
Port scan enrichment #1294

Merged: 14 commits merged into master from port-scan-enrichment on Jun 6, 2019

@arcrose (Member) commented May 28, 2019

No description provided.

arcrose added some commits May 27, 2019

arcrose added some commits May 29, 2019

for hit in results.get('hits', [])
]

alert = alert.copy()

@pwnbus (Collaborator) commented May 31, 2019

I don't think we need to do the copy here; the expectation is that plugins will modify the alert object directly.

'destinationipaddress': '1.2.3.4',
'destinationport': 80
},
'timestamp': '30 minutes ago'

@pwnbus (Collaborator) commented May 31, 2019

Since the timestamp will be ISO 8601 formatted, can we have the sample data be the same? i.e. 2016-07-13 22:33:31.625443+00:00

search_query.add_must([
TermMatch('category', 'bro'),
TermMatch('source', 'conn'),
PhraseMatch(

@pwnbus (Collaborator) commented May 31, 2019

I think we want to use a TermMatch here. Since details.sourceipaddress will be only the actual IP with no other text, we can do an exact match essentially.

@pwnbus (Collaborator) left a comment

A couple comments about the test data and using TermMatch instead of PhraseMatch.
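The three review points above (no `alert.copy()` because plugins mutate the alert in place, ISO 8601 sample timestamps, and an exact `TermMatch` on `details.sourceipaddress`) can be seen working together in the following added example. It is not MozDef's own code or the code from this PR: `term_match()`, `build_conn_query()`, `enrich()`, `fake_search()` and the sample events are all constructed here, and the query builder emits raw Elasticsearch `term`/`range` DSL rather than using `mozdef_util`'s query models. The in-memory `fake_search()` applies the filters the way an exact term match would, so the event from `10.0.0.50` is not picked up when enriching a scan from `10.0.0.5`.

```python
# Added example, not MozDef's own code: an alert-enrichment plugin shaped
# like the one under review. It follows the three review points:
# the plugin mutates the alert dict in place (no copy), the alert
# timestamp is ISO 8601 and is parsed as such to derive the search window,
# and the scanner's IP is matched with an exact `term` filter rather than
# a phrase query. term_match(), build_conn_query(), enrich(), fake_search()
# and the sample events are all constructed for this example.
from datetime import datetime, timedelta, timezone


def term_match(field, value):
    """Raw Elasticsearch `term` clause: exact, untokenised match on one field."""
    return {"term": {field: value}}


def build_conn_query(source_ip, start, end):
    """bro conn events from one source IP inside [start, end] (tz-aware datetimes)."""
    return {"query": {"bool": {"must": [
        term_match("category", "bro"),
        term_match("source", "conn"),
        term_match("details.sourceipaddress", source_ip),
        {"range": {"utctimestamp": {"gte": start.isoformat(), "lte": end.isoformat()}}},
    ]}}}


def enrich(alert, search, window=timedelta(minutes=30)):
    """Add the hosts/ports the scanning IP touched. Mutates `alert`; no copy."""
    ts = datetime.fromisoformat(alert["timestamp"])  # e.g. 2016-07-13 22:33:31.625443+00:00
    if ts.tzinfo is None:                            # be defensive about naive timestamps
        ts = ts.replace(tzinfo=timezone.utc)
    query = build_conn_query(alert["details"]["sourceipaddress"], ts - window, ts)
    targets = {}
    for hit in search(query).get("hits", []):
        d = hit["_source"]["details"]
        targets.setdefault(d["destinationipaddress"], set()).add(d["destinationport"])
    alert["details"]["ports_scanned"] = {ip: sorted(p) for ip, p in targets.items()}
    alert["details"]["scan_target_count"] = len(targets)
    return alert


# Constructed bro conn events standing in for an Elasticsearch index.
SAMPLE_EVENTS = [
    {"category": "bro", "source": "conn", "utctimestamp": "2016-07-13T22:20:00+00:00",
     "details": {"sourceipaddress": "10.0.0.5", "destinationipaddress": "1.2.3.4", "destinationport": 80}},
    {"category": "bro", "source": "conn", "utctimestamp": "2016-07-13T22:25:00+00:00",
     "details": {"sourceipaddress": "10.0.0.5", "destinationipaddress": "1.2.3.4", "destinationport": 443}},
    {"category": "bro", "source": "conn", "utctimestamp": "2016-07-13T22:30:00+00:00",
     "details": {"sourceipaddress": "10.0.0.5", "destinationipaddress": "1.2.3.5", "destinationport": 22}},
    # different source IP: an exact term match must not pick this up
    {"category": "bro", "source": "conn", "utctimestamp": "2016-07-13T22:30:00+00:00",
     "details": {"sourceipaddress": "10.0.0.50", "destinationipaddress": "1.2.3.4", "destinationport": 80}},
    # right IP but outside the 30-minute window
    {"category": "bro", "source": "conn", "utctimestamp": "2016-07-13T21:00:00+00:00",
     "details": {"sourceipaddress": "10.0.0.5", "destinationipaddress": "1.2.3.6", "destinationport": 8080}},
    # right IP, wrong log source
    {"category": "bro", "source": "dns", "utctimestamp": "2016-07-13T22:30:00+00:00",
     "details": {"sourceipaddress": "10.0.0.5", "destinationipaddress": "1.2.3.7", "destinationport": 53}},
]


def _lookup(event, dotted):
    """Resolve a dotted field name such as details.sourceipaddress."""
    for part in dotted.split("."):
        event = event[part]
    return event


def fake_search(query):
    """Apply the query's term/range clauses to SAMPLE_EVENTS the way ES would."""
    def matches(ev):
        for clause in query["query"]["bool"]["must"]:
            if "term" in clause:
                (field, value), = clause["term"].items()
                if _lookup(ev, field) != value:
                    return False
            else:
                (field, b), = clause["range"].items()
                t = datetime.fromisoformat(_lookup(ev, field))
                if not datetime.fromisoformat(b["gte"]) <= t <= datetime.fromisoformat(b["lte"]):
                    return False
        return True
    return {"hits": [{"_source": ev} for ev in SAMPLE_EVENTS if matches(ev)]}


def sample_alert():
    """Constructed port-scan alert with an ISO 8601 timestamp, as the review asks."""
    return {"category": "portscan", "timestamp": "2016-07-13 22:33:31.625443+00:00",
            "details": {"sourceipaddress": "10.0.0.5"}}


if __name__ == "__main__":
    alert = sample_alert()
    assert enrich(alert, fake_search) is alert  # enriched in place, same object
    print(alert["details"])
```

Because `enrich()` returns the very object it was given, a caller that expects the copy semantics from the original draft would see no difference, while a pipeline that holds a reference to the alert (the case pwnbus describes) sees the enrichment without any reassignment.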

arcrose added some commits May 31, 2019

pwnbus approved these changes May 31, 2019

@pwnbus pwnbus merged commit f64a512 into master Jun 6, 2019

1 check passed: continuous-integration/travis-ci/pr (The Travis CI build passed)

@pwnbus pwnbus deleted the port-scan-enrichment branch Jun 6, 2019
