# Copyright (C) 2009 PreludeIDS Technologies. All Rights Reserved.
# Author: Yoann Vandoorselaere <yoann.v@prelude-ids.com>
# This file is part of the Prelude-Correlator program.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING. If not, write to
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
from PreludeCorrelator import context
from PreludeCorrelator.pluginmanager import Plugin
class FirewallPlugin(Plugin):
source = idmef.Get("alert.source(0).node.address(0).address")
sport = idmef.Get("alert.source(0).service.port", 0)
target = idmef.Get("alert.target(0).node.address(0).address")
dport = idmef.Get("alert.target(0).service.port", 0)
if not source or not target:
ctxname = "FIREWALL_" + source + str(sport) + target + str(dport)
if idmef.match("alert.classification.text", re.compile("[Pp]acket [Dd]ropped|[Dd]enied")):
# Update context if any, removing the alert_on_expire attribute.
ctx = context.Context(ctxname, { "expire": 10 }, update = True)
# Begins a timer for every event that contains a source and a target
# address which has not been matched by an observed packet denial. If a packet
# denial is not observed in the next 10 seconds, an event alert is generated.
if not context.search(ctxname):
ctx = context.Context(ctxname, { "expire": 10, "alert_on_expire": True })
ctx.Set("alert.source", idmef.Get("alert.source"))
ctx.Set("alert.target", idmef.Get("alert.target"))
ctx.Set("alert.assessment", idmef.Get("alert.assessment"))
ctx.Set("alert.classification", idmef.Get("alert.classification"))
ctx.Set("alert.correlation_alert.name", "Events to firewall correlation")
ctx.Set("alert.correlation_alert.alertident(0).analyzerid", idmef.Get("alert.analyzer(*).analyzerid")[-1])
ctx.Set("alert.correlation_alert.alertident(0).alertident", idmef.Get("alert.messageid"))