    def run(self, idmef):
        """Correlate one source address replaying the same event against many targets.

        A context keyed ``SCAN_EVENTSWEEP_<classification><saddr>`` is kept per
        (classification, source address) pair.  A target address that the context
        has already recorded is not counted again; every new target appends the
        message's source/target/alertident to the context.  When the context's
        threshold is used up (``CheckAndDecThreshold``, presumably True once the
        counter hits zero -- confirm in Context) an "Eventsweep" correlation
        alert is emitted and the context is destroyed.

        Args:
            idmef: the incoming IDMEF message, read through ``Get``.

        Returns:
            None.  Messages without classification, source or target addresses
            are ignored.
        """
        classification = idmef.Get("alert.classification.text")
        source = idmef.Get("alert.source(*).node.address(*).address")
        target = idmef.Get("alert.target(*).node.address(*).address")

        # Nothing to key on, or nothing to count: not a sweep candidate.
        if not (classification and source and target):
            return

        for saddr in source:
            # NOTE(review): the key joins free-text classification and the
            # sensor-reported address with no separator; distinct pairs could
            # in principle alias to the same context name.
            name = "SCAN_EVENTSWEEP_" + classification + saddr
            ctx = Context(name, { "expire": 60, "threshold": 30 }, update = True)

            known = ctx.Get("alert.target(*).node.address(*).address")
            # A target already recorded for this (classification, source)
            # does not advance the threshold a second time.
            already_seen = bool(known) and any(addr in known for addr in target)
            if already_seen:
                continue

            ctx.Set("alert.source(>>)", idmef.Get("alert.source"))
            ctx.Set("alert.target(>>)", idmef.Get("alert.target"))
            ctx.Set("alert.correlation_alert.alertident(>>).alertident", idmef.Get("alert.messageid"))
            # The last analyzer in the chain is the one that emitted this message.
            ctx.Set("alert.correlation_alert.alertident(-1).analyzerid", idmef.Get("alert.analyzer(*).analyzerid")[-1])

            if not ctx.CheckAndDecThreshold():
                continue

            ctx.Set("alert.correlation_alert.name", "A single host has played the same event against multiple targets. This may be a network scan for a specific vulnerability")
            ctx.Set("alert.classification.text", "Eventsweep")
            ctx.Set("alert.assessment.impact.severity", "high")
            ctx.alert()
            ctx.destroy()
    def run(self, idmef):
        """Correlate an unusually high event rate from a single source address.

        One context keyed ``SCAN_EVENTSTORM_<saddr>`` is kept per source
        address; every message appends its source/target/alertident to it.
        When the context's threshold is exhausted (``CheckAndDecThreshold``,
        presumably True once the counter reaches zero -- confirm in Context)
        an "Eventstorm" correlation alert is raised and the context destroyed.

        Args:
            idmef: the incoming IDMEF message, read through ``Get``.

        Returns:
            None.  Messages without a source address are ignored.
        """
        addresses = idmef.Get("alert.source(*).node.address(*).address")
        if not addresses:
            return

        def record(ctx):
            # Attach this message's source, target and identifiers to the context.
            ctx.Set("alert.source(>>)", idmef.Get("alert.source"))
            ctx.Set("alert.target(>>)", idmef.Get("alert.target"))
            ctx.Set("alert.correlation_alert.alertident(>>).alertident", idmef.Get("alert.messageid"))
            # Last analyzer in the chain is the emitter of this message.
            ctx.Set("alert.correlation_alert.alertident(-1).analyzerid", idmef.Get("alert.analyzer(*).analyzerid")[-1])

        for saddr in addresses:
            ctx = Context("SCAN_EVENTSTORM_" + saddr, { "expire": 120, "threshold": 150 }, update = True)
            record(ctx)

            if not ctx.CheckAndDecThreshold():
                continue

            ctx.Set("alert.correlation_alert.name", "A single host is producing an unusual amount of events")
            ctx.Set("alert.classification.text", "Eventstorm")
            ctx.Set("alert.assessment.impact.severity", "high")
            ctx.alert()
            ctx.destroy()
    def _BruteUserForce(self, idmef):
        """Count failed-login events per targeted user name.

        One context keyed ``BRUTE_U_<user>`` is kept per user id named in the
        message's targets; each message appends its source/target/alertident.
        Once the context's threshold is used up (``CheckAndDecThreshold``,
        presumably True when the counter reaches zero -- confirm in Context) a
        "Brute force attack" correlation alert is emitted and the context
        destroyed.

        Args:
            idmef: the incoming IDMEF message, read through ``Get``.

        Returns:
            None.  Messages that name no target user are ignored.
        """
        names = idmef.Get("alert.target(*).user.user_id(*).name")
        if not names:
            return

        for user in names:
            ctx = Context("BRUTE_U_" + user, { "expire": 120, "threshold": 2 }, update = True)

            ctx.Set("alert.source(>>)", idmef.Get("alert.source"))
            ctx.Set("alert.target(>>)", idmef.Get("alert.target"))
            ctx.Set("alert.correlation_alert.alertident(>>).alertident", idmef.Get("alert.messageid"))
            # Last analyzer in the chain is the emitter of this message.
            ctx.Set("alert.correlation_alert.alertident(-1).analyzerid", idmef.Get("alert.analyzer(*).analyzerid")[-1])

            if not ctx.CheckAndDecThreshold():
                continue

            ctx.Set("alert.classification.text", "Brute force attack")
            ctx.Set("alert.correlation_alert.name", "Multiple failed login")
            ctx.Set("alert.assessment.impact.severity", "high")
            ctx.Set("alert.assessment.impact.description", "Multiple failed attempts have been made to login to a user account")
            ctx.alert()
            ctx.destroy()
    def run(self, idmef):
        """Correlate many events from one source against one target.

        One context keyed ``SCAN_EVENTSCAN_<saddr><daddr>`` is kept per
        (source, target) address pair; each message appends its alertident
        and source/target to it.  When the context's threshold is exhausted
        (``CheckAndDecThreshold``, presumably True once the counter reaches
        zero -- confirm in Context) an "Eventscan" correlation alert is
        raised and the context destroyed.

        Args:
            idmef: the incoming IDMEF message, read through ``Get``.

        Returns:
            None.  Messages lacking a source or target address are ignored.
        """
        sources = idmef.Get("alert.source(*).node.address(*).address")
        targets = idmef.Get("alert.target(*).node.address(*).address")

        if not (sources and targets):
            return

        for saddr in sources:
            for daddr in targets:
                # NOTE(review): the two sensor-reported addresses are joined
                # with no separator; distinct pairs could in principle alias.
                name = "SCAN_EVENTSCAN_" + saddr + daddr
                ctx = Context(name, { "expire": 60, "threshold": 30 }, update = True)

                ctx.Set("alert.correlation_alert.alertident(>>).alertident", idmef.Get("alert.messageid"))
                # Last analyzer in the chain is the emitter of this message.
                ctx.Set("alert.correlation_alert.alertident(-1).analyzerid", idmef.Get("alert.analyzer(*).analyzerid")[-1])
                ctx.Set("alert.source(>>)", idmef.Get("alert.source"))
                ctx.Set("alert.target(>>)", idmef.Get("alert.target"))

                if not ctx.CheckAndDecThreshold():
                    continue

                ctx.Set("alert.correlation_alert.name", "A single host has played many events against a single target. This may be a vulnerability scan")
                ctx.Set("alert.classification.text", "Eventscan")
                ctx.Set("alert.assessment.impact.severity", "high")
                ctx.alert()
                ctx.destroy()
    def _BruteForce(self, idmef):
        """Count failed-login events per (source, target) address pair.

        One context keyed ``BRUTE_ST_<source><target>`` is kept per pair;
        each message appends its source/target/alertident to it.  Once the
        context's threshold is used up (``CheckAndDecThreshold``, presumably
        True when the counter reaches zero -- confirm in Context) a
        "Brute force attack" correlation alert is emitted and the context
        destroyed.

        Args:
            idmef: the incoming IDMEF message, read through ``Get``.

        Returns:
            None.  Messages lacking a source or target address are ignored.
        """
        sources = idmef.Get("alert.source(*).node.address(*).address")
        targets = idmef.Get("alert.target(*).node.address(*).address")
        if not (sources and targets):
            return

        for saddr in sources:
            for daddr in targets:
                # NOTE(review): addresses are joined with no separator, so
                # distinct (source, target) pairs could in principle alias.
                name = "BRUTE_ST_" + saddr + daddr
                ctx = Context(name, { "expire": 2, "threshold": 5 }, update = True)

                ctx.Set("alert.source(>>)", idmef.Get("alert.source"))
                ctx.Set("alert.target(>>)", idmef.Get("alert.target"))
                ctx.Set("alert.correlation_alert.alertident(>>).alertident", idmef.Get("alert.messageid"))
                # Last analyzer in the chain is the emitter of this message.
                ctx.Set("alert.correlation_alert.alertident(-1).analyzerid", idmef.Get("alert.analyzer(*).analyzerid")[-1])

                if not ctx.CheckAndDecThreshold():
                    continue

                ctx.Set("alert.classification.text", "Brute force attack")
                ctx.Set("alert.correlation_alert.name", "Multiple failed login")
                ctx.Set("alert.assessment.impact.severity", "high")
                ctx.Set("alert.assessment.impact.description", "Multiple failed attempts have been made to login to a user account")
                ctx.alert()
                ctx.destroy()
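    def run(self, idmef):
        """Flag a user who succeeds at SSH login to one host with more than one method.

        Only successful OpenSSH logins are considered.  The authentication
        method is taken from the ``additional_data`` entry whose meaning is
        "Authentication method".  One context keyed ``SSH_MAT_<target><username>``
        is kept per (target address, user name); the first sighting stores the
        method on the context as ``authtype``, and a later sighting with a
        different method raises a "Multiple authentication methods" alert and
        destroys the context.

        Args:
            idmef: the incoming IDMEF message, read through ``Get``.

        Returns:
            None.  Messages from other analyzers, failed logins, messages
            without an "Authentication method" entry, and messages naming no
            target user or address are ignored.
        """
        if idmef.Get("alert.analyzer(-1).manufacturer") != "OpenSSH":
            return

        if idmef.Get("alert.assessment.impact.completion") != "succeeded":
            return

        # Locate the additional_data entry that carries the auth method.  A
        # missing list and a list without the entry are both "nothing to do";
        # the former used to be swallowed by a bare except together with
        # every other error.
        meanings = idmef.Get("alert.additional_data(*).meaning")
        if not meanings:
            return
        try:
            idx = meanings.index("Authentication method")
        except ValueError:
            return

        data = idmef.Get("alert.additional_data(%d).data" % idx)

        usernames = idmef.Get("alert.target(*).user.user_id(*).name")
        targets = idmef.Get("alert.target(*).node.address(*).address")
        # Previously a missing user or address list raised TypeError from the
        # for-loop; treat it as "nothing to correlate" like the other rules.
        if not usernames or not targets:
            return

        for username in usernames:
            for target in targets:
                # NOTE(review): no "expire" is given here, unlike the other
                # rules; whether Context applies a default lifetime is not
                # visible from this file -- confirm, or the context persists
                # until a mismatch destroys it.
                ctx = Context("SSH_MAT_" + target + username, {"threshold": 1}, update = True)
                ctx.Set("alert.source(>>)", idmef.Get("alert.source"))
                ctx.Set("alert.target(>>)", idmef.Get("alert.target"))
                ctx.Set("alert.correlation_alert.alertident(>>).alertident", idmef.Get("alert.messageid"))
                # Last analyzer in the chain is the emitter of this message.
                ctx.Set("alert.correlation_alert.alertident(-1).analyzerid", idmef.Get("alert.analyzer(*).analyzerid")[-1])

                if not hasattr(ctx, "authtype"):
                    # First login seen for this (host, user): remember the method.
                    ctx.authtype = data
                elif ctx.authtype != data:
                    ctx.Set("alert.classification.text", "Multiple authentication methods")
                    ctx.Set("alert.correlation_alert.name", "Multiple authentication methods")
                    ctx.Set("alert.assessment.impact.severity", "medium")
                    ctx.Set("alert.assessment.impact.description", "Multiple ways of authenticating a single user have been found over SSH. If passphrase is the only allowed method, make sure you disable passwords.")
                    ctx.alert()
                    ctx.destroy()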