Last active
October 11, 2016 09:56
-
-
Save dvas0004/3cac9cbe20b379732a0c to your computer and use it in GitHub Desktop.
EPS Monitor Script
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| import MySQLdb | |
| import ConfigParser | |
| import smtplib | |
| import os | |
| #get database settings | |
| # hack to comply with Alienvault config file format: | |
| from io import StringIO | |
| filename = '/etc/ossim/ossim_setup.conf' | |
| vfile = StringIO(u'[misc]\n%s' % open(filename).read()) | |
| db_config = ConfigParser.ConfigParser() | |
| db_config.readfp(vfile) | |
| db_ip=db_config.get("database", "db_ip") | |
| db_user=db_config.get("database", "user") | |
| db_password=db_config.get("database", "pass") | |
| #read settings from config file | |
| ## sample config file | |
| # [settings] | |
| # default_interval_mins=5 | |
| # default_threshold=1000 | |
| # smtp_server=127.0.0.1 | |
| # recipient=someone@example.com | |
| # sender=alienvault@example.com | |
| # | |
| # [thresholds] | |
| # sensorname=1000 | |
| eps_config = ConfigParser.ConfigParser() | |
| eps_config.read("/etc/ossim/eps_monitor.conf") | |
| default_interval_mins=eps_config.get("settings", "default_interval_mins") | |
| default_threshold=eps_config.get("settings", "default_threshold") | |
| thresholds=eps_config.options("thresholds") | |
| db = MySQLdb.connect( db_ip, db_user, db_password, "alienvault" ) | |
| cursor = db.cursor() | |
| # execute SQL query using execute() method. | |
| cursor.execute("select hex(id),name from sensor") | |
| results = cursor.fetchall() | |
| db.close() | |
| for row in results: | |
| print os.linesep | |
| db = MySQLdb.connect( db_ip, db_user, db_password, "alienvault_siem" ) | |
| cursor = db.cursor() | |
| sql ='select COUNT(*) from acid_event WHERE device_id in (select id from device where hex(sensor_id)="'+row[0]+'") AND timestamp > now() - INTERVAL '+default_interval_mins+' MINUTE;' | |
| cursor.execute(sql) | |
| result = cursor.fetchone() | |
| print "%s: %s" % (row[1],result[0]) | |
| if row[1].lower() in thresholds: | |
| sensor_threshold = int(eps_config.get('thresholds', row[1])) | |
| else: | |
| sensor_threshold = int(default_threshold) | |
| if result[0] < sensor_threshold: | |
| sender = eps_config.get('settings', 'sender') | |
| recipient = eps_config.get('settings', 'recipient') | |
| smtp_server = eps_config.get('settings', 'smtp_server') | |
| message = """From: AlienVault EPS Monitor <%s> | |
| To: <%s> | |
| Subject: AlienVault EPS monitor alert | |
| This alert has been triggered since the generated EPS of sensor %s is currently %s | |
| """ % (sender, recipient, row[1], result[0]) | |
| try: | |
| smtpObj = smtplib.SMTP(smtp_server) | |
| smtpObj.sendmail(sender, recipient, message) | |
| print "Successfully sent email" | |
| except SMTPException: | |
| print "Error: unable to send email" | |
| else: | |
| print "looking good..." | |
| db.close() | |
| print os.linesep |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment