Jeff Bryner
1ae54e25f6
Merge pull request #348 from pwnbus/standardize_bro_intel
Standardize other bro_* categories
2016-06-28 12:24:34 -07:00
Jeff Bryner
3568cc49e6
Merge pull request #347 from pwnbus/standardize_bro_notice
Update bro_notice category to bronotice
2016-06-28 12:24:22 -07:00
Brandon Myers
08a08f5e03
Standardize category bro_intel to brointel
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2016-06-28 13:33:30 -05:00
Brandon Myers
0669b6594d
Update bro_notice category to bronotice
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2016-06-28 13:26:33 -05:00
Aaron Meihm
2c18c50e94
take severity into account in geomodel alert plugin
2016-06-22 14:09:58 -05:00
Aaron Meihm
1f4799eeb8
unauth_ssh_pyes: allow additional characters in username
2016-04-11 16:08:52 -05:00
Jeff Bryner
32202d5eb6
update to a more universal match
2016-04-02 16:04:32 -07:00
Jeff Bryner
d276290380
add ldap lockout alert, closes #320
2015-12-22 14:05:50 -08:00
Aaron Meihm
b823fb99d6
fix issue in geomodel plugin, event type should be event
2015-11-24 12:02:08 -06:00
Aaron Meihm
eb46f80462
Add a new alert plugin for events from geomodel
2015-11-24 09:43:33 -06:00
Guillaume Destuynder
816d7ffeb7
Initial support for squid alerts coming from EC2
Matches on DENIED string from squid ("1091084609.110 351 10.49.4.0 TCP_DENIED/407 2112 GET http://www.mozilla.org/ - NONE/- text/html ") for ex.
2015-10-22 17:25:52 -07:00
Aaron Meihm
c1dc15716a
add an alert plugin for unauthorized ssh account usage
2015-08-25 17:17:10 -05:00
Jeff Bryner
d2c1885338
fix up dashboard-style alerts to match new function names
2015-07-14 12:56:58 -07:00
Jeff Bryner
f3f6edefa4
update alerts to match the new aggregation functions
2015-05-27 13:23:42 -07:00
Jeff Bryner
dda10eca82
update aggregation mechanisms to allow specifying the dict path as key.subkey.subkey.etc, closes #275
2015-05-27 13:23:05 -07:00
Jeff Bryner
ef3eeeb1c7
correct the search for duo fail open messages
2015-04-13 11:38:53 -07:00
Jeff Bryner
569dec6f2e
minor: set example whitelists
2015-03-27 08:39:10 -07:00
Jeff Bryner
1a10323789
minor: include url as an example
2015-03-25 16:52:19 -07:00
Jeff Bryner
995c3d9487
update sample config.py to match new alert dict format
2015-03-25 09:00:03 -07:00
Jeff Bryner
aa2bb2e1a9
add docs URL to alerts, closes #241
2015-03-24 15:37:29 -07:00
Jeff Bryner
eefa26090a
add pager duty sample alert plugin, closes #249
2015-03-22 21:01:34 -07:00
Jeff Bryner
ad69a216f8
add alert plug in system, closes #162
2015-03-22 20:15:17 -07:00
Jeff Bryner
455e66e79d
add deadman alerts, refactor celeryconfig to allow args/kwargs, closes #257
2015-03-20 12:51:31 -07:00
Jeff Bryner
9339276129
implement deadman alerts on events that should have matches, closes #250
2015-03-18 15:52:33 -07:00
Jeff Bryner
7dc1818d6a
minor revision to ssh bruteforce alert
2015-03-12 16:11:10 -07:00
Jeff Bryner
448ec0ae08
minor cleanup of misc alerts
2015-03-03 12:06:01 -08:00
Jeff Bryner
26c1749de3
share credential config for celery setup with alerts lib
2015-02-26 16:47:20 -08:00
Michal Purzynski
0275e7a1fc
Add tons of new alerts and improve some old ones.
2015-02-26 19:42:51 +01:00
Jeff Bryner
3bc9859fc4
add a mostCommon utility to summarize a list of dictionaries for use in alert text
2015-02-12 14:37:39 -08:00
Jeff Bryner
ba3695bf24
smarter alert summary text for victim hostnames
2015-02-06 12:31:26 -08:00
Jeff Bryner
cc62e0b5c5
change reference to _source to get details fields
2015-02-02 09:17:55 -08:00
Jeff Bryner
aa53e904de
lower the sample limit for noisy bruteforce alert
2015-01-30 09:25:58 -08:00
Jeff Bryner
40113b2006
add full list of events to aggregated alert, closes #229
2015-01-30 09:25:19 -08:00
Jeff Bryner
69ee2e0c3e
fixup the selection criteria
2015-01-23 09:45:43 -08:00
Guillaume Destuynder
38078c65a2
New alert for https://github.com/mozilla-it/duo_openvpn
Alerts when DuoSecurity contact fails, which means either authentication was refused, or it was granted based on a single authentication factor ("fail open").
2015-01-23 01:39:32 +01:00
Jeff Bryner
7b72733da2
minor comment/threshold change
2015-01-22 14:12:17 -08:00
Jeff Bryner
e7dc4548d7
use the date range
2015-01-22 14:11:14 -08:00
Jeff Bryner
e110cc1104
routing key should be the queue name rather than exchange name
2015-01-16 09:17:15 -08:00
Jeff Bryner
407f56728a
match new fail2ban text
2014-08-15 14:14:04 -07:00
Jeff Bryner
dc10161bda
internz mix their tabs and spaces
2014-08-13 16:56:11 -07:00
Jeff Bryner
b2806374ea
explicitly set the timezone to get actual iso format and allow folks to run in whatever timezone
2014-08-13 15:47:21 -07:00
Jeff Bryner
111a4e2698
ship with sample config for alert tasks
2014-08-13 11:14:11 -07:00
Jeff Bryner
517301d1fa
use json instead of pickle for default celery serialization
2014-08-13 11:12:20 -07:00
Jeff Bryner
b7f13ce2ee
correct the init of the alert exchange to match the bot
2014-08-03 08:33:21 -07:00
Anthony Verez
640186d2d3
averez-celery-less-queues: less queues due to celery
2014-08-01 16:54:26 -07:00
Anthony Verez
96316bf54b
averez-147-celery-alerts: fix dashboard paths
2014-07-21 15:43:47 -07:00
Anthony Verez
f96e4848b2
averez-147-celery-alerts: document examples and add examples using pyes
2014-07-17 23:53:24 -07:00
Anthony Verez
ad4a1e56ab
averez-147-celery-alerts: make some alerts public + adapt docker config
2014-07-17 23:17:00 -07:00
Anthony Verez
1540572483
averez-147-celery-alerts: more docs
2014-07-17 19:20:03 -07:00
Anthony Verez
0636fe0466
averez-147-celery-alerts: add some documentation
2014-07-17 15:04:56 -07:00