Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
OSSIM plugin for MS TMG 2010 (Using SNARE Epilog for send FWS and WEB w3c formated logs to syslog)

There are two plugins for parsing FWS and WEB w3c logs from MS TMG 2010 on AlienVaul OSSIM and modified ParserUtil.py

tmg-web plugin and PerserUtil.py modified for add event sid 2 - Exchange ActyveSync Sync command

# Alienvault plugin
# Author: Eugene Sokolov at esguardian@outlook.com
# Plugin tmg-fws id:9005 version: 0.0.1
# Last modification: 2015-06-09 20:35
#
# Accepted products:
# microsoft - TMG 2010
#
# /etc/rsyslog.d/tmg.conf
# if ($rawmsg contains 'ISAFWSLog') then /var/log/tmg-fws.log
# if ($rawmsg contains 'ISAWebLog') then /var/log/tmg-web.log
[DEFAULT]
plugin_id=9005
[config]
type=detector
enable=yes
source=log
location=/var/log/tmg-fws.log
create_file=false
process=
start=yes
stop=no
startup=
shutdown=
[tmg-fws-plain]
event_type=event
regexp="(?P<sl_date>\SYSLOG_DATE).*ISAFWSLog#011.*?#011.*?#011(?P<date>.*?)#011(?P<time>.*?)#011(?P<ip_proto>.*?)#011(?P<s_ip>.*?):(?P<s_port>.*?)#011(?P<d_ip>.*?):(?P<d_port>.*?)#011(?P<or_ip>.*?)#011(?P<s_net>.*?)#011(?P<d_net>.*?)#011(?P<action>.*?)#011(?P<status>.*?)#011(?P<rule>.*?)#011(?P<app_proto>.*?)#011(?P<b_sent>.*?)#011(?P<b_sent_inter>.*?)#011(?P<b_received>.*?)#011(?P<b_received_inter>.*?)#011(?P<con_time>.*?)#011(?P<con_time_inter>.*?)#011(?P<username>.*?)#011(?P<agent>.*?)#011(?P<session_id>.*?)#011(?P<con_id>.*?)#011(?P<nis_result>.*?)#011(?P<nis_signature>.*?)#011(?P<nat_addr>.*?)#011(?P<fwc_app_path>.*?)#011(?P<internal_service_info>.*?)#011(?P<nis_app_proto>[\S\s]+?)"
# regexp="(?P<client_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<user>\S+)\s+(?P<user_agent>.*)\s+[N|Y]\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<service_name>\S+)\s+(?P<computername>\S+)\s+(?P<referrer>\S+)\s+(?P<remote_name>\S+)\s+(?P<target_ip>\S+)\s+(?P<remote_port>\S+)\s+(?P<time_taken>\S+)\s+(?P<bytes>\S+)\s+(?P<sc_bytes>\S+)\s+(?P<http_type>\S+)\s+(?P<protocol>\S+)\s+(?P<operation>\S+)\s+(?P<uri>\S+)\s+(?P<encoding>.*)\s+Inet\s+(?P<status>\d+)\s+"
src_ip={$or_ip}
#src_port={$s_port}
dst_ip={$d_ip}
dst_port={$d_port}
plugin_sid=1
date={normalize_date($sl_date)}
username={$username}
userdata1={$action}
userdata2={$b_received}
userdata3={$b_sent}
userdata4={$ip_proto}
userdata5={$app_proto}
userdata6={$status}
userdata7={$rule}
userdata8={$fwc_app_path}
#userdata9={$rule}
-- tmg-fws
-- plugin_id: 9005
DELETE FROM plugin WHERE id = "9005";
DELETE FROM plugin_sid where plugin_id = "9005";
INSERT IGNORE INTO plugin (id, type, name, description) VALUES (9005, 1, 'TMG-FWS', 'TMG-FWS logger');
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9005, 1, NULL, NULL, 'TMG FWS Record',1, 3);
# Alienvault plugin
# Author: Eugene Sokolov at esguardian@outlook.com
# Plugin tmg-web id:9004 version: 0.0.2
# Last modification: 2015-06-10 16:10
#
# Accepted products:
# microsoft - TMG 2010
#
# /etc/rsyslog.d/tmg.conf
# if ($rawmsg contains 'ISAFWSLog') then /var/log/tmg-fws.log
# if ($rawmsg contains 'ISAWebLog') then /var/log/tmg-web.log
[DEFAULT]
plugin_id=9004
[config]
type=detector
enable=yes
#custom_functions_file=/etc/ossim/agent/plugins/custom_functions/my_tmg_custom_functions.cfg
source=log
location=/var/log/tmg-web.log
create_file=false
process=
start=yes
stop=no
startup=
shutdown=
[tmg-web-plain]
event_type=event
regexp="(?P<sl_date>\SYSLOG_DATE).*ISAWebLog#011\S#011(?P<c_ip>\S+?)#011(?P<cs_username>[\S\s]+?)#011(?P<c_agent>[\S\s]+?)#011(?P<date>[\S\s]+?)#011(?P<time>[\S\s]+?)#011(?P<cs_compname>[\S\s]+?)#011(?P<cs_reffered>[\S\s]+?)#011(?P<r_host>[\S\s]+?)#011(?P<r_ip>[\S\s]+?)#011(?P<r_port>[\S\s]+?)#011(?P<time_taken>[\S\s]+?)#011(?P<sc_bytes>[\S\s]+?)#011(?P<cs_bytes>[\S\s]+?)#011(?P<cs_protocol>[\S\s]+?)#011(?P<s_oper>[\S\s]+?)#011(?P<cs_uri>[\S\s]+?)#011(?P<cs_mime_type>[\S\s]+?)#011(?P<s_object_source>[\S\s]+?)#011(?P<sc_status>[\S\s]+?)#011(?P<rule>[\S\s]+?)#011(?P<filter_info>[\S\s]+?)#011(?P<cs_network>[\S\s]+?)#011(?P<sc_network>[\S\s]+?)#011(?P<error_info>[\S\s]+?)#011(?P<action>[\S\s]+?)#011(?P<authServer>[\S\s]+?)#011(?P<nis_scan_result>[\S\s]+?)#011(?P<nis_signature>[\S\s]+?)#011(?P<threat_name>[\S\s]+?)#011(?P<malware_inspection_action>[\S\s]+?)#011(?P<malware_inspection_result>[\S\s]+?)#011(?P<url_category>[\S\s]+?)#011(?P<MI_delivery_method>[\S\s]+?)#011(?P<MI_duration>[\S\s]+?)#011(?P<MI_threat_level>[\S\s]+?)#011(?P<internal_service_info>[\S\s]+?)#011(?P<NIS_app_protocol>[\S\s]+?)#011(?P<NAT_address>[\S\s]+?)#011(?P<url_categorization_reason>[\S\s]+?)#011(?P<session_type>[\S\s]+?)#011(?P<url_dest_host>[\S\s]+?)#011(?P<s_port>[\S\s]+?)#011(?P<soft_block_action>[\S\s]+?)"
# regexp="(?P<client_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<user>\S+)\s+(?P<user_agent>.*)\s+[N|Y]\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<service_name>\S+)\s+(?P<computername>\S+)\s+(?P<referrer>\S+)\s+(?P<remote_name>\S+)\s+(?P<target_ip>\S+)\s+(?P<remote_port>\S+)\s+(?P<time_taken>\S+)\s+(?P<bytes>\S+)\s+(?P<sc_bytes>\S+)\s+(?P<http_type>\S+)\s+(?P<protocol>\S+)\s+(?P<operation>\S+)\s+(?P<uri>\S+)\s+(?P<encoding>.*)\s+Inet\s+(?P<status>\d+)\s+"
src_ip={$c_ip}
dst_ip={$r_ip}
dst_port={$r_port}
plugin_sid={my_tmg_web_sid($sc_bytes,$cs_bytes,$r_host,$cs_uri)}
#attention function my_tmg_web_sid i have added as internal function in ParserUtil.py
username={$cs_username}
date={normalize_date($sl_date)}
userdata1={$r_host}
userdata2={$cs_bytes}
userdata3={$sc_bytes}
userdata4={$cs_protocol}
userdata5={$s_oper}
userdata6={$sc_status}
userdata9={$cs_uri}
userdata8={$cs_reffered}
userdata7={$rule}
-- tmg-web
-- plugin_id: 9004
DELETE FROM plugin WHERE id = "9004";
DELETE FROM plugin_sid where plugin_id = "9004";
INSERT IGNORE INTO plugin (id, type, name, description) VALUES (9004, 1, 'tmg-web', 'TMG-WEB Logger');
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9004, 1, NULL, NULL, 'TMG WEB Record',1, 3);
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9004, 2, NULL, NULL, 'Exchange ActiveSync Sync command',1, 3);
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9004, 11, NULL, NULL, 'TMG WEB Client sent more than received',1, 3);
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9004, 101, NULL, NULL, 'TMG WEB Client sent large amount of data',1, 3);
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9004, 111, NULL, NULL, 'TMG WEB Client sent large amount of data and more than received',1, 3);
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9004, 1001, NULL, NULL, 'TMG WEB unwanted url',1, 3);
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9004, 1011, NULL, NULL, 'TMG WEB Client sent more than received for unwanted url',1, 3);
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9004, 1101, NULL, NULL, 'TMG WEB Client sent large amount of data for unwanted url',1, 3);
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9004, 1111, NULL, NULL, 'TMG WEB Client sent large amount of data and more than received for unwanted url',1, 3);
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9004, 2000, NULL, NULL, 'TMG WEB Possible data leek',8, 3);
# /usr/share/alienvaul/ossim-agent/ParserUtil.py
# this is modified ParserUtil.py from AlienVault OSSIM
# two section added in the begining of the original file
# and marked as 'my additional code <number> .... end of my code <number>'
# License:
#
# Copyright (c) 2003-2006 ossim.net
# Copyright (c) 2007-2014 AlienVault
# All rights reserved.
#
# This package is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 dated June, 1991.
# You may not use, modify or distribute this program under any other version
# of the GNU General Public License.
#
# This package is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this package; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
# MA 02110-1301 USA
#
#
# On Debian GNU/Linux systems, the complete text of the GNU General
# Public License can be found in `/usr/share/common-licenses/GPL-2'.
#
# Otherwise you can read it here: http://www.gnu.org/licenses/gpl-2.0.txt
#
#
# GLOBAL IMPORTS
#
import datetime
from hashlib import md5
import re
import socket
import time
import pickle
import os
import GeoIP
GEOIPDB=GeoIP.open("/usr/share/geoip/GeoLiteCity.dat",GeoIP.GEOIP_STANDARD)
# my additional code 1
UNWANTED_URLS=[]
with open("/etc/my_ossim/unwanted_urls.list","r") as f:
UNWANTED_URLS=[line.rstrip() for line in f]
f.close()
# end of my code 1
# LOCAL IMPORTS
#
from Logger import Logger
logger = Logger.logger
from SiteProtectorMap import *
from NetScreenMap import *
#
# GLOBAL VARIABLES
#
HOST_RESOLV_CACHE = {}
PROTO_TABLE = {
'1': 'icmp',
'6': 'tcp',
'17': 'udp',
}
"""Set of functions to be used in plugin configuration."""
HOST_BLACK_LIST = {}
# my additional code 2
def my_tmg_web_sid(bsent=0, breceived=0, url='0', uri=''):
if 'Microsoft-Server-ActiveSync' in uri and 'Cmd=Sync' in uri:
return 2
sid = 1
if 'in-bank.ru' in url:
return sid
bsent = int(bsent)
breceived = int (breceived)
if bsent > 1000000:
return 2000
if bsent > breceived:
sid = sid + 10
if bsent > 200000:
sid = sid + 100
for elem in UNWANTED_URLS:
dot_elem="."+elem
if elem == url or dot_elem in url:
sid = sid + 1000
break
return sid
# end of my code 2
def geoip_getData(addr,field):
record = GEOIPDB.record_by_addr(addr)
if record:
if record.has_key(field):
return record[field]
return ""
def geoip_getCity(addr):
return geoip_getData(addr,'city')
def geoip_getCountryCode(addr):
return geoip_getData(addr,'country_code')
def geoip_getCountryCode3(addr):
return geoip_getData(addr,'country_code3')
def geoip_getCountryName(addr):
return geoip_getData(addr,'country_name')
def geoip_getDmaCode(addr):
return geoip_getData(addr,'dma_code')
def geoip_getLatitude(addr):
return geoip_getData(addr,'latitude')
def geoip_getLongitude(addr):
return geoip_getData(addr,'longitude')
def geoip_getMetroCode(addr):
return geoip_getData(addr,'metro_code')
def geoip_getPostalCode(addr):
return geoip_getData(addr,'postal_code')
def geoip_getRegionCode(addr):
return geoip_getData(addr,'region')
def geoip_getRegionName(addr):
return geoip_getData(addr,'region_name')
def geoip_getTimeZone(addr):
return geoip_getData(addr,'time_zone')
def resolv(host):
"""Translate a host name to IPv4 address."""
host = host.lower()
addr=host
if HOST_RESOLV_CACHE.has_key(host):
return HOST_RESOLV_CACHE[host]
#check if we have the host in my interna cache.
if HostResolv.HOST_RESOLV_DYNAMIC_CACHE.has_key(host):
return HostResolv.HOST_RESOLV_DYNAMIC_CACHE[host][0]#returns the first ip assigned to the host.
try:
dnsquery = True
if HOST_BLACK_LIST.has_key(host):
if HOST_BLACK_LIST[host] - time.time() <=120:#timeout=5mins
dnsquery = False
if dnsquery:
addr = socket.gethostbyname(host)
HOST_RESOLV_CACHE[host] = addr
HOST_BLACK_LIST[host] = time.time()
except socket.gaierror:
addr=host
HOST_BLACK_LIST[host] = time.time()
return addr
def resolv_ip(addr):
"""Translate an IPv4 address to host name."""
try:
(hostname, aliaslist, ipaddrlist) = socket.gethostbyaddr(addr)
except socket.gaierror:
return addr
return hostname
def resolv_port(port):
"""Translate a port name into it's number."""
try:
port = socket.getservbyname(port.lower())
except socket.error:
return port
return port
def resolv_iface(iface):
"""Normalize interface name."""
if re.match("(ext|wan1).*", iface):
iface = "ext"
elif re.match("(int|port|dmz|wan).*", iface):
iface = "int"
return iface
def md5sum(datastring,plugin_obj_id=0):
m = md5()
m.update (datastring)
return m.hexdigest()
def snort_id(id):
return str(1000 + int(id))
def normalize_protocol(protocol):
"""Fill protocols table reading /etc/protocols.
try:
fd = open('/etc/protocols')
except IOError:
pass
else:
pattern = re.compile("(\w+)\s+(\d+)\s+\w+")
for line in fd.readlines():
result = pattern.search(line)
if result:
proto_name = result.groups()[0]
proto_number = result.groups()[1]
if not proto_table.has_key(proto_number):
proto_table[proto_number] = proto_name
fd.close()
"""
if PROTO_TABLE.has_key(str(protocol)):
return PROTO_TABLE[str(protocol)]
return str(protocol).lower()
### normalize_date function ###
# convert date strings to isoformat
# you must tag regular expressions with the following names:
# <year>, <month>, <minute>, <hour>, <minute>, <second>
# or <timestamp> for timestamps
# array of date regexp, sorted by probability
# change this order to suite your needs
DATE_REGEXPS = [
#DC 2/15/2012 12:00:36 PM
re.compile(r'(?P<month>\d{1,2})/(?P<day>\d{1,2})/(?P<year>\d{4})\s+(?P<hour>\d{1,2}):(?P<minute>\d\d):(?P<second>\d\d)\s+(?P<pm_am>PM|AM)'),
# Syslog -- Oct 27 10:50:46
re.compile(r'^(?P<month>\w+)\s+(?P<day>\d+)\s+(?P<hour>\d\d):(?P<minute>\d\d):(?P<second>\d\d)'),
# apache-error-log -- Fri Aug 07 17:52:19 2009
re.compile(r'(\w+)\s+(?P<month>\w+)\s+(?P<day>\d+)\s+(?P<hour>\d\d):(?P<minute>\d\d):(?P<second>\d\d)\s+(?P<year>\d\d\d\d)'),
# syslog-ng -- Oct 27 2007 10:50:46
re.compile(r'(?P<month>\w+)\s+(?P<day>\d+)\s+(?P<year>\d\d\d\d)\s+(?P<hour>\d\d):(?P<minute>\d\d):(?P<second>\d\d)'),
# bind9 -- 10-Aug-2009 07:53:44
re.compile(r'(?P<day>\d+)-(?P<month>\w+)-(?P<year>\d\d\d\d)\s+(?P<hour>\d\d):(?P<minute>\d\d):(?P<second>\d\d)'),
# Snare -- Sun Jan 28 15:15:32 2007
re.compile(r'\S+\s+(?P<month>\S+)\s+(?P<day>\d+)\s+(?P<hour>\d\d):(?P<minute>\d\d):(?P<second>\d\d)\s+(?P<year>\d+)'),
# snort -- 11/08-19:19:06
re.compile(r'^(?P<month>\d\d)/(?P<day>\d\d)(/?(?P<year>\d\d))?-(?P<hour>\d\d):(?P<minute>\d\d):(?P<second>\d\d)'),
# arpwatch -- Monday, March 15, 2004 15:39:19 +0000
re.compile(r'(\w+), (?P<month>\w+) (?P<day>\d{1,2}), (?P<year>\d{4}) (?P<hour>\d+):(?P<minute>\d+):(?P<second>\d+)'),
# heartbeat -- 2006/10/19_11:40:05
# raslog(1581) -- 2009/03/05-11:04:36
re.compile(r'(?P<year>\d+)/(?P<month>\d+)/(?P<day>\d+)[_-](?P<hour>\d+):(?P<minute>\d+):(?P<second>\d+)'),
# netgear -- 11/03/2004 19:45:46
re.compile(r'(?P<day>\d+)/(?P<month>\d+)/(?P<year>\d{4})\s(?P<hour>\d+):(?P<minute>\d+):(?P<second>\d+)'),
# tarantella -- 2007/10/18 14:38:03
re.compile(r'(?P<year>\d{4})/(?P<month>\d+)/(?P<day>\d+)\s(?P<hour>\d+):(?P<minute>\d+):(?P<second>\d+)'),
# citrix 02/28/2013:12:00:00
re.compile(r'(?P<month>(0?[1-9])|(1[0-2]))/(?P<day>(1[0-9])|(2[0-9])|(3[0-1])|(0?[0-9]))/(?P<year>\d{4}):(?P<hour>\d{1,2}):(?P<minute>\d{1,2}):(?P<second>\d{1,2})'),
# OSSEC -- 2007 Nov 17 06:26:18
# Intrushield -- 2007-Nov-17 06:26:18 CET
re.compile(r'(?P<year>\d{4})[-\s](?P<month>\w{3})[-\s](?P<day>\d{2})\s+(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})'),
# ibm applications -- 11/03/07 19:22:22
# apache -- 29/Jan/2007:17:02:20
re.compile(r'(?P<day>\d+)/(?P<month>\w+)/(?P<year>\d+)[\s:](?P<hour>\d+):(?P<minute>\d+):(?P<second>\d+)'),
# lucent brick hhmmss
# hhmmss,timestamp
re.compile(r'^(?P<hour>\d\d)(?P<minute>\d\d)(?P<second>\d\d),(?P<timestamp>\d+)$'),
re.compile(r'^(?P<hour>\d\d)(?P<minute>\d\d)(?P<second>\d\d)(?:\+|\-)$'),
re.compile(r'^(?P<hour>\d\d)(?P<minute>\d\d)(?P<second>\d\d)$'),
# rrd, nagios -- 1162540224
re.compile(r'^(?P<timestamp>\d+)$'),
#FileZilla -- 11.03.2009 19:45:46
re.compile(r'(?P<day>\d+)\.(?P<month>\d+)\.(?P<year>\d{4})\s(?P<hour>\d+):(?P<minute>\d+):(?P<second>\d+)'),
# hp eva -- 2 18 2009 14 9 52
re.compile(r'(?P<month>\d{1,2}) (?P<day>\d{1,2}) (?P<year>\d{4}) (?P<hour>\d{1,2}) (?P<minute>\d{1,2}) (?P<second>\d{1,2})'),
# Websense -- Wed 14 Apr 2010 12:35:10
# Websense2 -- 11 Jan 2011 09:44:18 AM
# nessus 12 May 2012 00:00:03
re.compile(r'(?P<day>\d{1,2})\s+(?P<month>\w{3})\s+(?P<year>\d{4})\s+(?P<hour>\d\d):(?P<minute>\d\d):(?P<second>\d\d)(\s+(?P<pm_am>AM|PM))?'),
# Exchange Message Tracking Log -- 2011-07-08T14:13:42.237Z
re.compile(r'(?P<year>\d+)-(?P<month>\d+)-(?P<day>\d+)T(?P<hour>\d\d):(?P<minute>\d\d):(?P<second>\d\d).+'),
# SonicWall -- 2011-05-12 07 59 01
re.compile(r'(?P<year>\d{4})-(?P<month>\d+)-(?P<day>\d+)\s(?P<hour>\d+)\s(?P<minute>\d+)\s(?P<second>\d+)'),
# CSV format date -- 09/30/2011,10:56:11
re.compile('(?P<month>[0-9][0-9])/(?P<day>[0-3][0-9])/(?P<year>\d{4})\,(?P<hour>[0-2][0-9]):(?P<minute>[0-6][0-9]):(?P<second>[0-6][0-9])'),
# honeyd -- 2011-05-17-09:42:24
re.compile(r'(?P<year>\d{4})-(?P<month>\d+)-(?P<day>\d+)-(?P<hour>\d+):(?P<minute>\d+):(?P<second>\d+)'),
#Epilog de logparser 2011-11-21 06: 15:02
re .compile(r'(?P<year>\d{4})-(?P<month>\d+)-(?P<day>\d+)\s+(?P<hour>\d+):\s+(?P<minute>\d+):(?P<second>\d+)'),
#WMI -- 20111111084344.000000-000
re.compile(r'(?P<year>\d{4})(?P<month>\d{2})(?P<day>\d{2})(?P<hour>\d{2})(?P<minute>\d{2})(?P<second>\d{2}).'),
#20120202 12:12:12
re.compile(r'(?P<year>\d{4})(?P<month>\d{2})(?P<day>\d{2}) (?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})'),
#SNMPTRAP -- mar 07 feb, 2012 - 08:39:49
re.compile(r'\S+\s+(?P<day>\d{2})\s(?P<month>\w+),\s(?P<year>\d{4})\s-\s(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})'),
#CheckPoint-LML-raw - 1Feb2012;0:05:58/1Feb2012 0:05:58
re.compile(r'(?P<day>\d{1,2})(?P<month>\w+)(?P<year>\d{4})(?:\s|;)+(?P<hour>\d{1,2}):(?P<minute>\d{1,2}):(?P<second>\d{1,2})'),
# Lilian Date -- 11270 02:00:16
# Lilian is the number of days since the beginning of the Gregorian Calendar on October 15, 1582,
re.compile(r'(?P<lilian>\d{5})\s+(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})'),
#bluecoat -- 2011-05-17 09:42:24
re.compile(r'(?P<year>\d{4})-(?P<month>\d+)-(?P<day>\d+)\s+(?P<hour>\d+):(?P<minute>\d+):(?P<second>\d+)'),
#suricata -- 03/20/2012-12:12:24.376349
re.compile(r'(?P<month>\d+)/(?P<day>\d+)/(?P<year>\d+)-(?P<hour>\d+):(?P<minute>\d+):(?P<second>\d+)'),
#Fortigate date=2015-03-17 time=22:03:55
re.compile('(?P<year>\d{4})-(?P<month>\d+)-(?P<day>\d+)\s+time=(?P<hour>\d+):(?P<minute>\d+):(?P<second>\d+)'),
]
def normalize_date_american(string_date):
date = normalize_date(string_date, True)
return date
def normalize_date(string, american_format=False):
"""For adding new date formats you should only
add a new regexp in the above array
"""
local_datetime = datetime.datetime.utcnow()
if not isinstance(string, basestring) or string == "":
logger.warning("No string for normalize_date '%s'" % string)
return ""
try_other = True
dict = {}
matched = False
if american_format:
american_regex = re.compile("(?P<month>\d{2})\/(?P<day>\d{2})\/(?P<year>\d{4})\s+(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})")
result = american_regex.search(string)
if result:
dict = result.groupdict()
try_other = False
matched = True
if try_other:
for pattern in DATE_REGEXPS:
result = pattern.match(string)
if result is None:
continue
matched = True
dict = result.groupdict()
if dict.has_key('month') and str(dict['month']).isdigit():
try:
month_int = int(str(dict['month']))
if month_int > 12:
logger.info("invalid moth:%s" % dict['month'])
dict.clear()
continue
except Exception, e:
dict.clear()
continue
if dict.has_key('day')and str(dict['day']).isdigit():
try:
day_int = int(str(dict['day']))
if day_int > 31:
dict.clear()
continue
except Exception, e :
dict.clear()
continue
break
if not matched:
logger.warning("Date: %s not matched" % string)
return string
if dict.has_key('hour') and dict.has_key('pm_am'):
try:
hour = int(dict['hour'])
pm_am = dict['pm_am'].lower()
if pm_am == "pm":
if hour == 12:
hour = 0
else:
hour += 12
dict['hour'] = str(hour)
except Exception, e:
pass
### put here all sanity transformations you need
if dict.has_key('timestamp'):
(dict['year'], dict['month'], dict['day'],
dict['hour'], dict['minute'], dict['second'], a, b, c) = \
time.localtime(float(dict['timestamp']))
elif dict.has_key('lilian'):
stringlilian="%s %s:%s:%s"% (dict['lilian'],dict['hour'],dict['minute'],dict['second'])
return datetime.datetime.strptime(stringlilian, "%y%j %H:%M:%S")
# year
if dict.has_key('year') and not dict['year']:
dict['year'] = str(local_datetime.year)
#dict['year'] = \
# time.strftime('%Y', time.localtime(time.time()))
elif not dict.has_key('year'):
dict['year'] = str(local_datetime.year)
#dict['year'] = \
# time.strftime('%Y', time.localtime(time.time()))
elif len(str(dict['year'])) == 2:
dict['year'] = '20' + str(dict['year'])
# month
if not dict.has_key('month'):
dict['month'] = \
time.strftime('%m', time.localtime(time.time()))
elif dict.has_key('month') and not dict['month']:
dict['month'] = \
time.strftime('%m', time.localtime(time.time()))
elif len(str(dict['month'])) == 1:
dict['month'] = '0' + str(dict['month'])
# day
if not dict.has_key('day'):
dict['day'] = \
time.strftime('%d', time.localtime(time.time()))
elif dict.has_key('day') and not dict['day']:
dict['day'] = \
time.strftime('%d', time.localtime(time.time()))
elif len(str(dict['day'])) == 1:
dict['day'] = '0' + str(dict['day'])
# Fix month
if not str(dict['month']).isdigit():
try:
dict['month'] = \
time.strftime('%m', time.strptime(dict['month'], "%b"))
except ValueError:
try:
dict['month'] = \
time.strftime('%m', time.strptime(dict['month'], "%B"))
except ValueError:
pass
except Exception,e:
pass
# seconds
if not dict.has_key('second'):
dict['second'] = 00
# 31st Dic fix
try:
datemonth = int(dict['month'])
if datemonth == 12 and local_datetime.month == 1:
dict['year'] = str(local_datetime.year - 1)
except:
pass
### end of transformations
# now, let's go to translate string
try:
date = datetime.datetime(year=int(dict['year']),
month=int(dict['month']),
day=int(dict['day']),
hour=int(dict['hour']),
minute=int(dict['minute']),
second=int(dict['second'])).isoformat(' ')
except Exception, e:
logger.error("There was an error in normalize_date() function: %s" % str(e))
else:
return date
return string
def upper(string):
return string.upper()
def sanitize(data):
return data.replace("\n", "\r")
def hextoint(string):
try:
return int(string, 16)
except ValueError:
pass
def intrushield_sid(mcafee_sid, mcafee_name):
# All McAfee Intrushield id are divisible by 256, and this length doesn't fit in OSSIM's table
mcafee_sid = hextoint(mcafee_sid) / 256
mcafee_name = mcafee_name.replace('-', ':')
# Calculate hash based in event name
mcafee_subsid = abs(mcafee_name.__hash__())
# Ugly method to avoid duplicated sids
mcafee_hash2 = 0
for i in range(0, len(mcafee_name)):
mcafee_hash2 = mcafee_hash2 + ord(mcafee_name[i])
ossim_sid = int(str(mcafee_hash2)[-1:] + str(int(str(mcafee_subsid)[-7:]) + mcafee_sid))
return ossim_sid
def netscreen_idp_sid(message):
if NETSCREEN_IDP_SID_TRANSLATION_TABLE.has_key(message):
return NETSCREEN_IDP_SID_TRANSLATION_TABLE[message]
# missing sid
return '99999'
#Dummy function
def checkValue(val):
if val is not None and val != 0 and val != "0" and val != "" and val != "" and val != 1 and val != "1":
return 1
elif val is not None:
return 0
else:
return None
def iss_siteprotector_sid(message):
if ISS_SITEPROTECTOR_SID_TRANSLATION_MAP.has_key(message):
return ISS_SITEPROTECTOR_SID_TRANSLATION_MAP[message]
return '99999'
#Funtion to translate Windows Security Audit Event Accesses IDs to text
#From http://my.opera.com/Lee_Harvey/blog/2008/10/14/microsoft-windows-security-audit-event-accesses-ids
def translate_wsaea_IDs(string):
string_translated = ''
ids = { '%%279': 'Undefined Access (no effect) Bit 7',
'%%1536': 'Unused message ID',
'%%1537': 'DELETE',
'%%1538': 'READ_CONTROL',
'%%1539': 'WRITE_DAC',
'%%1540': 'WRITE_OWNER',
'%%1541': 'SYNCHRONIZE',
'%%1542': 'ACCESS_SYS_SEC',
'%%1543': 'MAX_ALLOWED',
'%%1552': 'Unknown specific access (bit 0)',
'%%1553': 'Unknown specific access (bit 1)',
'%%1554': 'Unknown specific access (bit 2)',
'%%1555': 'Unknown specific access (bit 3)',
'%%1556': 'Unknown specific access (bit 4)',
'%%1557': 'Unknown specific access (bit 5)',
'%%1558': 'Unknown specific access (bit 6)',
'%%1559': 'Unknown specific access (bit 7)',
'%%1560': 'Unknown specific access (bit 8)',
'%%1561': 'Unknown specific access (bit 9)',
'%%1562': 'Unknown specific access (bit 10)',
'%%1563': 'Unknown specific access (bit 11)',
'%%1564': 'Unknown specific access (bit 12)',
'%%1565': 'Unknown specific access (bit 13)',
'%%1566': 'Unknown specific access (bit 14)',
'%%1567': 'Unknown specific access (bit 15)',
'%%1601': 'Not used',
'%%1603': 'Assign Primary Token Privilege',
'%%1604': 'Lock Memory Privilege',
'%%1605': 'Increase Memory Quota Privilege',
'%%1606': 'Unsolicited Input Privilege',
'%%1607': 'Trusted Computer Base Privilege',
'%%1608': 'Security Privilege',
'%%1609': 'Take Ownership Privilege',
'%%1610': 'Load/Unload Driver Privilege',
'%%1611': 'Profile System Privilege',
'%%1612': 'Set System Time Privilege',
'%%1613': 'Profile Single Process Privilege',
'%%1614': 'Increment Base Priority Privilege',
'%%1615': 'Create Pagefile Privilege',
'%%1616': 'Create Permanent Object Privilege',
'%%1617': 'Backup Privilege',
'%%1618': 'Restore From Backup Privilege',
'%%1619': 'Shutdown System Privilege',
'%%1620': 'Debug Privilege',
'%%1621': 'View or Change Audit Log Privilege',
'%%1622': 'Change Hardware Environment Privilege',
'%%1623': 'Change Notify (and Traverse) Privilege',
'%%1624': 'Remotely Shut System Down Privilege',
'%%4352': 'Device Access Bit 0',
'%%4353': 'Device Access Bit 1',
'%%4354': 'Device Access Bit 2',
'%%4355': 'Device Access Bit 3',
'%%4356': 'Device Access Bit 4',
'%%4357': 'Device Access Bit 5',
'%%4358': 'Device Access Bit 6',
'%%4359': 'Device Access Bit 7',
'%%4360': 'Device Access Bit 8',
'%%4361': 'Undefined Access (no effect) Bit 9',
'%%4362': 'Undefined Access (no effect) Bit 10',
'%%4363': 'Undefined Access (no effect) Bit 11',
'%%4364': 'Undefined Access (no effect) Bit 12',
'%%4365': 'Undefined Access (no effect) Bit 13',
'%%4366': 'Undefined Access (no effect) Bit 14',
'%%4367': 'Undefined Access (no effect) Bit 15',
'%%4368': 'Query directory',
'%%4369': 'Traverse',
'%%4370': 'Create object in directory',
'%%4371': 'Create sub-directory',
'%%4372': 'Undefined Access (no effect) Bit 4',
'%%4373': 'Undefined Access (no effect) Bit 5',
'%%4374': 'Undefined Access (no effect) Bit 6',
'%%4375': 'Undefined Access (no effect) Bit 7',
'%%4376': 'Undefined Access (no effect) Bit 8',
'%%4377': 'Undefined Access (no effect) Bit 9',
'%%4378': 'Undefined Access (no effect) Bit 10',
'%%4379': 'Undefined Access (no effect) Bit 11',
'%%4380': 'Undefined Access (no effect) Bit 12',
'%%4381': 'Undefined Access (no effect) Bit 13',
'%%4382': 'Undefined Access (no effect) Bit 14',
'%%4383': 'Undefined Access (no effect) Bit 15',
'%%4384': 'Query event state',
'%%4385': 'Modify event state',
'%%4386': 'Undefined Access (no effect) Bit 2',
'%%4387': 'Undefined Access (no effect) Bit 3',
'%%4388': 'Undefined Access (no effect) Bit 4',
'%%4389': 'Undefined Access (no effect) Bit 5',
'%%4390': 'Undefined Access (no effect) Bit 6',
'%%4391': 'Undefined Access (no effect) Bit 7',
'%%4392': 'Undefined Access (no effect) Bit 8',
'%%4393': 'Undefined Access (no effect) Bit 9',
'%%4394': 'Undefined Access (no effect) Bit 10',
'%%4395': 'Undefined Access (no effect) Bit 11',
'%%4396': 'Undefined Access (no effect) Bit 12',
'%%4397': 'Undefined Access (no effect) Bit 13',
'%%4398': 'Undefined Access (no effect) Bit 14',
'%%4399': 'Undefined Access (no effect) Bit 15',
'%%4416': 'ReadData (or ListDirectory)',
'%%4417': 'WriteData (or AddFile)',
'%%4418': 'AppendData (or AddSubdirectory or CreatePipeInstance)',
'%%4419': 'ReadEA',
'%%4420': 'WriteEA',
'%%4421': 'Execute/Traverse',
'%%4422': 'DeleteChild',
'%%4423': 'ReadAttributes',
'%%4424': 'WriteAttributes',
'%%4425': 'Undefined Access (no effect) Bit 9',
'%%4426': 'Undefined Access (no effect) Bit 10',
'%%4427': 'Undefined Access (no effect) Bit 11',
'%%4428': 'Undefined Access (no effect) Bit 12',
'%%4429': 'Undefined Access (no effect) Bit 13',
'%%4430': 'Undefined Access (no effect) Bit 14',
'%%4431': 'Undefined Access (no effect) Bit 15',
'%%4432': 'Query key value',
'%%4433': 'Set key value',
'%%4434': 'Create sub-key',
'%%4435': 'Enumerate sub-keys',
'%%4436': 'Notify about changes to keys',
'%%4437': 'Create Link',
'%%4438': 'Undefined Access (no effect) Bit 6',
'%%4439': 'Undefined Access (no effect) Bit 7',
'%%4440': 'Undefined Access (no effect) Bit 8',
'%%4441': 'Undefined Access (no effect) Bit 9',
'%%4442': 'Undefined Access (no effect) Bit 10',
'%%4443': 'Undefined Access (no effect) Bit 11',
'%%4444': 'Undefined Access (no effect) Bit 12',
'%%4445': 'Undefined Access (no effect) Bit 13',
'%%4446': 'Undefined Access (no effect) Bit 14',
'%%4447': 'Undefined Access (no effect) Bit 15',
'%%4448': 'Query mutant state',
'%%4449': 'Undefined Access (no effect) Bit 1',
'%%4450': 'Undefined Access (no effect) Bit 2',
'%%4451': 'Undefined Access (no effect) Bit 3',
'%%4452': 'Undefined Access (no effect) Bit 4',
'%%4453': 'Undefined Access (no effect) Bit 5',
'%%4454': 'Undefined Access (no effect) Bit 6',
'%%4455': 'Undefined Access (no effect) Bit 7',
'%%4456': 'Undefined Access (no effect) Bit 8',
'%%4457': 'Undefined Access (no effect) Bit 9',
'%%4458': 'Undefined Access (no effect) Bit 10',
'%%4459': 'Undefined Access (no effect) Bit 11',
'%%4460': 'Undefined Access (no effect) Bit 12',
'%%4461': 'Undefined Access (no effect) Bit 13',
'%%4462': 'Undefined Access (no effect) Bit 14',
'%%4463': 'Undefined Access (no effect) Bit 15',
'%%4464': 'Communicate using port',
'%%4465': 'Undefined Access (no effect) Bit 1',
'%%4466': 'Undefined Access (no effect) Bit 2',
'%%4467': 'Undefined Access (no effect) Bit 3',
'%%4468': 'Undefined Access (no effect) Bit 4',
'%%4469': 'Undefined Access (no effect) Bit 5',
'%%4470': 'Undefined Access (no effect) Bit 6',
'%%4471': 'Undefined Access (no effect) Bit 7',
'%%4472': 'Undefined Access (no effect) Bit 8',
'%%4473': 'Undefined Access (no effect) Bit 9',
'%%4474': 'Undefined Access (no effect) Bit 10',
'%%4475': 'Undefined Access (no effect) Bit 11',
'%%4476': 'Undefined Access (no effect) Bit 12',
'%%4477': 'Undefined Access (no effect) Bit 13',
'%%4478': 'Undefined Access (no effect) Bit 14',
'%%4479': 'Undefined Access (no effect) Bit 15',
'%%4480': 'Force process termination',
'%%4481': 'Create new thread in process',
'%%4482': 'Unused access bit',
'%%4483': 'Perform virtual memory operation',
'%%4484': 'Read from process memory',
'%%4485': 'Write to process memory',
'%%4486': 'Duplicate handle into or out of process',
'%%4487': 'Create a subprocess of process',
'%%4488': 'Set process quotas',
'%%4489': 'Set process information',
'%%4490': 'Query process information',
'%%4491': 'Set process termination port',
'%%4492': 'Undefined Access (no effect) Bit 12',
'%%4493': 'Undefined Access (no effect) Bit 13',
'%%4494': 'Undefined Access (no effect) Bit 14',
'%%4495': 'Undefined Access (no effect) Bit 15',
'%%4496': 'Control profile',
'%%4497': 'Undefined Access (no effect) Bit 1',
'%%4498': 'Undefined Access (no effect) Bit 2',
'%%4499': 'Undefined Access (no effect) Bit 3',
'%%4500': 'Undefined Access (no effect) Bit 4',
'%%4501': 'Undefined Access (no effect) Bit 5',
'%%4502': 'Undefined Access (no effect) Bit 6',
'%%4503': 'Undefined Access (no effect) Bit 7',
'%%4504': 'Undefined Access (no effect) Bit 8',
'%%4505': 'Undefined Access (no effect) Bit 9',
'%%4506': 'Undefined Access (no effect) Bit 10',
'%%4507': 'Undefined Access (no effect) Bit 11',
'%%4508': 'Undefined Access (no effect) Bit 12',
'%%4509': 'Undefined Access (no effect) Bit 13',
'%%4510': 'Undefined Access (no effect) Bit 14',
'%%4511': 'Undefined Access (no effect) Bit 15',
'%%4512': 'Query section state',
'%%4513': 'Map section for write',
'%%4514': 'Map section for read',
'%%4515': 'Map section for execute',
'%%4516': 'Extend size',
'%%4517': 'Undefined Access (no effect) Bit 5',
'%%4518': 'Undefined Access (no effect) Bit 6',
'%%4519': 'Undefined Access (no effect) Bit 7',
'%%4520': 'Undefined Access (no effect) Bit 8',
'%%4521': 'Undefined Access (no effect) Bit 9',
'%%4522': 'Undefined Access (no effect) Bit 10',
'%%4523': 'Undefined Access (no effect) Bit 11',
'%%4524': 'Undefined Access (no effect) Bit 12',
'%%4525': 'Undefined Access (no effect) Bit 13',
'%%4526': 'Undefined Access (no effect) Bit 14',
'%%4527': 'Undefined Access (no effect) Bit 15',
'%%4528': 'Query semaphore state',
'%%4529': 'Modify semaphore state',
'%%4530': 'Undefined Access (no effect) Bit 2',
'%%4531': 'Undefined Access (no effect) Bit 3',
'%%4532': 'Undefined Access (no effect) Bit 4',
'%%4533': 'Undefined Access (no effect) Bit 5',
'%%4534': 'Undefined Access (no effect) Bit 6',
'%%4535': 'Undefined Access (no effect) Bit 7',
'%%4536': 'Undefined Access (no effect) Bit 8',
'%%4537': 'Undefined Access (no effect) Bit 9',
'%%4538': 'Undefined Access (no effect) Bit 10',
'%%4539': 'Undefined Access (no effect) Bit 11',
'%%4540': 'Undefined Access (no effect) Bit 12',
'%%4541': 'Undefined Access (no effect) Bit 13',
'%%4542': 'Undefined Access (no effect) Bit 14',
'%%4543': 'Undefined Access (no effect) Bit 15',
'%%4544': 'Use symbolic link',
'%%4545': 'Undefined Access (no effect) Bit 1',
'%%4546': 'Undefined Access (no effect) Bit 2',
'%%4547': 'Undefined Access (no effect) Bit 3',
'%%4548': 'Undefined Access (no effect) Bit 4',
'%%4549': 'Undefined Access (no effect) Bit 5',
'%%4550': 'Undefined Access (no effect) Bit 6',
'%%4551': 'Undefined Access (no effect) Bit 7',
'%%4552': 'Undefined Access (no effect) Bit 8',
'%%4553': 'Undefined Access (no effect) Bit 9',
'%%4554': 'Undefined Access (no effect) Bit 10',
'%%4555': 'Undefined Access (no effect) Bit 11',
'%%4556': 'Undefined Access (no effect) Bit 12',
'%%4557': 'Undefined Access (no effect) Bit 13',
'%%4558': 'Undefined Access (no effect) Bit 14',
'%%4559': 'Undefined Access (no effect) Bit 15',
'%%4560': 'Force thread termination',
'%%4561': 'Suspend or resume thread',
'%%4562': 'Send an alert to thread',
'%%4563': 'Get thread context',
'%%4564': 'Set thread context',
'%%4565': 'Set thread information',
'%%4566': 'Query thread information',
'%%4567': 'Assign a token to the thread',
'%%4568': 'Cause thread to directly impersonate another thread',
'%%4569': 'Directly impersonate this thread',
'%%4570': 'Undefined Access (no effect) Bit 10',
'%%4571': 'Undefined Access (no effect) Bit 11',
'%%4572': 'Undefined Access (no effect) Bit 12',
'%%4573': 'Undefined Access (no effect) Bit 13',
'%%4574': 'Undefined Access (no effect) Bit 14',
'%%4575': 'Undefined Access (no effect) Bit 15',
'%%4576': 'Query timer state',
'%%4577': 'Modify timer state',
'%%4578': 'Undefined Access (no effect) Bit 2',
'%%4579': 'Undefined Access (no effect) Bit 3',
'%%4580': 'Undefined Access (no effect) Bit 4',
'%%4581': 'Undefined Access (no effect) Bit 5',
'%%4582': 'Undefined Access (no effect) Bit 6',
'%%4584': 'Undefined Access (no effect) Bit 8',
'%%4585': 'Undefined Access (no effect) Bit 9',
'%%4586': 'Undefined Access (no effect) Bit 10',
'%%4587': 'Undefined Access (no effect) Bit 11',
'%%4588': 'Undefined Access (no effect) Bit 12',
'%%4589': 'Undefined Access (no effect) Bit 13',
'%%4590': 'Undefined Access (no effect) Bit 14',
'%%4591': 'Undefined Access (no effect) Bit 15',
'%%4592': 'AssignAsPrimary',
'%%4593': 'Duplicate',
'%%4594': 'Impersonate',
'%%4595': 'Query',
'%%4596': 'QuerySource',
'%%4597': 'AdjustPrivileges',
'%%4598': 'AdjustGroups',
'%%4599': 'AdjustDefaultDacl',
'%%4600': 'Undefined Access (no effect) Bit 8',
'%%4601': 'Undefined Access (no effect) Bit 9',
'%%4602': 'Undefined Access (no effect) Bit 10',
'%%4603': 'Undefined Access (no effect) Bit 11',
'%%4604': 'Undefined Access (no effect) Bit 12',
'%%4605': 'Undefined Access (no effect) Bit 13',
'%%4606': 'Undefined Access (no effect) Bit 14',
'%%4607': 'Undefined Access (no effect) Bit 15',
'%%4608': 'Create instance of object type',
'%%4609': 'Undefined Access (no effect) Bit 1',
'%%4610': 'Undefined Access (no effect) Bit 2',
'%%4611': 'Undefined Access (no effect) Bit 3',
'%%4612': 'Undefined Access (no effect) Bit 4',
'%%4613': 'Undefined Access (no effect) Bit 5',
'%%4614': 'Undefined Access (no effect) Bit 6',
'%%4615': 'Undefined Access (no effect) Bit 7',
'%%4616': 'Undefined Access (no effect) Bit 8',
'%%4617': 'Undefined Access (no effect) Bit 9',
'%%4618': 'Undefined Access (no effect) Bit 10',
'%%4619': 'Undefined Access (no effect) Bit 11',
'%%4620': 'Undefined Access (no effect) Bit 12',
'%%4621': 'Undefined Access (no effect) Bit 13',
'%%4622': 'Undefined Access (no effect) Bit 14',
'%%4623': 'Undefined Access (no effect) Bit 15',
'%%4864': 'Query State',
'%%4865': 'Modify State',
'%%5120': 'Channel read message',
'%%5121': 'Channel write message',
'%%5122': 'Channel query information',
'%%5123': 'Channel set information',
'%%5124': 'Undefined Access (no effect) Bit 4',
'%%5125': 'Undefined Access (no effect) Bit 5',
'%%5126': 'Undefined Access (no effect) Bit 6',
'%%5127': 'Undefined Access (no effect) Bit 7',
'%%5128': 'Undefined Access (no effect) Bit 8',
'%%5129': 'Undefined Access (no effect) Bit 9',
'%%5130': 'Undefined Access (no effect) Bit 10',
'%%5131': 'Undefined Access (no effect) Bit 11',
'%%5132': 'Undefined Access (no effect) Bit 12',
'%%5133': 'Undefined Access (no effect) Bit 13',
'%%5134': 'Undefined Access (no effect) Bit 14',
'%%5135': 'Undefined Access (no effect) Bit 15',
'%%5136': 'Assign process',
'%%5137': 'Set Attributes',
'%%5138': 'Query Attributes',
'%%5139': 'Terminate Job',
'%%5140': 'Set Security Attributes',
'%%5141': 'Undefined Access (no effect) Bit 5',
'%%5142': 'Undefined Access (no effect) Bit 6',
'%%5143': 'Undefined Access (no effect) Bit 7',
'%%5144': 'Undefined Access (no effect) Bit 8',
'%%5145': 'Undefined Access (no effect) Bit 9',
'%%5146': 'Undefined Access (no effect) Bit 10',
'%%5147': 'Undefined Access (no effect) Bit 11',
'%%5148': 'Undefined Access (no effect) Bit 12',
'%%5149': 'Undefined Access (no effect) Bit 13',
'%%5150': 'Undefined Access (no effect) Bit 14',
'%%5151': 'Undefined Access (no effect) Bit 15',
'%%5376': 'ConnectToServer',
'%%5377': 'ShutdownServer',
'%%5378': 'InitializeServer',
'%%5379': 'CreateDomain',
'%%5380': 'EnumerateDomains',
'%%5381': 'LookupDomain',
'%%5382': 'Undefined Access (no effect) Bit 6',
'%%5383': 'Undefined Access (no effect) Bit 7',
'%%5384': 'Undefined Access (no effect) Bit 8',
'%%5385': 'Undefined Access (no effect) Bit 9',
'%%5386': 'Undefined Access (no effect) Bit 10',
'%%5387': 'Undefined Access (no effect) Bit 11',
'%%5388': 'Undefined Access (no effect) Bit 12',
'%%5389': 'Undefined Access (no effect) Bit 13',
'%%5390': 'Undefined Access (no effect) Bit 14',
'%%5391': 'Undefined Access (no effect) Bit 15',
'%%5392': 'ReadPasswordParameters',
'%%5393': 'WritePasswordParameters',
'%%5394': 'ReadOtherParameters',
'%%5395': 'WriteOtherParameters',
'%%5396': 'CreateUser',
'%%5397': 'CreateGlobalGroup',
'%%5398': 'CreateLocalGroup',
'%%5399': 'GetLocalGroupMembership',
'%%5400': 'ListAccounts',
'%%5401': 'LookupIDs',
'%%5402': 'AdministerServer',
'%%5408': 'ReadInformation',
'%%5409': 'WriteAccount',
'%%5410': 'AddMember',
'%%5411': 'RemoveMember',
'%%5412': 'ListMembers',
'%%5424': 'AddMember',
'%%5425': 'RemoveMember',
'%%5426': 'ListMembers',
'%%5427': 'ReadInformation',
'%%5428': 'WriteAccount',
'%%5440': 'ReadGeneralInformation',
'%%5441': 'ReadPreferences',
'%%5442': 'WritePreferences',
'%%5443': 'ReadLogon',
'%%5444': 'ReadAccount',
'%%5445': 'WriteAccount',
'%%5446': 'ChangePassword (with knowledge of old password)',
'%%5447': 'SetPassword (without knowledge of old password)',
'%%5448': 'ListGroups',
'%%5449': 'ReadGroupMembership',
'%%5450': 'ChangeGroupMembership',
'%%5632': 'View non-sensitive policy information',
'%%5633': 'View system audit requirements',
'%%5634': 'Get sensitive policy information',
'%%5635': 'Modify domain trust relationships',
'%%5636': 'Create special accounts (for assignment of user rights)',
'%%5637': 'Create a secret object',
'%%5638': 'Create a privilege',
'%%5639': 'Set default quota limits',
'%%5640': 'Change system audit requirements',
'%%5641': 'Administer audit log attributes',
'%%5642': 'Enable/Disable LSA',
'%%5643': 'Lookup Names/SIDs',
'%%5648': 'Change secret value',
'%%5649': 'Query secret value',
'%%5664': 'Query trusted domain name/SID',
'%%5665': 'Retrieve the controllers in the trusted domain',
'%%5666': 'Change the controllers in the trusted domain',
'%%5667': 'Query the Posix ID offset assigned to the trusted domain',
'%%5668': 'Change the Posix ID offset assigned to the trusted domain',
'%%5680': 'Query account information',
'%%5681': 'Change privileges assigned to account',
'%%5682': 'Change quotas assigned to account',
'%%5683': 'Change logon capabilities assigned to account',
'%%6656': 'Enumerate desktops',
'%%6657': 'Read attributes',
'%%6658': 'Access Clipboard',
'%%6659': 'Create desktop',
'%%6660': 'Write attributes',
'%%6661': 'Access global atoms',
'%%6662': 'Exit windows',
'%%6663': 'Unused Access Flag',
'%%6664': 'Include this windowstation in enumerations',
'%%6665': 'Read screen',
'%%6672': 'Read Objects',
'%%6673': 'Create window',
'%%6674': 'Create menu',
'%%6675': 'Hook control',
'%%6676': 'Journal (record)',
'%%6677': 'Journal (playback)',
'%%6678': 'Include this desktop in enumerations',
'%%6679': 'Write objects',
'%%6680': 'Switch to this desktop',
'%%6912': 'Administer print server',
'%%6913': 'Enumerate printers',
'%%6930': 'Full Control',
'%%6931': 'Print',
'%%6948': 'Administer Document',
'%%7168': 'Connect to service controller',
'%%7169': 'Create a new service',
'%%7170': 'Enumerate services',
'%%7171': 'Lock service database for exclusive access',
'%%7172': 'Query service database lock state',
'%%7173': 'Set last-known-good state of service database',
'%%7184': 'Query service configuration information',
'%%7185': 'Set service configuration information',
'%%7186': 'Query status of service',
'%%7187': 'Enumerate dependencies of service',
'%%7188': 'Start the service',
'%%7189': 'Stop the service',
'%%7190': 'Pause or continue the service',
'%%7191': 'Query information from service',
'%%7192': 'Issue service-specific control commands',
'%%7424': 'DDE Share Read',
'%%7425': 'DDE Share Write',
'%%7426': 'DDE Share Initiate Static',
'%%7427': 'DDE Share Initiate Link',
'%%7428': 'DDE Share Request',
'%%7429': 'DDE Share Advise',
'%%7430': 'DDE Share Poke',
'%%7431': 'DDE Share Execute',
'%%7432': 'DDE Share Add Items',
'%%7433': 'DDE Share List Items',
'%%7680': 'Create Child',
'%%7681': 'Delete Child',
'%%7682': 'List Contents',
'%%7683': 'Write Self',
'%%7684': 'Read Property',
'%%7685': 'Write Property',
'%%7686': 'Delete Tree',
'%%7687': 'List Object',
'%%7688': 'Control Access' }
for id, text in ids.iteritems():
if string.find(id) >= 0:
string_translated = string_translated + text + ", "
return string_translated
class HostResolv():
HOST_RESOLV_DYNAMIC_CACHE = {}
# Dynamic host-ip cache.
def refreshCache(data):
''' Refresh the HOST dynamic cache'''
#action="refresh_asset_list" list={ossim-unstable-pro=192.168.2.18,crosa=192.168.2.130} id=all transaction="50653"
logger.debug("Updating dynamic host cache... %s" % data)
#HostResolv.HOST_RESOLV_DYNAMIC_CACHE.clear()
pattern = "action=\"refresh_asset_list\"\s+list={(?P<list>.*)}"
ipv4_reg = "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
hostname_valid = "(([a-zA-Z]|[a-zA-Z][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z]|[A-Za-z][A-Za-z0-9\-]*[A-Za-z0-9])"
reg_comp = re.compile(pattern)
res = reg_comp.match(data)
host_list = []
new_cache = {}
if res is not None:
tmp_list = res.group('list')
if tmp_list is not None:
host_list = tmp_list.split(';')
logger.debug("HOST_LIST: %s" % host_list)
for asset in host_list:
if asset == '':
continue
ip, hostnames = asset.split('=')
hostname_list = hostnames.split(',')
logger.debug ("IP = %s , hostnamelist: %s" % (ip, hostname_list))
for hostname in hostname_list:
hostname = hostname.strip()
hostname = hostname.lower()
if re.match(ipv4_reg, ip) and re.match(hostname_valid, hostname):
if new_cache.has_key(hostname):
if ip not in new_cache[hostname]:
new_cache[hostname].append(ip)
else:
new_cache[hostname] = []
new_cache[hostname].append(ip)
HostResolv.HOST_RESOLV_DYNAMIC_CACHE = new_cache
HostResolv.printCache()
HostResolv.saveHostCache()
refreshCache = staticmethod(refreshCache)
def saveHostCache():
logger.info("Saving dynamic host cache in /etc/ossim/agent/host_cache.dic")
pickle.dump(HostResolv.HOST_RESOLV_DYNAMIC_CACHE, open("/etc/ossim/agent/host_cache.dic", "wb"))
saveHostCache = staticmethod(saveHostCache)
def loadHostCache():
if os.path.isfile("/etc/ossim/agent/host_cache.dic"):
try:
logger.debug("Loading dynamic host cache from '/etc/ossim/agent/host_cache.dic'")
HostResolv.HOST_RESOLV_DYNAMIC_CACHE = pickle.load(open("/etc/ossim/agent/host_cache.dic"))
HostResolv.printCache()
except:
logger.warning("Deleting corrupt file host_cache_pro.dic")
os.remove("/etc/ossim/agent/host_cache_pro.dic")
return False
else:
return False
return True
loadHostCache = staticmethod(loadHostCache)
def printCache():
logger.debug("------------------ Dynamic cache ---------------------")
for host, ip in HostResolv.HOST_RESOLV_DYNAMIC_CACHE.items():
logger.debug("%s -------->> %s" % (host, ip))
logger.debug ("------------------------------------------------------")
printCache = staticmethod(printCache)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.