Python PhraseMatch примеры использования

Пример #1

Файл: ssh_access_signreleng.py Проект: orenwf/MozDef

    def main(self):
        search_query = SearchQuery(minutes=15)

        self.parse_config('ssh_access_signreleng.conf',
                          ['hostfilter', 'ircchannel', 'exclusions'])

        if self.config.ircchannel == '':
            self.config.ircchannel = None

        exclusions = json.loads(self.config.exclusions)

        search_query.add_must([
            TermMatch('tags', 'releng'),
            TermMatch('details.program', 'sshd'),
            QueryStringMatch('hostname: /{}/'.format(self.config.hostfilter)),
            PhraseMatch('summary', 'Accepted publickey for ')
        ])

        for exclusion in exclusions:
            exclusion_query = None
            for key, value in exclusion.iteritems():
                phrase_exclusion = PhraseMatch(key, value)
                if exclusion_query is None:
                    exclusion_query = phrase_exclusion
                else:
                    exclusion_query = exclusion_query + phrase_exclusion

            search_query.add_must_not(exclusion_query)

        self.filtersManual(search_query)
        self.searchEventsSimple()
        self.walkEvents()

Пример #2

    def main(self):

        superquery = None
        run = 0

        for user in self._config['users']:
            if run == 0:
                superquery = PhraseMatch('summary', user)
            else:
                superquery |= PhraseMatch('summary', user)
            run += 1

        r1 = datetime.datetime.now().replace(hour=5, minute=50,
                                             second=00).isoformat()
        r2 = datetime.datetime.now().replace(hour=6, minute=0,
                                             second=00).isoformat()

        search_query = SearchQuery(minutes=5)

        search_query.add_must([
            TermMatch('_type', 'event'),
            TermMatch('category', 'syslog'),
            TermMatch('details.program', 'sshd'),
            QueryStringMatch('summary:"session opened"'),
        ])

        search_query.add_must_not([RangeMatch('utctimestamp', r1, r2)])
        search_query.add_must(superquery)

        self.filtersManual(search_query)
        self.searchEventsAggregated('details.hostname', samplesLimit=10)
        self.walkAggregations(threshold=1)

Пример #3

 def query_tests(self):
     tests = {
         PhraseMatch('summary', 'test run'): [
             {
                 'summary': 'test sample run'
             },
             {
                 'notes': 'test run'
             },
             {
                 'summary': 'example test running'
             },
         ],
         PhraseMatch('summary', 'test abc'): [
             {
                 'summary': 'example summary test'
             },
             {
                 'notes': 'we are test here source'
             },
         ],
         PhraseMatch('summary', 'test'): [
             {
                 'summary': 'we are testing'
             },
         ],
     }
     return tests

Пример #4

Файл: vpn_duo_auth_failures.py Проект: v2hack/MozDef

    def main(self):
        search_query = SearchQuery(minutes=2)

        search_query.add_must([
            TermMatch('category', 'event'),
            TermMatch('tags', 'duosecurity'),
            PhraseMatch('details.integration', 'global and external openvpn'),
            PhraseMatch('details.result', 'FAILURE')
        ])

        self.filtersManual(search_query)

        # Search aggregations on field 'username', keep X samples of events at most
        self.searchEventsAggregated('details.username', samplesLimit=5)
        # alert when >= X matching events in an aggregation
        self.walkAggregations(threshold=5)

Пример #5

    def main(self):
        search_query = SearchQuery(minutes=2)

        search_query.add_must([
            TermMatch('category', 'promiscuous'),
            PhraseMatch('summary', 'promiscuous'),
            PhraseMatch('summary', 'on')
        ])

        search_query.add_must_not([
            QueryStringMatch('details.dev: veth*'),
        ])

        self.filtersManual(search_query)
        self.searchEventsSimple()
        self.walkEvents()

Пример #6

def esSearch(es, macassignments=None):
    '''
    Search ES for an event that ties a username to a mac address
    This example searches for junos wifi correlations on authentication success
    Expecting an event like: user: [email protected]; mac: 5c:f9:38:b1:de:cf; author reason: roamed session; ssid: ANSSID; AP 46/2\n
    '''
    usermacre=re.compile(r'''user: (?P<username>.*?); mac: (?P<macaddress>.*?); ''',re.IGNORECASE)
    correlations={} # list of dicts to populate hits we find

    search_query = SearchQuery(minutes=options.correlationminutes)
    search_query.add_must(TermMatch('details.program', 'AUTHORIZATION-SUCCESS'))
    search_query.add_must_not(PhraseMatch('summary', 'last-resort'))

    try:
        full_results = search_query.execute(es)
        results = full_results['hits']

        for r in results:
            fields = re.search(usermacre,r['_source']['summary'])
            if fields:
                if '{0} {1}'.format(fields.group('username'),fields.group('macaddress')) not in correlations.keys():
                    if fields.group('macaddress')[0:8].lower() in macassignments.keys():
                        entity=macassignments[fields.group('macaddress')[0:8].lower()]
                    else:
                        entity='unknown'
                    correlations['{0} {1}'.format(fields.group('username'),fields.group('macaddress'))]=dict(username=fields.group('username'),
                                                                                                             macaddress=fields.group('macaddress'),
                                                                                                             entity=entity,
                                                                                                             utctimestamp=r['_source']['utctimestamp'])
        return correlations

    except ElasticsearchBadServer:
        logger.error('Elastic Search server could not be reached, check network connectivity')

Пример #7

    def main(self):

        search_query = SearchQuery(minutes=2)

        search_query.add_must([
            TermMatch('category', 'syslog'),
            PhraseMatch('summary', 'promiscuous'),
            PhraseMatch('summary', 'entered')
        ])

        search_query.add_must_not([
            QueryStringMatch('summary: veth*'),
        ])

        self.filtersManual(search_query)
        self.searchEventsAggregated('hostname', samplesLimit=10)
        self.walkAggregations(threshold=1)

Пример #8

Файл: collectAttackers.py Проект: ryzokuken/MozDef

def searchESForBROAttackers(es, threshold):
    search_query = SearchQuery(hours=2)
    search_query.add_must([
        PhraseMatch('category', 'bronotice'),
        PhraseMatch('details.note', 'MozillaHTTPErrors::Excessive_HTTP_Errors_Attacker')
    ])
    full_results = search_query.execute(es)
    results = full_results['hits']

    # Hit count is buried in the 'sub' field
    # as: 'sub': u'6 in 1.0 hr, eps: 0'
    # cull the records for hitcounts over the threshold before returning
    attackers = list()
    for r in results:
        hitcount = int(r['_source']['details']['sub'].split()[0])
        if hitcount > threshold:
            attackers.append(r)
    return attackers

Пример #9

Файл: ssh_lateral.py Проект: v2hack/MozDef

    def main(self):
        search_query = SearchQuery(minutes=2)
        search_query.add_must([
            TermMatch('category', 'syslog'),
            TermMatch('details.program', 'sshd'),
            PhraseMatch('summary', 'Accepted publickey')
        ])

        self.filtersManual(search_query)
        self.searchEventsAggregated('details.hostname', samplesLimit=10)
        self.walkAggregations(threshold=1)

Пример #10

Файл: bruteforce_ssh.py Проект: scriptonist/MozDef

    def main(self):
        self.parse_config('bruteforce_ssh.conf', ['skiphosts'])

        search_query = SearchQuery(minutes=2)

        search_query.add_must([
            PhraseMatch('summary', 'failed'),
            TermMatch('details.program', 'sshd'),
            TermsMatch('summary', ['login', 'invalid', 'ldap_count_entries'])
        ])

        for ip_address in self.config.skiphosts.split():
            search_query.add_must_not(PhraseMatch('summary', ip_address))

        self.filtersManual(search_query)

        # Search aggregations on field 'sourceipaddress', keep X samples of
        # events at most
        self.searchEventsAggregated('details.sourceipaddress', samplesLimit=10)
        # alert when >= X matching events in an aggregation
        self.walkAggregations(threshold=10)

Пример #11

    def main(self):
        search_query = SearchQuery(minutes=15)

        self.parse_config('ssh_access_signreleng.conf', ['hostfilter', 'users', 'ircchannel'])

        if self.config.ircchannel == '':
            self.config.ircchannel = None

        search_query.add_must([
            TermMatch('tags', 'releng'),
            TermMatch('details.program', 'sshd'),
            QueryStringMatch('details.hostname: /{}/'.format(self.config.hostfilter)),
            PhraseMatch('summary', 'Accepted publickey for ')
        ])

        for x in self.config.users.split():
            search_query.add_must_not(PhraseMatch('summary', x))

        self.filtersManual(search_query)
        self.searchEventsSimple()
        self.walkEvents()

Пример #12

    def main(self):
        search_query = SearchQuery(minutes=15)

        search_query.add_must([
            TermMatch('category', 'ldapChange'),
            TermMatch('details.changetype', 'modify'),
            PhraseMatch("summary", "groups")
        ])

        self.filtersManual(search_query)
        # Search events
        self.searchEventsSimple()
        self.walkEvents()

Пример #13

Файл: deadman.py Проект: v2hack/MozDef

    def main(self, *args, **kwargs):
        self.parse_config('deadman.conf', ['url'])
        # call with hostlist=['host1','host2','host3']
        # to search for missing events
        if kwargs and 'hostlist' in kwargs.keys():
            for host in kwargs['hostlist']:
                self.log.debug('checking deadman for host: {0}'.format(host))
                search_query = SearchQuery(minutes=20)

                search_query.add_must([
                    PhraseMatch("details.note",
                                "MozillaAlive::Bro_Is_Watching_You"),
                    PhraseMatch("details.peer_descr", host),
                    TermMatch('category', 'bro'),
                    TermMatch('source', 'notice')
                ])

                self.filtersManual(search_query)

                # Search events
                self.searchEventsSimple()
                self.walkEvents(hostname=host)

Пример #14

Файл: ldap_lockout.py Проект: ryzokuken/MozDef

    def main(self):
        search_query = SearchQuery(minutes=15)

        search_query.add_must([
            TermMatch('category', 'ldapChange'),
            TermMatch("details.actor", "cn=admin,dc=mozilla"),
            PhraseMatch('details.changepairs', 'replace:pwdAccountLockedTime')
        ])
        self.filtersManual(search_query)

        # Search events
        self.searchEventsSimple()
        self.walkEvents()

Пример #15

Файл: auditd_sftp.py Проект: orenwf/MozDef

    def main(self):
        search_query = SearchQuery(minutes=5)

        search_query.add_must([
            TermMatch('category', 'execve'),
            TermMatch('processname', 'audisp-json'),
            TermMatch('details.processname', 'ssh'),
            PhraseMatch('details.parentprocess', 'sftp')
        ])

        self.filtersManual(search_query)
        self.searchEventsSimple()
        self.walkEvents()

Пример #16

    def main(self):
        search_query = SearchQuery(minutes=15)

        search_query.add_must(PhraseMatch('summary', 'Failsafe Duo login'))

        self.filtersManual(search_query)

        # Search aggregations on field 'sourceipaddress', keep X samples of
        # events at most
        self.searchEventsAggregated('details.hostname', samplesLimit=10)
        # alert when >= X matching events in an aggregation
        # in this case, always
        self.walkAggregations(threshold=1)

Пример #17

Файл: unauth_ssh.py Проект: v2hack/MozDef

    def main(self):
        self.config_file = './unauth_ssh.conf'
        self.config = None
        self.initConfiguration()

        search_query = SearchQuery(minutes=30)

        search_query.add_must([
            TermMatch('category', 'syslog'),
            TermMatch('details.program', 'sshd'),
            QueryStringMatch('details.hostname: /{}/'.format(
                self.config.hostfilter)),
            PhraseMatch('summary',
                        'Accepted publickey for {}'.format(self.config.user))
        ])

        for x in self.config.skiphosts:
            search_query.add_must_not(PhraseMatch('summary', x))

        self.filtersManual(search_query)
        self.searchEventsSimple()
        self.walkEvents()

Пример #18

Файл: trace_audit.py Проект: orenwf/MozDef

    def main(self):
        self.parse_config('trace_audit.conf', ['hostfilter'])
        search_query = SearchQuery(minutes=5)

        search_query.add_must([
            TermMatch('details.processname', 'strace'),
        ])

        for host in self.config.hostfilter.split():
            search_query.add_must_not(PhraseMatch('hostname', host))

        self.filtersManual(search_query)
        self.searchEventsAggregated('details.originaluser', samplesLimit=10)
        self.walkAggregations(threshold=1)

Пример #19

Файл: host_scanner_alerts.py Проект: ryzokuken/MozDef

    def main(self):
        search_query = SearchQuery(minutes=15)

        search_query.add_must([
            TermMatch('_type', 'cef'),
            ExistsMatch('details.dhost'),
            PhraseMatch("details.signatureid", "sensitivefiles")
        ])

        self.filtersManual(search_query)
        # Search aggregations on field 'sourceipaddress', keep X samples of events at most
        self.searchEventsAggregated('details.dhost', samplesLimit=30)
        # alert when >= X matching events in an aggregation
        self.walkAggregations(threshold=1)

Пример #20

Файл: duo_authfail.py Проект: v2hack/MozDef

    def main(self):
        self.parse_config('duo_authfail.conf', ['url'])
        search_query = SearchQuery(minutes=15)

        search_query.add_must([
            TermMatch('category', 'event'),
            ExistsMatch('details.sourceipaddress'),
            ExistsMatch('details.username'),
            PhraseMatch('details.result', 'FRAUD')
        ])

        self.filtersManual(search_query)
        self.searchEventsSimple()
        self.walkEvents()

Пример #21

 def query_tests(self):
     tests = {
         PhraseMatch('summary', 'test run'): [
             {
                 'summary': 'test run'
             },
             {
                 'summary': 'this is test run source'
             },
             {
                 'summary': 'this is test run'
             },
         ],
         PhraseMatch('summary', 'test'): [
             {
                 'summary': 'test here'
             },
             {
                 'summary': 'we are test here source'
             },
             {
                 'summary': 'this is test'
             },
         ],
         PhraseMatch('summary', '/test/abc'): [
             {
                 'summary': '/test/abc'
             },
             {
                 'summary': '/test/abc/def'
             },
             {
                 'summary': 'path /test/abc'
             },
         ],
     }
     return tests

Пример #22

    def main(self):

        superquery = None
        run = 0

        for user in self._config['users'].values():
            if run == 0:
                superquery = PhraseMatch('summary', user)
            else:
                superquery |= PhraseMatch('summary', user)
            run += 1

        search_query = SearchQuery(minutes=10)

        search_query.add_must([
            TermMatch('_type', 'event'),
            TermMatch('category', 'syslog'),
            TermMatch('details.program', 'sshd'),
            QueryStringMatch('summary:"session opened"'),
        ])

        for expectedtime in self._config['scan_expected'].values():
            r1 = datetime.datetime.now().replace(
                hour=int(expectedtime['start_hour']),
                minute=int(expectedtime['start_minute']),
                second=int(expectedtime['start_second'])).isoformat()
            r2 = datetime.datetime.now().replace(
                hour=int(expectedtime['end_hour']),
                minute=int(expectedtime['end_minute']),
                second=int(expectedtime['end_second'])).isoformat()
            search_query.add_must_not([RangeMatch('utctimestamp', r1, r2)])

        search_query.add_must(superquery)

        self.filtersManual(search_query)
        self.searchEventsAggregated('details.program', samplesLimit=10)
        self.walkAggregations(threshold=1)

Пример #23

    def main(self):
        self.parse_config('http_auth_bruteforce.conf', ['url'])
        search_query = SearchQuery(minutes=15)

        search_query.add_must([
            TermMatch('_type', 'nsm'),
            TermMatch('category', 'bro'),
            TermMatch('source', 'notice'),
            PhraseMatch('details.note', 'AuthBruteforcing::HTTP_AuthBruteforcing_Attacker'),
        ])

        self.filtersManual(search_query)
        # Search events
        self.searchEventsSimple()
        self.walkEvents()

Пример #24

    def main(self):
        search_query = SearchQuery(hours=4)

        search_query.add_must([
            TermMatch('category', 'open_port_policy_violation'),
            PhraseMatch('tags', 'open_port_policy_violation')
        ])

        self.filtersManual(search_query)

        # Search aggregations on field 'sourceipaddress', keep X samples of
        # events at most
        self.searchEventsAggregated('details.destinationipaddress',
                                    samplesLimit=100)
        # alert when >= X matching events in an aggregation
        self.walkAggregations(threshold=1)

Пример #25

    def main(self):
        self.parse_config('ssh_bruteforce_bro.conf', ['url'])

        search_query = SearchQuery(minutes=15)

        search_query.add_must([
            TermMatch('category', 'bro'),
            TermMatch('source', 'notice'),
            PhraseMatch('details.note', 'SSH::Password_Guessing')
        ])

        self.filtersManual(search_query)

        # Search events
        self.searchEventsSimple()
        self.walkEvents()

Пример #26

    def main(self):
        self.parse_config('write_audit.conf', ['skipprocess'])
        search_query = SearchQuery(minutes=15)

        search_query.add_must([
            TermMatch('category', 'write'),
            TermMatch('details.auditkey', 'audit'),
        ])

        for processname in self.config.skipprocess.split():
            search_query.add_must_not(
                PhraseMatch('details.processname', processname))

        self.filtersManual(search_query)
        self.searchEventsAggregated('details.originaluser', samplesLimit=10)
        self.walkAggregations(threshold=2)

Пример #27

    def main(self):
        self.parse_config('correlated_alerts.conf', ['url'])

        # look for events in last 15 mins
        search_query = SearchQuery(minutes=15)
        search_query.add_must([
            TermMatch('_type', 'bro'),
            TermMatch('eventsource', 'nsm'),
            TermMatch('category', 'bronotice'),
            ExistsMatch('details.sourceipaddress'),
            PhraseMatch('details.note', 'CrowdStrike::Correlated_Alerts')
        ])
        self.filtersManual(search_query)

        # Search events
        self.searchEventsSimple()
        self.walkEvents()

Пример #28

    def main(self):
        self.parse_config('unauth_scan.conf', ['nsm_host', 'url'])

        search_query = SearchQuery(minutes=2)

        search_query.add_must([
            TermMatch('_type', 'bro'),
            TermMatch('category', 'bronotice'),
            TermMatch('eventsource', 'nsm'),
            TermMatch('hostname', self.config.nsm_host),
            ExistsMatch('details.indicators'),
            PhraseMatch('details.note', 'Scan::Address_Scan'),
        ])
        self.filtersManual(search_query)

        self.searchEventsSimple()
        self.walkEvents()

Пример #29

Файл: amo_failed_logins.py Проект: ryzokuken/MozDef

    def main(self):
        search_query = SearchQuery(minutes=10)

        search_query.add_must([
            TermMatch('_type', 'addons'),
            TermMatch('details.signatureid', 'authfail'),
            ExistsMatch('details.sourceipaddress'),
            PhraseMatch('details.msg', "The password was incorrect"),
            ExistsMatch('details.suser')
        ])

        self.filtersManual(search_query)

        # Search aggregations, keep X samples of events at most
        self.searchEventsAggregated('details.suser', samplesLimit=15)
        # alert when >= X matching events in an aggregation
        self.walkAggregations(threshold=20)

Пример #30

    def main(self):
        self.parse_config('http_errors.conf', ['url'])

        search_query = SearchQuery(minutes=15)

        search_query.add_must([
            TermMatch('_type', 'nsm'),
            TermMatch('category', 'bro'),
            TermMatch('source', 'notice'),
            PhraseMatch('details.note', 'MozillaHTTPErrors::Excessive_HTTP_Errors_Attacker'),
        ])

        self.filtersManual(search_query)

        # Search events
        self.searchEventsSimple()
        self.walkEvents()