Commit Graph

324 Commits

Author SHA1 Message Date
Brandon Myers db4c09fae3
Add ircchannel to ssh access alert 2017-06-27 13:17:28 -07:00
Brandon Myers 48ec5095b7
Add logic to auto override notify if ircchannel set 2017-06-27 13:17:22 -07:00
Brandon Myers 95b4b28a08
Allow alerttask to exclude mozdefbot from severity 2017-06-27 13:16:43 -07:00
Brandon Myers 43aebfd492
Allow alerts to set ircchannel 2017-06-27 13:16:34 -07:00
Aaron Meihm 88dfd6af24
ssh_lateral: set level to WARNING 2017-06-15 15:17:38 -05:00
Brandon Myers 11ac4dd835
Update files that were diff between two repos 2017-06-15 15:14:57 -05:00
Brandon Myers 63b3cf2194
Remove old leftover files 2017-06-15 15:13:03 -05:00
Michal Purzynski 2b389b3e19
Bump severity level in http alerts to warning 2017-06-15 15:07:46 -05:00
Michal Purzynski 76a2248ffe
Send Cloudtrail logging disabled alert to MOC 2017-06-15 15:07:45 -05:00
Michal Purzynski 6bb91c1dd8
Add a pagerduty notification to the open port policy violation alert 2017-06-15 15:07:45 -05:00
Brandon Myers 29e3dec9ed
Add alerts to use config files 2017-06-15 15:07:42 -05:00
Aaron Meihm f66bf9f8dd
ssh_lateral: add sample config file 2017-06-15 15:07:42 -05:00
Aaron Meihm dd0cb003ff
add initial work around ssh_lateral alert
Intended to generate alerts where SSH authentication occurs on devices
where the origin falls into a specific CIDR range (e.g., other devices
on the internal network).

Exceptions can be built into the configuration file for the alert to
exempt certain networks or users as required.
2017-06-15 15:07:42 -05:00
Brandon Myers ca5bd81c30
Add deadman alert for sqs queues from tag 2017-06-15 15:07:29 -05:00
Phrozyn ceec55ad18
Changing verbiage of alert to be less specific. 2017-06-15 15:07:29 -05:00
Phrozyn f031d2b8d8
Adding log drain back to uwsgi ini files. 2017-06-15 15:07:29 -05:00
Brandon Myers 07f05e0dff
Add comment to email script 2017-06-15 15:07:27 -05:00
Brandon Myers 4d611116c0
Restrict time import statement 2017-06-15 15:07:27 -05:00
Brandon Myers 984ee5b701
Fix dumb timestamp issue in email send 2017-06-15 15:07:26 -05:00
Brandon Myers 453c3069ad
Add support for multiple recipients 2017-06-15 15:07:26 -05:00
Brandon Myers ec99f356fb
Remove unactionable cloudtrail alert 2017-06-15 15:07:26 -05:00
Brandon Myers b9d9b21bf3
Remove cloudtrail delete alert 2017-06-15 15:07:25 -05:00
Phrozyn 0c17c8643a
Moving to syslog from uwsgi controlled logging. 2017-06-15 15:07:24 -05:00
Phrozyn 99ec4338b9
moving supervisord logs to a subdir of /var/log/mozdef/supervisord/ 2017-06-15 15:07:23 -05:00
Phrozyn af2bf96b23
Moving uwsgi to syslog, moving supervisord logs to /var/log/mozdef with rotation at 50MB. 2017-06-15 15:07:22 -05:00
Michal Purzynski 60e54d78b1
Add a comma after every hostname in the generic alerts, so the MozDef UI can break them into multiple lines 2017-06-15 15:07:21 -05:00
Michal Purzynski caff1fb15e
Remove unit tests and config files of the removed alerts 2017-06-15 15:07:03 -05:00
Aaron Meihm 798b706efa
derive geomodel MozDef alert severity from geomodel severity value
Closes #198
2017-06-15 15:06:34 -05:00
Brandon Myers 333234ae9a
Remove example alert plugin
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:31 -05:00
Brandon Myers 805b382bfd
Fix broken alert unit tests 2017-06-15 15:06:31 -05:00
Michal Purzynski 45ed3b080f
More cleanups for the critical opened sessions alerting 2017-06-15 15:06:29 -05:00
Michal Purzynski 2511d3844e
Make the ssh_fail_critical an aggregated alert 2017-06-15 15:06:28 -05:00
Michal Purzynski b4ff8b47ad
A rewrite of an alert to make it generic while fetching the correct hostname from details dict 2017-06-15 15:06:28 -05:00
Michal Purzynski 7019a4eafd
A rewrite of an alert to an aggregation one 2017-06-15 15:06:28 -05:00
Michal Purzynski 1063bc35d4
Make the ssh fail critical alert more generic - catch more cases. 2017-06-15 15:06:24 -05:00
Brandon Myers 7df71f7400
Improve alert unit tests
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:24 -05:00
Brandon Myers b44365871a
Add logger statement in alert plugins
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:22 -05:00
Michal Purzynski 98acbee884
Make the time window in which the duo_authfail alert looks for events several times longer than the duo cron job period 2017-06-15 15:06:21 -05:00
Brandon Myers 14491ad7d0
Add pentest server to ssh whitelist
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:21 -05:00
Brandon Myers b8399efbc2
Change config name in generic alerts
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:21 -05:00
Brandon Myers fb0ae880a1
Improve generic alert keynames
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:20 -05:00
Brandon Myers 9a919cb114
Add additional logic in summary alert field
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:20 -05:00
Michal Purzynski b153a49111
Default to dict even if no dict is present in a config file 2017-06-15 15:06:20 -05:00
Michal Purzynski d9412421c4
Add more tags to match on to the duo fraud alert 2017-06-15 15:06:20 -05:00
Michal Purzynski 89e43ca1e9
Prevent the pagerduty plugin from failing with incorrect configuration file 2017-06-15 15:06:20 -05:00
Michal Purzynski cc9dd681c4
Bruteforce ssh fixes 2017-06-15 15:06:19 -05:00
Michal Purzynski f542334505
Bring the duo_authfail to the newest message format, several fixups. 2017-06-15 15:06:19 -05:00
Michal Purzynski 62d72c74c9
Whitelist changes 2017-06-15 15:06:19 -05:00
Brandon Myers 87ddd04a78
Add cloudtrail new alerts
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:17 -05:00
Brandon Myers a5fc302094
Remove fake event generation in deadman alert
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:15 -05:00
Brandon Myers a0bb668465
Fixup deadman alert
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:15 -05:00
Michal Purzynski c7cd94ce88
Change the level of all alerts to WARNING 2017-06-15 15:06:14 -05:00
Brandon Myers 42d1178a8f
Modify generic alert loader with validation
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:07 -05:00
Guillaume Destuynder (kang) c314c16fcb
Add support for loading alert defaults and fail when required alert
fields are missing
2017-06-15 15:06:07 -05:00
Guillaume Destuynder (kang) 32db0d63a1
Add url to the alert so that it shows up in the alert dashboard
as per a09e83c5cc/meteor/app/client/alertdetails.html (L36)
2017-06-15 15:06:07 -05:00
Michal Purzynski a18f2d6b2e
More cosmetics for the pagerduty alert plugin 2017-06-15 15:06:06 -05:00
Brandon Myers e2aa079c66
Allow aggregation key to be specified in generic loader
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:06 -05:00
Brandon Myers 01c8d0edb5
Modify generic alert loader to use hjson
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:06 -05:00
Michal Purzynski 718d1f2749
Create an example configuration file for the pagerduty plugin 2017-06-15 15:06:06 -05:00
Michal Purzynski c166472751
Change the duo_auth_fail category to a meaningful one 2017-06-15 15:06:05 -05:00
Michal Purzynski 3ea54c9f5f
Cleanups. 2017-06-15 15:06:05 -05:00
Michal Purzynski 0cd6b57449
Make the plugin more configurable and parametrized 2017-06-15 15:06:04 -05:00
Michal Purzynski 8258c5c59d
Bring the pagerduty alert back to what it used to be, once. 2017-06-15 15:06:04 -05:00
Michal Purzynski 2976b9c160
Do not import modules that we do not need 2017-06-15 15:06:04 -05:00
Michal Purzynski b7e42340ec
Alert when a promiscuous mode is enabled. Kernel logs detection. 2017-06-15 15:06:04 -05:00
Michal Purzynski 0fb8261f94
Alert when any interface (if not whitelisted) has a promisc mode enabled. Powered by Auditd. 2017-06-15 15:06:03 -05:00
Michal Purzynski a0c57ec27d
C&P does bad things to people 2017-06-15 15:06:03 -05:00
Michal Purzynski 42f226890f
New alert - failed SSH to critical host 2017-06-15 15:06:03 -05:00
Michal Purzynski 21b1defad9
Use example hostnames, provide a configuration file 2017-06-15 15:06:03 -05:00
Michal Purzynski e945e7d05b
New alert - session opened on one of the critical hosts 2017-06-15 15:06:03 -05:00
Brandon Myers 26231a14fa
Modify generic alerts path
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:02 -05:00
Brandon Myers 80b27c7bf4
Modify generic alert to use new config location
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:06:02 -05:00
Guillaume Destuynder (kang) c94d7ff846
Move try catch to allow processing other alerts when processing for one
fails
2017-06-15 15:06:01 -05:00
Guillaume Destuynder (kang) 0cf75e3a0c
Fix stray tabs 2017-06-15 15:06:01 -05:00
Guillaume Destuynder (kang) b0e10616fc
Generic alert loader 2017-06-15 15:06:01 -05:00
Brandon Myers f87c94a088
Unencrypt config files
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:05:55 -05:00
Brandon Myers 4e75aee0a3
Update email in ssh releng alert notification
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:05:44 -05:00
Phrozyn d845997abb
Updated PhraseMatch in unauth_ssh.py so that this alert would correctly trigger. Tested. Works. 2017-06-15 15:05:43 -05:00
Brandon Myers 7ca03dbbe9
Generalize configs for alert directory
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:05:40 -05:00
Brandon Myers c2b3d43ab3
Fix fxaAlert function call
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:05:35 -05:00
Phrozyn a3d62281ae
Changing naming convention of supervisord.alerts.conf to an ini. This file contains no secrets and an ini is more in line with how this file operates. 2017-06-15 15:05:35 -05:00
Brandon Myers 3933cc67bb
Add open port alert to config
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:05:35 -05:00
Jonathan Claudius f935917a01
Fix copyright 2017-06-15 15:05:34 -05:00
Jonathan Claudius 993424c053
Add open port violation alert 2017-06-15 15:05:34 -05:00
Michal Purzynski 63349a4ae8
Match only records where details.indicators exists 2017-06-15 15:05:34 -05:00
Michal Purzynski 619ff1e337
Use the details.indicators field to look for the scan source. 2017-06-15 15:05:33 -05:00
Michal Purzynski a29d2a8250
Use the details.indicators field to look for a host initiating a scan. 2017-06-15 15:05:33 -05:00
Brandon Myers 4fbfd1f71e
Update smtp host for ssh releng emails
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:05:31 -05:00
Brandon Myers d05b7616c6
Revert confluence shell fieldname
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:05:07 -05:00
Brandon Myers 4adebb797d
Fixup ldaplockout changepairs fieldname
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:05:07 -05:00
Brandon Myers 2fdd2be8a4
Fix incorrect ES field names
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:05:06 -05:00
Brandon Myers 399bc98f44
Fix hostname in details field
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:05:06 -05:00
Brandon Myers 547c25896c
Fix program field
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:05:06 -05:00
Brandon Myers 98b645d085
Fixup final references to bad mq password
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:05:02 -05:00
Brandon Myers 5359a2b78a
Add alerts config to git-crypt
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:05:02 -05:00
Phrozyn 60c95be71e
Updating alertWorker.conf with mquser and pass. 2017-06-15 15:05:01 -05:00
Phrozyn 2a1c1264e6
backing out some of the changes to the mozdefalerts service. 2017-06-15 15:04:54 -05:00
Phrozyn d09955dc56
adding alertPlugins restructured ini and mozdefalerts systemd.service. 2017-06-15 15:04:54 -05:00
Phrozyn b86413db27
Updated pid path for all uwsgi instances to run from /var/run/ 2017-06-15 15:04:53 -05:00
Brandon Myers 36d284ff6d
Fix hash in config
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:04:52 -05:00
Phrozyn 3e02f27d14
modified esservers to new cluster. 2017-06-15 15:04:45 -05:00
Brandon Myers b59cd49fc3
Fix differences in alerts dir
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:44 -05:00
Brandon Myers ef6e483c7e
First import of existing files from prod
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:44 -05:00
Brandon Myers 0722ae4740
Add missing files from prod
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:43 -05:00
Brandon Myers 4ff618cca3
Update ssh_releng config hostfilter
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:43 -05:00
Brandon Myers 0b0c58ff6a
Update missing paths to /opt/mozdef
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:43 -05:00
Brandon Myers 50a7cb772a
Modify .ini scripts to use /opt dir
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:40 -05:00
Brandon Myers 81a07bc2d5
Rename mozdefqa1 to localhost in configs
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:40 -05:00
Brandon Myers 16db61383a
Fixup email message for ssh_access_signreleng
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:39 -05:00
Phrozyn ec2396a27c
pushing un-encrypted alertPluginsmules.ini 2017-06-15 15:03:35 -05:00
Brandon Myers fdf38bf2b3
Fix up remaining pyes comments
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:34 -05:00
Brandon Myers d804fe5f1f
Remove leftover pyes
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:34 -05:00
Brandon Myers 1e5d6f18fd
Fix alerts config ssh bruteforce
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:34 -05:00
Brandon Myers 3ee067d29e
Change alerts config without pyes
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:34 -05:00
Brandon Myers 26326f243d
Remove pyes from alert filenames
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:34 -05:00
Brandon Myers ea17b5883c
Fix toUTC isoformat problem
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:33 -05:00
Brandon Myers 731da67eba
Fix timestamp related issues in tests
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:22 -05:00
Brandon Myers 113b4c8125
Remove filtersFromKibana feature
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:06 -05:00
Brandon Myers 176886e1a2
Remove unused alerts
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:06 -05:00
Brandon Myers d1265dd651
Add two cloudtrail alerts to run
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:02:48 -05:00
Brandon Myers e4f1046961
Fix cloudtrail_pyes
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:02:48 -05:00
Brandon Myers 18091b58af
Update formatting weirdness in alerts
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:02:48 -05:00
Brandon Myers 63ddffc11e
Fix alerttask import
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:02:47 -05:00
Brandon Myers 6caaad320d
Remove duplicate definitions of toUTC
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:02:46 -05:00
Brandon Myers 3a3221987f
Add cloudtrail couple alerts
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:02:12 -05:00
Brandon Myers 2d55f2f1f5
Convert releng alert to non pyes
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:02:12 -05:00
Brandon Myers 02ad68ed25
Fix bruteforce_ssh_pyes alert
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:02:11 -05:00
Brandon Myers 8e52a89c4c
Finish updating alert unit tests to new format
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:02:11 -05:00
Brandon Myers 76174add7d
Update mq directory with search class
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:02:01 -05:00
Brandon Myers 4590d88efa
Update alert task with search query execute
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:24 -05:00
Brandon Myers 7ccf36f75c
Update alert specs for new event format
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:24 -05:00
Brandon Myers 5631e494de
Add unit tests for some rest routes
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:23 -05:00
Brandon Myers db711fe24f
Add space at top of class bruteforce_ssh_pyes
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:23 -05:00
Brandon Myers a1f67935ec
Update alerts for new model names
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:23 -05:00
Brandon Myers edba77e664
Remove pyes from vpn_duo_auth alert
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:22 -05:00
Brandon Myers 73882f9606
Rename alerttask filter name
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:22 -05:00
Brandon Myers 861340c311
Update kibana dashboard alert task
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:22 -05:00
Brandon Myers 94ff87d681
Update WildcardQuery to WildcardMatch
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:22 -05:00
Brandon Myers a5c92149bf
Update ExistsFilter to ExistsMatch
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:21 -05:00
Brandon Myers 6917f0b244
Update TermsFilter to TermsMatch
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:21 -05:00
Brandon Myers b05a6b03e9
Update TermFilter to TermMatch
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:21 -05:00
Brandon Myers 5dd094f0f3
Fix correlated_alerts_pyes
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:21 -05:00
Brandon Myers 0c17e0428b
Update correlated_alerts
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:20 -05:00
Brandon Myers a4e08fe60c
Update lib.query_classes to query_models
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:20 -05:00
Brandon Myers 93d717dd95
Improve elasticsearch client and query models
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:17 -05:00
Brandon Myers 8adba67da9
Update alerts to use search query class
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:07 -05:00
Brandon Myers 2aad6424e4
Change initial group of alerts to search class
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:06 -05:00
Phrozyn d455a816fd
Removed unused libs from script. 2017-06-15 15:01:06 -05:00
Phrozyn c395f67045
Moved time of login to beginning of email rather than end on ssh_access_releng.py 2017-06-15 15:01:06 -05:00
Phrozyn 0dc53c68fe
Adding new ssh_access_signreleng plugin 2017-06-15 15:01:05 -05:00