15 changes: 10 additions & 5 deletions elkserver/docker/redelk-base/redelkinstalldata/scripts/alarm.py
Expand Up @@ -16,9 +16,13 @@

from modules.helpers import *
from config import alarms, notifications
import config as localconfig
import itertools

LOG_LEVEL = logging.DEBUG
if localconfig.DEBUG:
LOG_LEVEL = logging.DEBUG
else:
LOG_LEVEL = logging.INFO
I would add a loglevel variable in the config, so we can have more than just info and debug

@MarcOverIP this still needs to be addressed before merging

agree. let's implement a config.DEBUGLEVEL
This was just a quick fix to avoid disk from filling 100% in days


if __name__ == '__main__':
logging.basicConfig(
Expand Down Expand Up @@ -74,27 +78,28 @@
if a in alarms and alarms[a]['enabled']:
logger.debug('Alarm %s enabled, processing hits' % a)
r = aD[a]['result']
alarm_name = aD[a]['info']['submodule']
#logger.debug('Alarm results: %s' % aD[a]['result'])
for rHit in r['hits']['hits']:
alarm_name = aD[a]['info']['submodule']
# Let's tag the doc with the alarm name
setTags(alarm_name, [rHit])
# First check if there is a mutation data to add
if rHit['_id'] in r['mutations']:
m = r['mutations'][rHit['_id']]
else:
m = {}
# And now, let's add mutations data to the doc and update back the hits
rHit = addAlarmData(rHit, m, alarm_name)
# Let's tag the doc with the alarm name
setTags(alarm_name, r['hits']['hits'])
logger.info('calling settags %s (%d hits)' % (alarm_name, r['hits']['total']))
# Needed as groupHits will change r['hits']['hits'] and different alarms might do different grouping
r = copy.deepcopy(aD[a]['result'])
for c in cD:
# connector will process ['hits']['hits'] which contains a list of 'jsons' looking like an ES line
# connector will report the fields in ['hits']['fields'] for each of the lines in the list
if c in notifications and notifications[c]['enabled']:
logger.info('connector %s enabled, sending alarm (%d hits)' % (c, r['hits']['total']))
connector = cD[c]['m'].Module()
if r['hits']['total'] > 0:
logger.info('connector %s enabled, sending alarm (%d hits)' % (c, r['hits']['total']))
# Group the hits before sending it to the alarm, based on the 'groubpby' array returned by the alarm
gb = list(r['groupby'])
r['hits']['hits'] = groupHits(r['hits']['hits'], gb)
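Review bot: `rHit = addAlarmData(rHit, m, alarm_name)` rebinds the loop variable and then discards it, so the mutation data only reaches the hits if addAlarmData mutates its argument in place; the new `setTags(alarm_name, r['hits']['hits'])` and the connector loop both read the list entries, so if the helper returns a fresh dict the mutations are silently lost. Writing the result back, `for idx, rHit in enumerate(r['hits']['hits']):` with `r['hits']['hits'][idx] = addAlarmData(rHit, m, alarm_name)`, removes the dependence on the helper's contract. The new `logger.info('calling settags %s (%d hits)' % ...)` formats `r['hits']['total']` with `%d`, while countQuery in this same PR reads `['hits']['total']['value']`; if the alarm result carries the raw ES 7 total dict, that log line raises TypeError before any connector runs, so the shape of `initial_alarm_result['hits']['total']` is worth confirming. The enclosing loop over alarms starts outside the hunk and the connector block continues past it.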
Expand Up @@ -27,7 +27,7 @@ def __init__(self):
def run(self):
ret = initial_alarm_result
ret['info'] = info
ret['fields'] = ['@timestamp', 'host.name', 'user.name', 'ioc.type', 'file.name', 'file.hash.md5', 'ioc.domain', 'c2.message', 'alarm.alarm_filehash']
ret['fields'] = ['agent.hostname','@timestamp', 'host.name', 'user.name', 'ioc.type', 'file.name', 'file.hash.md5', 'ioc.domain', 'c2.message', 'alarm.alarm_filehash']
ret['groupby'] = []
self.logger.debug('Running dummy alarm')
for r in self.alarm_dummy():
Expand All @@ -40,7 +40,7 @@ def run(self):
return(ret)

def alarm_dummy(self):
q = "c2.log.type:ioc AND NOT tags:%s"%(info['submodule'])
q = "c2.log.type:ioc AND NOT tags:alarm_*"
I would keep the submodule name so it will alert on everything that has not been alerted on by alarm_dummy before (to keep the behavior consistent with the other alarms).

makes sense.

report = {}
report['alarm'] = False
report['fname'] = "alarm_check2"
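Review bot: `ret = initial_alarm_result` aliases that object rather than copying it, and the new `ret['fields'] = ['agent.hostname', ...]` line, like `ret['info']` and `ret['groupby']` around it, mutates it in place; if initial_alarm_result is a module-level dict pulled in through `from modules.helpers import *`, every alarm module overwrites the same shared object, which looks like what the `copy.deepcopy(aD[a]['result'])` in alarm.py ("different alarms might do different grouping") is working around. `ret = copy.deepcopy(initial_alarm_result)` (or building a fresh dict literal) gives each run() its own result and lets alarm.py drop the deepcopy. The same `ret = initial_alarm_result` pattern appears in the three other run() hunks on this page that add 'agent.hostname' to fields, so the fix belongs in all four. run() continues past the end of this hunk.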
Expand Up @@ -32,7 +32,7 @@ def __init__(self):
def run(self):
ret = initial_alarm_result
ret['info'] = info
ret['fields'] = ['@timestamp', 'host.name', 'user.name', 'ioc.type', 'file.name', 'file.hash.md5', 'c2.message', 'alarm.alarm_filehash']
ret['fields'] = ['agent.hostname','@timestamp', 'host.name', 'user.name', 'ioc.type', 'file.name', 'file.hash.md5', 'c2.message', 'alarm.alarm_filehash']
ret['groupby'] = ['file.hash.md5']
try:
report = self.alarm_check()
Expand Up @@ -28,7 +28,7 @@ def __init__(self):
def run(self):
ret = initial_alarm_result
ret['info'] = info
ret['fields'] = ['source.ip', 'source.nat.ip', 'source.geo.country_name', 'source.as.organization.name', 'redir.frontend.name', 'redir.backend.name', 'infra.attack_scenario', 'tags', 'redir.timestamp']
ret['fields'] = ['agent.hostname','source.ip', 'source.nat.ip', 'source.geo.country_name', 'source.as.organization.name', 'redir.frontend.name', 'redir.backend.name', 'infra.attack_scenario', 'tags', 'redir.timestamp']
ret['groupby'] = ['source.ip']
try:
report = self.alarm_check()
Expand All @@ -45,7 +45,7 @@ def run(self):

def alarm_check(self):
# This check queries for IP's that aren't listed in any iplist* but do talk to c2* paths on redirectors\n
q = "NOT tags:iplist_* AND redir.backend.name:c2* AND tags:enriched_* AND NOT tags:%s"%(info['submodule'])
Should be self.info and not info, that's the bug I think

info is fine, the dict is global.

q = "NOT tags:iplist_* AND redir.backend.name:c2* AND NOT tags:alarm_httptraffic AND tags:enriched_*"
i = countQuery(q)
if i >= 10000:
i = 10000
Expand Up @@ -23,12 +23,13 @@
class Module():
def __init__(self):
self.logger = logging.getLogger(info['submodule'])
#print("class init")
pass

def run(self):
ret = initial_alarm_result
ret['info'] = info
ret['fields'] = ['@timestamp','source.ip','http.headers.useragent','source.nat.ip','redir.frontend.name','redir.backend.name','infra.attack_scenario']
ret['fields'] = ['agent.hostname','@timestamp','source.ip','http.headers.useragent','source.nat.ip','redir.frontend.name','redir.backend.name','infra.attack_scenario']
ret['groupby'] = ['source.ip','http.headers.useragent']
try:
report = self.alarm_check()
Expand Down Expand Up @@ -65,7 +66,7 @@ def alarm_check(self):
qSub = qSub + " OR http.headers.useragent:%s" % keyword
qSub = qSub + ") "
#q = "%s AND redir.backendname:c2* AND tags:enrich_* AND NOT tags:alarm_* "%qSub
q = "%s AND redir.backend.name:c2* AND NOT tags:%s"%(qSub,info['submodule'])
q = "%s AND redir.backend.name:c2* AND NOT tags:alarm_useragent" % qSub
Use the submodule name instead of hardcoding alarm_useragent

true, likely has to be self.info as mentioned in some other item.

i = countQuery(q)
if i >= 10000:
i = 10000
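Review bot: `qSub = qSub + " OR http.headers.useragent:%s" % keyword` interpolates each keyword unquoted into a query_string query, and the new `q = "%s AND redir.backend.name:c2* AND NOT tags:alarm_useragent" % qSub` inherits that, so a keyword containing whitespace, a colon, parentheses or other Lucene operators changes the structure of the query or makes it fail to parse instead of matching a literal user agent. Quoting and escaping the value, `qSub = qSub + ' OR http.headers.useragent:"%s"' % keyword.replace('\\', '\\\\').replace('"', '\\"')`, keeps each keyword a single phrase term. The loop that supplies `keyword` and the head of alarm_check are outside the hunk, so whether the keyword list can carry such characters should be confirmed against where it is loaded.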
Expand Up @@ -78,7 +78,6 @@ def guiQueryWindow(q,start,end):
return(q)

def countQuery(query, index="redirtraffic-*"):
print('count')
q3 = {'query': {'query_string': {'query': query}}}
r3 = es.search(index=index, body=q3, size=0)
return(r3['hits']['total']['value'])