Commit graph

324 Commits

Author SHA1 Message Date
Phrozyn 3e02f27d14
modified esservers to new cluster. 2017-06-15 15:04:45 -05:00
Brandon Myers b59cd49fc3
Fix differences in alerts dir
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:44 -05:00
Brandon Myers ef6e483c7e
First import of existing files from prod
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:44 -05:00
Brandon Myers 0722ae4740
Add missing files from prod
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:43 -05:00
Brandon Myers 4ff618cca3
Update ssh_releng config hostfilter
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:43 -05:00
Brandon Myers 0b0c58ff6a
Update missing paths to /opt/mozdef
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:43 -05:00
Brandon Myers 50a7cb772a
Modify .ini scripts to use /opt dir
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:40 -05:00
Brandon Myers 81a07bc2d5
Rename mozdefqa1 to localhost in configs
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:40 -05:00
Brandon Myers 16db61383a
Fixup email message for ssh_access_signreleng
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:39 -05:00
Phrozyn ec2396a27c
pushing un-encrypted alertPluginsmules.ini 2017-06-15 15:03:35 -05:00
Brandon Myers fdf38bf2b3
Fix up remaining pyes comments
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:34 -05:00
Brandon Myers d804fe5f1f
Remove leftover pyes
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:34 -05:00
Brandon Myers 1e5d6f18fd
Fix alerts config ssh bruteforce
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:34 -05:00
Brandon Myers 3ee067d29e
Change alerts config without pyes
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:34 -05:00
Brandon Myers 26326f243d
Remove pyes from alert filenames
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:34 -05:00
Brandon Myers ea17b5883c
Fix toUTC isoformat problem
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:33 -05:00
Brandon Myers 731da67eba
Fix timestamp related issues in tests
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:22 -05:00
Brandon Myers 113b4c8125
Remove filtersFromKibana feature
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:06 -05:00
Brandon Myers 176886e1a2
Remove unused alerts
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:03:06 -05:00
Brandon Myers d1265dd651
Add two cloudtrail alerts to run
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:02:48 -05:00
Brandon Myers e4f1046961
Fix cloudtrail_pyes
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:02:48 -05:00
Brandon Myers 18091b58af
Update formatting weirdness in alerts
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:02:48 -05:00
Brandon Myers 63ddffc11e
Fix alerttask import
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:02:47 -05:00
Brandon Myers 6caaad320d
Remove duplicate definitions of toUTC
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:02:46 -05:00
Brandon Myers 3a3221987f
Add cloudtrail couple alerts
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:02:12 -05:00
Brandon Myers 2d55f2f1f5
Convert releng alert to non pyes
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:02:12 -05:00
Brandon Myers 02ad68ed25
Fix bruteforce_ssh_pyes alert
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:02:11 -05:00
Brandon Myers 8e52a89c4c
Finish updating alert unit tests to new format
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:02:11 -05:00
Brandon Myers 76174add7d
Update mq directory with search class
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:02:01 -05:00
Brandon Myers 4590d88efa
Update alert task with search query execute
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:24 -05:00
Brandon Myers 7ccf36f75c
Update alert specs for new event format
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:24 -05:00
Brandon Myers 5631e494de
Add unit tests for some rest routes
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:23 -05:00
Brandon Myers db711fe24f
Add space at top of class bruteforce_ssh_pyes
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:23 -05:00
Brandon Myers a1f67935ec
Update alerts for new model names
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:23 -05:00
Brandon Myers edba77e664
Remove pyes from vpn_duo_auth alert
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:22 -05:00
Brandon Myers 73882f9606
Rename alerttask filter name
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:22 -05:00
Brandon Myers 861340c311
Update kibana dashboard alert task
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:22 -05:00
Brandon Myers 94ff87d681
Update WildcardQuery to WildcardMatch
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:22 -05:00
Brandon Myers a5c92149bf
Update ExistsFilter to ExistsMatch
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:21 -05:00
Brandon Myers 6917f0b244
Update TermsFilter to TermsMatch
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:21 -05:00
Brandon Myers b05a6b03e9
Update TermFilter to TermMatch
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:21 -05:00
Brandon Myers 5dd094f0f3
Fix correlated_alerts_pyes
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:21 -05:00
Brandon Myers 0c17e0428b
Update correlated_alerts
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:20 -05:00
Brandon Myers a4e08fe60c
Update lib.query_classes to query_models
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:20 -05:00
Brandon Myers 93d717dd95
Improve elasticsearch client and query models
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:17 -05:00
Brandon Myers 8adba67da9
Update alerts to use search query class
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:07 -05:00
Brandon Myers 2aad6424e4
Change initial group of alerts to search class
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:01:06 -05:00
Phrozyn d455a816fd
Removed unused libs from script. 2017-06-15 15:01:06 -05:00
Phrozyn c395f67045
Moved time of login to beginning of email rather than end on ssh_access_releng.py 2017-06-15 15:01:06 -05:00
Phrozyn 0dc53c68fe
Adding new ssh_access_signreleng plugin 2017-06-15 15:01:05 -05:00
A Smith a8d9c19f17
changed timeframe of ssh_access_signreleng_pyes alert from 20 to 10 2017-06-15 15:00:49 -05:00
Brandon Myers 1804008cc0
Update alerts to use US/Pacific
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 15:00:48 -05:00
A Smith 1c50ef1e3b
Reverting to original alerttask.py
Reverting to original until Michal's changes are solid.
2017-06-15 15:00:46 -05:00
Phrozyn e88bf198b3
Adjusted timing of notifyRelengSSHAccesstimedelta and ssh_access_signreleng_pyes timedelta. 2017-06-15 15:00:44 -05:00
Phrozyn fd7b8ef864
modified timedelta for celery for signing releng infra logins. 2017-06-15 15:00:43 -05:00
Phrozyn c9c2dfaa08
Corrected ssh_access_signreleng_pyes.py 2017-06-15 15:00:43 -05:00
Phrozyn a3d4109936
modified timedelta for celery of ssh_access_signreleng_pyes alert. 2017-06-15 15:00:43 -05:00
Phrozyn 6430b8f2d0
Added logic to filter out infrasec logins. 2017-06-15 15:00:43 -05:00
A Smith 3a49c0eb3f
Modified summary language
Modified summary language
2017-06-15 15:00:42 -05:00
Phrozyn 44915e6066
Correction of releng signing infra alert (Regex and inclusion of conf in alert) 2017-06-15 15:00:42 -05:00
Phrozyn ac27701052
added new alert for SSH logins to Releng Signing infra. 2017-06-15 15:00:41 -05:00
Phrozyn d525c7f74f
Updated alertPluginsmules.ini to use threading. 2017-06-15 15:00:36 -05:00
Michal Purzynski 8b63d90c69
Refactor dict2List and clean debug messages. 2017-06-15 14:59:40 -05:00
Michal Purzynski f026493df4
Sync with upstream 2017-06-15 14:59:39 -05:00
Michal Purzynski ff3e6afa00
Synchronize with upstream before sending pull request 2017-06-15 14:59:39 -05:00
Michal Purzynski b85f78cbec
Move the alert plugins logic into the library and kill the separate
process. Allows alert plugins to be read-write.
2017-06-15 14:59:39 -05:00
Brandon Myers 820854e3cb
Add tests directory to QA repo
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2017-06-15 14:59:39 -05:00
Brandon Myers 1d8c59b93f
Setup codebase for merge of two repos 2017-06-15 14:56:47 -05:00
Phrozyn db91d3ab06 Adding updated uwsgi ini config file for mozdefalertplugins init script. 2016-08-10 14:45:07 -05:00
Phrozyn 56cd65f4e1 adding ini for alert plugins mule. 2016-07-25 18:39:34 -05:00
A Smith 0b3c6a6c46 Merge pull request #360 from Phrozyn/master
Corrected mozdefalerts init script and added supervisord.alerts.conf
2016-07-01 15:31:53 -05:00
Phrozyn 73a13cb037 corrected mozdefalerts init script to avoid race conditions with other supervisord processes, also adding supervisord.alerts.conf to repo. 2016-07-01 14:44:52 -05:00
Jeff Bryner 1ae54e25f6 Merge pull request #348 from pwnbus/standardize_bro_intel
Standardize other bro_* categories
2016-06-28 12:24:34 -07:00
Jeff Bryner 3568cc49e6 Merge pull request #347 from pwnbus/standardize_bro_notice
Update bro_notice category to bronotice
2016-06-28 12:24:22 -07:00
Brandon Myers 08a08f5e03 Standardize category bro_intel to brointel
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2016-06-28 13:33:30 -05:00
Brandon Myers 0669b6594d Update bro_notice category to bronotice
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2016-06-28 13:26:33 -05:00
Aaron Meihm 2c18c50e94 take severity into account in geomodel alert plugin 2016-06-22 14:09:58 -05:00
Aaron Meihm 1f4799eeb8 unauth_ssh_pyes: allow additional characters in username 2016-04-11 16:08:52 -05:00
Jeff Bryner 32202d5eb6 update to a more universal match 2016-04-02 16:04:32 -07:00
Jeff Bryner d276290380 add ldap lockout alert, closes #320 2015-12-22 14:05:50 -08:00
Aaron Meihm b823fb99d6 fix issue in geomodel plugin, event type should be event 2015-11-24 12:02:08 -06:00
Aaron Meihm eb46f80462 Add a new alert plugin for events from geomodel 2015-11-24 09:43:33 -06:00
Guillaume Destuynder 816d7ffeb7 Initial support for squid alerts coming from EC2
Matches on DENIED string from squid ("1091084609.110 351 10.49.4.0 TCP_DENIED/407 2112 GET http://www.mozilla.org/ -
NONE/- text/html ") for ex.
2015-10-22 17:25:52 -07:00
Aaron Meihm c1dc15716a add an alert plugin for unauthorized ssh account usage 2015-08-25 17:17:10 -05:00
Jeff Bryner d2c1885338 fix up dashboard-style alerts to match new function names 2015-07-14 12:56:58 -07:00
Jeff Bryner f3f6edefa4 update alerts to match the new aggregation functions 2015-05-27 13:23:42 -07:00
Jeff Bryner dda10eca82 update aggregation mechanisms to allow specifying the dict path as key.subkey.subkey.etc, closes #275 2015-05-27 13:23:05 -07:00
Jeff Bryner ef3eeeb1c7 correct the search for duo fail open messages 2015-04-13 11:38:53 -07:00
Jeff Bryner 569dec6f2e minor: set example whitelists 2015-03-27 08:39:10 -07:00
Jeff Bryner 1a10323789 minor: include url as an example 2015-03-25 16:52:19 -07:00
Jeff Bryner 995c3d9487 update sample config.py to match new alert dict format 2015-03-25 09:00:03 -07:00
Jeff Bryner aa2bb2e1a9 add docs URL to alerts, closes #241 2015-03-24 15:37:29 -07:00
Jeff Bryner eefa26090a add pager duty sample alert plugin, closes #249 2015-03-22 21:01:34 -07:00
Jeff Bryner ad69a216f8 add alert plug in system, closes #162 2015-03-22 20:15:17 -07:00
Jeff Bryner 455e66e79d add deadman alerts, refactor celeryconfig to allow args/kwargs, closes #257 2015-03-20 12:51:31 -07:00
Jeff Bryner 9339276129 implement deadman alerts on events that should have matches, closes #250 2015-03-18 15:52:33 -07:00
Jeff Bryner 7dc1818d6a minor revision to ssh bruteforce alert 2015-03-12 16:11:10 -07:00
Jeff Bryner 448ec0ae08 minor cleanup of misc alerts 2015-03-03 12:06:01 -08:00
Jeff Bryner 26c1749de3 share credential config for celery setup with alerts lib 2015-02-26 16:47:20 -08:00
Michal Purzynski 0275e7a1fc Add tons of new alerts and improve some old ones. 2015-02-26 19:42:51 +01:00
Jeff Bryner 3bc9859fc4 add a mostCommon utility to summarize a list of dictionaries for use in alert text 2015-02-12 14:37:39 -08:00
Jeff Bryner ba3695bf24 smarter alert summary text for victim hostnames 2015-02-06 12:31:26 -08:00
Jeff Bryner cc62e0b5c5 change reference to _source to get details fields 2015-02-02 09:17:55 -08:00
Jeff Bryner aa53e904de lower the sample limit for noisy bruteforce alert 2015-01-30 09:25:58 -08:00
Jeff Bryner 40113b2006 add full list of events to aggregated alert, closes #229 2015-01-30 09:25:19 -08:00
Jeff Bryner 69ee2e0c3e fixup the selection criteria 2015-01-23 09:45:43 -08:00
Guillaume Destuynder 38078c65a2 New alert for https://github.com/mozilla-it/duo_openvpn
Alerts when fDuoSecurity contact fails, which means either authentication was refused, or it was granted based on a
single authentication factor ("fail open").
2015-01-23 01:39:32 +01:00
Jeff Bryner 7b72733da2 minor comment/threshold change 2015-01-22 14:12:17 -08:00
Jeff Bryner e7dc4548d7 use the date range 2015-01-22 14:11:14 -08:00
Jeff Bryner e110cc1104 routing key should be the queue name rather than exchange name 2015-01-16 09:17:15 -08:00
Jeff Bryner 407f56728a match new fail2ban text 2014-08-15 14:14:04 -07:00
Jeff Bryner dc10161bda internz mix they tabs and spaces 2014-08-13 16:56:11 -07:00
Jeff Bryner b2806374ea explicitly set the timezone to get actual iso format and allow folks to run in whatever timezone 2014-08-13 15:47:21 -07:00
Jeff Bryner 111a4e2698 ship with sample config for alert tasks 2014-08-13 11:14:11 -07:00
Jeff Bryner 517301d1fa use json instead of pickle for default celery serialization 2014-08-13 11:12:20 -07:00
Jeff Bryner b7f13ce2ee correct the init of the alert exchange to match the bot 2014-08-03 08:33:21 -07:00
Anthony Verez 640186d2d3 averez-celery-less-queues: less queues due to celery 2014-08-01 16:54:26 -07:00
Anthony Verez 96316bf54b averez-147-celery-alerts: fix dashboard paths 2014-07-21 15:43:47 -07:00
Anthony Verez f96e4848b2 averez-147-celery-alerts: document examples and add examples using pyes 2014-07-17 23:53:24 -07:00
Anthony Verez ad4a1e56ab averez-147-celery-alerts: make some alerts public + adapt docker config 2014-07-17 23:17:00 -07:00
Anthony Verez 1540572483 averez-147-celery-alerts: more docs 2014-07-17 19:20:03 -07:00
Anthony Verez 0636fe0466 averez-147-celery-alerts: add some documentation 2014-07-17 15:04:56 -07:00
Anthony Verez 024520b2de averez-147-celery-alerts: more comments in the code 2014-07-15 16:31:21 -07:00
Anthony Verez 9578b319ff averez-147-celery-alerts: add the lib 2014-07-15 16:13:30 -07:00