From c6030ad4d7c638be192a2e1c69c2b229f3a04568 Mon Sep 17 00:00:00 2001
From: Phrozyn
Date: Fri, 25 Oct 2019 11:57:07 -0500
Subject: [PATCH] removes mapping change in favor of rewriting summary

---
cron/defaultMappingTemplate.json | 2 +-
mq/plugins/broFixup.py | 50 ++++++++++++++++++++-----------
tests/mq/plugins/test_broFixup.py | 18 ++++++-----
3 files changed, 43 insertions(+), 27 deletions(-)

diff --git a/cron/defaultMappingTemplate.json b/cron/defaultMappingTemplate.json
index 1a7122a30..b518c274d 100644
--- a/cron/defaultMappingTemplate.json
+++ b/cron/defaultMappingTemplate.json
@@ -90,7 +90,7 @@
"type": "geo_point"
},
"success": {
- "type": "keyword"
+ "type": "boolean"
},
"sourceport": {
"type": "keyword"
diff --git a/mq/plugins/broFixup.py b/mq/plugins/broFixup.py
index 03031d624..1e415c4e5 100644
--- a/mq/plugins/broFixup.py
+++ b/mq/plugins/broFixup.py
@@ -518,17 +518,24 @@ def onMessage(self, message, metadata):
newmessage['details']['client'] = 'unknown'
if 'service' not in newmessage['details']:
newmessage['details']['service'] = 'unknown'
- if 'success' not in newmessage['details']:
- newmessage['details']['success'] = 'unknown'
if 'error_msg' not in newmessage['details']:
newmessage['details']['error_msg'] = ''
- newmessage['summary'] = (
- '{sourceipaddress} -> '
- '{destinationipaddress}:'
- '{destinationport} '
- 'request {request_type} '
- 'success {success}'
- ).format(**newmessage['details'])
+ if 'success' not in newmessage['details']:
+ newmessage['summary'] = (
+ '{sourceipaddress} -> '
+ '{destinationipaddress}:'
+ '{destinationport} '
+ 'request {request_type} '
+ 'success unknown'
+ ).format(**newmessage['details'])
+ else:
+ newmessage['summary'] = (
+ '{sourceipaddress} -> '
+ '{destinationipaddress}:'
+ '{destinationport} '
+ 'request {request_type} '
+ 'success {success}'
+ ).format(**newmessage['details'])
return (newmessage, metadata)

if logtype == 'ntlm':
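Review bot: Declaring `details.success` as `boolean` means every writer of that field must now emit a JSON boolean (or one of the few string spellings Elasticsearch coerces, which to my knowledge are only "true", "false" and ""); the string sentinel `'unknown'` that the broFixup.py hunks in this commit remove would be rejected by the index mapper, and any other plugin that still writes a string into this field will have its whole event refused at index time. Since JSON has no comment syntax, that constraint belongs in the repository documentation that describes this template, e.g. `details.success is mapped as boolean: omit the field rather than writing a placeholder string`. The commit title says it removes a mapping change while this hunk turns `keyword` into `boolean`, presumably restoring the earlier type; worth confirming that is the intended direction.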
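Review bot: The new `if 'success' not in ...` / `else` branches in this hunk duplicate the whole seven-line summary template just to swap the literal `unknown` for `{success}`, and the NTLM hunk at `@@ -548,17 +555,24 @@` repeats the same pattern; a single template with a looked-up value keeps the two copies from drifting apart. Replace the branch with `summary_success = newmessage['details'].get('success', 'unknown')` ahead of one format call that ends in `).format(**dict(newmessage['details'], success=summary_success))`, which overrides `success` for the summary only and leaves `details` untouched so the field stays absent when the producer did not send it. A short comment on that line, `# details.success is a boolean in the index mapping, so never write a string placeholder into details; the summary text carries 'unknown' instead`, would record why the old default was dropped. `onMessage` begins and ends outside this hunk, and the context lines assume `sourceipaddress`, `destinationipaddress`, `destinationport` and `request_type` are already present in `details`, which I cannot verify from here.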
@@ -548,17 +555,24 @@ def onMessage(self, message, metadata):
del(newmessage['details']['username'])
else:
newmessage['details']['ntlm']['username'] = 'unknown'
- if 'success' not in newmessage['details']:
- newmessage['details']['success'] = 'unknown'
if 'status' not in newmessage['details']:
newmessage['details']['status'] = 'unknown'
- newmessage['summary'] = (
- 'NTLM: {sourceipaddress} -> '
- '{destinationipaddress}:'
- '{destinationport} '
- 'success {success} '
- 'status {status}'
- ).format(**newmessage['details'])
+ if 'success' not in newmessage['details']:
+ newmessage['summary'] = (
+ 'NTLM: {sourceipaddress} -> '
+ '{destinationipaddress}:'
+ '{destinationport} '
+ 'success unknown '
+ 'status {status}'
+ ).format(**newmessage['details'])
+ else:
+ newmessage['summary'] = (
+ 'NTLM: {sourceipaddress} -> '
+ '{destinationipaddress}:'
+ '{destinationport} '
+ 'success {success} '
+ 'status {status}'
+ ).format(**newmessage['details'])
return (newmessage, metadata)

if logtype == 'smb_files':
diff --git a/tests/mq/plugins/test_broFixup.py b/tests/mq/plugins/test_broFixup.py
index 41b9b70e0..9c3c1fd06 100644
--- a/tests/mq/plugins/test_broFixup.py
+++ b/tests/mq/plugins/test_broFixup.py
@@ -1854,10 +1854,10 @@ def test_kerberos_log(self):
self.verify_metadata(metadata)
assert toUTC(MESSAGE['ts']).isoformat() == result['utctimestamp']
assert toUTC(MESSAGE['ts']).isoformat() == result['timestamp']
+ assert 'success' not in result['details']
for key in MESSAGE.keys():
if not key.startswith('id.'):
assert key in result['details']
- assert MESSAGE[key] == result['details'][key]
assert result['summary'] == '10.26.40.121 -> 10.22.69.21:88 request TGS success unknown'

def test_kerberos_log2(self):
@@ -1876,7 +1876,7 @@ def test_kerberos_log2(self):
"request_type":"AS",
"client":"valid_client_principal/VLADG.NET",
"service":"krbtgt/VLADG.NET",
- "success":'true',
+ "success":'True',
"till":1421708111.0,
"cipher":"aes256-cts-hmac-sha1-96",
"forwardable":'false',
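Review bot: Dropping `assert MESSAGE[key] == result['details'][key]` from the loop in `test_kerberos_log` leaves that test checking only that each input key is present in `details`, so a plugin that copies keys but corrupts values would still pass; nothing in this hunk explains the removal, since the added `assert 'success' not in result['details']` only holds when the fixture has no `success` key, in which case the equality check would not have touched it. Unless a value is deliberately transformed for this fixture, restore the line as `assert MESSAGE[key] == result['details'][key]`; if one key is, skip just that key instead of the whole check. The fixture dictionary and the rest of the test lie outside the hunk, so the reason may be visible there.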
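Review bot: The fixture in this hunk now sends `"success":'True'`, a Python string that `json.dumps` serialises as the JSON string "True", which is neither what the producer emits (Zeek's JSON writer logs `success` as a JSON boolean, as far as I know) nor a spelling the `boolean` mapping introduced in `cron/defaultMappingTemplate.json` accepts, so the test passes the plugin with input the real pipeline would never see and output the index would reject; the fixtures at `@@ -1911,7 +1912,7 @@` and `@@ -1946,7 +1948,7 @@` have the same shape. Use a real boolean, `"success": True,`, and the expected summaries ending in `success True` / `success False` still hold because `str.format` renders a Python bool that way. Adding `assert result['details']['success'] is True` alongside the existing equality assertion would then pin that the plugin leaves the type alone.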
@@ -1889,11 +1889,12 @@ def test_kerberos_log2(self):
self.verify_metadata(metadata)
assert toUTC(MESSAGE['ts']).isoformat() == result['utctimestamp']
assert toUTC(MESSAGE['ts']).isoformat() == result['timestamp']
+ assert MESSAGE['success'] == result['details']['success']
for key in MESSAGE.keys():
if not key.startswith('id.'):
assert key in result['details']
assert MESSAGE[key] == result['details'][key]
- assert result['summary'] == '192.168.1.31 -> 192.168.1.32:88 request AS success true'
+ assert result['summary'] == '192.168.1.31 -> 192.168.1.32:88 request AS success True'

def test_kerberos_log3(self):
event = {
@@ -1911,7 +1912,7 @@ def test_kerberos_log3(self):
"request_type":"TGS",
"client":"valid_client_principal/VLADG.NET",
"service":"krbtgt/VLADG.NET",
- "success":'false',
+ "success":'False',
"error_msg":"TICKET NOT RENEWABLE",
"till":1421708111.0,
"forwardable":'false',
@@ -1924,11 +1925,12 @@ def test_kerberos_log3(self):
self.verify_metadata(metadata)
assert toUTC(MESSAGE['ts']).isoformat() == result['utctimestamp']
assert toUTC(MESSAGE['ts']).isoformat() == result['timestamp']
+ assert MESSAGE['success'] == result['details']['success']
for key in MESSAGE.keys():
if not key.startswith('id.'):
assert key in result['details']
assert MESSAGE[key] == result['details'][key]
- assert result['summary'] == '192.168.1.31 -> 192.168.1.32:88 request TGS success false'
+ assert result['summary'] == '192.168.1.31 -> 192.168.1.32:88 request TGS success False'

def test_ntlm_log(self):
event = {
@@ -1946,7 +1948,7 @@ def test_ntlm_log(self):
"username":"T-W864-IX-018$",
"hostname":"T-W864-IX-018",
"domainname":"RELENG",
- "success":'true',
+ "success":'True',
"status":"SUCCESS",
}
event['MESSAGE'] = json.dumps(MESSAGE)
@@ -1961,7 +1963,7 @@ def test_ntlm_log(self):
assert MESSAGE['domainname'] == result['details']['ntlm']['domainname']
assert MESSAGE['success'] == result['details']['success']
assert MESSAGE['status'] == result['details']['status']
- assert result['summary'] == 'NTLM: 10.26.40.48 -> 10.22.69.18:445 success true status SUCCESS'
+ assert result['summary'] == 'NTLM: 10.26.40.48 -> 10.22.69.18:445 success True status SUCCESS'

def test_ntlm_log2(self):
event = {
@@ -1987,7 +1989,7 @@ def test_ntlm_log2(self):
assert 'username' in result['details']['ntlm']
assert 'hostname' in result['details']['ntlm']
assert 'domainname' in result['details']['ntlm']
- assert 'success' in result['details']
+ assert 'success' not in result['details']
assert 'status' in result['details']
assert result['summary'] == 'NTLM: 10.26.40.48 -> 10.22.69.18:445 success unknown status unknown'