

Merge branch 'development' of https://github.com/mmguero-dev/Malcolm
…into v24.07.0_merge_cisagov
mmguero committed Jul 30, 2024
2 parents 0ec9549 + dd5084c commit 7b27173
Showing 3 changed files with 63 additions and 27 deletions.
49 changes: 29 additions & 20 deletions filebeat/scripts/clean-processed-folder.py
Expand Up @@ -104,16 +104,22 @@ def pruneFiles():
return

# look for regular Zeek files in the processed/ directory
zeekFoundFiles = [
(os.path.join(root, filename))
for root, dirnames, filenames in os.walk(zeekProcessedDir)
for filename in filenames
]
zeekFoundFiles = (
[
(os.path.join(root, filename))
for root, dirnames, filenames in os.walk(zeekProcessedDir)
for filename in filenames
]
if os.path.isdir(zeekProcessedDir)
else []
)

# look for rotated files from live zeek instance
zeekRotatedFiles = [
(os.path.join(root, filename)) for root, dirnames, filenames in os.walk(zeekLiveDir) for filename in filenames
]
zeekRotatedFiles = (
[(os.path.join(root, filename)) for root, dirnames, filenames in os.walk(zeekLiveDir) for filename in filenames]
if os.path.isdir(zeekLiveDir)
else []
)

# look up the filebeat registry file and try to read it
fbReg = None
Expand All @@ -128,18 +134,20 @@ def pruneFiles():
checkFile(file, filebeatReg=None, checkLogs=False, checkArchives=True)

# clean up any broken symlinks in the Zeek current/ directory
for current in os.listdir(zeekCurrentDir):
currentFileSpec = os.path.join(zeekCurrentDir, current)
if os.path.islink(currentFileSpec) and not os.path.exists(currentFileSpec):
print(f'removing dead symlink "{currentFileSpec}"')
silentRemove(currentFileSpec)
if os.path.isdir(zeekCurrentDir):
for current in os.listdir(zeekCurrentDir):
currentFileSpec = os.path.join(zeekCurrentDir, current)
if os.path.islink(currentFileSpec) and not os.path.exists(currentFileSpec):
print(f'removing dead symlink "{currentFileSpec}"')
silentRemove(currentFileSpec)

# clean up any old and empty directories in Zeek processed/ directory
cleanDirSeconds = min(i for i in (cleanLogSeconds, cleanZipSeconds) if i > 0)
candidateDirs = []
for root, dirs, files in os.walk(zeekProcessedDir, topdown=False):
if root and dirs:
candidateDirs += [os.path.join(root, tmpDir) for tmpDir in dirs]
if os.path.isdir(zeekProcessedDir):
for root, dirs, files in os.walk(zeekProcessedDir, topdown=False):
if root and dirs:
candidateDirs += [os.path.join(root, tmpDir) for tmpDir in dirs]
candidateDirs = list(set(candidateDirs))
candidateDirs.sort(reverse=True)
candidateDirs.sort(key=len, reverse=True)
Expand All @@ -155,10 +163,11 @@ def pruneFiles():

# check the suricata logs (live and otherwise) as well
for surDir in [suricataDir, suricataLiveDir]:
for eve in os.listdir(surDir):
eveFile = os.path.join(surDir, eve)
if os.path.isfile(eveFile):
checkFile(eveFile, filebeatReg=fbReg, checkLogs=True, checkArchives=False)
if os.path.isdir(surDir):
for eve in os.listdir(surDir):
eveFile = os.path.join(surDir, eve)
if os.path.isfile(eveFile):
checkFile(eveFile, filebeatReg=fbReg, checkLogs=True, checkArchives=False)


def main():
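Review bot: The `os.path.isdir` guards added around the three `os.walk` calls (the zeekFoundFiles and zeekRotatedFiles comprehensions in the first hunk and the candidateDirs walk in the second) do not change behaviour: `os.walk` routes errors to its `onerror` callback and with the default `None` yields nothing for a missing directory, so those expressions already produced `[]` before the change. The guards that matter are the ones placed before `os.listdir` (the zeekCurrentDir loop and the suricata loop in the third hunk), because `os.listdir` raises FileNotFoundError on a missing path. Either drop the walk guards or say why they stay, e.g. `# os.walk tolerates a missing dir; guard kept for symmetry with the listdir loops below`. A directory that exists but is unreadable still raises from `os.listdir` inside the guard, so `isdir` is not a substitute for handling OSError there. pruneFiles begins before the first hunk.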
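--- a/scripts/malcolm_utils.py
+++ b/scripts/malcolm_utils.py
@@ -352,6 +352,23 @@ def isipaddress(value):
     return result
 
 
+###################################################################################################
+# check a string or list to see if something is a private IP address or subnet
+def isprivateip(value):
+    result = True
+    try:
+        if isinstance(value, list) or isinstance(value, tuple) or isinstance(value, set):
+            for v in value:
+                result = result and ipaddress.ip_network(value).is_private
+                if not result:
+                    break
+        else:
+            result = ipaddress.ip_network(value).is_private
+    except Exception:
+        result = False
+    return result
+
+
 ###################################################################################################
 # return the primary IP (the one with a default route) on the local box
 def get_primary_ip():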
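Review bot: In the list/tuple/set branch of isprivateip the loop variable `v` is never used — `ipaddress.ip_network(value)` is called on the whole container, which raises TypeError, is swallowed by `except Exception`, and makes every collection input come back False; the line should be `result = result and ipaddress.ip_network(v).is_private`. Separately, `ip_network` is strict by default, so a private address written with host bits set (a constructed example: `192.168.1.5/24`) raises ValueError and is likewise reported as not private; since zeek_threat_feed_utils.py in this same commit uses the function to drop private-space indicators, `ipaddress.ip_network(v, strict=False)` in both calls would keep such values recognised as private. Narrowing `except Exception` to `except (ValueError, TypeError):` would stop unrelated failures from being reported as "not private". A short docstring stating the contract would help callers, e.g. `"""Return True if value (or every element of a list/tuple/set) parses as a private IP address or network; unparseable input yields False."""`.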
24 changes: 17 additions & 7 deletions shared/bin/zeek_threat_feed_utils.py
Expand Up @@ -37,7 +37,7 @@
import requests
import urllib3

from malcolm_utils import eprint, base64_decode_if_prefixed, LoadStrIfJson, LoadFileIfJson
from malcolm_utils import eprint, base64_decode_if_prefixed, LoadStrIfJson, LoadFileIfJson, isprivateip

# keys for dict returned by map_stix_indicator_to_zeek for Zeek intel file fields
ZEEK_INTEL_INDICATOR = 'indicator'
Expand Down Expand Up @@ -316,9 +316,14 @@ def map_stix_indicator_to_zeek(
parsed = urlparse(ioc_value)
scheme = f"{parsed.scheme}://"
ioc_value = parsed.geturl().replace(scheme, "", 1)
elif zeek_type == "ADDR" and re.match(".+/.+", ioc_value):
# elevate to subnet if possible
zeek_type = "SUBNET"
elif zeek_type == "ADDR":
if not isprivateip(ioc_value):
if re.match(".+/.+", ioc_value):
# elevate to subnet if possible
zeek_type = "SUBNET"
else:
# ignore private IP-space ADDR avlues
continue

# ... "fields containing only a hyphen are considered to be null values"
zeekItem = defaultdict(lambda: '-')
Expand Down Expand Up @@ -395,9 +400,14 @@ def map_misp_attribute_to_zeek(
parsed = urlparse(attribute_value)
scheme = f"{parsed.scheme}://"
attribute_value = parsed.geturl().replace(scheme, "", 1)
elif zeek_type == "ADDR" and re.match(".+/.+", attribute_value):
# elevate to subnet if possible
zeek_type = "SUBNET"
elif zeek_type == "ADDR":
if not isprivateip(attribute_value):
if re.match(".+/.+", attribute_value):
# elevate to subnet if possible
zeek_type = "SUBNET"
else:
# ignore private IP-space ADDR avlues
continue

# ... "fields containing only a hyphen are considered to be null values"
zeekItem = defaultdict(lambda: '-')
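Review bot: The new comment `# ignore private IP-space ADDR avlues` in map_stix_indicator_to_zeek has a typo (`avlues` → `values`), and the same comment is repeated in the map_misp_attribute_to_zeek hunk. More substantively, the new filter inherits isprivateip's behaviour of returning False whenever the value does not parse, so an ADDR indicator that `ipaddress.ip_network` rejects (for instance a private address written with host bits set, which the strict default refuses) is treated as public and still emitted, while a value that parses as private is dropped silently; an `eprint` in the `else` branch would make the dropped indicators visible when a feed is being debugged. The `continue` relies on the enclosing loop, which begins outside the hunk, as do both functions.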
