django-restit 4.2.77__py3-none-any.whl → 4.2.78__py3-none-any.whl

{django_restit-4.2.77.dist-info → django_restit-4.2.78.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: django-restit
-Version: 4.2.77
+Version: 4.2.78
 Summary: A Rest Framework for DJANGO
 License: MIT
 Author: Ian Starnes

{django_restit-4.2.77.dist-info → django_restit-4.2.78.dist-info}/RECORD

@@ -114,7 +114,7 @@ incident/models/ossec.py,sha256=p1ptr-8lnaj1EP_VmPR58b2LmaYBGaYYKAMqhWK5yZM,2227
 incident/models/rules.py,sha256=SMlDRw_r3fGv-vmRojRLmsklqRRxDcjrSLVBIz-gadA,6884
 incident/models/ticket.py,sha256=S3kqGQpYLE6Y4M9IKu_60sgW-f592xNr8uufqHnvDoU,2302
 incident/parsers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-incident/parsers/ossec.py,sha256=jBvZh5RAYSIRSm-sLrvwdIVDfJxNULxzanoaYI-Z2Tw,7881
+incident/parsers/ossec.py,sha256=uh9LFLUa0uL7a-3l9w3Kd7YmTZGYbS24uoDwPWM_s58,8415
 incident/periodic.py,sha256=eX1rQK6v65A9ugofTvJPSmAWei6C-3EYgzCMuGZ03jM,381
 incident/rpc.py,sha256=3y0rfxRR9DikmCmj3IRcMaCLtzLCMrtH64lrjY1w2Og,7992
 incident/templates/email/incident_change.html,sha256=tQYphypwLukkVdwH0TB2Szz2VEJ7GnsfRS3_ZJ-MYeE,13895
@@ -502,7 +502,7 @@ ws4redis/servers/uwsgi.py,sha256=VyhoCI1DnVFqBiJYHoxqn5Idlf6uJPHvfBKgkjs34mo,172
 ws4redis/settings.py,sha256=K0yBiLUuY81iDM4Yr-k8hbvjn5VVHu5zQhmMK8Dtz0s,1536
 ws4redis/utf8validator.py,sha256=S0OlfjeGRP75aO6CzZsF4oTjRQAgR17OWE9rgZdMBZA,5122
 ws4redis/websocket.py,sha256=R0TUyPsoVRD7Y_oU7w2I6NL4fPwiz5Vl94-fUkZgLHA,14848
-django_restit-4.2.77.dist-info/LICENSE.md,sha256=VHN4hhEeVOoFjtG-5fVv4jesA4SWi0Z-KgOzzN6a1ps,1068
-django_restit-4.2.77.dist-info/METADATA,sha256=uVn8E8Ts3Hiv_mvZKMK3nZois8Z1zy79o0BhcdbtGrY,7645
-django_restit-4.2.77.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
-django_restit-4.2.77.dist-info/RECORD,,
+django_restit-4.2.78.dist-info/LICENSE.md,sha256=VHN4hhEeVOoFjtG-5fVv4jesA4SWi0Z-KgOzzN6a1ps,1068
+django_restit-4.2.78.dist-info/METADATA,sha256=wKYW-bztLqxjiqvXiiFHkxyo4_uLm5shsfOU3xnJnbE,7645
+django_restit-4.2.78.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
+django_restit-4.2.78.dist-info/RECORD,,

incident/parsers/ossec.py

@@ -45,7 +45,7 @@ def extractUrlPath(text):
 
 def extractMetaData(alert):
     irule = int(alert.rule_id)
-    if irule == 31301:
+    if irule in [31301, 31302, 31303]:
         patterns = {
             "src_ip": re.compile(r"Src IP: (\S+)"),
             "path": re.compile(r"request: (\S+ \S+)"),
@@ -171,13 +171,24 @@ def parseAlert(request, data):
             remote_file = m.group(1)
             alert.title = f"New file detected: '{remote_file}'"
     elif irule == 31101:
-        m = re.search(r"GET\s+(http://[^\s]+)\s+HTTP/\d\.\d\s+(\d+)", data.text)
+        m = re.search(r"(GET|POST|DELETE|PUT)\s+(http://[^\s]+)\s+HTTP/\d\.\d\s+(\d+)", data.text)
         if m and m.groups():
-            code = m.group(2)
-            request_path = m.group(1)
-            alert.title = f"HTTP {code}: {request_path}"
-    elif irule == 31301:
-        m = re.search(r"(\[error\]|\[crit\])[^\*]*\*\d*\s+(.*?),", text)
+            code = m.group(3)
+            method = m.group(1)
+            request_path = m.group(2)
+            alert.title = f"HTTP {code}: {METHOD} {request_path}"
+    elif irule == 31104 or irule == 31516:
+        m = re.search(r"(GET|POST|DELETE|PUT)\s+(http://[^\s]+)\s+HTTP/\d\.\d\s+(\d+)", data.text)
+        if m and m.groups():
+            code = m.group(3)
+            method = m.group(1)
+            request_path = m.group(2)
+            kind = "Common"
+            if irule == 31516:
+                kind = "Suspect"
+            alert.title = f"{kind} Attack {code}: {METHOD} {request_path}"
+    elif irule in [31301, 31302, 31303]:
+        m = re.search(r"(\[error\]|\[crit\])[^\*]*\*\d*\s+(.*?),", data.text)
         if m and len(m.groups()) >=2:
             alert.title = error
     elif irule == 100020: