Flowmon ADS connector: Several fixes and improvements

24c47296 · Václav Bartoš · a6762f35 · 24c47296
Commit 24c47296 authored 6 years ago by Václav Bartoš
--- a/flowmon-ads/warden3_flowmon_ads_filer.py
+++ b/flowmon-ads/warden3_flowmon_ads_filer.py
@@ -14,6 +14,8 @@ from warden_filer import SafeDir
 import json
 import csv
 from time import strptime, mktime
+import time
+import re
 from uuid import uuid4

 # Command line options handling
@@ -126,7 +128,7 @@ ads_types = {
    "ANOMALY": ["Anomaly.Behaviour"],
    "BLACKLIST": ["Other"],     # FIXME - will need to be set based on other data?
    "BPATTERNS": ["Attempt.Exploit"],   # FIXME - will need to be set based on other data?
-    "DNSANOMALY": ["Information.UnauthorizedAccess"],
+    "DNSANOMALY": ["information.UnauthorizedAccess"],
    "DNSQUERY": ["Anomaly.Traffic"],
    "DOS": ["Availability.DoS"],
    "GEODIST": ["Anomaly.Behaviour"],
@@ -172,7 +174,7 @@ def xlat_ads_proto(s):
        proto = "transport%s" % pnum
    except ValueError:
        # FIXME, will probably also need translation table
-        proto = s
+        proto = s.lower()
    return proto


@@ -184,7 +186,8 @@ def gen_idea_from_ads(ads, orig_data, anonymised_target, add_test):
       "Format": "IDEA0",
       "ID": str(uuid4()),
       "Category": xlat_ads_type(ads.get("Type")),
-       "DetectTime": format_time(*ts[0:6])
+       "DetectTime": format_time(*ts[0:6]),
+       "CreateTime": format_time(*time.localtime()[0:6])
    }

    if add_test:
@@ -218,7 +221,7 @@ def gen_idea_from_ads(ads, orig_data, anonymised_target, add_test):
    # Target related parts
    target = {}
    if ads["Ports"]:
-        target["Port"] = ads["Ports"]
+        target["Port"] = ads["Ports"] # FIXME are the ports related with Target, Source or does it depend on attack type?

    if ads["Protocol"]:
        target["Proto"] = [xlat_ads_proto(p) for p in ads["Protocol"]]
@@ -239,7 +242,7 @@ def gen_idea_from_ads(ads, orig_data, anonymised_target, add_test):
        event["Attach"] = [{
            "Content": "\t".join(orig_data),
            "Type": ["OrigData"],
-            "ContentType": "text/csv"
+            "ContentType": "text/tab-separated-values"
        }]

    # Insert subnodes into event
@@ -249,6 +252,23 @@ def gen_idea_from_ads(ads, orig_data, anonymised_target, add_test):
    if target:
        event["Target"] = [target]

+    # *** Modifications for specific alert types ***
+
+    if ads["Type"] == "DOS":
+        # Extract additional info from Note
+        match = re.search("service:\s*([^,)]*)", event.get("Note",""))
+        if match and match.group(1) != 'not specified':
+            source["Proto"] = match.group(1)
+        match = re.search("attackers:\s*(\d+)", event.get("Note",""))
+        if match:
+            # Note: Count field is not standardized, but it is sometimes used to
+            # tell the total number of sources when not all of them are listed.
+            target["Count"] = int(match.group(1)) 
+        # Swap Source and Target for DOS events
+        if source and target:
+            event["Source"] = [target]
+            event["Target"] = [source]
+
    return event