diff --git a/alerts/fxa_alerts.py b/alerts/fxa_alerts.py
deleted file mode 100644
index bc12aadd..00000000
--- a/alerts/fxa_alerts.py
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/usr/bin/env python
-
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at https://mozilla.org/MPL/2.0/.
-# Copyright (c) 2017 Mozilla Corporation
-
-from lib.alerttask import AlertTask
-from mozdef_util.query_models import SearchQuery, TermMatch, PhraseMatch, WildcardMatch
-
-
-class AlertAccountCreations(AlertTask):
- def main(self):
- search_query = SearchQuery(minutes=10)
-
- search_query.add_must([
- TermMatch('tags', 'firefoxaccounts'),
- PhraseMatch('details.action', 'accountCreate')
- ])
-
- # ignore test accounts and attempts to create accounts that already exist.
- search_query.add_must_not([
- WildcardMatch('details.email', '*restmail.net'),
- ])
-
- self.filtersManual(search_query)
-
- # Search aggregations on field 'ip', keep X samples of events at most
- self.searchEventsAggregated('details.ip', samplesLimit=10)
- # alert when >= X matching events in an aggregation
- self.walkAggregations(threshold=10)
-
- # Set alert properties
- def onAggregation(self, aggreg):
- # aggreg['count']: number of items in the aggregation, ex: number of failed login attempts
- # aggreg['value']: value of the aggregation field, ex: toto@example.com
- # aggreg['events']: list of events in the aggregation
- category = 'fxa'
- tags = ['fxa']
- severity = 'INFO'
-
- summary = ('{0} fxa account creation attempts by {1}'.format(aggreg['count'], aggreg['value']))
- emails = self.mostCommon(aggreg['allevents'], '_source.details.email')
- # did they try to create more than one email account?
- # or just retry an existing one
- if len(emails) > 1:
- for i in emails[:5]:
- summary += ' {0} ({1} hits)'.format(i[0], i[1])
-
- # Create the alert object based on these properties
- return self.createAlertDict(summary, category, tags, aggreg['events'], severity)
diff --git a/mq/plugins/fxaFixup.py b/mq/plugins/fxaFixup.py
deleted file mode 100644
index c67eb3ce..00000000
--- a/mq/plugins/fxaFixup.py
+++ /dev/null
@@ -1,109 +0,0 @@
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at https://mozilla.org/MPL/2.0/.
-# Copyright (c) 2017 Mozilla Corporation
-
-import netaddr
-
-
-def isIP(ip):
- try:
- netaddr.IPNetwork(ip)
- return True
- except:
- return False
-
-
-class message(object):
- def __init__(self):
- '''register our criteria for being passed a message
- as a list of lower case strings or values to match with an event's dictionary of keys or values
- set the priority if you have a preference for order of plugins to run. 0 goes first, 100 is assumed/default if not sent
- '''
- # get specific categories
- # for firefox accounts data sent by heka
- self.registration = ['fxaauthwebserver',
- 'fxaauth',
- 'fxacontentwebserver',
- 'fxacustoms',
- 'fxaoauthwebserver',
- 'fxabrowseridwebserver',
- 'fxaprofilewebserver',
- 'fxa-auth-server',
- 'fxa-customsmozsvc'
- ]
- self.priority = 10
-
- def onMessage(self, message, metadata):
-
- if 'eventsource' not in message:
- return (message, metadata)
- # drop non-relevant messages
- if message['eventsource'] in ('Fxa-customsMozSvc', 'FxaContentWebserver', 'FxaAuthWebserver', 'FxaOauthWebserver', 'FxaAuth', 'fxa-auth-server'):
- if 'details' in message:
- if 'status' in message['details']:
- if message['details']['status'] == 200:
- # normal 200 returns for web content
- return(None, metadata)
- # FxaAuth sends http status as 'code'
- if 'code' in message['details']:
- if message['details']['code'] == 200:
- # normal 200 returns for web content
- return(None, metadata)
- if 'op' in message['details']:
- if message['details']['op'] == 'mailer.send.1':
- # Due to status flag not being a string
- return(None, metadata)
-
- # tag the message
- if 'tags' in message and isinstance(message['tags'], list):
- message['tags'].append('firefoxaccounts')
- else:
- message['tags'] = ['firefoxaccounts']
-
- # fix various fields
- if 'details' in message and isinstance(message['details'], dict):
- # elastic search needs valid IPs for ip fields.
- if 'http_x_forwarded_for' in message['details']:
- if message['details']['http_x_forwarded_for'] == '-':
- message['details']['http_x_forwarded_for'] = '0.0.0.0'
-
- if 'upstream_response_time' in message['details']:
- if message['details']['upstream_response_time'] == '-':
- message['details']['upstream_response_time'] = 0
-
- # category fixes
- if 'name' in message['details']:
- if message['details']['name'] == 'fxa-auth-server':
- message['category'] = 'fxa-auth-server'
-
- if message['eventsource'] in ('FxaContentWebserver', 'FxaAuthWebserver'):
- if message['category'] == 'logfile':
- message['category'] = 'weblog'
-
- if 'remoteaddresschain' in message['details']:
- if isinstance(message['details']['remoteaddresschain'], list):
- sourceIP = message['details']['remoteaddresschain'][0]
- if isIP(sourceIP):
- message['details']['sourceipaddress'] = sourceIP
-
- # handle the case of an escaped list:
- # "remoteaddresschain": "[\"1.2.3.4\",\"5.6.7.8\",\"127.0.0.1\"]"
- if (isinstance(message['details']['remoteaddresschain'], str) and
- message['details']['remoteaddresschain'][0] == '[' and
- message['details']['remoteaddresschain'][-1] == ']'):
- # remove the brackets and double quotes
- for i in ['[', ']', '"']:
- message['details']['remoteaddresschain'] = message['details']['remoteaddresschain'].replace(i, '')
- # make sure it's still a list
- if ',' in message['details']['remoteaddresschain']:
- sourceIP = message['details']['remoteaddresschain'].split(',')[0]
- if isIP(sourceIP):
- message['details']['sourceipaddress'] = sourceIP
-
- # fxacustoms sends source ip as just 'ip'
- if 'ip' in message['details']:
- if isIP(message['details']['ip']):
- message['details']['sourceipaddress'] = message['details']['ip']
-
- return (message, metadata)
diff --git a/mq/plugins/lower_keys.py b/mq/plugins/lower_keys.py
index c633fdc5..7122d432 100644
--- a/mq/plugins/lower_keys.py
+++ b/mq/plugins/lower_keys.py
@@ -12,7 +12,7 @@ class message(object):
 and sets the keys to lowercase
 '''
- self.registration = ['cloudtrail', 'fxa-customsmozsvc', 'vidyo', 'suricata', 'guardduty', 'uptycs']
+ self.registration = ['cloudtrail', 'vidyo', 'suricata', 'guardduty', 'uptycs']
 self.priority = 4
 
 def onMessage(self, message, metadata):