def __init__(self, config): Process.__init__(self) self.name = 'RuleEngine' self.config = config self.database = DatabaseHandler(self.config.name) self.logutil = KBLogUtil(self.config.name, self.name) self.wids = WIDSClient(self.config.server_ip, self.config.server_port) self.active = None self.rules = [] #///dev/// self.rules.append(rule1)
def __init__(self, settings, config, shutdown_event, name): Process.__init__(self) self.name = name self.settings = settings self.config = config self.shutdown_event = shutdown_event self.database = DatabaseHandler(self.config.name) self.logutil = KBLogUtil(self.config.name, self.name, None) self.wids_api = WIDSClient(self.config.server_ip, self.config.server_port) self.tasks = {} self.active = False self.running = False
def __init__(self, config): Process.__init__(self) self.name = 'RuleEngine' self.config = config self.database = DatabaseHandler(self.config.name) self.logutil = KBLogUtil(self.config.name, self.name) self.wids = WIDSClient(self.config.server_ip, self.config.server_port) self.active = None self.rules = [] #///dev/// self.rules.append(rule1)
def __init__(self, settings, config, shutdown_event, name): Process.__init__(self) self.name = name self.settings = settings self.config = config self.shutdown_event = shutdown_event self.database = DatabaseHandler(self.config.name) self.logutil = KBLogUtil(self.config.name, self.name, None) self.wids_api = WIDSClient(self.config.server_ip, self.config.server_port) self.tasks = {} self.active = False self.running = False
class RuleEngine(Process): def __init__(self, config): Process.__init__(self) self.name = 'RuleEngine' self.config = config self.database = DatabaseHandler(self.config.name) self.logutil = KBLogUtil(self.config.name, self.name) self.wids = WIDSClient(self.config.server_ip, self.config.server_port) self.active = None self.rules = [] #///dev/// self.rules.append(rule1) #//////// def run(self): self.logutil.log('Starting Execution') self.active = True self.start_time = dateToMicro(datetime.utcnow()) while self.active: if DEV_DEBUG: self.logutil.debug('Checking for new rules') time.sleep(3) # check server for new rules: 'GET /rules/updatecheck', if so load new rules ''' if self.wids.checkNewRules(): new_rules = self.wids.getNewRules() ''' # evaluate each rule serially self.logutil.debug('Evaluating rules') for RuleObject in self.rules: self.evaluateRule(RuleObject) self.logutil.log('Terminating Execution') # TODO - replace the internal database with a REST call to query database for events def evaluateRule(self, RuleObject): try: self.logutil.dev('Evaluating Rule: {0} (EventIndex: {1})'.format(RuleObject.name, RuleObject.event_index)) for condition in RuleObject.conditions: module = condition[0] event = condition[1] count = condition[2] # TODO - replace this direct database query with REST call ???? query = self.database.session.query(Event).filter(Event.module == module).filter(Event.name == event).filter(Event.datetime > self.start_time).filter(Event.id > RuleObject.event_index) results_count = query.limit(count).count() self.logutil.dev('Event: {0} - Found: {1} (Events Needed: {2})'.format(event, results_count, count)) if not results_count >= count: return False last_result = query.order_by(Event.id.desc()).limit(count).first() RuleObject.event_index = last_result.id self.logutil.log('>>> Rule Conditions Met ({0})'.format(RuleObject.name)) for action in RuleObject.actions: actionType = action[0] actionParams = action[1] if actionType == 'GenerateAlert': self.action_GenerateAlert(RuleObject.name, actionParams) if actionType == 'GenerateLog': self.action_GenerateLog(RuleObject.name, actionParams) except Exception: traceback.print_exc() def action_GenerateLog(self, rule_name, action_parameters): self.logutil.log('Execution GenerateLog Action for Rule {0}'.format(rule_name)) pass def action_GenerateAlert(self, rule_name, action_parameters): self.logutil.log('Executing GenerateAlert Action for Rule {0}'.format(rule_name)) self.wids.generateAlert(rule_name) def shutdown(self): self.active = False self.terminate()
class AnalyticModule(Process): def __init__(self, settings, config, shutdown_event, name): Process.__init__(self) self.name = name self.settings = settings self.config = config self.shutdown_event = shutdown_event self.database = DatabaseHandler(self.config.name) self.logutil = KBLogUtil(self.config.name, self.name, None) self.wids_api = WIDSClient(self.config.server_ip, self.config.server_port) self.tasks = {} self.active = False self.running = False def SIGTERM(self,a,b): self.logutil.log('SIGTERM') self.shutdown() def moduleIndex(self): return self.settings.get('module_index') def waitForWIDS(self): while not self.wids_api.isActive(): sleep(0.1) def taskDrone(self, droneIndexList, task_plugin, task_channel, task_parameters, module_index): try: task_uuid = str((uuid4())) (error,data) = self.wids_api.taskDrone(droneIndexList, task_uuid, task_plugin, task_channel, task_parameters, module_index) if error == None: self.tasks[task_uuid] = {'plugin':task_plugin, 'channel':task_channel, 'parameters':task_parameters, 'drones':droneIndexList, 'uuid':task_uuid, 'module_index':module_index} return task_uuid else: return False except Exception: etb = traceback.format_exc() self.logutil.trace(etb) return False def detaskDrone(self, droneIndexList, uuid): self.logutil.log('Detasking UUID: {0} from Drones: {1}'.format(uuid,droneIndexList)) try: self.wids_api.detaskDrone(droneIndexList, uuid) except Exception: etb = traceback.format_exc() self.logutil.trace(etb) def detaskAll(self): self.logutil.log('Detasking all active tasks ({0} found)'.format(len(self.tasks.values()))) for task in self.tasks.values(): uuid = task.get('uuid') droneIndexList = task.get('drones') self.detaskDrone(droneIndexList, uuid) def getPackets(self, valueFilterList=[], uuidFilterList=[], new=False, maxcount=0, count=False): return self.database.getPackets(valueFilterList, uuidFilterList, new, maxcount, count) def getEvents(self, valueFilterList=[], new=False, maxcount=0, count=False): return self.database.getPackets(valueFilterList, new, maxcount, count) def registerEvent(self, name, details={}, related_packets=[], related_uuids=[]): event_data = {'module':self.name, 'name':name, 'details':details, 'related_packets':related_packets, 'related_uuids':related_uuids, 'datetime':dateToMicro(datetime.utcnow())} return self.database.storeEvent(event_data) def generateAlert(self, alert_name): return self.database.storeAlert(alert_name) def cleanup(self): ''' This should be overridden by modules which need to do housekeeping before shutdown. ''' pass def shutdown(self, detask=True): self.logutil.log('Received Shutdown Request') self.cleanup() self.logutil.log('Module Shutdown Complete') sys.exit()
class AnalyticModule(Process): def __init__(self, settings, config, shutdown_event, name): Process.__init__(self) self.name = name self.settings = settings self.config = config self.shutdown_event = shutdown_event self.database = DatabaseHandler(self.config.name) self.logutil = KBLogUtil(self.config.name, self.name, None) self.wids_api = WIDSClient(self.config.server_ip, self.config.server_port) self.tasks = {} self.active = False self.running = False def SIGTERM(self, a, b): self.logutil.log('SIGTERM') self.shutdown() def moduleIndex(self): return self.settings.get('module_index') def waitForWIDS(self): while not self.wids_api.isActive(): sleep(0.1) def taskDrone(self, droneIndexList, task_plugin, task_channel, task_parameters, module_index): try: task_uuid = str((uuid4())) (error, data) = self.wids_api.taskDrone(droneIndexList, task_uuid, task_plugin, task_channel, task_parameters, module_index) if error == None: self.tasks[task_uuid] = { 'plugin': task_plugin, 'channel': task_channel, 'parameters': task_parameters, 'drones': droneIndexList, 'uuid': task_uuid, 'module_index': module_index } return task_uuid else: return False except Exception: etb = traceback.format_exc() self.logutil.trace(etb) return False def detaskDrone(self, droneIndexList, uuid): self.logutil.log('Detasking UUID: {0} from Drones: {1}'.format( uuid, droneIndexList)) try: self.wids_api.detaskDrone(droneIndexList, uuid) except Exception: etb = traceback.format_exc() self.logutil.trace(etb) def detaskAll(self): self.logutil.log('Detasking all active tasks ({0} found)'.format( len(self.tasks.values()))) for task in self.tasks.values(): uuid = task.get('uuid') droneIndexList = task.get('drones') self.detaskDrone(droneIndexList, uuid) def getPackets(self, valueFilterList=[], uuidFilterList=[], new=False, maxcount=0, count=False): return self.database.getPackets(valueFilterList, uuidFilterList, new, maxcount, count) def getEvents(self, valueFilterList=[], new=False, maxcount=0, count=False): return self.database.getPackets(valueFilterList, new, maxcount, count) def registerEvent(self, name, details={}, related_packets=[], related_uuids=[]): event_data = { 'module': self.name, 'name': name, 'details': details, 'related_packets': related_packets, 'related_uuids': related_uuids, 'datetime': dateToMicro(datetime.utcnow()) } return self.database.storeEvent(event_data) def generateAlert(self, alert_name): return self.database.storeAlert(alert_name) def cleanup(self): ''' This should be overridden by modules which need to do housekeeping before shutdown. ''' pass def shutdown(self, detask=True): self.logutil.log('Received Shutdown Request') self.cleanup() self.logutil.log('Module Shutdown Complete') sys.exit()
class RuleEngine(Process): def __init__(self, config): Process.__init__(self) self.name = 'RuleEngine' self.config = config self.database = DatabaseHandler(self.config.name) self.logutil = KBLogUtil(self.config.name, self.name) self.wids = WIDSClient(self.config.server_ip, self.config.server_port) self.active = None self.rules = [] #///dev/// self.rules.append(rule1) #//////// def run(self): self.logutil.log('Starting Execution') self.active = True self.start_time = dateToMicro(datetime.utcnow()) while self.active: if DEV_DEBUG: self.logutil.debug('Checking for new rules') time.sleep(3) # check server for new rules: 'GET /rules/updatecheck', if so load new rules ''' if self.wids.checkNewRules(): new_rules = self.wids.getNewRules() ''' # evaluate each rule serially self.logutil.debug('Evaluating rules') for RuleObject in self.rules: self.evaluateRule(RuleObject) self.logutil.log('Terminating Execution') # TODO - replace the internal database with a REST call to query database for events def evaluateRule(self, RuleObject): try: self.logutil.dev('Evaluating Rule: {0} (EventIndex: {1})'.format( RuleObject.name, RuleObject.event_index)) for condition in RuleObject.conditions: module = condition[0] event = condition[1] count = condition[2] # TODO - replace this direct database query with REST call ???? query = self.database.session.query(Event).filter( Event.module == module).filter(Event.name == event).filter( Event.datetime > self.start_time).filter( Event.id > RuleObject.event_index) results_count = query.limit(count).count() self.logutil.dev( 'Event: {0} - Found: {1} (Events Needed: {2})'.format( event, results_count, count)) if not results_count >= count: return False last_result = query.order_by( Event.id.desc()).limit(count).first() RuleObject.event_index = last_result.id self.logutil.log('>>> Rule Conditions Met ({0})'.format( RuleObject.name)) for action in RuleObject.actions: actionType = action[0] actionParams = action[1] if actionType == 'GenerateAlert': self.action_GenerateAlert(RuleObject.name, actionParams) if actionType == 'GenerateLog': self.action_GenerateLog(RuleObject.name, actionParams) except Exception: traceback.print_exc() def action_GenerateLog(self, rule_name, action_parameters): self.logutil.log( 'Execution GenerateLog Action for Rule {0}'.format(rule_name)) pass def action_GenerateAlert(self, rule_name, action_parameters): self.logutil.log( 'Executing GenerateAlert Action for Rule {0}'.format(rule_name)) self.wids.generateAlert(rule_name) def shutdown(self): self.active = False self.terminate()