
removes mapping change in favor of rewriting summary

Phrozyn committed Oct 25, 2019
1 parent 30a5076 commit c6030ad4d7c638be192a2e1c69c2b229f3a04568
Showing with 43 additions and 27 deletions.
  1. +1 −1 cron/defaultMappingTemplate.json
  2. +32 −18 mq/plugins/broFixup.py
  3. +10 −8 tests/mq/plugins/test_broFixup.py
@@ -90,7 +90,7 @@
"type": "geo_point"
},
"success": {
"type": "keyword"
"type": "boolean"
},
"sourceport": {
"type": "keyword"
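Review bot: If the `success` line kept by this hunk is `"type": "boolean"` (the commit title says the earlier mapping change is being removed, but the rendered page has lost the +/- markers, so this is inferred), then the plugin must never write a non-boolean string into `details.success`, and the broFixup.py hunks in this commit do drop the `'unknown'` default accordingly. The tests in this same commit now feed `'True'` and `'False'` as capitalised strings; Elasticsearch boolean fields accept only particular spellings of true/false depending on the version in use, so it is worth checking that the values Bro actually emits are indexed rather than rejected with a mapping error, since a rejected authentication event is a silently missing one. JSON cannot carry a comment here, so the coupling is best recorded in broFixup.py next to the kerberos and ntlm handling, e.g. `# details['success'] must be a boolean or absent: the index template maps it as boolean`.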
@@ -518,17 +518,24 @@ def onMessage(self, message, metadata):
newmessage['details']['client'] = 'unknown'
if 'service' not in newmessage['details']:
newmessage['details']['service'] = 'unknown'
if 'success' not in newmessage['details']:
newmessage['details']['success'] = 'unknown'
if 'error_msg' not in newmessage['details']:
newmessage['details']['error_msg'] = ''
newmessage['summary'] = (
'{sourceipaddress} -> '
'{destinationipaddress}:'
'{destinationport} '
'request {request_type} '
'success {success}'
).format(**newmessage['details'])
if 'success' not in newmessage['details']:
newmessage['summary'] = (
'{sourceipaddress} -> '
'{destinationipaddress}:'
'{destinationport} '
'request {request_type} '
'success unknown'
).format(**newmessage['details'])
else:
newmessage['summary'] = (
'{sourceipaddress} -> '
'{destinationipaddress}:'
'{destinationport} '
'request {request_type} '
'success {success}'
).format(**newmessage['details'])
return (newmessage, metadata)

if logtype == 'ntlm':
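Review bot: The two branches added after the `error_msg` default differ only in the last token of the template, so sixteen lines say what four could, and the same duplication is repeated in the ntlm hunk below (`'success unknown '` versus `'success {success} '`). Computing the token first leaves one template per log type: `success = newmessage['details'].get('success', 'unknown')` followed by a single `.format(**dict(newmessage['details'], success=success))`; the `dict(...)` copy is needed rather than `success=success, **newmessage['details']`, because a details dict that already holds the key would make `format` raise on a duplicate keyword argument. Dropping the `details['success'] = 'unknown'` default also changes the stored event: the field is now absent rather than `'unknown'`, so any saved search or alert that filtered on `details.success` for the unknown case presumably needs an exists query or the summary text instead — worth confirming against the consumers. The enclosing `onMessage` starts and ends outside the hunk.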
@@ -548,17 +555,24 @@ def onMessage(self, message, metadata):
del(newmessage['details']['username'])
else:
newmessage['details']['ntlm']['username'] = 'unknown'
if 'success' not in newmessage['details']:
newmessage['details']['success'] = 'unknown'
if 'status' not in newmessage['details']:
newmessage['details']['status'] = 'unknown'
newmessage['summary'] = (
'NTLM: {sourceipaddress} -> '
'{destinationipaddress}:'
'{destinationport} '
'success {success} '
'status {status}'
).format(**newmessage['details'])
if 'success' not in newmessage['details']:
newmessage['summary'] = (
'NTLM: {sourceipaddress} -> '
'{destinationipaddress}:'
'{destinationport} '
'success unknown '
'status {status}'
).format(**newmessage['details'])
else:
newmessage['summary'] = (
'NTLM: {sourceipaddress} -> '
'{destinationipaddress}:'
'{destinationport} '
'success {success} '
'status {status}'
).format(**newmessage['details'])
return (newmessage, metadata)

if logtype == 'smb_files':
@@ -1854,10 +1854,10 @@ def test_kerberos_log(self):
self.verify_metadata(metadata)
assert toUTC(MESSAGE['ts']).isoformat() == result['utctimestamp']
assert toUTC(MESSAGE['ts']).isoformat() == result['timestamp']
assert 'success' not in result['details']
for key in MESSAGE.keys():
if not key.startswith('id.'):
assert key in result['details']
assert MESSAGE[key] == result['details'][key]
assert result['summary'] == '10.26.40.121 -> 10.22.69.21:88 request TGS success unknown'

def test_kerberos_log2(self):
@@ -1876,7 +1876,7 @@ def test_kerberos_log2(self):
"request_type":"AS",
"client":"valid_client_principal/VLADG.NET",
"service":"krbtgt/VLADG.NET",
"success":'true',
"success":'True',
"till":1421708111.0,
"cipher":"aes256-cts-hmac-sha1-96",
"forwardable":'false',
@@ -1889,11 +1889,12 @@ def test_kerberos_log2(self):
self.verify_metadata(metadata)
assert toUTC(MESSAGE['ts']).isoformat() == result['utctimestamp']
assert toUTC(MESSAGE['ts']).isoformat() == result['timestamp']
assert MESSAGE['success'] == result['details']['success']
for key in MESSAGE.keys():
if not key.startswith('id.'):
assert key in result['details']
assert MESSAGE[key] == result['details'][key]
assert result['summary'] == '192.168.1.31 -> 192.168.1.32:88 request AS success true'
assert result['summary'] == '192.168.1.31 -> 192.168.1.32:88 request AS success True'

def test_kerberos_log3(self):
event = {
@@ -1911,7 +1912,7 @@ def test_kerberos_log3(self):
"request_type":"TGS",
"client":"valid_client_principal/VLADG.NET",
"service":"krbtgt/VLADG.NET",
"success":'false',
"success":'False',
"error_msg":"TICKET NOT RENEWABLE",
"till":1421708111.0,
"forwardable":'false',
@@ -1924,11 +1925,12 @@ def test_kerberos_log3(self):
self.verify_metadata(metadata)
assert toUTC(MESSAGE['ts']).isoformat() == result['utctimestamp']
assert toUTC(MESSAGE['ts']).isoformat() == result['timestamp']
assert MESSAGE['success'] == result['details']['success']
for key in MESSAGE.keys():
if not key.startswith('id.'):
assert key in result['details']
assert MESSAGE[key] == result['details'][key]
assert result['summary'] == '192.168.1.31 -> 192.168.1.32:88 request TGS success false'
assert result['summary'] == '192.168.1.31 -> 192.168.1.32:88 request TGS success False'

def test_ntlm_log(self):
event = {
@@ -1946,7 +1948,7 @@ def test_ntlm_log(self):
"username":"T-W864-IX-018$",
"hostname":"T-W864-IX-018",
"domainname":"RELENG",
"success":'true',
"success":'True',
"status":"SUCCESS",
}
event['MESSAGE'] = json.dumps(MESSAGE)
@@ -1961,7 +1963,7 @@ def test_ntlm_log(self):
assert MESSAGE['domainname'] == result['details']['ntlm']['domainname']
assert MESSAGE['success'] == result['details']['success']
assert MESSAGE['status'] == result['details']['status']
assert result['summary'] == 'NTLM: 10.26.40.48 -> 10.22.69.18:445 success true status SUCCESS'
assert result['summary'] == 'NTLM: 10.26.40.48 -> 10.22.69.18:445 success True status SUCCESS'

def test_ntlm_log2(self):
event = {
@@ -1987,7 +1989,7 @@ def test_ntlm_log2(self):
assert 'username' in result['details']['ntlm']
assert 'hostname' in result['details']['ntlm']
assert 'domainname' in result['details']['ntlm']
assert 'success' in result['details']
assert 'success' not in result['details']
assert 'status' in result['details']
assert result['summary'] == 'NTLM: 10.26.40.48 -> 10.22.69.18:445 success unknown status unknown'
