Work around the lower_case plugin changes

Michal Purzynski
Michal Purzynski committed Dec 26, 2018
1 parent ac3a356 commit d93b2cbb2952e432e1b2d419e7bccb06cca671a1
Showing with 32 additions and 31 deletions.
  1. +13 −12 mq/plugins/suricataFixup.py
  2. +19 −19 tests/mq/plugins/test_suricataFixup.py
@@ -3,6 +3,7 @@
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# Copyright (c) 2018 Mozilla Corporation

import netaddr
import json
from datetime import datetime
from platform import node
@@ -46,21 +47,21 @@ def onMessage(self, message, metadata):
newmessage = dict()

try:
newmessage['details'] = json.loads(message['MESSAGE'])
newmessage['details'] = json.loads(message['message'])
except:
newmessage['details'] = {}
newmessage['rawdetails'] = message

# move some fields that are expected at the event 'root' where they belong
if 'HOST_FROM' in message:
newmessage['hostname'] = message['HOST_FROM']
if 'host_from' in message:
newmessage['hostname'] = message['host_from']
if 'tags' in message:
newmessage['tags'] = message['tags']
if 'category' in message:
newmessage['category'] = message['category']
newmessage[u'source'] = u'unknown'
if 'SOURCE' in message:
newmessage[u'source'] = message['SOURCE']
if 'source' in message:
newmessage[u'source'] = message['source']
logtype = newmessage['source']
newmessage[u'event_type'] = u'unknown'
if 'event_type' in message:
@@ -103,12 +104,12 @@ def onMessage(self, message, metadata):
newmessage[u'details'][u'destinationport'] = newmessage['details']['dest_port']
del(newmessage['details']['dest_port'])

if 'FILE_NAME' in newmessage['details']:
del(newmessage['details']['FILE_NAME'])
if 'MESSAGE' in newmessage['details']:
del(newmessage['details']['MESSAGE'])
if 'SOURCE' in newmessage['details']:
del(newmessage['details']['SOURCE'])
if 'file_name' in newmessage['details']:
del(newmessage['details']['file_name'])
if 'message' in newmessage['details']:
del(newmessage['details']['message'])
if 'source' in newmessage['details']:
del(newmessage['details']['source'])

if logtype == 'eve-log':
if eventtype == 'alert':
@@ -174,7 +175,7 @@ def onMessage(self, message, metadata):
if 'ET.http.javaclient' in newmessage['details']['vars']['flowbits']:
if 'ET.http.javaclient.vulnerable':
del(newmessage['details']['vars']['flowbits']['ET.http.javaclient'])
newmessage['details']['vars']['flowbits']['et.http.javaclient.vulnerable'] = "True"
newmessage['details']['vars']['flowbits']['ET.http.javaclient.vulnerable'] = "True"
newmessage[u'summary'] = (
u'{sourceipaddress}:'+
u'{sourceport} -> '+
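Review bot: The `json.loads(message['message'])` read on the new side of the first `onMessage` hunk sits inside a bare `except:`, so a missing `message` key (for instance an event that still carries the old `MESSAGE` key, which the "work around" title suggests is the situation being handled) is swallowed exactly like malformed JSON, and the event silently continues with empty details and an `unknown` source. Narrowing it to `except (KeyError, TypeError, ValueError):` keeps the best-effort handling of bad payloads while letting genuine programming errors surface. If both spellings are expected during the transition, reading the payload with `message.get('message', message.get('MESSAGE'))` before the `json.loads` call would preserve details for either form; the same consideration applies to the `host_from`/`source` lookups below it. Separately, the unchanged `if 'ET.http.javaclient.vulnerable':` in the flowbits hunk tests a non-empty string literal and is therefore always true; it presumably meant to test membership in the `flowbits` dict. `onMessage` begins before the first hunk and continues past the last one (the summary format string is cut off), so the surrounding control flow is not visible here.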
@@ -56,7 +56,7 @@ def test_suricata_nocustomendpoint_log(self):
}
event = {
'category': 'suricata',
'SOURCE': 'eve-log',
'source': 'eve-log',
'event_type': 'alert'
}

@@ -72,7 +72,7 @@ def test_suricata_nocategory_log(self):
}
event = {
'customendpoint': '',
'SOURCE': 'eve-log',
'source': 'eve-log',
'event_type': 'alert'
}

@@ -89,7 +89,7 @@ def test_suricata_wrongcategory_log(self):
event = {
'customendpoint': '',
'category': 'alamakota',
'SOURCE': 'eve-log',
'source': 'eve-log',
'event_type': 'alert'
}

@@ -108,7 +108,7 @@ def test_suricata_notype_log(self):
'category': 'suricata',
'customendpoint': '',
'category': 'suricata',
'SOURCE': 'eve-log'
'source': 'eve-log'
}

result, metadata = self.plugin.onMessage(event, metadata)
@@ -125,7 +125,7 @@ def test_suricata_wrongtype_log(self):
event = {
'customendpoint': '',
'category': 'suricata',
'SOURCE': 'eve-log',
'source': 'eve-log',
'event_type': 'alamakota'
}

@@ -143,7 +143,7 @@ def test_suricata_nosource_log(self):
MESSAGE = {
'ts': 1505701210.163043
}
event['MESSAGE'] = json.dumps(MESSAGE)
event['message'] = json.dumps(MESSAGE)

result, metadata = self.plugin.onMessage(event, self.metadata)
assert result['category'] == 'suricata'
@@ -154,13 +154,13 @@ def test_suricata_wrongsource_log(self):
event = {
'customendpoint': '',
'category': 'suricata',
'SOURCE': 'alamakota',
'source': 'alamakota',
'event_type': 'alert'
}
MESSAGE = {
'ts': 1505701210.163043
}
event['MESSAGE'] = json.dumps(MESSAGE)
event['message'] = json.dumps(MESSAGE)

result, metadata = self.plugin.onMessage(event, self.metadata)
assert result['category'] == 'suricata'
@@ -174,7 +174,7 @@ def test_defaults(self):
event = {
'customendpoint': '',
'category': 'suricata',
'SOURCE': 'eve-log',
'source': 'eve-log',
'event_type': 'alert'
}
result, metadata = self.plugin.onMessage(event, self.metadata)
@@ -273,7 +273,7 @@ def test_eve_log_alert_flow(self):
event = {
'customendpoint': '',
'category': 'suricata',
'SOURCE': 'eve-log',
'source': 'eve-log',
'event_type': 'alert'
}
MESSAGE = {
@@ -312,7 +312,7 @@ def test_eve_log_alert_flow(self):
"linktype":1
}
}
event['MESSAGE'] = json.dumps(MESSAGE)
event['message'] = json.dumps(MESSAGE)

result, metadata = self.plugin.onMessage(event, self.metadata)
self.verify_defaults(result)
@@ -335,7 +335,7 @@ def test_eve_log_alert_http(self):
event = {
'customendpoint': '',
'category': 'suricata',
'SOURCE': 'eve-log',
'source': 'eve-log',
'event_type': 'alert'
}
MESSAGE = {
@@ -384,7 +384,7 @@ def test_eve_log_alert_http(self):
"redirect":"afakedestination"
},
}
event['MESSAGE'] = json.dumps(MESSAGE)
event['message'] = json.dumps(MESSAGE)

result, metadata = self.plugin.onMessage(event, self.metadata)
self.verify_defaults(result)
@@ -403,7 +403,7 @@ def test_eve_log_alert_truncate(self):
event = {
'customendpoint': '',
'category': 'suricata',
'SOURCE': 'eve-log',
'source': 'eve-log',
'event_type': 'alert'
}
MESSAGE = {
@@ -456,7 +456,7 @@ def test_eve_log_alert_truncate(self):
MESSAGE['payload_printable'] = large_pseudorandom_string
MESSAGE['http']['http_response_body'] = large_pseudorandom_string
MESSAGE['http']['http_response_body_printable'] = large_pseudorandom_string
event['MESSAGE'] = json.dumps(MESSAGE)
event['message'] = json.dumps(MESSAGE)

result, metadata = self.plugin.onMessage(event, self.metadata)
self.verify_defaults(result)
@@ -478,7 +478,7 @@ def test_eve_log_alert_flowbits(self):
event = {
'customendpoint': '',
'category': 'suricata',
'SOURCE': 'eve-log',
'source': 'eve-log',
'event_type': 'alert'
}
MESSAGE = {
@@ -524,7 +524,7 @@ def test_eve_log_alert_flowbits(self):
}
}
}
event['MESSAGE'] = json.dumps(MESSAGE)
event['message'] = json.dumps(MESSAGE)

result, metadata = self.plugin.onMessage(event, self.metadata)
self.verify_defaults(result)
@@ -538,7 +538,7 @@ def test_eve_log_alert_rename(self):
event = {
'customendpoint': '',
'category': 'suricata',
'SOURCE': 'eve-log',
'source': 'eve-log',
'event_type': 'alert'
}
MESSAGE = {
@@ -577,7 +577,7 @@ def test_eve_log_alert_rename(self):
"linktype":1
}
}
event['MESSAGE'] = json.dumps(MESSAGE)
event['message'] = json.dumps(MESSAGE)

result, metadata = self.plugin.onMessage(event, self.metadata)
self.verify_defaults(result)
