Implementing REMOTE_SEVERITY_REGEX (Issue #13251)

core/log.py

@@ -190,18 +190,29 @@ def log_event(event_tuple, packet=None, skip_write=False, skip_condensing=False)
                     s = socket.socket(socket.AF_INET if len(_address) == 2 else socket.AF_INET6, socket.SOCK_DGRAM)
                     s.sendto(("%s %s" % (sec, event)).encode(UNICODE_ENCODING), _address)
 
-                if config.SYSLOG_SERVER:
-                    extension = "src=%s spt=%s dst=%s dpt=%s trail=%s ref=%s" % (src_ip, src_port, dst_ip, dst_port, trail, reference)
-                    _ = CEF_FORMAT.format(syslog_time=time.strftime("%b %d %H:%M:%S", time.localtime(int(sec))), host=HOSTNAME, device_vendor=NAME, device_product="sensor", device_version=VERSION, signature_id=time.strftime("%Y-%m-%d", time.localtime(os.path.getctime(config.TRAILS_FILE))), name=info, severity=0, extension=extension)
-                    remote_host, remote_port = config.SYSLOG_SERVER.split(':')
-                    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-                    s.sendto(_.encode(UNICODE_ENCODING), (remote_host, int(remote_port)))
-
-                if config.LOGSTASH_SERVER:
-                    _ = OrderedDict((("timestamp", sec), ("src_ip", src_ip), ("src_port", src_port), ("dst_ip", dst_ip), ("dst_port", dst_port), ("proto", proto), ("type", trail_type), ("trail", trail), ("info", info), ("reference", reference)))
-                    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-                    remote_host, remote_port = config.LOGSTASH_SERVER.split(':')
-                    s.sendto(json.dumps(_).encode(UNICODE_ENCODING), (remote_host, int(remote_port)))
+                if config.SYSLOG_SERVER or config.LOGSTASH_SERVER:
+                    severity = "medium"
+
+                    if config.REMOTE_SEVERITY_REGEX:
+                        match = re.search(config.REMOTE_SEVERITY_REGEX, info)
+                        if match:
+                            for _ in ("low", "medium", "high"):
+                                if match.group(_):
+                                    severity = _
+                                    break
+
+                    if config.SYSLOG_SERVER:
+                        extension = "src=%s spt=%s dst=%s dpt=%s trail=%s ref=%s" % (src_ip, src_port, dst_ip, dst_port, trail, reference)
+                        _ = CEF_FORMAT.format(syslog_time=time.strftime("%b %d %H:%M:%S", time.localtime(int(sec))), host=HOSTNAME, device_vendor=NAME, device_product="sensor", device_version=VERSION, signature_id=time.strftime("%Y-%m-%d", time.localtime(os.path.getctime(config.TRAILS_FILE))), name=info, severity={"low": 0, "medium": 1, "high": 2}.get(severity), extension=extension)
+                        remote_host, remote_port = config.SYSLOG_SERVER.split(':')
+                        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+                        s.sendto(_.encode(UNICODE_ENCODING), (remote_host, int(remote_port)))
+
+                    if config.LOGSTASH_SERVER:
+                        _ = OrderedDict((("timestamp", sec), ("sensor", HOSTNAME), ("severity", severity), ("src_ip", src_ip), ("src_port", src_port), ("dst_ip", dst_ip), ("dst_port", dst_port), ("proto", proto), ("type", trail_type), ("trail", trail), ("info", info), ("reference", reference)))
+                        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+                        remote_host, remote_port = config.LOGSTASH_SERVER.split(':')
+                        s.sendto(json.dumps(_).encode(UNICODE_ENCODING), (remote_host, int(remote_port)))
 
                 if (config.DISABLE_LOCAL_LOG_STORAGE and not any((config.LOG_SERVER, config.SYSLOG_SERVER))) or config.console:
                     sys.stderr.write(event)

core/settings.py

@@ -21,7 +21,7 @@
 from thirdparty.six.moves import urllib as _urllib
 
 NAME = "Maltrail"
-VERSION = "0.27.68"
+VERSION = "0.27.69"
 PLATFORM = os.name
 IS_WIN = PLATFORM == "nt"
 IS_SENSOR = "sensor" in sys.argv[0]

html/js/main.js

@@ -824,7 +824,7 @@ function init(url, from, to) {
                         severity = SEVERITY.HIGH;
                     else if (data[LOG_COLUMNS.INFO].contains("malware distribution"))
                         severity = SEVERITY.MEDIUM;
-                    else if (data[LOG_COLUMNS.INFO].contains( "mass scanner"))
+                    else if (data[LOG_COLUMNS.INFO].contains("mass scanner"))
                         severity = SEVERITY.LOW;
                     else {
                         for (var keyword in INFO_SEVERITY_KEYWORDS)

maltrail.conf

@@ -100,6 +100,9 @@ SENSOR_NAME $HOSTNAME
 # Remote address to send JSON events (e.g. Logstash)
 #LOGSTASH_SERVER 192.168.2.107:5000
 
+# Regular expression used for calculating severity attribute when sending events to SYSLOG_SERVER or LOGSTASH_SERVER
+REMOTE_SEVERITY_REGEX (?P<high>(remote )?custom\)|malwaredomainlist|malware(?! (distribution|site))|adversary|ransomware)|(?P<medium>potential malware site|malware distribution)|(?P<low>mass scanner|reputation|attacker|spammer|compromised|crawler|scanning)
+
 # Set only (!) in cases when LOG_SERVER should be exclusively used for log storage
 DISABLE_LOCAL_LOG_STORAGE false
 

sensor.py

@@ -963,6 +963,12 @@ def update_timer():
     if config.LOGSTASH_SERVER and not len(config.LOGSTASH_SERVER.split(':')) == 2:
         exit("[!] invalid configuration value for 'LOGSTASH_SERVER' ('%s')" % config.LOGSTASH_SERVER)
 
+    if config.REMOTE_SEVERITY_REGEX:
+        try:
+            re.compile(config.REMOTE_SEVERITY_REGEX)
+        except re.error:
+            exit("[!] invalid configuration value for 'REMOTE_SEVERITY_REGEX' ('%s')" % config.REMOTE_SEVERITY_REGEX)
+
     if config.CAPTURE_FILTER:
         print("[i] setting capture filter '%s'" % config.CAPTURE_FILTER)
         for _cap in _caps: