Merge pull request #17 from satta/bloom-alert-prefix
make Bloom filter alert prefix configurable
Robert Haist authored Dec 11, 2018
2 parents 713cae3 + 756c071 commit 872029e
Showing 4 changed files with 24 additions and 18 deletions.
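--- a/cmd/fever/cmds/run.go
+++ b/cmd/fever/cmds/run.go
@@ -188,10 +188,11 @@ func mainfunc(cmd *cobra.Command, args []string) {
 
 // Bloom filter setup
 bloomFilePath := viper.GetString("bloom.file")
+bloomAlertPrefix := viper.GetString("bloom.alert-prefix")
 bloomCompressed := viper.GetBool("bloom.zipped")
 var bloomHandler *processing.BloomHandler
 if bloomFilePath != "" {
-bloomHandler, err = processing.MakeBloomHandlerFromFile(bloomFilePath, bloomCompressed, eventChan, forwardHandler)
+bloomHandler, err = processing.MakeBloomHandlerFromFile(bloomFilePath, bloomCompressed, eventChan, forwardHandler, bloomAlertPrefix)
 if err != nil {
 log.Fatal(err)
 }
@@ -528,6 +529,8 @@ func init() {
 viper.BindPFlag("bloom.file", runCmd.PersistentFlags().Lookup("bloom-file"))
 runCmd.PersistentFlags().BoolP("bloom-zipped", "z", false, "use gzipped Bloom filter file")
 viper.BindPFlag("bloom.zipped", runCmd.PersistentFlags().Lookup("bloom-zipped"))
+runCmd.PersistentFlags().StringP("bloom-alert-prefix", "", "BLF", "String prefix for Bloom filter alerts")
+viper.BindPFlag("bloom.alert-prefix", runCmd.PersistentFlags().Lookup("bloom-alert-prefix"))
 
 // Flow extraction options
 runCmd.PersistentFlags().BoolP("flowextract-enable", "", false, "extract and forward flow metadata")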
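Review bot: The value read by `viper.GetString("bloom.alert-prefix")` is handed to MakeBloomHandlerFromFile without any check, and the "BLF" flag default presumably only applies when the key is absent, so a config that sets `alert-prefix: ""` (or whitespace) yields alert signatures that begin with a bare space, which downstream SIEM rules keyed on the prefix will silently stop matching. Since a failed filter load on the next lines already ends the process via log.Fatal, rejecting an empty prefix before the handler is built would be consistent with this path: `if bloomAlertPrefix == "" { log.Fatal("bloom.alert-prefix must not be empty") }`. The enclosing mainfunc starts and ends outside this hunk, so whether the prefix is validated elsewhere cannot be confirmed from here.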
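--- a/fever.yaml
+++ b/fever.yaml
@@ -90,6 +90,7 @@ flowextract:
 #bloom:
 # file: ./in.bloom.gz
 # zipped: true
+# alert-prefix: BLF
 
 logging:
 # Insert file name here to redirect logs to separate file.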
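--- a/processing/bloom_handler.go
+++ b/processing/bloom_handler.go
@@ -18,17 +18,17 @@ import (
 )
 
 var sigs = map[string]string{
-"http-url": "BLF Possibly bad HTTP URL: ",
-"http-host": "BLF Possibly bad HTTP host: ",
-"tls-sni": "BLF Possibly bad TLS SNI: ",
-"dns": "BLF Possibly bad DNS lookup to ",
+"http-url": "%s Possibly bad HTTP URL: ",
+"http-host": "%s Possibly bad HTTP host: ",
+"tls-sni": "%s Possibly bad TLS SNI: ",
+"dns": "%s Possibly bad DNS lookup to ",
 }
 
 // MakeAlertEntryForHit returns an alert Entry as raised by an external
 // indicator match, e.g. a Bloom filter hit. The resulting alert will retain
 // the triggering event's metadata (e.g. 'dns' or 'http' objects) as well as
 // its timestamp.
-func MakeAlertEntryForHit(e types.Entry, eType string) types.Entry {
+func MakeAlertEntryForHit(e types.Entry, eType string, alertPrefix string) types.Entry {
 var eve types.EveEvent
 var newEve types.EveEvent
 var err = json.Unmarshal([]byte(e.JSONLine), &eve)
@@ -45,7 +45,7 @@ func MakeAlertEntryForHit(e types.Entry, eType string) types.Entry {
 } else if eType == "tls-sni" {
 value = e.TLSSni
 }
-var sig = "BLF Possibly bad traffic "
+var sig = "%s Possibly bad traffic: "
 if v, ok := sigs[eType]; ok {
 sig = v
 }
@@ -54,7 +54,7 @@ func MakeAlertEntryForHit(e types.Entry, eType string) types.Entry {
 Alert: &types.AlertEvent{
 Action: "allowed",
 Category: "Potentially Bad Traffic",
-Signature: sig + value,
+Signature: fmt.Sprintf(sig, alertPrefix) + value,
 },
 Stream: eve.Stream,
 InIface: eve.InIface,
@@ -96,6 +96,7 @@ type BloomHandler struct {
 DatabaseEventChan chan types.Entry
 ForwardHandler Handler
 DoForwardAlert bool
+AlertPrefix string
 }
 
 // BloomNoFileErr is an error thrown when a file-based operation (e.g.
@@ -114,7 +115,7 @@ func (e *BloomNoFileErr) Error() string {
 // Bloom filter and sending alerts to databaseChan as well as forwarding them
 // to a given forwarding handler.
 func MakeBloomHandler(iocBloom *bloom.BloomFilter,
-databaseChan chan types.Entry, forwardHandler Handler) *BloomHandler {
+databaseChan chan types.Entry, forwardHandler Handler, alertPrefix string) *BloomHandler {
 bh := &BloomHandler{
 Logger: log.WithFields(log.Fields{
 "domain": "bloom",
@@ -123,6 +124,7 @@ func MakeBloomHandler(iocBloom *bloom.BloomFilter,
 DatabaseEventChan: databaseChan,
 ForwardHandler: forwardHandler,
 DoForwardAlert: (util.ForwardAllEvents || util.AllowType("alert")),
+AlertPrefix: alertPrefix,
 }
 log.WithFields(log.Fields{
 "N": iocBloom.N,
@@ -133,7 +135,7 @@ func MakeBloomHandler(iocBloom *bloom.BloomFilter,
 // MakeBloomHandlerFromFile returns a new BloomHandler created from a new
 // Bloom filter specified by the given file name.
 func MakeBloomHandlerFromFile(bloomFilename string, compressed bool,
-databaseChan chan types.Entry, forwardHandler Handler) (*BloomHandler, error) {
+databaseChan chan types.Entry, forwardHandler Handler, alertPrefix string) (*BloomHandler, error) {
 iocBloom, err := bloom.LoadFilter(bloomFilename, compressed)
 if err != nil {
 if err == io.EOF {
@@ -144,7 +146,7 @@ func MakeBloomHandlerFromFile(bloomFilename string, compressed bool,
 return nil, err
 }
 }
-bh := MakeBloomHandler(iocBloom, databaseChan, forwardHandler)
+bh := MakeBloomHandler(iocBloom, databaseChan, forwardHandler, alertPrefix)
 bh.BloomFilename = bloomFilename
 bh.BloomFileIsCompressed = compressed
 return bh, nil
@@ -179,12 +181,12 @@ func (a *BloomHandler) Consume(e *types.Entry) error {
 checkStr = "http://" + e.HTTPHost + e.HTTPUrl
 }
 if a.IocBloom.Check([]byte(checkStr)) {
-n := MakeAlertEntryForHit(*e, "http-url")
+n := MakeAlertEntryForHit(*e, "http-url", a.AlertPrefix)
 a.DatabaseEventChan <- n
 a.ForwardHandler.Consume(&n)
 }
 if a.IocBloom.Check([]byte(e.HTTPHost)) {
-n := MakeAlertEntryForHit(*e, "http-host")
+n := MakeAlertEntryForHit(*e, "http-host", a.AlertPrefix)
 a.DatabaseEventChan <- n
 a.ForwardHandler.Consume(&n)
 }
@@ -193,7 +195,7 @@ func (a *BloomHandler) Consume(e *types.Entry) error {
 if e.EventType == "dns" {
 a.Lock()
 if a.IocBloom.Check([]byte(e.DNSRRName)) {
-n := MakeAlertEntryForHit(*e, "dns")
+n := MakeAlertEntryForHit(*e, "dns", a.AlertPrefix)
 a.DatabaseEventChan <- n
 a.ForwardHandler.Consume(&n)
 }
@@ -202,7 +204,7 @@ func (a *BloomHandler) Consume(e *types.Entry) error {
 if e.EventType == "tls" {
 a.Lock()
 if a.IocBloom.Check([]byte(e.TLSSni)) {
-n := MakeAlertEntryForHit(*e, "tls-sni")
+n := MakeAlertEntryForHit(*e, "tls-sni", a.AlertPrefix)
 a.DatabaseEventChan <- n
 a.ForwardHandler.Consume(&n)
 }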
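Review bot: The prefix is spliced into the signature through `fmt.Sprintf(sig, alertPrefix)` in the `Signature:` hunk, which turns every entry of `sigs` and the fallback on the `var sig` line into a format string that must carry exactly one `%s`; a future entry without it would still compile but would emit `%!(EXTRA string=BLF)` into the signature text that detection rules match on. Plain concatenation avoids that trap and the fmt call: drop the leading `%s ` from the map values and the fallback and write `Signature: alertPrefix + " " + sig + value`. An empty alertPrefix then still yields a leading space, so either the caller guards against it or the handler falls back to "BLF" when the argument is empty; MakeAlertEntryForHit's body is spread across several hunks here, so no such guard can be confirmed from this view. The new parameter and field are also undocumented: add `// AlertPrefix is prepended to the signature text of every alert raised by this handler (e.g. "BLF").` above the struct field and mention alertPrefix in the MakeAlertEntryForHit and MakeBloomHandler doc comments.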
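--- a/processing/bloom_handler_test.go
+++ b/processing/bloom_handler_test.go
@@ -237,7 +237,7 @@ func TestBloomHandler(t *testing.T) {
 close(consumeWaitChan)
 }()
 
-bh := MakeBloomHandler(&bf, dbChan, fwhandler)
+bh := MakeBloomHandler(&bf, dbChan, fwhandler, "FOO BAR")
 
 err := bh.Reload()
 if err == nil {
@@ -372,7 +372,7 @@ func TestBloomHandlerFromFile(t *testing.T) {
 dbChan := make(chan types.Entry, 10)
 defer close(dbChan)
 
-bh, err := MakeBloomHandlerFromFile(b1File.Name(), false, dbChan, fwhandler)
+bh, err := MakeBloomHandlerFromFile(b1File.Name(), false, dbChan, fwhandler, "FOO BAR")
 if err != nil {
 t.Fatal(err)
 }
@@ -441,7 +441,7 @@ func TestBloomHandlerEmptyInput(t *testing.T) {
 dbChan := make(chan types.Entry, 10)
 defer close(dbChan)
 
-bf, err := MakeBloomHandlerFromFile(blFile.Name(), false, dbChan, nil)
+bf, err := MakeBloomHandlerFromFile(blFile.Name(), false, dbChan, nil, "FOO BAR")
 if err != nil {
 t.Fatal(err)
 }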
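Review bot: The three constructors now receive "FOO BAR", but none of the visible assertions check that this prefix actually reaches the emitted alert, so a regression in the `%s` substitution (or a sigs entry missing the directive) would pass these tests unchanged. If no such check exists in the parts of these functions outside the hunks, decode one entry received from dbChan and assert on its alert signature, e.g. `if !strings.HasPrefix(sig, "FOO BAR ") { t.Fatalf("unexpected signature %q", sig) }`. Each of the three enclosing test functions starts and ends outside its hunk.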
