def query_tests(self):
tests = {
QueryStringMatch('summary: test'): [
{
'summary': 'example summary'
},
{
'summary': 'example summary tes'
},
{
'summary': 'testing'
},
{
'note': 'test'
},
],
QueryStringMatch('summary: test conf'): [
{
'summary': 'testing'
},
{
'summary': 'configuration'
},
{
'summary': 'testing configuration'
},
],
}
return tests
def query_tests(self):
tests = {
QueryStringMatch('summary: test'): [
{'summary': 'test'},
],
QueryStringMatch('summary: test conf'): [
{'summary': 'test'},
{'summary': 'conf'},
{'summary': 'test conf'},
],
QueryStringMatch(hostname_test_regex): [
{'hostname': 'host.groupa.test.def.subdomain.company.com'},
{'hostname': 'host.groupa.test.def.subdomain.company.com'},
{'hostname': 'host.groupa.subdomain.domain.company.com'},
{'hostname': 'host.groupa.subdomain.domain1.company.com'},
{'hostname': 'host.groupa.subdomain.company.com'},
{'hostname': 'host1.groupa.subdomain.company.com'},
{'hostname': 'host1.groupa.test.subdomain.company.com'},
{'hostname': 'host-1.groupa.test.subdomain.domain.company.com'},
{'hostname': 'host-v2-test6.groupa.test.subdomain.domain.company.com'},
{'hostname': 'host1.groupa.subdomain.domain.company.com'},
{'hostname': 'someotherhost1.hgi.groupa.subdomain.domain1.company.com'},
{'hostname': 'host2.groupb.subdomain.domain.company.com'},
],
QueryStringMatch(filename_matcher): [
{'summary': 'test.exe'},
{'summary': 'test.sh'},
],
}
return tests
def main(self):
self.parse_config('proxy_drop_non_standard_port.conf',
['excludedports'])
search_query = SearchQuery(minutes=20)
search_query.add_must([
TermMatch('category', 'squid'),
TermMatch('tags', 'squid'),
TermMatch('details.proxyaction', 'TCP_DENIED/-'),
TermMatch('details.tcpaction', 'CONNECT')
])
# Only notify on certain ports from config
port_regex = "/.*:({0})/".format(
self.config.excludedports.replace(',', '|'))
search_query.add_must_not(
[QueryStringMatch('details.destination: {}'.format(port_regex))])
self.filtersManual(search_query)
# Search aggregations on field 'hostname', keep X samples of
# events at most
self.searchEventsAggregated('details.sourceipaddress', samplesLimit=10)
# alert when >= X matching events in an aggregation
# I think it makes sense to alert every time here
self.walkAggregations(threshold=1)
def main(self):
superquery = None
run = 0
for user in self._config['users']:
if run == 0:
superquery = PhraseMatch('summary', user)
else:
superquery |= PhraseMatch('summary', user)
run += 1
r1 = datetime.datetime.now().replace(hour=5, minute=50,
second=00).isoformat()
r2 = datetime.datetime.now().replace(hour=6, minute=0,
second=00).isoformat()
search_query = SearchQuery(minutes=5)
search_query.add_must([
TermMatch('_type', 'event'),
TermMatch('category', 'syslog'),
TermMatch('details.program', 'sshd'),
QueryStringMatch('summary:"session opened"'),
])
search_query.add_must_not([RangeMatch('utctimestamp', r1, r2)])
search_query.add_must(superquery)
self.filtersManual(search_query)
self.searchEventsAggregated('details.hostname', samplesLimit=10)
self.walkAggregations(threshold=1)
def main(self):
search_query = SearchQuery(minutes=15)
self.parse_config('ssh_access_signreleng.conf',
['hostfilter', 'ircchannel', 'exclusions'])
if self.config.ircchannel == '':
self.config.ircchannel = None
exclusions = json.loads(self.config.exclusions)
search_query.add_must([
TermMatch('tags', 'releng'),
TermMatch('details.program', 'sshd'),
QueryStringMatch('hostname: /{}/'.format(self.config.hostfilter)),
PhraseMatch('summary', 'Accepted publickey for ')
])
for exclusion in exclusions:
exclusion_query = None
for key, value in exclusion.iteritems():
phrase_exclusion = PhraseMatch(key, value)
if exclusion_query is None:
exclusion_query = phrase_exclusion
else:
exclusion_query = exclusion_query + phrase_exclusion
search_query.add_must_not(exclusion_query)
self.filtersManual(search_query)
self.searchEventsSimple()
self.walkEvents()
def searchForSSHKeys(es):
search_query = SearchQuery(minutes=5)
search_query.add_must([
TermMatch('_type', 'event'),
TermMatch('details.program', 'sshd'),
QueryStringMatch('summary:found matching key accepted publickey')
])
results = search_query.execute(es)
return results
def process_alert(self, alert_config):
search_query = SearchQuery(minutes=int(alert_config.time_window))
terms = []
for i in alert_config.filters:
terms.append(TermMatch(i[0], i[1]))
terms.append(QueryStringMatch(str(alert_config.search_string)))
search_query.add_must(terms)
self.filtersManual(search_query)
self.searchEventsAggregated(alert_config.aggregation_key, samplesLimit=int(alert_config.num_samples))
self.walkAggregations(threshold=int(alert_config.num_aggregations), config=alert_config)
def query_tests(self):
tests = {
QueryStringMatch('summary: test'): [
{
'summary': 'test'
},
],
QueryStringMatch('summary: test conf'): [
{
'summary': 'test'
},
{
'summary': 'conf'
},
{
'summary': 'test conf'
},
],
}
return tests
def query_tests(self):
tests = {
QueryStringMatch('summary: test'): [
{'summary': 'example summary'},
{'summary': 'example summary tes'},
{'summary': 'testing'},
{'note': 'test'},
],
QueryStringMatch('summary: test conf'): [
{'summary': 'testing'},
{'summary': 'configuration'},
{'summary': 'testing configuration'},
],
QueryStringMatch(hostname_test_regex): [
{'hostname': ''},
{'hostname': 'host.subdomain.company.com'},
{'hostname': 'host.subdomain.domain1.company.com'},
{'hostname': 'groupa.abc.company.com'},
{'hostname': 'asub.subdomain.company.com'},
{'hostname': 'example.com'},
{'hostname': 'abc.company.com'},
{'hostname': 'host1.groupa.asubdomain.company.com'},
{'hostname': 'host1.groupa.subdomaina.company.com'},
{'hostname': 'host1.groupaa.subdomain.company.com'},
{'hostname': 'host1.agroupb.subdomain.company.com'},
],
QueryStringMatch(filename_matcher): [
{'summary': 'test.exe.abcd'},
{'summary': 'testexe'},
{'summary': 'test.1234'},
{'summary': '.exe.test'},
],
}
return tests
def main(self):
search_query = SearchQuery(minutes=2)
search_query.add_must([
TermMatch('category', 'promiscuous'),
PhraseMatch('summary', 'promiscuous'),
PhraseMatch('summary', 'on')
])
search_query.add_must_not([
QueryStringMatch('details.dev: veth*'),
])
self.filtersManual(search_query)
self.searchEventsSimple()
self.walkEvents()
def main(self):
search_query = SearchQuery(minutes=2)
search_query.add_must([
TermMatch('category', 'syslog'),
PhraseMatch('summary', 'promiscuous'),
PhraseMatch('summary', 'entered')
])
search_query.add_must_not([
QueryStringMatch('summary: veth*'),
])
self.filtersManual(search_query)
self.searchEventsAggregated('hostname', samplesLimit=10)
self.walkAggregations(threshold=1)
def main(self):
# look for events in last X mins
search_query = SearchQuery(minutes=5)
search_query.add_must([
TermMatch('_type', 'auditd'),
TermMatch('details.user', 'confluence'),
QueryStringMatch('hostname: /.*(mana|confluence).*/'),
])
search_query.add_must_not(TermMatch('details.originaluser', 'root'))
self.filtersManual(search_query)
# Search aggregations on field 'sourceipaddress', keep X samples of
# events at most
self.searchEventsAggregated('hostname', samplesLimit=10)
# alert when >= X matching events in an aggregation
# in this case, always
self.walkAggregations(threshold=1)
def main(self):
search_query = SearchQuery(minutes=15)
self.parse_config('ssh_access_signreleng.conf', ['hostfilter', 'users', 'ircchannel'])
if self.config.ircchannel == '':
self.config.ircchannel = None
search_query.add_must([
TermMatch('tags', 'releng'),
TermMatch('details.program', 'sshd'),
QueryStringMatch('details.hostname: /{}/'.format(self.config.hostfilter)),
PhraseMatch('summary', 'Accepted publickey for ')
])
for x in self.config.users.split():
search_query.add_must_not(PhraseMatch('summary', x))
self.filtersManual(search_query)
self.searchEventsSimple()
self.walkEvents()
def main(self):
self.config_file = './unauth_ssh.conf'
self.config = None
self.initConfiguration()
search_query = SearchQuery(minutes=30)
search_query.add_must([
TermMatch('category', 'syslog'),
TermMatch('details.program', 'sshd'),
QueryStringMatch('details.hostname: /{}/'.format(
self.config.hostfilter)),
PhraseMatch('summary',
'Accepted publickey for {}'.format(self.config.user))
])
for x in self.config.skiphosts:
search_query.add_must_not(PhraseMatch('summary', x))
self.filtersManual(search_query)
self.searchEventsSimple()
self.walkEvents()
def main(self):
superquery = None
run = 0
for user in self._config['users'].values():
if run == 0:
superquery = PhraseMatch('summary', user)
else:
superquery |= PhraseMatch('summary', user)
run += 1
search_query = SearchQuery(minutes=10)
search_query.add_must([
TermMatch('_type', 'event'),
TermMatch('category', 'syslog'),
TermMatch('details.program', 'sshd'),
QueryStringMatch('summary:"session opened"'),
])
for expectedtime in self._config['scan_expected'].values():
r1 = datetime.datetime.now().replace(
hour=int(expectedtime['start_hour']),
minute=int(expectedtime['start_minute']),
second=int(expectedtime['start_second'])).isoformat()
r2 = datetime.datetime.now().replace(
hour=int(expectedtime['end_hour']),
minute=int(expectedtime['end_minute']),
second=int(expectedtime['end_second'])).isoformat()
search_query.add_must_not([RangeMatch('utctimestamp', r1, r2)])
search_query.add_must(superquery)
self.filtersManual(search_query)
self.searchEventsAggregated('details.program', samplesLimit=10)
self.walkAggregations(threshold=1)