From b6eb062e73bea5a85fbd7c43e3661208796dc360 Mon Sep 17 00:00:00 2001 From: Eddie Arrage Date: Tue, 24 Apr 2018 00:22:07 +0000 Subject: Fix snort rule with blank content & WR packet in alert - Fix bug with addition of content field in rule definition that causes rules with a blank content fields to inhibit snort from starting successfully. - Write more of the packet data for snort alert into Redis - Above includes X-Real-IP, X-Forwarded-For header fields for http traffic from proxy that shows source IP Some packet data is missing in alerts from snort. Change-Id: I2c5c29e514d1ca9e8e5b9b3f7990afa87c6311b9 Signed-off-by: Eddie Arrage --- samples/services/snort_ids/docker/grpc/snort_alerts.py | 18 ++++++++++-------- samples/services/snort_ids/docker/grpc/snort_server.py | 14 ++++++++++---- 2 files changed, 20 insertions(+), 12 deletions(-) diff --git a/samples/services/snort_ids/docker/grpc/snort_alerts.py b/samples/services/snort_ids/docker/grpc/snort_alerts.py index 4cb87e2..25d1738 100644 --- a/samples/services/snort_ids/docker/grpc/snort_alerts.py +++ b/samples/services/snort_ids/docker/grpc/snort_alerts.py @@ -14,7 +14,7 @@ from idstools import unified2 HOST_IP = 'redis' -PROXY_GRPC = 'proxy-access-control:50054' +# PROXY_GRPC = 'proxy-access-control:50054' logging.basicConfig(filename='alert.log', level=logging.DEBUG) @@ -34,7 +34,7 @@ reader = unified2.SpoolRecordReader("/var/log/snort", def sendGrpcAlert(event_id, redis_key): try: - channel = grpc.insecure_channel(PROXY_GRPC) + channel = grpc.insecure_channel('proxy-access-control:50054') stub = nginx_pb2_grpc.ControllerStub(channel) stub.ProcessAlerts(nginx_pb2.AlertMessage( event_id=event_id, redis_key=redis_key)) @@ -45,13 +45,15 @@ def sendGrpcAlert(event_id, redis_key): for record in reader: try: if isinstance(record, unified2.Event): - snort_event = "snort_event:" + str(record['event-id']) - r.sadd('snort_events', str(record['event-id'])) - r.hmset(snort_event, record) - sendGrpcAlert(str(record['event-id']), 'snort_events') - # elif isinstance(record, unified2.Packet): - # print("Packet:") + event = record + elif isinstance(record, unified2.Packet): + packet = record # elif isinstance(record, unified2.ExtraData): # print("Extra-Data:") + snort_event = "snort_event:" + str(record['event-id']) + r.sadd('snort_events', str(record['event-id'])) + event.update(packet) + r.hmset(snort_event, event) + sendGrpcAlert(str(record['event-id']), 'snort_events') except Exception as e: logging.debug(e) diff --git a/samples/services/snort_ids/docker/grpc/snort_server.py b/samples/services/snort_ids/docker/grpc/snort_server.py index 9ece832..223461a 100644 --- a/samples/services/snort_ids/docker/grpc/snort_server.py +++ b/samples/services/snort_ids/docker/grpc/snort_server.py @@ -33,10 +33,16 @@ class Controller(snort_pb2_grpc.ControllerServicer): # file_local = 'testfile' file_local = '/etc/snort/rules/local.rules' f = open(file_local, 'a') - rule = 'alert {} {} {} -> {} {} '.format( - r.protocol, r.src_ip, r.src_port, r.dest_ip, r.dest_port) \ - + '(msg:"{}"; content:{}; sid:{}; rev:{};)\n'.format( - r.msg, r.content, r.sid, r.rev) + if r.content: + rule = 'alert {} {} {} -> {} {} '.format( + r.protocol, r.src_ip, r.src_port, r.dest_ip, r.dest_port) \ + + '(msg:"{}"; content:{}; sid:{}; rev:{};)\n'.format( + r.msg, r.content, r.sid, r.rev) + else: + rule = 'alert {} {} {} -> {} {} '.format( + r.protocol, r.src_ip, r.src_port, r.dest_ip, r.dest_port) \ + + '(msg:"{}"; sid:{}; rev:{};)\n'.format( + r.msg, r.sid, r.rev) f.write(rule) f.close msg = "Added to local rules" -- cgit 1.2.3-korg