    def run(self):
        """Run the module.

        Compares the last Tor sync time against ``now - self.cache`` seconds.
        If the cache is older than that it is re-synced, otherwise the stored
        exit-node list is read back; whatever list results is then used for
        enrichment. No exception handling is done here, so errors propagate.

        Returns:
            The alarm-result dict from ``get_initial_alarm_result()`` with
            ``info`` set and, when a non-empty list was available, ``hits``
            filled with the enriched entries and their count.
        """
        result = get_initial_alarm_result()
        result['info'] = info

        # Cache expiry check. NOTE(review): utcnow() is naive; get_last_sync()
        # presumably returns a naive UTC datetime too — confirm, since a
        # naive/aware mix makes the comparison below raise TypeError.
        stale_before = datetime.datetime.utcnow() - datetime.timedelta(seconds=self.cache)
        cache_expired = self.get_last_sync() < stale_before

        if cache_expired:
            # NOTE(review): the message says enrichment is skipped, but the list
            # returned by sync_tor_exitnodes() is still enriched below when it is
            # non-empty — confirm it returns an empty list on a fresh sync.
            self.logger.info('Tor cache expired, fetching latest exit nodes list. Will skip enrichment (will be run next time)')
            exit_nodes = self.sync_tor_exitnodes()
        else:
            exit_nodes = self.get_es_tor_exitnodes()

        if exit_nodes:
            enriched = self.enrich_tor(exit_nodes)
            result['hits']['hits'] = enriched
            result['hits']['total'] = len(enriched)

        self.logger.info('finished running module. result: %s hits', result['hits']['total'])
        return result
    def run(self):
        """Run the module.

        Re-syncs the Tor exit-node list when the last sync is older than
        ``self.cache`` seconds, otherwise reads the stored list, and enriches
        with whichever list results. Any exception is caught, logged with its
        traceback and recorded in the result instead of being propagated.

        Returns:
            The alarm-result dict from ``get_initial_alarm_result()`` with
            ``info`` set, ``hits`` filled when a non-empty list was available,
            and ``error`` holding the traceback when something raised.
        """
        result = get_initial_alarm_result()
        result['info'] = info

        try:
            # Cache expiry check. NOTE(review): utcnow() is naive; get_last_sync()
            # presumably returns a naive UTC datetime too — confirm.
            stale_before = datetime.datetime.utcnow() - datetime.timedelta(seconds=self.cache)
            cache_expired = self.get_last_sync() < stale_before

            if cache_expired:
                self.logger.info(
                    'Tor cache expired, fetching latest exit nodes list. Will skip enrichment (will be run next time)'
                )
                exit_nodes = self.sync_tor_exitnodes()
            else:
                exit_nodes = self.get_es_tor_exitnodes()

            if exit_nodes:
                enriched = self.enrich_tor(exit_nodes)
                result['hits']['hits'] = enriched
                result['hits']['total'] = len(enriched)
        except Exception as error:  # pylint: disable=broad-except
            # Best-effort module: the full traceback travels with the result.
            # NOTE(review): confirm the consumer of this dict does not surface
            # the traceback (internal paths, config values) anywhere user-facing.
            result['error'] = traceback.format_exc()
            self.logger.exception(error)

        self.logger.info('finished running module. result: %s hits',
                         result['hits']['total'])
        return result
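    def run(self):
        """Run the enrich module.

        Steps: load the non-Tor IP lists, fetch the redirtraffic entries that
        are not yet tagged, update the traffic that matches the lists, and
        return the fetched entries as hits with the update count as total.
        Any exception is caught, logged with its traceback and recorded in
        ``ret['error']`` rather than propagated.

        Returns:
            The alarm-result dict from ``get_initial_alarm_result()``.
        """
        ret = get_initial_alarm_result()
        ret['info'] = info

        try:
            # Naive UTC timestamp; kept naive so it stays comparable with the
            # other naive timestamps this module uses (utcnow() is deprecated
            # since Python 3.12 — migrate all of them together).
            self.now = datetime.datetime.utcnow()

            # 1. get all IPs from the different IP lists (except tor)
            ip_lists = self.get_iplists()
            # Lazy %-args: the (possibly large) list is only rendered when INFO is enabled.
            self.logger.info('IP Lists: %s', ip_lists)

            # 2. Get all entries in redirtraffic that have not the enrich_iplist tag
            redirtraffic = self.get_redirtraffic()

            # 3. loop through each result and find all IPs that matches in redirtraffic
            # NOTE(review): update_traffic() receives only ip_lists, not redirtraffic;
            # presumably it re-queries or relies on state set by get_redirtraffic() — confirm.
            res = self.update_traffic(ip_lists)

            # 4. Return all hits so they can be tagged
            # NOTE(review): 'hits' is the fetched list while 'total' is whatever
            # update_traffic() returned, so the two may not agree — confirm intent.
            ret['hits']['hits'] = redirtraffic
            ret['hits']['total'] = res
        except Exception as e:  # pylint: disable=broad-except
            # Best-effort module: keep the traceback in the result instead of failing the run.
            ret['error'] = traceback.format_exc()
            self.logger.exception(e)
        self.logger.info('finished running module. result: %s hits',
                         ret['hits']['total'])
        return ret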
 def run(self):
     """Run the enrich module.

     Delegates to ``enrich_greynoise()`` and reports whatever it returns as
     the hits. No exception handling is done here, so errors propagate to
     the caller.

     Returns:
         The alarm-result dict from ``get_initial_alarm_result()`` with
         ``info`` and ``hits`` (entries plus their count) populated.
     """
     result = get_initial_alarm_result()
     result['info'] = info
     enriched = self.enrich_greynoise()
     hits_block = result['hits']
     hits_block['hits'] = enriched
     hits_block['total'] = len(enriched)
     self.logger.info('finished running module. result: %s hits', result['hits']['total'])
     return result
 def run(self):
     """Run the alarm module.

     Sets the presentation metadata (``fields`` to display and ``groupby``
     key) on the result and fills ``hits`` from ``alarm_check()``. Errors
     are not caught here and propagate to the caller.

     Returns:
         The alarm-result dict with ``info``, ``fields``, ``groupby`` and
         ``hits`` populated.
     """
     result = get_initial_alarm_result()
     result['info'] = info
     result['fields'] = [
         'source.ip', 'source.cdn.ip', 'source.geo.country_name',
         'source.as.organization.name', 'redir.frontend.name',
         'redir.backend.name', 'infra.attack_scenario', 'tags',
         'redir.timestamp',
     ]
     result['groupby'] = ['source.ip']
     report = self.alarm_check()
     found = report['hits']
     result['hits']['hits'] = found
     result['hits']['total'] = len(found)
     self.logger.info('finished running module. result: %s hits', result['hits']['total'])
     return result
 def run(self):
     """Run the alarm module.

     Sets the presentation metadata (``fields`` to display and the two
     ``groupby`` keys) on the result and fills ``hits`` from
     ``alarm_check()``. Errors are not caught here and propagate.

     Returns:
         The alarm-result dict with ``info``, ``fields``, ``groupby`` and
         ``hits`` populated.
     """
     result = get_initial_alarm_result()
     result['info'] = info
     result['fields'] = [
         '@timestamp', 'source.ip', 'http.headers.useragent',
         'source.cdn.ip', 'redir.frontend.name', 'redir.backend.name',
         'infra.attack_scenario',
     ]
     result['groupby'] = ['source.ip', 'http.headers.useragent']
     report = self.alarm_check()
     found = report['hits']
     result['hits']['hits'] = found
     result['hits']['total'] = len(found)
     self.logger.info('finished running module. result: %s hits', result['hits']['total'])
     return result
 def run(self):
     """Run the alarm module.

     Sets the presentation metadata on the result, then copies both the
     hits and the mutations produced by ``alarm_check()`` into it. Errors
     are not caught here and propagate to the caller.

     Returns:
         The alarm-result dict with ``info``, ``fields``, ``groupby``,
         ``hits`` and ``mutations`` populated.
     """
     result = get_initial_alarm_result()
     result['info'] = info
     result['fields'] = [
         'agent.hostname', '@timestamp', 'host.name', 'user.name',
         'ioc.type', 'file.name', 'file.hash.md5', 'c2.message',
         'alarm.alarm_filehash',
     ]
     result['groupby'] = ['file.hash.md5']
     report = self.alarm_check()
     found = report['hits']
     result['hits']['hits'] = found
     result['mutations'] = report['mutations']
     result['hits']['total'] = len(found)
     self.logger.info('finished running module. result: %s hits', result['hits']['total'])
     return result
    def run(self):
        """Run the module.

        Synchronises every list in ``self.iplists`` via ``sync_iplist()``.
        This is a sync-only module: nothing is collected, so ``hits`` is
        always an empty list and ``total`` is always 0. Errors from the sync
        are not caught here.

        Returns:
            The alarm-result dict with ``info`` set and empty ``hits``.
        """
        result = get_initial_alarm_result()
        result['info'] = info

        for source in self.iplists:
            self.sync_iplist(source)

        # Nothing is produced by the sync loop; report an empty hit set.
        synced_hits = []
        result['hits']['hits'] = synced_hits
        result['hits']['total'] = len(synced_hits)

        self.logger.info('finished running module. result: %s hits', result['hits']['total'])
        return result
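 def run(self):
     """Run the enrich module.

     Enriches beacon data via ``enrich_beacon_data()`` and reports the hits.
     Any exception is caught, logged with its traceback and recorded in
     ``ret['error']`` so the module returns a result instead of failing.

     Returns:
         The alarm-result dict with ``info`` and ``hits`` populated, plus
         ``error`` holding the traceback when the enrichment raised.
     """
     ret = get_initial_alarm_result()
     ret['info'] = info
     try:
         hits = self.enrich_beacon_data()
         ret['hits']['hits'] = hits
         ret['hits']['total'] = len(hits)
     except Exception as e:  # pylint: disable=broad-except
         # Best-effort module: keep the traceback in the result rather than propagate.
         ret['error'] = traceback.format_exc()
         self.logger.exception(e)
     # Lazy %-args so the message is only formatted when INFO is enabled.
     self.logger.info('finished running module. result: %s hits',
                      ret['hits']['total'])
     return ret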
 def run(self):
     """Run the enrich module.

     Enriches beacon data via ``enrich_beacon_data()`` and reports the
     resulting entries as hits. Any exception is caught, logged with its
     traceback and stored in the result instead of being propagated.

     Returns:
         The alarm-result dict with ``info`` and ``hits`` populated, plus
         ``error`` holding the traceback when the enrichment raised.
     """
     result = get_initial_alarm_result()
     result['info'] = info
     try:
         enriched = self.enrich_beacon_data()
         result['hits']['hits'] = enriched
         result['hits']['total'] = len(enriched)
     except Exception as error:  # pylint: disable=broad-except
         # Best-effort module: the traceback travels with the result.
         result['error'] = traceback.format_exc()
         self.logger.exception(error)
     self.logger.info('finished running module. result: %s hits', result['hits']['total'])
     return result
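 def run(self):
     """Run the alarm module.

     Sets the presentation metadata (``fields`` to display and ``groupby``
     key) on the result and fills ``hits`` from ``alarm_check()``. Any
     exception is caught, logged with its traceback and recorded in
     ``ret['error']`` rather than propagated.

     Returns:
         The alarm-result dict with ``info``, ``fields``, ``groupby`` and
         ``hits`` populated, plus ``error`` when the check raised.
     """
     ret = get_initial_alarm_result()
     ret['info'] = info
     ret['fields'] = [
         'source.ip', 'source.nat.ip', 'source.geo.country_name',
         'source.as.organization.name', 'redir.frontend.name',
         'redir.backend.name', 'infra.attack_scenario', 'tags',
         'redir.timestamp',
     ]
     ret['groupby'] = ['source.ip']
     try:
         report = self.alarm_check()
         ret['hits']['hits'] = report['hits']
         ret['hits']['total'] = len(report['hits'])
     except Exception as e:  # pylint: disable=broad-except
         # Best-effort module: keep the traceback in the result rather than propagate.
         ret['error'] = traceback.format_exc()
         self.logger.exception(e)
     # Lazy %-args so the message is only formatted when INFO is enabled.
     self.logger.info('finished running module. result: %s hits', ret['hits']['total'])
     return ret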
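 def run(self):
     """Run the module.

     Synchronises every list in ``self.iplists`` via ``sync_iplist()``. This
     is a sync-only module: nothing is collected, so ``hits`` is always an
     empty list and ``total`` is always 0. Any exception is caught, logged
     with its traceback and recorded in ``ret['error']`` rather than
     propagated.

     Returns:
         The alarm-result dict with ``info`` set and empty ``hits``, plus
         ``error`` when a sync raised.
     """
     ret = get_initial_alarm_result()
     ret['info'] = info
     try:
         # Nothing is produced by the sync loop; the hit set stays empty.
         hits = []
         for iplist in self.iplists:
             self.sync_iplist(iplist)
         ret['hits']['hits'] = hits
         ret['hits']['total'] = len(hits)
     except Exception as e:  # pylint: disable=broad-except
         # Best-effort module: keep the traceback in the result rather than propagate.
         ret['error'] = traceback.format_exc()
         self.logger.exception(e)
     # Lazy %-args so the message is only formatted when INFO is enabled.
     self.logger.info('finished running module. result: %s hits',
                      ret['hits']['total'])
     return ret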
    def run(self):
        """Run the module.

        Synchronises every list in ``self.iplists`` via ``sync_iplist()``.
        This is a sync-only module: nothing is collected, so ``hits`` is
        always an empty list and ``total`` is always 0. Any exception is
        caught, logged with its traceback and stored in the result instead
        of being propagated.

        Returns:
            The alarm-result dict with ``info`` set and empty ``hits``, plus
            ``error`` when a sync raised.
        """
        result = get_initial_alarm_result()
        result['info'] = info
        try:
            # Nothing is produced by the sync loop; the hit set stays empty.
            synced_hits = []
            for source in self.iplists:
                self.sync_iplist(source)
            result['hits']['hits'] = synced_hits
            result['hits']['total'] = len(synced_hits)
        except Exception as error:  # pylint: disable=broad-except
            # Best-effort module: the traceback travels with the result.
            result['error'] = traceback.format_exc()
            self.logger.exception(error)

        self.logger.info('finished running module. result: %s hits',
                         result['hits']['total'])
        return result
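    def run(self):
        """Run the dummy alarm module.

        Sets the presentation metadata, then appends every record yielded by
        ``alarm_dummy()`` to the hits, registers a placeholder mutation under
        the record's ``_id`` and bumps the total. Errors are not caught here.

        Returns:
            The alarm-result dict with ``info``, ``fields``, ``groupby``,
            ``hits`` and ``mutations`` populated.
        """
        ret = get_initial_alarm_result()
        ret['info'] = info
        ret['fields'] = [
            'agent.hostname', '@timestamp', 'host.name', 'user.name',
            'ioc.type', 'file.name', 'file.hash.md5', 'ioc.domain',
            'c2.message', 'alarm.alarm_filehash'
        ]
        ret['groupby'] = []
        self.logger.debug('Running dummy alarm')
        # NOTE(review): relies on the initial result already carrying a
        # 'mutations' dict and a 'hits' list with total 0 — confirm against
        # get_initial_alarm_result().
        for r in self.alarm_dummy():
            ret['hits']['hits'].append(r)
            ret['mutations'][r['_id']] = {'test': 'extra_data'}
            ret['hits']['total'] += 1

        # Lazy %-args so the message is only formatted when INFO is enabled.
        self.logger.info('finished running module. result: %s hits',
                         ret['hits']['total'])
        self.logger.debug(ret)
        return ret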
 def run(self):
     """Run the alarm module.

     Sets the presentation metadata (``fields`` to display and the two
     ``groupby`` keys) and fills ``hits`` from ``alarm_check()``. Any
     exception is caught, logged with its traceback and stored in the
     result instead of being propagated.

     Returns:
         The alarm-result dict with ``info``, ``fields``, ``groupby`` and
         ``hits`` populated, plus ``error`` when the check raised.
     """
     result = get_initial_alarm_result()
     result['info'] = info
     result['fields'] = [
         '@timestamp', 'source.ip', 'http.headers.useragent',
         'source.nat.ip', 'redir.frontend.name', 'redir.backend.name',
         'infra.attack_scenario',
     ]
     result['groupby'] = ['source.ip', 'http.headers.useragent']
     try:
         report = self.alarm_check()
         found = report['hits']
         result['hits']['hits'] = found
         result['hits']['total'] = len(found)
     except Exception as error:  # pylint: disable=broad-except
         # Best-effort module: the traceback travels with the result.
         result['error'] = traceback.format_exc()
         self.logger.exception(error)
     self.logger.info('finished running module. result: %s hits',
                      result['hits']['total'])
     return result
 def run(self):
     """Run the alarm module.

     Sets the presentation metadata, then copies both the hits and the
     mutations produced by ``alarm_check()`` into the result. An exception
     is logged with its traceback, stored in the result and then re-raised.

     Returns:
         The alarm-result dict with ``info``, ``fields``, ``groupby``,
         ``hits`` and ``mutations`` populated.

     Raises:
         Exception: whatever the check raised, after it has been logged.
     """
     result = get_initial_alarm_result()
     result['info'] = info
     result['fields'] = [
         'agent.hostname', '@timestamp', 'host.name', 'user.name',
         'ioc.type', 'file.name', 'file.hash.md5', 'c2.message',
         'alarm.alarm_filehash',
     ]
     result['groupby'] = ['file.hash.md5']
     try:
         report = self.alarm_check()
         found = report['hits']
         result['hits']['hits'] = found
         result['mutations'] = report['mutations']
         result['hits']['total'] = len(found)
     except Exception as error:  # pylint: disable=broad-except
         # NOTE(review): result['error'] is assigned and the exception is then
         # re-raised, so no caller ever receives this dict — confirm whether the
         # re-raise or the recorded error is the intended contract.
         result['error'] = traceback.format_exc()
         self.logger.exception(error)
         raise
     self.logger.info('finished running module. result: %s hits',
                      result['hits']['total'])
     return result
 def run(self):
     """Run the alarm module.

     Sets the presentation metadata, collects the already-alarmed IPs and
     passes them to ``alarm_check()``, whose return value is used directly
     as the list of hits. Any exception is caught, logged with its
     traceback and stored in the result instead of being propagated.

     Returns:
         The alarm-result dict with ``info``, ``fields``, ``groupby`` and
         ``hits`` populated, plus ``error`` when the check raised.
     """
     result = get_initial_alarm_result()
     result['info'] = info
     result['fields'] = [
         'agent.hostname', 'source.ip', 'source.nat.ip',
         'source.geo.country_name', 'source.as.organization.name',
         'redir.frontend.name', 'redir.backend.name',
         'infra.attack_scenario', 'tags', 'redir.timestamp',
     ]
     result['groupby'] = ['source.ip']
     try:
         # Previously alarmed IPs are handed to the check; presumably so they
         # are not reported again — confirm in alarm_check().
         already_alarmed = self.get_alarmed_ips()
         found = self.alarm_check(already_alarmed)
         result['hits']['hits'] = found
         result['hits']['total'] = len(found)
     except Exception as error:  # pylint: disable=broad-except
         # Best-effort module: the traceback travels with the result.
         result['error'] = traceback.format_exc()
         self.logger.exception(error)
     self.logger.info('finished running module. result: %s hits',
                      result['hits']['total'])
     return result
    def run(self):
        """Run the enrich module.

        Steps: record the current time, load the non-Tor IP lists, fetch the
        redirtraffic entries that are not yet tagged, update the traffic that
        matches the lists, and return the fetched entries as hits with the
        update count as total. Errors are not caught here and propagate.

        Returns:
            The alarm-result dict from ``get_initial_alarm_result()`` with
            ``info`` and ``hits`` populated.
        """
        result = get_initial_alarm_result()
        result['info'] = info

        # Naive UTC timestamp; NOTE(review): other timestamps compared against
        # self.now are presumably naive UTC as well — confirm.
        self.now = datetime.datetime.utcnow()

        # 1. get all IPs from the different IP lists (except tor)
        ip_lists = self.get_iplists()
        self.logger.debug('IP Lists: %s', ip_lists)

        # 2. Get all entries in redirtraffic that have not the enrich_iplist tag
        untagged_traffic = self.get_redirtraffic()

        # 3. loop through each result and find all IPs that matches in redirtraffic
        # NOTE(review): update_traffic() only receives ip_lists, not the fetched
        # traffic; presumably it re-queries or reads shared state — confirm.
        updated = self.update_traffic(ip_lists)

        # 4. Return all hits so they can be tagged
        result['hits']['hits'] = untagged_traffic
        result['hits']['total'] = updated

        self.logger.info('finished running module. result: %s hits',
                         result['hits']['total'])
        return result