#!/usr/bin/python3
import argparse
import datetime
import logging
import re
from logging.handlers import SysLogHandler, SYSLOG_UDP_PORT
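# ---------------------------------------------------------------------------
# ARMAIF (firewall / IDS appliance) CEF event templates.
#
# Each constant is one CEF record.  send_logs sends them verbatim (optionally
# with `rt=` rewritten to "now") to the collector under test, so they double
# as parser test vectors.  Several look deliberately "dirty": a Cyrillic
# action value, a raw `__line=` copy of the originating syslog line, a `<PRI>`
# prefix, a stray quote, a value that itself contains `=`.  Do not tidy them
# without confirming the receiving parser no longer needs that edge case.
#
# CEF escapes `=` inside extension values as `\=`.  The Python literals spell
# that as `\\=` (one backslash in the resulting string).  The bare `\=` form
# yields the same bytes but is not a valid Python escape and is a
# SyntaxWarning from Python 3.12 on, so it is avoided here.
# ---------------------------------------------------------------------------

# pf / filterlog rule alerts.  `cs2=deviceInboundInterface=lo0` carries an
# unescaped `=` inside a value -- presumably an intentional edge case; confirm
# before changing.  The action value of the first record is Russian for
# "permit (pass)".
FIREWALL_LOG_TEMPLATE = 'CEF:0|InfoWatch ARMA|ARMAIF|3.5|pfalert|PF rule alert|8|cs1=63 cs2=deviceInboundInterface=lo0 act=разрешение (pass) src=127.0.0.1 deviceDirection=in proto=icmp dst=127.0.0.1 spt=46084 dpt=53 rt=1604793739000 log_from=filterlog cid=None\n'

FIREWALL_LOG2_TEMPLATE = 'CEF:0|InfoWatch ARMA|ARMAIF|3.5|pfalert|PF rule alert|5|cs1=61 cs2=deviceInboundInterface=igb0 act=block deviceDirection=in proto=icmp src=127.0.0.1 dst=127.0.0.2 rt=1604793739000 deviceFacility=vfilterlog cid=None\n'

# Carries a `<1>` syslog PRI in front of the CEF header plus the original
# filterlog CSV line in `__line=`.
FIREWALL_LOG3_TEMPLATE3 = '<1>CEF:0|InfoWatch ARMA|ARMAIF|3.5|pfalert|PF rule alert|0|cs1=80 cs2=deviceInboundInterface=lo0 act=pass deviceDirection=in class=0x00 flowlabel=0x00000 src=127.0.0.1 dst=127.0.0.2 hlim=1 proto=udp payload-length=76 rt=1604793739000 deviceFacility=filterlog cid=None __line=Oct 27 17:14:09 arma.localdomain filterlog: 80,,,0,lo0,match,pass,in,6,0x00,0x00000,1,udp,17,76,fe80::20c:29ff:fe69:de4d,ff02::1:2,546,547,76'

FIREWALL_LOG4_TEMPLATE = 'CEF:0|InfoWatch ARMA|ARMAIF|3.5|pfalert|PF rule alert|0|cs1=73 deviceInboundInterface=em0 act=pass deviceDirection=0 proto=tcp seq=273959436 rt=1611148012000 deviceFacility=filterlog src=192.168.56.1 dst=192.168.56.104 spt=53738 dpt=80 cs1Label=RuleNumber'

# Suricata "IDS power" (start/stop) events.  SEVERITY differs from the first
# only in the header severity (8 instead of 5); MMS only in lacking
# `classification=null`.
SURICATA_LOG_TEMPLATE = 'CEF:0|InfoWatch ARMA|ARMAIF|3.0|idspower|IDS power|5|rt=1604793739000 log_from=suricata deviceFacility=28775 gid=1 cs1=429496728 cs1Label=Signature cs2=12 cs2Label=line_number rev=1 classification=null priority=3 proto=TCP ip_src=10.20.30.50 port_src=80 ip_dst=10.20.30.1 port_dst=34568 act=start'

SURICATA_LOG_SEVERITY = 'CEF:0|InfoWatch ARMA|ARMAIF|3.0|idspower|IDS power|8|rt=1604793739000 log_from=suricata deviceFacility=28775 gid=1 cs1=429496728 cs1Label=Signature cs2=12 cs2Label=line_number rev=1 classification=null priority=3 proto=TCP ip_src=10.20.30.50 port_src=80 ip_dst=10.20.30.1 port_dst=34568 act=start'

SURICATA_LOG_MMS = 'CEF:0|InfoWatch ARMA|ARMAIF|3.0|idspower|IDS power|5|rt=1604793739000 log_from=suricata deviceFacility=28775 gid=1 cs1=429496728 cs1Label=Signature cs2=12 cs2Label=line_number rev=1 priority=3 proto=TCP ip_src=10.20.30.50 port_src=80 ip_dst=10.20.30.1 port_dst=34568 act=start'

# ntpd events.
NTP_LOG_TEMPLATE = "CEF:0|InfoWatch ARMA|ARMAIF|3.5|ntppower|Ntp power|4|rt=1611238449000 deviceFacility=ntpd dvcpid=61184 cs1=4.2.8p14@1.3728-o msg=Starting cs1Label=ntpd version act=start"

NTP_LOG2_TEMPLATE = "CEF:0|InfoWatch ARMA|ARMAIF|3.8.0-dev.19|ntpmanualsync|NTP manual sync|3|rt=1664869933000 deviceFacility=ntp msg=Successfully synced time after 1 attempts cs1=1 cs1Label=attemptsCount"

# Web UI authentication.  The first record says "Successful login" in msg=
# but outcome=failure -- presumably a deliberately contradictory record for
# the parser; confirm.
WEB_LOGIN_LOG_TEMPLATE = "CEF:0|InfoWatch ARMA|ARMAIF|3.5|webauth|Web authentication|0|rt=1604793739000 log_from=armaif cid=None url=/index.php msg=Successful login suser=root src=10.20.30.1 outcome=failure reason=no_idea\n"

WEB_LOGIN_LOG2_TEMPLATE = "CEF:0|InfoWatch ARMA|ARMAIF|3.5|webauth|Web authentication|0|rt=1604793739000 log_from=armaif cid=None url=/index.php msg=Successful login suser=root src=192.168.2.106 __line=Feb 21 11:31:37 arma armaif: /index.php: Successful login for user 'root' from: 192.168.2.106 outcome=success"

WEB_LOGIN_LOG3_TEMPLATE = 'CEF:0|InfoWatch ARMA|ARMAIF|3.5|webauth|Web authentication|0|rt=1611148011000 deviceFacility=armaif request=/index.php msg=Successful login suser=root src=192.168.56.1 outcome=success'

# Byte-identical to WEB_LOGIN_LOG3_TEMPLATE; kept because LOG_TYPE lists both.
WEB_LOGIN_LOG4_TEMPLATE = 'CEF:0|InfoWatch ARMA|ARMAIF|3.5|webauth|Web authentication|0|rt=1611148011000 deviceFacility=armaif request=/index.php msg=Successful login suser=root src=192.168.56.1 outcome=success'

# lighttpd access log.  The first record ends in a stray `"` before the
# newline (left as-is; it may be a deliberate malformed-record probe).
# LOG2 and LOG3 differ only in the header severity (5 vs 8).
WEB_ACCESS_LOG_TEMPLATE = 'CEF:0|InfoWatch ARMA|ARMAIF|3.5|lighttpdaccess|Lighttpd Access|5|rt=1604793739000 deviceFacility=lighttpd dvcpid=29727 src=10.20.30.1 dst=10.20.30.50 requestMethod=GET url_relative=/api/core/menu/search/?_\\=1569482291550 app=HTTP/1.1 cs1=200 cs2=65734 cs1Label=responseCode cs2Label=bodyLength request=http://10.20.30.50/ui/netsnmp/general/index requestClientApplication=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0 mechanic=Lighttpd" \n'

WEB_ACCESS_LOG2_TEMPLATE = 'CEF:0|InfoWatch ARMA|ARMAIF|3.5|lighttpdaccess|Lighttpd Access|5|rt=1604793739000 deviceFacility=lighttpd dvcpid=79894 src=192.168.2.106 dst=192.168.2.1 requestMethod=GET request=/widgets/api/get.php?load\\=system%2Cgateway%2Cinterfaces&_\\=1582284700985 app=HTTP/1.1 cs1=200 cs2=2425 cs1Label=responseCode cs2Label=bodyLength requestContext=http://192.168.2.1/index.php requestClientApplication=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 __line=Feb 21 11:34:33 arma lighttpd[79894]: 192.168.2.106 192.168.2.1 - [21/Feb/2020:11:34:33 +0000] "GET /widgets/api/get.php?load\\=system%2Cgateway%2Cinterfaces&_\\=1582284700985 HTTP/1.1" 200 2425 "http://192.168.2.1/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0"'

WEB_ACCESS_LOG3_TEMPLATE = 'CEF:0|InfoWatch ARMA|ARMAIF|3.5|lighttpdaccess|Lighttpd Access|8|rt=1604793739000 deviceFacility=lighttpd dvcpid=79894 src=192.168.2.106 dst=192.168.2.1 requestMethod=GET request=/widgets/api/get.php?load\\=system%2Cgateway%2Cinterfaces&_\\=1582284700985 app=HTTP/1.1 cs1=200 cs2=2425 cs1Label=responseCode cs2Label=bodyLength requestContext=http://192.168.2.1/index.php requestClientApplication=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 __line=Feb 21 11:34:33 arma lighttpd[79894]: 192.168.2.106 192.168.2.1 - [21/Feb/2020:11:34:33 +0000] "GET /widgets/api/get.php?load\\=system%2Cgateway%2Cinterfaces&_\\=1582284700985 HTTP/1.1" 200 2425 "http://192.168.2.1/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0"'

WEB_ACCESS_LOG4_TEMPLATE = 'CEF:0|InfoWatch ARMA|ARMAIF|3.5|lighttpdaccess|Lighttpd Access|5|rt=1605610654000 deviceFacility=lighttpd dvcpid=44121 src=10.20.30.1 dst=10.20.30.54 requestMethod=GET request=/api/core/menu/search/?_\\=1574012278012 app=HTTP/1.1 cs1=302 cs2=66085 requestContext=http://10.20.30.54/ui/captiveportal requestClientApplication=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0 cs1Label=responseCode cs2Label=bodyLength'

# Not referenced by LOG_TYPE in this file.
WEB_ACCESS_LOG5_TEMPLATE = 'CEF:0|InfoWatch ARMA|ARMAIF|3.6-rc2|accessalert|Acess alert|1|rt=1620805384000 deviceFacility=lighttpd dvcpid=94479 src=192.168.1.201 dst=192.168.1.101 requestMethod=GET request=/ui/arpwatcher/general app=HTTP/1.1 cs1=200 cs2=118524 requestContext=https://192.168.1.101/ui/arpwatcher/index requestClientApplication=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 cs1Label=responseCode cs2Label=bodyLength'

# arpwatch "new station" alerts.  `act=Destroy_all_humanity` is a test value;
# `description=` is Russian free text ("unauthorised device connection
# detected, IP: ..., MAC: ...").  The first three embed the original syslog
# line in `__line=`; TEMPLATE4 is the newer, slimmer ARMAIF 3.6 shape.
ARPWATCH_LOG_TEMPLATE = 'CEF:0|InfoWatch ARMA|ARMAIF|3.0|arpwatchalert|Arpwatch alert|6|rt=1604793739000 deviceFacility=arpwatch cid=None message=new station src=10.0.3.2 src_old=None mac_src=52:54:0:12:35:2 mac_src_old=None mechanic=Arpwatch act=Destroy_all_humanity __line=Jan 30 08:41:33 arma arpwatch: new station 10.0.3.2 52:54:0:12:35:2#012 description=Было выявлено несанкционированное подключение устройства IP: 10.0.3.2, MAC: 52:54:0:12:35:2\n'

ARPWATCH_LOG_TEMPLATE2 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.5|arpwatchalert|Arpwatch alert|5|rt=1604793739000 deviceFacility=arpwatch cid=None message=new station src=192.168.1.100 src_old=None mac_src=0:c:29:e6:74:14 mac_src_old=None mechanic=Arpwatch __line=May 15 14:08:36 arma arpwatch: new station 192.168.1.100 0:c:29:e6:74:14 description=Было выявлено несанкционированное подключение устройства IP: 192.168.1.100, MAC: 0:c:29:e6:74:14\n'

ARPWATCH_LOG_TEMPLATE3 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.0|arpwatchalert|Arpwatch alert|5|rt=1604793739000 deviceFacility=arpwatch cid=None message=new station src=192.168.1.100 src_old=None act=Destroy_all_humanity mac_src=0:c:29:e6:74:14 mac_src_old=None mechanic=Arpwatch __line=May 15 14:08:36 arma arpwatch: new station 192.168.1.100 0:c:29:e6:74:14 description=Было выявлено несанкционированное подключение устройства IP: 192.168.1.100, MAC: 0:c:29:e6:74:14\n'

ARPWATCH_LOG_TEMPLATE4 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.6-rc2|arpwatchalert|Arpwatch alert|7|rt=1620805293000 deviceFacility=arpwatch act=new station src=192.168.1.101 smac=00:50:56:bd:86:c5 cs1Label=src_old cs2Label=smac_old'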
# These logs are for networkmap.
#
# `--netmap-test` makes send_logs read CONNECT_LOG_TEST instead of LOG_TYPE.
# That table only uses ARPWATCH_CONNECT_LOG_1..5, SURICATA_CONNECT_LOG_1..3
# and FIREWALL_CONNECT_LOG_1..5; together they describe a small fixed set of
# hosts (192.168.1.20/.21, 10.10.1.11/.21, 17.234.12.34, 1.1.1.1/2.2.2.2)
# seen via ARP, IDS and firewall events so a network-map view can be checked
# for consistent rendering.  The non-RFC1918 addresses presumably stand for
# "external" hosts -- confirm.
#
# Despite their names, SURICATA_CONNECT_LOG_4..12 are listed under
# LOG_TYPE['suricata'] (the normal run), and FIREWALL_PF_LOG under
# LOG_TYPE['pf'].  ARPWATCH_CONNECT_LOG_6/7 are not referenced by either
# table in this file.
#
# Reviewer note: several of these are real-looking high-severity alerts
# (`ARMA_S7Comm_PLC_Stop`, `ET POLICY ...`, new ARP stations).  Sent over
# unauthenticated UDP syslog they are indistinguishable from genuine device
# events, so point the tool only at a lab collector.

ARPWATCH_CONNECT_LOG_1 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.5.2_7|arpwatchalert|Arpwatch alert|5|rt=1613559551000 deviceFacility=arpwatch act=new station src=192.168.1.20 smac=0a:00:27:00:00:00 cs1Label=src_old cs2Label=smac_old'

ARPWATCH_CONNECT_LOG_2 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.5.2_7|arpwatchalert|Arpwatch alert|5|rt=1613559551000 deviceFacility=arpwatch act=new station src=192.168.1.21 smac=0a:00:28:00:00:00 cs1Label=src_old cs2Label=smac_old'

ARPWATCH_CONNECT_LOG_3 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.5.2_7|arpwatchalert|Arpwatch alert|5|rt=1613559551000 deviceFacility=arpwatch act=new station src=10.10.1.11 smac=0a:00:29:00:00:00 cs1Label=src_old cs2Label=smac_old'

ARPWATCH_CONNECT_LOG_4 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.5.2_7|arpwatchalert|Arpwatch alert|5|rt=1613559551000 deviceFacility=arpwatch act=new station src=10.10.1.21 smac=0a:00:30:00:00:00 cs1Label=src_old cs2Label=smac_old'

ARPWATCH_CONNECT_LOG_5 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.5.2_7|arpwatchalert|Arpwatch alert|5|rt=1613559551000 deviceFacility=arpwatch act=new station src=17.234.12.34 smac=0a:00:31:00:00:00 cs1Label=src_old cs2Label=smac_old'

# IDS "power" events between the map hosts (older ip_src/ip_dst key names).
SURICATA_CONNECT_LOG_1 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.0|idspower|IDS power|5|rt=1604793739000 log_from=suricata deviceFacility=28775 gid=1 cs1=429496728 cs1Label=Signature cs2=12 cs2Label=line_number msg=Test message 1 rev=1 priority=3 proto=TCP ip_src=192.168.1.20 port_src=80 ip_dst=192.168.1.21 port_dst=34568 act=start\n'

SURICATA_CONNECT_LOG_2 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.0|idspower|IDS power|5|rt=1604793739000 log_from=suricata deviceFacility=28775 gid=1 cs1=429496728 cs1Label=Signature cs2=12 cs2Label=line_number rev=1 msg=Test message 2 priority=3 proto=TCP ip_src=17.234.12.34 port_src=80 ip_dst=192.168.1.21 port_dst=34568 act=start\n'

SURICATA_CONNECT_LOG_3 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.0|idspower|IDS power|5|rt=1604793739000 log_from=suricata deviceFacility=28775 gid=1 cs1=429496728 cs1Label=Signature cs2=12 cs2Label=line_number rev=1 msg=Test message 3 priority=3 proto=TCP ip_src=192.168.1.21 port_src=80 ip_dst=10.10.1.11 port_dst=34568 act=start\n'

# Newer ARMAIF 3.6 IDS alerts (src/dst/spt/dpt keys, signature id in act=).
SURICATA_CONNECT_LOG_4 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.6|idsalert|IDS alert|5|rt=1604793739000 deviceFacility=suricata dvcpid=7814 cs1=1 act=429496728 cs2=1 msg=ARMA_S7Comm_PLC_Stop proto=TCP src=192.168.1.1 spt=49238 dst=192.168.2.2 dpt=102 cs1Label=gid cs2Label=rev'

SURICATA_CONNECT_LOG_5 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.6.rc.36|idsalert|IDS Alert|5|rt=1639485803000 deviceFacility=suricata dvcpid=81078 cs1=1 act=2002752 cs2=4 msg=ET POLICY Reserved Internal IP Traffic proto=UDP src=192.168.244.1 spt=68 dst=192.168.244.254 dpt=67 cs1Label=gid cs2Label=rev'

SURICATA_CONNECT_LOG_6 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.6.rc.36|idspower|IDS power|3|rt=1639485268000 deviceFacility=suricata msg=Test message 5 dvcpid=36147 act=shutdown'

# Rule-parse errors: cs1= carries a raw Suricata rule (semicolons, quotes,
# `->`), which is a good CEF-value edge case.  The `\"` escapes below are
# plain `"` in the resulting string, same as the bare quotes in LOG_11.
SURICATA_CONNECT_LOG_7 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.6.rc.36|idsalert|IDS rule alert|5|rt=1639485222000 deviceFacility=suricata dvcpid=36147 msg=Suricate message cs1=alert modbus any any -> any any (msg:\"SURICATA Modbus invalid Length\"; app-layer-event:modbus.invalid_length; classtype:protocol-command-decode; sid:2250003; rev:2;) filePath=/usr/local/etc/suricata/opnsense.rules/modbus-events.rules cs2=6 reason=parse signature error cs1Label=signature cs2Label=lineNumber'

SURICATA_CONNECT_LOG_8 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.6.rc.36|idsalert|IDS Alert|5|rt=1639471522000 deviceFacility=suricata dvcpid=51009 cs1=1 act=2210056 cs2=1 msg=SURICATA STREAM bad window update proto=TCP src=192.168.0.1 spt=51784 dst=192.168.0.3 dpt=51033 cs1Label=gid cs2Label=rev'

SURICATA_CONNECT_LOG_9 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.6.rc.36|idsalert|IDS Alert|5|rt=1639485548000 deviceFacility=suricata dvcpid=81078 cs1=1 act=2002752 cs2=4 msg=ET POLICY Reserved Internal IP Traffic proto=TCP src=192.168.0.204 spt=443 dst=192.168.0.23 dpt=52659 cs1Label=gid cs2Label=rev'

SURICATA_CONNECT_LOG_10 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.6.rc.36|idsalert|IDS rule alert|5|rt=1639470621000 deviceFacility=suricata dvcpid=51009 msg=Suricata message 3 cs1=alert http any any -> any any (msg:\"Black list checksum match and extract SHA256\"; filesha256:fileextraction-chksum.list; filestore; sid:30; rev:1;) filePath=/usr/local/etc/suricata/opnsense.rules/files.rules cs2=52 reason=parse signature error cs1Label=signature cs2Label=lineNumber'

SURICATA_CONNECT_LOG_11 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.6-rc12|idsalert|IDS rule alert|5|rt=1634546072000 deviceFacility=suricata dvcpid=77565 msg=Suricata message 6 cs1=alert modbus any any -> any any (msg:"SURICATA Modbus invalid Unit Identifier"; app-layer-event:modbus.invalid_unit_identifier; classtype:protocol-command-decode; sid:2250004; rev:2;) filePath=/usr/local/etc/suricata/opnsense.rules/modbus-events.rules cs2=8 reason=parse signature error cs1Label=signature cs2Label=lineNumber'

# An integrity-check event, not an IDS one, but it is listed under
# LOG_TYPE['suricata'].
SURICATA_CONNECT_LOG_12 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.6-rc.55|integrityalert|Integrity alert|0|rt=1647277200000 msg=Test message 5 outcome=success deviceFacility=integrity'

# Firewall passes between the map hosts.
FIREWALL_CONNECT_LOG_1 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.5|pfalert|PF rule alert|0|cs1=73 deviceInboundInterface=em0 act=pass deviceDirection=0 proto=tcp seq=273959436 rt=1611148012000 deviceFacility=filterlog src=192.168.1.21 dst=10.10.1.21 spt=53738 dpt=80 cs1Label=RuleNumber'

FIREWALL_CONNECT_LOG_2 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.5|pfalert|PF rule alert|0|cs1=73 deviceInboundInterface=em0 act=pass deviceDirection=0 proto=tcp seq=273959436 rt=1611148012000 deviceFacility=filterlog src=10.10.1.11 dst=10.10.1.21 spt=53738 dpt=80 cs1Label=RuleNumber'

FIREWALL_CONNECT_LOG_3 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.5|pfalert|PF rule alert|0|cs1=73 deviceInboundInterface=em0 act=pass deviceDirection=0 proto=tcp seq=273959436 rt=1611148012000 deviceFacility=filterlog src=192.168.1.20 dst=10.10.1.11 spt=53738 dpt=80 cs1Label=RuleNumber'

FIREWALL_CONNECT_LOG_4 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.5|pfalert|PF rule alert|0|cs1=73 deviceInboundInterface=em0 act=pass deviceDirection=0 proto=tcp seq=273959436 rt=1611148012000 deviceFacility=filterlog src=1.1.1.1 dst=2.2.2.2 spt=53738 dpt=80 cs1Label=RuleNumber'

FIREWALL_CONNECT_LOG_5 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.6.rc.36|pfalert|PF rule alert|0|cs1=79 deviceInboundInterface=le0 act=pass deviceDirection=1 proto=udp rt=1639065415000 deviceFacility=filterlog src=192.168.157.132 dst=192.168.157.2 spt=58642 dpt=53 cs1Label=RuleNumber'

# Counterparts of FIREWALL_CONNECT_LOG_4's endpoints; not referenced by any
# table in this file.
ARPWATCH_CONNECT_LOG_6 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.5.2_7|arpwatchalert|Arpwatch alert|5|rt=1613559551000 deviceFacility=arpwatch act=new station src=1.1.1.1 smac=0a:00:27:00:00:00 cs1Label=src_old cs2Label=smac_old'

ARPWATCH_CONNECT_LOG_7 = 'CEF:0|InfoWatch ARMA|ARMAIF|3.5.2_7|arpwatchalert|Arpwatch alert|5|rt=1613559551000 deviceFacility=arpwatch act=new station src=2.2.2.2 smac=0a:00:27:00:00:00 cs1Label=src_old cs2Label=smac_old'

# Full syslog line (PRI + BSD header + tag) wrapped around an IPv6 CEF pf
# event.  NOTE(review): SysLogHandler prepends its own `<PRI>` to whatever it
# sends, so this record arrives with two PRIs under either --format; presumably
# that is the point of it -- confirm.
FIREWALL_PF_LOG = '<134>Mar 2 09:57:56 arma.localdomain filterlog: CEF:0|InfoWatch ARMA|ARMAIF|3.6-rc.55|pfalert|PF rule alert|0|cs1=63 deviceInboundInterface=vmx1 act=pass deviceDirection=1 class=0x00 flowlabel=0x00000 hlim=1 proto=udp payload-length=76 rt=1646215076000 deviceFacility=filterlog src=fe80::250:56ff:febd:4716 dst=ff02::1:2 spt=546 dpt=547 cs1Label=RuleNumber'
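# ---------------------------------------------------------------------------
# Endpoint: ARMAIE (endpoint agent) CEF templates -- application whitelist,
# file integrity control, USB device control and antivirus events.
#
# The argument check below the parser refuses `--format syslog` for this
# group (and for 'all'), and send_logs skips this group under 'all', so it is
# only ever sent with an explicit `-t endpoint`.
#
# Windows paths are written with doubled backslashes so the record carries a
# single one.  A bare `\t` in a normal string literal becomes a TAB and `\H`
# an invalid escape -- ENDPOINT_TEMPLATE_5's fname was affected by exactly
# that and is now spelled like its siblings.
#
# Two template generations are mixed: ARMAIE 2.3.4 records carry `rt=` in
# seconds (10 digits), 3.5.2_7 records mostly in milliseconds -- except
# ENDPOINT_TEMPLATE_5 and _18, which also have 10 digits.  Whether that
# mirrors the agents or is a slip is not visible here; `--replace-time`
# overwrites `rt=` with milliseconds either way (see send_logs).
# ---------------------------------------------------------------------------

# Application-whitelist denials (NT device paths rather than drive letters).
ENDPOINT_TEMPLATE_1 = 'CEF:0|InfoWatch ARMA|ARMAIE|2.3.4|white_list|White list|6|rt=1639592220 act=DENIED cat=not whitelisted fname=Firefox Setup 95.0.msi filePath=\\\\Device\\\\HarddiskVolume4\\\\Firefox Setup 95.0.msi\n'

# File integrity control.  Filenames include Russian "— копия (N)" ("copy N")
# suffixes with spaces and parentheses; _2 keeps a trailing space on purpose
# (trailing-whitespace probe, presumably -- confirm).
ENDPOINT_TEMPLATE_2 = 'CEF:0|InfoWatch ARMA|ARMAIE|3.5.2_7|integrity_control|Integrity control|5|rt=1613559558000 act=CREATE fname=test.bat filePath=C:\\temp\\test.bat '

ENDPOINT_TEMPLATE_3 = 'CEF:0|InfoWatch ARMA|ARMAIE|3.5.2_7|integrity_control|Integrity control|5|rt=1613559555000 act=WRITE fname=Hello — копия (2).txt filePath=C:\\temp\\file.exe'

ENDPOINT_TEMPLATE_4 = 'CEF:0|InfoWatch ARMA|ARMAIE|3.5.2_7|integrity_control|Integrity control|5|rt=1613559581000 act=REMOVE fname=Hello — копия (2).txt filePath=C:\\temp\\Hello — копия (2).txt'

# RENAME: fname= is the old path, filePath= the new one.
ENDPOINT_TEMPLATE_5 = 'CEF:0|InfoWatch ARMA|ARMAIE|3.5.2_7|integrity_control|Integrity control|5|rt=1639592258 act=RENAME fname=C:\\temp\\Hello.txt filePath=C:\\temp\\Goodbye.txt'

ENDPOINT_TEMPLATE_6 = 'CEF:0|InfoWatch ARMA|ARMAIE|3.5.2_7|integrity_control|Integrity control|5|rt=1604793739000 act=MOVE fname=13245 — копия (3).txt filePath=C:\\temp\\Test_dir\\13245 — копия (3).txt'

# Whitelist denial with a long path containing spaces and a GUID.
ENDPOINT_TEMPLATE_7 = 'CEF:0|InfoWatch ARMA|ARMAIE|2.3.4|white_list|White list|6|rt=1639592258 act=DENIED cat=not whitelisted fname=vc_runtimeAdditional_x86.msi filePath=\\\\Device\\\\HarddiskVolume4\\\\ProgramData\\\\Package Cache\\\\{572DCD10-CF2E-43D1-8151-8BD9AC9086D0}v14.28.29913\\\\packages\\\\vcRuntimeAdditional_x86\\\\vc_runtimeAdditional_x86.msi\n'

# USB device control.  msg= lists interface class/subclass pairs separated
# by ';'.  _9 and _10 use the malformed labels `cs1Labe2=` and `ccs1Label=`:
# they read like typos, but could equally be deliberate bad-label probes for
# the parser -- confirm before "fixing".  `cs3=Љ` in _11 is a single Cyrillic
# letter as serial number: possibly mojibake, possibly a Unicode probe.
ENDPOINT_TEMPLATE_8 = 'CEF:0|InfoWatch ARMA|ARMAIE|2.3.4|usb|USB|6|rt=1639592452 act=DENIED cs1Label=pid cs1=1000 cs2Label=vid cs2=8564 cs3Label=serial_number cs3=JKPQMZ1G msg=class:8 subclass:6;class:0 subclass:0;class:0 subclass:0;class:0 subclass:0;class:0 subclass:0;class:0 subclass:0;class:0 subclass:0;class:0 subclass:0;class:0 subclass:0;class:0 subclass:0\n'

ENDPOINT_TEMPLATE_9 = 'CEF:0|InfoWatch ARMA|ARMAIE|3.5.2_7|usb|USB|5|rt=1604793739000 act=DENIED cs1Label=pid cs1=1000 cs1Labe2=vid cs2=90c cs3Label=serial_number cs3=0376119070023321 msg=[class:c1 subclass:s1;class:s2 subclass:s2]'

ENDPOINT_TEMPLATE_10 = 'CEF:0|InfoWatch ARMA|ARMAIE|3.5.2_7|usb|USB|5|rt=1604793739000 act=ALLOWED ccs1Label=pid cs1=1000 cs1Labe2=vid cs2=90c cs3Label=serial_number cs3=0376119070023852 msg=[class:8 subclass:6]'

ENDPOINT_TEMPLATE_11 = 'CEF:0|InfoWatch ARMA|ARMAIE|2.3.4|usb|USB|6|rt=1639592541 act=DENIED cs1Label=pid cs1=810 cs2Label=vid cs2=45e cs3Label=serial_number cs3=Љ msg=class:239 subclass:2;class:14 subclass:1;class:14 subclass:2;class:1 subclass:1;class:1 subclass:2;class:0 subclass:0;class:0 subclass:0;class:0 subclass:0;class:0 subclass:0;class:0 subclass:0\n'

# Antivirus lifecycle.  `act=remove_scan_tasc` and `cs1Label=errfor_name`
# likewise look like typos; whether the agent really emits those spellings
# is not visible here, so they are left untouched.  _14's fname and filePath
# name different files.
ENDPOINT_TEMPLATE_12 = 'CEF:0|InfoWatch ARMA|ARMAIE|3.5.2_7|antivirus|Antivirus|5|rt=1613559551000 act=scan_start fname=file_1.exe filePath=C:\\temp\\file_1.exe'

ENDPOINT_TEMPLATE_13 = 'CEF:0|InfoWatch ARMA|ARMAIE|3.5.2_7|antivirus|Antivirus|5|rt=1604793739000 act=scan_stop fname=file_2.exe filePath=C:\\dir_2\\file_2.exe'

ENDPOINT_TEMPLATE_14 = 'CEF:0|InfoWatch ARMA|ARMAIE|3.5.2_7|antivirus|Antivirus|5|rt=1605610654000 act=remove_scan_tasc fname=file_3.exe filePath=C:\\dir_2\\file_2.exe'

ENDPOINT_TEMPLATE_15 = 'CEF:0|InfoWatch ARMA|ARMAIE|3.5.2_7|antivirus|Antivirus|5|rt=1604793739000 act=find_virus fname=file_bad.exe filePath=C:\\Documents\\file_bad.exe cs1Label=virus_name cs1=drakula'

ENDPOINT_TEMPLATE_16 = 'CEF:0|InfoWatch ARMA|ARMAIE|3.5.2_7|antivirus|Antivirus|5|rt=1639485222000 act=file_deleted fname=file_2.bat filePath=C:\\windows\\file_2.bat'

ENDPOINT_TEMPLATE_17 = 'CEF:0|InfoWatch ARMA|ARMAIE|3.5.2_7|antivirus|Antivirus|5|rt=1604793739000 act=scan_error fname=file_3.exe filePath=C:\\windows\\file_3.exe cs1Label=errfor_name cs1=File not found'

ENDPOINT_TEMPLATE_18 = 'CEF:0|InfoWatch ARMA|ARMAIE|3.5.2_7|antivirus|Antivirus|5|rt=1639592258 act=scan_failed fname=file_4.bat filePath=C:\\system32\\file_4.bat cs1Label=errfor_name cs1=Scan error'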
# ClamAv
#
# ClamAV block event from ARMAIF 3.7.2-dev.3 (`act=blocked`, request URL in
# cs1, signature name in cs2); the only member of LOG_TYPE['antivirus'].
# The payload names the EICAR test file, so a collector seeing it should treat
# it as a test detection -- but on the wire it looks like a real block event.
ANTIVIRUS_1 = (
    'CEF:0|InfoWatch ARMA|ARMAIF|3.7.2-dev.3|clamav_alert|CLAMAV alert|5|'
    'cs1=https://secure.eicar.org/eicar.com cs2=Win.Test.EICAR_HDB-1 '
    'src=192.168.1.100 rt=1657668458000 act=blocked deviceFacility=clamav '
    'cs1Label=Request URL cs2Label=Virus Name'
)
# Template table for a normal run.  `-t <key>` selects one group; 'all'
# selects every group except 'endpoint' (see send_logs).  The keys must stay
# in sync with the `-t` choices in the argument parser.
#
# Oddities worth knowing: SURICATA_CONNECT_LOG_12 is an integrity alert but
# sits under 'suricata'; WEB_ACCESS_LOG5_TEMPLATE and ARPWATCH_CONNECT_LOG_6/7
# are defined in this file but not listed anywhere.
LOG_TYPE = {
    'suricata': [
        SURICATA_LOG_TEMPLATE,
        SURICATA_LOG_MMS,
        SURICATA_LOG_SEVERITY,
        SURICATA_CONNECT_LOG_1,
        SURICATA_CONNECT_LOG_2,
        SURICATA_CONNECT_LOG_3,
        SURICATA_CONNECT_LOG_4,
        SURICATA_CONNECT_LOG_5,
        SURICATA_CONNECT_LOG_6,
        SURICATA_CONNECT_LOG_7,
        SURICATA_CONNECT_LOG_8,
        SURICATA_CONNECT_LOG_9,
        SURICATA_CONNECT_LOG_10,
        SURICATA_CONNECT_LOG_11,
        SURICATA_CONNECT_LOG_12,
    ],
    'pf': [
        FIREWALL_LOG_TEMPLATE,
        FIREWALL_LOG2_TEMPLATE,
        FIREWALL_LOG3_TEMPLATE3,
        FIREWALL_LOG4_TEMPLATE,
        FIREWALL_PF_LOG,
    ],
    'ntp': [
        NTP_LOG_TEMPLATE,
        NTP_LOG2_TEMPLATE,
    ],
    'web_login': [
        WEB_LOGIN_LOG_TEMPLATE,
        WEB_LOGIN_LOG2_TEMPLATE,
        WEB_LOGIN_LOG3_TEMPLATE,
        WEB_LOGIN_LOG4_TEMPLATE,
    ],
    'web_access': [
        WEB_ACCESS_LOG_TEMPLATE,
        WEB_ACCESS_LOG2_TEMPLATE,
        WEB_ACCESS_LOG3_TEMPLATE,
        WEB_ACCESS_LOG4_TEMPLATE,
    ],
    'arp': [
        ARPWATCH_LOG_TEMPLATE,
        ARPWATCH_LOG_TEMPLATE2,
        ARPWATCH_LOG_TEMPLATE3,
        ARPWATCH_LOG_TEMPLATE4,
    ],
    # Only sent with an explicit `-t endpoint`; skipped under 'all'.
    'endpoint': [
        ENDPOINT_TEMPLATE_1,
        ENDPOINT_TEMPLATE_2,
        ENDPOINT_TEMPLATE_3,
        ENDPOINT_TEMPLATE_4,
        ENDPOINT_TEMPLATE_5,
        ENDPOINT_TEMPLATE_6,
        ENDPOINT_TEMPLATE_7,
        ENDPOINT_TEMPLATE_8,
        ENDPOINT_TEMPLATE_9,
        ENDPOINT_TEMPLATE_10,
        ENDPOINT_TEMPLATE_11,
        ENDPOINT_TEMPLATE_12,
        ENDPOINT_TEMPLATE_13,
        ENDPOINT_TEMPLATE_14,
        ENDPOINT_TEMPLATE_15,
        ENDPOINT_TEMPLATE_16,
        ENDPOINT_TEMPLATE_17,
        ENDPOINT_TEMPLATE_18,
    ],
    'antivirus': [
        ANTIVIRUS_1,
    ],
}
# Template table used instead of LOG_TYPE when `--netmap-test` is given: a
# small fixed set of hosts appearing in ARP, IDS and firewall events so a
# network-map view can be checked for consistent rendering.  Only these three
# keys exist here; any other `-t` value has no entry in this table.
CONNECT_LOG_TEST = {
    'arp': [ARPWATCH_CONNECT_LOG_1, ARPWATCH_CONNECT_LOG_2, ARPWATCH_CONNECT_LOG_3,
            ARPWATCH_CONNECT_LOG_4, ARPWATCH_CONNECT_LOG_5],
    'suricata': [SURICATA_CONNECT_LOG_1, SURICATA_CONNECT_LOG_2, SURICATA_CONNECT_LOG_3],
    'pf': [FIREWALL_CONNECT_LOG_1, FIREWALL_CONNECT_LOG_2, FIREWALL_CONNECT_LOG_3,
           FIREWALL_CONNECT_LOG_4, FIREWALL_CONNECT_LOG_5],
}
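# Command line.  Parsed at import time (module level), so `args` is available
# to init_syslog_logging2 / send_logs as a global.
#
# Reviewer note: -d/--destination is used as given.  Nothing stops this tool
# from being aimed at a production collector, where the templates show up as
# genuine high-severity alerts -- keep it on lab targets.
parser = argparse.ArgumentParser(description='Log spamer', epilog="For Endpoint, select simple format")
parser.add_argument('-d', '--destination', help='Host to send logs', type=str, default='localhost')
parser.add_argument('-p', '--port', help='Port to send logs', type=int, default=SYSLOG_UDP_PORT)
parser.add_argument('-n', '--number', help='Number of logs to send', type=int, default=1)
parser.add_argument('-t',
                    '--type',
                    help='Type of logs to send',
                    type=str,
                    # Must match the keys of LOG_TYPE; 'all' is expanded by
                    # send_logs (which skips 'endpoint').  CONNECT_LOG_TEST
                    # (--netmap-test) only has arp/suricata/pf.
                    choices=['all', 'suricata', 'pf', 'ntp', 'web_login', 'web_access', 'arp', 'endpoint', 'antivirus'],
                    default='all')
# 'syslog' prefixes each record with a timestamp (see init_syslog_logging2);
# 'simple' sends the bare CEF line.
parser.add_argument('-f', '--format', help='Format of log', type=str, choices=['simple', 'syslog'], default='simple')
parser.add_argument('--replace-time',
                    dest='replace_time',
                    action='store_true',
                    default=False,
                    help='Replace timestamp in log template with current timestamp')
parser.add_argument('--simulate',
                    dest='simulate',
                    action='store_true',
                    default=False,
                    help='Instead of sending logs, just print it')
# The offset is applied to "now" when --replace-time is used, i.e. the emitted
# rt= is local wall-clock expressed as an epoch, not true UTC.  The sign lives
# in a separate flag because `--timezone -5` would format as "-5:00" in the
# ISO path ("{:02}" does not zero-pad a negative number).
parser.add_argument('--timezone',
                    dest='timezone',
                    type=int,
                    default=3,
                    help="How many hours we differ from UTC. Default is 3, which is 03:00 (Moscow)")
parser.add_argument('--timezone-negative',
                    dest="timezone_negative",
                    action='store_true',
                    default=False,
                    help="Timezone sign")
parser.add_argument('--netmap-test',
                    dest='netmap_test',
                    action='store_true',
                    default=False,
                    help='Send logs to test network map rendering')
# No option sets this dest; the default is kept only so `args.replace_time_utc`
# keeps existing for any reader that expects it.
parser.set_defaults(replace_time_utc=False)
args = parser.parse_args()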
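# Argument sanity check.  'syslog' framing is refused for the endpoint group
# (the parser epilog says so) and also for 'all', even though send_logs drops
# the endpoint group when 'all' is selected -- presumably conservative on
# purpose; confirm before relaxing.
if args.type in ("all", "endpoint") and args.format != "simple":
    print("Error! Bad arguments combination")
    print("For 'endpoint' type, use 'simple' format")
    # SystemExit rather than the site-injected exit() builtin, which is not
    # available under `python -S` or in frozen/embedded interpreters.
    raise SystemExit(1)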
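def init_syslog_logging2(addr, port, log_format=None):
    """Return the module's syslog logger wired to ``addr``:``port``.

    Args:
        addr: Hostname or IP of the syslog collector.
        port: UDP port of the collector.
        log_format: ``'syslog'`` to prefix every record with a
            ``%b %d %H:%M:%S`` timestamp, anything else (``'simple'``) to
            send the bare message.  ``None`` falls back to ``args.format``,
            so the original two-argument call keeps working.

    Returns:
        The ``'cef_syslog_export'`` logger at DEBUG level with a
        ``SysLogHandler`` attached.

    Notes:
        * A ``(host, port)`` address gives a plain UDP datagram socket (the
          stdlib default socktype for a tuple address): no sender
          authentication, no encryption, no delivery guarantee.  That is what
          makes the tool useful for spoof/flood testing of a collector -- and
          why it must only be pointed at a lab one.
        * NOTE(review): ``SysLogHandler`` prepends its own ``<PRI>`` header,
          so templates that already carry one (``FIREWALL_LOG3_TEMPLATE3``,
          ``FIREWALL_PF_LOG``) arrive double-framed; presumably intended as a
          parser test -- confirm.
        * ``logging.getLogger`` returns the same object on every call, so
          calling this twice attaches a second handler and each record is
          then sent twice.  This file calls it once.
    """
    if log_format is None:
        log_format = args.format

    logger = logging.getLogger('cef_syslog_export')
    logger.setLevel(logging.DEBUG)

    shandler = SysLogHandler(address=(addr, port))
    shandler.setLevel(logging.DEBUG)

    if log_format == 'syslog':
        # Minimal BSD-style header: timestamp only, no hostname or app tag.
        formatter = logging.Formatter('%(asctime)s: %(message)s', '%b %d %H:%M:%S')
    else:
        formatter = logging.Formatter('%(message)s')
    shandler.setFormatter(formatter)

    logger.addHandler(shandler)
    return logger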
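# Placeholder that older endpoint templates carried for an ISO-8601 timestamp.
# No template in this file contains it any more, so the branch that rewrites
# it is currently dead; it is kept so such templates keep working.
_ISO_TIME_MARKER = '2021-04-14T09:35:25+03:00'

# `rt=` / `unixdate=` rewriting.  `\d+\.?\d+?` needs at least two digits after
# the `=` (greedy `\d+` hands one back to the lazy `\d+?`), which every
# template satisfies.  No template here carries `unixdate=`; the pattern is
# kept for compatibility with older template sets.
_RT_RE = re.compile(r'rt=\d+\.?\d+?')
_UNIXDATE_RE = re.compile(r'unixdate=\d+\.?\d+?')


def _with_current_time(template, offset_hours, negative):
    """Return ``template`` with its timestamp fields replaced by "now".

    The time written is UTC shifted by ``offset_hours`` (sign taken from
    ``negative``), mirroring a device whose ``rt`` is local wall-clock
    expressed as an epoch.  The value is therefore deliberately *not* a true
    UTC epoch unless the offset is 0 -- keep that in mind when comparing
    against the collector's own clock.
    """
    if _ISO_TIME_MARKER in template:
        delta = datetime.timedelta(hours=offset_hours)
        now = datetime.datetime.now(datetime.timezone.utc)
        if negative:
            now = now - delta
            sign = "-"
        else:
            now = now + delta
            sign = "+"
        template = template.replace(_ISO_TIME_MARKER, now.replace(microsecond=0).isoformat())
        # isoformat() of an aware UTC datetime ends in "+00:00"; restamp it
        # so the string claims the shifted zone instead.
        return template.replace("+00:00", "{0}{1:02}:00".format(sign, offset_hours))

    epoch = datetime.datetime.now(datetime.timezone.utc).timestamp()
    if negative:
        epoch = epoch - offset_hours * 60 * 60
    else:
        epoch = epoch + offset_hours * 60 * 60
    millis = round(epoch * 1000)
    template = _UNIXDATE_RE.sub(f'unixdate={millis}', template)
    return _RT_RE.sub(f'rt={millis}', template)


def send_logs(type, number, logger):
    """Emit every template of the selected ``type``, ``number`` times over.

    Args:
        type: One of the ``-t`` choices.  ``'all'`` sends every group of the
            active template table except ``'endpoint'``.  (The parameter
            name shadows the builtin; it is kept because callers may pass it
            by keyword.)
        number: How many full passes over the selected templates to make.
        logger: Logger from :func:`init_syslog_logging2`; each record is
            sent via ``logger.info``.

    Reads the module-level ``args`` for ``--netmap-test`` (selects
    ``CONNECT_LOG_TEST`` instead of ``LOG_TYPE``), ``--replace-time``,
    ``--timezone`` / ``--timezone-negative`` and ``--simulate``.

    Raises:
        SystemExit: when ``type`` is not a key of the active table, e.g.
            ``--netmap-test`` combined with anything but ``arp``,
            ``suricata`` or ``pf``.

    Security note: every record leaves as an unauthenticated UDP datagram
    that the collector cannot tell from a genuine device event, and several
    templates are high-severity alerts (PLC stop, unknown ARP station,
    blocked malware).  Running this against anything but a lab collector
    creates real-looking incidents.
    """
    logs_source = CONNECT_LOG_TEST if args.netmap_test else LOG_TYPE

    if type == 'all':
        print(f"Due to type \"{type}\" selected, endpoint logs will be ignored")
        groups = [key for key in logs_source if key != "endpoint"]
    elif type in logs_source:
        groups = [type]
    else:
        print(f"Error! No '{type}' templates in the selected template set")
        raise SystemExit(1)

    counter = 0
    for _ in range(number):
        for group in groups:
            for template in logs_source[group]:
                if args.replace_time:
                    template = _with_current_time(template, args.timezone, args.timezone_negative)
                if args.simulate:
                    print(template)
                else:
                    # strip(): some templates end in "\n", which would
                    # otherwise travel inside the datagram.
                    logger.info(template.strip())
                counter += 1

    print(f'Total records sended: {counter}')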
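if __name__ == "__main__":
    # Network side effects only when run as a script.  Argument parsing above
    # still happens at import time.
    logger = init_syslog_logging2(args.destination, args.port)
    send_logs(args.type, args.number, logger)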