mozilla
/
MozDef
зеркало из https://github.com/mozilla/MozDef.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Remove LDAP global, LDAP user provides more specific coverage

This commit is contained in:
Jonathan Claudius 2019-11-07 10:51:19 -05:00
Родитель 41ded2fec4
Коммит 727345f176
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: D6F8816A5EEC606D
3 изменённых файлов: 0 добавлений и 168 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

4
alerts/ldap_bruteforce_global.conf
Просмотреть файл

@ -1,4 +0,0 @@
[options]
threshold_count = 1
search_depth_min = 60
host_exclusions = foo.example.com,bar.example.com

55
alerts/ldap_bruteforce_global.py
Просмотреть файл

@ -1,55 +0,0 @@
#!/usr/bin/env python
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at https://mozilla.org/MPL/2.0/.
# Copyright (c) 2014 Mozilla Corporation
from lib.alerttask import AlertTask
from mozdef_util.query_models import SearchQuery, TermMatch
import re
class AlertLdapBruteforceGlobal(AlertTask):
def main(self):
self.parse_config('ldap_bruteforce_global.conf', ['threshold_count', 'search_depth_min', 'host_exclusions'])
search_query = SearchQuery(minutes=int(self.config.search_depth_min))
for host_exclusion in self.config.host_exclusions.split(","):
search_query.add_must_not([TermMatch("details.server", host_exclusion)])
search_query.add_must([
TermMatch('category', 'ldap'),
TermMatch('details.response.error', 'LDAP_INVALID_CREDENTIALS')
])
self.filtersManual(search_query)
self.searchEventsAggregated('details.client', samplesLimit=10)
self.walkAggregations(threshold=int(self.config.threshold_count))
def onAggregation(self, aggreg):
category = 'bruteforce'
tags = ['ldap']
severity = 'WARNING'
email_list = set()
email_regex = r'.*mail=([a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.[a-zA-Z0-9_-]+)'
for event in aggreg['allevents']:
for request in event['_source']['details']['requests']:
for detail in request['details']:
match_object = re.match(email_regex, detail)
if match_object:
email_list.add(match_object.group(1))
# If no emails, don't throw alert
# if len(email_list) == 0:
# return None
summary = 'Global LDAP Bruteforce Attack in Progress from {0} targeting the following account(s): {1}'.format(
aggreg['value'],
", ".join(sorted(email_list)[:10])
)
if len(email_list) >= 10:
summary += '...'
return self.createAlertDict(summary, category, tags, aggreg['events'], severity)

109
tests/alerts/test_ldap_bruteforce_global.py
Просмотреть файл

@ -1,109 +0,0 @@
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at https://mozilla.org/MPL/2.0/.
# Copyright (c) 2017 Mozilla Corporation
from .positive_alert_test_case import PositiveAlertTestCase
from .negative_alert_test_case import NegativeAlertTestCase
from .alert_test_suite import AlertTestSuite
class TestAlertLdapBruteforceGlobal(AlertTestSuite):
alert_filename = "ldap_bruteforce_global"
# This event is the default positive event that will cause the
# alert to trigger
default_event = {
"_source": {
"category": "ldap",
"details": {
"client": "1.2.3.4",
"requests": [
{
'verb': 'BIND',
'details': [
'method=128'
'dn="mail=jsmith@example.com,o=com,dc=example"',
]
}
],
"server": "ldap.example.com",
"response": {
"error": 'LDAP_INVALID_CREDENTIALS',
}
}
}
}
# This alert is the expected result from running this task
default_alert = {
"category": "bruteforce",
"tags": ["ldap"],
"severity": "WARNING",
"summary": "Global LDAP Bruteforce Attack in Progress from 1.2.3.4 targeting the following account(s): jsmith@example.com",
}
# This alert is the expected result from this task against multiple matching events
default_alert_aggregated = AlertTestSuite.copy(default_alert)
default_alert_aggregated[
"summary"
] = "Global LDAP Bruteforce Attack in Progress from 1.2.3.4 targeting the following account(s): jsmith@example.com"
test_cases = []
test_cases.append(
PositiveAlertTestCase(
description="Positive test with default events and default alert expected",
events=AlertTestSuite.create_events(default_event, 1),
expected_alert=default_alert,
)
)
test_cases.append(
PositiveAlertTestCase(
description="Positive test with default events and default alert expected - dedup",
events=AlertTestSuite.create_events(default_event, 2),
expected_alert=default_alert,
)
)
events = AlertTestSuite.create_events(default_event, 10)
for event in events:
event["_source"]["details"]["response"]["error"] = "LDAP_SUCCESS"
test_cases.append(
NegativeAlertTestCase(
description="Negative test with default negative event", events=events
)
)
events = AlertTestSuite.create_events(default_event, 10)
for event in events:
event["_source"]["details"]["server"] = "foo.example.com"
test_cases.append(
NegativeAlertTestCase(
description="Negative test with default negative event", events=events
)
)
events = AlertTestSuite.create_events(default_event, 10)
for event in events:
event["_source"]["category"] = "bad"
test_cases.append(
NegativeAlertTestCase(
description="Negative test case with events with incorrect category",
events=events,
)
)
events = AlertTestSuite.create_events(default_event, 10)
for event in events:
event["_source"][
"utctimestamp"
] = AlertTestSuite.subtract_from_timestamp_lambda({"minutes": 241})
event["_source"][
"receivedtimestamp"
] = AlertTestSuite.subtract_from_timestamp_lambda({"minutes": 241})
test_cases.append(
NegativeAlertTestCase(
description="Negative test case with old timestamp", events=events
)
)