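import sys
import time
import calendar

# Developer-machine paths to the libprelude / libpreludedb Python bindings.
# They shadow any system-installed copy because they are inserted at index 0.
sys.path.insert(0, "/home/nicolas/prelude/dev/lib/libprelude/bindings/python")
sys.path.insert(0, "/home/nicolas/prelude/dev/lib/libpreludedb/bindings/python")

from preludedb import *
from _prelude import *


# Display category for each IDMEF value type constant exported by _prelude.
# Built once at import time instead of on every get_idmef_object_type() call.
_IDMEF_VALUE_TYPE_NAMES = {
    IDMEF_VALUE_TYPE_INT16: "integer",
    IDMEF_VALUE_TYPE_UINT16: "integer",
    IDMEF_VALUE_TYPE_INT32: "integer",
    IDMEF_VALUE_TYPE_UINT32: "integer",
    IDMEF_VALUE_TYPE_INT64: "integer",
    IDMEF_VALUE_TYPE_UINT64: "integer",
    IDMEF_VALUE_TYPE_FLOAT: "float",
    IDMEF_VALUE_TYPE_DOUBLE: "float",
    IDMEF_VALUE_TYPE_STRING: "string",
    IDMEF_VALUE_TYPE_TIME: "time",
    IDMEF_VALUE_TYPE_DATA: "string",
    IDMEF_VALUE_TYPE_ENUM: "enum",
}


def _is_null(value):
    """Return True when *value* should be rendered as a missing field.

    Any falsy value (None, 0, "", empty container) counts as null, as does
    the literal string "NULL" that the database layer may hand back.
    """
    if not value:
        return True
    if value == "NULL":
        return True
    return False


def get_idmef_object_type(name):
    """Return the display category ("integer", "float", "string", "time",
    "enum") of the IDMEF object called *name*, or None if the name is not a
    valid IDMEF path or its value type is not in the known table.

    The temporary idmef object is always destroyed, even if querying its
    value type raises.
    """
    obj = idmef_object_new_fast(name)
    if not obj:
        return None

    try:
        value_type = idmef_object_get_value_type(obj)
    finally:
        idmef_object_destroy(obj)

    return _IDMEF_VALUE_TYPE_NAMES.get(value_type)


class IDMEFAlert:
    """Thin presentation wrapper around a libpreludedb alert object.

    Every accessor returns a string suitable for direct display and maps
    missing or NULL fields to the literal "n/a".
    """

    def __init__(self, alert):
        self.alert = alert

    def __getitem__(self, object_name):
        """Return the alert field *object_name* as a string, or "n/a"."""
        value = self.alert[object_name]
        if _is_null(value):
            return "n/a"
        return str(value)

    def __getSourceOrTarget(self, element, index):
        """Describe the *index*-th "source"/"target" of the alert.

        Preference order: node address (optionally with ":port"), then
        process name (optionally with " (PID:n)"), then user name
        (optionally with " (UID:n)"). Returns None when none of these is set.
        """
        prefix = "alert.%s(%d)." % (element, index)

        address = self.alert[prefix + "node.address(0).address"]
        if not _is_null(address):
            port = self.alert[prefix + "service.port"]
            if not _is_null(port):
                address += ":%s" % port
            return address

        name = self.alert[prefix + "process.name"]
        if not _is_null(name):
            pid = self.alert[prefix + "process.pid"]
            if pid:
                return "%s (PID:%d)" % (name, pid)
            return name

        name = self.alert[prefix + "user.userid(0).name"]
        if not _is_null(name):
            uid = self.alert[prefix + "user.userid(0).number"]
            # A userid may carry a name without a number; formatting a
            # missing value with %d would raise TypeError. UID 0 (root) is a
            # real id, so only a genuinely absent value drops the suffix.
            if uid is None or uid == "NULL":
                return name
            return "%s (UID:%d)" % (name, uid)

        return None

    def __getFirstSourceOrTarget(self, element):
        """Return the first describable "source"/"target", or "n/a".

        Iterates alert.<element>(i) while an ident exists at index i.
        """
        index = 0
        while self.alert["alert.%s(%d).ident" % (element, index)] is not None:
            description = self.__getSourceOrTarget(element, index)
            if description is not None:
                return description
            index += 1
        return "n/a"

    def getFirstSource(self):
        """Return a display string for the first source, or "n/a"."""
        return self.__getFirstSourceOrTarget("source")

    def getFirstTarget(self):
        """Return a display string for the first target, or "n/a"."""
        return self.__getFirstSourceOrTarget("target")

    def getElement(self, element, subElement):
        """Return the first non-null alert.<element>(i).<subElement> as a
        string, scanning i while alert.<element>(i).ident exists; "n/a" if
        none is set.
        """
        index = 0
        while self.alert["alert.%s(%d).ident" % (element, index)] is not None:
            value = self.alert["alert.%s(%d).%s" % (element, index, subElement)]
            if not _is_null(value):
                return str(value)
            index += 1
        return "n/a"

    def getSensor(self):
        """Return the analyzer model, shortened for the two Prelude sensors."""
        sensor = self.alert["alert.analyzer.model"]
        if _is_null(sensor):
            return "n/a"
        if sensor == "Prelude Log Monitoring Lackey":
            return "Prelude LML"
        if sensor == "Prelude Network Intrusion Detection System":
            return "Prelude NIDS"
        return sensor

    def getTime(self, object="alert.detect_time"):
        """Return the time field *object* formatted in local time.

        Shows only "HH:MM:SS" when the timestamp falls on today's date,
        otherwise "YYYY-MM-DD HH:MM:SS". A missing value is treated as the
        epoch (0). The parameter is named ``object`` for caller compatibility.
        """
        raw = self.alert[object]
        seconds = int(raw) if raw else 0

        tm = time.localtime(seconds)
        # Compare (year, month, day) against now to detect "today".
        if tm[:3] == time.localtime()[:3]:
            return time.strftime("%H:%M:%S", tm)
        return time.strftime("%Y-%m-%d %H:%M:%S", tm)

    def getCreateTime(self):
        """Return alert.create_time formatted like getTime()."""
        return self.getTime("alert.create_time")

    def __repr__(self):
        return repr(self.alert)


class DB(PreludeDB):
    """Connected preludedb handle with convenience queries for the UI."""

    def __init__(self, conf):
        PreludeDB.__init__(self,
                           type=conf.getDBtype(),
                           host=conf.getDBhost(),
                           port=conf.getDBport(),
                           name=conf.getDBname(),
                           user=conf.getDBuser(),
                           password=conf.getDBpassword())
        self.connect()
        # NOTE(review): the message cache lives at a fixed, predictable path
        # in the shared /tmp directory, so any local user can pre-create or
        # replace it. A per-user or per-service directory with restrictive
        # permissions would be safer; kept as-is to preserve behaviour.
        self.enable_message_cache("/tmp/dbcache")

    def getAlert(self, analyzerid, ident):
        """Fetch one alert and wrap it in IDMEFAlert.

        The UI passes "n/a" for an unknown analyzer; that maps to id 0.
        """
        if analyzerid == "n/a":
            analyzerid = 0
        alert = PreludeDB.get_alert(self, analyzerid, ident)
        return IDMEFAlert(alert)

    def getTotalAlertCount(self):
        """Return the number of stored alerts, or None if the query fails."""
        return self.getValue("count(alert.ident)")

    def getSourceIPCount(self):
        """Return the number of distinct source addresses."""
        return self.getUniqueCount("alert.source.node.address.address")

    def getTargetIPCount(self):
        """Return the number of distinct target addresses."""
        return self.getUniqueCount("alert.target.node.address.address")

    def getAlertClassificationCount(self):
        """Return the number of distinct classification names."""
        return self.getUniqueCount("alert.classification.name")

    def getTargetProtocolCount(self):
        """Return the number of distinct target service protocols."""
        return self.getUniqueCount("alert.target.service.protocol")

    def getAnalyzerClassCount(self):
        """Return the number of distinct analyzer classes."""
        return self.getUniqueCount("alert.analyzer.class")

    def getFirstAlertTime(self):
        """Return the earliest detect_time, or None if there are no alerts."""
        return self.getValue("min(alert.detect_time)")

    def getLastAlertTime(self):
        """Return the latest detect_time, or None if there are no alerts."""
        return self.getValue("max(alert.detect_time)")

    def getUniqueCount(self, object):
        """Return how many distinct values *object* takes across all alerts.

        Uses a grouped count and returns the number of groups; 0 when the
        query yields nothing.
        """
        rows = self.get_values(selection=["count(%s)" % object,
                                          "%s/group_by" % object])
        if not rows:
            return 0
        return len(rows)

    def getValue(self, object):
        """Return the single scalar selected by *object*, or None when the
        result set is empty or malformed.
        """
        rows = self.get_values(selection=[object])
        try:
            return rows[0][0]
        except (TypeError, IndexError):
            return None

    def getAlertIdentList(self, start, value, unit):
        """Return the idents of alerts whose detect_time falls in a window
        of *value* *unit*s ending *start* units ago.

        *unit* is one of "minute"/"min", "hour", "day", "week" (weeks are
        rewritten to days anchored on the current weekday). When *start* is
        0 and the unit is minute/hour, the window is anchored on the last
        completed period rather than the current one.
        """
        if unit == "minute":
            unit = "min"

        anchor = "current"
        if start == 0:
            if unit in ("min", "hour"):
                anchor = "last"
                start -= 1
            elif unit == "week":
                unit = "day"
                value = (value - 1) * 7 + time.localtime().tm_wday + 1
        elif unit == "week":
            unit = "day"
            value *= 7
            start = (start - 1) * 7 + time.localtime().tm_wday + 1

        # NOTE(review): `unit` is interpolated into the criteria string
        # without validation (start/value are constrained to numbers by %d).
        # If `unit` can originate from a request parameter, restrict it to the
        # known unit names before reaching this point — TODO confirm callers.
        criteria_str = ("alert.detect_time > '%s:%s-%d' && "
                        "alert.detect_time <= '%s:%s-%d'"
                        % (unit, anchor, start + value, unit, anchor, start))

        criteria = IDMEFCriteria(criteria_str)
        return self.get_alert_ident_list(criteria)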