diff --git a/conf/mentat-inspector-b.py.conf b/conf/mentat-inspector-b.py.conf
index 58145d31ad9e80955201f4460885c4251f2348ea..d5c6929517a0fca5226c6cfae97c6e7074a68fcb 100644
--- a/conf/mentat-inspector-b.py.conf
+++ b/conf/mentat-inspector-b.py.conf
@@ -21,126 +21,126 @@ "name": "Check: EventTime > DetectTime", "rule": "exists EventTime and exists DetectTime and EventTime > DetectTime", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.InspectionErrors[*]", "value": "EventTime_gt_DetectTime", "unique": true}} + {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "EventTime_gt_DetectTime", "unique": true}} ] }, { "name": "Check: CeaseTime > DetectTime", "rule": "exists CeaseTime and exists DetectTime and CeaseTime > DetectTime", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.InspectionErrors[*]", "value": "CeaseTime_gt_DetectTime", "unique": true}} + {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "CeaseTime_gt_DetectTime", "unique": true}} ] }, { "name": "Check: WinStartTime > DetectTime", "rule": "exists WinStartTime and exists DetectTime and WinStartTime > DetectTime", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.InspectionErrors[*]", "value": "WinStartTime_gt_DetectTime", "unique": true}} + {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "WinStartTime_gt_DetectTime", "unique": true}} ] }, { "name": "Check: DetectTime > CreateTime", "rule": "exists DetectTime and exists CreateTime and DetectTime > CreateTime", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.InspectionErrors[*]", "value": "DetectTime_gt_CreateTime", "unique": true}} + {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "DetectTime_gt_CreateTime", "unique": true}} ] }, { "name": "Check: EventTime > CeaseTime", "rule": "exists EventTime and exists CeaseTime and EventTime > CeaseTime", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.InspectionErrors[*]", "value": "EventTime_gt_CeaseTime", "unique": true}} + {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "EventTime_gt_CeaseTime", "unique": true}} ] }, { "name": "Check: WinStartTime > WinEndTime", "rule": "exists 
WinStartTime and exists WinEndTime and WinStartTime > WinEndTime", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.InspectionErrors[*]", "value": "WinStartTime_gt_WinEndTime", "unique": true}} + {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "WinStartTime_gt_WinEndTime", "unique": true}} ] }, { "name": "Check: WinStartTime > EventTime", "rule": "exists WinStartTime and exists EventTime and WinStartTime > EventTime", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.InspectionErrors[*]", "value": "WinStartTime_gt_EventTime", "unique": true}} + {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "WinStartTime_gt_EventTime", "unique": true}} ] }, { "name": "Check: Source port and TCP/UDP", "rule": "exists Source.Port and not (Source.Proto in ['tcp', 'udp'])", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.InspectionErrors[*]", "value": "Used_Source_Port_and_missing_Proto", "unique": true}} + {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "Used_Source_Port_and_missing_Proto", "unique": true}} ] }, { "name": "Check: Target port and TCP/UDP", "rule": "exists Target.Port and not (Target.Proto in ['tcp', 'udp'])", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.InspectionErrors[*]", "value": "Used_Target_Port_and_missing_Proto", "unique": true}} + {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "Used_Target_Port_and_missing_Proto", "unique": true}} ] }, { "name": "Check: DetectTime too old", "rule": "DetectTime < (utcnow() - 3D00:00:00)", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.InspectionErrors[*]", "value": "DetectTime_too_old", "unique": true}} + {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "DetectTime_too_old", "unique": true}} ] }, { "name": "Check: DetectTime in the future", "rule": "DetectTime > (utcnow() + 01:00:00)", "actions": [ - {"action": "tag", "args": {"path": 
"_CESNET.InspectionErrors[*]", "value": "DetectTime_in_the_future", "unique": true}} + {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "DetectTime_in_the_future", "unique": true}} ] }, { "name": "Check: Category Test only", "rule": "Category is ['Test']", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.InspectionErrors[*]", "value": "Category_Test_only", "unique": true}} + {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "Category_Test_only", "unique": true}} ] }, { "name": "Check: Category Unknown", "rule": "not Category in ['Abusive', 'Abusive.Spam', 'Abusive.Harassment', 'Abusive.Child', 'Abusive.Sexual', 'Abusive.Violence', 'Malware', 'Malware.Virus', 'Malware.Worm', 'Malware.Trojan', 'Malware.Spyware', 'Malware.Dialer', 'Malware.Rootkit', 'Recon', 'Recon.Scanning', 'Recon.Sniffing', 'Recon.SocialEngineering', 'Recon.Searching', 'Attempt', 'Attempt.Exploit', 'Attempt.Login', 'Attempt.NewSignature', 'Intrusion', 'Intrusion.AdminCompromise', 'Intrusion.UserCompromise', 'Intrusion.AppCompromise', 'Intrusion.Botnet', 'Availability', 'Availability.DoS', 'Availability.DDoS', 'Availability.Sabotage', 'Availability.Outage', 'Information', 'Information.UnauthorizedAccess', 'Information.UnauthorizedModification', 'Fraud', 'Fraud.UnauthorizedUsage', 'Fraud.Copyright', 'Fraud.Masquerade', 'Fraud.Phishing', 'Fraud.Scam', 'Vulnerable', 'Vulnerable.Open', 'Vulnerable.Config', 'Anomaly', 'Anomaly.Traffic', 'Anomaly.Connection', 'Anomaly.Protocol', 'Anomaly.System', 'Anomaly.Application', 'Anomaly.Behaviour', 'Other', 'Test']", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.InspectionErrors[*]", "value": "Category_unknown", "unique": true}} + {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "Category_unknown", "unique": true}} ] }, { "name": "Check: Source Type Unknown", "rule": "exists Source.Type and not Source.Type in ['Proxy', 'OriginMalware', 'OriginSandbox', 'OriginSpam', 
'OriginBlacklist', 'Phishing', 'Malware', 'MITM', 'Spam', 'Backscatter', 'Open', 'Poisoned', 'FastFlux', 'Botnet', 'CC', 'Tor', 'Incomplete', 'Anonymised']", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.InspectionErrors[*]", "value": "Source_Type_unknown", "unique": true}} + {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "Source_Type_unknown", "unique": true}} ] }, { "name": "Check: Target Type Unknown", "rule": "exists Target.Type and not Target.Type in ['Proxy', 'OriginMalware', 'OriginSandbox', 'OriginSpam', 'Phishing', 'Malware', 'MITM', 'Spam', 'Backscatter', 'Open', 'Poisoned', 'FastFlux', 'Botnet', 'CC', 'Tor', 'Incomplete', 'Anonymised']", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.InspectionErrors[*]", "value": "Target_Type_unknown", "unique": true}} + {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "Target_Type_unknown", "unique": true}} ] }, { "name": "Check: Node Type Unknown", "rule": "exists Node.Type and not Node.Tag in ['Connection', 'Datagram', 'Content', 'Data', 'File', 'Flow', 'Log', 'Protocol', 'Host', 'Network', 'Correlation', 'External', 'Reporting', 'Blackhole', 'Signature', 'Statistical', 'Heuristic', 'Integrity', 'Policy', 'Honeypot', 'Tarpit', 'Recon', 'Monitor']", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.InspectionErrors[*]", "value": "Node_Type_unknown", "unique": true}} + {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "Node_Type_unknown", "unique": true}} ] }, { "name": "Check: ID suspiciously short", "rule": "strlen(ID) < 8", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.InspectionErrors[*]", "value": "ID_too_short", "unique": true}} + {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "ID_too_short", "unique": true}} ] }, { "name": "Check: Description suspiciously short or missing", "rule": "strlen(Description) < 8", "actions": [ - {"action": "tag", "args": {"path": 
"_CESNET.InspectionErrors[*]", "value": "Description_short_or_missing", "unique": true}} + {"action": "tag", "args": {"path": "_Mentat.InspectionErrors[*]", "value": "Description_short_or_missing", "unique": true}} ] } ], diff --git a/conf/mentat-inspector.py.conf b/conf/mentat-inspector.py.conf index 015a9427f726528af6f202e8140dd76a94c2e41d..5a7cd6131dc24bd6a778de8450d1ea7fd1165ce7 100644 --- a/conf/mentat-inspector.py.conf +++ b/conf/mentat-inspector.py.conf 
@@ -22,184 +22,184 @@ "name": "Assign class - attempt-login-rdp", "rule": "Category in ['Attempt.Login'] and (Target.Port in [3389] or Target.Proto in ['ms-wbt-server', 'rdp'])", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.EventClass", "value": "attempt-login-rdp", "overwrite": false} }, - {"action": "tag", "args": {"path": "_CESNET.EventSeverity", "value": "medium", "overwrite": false} } + {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "attempt-login-rdp", "overwrite": false} }, + {"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "medium", "overwrite": false} } ] }, { "name": "Assign class - attempt-login-telnet", "rule": "Category in ['Attempt.Login'] and (Target.Proto in ['telnet'] or Source.Proto in ['telnet'] or Target.Port in [23])", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.EventClass", "value": "attempt-login-telnet", "overwrite": false} }, - {"action": "tag", "args": {"path": "_CESNET.EventSeverity", "value": "medium", "overwrite": false} } + {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "attempt-login-telnet", "overwrite": false} }, + {"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "medium", "overwrite": false} } ] }, { "name": "Assign class - attempt-login-ssh", "rule": "Category in ['Attempt.Login'] and (Target.Proto in ['ssh'] or Source.Proto in ['ssh'] or Target.Port in [22])", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.EventClass", "value": "attempt-login-ssh", "overwrite": false} }, - {"action": "tag", "args": {"path": "_CESNET.EventSeverity", "value": "medium", "overwrite": false} } + {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "attempt-login-ssh", "overwrite": false} }, + {"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "medium", "overwrite": false} } ] }, { "name": "Assign class - attempt-login-sip", "rule": "Category in ['Attempt.Login'] and (Target.Proto in ['sip', 'sip-tls'] or 
Source.Proto in ['sip', 'sip-tls'] or Target.Port in [5060])", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.EventClass", "value": "attempt-login-sip", "overwrite": false} }, - {"action": "tag", "args": {"path": "_CESNET.EventSeverity", "value": "medium", "overwrite": false} } + {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "attempt-login-sip", "overwrite": false} }, + {"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "medium", "overwrite": false} } ] }, { "name": "Assign class - attempt-exploit-http", "rule": "Category in ['Attempt.Exploit'] and (Target.Port in [80, 443] or Source.Proto in ['http', 'https', 'http-alt'] or Target.Proto in ['http', 'https', 'http-alt'])", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.EventClass", "value": "attempt-exploit-http", "overwrite": false} }, - {"action": "tag", "args": {"path": "_CESNET.EventSeverity", "value": "medium", "overwrite": false} } + {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "attempt-exploit-http", "overwrite": false} }, + {"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "medium", "overwrite": false} } ] }, { "name": "Assign class - attempt-exploit", "rule": "Category in ['Attempt.Exploit']", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.EventClass", "value": "attempt-exploit", "overwrite": false} }, - {"action": "tag", "args": {"path": "_CESNET.EventSeverity", "value": "medium", "overwrite": false} } + {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "attempt-exploit", "overwrite": false} }, + {"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "medium", "overwrite": false} } ] }, { "name": "Assign class - avail-ddos", "rule": "Category in ['Availability.DoS', 'Availability.DDoS']", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.EventClass", "value": "avail-ddos", "overwrite": false} }, - {"action": "tag", "args": {"path": 
"_CESNET.EventSeverity", "value": "medium", "overwrite": false} } + {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "avail-ddos", "overwrite": false} }, + {"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "medium", "overwrite": false} } ] }, { "name": "Assign class - abusive-spam-backscatter", "rule": "Category in ['Abusive.Spam'] and Source.Type in ['Backscatter']", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.EventClass", "value": "abusive-spam-backscatter", "overwrite": false} }, - {"action": "tag", "args": {"path": "_CESNET.EventSeverity", "value": "low", "overwrite": false} } + {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "abusive-spam-backscatter", "overwrite": false} }, + {"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "low", "overwrite": false} } ] }, { "name": "Assign class - abusive-spam-spammer", "rule": "Category in ['Abusive.Spam'] and Source.Type in ['Spam']", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.EventClass", "value": "abusive-spam-spammer", "overwrite": false} }, - {"action": "tag", "args": {"path": "_CESNET.EventSeverity", "value": "medium", "overwrite": false} } + {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "abusive-spam-spammer", "overwrite": false} }, + {"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "medium", "overwrite": false} } ] }, { "name": "Assign class - vulnerable-config-qotd", "rule": "Category in ['Vulnerable.Config'] and (Source.Proto in ['qotd'] or Source.Port in [17])", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.EventClass", "value": "vulnerable-config-qotd", "overwrite": false} }, - {"action": "tag", "args": {"path": "_CESNET.EventSeverity", "value": "medium", "overwrite": false} } + {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "vulnerable-config-qotd", "overwrite": false} }, + {"action": "tag", "args": {"path": "_Mentat.EventSeverity", 
"value": "medium", "overwrite": false} } ] }, { "name": "Assign class - vulnerable-config-ssdp", "rule": "Category in ['Vulnerable.Config'] and (Source.Proto in ['ssdp'] or Source.Port in [1900])", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.EventClass", "value": "vulnerable-config-ssdp", "overwrite": false} }, - {"action": "tag", "args": {"path": "_CESNET.EventSeverity", "value": "medium", "overwrite": false} } + {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "vulnerable-config-ssdp", "overwrite": false} }, + {"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "medium", "overwrite": false} } ] }, { "name": "Assign class - vulnerable-config-ntp", "rule": "Category in ['Vulnerable.Config'] and (Source.Proto in ['ntp'] or Source.Port in [123])", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.EventClass", "value": "vulnerable-config-ntp", "overwrite": false} }, - {"action": "tag", "args": {"path": "_CESNET.EventSeverity", "value": "medium", "overwrite": false} } + {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "vulnerable-config-ntp", "overwrite": false} }, + {"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "medium", "overwrite": false} } ] }, { "name": "Assign class - vulnerable-config-domain", "rule": "Category in ['Vulnerable.Config'] and (Source.Proto in ['domain'] or Source.Port in [53])", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.EventClass", "value": "vulnerable-config-domain", "overwrite": false} }, - {"action": "tag", "args": {"path": "_CESNET.EventSeverity", "value": "medium", "overwrite": false} } + {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "vulnerable-config-domain", "overwrite": false} }, + {"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "medium", "overwrite": false} } ] }, { "name": "Assign class - vulnerable-config-netbios", "rule": "Category in ['Vulnerable.Config'] and (Source.Proto in 
['netbios-ns'] or Source.Port in [137])", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.EventClass", "value": "vulnerable-config-netbios", "overwrite": false} }, - {"action": "tag", "args": {"path": "_CESNET.EventSeverity", "value": "medium", "overwrite": false} } + {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "vulnerable-config-netbios", "overwrite": false} }, + {"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "medium", "overwrite": false} } ] }, { "name": "Assign class - vulnerable-config-ipmi", "rule": "Category in ['Vulnerable.Config'] and (Source.Proto in ['ipmi', 'asf-rmcp'] or Source.Port in [623])", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.EventClass", "value": "vulnerable-config-ipmi", "overwrite": false} }, - {"action": "tag", "args": {"path": "_CESNET.EventSeverity", "value": "medium", "overwrite": false} } + {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "vulnerable-config-ipmi", "overwrite": false} }, + {"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "medium", "overwrite": false} } ] }, { "name": "Assign class - vulnerable-config-chargen", "rule": "Category in ['Vulnerable.Config'] and (Source.Proto in ['chargen'] or Source.Port in [19])", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.EventClass", "value": "vulnerable-config-chargen", "overwrite": false} }, - {"action": "tag", "args": {"path": "_CESNET.EventSeverity", "value": "medium", "overwrite": false} } + {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "vulnerable-config-chargen", "overwrite": false} }, + {"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "medium", "overwrite": false} } ] }, { "name": "Assign class - vulnerable-config-snmp", "rule": "Category in ['Vulnerable.Config'] and (Source.Proto in ['snmp'] or Source.Port in [161])", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.EventClass", "value": 
"vulnerable-config-snmp", "overwrite": false} }, - {"action": "tag", "args": {"path": "_CESNET.EventSeverity", "value": "medium", "overwrite": false} } + {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "vulnerable-config-snmp", "overwrite": false} }, + {"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "medium", "overwrite": false} } ] }, { "name": "Assign class - vulnerable-open-socks", "rule": "Category in ['Vulnerable.Config', 'Vulnerable.Open'] and (Source.Proto in ['socks'] or Source.Port in [1080])", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.EventClass", "value": "vulnerable-open-socks", "overwrite": false} }, - {"action": "tag", "args": {"path": "_CESNET.EventSeverity", "value": "medium", "overwrite": false} } + {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "vulnerable-open-socks", "overwrite": false} }, + {"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "medium", "overwrite": false} } ] }, { "name": "Assign class - anomaly-traffic-url", "rule": "Category in ['Anomaly.Traffic'] and Source.Type in ['OriginSandbox']", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.EventClass", "value": "anomaly-traffic-url", "overwrite": false} }, - {"action": "tag", "args": {"path": "_CESNET.EventSeverity", "value": "low", "overwrite": false} } + {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "anomaly-traffic-url", "overwrite": false} }, + {"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "low", "overwrite": false} } ] }, { "name": "Assign class - anomaly-traffic", "rule": "Category in ['Anomaly.Traffic']", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.EventClass", "value": "anomaly-traffic", "overwrite": false} }, - {"action": "tag", "args": {"path": "_CESNET.EventSeverity", "value": "low", "overwrite": false} } + {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "anomaly-traffic", "overwrite": false} }, + 
{"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "low", "overwrite": false} } ] }, { "name": "Assign class - intrusion-botnet-bot", "rule": "Category in ['Intrusion.Botnet'] and Source.Type in ['Botnet']", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.EventClass", "value": "intrusion-botnet-bot", "overwrite": false} }, - {"action": "tag", "args": {"path": "_CESNET.EventSeverity", "value": "medium", "overwrite": false} } + {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "intrusion-botnet-bot", "overwrite": false} }, + {"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "medium", "overwrite": false} } ] }, { "name": "Assign class - intrusion-botnet-cc", "rule": "Category in ['Intrusion.Botnet'] and Source.Type in ['CC']", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.EventClass", "value": "intrusion-botnet-cc", "overwrite": false} }, - {"action": "tag", "args": {"path": "_CESNET.EventSeverity", "value": "medium", "overwrite": false} } + {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "intrusion-botnet-cc", "overwrite": false} }, + {"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "medium", "overwrite": false} } ] }, { "name": "Assign class - recon-scanning", "rule": "Category in ['Recon.Scanning']", "actions": [ - {"action": "tag", "args": {"path": "_CESNET.EventClass", "value": "recon-scanning", "overwrite": false} }, - {"action": "tag", "args": {"path": "_CESNET.EventSeverity", "value": "low", "overwrite": false} } + {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "recon-scanning", "overwrite": false} }, + {"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "low", "overwrite": false} } ] } ], diff --git a/conf/templates/idea/msg.01.idea.j2 b/conf/templates/idea/msg.01.idea.j2 index af69fbad09251901d0e4a8b897a0e854759143df..dd517d40a61154f184cb4402215a42c6635d5397 100644 --- a/conf/templates/idea/msg.01.idea.j2 
+++ b/conf/templates/idea/msg.01.idea.j2 @@ -179,7 +179,7 @@ "Name": "{{ node_name }}" } ], - "_CESNET": { + "_Mentat": { {%- if severity %} "EventSeverity": "{{ severity }}"{%- if class %},{%- endif %} {%- endif %} diff --git a/doc/sphinx/_doclib/events.rst b/doc/sphinx/_doclib/events.rst index 0b5d48e403aef96c5315d31258405743b692e51c..58513957fa45b626847d76a19f0bc339111321c5 100644 --- a/doc/sphinx/_doclib/events.rst +++ b/doc/sphinx/_doclib/events.rst @@ -12,7 +12,7 @@ Custom data attributes -------------------------------------------------------------------------------- The Mentat system adds several custom data attributes to official `IDEA <https://idea.cesnet.cz>`__ -message format. All these new data attributes are contained within the ``_CESNET`` +message format. All these new data attributes are contained within the ``_Mentat`` data attribute. diff --git a/lib/mentat/daemon/component/storage.py b/lib/mentat/daemon/component/storage.py index fadef609f5537117cc2b0b1438cbd8ab9d8ddbb2..b8ab8c35d560cb018e4fe236165be20e34c5a9f4 100644 --- a/lib/mentat/daemon/component/storage.py +++ b/lib/mentat/daemon/component/storage.py @@ -253,8 +253,8 @@ class StorageDaemonComponent(pyzenkit.zendaemon.ZenDaemonComponent): ) ) try: - # Set current time as _CESNET.StorageTime. - pynspect.jpath.jpath_set(args['idea'], '_CESNET.StorageTime', datetime.datetime.utcnow()) + # Set current time as _Mentat.StorageTime. + pynspect.jpath.jpath_set(args['idea'], '_Mentat.StorageTime', datetime.datetime.utcnow()) # Attempt to store IDEA message into database. self.event_gateway(daemon, args) diff --git a/lib/mentat/daemon/component/test_commiter.py b/lib/mentat/daemon/component/test_commiter.py index febf412efe09127b86e22b93a64f57e455fdaca5..6c689b4e46edc0a8de0341ab92b4f29e163012d0 100644 --- a/lib/mentat/daemon/component/test_commiter.py +++ b/lib/mentat/daemon/component/test_commiter.py 
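Review bot: The new line in `storage.py` still hard-codes the namespace path `'_Mentat.StorageTime'` as a string literal, the same literal the two inspector configs and the IDEA template now carry, so the next rename can again go partially wrong; on the Python side a module-level constant, e.g. `MENTAT_NS = '_Mentat'` used as `jpath_set(args['idea'], MENTAT_NS + '.StorageTime', ...)`, would give one place to change and a name for tests to import. The same line uses `datetime.datetime.utcnow()`, which returns a naive datetime and is deprecated from Python 3.12; `datetime.datetime.now(datetime.timezone.utc)` is the aware replacement, but confirm that `jpath_set` and the database serialization accept an aware value before switching, since the stored `StorageTime` form would otherwise change. The enclosing method and its `try:` block continue outside the hunk.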
@@ -41,7 +41,7 @@ class TestMentatDaemonCommiter(DaemonComponentTestCase): 'Note': 'SSH login attempt', 'Source': [{'IP4': ['188.14.166.39']}], 'Target': [{'IP4': ['195.113.165.128/25'], 'Port': [22]}], - '_CESNET': {'StorageTime': '2016-06-21T14:00:07Z'} + '_Mentat': {'StorageTime': '2016-06-21T14:00:07Z'} } } diff --git a/lib/mentat/daemon/component/test_inspector.py b/lib/mentat/daemon/component/test_inspector.py index 8534be1531a8862fae6007a826e6005d1e7612c3..464ecc82ac573cb93534f1f7c57ebe91d4208584 100644 --- a/lib/mentat/daemon/component/test_inspector.py +++ b/lib/mentat/daemon/component/test_inspector.py @@ -43,7 +43,7 @@ class TestMentatDaemonInspector(DaemonComponentTestCase): 'Source': [{'IP4': ['188.14.166.39']}], 'Target': [{'IP4': ['195.113.165.128/25'], 'Port': [22]}], 'TestTag': {'ValueA1': 'A2', 'ValueA2': ['A4', 'A5']}, - '_CESNET': {'StorageTime': '2016-06-21T14:00:07Z'} + '_Mentat': {'StorageTime': '2016-06-21T14:00:07Z'} } }, 'set': { @@ -59,7 +59,7 @@ class TestMentatDaemonInspector(DaemonComponentTestCase): 'Source': [{'IP4': ['188.14.166.39']}], 'Target': [{'IP4': ['195.113.165.128/25'], 'Port': [22]}], 'TestTag': {'ValueA1': 1466910407, 'ValueA2': [1466514007, 1466517607]}, - '_CESNET': {'StorageTime': '2016-06-21T14:00:07Z'} + '_Mentat': {'StorageTime': '2016-06-21T14:00:07Z'} } }, 'report': { @@ -74,7 +74,7 @@ class TestMentatDaemonInspector(DaemonComponentTestCase): 'Note': 'SSH login attempt', 'Source': [{'IP4': ['188.14.166.39']}], 'Target': [{'IP4': ['195.113.165.128/25'], 'Port': [22]}], - '_CESNET': {'StorageTime': '2016-06-21T14:00:07Z'} + '_Mentat': {'StorageTime': '2016-06-21T14:00:07Z'} } }, 'drop': { @@ -89,7 +89,7 @@ class TestMentatDaemonInspector(DaemonComponentTestCase): 'Note': 'SSH login attempt', 'Source': [{'IP4': ['188.14.166.39']}], 'Target': [{'IP4': ['195.113.165.128/25'], 'Port': [22]}], - '_CESNET': {'StorageTime': '2016-06-21T14:00:07Z'} + '_Mentat': {'StorageTime': '2016-06-21T14:00:07Z'} } }, 'dispatch': { 
@@ -104,7 +104,7 @@ class TestMentatDaemonInspector(DaemonComponentTestCase): 'Note': 'SSH login attempt', 'Source': [{'IP4': ['188.14.166.39']}], 'Target': [{'IP4': ['195.113.165.128/25'], 'Port': [22]}], - '_CESNET': {'StorageTime': '2016-06-21T14:00:07Z'} + '_Mentat': {'StorageTime': '2016-06-21T14:00:07Z'} } }, 'duplicate': { @@ -119,7 +119,7 @@ class TestMentatDaemonInspector(DaemonComponentTestCase): 'Note': 'SSH login attempt', 'Source': [{'IP4': ['188.14.166.39']}], 'Target': [{'IP4': ['195.113.165.128/25'], 'Port': [22]}], - '_CESNET': {'StorageTime': '2016-06-21T14:00:07Z'} + '_Mentat': {'StorageTime': '2016-06-21T14:00:07Z'} } }, 'log': { @@ -134,7 +134,7 @@ class TestMentatDaemonInspector(DaemonComponentTestCase): 'Note': 'SSH login attempt', 'Source': [{'IP4': ['188.14.166.39']}], 'Target': [{'IP4': ['195.113.165.128/25'], 'Port': [22]}], - '_CESNET': {'StorageTime': '2016-06-21T14:00:07Z'} + '_Mentat': {'StorageTime': '2016-06-21T14:00:07Z'} } } } 
@@ -301,12 +301,12 @@ class TestMentatDaemonInspector(DaemonComponentTestCase):
 #'rule': 'Note EQ "SSH login attempt"',
 #'name': 'rule_01',
 #'actions': [
- #{'action': 'set', 'name': 'action_01', 'args': {'path': 'TestTag.ValueA1', 'expression': '_CESNET.StorageTime + 3600'}},
- #{'action': 'set', 'name': 'action_02', 'args': {'path': 'TestTag.ValueA1', 'expression': '_CESNET.StorageTime + 400000'}},
- #{'action': 'set', 'name': 'action_03', 'args': {'path': 'TestTag.ValueA1', 'expression': '_CESNET.StorageTime + 800000', 'overwrite': False}},
- #{'action': 'set', 'name': 'action_04', 'args': {'path': 'TestTag.ValueA2[*]', 'expression': '_CESNET.StorageTime + 3600', 'unique': True}},
- #{'action': 'set', 'name': 'action_05', 'args': {'path': 'TestTag.ValueA2[*]', 'expression': '_CESNET.StorageTime + 7200', 'unique': True}},
- #{'action': 'set', 'name': 'action_06', 'args': {'path': 'TestTag.ValueA2[*]', 'expression': '_CESNET.StorageTime + 7200', 'unique': True}},
+ #{'action': 'set', 'name': 'action_01', 'args': {'path': 'TestTag.ValueA1', 'expression': '_Mentat.StorageTime + 3600'}},
+ #{'action': 'set', 'name': 'action_02', 'args': {'path': 'TestTag.ValueA1', 'expression': '_Mentat.StorageTime + 400000'}},
+ #{'action': 'set', 'name': 'action_03', 'args': {'path': 'TestTag.ValueA1', 'expression': '_Mentat.StorageTime + 800000', 'overwrite': False}},
+ #{'action': 'set', 'name': 'action_04', 'args': {'path': 'TestTag.ValueA2[*]', 'expression': '_Mentat.StorageTime + 3600', 'unique': True}},
+ #{'action': 'set', 'name': 'action_05', 'args': {'path': 'TestTag.ValueA2[*]', 'expression': '_Mentat.StorageTime + 7200', 'unique': True}},
+ #{'action': 'set', 'name': 'action_06', 'args': {'path': 'TestTag.ValueA2[*]', 'expression': '_Mentat.StorageTime + 7200', 'unique': True}},
 #]
 #},
 #],
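Review bot: The six rewritten `#{'action': 'set', ...}` lines are commented-out code, and the same holds for the commented `call.debug(...)` assertions in the following hunk at -349, so the rename is now being maintained inside dead code that no test executes. The `'set'` fixture earlier in this file already carries `TestTag.ValueA1`/`ValueA2` values (1466910407, 1466514007, 1466517607) that appear to match what these actions would produce, so either re-enable this block as a real test of the `set` action or delete it so the next rename has fewer places to miss. The block sits inside a method that begins before the hunk.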
@@ -349,30 +349,30 @@ class TestMentatDaemonInspector(DaemonComponentTestCase): #daemon.logger.assert_has_calls([ #call.info("Inspecting message 'message01':'message01'"), #call.info("Message 'message01':'message01' matched inspection rule 'rule_01'"), - #call.debug("Set - Message 'message01' path 'TestTag.ValueA1':'_CESNET.StorageTime + 3600'=>1466514007 key successfully set (O:True U:False)"), - #call.debug("Set - Message 'message01' path 'TestTag.ValueA1':'_CESNET.StorageTime + 400000'=>1466910407 key successfully set (O:True U:False)"), - #call.debug("Set - Message 'message01' path 'TestTag.ValueA1':'_CESNET.StorageTime + 800000'=>1467310407 key already exists, not overwriting (O:False U:False)"), - #call.debug("Set - Message 'message01' path 'TestTag.ValueA2[*]':'_CESNET.StorageTime + 3600'=>1466514007 key successfully set (O:True U:True)"), - #call.debug("Set - Message 'message01' path 'TestTag.ValueA2[*]':'_CESNET.StorageTime + 7200'=>1466517607 key successfully set (O:True U:True)"), - #call.debug("Set - Message 'message01' path 'TestTag.ValueA2[*]':'_CESNET.StorageTime + 7200'=>1466517607 value already exists, not inserting (O:True U:True)"), + #call.debug("Set - Message 'message01' path 'TestTag.ValueA1':'_Mentat.StorageTime + 3600'=>1466514007 key successfully set (O:True U:False)"), + #call.debug("Set - Message 'message01' path 'TestTag.ValueA1':'_Mentat.StorageTime + 400000'=>1466910407 key successfully set (O:True U:False)"), + #call.debug("Set - Message 'message01' path 'TestTag.ValueA1':'_Mentat.StorageTime + 800000'=>1467310407 key already exists, not overwriting (O:False U:False)"), + #call.debug("Set - Message 'message01' path 'TestTag.ValueA2[*]':'_Mentat.StorageTime + 3600'=>1466514007 key successfully set (O:True U:True)"), + #call.debug("Set - Message 'message01' path 'TestTag.ValueA2[*]':'_Mentat.StorageTime + 7200'=>1466517607 key successfully set (O:True U:True)"), + #call.debug("Set - Message 'message01' path 
'TestTag.ValueA2[*]':'_Mentat.StorageTime + 7200'=>1466517607 value already exists, not inserting (O:True U:True)"), #call.info("Inspecting message 'message01':'message01'"), #call.info("Message 'message01':'message01' matched inspection rule 'rule_01'"), - #call.debug("Set - Message 'message01' path 'TestTag.ValueA1':'_CESNET.StorageTime + 3600'=>1466514007 key successfully set (O:True U:False)"), - #call.debug("Set - Message 'message01' path 'TestTag.ValueA1':'_CESNET.StorageTime + 400000'=>1466910407 key successfully set (O:True U:False)"), - #call.debug("Set - Message 'message01' path 'TestTag.ValueA1':'_CESNET.StorageTime + 800000'=>1467310407 key already exists, not overwriting (O:False U:False)"), - #call.debug("Set - Message 'message01' path 'TestTag.ValueA2[*]':'_CESNET.StorageTime + 3600'=>1466514007 key successfully set (O:True U:True)"), - #call.debug("Set - Message 'message01' path 'TestTag.ValueA2[*]':'_CESNET.StorageTime + 7200'=>1466517607 key successfully set (O:True U:True)"), - #call.debug("Set - Message 'message01' path 'TestTag.ValueA2[*]':'_CESNET.StorageTime + 7200'=>1466517607 value already exists, not inserting (O:True U:True)"), + #call.debug("Set - Message 'message01' path 'TestTag.ValueA1':'_Mentat.StorageTime + 3600'=>1466514007 key successfully set (O:True U:False)"), + #call.debug("Set - Message 'message01' path 'TestTag.ValueA1':'_Mentat.StorageTime + 400000'=>1466910407 key successfully set (O:True U:False)"), + #call.debug("Set - Message 'message01' path 'TestTag.ValueA1':'_Mentat.StorageTime + 800000'=>1467310407 key already exists, not overwriting (O:False U:False)"), + #call.debug("Set - Message 'message01' path 'TestTag.ValueA2[*]':'_Mentat.StorageTime + 3600'=>1466514007 key successfully set (O:True U:True)"), + #call.debug("Set - Message 'message01' path 'TestTag.ValueA2[*]':'_Mentat.StorageTime + 7200'=>1466517607 key successfully set (O:True U:True)"), + #call.debug("Set - Message 'message01' path 
'TestTag.ValueA2[*]':'_Mentat.StorageTime + 7200'=>1466517607 value already exists, not inserting (O:True U:True)"), #call.info("Inspecting message 'message01':'message01'"), #call.info("Message 'message01':'message01' matched inspection rule 'rule_01'"), - #call.debug("Set - Message 'message01' path 'TestTag.ValueA1':'_CESNET.StorageTime + 3600'=>1466514007 key successfully set (O:True U:False)"), - #call.debug("Set - Message 'message01' path 'TestTag.ValueA1':'_CESNET.StorageTime + 400000'=>1466910407 key successfully set (O:True U:False)"), - #call.debug("Set - Message 'message01' path 'TestTag.ValueA1':'_CESNET.StorageTime + 800000'=>1467310407 key already exists, not overwriting (O:False U:False)"), - #call.debug("Set - Message 'message01' path 'TestTag.ValueA2[*]':'_CESNET.StorageTime + 3600'=>1466514007 key successfully set (O:True U:True)"), - #call.debug("Set - Message 'message01' path 'TestTag.ValueA2[*]':'_CESNET.StorageTime + 7200'=>1466517607 key successfully set (O:True U:True)"), - #call.debug("Set - Message 'message01' path 'TestTag.ValueA2[*]':'_CESNET.StorageTime + 7200'=>1466517607 value already exists, not inserting (O:True U:True)") + #call.debug("Set - Message 'message01' path 'TestTag.ValueA1':'_Mentat.StorageTime + 3600'=>1466514007 key successfully set (O:True U:False)"), + #call.debug("Set - Message 'message01' path 'TestTag.ValueA1':'_Mentat.StorageTime + 400000'=>1466910407 key successfully set (O:True U:False)"), + #call.debug("Set - Message 'message01' path 'TestTag.ValueA1':'_Mentat.StorageTime + 800000'=>1467310407 key already exists, not overwriting (O:False U:False)"), + #call.debug("Set - Message 'message01' path 'TestTag.ValueA2[*]':'_Mentat.StorageTime + 3600'=>1466514007 key successfully set (O:True U:True)"), + #call.debug("Set - Message 'message01' path 'TestTag.ValueA2[*]':'_Mentat.StorageTime + 7200'=>1466517607 key successfully set (O:True U:True)"), + #call.debug("Set - Message 'message01' path 
'TestTag.ValueA2[*]':'_Mentat.StorageTime + 7200'=>1466517607 value already exists, not inserting (O:True U:True)") #]) def test_04_report(self): diff --git a/lib/mentat/daemon/component/test_parser.py b/lib/mentat/daemon/component/test_parser.py index f0841a1512b270631963a0319abad6f2b19e18f4..c0045e8de5d19e8120b7ca66d0fd6e1ec7955365 100644 --- a/lib/mentat/daemon/component/test_parser.py +++ b/lib/mentat/daemon/component/test_parser.py @@ -84,7 +84,7 @@ class TestMentatDaemonParser(unittest.TestCase): ] } ], - "_CESNET" : { + "_Mentat" : { "StorageTime" : "2016-06-21T14:00:07Z" }, "WinEndTime" : "2016-06-21 12:00:02Z", diff --git a/lib/mentat/daemon/component/test_storage.py b/lib/mentat/daemon/component/test_storage.py index bcd4fd5a4dae4543711f81fb2b4e0b4d12094d65..fc481b509e1121515d00a82045e61f1c4b5856a8 100644 --- a/lib/mentat/daemon/component/test_storage.py +++ b/lib/mentat/daemon/component/test_storage.py @@ -94,7 +94,7 @@ class TestMentatDaemonStorage(unittest.TestCase): ] } ], - "_CESNET" : { + "_Mentat" : { "StorageTime" : "2016-06-21T14:00:07Z" }, "WinEndTime" : "2016-06-21 12:00:02Z", diff --git a/lib/mentat/daemon/component/testsuite.py b/lib/mentat/daemon/component/testsuite.py index 8647e2fe73643191f282c3fcc06f5ea7e8650306..a1c39b67d5c10b9aeface436470486507ff69628 100644 --- a/lib/mentat/daemon/component/testsuite.py +++ b/lib/mentat/daemon/component/testsuite.py @@ -57,7 +57,7 @@ messages_raw = [ ] } ], - "_CESNET" : { + "_Mentat" : { "StorageTime" : "2016-06-21T14:00:07Z" }, "Format" : "IDEA0", diff --git a/lib/mentat/emails/test_event.py b/lib/mentat/emails/test_event.py index 5036ab6e5b6274dddb335523475251b2893452f3..58bca55bed9f145b4c20de6d9d99df22256c4145 100644 --- a/lib/mentat/emails/test_event.py +++ b/lib/mentat/emails/test_event.py @@ -68,7 +68,7 @@ class TestReportEmail(unittest.TestCase): 'Type': ['Connection','Honeypot','Recon'] } ], - '_CESNET': { + '_Mentat': { 'StorageTime': '2016-06-21T14:00:07Z' } }] 
diff --git a/lib/mentat/idea/internal.py b/lib/mentat/idea/internal.py
index 425f3cf47b455595619508d1722765f61bdf695e..48d77f7ff5a46a108e3195e72bcab22f9f6c92e8 100644
--- a/lib/mentat/idea/internal.py
+++ b/lib/mentat/idea/internal.py
@@ -101,7 +101,7 @@ def cesnet_dict_typedef(flavour, list_flavour, errors_list, abuses_list, addon=N
 class CESNETDict(typedcols.TypedDict): # pylint: disable=locally-disabled,too-many-ancestors
 """
 This type definition represents a custom subdictionary under key
- *_CESNET* in message root dictionary.
+ *_Mentat*/*_CESNET* in message root dictionary.
 """
 allow_unknown = True
 typedef = cesnet_dict_typedef(
@@ -126,6 +126,10 @@ def internal_base_addon_typedef(flavour, list_flavour, cesnet_dict, addon=None):
 "description": "CESNET specific timestamp as native Unix timestamp",
 "type": flavour["Integer"]
 },
+ "_Mentat": {
+ "description": "Custom CESNET/Mentat abominations to IDEA definition",
+ "type": cesnet_dict
+ },
 "_CESNET": {
 "description": "Custom CESNET/Mentat abominations to IDEA definition",
 "type": cesnet_dict
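Review bot: With `_Mentat` added next to `_CESNET` in `internal_base_addon_typedef`, a message is now valid with both subdictionaries present, and the two entries carry the identical description, so nothing tells a reader which one is authoritative. The `get_custom_key` accessor introduced later in this diff reads `_Mentat` alone whenever it exists, so fields left only under `_CESNET` in such a message are silently ignored. I would state that in the typedef itself, e.g. `"description": "Legacy alias of _Mentat; ignored by the accessors when _Mentat is also present"` on the `_CESNET` entry, and keep `_Mentat` as the documented primary key. `internal_base_addon_typedef` continues outside the hunk.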
@@ -200,41 +204,51 @@ class Idea(idea.lite.Idea): # pylint: disable=locally-disabled,too-many-ancesto
 """
 return self['DetectTime']
 
+ def get_custom_key(self):
+ """
+ Convenience method for returning the correct custom key.
+
+ :return: The value of _Mentat if present, otherwise the value of _CESNET if present.
+ If neither of those keys exist then empty dictionary is returned.
+ :rtype: cesnet_dict
+ """
+ return self.get('_Mentat') if '_Mentat' in self else self.get('_CESNET', {})
+
 def get_storage_time(self):
 """
 Convenience method for returning message storage time.
 
- :return: Value of message attribute ``idea['_CESNET']['StorageTime']``.
+ :return: Value of message attribute ``idea['_Mentat'/'_CESNET']['StorageTime']``.
 :rtype: datetime.datetime
 """
- return self.get('_CESNET', {}).get('StorageTime', None)
+ return self.get_custom_key().get('StorageTime', None)
 
 def get_class(self):
 """
 Convenience method for returning message event class.
 
- :return: Value of message attribute ``idea['_CESNET']['EventClass']``.
+ :return: Value of message attribute ``idea['_Mentat'/'_CESNET']['EventClass']``.
 :rtype: str
 """
- return self.get('_CESNET', {}).get('EventClass', None)
+ return self.get_custom_key().get('EventClass', None)
 
 def get_severity(self):
 """
 Convenience method for returning message event severity.
 
- :return: Value of message attribute ``idea['_CESNET']['EventSeverity']``.
+ :return: Value of message attribute ``idea['_Mentat'/'_CESNET']['EventSeverity']``.
 :rtype: str
 """
- return self.get('_CESNET', {}).get('EventSeverity', None)
+ return self.get_custom_key().get('EventSeverity', None)
 
 def get_abuses(self):
 """
 Convenience method for returning list of all resolved abuses.
 
- :return: Value of message attribute ``idea['_CESNET']['ResolvedAbuses']``.
+ :return: Value of message attribute ``idea['_Mentat'/'_CESNET']['ResolvedAbuses']``.
 :rtype: list of strings
 """
- return list(self.get('_CESNET', {}).get('ResolvedAbuses', list()))
+ return list(self.get_custom_key().get('ResolvedAbuses', list()))
 
 def get_categories(self):
 """
@@ -338,32 +352,32 @@ class Idea(idea.lite.Idea): # pylint: disable=locally-disabled,too-many-ancesto
 """
 Convenience method for returning list of all resolved source countries.
 
- :return: Value of message attribute ``idea['_CESNET']['SourceResolvedCountry']``.
+ :return: Value of message attribute ``idea['_Mentat'/'_CESNET']['SourceResolvedCountry']``.
 :rtype: list of strings
 """
 return list(
- self.get('_CESNET', {}).get('SourceResolvedCountry', [])
+ self.get_custom_key().get('SourceResolvedCountry', [])
 )
 
 def get_asns_src(self):
 """
 Convenience method for returning list of all resolved source ASNs.
 
- :return: Value of message attribute ``idea['_CESNET']['SourceResolvedASN']``.
+ :return: Value of message attribute ``idea['_Mentat'/'_CESNET']['SourceResolvedASN']``.
 :rtype: list of strings
 """
 return list(
- self.get('_CESNET', {}).get('SourceResolvedASN', [])
+ self.get_custom_key().get('SourceResolvedASN', [])
 )
 
 def get_inspection_errors(self):
 """
 Convenience method for returning a list of inspection errors.
 
- :return: List of values of ``idea['_CESNET']['InspectionErrors']``.
+ :return: List of values of ``idea['_Mentat']['InspectionErrors']``.
 :rtype: list
 """
- return self.get_jpath_values('_CESNET.InspectionErrors')
+ return self.get_jpath_values('_Mentat.InspectionErrors' if '_Mentat' in self else '_CESNET.InspectionErrors')
 
 def get_jpath_value(self, jpath):
 """
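Review bot: `get_custom_key` returns the `_Mentat` dictionary whenever that key exists and never consults `_CESNET` in that case, so a message still holding legacy `_CESNET.StorageTime` or `_CESNET.EventClass` loses them for `get_storage_time()`/`get_class()` the moment anything creates `_Mentat` — and the geoip.py and whois.py hunks in this diff do exactly that through `jpath_set` on every enriched message. Unless legacy data is migrated into `_Mentat` at ingest, the accessor should merge rather than choose, e.g. `merged = dict(self.get('_CESNET', {}))`, `merged.update(self.get('_Mentat', {}))`, `return merged`; the result is then always a copy, which is consistent with the fresh `{}` already returned when neither key exists. The `:rtype: cesnet_dict` line names a function rather than a type; `dict` is what callers actually receive. The class continues outside the hunk.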
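Review bot: `get_inspection_errors` re-implements the `'_Mentat' in self` choice inline instead of going through `get_custom_key()` like the other accessors changed in this diff, and its updated docstring now mentions only `_Mentat` although the code still falls back to `_CESNET`. If `get_jpath_values` is used here only to tolerate a missing key (its definition is not in view), `return list(self.get_custom_key().get('InspectionErrors', []))` would keep the key-selection rule in one place. Either way the docstring should read ``idea['_Mentat'/'_CESNET']['InspectionErrors']`` like its siblings.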
@@ -443,15 +457,15 @@ class IdeaGhost(Idea):
 idea_raw.setdefault('Node', []).append(node)
 
 if record.cesnet_resolvedabuses:
- idea_raw.setdefault('_CESNET', {})['ResolvedAbuses'] = list(record.cesnet_resolvedabuses)
+ idea_raw.setdefault('_Mentat', {})['ResolvedAbuses'] = list(record.cesnet_resolvedabuses)
 if record.cesnet_storagetime:
- idea_raw.setdefault('_CESNET', {})['StorageTime'] = record.cesnet_storagetime
+ idea_raw.setdefault('_Mentat', {})['StorageTime'] = record.cesnet_storagetime
 if record.cesnet_eventclass:
- idea_raw.setdefault('_CESNET', {})['EventClass'] = record.cesnet_eventclass
+ idea_raw.setdefault('_Mentat', {})['EventClass'] = record.cesnet_eventclass
 if record.cesnet_eventseverity:
- idea_raw.setdefault('_CESNET', {})['EventSeverity'] = record.cesnet_eventseverity
+ idea_raw.setdefault('_Mentat', {})['EventSeverity'] = record.cesnet_eventseverity
 if record.cesnet_inspectionerrors:
- idea_raw.setdefault('_CESNET', {})['InspectionErrors'] = list(record.cesnet_inspectionerrors)
+ idea_raw.setdefault('_Mentat', {})['InspectionErrors'] = list(record.cesnet_inspectionerrors)
 
 try:
 return cls(idea_raw)
@@ -475,7 +489,7 @@ class IDEAFilterCompiler(pynspect.compilers.IDEAFilterCompiler):
 super(IDEAFilterCompiler, self).__init__()
 
 self.register_variable_compilation(
- '_CESNET.StorageTime',
+ '_Mentat.StorageTime',
 pynspect.compilers.compile_timeoper,
 pynspect.rules.ListRule
 )
diff --git a/lib/mentat/idea/jsondict.py b/lib/mentat/idea/jsondict.py
index 0c2f491b3f00cde0f15ab5ccddc38a4520cd98bc..5ae144eff28c03c372cd89003b03c568b20e7048 100644
--- a/lib/mentat/idea/jsondict.py
+++ b/lib/mentat/idea/jsondict.py
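Review bot: `IDEAFilterCompiler.__init__` now registers only `_Mentat.StorageTime` for `compile_timeoper`, so a filter or inspector rule that still spells the path `_CESNET.StorageTime` — the only spelling before this commit, and one the accessors in this same diff deliberately keep reading — will have its right-hand side left as a plain CONSTANT instead of the DATETIME the test_internal.py expectation shows, so it no longer compares against a datetime. Rules kept in the database or in user configuration are not rewritten by this commit, so both paths should stay registered, e.g. wrap the call in `for path in ('_Mentat.StorageTime', '_CESNET.StorageTime'):` and pass `path` as the first argument. test_internal.py likewise only swaps its expectation to `_Mentat.StorageTime` instead of covering both spellings. `__init__` continues outside the hunk.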
@@ -168,7 +168,7 @@ class NodeDict(typedcols.TypedDict): # pylint: disable=locally-disabled,too-man
 
 class CESNETDict(typedcols.TypedDict): # pylint: disable=locally-disabled,too-many-ancestors
 """
- Typed dictionary representing *_CESNET* substructure in IDEA message structure.
+ Typed dictionary representing *_Mentat*/*_CESNET* substructure in IDEA message structure.
 """
 allow_unknown = True
 typedef = mentat.idea.internal.cesnet_dict_typedef(
diff --git a/lib/mentat/idea/sqldb.py b/lib/mentat/idea/sqldb.py
index 29cc566969da6d806594652ac0d1b1f57f935635..9b46a6d17026f9b1b06b1139395c615b21a73e51 100644
--- a/lib/mentat/idea/sqldb.py
+++ b/lib/mentat/idea/sqldb.py
@@ -40,8 +40,8 @@ message attributes:
 * Protocol (both source and target, unique set)
 * Node.Name
 * Node.Type
-* _CESNET.ResolvedAbuses
-* _CESNET.StorageTime
+* _Mentat.ResolvedAbuses
+* _Mentat.StorageTime
 
 As a side-effect of this approach, searching according to other IDEA message
 attributes is not possible.
@@ -192,9 +192,7 @@ class Idea: # pylint: disable=locally-disabled,too-many-instance-attributes,t
 if self.cesnet_eventseverity:
 self.cesnet_eventseverity = self.cesnet_eventseverity.lower()
 
- self.cesnet_inspectionerrors = list(
- idea_event.get('_CESNET', {}).get('InspectionErrors', list())
- )
+ self.cesnet_inspectionerrors = idea_event.get_inspection_errors()
 
 @staticmethod
 def _aggr_iplist(ranges, rngcls):
diff --git a/lib/mentat/idea/test_internal.py b/lib/mentat/idea/test_internal.py
index 7a542f8779505052bd572c34fb99c547241a5214..2cfa5fd5dfaecb85c130f87750b4aaddc5a5e192 100644
--- a/lib/mentat/idea/test_internal.py
+++ b/lib/mentat/idea/test_internal.py
@@ -102,7 +102,7 @@ class TestMentatIdeaInternal(unittest.TestCase):
 'AggrWin': '00:05:00'
 }
 ],
- '_CESNET' : {
+ '_Mentat' : {
 'StorageTime': '2017-04-05T10:21:39Z',
 'EventTemplate': 'sserv-012',
 'ResolvedAbuses': ['abuse@cesnet.cz'],
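Review bot: In the sqldb.py `Idea` constructor, `idea_event.get_inspection_errors()` assumes `idea_event` is a `mentat.idea.internal.Idea`, whereas the replaced `idea_event.get('_CESNET', {})...` worked on any mapping; if this constructor is ever handed a plain dict or a jsondict-flavoured message (the call sites are not in view) it now raises `AttributeError`. The explicit `list(...)` copy is also gone, so `cesnet_inspectionerrors` may alias whatever `get_jpath_values` returns. If the narrower input type is intended, record it in the constructor's docstring; otherwise `self.cesnet_inspectionerrors = list(idea_event.get_inspection_errors())` at least keeps the copy. The constructor continues outside the hunk.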
@@ -145,7 +145,7 @@ class TestMentatIdeaInternal(unittest.TestCase): 'Type': ['Connection','Honeypot','Recon'] } ], - '_CESNET': { + '_Mentat': { 'StorageTime': '2016-06-21T14:00:07Z' } } @@ -380,10 +380,10 @@ class TestIDEAFilterCompiler(unittest.TestCase): res = self.cpl.compile(rule) self.assertEqual(repr(res), "COMPBINOP(VARIABLE('WinEndTime') OP_EQ DATETIME(datetime.datetime(2016, 6, 21, 13, 8, 27)))") - rule = self.psr.parse('(_CESNET.StorageTime == "2016-06-21T13:08:27Z")') - self.assertEqual(repr(rule), "COMPBINOP(VARIABLE('_CESNET.StorageTime') OP_EQ CONSTANT('2016-06-21T13:08:27Z'))") + rule = self.psr.parse('(_Mentat.StorageTime == "2016-06-21T13:08:27Z")') + self.assertEqual(repr(rule), "COMPBINOP(VARIABLE('_Mentat.StorageTime') OP_EQ CONSTANT('2016-06-21T13:08:27Z'))") res = self.cpl.compile(rule) - self.assertEqual(repr(res), "COMPBINOP(VARIABLE('_CESNET.StorageTime') OP_EQ DATETIME(datetime.datetime(2016, 6, 21, 13, 8, 27)))") + self.assertEqual(repr(res), "COMPBINOP(VARIABLE('_Mentat.StorageTime') OP_EQ DATETIME(datetime.datetime(2016, 6, 21, 13, 8, 27)))") def test_03_idea_ip_compilations(self): """ diff --git a/lib/mentat/idea/test_jsondict.py b/lib/mentat/idea/test_jsondict.py index 89c9f0060ded22e2b56d400ed964678fb6b25cf0..8f220cc874c196205db45ffd9d1596f356be799e 100644 --- a/lib/mentat/idea/test_jsondict.py +++ b/lib/mentat/idea/test_jsondict.py @@ -98,7 +98,7 @@ class TestMentatIdeaJSON(unittest.TestCase): "AggrWin": "00:05:00" } ], - "_CESNET" : { + "_Mentat" : { "StorageTime" : "2017-04-05T10:21:39Z", "EventTemplate" : "sserv-012", "ResolvedAbuses" : [ diff --git a/lib/mentat/idea/test_sqldb.py b/lib/mentat/idea/test_sqldb.py index 23c74455681402edb086650aa437d95903ead4a9..96244afbdc34c7e45ae263d440f96130c08e709f 100644 --- a/lib/mentat/idea/test_sqldb.py +++ b/lib/mentat/idea/test_sqldb.py 
@@ -103,7 +103,7 @@ class TestMentatIdeaJSON(unittest.TestCase):
 'AggrWin': '00:05:00'
 }
 ],
- '_CESNET' : {
+ '_Mentat' : {
 'StorageTime': '2017-04-05T10:21:39Z',
 'EventTemplate': 'sserv-012',
 'ResolvedAbuses': ['abuse@cesnet.cz'],
diff --git a/lib/mentat/plugin/enricher/geoip.py b/lib/mentat/plugin/enricher/geoip.py
index b8d27e065799fb6c51f58acbe97409336b85adc1..346b873406897327278dee5bff9ee644919e292a 100644
--- a/lib/mentat/plugin/enricher/geoip.py
+++ b/lib/mentat/plugin/enricher/geoip.py
@@ -103,17 +103,17 @@ class GeoipEnricherPlugin(mentat.plugin.enricher.EnricherPlugin):
 resolved_asn_src = sorted(resolved_asn_src.keys())
 resolved_country_src = sorted(resolved_country_src.keys())
 if resolved_asn_src:
- pynspect.jpath.jpath_set(message, '_CESNET.SourceResolvedASN', resolved_asn_src)
+ pynspect.jpath.jpath_set(message, '_Mentat.SourceResolvedASN', resolved_asn_src)
 daemon.logger.debug(
- "GEOIP - Enriched message '%s' with attribute '_CESNET.SourceResolvedASN' and values %s",
+ "GEOIP - Enriched message '%s' with attribute '_Mentat.SourceResolvedASN' and values %s",
 message_id,
 pprint.pformat(resolved_asn_src)
 )
 changed = True
 if resolved_country_src:
- pynspect.jpath.jpath_set(message, '_CESNET.SourceResolvedCountry', resolved_country_src)
+ pynspect.jpath.jpath_set(message, '_Mentat.SourceResolvedCountry', resolved_country_src)
 daemon.logger.debug(
- "GEOIP - Enriched message '%s' with attribute '_CESNET.SourceResolvedCountry' and values %s",
+ "GEOIP - Enriched message '%s' with attribute '_Mentat.SourceResolvedCountry' and values %s",
 message_id,
 pprint.pformat(resolved_country_src)
 )
diff --git a/lib/mentat/plugin/enricher/test_geoip.py b/lib/mentat/plugin/enricher/test_geoip.py
index 640d832f3c550b638e1f60a784064a31b864a258..4c411258c3d85577d3678c3beb41bb0649b32625 100644
--- a/lib/mentat/plugin/enricher/test_geoip.py
+++ b/lib/mentat/plugin/enricher/test_geoip.py
@@ -88,12 +88,12 @@ class TestMentatGeoipEnricherPlugin(MentatEnricherPluginTestCase): mapplication.assert_has_calls([ call.logger.debug("GEOIP - processing message '%s'", 'msgid'), - call.logger.debug("GEOIP - Enriched message '%s' with attribute '_CESNET.SourceResolvedASN' and values %s", 'msgid', '[2852]'), - call.logger.debug("GEOIP - Enriched message '%s' with attribute '_CESNET.SourceResolvedCountry' and values %s", 'msgid', "['CZ']") + call.logger.debug("GEOIP - Enriched message '%s' with attribute '_Mentat.SourceResolvedASN' and values %s", 'msgid', '[2852]'), + call.logger.debug("GEOIP - Enriched message '%s' with attribute '_Mentat.SourceResolvedCountry' and values %s", 'msgid', "['CZ']") ]) self.assertEqual(msg, { 'Source': [{'IP4': '195.113.144.233'}], - '_CESNET': { + '_Mentat': { 'SourceResolvedASN': [2852], 'SourceResolvedCountry': ['CZ'] } diff --git a/lib/mentat/plugin/enricher/test_whois.py b/lib/mentat/plugin/enricher/test_whois.py index 883624179e48af5f143cbe6e220febb383c03f63..2b32b324af1a8904bee968fa38b221e1a58ec426 100644 --- a/lib/mentat/plugin/enricher/test_whois.py +++ b/lib/mentat/plugin/enricher/test_whois.py @@ -208,11 +208,11 @@ class TestMentatWhoisEnricherPlugin(MentatEnricherPluginTestCase): mapplication.assert_has_calls([ call.logger.debug("WHOIS - processing message '%s'", 'msgid'), - call.logger.debug("WHOIS - Enriched message '%s' with attribute '_CESNET.ResolvedAbuses' and values %s", 'msgid', "['abuse@cesnet.cz']") + call.logger.debug("WHOIS - Enriched message '%s' with attribute '_Mentat.ResolvedAbuses' and values %s", 'msgid', "['abuse@cesnet.cz']") ]) self.assertEqual(msg, { 'Source': [{'IP4': '195.179.86.50'}], - '_CESNET': { + '_Mentat': { 'ResolvedAbuses': ['abuse@cesnet.cz'] } }) diff --git a/lib/mentat/plugin/enricher/whois.py b/lib/mentat/plugin/enricher/whois.py index e2c9d857a6f308702970678709324275bcc18bba..95435f6c911d31ece81d7187500db129efaa855f 100644 --- a/lib/mentat/plugin/enricher/whois.py 
+++ b/lib/mentat/plugin/enricher/whois.py @@ -85,9 +85,9 @@ class WhoisEnricherPlugin: changed = False resolved_abuses = sorted(resolved_abuses.keys()) if resolved_abuses: - pynspect.jpath.jpath_set(message, '_CESNET.ResolvedAbuses', resolved_abuses) + pynspect.jpath.jpath_set(message, '_Mentat.ResolvedAbuses', resolved_abuses) daemon.logger.debug( - "WHOIS - Enriched message '%s' with attribute '_CESNET.ResolvedAbuses' and values %s", + "WHOIS - Enriched message '%s' with attribute '_Mentat.ResolvedAbuses' and values %s", message_id, pprint.pformat(resolved_abuses) ) diff --git a/lib/mentat/plugin/test/test.py b/lib/mentat/plugin/test/test.py index 7550cf1f282eb4117c908cae1f2969e60a055d24..e9e39836d53725034c34d1732a80c43ba94f202d 100644 --- a/lib/mentat/plugin/test/test.py +++ b/lib/mentat/plugin/test/test.py @@ -94,8 +94,8 @@ class WhoisEnricherPlugin: changed = False resolved_abuses = sorted(resolved_abuses.keys()) if resolved_abuses: - jpath_set(message, '_CESNET.ResolvedAbuses', resolved_abuses) - daemon.logger.debug("Enriched message '{}' with attribute '_CESNET.ResolvedAbuses'".format(message_id)) + jpath_set(message, '_Mentat.ResolvedAbuses', resolved_abuses) + daemon.logger.debug("Enriched message '{}' with attribute '_Mentat.ResolvedAbuses'".format(message_id)) changed = True return (daemon.FLAG_CONTINUE, changed) diff --git a/lib/mentat/reports/event.py b/lib/mentat/reports/event.py index aa87abab539581f2d35c89d9598feb352c0ebdbd..42e3e6d4d5f019c5e06bbb92aaeb03b5eaba76e7 100644 --- a/lib/mentat/reports/event.py +++ b/lib/mentat/reports/event.py @@ -91,7 +91,7 @@ def csv_dict(idea): concnt = jpath_value(idea, 'ConnCount') note = jpath_value(idea, 'Note') - impact = jpath_value(idea, '_CESNET.Impact') + impact = jpath_value(idea, '_Mentat.Impact') #--- 
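Review bot: `csv_dict` in reports/event.py reads `_Mentat.Impact` with no `_CESNET.Impact` fallback, unlike the `EventReporter` hunk later in the same file and `ThresholdingCache` in reports/utils.py, which both try `_Mentat` and then `_CESNET`; events stored before the rename therefore export an empty impact column. `impact = jpath_value(idea, '_Mentat.Impact') or jpath_value(idea, '_CESNET.Impact')` would make the three sites agree. `csv_dict` continues outside the hunk.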
@@ -746,7 +746,8 @@ class EventReporter(BaseReporter): result = {} for ip in events.keys(): for event in events[ip]: - event_class = str(jpath_value(event, '_CESNET.EventClass') or '__UNKNOWN__') + idea_event_class = jpath_value(event, '_Mentat.EventClass') or jpath_value(event, '_CESNET.EventClass') + event_class = str(idea_event_class or '__UNKNOWN__') ip_result = result.setdefault(event_class, {}).setdefault(str(ip), { "first_time": datetime.datetime.max, "last_time": datetime.datetime.min, diff --git a/lib/mentat/reports/test_event.py b/lib/mentat/reports/test_event.py index 9fdc7510935a904422443d7e3763db326a48c81d..a4073fff149192f724f18e4f41e0b826facc3332 100644 --- a/lib/mentat/reports/test_event.py +++ b/lib/mentat/reports/test_event.py @@ -80,7 +80,7 @@ class TestMentatReportsEvent(unittest.TestCase): 'SW': ['Kippo'] } ], - '_CESNET' : { + '_Mentat' : { 'ResolvedAbuses' : [ 'abuse@cesnet.cz' ], @@ -113,7 +113,7 @@ class TestMentatReportsEvent(unittest.TestCase): } ], 'Note': 'Test note containing ; CSV delimiter.', - '_CESNET' : { + '_Mentat' : { 'ResolvedAbuses' : [ 'abuse@cesnet.cz' ], @@ -153,7 +153,7 @@ class TestMentatReportsEvent(unittest.TestCase): self.eventstorage.database_drop() self.eventstorage.database_create() for event in self.ideas_obj: - event['_CESNET']['StorageTime'] = datetime.datetime.utcnow() + event['_Mentat']['StorageTime'] = datetime.datetime.utcnow() self.eventstorage.insert_event(event) group = GroupModel(name = 'abuse@cesnet.cz', source = 'manual', description = 'CESNET, z.s.p.o.') diff --git a/lib/mentat/reports/test_utils.py b/lib/mentat/reports/test_utils.py index a749ad0be15b3053abc08cd9a1b3dc4e1f965ec4..cf95819bdf1f7d3164ae1820484d37329771c8c3 100644 --- a/lib/mentat/reports/test_utils.py +++ b/lib/mentat/reports/test_utils.py @@ -79,7 +79,7 @@ class TestMentatReportsUtils(unittest.TestCase): 'SW': ['Kippo'] } ], - '_CESNET' : { + '_Mentat' : { 'ResolvedAbuses' : [ 'abuse@cesnet.cz' ], 
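Review bot: The `_Mentat`-then-`_CESNET` lookup added to `EventReporter` here is one of three hand-written copies of the same fallback in this diff (reports/utils.py `ThresholdingCache` and stats/idea.py `group_events` hold the others), each spelled slightly differently and each a place to forget when `_CESNET` support is eventually dropped. If `event` here is a `mentat.idea.internal.Idea` (the hunk does not show its type), `event.get_class()` already encapsulates the choice; otherwise a single helper such as `custom_value(event, 'EventClass')` next to `jpath_value` would keep the rule in one module. The method continues outside the hunk.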
@@ -111,7 +111,7 @@ class TestMentatReportsUtils(unittest.TestCase): 'SW': ['Dionaea'] } ], - '_CESNET' : { + '_Mentat' : { 'ResolvedAbuses' : [ 'abuse@cesnet.cz' ], @@ -144,7 +144,7 @@ class TestMentatReportsUtils(unittest.TestCase): self.eventstorage.database_drop() self.eventstorage.database_create() for event in self.ideas_obj: - event['_CESNET']['StorageTime'] = datetime.datetime.utcnow() + event['_Mentat']['StorageTime'] = datetime.datetime.utcnow() self.eventstorage.insert_event(event) group = GroupModel(name = 'abuse@cesnet.cz', source = 'manual', description = 'CESNET, z.s.p.o.') diff --git a/lib/mentat/reports/utils.py b/lib/mentat/reports/utils.py index df10a6be0b88caaba1fe784f24fd13a33bc3b7bc..946adf24ad1909f3e58a9d9a7374c70f8cba4af8 100644 --- a/lib/mentat/reports/utils.py +++ b/lib/mentat/reports/utils.py @@ -411,7 +411,7 @@ class ThresholdingCache: :return: Cache key as strings. :rtype: str """ - event_class = jpath_value(event, '_CESNET.EventClass') + event_class = jpath_value(event, '_Mentat.EventClass') or jpath_value(event, '_CESNET.EventClass') if not event_class: event_class = '/'.join(jpath_values(event, 'Category')) return '+++'.join((event_class, str(source))) diff --git a/lib/mentat/script/test_fetcher.py b/lib/mentat/script/test_fetcher.py index d945291624d29a769272f25cfd323c13f7c9f5bf..494a589b97f48cc48bdc5b323e0db4cf2dcfd740 100644 --- a/lib/mentat/script/test_fetcher.py +++ b/lib/mentat/script/test_fetcher.py @@ -111,7 +111,7 @@ class TestMentatFetcherScript(unittest.TestCase): "AggrWin": "00:05:00" } ], - "_CESNET" : { + "_Mentat" : { "EventTemplate" : "sserv-012", "ResolvedAbuses" : [ "abuse@cesnet.cz" 
@@ -175,7 +175,7 @@ class TestMentatFetcherScript(unittest.TestCase): # This currently writes into production database, FIX it. #idea_internal = mentat.idea.internal.Idea(self.idea_raw) - #idea_internal['_CESNET']['StorageTime'] = time.time() + #idea_internal['_Mentat']['StorageTime'] = time.time() #self.script.eventservice.insert_event(idea_internal) #(time_high, time_low) = self.script.calculate_interval_thresholds(time.time(), '5_minutes') diff --git a/lib/mentat/services/bench_eventstorage.py b/lib/mentat/services/bench_eventstorage.py index d45773a6b123e97e1d3049f1f63af3cb14648d49..17e117f95c0667378f5af36c4ba01179f70d99bc 100644 --- a/lib/mentat/services/bench_eventstorage.py +++ b/lib/mentat/services/bench_eventstorage.py @@ -92,7 +92,7 @@ IDEA_INTO = mentat.idea.internal.Idea({ 'AggrWin': '00:05:00' } ], - '_CESNET' : { + '_Mentat' : { 'StorageTime' : '2017-04-05T10:21:39Z', 'EventTemplate' : 'sserv-012', 'ResolvedAbuses' : [ diff --git a/lib/mentat/services/test_eventstorage.py b/lib/mentat/services/test_eventstorage.py index d5b7ef5240d6bb5505e99c943757c79c01d12636..7ecf458181643c15e8e573a5d6beae99009bdac8 100644 --- a/lib/mentat/services/test_eventstorage.py +++ b/lib/mentat/services/test_eventstorage.py @@ -111,7 +111,7 @@ class TestMentatStorage(unittest.TestCase): 'AggrWin': '00:05:00' } ], - '_CESNET' : { + '_Mentat' : { 'StorageTime' : '2017-04-05T10:21:39Z', 'EventTemplate' : 'sserv-012', 'ResolvedAbuses' : [ @@ -162,7 +162,7 @@ class TestMentatStorage(unittest.TestCase): "Proto": ["tcp"] } ], - "_CESNET": { + "_Mentat": { 'StorageTime' : '2017-04-05T10:21:39Z', "EventClass": "attempt-login-telnet", "EventSeverity": "medium", 
@@ -1513,7 +1513,7 @@ class TestMentatStorage(unittest.TestCase): # --- idea_into = mentat.idea.internal.Idea(self.IDEA_RAW_1) - idea_into['_CESNET']['StorageTime'] = datetime.datetime.utcnow() + idea_into['_Mentat']['StorageTime'] = datetime.datetime.utcnow() storage.insert_event(idea_into) self.assertEqual(storage.count_events(), 1) time.sleep(1) diff --git a/lib/mentat/stats/bench_idea.py b/lib/mentat/stats/bench_idea.py index 64cc8296a063f4110c1095d38330aed915bbd53a..c61436dc8dc0a35195df7f379a3517965438204d 100644 --- a/lib/mentat/stats/bench_idea.py +++ b/lib/mentat/stats/bench_idea.py @@ -33,7 +33,7 @@ ideas_raw = [ "SW": ["Kippo"] } ], - "_CESNET" : { + "_Mentat" : { "ResolvedAbuses" : [ "abuse@cesnet.cz" ] @@ -59,7 +59,7 @@ ideas_raw = [ "SW": ["Kippo"] } ], - "_CESNET" : { + "_Mentat" : { "ResolvedAbuses" : [ "abuse@cesnet.cz" ] @@ -85,7 +85,7 @@ ideas_raw = [ "SW": ["Kippo"] } ], - "_CESNET" : { + "_Mentat" : { "ResolvedAbuses" : [ "abuse@cesnet.cz" ] @@ -130,7 +130,7 @@ ideas_raw = [ "SW": ["LaBrea"] } ], - "_CESNET" : { + "_Mentat" : { "ResolvedAbuses" : [ "abuse@cesnet.cz" ] diff --git a/lib/mentat/stats/idea.py b/lib/mentat/stats/idea.py index a4babb2458234adf66e94ffd6f623886ce0dfc9b..af898ce169fc7127e92b3dfcd120afd5ef47a53f 100644 --- a/lib/mentat/stats/idea.py +++ b/lib/mentat/stats/idea.py 
@@ -96,11 +96,11 @@ LIST_AGGREGATIONS = ( [ST_SKEY_ANALYZERS, 'Node[#].SW', KEY_UNKNOWN], [ST_SKEY_CATEGORIES, 'Category', KEY_UNKNOWN], [ST_SKEY_DETECTORS, 'Node[#].Name', KEY_UNKNOWN], - [ST_SKEY_ABUSES, '_CESNET.ResolvedAbuses', KEY_UNKNOWN], - [ST_SKEY_ASNS, '_CESNET.SourceResolvedASN', KEY_UNKNOWN], - [ST_SKEY_COUNTRIES, '_CESNET.SourceResolvedCountry', KEY_UNKNOWN], - [ST_SKEY_CLASSES, '_CESNET.EventClass', KEY_UNKNOWN], - [ST_SKEY_SEVERITIES, '_CESNET.EventSeverity', KEY_UNKNOWN] + [ST_SKEY_ABUSES, '_Mentat.ResolvedAbuses', KEY_UNKNOWN], + [ST_SKEY_ASNS, '_Mentat.SourceResolvedASN', KEY_UNKNOWN], + [ST_SKEY_COUNTRIES, '_Mentat.SourceResolvedCountry', KEY_UNKNOWN], + [ST_SKEY_CLASSES, '_Mentat.EventClass', KEY_UNKNOWN], + [ST_SKEY_SEVERITIES, '_Mentat.EventSeverity', KEY_UNKNOWN] ) """List of statistical aggregations.""" @@ -532,7 +532,8 @@ def evaluate_dbstats_events(stats): def group_events(events): """ - Group events according to the presence of the ``_CESNET.ResolvedAbuses`` key. + Group events according to the presence of the ``_Mentat.ResolvedAbuses`` (or + ``_CESNET.ResolvedAbuses``) key. Each event will be added to group ``overall`` and then to either ``internal``, or ``external`` based on the presence of the key mentioned above. @@ -543,7 +544,7 @@ def group_events(events): result = {ST_OVERALL: [], ST_INTERNAL: [], ST_EXTERNAL: []} for msg in events: result[ST_OVERALL].append(msg) - values = jpath_values(msg, '_CESNET.ResolvedAbuses') + values = jpath_values(msg, '_Mentat.ResolvedAbuses') or jpath_values(msg, '_CESNET.ResolvedAbuses') if values: result[ST_INTERNAL].append(msg) else: diff --git a/lib/mentat/stats/test_idea.py b/lib/mentat/stats/test_idea.py index 085c187aaf6ee934290f7879c09c325ce230dfab..a990fbb905fc436b5a33dbafe1f734416264eeae 100644 --- a/lib/mentat/stats/test_idea.py +++ b/lib/mentat/stats/test_idea.py 
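Review bot: `LIST_AGGREGATIONS` in the first hunk now aggregates only the `_Mentat.*` paths, while `group_events` in the same file still falls back to `_CESNET.ResolvedAbuses`; an event keyed the old way is therefore counted as internal by `group_events` but lands in `KEY_UNKNOWN` for abuses, ASNs, countries, class and severity. Either the aggregation table needs the same fallback (it holds a single JPath per key, so that probably means resolving the path per event where the table is consumed, which is outside this hunk) or the old key should be normalised to `_Mentat` before events reach the statistics code. The `jpath_values(...) or jpath_values(...)` in `group_events` is fine as written, but a comment such as `# events still keyed _CESNET must keep counting as internal` would explain why the second lookup exists.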
@@ -47,7 +47,7 @@ class TestMentatStatsIdea(unittest.TestCase): "SW": ["Kippo"] } ], - "_CESNET" : { + "_Mentat" : { "ResolvedAbuses" : [ "abuse@cesnet.cz" ] @@ -73,7 +73,7 @@ class TestMentatStatsIdea(unittest.TestCase): "SW": ["Kippo"] } ], - "_CESNET" : { + "_Mentat" : { "ResolvedAbuses" : [ "abuse@cesnet.cz" ] @@ -99,7 +99,7 @@ class TestMentatStatsIdea(unittest.TestCase): "SW": ["Kippo"] } ], - "_CESNET" : { + "_Mentat" : { "ResolvedAbuses" : [ "abuse@cesnet.cz" ] @@ -144,7 +144,7 @@ class TestMentatStatsIdea(unittest.TestCase): "SW": ["LaBrea"] } ], - "_CESNET" : { + "_Mentat" : { "ResolvedAbuses" : [ "abuse@cesnet.cz" ] @@ -509,7 +509,7 @@ class TestMentatStatsIdea(unittest.TestCase): 'Source': [{'IP4': ['192.168.0.2-192.168.0.5', '192.168.0.0/25'], 'IP6': ['2001:db8::ff00:42:0/112'], 'Type': ['Phishing']}], - '_CESNET': {'ResolvedAbuses': ['abuse@cesnet.cz']} + '_Mentat': {'ResolvedAbuses': ['abuse@cesnet.cz']} }, { 'Category': ['Fraud.Phishing'], @@ -523,7 +523,7 @@ class TestMentatStatsIdea(unittest.TestCase): 'Source': [{'IP4': ['192.168.0.2-192.168.0.5', '192.168.0.0/25'], 'IP6': ['2001:db8::ff00:42:0/112'], 'Type': ['Phishing']}], - '_CESNET': {'ResolvedAbuses': ['abuse@cesnet.cz']} + '_Mentat': {'ResolvedAbuses': ['abuse@cesnet.cz']} }, { 'Category': ['Fraud.Phishing'], @@ -537,7 +537,7 @@ class TestMentatStatsIdea(unittest.TestCase): 'Source': [{'IP4': ['192.168.0.2-192.168.0.5', '192.168.0.0/25'], 'IP6': ['2001:db8::ff00:42:0/112'], 'Type': ['Phishing']}], - '_CESNET': {'ResolvedAbuses': ['abuse@cesnet.cz']} + '_Mentat': {'ResolvedAbuses': ['abuse@cesnet.cz']} }, { 'Category': ['Exploit'], @@ -550,7 +550,7 @@ class TestMentatStatsIdea(unittest.TestCase): 'Tags': ['Protocol', 'Honeypot']}], 'Source': [{'IP4': ['192.168.0.109', '192.168.0.200'], 'Type': ['Exploit']}], - '_CESNET': {'ResolvedAbuses': ['abuse@cesnet.cz']} + '_Mentat': {'ResolvedAbuses': ['abuse@cesnet.cz']} } ], 'stats_overall': [ 
@@ -566,7 +566,7 @@ class TestMentatStatsIdea(unittest.TestCase): 'Source': [{'IP4': ['192.168.0.2-192.168.0.5', '192.168.0.0/25'], 'IP6': ['2001:db8::ff00:42:0/112'], 'Type': ['Phishing']}], - '_CESNET': {'ResolvedAbuses': ['abuse@cesnet.cz']} + '_Mentat': {'ResolvedAbuses': ['abuse@cesnet.cz']} }, { 'Category': ['Fraud.Phishing'], @@ -580,7 +580,7 @@ class TestMentatStatsIdea(unittest.TestCase): 'Source': [{'IP4': ['192.168.0.2-192.168.0.5', '192.168.0.0/25'], 'IP6': ['2001:db8::ff00:42:0/112'], 'Type': ['Phishing']}], - '_CESNET': {'ResolvedAbuses': ['abuse@cesnet.cz']} + '_Mentat': {'ResolvedAbuses': ['abuse@cesnet.cz']} }, { 'Category': ['Fraud.Phishing'], @@ -594,7 +594,7 @@ class TestMentatStatsIdea(unittest.TestCase): 'Source': [{'IP4': ['192.168.0.2-192.168.0.5', '192.168.0.0/25'], 'IP6': ['2001:db8::ff00:42:0/112'], 'Type': ['Phishing']}], - '_CESNET': {'ResolvedAbuses': ['abuse@cesnet.cz']} + '_Mentat': {'ResolvedAbuses': ['abuse@cesnet.cz']} }, { 'Category': ['Spam'], @@ -619,7 +619,7 @@ class TestMentatStatsIdea(unittest.TestCase): 'Tags': ['Protocol', 'Honeypot']}], 'Source': [{'IP4': ['192.168.0.109', '192.168.0.200'], 'Type': ['Exploit']}], - '_CESNET': {'ResolvedAbuses': ['abuse@cesnet.cz']} + '_Mentat': {'ResolvedAbuses': ['abuse@cesnet.cz']} }, { 'Category': ['Exploit'],