def __init__(self, config):
Process.__init__(self)
self.name = 'RuleEngine'
self.config = config
self.database = DatabaseHandler(self.config.name)
self.logutil = KBLogUtil(self.config.name, self.name)
self.wids = WIDSClient(self.config.server_ip, self.config.server_port)
self.active = None
self.rules = []
#///dev///
self.rules.append(rule1)
def __init__(self, settings, config, shutdown_event, name):
Process.__init__(self)
self.name = name
self.settings = settings
self.config = config
self.shutdown_event = shutdown_event
self.database = DatabaseHandler(self.config.name)
self.logutil = KBLogUtil(self.config.name, self.name, None)
self.wids_api = WIDSClient(self.config.server_ip,
self.config.server_port)
self.tasks = {}
self.active = False
self.running = False
def __init__(self, config):
Process.__init__(self)
self.name = 'RuleEngine'
self.config = config
self.database = DatabaseHandler(self.config.name)
self.logutil = KBLogUtil(self.config.name, self.name)
self.wids = WIDSClient(self.config.server_ip, self.config.server_port)
self.active = None
self.rules = []
#///dev///
self.rules.append(rule1)
def __init__(self, settings, config, shutdown_event, name):
Process.__init__(self)
self.name = name
self.settings = settings
self.config = config
self.shutdown_event = shutdown_event
self.database = DatabaseHandler(self.config.name)
self.logutil = KBLogUtil(self.config.name, self.name, None)
self.wids_api = WIDSClient(self.config.server_ip, self.config.server_port)
self.tasks = {}
self.active = False
self.running = False
class RuleEngine(Process):
def __init__(self, config):
Process.__init__(self)
self.name = 'RuleEngine'
self.config = config
self.database = DatabaseHandler(self.config.name)
self.logutil = KBLogUtil(self.config.name, self.name)
self.wids = WIDSClient(self.config.server_ip, self.config.server_port)
self.active = None
self.rules = []
#///dev///
self.rules.append(rule1)
#////////
def run(self):
self.logutil.log('Starting Execution')
self.active = True
self.start_time = dateToMicro(datetime.utcnow())
while self.active:
if DEV_DEBUG:
self.logutil.debug('Checking for new rules')
time.sleep(3)
# check server for new rules: 'GET /rules/updatecheck', if so load new rules
'''
if self.wids.checkNewRules():
new_rules = self.wids.getNewRules()
'''
# evaluate each rule serially
self.logutil.debug('Evaluating rules')
for RuleObject in self.rules:
self.evaluateRule(RuleObject)
self.logutil.log('Terminating Execution')
# TODO - replace the internal database with a REST call to query database for events
def evaluateRule(self, RuleObject):
try:
self.logutil.dev('Evaluating Rule: {0} (EventIndex: {1})'.format(RuleObject.name, RuleObject.event_index))
for condition in RuleObject.conditions:
module = condition[0]
event = condition[1]
count = condition[2]
# TODO - replace this direct database query with REST call ????
query = self.database.session.query(Event).filter(Event.module == module).filter(Event.name == event).filter(Event.datetime > self.start_time).filter(Event.id > RuleObject.event_index)
results_count = query.limit(count).count()
self.logutil.dev('Event: {0} - Found: {1} (Events Needed: {2})'.format(event, results_count, count))
if not results_count >= count:
return False
last_result = query.order_by(Event.id.desc()).limit(count).first()
RuleObject.event_index = last_result.id
self.logutil.log('>>> Rule Conditions Met ({0})'.format(RuleObject.name))
for action in RuleObject.actions:
actionType = action[0]
actionParams = action[1]
if actionType == 'GenerateAlert':
self.action_GenerateAlert(RuleObject.name, actionParams)
if actionType == 'GenerateLog':
self.action_GenerateLog(RuleObject.name, actionParams)
except Exception:
traceback.print_exc()
def action_GenerateLog(self, rule_name, action_parameters):
self.logutil.log('Execution GenerateLog Action for Rule {0}'.format(rule_name))
pass
def action_GenerateAlert(self, rule_name, action_parameters):
self.logutil.log('Executing GenerateAlert Action for Rule {0}'.format(rule_name))
self.wids.generateAlert(rule_name)
def shutdown(self):
self.active = False
self.terminate()
class AnalyticModule(Process):
def __init__(self, settings, config, shutdown_event, name):
Process.__init__(self)
self.name = name
self.settings = settings
self.config = config
self.shutdown_event = shutdown_event
self.database = DatabaseHandler(self.config.name)
self.logutil = KBLogUtil(self.config.name, self.name, None)
self.wids_api = WIDSClient(self.config.server_ip, self.config.server_port)
self.tasks = {}
self.active = False
self.running = False
def SIGTERM(self,a,b):
self.logutil.log('SIGTERM')
self.shutdown()
def moduleIndex(self):
return self.settings.get('module_index')
def waitForWIDS(self):
while not self.wids_api.isActive():
sleep(0.1)
def taskDrone(self, droneIndexList, task_plugin, task_channel, task_parameters, module_index):
try:
task_uuid = str((uuid4()))
(error,data) = self.wids_api.taskDrone(droneIndexList, task_uuid, task_plugin, task_channel, task_parameters, module_index)
if error == None:
self.tasks[task_uuid] = {'plugin':task_plugin, 'channel':task_channel, 'parameters':task_parameters, 'drones':droneIndexList, 'uuid':task_uuid, 'module_index':module_index}
return task_uuid
else:
return False
except Exception:
etb = traceback.format_exc()
self.logutil.trace(etb)
return False
def detaskDrone(self, droneIndexList, uuid):
self.logutil.log('Detasking UUID: {0} from Drones: {1}'.format(uuid,droneIndexList))
try:
self.wids_api.detaskDrone(droneIndexList, uuid)
except Exception:
etb = traceback.format_exc()
self.logutil.trace(etb)
def detaskAll(self):
self.logutil.log('Detasking all active tasks ({0} found)'.format(len(self.tasks.values())))
for task in self.tasks.values():
uuid = task.get('uuid')
droneIndexList = task.get('drones')
self.detaskDrone(droneIndexList, uuid)
def getPackets(self, valueFilterList=[], uuidFilterList=[], new=False, maxcount=0, count=False):
return self.database.getPackets(valueFilterList, uuidFilterList, new, maxcount, count)
def getEvents(self, valueFilterList=[], new=False, maxcount=0, count=False):
return self.database.getPackets(valueFilterList, new, maxcount, count)
def registerEvent(self, name, details={}, related_packets=[], related_uuids=[]):
event_data = {'module':self.name, 'name':name, 'details':details, 'related_packets':related_packets, 'related_uuids':related_uuids, 'datetime':dateToMicro(datetime.utcnow())}
return self.database.storeEvent(event_data)
def generateAlert(self, alert_name):
return self.database.storeAlert(alert_name)
def cleanup(self):
'''
This should be overridden by modules which need to do housekeeping
before shutdown.
'''
pass
def shutdown(self, detask=True):
self.logutil.log('Received Shutdown Request')
self.cleanup()
self.logutil.log('Module Shutdown Complete')
sys.exit()
class AnalyticModule(Process):
def __init__(self, settings, config, shutdown_event, name):
Process.__init__(self)
self.name = name
self.settings = settings
self.config = config
self.shutdown_event = shutdown_event
self.database = DatabaseHandler(self.config.name)
self.logutil = KBLogUtil(self.config.name, self.name, None)
self.wids_api = WIDSClient(self.config.server_ip,
self.config.server_port)
self.tasks = {}
self.active = False
self.running = False
def SIGTERM(self, a, b):
self.logutil.log('SIGTERM')
self.shutdown()
def moduleIndex(self):
return self.settings.get('module_index')
def waitForWIDS(self):
while not self.wids_api.isActive():
sleep(0.1)
def taskDrone(self, droneIndexList, task_plugin, task_channel,
task_parameters, module_index):
try:
task_uuid = str((uuid4()))
(error, data) = self.wids_api.taskDrone(droneIndexList, task_uuid,
task_plugin, task_channel,
task_parameters,
module_index)
if error == None:
self.tasks[task_uuid] = {
'plugin': task_plugin,
'channel': task_channel,
'parameters': task_parameters,
'drones': droneIndexList,
'uuid': task_uuid,
'module_index': module_index
}
return task_uuid
else:
return False
except Exception:
etb = traceback.format_exc()
self.logutil.trace(etb)
return False
def detaskDrone(self, droneIndexList, uuid):
self.logutil.log('Detasking UUID: {0} from Drones: {1}'.format(
uuid, droneIndexList))
try:
self.wids_api.detaskDrone(droneIndexList, uuid)
except Exception:
etb = traceback.format_exc()
self.logutil.trace(etb)
def detaskAll(self):
self.logutil.log('Detasking all active tasks ({0} found)'.format(
len(self.tasks.values())))
for task in self.tasks.values():
uuid = task.get('uuid')
droneIndexList = task.get('drones')
self.detaskDrone(droneIndexList, uuid)
def getPackets(self,
valueFilterList=[],
uuidFilterList=[],
new=False,
maxcount=0,
count=False):
return self.database.getPackets(valueFilterList, uuidFilterList, new,
maxcount, count)
def getEvents(self,
valueFilterList=[],
new=False,
maxcount=0,
count=False):
return self.database.getPackets(valueFilterList, new, maxcount, count)
def registerEvent(self,
name,
details={},
related_packets=[],
related_uuids=[]):
event_data = {
'module': self.name,
'name': name,
'details': details,
'related_packets': related_packets,
'related_uuids': related_uuids,
'datetime': dateToMicro(datetime.utcnow())
}
return self.database.storeEvent(event_data)
def generateAlert(self, alert_name):
return self.database.storeAlert(alert_name)
def cleanup(self):
'''
This should be overridden by modules which need to do housekeeping
before shutdown.
'''
pass
def shutdown(self, detask=True):
self.logutil.log('Received Shutdown Request')
self.cleanup()
self.logutil.log('Module Shutdown Complete')
sys.exit()
class RuleEngine(Process):
def __init__(self, config):
Process.__init__(self)
self.name = 'RuleEngine'
self.config = config
self.database = DatabaseHandler(self.config.name)
self.logutil = KBLogUtil(self.config.name, self.name)
self.wids = WIDSClient(self.config.server_ip, self.config.server_port)
self.active = None
self.rules = []
#///dev///
self.rules.append(rule1)
#////////
def run(self):
self.logutil.log('Starting Execution')
self.active = True
self.start_time = dateToMicro(datetime.utcnow())
while self.active:
if DEV_DEBUG:
self.logutil.debug('Checking for new rules')
time.sleep(3)
# check server for new rules: 'GET /rules/updatecheck', if so load new rules
'''
if self.wids.checkNewRules():
new_rules = self.wids.getNewRules()
'''
# evaluate each rule serially
self.logutil.debug('Evaluating rules')
for RuleObject in self.rules:
self.evaluateRule(RuleObject)
self.logutil.log('Terminating Execution')
# TODO - replace the internal database with a REST call to query database for events
def evaluateRule(self, RuleObject):
try:
self.logutil.dev('Evaluating Rule: {0} (EventIndex: {1})'.format(
RuleObject.name, RuleObject.event_index))
for condition in RuleObject.conditions:
module = condition[0]
event = condition[1]
count = condition[2]
# TODO - replace this direct database query with REST call ????
query = self.database.session.query(Event).filter(
Event.module == module).filter(Event.name == event).filter(
Event.datetime > self.start_time).filter(
Event.id > RuleObject.event_index)
results_count = query.limit(count).count()
self.logutil.dev(
'Event: {0} - Found: {1} (Events Needed: {2})'.format(
event, results_count, count))
if not results_count >= count:
return False
last_result = query.order_by(
Event.id.desc()).limit(count).first()
RuleObject.event_index = last_result.id
self.logutil.log('>>> Rule Conditions Met ({0})'.format(
RuleObject.name))
for action in RuleObject.actions:
actionType = action[0]
actionParams = action[1]
if actionType == 'GenerateAlert':
self.action_GenerateAlert(RuleObject.name,
actionParams)
if actionType == 'GenerateLog':
self.action_GenerateLog(RuleObject.name, actionParams)
except Exception:
traceback.print_exc()
def action_GenerateLog(self, rule_name, action_parameters):
self.logutil.log(
'Execution GenerateLog Action for Rule {0}'.format(rule_name))
pass
def action_GenerateAlert(self, rule_name, action_parameters):
self.logutil.log(
'Executing GenerateAlert Action for Rule {0}'.format(rule_name))
self.wids.generateAlert(rule_name)
def shutdown(self):
self.active = False
self.terminate()
