deprecating fxa logic (#1669)

2020-08-03 10:57:32 -05:00 · 2020-08-03 10:57:32 -05:00 · ce13d3c32a
--- a/alerts/fxa_alerts.py
+++ b/alerts/fxa_alerts.py
@ -1,51 +0,0 @@
 #!/usr/bin/env python
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at https://mozilla.org/MPL/2.0/.
 # Copyright (c) 2017 Mozilla Corporation
 from lib.alerttask import AlertTask
 from mozdef_util.query_models import SearchQuery, TermMatch, PhraseMatch, WildcardMatch
 class AlertAccountCreations(AlertTask):
    def main(self):
        search_query = SearchQuery(minutes=10)
        search_query.add_must([
            TermMatch('tags', 'firefoxaccounts'),
            PhraseMatch('details.action', 'accountCreate')
        ])
        # ignore test accounts and attempts to create accounts that already exist.
        search_query.add_must_not([
            WildcardMatch('details.email', '*restmail.net'),
        ])
        self.filtersManual(search_query)
        # Search aggregations on field 'ip', keep X samples of events at most
        self.searchEventsAggregated('details.ip', samplesLimit=10)
        # alert when >= X matching events in an aggregation
        self.walkAggregations(threshold=10)
    # Set alert properties
    def onAggregation(self, aggreg):
        # aggreg['count']: number of items in the aggregation, ex: number of failed login attempts
        # aggreg['value']: value of the aggregation field, ex: toto@example.com
        # aggreg['events']: list of events in the aggregation
        category = 'fxa'
        tags = ['fxa']
        severity = 'INFO'
        summary = ('{0} fxa account creation attempts by {1}'.format(aggreg['count'], aggreg['value']))
        emails = self.mostCommon(aggreg['allevents'], '_source.details.email')
        # did they try to create more than one email account?
        # or just retry an existing one
        if len(emails) > 1:
            for i in emails[:5]:
                summary += ' {0} ({1} hits)'.format(i[0], i[1])
            # Create the alert object based on these properties
            return self.createAlertDict(summary, category, tags, aggreg['events'], severity)
--- a/mq/plugins/fxaFixup.py
+++ b/mq/plugins/fxaFixup.py
@ -1,109 +0,0 @@
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at https://mozilla.org/MPL/2.0/.
 # Copyright (c) 2017 Mozilla Corporation
 import netaddr
 def isIP(ip):
    try:
        netaddr.IPNetwork(ip)
        return True
    except:
        return False
 class message(object):
    def __init__(self):
        '''register our criteria for being passed a message
           as a list of lower case strings or values to match with an event's dictionary of keys or values
           set the priority if you have a preference for order of plugins to run. 0 goes first, 100 is assumed/default if not sent
        '''
        # get specific categories
        # for firefox accounts data sent by heka
        self.registration = ['fxaauthwebserver',
                             'fxaauth',
                             'fxacontentwebserver',
                             'fxacustoms',
                             'fxaoauthwebserver',
                             'fxabrowseridwebserver',
                             'fxaprofilewebserver',
                             'fxa-auth-server',
                             'fxa-customsmozsvc'
                             ]
        self.priority = 10
    def onMessage(self, message, metadata):
        if 'eventsource' not in message:
            return (message, metadata)
        # drop non-relevant messages
        if message['eventsource'] in ('Fxa-customsMozSvc', 'FxaContentWebserver', 'FxaAuthWebserver', 'FxaOauthWebserver', 'FxaAuth', 'fxa-auth-server'):
            if 'details' in message:
                if 'status' in message['details']:
                    if message['details']['status'] == 200:
                        # normal 200 returns for web content
                        return(None, metadata)
                # FxaAuth sends http status as 'code'
                if 'code' in message['details']:
                    if message['details']['code'] == 200:
                        # normal 200 returns for web content
                        return(None, metadata)
                if 'op' in message['details']:
                    if message['details']['op'] == 'mailer.send.1':
                        # Due to status flag not being a string
                        return(None, metadata)
        # tag the message
        if 'tags' in message and isinstance(message['tags'], list):
            message['tags'].append('firefoxaccounts')
        else:
            message['tags'] = ['firefoxaccounts']
        # fix various fields
        if 'details' in message and isinstance(message['details'], dict):
            # elastic search needs valid IPs for ip fields.
            if 'http_x_forwarded_for' in message['details']:
                if message['details']['http_x_forwarded_for'] == '-':
                    message['details']['http_x_forwarded_for'] = '0.0.0.0'
            if 'upstream_response_time' in message['details']:
                if message['details']['upstream_response_time'] == '-':
                    message['details']['upstream_response_time'] = 0
            # category fixes
            if 'name' in message['details']:
                if message['details']['name'] == 'fxa-auth-server':
                    message['category'] = 'fxa-auth-server'
            if message['eventsource'] in ('FxaContentWebserver', 'FxaAuthWebserver'):
                if message['category'] == 'logfile':
                    message['category'] = 'weblog'
            if 'remoteaddresschain' in message['details']:
                if isinstance(message['details']['remoteaddresschain'], list):
                    sourceIP = message['details']['remoteaddresschain'][0]
                    if isIP(sourceIP):
                        message['details']['sourceipaddress'] = sourceIP
                # handle the case of an escaped list:
                # "remoteaddresschain": "[\"1.2.3.4\",\"5.6.7.8\",\"127.0.0.1\"]"
                if (isinstance(message['details']['remoteaddresschain'], str) and
                        message['details']['remoteaddresschain'][0] == '[' and
                        message['details']['remoteaddresschain'][-1] == ']'):
                    # remove the brackets and double quotes
                    for i in ['[', ']', '"']:
                        message['details']['remoteaddresschain'] = message['details']['remoteaddresschain'].replace(i, '')
                    # make sure it's still a list
                    if ',' in message['details']['remoteaddresschain']:
                        sourceIP = message['details']['remoteaddresschain'].split(',')[0]
                        if isIP(sourceIP):
                            message['details']['sourceipaddress'] = sourceIP
            # fxacustoms sends source ip as just 'ip'
            if 'ip' in message['details']:
                if isIP(message['details']['ip']):
                    message['details']['sourceipaddress'] = message['details']['ip']
        return (message, metadata)
--- a/mq/plugins/lower_keys.py
+++ b/mq/plugins/lower_keys.py
@ -12,7 +12,7 @@ class message(object):
        and sets the keys to lowercase
        '''
-        self.registration = ['cloudtrail', 'fxa-customsmozsvc', 'vidyo', 'suricata', 'guardduty', 'uptycs']
+        self.registration = ['cloudtrail', 'vidyo', 'suricata', 'guardduty', 'uptycs']
        self.priority = 4
    def onMessage(self, message, metadata):