Commit graph

97 commits

Author SHA1 Message Date
Brandon Myers d224a47525
Merge pull request #1410 from mozilla/fix-port-scan-enrich
Fix port scan enrich
2019-08-20 14:20:44 -05:00
Emma Rose bbc6cc60c7
Store recentconnections under alert.details 2019-08-15 16:13:57 -04:00
Emma Rose 69173b70ef
Have recent connections listed at the top-level of an alert & add events to correct place in test 2019-08-14 17:20:44 -04:00
Jan Andre Ikenmeyer 51822417a3
Update MPL license to https 2019-08-02 01:41:37 +02:00
Emma Rose f8446b0510
Use documentsource for alerts, not _source (for events) 2019-08-01 15:34:50 -04:00
Emma Rose 823694f601
Merge branch 'master' into fix-port-scan-enrich 2019-08-01 15:18:35 -04:00
Brandon Myers 211ab423e7
Update regex strings 2019-07-31 18:01:26 -05:00
Michal Purzynski 4ab371440a remove the iqrisk plugin 2019-07-31 13:11:41 -07:00
Michal Purzynski 10b68d7379 fixups to address python3 issues 2019-07-31 12:49:16 -07:00
Michal Purzynski 70b013d04d Merge branch 'master' of https://github.com/mozilla/mozdef into ipaddr_alert_plugin 2019-07-31 12:45:43 -07:00
Emma Rose e1e3ee2235
Extract the sourceipaddress from the first event in the alert 2019-07-31 13:37:09 -04:00
Brandon Myers bfa8640b57
Modify registration for port scan alert plugin 2019-07-16 16:12:56 -04:00
Brandon Myers 9d7ea147a9
Add check for details on alert in plugin 2019-07-16 15:19:02 -04:00
Brandon Myers fc3bd5e770
Add registration to alert plugins 2019-07-16 12:23:50 -05:00
Michal Purzynski dd76be369c Merge branch 'master' of https://github.com/mozilla/mozdef into ipaddr_alert_plugin 2019-07-10 12:42:41 -07:00
Brandon Myers 3c394a1365
Update map to list for ipv6 2019-06-28 17:45:21 -05:00
Brandon Myers f64a512c3b
Merge pull request #1294 from mozilla/port-scan-enrichment
Port scan enrichment
2019-06-05 19:09:24 -05:00
Emma Rose d9a0c44c53
Use a TermMatch instead of a PhraseMatch 2019-05-31 17:12:21 -04:00
Emma Rose 0a1783e8fc
Don't need to copy the alert before modifying; mutation is part of the interface expectations 2019-05-31 17:03:18 -04:00
Emma Rose 7904b32b44
Use a timestamp example consistent with the format we actually use 2019-05-31 17:02:59 -04:00
Emma Rose bd3d2ba510
Default to searching the events-weekly index since this is more appropriate in most cases 2019-05-29 18:31:48 -04:00
Emma Rose 749979280b
Add missing json import... again? 2019-05-29 16:29:03 -04:00
Emma Rose cc9d76e576
Handle the default values for the matchTags configuration option 2019-05-27 19:11:32 -04:00
Emma Rose bd80492c4d
Syntax and formatting fixups 2019-05-27 19:05:10 -04:00
Emma Rose 01de6d0911
Abstract the ElasticSearchClient interface away to facilitate dependency injection in the enrich function 2019-05-27 18:37:33 -04:00
Emma Rose 4277079868
Implement the _load_config function 2019-05-27 18:36:52 -04:00
Emma Rose 0ce491f474
First take at implementing an alert plugin to enrich port scan alerts with info about recent connections 2019-05-27 17:27:00 -04:00
Emma Rose e191cb2e4a
Resolving PEP 8 errors 2019-05-21 20:43:41 -04:00
Emma Rose 88a43b942a
Implement _load_config to just naively try to open and parse the config file specified; not going to supply a default because we probably want to know if the file doesn't exist 2019-05-21 20:42:40 -04:00
Emma Rose c4ac61f24d
Satisfy tests 2019-05-16 13:54:18 -04:00
Emma Rose 91d7fe21e3
Document and test for a more detailed format for listing sites 2019-05-16 13:45:18 -04:00
Emma Rose 3fb2c046ee
Make 'site' a parameter to format 2019-05-14 19:25:28 -04:00
Emma Rose b6f48f50a6
Add the name of the office/vpn/whatever to details.site 2019-05-13 17:26:50 -04:00
Emma Rose 27f80e4477
removed unused ipVersion from config; add 'site' field that will be made a distinct entry in alert details 2019-05-13 17:19:57 -04:00
Emma Rose e2e5978ea8
Follow standard for json config file naming 2019-05-13 17:18:05 -04:00
Emma Rose 5a6cc454cb
Fixed syntax 2019-05-13 12:35:53 -04:00
Emma Rose 1d95a8f25e
IPv6 regex returns a tuple, so we need to parse the first item out 2019-05-08 12:56:17 -04:00
Emma Rose 3148479ffd
Fixup 2019-05-06 18:45:12 -04:00
Emma Rose 58d6da7d31
Fixed up syntax, removed self argument from enrich function 2019-04-30 20:34:18 -04:00
Emma Rose 46c2979d8e
Implement some simple code to find IP addresses in strings using regular expressions 2019-04-29 21:45:44 -04:00
Emma Rose d3ba77a886
Refactoring code to match the preferred interface 2019-04-29 20:42:37 -04:00
Emma Rose 1b5a3066fe
Started to lay out a new alert plugin for enriching alerts with information about the physical source of IPs 2019-04-25 20:46:46 -04:00
Brandon Myers 71dd920f45
Create alert plugins directory 2019-03-22 17:13:20 -05:00
Brandon Myers 2337e95505
Revert "Create alert plugins folder"
This reverts commit 4cb0a81b0b.
2019-03-21 14:54:47 -05:00
Brandon Myers 4cb0a81b0b
Create alert plugins folder 2019-03-21 14:41:18 -05:00
Michal Purzynski 9ffed7b520 New alert plugin - enrich Zeek and Suricata alerts with intelligence from ET 2019-03-20 17:47:52 -07:00
Michal Purzynski 1dc8852e1b New alert plugin - extract the source IP address from the event, if present and promote to the alert 2019-03-20 17:44:34 -07:00
Michal Purzynski ec5be706a3 Rename alert plugins to alert actions again 2019-03-12 15:53:17 -07:00
Brandon Myers e16ec577bf
Remove .keys() call during key exists comparison 2019-02-15 12:11:15 -06:00
Brandon Myers 46be867d2f
Fixup unused variables check 2018-12-14 14:06:21 -06:00