Issue #41 item 4 added an alarm, patched a few others #118

Merged
merged 1 commit into from
Nov 27, 2020
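--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,58 @@
+#!/usr/bin/python3
+#
+# Part of RedELK
+#
+# Authors:
+# - Outflank B.V. / Mark Bergman (@xychix)
+# - Lorenzo Bernardi (@fastlorenzo)
+#
+from modules.helpers import *
+import traceback
+import logging
+
+info = {
+'version': 0.1,
+'name': 'backend alarm module',
+'alarmmsg': 'TRAFFIC TO ANY BACKEND WITH THE WORD ALARM IN THE NAME',
+'description': 'This check queries for calls to backends that have alarm in their name',
+'type': 'redelk_alarm', # Could also contain redelk_enrich if it was an enrichment module
+'submodule': 'alarm_backendalarm'
+}
+
+
+class Module():
+def __init__(self):
+#print("class init")
+pass
+
+def run(self):
+ret = initial_alarm_result
+ret['info'] = info
+ret['fields'] = ['@timestamp','source.ip','http.headers.useragent','source.nat.ip','redir.frontend.name','redir.backend.name','infra.attack_scenario']
+ret['groupby'] = ['source.ip','http.headers.useragent']
+try:
+report = self.alarm_check()
+ret['hits']['hits'] = report['hits']
+ret['mutations'] = report['mutations']
+ret['hits']['total'] = len(report['hits'])
+except Exception as e:
+stackTrace = traceback.format_exc()
+ret['error'] = stackTrace
+self.logger.exception(e)
+pass
+self.logger.info('finished running module. result: %s hits' % ret['hits']['total'])
+return(ret)
+
+def alarm_check(self):
+# This check queries for calls to backends that have *alarm* in their name\n
+q = "redir.backend.name:*alarm* AND NOT tags:%s"%(info['submodule'])
+i = countQuery(q)
+if i >= 10000:
+i = 10000
+r = getQuery(q, i)
+if type(r) != type([]):
+r = []
+report = {}
+report['mutations'] = {}
+report['hits'] = r
+return(report)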
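Review bot: `run()` calls `self.logger.exception(e)` and `self.logger.info(...)` but `__init__` never assigns `self.logger` and `Module` has no base class, so the unconditional info call at the end of `run()` raises AttributeError unless something outside this file injects that attribute; the `logging` import is otherwise unused, which suggests the intent was `self.logger = logging.getLogger(info['submodule'])` in `__init__` in place of `pass`. Separately, `ret = initial_alarm_result` aliases the imported template rather than copying it, so every `ret[...] = ...` write mutates shared module-level state and a stale `'error'` key or hit list from one module's run can leak into the next module that starts from the same template; `ret = copy.deepcopy(initial_alarm_result)` (with `import copy`) keeps each run independent — this assumes `initial_alarm_result` is a plain dict, which the subscript writes suggest but the page does not show. The `type(r) != type([])` test in `alarm_check` reads better as `not isinstance(r, list)`.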
Expand Up @@ -40,7 +40,7 @@ def run(self):
return(ret)

def alarm_dummy(self):
q = "c2.log.type:ioc AND NOT tags:alarm_*"
q = "c2.log.type:ioc AND NOT tags:%s"%(info['submodule'])
report = {}
report['alarm'] = False
report['fname'] = "alarm_check2"
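Review bot: The rewritten query on the second line of the hunk narrows the exclusion from any `alarm_*` tag to only this module's own `info['submodule']` tag, so an IOC document already alarmed on by a different module becomes eligible here again; the other three sections only swap a hard-coded module name for `info['submodule']`, so this is the one hunk whose match set changes. If per-module deduplication is the intent, a comment on that line such as `# only this module's own tag suppresses a doc; alarms from other modules do not` would make it explicit, otherwise the previous `NOT tags:alarm_*` clause should be kept alongside the new one. This also presumes the enclosing file's `info` dict defines `'submodule'`, which is outside the hunk; `alarm_dummy` continues past the hunk.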
Expand Up @@ -45,7 +45,7 @@ def run(self):

def alarm_check(self):
# This check queries for IP's that aren't listed in any iplist* but do talk to c2* paths on redirectors\n
q = "NOT tags:iplist_* AND redir.backend.name:c2* AND NOT tags:alarm_httptraffic AND tags:enriched_*"
q = "NOT tags:iplist_* AND redir.backend.name:c2* AND tags:enriched_* AND NOT tags:%s"%(info['submodule'])
i = countQuery(q)
if i >= 10000:
i = 10000
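Review bot: The `if i >= 10000: i = 10000` clamp at the end of the hunk silently truncates `getQuery` to the first 10000 hits with no log line, and this hunk's query (every non-iplist source reaching a `c2*` backend) is the one most likely to exceed that, so matches past the cap are dropped without any trace; the same clamp appears in the new file's `alarm_check` and in the fourth section. Logging the overflow before capping, e.g. `self.logger.warning('query returned %s hits, only the first 10000 are processed' % i)` inside the `if`, makes the gap visible to the operator — this presumes the class has a `self.logger`, which is outside the hunk. The comment on the third line could also mention that a document must carry an `enriched_*` tag, since the query requires it and the comment only describes the iplist and c2 conditions; `alarm_check` continues past the hunk.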
Expand Up @@ -65,7 +65,7 @@ def alarm_check(self):
qSub = qSub + " OR http.headers.useragent:%s" % keyword
qSub = qSub + ") "
#q = "%s AND redir.backendname:c2* AND tags:enrich_* AND NOT tags:alarm_* "%qSub
q = "%s AND redir.backend.name:c2* AND NOT tags:alarm_useragent" % qSub
q = "%s AND redir.backend.name:c2* AND NOT tags:%s"%(qSub,info['submodule'])
i = countQuery(q)
if i >= 10000:
i = 10000
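Review bot: `keyword` is interpolated into the Lucene-style query on the first line of the hunk without quoting or escaping, so a keyword that contains whitespace, a colon, parentheses or other query syntax characters silently changes the meaning of the whole `qSub` expression rather than matching literally; where the keyword list comes from is outside the hunk, and if it is operator-maintained configuration the exposure is limited, but the query still breaks on an innocent entry. Wrapping the value, `qSub = qSub + ' OR http.headers.useragent:"%s"' % keyword`, or escaping reserved characters before interpolation keeps each entry a literal term — confirm against how the keywords are written, since some may rely on wildcards. The commented-out old query two lines above the change is dead code and could be removed. The loop and `alarm_check` both start above the hunk.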