
Resolve E128 continuation line under indented

pwnbus committed Oct 31, 2018
1 parent 3fbeae4 commit 3b07f12cc90e4ee99c6430d0c564aa20f9af5f1d
@@ -9,7 +9,6 @@ ignore =
E123 # closing bracket does not match indentation of opening bracket's line
E124 # closing bracket does not match visual indentation
E125 # continuation line with same indent as next logical line
E128 # continuation line under-indented for visual indent
E225 # missing whitespace around operator
E226 # missing whitespace around arithmetic operator
E228 # missing whitespace around modulo operator
@@ -172,9 +172,11 @@ def alertToMessageQueue(self, alertDict):
self.mqproducer,
self.mqproducer.publish,
max_retries=10)
ensurePublish(alertDict,
ensurePublish(
alertDict,
exchange=self.alertExchange,
routing_key=RABBITMQ['alertqueue'])
routing_key=RABBITMQ['alertqueue']
)
self.log.debug('alert sent to the alert queue')
except Exception as e:
self.log.error('Exception while sending alert to message queue: {0}'.format(e))
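Review bot: A publish failure in this hunk is only logged and then swallowed, so the alert is silently lost and the caller of alertToMessageQueue has no way to know; the `except Exception as e` branch should at least keep the traceback with `self.log.exception('Exception while sending alert to message queue: {0}'.format(e))` and either re-raise or return a status the caller can act on. ensurePublish is already wrapped with `max_retries=10`, so anything reaching this handler has exhausted its retries and deserves more than a one-line error. alertToMessageQueue's body starts before this hunk, so there may be handling above that I cannot see.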
@@ -71,8 +71,14 @@ def bugzilla_search(self):
return
for bug in res['bugs']:
bugsummary = bug['summary'].encode('utf-8', 'replace')
self.controller.client.msg(self.channel, "\x037\x02WARNING\x03\x02 \x032\x02NEW\x03\x02 bug: {url}{bugid} {summary}".format(summary=bugsummary,
url=self.url, bugid=bug['id']))
self.controller.client.msg(
self.channel,
"\x037\x02WARNING\x03\x02 \x032\x02NEW\x03\x02 bug: {url}{bugid} {summary}".format(
summary=bugsummary,
url=self.url,
bugid=bug['id']
)
)
def start(self, *args, **kwargs):
super(Zilla, self).start(*args, **kwargs)
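Review bot: The bug summary interpolated into the IRC message at the `.format(` call is externally supplied text from Bugzilla and is only transcoded with `encode('utf-8', 'replace')`, never sanitized; a summary containing `\r` or `\n` would terminate the PRIVMSG line early and, unless `self.controller.client.msg` strips line terminators itself, the remainder would be parsed by the server as a separate IRC command. Strip them before formatting, e.g. `bugsummary = bug['summary'].replace('\r', ' ').replace('\n', ' ').encode('utf-8', 'replace')`, and consider truncating long summaries so the whole message stays under IRC's 512-byte line limit. bugzilla_search starts before this hunk, so I cannot see whether the summary is filtered earlier.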
@@ -447,8 +447,10 @@ def main():
print("No configuration file 'auth02mozdef.json' found.")
sys.exit(1)
headers = {'Authorization': 'Bearer {}'.format(config.auth0.token),
'Accept': 'application/json'}
headers = {
'Authorization': 'Bearer {}'.format(config.auth0.token),
'Accept': 'application/json'
}
fromid = load_state(config.state_file)
# Auth0 will interpret a 0 state as an error on our hosted instance, but will accept an empty parameter "as if it was 0"
@@ -83,9 +83,11 @@ def main():
snapshot_config = {
'indices': index_to_snapshot
}
epoch=calendar.timegm(datetime.utcnow().utctimetuple())
r = requests.put('{0}/_snapshot/s3backup/{1}-{2}?wait_for_completion=true'.format(esserver,index_to_snapshot,epoch),
data=json.dumps(snapshot_config))
epoch = calendar.timegm(datetime.utcnow().utctimetuple())
r = requests.put(
'{0}/_snapshot/s3backup/{1}-{2}?wait_for_completion=true'.format(esserver, index_to_snapshot, epoch),
data=json.dumps(snapshot_config)
)
if 'status' in r.json():
logger.error('Error snapshotting %s: %s' % (index_to_snapshot, r.json()))
else:
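Review bot: The `requests.put(` call has no `timeout=`, and because the URL carries `wait_for_completion=true` Elasticsearch holds the connection open for the whole snapshot, so a stalled cluster or a dropped TCP session blocks this script indefinitely; pass an explicit `timeout=` large enough for the snapshot, or drop `wait_for_completion` and poll the snapshot status instead. The body is sent as `data=json.dumps(...)` without `headers={'Content-Type': 'application/json'}`, which Elasticsearch 6+ rejects with a 406, and that failure would surface as a ValueError from `r.json()` on the next line rather than as the logged error because the HTTP status is never checked; call `r.raise_for_status()` (or test `r.ok`) before `r.json()`. `index_to_snapshot` is formatted straight into the URL path, so if it can come from user input it should be validated against the index-name character set first. main starts outside this hunk.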
@@ -309,9 +309,11 @@ def broadcastAttacker(attacker):
mqproducer,
mqproducer.publish,
max_retries=10)
ensurePublish(mqAlert,
ensurePublish(
mqAlert,
exchange=alertExchange,
routing_key=options.routingkey)
routing_key=options.routingkey
)
except Exception as e:
logger.error('Exception while publishing attacker: {0}'.format(e))
@@ -391,10 +393,12 @@ def updateMongoWithESEvents(mozdefdb, results):
# potentially with a max mask value (i.e. asn is /8, limit attackers to /24)
sourceIP.prefixlen = 24
if not sourceIP.ip.is_loopback() and not sourceIP.ip.is_private() and not sourceIP.ip.is_reserved():
esrecord = dict(documentid=r['_id'],
documenttype=r['_type'],
documentindex=r['_index'],
documentsource=r['_source'])
esrecord = dict(
documentid=r['_id'],
documenttype=r['_type'],
documentindex=r['_index'],
documentsource=r['_source']
)
logger.debug('Trying to find existing attacker at ' + str(sourceIP))
attacker = attackers.find_one({'indicators.ipv4address': str(sourceIP)})
@@ -406,7 +410,7 @@ def updateMongoWithESEvents(mozdefdb, results):
logger.debug('Creating new attacker from ' + str(sourceIP))
newAttacker = genNewAttacker()
#expand the source ip to a /24 for the indicator match.
# expand the source ip to a /24 for the indicator match.
sourceIP.prefixlen = 24
# str sourceIP to get the ip/cidr rather than netblock cidr.
newAttacker['indicators'].append(dict(ipv4address=str(sourceIP)))
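Review bot: The /24 expansion at `sourceIP.prefixlen = 24` does not actually group hosts by netblock: both the `find_one({'indicators.ipv4address': str(sourceIP)})` lookup and the stored `ipv4address=str(sourceIP)` indicator use the host address with a /24 suffix (`a.b.c.4/24`, as the `# str sourceIP to get the ip/cidr rather than netblock cidr` comment confirms), so two hosts in the same /24 produce different strings and therefore separate attacker records, contrary to the `# expand the source ip to a /24 for the indicator match` comment. If per-netblock aggregation is the intent, key both the lookup and the indicator on the network instead, `str(sourceIP.cidr)`; if per-host records are intended, the expand comment should say so. I cannot see where sourceIP is built, so an earlier normalization to the network address outside this hunk would change this. updateMongoWithESEvents begins before the hunk and continues after it.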
@@ -165,15 +165,15 @@ def initConfig():
# default time period in minutes to look back in time for the aggregation
options.correlationminutes = getConfig('correlationminutes',
150,
options.configfile)
150,
options.configfile)
# default location of the OUI file from IEEE for resolving mac prefixes
# Expects the OUI file from IEEE:
# wget http://www.ieee.org/netstorage/standards/oui.txt
options.ouifilename = getConfig('ouifilename',
'oui.txt',
options.configfile)
'oui.txt',
options.configfile)
if __name__ == '__main__':
@@ -118,8 +118,8 @@ def initConfig():
# default time period in minutes to look back in time for the aggregation
options.aggregationminutes = getConfig('aggregationminutes',
15,
options.configfile)
15,
options.configfile)
# configure the index to save events to
options.index = getConfig('index', 'mozdefstate', options.configfile)
@@ -34,8 +34,12 @@ def initLogger():
if options.output == 'syslog':
logger.addHandler(
SysLogHandler(
address=(options.sysloghostname,
options.syslogport)))
address=(
options.sysloghostname,
options.syslogport
)
)
)
else:
sh = logging.StreamHandler(sys.stderr)
sh.setFormatter(formatter)
@@ -165,13 +169,13 @@ def initConfig():
options.output = getConfig('output', 'stdout', options.configfile)
# syslog hostname
options.sysloghostname = getConfig('sysloghostname', 'localhost',
options.configfile)
options.configfile)
# syslog port
options.syslogport = getConfig('syslogport', 514, options.configfile)
# elastic search server settings
options.esservers = list(getConfig('esservers', 'http://localhost:9200',
options.configfile).split(','))
options.configfile).split(','))
options.mongohost = getConfig('mongohost', 'localhost', options.configfile)
options.mongoport = getConfig('mongoport', 3001, options.configfile)
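Review bot: `SysLogHandler(address=(options.sysloghostname, options.syslogport))` is built without `socktype`, so it defaults to UDP: records leave the host unauthenticated and unencrypted and are silently dropped when the collector is unreachable, which matters for a security event pipeline. If the collector accepts TCP, pass `socktype=socket.SOCK_STREAM` (with `import socket` at the top of the file); if UDP is deliberate, a one-line comment saying so would stop the next reader from asking. The port comes from `getConfig('syslogport', 514, options.configfile)`; I cannot see getConfig's typing, but if a value set in the config file arrives as a string the handler will fail to bind, so coercing with `int(...)` on that line is cheap insurance. Separately, `list(getConfig(...).split(','))` wraps a list in `list()`, which is redundant.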
@@ -39,26 +39,25 @@ def read_state_file(self):
try:
with open(self.filename, 'r') as f:
self.data = json.load(f)
iterator = iter(self.data)
except IOError:
self.data = {}
except ValueError:
logger.error("%s state file found but isn't a recognized json format" %
self.filename)
logger.error("%s state file found but isn't a recognized json format" % self.filename)
raise
except TypeError:
logger.error("%s state file found and parsed but it doesn't contain an iterable object" %
self.filename)
logger.error("%s state file found and parsed but it doesn't contain an iterable object" % self.filename)
raise
def write_state_file(self):
'''Write the self.data value into the state file'''
with open(self.filename, 'w') as f:
json.dump(self.data,
f,
sort_keys=True,
indent=4,
separators=(',', ': '))
json.dump(
self.data,
f,
sort_keys=True,
indent=4,
separators=(',', ': ')
)
def main():
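Review bot: write_state_file still does `open(self.filename, 'w')` followed by `json.dump`, so the file is truncated before the new state is written; a crash, a kill, or a TypeError from a non-serializable value in `self.data` part-way through leaves an empty or truncated file, which read_state_file then turns into a ValueError and a raise on the next run instead of a clean restart. Write to a temporary file in the same directory and rename it over the state file so readers see either the old or the new state. The rewrite below needs `import os` and `import tempfile` at the top of the file; os.rename is atomic on POSIX when both paths are on the same filesystem, and the method's interface is unchanged. Less pressing: `except IOError: self.data = {}` treats a permission error the same as a missing file, so a misconfigured state path silently restarts from empty.
```python
    def write_state_file(self):
        '''Write the self.data value into the state file atomically'''
        # Dump to a sibling temp file and rename it over the real one, so a
        # crash or a serialization error mid-write can never leave a truncated
        # (unparseable) state file behind for read_state_file to choke on.
        state_dir = os.path.dirname(os.path.abspath(self.filename))
        fd, tmpname = tempfile.mkstemp(dir=state_dir, prefix='.state-', suffix='.tmp')
        try:
            with os.fdopen(fd, 'w') as f:
                json.dump(
                    self.data,
                    f,
                    sort_keys=True,
                    indent=4,
                    separators=(',', ': ')
                )
            os.rename(tmpname, self.filename)
        except Exception:
            os.unlink(tmpname)
            raise
```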
@@ -18,66 +18,69 @@ def onMessage(self, message, metadata):
# check for messages we have vetted as n/a and prevalent
# from a sec standpoint and drop them
# drop sensitive logs
#if 'details' in message \
#and 'command' in message['details'] \
#and 'ldappasswd' in message['details']['command']:
#return(None, metadata)
# ganglia monitor daemon
if 'details' in message \
and 'parentprocess' in message['details'] \
and message['details']['parentprocess'] == 'gmond' \
and 'duser' in message['details'] \
and message['details']['duser'] == 'nobody' \
and 'command' in message['details'] \
and message['details']['command'] == '/bin/sh -c netstat -t -a -n':
if ('details' in message and
'parentprocess' in message['details'] and
message['details']['parentprocess'] == 'gmond' and
'duser' in message['details'] and
message['details']['duser'] == 'nobody' and
'command' in message['details'] and
message['details']['command'] == '/bin/sh -c netstat -t -a -n'):
return(None, metadata)
# rabbitmq
if ('details' in message
and 'parentprocess' in message['details']
and message['details']['parentprocess'] == 'beam.smp'
and 'duser' in message['details']
and message['details']['duser'] == 'rabbitmq'
and 'command' in message['details']) \
and (message['details']['command'] == '/usr/lib64/erlang/erts-5.8.5/bin/epmd -daemon'
or message['details']['command'].startswith('inet_gethost 4')
or message['details']['command'].startswith('sh -c exec inet_gethost 4')
or message['details']['command'].startswith('/bin/sh -s unix:cmd')
or message['details']['command'].startswith('sh -c exec /bin/sh -s unix:cmd')):
if (
('details' in message and
'parentprocess' in message['details'] and
message['details']['parentprocess'] == 'beam.smp' and
'duser' in message['details'] and
message['details']['duser'] == 'rabbitmq' and
'command' in message['details']
) and
(
message['details']['command'] == '/usr/lib64/erlang/erts-5.8.5/bin/epmd -daemon' or
message['details']['command'].startswith('inet_gethost 4') or
message['details']['command'].startswith('sh -c exec inet_gethost 4') or
message['details']['command'].startswith('/bin/sh -s unix:cmd') or
message['details']['command'].startswith('sh -c exec /bin/sh -s unix:cmd'))):
return(None, metadata)
# sshd
if 'details' in message \
and 'parentprocess' in message['details'] \
and message['details']['parentprocess'] == 'sshd' \
and 'duser' in message['details'] \
and message['details']['duser'] == 'root' \
and 'command' in message['details'] \
and message['details']['command'] == '/usr/sbin/sshd -R':
if ('details' in message and
'parentprocess' in message['details'] and
message['details']['parentprocess'] == 'sshd' and
'duser' in message['details'] and
message['details']['duser'] == 'root' and
'command' in message['details'] and
message['details']['command'] == '/usr/sbin/sshd -R'):
return(None, metadata)
# chkconfig
if ('details' in message
and 'parentprocess' in message['details']
and message['details']['parentprocess'] == 'chkconfig'
and 'suser' in message['details']
and message['details']['suser'] == 'root'
and 'command' in message['details']) \
and (message['details']['command'].startswith('/sbin/runlevel')
or message['details']['command'].startswith('sh -c /sbin/runlevel')):
if (
('details' in message and
'parentprocess' in message['details'] and
message['details']['parentprocess'] == 'chkconfig' and
'suser' in message['details'] and
message['details']['suser'] == 'root' and
'command' in message['details']
) and
(
message['details']['command'].startswith('/sbin/runlevel') or
message['details']['command'].startswith('sh -c /sbin/runlevel'))):
return(None, metadata)
# nagios
if ('details' in message
and 'duser' in message['details']
and message['details']['duser'] == 'nagios'
and 'suser' in message['details']
and message['details']['suser'] == 'root'
and 'command' in message['details']) \
and (message['details']['command'].startswith('/usr/lib64/nagios/plugins')
or message['details']['command'].startswith('sh -c /usr/lib64/nagios/plugins')):
if (
('details' in message and
'duser' in message['details'] and
message['details']['duser'] == 'nagios' and
'suser' in message['details'] and
message['details']['suser'] == 'root' and
'command' in message['details']
) and
(
message['details']['command'].startswith('/usr/lib64/nagios/plugins') or
message['details']['command'].startswith('sh -c /usr/lib64/nagios/plugins'))):
return(None, metadata)
# fix auid from long to int
@@ -86,17 +89,17 @@ def onMessage(self, message, metadata):
message['details']['auid'] = '-1'
if 'ses' in message['details'].keys() and message['details']['ses'] == "4294967295":
message['details']['ses'] = '-1'
#fix '(null)' string records to fit in a long
for k,v in message['details'].iteritems():
if v=='(null)' and 'id' in k:
message['details'][k]=-1
# fix '(null)' string records to fit in a long
for k, v in message['details'].iteritems():
if v == '(null)' and 'id' in k:
message['details'][k] = -1
# fix occasional gid errant parsing
if 'details' in message.keys() and isinstance(message['details'], dict):
if 'gid' in message['details'].keys() and ',' in message['details']['gid']:
#gid didn't parse right, should just be an integer
#move it to a new field to not trigger errors in ES indexing
#as it tries to convert gid to long
# gid didn't parse right, should just be an integer
# move it to a new field to not trigger errors in ES indexing
# as it tries to convert gid to long
message['details']['gidstring'] = message['details']['gid']
del message['details']['gid']
@@ -111,7 +114,7 @@ def onMessage(self, message, metadata):
if 'category' not in message.keys():
message['category'] = 'auditd'
#set doctype
# set doctype
metadata['doc_type'] = 'auditd'
return (message, metadata)
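Review bot: The drop filters in the rabbitmq, chkconfig and nagios branches use `startswith` on the full command string, so they are bypassable by appending: `/usr/lib64/nagios/plugins/check_load; /tmp/x`, `sh -c /sbin/runlevel && curl ...` or a sibling path such as `/usr/lib64/nagios/plugins_x` all satisfy `startswith('/usr/lib64/nagios/plugins')` and the event is discarded before it reaches any alert, which is exactly the path an attacker with code execution as the nagios or rabbitmq user would take. Match the whole command instead: exact strings where the command is fixed (as the gmond and sshd branches already do), and for the plugin and runlevel cases an anchored regex that bounds the remainder, e.g. `re.match(r'^(sh -c )?/usr/lib64/nagios/plugins/[\w.-]+( [^;&|$()<>]*)?$', cmd)`. The fields come straight from the audit record, so `message['details']['command']` could also be non-string in a malformed event; the `'command' in message['details']` guard covers absence but not type, and a non-string would raise AttributeError on `.startswith`. The `isinstance(message['details'], dict)` check under `# fix occasional gid errant parsing` runs after `message['details'].iteritems()` has already been called, so the start of onMessage, which is outside this hunk, presumably guards that — worth confirming.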
@@ -377,8 +377,7 @@ def onMessage(self, message, metadata):
if newmessage['details']['actions'] == "Notice::ACTION_LOG":
# retrieve indicator ip addresses from the sub field
# "sub": "Indicator: 1.2.3.4, Indicator: 5.6.7.8"
newmessage['details']['indicators'] = [ip for ip
in findIPv4(newmessage['details']['sub'])]
newmessage['details']['indicators'] = [ip for ip in findIPv4(newmessage['details']['sub'])]
# remove the details.src field and add it to indicators
# as it may not be the actual source.
if 'src' in newmessage['details']:
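Review bot: `findIPv4(newmessage['details']['sub'])` indexes `sub` without checking it exists, unlike the `'src' in newmessage['details']` guard on the next line; a Notice::ACTION_LOG record without a `sub` field raises KeyError and, depending on how onMessage's caller handles exceptions, either drops the event or stalls the plugin. Use `newmessage['details'].get('sub', '')` (or guard with `if 'sub' in newmessage['details']`) so a missing field yields an empty indicator list. The `[ip for ip in findIPv4(...)]` comprehension is a plain copy and reads better as `list(findIPv4(...))`. onMessage starts before this hunk and the branch continues after it.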
