示例#1
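    def set_sID_cID():
        """Prompt for a Sguil alert ID, record its sid/cid parts and fetch the alert row.

        The operator enters the ID interactively as ``<sid>.<cid>``.  Both parts
        are formatted unquoted into the MySQL statement below, so they are only
        accepted when they consist of ASCII digits; any other input, and any
        lookup that yields no rows, prints a message and re-prompts instead of
        reaching the database.

        Side effects: sets ``sguilID``, ``alertID``, ``alertType``, ``_sID`` and
        ``_cID`` on the enclosing ``event`` and logs the statement at debug level.

        Returns:
            The last row returned by ``getSguilSql(..., tableSplit=True)``; the
            row's exact shape is defined by that helper, not here.
        """
        import re

        while True:
            # On a retry the attribute already exists, so the prompt must be forced.
            if hasattr(event, 'sguilID'):
                event.setAttribute('sguilID', prompt='Alert ID', header='', force=True)
            else:
                event.setAttribute('sguilID', prompt='Alert ID', header="Sguil Initial Indicator")

            event.setAttribute('alertID', event.sguilID, force=True)
            event.setAttribute('alertType', 'Sguil', force=True)

            parts = event.sguilID.split('.')
            # The query compares sid/cid as bare numbers; refuse anything that is not a
            # plain digit string before it is interpolated into the SQL text.
            if len(parts) != 2 or not all(re.match(r'[0-9]+\Z', part) for part in parts):
                print('Invalid AlertID or DB Error. Try again.\n')
                continue
            sid, cid = parts
            event.setAttribute('_sID', value=sid, force=True)
            event.setAttribute('_cID', value=cid, force=True)

            # Build the statement once and reuse it for both the log line and the call.
            query = ('SELECT timestamp, INET_NTOA(src_ip), INET_NTOA(dst_ip), signature '
                     'FROM event WHERE sid in (%s) AND cid in (%s);' % (sid, cid))
            log.debug('msg="MySQL query statement for alert id" alertID="%s" query="%s"' % (event.sguilID, query))

            try:
                queryResults = getSguilSql(query, sguilserver=SGUIL_SERVER, tableSplit=True)
                # An empty result set raises IndexError here and falls through to a re-prompt.
                return queryResults[-1]
            except IndexError:
                print('Invalid AlertID or DB Error. Try again.\n')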
示例#2
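_DIGITS = frozenset('0123456789')

# One half of the flow query; formatted with (start date, 'src_ip' | 'dst_ip', address).
_SANCP_FLOW_SELECT = (
    "( SELECT sensor.hostname, sancp.sid, sancp.sancpid, sancp.start_time as datetime, sancp.end_time, "
    "INET_NTOA(sancp.src_ip), sancp.src_port, INET_NTOA(sancp.dst_ip), sancp.dst_port, sancp.ip_proto, "
    "sancp.src_pkts, sancp.src_bytes, sancp.dst_pkts, sancp.dst_bytes FROM sancp IGNORE INDEX (p_key) "
    "INNER JOIN sensor ON sancp.sid=sensor.sid WHERE sancp.start_time > '%s' AND sancp.%s = INET_ATON('%s')) "
)


def _is_ipv4(text):
    """Return True when *text* is a dotted-quad IPv4 literal (four decimal octets, each 0-255)."""
    octets = str(text).split('.')
    return len(octets) == 4 and all(
        octet and set(octet) <= _DIGITS and int(octet) <= 255 for octet in octets
    )


def _sancp_flow_query(start_date, ip, limit):
    """Build the UNION of the src_ip and dst_ip sancp selects for one address.

    ``start_date`` is an ISO date string and ``ip`` must already have passed
    ``_is_ipv4``; both are formatted straight into the statement text.
    ``limit`` is placed after LIMIT unchanged.
    """
    halves = [_SANCP_FLOW_SELECT % (start_date, column, ip) for column in ('src_ip', 'dst_ip')]
    return "UNION ".join(halves) + "ORDER BY datetime, src_port ASC LIMIT %s;" % limit


def execute(event):
    """Pull sancp flow records for each address on *event* and push them to Splunk.

    For every address in ``event.ip_address_list`` (falling back to a one-item
    list built from ``event.ip_address``) the flow query is run via
    ``getSguilSql`` and each result row is appended, comma-joined, to
    ``<event._baseFilePath>.<confVars.outputExtension>``.  The file is then
    handed to ``event._splunk.push`` with ``exclusionRegex='INET_NTOA'``.

    Args:
        event: object carrying ``_startDate``, ``_DT``, ``_sqlLimit``,
            ``_baseFilePath``, ``_splunk`` and ``ip_address`` /
            ``ip_address_list`` (their types are defined by the caller).
    """
    print('Querying Sguil DB...\n')

    # A start date less than a day old is widened to one day before _DT
    # (presumably the event timestamp -- confirm against the caller).
    if (datetime.datetime.now() - event._startDate).days < 1:
        start = event._DT - datetime.timedelta(days=1)
    else:
        start = event._startDate
    start_date = start.date().isoformat()

    if not hasattr(event, 'ip_address_list'):
        event.ip_address_list = [event.ip_address]

    # Loop-invariant, and needed for the push below even when the list is empty.
    orf = '%s.%s' % (event._baseFilePath, confVars.outputExtension)

    for ip in event.ip_address_list:
        print("Pulling flow for %s..." % ip)

        # The address is interpolated into the SQL text, so only a dotted-quad
        # literal is allowed through; anything else is reported and skipped.
        if not _is_ipv4(ip):
            print("Skipping %s: not a dotted-quad IPv4 address." % ip)
            continue

        query = _sancp_flow_query(start_date, ip, event._sqlLimit)
        log.debug('msg="Sguil Flow Query" query="%s"' % query)

        queryResults = getSguilSql(query, sguilserver=so_server, tableSplit=True)

        # Append so every address's rows land in one file; the context manager
        # closes the handle even if a row fails to serialise.
        with open(orf, 'a') as outRawFile:
            for line in queryResults:
                outRawFile.write(','.join(line) + '\n')

    event._splunk.push(sourcetype=confVars.splunkSourcetype, filename=orf, exclusionRegex='INET_NTOA')

    print('\n%s results saved to: %s' % (FORMAL_NAME, orf))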