Suricata connector - fixed timestamp and logger setup moved before...

Suricata connector - fixed timestamp and logger setup moved before daemonization with added get_logger_files function for not closing logger file desriptors.

suricata/SuricataToIdea.py

@@ -160,7 +160,7 @@ class IdeaGen(object):
                        'Anomaly.Application': re.compile("web application(?! Attack)")}
 
     vulnerability_re = re.compile("vulnerability|vulnerable")
-    confidence_re = re.compile("(?i)(?:suspicious|possible|potential)")
+    confidence_re = re.compile("(?i)(?:suspicious|most likely|possible|potential)")
     confidence_likely_re = re.compile("(?i)most likely")
     
     cve_list_file = open("CVE_list.txt")
@@ -184,7 +184,7 @@ class IdeaGen(object):
         event = {
             'Format': "IDEA0",
             'ID': str(uuid4()),
-            'DetectTime': timestamp,
+            'DetectTime': timestamp[0:19] + "Z",
             'Category': [category] + (["Test"] if self.test else []),
             'Note': incident_desription,
         }
@@ -233,6 +233,17 @@ class IdeaGen(object):
         return event
 
 
+def get_logger_files(logger):
+    """ Return file objects of loggers """
+    files = []
+    for handler in logger.handlers:
+        if hasattr(handler, 'stream') and hasattr(handler.stream, 'fileno'):
+            files.append(handler.stream)
+        if hasattr(handler, 'socket') and hasattr(handler.socket, 'fileno'):
+            files.append(handler.socket)
+    return files
+
+
 def daemonize(
         work_dir=None, chroot_dir=None,
         umask=None, uid=None, gid=None,
@@ -399,6 +410,21 @@ def main():
         optp.print_help()
         sys.exit()
 
+    log_format = "%(message)s"
+    logger = logging.getLogger()
+    if opts.oneshot:
+        handler = logging.StreamHandler()
+        handler.setFormatter(logging.Formatter("%(asctime)s - " + log_format))
+    else:
+        if "/" in opts.log:
+            handler = logging.handlers.WatchedFileHandler(opts.log)
+            handler.setFormatter(logging.Formatter("%(asctime)s - " + log_format))
+        else:
+            handler = logging.handlers.SysLogHandler(adress="/dev/log", facility=opts.log)
+            handler.setFormatter(logging.Formatter(log_format))
+    logger.addHandler(handler)
+    logger.setLevel(logging.DEBUG if opts.verbose else logging.INFO)
+
     if opts.oneshot:
         signal.signal(signal.SIGINT, terminate_me)
         signal.signal(signal.SIGTERM, terminate_me)
@@ -408,6 +434,7 @@ def main():
             pidfile=opts.pid,
             uid=opts.uid,
             gid=opts.gid,
+            files_preserve = get_logger_files(logger),
             signals={
                 signal.SIGINT: terminate_me,
                 signal.SIGTERM: terminate_me,
@@ -417,21 +444,6 @@ def main():
     filer = Filer(opts.dir)
     idea_gen = IdeaGen(opts.name, opts.test)
 
-    log_format = "%(message)s"
-    logger = logging.getLogger()
-    if opts.oneshot:
-        handler = logging.StreamHandler()
-        handler.setFormatter(logging.Formatter("%(asctime)s - " + log_format))
-    else:
-        if "/" in opts.log:
-            handler = logging.handlers.WatchedFileHandler(opts.log)
-            handler.setFormatter(logging.Formatter("%(asctime)s - " + log_format))
-        else:       
-            handler = logging.handlers.SysLogHandler(address="/dev/log", facility=opts.log)
-            handler.setFormatter(logging.Formatter(log_format))
-    logger.addHandler(handler)
-    logger.setLevel(logging.DEBUG if opts.verbose else logging.INFO)
-    
     while running_flag:
         for log_file in files:
             while True:

suricata/get_CVE_list.py

@@ -51,7 +51,6 @@ def main():
             if processed_rules_list:
                 processed_rules_file.write("\n".join(sorted(processed_rules_list)))
                 processed_rules_file.write("\n")
-            processed_rules_list = []
 
 
 if __name__ == "__main__":