
Merge conflict resolution

arcrose committed Oct 29, 2019
2 parents ddba691 + 18c65ce commit b875356bf465a9dcd4caa708797dfe7f1c615716
Showing with 413 additions and 905 deletions.
  1. +9 −0 Makefile
  2. +1 −1 alerts/geomodel_location.py
  3. +4 −0 alerts/ldap_bruteforce_global.conf
  4. +8 −4 alerts/{ldap_password_spray.py → ldap_bruteforce_global.py}
  5. 0 alerts/{ldap_bruteforce.conf → ldap_bruteforce_user.conf}
  6. +3 −3 alerts/{ldap_bruteforce.py → ldap_bruteforce_user.py}
  7. +0 −3 alerts/ldap_password_spray.conf
  8. +2 −0 alerts/proxy_drop_ip.conf
  9. +5 −0 alerts/proxy_drop_ip.py
  10. 0 cloudy_mozdef/lambda_layer/build/{lib/__init__.py → .gitkeep}
  11. +0 −66 cloudy_mozdef/lambda_layer/build/lambdalert.py
  12. +0 −12 cloudy_mozdef/lambda_layer/build/lib/alert_plugin_set.py
  13. +0 −549 cloudy_mozdef/lambda_layer/build/lib/alerttask.py
  14. +0 −82 cloudy_mozdef/lambda_layer/build/lib/config.py
  15. +0 −9 cloudy_mozdef/lambda_layer/build/lib/deadman_alerttask.py
  16. +4 −1 cron/update_geolite_db.conf
  17. +16 −11 cron/update_geolite_db.py
  18. +11 −0 docker/compose/dev-docs.yml
  19. +0 −1 docker/compose/mozdef_base/Dockerfile
  20. +0 −1 docker/compose/mozdef_meteor/Dockerfile
  21. +0 −5 docs/source/code.rst
  22. +11 −0 docs/source/development.rst
  23. +1 −17 docs/source/index.rst
  24. +0 −27 docs/source/overview.rst
  25. +5 −2 docs/source/references.rst
  26. +5 −1 meteor/client/layout.js
  27. +0 −4 meteor/imports/themes/side_nav_dark/mozdef.css
  28. +13 −8 mq/plugins/broFixup.py
  29. +8 −0 mq/plugins/cloudtrail.py
  30. +25 −37 mq/plugins/geoip.py
  31. +31 −0 mq/plugins/ldap_fixup.py
  32. +21 −5 mq/plugins/zoom_fixup.py
  33. +1 −20 requirements.txt
  34. +20 −20 tests/alerts/test_geomodel_location.py
  35. +15 −5 tests/alerts/{test_ldap_password_spray.py → test_ldap_bruteforce_global.py}
  36. +3 −3 tests/alerts/{test_ldap_bruteforce.py → test_ldap_bruteforce_user.py}
  37. +9 −0 tests/alerts/test_proxy_drop_ip.py
  38. +14 −8 tests/mq/plugins/test_broFixup.py
  39. +36 −0 tests/mq/plugins/test_ldap_fixup.py
  40. +132 −0 tests/mq/plugins/test_zoom_fixup.py
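--- a/Makefile
+++ b/Makefile
@@ -139,3 +139,12 @@ rebuild: clean build-from-cwd
 .PHONY: new-alert
 new-alert: ## Create an example alert and working alert unit test
 python tests/alert_templater.py
+
+.PHONY: run-docs
+run-docs: stop-docs ## Start container to serve up documentation for development
+docker-compose -f docker/compose/dev-docs.yml up -d
+@echo "Visit http://localhost:8000 - Feel free to update source code and then refresh webpage!"
+
+.PHONY: stop-docs
+stop-docs: ## Stop the docs development container if running
+-docker-compose -f docker/compose/dev-docs.yml stop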
@@ -147,7 +147,7 @@ def onAggregation(self, agg):
summary = alert.summary(new_alert)

alert_dict = self.createAlertDict(
summary, 'geomodel', ['geomodel'], events, 'INFO')
summary, 'geomodel', ['geomodel'], events, 'WARNING')

# TODO: When we update to Python 3.7+, change to asdict(alert_produced)
alert_dict['details'] = {
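Review bot: The severity handed to createAlertDict is a bare positional string literal sitting between other literals, so the change on that line (the two copies of the `summary, 'geomodel', ['geomodel'], events, …` call appear to be the old INFO and new WARNING variants, if the rendering preserves order) carries no recorded rationale and is easy to miss in review. A short comment on the call, e.g. `# geomodel hits are actionable, hence WARNING rather than INFO; keep in sync with tests/alerts/test_geomodel_location.py`, or a module-level `SEVERITY = 'WARNING'` constant reused here, would document the intent. The enclosing onAggregation starts before this hunk.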
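--- a/alerts/ldap_bruteforce_global.conf
+++ b/alerts/ldap_bruteforce_global.conf
@@ -0,0 +1,4 @@
+[options]
+threshold_count = 1
+search_depth_min = 60
+host_exclusions = foo.example.com,bar.example.com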
@@ -11,10 +11,14 @@
import re


class AlertLdapPasswordSpray(AlertTask):
class AlertLdapBruteforceGlobal(AlertTask):
def main(self):
self.parse_config('ldap_password_spray.conf', ['threshold_count', 'search_depth_min'])
self.parse_config('ldap_bruteforce_global.conf', ['threshold_count', 'search_depth_min', 'host_exclusions'])
search_query = SearchQuery(minutes=int(self.config.search_depth_min))

for host_exclusion in self.config.host_exclusions.split(","):
search_query.add_must_not([TermMatch("details.server", host_exclusion)])

search_query.add_must([
TermMatch('category', 'ldap'),
TermMatch('details.response.error', 'LDAP_INVALID_CREDENTIALS')
@@ -24,7 +28,7 @@ def main(self):
self.walkAggregations(threshold=int(self.config.threshold_count))

def onAggregation(self, aggreg):
category = 'ldap'
category = 'bruteforce'
tags = ['ldap']
severity = 'WARNING'
email_list = set()
@@ -41,7 +45,7 @@ def onAggregation(self, aggreg):
# if len(email_list) == 0:
# return None

summary = 'LDAP Password Spray Attack in Progress from {0} targeting the following account(s): {1}'.format(
summary = 'Global LDAP Bruteforce Attack in Progress from {0} targeting the following account(s): {1}'.format(
aggreg['value'],
", ".join(sorted(email_list)[:10])
)
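Review bot: The new exclusion loop in main, `for host_exclusion in self.config.host_exclusions.split(","):`, feeds each raw piece straight into TermMatch, so a value written with spaces after the commas (`a.example.com, b.example.com`) silently fails to exclude every host after the first, and an empty host_exclusions yields `['']` and adds a must_not on an empty server name. Normalising the list first, `for host_exclusion in (h.strip() for h in self.config.host_exclusions.split(",") if h.strip()):`, covers both cases without changing the config format. The same pattern is introduced for ip_whitelist in alerts/proxy_drop_ip.py and would benefit from the same treatment. main continues past the end of the first hunk.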
File renamed without changes.
@@ -10,9 +10,9 @@
from mozdef_util.query_models import SearchQuery, TermMatch


class AlertLdapBruteforce(AlertTask):
class AlertLdapBruteforceUser(AlertTask):
def main(self):
self.parse_config('ldap_bruteforce.conf', ['threshold_count', 'search_depth_min', 'host_exclusions'])
self.parse_config('ldap_bruteforce_user.conf', ['threshold_count', 'search_depth_min', 'host_exclusions'])
search_query = SearchQuery(minutes=int(self.config.search_depth_min))
search_query.add_must_not(TermMatch('details.user', ''))
search_query.add_must([
@@ -28,7 +28,7 @@ def main(self):
self.walkAggregations(threshold=int(self.config.threshold_count))

def onAggregation(self, aggreg):
category = 'ldap'
category = 'bruteforce'
tags = ['ldap']
severity = 'WARNING'
client_list = set()

This file was deleted.

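--- a/alerts/proxy_drop_ip.conf
+++ b/alerts/proxy_drop_ip.conf
@@ -0,0 +1,2 @@
+[options]
+ip_whitelist = 169.254.169.254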
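Review bot: The only whitelisted address, 169.254.169.254, is the link-local address commonly used for a cloud instance-metadata service, and nothing in the file records why proxied requests to it should be exempt from the proxy-drop alert; traffic to that endpoint from behind a proxy is the kind a drop alert is meant to surface. If the config parser accepts comments, a line above the key such as `# 169.254.169.254: instance metadata, expected from <SERVICE-PLACEHOLDER>; do not widen this list without review` would preserve the rationale. The diff does not show whether the value was chosen to silence a specific known source of noise, so that is worth stating explicitly.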
@@ -13,6 +13,8 @@

class AlertProxyDropIP(AlertTask):
def main(self):
self.parse_config("proxy_drop_ip.conf", ["ip_whitelist"])

search_query = SearchQuery(minutes=20)

search_query.add_must(
@@ -28,6 +30,9 @@ def main(self):

search_query.add_must([QueryStringMatch("details.host: {}".format(ip_regex))])

for ip in self.config.ip_whitelist.split(","):
search_query.add_must_not([TermMatch("details.host", ip)])

self.filtersManual(search_query)
self.searchEventsAggregated("details.sourceipaddress", samplesLimit=10)
self.walkAggregations(threshold=1)
File renamed without changes.

This file was deleted.

This file was deleted.
