There are two plugins for parsing FWS and WEB w3c logs from MS TMG 2010 on AlienVaul OSSIM and modified ParserUtil.py
tmg-web plugin and PerserUtil.py modified for add event sid 2 - Exchange ActyveSync Sync command
Last active
August 29, 2015 14:23
-
-
Save ESGuardian/42db54d60b440e820118 to your computer and use it in GitHub Desktop.
OSSIM plugin for MS TMG 2010 (Using SNARE Epilog for send FWS and WEB w3c formated logs to syslog)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Alienvault plugin | |
| # Author: Eugene Sokolov at esguardian@outlook.com | |
| # Plugin tmg-fws id:9005 version: 0.0.1 | |
| # Last modification: 2015-06-09 20:35 | |
| # | |
| # Accepted products: | |
| # microsoft - TMG 2010 | |
| # | |
| # /etc/rsyslog.d/tmg.conf | |
| # if ($rawmsg contains 'ISAFWSLog') then /var/log/tmg-fws.log | |
| # if ($rawmsg contains 'ISAWebLog') then /var/log/tmg-web.log | |
| [DEFAULT] | |
| plugin_id=9005 | |
| [config] | |
| type=detector | |
| enable=yes | |
| source=log | |
| location=/var/log/tmg-fws.log | |
| create_file=false | |
| process= | |
| start=yes | |
| stop=no | |
| startup= | |
| shutdown= | |
| [tmg-fws-plain] | |
| event_type=event | |
| regexp="(?P<sl_date>\SYSLOG_DATE).*ISAFWSLog#011.*?#011.*?#011(?P<date>.*?)#011(?P<time>.*?)#011(?P<ip_proto>.*?)#011(?P<s_ip>.*?):(?P<s_port>.*?)#011(?P<d_ip>.*?):(?P<d_port>.*?)#011(?P<or_ip>.*?)#011(?P<s_net>.*?)#011(?P<d_net>.*?)#011(?P<action>.*?)#011(?P<status>.*?)#011(?P<rule>.*?)#011(?P<app_proto>.*?)#011(?P<b_sent>.*?)#011(?P<b_sent_inter>.*?)#011(?P<b_received>.*?)#011(?P<b_received_inter>.*?)#011(?P<con_time>.*?)#011(?P<con_time_inter>.*?)#011(?P<username>.*?)#011(?P<agent>.*?)#011(?P<session_id>.*?)#011(?P<con_id>.*?)#011(?P<nis_result>.*?)#011(?P<nis_signature>.*?)#011(?P<nat_addr>.*?)#011(?P<fwc_app_path>.*?)#011(?P<internal_service_info>.*?)#011(?P<nis_app_proto>[\S\s]+?)" | |
| # regexp="(?P<client_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<user>\S+)\s+(?P<user_agent>.*)\s+[N|Y]\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<service_name>\S+)\s+(?P<computername>\S+)\s+(?P<referrer>\S+)\s+(?P<remote_name>\S+)\s+(?P<target_ip>\S+)\s+(?P<remote_port>\S+)\s+(?P<time_taken>\S+)\s+(?P<bytes>\S+)\s+(?P<sc_bytes>\S+)\s+(?P<http_type>\S+)\s+(?P<protocol>\S+)\s+(?P<operation>\S+)\s+(?P<uri>\S+)\s+(?P<encoding>.*)\s+Inet\s+(?P<status>\d+)\s+" | |
| src_ip={$or_ip} | |
| #src_port={$s_port} | |
| dst_ip={$d_ip} | |
| dst_port={$d_port} | |
| plugin_sid=1 | |
| date={normalize_date($sl_date)} | |
| username={$username} | |
| userdata1={$action} | |
| userdata2={$b_received} | |
| userdata3={$b_sent} | |
| userdata4={$ip_proto} | |
| userdata5={$app_proto} | |
| userdata6={$status} | |
| userdata7={$rule} | |
| userdata8={$fwc_app_path} | |
| #userdata9={$rule} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- tmg-fws | |
| -- plugin_id: 9005 | |
| DELETE FROM plugin WHERE id = "9005"; | |
| DELETE FROM plugin_sid where plugin_id = "9005"; | |
| INSERT IGNORE INTO plugin (id, type, name, description) VALUES (9005, 1, 'TMG-FWS', 'TMG-FWS logger'); | |
| INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9005, 1, NULL, NULL, 'TMG FWS Record',1, 3); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Alienvault plugin | |
| # Author: Eugene Sokolov at esguardian@outlook.com | |
| # Plugin tmg-web id:9004 version: 0.0.2 | |
| # Last modification: 2015-06-10 16:10 | |
| # | |
| # Accepted products: | |
| # microsoft - TMG 2010 | |
| # | |
| # /etc/rsyslog.d/tmg.conf | |
| # if ($rawmsg contains 'ISAFWSLog') then /var/log/tmg-fws.log | |
| # if ($rawmsg contains 'ISAWebLog') then /var/log/tmg-web.log | |
| [DEFAULT] | |
| plugin_id=9004 | |
| [config] | |
| type=detector | |
| enable=yes | |
| #custom_functions_file=/etc/ossim/agent/plugins/custom_functions/my_tmg_custom_functions.cfg | |
| source=log | |
| location=/var/log/tmg-web.log | |
| create_file=false | |
| process= | |
| start=yes | |
| stop=no | |
| startup= | |
| shutdown= | |
| [tmg-web-plain] | |
| event_type=event | |
| regexp="(?P<sl_date>\SYSLOG_DATE).*ISAWebLog#011\S#011(?P<c_ip>\S+?)#011(?P<cs_username>[\S\s]+?)#011(?P<c_agent>[\S\s]+?)#011(?P<date>[\S\s]+?)#011(?P<time>[\S\s]+?)#011(?P<cs_compname>[\S\s]+?)#011(?P<cs_reffered>[\S\s]+?)#011(?P<r_host>[\S\s]+?)#011(?P<r_ip>[\S\s]+?)#011(?P<r_port>[\S\s]+?)#011(?P<time_taken>[\S\s]+?)#011(?P<sc_bytes>[\S\s]+?)#011(?P<cs_bytes>[\S\s]+?)#011(?P<cs_protocol>[\S\s]+?)#011(?P<s_oper>[\S\s]+?)#011(?P<cs_uri>[\S\s]+?)#011(?P<cs_mime_type>[\S\s]+?)#011(?P<s_object_source>[\S\s]+?)#011(?P<sc_status>[\S\s]+?)#011(?P<rule>[\S\s]+?)#011(?P<filter_info>[\S\s]+?)#011(?P<cs_network>[\S\s]+?)#011(?P<sc_network>[\S\s]+?)#011(?P<error_info>[\S\s]+?)#011(?P<action>[\S\s]+?)#011(?P<authServer>[\S\s]+?)#011(?P<nis_scan_result>[\S\s]+?)#011(?P<nis_signature>[\S\s]+?)#011(?P<threat_name>[\S\s]+?)#011(?P<malware_inspection_action>[\S\s]+?)#011(?P<malware_inspection_result>[\S\s]+?)#011(?P<url_category>[\S\s]+?)#011(?P<MI_delivery_method>[\S\s]+?)#011(?P<MI_duration>[\S\s]+?)#011(?P<MI_threat_level>[\S\s]+?)#011(?P<internal_service_info>[\S\s]+?)#011(?P<NIS_app_protocol>[\S\s]+?)#011(?P<NAT_address>[\S\s]+?)#011(?P<url_categorization_reason>[\S\s]+?)#011(?P<session_type>[\S\s]+?)#011(?P<url_dest_host>[\S\s]+?)#011(?P<s_port>[\S\s]+?)#011(?P<soft_block_action>[\S\s]+?)" | |
| # regexp="(?P<client_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<user>\S+)\s+(?P<user_agent>.*)\s+[N|Y]\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<service_name>\S+)\s+(?P<computername>\S+)\s+(?P<referrer>\S+)\s+(?P<remote_name>\S+)\s+(?P<target_ip>\S+)\s+(?P<remote_port>\S+)\s+(?P<time_taken>\S+)\s+(?P<bytes>\S+)\s+(?P<sc_bytes>\S+)\s+(?P<http_type>\S+)\s+(?P<protocol>\S+)\s+(?P<operation>\S+)\s+(?P<uri>\S+)\s+(?P<encoding>.*)\s+Inet\s+(?P<status>\d+)\s+" | |
| src_ip={$c_ip} | |
| dst_ip={$r_ip} | |
| dst_port={$r_port} | |
| plugin_sid={my_tmg_web_sid($sc_bytes,$cs_bytes,$r_host,$cs_uri)} | |
| #attention function my_tmg_web_sid i have added as internal function in ParserUtil.py | |
| username={$cs_username} | |
| date={normalize_date($sl_date)} | |
| userdata1={$r_host} | |
| userdata2={$cs_bytes} | |
| userdata3={$sc_bytes} | |
| userdata4={$cs_protocol} | |
| userdata5={$s_oper} | |
| userdata6={$sc_status} | |
| userdata9={$cs_uri} | |
| userdata8={$cs_reffered} | |
| userdata7={$rule} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- tmg-web | |
| -- plugin_id: 9004 | |
| DELETE FROM plugin WHERE id = "9004"; | |
| DELETE FROM plugin_sid where plugin_id = "9004"; | |
| INSERT IGNORE INTO plugin (id, type, name, description) VALUES (9004, 1, 'tmg-web', 'TMG-WEB Logger'); | |
| INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9004, 1, NULL, NULL, 'TMG WEB Record',1, 3); | |
| INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9004, 2, NULL, NULL, 'Exchange ActiveSync Sync command',1, 3); | |
| INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9004, 11, NULL, NULL, 'TMG WEB Client sent more than received',1, 3); | |
| INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9004, 101, NULL, NULL, 'TMG WEB Client sent large amount of data',1, 3); | |
| INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9004, 111, NULL, NULL, 'TMG WEB Client sent large amount of data and more than received',1, 3); | |
| INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9004, 1001, NULL, NULL, 'TMG WEB unwanted url',1, 3); | |
| INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9004, 1011, NULL, NULL, 'TMG WEB Client sent more than received for unwanted url',1, 3); | |
| INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9004, 1101, NULL, NULL, 'TMG WEB Client sent large amount of data for unwanted url',1, 3); | |
| INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9004, 1111, NULL, NULL, 'TMG WEB Client sent large amount of data and more than received for unwanted url',1, 3); | |
| INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (9004, 2000, NULL, NULL, 'TMG WEB Possible data leek',8, 3); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # /usr/share/alienvaul/ossim-agent/ParserUtil.py | |
| # this is modified ParserUtil.py from AlienVault OSSIM | |
| # two section added in the begining of the original file | |
| # and marked as 'my additional code <number> .... end of my code <number>' | |
| # License: | |
| # | |
| # Copyright (c) 2003-2006 ossim.net | |
| # Copyright (c) 2007-2014 AlienVault | |
| # All rights reserved. | |
| # | |
| # This package is free software; you can redistribute it and/or modify | |
| # it under the terms of the GNU General Public License as published by | |
| # the Free Software Foundation; version 2 dated June, 1991. | |
| # You may not use, modify or distribute this program under any other version | |
| # of the GNU General Public License. | |
| # | |
| # This package is distributed in the hope that it will be useful, | |
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| # GNU General Public License for more details. | |
| # | |
| # You should have received a copy of the GNU General Public License | |
| # along with this package; if not, write to the Free Software | |
| # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, | |
| # MA 02110-1301 USA | |
| # | |
| # | |
| # On Debian GNU/Linux systems, the complete text of the GNU General | |
| # Public License can be found in `/usr/share/common-licenses/GPL-2'. | |
| # | |
| # Otherwise you can read it here: http://www.gnu.org/licenses/gpl-2.0.txt | |
| # | |
| # | |
| # GLOBAL IMPORTS | |
| # | |
| import datetime | |
| from hashlib import md5 | |
| import re | |
| import socket | |
| import time | |
| import pickle | |
| import os | |
| import GeoIP | |
| GEOIPDB=GeoIP.open("/usr/share/geoip/GeoLiteCity.dat",GeoIP.GEOIP_STANDARD) | |
| # my additional code 1 | |
| UNWANTED_URLS=[] | |
| with open("/etc/my_ossim/unwanted_urls.list","r") as f: | |
| UNWANTED_URLS=[line.rstrip() for line in f] | |
| f.close() | |
| # end of my code 1 | |
| # LOCAL IMPORTS | |
| # | |
| from Logger import Logger | |
| logger = Logger.logger | |
| from SiteProtectorMap import * | |
| from NetScreenMap import * | |
| # | |
| # GLOBAL VARIABLES | |
| # | |
| HOST_RESOLV_CACHE = {} | |
| PROTO_TABLE = { | |
| '1': 'icmp', | |
| '6': 'tcp', | |
| '17': 'udp', | |
| } | |
| """Set of functions to be used in plugin configuration.""" | |
| HOST_BLACK_LIST = {} | |
| # my additional code 2 | |
| def my_tmg_web_sid(bsent=0, breceived=0, url='0', uri=''): | |
| if 'Microsoft-Server-ActiveSync' in uri and 'Cmd=Sync' in uri: | |
| return 2 | |
| sid = 1 | |
| if 'in-bank.ru' in url: | |
| return sid | |
| bsent = int(bsent) | |
| breceived = int (breceived) | |
| if bsent > 1000000: | |
| return 2000 | |
| if bsent > breceived: | |
| sid = sid + 10 | |
| if bsent > 200000: | |
| sid = sid + 100 | |
| for elem in UNWANTED_URLS: | |
| dot_elem="."+elem | |
| if elem == url or dot_elem in url: | |
| sid = sid + 1000 | |
| break | |
| return sid | |
| # end of my code 2 | |
| def geoip_getData(addr,field): | |
| record = GEOIPDB.record_by_addr(addr) | |
| if record: | |
| if record.has_key(field): | |
| return record[field] | |
| return "" | |
| def geoip_getCity(addr): | |
| return geoip_getData(addr,'city') | |
| def geoip_getCountryCode(addr): | |
| return geoip_getData(addr,'country_code') | |
| def geoip_getCountryCode3(addr): | |
| return geoip_getData(addr,'country_code3') | |
| def geoip_getCountryName(addr): | |
| return geoip_getData(addr,'country_name') | |
| def geoip_getDmaCode(addr): | |
| return geoip_getData(addr,'dma_code') | |
| def geoip_getLatitude(addr): | |
| return geoip_getData(addr,'latitude') | |
| def geoip_getLongitude(addr): | |
| return geoip_getData(addr,'longitude') | |
| def geoip_getMetroCode(addr): | |
| return geoip_getData(addr,'metro_code') | |
| def geoip_getPostalCode(addr): | |
| return geoip_getData(addr,'postal_code') | |
| def geoip_getRegionCode(addr): | |
| return geoip_getData(addr,'region') | |
| def geoip_getRegionName(addr): | |
| return geoip_getData(addr,'region_name') | |
| def geoip_getTimeZone(addr): | |
| return geoip_getData(addr,'time_zone') | |
| def resolv(host): | |
| """Translate a host name to IPv4 address.""" | |
| host = host.lower() | |
| addr=host | |
| if HOST_RESOLV_CACHE.has_key(host): | |
| return HOST_RESOLV_CACHE[host] | |
| #check if we have the host in my interna cache. | |
| if HostResolv.HOST_RESOLV_DYNAMIC_CACHE.has_key(host): | |
| return HostResolv.HOST_RESOLV_DYNAMIC_CACHE[host][0]#returns the first ip assigned to the host. | |
| try: | |
| dnsquery = True | |
| if HOST_BLACK_LIST.has_key(host): | |
| if HOST_BLACK_LIST[host] - time.time() <=120:#timeout=5mins | |
| dnsquery = False | |
| if dnsquery: | |
| addr = socket.gethostbyname(host) | |
| HOST_RESOLV_CACHE[host] = addr | |
| HOST_BLACK_LIST[host] = time.time() | |
| except socket.gaierror: | |
| addr=host | |
| HOST_BLACK_LIST[host] = time.time() | |
| return addr | |
| def resolv_ip(addr): | |
| """Translate an IPv4 address to host name.""" | |
| try: | |
| (hostname, aliaslist, ipaddrlist) = socket.gethostbyaddr(addr) | |
| except socket.gaierror: | |
| return addr | |
| return hostname | |
| def resolv_port(port): | |
| """Translate a port name into it's number.""" | |
| try: | |
| port = socket.getservbyname(port.lower()) | |
| except socket.error: | |
| return port | |
| return port | |
| def resolv_iface(iface): | |
| """Normalize interface name.""" | |
| if re.match("(ext|wan1).*", iface): | |
| iface = "ext" | |
| elif re.match("(int|port|dmz|wan).*", iface): | |
| iface = "int" | |
| return iface | |
| def md5sum(datastring,plugin_obj_id=0): | |
| m = md5() | |
| m.update (datastring) | |
| return m.hexdigest() | |
| def snort_id(id): | |
| return str(1000 + int(id)) | |
| def normalize_protocol(protocol): | |
| """Fill protocols table reading /etc/protocols. | |
| try: | |
| fd = open('/etc/protocols') | |
| except IOError: | |
| pass | |
| else: | |
| pattern = re.compile("(\w+)\s+(\d+)\s+\w+") | |
| for line in fd.readlines(): | |
| result = pattern.search(line) | |
| if result: | |
| proto_name = result.groups()[0] | |
| proto_number = result.groups()[1] | |
| if not proto_table.has_key(proto_number): | |
| proto_table[proto_number] = proto_name | |
| fd.close() | |
| """ | |
| if PROTO_TABLE.has_key(str(protocol)): | |
| return PROTO_TABLE[str(protocol)] | |
| return str(protocol).lower() | |
| ### normalize_date function ### | |
| # convert date strings to isoformat | |
| # you must tag regular expressions with the following names: | |
| # <year>, <month>, <minute>, <hour>, <minute>, <second> | |
| # or <timestamp> for timestamps | |
| # array of date regexp, sorted by probability | |
| # change this order to suite your needs | |
| DATE_REGEXPS = [ | |
| #DC 2/15/2012 12:00:36 PM | |
| re.compile(r'(?P<month>\d{1,2})/(?P<day>\d{1,2})/(?P<year>\d{4})\s+(?P<hour>\d{1,2}):(?P<minute>\d\d):(?P<second>\d\d)\s+(?P<pm_am>PM|AM)'), | |
| # Syslog -- Oct 27 10:50:46 | |
| re.compile(r'^(?P<month>\w+)\s+(?P<day>\d+)\s+(?P<hour>\d\d):(?P<minute>\d\d):(?P<second>\d\d)'), | |
| # apache-error-log -- Fri Aug 07 17:52:19 2009 | |
| re.compile(r'(\w+)\s+(?P<month>\w+)\s+(?P<day>\d+)\s+(?P<hour>\d\d):(?P<minute>\d\d):(?P<second>\d\d)\s+(?P<year>\d\d\d\d)'), | |
| # syslog-ng -- Oct 27 2007 10:50:46 | |
| re.compile(r'(?P<month>\w+)\s+(?P<day>\d+)\s+(?P<year>\d\d\d\d)\s+(?P<hour>\d\d):(?P<minute>\d\d):(?P<second>\d\d)'), | |
| # bind9 -- 10-Aug-2009 07:53:44 | |
| re.compile(r'(?P<day>\d+)-(?P<month>\w+)-(?P<year>\d\d\d\d)\s+(?P<hour>\d\d):(?P<minute>\d\d):(?P<second>\d\d)'), | |
| # Snare -- Sun Jan 28 15:15:32 2007 | |
| re.compile(r'\S+\s+(?P<month>\S+)\s+(?P<day>\d+)\s+(?P<hour>\d\d):(?P<minute>\d\d):(?P<second>\d\d)\s+(?P<year>\d+)'), | |
| # snort -- 11/08-19:19:06 | |
| re.compile(r'^(?P<month>\d\d)/(?P<day>\d\d)(/?(?P<year>\d\d))?-(?P<hour>\d\d):(?P<minute>\d\d):(?P<second>\d\d)'), | |
| # arpwatch -- Monday, March 15, 2004 15:39:19 +0000 | |
| re.compile(r'(\w+), (?P<month>\w+) (?P<day>\d{1,2}), (?P<year>\d{4}) (?P<hour>\d+):(?P<minute>\d+):(?P<second>\d+)'), | |
| # heartbeat -- 2006/10/19_11:40:05 | |
| # raslog(1581) -- 2009/03/05-11:04:36 | |
| re.compile(r'(?P<year>\d+)/(?P<month>\d+)/(?P<day>\d+)[_-](?P<hour>\d+):(?P<minute>\d+):(?P<second>\d+)'), | |
| # netgear -- 11/03/2004 19:45:46 | |
| re.compile(r'(?P<day>\d+)/(?P<month>\d+)/(?P<year>\d{4})\s(?P<hour>\d+):(?P<minute>\d+):(?P<second>\d+)'), | |
| # tarantella -- 2007/10/18 14:38:03 | |
| re.compile(r'(?P<year>\d{4})/(?P<month>\d+)/(?P<day>\d+)\s(?P<hour>\d+):(?P<minute>\d+):(?P<second>\d+)'), | |
| # citrix 02/28/2013:12:00:00 | |
| re.compile(r'(?P<month>(0?[1-9])|(1[0-2]))/(?P<day>(1[0-9])|(2[0-9])|(3[0-1])|(0?[0-9]))/(?P<year>\d{4}):(?P<hour>\d{1,2}):(?P<minute>\d{1,2}):(?P<second>\d{1,2})'), | |
| # OSSEC -- 2007 Nov 17 06:26:18 | |
| # Intrushield -- 2007-Nov-17 06:26:18 CET | |
| re.compile(r'(?P<year>\d{4})[-\s](?P<month>\w{3})[-\s](?P<day>\d{2})\s+(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})'), | |
| # ibm applications -- 11/03/07 19:22:22 | |
| # apache -- 29/Jan/2007:17:02:20 | |
| re.compile(r'(?P<day>\d+)/(?P<month>\w+)/(?P<year>\d+)[\s:](?P<hour>\d+):(?P<minute>\d+):(?P<second>\d+)'), | |
| # lucent brick hhmmss | |
| # hhmmss,timestamp | |
| re.compile(r'^(?P<hour>\d\d)(?P<minute>\d\d)(?P<second>\d\d),(?P<timestamp>\d+)$'), | |
| re.compile(r'^(?P<hour>\d\d)(?P<minute>\d\d)(?P<second>\d\d)(?:\+|\-)$'), | |
| re.compile(r'^(?P<hour>\d\d)(?P<minute>\d\d)(?P<second>\d\d)$'), | |
| # rrd, nagios -- 1162540224 | |
| re.compile(r'^(?P<timestamp>\d+)$'), | |
| #FileZilla -- 11.03.2009 19:45:46 | |
| re.compile(r'(?P<day>\d+)\.(?P<month>\d+)\.(?P<year>\d{4})\s(?P<hour>\d+):(?P<minute>\d+):(?P<second>\d+)'), | |
| # hp eva -- 2 18 2009 14 9 52 | |
| re.compile(r'(?P<month>\d{1,2}) (?P<day>\d{1,2}) (?P<year>\d{4}) (?P<hour>\d{1,2}) (?P<minute>\d{1,2}) (?P<second>\d{1,2})'), | |
| # Websense -- Wed 14 Apr 2010 12:35:10 | |
| # Websense2 -- 11 Jan 2011 09:44:18 AM | |
| # nessus 12 May 2012 00:00:03 | |
| re.compile(r'(?P<day>\d{1,2})\s+(?P<month>\w{3})\s+(?P<year>\d{4})\s+(?P<hour>\d\d):(?P<minute>\d\d):(?P<second>\d\d)(\s+(?P<pm_am>AM|PM))?'), | |
| # Exchange Message Tracking Log -- 2011-07-08T14:13:42.237Z | |
| re.compile(r'(?P<year>\d+)-(?P<month>\d+)-(?P<day>\d+)T(?P<hour>\d\d):(?P<minute>\d\d):(?P<second>\d\d).+'), | |
| # SonicWall -- 2011-05-12 07 59 01 | |
| re.compile(r'(?P<year>\d{4})-(?P<month>\d+)-(?P<day>\d+)\s(?P<hour>\d+)\s(?P<minute>\d+)\s(?P<second>\d+)'), | |
| # CSV format date -- 09/30/2011,10:56:11 | |
| re.compile('(?P<month>[0-9][0-9])/(?P<day>[0-3][0-9])/(?P<year>\d{4})\,(?P<hour>[0-2][0-9]):(?P<minute>[0-6][0-9]):(?P<second>[0-6][0-9])'), | |
| # honeyd -- 2011-05-17-09:42:24 | |
| re.compile(r'(?P<year>\d{4})-(?P<month>\d+)-(?P<day>\d+)-(?P<hour>\d+):(?P<minute>\d+):(?P<second>\d+)'), | |
| #Epilog de logparser 2011-11-21 06: 15:02 | |
| re .compile(r'(?P<year>\d{4})-(?P<month>\d+)-(?P<day>\d+)\s+(?P<hour>\d+):\s+(?P<minute>\d+):(?P<second>\d+)'), | |
| #WMI -- 20111111084344.000000-000 | |
| re.compile(r'(?P<year>\d{4})(?P<month>\d{2})(?P<day>\d{2})(?P<hour>\d{2})(?P<minute>\d{2})(?P<second>\d{2}).'), | |
| #20120202 12:12:12 | |
| re.compile(r'(?P<year>\d{4})(?P<month>\d{2})(?P<day>\d{2}) (?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})'), | |
| #SNMPTRAP -- mar 07 feb, 2012 - 08:39:49 | |
| re.compile(r'\S+\s+(?P<day>\d{2})\s(?P<month>\w+),\s(?P<year>\d{4})\s-\s(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})'), | |
| #CheckPoint-LML-raw - 1Feb2012;0:05:58/1Feb2012 0:05:58 | |
| re.compile(r'(?P<day>\d{1,2})(?P<month>\w+)(?P<year>\d{4})(?:\s|;)+(?P<hour>\d{1,2}):(?P<minute>\d{1,2}):(?P<second>\d{1,2})'), | |
| # Lilian Date -- 11270 02:00:16 | |
| # Lilian is the number of days since the beginning of the Gregorian Calendar on October 15, 1582, | |
| re.compile(r'(?P<lilian>\d{5})\s+(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})'), | |
| #bluecoat -- 2011-05-17 09:42:24 | |
| re.compile(r'(?P<year>\d{4})-(?P<month>\d+)-(?P<day>\d+)\s+(?P<hour>\d+):(?P<minute>\d+):(?P<second>\d+)'), | |
| #suricata -- 03/20/2012-12:12:24.376349 | |
| re.compile(r'(?P<month>\d+)/(?P<day>\d+)/(?P<year>\d+)-(?P<hour>\d+):(?P<minute>\d+):(?P<second>\d+)'), | |
| #Fortigate date=2015-03-17 time=22:03:55 | |
| re.compile('(?P<year>\d{4})-(?P<month>\d+)-(?P<day>\d+)\s+time=(?P<hour>\d+):(?P<minute>\d+):(?P<second>\d+)'), | |
| ] | |
| def normalize_date_american(string_date): | |
| date = normalize_date(string_date, True) | |
| return date | |
| def normalize_date(string, american_format=False): | |
| """For adding new date formats you should only | |
| add a new regexp in the above array | |
| """ | |
| local_datetime = datetime.datetime.utcnow() | |
| if not isinstance(string, basestring) or string == "": | |
| logger.warning("No string for normalize_date '%s'" % string) | |
| return "" | |
| try_other = True | |
| dict = {} | |
| matched = False | |
| if american_format: | |
| american_regex = re.compile("(?P<month>\d{2})\/(?P<day>\d{2})\/(?P<year>\d{4})\s+(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})") | |
| result = american_regex.search(string) | |
| if result: | |
| dict = result.groupdict() | |
| try_other = False | |
| matched = True | |
| if try_other: | |
| for pattern in DATE_REGEXPS: | |
| result = pattern.match(string) | |
| if result is None: | |
| continue | |
| matched = True | |
| dict = result.groupdict() | |
| if dict.has_key('month') and str(dict['month']).isdigit(): | |
| try: | |
| month_int = int(str(dict['month'])) | |
| if month_int > 12: | |
| logger.info("invalid moth:%s" % dict['month']) | |
| dict.clear() | |
| continue | |
| except Exception, e: | |
| dict.clear() | |
| continue | |
| if dict.has_key('day')and str(dict['day']).isdigit(): | |
| try: | |
| day_int = int(str(dict['day'])) | |
| if day_int > 31: | |
| dict.clear() | |
| continue | |
| except Exception, e : | |
| dict.clear() | |
| continue | |
| break | |
| if not matched: | |
| logger.warning("Date: %s not matched" % string) | |
| return string | |
| if dict.has_key('hour') and dict.has_key('pm_am'): | |
| try: | |
| hour = int(dict['hour']) | |
| pm_am = dict['pm_am'].lower() | |
| if pm_am == "pm": | |
| if hour == 12: | |
| hour = 0 | |
| else: | |
| hour += 12 | |
| dict['hour'] = str(hour) | |
| except Exception, e: | |
| pass | |
| ### put here all sanity transformations you need | |
| if dict.has_key('timestamp'): | |
| (dict['year'], dict['month'], dict['day'], | |
| dict['hour'], dict['minute'], dict['second'], a, b, c) = \ | |
| time.localtime(float(dict['timestamp'])) | |
| elif dict.has_key('lilian'): | |
| stringlilian="%s %s:%s:%s"% (dict['lilian'],dict['hour'],dict['minute'],dict['second']) | |
| return datetime.datetime.strptime(stringlilian, "%y%j %H:%M:%S") | |
| # year | |
| if dict.has_key('year') and not dict['year']: | |
| dict['year'] = str(local_datetime.year) | |
| #dict['year'] = \ | |
| # time.strftime('%Y', time.localtime(time.time())) | |
| elif not dict.has_key('year'): | |
| dict['year'] = str(local_datetime.year) | |
| #dict['year'] = \ | |
| # time.strftime('%Y', time.localtime(time.time())) | |
| elif len(str(dict['year'])) == 2: | |
| dict['year'] = '20' + str(dict['year']) | |
| # month | |
| if not dict.has_key('month'): | |
| dict['month'] = \ | |
| time.strftime('%m', time.localtime(time.time())) | |
| elif dict.has_key('month') and not dict['month']: | |
| dict['month'] = \ | |
| time.strftime('%m', time.localtime(time.time())) | |
| elif len(str(dict['month'])) == 1: | |
| dict['month'] = '0' + str(dict['month']) | |
| # day | |
| if not dict.has_key('day'): | |
| dict['day'] = \ | |
| time.strftime('%d', time.localtime(time.time())) | |
| elif dict.has_key('day') and not dict['day']: | |
| dict['day'] = \ | |
| time.strftime('%d', time.localtime(time.time())) | |
| elif len(str(dict['day'])) == 1: | |
| dict['day'] = '0' + str(dict['day']) | |
| # Fix month | |
| if not str(dict['month']).isdigit(): | |
| try: | |
| dict['month'] = \ | |
| time.strftime('%m', time.strptime(dict['month'], "%b")) | |
| except ValueError: | |
| try: | |
| dict['month'] = \ | |
| time.strftime('%m', time.strptime(dict['month'], "%B")) | |
| except ValueError: | |
| pass | |
| except Exception,e: | |
| pass | |
| # seconds | |
| if not dict.has_key('second'): | |
| dict['second'] = 00 | |
| # 31st Dic fix | |
| try: | |
| datemonth = int(dict['month']) | |
| if datemonth == 12 and local_datetime.month == 1: | |
| dict['year'] = str(local_datetime.year - 1) | |
| except: | |
| pass | |
| ### end of transformations | |
| # now, let's go to translate string | |
| try: | |
| date = datetime.datetime(year=int(dict['year']), | |
| month=int(dict['month']), | |
| day=int(dict['day']), | |
| hour=int(dict['hour']), | |
| minute=int(dict['minute']), | |
| second=int(dict['second'])).isoformat(' ') | |
| except Exception, e: | |
| logger.error("There was an error in normalize_date() function: %s" % str(e)) | |
| else: | |
| return date | |
| return string | |
| def upper(string): | |
| return string.upper() | |
| def sanitize(data): | |
| return data.replace("\n", "\r") | |
| def hextoint(string): | |
| try: | |
| return int(string, 16) | |
| except ValueError: | |
| pass | |
| def intrushield_sid(mcafee_sid, mcafee_name): | |
| # All McAfee Intrushield id are divisible by 256, and this length doesn't fit in OSSIM's table | |
| mcafee_sid = hextoint(mcafee_sid) / 256 | |
| mcafee_name = mcafee_name.replace('-', ':') | |
| # Calculate hash based in event name | |
| mcafee_subsid = abs(mcafee_name.__hash__()) | |
| # Ugly method to avoid duplicated sids | |
| mcafee_hash2 = 0 | |
| for i in range(0, len(mcafee_name)): | |
| mcafee_hash2 = mcafee_hash2 + ord(mcafee_name[i]) | |
| ossim_sid = int(str(mcafee_hash2)[-1:] + str(int(str(mcafee_subsid)[-7:]) + mcafee_sid)) | |
| return ossim_sid | |
| def netscreen_idp_sid(message): | |
| if NETSCREEN_IDP_SID_TRANSLATION_TABLE.has_key(message): | |
| return NETSCREEN_IDP_SID_TRANSLATION_TABLE[message] | |
| # missing sid | |
| return '99999' | |
| #Dummy function | |
| def checkValue(val): | |
| if val is not None and val != 0 and val != "0" and val != "" and val != "" and val != 1 and val != "1": | |
| return 1 | |
| elif val is not None: | |
| return 0 | |
| else: | |
| return None | |
| def iss_siteprotector_sid(message): | |
| if ISS_SITEPROTECTOR_SID_TRANSLATION_MAP.has_key(message): | |
| return ISS_SITEPROTECTOR_SID_TRANSLATION_MAP[message] | |
| return '99999' | |
| #Funtion to translate Windows Security Audit Event Accesses IDs to text | |
| #From http://my.opera.com/Lee_Harvey/blog/2008/10/14/microsoft-windows-security-audit-event-accesses-ids | |
| def translate_wsaea_IDs(string): | |
| string_translated = '' | |
| ids = { '%%279': 'Undefined Access (no effect) Bit 7', | |
| '%%1536': 'Unused message ID', | |
| '%%1537': 'DELETE', | |
| '%%1538': 'READ_CONTROL', | |
| '%%1539': 'WRITE_DAC', | |
| '%%1540': 'WRITE_OWNER', | |
| '%%1541': 'SYNCHRONIZE', | |
| '%%1542': 'ACCESS_SYS_SEC', | |
| '%%1543': 'MAX_ALLOWED', | |
| '%%1552': 'Unknown specific access (bit 0)', | |
| '%%1553': 'Unknown specific access (bit 1)', | |
| '%%1554': 'Unknown specific access (bit 2)', | |
| '%%1555': 'Unknown specific access (bit 3)', | |
| '%%1556': 'Unknown specific access (bit 4)', | |
| '%%1557': 'Unknown specific access (bit 5)', | |
| '%%1558': 'Unknown specific access (bit 6)', | |
| '%%1559': 'Unknown specific access (bit 7)', | |
| '%%1560': 'Unknown specific access (bit 8)', | |
| '%%1561': 'Unknown specific access (bit 9)', | |
| '%%1562': 'Unknown specific access (bit 10)', | |
| '%%1563': 'Unknown specific access (bit 11)', | |
| '%%1564': 'Unknown specific access (bit 12)', | |
| '%%1565': 'Unknown specific access (bit 13)', | |
| '%%1566': 'Unknown specific access (bit 14)', | |
| '%%1567': 'Unknown specific access (bit 15)', | |
| '%%1601': 'Not used', | |
| '%%1603': 'Assign Primary Token Privilege', | |
| '%%1604': 'Lock Memory Privilege', | |
| '%%1605': 'Increase Memory Quota Privilege', | |
| '%%1606': 'Unsolicited Input Privilege', | |
| '%%1607': 'Trusted Computer Base Privilege', | |
| '%%1608': 'Security Privilege', | |
| '%%1609': 'Take Ownership Privilege', | |
| '%%1610': 'Load/Unload Driver Privilege', | |
| '%%1611': 'Profile System Privilege', | |
| '%%1612': 'Set System Time Privilege', | |
| '%%1613': 'Profile Single Process Privilege', | |
| '%%1614': 'Increment Base Priority Privilege', | |
| '%%1615': 'Create Pagefile Privilege', | |
| '%%1616': 'Create Permanent Object Privilege', | |
| '%%1617': 'Backup Privilege', | |
| '%%1618': 'Restore From Backup Privilege', | |
| '%%1619': 'Shutdown System Privilege', | |
| '%%1620': 'Debug Privilege', | |
| '%%1621': 'View or Change Audit Log Privilege', | |
| '%%1622': 'Change Hardware Environment Privilege', | |
| '%%1623': 'Change Notify (and Traverse) Privilege', | |
| '%%1624': 'Remotely Shut System Down Privilege', | |
| '%%4352': 'Device Access Bit 0', | |
| '%%4353': 'Device Access Bit 1', | |
| '%%4354': 'Device Access Bit 2', | |
| '%%4355': 'Device Access Bit 3', | |
| '%%4356': 'Device Access Bit 4', | |
| '%%4357': 'Device Access Bit 5', | |
| '%%4358': 'Device Access Bit 6', | |
| '%%4359': 'Device Access Bit 7', | |
| '%%4360': 'Device Access Bit 8', | |
| '%%4361': 'Undefined Access (no effect) Bit 9', | |
| '%%4362': 'Undefined Access (no effect) Bit 10', | |
| '%%4363': 'Undefined Access (no effect) Bit 11', | |
| '%%4364': 'Undefined Access (no effect) Bit 12', | |
| '%%4365': 'Undefined Access (no effect) Bit 13', | |
| '%%4366': 'Undefined Access (no effect) Bit 14', | |
| '%%4367': 'Undefined Access (no effect) Bit 15', | |
| '%%4368': 'Query directory', | |
| '%%4369': 'Traverse', | |
| '%%4370': 'Create object in directory', | |
| '%%4371': 'Create sub-directory', | |
| '%%4372': 'Undefined Access (no effect) Bit 4', | |
| '%%4373': 'Undefined Access (no effect) Bit 5', | |
| '%%4374': 'Undefined Access (no effect) Bit 6', | |
| '%%4375': 'Undefined Access (no effect) Bit 7', | |
| '%%4376': 'Undefined Access (no effect) Bit 8', | |
| '%%4377': 'Undefined Access (no effect) Bit 9', | |
| '%%4378': 'Undefined Access (no effect) Bit 10', | |
| '%%4379': 'Undefined Access (no effect) Bit 11', | |
| '%%4380': 'Undefined Access (no effect) Bit 12', | |
| '%%4381': 'Undefined Access (no effect) Bit 13', | |
| '%%4382': 'Undefined Access (no effect) Bit 14', | |
| '%%4383': 'Undefined Access (no effect) Bit 15', | |
| '%%4384': 'Query event state', | |
| '%%4385': 'Modify event state', | |
| '%%4386': 'Undefined Access (no effect) Bit 2', | |
| '%%4387': 'Undefined Access (no effect) Bit 3', | |
| '%%4388': 'Undefined Access (no effect) Bit 4', | |
| '%%4389': 'Undefined Access (no effect) Bit 5', | |
| '%%4390': 'Undefined Access (no effect) Bit 6', | |
| '%%4391': 'Undefined Access (no effect) Bit 7', | |
| '%%4392': 'Undefined Access (no effect) Bit 8', | |
| '%%4393': 'Undefined Access (no effect) Bit 9', | |
| '%%4394': 'Undefined Access (no effect) Bit 10', | |
| '%%4395': 'Undefined Access (no effect) Bit 11', | |
| '%%4396': 'Undefined Access (no effect) Bit 12', | |
| '%%4397': 'Undefined Access (no effect) Bit 13', | |
| '%%4398': 'Undefined Access (no effect) Bit 14', | |
| '%%4399': 'Undefined Access (no effect) Bit 15', | |
| '%%4416': 'ReadData (or ListDirectory)', | |
| '%%4417': 'WriteData (or AddFile)', | |
| '%%4418': 'AppendData (or AddSubdirectory or CreatePipeInstance)', | |
| '%%4419': 'ReadEA', | |
| '%%4420': 'WriteEA', | |
| '%%4421': 'Execute/Traverse', | |
| '%%4422': 'DeleteChild', | |
| '%%4423': 'ReadAttributes', | |
| '%%4424': 'WriteAttributes', | |
| '%%4425': 'Undefined Access (no effect) Bit 9', | |
| '%%4426': 'Undefined Access (no effect) Bit 10', | |
| '%%4427': 'Undefined Access (no effect) Bit 11', | |
| '%%4428': 'Undefined Access (no effect) Bit 12', | |
| '%%4429': 'Undefined Access (no effect) Bit 13', | |
| '%%4430': 'Undefined Access (no effect) Bit 14', | |
| '%%4431': 'Undefined Access (no effect) Bit 15', | |
| '%%4432': 'Query key value', | |
| '%%4433': 'Set key value', | |
| '%%4434': 'Create sub-key', | |
| '%%4435': 'Enumerate sub-keys', | |
| '%%4436': 'Notify about changes to keys', | |
| '%%4437': 'Create Link', | |
| '%%4438': 'Undefined Access (no effect) Bit 6', | |
| '%%4439': 'Undefined Access (no effect) Bit 7', | |
| '%%4440': 'Undefined Access (no effect) Bit 8', | |
| '%%4441': 'Undefined Access (no effect) Bit 9', | |
| '%%4442': 'Undefined Access (no effect) Bit 10', | |
| '%%4443': 'Undefined Access (no effect) Bit 11', | |
| '%%4444': 'Undefined Access (no effect) Bit 12', | |
| '%%4445': 'Undefined Access (no effect) Bit 13', | |
| '%%4446': 'Undefined Access (no effect) Bit 14', | |
| '%%4447': 'Undefined Access (no effect) Bit 15', | |
| '%%4448': 'Query mutant state', | |
| '%%4449': 'Undefined Access (no effect) Bit 1', | |
| '%%4450': 'Undefined Access (no effect) Bit 2', | |
| '%%4451': 'Undefined Access (no effect) Bit 3', | |
| '%%4452': 'Undefined Access (no effect) Bit 4', | |
| '%%4453': 'Undefined Access (no effect) Bit 5', | |
| '%%4454': 'Undefined Access (no effect) Bit 6', | |
| '%%4455': 'Undefined Access (no effect) Bit 7', | |
| '%%4456': 'Undefined Access (no effect) Bit 8', | |
| '%%4457': 'Undefined Access (no effect) Bit 9', | |
| '%%4458': 'Undefined Access (no effect) Bit 10', | |
| '%%4459': 'Undefined Access (no effect) Bit 11', | |
| '%%4460': 'Undefined Access (no effect) Bit 12', | |
| '%%4461': 'Undefined Access (no effect) Bit 13', | |
| '%%4462': 'Undefined Access (no effect) Bit 14', | |
| '%%4463': 'Undefined Access (no effect) Bit 15', | |
| '%%4464': 'Communicate using port', | |
| '%%4465': 'Undefined Access (no effect) Bit 1', | |
| '%%4466': 'Undefined Access (no effect) Bit 2', | |
| '%%4467': 'Undefined Access (no effect) Bit 3', | |
| '%%4468': 'Undefined Access (no effect) Bit 4', | |
| '%%4469': 'Undefined Access (no effect) Bit 5', | |
| '%%4470': 'Undefined Access (no effect) Bit 6', | |
| '%%4471': 'Undefined Access (no effect) Bit 7', | |
| '%%4472': 'Undefined Access (no effect) Bit 8', | |
| '%%4473': 'Undefined Access (no effect) Bit 9', | |
| '%%4474': 'Undefined Access (no effect) Bit 10', | |
| '%%4475': 'Undefined Access (no effect) Bit 11', | |
| '%%4476': 'Undefined Access (no effect) Bit 12', | |
| '%%4477': 'Undefined Access (no effect) Bit 13', | |
| '%%4478': 'Undefined Access (no effect) Bit 14', | |
| '%%4479': 'Undefined Access (no effect) Bit 15', | |
| '%%4480': 'Force process termination', | |
| '%%4481': 'Create new thread in process', | |
| '%%4482': 'Unused access bit', | |
| '%%4483': 'Perform virtual memory operation', | |
| '%%4484': 'Read from process memory', | |
| '%%4485': 'Write to process memory', | |
| '%%4486': 'Duplicate handle into or out of process', | |
| '%%4487': 'Create a subprocess of process', | |
| '%%4488': 'Set process quotas', | |
| '%%4489': 'Set process information', | |
| '%%4490': 'Query process information', | |
| '%%4491': 'Set process termination port', | |
| '%%4492': 'Undefined Access (no effect) Bit 12', | |
| '%%4493': 'Undefined Access (no effect) Bit 13', | |
| '%%4494': 'Undefined Access (no effect) Bit 14', | |
| '%%4495': 'Undefined Access (no effect) Bit 15', | |
| '%%4496': 'Control profile', | |
| '%%4497': 'Undefined Access (no effect) Bit 1', | |
| '%%4498': 'Undefined Access (no effect) Bit 2', | |
| '%%4499': 'Undefined Access (no effect) Bit 3', | |
| '%%4500': 'Undefined Access (no effect) Bit 4', | |
| '%%4501': 'Undefined Access (no effect) Bit 5', | |
| '%%4502': 'Undefined Access (no effect) Bit 6', | |
| '%%4503': 'Undefined Access (no effect) Bit 7', | |
| '%%4504': 'Undefined Access (no effect) Bit 8', | |
| '%%4505': 'Undefined Access (no effect) Bit 9', | |
| '%%4506': 'Undefined Access (no effect) Bit 10', | |
| '%%4507': 'Undefined Access (no effect) Bit 11', | |
| '%%4508': 'Undefined Access (no effect) Bit 12', | |
| '%%4509': 'Undefined Access (no effect) Bit 13', | |
| '%%4510': 'Undefined Access (no effect) Bit 14', | |
| '%%4511': 'Undefined Access (no effect) Bit 15', | |
| '%%4512': 'Query section state', | |
| '%%4513': 'Map section for write', | |
| '%%4514': 'Map section for read', | |
| '%%4515': 'Map section for execute', | |
| '%%4516': 'Extend size', | |
| '%%4517': 'Undefined Access (no effect) Bit 5', | |
| '%%4518': 'Undefined Access (no effect) Bit 6', | |
| '%%4519': 'Undefined Access (no effect) Bit 7', | |
| '%%4520': 'Undefined Access (no effect) Bit 8', | |
| '%%4521': 'Undefined Access (no effect) Bit 9', | |
| '%%4522': 'Undefined Access (no effect) Bit 10', | |
| '%%4523': 'Undefined Access (no effect) Bit 11', | |
| '%%4524': 'Undefined Access (no effect) Bit 12', | |
| '%%4525': 'Undefined Access (no effect) Bit 13', | |
| '%%4526': 'Undefined Access (no effect) Bit 14', | |
| '%%4527': 'Undefined Access (no effect) Bit 15', | |
| '%%4528': 'Query semaphore state', | |
| '%%4529': 'Modify semaphore state', | |
| '%%4530': 'Undefined Access (no effect) Bit 2', | |
| '%%4531': 'Undefined Access (no effect) Bit 3', | |
| '%%4532': 'Undefined Access (no effect) Bit 4', | |
| '%%4533': 'Undefined Access (no effect) Bit 5', | |
| '%%4534': 'Undefined Access (no effect) Bit 6', | |
| '%%4535': 'Undefined Access (no effect) Bit 7', | |
| '%%4536': 'Undefined Access (no effect) Bit 8', | |
| '%%4537': 'Undefined Access (no effect) Bit 9', | |
| '%%4538': 'Undefined Access (no effect) Bit 10', | |
| '%%4539': 'Undefined Access (no effect) Bit 11', | |
| '%%4540': 'Undefined Access (no effect) Bit 12', | |
| '%%4541': 'Undefined Access (no effect) Bit 13', | |
| '%%4542': 'Undefined Access (no effect) Bit 14', | |
| '%%4543': 'Undefined Access (no effect) Bit 15', | |
| '%%4544': 'Use symbolic link', | |
| '%%4545': 'Undefined Access (no effect) Bit 1', | |
| '%%4546': 'Undefined Access (no effect) Bit 2', | |
| '%%4547': 'Undefined Access (no effect) Bit 3', | |
| '%%4548': 'Undefined Access (no effect) Bit 4', | |
| '%%4549': 'Undefined Access (no effect) Bit 5', | |
| '%%4550': 'Undefined Access (no effect) Bit 6', | |
| '%%4551': 'Undefined Access (no effect) Bit 7', | |
| '%%4552': 'Undefined Access (no effect) Bit 8', | |
| '%%4553': 'Undefined Access (no effect) Bit 9', | |
| '%%4554': 'Undefined Access (no effect) Bit 10', | |
| '%%4555': 'Undefined Access (no effect) Bit 11', | |
| '%%4556': 'Undefined Access (no effect) Bit 12', | |
| '%%4557': 'Undefined Access (no effect) Bit 13', | |
| '%%4558': 'Undefined Access (no effect) Bit 14', | |
| '%%4559': 'Undefined Access (no effect) Bit 15', | |
| '%%4560': 'Force thread termination', | |
| '%%4561': 'Suspend or resume thread', | |
| '%%4562': 'Send an alert to thread', | |
| '%%4563': 'Get thread context', | |
| '%%4564': 'Set thread context', | |
| '%%4565': 'Set thread information', | |
| '%%4566': 'Query thread information', | |
| '%%4567': 'Assign a token to the thread', | |
| '%%4568': 'Cause thread to directly impersonate another thread', | |
| '%%4569': 'Directly impersonate this thread', | |
| '%%4570': 'Undefined Access (no effect) Bit 10', | |
| '%%4571': 'Undefined Access (no effect) Bit 11', | |
| '%%4572': 'Undefined Access (no effect) Bit 12', | |
| '%%4573': 'Undefined Access (no effect) Bit 13', | |
| '%%4574': 'Undefined Access (no effect) Bit 14', | |
| '%%4575': 'Undefined Access (no effect) Bit 15', | |
| '%%4576': 'Query timer state', | |
| '%%4577': 'Modify timer state', | |
| '%%4578': 'Undefined Access (no effect) Bit 2', | |
| '%%4579': 'Undefined Access (no effect) Bit 3', | |
| '%%4580': 'Undefined Access (no effect) Bit 4', | |
| '%%4581': 'Undefined Access (no effect) Bit 5', | |
| '%%4582': 'Undefined Access (no effect) Bit 6', | |
| '%%4584': 'Undefined Access (no effect) Bit 8', | |
| '%%4585': 'Undefined Access (no effect) Bit 9', | |
| '%%4586': 'Undefined Access (no effect) Bit 10', | |
| '%%4587': 'Undefined Access (no effect) Bit 11', | |
| '%%4588': 'Undefined Access (no effect) Bit 12', | |
| '%%4589': 'Undefined Access (no effect) Bit 13', | |
| '%%4590': 'Undefined Access (no effect) Bit 14', | |
| '%%4591': 'Undefined Access (no effect) Bit 15', | |
| '%%4592': 'AssignAsPrimary', | |
| '%%4593': 'Duplicate', | |
| '%%4594': 'Impersonate', | |
| '%%4595': 'Query', | |
| '%%4596': 'QuerySource', | |
| '%%4597': 'AdjustPrivileges', | |
| '%%4598': 'AdjustGroups', | |
| '%%4599': 'AdjustDefaultDacl', | |
| '%%4600': 'Undefined Access (no effect) Bit 8', | |
| '%%4601': 'Undefined Access (no effect) Bit 9', | |
| '%%4602': 'Undefined Access (no effect) Bit 10', | |
| '%%4603': 'Undefined Access (no effect) Bit 11', | |
| '%%4604': 'Undefined Access (no effect) Bit 12', | |
| '%%4605': 'Undefined Access (no effect) Bit 13', | |
| '%%4606': 'Undefined Access (no effect) Bit 14', | |
| '%%4607': 'Undefined Access (no effect) Bit 15', | |
| '%%4608': 'Create instance of object type', | |
| '%%4609': 'Undefined Access (no effect) Bit 1', | |
| '%%4610': 'Undefined Access (no effect) Bit 2', | |
| '%%4611': 'Undefined Access (no effect) Bit 3', | |
| '%%4612': 'Undefined Access (no effect) Bit 4', | |
| '%%4613': 'Undefined Access (no effect) Bit 5', | |
| '%%4614': 'Undefined Access (no effect) Bit 6', | |
| '%%4615': 'Undefined Access (no effect) Bit 7', | |
| '%%4616': 'Undefined Access (no effect) Bit 8', | |
| '%%4617': 'Undefined Access (no effect) Bit 9', | |
| '%%4618': 'Undefined Access (no effect) Bit 10', | |
| '%%4619': 'Undefined Access (no effect) Bit 11', | |
| '%%4620': 'Undefined Access (no effect) Bit 12', | |
| '%%4621': 'Undefined Access (no effect) Bit 13', | |
| '%%4622': 'Undefined Access (no effect) Bit 14', | |
| '%%4623': 'Undefined Access (no effect) Bit 15', | |
| '%%4864': 'Query State', | |
| '%%4865': 'Modify State', | |
| '%%5120': 'Channel read message', | |
| '%%5121': 'Channel write message', | |
| '%%5122': 'Channel query information', | |
| '%%5123': 'Channel set information', | |
| '%%5124': 'Undefined Access (no effect) Bit 4', | |
| '%%5125': 'Undefined Access (no effect) Bit 5', | |
| '%%5126': 'Undefined Access (no effect) Bit 6', | |
| '%%5127': 'Undefined Access (no effect) Bit 7', | |
| '%%5128': 'Undefined Access (no effect) Bit 8', | |
| '%%5129': 'Undefined Access (no effect) Bit 9', | |
| '%%5130': 'Undefined Access (no effect) Bit 10', | |
| '%%5131': 'Undefined Access (no effect) Bit 11', | |
| '%%5132': 'Undefined Access (no effect) Bit 12', | |
| '%%5133': 'Undefined Access (no effect) Bit 13', | |
| '%%5134': 'Undefined Access (no effect) Bit 14', | |
| '%%5135': 'Undefined Access (no effect) Bit 15', | |
| '%%5136': 'Assign process', | |
| '%%5137': 'Set Attributes', | |
| '%%5138': 'Query Attributes', | |
| '%%5139': 'Terminate Job', | |
| '%%5140': 'Set Security Attributes', | |
| '%%5141': 'Undefined Access (no effect) Bit 5', | |
| '%%5142': 'Undefined Access (no effect) Bit 6', | |
| '%%5143': 'Undefined Access (no effect) Bit 7', | |
| '%%5144': 'Undefined Access (no effect) Bit 8', | |
| '%%5145': 'Undefined Access (no effect) Bit 9', | |
| '%%5146': 'Undefined Access (no effect) Bit 10', | |
| '%%5147': 'Undefined Access (no effect) Bit 11', | |
| '%%5148': 'Undefined Access (no effect) Bit 12', | |
| '%%5149': 'Undefined Access (no effect) Bit 13', | |
| '%%5150': 'Undefined Access (no effect) Bit 14', | |
| '%%5151': 'Undefined Access (no effect) Bit 15', | |
| '%%5376': 'ConnectToServer', | |
| '%%5377': 'ShutdownServer', | |
| '%%5378': 'InitializeServer', | |
| '%%5379': 'CreateDomain', | |
| '%%5380': 'EnumerateDomains', | |
| '%%5381': 'LookupDomain', | |
| '%%5382': 'Undefined Access (no effect) Bit 6', | |
| '%%5383': 'Undefined Access (no effect) Bit 7', | |
| '%%5384': 'Undefined Access (no effect) Bit 8', | |
| '%%5385': 'Undefined Access (no effect) Bit 9', | |
| '%%5386': 'Undefined Access (no effect) Bit 10', | |
| '%%5387': 'Undefined Access (no effect) Bit 11', | |
| '%%5388': 'Undefined Access (no effect) Bit 12', | |
| '%%5389': 'Undefined Access (no effect) Bit 13', | |
| '%%5390': 'Undefined Access (no effect) Bit 14', | |
| '%%5391': 'Undefined Access (no effect) Bit 15', | |
| '%%5392': 'ReadPasswordParameters', | |
| '%%5393': 'WritePasswordParameters', | |
| '%%5394': 'ReadOtherParameters', | |
| '%%5395': 'WriteOtherParameters', | |
| '%%5396': 'CreateUser', | |
| '%%5397': 'CreateGlobalGroup', | |
| '%%5398': 'CreateLocalGroup', | |
| '%%5399': 'GetLocalGroupMembership', | |
| '%%5400': 'ListAccounts', | |
| '%%5401': 'LookupIDs', | |
| '%%5402': 'AdministerServer', | |
| '%%5408': 'ReadInformation', | |
| '%%5409': 'WriteAccount', | |
| '%%5410': 'AddMember', | |
| '%%5411': 'RemoveMember', | |
| '%%5412': 'ListMembers', | |
| '%%5424': 'AddMember', | |
| '%%5425': 'RemoveMember', | |
| '%%5426': 'ListMembers', | |
| '%%5427': 'ReadInformation', | |
| '%%5428': 'WriteAccount', | |
| '%%5440': 'ReadGeneralInformation', | |
| '%%5441': 'ReadPreferences', | |
| '%%5442': 'WritePreferences', | |
| '%%5443': 'ReadLogon', | |
| '%%5444': 'ReadAccount', | |
| '%%5445': 'WriteAccount', | |
| '%%5446': 'ChangePassword (with knowledge of old password)', | |
| '%%5447': 'SetPassword (without knowledge of old password)', | |
| '%%5448': 'ListGroups', | |
| '%%5449': 'ReadGroupMembership', | |
| '%%5450': 'ChangeGroupMembership', | |
| '%%5632': 'View non-sensitive policy information', | |
| '%%5633': 'View system audit requirements', | |
| '%%5634': 'Get sensitive policy information', | |
| '%%5635': 'Modify domain trust relationships', | |
| '%%5636': 'Create special accounts (for assignment of user rights)', | |
| '%%5637': 'Create a secret object', | |
| '%%5638': 'Create a privilege', | |
| '%%5639': 'Set default quota limits', | |
| '%%5640': 'Change system audit requirements', | |
| '%%5641': 'Administer audit log attributes', | |
| '%%5642': 'Enable/Disable LSA', | |
| '%%5643': 'Lookup Names/SIDs', | |
| '%%5648': 'Change secret value', | |
| '%%5649': 'Query secret value', | |
| '%%5664': 'Query trusted domain name/SID', | |
| '%%5665': 'Retrieve the controllers in the trusted domain', | |
| '%%5666': 'Change the controllers in the trusted domain', | |
| '%%5667': 'Query the Posix ID offset assigned to the trusted domain', | |
| '%%5668': 'Change the Posix ID offset assigned to the trusted domain', | |
| '%%5680': 'Query account information', | |
| '%%5681': 'Change privileges assigned to account', | |
| '%%5682': 'Change quotas assigned to account', | |
| '%%5683': 'Change logon capabilities assigned to account', | |
| '%%6656': 'Enumerate desktops', | |
| '%%6657': 'Read attributes', | |
| '%%6658': 'Access Clipboard', | |
| '%%6659': 'Create desktop', | |
| '%%6660': 'Write attributes', | |
| '%%6661': 'Access global atoms', | |
| '%%6662': 'Exit windows', | |
| '%%6663': 'Unused Access Flag', | |
| '%%6664': 'Include this windowstation in enumerations', | |
| '%%6665': 'Read screen', | |
| '%%6672': 'Read Objects', | |
| '%%6673': 'Create window', | |
| '%%6674': 'Create menu', | |
| '%%6675': 'Hook control', | |
| '%%6676': 'Journal (record)', | |
| '%%6677': 'Journal (playback)', | |
| '%%6678': 'Include this desktop in enumerations', | |
| '%%6679': 'Write objects', | |
| '%%6680': 'Switch to this desktop', | |
| '%%6912': 'Administer print server', | |
| '%%6913': 'Enumerate printers', | |
| '%%6930': 'Full Control', | |
| '%%6931': 'Print', | |
| '%%6948': 'Administer Document', | |
| '%%7168': 'Connect to service controller', | |
| '%%7169': 'Create a new service', | |
| '%%7170': 'Enumerate services', | |
| '%%7171': 'Lock service database for exclusive access', | |
| '%%7172': 'Query service database lock state', | |
| '%%7173': 'Set last-known-good state of service database', | |
| '%%7184': 'Query service configuration information', | |
| '%%7185': 'Set service configuration information', | |
| '%%7186': 'Query status of service', | |
| '%%7187': 'Enumerate dependencies of service', | |
| '%%7188': 'Start the service', | |
| '%%7189': 'Stop the service', | |
| '%%7190': 'Pause or continue the service', | |
| '%%7191': 'Query information from service', | |
| '%%7192': 'Issue service-specific control commands', | |
| '%%7424': 'DDE Share Read', | |
| '%%7425': 'DDE Share Write', | |
| '%%7426': 'DDE Share Initiate Static', | |
| '%%7427': 'DDE Share Initiate Link', | |
| '%%7428': 'DDE Share Request', | |
| '%%7429': 'DDE Share Advise', | |
| '%%7430': 'DDE Share Poke', | |
| '%%7431': 'DDE Share Execute', | |
| '%%7432': 'DDE Share Add Items', | |
| '%%7433': 'DDE Share List Items', | |
| '%%7680': 'Create Child', | |
| '%%7681': 'Delete Child', | |
| '%%7682': 'List Contents', | |
| '%%7683': 'Write Self', | |
| '%%7684': 'Read Property', | |
| '%%7685': 'Write Property', | |
| '%%7686': 'Delete Tree', | |
| '%%7687': 'List Object', | |
| '%%7688': 'Control Access' } | |
| for id, text in ids.iteritems(): | |
| if string.find(id) >= 0: | |
| string_translated = string_translated + text + ", " | |
| return string_translated | |
| class HostResolv(): | |
| HOST_RESOLV_DYNAMIC_CACHE = {} | |
| # Dynamic host-ip cache. | |
| def refreshCache(data): | |
| ''' Refresh the HOST dynamic cache''' | |
| #action="refresh_asset_list" list={ossim-unstable-pro=192.168.2.18,crosa=192.168.2.130} id=all transaction="50653" | |
| logger.debug("Updating dynamic host cache... %s" % data) | |
| #HostResolv.HOST_RESOLV_DYNAMIC_CACHE.clear() | |
| pattern = "action=\"refresh_asset_list\"\s+list={(?P<list>.*)}" | |
| ipv4_reg = "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | |
| hostname_valid = "(([a-zA-Z]|[a-zA-Z][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z]|[A-Za-z][A-Za-z0-9\-]*[A-Za-z0-9])" | |
| reg_comp = re.compile(pattern) | |
| res = reg_comp.match(data) | |
| host_list = [] | |
| new_cache = {} | |
| if res is not None: | |
| tmp_list = res.group('list') | |
| if tmp_list is not None: | |
| host_list = tmp_list.split(';') | |
| logger.debug("HOST_LIST: %s" % host_list) | |
| for asset in host_list: | |
| if asset == '': | |
| continue | |
| ip, hostnames = asset.split('=') | |
| hostname_list = hostnames.split(',') | |
| logger.debug ("IP = %s , hostnamelist: %s" % (ip, hostname_list)) | |
| for hostname in hostname_list: | |
| hostname = hostname.strip() | |
| hostname = hostname.lower() | |
| if re.match(ipv4_reg, ip) and re.match(hostname_valid, hostname): | |
| if new_cache.has_key(hostname): | |
| if ip not in new_cache[hostname]: | |
| new_cache[hostname].append(ip) | |
| else: | |
| new_cache[hostname] = [] | |
| new_cache[hostname].append(ip) | |
| HostResolv.HOST_RESOLV_DYNAMIC_CACHE = new_cache | |
| HostResolv.printCache() | |
| HostResolv.saveHostCache() | |
| refreshCache = staticmethod(refreshCache) | |
| def saveHostCache(): | |
| logger.info("Saving dynamic host cache in /etc/ossim/agent/host_cache.dic") | |
| pickle.dump(HostResolv.HOST_RESOLV_DYNAMIC_CACHE, open("/etc/ossim/agent/host_cache.dic", "wb")) | |
| saveHostCache = staticmethod(saveHostCache) | |
| def loadHostCache(): | |
| if os.path.isfile("/etc/ossim/agent/host_cache.dic"): | |
| try: | |
| logger.debug("Loading dynamic host cache from '/etc/ossim/agent/host_cache.dic'") | |
| HostResolv.HOST_RESOLV_DYNAMIC_CACHE = pickle.load(open("/etc/ossim/agent/host_cache.dic")) | |
| HostResolv.printCache() | |
| except: | |
| logger.warning("Deleting corrupt file host_cache_pro.dic") | |
| os.remove("/etc/ossim/agent/host_cache_pro.dic") | |
| return False | |
| else: | |
| return False | |
| return True | |
| loadHostCache = staticmethod(loadHostCache) | |
| def printCache(): | |
| logger.debug("------------------ Dynamic cache ---------------------") | |
| for host, ip in HostResolv.HOST_RESOLV_DYNAMIC_CACHE.items(): | |
| logger.debug("%s -------->> %s" % (host, ip)) | |
| logger.debug ("------------------------------------------------------") | |
| printCache = staticmethod(printCache) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment