/usr/share/pyshared/PreludeCorrelator/plugins/firewall.py is in prelude-correlator 1.0.0-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 | # Copyright (C) 2009 PreludeIDS Technologies. All Rights Reserved.
# Author: Yoann Vandoorselaere <yoann.v@prelude-ids.com>
#
# This file is part of the Prelude-Correlator program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING. If not, write to
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
import re, time
from PreludeCorrelator import context
from PreludeCorrelator.pluginmanager import Plugin
def _evict(ctx):
now = time.time()
for target, values in ctx._protected_hosts.items():
if now - values[0] > ctx._flush_protected_hosts:
ctx._protected_hosts.pop(target)
ctx.reset()
def _alert(ctx):
cnt = 0
fw = context.search("FIREWALL INFOS")
for idmef in ctx.candidates:
source = idmef.Get("alert.source(0).node.address(0).address")
target = idmef.Get("alert.target(0).node.address(0).address")
dport = str(idmef.Get("alert.target(0).service.port", 0))
if not fw._protected_hosts.has_key(target):
continue
if fw._protected_hosts[target][1].has_key(source + dport):
continue
cnt += 1
ctx.addAlertReference(idmef)
if cnt > 0:
ctx.Set("alert.classification.text", "Events hit target")
ctx.Set("alert.assessment.impact.severity", "medium")
ctx.Set("alert.assessment.impact.description", "The target are known to be protected by a Firewall device, but a set of event have not been dropped")
ctx.Set("alert.correlation_alert.name", "No firewall block observed")
ctx.alert()
ctx.destroy()
class FirewallPlugin(Plugin):
def __init__(self, env):
Plugin.__init__(self, env)
self._flush_protected_hosts = self.getConfigValue("flush-protected-hosts", 3600, type=int)
def run(self, idmef):
source = idmef.Get("alert.source(0).node.address(0).address")
scat = idmef.Get("alert.source(0).node.address(0).category")
target = idmef.Get("alert.target(0).node.address(0).address")
tcat = idmef.Get("alert.target(0).node.address(0).category")
dport = idmef.Get("alert.target(0).service.port")
if not source or not target or not dport:
return
if scat not in ("ipv4-addr", "ipv6-addr") or tcat not in ("ipv4-addr", "ipv6-addr"):
return
ctx = context.Context("FIREWALL INFOS", { "expire": self._flush_protected_hosts, "alert_on_expire": _evict }, update=True)
if ctx.getUpdateCount() == 0:
ctx._protected_hosts = {}
ctx._flush_protected_hosts = self._flush_protected_hosts
if idmef.match("alert.classification.text", re.compile("[Pp]acket [Dd]ropped|[Dd]enied")):
if not ctx._protected_hosts.has_key(target):
ctx._protected_hosts[target] = [0, {}]
ctx._protected_hosts[target][0] = float(idmef.getTime())
ctx._protected_hosts[target][1][source + str(dport)] = True
else:
if not ctx._protected_hosts.has_key(target):
return
if time.time() - ctx._protected_hosts[target][0] > self._flush_protected_hosts:
ctx._protected_hosts.pop(target)
return;
if ctx._protected_hosts[target][1].has_key(source + str(dport)):
return
ctx = context.Context(("FIREWALL", source), { "expire": 120, "alert_on_expire": _alert }, update=True)
if ctx.getUpdateCount() == 0:
ctx.candidates = []
ctx.candidates.append(idmef)
|