diff options
author | Eddie Arrage <eddie.arrage@huawei.com> | 2018-04-24 00:22:07 +0000 |
---|---|---|
committer | Eddie Arrage <eddie.arrage@huawei.com> | 2018-04-24 00:27:37 +0000 |
commit | b6eb062e73bea5a85fbd7c43e3661208796dc360 (patch) | |
tree | 04c0f3970e1ef81c0d8e8cffa32832d41c990d71 /samples/services/snort_ids/docker/grpc/snort_alerts.py | |
parent | 6774a5be4f59b325af1d51af3b88d06edd9f76c0 (diff) |
Fix snort rule with blank content & WR packet in alert
- Fix bug with addition of content field in rule definition
that causes rules with a blank content fields to inhibit
snort from starting successfully.
- Write more of the packet data for snort alert into Redis
- Above includes X-Real-IP, X-Forwarded-For header fields
for http traffic from proxy that shows source IP
Some packet data is missing in alerts from snort.
Change-Id: I2c5c29e514d1ca9e8e5b9b3f7990afa87c6311b9
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
Diffstat (limited to 'samples/services/snort_ids/docker/grpc/snort_alerts.py')
-rw-r--r-- | samples/services/snort_ids/docker/grpc/snort_alerts.py | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/samples/services/snort_ids/docker/grpc/snort_alerts.py b/samples/services/snort_ids/docker/grpc/snort_alerts.py index 4cb87e2..25d1738 100644 --- a/samples/services/snort_ids/docker/grpc/snort_alerts.py +++ b/samples/services/snort_ids/docker/grpc/snort_alerts.py @@ -14,7 +14,7 @@ from idstools import unified2 HOST_IP = 'redis' -PROXY_GRPC = 'proxy-access-control:50054' +# PROXY_GRPC = 'proxy-access-control:50054' logging.basicConfig(filename='alert.log', level=logging.DEBUG) @@ -34,7 +34,7 @@ reader = unified2.SpoolRecordReader("/var/log/snort", def sendGrpcAlert(event_id, redis_key): try: - channel = grpc.insecure_channel(PROXY_GRPC) + channel = grpc.insecure_channel('proxy-access-control:50054') stub = nginx_pb2_grpc.ControllerStub(channel) stub.ProcessAlerts(nginx_pb2.AlertMessage( event_id=event_id, redis_key=redis_key)) @@ -45,13 +45,15 @@ def sendGrpcAlert(event_id, redis_key): for record in reader: try: if isinstance(record, unified2.Event): - snort_event = "snort_event:" + str(record['event-id']) - r.sadd('snort_events', str(record['event-id'])) - r.hmset(snort_event, record) - sendGrpcAlert(str(record['event-id']), 'snort_events') - # elif isinstance(record, unified2.Packet): - # print("Packet:") + event = record + elif isinstance(record, unified2.Packet): + packet = record # elif isinstance(record, unified2.ExtraData): # print("Extra-Data:") + snort_event = "snort_event:" + str(record['event-id']) + r.sadd('snort_events', str(record['event-id'])) + event.update(packet) + r.hmset(snort_event, event) + sendGrpcAlert(str(record['event-id']), 'snort_events') except Exception as e: logging.debug(e) |