From e2b35580a0d1a73806eeb29a901d669edc771417 Mon Sep 17 00:00:00 2001
From: mark
Date: Tue, 17 Nov 2020 20:49:02 +0100
Subject: [PATCH] Issue #41 item 4 added an alarm, patched a few others
Issue #41 item 4 added an alarm, patched a few others Alarm is alarm_backendalarm, which alarms if there are new lines related to a backend with *alarm* in it's name,
---
 .../modules/alarm_backendalarm/module.py | 58 +++++++++++++++++++
 .../scripts/modules/alarm_dummy/module.py | 2 +-
 .../modules/alarm_httptraffic/module.py | 2 +-
 .../scripts/modules/alarm_useragent/module.py | 2 +-
 4 files changed, 61 insertions(+), 3 deletions(-)
 create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_backendalarm/module.py
diff --git a/elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_backendalarm/module.py b/elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_backendalarm/module.py
new file mode 100644
index 00000000..92cbe0fd
--- /dev/null
+++ b/elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_backendalarm/module.py
@@ -0,0 +1,58 @@
+#!/usr/bin/python3
+#
+# Part of RedELK
+#
+# Authors:
+# - Outflank B.V. / Mark Bergman (@xychix)
+# - Lorenzo Bernardi (@fastlorenzo)
+#
+from modules.helpers import *
+import traceback
+import logging
+
+info = {
+ 'version': 0.1,
+ 'name': 'backend alarm module',
+ 'alarmmsg': 'TRAFFIC TO ANY BACKEND WITH THE WORD ALARM IN THE NAME',
+ 'description': 'This check queries for calls to backends that have alarm in their name',
+ 'type': 'redelk_alarm', # Could also contain redelk_enrich if it was an enrichment module
+ 'submodule': 'alarm_backendalarm'
+}
+
+
+class Module():
+ def __init__(self):
+ #print("class init")
+ pass
+
+ def run(self):
+ ret = initial_alarm_result
+ ret['info'] = info
+ ret['fields'] = ['@timestamp','source.ip','http.headers.useragent','source.nat.ip','redir.frontend.name','redir.backend.name','infra.attack_scenario']
+ ret['groupby'] = ['source.ip','http.headers.useragent']
+ try:
+ report = self.alarm_check()
+ ret['hits']['hits'] = report['hits']
+ ret['mutations'] = report['mutations']
+ ret['hits']['total'] = len(report['hits'])
+ except Exception as e:
+ stackTrace = traceback.format_exc()
+ ret['error'] = stackTrace
+ self.logger.exception(e)
+ pass
+ self.logger.info('finished running module. result: %s hits' % ret['hits']['total'])
+ return(ret)
+
+ def alarm_check(self):
+ # This check queries for calls to backends that have *alarm* in their name\n
+ q = "redir.backend.name:*alarm* AND NOT tags:%s"%(info['submodule'])
+ i = countQuery(q)
+ if i >= 10000:
+ i = 10000
+ r = getQuery(q, i)
+ if type(r) != type([]):
+ r = []
+ report = {}
+ report['mutations'] = {}
+ report['hits'] = r
+ return(report)
diff --git a/elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_dummy/module.py b/elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_dummy/module.py
index 9358a892..cb8ffec6 100755
--- a/elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_dummy/module.py
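Review bot: `self.logger` is used in the `except` branch and in the final `info` call of `run`, but nothing in this class assigns it, so unless the module loader injects a `logger` attribute after construction the error path itself raises `AttributeError` instead of recording the failure; `logging` is already imported, so `self.logger = logging.getLogger(__name__)` in `__init__` (or a comment stating that the loader sets it) would make the contract explicit. `ret = initial_alarm_result` is followed by in-place writes to `ret['info']`, `ret['hits']` and `ret['mutations']`; if `initial_alarm_result` from `modules.helpers` is a shared module-level dict rather than a freshly built object, those writes leak into every other module that starts from it, and `ret = copy.deepcopy(initial_alarm_result)` (with `import copy`) would isolate each run. In `alarm_check`, `if type(r) != type([]):` reads better as `if not isinstance(r, list):`, and the `pass` after `self.logger.exception(e)` is dead code. The term `redir.backend.name:*alarm*` carries a leading wildcard, which is typically expensive in Elasticsearch because it cannot use the term index; a short comment stating that this cost is accepted on every scheduled run, or that the match key belongs in configuration, would help the next maintainer.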
+++ b/elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_dummy/module.py
@@ -40,7 +40,7 @@ def run(self):
 return(ret)
 
 def alarm_dummy(self):
- q = "c2.log.type:ioc AND NOT tags:alarm_*"
+ q = "c2.log.type:ioc AND NOT tags:%s"%(info['submodule'])
 report = {}
 report['alarm'] = False
 report['fname'] = "alarm_check2"
diff --git a/elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_httptraffic/module.py b/elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_httptraffic/module.py
index bdbf693b..24b16622 100755
--- a/elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_httptraffic/module.py
+++ b/elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_httptraffic/module.py
@@ -45,7 +45,7 @@ def run(self):
 
 def alarm_check(self):
 # This check queries for IP's that aren't listed in any iplist* but do talk to c2* paths on redirectors\n
- q = "NOT tags:iplist_* AND redir.backend.name:c2* AND NOT tags:alarm_httptraffic AND tags:enriched_*"
+ q = "NOT tags:iplist_* AND redir.backend.name:c2* AND tags:enriched_* AND NOT tags:%s"%(info['submodule'])
 i = countQuery(q)
 if i >= 10000:
 i = 10000
diff --git a/elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_useragent/module.py b/elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_useragent/module.py
index 5244e424..03d39db0 100755
--- a/elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_useragent/module.py
+++ b/elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_useragent/module.py
@@ -65,7 +65,7 @@ def alarm_check(self):
 qSub = qSub + " OR http.headers.useragent:%s" % keyword
 qSub = qSub + ") "
 #q = "%s AND redir.backendname:c2* AND tags:enrich_* AND NOT tags:alarm_* "%qSub
- q = "%s AND redir.backend.name:c2* AND NOT tags:alarm_useragent" % qSub
+ q = "%s AND redir.backend.name:c2* AND NOT tags:%s"%(qSub,info['submodule'])
 i = countQuery(q)
 if i >= 10000:
 i = 10000
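Review bot: The replaced line in alarm_dummy narrows the exclusion from every `tags:alarm_*` to only this module's own `info['submodule']` tag, so documents already tagged by another alarm module become hits for alarm_dummy again; if that per-module semantics is intended, a comment on the new line such as `# exclude only our own tag; other alarm modules may still have flagged the same document` would keep a later reader from restoring the wildcard. The alarm_httptraffic and alarm_useragent hunks make the equivalent substitution (their old lines already excluded only their own tag), and in alarm_useragent the spacing changes from `" % qSub"` to `"%(qSub,info['submodule'])"`, which reads as a small style regression; `"%s AND redir.backend.name:c2* AND NOT tags:%s" % (qSub, info['submodule'])` keeps the earlier form. `info` is presumably the module-level dict defined above each hunk, so the `%` formatting is not an injection point, but the value of `info['submodule']` is not visible here and must match the tag each module actually writes for the exclusion to work. alarm_dummy's body continues outside the hunk.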