Thanasis Naskos / CUREX - Knowledge Extraction Analytics - KEA

xlsiem_rabbitmq_client.py 4.49 KB
edit raw blame history 
   1
   2
   3
   4
   5
   6
   7
   8
   9
  10
  11
  12
  13
  14
  15
  16
  17
  18
  19
  20
  21
  22
  23
  24
  25
  26
  27
  28
  29
  30
  31
  32
  33
  34
  35
  36
  37
  38
  39
  40
  41
  42
  43
  44
  45
  46
  47
  48
  49
  50
  51
  52
  53
  54
  55
  56
  57
  58
  59
  60
  61
  62
  63
  64
  65
  66
  67
  68
  69
  70
  71
  72
  73
  74
  75
  76
  77
  78
  79
  80
  81
  82
  83
  84
  85
  86
  87
  88
  89
  90
  91
  92
  93
  94
  95
  96
  97
  98
  99
 100
 101
 102
 103
 104
 105
 106
 107
 108
 109
 110
 111
 112
 113
 114
 115
 116
 117
 118
 119
 120
 121
__author__ = "Jesus Villalobos, Ruben Trapero"
__copyright__ = "Copyright (C) 2020 ATOS"
__license__ = "LGPLv3"
__version__ = "1.0"

import atexit
import json
import re
import base64
import requests
import time
from messageReader import MessageReader
from multiprocessing import Process

def callback(ch, method, properties, body):
    global first_message
    global unique_events
    global access_token
    try:
        event_dict = json.loads(body)
        date = json.loads(event_dict["message"])["event"]["date"]
        src_ip = json.loads(event_dict["message"])["event"]["src_ip"]
        src_port = json.loads(event_dict["message"])["event"]["src_port"]
        dst_ip = json.loads(event_dict["message"])["event"]["dst_ip"]
        dst_port = json.loads(event_dict["message"])["event"]["dst_port"]
        organization = json.loads(event_dict["message"])["event"]["organization"]
        log = json.loads(event_dict["message"])["event"]["log"]
        base64_bytes = log.encode('ascii')
        message_bytes = base64.b64decode(base64_bytes)
        log = message_bytes.decode('ascii')
        classification_match = re.match(r".*\[\*\*\]\s\[Classification:\s(.*)\]\s\[", log)
        if classification_match:
            event = classification_match.group(1)

        message = {"asset_id": "server",
            "timestamp": int(date),
            "event_alarm": [
                {"event_alarm_id": event, "event_alarm_char": event,
                    "name": "xlsiem_event", "source_ip": src_ip,
                    "source_port": int(src_port), "destination_ip": dst_ip,
                    "destination_port": int(dst_port), "priority": 0, "confidence": 0, }], }


        if len(first_message) == 0:
            first_message = message
            unique_events.add(event)
        else:
            if message["timestamp"]-first_message["timestamp"] < 10:
                if event not in unique_events:
                    first_message["event_alarm"] += message["event_alarm"]
                    unique_events.add(event)
            else:
                print(unique_events)
                url = "http://webserver/api/v1/xlsiem"
                headers = {'Content-Type': 'application/json','Authorization': f'Bearer {access_token}'}
                payload = json.dumps(first_message)
                response = requests.request("POST", url, headers=headers, data=payload)
                print(f"Event sent to KEA: {response}")
                first_message = {}
                unique_events = set()
        # ch.basic_ack(delivery_tag=method.delivery_tag)

    except Exception as e:
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        authBody = {
            "username": "testUser",
            "password": "73T$a2W3ght!8X1721R5",
            "grant_type": "password",
            "client_id": "KEA"
        }
        url = "https://keycloak.fphag.curex-project.eu/auth/realms/master/protocol/openid-connect/token"
        response = requests.request("POST", url, headers=headers, data=authBody)
        access_token = json.loads(response.text)['access_token']
        print(e)


def clean():
    reader.clean()

def cleaner():
    while True:
        print('cleaner: starting')
        global first_message
        global unique_events
        if len(first_message)>0:
            url = "http://webserver/api/v1/xlsiem"
            headers = {'Content-Type': 'application/json'}
            payload = json.dumps(first_message)
            response = requests.request("POST", url, headers=headers, data=payload)
            print(f"Event sent to KEA: {response}")
            first_message = {}
            unique_events = set()
        print('cleaner: finished')
        time.sleep(60)

unique_events = set()
first_message = {}

#p2 = Process(target=cleaner)
#p2.start()

# time.sleep(30)
# with open("events.log","r") as f:
#      for line in f.readlines():
#          callback(None,None,None,line)

headers = {'Content-Type': 'application/x-www-form-urlencoded'}
authBody = {
    "username": "testUser",
    "password": "73T$a2W3ght!8X1721R5",
    "grant_type": "password",
    "client_id": "KEA"
}
url = "https://keycloak.fphag.curex-project.eu/auth/realms/master/protocol/openid-connect/token"
response = requests.request("POST", url, headers=headers, data=authBody)
access_token = json.loads(response.text)['access_token']

reader = MessageReader()
reader.connect()
reader.read(callback)
atexit.register(clean)