
Merge branch 'master' of github.com:Phrozyn/MozDef

Phrozyn committed Aug 10, 2016
2 parents 687e423 + 9fbf79f commit d264a1298261896a087973c448ce8b8c8a31223d
@@ -38,7 +38,7 @@
"1": {
"type": "querystring",
"field": "category",
"query": "bro_intel",
"query": "brointel",
"mandate": "must",
"active": true,
"alias": "",
@@ -18,7 +18,7 @@ def main(self):
# Configure filters using pyes
must = [
pyes.TermFilter('_type', 'event'),
pyes.TermFilter('category', 'bro_intel'),
pyes.TermFilter('category', 'brointel'),
pyes.ExistsFilter('seenindicator')
]
self.filtersManual(date_timedelta, must=must)
@@ -38,7 +38,7 @@
"1": {
"type": "field",
"field": "category",
"query": "\"bro_notice\"",
"query": "\"bronotice\"",
"mandate": "must",
"active": true,
"alias": "",
@@ -12,6 +12,9 @@
import pyes
class AlertGeomodel(AlertTask):
# The minimum event severity we will create an alert for
MINSEVERITY = 2
def main(self):
date_timedelta = dict(minutes=30)
@@ -27,7 +30,16 @@ def main(self):
def onEvent(self, event):
category = 'geomodel'
tags = ['geomodel']
severity = 'NOTICE'
severity = 'WARNING'
ev = event['_source']
# If the event severity is below what we want, just ignore
# the event.
if 'details' not in ev or 'severity' not in ev['details']:
return None
if ev['details']['severity'] < self.MINSEVERITY:
return None
summary = event['_source']['summary']
summary = ev['summary']
return self.createAlertDict(summary, category, tags, [event], severity)
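Review bot: The guard `if ev['details']['severity'] < self.MINSEVERITY:` compares whatever the event carries directly against an int; if a producer ever emits severity as a string or null, the Python 2 interpreter that pyes implies orders mixed types silently instead of raising, so the gate would pass or drop events by accident. Normalise first — wrap `int(ev['details']['severity'])` in a `try`, and on `(TypeError, ValueError)` take the same `return None` path as the missing-`details` case. Both early returns are silent; a `logger.debug` naming the reason would make MINSEVERITY tuning observable. The class header and `main` are outside this hunk, so I can't see whether a logger is already available on the task.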
@@ -0,0 +1,25 @@
[supervisord]
#Set true for debug
nodaemon=false
autostart=true
autorestart=true
logfile=/home/mozdef/envs/mozdef/logs/supervisord.log
childlogdir=/home/mozdef/envs/mozdef/logs/
pidfile=/home/mozdef/envs/mozdef/alerts/plugins/supervisord.pid
user=mozdef
[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
[unix_http_server]
file=/home/mozdef/envs/mozdef/supervisorctl.sock
[supervisorctl]
serverurl=unix:///home/mozdef/envs/mozdef/supervisorctl.sock
[program:alerts]
priority=2
command=celery -A celeryconfig worker --loglevel=info --beat
user=mozdef
group=mozdef
directory=/home/mozdef/envs/mozdef/alerts
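Review bot: `autostart=true` and `autorestart=true` are placed under `[supervisord]`, but they are `[program:x]` options; as far as I can tell supervisord does not read them from the global section, so the `alerts` program runs with default restart behaviour rather than the one written here — move both lines under `[program:alerts]`. The `[unix_http_server]` socket has no explicit `chmod`/`chown`, so who can drive `supervisorctl` for this instance depends on supervisord's defaults; pin it with `chmod=0700` and `chown=mozdef:mozdef` (constructed values, adjust to the deployment) so the control socket is reachable only by the service account.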
@@ -0,0 +1,21 @@
[uwsgi]
chdir = /home/mozdef/envs/mozdef/alerts
uid = mozdef
mule = alertWorker.py
mule = alertWorker.py
mule = alertWorker.py
mule = alertWorker.py
pyargv = -c /home/mozdef/envs/mozdef/alerts/alertWorker.conf
py-auto-reload=30s
;stats = 127.0.0.1:9192
;py-auto-reload=30s
daemonize = /home/mozdef/envs/mozdef/logs/uwsgi.AlertPluginsMules.log
;ignore normal operations that generate nothing but normal response
log-drain = generated 0 bytes
log-date = %%a %%b %%d %%H:%%M:%%S
socket = /home/mozdef/envs/mozdef/alerts/AlertPluginsMules.socket
virtualenv = /home/mozdef/envs/mozdef/
master-fifo = /home/mozdef/envs/mozdef/alerts/AlertPluginsMules.fifo
never-swap
pidfile= /home/mozdef/envs/mozdef/alerts/AlertPluginsMules.pid
vacuum = true
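Review bot: `py-auto-reload=30s` is active while a commented copy `;py-auto-reload=30s` sits two lines below, so the intent is ambiguous; the live setting makes the master poll loaded modules every 30 s and reload the mules on any change, which on a production alert worker means any write into the code tree restarts processing. Keep exactly one of the two lines and comment the active one with the reason. Separately, `uid = mozdef` has no matching `gid`, and the unix `socket =` gets no `chmod-socket`; adding `gid = mozdef` and an explicit socket mode keeps the privilege drop and socket access from depending on uwsgi defaults.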
@@ -30,7 +30,7 @@ def initLogger():
logger.level=logging.INFO
formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
formatter.formatTime = loggerTimeStamp
if options.output=='syslog':
if options.output=='syslog':
logger.addHandler(SysLogHandler(address=(options.sysloghostname,options.syslogport)))
else:
sh=logging.StreamHandler(sys.stderr)
@@ -45,15 +45,15 @@ def toUTC(suspectedDate,localTimeZone="US/Pacific"):
objDate=parse(suspectedDate,fuzzy=True)
elif type(suspectedDate)==datetime:
objDate=suspectedDate
if objDate.tzinfo is None:
objDate=pytz.timezone(localTimeZone).localize(objDate)
objDate=utc.normalize(objDate)
else:
objDate=utc.normalize(objDate)
if objDate is not None:
objDate=utc.normalize(objDate)
return objDate
def flattenDict(dictIn):
@@ -68,7 +68,7 @@ def alertToMessageQueue(alertDict):
channel = connection.channel()
#declare the exchanges
channel.exchange_declare(exchange=options.alertexchange,type='topic', durable=True)
#cherry pick items from the alertDict to send to the alerts messageQueue
mqAlert=dict(severity='INFO',category='')
if 'severity' in alertDict.keys():
@@ -80,7 +80,7 @@ def alertToMessageQueue(alertDict):
if 'eventtimestamp' in alertDict.keys():
mqAlert['eventtimestamp']=alertDict['eventtimestamp']
mqAlert['summary']=alertDict['summary']
channel.basic_publish(exchange=options.alertexchange,routing_key=options.alertqueue,body=json.dumps(mqAlert))
channel.basic_publish(exchange=options.alertexchange,routing_key=options.alertqueue,body=json.dumps(mqAlert))
except Exception as e:
logger.error('Exception while sending alert to message queue: {0}'.format(e))
@@ -93,15 +93,15 @@ def alertToES(es,alertDict):
def esBroIntelEvents():
begindateUTC= toUTC(datetime.now() - timedelta(minutes=30))
enddateUTC= toUTC(datetime.now())
enddateUTC= toUTC(datetime.now())
#search for events within the date range that haven't already been alerted (i.e. given an alerttimestamp)
qDate=pyes.RangeQuery(qrange=pyes.ESRange('utctimestamp',from_value=begindateUTC,to_value=enddateUTC))
qType=pyes.TermFilter('_type','event')
qEvents=pyes.TermsFilter('category',['brointel'])
qalerted=pyes.ExistsFilter('alerttimestamp')
q=pyes.ConstantScoreQuery(pyes.MatchAllQuery())
q.filters.append(pyes.BoolFilter(
must=[qType,
must=[qType,
qDate,
qEvents,
pyes.ExistsFilter('seenindicator')
@@ -117,11 +117,11 @@ def esBroXSSEvents():
enddateUTC= toUTC(datetime.now())
qDate = pyes.RangeQuery(qrange=pyes.ESRange('utctimestamp', from_value=begindateUTC, to_value=enddateUTC))
qType = pyes.TermFilter('_type', 'event')
qEvents = pyes.TermFilter("category","bro_xss_log")
qEvents = pyes.TermFilter("category","broxsslog")
qalerted = pyes.ExistsFilter('alerttimestamp')
q=pyes.ConstantScoreQuery(pyes.MatchAllQuery())
q.filters.append(pyes.BoolFilter(
must=[qType,
must=[qType,
qDate,
qEvents,
pyes.ExistsFilter('uri')
@@ -161,7 +161,7 @@ def esRunSearch(es, query, aggregateField, detailLimit=5):
return indicatorList
except pyes.exceptions.NoServerAvailable:
logger.error('Elastic Search server could not be reached, check network connectivity')
logger.error('Elastic Search server could not be reached, check network connectivity')
def createAlerts(es, indicatorCounts, threshold, description):
@@ -195,14 +195,14 @@ def createAlerts(es, indicatorCounts, threshold, description):
# append the relevant events in text format to avoid errant ES issues.
# should be able to just set eventsource to i['events'] but different versions of ES 1.0 complain
alert['eventsource'].append(flattenDict(e))
logger.debug(alert['summary'])
logger.debug(alert['events'])
logger.debug(alert)
# save alert to alerts index, update events index with alert ID for cross reference
alertResult = alertToES(es, alert)
##logger.debug(alertResult)
# for each event in this list of indicatorCounts
# update with the alertid/index
@@ -212,28 +212,28 @@ def createAlerts(es, indicatorCounts, threshold, description):
e['_source']['alerts'] = []
e['_source']['alerts'].append(dict(index=alertResult['_index'], type=alertResult['_type'], id=alertResult['_id']))
e['_source']['alerttimestamp'] = toUTC(datetime.now()).isoformat()
es.update(e['_index'], e['_type'], e['_id'], document=e['_source'])
alertToMessageQueue(alert)
except ValueError as e:
logger.error("Exception %r when creating alerts " % e)
def main():
logger.debug('starting')
logger.debug(options)
es=pyes.ES((list('{0}'.format(s) for s in options.esservers)))
# search for brointel
#indicatorCounts=esSearch(es)
#createAlerts(es,indicatorCounts)
indicatorCounts=esRunSearch(es,esBroIntelEvents(),'seenindicator', 50)
createAlerts(es,indicatorCounts, 5, 'bro intel match')
# search for xss events
indicatorCounts=esRunSearch(es,esBroXSSEvents(),'cluster_client_ip', 50)
createAlerts(es,indicatorCounts, 5, 'bro xss')
createAlerts(es,indicatorCounts, 5, 'bro xss')
logger.debug('finished')
def initConfig():
@@ -249,7 +249,7 @@ def initConfig():
options.syslogport=getConfig('syslogport',514,options.configfile) #syslog port
#elastic search server settings
options.esservers=list(getConfig('esservers','http://localhost:9200',options.configfile).split(','))
if __name__ == '__main__':
parser=OptionParser()
parser.add_option("-c", dest='configfile' , default=sys.argv[0].replace('.py','.conf'), help="configuration file to use")
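Review bot: In the esRunSearch hunk, the `except pyes.exceptions.NoServerAvailable:` branch only logs and then falls off the end of the function, so when Elasticsearch is unreachable esRunSearch returns None and `main()` passes that straight to `createAlerts(es,indicatorCounts, 5, 'bro intel match')`, which presumably iterates it and fails with a TypeError far from the real cause. Either return an empty result from that branch so the run is a no-op, `logger.error('Elastic Search server could not be reached, check network connectivity'); return []`, or re-raise so the run stops with the connectivity message. The start of esRunSearch and most of createAlerts lie outside these hunks, so whether None is already tolerated downstream can't be confirmed from here.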
