mozilla
/
MozDef
зеркало из https://github.com/mozilla/MozDef.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Add filterlog firewall mq plugin

This commit is contained in:
Brandon Myers 2017-11-13 22:21:40 -06:00
Родитель 34176bcc64
Коммит f97b0f0c70
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 8AA79AD83045BBC7
2 изменённых файлов: 148 добавлений и 0 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

95
mq/plugins/filterlog.py Normal file
Просмотреть файл

@ -0,0 +1,95 @@
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# Copyright (c) 2017 Mozilla Corporation
#
# Contributors:
# Brandon Myers bmyers@mozilla.com
class message(object):
def __init__(self):
'''register our criteria for being passed a message
as a list of lower case strings or values to match with an event's dictionary of keys or values
set the priority if you have a preference for order of plugins to run. 0 goes first, 100 is assumed/default if not sent
'''
self.registration = ['filterlog']
self.priority = 10
def onMessage(self, message, metadata):
if 'summary' not in message:
return (message, metadata)
if message['summary'].count(',') < 9:
return (message, metadata)
if 'details' not in message:
message['details'] = {}
summary_items = message['summary'].split(',')
message['details']['rule_number'] = summary_items[0]
message['details']['sub_rule_number'] = summary_items[1]
message['details']['anchor'] = summary_items[2]
message['details']['trackor'] = summary_items[3]
message['details']['interface'] = summary_items[4]
message['details']['reason'] = summary_items[5]
message['details']['action'] = summary_items[6]
message['details']['direction'] = summary_items[7]
message['details']['ip_version'] = summary_items[8]
ip_version = int(message['details']['ip_version'])
if ip_version == 4:
if 'ip' not in message['details']:
message['details']['ip'] = {}
message['details']['ip']['version'] = 4
message['details']['ip']['tos'] = summary_items[9]
message['details']['ip']['ecn'] = summary_items[10]
message['details']['ip']['ttl'] = summary_items[11]
message['details']['ip']['id'] = summary_items[12]
message['details']['ip']['offset'] = summary_items[13]
message['details']['ip']['flags'] = summary_items[14]
message['details']['ip']['protocol_id'] = summary_items[15]
message['details']['ip']['protocol_text'] = summary_items[16]
last_index = 16
elif ip_version == 6:
if 'ip' not in message['details']:
message['details']['ip'] = {}
message['details']['ip']['version'] = 6
message['details']['ip']['class'] = summary_items[9]
message['details']['ip']['flow_label'] = summary_items[10]
message['details']['ip']['hop_limit'] = summary_items[11]
message['details']['ip']['protocol'] = summary_items[12]
message['details']['ip']['protocol_id'] = summary_items[13]
last_index = 13
if ip_version == 4 or ip_version == 6:
message['details']['ip']['length'] = summary_items[last_index + 1]
message['details']['sourceipaddress'] = summary_items[last_index + 2]
message['details']['destinationipaddress'] = summary_items[last_index + 3]
proto_id = int(message['details']['ip']['protocol_id'])
if proto_id == 6:
if 'tcp' not in message['details']:
message['details']['tcp'] = {}
message['details']['tcp']['source_port'] = summary_items[last_index + 4]
message['details']['tcp']['destination_port'] = summary_items[last_index + 5]
message['details']['tcp']['data_length'] = summary_items[last_index + 6]
message['details']['tcp']['flags'] = summary_items[last_index + 7]
message['details']['tcp']['seq_number'] = summary_items[last_index + 8]
message['details']['tcp']['ack_number'] = summary_items[last_index + 9]
message['details']['tcp']['window'] = summary_items[last_index + 10]
message['details']['tcp']['urg'] = summary_items[last_index + 11]
message['details']['tcp']['options'] = summary_items[last_index + 12]
elif proto_id == 17:
if 'udp' not in message['details']:
message['details']['udp'] = {}
message['details']['udp']['source_port'] = summary_items[last_index + 4]
message['details']['udp']['destination_port'] = summary_items[last_index + 5]
message['details']['udp']['data_length'] = summary_items[last_index + 6]
return (message, metadata)

53
tests/mq/plugins/test_filterlog.py Normal file
Просмотреть файл

@ -0,0 +1,53 @@
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# Copyright (c) 2017 Mozilla Corporation
#
# Contributors:
# Brandon Myers bmyers@mozilla.com
import os
import sys
sys.path.append(os.path.join(os.path.dirname(__file__), "../../../mq/plugins"))
from filterlog import message
class TestFilterlog():
def setup(self):
self.plugin = message()
self.msg = {}
self.msg['summary'] = '9,,,1000000103,igb0,match,block,in,4,0x0,,6,60624,0,DF,17,udp,92,175.41.7.2,21.143.56.109,57434,33443,72'
def test_onMessage(self):
metadata = {}
metadata['doc_type'] = 'event'
expected_return_message = {'details': {'action': 'block',
'anchor': '',
'destinationipaddress': '21.143.56.109',
'direction': 'in',
'interface': 'igb0',
'ip': {'ecn': '',
'flags': 'DF',
'id': '60624',
'length': '92',
'offset': '0',
'protocol_id': '17',
'protocol_text': 'udp',
'tos': '0x0',
'ttl': '6',
'version': 4},
'ip_version': '4',
'reason': 'match',
'rule_number': '9',
'sourceipaddress': '175.41.7.2',
'sub_rule_number': '',
'trackor': '1000000103',
'udp': {'data_length': '72',
'destination_port': '33443',
'source_port': '57434'}},
'summary': '9,,,1000000103,igb0,match,block,in,4,0x0,,6,60624,0,DF,17,udp,92,175.41.7.2,21.143.56.109,57434,33443,72'}
(retmessage, retmeta) = self.plugin.onMessage(self.msg, metadata)
assert retmessage == expected_return_message