diff --git a/managers/redis_manager.py b/managers/redis_manager.py
index 2162eac1c..b01473bde 100644
--- a/managers/redis_manager.py
+++ b/managers/redis_manager.py
@@ -255,8 +255,16 @@ def get_open_redis_servers(self) -> Dict[int,int]:
 continue
 line = line.split(',')
- pid, port = int(line[3]), int(line[2])
- self.open_servers_pids[pid] = port
+
+ try:
+ pid, port = int(line[3]), int(line[2])
+ self.open_servers_pids[pid] = port
+ except ValueError:
+ # sometimes slips can't get the server pid and logs "False"
+ # in the lofile instead of the PID
+ # there's nothing we can do about it
+ pass
+
 return self.open_servers_pids
diff --git a/modules/threat_intelligence/threat_intelligence.py b/modules/threat_intelligence/threat_intelligence.py
index 0f2a9d165..2275db312 100644
--- a/modules/threat_intelligence/threat_intelligence.py
+++ b/modules/threat_intelligence/threat_intelligence.py
@@ -650,9 +650,7 @@ def is_ignored_domain(self, domain):
- def set_evidence_malicious_hash(self,
- file_info: dict
- ):
+ def set_evidence_malicious_hash(self,file_info: dict):
 """
 :param file_info: dict with flow, profileid, twid, and confidence of file
 """
@@ -868,10 +866,17 @@ def is_malicious_ip(self, ip, uid, daddr, timestamp, profileid, twid, ip_state)
 )
 return True
- def is_malicious_hash(self, flow_info):
+ def is_malicious_hash(self, flow_info: dict):
 """
 :param flow_info: dict with uid, twid, ts, md5 etc.
 """
+ if not flow_info['flow']['md5']:
+ # some lines in the zeek files.log doesn't have a hash for example
+ # {"ts":293.713187,"fuid":"FpvjEj3U0Qoj1fVCQc","tx_hosts":["94.127.78.125"],"rx_hosts":["10.0.2.19"],
+ # "conn_uids":["CY7bgw3KI8QyV67jqa","CZEkWx4wAvHJv0HTw9","CmM1ggccDvwnwPCl3","CBwoAH2RcIueFH4eu9","CZVfkc4BGLqRR7wwD5"],
+ # "source":"HTTP","depth":0,"analyzers":["SHA1","SHA256","MD5"] .. }
+ return
+
 if blacklist_details := self.search_online_for_hash(flow_info):
 # the md5 appeared in a blacklist
 # update the blacklist_details dict with uid,
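Review bot: The new `try` around `pid, port = int(line[3]), int(line[2])` catches only ValueError, so a log line with fewer than four comma-separated fields still raises IndexError and aborts the whole scan of the file; `except (ValueError, IndexError):` covers both malformed shapes. The bare `pass` also means a server whose PID was logged as "False" silently disappears from `open_servers_pids`, so nothing later can find or stop it — if a project logging helper is available in this class it would be worth recording the skipped line (which helper is in scope is not visible from the hunk). The comment has a typo: "lofile" should read "logfile". The enclosing `get_open_redis_servers` method begins outside the hunk.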
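Review bot: The added guard `if not flow_info['flow']['md5']:` indexes the key directly, so a files.log entry that has no md5 field at all — which is exactly the shape of the example quoted in the comment — raises KeyError instead of being skipped; `if not flow_info['flow'].get('md5'):` handles both a missing and an empty hash (whether the flow dict always carries the key depends on the dataclass built in flow_handler, which is outside this hunk). The bare `return` yields None while the sibling `is_malicious_ip` returns True on a hit, so an explicit `return False` would keep the method's result consistently boolean for any caller that tests it. The rest of `is_malicious_hash`, including its other return paths, is outside the hunk.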
@@ -1030,6 +1035,6 @@ def main(self):
 )
 if msg:= self.get_msg('new_downloaded_file'):
- file_info = json.loads(msg['data'])
+ file_info: dict = json.loads(msg['data'])
 if file_info['type'] == 'zeek':
 self.is_malicious_hash(file_info)
diff --git a/slips_files/core/helpers/flow_handler.py b/slips_files/core/helpers/flow_handler.py
index bd95aea65..172373099 100644
--- a/slips_files/core/helpers/flow_handler.py
+++ b/slips_files/core/helpers/flow_handler.py
@@ -315,7 +315,10 @@ def handle_dhcp(self):
 def handle_files(self):
- """ Send files.log data to new_downloaded_file channel in vt module to see if it's malicious"""
+ """
+ Send files.log data to new_downloaded_file channel in the TI module to see if it's malicious
+ """
+ # files slips sees can be of 2 types: suricata or zeek
 to_send = {
 'flow': asdict(self.flow),