From 31705e58c957f8641b77df30dc58f3400c4ad08f Mon Sep 17 00:00:00 2001
From: Pavel Eis <xeispa00@stud.fit.vutbr.cz>
Date: Wed, 7 Feb 2018 16:46:22 +0100
Subject: [PATCH] Suricata connector - fixed timestamp and logger setup moved before daemonization with added get_logger_files function for not closing logger file desriptors.
---
 suricata/SuricataToIdea.py | 46 ++++++++++++++++++++++++--------------
 suricata/get_CVE_list.py | 1 -
 2 files changed, 29 insertions(+), 18 deletions(-)
diff --git a/suricata/SuricataToIdea.py b/suricata/SuricataToIdea.py
index 082e944..c48f414 100644
--- a/suricata/SuricataToIdea.py
+++ b/suricata/SuricataToIdea.py
@@ -160,7 +160,7 @@ class IdeaGen(object):
 'Anomaly.Application': re.compile("web application(?! Attack)")}
 vulnerability_re = re.compile("vulnerability|vulnerable")
- confidence_re = re.compile("(?i)(?:suspicious|possible|potential)")
+ confidence_re = re.compile("(?i)(?:suspicious|most likely|possible|potential)")
 confidence_likely_re = re.compile("(?i)most likely")
 cve_list_file = open("CVE_list.txt")
@@ -184,7 +184,7 @@ class IdeaGen(object):
 event = {
 'Format': "IDEA0",
 'ID': str(uuid4()),
- 'DetectTime': timestamp,
+ 'DetectTime': timestamp[0:19] + "Z",
 'Category': [category] + (["Test"] if self.test else []),
 'Note': incident_desription,
 }
@@ -233,6 +233,17 @@ class IdeaGen(object):
 return event
+def get_logger_files(logger):
+ """ Return file objects of loggers """
+ files = []
+ for handler in logger.handlers:
+ if hasattr(handler, 'stream') and hasattr(handler.stream, 'fileno'):
+ files.append(handler.stream)
+ if hasattr(handler, 'socket') and hasattr(handler.socket, 'fileno'):
+ files.append(handler.socket)
+ return files
+
+
 def daemonize(
 work_dir=None, chroot_dir=None, umask=None, uid=None, gid=None,
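Review bot: With `most likely` added to confidence_re, this pattern and confidence_likely_re on the next line now both match the same phrase, so the confidence assigned to a "most likely ..." description depends on which of the two is consulted first; that code is outside the hunk, so whether the specific pattern wins cannot be checked here. If the intent is that confidence_likely_re takes precedence and confidence_re is only the fallback, a comment on the changed line such as `# overlaps confidence_likely_re, which is meant to be checked first` would make that dependency explicit and survive a later reorder.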
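Review bot: `timestamp[0:19] + "Z"` labels the value as UTC without converting it: if the Suricata timestamp carries a zone offset (EVE timestamps normally look like `2018-02-07T16:46:22.123456+0100`), the offset is cut off and DetectTime is reported shifted by that amount, which breaks correlation with other event sources. A value shorter than 19 characters also passes through silently with "Z" appended. Parse the timestamp including its offset and convert to UTC before formatting with "Z" (on Python 3, `datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%S.%f%z").astimezone(timezone.utc)` does this), or keep the original offset instead of replacing it; `datetime`/`timezone` would need a file-level import, and the enclosing method continues outside the hunk.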
@@ -399,6 +410,21 @@ def main():
 optp.print_help()
 sys.exit()
+ log_format = "%(message)s"
+ logger = logging.getLogger()
+ if opts.oneshot:
+ handler = logging.StreamHandler()
+ handler.setFormatter(logging.Formatter("%(asctime)s - " + log_format))
+ else:
+ if "/" in opts.log:
+ handler = logging.handlers.WatchedFileHandler(opts.log)
+ handler.setFormatter(logging.Formatter("%(asctime)s - " + log_format))
+ else:
+ handler = logging.handlers.SysLogHandler(adress="/dev/log", facility=opts.log)
+ handler.setFormatter(logging.Formatter(log_format))
+ logger.addHandler(handler)
+ logger.setLevel(logging.DEBUG if opts.verbose else logging.INFO)
+
 if opts.oneshot:
 signal.signal(signal.SIGINT, terminate_me)
 signal.signal(signal.SIGTERM, terminate_me)
@@ -408,6 +434,7 @@ def main():
 pidfile=opts.pid,
 uid=opts.uid,
 gid=opts.gid,
+ files_preserve = get_logger_files(logger),
 signals={
 signal.SIGINT: terminate_me,
 signal.SIGTERM: terminate_me,
@@ -417,21 +444,6 @@ def main():
 filer = Filer(opts.dir)
 idea_gen = IdeaGen(opts.name, opts.test)
- log_format = "%(message)s"
- logger = logging.getLogger()
- if opts.oneshot:
- handler = logging.StreamHandler()
- handler.setFormatter(logging.Formatter("%(asctime)s - " + log_format))
- else:
- if "/" in opts.log:
- handler = logging.handlers.WatchedFileHandler(opts.log)
- handler.setFormatter(logging.Formatter("%(asctime)s - " + log_format))
- else:
- handler = logging.handlers.SysLogHandler(address="/dev/log", facility=opts.log)
- handler.setFormatter(logging.Formatter(log_format))
- logger.addHandler(handler)
- logger.setLevel(logging.DEBUG if opts.verbose else logging.INFO)
-
 while running_flag:
 for log_file in files:
 while True:
diff --git a/suricata/get_CVE_list.py b/suricata/get_CVE_list.py
index 2e2c8a7..1c51df7 100644
--- a/suricata/get_CVE_list.py
+++ b/suricata/get_CVE_list.py
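Review bot: The syslog branch passes `adress="/dev/log"` to SysLogHandler, a misspelling of the `address` keyword that the removed copy of this block (hunk at -417) used; on the non-oneshot path with a facility name in opts.log this raises TypeError before the daemon starts, so the moved block is not a pure move. The line should read `handler = logging.handlers.SysLogHandler(address="/dev/log", facility=opts.log)`. Since the handlers are now created before daemonize() runs, a WatchedFileHandler opened on a relative path that happens to contain "/" would presumably be reopened relative to the daemon's new working directory after log rotation, if daemonize changes cwd (its body is outside this diff); resolving opts.log with os.path.abspath before building the handler would avoid that.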
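Review bot: `files_preserve = get_logger_files(logger),` puts spaces around the `=` of a keyword argument, unlike the neighbouring `uid=opts.uid` and `gid=opts.gid` lines and PEP 8; write it as `files_preserve=get_logger_files(logger),`. The daemonize() call starts before this hunk and its body is outside the diff, so whether it keeps open the sockets that get_logger_files returns alongside the streams cannot be confirmed here.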
@@ -51,7 +51,6 @@ def main():
 if processed_rules_list:
 processed_rules_file.write("\n".join(sorted(processed_rules_list)))
 processed_rules_file.write("\n")
- processed_rules_list = []
 if __name__ == "__main__":
-- 
GitLab