
# Copyright (C) 2009 PreludeIDS Technologies. All Rights Reserved.
# Author: Yoann Vandoorselaere <yoann.v@prelude-ids.com>
# Author: Sebastien Tricaud <stricaud@inl.fr>
#
# This file is part of the Prelude-Correlator program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING.  If not, write to
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.

import os, httplib, time
from PreludeCorrelator import context
from PreludeCorrelator import require
from PreludeCorrelator.idmef import IDMEF
from PreludeCorrelator.pluginmanager import Plugin


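class DshieldPlugin(Plugin):
    """Correlate alert source addresses against the DShield attacker list.

    The list is downloaded from ``server``/``uri`` into a local data file,
    refreshed every ``reload`` seconds, and held in memory as a dict keyed
    by normalised dotted-quad IP.  ``run`` raises a correlation alert
    whenever an incoming alert's source address is in that dict.

    Configuration keys (read through ``getConfigValue``, defaults below):
    ``reload``, ``filename``, ``server``, ``uri``, ``timeout``.
    """
    DSHIELD_RELOAD = 7 * 24 * 60 * 60       # seconds between refreshes (one week)
    DSHIELD_SERVER = "www.dshield.org"
    DSHIELD_URI = "/ipsascii.html?limit=10000"
    DSHIELD_TIMEOUT = 10                     # socket timeout, seconds
    DSHIELD_FILENAME = require.get_data_filename(__name__, "dshield.dat")
    # Tab-separated columns expected on each data line:
    # ip, reports, attacks, first_seen, last_seen.
    DSHIELD_FIELDS = 5

    def __ipNormalize(self, ip):
        """Return *ip* with leading zeros stripped from each octet.

        The feed presumably zero-pads octets ("010.000.000.001"); alert
        addresses usually do not, so both sides are canonicalised before
        lookup.  An all-zero octet must become "0", not "" (a bare
        ``lstrip("0")`` turns "10.0.0.1" into "10...1", which can never
        match).  Anything that is not four numeric octets (IPv6, hostnames)
        is returned unchanged.
        """
        octets = ip.split(".")
        if len(octets) != 4 or not all(o.isdigit() for o in octets):
            return ip
        return ".".join(o.lstrip("0") or "0" for o in octets)

    def __loadData(self, age=0):
        """(Re)build the in-memory IP table from the local data file.

        Args:
            age: seconds since the data file was written; the next refresh
                 is scheduled ``reload - age`` seconds from now so the
                 refresh cadence survives a restart.

        Lines starting with '#' are comments.  Every other line must hold
        DSHIELD_FIELDS tab-separated columns.  Since the file comes from the
        network, malformed lines are counted and skipped instead of aborting
        the load (and thereby the plugin).
        """
        self.__iphash.clear()
        skipped = 0

        with open(self.__filename, "r") as fd:
            for line in fd:
                # Strip the line terminator so last_seen does not carry "\n"
                # into the alert description.
                line = line.rstrip("\r\n")
                if not line or line.startswith("#"):
                    continue

                fields = line.split("\t")
                if len(fields) != self.DSHIELD_FIELDS:
                    skipped += 1
                    continue

                ip, reports, attacks, first_seen, last_seen = fields
                try:
                    self.__iphash[self.__ipNormalize(ip)] = (int(reports), int(attacks), first_seen, last_seen)
                except ValueError:
                    skipped += 1

        if skipped:
            self.info("Ignored %d malformed line(s) in %s" % (skipped, self.__filename))

        if self.__reload > 0:
            context.Timer(self.__reload - age, self.__retrieveData).start()

    def __downloadData(self):
        """Fetch the host list from the configured server into the data file.

        Raises:
            Exception: if the server answers with a non-200 status.  Socket
            errors raised by httplib propagate unchanged.

        The body is written to ``<filename>.tmp`` and renamed into place only
        once it has been written completely, so an interrupted download never
        leaves a truncated file with a fresh mtime (which __retrieveData
        would otherwise trust for another ``reload`` seconds).

        NOTE(review): the list is fetched over plain HTTP with no integrity
        check, so its contents are only as trustworthy as the network path
        to the server; pointing ``server`` at an HTTPS endpoint would need
        httplib.HTTPSConnection here.
        """
        self.info("Downloading host list, this might take some time...")

        try:
            con = httplib.HTTPConnection(self.__server, timeout=self.__timeout)
        except TypeError:
            # Older httplib without a timeout argument.
            con = httplib.HTTPConnection(self.__server)

        try:
            con.request("GET", self.__uri)
            r = con.getresponse()
            if r.status != 200:
                raise Exception("Could not download DShield host list, error %d" % r.status)
            body = r.read()
        finally:
            con.close()

        tmpname = self.__filename + ".tmp"
        with open(tmpname, "w") as fd:
            fd.write(body)
        os.rename(tmpname, self.__filename)

        self.info("Downloading done, processing data.")

    def __retrieveData(self, timer=None):
        """Load the IP table, downloading a fresh copy first when it is stale.

        Args:
            timer: the context.Timer that fired when invoked as a timer
                   callback; unused.

        The local file is reused when reloading is disabled (``reload <= 0``)
        or when it is younger than ``reload`` seconds.  A missing file
        (OSError from os.stat) simply triggers a download; any other error
        propagates.
        """
        try:
            mtime = os.stat(self.__filename).st_mtime
        except OSError:
            mtime = None

        if mtime is not None:
            age = time.time() - mtime
            if self.__reload <= 0 or age < self.__reload:
                return self.__loadData(age)

        self.__downloadData()
        self.__loadData()

    def __init__(self, env):
        """Read the plugin configuration and prime the IP table.

        Args:
            env: the correlator environment handed to every Plugin.
        """
        Plugin.__init__(self, env)

        self.__iphash = {}
        self.__reload = self.getConfigValue("reload", self.DSHIELD_RELOAD, type=int)
        self.__filename = self.getConfigValue("filename", self.DSHIELD_FILENAME)
        self.__server = self.getConfigValue("server", self.DSHIELD_SERVER)
        self.__uri = self.getConfigValue("uri", self.DSHIELD_URI)
        self.__timeout = self.getConfigValue("timeout", self.DSHIELD_TIMEOUT, type=float)
        # Blocks on the first download when no usable data file exists yet.
        self.__retrieveData()

    def run(self, idmef):
        """Raise a DSHIELD correlation alert for each listed source address.

        Args:
            idmef: the incoming IDMEF alert.

        One context per source address is kept for 300 seconds; the
        classification fields are set only on the first hit, later alerts
        from the same address merely refresh the context.
        """
        for source in idmef.Get("alert.source(*).node.address(*).address"):
            if not source:
                continue

            entry = self.__iphash.get(self.__ipNormalize(source))
            if not entry:
                continue

            reports, attacks, first_seen, last_seen = entry
            ca = context.Context(("DSHIELD", source), {"expire": 300, "alert_on_expire": True}, update=True, idmef=idmef)
            if ca.getUpdateCount() == 0:
                ca.Set("alert.classification.text", "IP source matching Dshield database")
                ca.Set("alert.correlation_alert.name", "IP source matching Dshield database")
                ca.Set("alert.assessment.impact.description", "Dshield gathered this IP address from firewall drops logs (%s - reports: %d, attacks: %d, first/last seen: %s - %s)" % (source, reports, attacks, first_seen, last_seen))
                ca.Set("alert.assessment.impact.severity", "high")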