Sophie: prelude-correlator-5.0.1-1.mga7 noarch

prelude-correlator-5.0.1-1.mga7.noarch.rpm

# Copyright (C) 2006 G Ramon Gomez <gene at gomezbrothers dot com>
# Copyright (C) 2009-2018 CS-SI <support.prelude@c-s.fr>
#
# This file is part of the Prelude-Correlator program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

# Detect Eventscan:
# Playing multiple events from a single host against another single host

from preludecorrelator.context import Context
from preludecorrelator.pluginmanager import Plugin


# Detect Eventsweep:
# Playing the same event from a single host against multiple hosts
class EventSweepPlugin(Plugin):
    def run(self, idmef):
        classification = idmef.get("alert.classification.text")
        source = idmef.get("alert.source(*).node.address(*).address")
        target = idmef.get("alert.target(*).node.address(*).address")

        if not source or not target or not classification:
            return

        for saddr in source:
            ctx = Context(("SCAN EVENTSWEEP", classification, saddr),
                          {"expire": 60, "threshold": 30, "alert_on_expire": True}, overwrite=False, ruleid=self.name)
            if ctx.getUpdateCount() == 0:
                ctx.set("alert.correlation_alert.name",
                        "A single host has played the same event against multiple targets. This may be a network scan "
                        "for a specific vulnerability")
                ctx.set("alert.classification.text", "Eventsweep")
                ctx.set("alert.assessment.impact.severity", "high")

            cur = ctx.get("alert.target(*).node.address(*).address")
            if cur:
                for address in target:
                    if address in cur:
                        return

            ctx.update(idmef=idmef, timer_rst=ctx.getUpdateCount())