DEPRECATED - MozDef client library (send events, etc.)
Guillaume Destuynder 31ca70bc8c LICENSE 2014-03-31 19:54:58 -07:00

README.rst

mozdef_lib
==========

Python lib for `MozDef clients <https://github.com/jeffbryner/MozDef/>`_.

Install
--------
As a python module
~~~~~~~~~~~~~~~~~~

Manually:

.. code::

    make install

As an rpm/deb package
~~~~~~~~~~~~~~~~~~~~~

.. code::

    make rpm
    make deb
    rpm -i <package.rpm>
    dpkg -i <package.deb>

Integrate into your own code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Add the library to your project as a git submodule:

.. code::

   git submodule add https://github.com/gdestuynder/mozdef_lib mozdef
   git commit -a

Python dependencies
~~~~~~~~~~~~~~~~~~~

* requests_futures for Python 2 (optional but highly recommended; without it messages are sent synchronously and a slow or unreachable MozDef blocks the caller)
* pytz

Usage
-----

.. code::

   # The simple way
   import mozdef
   msg = mozdef.MozDefMsg('https://127.0.0.1:8443/events', tags=['openvpn', 'duosecurity'])
   msg.send('User logged in', details={'username': user})  # `user` is whatever your application has in hand

   # Some more possibilities
   another_msg = mozdef.MozDefMsg('https://127.0.0.1:8443/events', tags=['bro'])
   another_msg.send('knock knock')
   # every field of the message structure below is an entry of .log and can be set directly
   another_msg.log['some-internal-attribute'] = 'smth'
   another_msg.send("who's there?")
   # etc.

.. note::

   If you can, fill in ``details={}``, ``category=''`` and ``severity=''`` even though they are optional: events without them are much harder to search, correlate and alert on in MozDef.

MozDef message structure
------------------------
These fields are also the 'internal attributes' exposed through ``msg.log`` which you can modify before sending.

.. code::

    {
        "category": "authentication",
        "details": {
            "uid": 0,
            "username": "kang"
        },
        "hostname": "blah.private.scl3.mozilla.com",
        "processid": 14619,
        "processname": "./mozdef.py",
        "severity": "CRITICAL",
        "summary": "new test msg",
        "tags": [
            "bro",
            "auth"
        ],
        "timestamp": "2014-03-18T23:20:31.013344+00:00"
    }
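The usage snippet and the message structure above together define what a client has to produce: a JSON object with these nine fields, tags as a list, details as a nested object and an ISO 8601 timestamp carrying an explicit UTC offset. The following is an added example, not mozdef_lib's own code: it builds such an event from plain Python values, validates one before it is sent (so a malformed event is caught on the client rather than dropped or mis-indexed on the MozDef side) and rebuilds the sample message shown above from constructed inputs. The function names, the syslog-style severity vocabulary and the ``sample_event`` values are this example's own assumptions; only the field names come from the page.

```python
import json
import os
import socket
import sys
from datetime import datetime, timezone

# Field names follow the MozDef message structure shown above. Everything else
# here (function names, severity list, sample values) is this example's own
# and is not part of mozdef_lib's API.
REQUIRED_KEYS = ("category", "details", "hostname", "processid", "processname",
                 "severity", "summary", "tags", "timestamp")

# Assumed syslog-style severity vocabulary; the page itself only shows "CRITICAL".
SEVERITIES = ("DEBUG", "INFO", "NOTICE", "WARNING", "ERROR", "CRITICAL", "ALERT", "EMERGENCY")


def build_event(summary, details=None, category="", severity="INFO", tags=(),
                hostname=None, now=None):
    """Return a dict shaped like a MozDef message.

    `hostname` and `now` can be injected so callers (and tests) get deterministic
    output; by default the local FQDN and the current UTC time are used.
    """
    ts = now if now is not None else datetime.now(timezone.utc)
    if ts.tzinfo is None:
        # A naive timestamp has no offset, so consumers cannot place the event in time.
        raise ValueError("timestamp must be timezone-aware")
    return {
        "category": category,
        "details": dict(details or {}),
        "hostname": hostname or socket.getfqdn(),
        "processid": os.getpid(),
        "processname": os.path.basename(sys.argv[0]) or "python",
        "severity": severity,
        "summary": summary,
        "tags": list(tags),
        # ISO 8601 with explicit offset, e.g. 2014-03-18T23:20:31.013344+00:00
        "timestamp": ts.astimezone(timezone.utc).isoformat(),
    }


def validate_event(event):
    """Return a list of problems; an empty list means the event is well-formed."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in event:
            problems.append("missing field: %s" % key)
    if problems:
        return problems
    if not isinstance(event["details"], dict):
        problems.append("details must be an object")
    if not isinstance(event["tags"], list) or not all(isinstance(t, str) for t in event["tags"]):
        problems.append("tags must be a list of strings")
    if event["severity"] not in SEVERITIES:
        problems.append("severity not one of %s" % ", ".join(SEVERITIES))
    if not isinstance(event["summary"], str) or not event["summary"].strip():
        problems.append("summary must be a non-empty string")
    if not isinstance(event["processid"], int):
        problems.append("processid must be an integer")
    try:
        if datetime.fromisoformat(event["timestamp"]).tzinfo is None:
            problems.append("timestamp lacks a UTC offset")
    except (TypeError, ValueError):
        problems.append("timestamp is not ISO 8601")
    return problems


def to_json(event):
    """Serialise with sorted keys so equal events produce identical bytes on the wire."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def sample_event():
    """Rebuild the message shown above from constructed, fixed inputs."""
    return build_event(
        "new test msg",
        details={"uid": 0, "username": "kang"},
        category="authentication",
        severity="CRITICAL",
        tags=["bro", "auth"],
        hostname="blah.private.scl3.mozilla.com",
        now=datetime(2014, 3, 18, 23, 20, 31, 13344, tzinfo=timezone.utc),
    )


if __name__ == "__main__":
    ev = sample_event()
    print(to_json(ev))
    print("problems:", validate_event(ev))
```

Run ``validate_event`` on the dict you are about to hand to ``msg.send`` (or on ``msg.log`` after editing its entries); a non-empty result is a client-side bug, not something to ship to the SIEM.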

Certificate handling
--------------------

During testing with self-signed certificates it may be convenient to disable certificate checking when connecting to MozDef.
More often you simply have a custom CA bundle (for example the one that signed your MozDef server's certificate) that you want to trust instead of the system store.

Here is how to do each:

.. code::

    msg.verify_certificate = False  # not recommended: disables TLS verification entirely, any certificate is accepted
    msg.verify_certificate = True   # verifies against the system CA store (e.g. /etc/ssl/certs)
    msg.verify_certificate = '/etc/path/to/custom/cert'  # verifies against this CA bundle only

.. note::

   Disabling certificate checking introduces a security issue (anyone on the network path can impersonate MozDef and read or alter your events) and is not recommended, especially in production. Pointing ``verify_certificate`` at the CA that signed your test certificate gives you a working test setup without turning verification off.
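To make the three settings above concrete, here is what each one means at the TLS layer. This is an added example, not mozdef_lib's code: it uses the standard-library ``ssl`` and ``http.client`` modules rather than the requests stack the library is built on (requests accepts the same three values in its ``verify`` argument), and the helper names ``make_ssl_context``, ``verification_summary`` and ``post_event`` are made up for the example. The CA bundle path is a placeholder.

```python
import http.client
import json
import ssl
import warnings

# Helper names are this example's own; mozdef_lib exposes only the
# verify_certificate attribute shown above.


def make_ssl_context(verify_certificate=True):
    """Map a verify_certificate value onto an ssl.SSLContext.

    False -> no verification at all (any certificate, including an attacker's, is accepted)
    True  -> the system trust store (e.g. /etc/ssl/certs on most Linux distributions)
    str   -> a PEM bundle for a private CA; only chains ending in that bundle are trusted
    """
    if verify_certificate is False:
        warnings.warn("TLS certificate verification disabled; never do this in production",
                      RuntimeWarning, stacklevel=2)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if verify_certificate is True:
        return ssl.create_default_context()  # CERT_REQUIRED, hostname check, system CAs
    if isinstance(verify_certificate, str):
        # create_default_context(cafile=...) trusts only that bundle, not the system store,
        # and fails closed (OSError) instead of silently falling back if the file is missing.
        return ssl.create_default_context(cafile=verify_certificate)
    raise TypeError("verify_certificate must be True, False or a path to a CA bundle")


def verification_summary(verify_certificate=True):
    """Report the effective verification settings, for code review or tests."""
    ctx = make_ssl_context(verify_certificate)
    return {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


def post_event(host, port, path, event, verify_certificate=True, timeout=5):
    """POST a JSON event over TLS using the chosen verification policy.

    With verify_certificate=False a MITM on the path to MozDef can read or alter
    every event; with a bundle path a self-signed test CA is trusted explicitly
    instead of turning verification off.
    """
    body = json.dumps(event).encode("utf-8")
    conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                       context=make_ssl_context(verify_certificate))
    try:
        conn.request("POST", path, body=body, headers={"Content-Type": "application/json"})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    for setting in (True, False):
        print(setting, verification_summary(setting))
    # Example call against a MozDef with a privately signed certificate (placeholder path):
    # post_event("127.0.0.1", 8443, "/events", {"summary": "hello"},
    #            verify_certificate="/etc/path/to/custom/cert")
```

The point of ``verification_summary`` is reviewability: a deployment that ends up with ``CERT_NONE`` and ``check_hostname == False`` is one where the events feeding your SIEM can be silently intercepted, so that combination should only ever appear in a throwaway test environment.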