for each attacker and victim, store all the evidence and the number o…

…f each one in redis
stratosphereips · Dec 6, 2023 · 5c6892c · 5c6892c
1 parent c3cd747
commit 5c6892c
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 33 deletions.
diff --git a/slips_files/core/database/database_manager.py b/slips_files/core/database/database_manager.py
@@ -854,6 +854,9 @@ def get_flows_count(self, *args, **kwargs):
     def get_redis_pid(self, *args, **kwargs):
         return self.rdb.get_redis_pid(*args, **kwargs)
 
+    def increment_attack_counter(self, *args, **kwargs):
+        return self.rdb.increment_attack_counter(*args, **kwargs)
+
     def export_labeled_flows(self, *args, **kwargs):
         """
         exports the labeled flows and altflows stored in sqlite

diff --git a/slips_files/core/database/redis_db/alert_handler.py b/slips_files/core/database/redis_db/alert_handler.py
@@ -12,6 +12,24 @@ class AlertHandler:
     """
     name = 'DB'
 
+    def increment_attack_counter(
+            self,
+            attacker: str,
+            victim: str,
+            evidence_type: str
+        ):
+        """
+        increments the value of the hash profile_attacker_evidence_summary
+        of the given victim
+        :param attacker: is a profileid
+        :param victim: IP of a victim
+        :param evidence_type: e.g. MaliciousJA3, DataExfiltration, etc.
+        """
+        self.r.hincrby(
+            f'{attacker}_evidence_sumamry',
+            f"{victim}_{evidence_type}",
+            1)
+
     def set_evidence_causing_alert(self, profileid, twid, alert_ID, evidence_IDs: list):
         """
         When we have a bunch of evidence causing an alert,

diff --git a/slips_files/core/evidence.py b/slips_files/core/evidence.py
@@ -93,37 +93,6 @@ def read_configuration(self):
         if IS_IN_A_DOCKER_CONTAINER:
             self.popup_alerts = False
 
-
-    def format_evidence_string(self, ip, detection_module, attacker,
-                               description) -> str:
-        """
-        Function to add the dns resolution of the src and dst ips of
-         each evidence
-        :return : string with a correct evidence displacement
-        """
-        evidence_string = ''
-        dns_resolution_attacker = self.db.get_dns_resolution(attacker)
-        dns_resolution_attacker = dns_resolution_attacker.get(
-            'domains', []
-        )
-        dns_resolution_attacker = dns_resolution_attacker[
-                                        :3] if dns_resolution_attacker else ''
-
-        dns_resolution_ip = self.db.get_dns_resolution(ip)
-        dns_resolution_ip = dns_resolution_ip.get('domains', [])
-        if len(dns_resolution_ip) >= 1:
-            dns_resolution_ip = dns_resolution_ip[0]
-        elif len(dns_resolution_ip) == 0:
-            dns_resolution_ip = ''
-
-        # dns_resolution_ip_final = f' DNS: {dns_resolution_ip[:3]}. ' if dns_resolution_attacker and len(
-        #     dns_resolution_ip[:3]
-        #     ) > 0 else '. '
-
-
-        return f'{evidence_string}'
-
-
     def line_wrap(self, txt):
         """
         is called for evidence that are goinng to be printed in the terminal
@@ -594,6 +563,26 @@ def get_evidence_to_log(
                        f'Detected {description}'
 
             return evidence
+    def increment_attack_counter(
+            self,
+            attacker: str,
+            victim: str,
+            evidence_type: str
+            ):
+        """
+        increments the number of attacks of this type from the given
+        attacker-> the given victim
+        used for displaying alert summary
+        """
+        # this method is here instead of the db bc here we check
+        # if the evidence is whitelisted, alerted before, etc. before we
+        # consider it as  valid evidence. this filtering is not done in the db
+        self.db.increment_attack_counter(
+            attacker,
+            victim,
+            evidence_type
+            )
+
 
     def main(self):
         while not self.should_stop():
@@ -609,7 +598,7 @@ def main(self):
                 attacker = data.get(
                     'attacker'
                 )   # example: ip, port, inTuple, outTuple, domain
-                evidence_type = data.get(
+                evidence_type: str = data.get(
                     'evidence_type'
                 )   # example: PortScan, ThreatIntelligence, etc..
                 description = data.get('description')
@@ -623,7 +612,7 @@ def main(self):
                 proto = data.get('proto', False)
                 source_target_tag = data.get('source_target_tag', False)
                 evidence_ID = data.get('ID', False)
-                victim = data.get('victim', '')
+                victim: str = data.get('victim', '')
 
                 # FP whitelisted alerts happen when the db returns an evidence
                 # that isn't processed in this channel, in the tw_evidence below
@@ -673,6 +662,8 @@ def main(self):
                 # Add the evidence to alerts.log
                 self.add_to_log_file(evidence_to_log)
 
+                self.increment_attack_counter(profileid, victim, evidence_type)
+
                 tw_evidence: dict = self.get_evidence_for_tw(profileid, twid)
                 # The accumulated threat level is for all the types of evidence for this profile
                 accumulated_threat_level: float = \