def test_event(self):
    """Load one recent event and rebuild it from its ``IPSIDAlertID``.

    The ``ipsId``/``alertId`` pair exposed by ``Event(id=...)`` must join
    back (with ``|``) into the original ``IPSIDAlertID``.  On API v2 the
    event is additionally rebuilt through ``Event.data_from_id(...,
    use_query=True)`` and compared with the raw data it was built from.
    """
    manager = EventManager(
        time_range='CUSTOM',
        start_time=datetime.now() - timedelta(days=QUERY_TIMERANGE),
        end_time=datetime.now() + timedelta(days=1),
        limit=1,
    )
    manager.load_data()
    original = manager[0]
    alert_id = original['IPSIDAlertID']

    rebuilt = Event(id=alert_id)
    joined_id = '|'.join([
        str(rebuilt['ipsId']['id']),
        str(rebuilt['alertId']),
    ])
    self.assertEqual(alert_id, joined_id)

    # The direct-id query path only exists on API v2.
    if msiempy.NitroSession().api_v != 2:
        return
    print('CREATING EVENT MANUALLY FROM ID')
    raw_data = Event().data_from_id(id=alert_id, use_query=True)
    from_query = Event(raw_data)
    print('EVENT RETREIVED : {}'.format(from_query))
    print('ORIGINAL EVENT : {}'.format(original))
    self.assertEqual(from_query, raw_data)
def event_examples():
    """Run two sample event queries and print their results.

    Query #1 covers the last 3 days, filtered on ``DstIP`` (any address)
    and on ``HostID`` containing ``mail``, ascending by ``AlertID``,
    10 events.  Query #2 asks for the same fields, 3 events, loaded in
    three slots with ``max_query_depth=1``.
    """
    print('EVENT QUERY #1 : Simple event query sorted by AlertID')
    # SrcIP and AlertID are not queried by default, so request them explicitly.
    requested_fields = ['SrcIP', 'AlertID']
    any_dst = FieldFilter('DstIP', ['0.0.0.0/0'])
    # Please replace "mail" by a test hostname
    mail_hosts = FieldFilter('HostID', ['mail'], operator='CONTAINS')
    simple_query = EventManager(
        time_range='LAST_3_DAYS',
        fields=list(requested_fields),
        filters=[any_dst, mail_hosts],
        order=('ASCENDING', 'AlertID'),
        limit=10,
    )
    simple_query.load_data()
    print(simple_query)
    print(simple_query.get_text(fields=['AlertID', 'LastTime', 'SrcIP', 'Rule.msg']))

    print('EVENT QUERY #2 : Deeper event query')
    deeper_query = msiempy.event.EventManager(
        time_range='LAST_3_DAYS',
        fields=list(requested_fields),
        limit=3,
    )
    deeper_query.load_data(slots=3, max_query_depth=1)
    print(deeper_query)
    print(deeper_query.get_text(fields=['AlertID', 'LastTime', 'SrcIP', 'Rule.msg']))
def event_examples():
    """Run two sample event queries and print their results.

    Query #1 covers the last 3 days, filtered on ``DstIP`` (any address)
    and on ``HostID`` containing ``mail``, ascending by ``AlertID``,
    10 events.  Query #2 asks for the same fields, 3 events, loaded in
    three slots with ``max_query_depth=1``.
    """
    summary_fields = ["AlertID", "LastTime", "SrcIP", "Rule.msg"]

    def show(manager):
        # Print the manager itself, then a text rendering of the summary fields.
        print(manager)
        print(manager.get_text(fields=list(summary_fields)))

    print("EVENT QUERY #1 : Simple event query sorted by AlertID")
    query_one = EventManager(
        time_range="LAST_3_DAYS",
        # SrcIP and AlertID are not queried by default
        fields=["SrcIP", "AlertID"],
        filters=[
            FieldFilter("DstIP", ["0.0.0.0/0"]),
            # Please replace "mail" by a test hostname
            FieldFilter("HostID", ["mail"], operator="CONTAINS"),
        ],
        order=("ASCENDING", "AlertID"),
        limit=10,
    )
    query_one.load_data()
    show(query_one)

    print("EVENT QUERY #2 : Deeper event query")
    query_two = msiempy.event.EventManager(
        time_range="LAST_3_DAYS",
        fields=["SrcIP", "AlertID"],
        limit=3,
    )
    query_two.load_data(slots=3, max_query_depth=1)
    show(query_two)
def test_query_splitted_with_timedelta(self):
    """Compare a plain query against the same query split into two slots.

    Both queries cover the same custom window, ascending by ``AlertID``.
    The split query is loaded with ``slots=2, max_query_depth=1`` and its
    first five events are expected to equal the first five of the plain
    query.  ``max_query_depth`` is also given to the constructor; per the
    original comment that only produces a warning.
    """
    def window():
        # Fresh timestamps for each query, as the original did.
        return (datetime.now() - timedelta(days=QUERY_TIMERANGE),
                datetime.now() + timedelta(days=1))

    start, end = window()
    plain = EventManager(
        time_range='CUSTOM',
        start_time=start,
        end_time=end,
        order=('ASCENDING', 'AlertID'),
        limit=10,
    )
    plain.load_data()
    print('events_no_split'.upper())
    print(plain.text)

    start, end = window()
    split = EventManager(
        time_range='CUSTOM',
        start_time=start,
        end_time=end,
        order=('ASCENDING', 'AlertID'),
        limit=5,
        max_query_depth=1,  # Generate warning and ignore
    )
    split.load_data(slots=2, max_query_depth=1)  # Works
    print('events_splitted'.upper())
    print(split.text)

    self.assertEqual(
        plain[:5],
        split[:5],
        "Firts part of the splitted query doesn't correspond to the genuine "
        "query. This can happen when some event are generated at the exact "
        "same moment the query is submitted, retry the test ?",
    )
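def test_add_note(self):
    """Attach a note to two recent events and read it back.

    For each loaded event ``Event.set_note`` is called, the event is then
    rebuilt from its ``IPSIDAlertID`` and its ``note`` field is expected
    to match the text just written.
    """
    manager = EventManager(
        time_range='CUSTOM',
        start_time=datetime.now() - timedelta(days=QUERY_TIMERANGE),
        end_time=datetime.now() + timedelta(days=1),
        limit=2,
    )
    manager.load_data()
    for event in manager:
        event.set_note("Test note")
        # Rebuild from the id rather than reusing the local object, so the
        # check goes through Event(id=...) instead of the in-memory copy.
        genuine_event = Event(id=event['IPSIDAlertID'])
        # assertRegexpMatches is a deprecated alias that was removed in
        # Python 3.12; assertRegex is the supported name.
        self.assertRegex(
            genuine_event['note'],
            "Test note",
            "The note doesn't seem to have been added to the event \n" + str(event),
        )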
def test_unique_keys(self):
    """Check the ``fields`` attribute EventManager derives from a mixed list.

    The requested list mixes ``Alert.``-prefixed and bare spellings of the
    same fields; the resulting ``fields`` is compared, sorted, against the
    expected list.
    """
    requested = [
        "Rule.msg", "Alert.SrcIP", "Alert.DstIP", "Alert.IPSIDAlertID",
        "Alert.LastTime", "SrcMac", "Alert.SrcMac", "Alert.DstMac",
        "Alert.NormID", "Alert.BIN(4)", "HostID", "Alert.BIN(7)", "DSID",
        "Alert.EventCount",
    ]
    # NOTE(review): 'UserIDSrc' is expected although it is never requested —
    # presumably added by EventManager itself; confirm against the class.
    expected = [
        'Alert.NormID', 'DSID', 'DstIP', 'DstMac', 'EventCount', 'HostID',
        'IPSIDAlertID', 'LastTime', 'Rule.msg', 'SrcIP', 'SrcMac', 'UserIDSrc',
    ]
    actual = EventManager(fields=requested).fields
    print("Got")
    print(sorted(actual))
    print("EXPECTED")
    print(sorted(expected))
    self.assertEqual(sorted(actual), sorted(expected))
def get_events(self, ds_id, window='LAST_HOUR'):
    """Query one event for the datasource *ds_id*.

    Arguments:
        ds_id (str) -- datasource ID, aka IPSID; matched with an
            ``IPSID EQUALS`` filter.

    Keyword Arguments:
        window (str) -- ``time_range`` value handed to EventManager
            (default: 'LAST_HOUR')

    Returns:
        The loaded EventManager: fields ``HostID`` and ``UserIDSrc``,
        ordered ascending by ``LastTime``, ``limit=1``, ``max_query_depth=1``.
    """
    ds_filter = FieldFilter('IPSID', ds_id, operator='EQUALS')
    # NOTE(review): ASCENDING on LastTime with limit=1 — confirm this really
    # yields the most recent event, as the original docstring claimed.
    query = EventManager(
        time_range=window,
        fields=['HostID', 'UserIDSrc'],
        order=('ASCENDING', 'LastTime'),
        filters=[ds_filter],
        limit=1,
        max_query_depth=1,
    )
    query.load_data()
    return query
def test_query(self):
    """Load ten regular-field events and sanity-check them.

    Every event must carry a non-empty ``Alert.SrcIP``, at least one event
    must come back, and the keys, text and JSON renderings are printed.
    """
    manager = EventManager(
        time_range='CUSTOM',
        start_time=datetime.now() - timedelta(days=QUERY_TIMERANGE),
        end_time=datetime.now() + timedelta(days=1),
        fields=Event.REGULAR_EVENT_FIELDS,
        limit=10,
    )
    manager.load_data()
    for evt in manager:
        self.assertNotEqual(evt['Alert.SrcIP'], '',
                            "An event doesn't have proper source IP")
    self.assertGreater(len(manager), 0)
    print('EVENTS KEYS\n' + str(manager.keys))
    print('EVENTS TEXT\n' + str(manager))
    print('EVENT JSON\n' + manager.json)
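def test_ordered_query(self):
    """Check that an ``ASCENDING AlertID`` query comes back strictly ordered.

    Loads up to ten events over the custom window and asserts that each
    ``Alert.AlertID`` is greater than the previous one.
    """
    manager = EventManager(
        time_range='CUSTOM',
        start_time=datetime.now() - timedelta(days=QUERY_TIMERANGE),
        end_time=datetime.now() + timedelta(days=1),
        fields=['Alert.AlertID'],
        order=('ASCENDING', 'AlertID'),
        limit=10,
    )
    manager.load_data()
    previous = None
    for event in manager:
        # Identity check, not truthiness: a falsy event (e.g. an empty
        # mapping) must not silently restart the comparison chain.
        if previous is not None:
            self.assertGreater(int(event['Alert.AlertID']),
                               int(previous['Alert.AlertID']))
        previous = event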
def test_unique_keys(self):
    """Check the ``fields`` attribute EventManager derives from a mixed list.

    The requested list mixes ``Alert.``-prefixed and bare spellings of the
    same fields; the resulting ``fields`` is compared, sorted, against the
    expected list.
    """
    requested = (
        "Rule.msg", "Alert.SrcIP", "Alert.DstIP", "Alert.IPSIDAlertID",
        "Alert.LastTime", "SrcMac", "Alert.SrcMac", "Alert.DstMac",
        "Alert.NormID", "Alert.BIN(4)", "HostID", "Alert.BIN(7)", "DSID",
        "Alert.EventCount",
    )
    got = sorted(EventManager(fields=list(requested)).fields)
    # NOTE(review): "UserIDSrc" is expected although it is never requested —
    # presumably added by EventManager itself; confirm against the class.
    want = sorted([
        "Alert.NormID", "DSID", "DstIP", "DstMac", "EventCount", "HostID",
        "IPSIDAlertID", "LastTime", "Rule.msg", "SrcIP", "SrcMac", "UserIDSrc",
    ])
    print("Got")
    print(got)
    print("EXPECTED")
    print(want)
    self.assertEqual(got, want)
def test_filtered_query(self):
    """Run two filtered queries and check every returned event matches.

    First a single ``SrcIP`` CIDR filter, then an ``AND`` group combining
    the same CIDR with an ``AppID EQUALS CRON`` filter.
    """
    cidr_filter = FieldFilter(name='SrcIP', values=['22.0.0.0/8'])
    by_ip = EventManager(fields=['SrcIP'], filters=[cidr_filter]).load_data()
    for hit in by_ip:
        # NOTE(review): substring check — an address such as 122.x.x.x would
        # also pass; an ipaddress-based containment test would be stricter.
        self.assertIn('22.', hit['SrcIP'])

    combined = GroupFilter(
        [
            FieldFilter(name='SrcIP', values=['22.0.0.0/8']),
            FieldFilter('AppID', 'CRON', operator='EQUALS'),
        ],
        logic='AND',
    )
    by_ip_and_app = EventManager(fields=['SrcIP', 'AppID'],
                                 filters=[combined]).load_data()
    for hit in by_ip_and_app:
        self.assertIn('22.', hit['SrcIP'])
        self.assertEqual(hit['AppID'], 'CRON')
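def test_getitem(self):
    """Exercise item access, text rendering and key deletion on a loaded event.

    After loading five events, the second one must expose ``Rule.msg``,
    ``DstIP`` and ``HostID``; once the short-name keys are deleted, neither
    those names nor the ``Alert.*`` spellings listed below may remain.
    """
    text_fields = [
        "Rule.msg", "SrcIP", "DstIP", "SrcMac", "DstMac", "NormID", "HostID",
        "UserIDSrc", "ObjectID", "Severity", "LastTime", "DSIDSigID",
        "IPSIDAlertID",
    ]
    short_keys = ["Rule.msg", "SrcIP", "DstIP", "SrcMac", "DstMac", "NormID", "HostID"]
    long_keys = ["Rule.msg", "Alert.SrcIP", "Alert.DstIP", "Alert.SrcMac",
                 "Alert.DstMac", "Alert.NormID", "Alert.BIN(4)"]

    events = EventManager(
        time_range='CUSTOM',
        start_time=datetime.now() - timedelta(days=QUERY_TIMERANGE),
        end_time=datetime.now() + timedelta(days=1),
        fields=Event.REGULAR_EVENT_FIELDS,
        limit=5,
    )
    events.load_data()
    print(events)
    # Fresh list each call so get_text cannot share one object between renderings.
    print(events.get_text(fields=list(text_fields), format='csv'))
    print(events.get_text(fields=list(text_fields), format='prettytable',
                          max_column_width=50))

    an_event = events[1]
    print(an_event)
    for key in ("Rule.msg", "DstIP", "HostID"):
        self.assertIn(key, an_event)

    for key in short_keys:
        del an_event[key]
    # Plain loops replace the original list comprehensions that were
    # evaluated only for their assertion side effects.
    for key in long_keys + short_keys:
        self.assertNotIn(key, an_event)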
def test_manager(self):
    """Build an EventManager from the fixture list and render three fields."""
    fixture_manager = EventManager(alist=T.TEST_EVENTS)
    shown = ['SrcIP', 'DstIP', 'LastTime']
    print("get_text(fields=['SrcIP', 'DstIP', 'LastTime'])")
    print(fixture_manager.get_text(fields=shown))
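if __name__ == "__main__":
    import sys

    args = parse_args()

    # Only the selectors actually given on the command line become filters.
    selectors = (
        ('UserIDSrc', args.user),
        ('SrcIP', args.ip),
        ('HostID', args.host),
        ('SrcMac', args.macaddr),
    )
    filters = [(field, value) for field, value in selectors if value]
    if not filters:
        print('You must specify a filter. One of the arguments --user --ip --host --macaddr is required')
        # A negative status is not a valid process exit code (it wraps to 255
        # on POSIX); 1 is the conventional failure status.
        sys.exit(1)

    events = EventManager(
        time_range=args.timerange,
        fields=['SrcMac', 'SrcIP', 'UserIDSrc', 'HostID', 'EventCount'],
        filters=filters,
    )
    events.load_data(delta='2h', max_query_depth=5)
    if len(events) == 0:
        print('No event found, sorry')
        sys.exit(0)

    # Drop the columns this script does not display — TODO confirm nothing
    # downstream relies on them.
    for e in events:
        del e['IPSIDAlertID']
        del e['LastTime']
        del e['Rule.msg']
    print("Loaded {} events".format(len(events)))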
""" Print raw events results hour by hour for the past 24h """ from datetime import datetime from msiempy.event import EventManager from msiempy.__utils__ import parse_timedelta, divide_times # Generate last 24h tuples (start_time, end_time) periods = divide_times( first=datetime.now() - parse_timedelta("24h"), last=datetime.now(), slots=24 ) periods_results = list() for time in periods: query = EventManager( start_time=time[0], end_time=time[1], filters=[("SrcIP", ["22.0.0.0/8", "127.0.0.1"])], ) query.load_data() periods_results.append(query) for i, p in enumerate(periods_results): print("{} hours ago, query got {}".format(24 - i, periods_results[i]))
""" Print raw events results hour by hour for the past 24h """ from datetime import datetime from msiempy.event import EventManager from msiempy.__utils__ import parse_timedelta, divide_times # Generate last 24h tuples (start_time, end_time) periods = divide_times( first = datetime.now() - parse_timedelta('24h'), last = datetime.now(), slots=24 ) periods_results = list() for time in periods: query = EventManager( start_time=time[0], end_time=time[1], filters=[ ('SrcIP', ['22.0.0.0/8', '127.0.0.1'] ) ] ) query.load_data() periods_results.append(query) for i, p in enumerate(periods_results): print("{} hours ago, query got {}".format(24-i, periods_results[i]))