List: prelude-cvslog
Subject: [prelude-cvslog] prelude-correlator/master: Provide a specialized
From: noreply () prelude-ids ! com
Date: 2010-01-29 17:02:50
Message-ID: 20100129170250.616DF8A016A () inferno ! prelude-ids ! com
commit 69ab7f2a89ad1ee5c8730c8624c787fda7c2e33f
Author: Yoann Vandoorselaere <yoann.v@prelude-ids.com>
Date: Wed Jan 20 21:57:44 2010 +0100
Provide a specialized function for escaping context name
========================================
PreludeCorrelator/context.py | 21 +++++++++++++++++++++
PreludeCorrelator/plugins/bruteforce.py | 4 ++--
PreludeCorrelator/plugins/dshield.py | 2 +-
PreludeCorrelator/plugins/firewall.py | 2 +-
PreludeCorrelator/plugins/opensshauth.py | 2 +-
PreludeCorrelator/plugins/scan.py | 6 +++---
PreludeCorrelator/plugins/spamhausdrop.py | 2 +-
PreludeCorrelator/plugins/worm.py | 4 ++--
8 files changed, 32 insertions(+), 11 deletions(-)
========================================
diff --git a/PreludeCorrelator/context.py b/PreludeCorrelator/context.py
index f2d8853..34ad74f 100644
--- a/PreludeCorrelator/context.py
+++ b/PreludeCorrelator/context.py
@@ -88,6 +88,7 @@ class Context(IDMEF, Timer):
IDMEF.__init__(self)
Timer.__init__(self, 0)
+ name = getName(name)
self._name = name
self._update_count = 0
@@ -103,6 +104,8 @@ class Context(IDMEF, Timer):
self.addAlertReference(idmef)
def __new__(cls, name, options={}, overwrite=True, update=False, \
idmef=None): 
+ name = getName(name)
+
if update or (overwrite is False):
ctx = search(name)
if ctx:
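Review bot: `ctx = search(name)` now receives a name that `name = getName(name)` has already escaped, and the `search` change in the next hunk escapes its argument a second time, so every multi-component name (all of them contain the `_` separator) is looked up as `BRUTE ST\_…` while the context itself was registered once-escaped; if registration keys on `self._name`, as the `del(_CONTEXT_TABLE[self._name])` context line suggests, the update/overwrite lookup never hits and thresholds are never reached. Keep the raw argument for the lookup, e.g. `raw_name = name` before `name = getName(name)` and `ctx = search(raw_name)`. The rest of `__new__` lies outside the hunk.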
@@ -171,7 +174,25 @@ class Context(IDMEF, Timer):
del(_CONTEXT_TABLE[self._name])
+def getName(arg):
+ def escape(s):
+ return s.replace("_", "\\_")
+
+ if type(arg) is str:
+ return escape(arg)
+
+ cnt = 0
+ name = ""
+ for i in arg:
+ if cnt > 0:
+ name += "_"
+ name += escape(str(i))
+ cnt += 1
+
+ return name
+
def search(name):
+ name = getName(name)
if _CONTEXT_TABLE.has_key(name):
return _CONTEXT_TABLE[name]
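Review bot: The `escape` helper at `return s.replace("_", "\\_")` never escapes the backslash itself, so the encoding is ambiguous — `("a\\", "b")` and `("a_b",)` both yield `a\_b` — and because components come from alert fields (addresses, user names, classification text) two distinct contexts can end up sharing one table key. Escape the escape character first: `return s.replace("\\", "\\\\").replace("_", "\\_")`. The `type(arg) is str` test also lets a `unicode` name (this is Python 2 code, see `has_key`) fall through to the loop, where it is iterated character by character and joined with underscores; `isinstance(arg, basestring)` covers both string types. The body of `search` continues outside the hunk.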
diff --git a/PreludeCorrelator/plugins/bruteforce.py \
b/PreludeCorrelator/plugins/bruteforce.py 
index 4bdeeb5..8a0196a 100644
--- a/PreludeCorrelator/plugins/bruteforce.py
+++ b/PreludeCorrelator/plugins/bruteforce.py
@@ -30,7 +30,7 @@ class BruteForcePlugin(Plugin):
for source in sadd:
for target in tadd:
- ctx = Context("BRUTE_ST_" + source + target, { "expire": 120, \
"threshold": 5, "alert_on_expire": True }, update=True, idmef = idmef) 
+ \
ctx = Context(("BRUTE ST", source, target), { "expire": 120, "threshold": 5, \
"alert_on_expire": True }, update=True, idmef = idmef)
 if ctx.getUpdateCount() == 0:
ctx.Set("alert.classification.text", "Brute Force attack")
ctx.Set("alert.correlation_alert.name", "Multiple failed login")
@@ -43,7 +43,7 @@ class BruteForcePlugin(Plugin):
return
for user in userid:
- ctx = Context("BRUTE_U_" + user, { "expire": 120, "threshold": 5, \
"alert_on_expire": True }, update=True, idmef=idmef) 
+ ctx = \
Context(("BRUTE USER", user), { "expire": 120, "threshold": 5, "alert_on_expire": \
True }, update=True, idmef=idmef)
 if ctx.getUpdateCount() == 0:
ctx.Set("alert.classification.text", "Brute Force attack")
ctx.Set("alert.correlation_alert.name", "Multiple failed login \
against a single account")
diff --git a/PreludeCorrelator/plugins/dshield.py \
b/PreludeCorrelator/plugins/dshield.py 
index 5f6396a..1bff2b5 100644
--- a/PreludeCorrelator/plugins/dshield.py
+++ b/PreludeCorrelator/plugins/dshield.py
@@ -94,7 +94,7 @@ class DshieldPlugin(Plugin):
for source in idmef.Get("alert.source(*).node.address(*).address"):
entry = self.__iphash.get(source, None)
if entry:
- ca = context.Context("DSHIELD_" + source, { "expire": 300, \
"alert_on_expire": True }, update = True, idmef = idmef) 
+ ca = \
context.Context(("DSHIELD", source), { "expire": 300, "alert_on_expire": True }, \
update = True, idmef = idmef)
 if ca.getUpdateCount() == 0:
ca.Set("alert.classification.text", "IP source matching Dshield \
database")
ca.Set("alert.correlation_alert.name", "IP source matching \
Dshield database")
diff --git a/PreludeCorrelator/plugins/firewall.py \
b/PreludeCorrelator/plugins/firewall.py 
index 5c360aa..f21a35f 100644
--- a/PreludeCorrelator/plugins/firewall.py
+++ b/PreludeCorrelator/plugins/firewall.py
@@ -30,7 +30,7 @@ class FirewallPlugin(Plugin):
if not source or not target:
return
- ctxname = "FIREWALL_" + source + target + str(dport)
+ ctxname = context.getName("FIREWALL", source, target, dport)
if idmef.match("alert.classification.text", re.compile("[Pp]acket \
[Dd]ropped|[Dd]enied")): # overwrite any existing context, with the same name.
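Review bot: `ctxname = context.getName("FIREWALL", source, target, dport)` passes four positional arguments, but `getName` in context.py is defined with a single parameter `arg`, so this line raises TypeError whenever it is reached. Since `Context.__new__` and `search` already run `getName` on whatever they receive and would escape a ready-made string a second time, the simplest fix is to keep the tuple and let them do the escaping once: `ctxname = ("FIREWALL", source, target, dport)`. The code that consumes `ctxname` lies outside this hunk.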
diff --git a/PreludeCorrelator/plugins/opensshauth.py \
b/PreludeCorrelator/plugins/opensshauth.py 
index c6faad4..f28eff0 100644
--- a/PreludeCorrelator/plugins/opensshauth.py
+++ b/PreludeCorrelator/plugins/opensshauth.py
@@ -47,7 +47,7 @@ class OpenSSHAuthPlugin(Plugin):
for username in idmef.Get("alert.target(*).user.user_id(*).name"):
for target in idmef.Get("alert.target(*).node.address(*).address"):
- ctx = Context("SSH_MAT_" + target + username, { "expire": 30, \
"alert_on_expire": alert }, update=True) 
+ ctx = Context(("SSHAUTH", \
target, username), { "expire": 30, "alert_on_expire": alert }, update=True)
 if \
ctx.getUpdateCount() == 0: ctx.authtype = { data: True }
ctx.addAlertReference(idmef)
diff --git a/PreludeCorrelator/plugins/scan.py b/PreludeCorrelator/plugins/scan.py
index 9246689..9565760 100644
--- a/PreludeCorrelator/plugins/scan.py
+++ b/PreludeCorrelator/plugins/scan.py
@@ -33,7 +33,7 @@ class EventScanPlugin(Plugin):
for saddr in source:
for daddr in target:
- ctx = Context("SCAN_EVENTSCAN_" + saddr + daddr, { "expire": 60, \
"threshold": 30, "alert_on_expire": True }, update = True, idmef=idmef) 
+ \
ctx = Context(("SCAN EVENTSCAN", saddr, daddr), { "expire": 60, "threshold": 30, \
"alert_on_expire": True }, update = True, idmef=idmef)
 if ctx.getUpdateCount() == 0:
ctx.Set("alert.correlation_alert.name", "A single host has \
played many events against a single target. This may be a vulnerability scan") \
ctx.Set("alert.classification.text", "Eventscan") 
@@ -52,7 +52,7 @@ class \
EventSweepPlugin(Plugin):
 return
for saddr in source:
- ctx = Context("SCAN_EVENTSWEEP_" + classification + saddr, { "expire": \
60, "threshold": 30, "alert_on_expire": True }, overwrite = False) 
+ ctx = \
Context(("SCAN EVENTSWEEP", classification, saddr), { "expire": 60, "threshold": 30, \
"alert_on_expire": True }, overwrite = False)
 if ctx.getUpdateCount() == 0:
ctx.Set("alert.correlation_alert.name", "A single host has played \
the same event against multiple targets. This may be a network scan for a specific \
vulnerability")
 ctx.Set("alert.classification.text", "Eventsweep")
@@ -77,7 +77,7 @@ class EventStormPlugin(Plugin):
return
for saddr in source:
- ctx = Context("SCAN_EVENTSTORM_" + saddr, { "expire": 120, "threshold": \
150, "alert_on_expire": True }, update = True, idmef = idmef) 
+ ctx = \
Context(("SCAN EVENTSTORM", saddr), { "expire": 120, "threshold": 150, \
"alert_on_expire": True }, update = True, idmef = idmef)
 if ctx.getUpdateCount() == \
0:
ctx.Set("alert.correlation_alert.name", "A single host is producing \
an unusual amount of events")
 ctx.Set("alert.classification.text", "Eventstorm")
diff --git a/PreludeCorrelator/plugins/spamhausdrop.py \
b/PreludeCorrelator/plugins/spamhausdrop.py 
index 63c028b..4eff606 100644
--- a/PreludeCorrelator/plugins/spamhausdrop.py
+++ b/PreludeCorrelator/plugins/spamhausdrop.py
@@ -113,7 +113,7 @@ class SpamhausDropPlugin(Plugin):
continue
if addr in self.__mynets:
- ca = Context("SPAMHAUS_" + source, { "expire": 300, \
"alert_on_expire": True }, update = True, idmef = idmef) 
+ ca = \
Context(("SPAMHAUS", source), { "expire": 300, "alert_on_expire": True }, update = \
True, idmef = idmef)
 if ca.getUpdateCount() == 0:
ca.Set("alert.classification.text", "IP source matching \
Spamhaus DROP dataset")
ca.Set("alert.correlation_alert.name", "IP source matching \
Spamhaus DROP dataset")
diff --git a/PreludeCorrelator/plugins/worm.py b/PreludeCorrelator/plugins/worm.py
index ad4cd08..40637e3 100644
--- a/PreludeCorrelator/plugins/worm.py
+++ b/PreludeCorrelator/plugins/worm.py
@@ -40,7 +40,7 @@ class WormPlugin(Plugin):
# Create context for classification combined with all the target.
tlist = {}
for target in idmef.Get("alert.target(*).node.address(*).address"):
- ctx = context.Context("WORM_HOST_" + ctxt + target, { "expire": 300 }, \
overwrite=False, idmef=idmef) 
+ ctx = context.Context(("WORM HOST", ctxt, \
target), { "expire": 300 }, overwrite=False, idmef=idmef)
 if ctx.getUpdateCount() == \
0: ctx._target_list = {}
@@ -50,7 +50,7 @@ class WormPlugin(Plugin):
# We are trying to see whether a previous target is now attacking other \
hosts
# thus, we check whether a context exist with this classification \
combined to # this source.
- ctx = context.search("WORM_HOST_" + ctxt + source)
+ ctx = context.search(("WORM HOST", ctxt, source))
if not ctx:
continue