def run(self, idmef) -> None:
    """Feed one alert into the per-source "event sweep" correlation context.

    For every source address in the alert, a ``Context`` keyed on
    ``("SCAN EVENTSWEEP", <classification text>, <source address>)`` is looked
    up or created (``overwrite=False``) with ``expire=60``, ``threshold=30``
    and ``alert_on_expire=True``.  On its first use the context is labelled
    as an "Eventsweep" correlation alert with severity "high".  The alert is
    only folded into the context when none of its target addresses has been
    recorded there already; otherwise ``run`` returns immediately.

    Args:
        idmef: the incoming alert; queried through ``idmef.get(path)`` with
            IDMEF paths.  The ``(*)`` wildcards mean the source and target
            lookups are presumably lists of address strings -- not verified here.

    Returns:
        None.  Alerts without a classification, source address or target
        address are dropped without touching any context.
    """
    classification = idmef.get("alert.classification.text")
    sources = idmef.get("alert.source(*).node.address(*).address")
    targets = idmef.get("alert.target(*).node.address(*).address")

    # All three pieces are needed to build a meaningful context key.
    if not (classification and sources and targets):
        return

    context_options = {"expire": 60, "threshold": 30, "alert_on_expire": True}

    for src_addr in sources:
        key = ("SCAN EVENTSWEEP", classification, src_addr)
        ctx = Context(key, context_options, overwrite=False, ruleid=self.name)

        # A zero update count marks a freshly created context: attach the
        # fields describing the correlation alert it represents.
        if ctx.getUpdateCount() == 0:
            ctx.set(
                "alert.correlation_alert.name",
                "A single host has played the same event against multiple targets. This may be a network scan for a specific vulnerability",
            )
            ctx.set("alert.classification.text", "Eventsweep")
            ctx.set("alert.assessment.impact.severity", "high")

        # A target already present in the context does not count as a new
        # victim; bail out without updating.  NOTE(review): this leaves the
        # remaining entries of ``sources`` unprocessed for this alert.
        recorded = ctx.get("alert.target(*).node.address(*).address")
        if recorded and any(addr in recorded for addr in targets):
            return

        # timer_rst receives the pre-update count; its meaning is defined by
        # Context and not visible here.
        ctx.update(idmef=idmef, timer_rst=ctx.getUpdateCount())
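def run(self, idmef) -> None:
    """Feed one alert into the per-source "event sweep" correlation context.

    For every source address in the alert, a ``Context`` keyed on
    ``("SCAN EVENTSWEEP", <classification text>, <source address>)`` is looked
    up or created (``overwrite=False``) with ``expire=60``, ``threshold=30``
    and ``alert_on_expire=True``.  On its first use the context is labelled
    as an "Eventsweep" correlation alert with severity "high".  The alert is
    only folded into the context when none of its target addresses has been
    recorded there already; otherwise ``run`` returns immediately.

    Args:
        idmef: the incoming alert; queried through ``idmef.get(path)`` with
            IDMEF paths.  The ``(*)`` wildcards mean the source and target
            lookups are presumably lists of address strings -- not verified here.

    Returns:
        None.  Alerts without a classification, source address or target
        address are dropped without touching any context.
    """
    classification = idmef.get("alert.classification.text")
    source = idmef.get("alert.source(*).node.address(*).address")
    target = idmef.get("alert.target(*).node.address(*).address")

    # All three pieces are needed to build a meaningful context key.
    if not source or not target or not classification:
        return

    for saddr in source:
        ctx = Context(
            ("SCAN EVENTSWEEP", classification, saddr),
            {"expire": 60, "threshold": 30, "alert_on_expire": True},
            overwrite=False,
        )

        # A zero update count marks a freshly created context: attach the
        # fields describing the correlation alert it represents.
        if ctx.getUpdateCount() == 0:
            ctx.set(
                "alert.correlation_alert.name",
                "A single host has played the same event against multiple targets. This may be a network scan for a specific vulnerability",
            )
            ctx.set("alert.classification.text", "Eventsweep")
            ctx.set("alert.assessment.impact.severity", "high")

        # A target already present in the context does not count as a new
        # victim; bail out without updating.  (The dead ``insert = False``
        # store that used to sit here was never read and has been removed.)
        # NOTE(review): returning here leaves the remaining entries of
        # ``source`` unprocessed for this alert -- confirm that is intended.
        cur = ctx.get("alert.target(*).node.address(*).address")
        if cur:
            for address in target:
                if address in cur:
                    return

        # timer_rst receives the pre-update count; its meaning is defined by
        # Context and not visible here.
        ctx.update(idmef=idmef, timer_rst=ctx.getUpdateCount())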