diff --git a/lib/hawat/blueprints/design_bs3/templates/_macros_chart.html b/lib/hawat/blueprints/design_bs3/templates/_macros_chart.html
index f484bb29ce69e01b01337ed30eb4120f083eeeea..ea5b462190f94c665e364f3b92a57d20576b1de1 100644
--- a/lib/hawat/blueprints/design_bs3/templates/_macros_chart.html
+++ b/lib/hawat/blueprints/design_bs3/templates/_macros_chart.html
@@ -814,6 +814,7 @@
 ('detectorsws', _('detector software')),
 ('detector_types', _('detector tags')),
 ('sources', _('sources')),
+ ('targets', _('targets')),
 ('source_ports', _('source ports')),
 ('target_ports', _('target ports')),
 ('protocols', _('protocols')),
@@ -923,6 +924,13 @@
 'multi',
 'ips'
 ),
+ (
+ 'targets',
+ _('Number of events per target IP'),
+ _('This view shows total numbers of IDEA events aggregated according to a <em>target IP address</em>. Because an event may contain multiple <em>target IP addresses</em>, the total numbers in these charts may differ from the total number of events displayed in the table above.'),
+ 'multi',
+ 'ips'
+ ),
 (
 'source_ports',
 _('Number of events per source port'),
diff --git a/lib/hawat/blueprints/timeline/__init__.py b/lib/hawat/blueprints/timeline/__init__.py
index 500395caf1116c1cfc862262278dce2886ee74d9..6bf2701d98216a47118b7507700f40b4fcca1872 100644
--- a/lib/hawat/blueprints/timeline/__init__.py
+++ b/lib/hawat/blueprints/timeline/__init__.py
@@ -47,7 +47,7 @@ BLUEPRINT_NAME = 'timeline'
 AGGREGATIONS = (
 (mentat.stats.idea.ST_SKEY_CATEGORIES, {}, {"aggr_set": "category"}),
 (mentat.stats.idea.ST_SKEY_SOURCES, {}, {"aggr_set": "source_ip"}),
- # ('', {"aggr_set": "target_ip"}),
+ (mentat.stats.idea.ST_SKEY_TARGETS, {}, {"aggr_set": "target_ip"}),
 (mentat.stats.idea.ST_SKEY_SRCPORTS, {}, {"aggr_set": "source_port"}),
 (mentat.stats.idea.ST_SKEY_TGTPORTS, {}, {"aggr_set": "target_port"}),
 (mentat.stats.idea.ST_SKEY_SRCTYPES, {}, {"aggr_set": "source_type"}),
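Review bot: The description added in the second hunk says events are aggregated "according to a target IP address", but the buckets the new statistic produces are the literal `Target.IP4`/`Target.IP6` entries as written in the event; the test expectations in this same commit show ranges (`192.168.1.2-192.168.1.5`) and networks (`192.168.1.0/25`) counted as their own buckets, not expanded to addresses. A reader of the chart would otherwise take `192.168.1.0/25` as one host. The wording should name what a bucket really is, e.g. `_('This view shows total numbers of IDEA events aggregated according to a <em>target IP address, range or network</em> exactly as listed in the event. ...')`. Events without a Target section are counted under `__unknown__` (also asserted by the tests), which the text could mention in the same sentence.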
diff --git a/lib/mentat/stats/idea.py b/lib/mentat/stats/idea.py
index 94c6065df793de8b065cda8a64a9396d69eb8fae..de25327b06a0acd6e4d12f39850a81d90bba7b7b 100644
--- a/lib/mentat/stats/idea.py
+++ b/lib/mentat/stats/idea.py
@@ -40,6 +40,7 @@ ST_OVERALL = 'stats_overall'
 # Literal constants for keywords of calculated statistics.
 #
 ST_SKEY_SOURCES = 'sources'
+ST_SKEY_TARGETS = 'targets'
 ST_SKEY_IP4S = 'ip4s'
 ST_SKEY_IP6S = 'ip6s'
 ST_SKEY_ANALYZERS = 'analyzers'
@@ -91,6 +92,7 @@ LIST_STAT_GROUPS = (
 LIST_AGGREGATIONS = (
 [ST_SKEY_SOURCES, ('Source.IP4', 'Source.IP6'), KEY_UNKNOWN],
+ [ST_SKEY_TARGETS, ('Target.IP4', 'Target.IP6'), KEY_UNKNOWN],
 #[ST_SKEY_IP4S, ('Source.IP4',), KEY_UNKNOWN],
 #[ST_SKEY_IP6S, ('Source.IP6',), KEY_UNKNOWN],
 [ST_SKEY_ANALYZERS, ('Node[#].SW',), KEY_UNKNOWN],
diff --git a/lib/mentat/stats/test_idea.py b/lib/mentat/stats/test_idea.py
index 9674579b133dabc3ecfda5a40cd7dd335f274789..acd99a02ab42c5f72fdb97dbcf2bfd8fc7389e47 100644
--- a/lib/mentat/stats/test_idea.py
+++ b/lib/mentat/stats/test_idea.py
@@ -40,6 +40,12 @@ class TestMentatStatsIdea(unittest.TestCase):
 "IP6": ["2001:db8::ff00:42:0/112"]
 }
 ],
+ "Target": [
+ {
+ "IP4": ["192.168.1.2-192.168.1.5", "192.168.1.0/25"],
+ "IP6": ["2001:db8::ff01:42:0/112"]
+ }
+ ],
 "Node": [
 {
 "Name": "org.example.kippo",
@@ -92,6 +98,12 @@ class TestMentatStatsIdea(unittest.TestCase):
 "IP6": ["2001:db8::ff00:42:0/112"]
 }
 ],
+ "Target": [
+ {
+ "IP4": ["192.168.1.2-192.168.1.5", "192.168.1.0/25"],
+ "IP6": ["2001:db8::ff01:42:0/112"]
+ }
+ ],
 "Node": [
 {
 "Name": "org.example.dionaea",
@@ -137,6 +149,11 @@ class TestMentatStatsIdea(unittest.TestCase):
 "IP4": ["192.168.0.109", "192.168.0.200"]
 }
 ],
+ "Target": [
+ {
+ "IP4": ["192.168.1.109", "192.168.1.200"]
+ }
+ ],
 "Node": [
 {
 "Name": "org.example.labrea",
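Review bot: The new `LIST_AGGREGATIONS` entry sends every event without a `Target` section into `KEY_UNKNOWN`, and when a sizeable share of incoming events carry no target (the fixtures model exactly that: 3 of 6 events land in `__unknown__`), that bucket becomes the largest entry of the `targets` statistic. The truncated expectations added later in this diff already show it, `'targets': {'__unknown__': 3, '192.168.1.0/25': 2, '__REST__': 6}`, where `__unknown__` occupies a top-N slot and real target addresses are pushed into `__REST__`. For a chart titled "Number of events per target IP" that is misleading, so consider leaving `KEY_UNKNOWN` out of the top-N selection (or folding it into `__REST__`) when the aggregation is truncated, which would be a change in the truncation code outside this diff. At minimum, document the behaviour on the entry: `# events with no Target section are counted under KEY_UNKNOWN and can dominate the top-N cut-off`.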
@@ -400,6 +417,14 @@ class TestMentatStatsIdea(unittest.TestCase):
 '192.172.0.200': 1,
 '2001:db8::ff00:42:0/112': 3
 },
+ 'targets': {
+ '192.168.1.2-192.168.1.5': 2,
+ '192.168.1.0/25': 2,
+ '2001:db8::ff01:42:0/112': 2,
+ '192.168.1.109': 1,
+ '192.168.1.200': 1,
+ '__unknown__': 3
+ },
 'list_ids': ['msg01', 'msg02', 'msg03', 'msg04', 'msg05', 'msg06'],
 'severities': {'__unknown__': 6}
 })
@@ -429,6 +454,7 @@ class TestMentatStatsIdea(unittest.TestCase):
 'cz.cesnet.holly/Beekeeper': 1,
 'org.example.kippo/Kippo': 2},
 'sources': {'192.168.0.0/25': 3, '192.168.0.2-192.168.0.5': 3, '__REST__': 9},
+ 'targets': {'__unknown__': 3, '192.168.1.0/25': 2, '__REST__': 6},
 'severities': {'__unknown__': 6}
 }
 )
@@ -457,6 +483,7 @@ class TestMentatStatsIdea(unittest.TestCase):
 'org.example.kippo/Kippo': 2,
 'org.example.labrea/LaBrea': 1},
 'sources': {'192.168.0.0/25': 3, '__REST__': 12},
+ 'targets': {'__unknown__': 3, '__REST__': 8},
 'severities': {'__unknown__': 6}
 }
 )
@@ -510,6 +537,8 @@ class TestMentatStatsIdea(unittest.TestCase):
 'Source': [{'IP4': ['192.168.0.2-192.168.0.5', '192.168.0.0/25'],
 'IP6': ['2001:db8::ff00:42:0/112'],
 'Type': ['Phishing']}],
+ 'Target': [{'IP4': ['192.168.1.2-192.168.1.5', '192.168.1.0/25'],
+ 'IP6': ['2001:db8::ff01:42:0/112']}],
 '_Mentat': {'ResolvedAbuses': ['abuse@cesnet.cz']}
 },
 {
@@ -538,6 +567,8 @@ class TestMentatStatsIdea(unittest.TestCase):
 'Source': [{'IP4': ['192.168.0.2-192.168.0.5', '192.168.0.0/25'],
 'IP6': ['2001:db8::ff00:42:0/112'],
 'Type': ['Phishing']}],
+ 'Target': [{'IP4': ['192.168.1.2-192.168.1.5', '192.168.1.0/25'],
+ 'IP6': ['2001:db8::ff01:42:0/112']}],
 '_Mentat': {'ResolvedAbuses': ['abuse@cesnet.cz']}
 },
 {
@@ -551,6 +582,7 @@ class TestMentatStatsIdea(unittest.TestCase):
 'Tags': ['Protocol', 'Honeypot']}],
 'Source': [{'IP4': ['192.168.0.109', '192.168.0.200'],
 'Type': ['Exploit']}],
+ 'Target': [{"IP4": ["192.168.1.109", "192.168.1.200"]}],
 '_Mentat': {'ResolvedAbuses': ['abuse@cesnet.cz']}
 }
 ],
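Review bot: The truncated expectation in the `@@ -429` hunk, `'targets': {'__unknown__': 3, '192.168.1.0/25': 2, '__REST__': 6}`, keeps `192.168.1.0/25` even though `192.168.1.2-192.168.1.5` and `2001:db8::ff01:42:0/112` carry the same count of 2 in the full statistic asserted in the `@@ -400` hunk, so the assertion pins a tie-break rule of the truncation that is not visible in this diff. The `sources` expectations on the same lines suggest the rule is lexical key order among equal counts, but a reader cannot tell that from the test alone. A short comment on the assertion, e.g. `# three keys tie at 2; the truncation keeps the lexically smallest one`, would explain why the range is the entry that drops into `__REST__`, and choosing fixture counts with no tie at the cut-off would make the test independent of that rule altogether.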
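Review bot: The line added in the `@@ -551` hunk uses double-quoted strings, `'Target': [{"IP4": ["192.168.1.109", "192.168.1.200"]}],`, while every neighbouring line and the parallel addition in the `@@ -620` hunk use single quotes. Writing it as `'Target': [{'IP4': ['192.168.1.109', '192.168.1.200']}],` keeps the expected-output literals consistent within the file. The enclosing test method starts and ends outside the hunk.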
@@ -567,6 +599,8 @@ class TestMentatStatsIdea(unittest.TestCase):
 'Source': [{'IP4': ['192.168.0.2-192.168.0.5', '192.168.0.0/25'],
 'IP6': ['2001:db8::ff00:42:0/112'],
 'Type': ['Phishing']}],
+ 'Target': [{'IP4': ['192.168.1.2-192.168.1.5', '192.168.1.0/25'],
+ 'IP6': ['2001:db8::ff01:42:0/112']}],
 '_Mentat': {'ResolvedAbuses': ['abuse@cesnet.cz']}
 },
 {
@@ -595,6 +629,8 @@ class TestMentatStatsIdea(unittest.TestCase):
 'Source': [{'IP4': ['192.168.0.2-192.168.0.5', '192.168.0.0/25'],
 'IP6': ['2001:db8::ff00:42:0/112'],
 'Type': ['Phishing']}],
+ 'Target': [{'IP4': ['192.168.1.2-192.168.1.5', '192.168.1.0/25'],
+ 'IP6': ['2001:db8::ff01:42:0/112']}],
 '_Mentat': {'ResolvedAbuses': ['abuse@cesnet.cz']}
 },
 {
@@ -620,6 +656,7 @@ class TestMentatStatsIdea(unittest.TestCase):
 'Tags': ['Protocol', 'Honeypot']}],
 'Source': [{'IP4': ['192.168.0.109', '192.168.0.200'],
 'Type': ['Exploit']}],
+ 'Target': [{'IP4': ['192.168.1.109', '192.168.1.200']}],
 '_Mentat': {'ResolvedAbuses': ['abuse@cesnet.cz']}
 },
 {
@@ -699,6 +736,12 @@ class TestMentatStatsIdea(unittest.TestCase):
 '192.172.0.109': 3,
 '192.172.0.200': 3,
 '2001:db8::ff00:42:0/112': 9},
+ 'targets': {'192.168.1.2-192.168.1.5': 6,
+ '192.168.1.0/25': 6,
+ '2001:db8::ff01:42:0/112': 6,
+ '192.168.1.109': 3,
+ '192.168.1.200': 3,
+ '__unknown__': 9},
 'severities': {'__unknown__': 18}
 }
 )