Adds script to submit jobs #158
Conversation
```python
DALTON_URL = os.getenv("DALTON_URL", "localhost")
```
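Review bot: the default `"localhost"` carries no scheme or port, so prefixing the endpoint paths quoted in this thread (`DALTON_URL/dalton/controller_api/...`) to it gives `localhost/dalton/controller_api/...`, which HTTP clients reject or treat as a relative path. Suggest a default of the form `"http://localhost"` (with the port the controller listens on) and a comment stating that `DALTON_URL` must include the scheme.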
```python
# this file needs to include the sensor configuration in yaml format. Make sure that the files are in the proper directory.
```
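Review bot: the comment refers to "this file" and "the proper directory" without naming either, so a user cannot tell which YAML file is meant or where the script expects it. Name the path the script opens, or drop the local copy entirely and fetch the configuration from `request_engine_conf?sensor=<sensor_tech>` as suggested in the review.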
You can use the API to dynamically populate this if you wanted to.
To get current Suricata or Snort sensors (https://github.com/secureworks/dalton/blob/master/app/dalton.py#L2328):
DALTON_URL/dalton/controller_api/get-current-sensors/suricata
DALTON_URL/dalton/controller_api/get-current-sensors/snort
Or to get all sensors (https://github.com/secureworks/dalton/blob/master/app/dalton.py#L2361):
DALTON_URL/dalton/controller_api/get-current-sensors-json-full
Then take the sensor_tech or tech (for all sensors JSON) value and use that to pull the YAML (https://github.com/secureworks/dalton/blob/master/app/dalton.py#L418):
DALTON_URL/dalton/controller_api/request_engine_conf?sensor=<sensor_tech>
I added three API calls in the api client:

- `get_current_sensors` implements API call to: DALTON_URL/dalton/controller_api/get-current-sensors-json-full
- `get_sensor_tech`: DALTON_URL/dalton/controller_api/get-current-sensors/

I am using these then to create the parameters for the submit_job API call
```python
data = {
    "sensor_tech": "suricata/6.0.4/suricata.yaml",
    "optionProdRuleset": "prod",
    "prod_ruleset": "/opt/dalton/rulesets/suricata/suricata.rules",
```
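Review bot: `sensor_tech` and `prod_ruleset` are hardcoded to one Suricata version and to an absolute path on the controller, so the script silently stops matching the server as soon as the sensor is upgraded or the ruleset is moved. Populate both from `get-current-sensors/suricata` and `get-prod-rulesets/suricata` (as the review suggests) and fail with a clear message when the requested value is not in the returned list, rather than letting the controller reject the job.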
You can dynamically pull lists of rulesets by sensor too (https://github.com/secureworks/dalton/blob/master/app/dalton.py#L213):
DALTON_URL/dalton/controller_api/get-prod-rulesets/suricata
DALTON_URL/dalton/controller_api/get-prod-rulesets/snort
Added the API call: get_prod_rulesets for endpoints:
DALTON_URL/dalton/controller_api/get-prod-rulesets/
Used it to create the parameter for submit_jobs
```python
# test_job.pcap can be substituted with any target pcap name.
pcap = open('test_job.pcap', 'rb')
files = {"coverage-pcap0": ("test_job.pcap", pcap)}
```
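Review bot: the handle from `open('test_job.pcap', 'rb')` is never closed, so it leaks until garbage collection; wrap it in `with open('test_job.pcap', 'rb') as pcap:` around the request that sends `files`. The filename is also fixed in code rather than taken from an argument, and nothing checks the number of pcaps against `get-max-pcap-files` before submitting.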
Also, there is a (configurable) max number of pcap files that can be submitted at one time. To get that limit, call (https://github.com/secureworks/dalton/blob/master/app/dalton.py#L2367-L2374):
DALTON_URL/dalton/controller_api/get-max-pcap-files
Added the call get_max_pcaps to serve the endpoint DALTON_URL/dalton/controller_api/get-max-pcap-files
@whartond thanks for the review. This helped a lot to improve the contribution. As I was reading your comments, I realized that it would be worthwhile to create an API client and use all these calls in an example. So I added:

- `api/dalton.py` as a generic Dalton API client
- `api/examples/job_submission.py` to give an example of how to use the job submission and other methods from the API.

I think with these two additions I have addressed all your comments.

Addresses #157
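The following is an added example, not code from PR #158, from `api/dalton.py`, or from the Dalton project. It shows one way to wire together the controller API calls named throughout this review (sensor list, ruleset list, engine configuration, max pcap count) so that the submit parameters are pulled from the controller instead of being hardcoded, pcap handles are closed after the POST, and the pcap count is checked against `get-max-pcap-files` before anything is uploaded. The endpoint paths and the form-field names `sensor_tech`, `optionProdRuleset`, `prod_ruleset` and `coverage-pcap0` are taken from the thread; the class name `DaltonClient`, the `submit_job` URL path, the JSON response shapes, the `dalton.example` host and the canned responses in `demo()` are assumptions made for this example.

```python
"""Added example (not PR #158 or Dalton code): a small controller-API client
that fetches sensor/ruleset choices, checks the pcap limit and closes files."""
import json
import os
import tempfile
from contextlib import ExitStack
from urllib.parse import quote
from urllib.request import urlopen

# Constructed sample: a 24-byte little-endian pcap global header (linktype 1), no packets.
PCAP_HEADER = bytes.fromhex("d4c3b2a1" "0200" "0400" "00000000" "00000000" "ffff0000" "01000000")


class DaltonClient:
    def __init__(self, base_url=None, fetch=None, post=None):
        # Keep scheme and host together: a bare "localhost" is not a usable URL.
        self.base_url = (base_url or os.getenv("DALTON_URL", "http://localhost")).rstrip("/")
        # Transports are injectable so the flow can run offline; in production use e.g.
        # fetch=lambda u: urlopen(u).read() and post=lambda u, d, f: requests.post(u, data=d, files=f).
        self.fetch = fetch or (lambda url: urlopen(url).read())
        self.post = post

    def api_url(self, path):
        return f"{self.base_url}/dalton/controller_api/{path}"

    def _get_json(self, path):
        # Assumption: these endpoints answer with JSON (a list, or an integer for the limit).
        return json.loads(self.fetch(self.api_url(path)))

    def get_current_sensors(self, tech):          # tech is "suricata" or "snort"
        return self._get_json(f"get-current-sensors/{quote(tech)}")

    def get_all_sensors(self):
        return self._get_json("get-current-sensors-json-full")

    def get_prod_rulesets(self, tech):
        return self._get_json(f"get-prod-rulesets/{quote(tech)}")

    def get_max_pcap_files(self):
        return int(self._get_json("get-max-pcap-files"))

    def get_engine_conf(self, sensor_tech):
        # sensor_tech is a value from the sensor list, e.g. "suricata/6.0.4/suricata.yaml".
        return self.fetch(self.api_url(f"request_engine_conf?sensor={quote(sensor_tech, safe='')}")).decode()

    def submit_job(self, sensor_tech, prod_ruleset, pcap_paths):
        # Refuse locally before uploading anything the controller would reject anyway.
        limit = self.get_max_pcap_files()
        if len(pcap_paths) > limit:
            raise ValueError(f"{len(pcap_paths)} pcaps exceed the controller limit of {limit}")
        data = {"sensor_tech": sensor_tech, "optionProdRuleset": "prod", "prod_ruleset": prod_ruleset}
        # ExitStack closes every pcap handle once the POST returns, unlike a bare open().
        with ExitStack() as stack:
            files = {}
            for i, path in enumerate(pcap_paths):
                fh = stack.enter_context(open(path, "rb"))
                files[f"coverage-pcap{i}"] = (os.path.basename(path), fh)
            return self.post(self.api_url("submit_job"), data, files)  # assumed submit path


def demo():
    """Run the whole flow against a fake controller; returns what would have been posted."""
    canned = {  # constructed responses; a real controller's output may differ in shape
        "get-current-sensors/suricata": ["suricata/6.0.4/suricata.yaml"],
        "get-prod-rulesets/suricata": ["/opt/dalton/rulesets/suricata/suricata.rules"],
        "get-max-pcap-files": 2,
    }

    def fake_fetch(url):
        return json.dumps(canned[url.split("/dalton/controller_api/", 1)[1]]).encode()

    posted = {}

    def fake_post(url, data, files):
        posted.update(url=url, data=data, fields=sorted(files),
                      sizes={k: len(v[1].read()) for k, v in files.items()})
        return "ok"

    client = DaltonClient("http://dalton.example:8080", fetch=fake_fetch, post=fake_post)
    sensor = client.get_current_sensors("suricata")[0]
    ruleset = client.get_prod_rulesets("suricata")[0]
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name in ("a.pcap", "b.pcap"):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(PCAP_HEADER)
            paths.append(p)
        posted["result"] = client.submit_job(sensor, ruleset, paths)
        try:                                   # one pcap over the limit must be refused
            client.submit_job(sensor, ruleset, paths + [paths[0]])
            posted["limit_enforced"] = False
        except ValueError:
            posted["limit_enforced"] = True
    return posted


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The injected `fetch`/`post` callables are what make the example testable without a controller; against a live instance you pass the real transports and the environment's `DALTON_URL` (with scheme) and the rest of the code is unchanged.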