
removes mapping change in favor of rewriting summary

Phrozyn committed Oct 25, 2019
1 parent 30a5076 commit c6030ad4d7c638be192a2e1c69c2b229f3a04568
Showing with 43 additions and 27 deletions.
  1. +1 −1 cron/defaultMappingTemplate.json
  2. +32 −18 mq/plugins/broFixup.py
  3. +10 −8 tests/mq/plugins/test_broFixup.py
@@ -90,7 +90,7 @@
"type": "geo_point" "type": "geo_point"
}, },
"success": { "success": {
"type": "keyword" "type": "boolean"
}, },
"sourceport": { "sourceport": {
"type": "keyword" "type": "keyword"
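Review bot: Changing `success` from `keyword` to `boolean` makes the stored value type-sensitive, and the tests in this same commit feed `'True'`/`'False'` strings and assert they round-trip unchanged into `result['details']['success']`. As far as I know, an Elasticsearch boolean field accepts JSON `true`/`false` and the lowercase strings `"true"`/`"false"` but rejects `"True"` with a mapping parse error, so such an event would fail indexing rather than land with the wrong type. Please confirm what the Bro producer actually emits for this field and, if it can be a string, normalize it in broFixup.py before this template goes out, with a test that uses the real wire value.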
@@ -518,17 +518,24 @@ def onMessage(self, message, metadata):
newmessage['details']['client'] = 'unknown' newmessage['details']['client'] = 'unknown'
if 'service' not in newmessage['details']: if 'service' not in newmessage['details']:
newmessage['details']['service'] = 'unknown' newmessage['details']['service'] = 'unknown'
if 'success' not in newmessage['details']:
newmessage['details']['success'] = 'unknown'
if 'error_msg' not in newmessage['details']: if 'error_msg' not in newmessage['details']:
newmessage['details']['error_msg'] = '' newmessage['details']['error_msg'] = ''
newmessage['summary'] = ( if 'success' not in newmessage['details']:
'{sourceipaddress} -> ' newmessage['summary'] = (
'{destinationipaddress}:' '{sourceipaddress} -> '
'{destinationport} ' '{destinationipaddress}:'
'request {request_type} ' '{destinationport} '
'success {success}' 'request {request_type} '
).format(**newmessage['details']) 'success unknown'
).format(**newmessage['details'])
else:
newmessage['summary'] = (
'{sourceipaddress} -> '
'{destinationipaddress}:'
'{destinationport} '
'request {request_type} '
'success {success}'
).format(**newmessage['details'])
return (newmessage, metadata) return (newmessage, metadata)


if logtype == 'ntlm': if logtype == 'ntlm':
@@ -548,17 +555,24 @@ def onMessage(self, message, metadata):
del(newmessage['details']['username']) del(newmessage['details']['username'])
else: else:
newmessage['details']['ntlm']['username'] = 'unknown' newmessage['details']['ntlm']['username'] = 'unknown'
if 'success' not in newmessage['details']:
newmessage['details']['success'] = 'unknown'
if 'status' not in newmessage['details']: if 'status' not in newmessage['details']:
newmessage['details']['status'] = 'unknown' newmessage['details']['status'] = 'unknown'
newmessage['summary'] = ( if 'success' not in newmessage['details']:
'NTLM: {sourceipaddress} -> ' newmessage['summary'] = (
'{destinationipaddress}:' 'NTLM: {sourceipaddress} -> '
'{destinationport} ' '{destinationipaddress}:'
'success {success} ' '{destinationport} '
'status {status}' 'success unknown '
).format(**newmessage['details']) 'status {status}'
).format(**newmessage['details'])
else:
newmessage['summary'] = (
'NTLM: {sourceipaddress} -> '
'{destinationipaddress}:'
'{destinationport} '
'success {success} '
'status {status}'
).format(**newmessage['details'])
return (newmessage, metadata) return (newmessage, metadata)


if logtype == 'smb_files': if logtype == 'smb_files':
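Review bot: Both new `if 'success' not in newmessage['details']:` / `else:` branches in the kerberos hunk (and again in the ntlm hunk at -548) duplicate the whole summary template just to swap the `{success}` token for the literal `unknown`, so the two copies of each template will drift the next time a field is added. The branch can be collapsed by resolving the value once with `newmessage['details'].get('success', 'unknown')` and formatting a single template, overriding the key in the format arguments so the `**details` expansion cannot collide with it. Same rewrite applies to the NTLM branch with its `'NTLM: ...'` template and `status {status}` suffix; onMessage itself starts before this hunk.
```python
# … unchanged: client / service / error_msg defaults …
success = newmessage['details'].get('success', 'unknown')
newmessage['summary'] = (
    '{sourceipaddress} -> '
    '{destinationipaddress}:'
    '{destinationport} '
    'request {request_type} '
    'success {success}'
).format(**dict(newmessage['details'], success=success))
return (newmessage, metadata)
```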
@@ -1854,10 +1854,10 @@ def test_kerberos_log(self):
self.verify_metadata(metadata) self.verify_metadata(metadata)
assert toUTC(MESSAGE['ts']).isoformat() == result['utctimestamp'] assert toUTC(MESSAGE['ts']).isoformat() == result['utctimestamp']
assert toUTC(MESSAGE['ts']).isoformat() == result['timestamp'] assert toUTC(MESSAGE['ts']).isoformat() == result['timestamp']
assert 'success' not in result['details']
for key in MESSAGE.keys(): for key in MESSAGE.keys():
if not key.startswith('id.'): if not key.startswith('id.'):
assert key in result['details'] assert key in result['details']
assert MESSAGE[key] == result['details'][key]
assert result['summary'] == '10.26.40.121 -> 10.22.69.21:88 request TGS success unknown' assert result['summary'] == '10.26.40.121 -> 10.22.69.21:88 request TGS success unknown'


def test_kerberos_log2(self): def test_kerberos_log2(self):
@@ -1876,7 +1876,7 @@ def test_kerberos_log2(self):
"request_type":"AS", "request_type":"AS",
"client":"valid_client_principal/VLADG.NET", "client":"valid_client_principal/VLADG.NET",
"service":"krbtgt/VLADG.NET", "service":"krbtgt/VLADG.NET",
"success":'true', "success":'True',
"till":1421708111.0, "till":1421708111.0,
"cipher":"aes256-cts-hmac-sha1-96", "cipher":"aes256-cts-hmac-sha1-96",
"forwardable":'false', "forwardable":'false',
@@ -1889,11 +1889,12 @@ def test_kerberos_log2(self):
self.verify_metadata(metadata) self.verify_metadata(metadata)
assert toUTC(MESSAGE['ts']).isoformat() == result['utctimestamp'] assert toUTC(MESSAGE['ts']).isoformat() == result['utctimestamp']
assert toUTC(MESSAGE['ts']).isoformat() == result['timestamp'] assert toUTC(MESSAGE['ts']).isoformat() == result['timestamp']
assert MESSAGE['success'] == result['details']['success']
for key in MESSAGE.keys(): for key in MESSAGE.keys():
if not key.startswith('id.'): if not key.startswith('id.'):
assert key in result['details'] assert key in result['details']
assert MESSAGE[key] == result['details'][key] assert MESSAGE[key] == result['details'][key]
assert result['summary'] == '192.168.1.31 -> 192.168.1.32:88 request AS success true' assert result['summary'] == '192.168.1.31 -> 192.168.1.32:88 request AS success True'


def test_kerberos_log3(self): def test_kerberos_log3(self):
event = { event = {
@@ -1911,7 +1912,7 @@ def test_kerberos_log3(self):
"request_type":"TGS", "request_type":"TGS",
"client":"valid_client_principal/VLADG.NET", "client":"valid_client_principal/VLADG.NET",
"service":"krbtgt/VLADG.NET", "service":"krbtgt/VLADG.NET",
"success":'false', "success":'False',
"error_msg":"TICKET NOT RENEWABLE", "error_msg":"TICKET NOT RENEWABLE",
"till":1421708111.0, "till":1421708111.0,
"forwardable":'false', "forwardable":'false',
@@ -1924,11 +1925,12 @@ def test_kerberos_log3(self):
self.verify_metadata(metadata) self.verify_metadata(metadata)
assert toUTC(MESSAGE['ts']).isoformat() == result['utctimestamp'] assert toUTC(MESSAGE['ts']).isoformat() == result['utctimestamp']
assert toUTC(MESSAGE['ts']).isoformat() == result['timestamp'] assert toUTC(MESSAGE['ts']).isoformat() == result['timestamp']
assert MESSAGE['success'] == result['details']['success']
for key in MESSAGE.keys(): for key in MESSAGE.keys():
if not key.startswith('id.'): if not key.startswith('id.'):
assert key in result['details'] assert key in result['details']
assert MESSAGE[key] == result['details'][key] assert MESSAGE[key] == result['details'][key]
assert result['summary'] == '192.168.1.31 -> 192.168.1.32:88 request TGS success false' assert result['summary'] == '192.168.1.31 -> 192.168.1.32:88 request TGS success False'


def test_ntlm_log(self): def test_ntlm_log(self):
event = { event = {
@@ -1946,7 +1948,7 @@ def test_ntlm_log(self):
"username":"T-W864-IX-018$", "username":"T-W864-IX-018$",
"hostname":"T-W864-IX-018", "hostname":"T-W864-IX-018",
"domainname":"RELENG", "domainname":"RELENG",
"success":'true', "success":'True',
"status":"SUCCESS", "status":"SUCCESS",
} }
event['MESSAGE'] = json.dumps(MESSAGE) event['MESSAGE'] = json.dumps(MESSAGE)
@@ -1961,7 +1963,7 @@ def test_ntlm_log(self):
assert MESSAGE['domainname'] == result['details']['ntlm']['domainname'] assert MESSAGE['domainname'] == result['details']['ntlm']['domainname']
assert MESSAGE['success'] == result['details']['success'] assert MESSAGE['success'] == result['details']['success']
assert MESSAGE['status'] == result['details']['status'] assert MESSAGE['status'] == result['details']['status']
assert result['summary'] == 'NTLM: 10.26.40.48 -> 10.22.69.18:445 success true status SUCCESS' assert result['summary'] == 'NTLM: 10.26.40.48 -> 10.22.69.18:445 success True status SUCCESS'


def test_ntlm_log2(self): def test_ntlm_log2(self):
event = { event = {
@@ -1987,7 +1989,7 @@ def test_ntlm_log2(self):
assert 'username' in result['details']['ntlm'] assert 'username' in result['details']['ntlm']
assert 'hostname' in result['details']['ntlm'] assert 'hostname' in result['details']['ntlm']
assert 'domainname' in result['details']['ntlm'] assert 'domainname' in result['details']['ntlm']
assert 'success' in result['details'] assert 'success' not in result['details']
assert 'status' in result['details'] assert 'status' in result['details']
assert result['summary'] == 'NTLM: 10.26.40.48 -> 10.22.69.18:445 success unknown status unknown' assert result['summary'] == 'NTLM: 10.26.40.48 -> 10.22.69.18:445 success unknown status unknown'
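Review bot: In test_kerberos_log (hunk -1854) `assert MESSAGE[key] == result['details'][key]` appears on one side only; the rendering has lost the markers, and the 10/10 line counts allow either side, but if it is the removed line then that test now only checks that each non-`id.` key is present in `result['details']` and no longer checks its value, while test_kerberos_log2 and test_kerberos_log3 keep the value check. If the check had to go because the plugin rewrites one particular field for this input, keep the loop and assert the rewritten field explicitly instead of dropping value verification for the whole message. Also worth a comment on the new `assert 'success' not in result['details']` lines (here and in test_ntlm_log2) stating that the absence is intentional, e.g. `# plugin no longer writes a placeholder 'unknown' into details; only the summary carries it`.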

