Commit e122ba52 authored by Václav Bartoš's avatar Václav Bartoš

Flowmon ADS connector: Several fixes and improvements

parent a6762f35
...@@ -14,6 +14,8 @@ from warden_filer import SafeDir ...@@ -14,6 +14,8 @@ from warden_filer import SafeDir
import json import json
import csv import csv
from time import strptime, mktime from time import strptime, mktime
import time
import re
from uuid import uuid4 from uuid import uuid4
# Command line options handling # Command line options handling
...@@ -172,7 +174,7 @@ def xlat_ads_proto(s): ...@@ -172,7 +174,7 @@ def xlat_ads_proto(s):
proto = "transport%s" % pnum proto = "transport%s" % pnum
except ValueError: except ValueError:
# FIXME, will probably also need translation table # FIXME, will probably also need translation table
proto = s proto = s.lower()
return proto return proto
...@@ -184,7 +186,8 @@ def gen_idea_from_ads(ads, orig_data, anonymised_target, add_test): ...@@ -184,7 +186,8 @@ def gen_idea_from_ads(ads, orig_data, anonymised_target, add_test):
"Format": "IDEA0", "Format": "IDEA0",
"ID": str(uuid4()), "ID": str(uuid4()),
"Category": xlat_ads_type(ads.get("Type")), "Category": xlat_ads_type(ads.get("Type")),
"DetectTime": format_time(*ts[0:6]) "DetectTime": format_time(*ts[0:6]),
"CreateTime": format_time(*time.localtime()[0:6])
} }
if add_test: if add_test:
...@@ -218,7 +221,7 @@ def gen_idea_from_ads(ads, orig_data, anonymised_target, add_test): ...@@ -218,7 +221,7 @@ def gen_idea_from_ads(ads, orig_data, anonymised_target, add_test):
# Target related parts # Target related parts
target = {} target = {}
if ads["Ports"]: if ads["Ports"]:
target["Port"] = ads["Ports"] target["Port"] = ads["Ports"] # FIXME are the ports related with Target, Source or does it depend on attack type?
if ads["Protocol"]: if ads["Protocol"]:
target["Proto"] = [xlat_ads_proto(p) for p in ads["Protocol"]] target["Proto"] = [xlat_ads_proto(p) for p in ads["Protocol"]]
...@@ -239,7 +242,7 @@ def gen_idea_from_ads(ads, orig_data, anonymised_target, add_test): ...@@ -239,7 +242,7 @@ def gen_idea_from_ads(ads, orig_data, anonymised_target, add_test):
event["Attach"] = [{ event["Attach"] = [{
"Content": "\t".join(orig_data), "Content": "\t".join(orig_data),
"Type": ["OrigData"], "Type": ["OrigData"],
"ContentType": "text/csv" "ContentType": "text/tab-separated-values"
}] }]
# Insert subnodes into event # Insert subnodes into event
...@@ -249,6 +252,23 @@ def gen_idea_from_ads(ads, orig_data, anonymised_target, add_test): ...@@ -249,6 +252,23 @@ def gen_idea_from_ads(ads, orig_data, anonymised_target, add_test):
if target: if target:
event["Target"] = [target] event["Target"] = [target]
# *** Modifications for specific alert types ***
if ads["Type"] == "DOS":
# Extract additional info from Note
match = re.search("service:\s*([^,)]*)", event.get("Note",""))
if match and match.group(1) != 'not specified':
source["Proto"] = match.group(1)
match = re.search("attackers:\s*(\d+)", event.get("Note",""))
if match:
# Note: Count field is not standardized, but it is sometimes used to
# tell the total number of sources when not all of them are listed.
target["Count"] = int(match.group(1))
# Swap Source and Target for DOS events
if source and target:
event["Source"] = [target]
event["Target"] = [source]
return event return event
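Review bot: `source["Proto"] = match.group(1)` stores a bare string where the rest of the function builds `Proto` as a list (`target["Proto"] = [xlat_ads_proto(p) for p in ads["Protocol"]]` in the hunk at -218), and IDEA defines `Proto` as an array, so a schema-validating consumer will reject DOS events that carry a service; use `source["Proto"] = [match.group(1)]`, ideally routed through `xlat_ads_proto` so the spelling matches the other branch. The new DOS block also mutates `source` and `target` after `event["Target"] = [target]` was conditionally inserted (and `source` is presumably inserted the same way just above the hunk), so when either dict was empty at that point the added `Count`/`Proto` land in a dict the event no longer references and the swap is skipped entirely; moving the "Insert subnodes into event" step below the type-specific modifications, or re-inserting after them, avoids the silent loss. The two `re.search` patterns put `\s` and `\d` in non-raw literals, which Python 3 reports as invalid escape sequences; write them as `r"service:\s*([^,)]*)"` and `r"attackers:\s*(\d+)"`. gen_idea_from_ads starts outside this hunk.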