authorEddie Arrage <eddie.arrage@huawei.com>2018-04-24 00:22:07 +0000
committerEddie Arrage <eddie.arrage@huawei.com>2018-04-24 00:27:37 +0000
commitb6eb062e73bea5a85fbd7c43e3661208796dc360 (patch)
tree04c0f3970e1ef81c0d8e8cffa32832d41c990d71 /samples/services/snort_ids/docker/grpc/snort_alerts.py
parent6774a5be4f59b325af1d51af3b88d06edd9f76c0 (diff)
Fix snort rule with blank content & WR packet in alert
- Fix bug with addition of content field in rule definition that causes rules with a blank content field to inhibit snort from starting successfully. - Write more of the packet data for snort alert into Redis - Above includes X-Real-IP, X-Forwarded-For header fields for http traffic from proxy that shows source IP Some packet data is missing in alerts from snort. Change-Id: I2c5c29e514d1ca9e8e5b9b3f7990afa87c6311b9 Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
Diffstat (limited to 'samples/services/snort_ids/docker/grpc/snort_alerts.py')
-rw-r--r--samples/services/snort_ids/docker/grpc/snort_alerts.py18
1 files changed, 10 insertions, 8 deletions
diff --git a/samples/services/snort_ids/docker/grpc/snort_alerts.py b/samples/services/snort_ids/docker/grpc/snort_alerts.py
index 4cb87e2..25d1738 100644
--- a/samples/services/snort_ids/docker/grpc/snort_alerts.py
+++ b/samples/services/snort_ids/docker/grpc/snort_alerts.py
@@ -14,7 +14,7 @@ from idstools import unified2
HOST_IP = 'redis'
-PROXY_GRPC = 'proxy-access-control:50054'
+# PROXY_GRPC = 'proxy-access-control:50054'
logging.basicConfig(filename='alert.log', level=logging.DEBUG)
@@ -34,7 +34,7 @@ reader = unified2.SpoolRecordReader("/var/log/snort",
def sendGrpcAlert(event_id, redis_key):
try:
- channel = grpc.insecure_channel(PROXY_GRPC)
+ channel = grpc.insecure_channel('proxy-access-control:50054')
stub = nginx_pb2_grpc.ControllerStub(channel)
stub.ProcessAlerts(nginx_pb2.AlertMessage(
event_id=event_id, redis_key=redis_key))
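Review bot: The new line hard-codes the proxy endpoint inside sendGrpcAlert while the first hunk only comments out `PROXY_GRPC` instead of deleting it, leaving a dead constant and no single place to change the address. Either keep `PROXY_GRPC = 'proxy-access-control:50054'` at module level and call `grpc.insecure_channel(PROXY_GRPC)`, or drop the commented line and add a short comment explaining why the literal is now inline. If the constant was commented out to work around a problem, that reason is worth recording next to it. sendGrpcAlert's try/except continues past the end of this hunk.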
@@ -45,13 +45,15 @@ def sendGrpcAlert(event_id, redis_key):
for record in reader:
try:
if isinstance(record, unified2.Event):
- snort_event = "snort_event:" + str(record['event-id'])
- r.sadd('snort_events', str(record['event-id']))
- r.hmset(snort_event, record)
- sendGrpcAlert(str(record['event-id']), 'snort_events')
- # elif isinstance(record, unified2.Packet):
- # print("Packet:")
+ event = record
+ elif isinstance(record, unified2.Packet):
+ packet = record
# elif isinstance(record, unified2.ExtraData):
# print("Extra-Data:")
+ snort_event = "snort_event:" + str(record['event-id'])
+ r.sadd('snort_events', str(record['event-id']))
+ event.update(packet)
+ r.hmset(snort_event, event)
+ sendGrpcAlert(str(record['event-id']), 'snort_events')
except Exception as e:
logging.debug(e)
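Review bot: The write path added at the end of the loop body (`snort_event = ...` through `sendGrpcAlert(...)`) runs for every record, but `event` and `packet` are only bound by the `if`/`elif` branches above it, so a Packet or ExtraData record that arrives before any Event raises NameError, and an Event record merges whatever `packet` is left over from the previous event. Because every record reaches `r.hmset` and `sendGrpcAlert`, each alert is stored and dispatched two or three times, the first time with stale packet fields. The unchanged `except Exception as e: logging.debug(e)` then hides all of this at DEBUG level, which for an IDS alert path is a silent detection gap; `logging.exception("failed to process unified2 record")` would at least keep the traceback visible. I would hold the Event until its Packet arrives, match on event-id and write once, as sketched below (this assumes unified2 emits an Event before its Packet, which should be confirmed); the proxy header fields merged in from the packet come from the wire and should be treated as untrusted by whatever reads them from Redis.
```python
event = None                              # pending Event awaiting its Packet
for record in reader:
    try:
        if isinstance(record, unified2.Event):
            event = record                # assumes the Packet follows — confirm
            continue
        if not isinstance(record, unified2.Packet):
            continue                      # ExtraData etc. still ignored
        if event is None or event['event-id'] != record['event-id']:
            continue                      # packet with no matching pending event
        event.update(record)
        event_id = str(event['event-id'])
        snort_event = "snort_event:" + event_id
        r.sadd('snort_events', event_id)
        r.hmset(snort_event, event)
        sendGrpcAlert(event_id, 'snort_events')
        event = None
    except Exception:
        logging.exception("failed to process unified2 record")
```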