← Back to branch summary

~ubuntu-branches/ubuntu/natty/prelude-correlator/natty

« back to all changes in this revision

Viewing changes to PreludeCorrelator/plugins/firewall.py

  • Committer: Bazaar Package Importer
  • Author(s): Pierre Chifflier
  • Date: 2009-06-19 14:30:51 UTC
  • mfrom: (1.1.1 upstream)
  • Revision ID: james.westby@ubuntu.com-20090619143051-m68mjtjcye0ei0e3
Tags: 0.9.0~beta5-1
* New upstream release
  - Prelude Correlator has switched to Python, see
  http://lists.prelude-ids.org/pipermail/prelude-user/2009-April/005163.html
  for the explanation.
  - Support DShield <http://www.dshield.org/> correlation
* Switch package to architecture-independant
* Use python-support
* Bump standards version to 3.8.2 (no changes)

Show diffs side-by-side

added added

removed removed

Lines of Context:
PreludeCorrelator/plugins/firewall.py
 
1
# Copyright (C) 2009 PreludeIDS Technologies. All Rights Reserved.
 
2
# Author: Yoann Vandoorselaere <yoann.v@prelude-ids.com>
 
3
#
 
4
# This file is part of the Prelude-Correlator program.
 
5
#
 
6
# This program is free software; you can redistribute it and/or modify
 
7
# it under the terms of the GNU General Public License as published by
 
8
# the Free Software Foundation; either version 2, or (at your option)
 
9
# any later version.
 
10
#
 
11
# This program is distributed in the hope that it will be useful,
 
12
# but WITHOUT ANY WARRANTY; without even the implied warranty of
 
13
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 
14
# GNU General Public License for more details.
 
15
#
 
16
# You should have received a copy of the GNU General Public License
 
17
# along with this program; see the file COPYING.  If not, write to
 
18
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
 
19
 
 
20
import re
 
21
from PreludeCorrelator import context
 
22
from PreludeCorrelator.pluginmanager import Plugin
 
23
 
 
24
class FirewallPlugin(Plugin):
 
25
    def run(self, idmef):
 
26
        source = idmef.Get("alert.source(0).node.address(0).address")
 
27
        sport = idmef.Get("alert.source(0).service.port", 0)
 
28
        target = idmef.Get("alert.target(0).node.address(0).address")
 
29
        dport = idmef.Get("alert.target(0).service.port", 0)
 
30
 
 
31
        if not source or not target:
 
32
                return
 
33
 
 
34
        ctxname = "FIREWALL_" + source + str(sport) + target + str(dport)
 
35
 
 
36
        if idmef.match("alert.classification.text", re.compile("[Pp]acket [Dd]ropped|[Dd]enied")):
 
37
                # Update context if any, removing the alert_on_expire attribute.
 
38
                ctx = context.Context(ctxname, { "expire": 10 }, update = True)
 
39
        else:
 
40
                # Begins a timer for every event that contains a source and a target
 
41
                # address which has not been matched by an observed packet denial.  If a packet
 
42
                # denial is not observed in the next 10 seconds, an event alert is generated.
 
43
 
 
44
                if not context.search(ctxname):
 
45
                        ctx = context.Context(ctxname, { "expire": 10, "alert_on_expire": True })
 
46
                        ctx.Set("alert.source", idmef.Get("alert.source"))
 
47
                        ctx.Set("alert.target", idmef.Get("alert.target"))
 
48
                        ctx.Set("alert.assessment", idmef.Get("alert.assessment"))
 
49
                        ctx.Set("alert.classification", idmef.Get("alert.classification"))
 
50
                        ctx.Set("alert.correlation_alert.name", "Events to firewall correlation")
 
51
                        ctx.Set("alert.correlation_alert.alertident(0).analyzerid", idmef.Get("alert.analyzer(*).analyzerid")[-1])
 
52
                        ctx.Set("alert.correlation_alert.alertident(0).alertident", idmef.Get("alert.messageid"))