python lib for mozdef clients

README.rst

DEPRECATION WARNING

Warning

This lib has been superseded by mozdef_client: https://github.com/gdestuynder/mozdef_client. This has been done to avoid confusion with "internal" mozdef libs and imports.

If converting to the new lib, you'll need to import mozdef_client instead of mozdef:

.. code::

    import mozdef_client

mozdef_lib

Python lib for MozDef clients.

Install

As a python module

Manually:

.. code::

    make install

As an rpm/deb package:

.. code::

    make rpm
    make deb
    rpm -i <package.rpm>
    dpkg -i <package.deb>

From the code (integrate in your code)

Add to your project with:

.. code::

    git submodule add https://github.com/gdestuynder/mozdef_lib mozdef
    git commit -a

Python dependencies

  • requests_futures for python2 (optional but highly recommended, else messages are synchronous)
  • pytz

Usage

Note

If you can, it is recommended to fill in details={}, category='' and severity='' even though those are optional.

Syslog compatibility

Should you need Syslog compatibility (for example, to stay compatible with non-MozDef setups without having to handle the conversion to syslog yourself), just set sendToSyslog to True for your message.

The message will be flattened out and the fields that syslog already provides will be stripped. Additionally, an attempt will be made to map the severity field to syslog's priority field if possible (the severity has to match a syslog priority name).

Example:

.. code::

    #JSON/MozDef output
    {
        "category": "event",
        "details": {},
        "hostname": "kang-vp",
        "processid": 16347,
        "processname": "mozdef.py",
        "severity": "INFO",
        "summary": "test msg",
        "tags": [],
        "timestamp": "2014-05-13T14:59:54.093572+00:00"
    }
    [...]

    #Syslog output
    May 13 14:59:54 kang-vp mozdef.py[16347]: details: {} tags: [] category: event summary: test syslog msg
    May 13 14:59:54 kang-vp mozdef.py[16347]: details: {'uid': 0, 'username': 'kang'} tags: ['bro', 'auth'] category: authentication summary: new test msg
    May 13 14:59:54 kang-vp mozdef.py[16347]: details: {} tags: [] category: event summary: another test msg
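The flattening described above, reproduced as an added example (this is not mozdef_lib's own code): header fields that syslog already carries are dropped, the remaining fields are joined as ``key: value`` pairs in the order the README output shows, and severity is mapped to a syslog priority only when it matches a syslog priority name. The fallback priority for unmatched severities (LOG_INFO) and the field order are assumptions, not taken from the library.

```python
# Added example, not part of mozdef_lib. Renders a MozDef message dict as a
# BSD-style syslog line the way the README describes the conversion.
from datetime import datetime

# syslog(3) / RFC 5424 priority names and their numeric values.
SYSLOG_PRIORITIES = {
    "LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
    "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7,
}
DEFAULT_PRIORITY = SYSLOG_PRIORITIES["LOG_INFO"]  # assumed fallback

# Fields the syslog header already provides, so they are stripped from the body.
HEADER_FIELDS = ("timestamp", "hostname", "processname", "processid")
# Order of the remaining fields in the flattened body (assumed from the README output).
BODY_FIELDS = ("details", "tags", "category", "summary")


def severity_to_priority(severity):
    """'INFO' matches LOG_INFO; 'CRITICAL' does not (syslog calls it LOG_CRIT),
    so it falls back to DEFAULT_PRIORITY. Matching is case-insensitive."""
    return SYSLOG_PRIORITIES.get("LOG_" + str(severity).upper(), DEFAULT_PRIORITY)


def flatten_body(msg):
    """Join the non-header fields as 'key: value' pairs, Python str() of each value."""
    return " ".join("%s: %s" % (k, msg[k]) for k in BODY_FIELDS if k in msg)


def render_syslog_line(msg):
    """Return (priority, line); the header is built from the stripped fields."""
    ts = datetime.fromisoformat(msg["timestamp"])
    header = "%s %2d %s %s %s[%d]:" % (
        ts.strftime("%b"), ts.day, ts.strftime("%H:%M:%S"),
        msg["hostname"], msg["processname"], msg["processid"])
    return severity_to_priority(msg.get("severity", "")), header + " " + flatten_body(msg)


# Constructed sample: the README's JSON example.
SAMPLE = {
    "category": "event", "details": {}, "hostname": "kang-vp",
    "processid": 16347, "processname": "mozdef.py", "severity": "INFO",
    "summary": "test msg", "tags": [],
    "timestamp": "2014-05-13T14:59:54.093572+00:00",
}

if __name__ == "__main__":
    print(render_syslog_line(SAMPLE))
```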

MozDef message structure

These are also the 'internal attributes' which you can modify.

.. code::

    {
        "category": "authentication",
        "details": {
            "uid": 0,
            "username": "kang"
        },
        "hostname": "blah.private.scl3.mozilla.com",
        "processid": 14619,
        "processname": "./mozdef.py",
        "severity": "CRITICAL",
        "summary": "new test msg",
        "tags": [
            "bro",
            "auth"
        ],
        "timestamp": "2014-03-18T23:20:31.013344+00:00"
    }

Certificate handling

During testing with self-signed certificates, it may be useful to disable certificate checking while connecting to MozDef. It may also just be that you have a custom CA file that you want to point to.

This is how you do all this:

.. code::

    msg.verify_certificate = False # not recommended, security issue.
    msg.verify_certificate = True # uses default certs from /etc/ssl/certs
    msg.verify_certificate = '/etc/path/to/custom/cert'

Note

Disabling certificate checking introduces a security issue and is generally not recommended, especially in production.