diff --git a/alerts/ldap_bruteforce_global.conf b/alerts/ldap_bruteforce_global.conf
deleted file mode 100644
index 9b8b0108..00000000
--- a/alerts/ldap_bruteforce_global.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-[options]
-threshold_count = 1
-search_depth_min = 60
-host_exclusions = foo.example.com,bar.example.com
\ No newline at end of file
diff --git a/alerts/ldap_bruteforce_global.py b/alerts/ldap_bruteforce_global.py
deleted file mode 100644
index 636d2a34..00000000
--- a/alerts/ldap_bruteforce_global.py
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/usr/bin/env python
-
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at https://mozilla.org/MPL/2.0/.
-# Copyright (c) 2014 Mozilla Corporation
-
-
-from lib.alerttask import AlertTask
-from mozdef_util.query_models import SearchQuery, TermMatch
-import re
-
-
-class AlertLdapBruteforceGlobal(AlertTask):
- def main(self):
- self.parse_config('ldap_bruteforce_global.conf', ['threshold_count', 'search_depth_min', 'host_exclusions'])
- search_query = SearchQuery(minutes=int(self.config.search_depth_min))
-
- for host_exclusion in self.config.host_exclusions.split(","):
- search_query.add_must_not([TermMatch("details.server", host_exclusion)])
-
- search_query.add_must([
- TermMatch('category', 'ldap'),
- TermMatch('details.response.error', 'LDAP_INVALID_CREDENTIALS')
- ])
- self.filtersManual(search_query)
- self.searchEventsAggregated('details.client', samplesLimit=10)
- self.walkAggregations(threshold=int(self.config.threshold_count))
-
- def onAggregation(self, aggreg):
- category = 'bruteforce'
- tags = ['ldap']
- severity = 'WARNING'
- email_list = set()
- email_regex = r'.*mail=([a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.[a-zA-Z0-9_-]+)'
-
- for event in aggreg['allevents']:
- for request in event['_source']['details']['requests']:
- for detail in request['details']:
- match_object = re.match(email_regex, detail)
- if match_object:
- email_list.add(match_object.group(1))
-
- # If no emails, don't throw alert
- # if len(email_list) == 0:
- # return None
-
- summary = 'Global LDAP Bruteforce Attack in Progress from {0} targeting the following account(s): {1}'.format(
- aggreg['value'],
- ", ".join(sorted(email_list)[:10])
- )
- if len(email_list) >= 10:
- summary += '...'
-
- return self.createAlertDict(summary, category, tags, aggreg['events'], severity)
diff --git a/tests/alerts/test_ldap_bruteforce_global.py b/tests/alerts/test_ldap_bruteforce_global.py
deleted file mode 100644
index bc45db6b..00000000
--- a/tests/alerts/test_ldap_bruteforce_global.py
+++ /dev/null
@@ -1,109 +0,0 @@
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at https://mozilla.org/MPL/2.0/.
-# Copyright (c) 2017 Mozilla Corporation
-from .positive_alert_test_case import PositiveAlertTestCase
-from .negative_alert_test_case import NegativeAlertTestCase
-
-from .alert_test_suite import AlertTestSuite
-
-
-class TestAlertLdapBruteforceGlobal(AlertTestSuite):
- alert_filename = "ldap_bruteforce_global"
- # This event is the default positive event that will cause the
- # alert to trigger
- default_event = {
- "_source": {
- "category": "ldap",
- "details": {
- "client": "1.2.3.4",
- "requests": [
- {
- 'verb': 'BIND',
- 'details': [
- 'method=128'
- 'dn="mail=jsmith@example.com,o=com,dc=example"',
- ]
- }
- ],
- "server": "ldap.example.com",
- "response": {
- "error": 'LDAP_INVALID_CREDENTIALS',
- }
- }
- }
- }
-
- # This alert is the expected result from running this task
- default_alert = {
- "category": "bruteforce",
- "tags": ["ldap"],
- "severity": "WARNING",
- "summary": "Global LDAP Bruteforce Attack in Progress from 1.2.3.4 targeting the following account(s): jsmith@example.com",
- }
-
- # This alert is the expected result from this task against multiple matching events
- default_alert_aggregated = AlertTestSuite.copy(default_alert)
- default_alert_aggregated[
- "summary"
- ] = "Global LDAP Bruteforce Attack in Progress from 1.2.3.4 targeting the following account(s): jsmith@example.com"
-
- test_cases = []
-
- test_cases.append(
- PositiveAlertTestCase(
- description="Positive test with default events and default alert expected",
- events=AlertTestSuite.create_events(default_event, 1),
- expected_alert=default_alert,
- )
- )
-
- test_cases.append(
- PositiveAlertTestCase(
- description="Positive test with default events and default alert expected - dedup",
- events=AlertTestSuite.create_events(default_event, 2),
- expected_alert=default_alert,
- )
- )
-
- events = AlertTestSuite.create_events(default_event, 10)
- for event in events:
- event["_source"]["details"]["response"]["error"] = "LDAP_SUCCESS"
- test_cases.append(
- NegativeAlertTestCase(
- description="Negative test with default negative event", events=events
- )
- )
-
- events = AlertTestSuite.create_events(default_event, 10)
- for event in events:
- event["_source"]["details"]["server"] = "foo.example.com"
- test_cases.append(
- NegativeAlertTestCase(
- description="Negative test with default negative event", events=events
- )
- )
-
- events = AlertTestSuite.create_events(default_event, 10)
- for event in events:
- event["_source"]["category"] = "bad"
- test_cases.append(
- NegativeAlertTestCase(
- description="Negative test case with events with incorrect category",
- events=events,
- )
- )
-
- events = AlertTestSuite.create_events(default_event, 10)
- for event in events:
- event["_source"][
- "utctimestamp"
- ] = AlertTestSuite.subtract_from_timestamp_lambda({"minutes": 241})
- event["_source"][
- "receivedtimestamp"
- ] = AlertTestSuite.subtract_from_timestamp_lambda({"minutes": 241})
- test_cases.append(
- NegativeAlertTestCase(
- description="Negative test case with old timestamp", events=events
- )
- )