

Merge pull request #428 from stratosphereips/alya/alerts_summary
Store the number of attacks done by all attackers to all victims in the db
AlyaGomaa authored Dec 6, 2023
2 parents 6e035b2 + 5c6892c commit ceb3436
Showing 3 changed files with 45 additions and 33 deletions.
3 changes: 3 additions & 0 deletions slips_files/core/database/database_manager.py
Expand Up @@ -854,6 +854,9 @@ def get_flows_count(self, *args, **kwargs):
def get_redis_pid(self, *args, **kwargs):
return self.rdb.get_redis_pid(*args, **kwargs)

def increment_attack_counter(self, *args, **kwargs):
return self.rdb.increment_attack_counter(*args, **kwargs)

def export_labeled_flows(self, *args, **kwargs):
"""
exports the labeled flows and altflows stored in sqlite
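Review bot: The new `increment_attack_counter` pass-through carries no docstring, while the neighbouring wrapper `export_labeled_flows` documents what it forwards to; a one-liner keeps the manager consistent and tells a reader where the real logic lives: `"""Forward to AlertHandler.increment_attack_counter, which bumps the per-attacker/victim/evidence-type counter in the redis hash."""`. Because the wrapper takes `*args, **kwargs`, the docstring is the only place a caller of the manager can learn the expected argument order (attacker, victim, evidence_type).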
18 changes: 18 additions & 0 deletions slips_files/core/database/redis_db/alert_handler.py
Expand Up @@ -12,6 +12,24 @@ class AlertHandler:
"""
name = 'DB'

def increment_attack_counter(
self,
attacker: str,
victim: str,
evidence_type: str
):
"""
increments the value of the hash profile_attacker_evidence_summary
of the given victim
:param attacker: is a profileid
:param victim: IP of a victim
:param evidence_type: e.g. MaliciousJA3, DataExfiltration, etc.
"""
self.r.hincrby(
f'{attacker}_evidence_sumamry',
f"{victim}_{evidence_type}",
1)

def set_evidence_causing_alert(self, profileid, twid, alert_ID, evidence_IDs: list):
"""
When we have a bunch of evidence causing an alert,
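Review bot: The redis key built in the `self.r.hincrby` call is misspelled — `f'{attacker}_evidence_sumamry'` — so every counter is written under a `..._evidence_sumamry` hash, and any reader that looks for the `_evidence_summary` name the docstring promises will find nothing; the line should read `f'{attacker}_evidence_summary',`. The docstring also names the hash `profile_attacker_evidence_summary`, which is not the key actually built from the `attacker` argument; it should describe the real layout, e.g. `increments field <victim>_<evidence_type> of the hash <attacker>_evidence_summary by one`. Both the key and the field are plain string formatting of caller-supplied values, so an empty `victim` silently produces the field `_<evidence_type>`; either guard it here (`if not victim: return`) or state in the docstring that callers must pass a non-empty victim.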
57 changes: 24 additions & 33 deletions slips_files/core/evidence.py
Expand Up @@ -93,37 +93,6 @@ def read_configuration(self):
if IS_IN_A_DOCKER_CONTAINER:
self.popup_alerts = False


def format_evidence_string(self, ip, detection_module, attacker,
description) -> str:
"""
Function to add the dns resolution of the src and dst ips of
each evidence
:return : string with a correct evidence displacement
"""
evidence_string = ''
dns_resolution_attacker = self.db.get_dns_resolution(attacker)
dns_resolution_attacker = dns_resolution_attacker.get(
'domains', []
)
dns_resolution_attacker = dns_resolution_attacker[
:3] if dns_resolution_attacker else ''

dns_resolution_ip = self.db.get_dns_resolution(ip)
dns_resolution_ip = dns_resolution_ip.get('domains', [])
if len(dns_resolution_ip) >= 1:
dns_resolution_ip = dns_resolution_ip[0]
elif len(dns_resolution_ip) == 0:
dns_resolution_ip = ''

# dns_resolution_ip_final = f' DNS: {dns_resolution_ip[:3]}. ' if dns_resolution_attacker and len(
# dns_resolution_ip[:3]
# ) > 0 else '. '


return f'{evidence_string}'


def line_wrap(self, txt):
"""
is called for evidence that are goinng to be printed in the terminal
Expand Down Expand Up @@ -594,6 +563,26 @@ def get_evidence_to_log(
f'Detected {description}'

return evidence
def increment_attack_counter(
self,
attacker: str,
victim: str,
evidence_type: str
):
"""
increments the number of attacks of this type from the given
attacker-> the given victim
used for displaying alert summary
"""
# this method is here instead of the db bc here we check
# if the evidence is whitelisted, alerted before, etc. before we
# consider it as valid evidence. this filtering is not done in the db
self.db.increment_attack_counter(
attacker,
victim,
evidence_type
)


def main(self):
while not self.should_stop():
Expand All @@ -609,7 +598,7 @@ def main(self):
attacker = data.get(
'attacker'
) # example: ip, port, inTuple, outTuple, domain
evidence_type = data.get(
evidence_type: str = data.get(
'evidence_type'
) # example: PortScan, ThreatIntelligence, etc..
description = data.get('description')
Expand All @@ -623,7 +612,7 @@ def main(self):
proto = data.get('proto', False)
source_target_tag = data.get('source_target_tag', False)
evidence_ID = data.get('ID', False)
victim = data.get('victim', '')
victim: str = data.get('victim', '')

# FP whitelisted alerts happen when the db returns an evidence
# that isn't processed in this channel, in the tw_evidence below
Expand Down Expand Up @@ -673,6 +662,8 @@ def main(self):
# Add the evidence to alerts.log
self.add_to_log_file(evidence_to_log)

self.increment_attack_counter(profileid, victim, evidence_type)

tw_evidence: dict = self.get_evidence_for_tw(profileid, twid)
# The accumulated threat level is for all the types of evidence for this profile
accumulated_threat_level: float = \
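Review bot: The new call `self.increment_attack_counter(profileid, victim, evidence_type)` in `main` is reached with `victim` defaulting to `''` (from `data.get('victim', '')` earlier in the section) and `evidence_type` possibly `None` (from `data.get('evidence_type')`), so evidence with no victim is still counted under an empty-victim field; if that is not intended, guard the call with `if victim and evidence_type:`. The comment added to `increment_attack_counter` says the counter lives in this module so that whitelisted or already-alerted evidence is filtered out first, but the call sits before `get_evidence_for_tw`, and from the hunk alone I cannot see whether the whitelist check has already run at that point — worth confirming against the surrounding code. As a point of style, the new `def increment_attack_counter` follows `return evidence` with no blank line and is then followed by two, which is inconsistent with the one-blank-line spacing used between the other methods. `main` starts and ends outside the hunk.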
