Merge pull request #1256 from mozilla/fixup_watchlist_alert

Fixup watchlist alert to have auth be configurable

alerts/get_watchlist.conf

@@ -2,3 +2,4 @@
 # set the following to your protected endpoint api_url
 api_url = http://localhost:8081/getwatchlist
 jwt_secret = secret
+use_auth = false

alerts/get_watchlist.py

@@ -17,27 +17,23 @@ from mozdef_util.query_models import SearchQuery, QueryStringMatch
 
 class AlertWatchList(AlertTask):
     def main(self):
-        self.parse_config('get_watchlist.conf', ['api_url', 'jwt_secret'])
+        self.parse_config('get_watchlist.conf', ['api_url', 'jwt_secret', 'use_auth'])
 
-        jwt_token = JWTAuth(self.config.jwt_secret)
-        jwt_token.set_header_format('Bearer %s')
+        jwt_token = None
+        if self.config.use_auth.lower() != 'false':
+            jwt_token = JWTAuth(self.config.jwt_secret)
+            jwt_token.set_header_format('Bearer %s')
 
-        # Connect to rest api and grab response
         r = requests.get(self.config.api_url, auth=jwt_token)
-        status = r.status_code
-        index = 0
-        if status == 200:
-            status = r.status_code
+        # Connect to rest api and grab response
+        if r.ok:
             response = r.text
             terms_list = json.loads(response)
-            while index < len(terms_list):
-                term = terms_list[index]
-                term = '"{}"'.format(term)
+            for term in terms_list:
                 self.watchterm = term
-                index += 1
-                self.process_alert(term)
+                self.process_alert()
         else:
-            logger.error('The watchlist request failed. Status {0}.\n'.format(status))
+            logger.error('The watchlist request failed. Status {0}.\n'.format(r))
 
     def process_alert(self, term):
         search_query = SearchQuery(minutes=20)

docker/compose/mozdef_alerts/Dockerfile

@@ -4,6 +4,7 @@ LABEL maintainer="mozdef@mozilla.com"
 
 COPY alerts /opt/mozdef/envs/mozdef/alerts
 COPY docker/compose/mozdef_alerts/files/config.py /opt/mozdef/envs/mozdef/alerts/lib/
+COPY docker/compose/mozdef_alerts/files/get_watchlist.conf /opt/mozdef/envs/mozdef/alerts/get_watchlist.conf
 
 RUN chown -R mozdef:mozdef /opt/mozdef/envs/mozdef/alerts
 

docker/compose/mozdef_alerts/files/config.py

@@ -12,6 +12,7 @@ import logging
 ALERTS = {
     'bruteforce_ssh.AlertBruteforceSsh': {'schedule': crontab(minute='*/1')},
     'unauth_ssh.AlertUnauthSSH': {'schedule': crontab(minute='*/1')},
+    'get_watchlist.AlertWatchList': {'schedule': crontab(minute='*/1')},
 }
 
 ALERT_PLUGINS = [

docker/compose/mozdef_alerts/files/get_watchlist.conf

@@ -0,0 +1,5 @@
+[options]
+# set the following to your protected endpoint api_url
+api_url = http://rest:8081/getwatchlist
+jwt_secret = secret
+use_auth = false