#!/usr/bin/python | |
from __future__ import print_function

import json
import os
import sys

from elasticsearch import Elasticsearch
from elasticsearch import helpers
from slackclient import SlackClient
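def _count_failed_logins(events):
    """Count logon-failure hits (event_id 4625) per ``log_name`` value.

    Args:
        events: iterable of Elasticsearch hit dicts; each must carry a
            ``_source`` dict with ``event_id`` and ``log_name`` keys.

    Returns:
        dict mapping each ``log_name`` value to its number of 4625 hits.
    """
    users = {}  # log_name -> number of failed logins
    for hit in events:
        source = hit['_source']
        print(source["event_id"])
        # 4625 is the Windows "An account failed to log on" event id.
        # NOTE(review): if event_id is indexed as a string this comparison
        # never matches — confirm against the index mapping.
        if source["event_id"] == 4625:
            print("One event")
            name = source['log_name']
            # NOTE(review): log_name is used as the account name here; in
            # Windows event logs that field commonly holds the channel name
            # (e.g. "Security") — verify which field carries the user.
            if name in users:
                print("Count increasing {}".format(name))
            else:
                print("new user {}".format(name))
            users[name] = users.get(name, 0) + 1
        print("_______________________________________________________")
        print(" NEXT ")
        print("______________________________________________________")
    return users


def search_brute_force(index='fun-2018.02.16', threshold=20, channel='project',
                       slack_token=None, es_host='localhost:9200'):
    """Scan an Elasticsearch index for logon failures and alert Slack on bursts.

    All arguments are optional keywords whose defaults reproduce the values
    that were previously hard-coded, so existing ``search_brute_force()``
    callers keep working.

    Args:
        index: Elasticsearch index to scan.
        threshold: per-name failed-login count above which an alert is sent.
        channel: Slack channel that receives the alert.
        slack_token: Slack API token. When omitted it is read from the
            SLACK_API_TOKEN environment variable (variable name chosen here)
            so the secret does not live in the source file.
        es_host: Elasticsearch ``host:port`` to connect to.

    Exits the process with status -1 when no token is available or the
    cluster cannot be reached.
    """
    token = slack_token or os.environ.get("SLACK_API_TOKEN")
    if not token:
        print("[-] ERROR, NO SLACK API TOKEN GIVEN (set SLACK_API_TOKEN)")
        sys.exit(-1)
    s = SlackClient(token)
    try:
        # The client constructor does not open a connection; ping() is what
        # actually verifies the server is reachable.
        es = Elasticsearch(es_host)
        if not es.ping():
            raise IOError("ping to {} failed".format(es_host))
        print("[+] SUCCESSFULLY CONNECTED TO ELASTICSEARCH SERVER")
    except Exception as exc:
        print("[-] ERROR, COULD NOT CONNECT TO THE ELASTICSEARCH SERVER, CHECK YOU NETWORK CONNECTION")
        print("[-] NOW EXITING !!!!!!!!!!!!!!!")
        print("[-] {}".format(exc))
        sys.exit(-1)
    body1 = {
        "query": {
            "match_all": {}  # matches every document; narrow it to your needs
        }
    }
    results = helpers.scan(es, query=body1, index=index)
    print("[*] Successfully sent the query and here is the result")
    users = _count_failed_logins(results)
    for user, count in users.items():
        # The number of failed logins for a single name in one day should
        # not be this high.
        if count > threshold:
            print("[*] Possible brute force {}".format(user))
            msg = "[*] Possible brute force attempt by {}".format(user)
            msg = msg + "\n\n"
            resp = s.api_call("chat.postMessage", channel=channel, text=msg)
            # api_call reports failure in the response body rather than raising.
            if not resp.get("ok"):
                print("[-] Slack post failed: {}".format(resp.get("error")))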
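if __name__ == "__main__":
    # Run the scan only when executed as a script, not when imported.
    search_brute_force()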