Update alerts for new model names
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
This commit is contained in:
Родитель
8faad73d0b
Коммит
a1f67935ec
|
@ -9,7 +9,7 @@
|
|||
# Anthony Verez averez@mozilla.com
|
||||
|
||||
from lib.alerttask import AlertTask
|
||||
from query_models import SearchQuery, TermMatch, ExistsMatch, QueryFilter, MatchQuery
|
||||
from query_models import SearchQuery, TermMatch, ExistsMatch, PhraseMatch
|
||||
|
||||
|
||||
class AlertFailedAMOLogin(AlertTask):
|
||||
|
@ -20,7 +20,7 @@ class AlertFailedAMOLogin(AlertTask):
|
|||
TermMatch('_type', 'addons'),
|
||||
TermMatch('signatureid', 'authfail'),
|
||||
ExistsMatch('details.sourceipaddress'),
|
||||
QueryFilter(MatchQuery("msg","The password was incorrect","phrase")),
|
||||
PhraseMatch("msg", "The password was incorrect"),
|
||||
ExistsMatch('suser')
|
||||
])
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
# Alicia Smith <asmith@mozilla.com>
|
||||
|
||||
from lib.alerttask import AlertTask
|
||||
from query_models import SearchQuery, TermMatch, QueryFilter, MatchQuery
|
||||
from query_models import SearchQuery, TermMatch, PhraseMatch
|
||||
|
||||
|
||||
class AlertSFTPEvent(AlertTask):
|
||||
|
@ -25,7 +25,7 @@ class AlertSFTPEvent(AlertTask):
|
|||
TermMatch('category', 'execve'),
|
||||
TermMatch('processname', 'audisp-json'),
|
||||
TermMatch('details.processname', 'ssh'),
|
||||
QueryFilter(MatchQuery('details.parentprocess', 'sftp', 'phrase')),
|
||||
PhraseMatch('details.parentprocess', 'sftp'),
|
||||
])
|
||||
|
||||
self.filtersManual(search_query)
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
# Michal Purzynski michal@mozilla.com
|
||||
|
||||
from lib.alerttask import AlertTask
|
||||
from query_models import SearchQuery, TermMatch, ExistsMatch, QueryFilter, MatchQuery
|
||||
from query_models import SearchQuery, TermMatch, ExistsMatch, PhraseMatch
|
||||
|
||||
|
||||
class AlertBugzillaPBruteforce(AlertTask):
|
||||
|
@ -21,7 +21,7 @@ class AlertBugzillaPBruteforce(AlertTask):
|
|||
TermMatch('eventsource', 'nsm'),
|
||||
TermMatch('category', 'bronotice'),
|
||||
ExistsMatch('details.sourceipaddress'),
|
||||
QueryFilter(MatchQuery('details.note','BugzBruteforcing::HTTP_BugzBruteforcing_Attacker','phrase')),
|
||||
PhraseMatch('details.note', 'BugzBruteforcing::HTTP_BugzBruteforcing_Attacker'),
|
||||
])
|
||||
|
||||
self.filtersManual(search_query)
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
# Jonathan Claudius jclaudius@mozilla.com
|
||||
|
||||
from lib.alerttask import AlertTask
|
||||
from query_models import SearchQuery, TermMatch, QueryFilter, QueryStringQuery
|
||||
from query_models import SearchQuery, TermMatch, QueryStringMatch
|
||||
|
||||
|
||||
class AlertConfluenceShellUsage(AlertTask):
|
||||
|
@ -20,7 +20,7 @@ class AlertConfluenceShellUsage(AlertTask):
|
|||
search_query.add_must([
|
||||
TermMatch('_type', 'auditd'),
|
||||
TermMatch('details.user', 'confluence'),
|
||||
QueryFilter(QueryStringQuery('hostname: /.*(mana|confluence).*/')),
|
||||
QueryStringMatch('hostname: /.*(mana|confluence).*/'),
|
||||
])
|
||||
|
||||
search_query.add_must_not(TermMatch('details.originaluser', 'root'))
|
||||
|
|
|
@ -12,7 +12,8 @@
|
|||
# to alert on a dead input source.
|
||||
|
||||
from lib.alerttask import AlertTask
|
||||
from query_models import SearchQuery, QueryFilter, TermMatch, MatchQuery
|
||||
from query_models import SearchQuery, TermMatch, PhraseMatch
|
||||
|
||||
|
||||
def fakeEvent():
|
||||
# make a fake event
|
||||
|
@ -26,6 +27,7 @@ def fakeEvent():
|
|||
event['_id'] = ''
|
||||
return event
|
||||
|
||||
|
||||
class broNSM(AlertTask):
|
||||
def main(self, *args, **kwargs):
|
||||
# call with hostlist=['host1','host2','host3']
|
||||
|
@ -36,8 +38,8 @@ class broNSM(AlertTask):
|
|||
search_query = SearchQuery(minutes=20)
|
||||
|
||||
search_query.add_must([
|
||||
QueryFilter(MatchQuery("details.note","MozillaAlive::Bro_Is_Watching_You","phrase")),
|
||||
QueryFilter(MatchQuery("details.peer_descr", host, "phrase")),
|
||||
PhraseMatch("details.note", "MozillaAlive::Bro_Is_Watching_You"),
|
||||
PhraseMatch("details.peer_descr", host),
|
||||
TermMatch('category', 'bronotice'),
|
||||
TermMatch('_type', 'bro')
|
||||
])
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
# Alicia Smith <asmith@mozilla.com>
|
||||
|
||||
from lib.alerttask import AlertTask
|
||||
from query_models import SearchQuery, TermMatch, ExistsMatch, QueryFilter, MatchQuery
|
||||
from query_models import SearchQuery, TermMatch, ExistsMatch, PhraseMatch
|
||||
|
||||
|
||||
class AlertDuoAuthFail(AlertTask):
|
||||
|
@ -20,7 +20,7 @@ class AlertDuoAuthFail(AlertTask):
|
|||
TermMatch('category', 'event'),
|
||||
ExistsMatch('details.ip'),
|
||||
ExistsMatch('details.username'),
|
||||
QueryFilter(MatchQuery('details.result', 'FRAUD', 'phrase')),
|
||||
PhraseMatch('details.result', 'FRAUD'),
|
||||
])
|
||||
|
||||
self.filtersManual(search_query)
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
# Anthony Verez averez@mozilla.com
|
||||
|
||||
from lib.alerttask import AlertTask
|
||||
from query_models import SearchQuery, TermMatch, QueryFilter, MatchQuery
|
||||
from query_models import SearchQuery, TermMatch, PhraseMatch
|
||||
|
||||
|
||||
class AlertFail2ban(AlertTask):
|
||||
|
@ -19,7 +19,7 @@ class AlertFail2ban(AlertTask):
|
|||
search_query.add_must([
|
||||
TermMatch('_type', 'event'),
|
||||
TermMatch('program', 'fail2ban'),
|
||||
QueryFilter(MatchQuery("summary","banned for","phrase"))
|
||||
PhraseMatch("summary", "banned for")
|
||||
])
|
||||
|
||||
self.filtersManual(search_query)
|
||||
|
|
|
@ -19,14 +19,13 @@ class AlertAccountCreations(AlertTask):
|
|||
search_query.add_must([
|
||||
TermMatch('_type', 'event'),
|
||||
TermMatch('tags', 'firefoxaccounts'),
|
||||
PhraseMatch('details.path','/v1/account/create','phrase')
|
||||
|
||||
PhraseMatch('details.path', '/v1/account/create')
|
||||
])
|
||||
|
||||
#ignore test accounts and attempts to create accounts that already exist.
|
||||
# ignore test accounts and attempts to create accounts that already exist.
|
||||
search_query.add_must_not([
|
||||
WildcardMatch(field='details.email',value='*restmail.net'),
|
||||
TermMatch('details.code','429')
|
||||
WildcardMatch(field='details.email', value='*restmail.net'),
|
||||
TermMatch('details.code', '429')
|
||||
])
|
||||
|
||||
self.filtersManual(search_query)
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
# Jeff Bryner jbryner@mozilla.com
|
||||
|
||||
from lib.alerttask import AlertTask
|
||||
from query_models import SearchQuery, TermMatch, ExistsMatch, QueryFilter, MatchQuery
|
||||
from query_models import SearchQuery, TermMatch, ExistsMatch, PhraseMatch
|
||||
|
||||
|
||||
class AlertHostScannerFinding(AlertTask):
|
||||
|
@ -20,7 +20,7 @@ class AlertHostScannerFinding(AlertTask):
|
|||
search_query.add_must([
|
||||
TermMatch('_type', 'cef'),
|
||||
ExistsMatch('details.dhost'),
|
||||
QueryFilter(MatchQuery("signatureid","sensitivefiles","phrase"))
|
||||
PhraseMatch("signatureid", "sensitivefiles")
|
||||
])
|
||||
|
||||
self.filtersManual(search_query)
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
# Michal Purzynski michal@mozilla.com
|
||||
|
||||
from lib.alerttask import AlertTask
|
||||
from query_models import SearchQuery, TermMatch, ExistsMatch, QueryFilter, MatchQuery
|
||||
from query_models import SearchQuery, TermMatch, ExistsMatch, PhraseMatch
|
||||
|
||||
|
||||
class AlertHTTPBruteforce(AlertTask):
|
||||
|
@ -21,7 +21,7 @@ class AlertHTTPBruteforce(AlertTask):
|
|||
TermMatch('eventsource', 'nsm'),
|
||||
TermMatch('category', 'bronotice'),
|
||||
ExistsMatch('details.sourceipaddress'),
|
||||
QueryFilter(MatchQuery('details.note','AuthBruteforcing::HTTP_AuthBruteforcing_Attacker','phrase')),
|
||||
PhraseMatch('details.note', 'AuthBruteforcing::HTTP_AuthBruteforcing_Attacker'),
|
||||
])
|
||||
|
||||
self.filtersManual(search_query)
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
# Michal Purzynski michal@mozilla.com
|
||||
|
||||
from lib.alerttask import AlertTask
|
||||
from query_models import SearchQuery, TermMatch, ExistsMatch, QueryFilter, MatchQuery
|
||||
from query_models import SearchQuery, TermMatch, ExistsMatch, PhraseMatch
|
||||
|
||||
|
||||
class AlertHTTPErrors(AlertTask):
|
||||
|
@ -21,7 +21,7 @@ class AlertHTTPErrors(AlertTask):
|
|||
TermMatch('eventsource', 'nsm'),
|
||||
TermMatch('category', 'bronotice'),
|
||||
ExistsMatch('details.sourceipaddress'),
|
||||
QueryFilter(MatchQuery('details.note','MozillaHTTPErrors::Excessive_HTTP_Errors_Attacker','phrase')),
|
||||
PhraseMatch('details.note', 'MozillaHTTPErrors::Excessive_HTTP_Errors_Attacker'),
|
||||
])
|
||||
|
||||
self.filtersManual(search_query)
|
||||
|
@ -43,4 +43,3 @@ class AlertHTTPErrors(AlertTask):
|
|||
|
||||
# Create the alert object based on these properties
|
||||
return self.createAlertDict(summary, category, tags, [event], severity=severity, url=url)
|
||||
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
# Jeff Bryner jbryner@mozilla.com
|
||||
|
||||
from lib.alerttask import AlertTask
|
||||
from query_models import SearchQuery, TermMatch, QueryFilter, MatchQuery
|
||||
from query_models import SearchQuery, TermMatch
|
||||
|
||||
|
||||
class ldapGroupModify(AlertTask):
|
||||
|
@ -19,7 +19,7 @@ class ldapGroupModify(AlertTask):
|
|||
search_query.add_must([
|
||||
TermMatch('category', 'ldapChange'),
|
||||
TermMatch('changetype', 'modify'),
|
||||
QueryFilter(MatchQuery("summary","groups"))
|
||||
TermMatch("summary", "groups")
|
||||
])
|
||||
|
||||
self.filtersManual(search_query)
|
||||
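Review bot: `TermMatch("summary", "groups")` changes query semantics rather than just the model name: the removed `MatchQuery("summary","groups")` ran the value through the field's analyzer, while a term query compares against the stored token verbatim, so this only keeps firing if `summary` is indexed such that the literal token `groups` exists. Every other hunk in this commit maps a phrase `MatchQuery` to `PhraseMatch`; the consistent and analyzer-safe equivalent here would be `PhraseMatch("summary", "groups")`, with `PhraseMatch` added to the new import line in the earlier hunk. The same caveat applies to `TermsMatch('hostname', ['sensor1', 'sensor2', 'sensor3'])` replacing the boolean `MatchQuery` in the AlertMultipleIntelHits hunk. If those fields are mapped not_analyzed both forms are fine, but that is worth confirming against the index mapping, because a silent non-match disables the alert rather than erroring.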
|
|
|
@ -9,7 +9,7 @@
|
|||
# Jeff Bryner jbryner@mozilla.com
|
||||
|
||||
from lib.alerttask import AlertTask
|
||||
from query_models import SearchQuery, TermMatch, QueryFilter, MatchQuery
|
||||
from query_models import SearchQuery, TermMatch, PhraseMatch
|
||||
|
||||
|
||||
class ldapLockout(AlertTask):
|
||||
|
@ -19,7 +19,7 @@ class ldapLockout(AlertTask):
|
|||
search_query.add_must([
|
||||
TermMatch('category', 'ldapChange'),
|
||||
TermMatch("actor", "cn=admin,dc=mozilla"),
|
||||
QueryFilter(MatchQuery('changepairs', 'replace:pwdAccountLockedTime','phrase'))
|
||||
PhraseMatch('changepairs', 'replace:pwdAccountLockedTime')
|
||||
])
|
||||
self.filtersManual(search_query)
|
||||
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
# Michal Purzynski <mpurzynski@mozilla.com>
|
||||
|
||||
from lib.alerttask import AlertTask
|
||||
from query_models import SearchQuery, TermMatch, ExistsMatch, QueryFilter, MatchQuery
|
||||
from query_models import SearchQuery, TermMatch, ExistsMatch, TermsMatch
|
||||
|
||||
|
||||
class AlertMultipleIntelHits(AlertTask):
|
||||
|
@ -23,7 +23,7 @@ class AlertMultipleIntelHits(AlertTask):
|
|||
TermMatch('eventsource', 'nsm'),
|
||||
TermMatch('category', 'brointel'),
|
||||
ExistsMatch('seenindicator'),
|
||||
QueryFilter(MatchQuery('hostname', 'sensor1 sensor2 sensor3', 'boolean'))
|
||||
TermsMatch('hostname', ['sensor1', 'sensor2', 'sensor3'])
|
||||
])
|
||||
|
||||
self.filtersManual(search_query)
|
||||
|
|
|
@ -40,7 +40,7 @@
|
|||
# ]
|
||||
|
||||
from lib.alerttask import AlertTask
|
||||
from query_models import SearchQuery, TermMatch, QueryFilter, MatchQuery
|
||||
from query_models import SearchQuery, TermMatch, PhraseMatch
|
||||
|
||||
|
||||
class AlertHTTPErrors(AlertTask):
|
||||
|
@ -52,7 +52,7 @@ class AlertHTTPErrors(AlertTask):
|
|||
TermMatch('tags', 'nubis_events_prod'),
|
||||
TermMatch('category', 'syslog'),
|
||||
TermMatch('details.__tag', 'ec2.forward.squid.access'),
|
||||
QueryFilter(MatchQuery('details.summary','is DENIED, because it matched','phrase')),
|
||||
PhraseMatch('details.summary', 'is DENIED, because it matched'),
|
||||
])
|
||||
|
||||
self.filtersManual(search_query)
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
# Michal Purzynski michal@mozilla.com
|
||||
|
||||
from lib.alerttask import AlertTask
|
||||
from query_models import SearchQuery, TermMatch, ExistsMatch, QueryFilter, MatchQuery
|
||||
from query_models import SearchQuery, TermMatch, ExistsMatch, PhraseMatch
|
||||
|
||||
|
||||
class AlertSSHManyConns(AlertTask):
|
||||
|
@ -21,7 +21,7 @@ class AlertSSHManyConns(AlertTask):
|
|||
TermMatch('eventsource', 'nsm'),
|
||||
TermMatch('category', 'bronotice'),
|
||||
ExistsMatch('details.sourceipaddress'),
|
||||
QueryFilter(MatchQuery('details.note','SSH::Password_Guessing','phrase')),
|
||||
PhraseMatch('details.note', 'SSH::Password_Guessing'),
|
||||
])
|
||||
|
||||
self.filtersManual(search_query)
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
# Alicia Smith <asmith@mozilla.com>
|
||||
|
||||
from lib.alerttask import AlertTask
|
||||
from query_models import SearchQuery, TermMatch, ExistsMatch, QueryFilter, MatchQuery
|
||||
from query_models import SearchQuery, TermMatch, ExistsMatch, PhraseMatch
|
||||
|
||||
|
||||
class AlertUnauthPortScan(AlertTask):
|
||||
|
@ -25,7 +25,7 @@ class AlertUnauthPortScan(AlertTask):
|
|||
TermMatch('category', 'bronotice'),
|
||||
TermMatch('eventsource', 'nsm'),
|
||||
ExistsMatch('details.sourceipaddress'),
|
||||
QueryFilter(MatchQuery('details.note', 'Scan::Port_Scan', 'phrase')),
|
||||
PhraseMatch('details.note', 'Scan::Port_Scan'),
|
||||
])
|
||||
|
||||
self.filtersManual(search_query)
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
# Alicia Smith <asmith@mozilla.com>
|
||||
|
||||
from lib.alerttask import AlertTask
|
||||
from query_models import SearchQuery, TermMatch, ExistsMatch, QueryFilter, MatchQuery
|
||||
from query_models import SearchQuery, TermMatch, ExistsMatch, PhraseMatch
|
||||
|
||||
|
||||
class AlertUnauthInternalScan(AlertTask):
|
||||
|
@ -26,7 +26,7 @@ class AlertUnauthInternalScan(AlertTask):
|
|||
TermMatch('eventsource', 'nsm'),
|
||||
TermMatch('hostname', 'nsmserver1'),
|
||||
ExistsMatch('details.sourceipaddress'),
|
||||
QueryFilter(MatchQuery('details.note', 'Scan::Address_Scan', 'phrase')),
|
||||
PhraseMatch('details.note', 'Scan::Address_Scan'),
|
||||
])
|
||||
|
||||
self.filtersManual(search_query)
|
||||
|
|
|
@ -9,8 +9,7 @@
|
|||
# Aaron Meihm <ameihm@mozilla.com>
|
||||
|
||||
from lib.alerttask import AlertTask
|
||||
from query_models import SearchQuery, TermMatch, QueryFilter, QueryStringQuery, MatchQuery
|
||||
import json
|
||||
from query_models import SearchQuery, TermMatch, QueryStringMatch, PhraseMatch
|
||||
import re
|
||||
from configlib import getConfig, OptionParser
|
||||
|
||||
|
@ -23,6 +22,7 @@ from configlib import getConfig, OptionParser
|
|||
# user username
|
||||
# skiphosts 1.2.3.4 2.3.4.5
|
||||
|
||||
|
||||
class AlertUnauthSSH(AlertTask):
|
||||
def main(self):
|
||||
self.config_file = './unauth_ssh_pyes.conf'
|
||||
|
@ -35,12 +35,12 @@ class AlertUnauthSSH(AlertTask):
|
|||
TermMatch('_type', 'event'),
|
||||
TermMatch('category', 'syslog'),
|
||||
TermMatch('details.program', 'sshd'),
|
||||
QueryFilter(QueryStringQuery('details.hostname: /{}/'.format(self.config.hostfilter))),
|
||||
QueryFilter(MatchQuery('summary', 'Accepted publickey {}'.format(self.config.user), operator='and'))
|
||||
QueryStringMatch('details.hostname: /{}/'.format(self.config.hostfilter)),
|
||||
PhraseMatch('summary', 'Accepted publickey {}'.format(self.config.user))
|
||||
])
|
||||
|
||||
for x in self.config.skiphosts:
|
||||
search_query.add_must_not(QueryFilter(MatchQuery('summary', x)))
|
||||
search_query.add_must_not(PhraseMatch('summary', x))
|
||||
|
||||
self.filtersManual(search_query)
|
||||
self.searchEventsSimple()
|
||||
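Review bot: `PhraseMatch('summary', 'Accepted publickey {}'.format(self.config.user))` is stricter than the `MatchQuery(..., operator='and')` it replaces: a phrase requires the tokens adjacent and in order, whereas the and-operator only required all of them to be present somewhere in the summary. sshd's usual wording puts `for` between `publickey` and the user name (`Accepted publickey for <user> from ...`), so if that is the summary format in this index the new filter never matches and the alert silently stops firing. Either carry the intervening word in the phrase, `'Accepted publickey for {}'.format(self.config.user)`, or keep a non-phrase match here, and pin the exact summary string with a fixture-backed test. Separately, the earlier hunk drops `import json` while the rest of the file is outside this view — worth confirming nothing below still uses it.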
|
|
|
@ -21,8 +21,8 @@ class AlertManyVPNDuoAuthFailures(AlertTask):
|
|||
TermMatch('_type', 'event'),
|
||||
TermMatch('category', 'event'),
|
||||
TermMatch('tags', 'duosecurity'),
|
||||
PhraseMatch('details.integration','global and external openvpn','phrase'),
|
||||
PhraseMatch('details.result','FAILURE','phrase'),
|
||||
PhraseMatch('details.integration', 'global and external openvpn'),
|
||||
PhraseMatch('details.result', 'FAILURE'),
|
||||
])
|
||||
|
||||
self.filtersManual(search_query)
|
||||
|
@ -42,7 +42,7 @@ class AlertManyVPNDuoAuthFailures(AlertTask):
|
|||
severity = 'NOTICE'
|
||||
|
||||
summary = ('{0} openvpn authentication attempts by {1}'.format(aggreg['count'], aggreg['value']))
|
||||
sourceip = self.mostCommon(aggreg['allevents'],'_source.details.ip')
|
||||
sourceip = self.mostCommon(aggreg['allevents'], '_source.details.ip')
|
||||
for i in sourceip[:5]:
|
||||
summary += ' {0} ({1} hits)'.format(i[0], i[1])
|
||||
|
||||
|
|
|
@ -20,6 +20,11 @@ class TestPhraseMatchPositiveTestSuite(PositiveTestSuite):
|
|||
{'summary': 'we are test here source'},
|
||||
{'summary': 'this is test'},
|
||||
],
|
||||
PhraseMatch('summary', '/test/abc'): [
|
||||
{'summary': '/test/abc'},
|
||||
{'summary': '/test/abc/def'},
|
||||
{'summary': 'path /test/abc'},
|
||||
],
|
||||
}
|
||||
return tests
|
||||
|
||||
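Review bot: The new `PhraseMatch('summary', '/test/abc')` cases only exercise the positive suite; there is no companion case showing what the phrase must not match (for example `{'summary': '/abc/test'}` or `{'summary': 'test abc'}`), so a regression that relaxed PhraseMatch to any-order or prefix matching would still pass. If the file has a matching NegativeTestSuite class, a case with the tokens reversed would pin the ordering guarantee the alert hunks above rely on. The enclosing `tests` method begins outside the hunk.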
|
|