def run(self, idmef):
classification = idmef.get("alert.classification.text")
source = idmef.get("alert.source(*).node.address(*).address")
target = idmef.get("alert.target(*).node.address(*).address")
if not source or not target or not classification:
return
for saddr in source:
ctx = Context(("SCAN EVENTSWEEP", classification, saddr), {
"expire": 60,
"threshold": 30,
"alert_on_expire": True
},
overwrite=False,
ruleid=self.name)
if ctx.getUpdateCount() == 0:
ctx.set(
"alert.correlation_alert.name",
"A single host has played the same event against multiple targets. This may be a network scan "
"for a specific vulnerability")
ctx.set("alert.classification.text", "Eventsweep")
ctx.set("alert.assessment.impact.severity", "high")
cur = ctx.get("alert.target(*).node.address(*).address")
if cur:
for address in target:
if address in cur:
return
ctx.update(idmef=idmef, timer_rst=ctx.getUpdateCount())
def run(self, idmef):
classification = idmef.get("alert.classification.text")
source = idmef.get("alert.source(*).node.address(*).address")
target = idmef.get("alert.target(*).node.address(*).address")
if not source or not target or not classification:
return
for saddr in source:
ctx = Context(("SCAN EVENTSWEEP", classification, saddr), { "expire": 60, "threshold": 30, "alert_on_expire": True }, overwrite = False)
if ctx.getUpdateCount() == 0:
ctx.set("alert.correlation_alert.name", "A single host has played the same event against multiple targets. This may be a network scan for a specific vulnerability")
ctx.set("alert.classification.text", "Eventsweep")
ctx.set("alert.assessment.impact.severity", "high")
cur = ctx.get("alert.target(*).node.address(*).address")
if cur:
for address in target:
if address in cur:
insert = False
return
ctx.update(idmef=idmef, timer_rst=ctx.getUpdateCount())
