ineso22
/

Mozdef

Model card Files Files and versions

Mozdef / mq /plugins /filterlog.py

ineso22's picture

Upload folder using huggingface_hub

7c89ed7 verified 3 months ago

history blame contribute delete

4.16 kB

	# This Source Code Form is subject to the terms of the Mozilla Public
	# License, v. 2.0. If a copy of the MPL was not distributed with this
	# file, You can obtain one at https://mozilla.org/MPL/2.0/.
	# Copyright (c) 2017 Mozilla Corporation


	class message(object):
	def __init__(self):
	'''
	Plugin used to parse a filterlog type firewall message
	'''
	self.registration = ['filterlog']
	self.priority = 10

	def onMessage(self, message, metadata):
	if 'summary' not in message:
	return (message, metadata)

	if message['summary'].count(',') < 9:
	return (message, metadata)

	if 'details' not in message:
	message['details'] = {}

	summary_items = message['summary'].split(',')
	message['details']['rulenumber'] = summary_items[0]
	message['details']['subrulenumber'] = summary_items[1]
	message['details']['anchor'] = summary_items[2]
	message['details']['trackor'] = summary_items[3]
	message['details']['interface'] = summary_items[4]
	message['details']['reason'] = summary_items[5]
	message['details']['action'] = summary_items[6]
	message['details']['direction'] = summary_items[7]
	message['details']['ipversion'] = summary_items[8]

	ip_version = int(message['details']['ipversion'])
	if ip_version == 4:
	if 'ip' not in message['details']:
	message['details']['ip'] = {}

	message['details']['ip']['version'] = 4
	message['details']['ip']['tos'] = summary_items[9]
	message['details']['ip']['ecn'] = summary_items[10]
	message['details']['ip']['ttl'] = summary_items[11]
	message['details']['ip']['id'] = summary_items[12]
	message['details']['ip']['offset'] = summary_items[13]
	message['details']['ip']['flags'] = summary_items[14]
	message['details']['ip']['protocolid'] = summary_items[15]
	message['details']['ip']['protocoltext'] = summary_items[16]
	last_index = 16
	elif ip_version == 6:
	if 'ip' not in message['details']:
	message['details']['ip'] = {}

	message['details']['ip']['version'] = 6
	message['details']['ip']['class'] = summary_items[9]
	message['details']['ip']['flow_label'] = summary_items[10]
	message['details']['ip']['hoplimit'] = summary_items[11]
	message['details']['ip']['protocol'] = summary_items[12]
	message['details']['ip']['protocolid'] = summary_items[13]
	last_index = 13

	if ip_version == 4 or ip_version == 6:
	message['details']['ip']['length'] = summary_items[last_index + 1]
	message['details']['sourceipaddress'] = summary_items[last_index + 2]
	message['details']['destinationipaddress'] = summary_items[last_index + 3]

	proto_id = int(message['details']['ip']['protocolid'])

	if proto_id == 6:
	if 'tcp' not in message['details']:
	message['details']['tcp'] = {}

	message['details']['sourceport'] = summary_items[last_index + 4]
	message['details']['destinationport'] = summary_items[last_index + 5]
	message['details']['datalength'] = summary_items[last_index + 6]
	message['details']['tcp']['flags'] = summary_items[last_index + 7]
	message['details']['tcp']['seqnumber'] = summary_items[last_index + 8]
	message['details']['tcp']['acknumber'] = summary_items[last_index + 9]
	message['details']['tcp']['window'] = summary_items[last_index + 10]
	message['details']['tcp']['urg'] = summary_items[last_index + 11]
	message['details']['tcp']['options'] = summary_items[last_index + 12]
	elif proto_id == 17:
	message['details']['sourceport'] = summary_items[last_index + 4]
	message['details']['destinationport'] = summary_items[last_index + 5]
	message['details']['datalength'] = summary_items[last_index + 6]

	return (message, metadata)