Граф коммитов

52 Коммитов

Автор SHA1 Сообщение Дата
Jeff Bryner 1ae54e25f6 Merge pull request #348 from pwnbus/standardize_bro_intel
Standardize other bro_* categories
2016-06-28 12:24:34 -07:00
Jeff Bryner 3568cc49e6 Merge pull request #347 from pwnbus/standardize_bro_notice
Update bro_notice category to bronotice
2016-06-28 12:24:22 -07:00
Brandon Myers 08a08f5e03 Standardize category bro_intel to brointel
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2016-06-28 13:33:30 -05:00
Brandon Myers 0669b6594d Update bro_notice category to bronotice
Signed-off-by: Brandon Myers <bmyers@mozilla.com>
2016-06-28 13:26:33 -05:00
Aaron Meihm 2c18c50e94 take severity into account in geomodel alert plugin 2016-06-22 14:09:58 -05:00
Aaron Meihm 1f4799eeb8 unauth_ssh_pyes: allow additional characters in username 2016-04-11 16:08:52 -05:00
Jeff Bryner 32202d5eb6 update to a more universal match 2016-04-02 16:04:32 -07:00
Jeff Bryner d276290380 add ldap lockout alert, closes #320 2015-12-22 14:05:50 -08:00
Aaron Meihm b823fb99d6 fix issue in geomodel plugin, event type should be event 2015-11-24 12:02:08 -06:00
Aaron Meihm eb46f80462 Add a new alert plugin for events from geomodel 2015-11-24 09:43:33 -06:00
Guillaume Destuynder 816d7ffeb7 Initial support for squid alerts coming from EC2
Matches on DENIED string from squid ("1091084609.110 351 10.49.4.0 TCP_DENIED/407 2112 GET http://www.mozilla.org/ -
NONE/- text/html ") for ex.
2015-10-22 17:25:52 -07:00
Aaron Meihm c1dc15716a add an alert plugin for unauthorized ssh account usage 2015-08-25 17:17:10 -05:00
Jeff Bryner d2c1885338 fix up dashboard-style alerts to match new function names 2015-07-14 12:56:58 -07:00
Jeff Bryner f3f6edefa4 update alerts to match the new aggregation functions 2015-05-27 13:23:42 -07:00
Jeff Bryner dda10eca82 update aggregation mechanisms to allow specifying the dict path as key.subkey.subkey.etc, closes #275 2015-05-27 13:23:05 -07:00
Jeff Bryner ef3eeeb1c7 correct the search for duo fail open messages 2015-04-13 11:38:53 -07:00
Jeff Bryner 569dec6f2e minor: set example whitelists 2015-03-27 08:39:10 -07:00
Jeff Bryner 1a10323789 minor: include url as an example 2015-03-25 16:52:19 -07:00
Jeff Bryner 995c3d9487 update sample config.py to match new alert dict format 2015-03-25 09:00:03 -07:00
Jeff Bryner aa2bb2e1a9 add docs URL to alerts, closes #241 2015-03-24 15:37:29 -07:00
Jeff Bryner eefa26090a add pager duty sample alert plugin, closes #249 2015-03-22 21:01:34 -07:00
Jeff Bryner ad69a216f8 add alert plug in system, closes #162 2015-03-22 20:15:17 -07:00
Jeff Bryner 455e66e79d add deadman alerts, refactor celeryconfig to allow args/kwargs, closes #257 2015-03-20 12:51:31 -07:00
Jeff Bryner 9339276129 implement deadman alerts on events that should have matches, closes #250 2015-03-18 15:52:33 -07:00
Jeff Bryner 7dc1818d6a minor revision to ssh bruteforce alert 2015-03-12 16:11:10 -07:00
Jeff Bryner 448ec0ae08 minor cleanup of misc alerts 2015-03-03 12:06:01 -08:00
Jeff Bryner 26c1749de3 share credential config for celery setup with alerts lib 2015-02-26 16:47:20 -08:00
Michal Purzynski 0275e7a1fc Add tons of new alerts and improve some old ones. 2015-02-26 19:42:51 +01:00
Jeff Bryner 3bc9859fc4 add a mostCommon utility to summarize a list of dictionaries for use in alert text 2015-02-12 14:37:39 -08:00
Jeff Bryner ba3695bf24 smarter alert summary text for victim hostnames 2015-02-06 12:31:26 -08:00
Jeff Bryner cc62e0b5c5 change reference to _source to get details fields 2015-02-02 09:17:55 -08:00
Jeff Bryner aa53e904de lower the sample limit for noisy bruteforce alert 2015-01-30 09:25:58 -08:00
Jeff Bryner 40113b2006 add full list of events to aggregated alert, closes #229 2015-01-30 09:25:19 -08:00
Jeff Bryner 69ee2e0c3e fixup the selection criteria 2015-01-23 09:45:43 -08:00
Guillaume Destuynder 38078c65a2 New alert for https://github.com/mozilla-it/duo_openvpn
Alerts when fDuoSecurity contact fails, which is means either authentication was refused, either granted based on a
single authentication factor ("fail open").
2015-01-23 01:39:32 +01:00
Jeff Bryner 7b72733da2 minor comment/threshold change 2015-01-22 14:12:17 -08:00
Jeff Bryner e7dc4548d7 use the date range 2015-01-22 14:11:14 -08:00
Jeff Bryner e110cc1104 routing key should be the queue name rather than exchange name 2015-01-16 09:17:15 -08:00
Jeff Bryner 407f56728a match new fail2ban text 2014-08-15 14:14:04 -07:00
Jeff Bryner dc10161bda internz mix they tabs and spaces 2014-08-13 16:56:11 -07:00
Jeff Bryner b2806374ea explicitly set the timezone to get actual iso format and allow folks to run in whatever timezone 2014-08-13 15:47:21 -07:00
Jeff Bryner 111a4e2698 ship with sample config for alert tasks 2014-08-13 11:14:11 -07:00
Jeff Bryner 517301d1fa use json instead of pickle for default celery serialization 2014-08-13 11:12:20 -07:00
Jeff Bryner b7f13ce2ee correct the init of the alert exchange to match the bot 2014-08-03 08:33:21 -07:00
Anthony Verez 640186d2d3 averez-celery-less-queues: less queues due to celery 2014-08-01 16:54:26 -07:00
Anthony Verez 96316bf54b averez-147-celery-alerts: fix dashboard paths 2014-07-21 15:43:47 -07:00
Anthony Verez f96e4848b2 averez-147-celery-alerts: document examples and add examples using pyes 2014-07-17 23:53:24 -07:00
Anthony Verez ad4a1e56ab averez-147-celery-alerts: make some alerts public + adapt docker config 2014-07-17 23:17:00 -07:00
Anthony Verez 1540572483 averez-147-celery-alerts: more docs 2014-07-17 19:20:03 -07:00
Anthony Verez 0636fe0466 averez-147-celery-alerts: add some documentation 2014-07-17 15:04:56 -07:00