error)
    else:
        ret['hits']['hits'] = new_hits
        ret['hits']['total'] = len(new_hits)
    self.logger.info('finished running module. result: %s hits', ret['hits']['total'])
    return ret
def run(self):
    """Run the IP-list enrichment module.

    Matches redirector traffic against the configured IP lists (Tor is
    handled by a separate module) and returns the untagged documents so
    the caller can tag them. No exception handling; errors propagate.

    Returns:
        The result dict from ``get_initial_alarm_result()`` with ``info``
        and ``hits`` filled in.
    """
    ret = get_initial_alarm_result()
    ret['info'] = info
    self.now = datetime.datetime.utcnow()
    # Step 1: every IP from the configured lists (except tor).
    ip_lists = self.get_iplists()
    self.logger.debug('IP Lists: %s', ip_lists)
    # Step 2: redirtraffic documents that lack the enrich_iplist tag.
    untagged = self.get_redirtraffic()
    # Step 3: apply the lists to redirtraffic.
    # NOTE(review): update_traffic() is not given `untagged`; presumably it
    # re-queries the same documents itself — confirm.
    matched_count = self.update_traffic(ip_lists)
    # Step 4: return the untagged documents so they can be tagged.
    ret['hits'].update(hits=untagged, total=matched_count)
    self.logger.info('finished running module. result: %s hits', ret['hits']['total'])
    return ret