Commit d425c333 authored by Rajmund Hruška's avatar Rajmund Hruška

Fix: Search for not-yet-reported events also by the previous names of a group. (Redmine issue: #7200)

parent 1f2e1ae2
...@@ -486,7 +486,7 @@ class EventReporter(BaseReporter): ...@@ -486,7 +486,7 @@ class EventReporter(BaseReporter):
count, events = self.eventservice.search_events({ count, events = self.eventservice.search_events({
'st_from': time_l, 'st_from': time_l,
'st_to': time_h, 'st_to': time_h,
'groups': [abuse_group.name], 'groups': self._get_previous_names(abuse_group),
'severities': [severity], 'severities': [severity],
'categories': ['Test'], 'categories': ['Test'],
'not_categories': not testdata 'not_categories': not testdata
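Review bot: Querying by every former name of the group on the `'groups': self._get_previous_names(abuse_group)` line silently assumes a former name is never later held by a different group; if `DEMO_GROUP` were reassigned to another GroupModel, this group's report would include that group's events, which is cross-organization disclosure of incident data. `_get_previous_names` is not visible in this hunk, so I can only suggest that it drop any former name currently owned by another group, e.g. `owned = {n for (n,) in session.query(GroupModel.name).filter(GroupModel.name.in_(names), GroupModel.id != abuse_group.id)}` and `names = [n for n in names if n not in owned]`, or that the uniqueness-over-time invariant be stated where the names are collected. The search dict also deserves a why-comment, `# Include names the group had before being renamed, so events resolved under the old name are still reported.` The enclosing method continues outside the hunk.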
......
...@@ -31,7 +31,7 @@ import mentat.idea.internal ...@@ -31,7 +31,7 @@ import mentat.idea.internal
import mentat.reports.utils import mentat.reports.utils
import mentat.reports.event import mentat.reports.event
from mentat.datatype.sqldb import GroupModel, FilterModel, NetworkModel, \ from mentat.datatype.sqldb import GroupModel, FilterModel, NetworkModel, \
SettingsReportingModel, EventReportModel SettingsReportingModel, EventReportModel, UserModel, ItemChangeLogModel
from pynspect.jpath import jpath_values from pynspect.jpath import jpath_values
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
...@@ -120,6 +120,37 @@ class TestMentatReportsEvent(unittest.TestCase): ...@@ -120,6 +120,37 @@ class TestMentatReportsEvent(unittest.TestCase):
'EventClass' : 'anomaly-traffic', 'EventClass' : 'anomaly-traffic',
'EventSeverity': 'low' 'EventSeverity': 'low'
} }
},
{
'Format': 'IDEA0',
'ID': 'msg03',
'DetectTime': '2022-02-01T13:00:00Z',
'Category': ['Recon.Scanning'],
'Description': 'Synthetic example 03',
'Source': [
{
'IP4': ['9.9.0.0-9.9.255.255']
}
],
'Target': [
{
'IP4': ['11.2.2.0/24']
}
],
'Node': [
{
'Name': 'org.example.dionaea',
'SW': ['Dionaea']
}
],
'Note': 'Test note containing ; CSV delimiter.',
'_Mentat' : {
'ResolvedAbuses' : [
'DEMO_GROUP'
],
'EventClass' : 'anomaly-traffic',
'EventSeverity': 'low'
}
} }
] ]
...@@ -157,15 +188,42 @@ class TestMentatReportsEvent(unittest.TestCase): ...@@ -157,15 +188,42 @@ class TestMentatReportsEvent(unittest.TestCase):
self.eventstorage.insert_event(event) self.eventstorage.insert_event(event)
group = GroupModel(name = 'abuse@cesnet.cz', source = 'manual', description = 'CESNET, z.s.p.o.') group = GroupModel(name = 'abuse@cesnet.cz', source = 'manual', description = 'CESNET, z.s.p.o.')
groups_dict = {'abuse@cesnet.cz': group} group2 = GroupModel(name = 'abuse@example.com', source = 'manual', description = 'Test group')
groups_dict = {'abuse@cesnet.cz': group, 'abuse@example.com': group2}
FilterModel(group = group, name = 'FLT1', type = 'basic', filter = 'Node.Name == "org.example.kippo_honey"', description = 'DESC1', enabled = True) FilterModel(group = group, name = 'FLT1', type = 'basic', filter = 'Node.Name == "org.example.kippo_honey"', description = 'DESC1', enabled = True)
FilterModel(group = group, name = 'FLT2', type = 'basic', filter = 'Source.IP4 IN [10.0.0.0/24]', description = 'DESC2', enabled = True) FilterModel(group = group, name = 'FLT2', type = 'basic', filter = 'Source.IP4 IN [10.0.0.0/24]', description = 'DESC2', enabled = True)
FilterModel(group = group, name = 'FLT3', type = 'basic', filter = 'Source.IP4 IN [10.0.1.0/28]', description = 'DESC3', enabled = True) FilterModel(group = group, name = 'FLT3', type = 'basic', filter = 'Source.IP4 IN [10.0.1.0/28]', description = 'DESC3', enabled = True)
NetworkModel(group = group, netname = 'UNET1', source = 'manual', network = '10.0.0.0/8') NetworkModel(group = group, netname = 'UNET1', source = 'manual', network = '10.0.0.0/8')
NetworkModel(group = group2, netname = 'UNET2', source = 'manual', network = '9.9.0.0/16')
SettingsReportingModel(group = group) SettingsReportingModel(group = group)
SettingsReportingModel(group = group2)
# Create simple user and a changelog capturing renaming of a group.
test_user = UserModel(login = 'test_user_123', fullname = 'Test User', email = 'user@example.com', organization = 'example.com')
ItemChangeLogModel(
author = test_user,
model_id = 2,
model = 'GroupModel',
endpoint = 'groups.update',
module = 'groups',
operation = 'update',
# Use simplified dictionary containing just one attribute.
before = '''{
"name": "DEMO_GROUP"
}''',
after = '''{
"name": "abuse@example.com"
}''',
diff = '''{
-"name": "DEMO_GROUP"
+"name": "abuse@example.com"
}'''
)
self.sqlstorage.session.add(group) self.sqlstorage.session.add(group)
self.sqlstorage.session.add(group2)
self.sqlstorage.session.add(test_user)
self.sqlstorage.session.commit() self.sqlstorage.session.commit()
self.reporting_settings = mentat.reports.utils.ReportingSettings(group) self.reporting_settings = mentat.reports.utils.ReportingSettings(group)
...@@ -338,6 +396,7 @@ class TestMentatReportsEvent(unittest.TestCase): ...@@ -338,6 +396,7 @@ class TestMentatReportsEvent(unittest.TestCase):
self.maxDiff = None self.maxDiff = None
abuse_group = self.sqlstorage.session.query(GroupModel).filter(GroupModel.name == 'abuse@cesnet.cz').one() abuse_group = self.sqlstorage.session.query(GroupModel).filter(GroupModel.name == 'abuse@cesnet.cz').one()
abuse_group2 = self.sqlstorage.session.query(GroupModel).filter(GroupModel.name == 'abuse@example.com').one()
self.sqlstorage.session.commit() self.sqlstorage.session.commit()
events = self.reporter.fetch_severity_events( events = self.reporter.fetch_severity_events(
...@@ -348,6 +407,15 @@ class TestMentatReportsEvent(unittest.TestCase): ...@@ -348,6 +407,15 @@ class TestMentatReportsEvent(unittest.TestCase):
) )
self.assertEqual(list(map(lambda x: x['ID'], events)), ['msg01', 'msg02']) self.assertEqual(list(map(lambda x: x['ID'], events)), ['msg01', 'msg02'])
# Fetch severity events with the previous name of the abuse group.
events = self.reporter.fetch_severity_events(
abuse_group2,
'low',
datetime.datetime.utcnow() - datetime.timedelta(seconds = 7200),
datetime.datetime.utcnow() + datetime.timedelta(seconds = 7200)
)
self.assertEqual(list(map(lambda x: x['ID'], events)), ['msg03'])
events = self.reporter.fetch_severity_events( events = self.reporter.fetch_severity_events(
abuse_group, abuse_group,
'medium', 'medium',
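Review bot: The changelog fixture in the setup hunk hardcodes `model_id = 2` to point at `group2`, which depends on the autoincrement order of two groups added in the same session and will silently detach the rename from the wrong group if that order changes; the later assertion on `abuse_group2` would then fail for an unrelated reason. Prefer flushing before building the changelog and using the real id, `self.sqlstorage.session.flush()` followed by `model_id = group2.id`. The new assertions also only cover the forward case (the renamed group sees `msg03`); a negative check that `abuse_group`, which never held the name `DEMO_GROUP`, does not receive `msg03` would pin the isolation property this feature must not break. The `assertEqual(..., ['msg03'])` hunk near the end of the section appears to continue past the visible lines.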
......