From b6eb062e73bea5a85fbd7c43e3661208796dc360 Mon Sep 17 00:00:00 2001
From: Eddie Arrage <eddie.arrage@huawei.com>
Date: Tue, 24 Apr 2018 00:22:07 +0000
Subject: Fix snort rule with blank content & WR packet in alert

- Fix bug with the addition of the content field in the rule definition
that causes rules with a blank content field to prevent
snort from starting successfully.
- Write more of the packet data for snort alert into Redis
- Above includes X-Real-IP, X-Forwarded-For header fields
for http traffic from proxy that shows source IP

Some packet data is missing in alerts from snort.

Change-Id: I2c5c29e514d1ca9e8e5b9b3f7990afa87c6311b9
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
---
 samples/services/snort_ids/docker/grpc/snort_alerts.py | 18 ++++++++++--------
 samples/services/snort_ids/docker/grpc/snort_server.py | 14 ++++++++++----
 2 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/samples/services/snort_ids/docker/grpc/snort_alerts.py b/samples/services/snort_ids/docker/grpc/snort_alerts.py
index 4cb87e2..25d1738 100644
--- a/samples/services/snort_ids/docker/grpc/snort_alerts.py
+++ b/samples/services/snort_ids/docker/grpc/snort_alerts.py
@@ -14,7 +14,7 @@ from idstools import unified2
 
 
 HOST_IP = 'redis'
-PROXY_GRPC = 'proxy-access-control:50054'
+# PROXY_GRPC = 'proxy-access-control:50054'
 
 logging.basicConfig(filename='alert.log', level=logging.DEBUG)
 
@@ -34,7 +34,7 @@ reader = unified2.SpoolRecordReader("/var/log/snort",
 
 def sendGrpcAlert(event_id, redis_key):
     try:
-        channel = grpc.insecure_channel(PROXY_GRPC)
+        channel = grpc.insecure_channel('proxy-access-control:50054')
         stub = nginx_pb2_grpc.ControllerStub(channel)
         stub.ProcessAlerts(nginx_pb2.AlertMessage(
             event_id=event_id, redis_key=redis_key))
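Review bot: The endpoint is now an inline literal in the `grpc.insecure_channel` call while the module-level `PROXY_GRPC` binding in the previous hunk is commented out rather than deleted, which leaves dead code and moves the address out of the one place it was configurable. Keeping `channel = grpc.insecure_channel(PROXY_GRPC)` with the constant retained (or a `# PROXY_GRPC` line removed outright, if it was commented out for a reason not visible here) would be clearer. The body of sendGrpcAlert continues outside the hunk.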
@@ -45,13 +45,15 @@ def sendGrpcAlert(event_id, redis_key):
 for record in reader:
     try:
         if isinstance(record, unified2.Event):
-            snort_event = "snort_event:" + str(record['event-id'])
-            r.sadd('snort_events', str(record['event-id']))
-            r.hmset(snort_event, record)
-            sendGrpcAlert(str(record['event-id']), 'snort_events')
-        # elif isinstance(record, unified2.Packet):
-            # print("Packet:")
+            event = record
+        elif isinstance(record, unified2.Packet):
+            packet = record
         # elif isinstance(record, unified2.ExtraData):
             # print("Extra-Data:")
+        snort_event = "snort_event:" + str(record['event-id'])
+        r.sadd('snort_events', str(record['event-id']))
+        event.update(packet)
+        r.hmset(snort_event, event)
+        sendGrpcAlert(str(record['event-id']), 'snort_events')
     except Exception as e:
         logging.debug(e)
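Review bot: The Redis write and gRPC alert at the end of the loop body now run for every record, but `event` and `packet` are only bound inside the `isinstance` branches, so on the first Event record `packet` is unbound and `event.update(packet)` raises a NameError that the broad `except Exception` logs at DEBUG and the alert is silently dropped; on later Event records the `packet` in scope is the one from the previous event, so the stored alert carries the wrong packet data. An ExtraData record, or any other record type, also falls through to `record['event-id']` and a second `hmset`/`ProcessAlerts` for the same event-id, so each event is stored and signalled several times. Assuming the spool emits an Event followed by its Packet record (confirm against the unified2 reader), initialising both names before the loop, writing only once both halves of the same event are present, and clearing them afterwards gives one alert per event with the matching packet.
```python
event = packet = None
for record in reader:
    try:
        if isinstance(record, unified2.Event):
            event = record
            packet = None  # a new event starts; drop the previous packet
        elif isinstance(record, unified2.Packet):
            packet = record
        else:
            continue  # ExtraData and other records carry nothing we store
        if event is None or packet is None:
            continue  # wait until both halves of the same event are seen
        snort_event = "snort_event:" + str(event['event-id'])
        r.sadd('snort_events', str(event['event-id']))
        event.update(packet)
        r.hmset(snort_event, event)
        sendGrpcAlert(str(event['event-id']), 'snort_events')
        event = packet = None
    except Exception as e:
        logging.debug(e)
```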
diff --git a/samples/services/snort_ids/docker/grpc/snort_server.py b/samples/services/snort_ids/docker/grpc/snort_server.py
index 9ece832..223461a 100644
--- a/samples/services/snort_ids/docker/grpc/snort_server.py
+++ b/samples/services/snort_ids/docker/grpc/snort_server.py
@@ -33,10 +33,16 @@ class Controller(snort_pb2_grpc.ControllerServicer):
             # file_local = 'testfile'
             file_local = '/etc/snort/rules/local.rules'
             f = open(file_local, 'a')
-            rule = 'alert {} {} {} -> {} {} '.format(
-                r.protocol, r.src_ip, r.src_port, r.dest_ip, r.dest_port) \
-                + '(msg:"{}"; content:{}; sid:{}; rev:{};)\n'.format(
-                                      r.msg, r.content, r.sid, r.rev)
+            if r.content:
+                rule = 'alert {} {} {} -> {} {} '.format(
+                    r.protocol, r.src_ip, r.src_port, r.dest_ip, r.dest_port) \
+                    + '(msg:"{}"; content:{}; sid:{}; rev:{};)\n'.format(
+                                          r.msg, r.content, r.sid, r.rev)
+            else:
+                rule = 'alert {} {} {} -> {} {} '.format(
+                    r.protocol, r.src_ip, r.src_port, r.dest_ip, r.dest_port) \
+                    + '(msg:"{}"; sid:{}; rev:{};)\n'.format(
+                                          r.msg, r.sid, r.rev)
             f.write(rule)
             f.close
             msg = "Added to local rules"
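Review bot: The two branches of the new `if r.content:` repeat the whole five-field alert header and differ only in whether a `content:` option is emitted, so a later change to the header has to be made twice; building the option list once and joining it keeps a single format string. The context lines around it also show `f.close` without parentheses, which is an attribute lookup that never closes the file, and `open()` without a `with`, so the handle is left to the garbage collector (pre-existing, not introduced here). Since `r.msg` and `r.content` arrive over gRPC and are written verbatim into `local.rules`, a `"` or `;` inside them changes the option list of the generated rule; rejecting or escaping those characters before the write keeps the rule file well-formed. The enclosing method starts outside the hunk.
```python
            # … unchanged: file_local assignment …
            options = ['msg:"{}"'.format(r.msg)]
            if r.content:
                options.append('content:{}'.format(r.content))
            options.extend(['sid:{}'.format(r.sid), 'rev:{}'.format(r.rev)])
            rule = 'alert {} {} {} -> {} {} ({})\n'.format(
                r.protocol, r.src_ip, r.src_port, r.dest_ip, r.dest_port,
                '; '.join(options) + ';')
            with open(file_local, 'a') as f:
                f.write(rule)
            msg = "Added to local rules"
```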
-- 