Commit 75a30f1dfcfeceb358b54a7396dcdbc8ecf56dd5

Authored by Thanasis Naskos
1 parent 887080ac3b

MLTD taking the source and destination/target ip from the last message from XLSIEM

Showing 4 changed files with 12 additions and 8 deletions

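--- a/MLTD/src/OnlinePrediction.py
+++ b/MLTD/src/OnlinePrediction.py
@@ -31,6 +31,8 @@
 def __init__(self):
 self.data_dates = []
 self.data_values = []
+self.source_ip = "10.0.2.15"
+self.target_ip = "10.0.2.15"
 self.read_log_conf(LOGGING_CONF_FILE)
 self.logger = logging.getLogger("mltd-online")
 self.logger.info("Online MLTD is running")
@@ -86,6 +88,8 @@
 # "%Y-%m-%dT%H:%M:%SZ"
 # )
 # )
+self.source_ip = measDict["event_alarm"][event]["source_ip"]
+self.target_ip = measDict["event_alarm"][event]["destination_ip"]
 event_alarm_id = measDict["event_alarm"][event]["event_alarm_id"]
 data_values.append(event_alarm_id)
 
 
@@ -126,12 +130,12 @@
 f" - Expected timeframe: {round(timeframe,2)} secs")
 
 ReportSyslog.report(
-self.asset_id, max(predictions) * 100, timeframe
+self.asset_id, max(predictions) * 100, timeframe, self.source_ip, self.target_ip
 )
 ReportTimeDB.report(
 self.time_db_client, self.asset_id, max(predictions) * 100, timeframe
 )
-self.logger.info(f"The incident was reportered on TimescaleDB")
+self.logger.info(f"The incident was reportered on TimescaleDB and Rsyslog server")
 else:
 self.logger.info(
 f"The predicted risk {round(max(predictions),2)} is "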
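Review bot: The new lookups at lines 91–92 index `measDict["event_alarm"][event]` for `source_ip` and `destination_ip` directly, so an XL-SIEM message that lacks either field now aborts the whole update with a KeyError, where before only `event_alarm_id` was required; reading them as `self.source_ip = measDict["event_alarm"][event].get("source_ip", self.source_ip)` (and likewise for `destination_ip`) keeps the alarm path working and falls back to the previous value. These assignments appear to sit inside a per-event loop whose header is outside the hunk, so the pair reported later is whichever event came last, as the commit message intends; a comment such as `# last event in the message wins; this pair is what ReportSyslog.report emits` would make that explicit. The defaults at lines 34–35 are a concrete address rather than `None`, so a report issued before any event has been seen would carry a fabricated source and target; `None` defaults would make that case visible instead of silently plausible. The enclosing method for lines 88–95 begins outside the hunk.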
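--- a/MLTD/src/ReportSyslog.py
+++ b/MLTD/src/ReportSyslog.py
@@ -1,6 +1,6 @@
 import logging.handlers
 
-def report(asset_id, risk, timeframe):
+def report(asset_id, risk, timeframe, source_ip, target_ip):
 my_logger = logging.getLogger('MyLogger')
 my_logger.setLevel(logging.DEBUG)
 
@@ -10,5 +10,5 @@
 formatter = logging.Formatter(' %(message)s')
 handler.setFormatter(formatter)
 my_logger.addHandler(handler)
-my_logger.critical(f'source_ip: 10.0.2.15 target_ip: 10.0.2.15 asset: {asset_id} risk: {risk} timeframe: {timeframe}')
+my_logger.critical(f'source_ip: {source_ip} target_ip: {target_ip} asset: {asset_id} risk: {risk} timeframe: {timeframe}')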
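Review bot: The values interpolated into the critical record at line 13 now originate from an external XL-SIEM event rather than a fixed literal, and nothing checks that they are IP addresses before they are written to the syslog line, so a malformed or multi-line field would be forwarded verbatim into the downstream log. Normalising at the top of report() with `source_ip = ipaddress.ip_address(str(source_ip))` and `target_ip = ipaddress.ip_address(str(target_ip))` rejects anything else with a ValueError and keeps the record well-formed; the accompanying `import ipaddress` belongs beside `import logging.handlers` on line 1. The two added parameters have no defaults, so any caller other than OnlinePrediction.py that still passes three arguments would now fail with TypeError — worth confirming none exist. Lines 7–9 of report() are not part of either hunk.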
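--- a/pcap-data/mltd1-unix.json
+++ b/pcap-data/mltd1-unix.json
@@ -6,9 +6,9 @@
 "event_alarm_id": "danger",
 "event_alarm_char": "danger",
 "name": "danger",
-"source_ip": "192.168.1.1",
+"source_ip": "10.0.2.15",
 "source_port": 1234,
-"destination_ip": "192.168.1.50",
+"destination_ip": "10.0.2.15",
 "destination_port": 1231,
 "priority": 0,
 "confidence": 0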
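Review bot: Both fixtures now carry the same address in `source_ip` and `destination_ip`, so a run against them can no longer tell whether report() receives the pair in the right order or has the two swapped; keeping two distinct addresses, for instance the previous `192.168.1.1` and `192.168.1.50`, preserves that check. The same applies to pcap-data/mltd2-unix.json at lines 9 and 11.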
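--- a/pcap-data/mltd2-unix.json
+++ b/pcap-data/mltd2-unix.json
@@ -6,9 +6,9 @@
 "event_alarm_id": "danger",
 "event_alarm_char": "danger",
 "name": "danger",
-"source_ip": "192.168.1.1",
+"source_ip": "10.0.2.15",
 "source_port": 1234,
-"destination_ip": "192.168.1.50",
+"destination_ip": "10.0.2.15",
 "destination_port": 1231,
 "priority": 0,
 "confidence": 0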