django-restit 4.2.77__py3-none-any.whl → 4.2.79__py3-none-any.whl

{django_restit-4.2.77.dist-info → django_restit-4.2.79.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: django-restit
-Version: 4.2.77
+Version: 4.2.79
 Summary: A Rest Framework for DJANGO
 License: MIT
 Author: Ian Starnes

{django_restit-4.2.77.dist-info → django_restit-4.2.79.dist-info}/RECORD

@@ -108,15 +108,16 @@ incident/migrations/0013_rulecheck_is_required.py,sha256=cL7tOj5XGPpKd2f5BojIKfN
 incident/migrations/0014_event_group_alter_rulecheck_index.py,sha256=v3gm5k0LVoas27qUDOt7el7YtK4yjFVLeEpuFUCoXaQ,724
 incident/migrations/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 incident/models/__init__.py,sha256=NMphuhb0RTMf7Ov4QkNv7iv6_I8Wtr3xQ54yjX_a31M,209
-incident/models/event.py,sha256=WRNzvjo0jypdnQNBksOOyi-_0kVT4qWUrDZf0Aw_MPM,7355
+incident/models/event.py,sha256=i02lRMdBcjIty5w_wdZnYnW-RNXDANNfnsFouwlDYO8,7414
 incident/models/incident.py,sha256=HPbi6J9qm7_-FMjnDUPV9NcbmP_60WU-IO9HJSpoLTY,19360
-incident/models/ossec.py,sha256=p1ptr-8lnaj1EP_VmPR58b2LmaYBGaYYKAMqhWK5yZM,2227
+incident/models/ossec.py,sha256=eUDRGawzuLWobKEVGKfdZisDnyjS_Hlxi0T_GCSLCCI,2252
 incident/models/rules.py,sha256=SMlDRw_r3fGv-vmRojRLmsklqRRxDcjrSLVBIz-gadA,6884
 incident/models/ticket.py,sha256=S3kqGQpYLE6Y4M9IKu_60sgW-f592xNr8uufqHnvDoU,2302
 incident/parsers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-incident/parsers/ossec.py,sha256=jBvZh5RAYSIRSm-sLrvwdIVDfJxNULxzanoaYI-Z2Tw,7881
+incident/parsers/ossec.py,sha256=8SUma8wb2KmrcgACc6jESD_gXklCsMnKVyY7GrXYrtY,10812
 incident/periodic.py,sha256=eX1rQK6v65A9ugofTvJPSmAWei6C-3EYgzCMuGZ03jM,381
-incident/rpc.py,sha256=3y0rfxRR9DikmCmj3IRcMaCLtzLCMrtH64lrjY1w2Og,7992
+incident/rpc.py,sha256=viJt873b8T8SiAq10EM57lF8g7ghyj3ymdkaXzh2Ass,8181
+incident/server.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 incident/templates/email/incident_change.html,sha256=tQYphypwLukkVdwH0TB2Szz2VEJ7GnsfRS3_ZJ-MYeE,13895
 incident/templates/email/incident_msg.html,sha256=MZdKhTddUF2MpiH8Z3RTQEmW_ko1n3ajeZ11KLtiLlU,13780
 incident/templates/email/incident_new.html,sha256=W6nwFQROnyDfMlXub8s02ws4hGnJp16pfgp9xTm_aEc,15185
@@ -401,7 +402,7 @@ rest/middleware/request.py,sha256=JchRNy5L-bGd-7h-KFYekGRvREe2eCkZXKOYqIkP2hI,41
 rest/middleware/session.py,sha256=zHSoQpIzRLmpqr_JvW406wzpvU3W3gDbm5JhtzLAMlE,10240
 rest/middleware/session_store.py,sha256=1nSdeXK8PyuYgGgIufqrS6j6QpIrQ7zbMNT0ol75e6U,1901
 rest/models/__init__.py,sha256=M8pvFDq-WCF-QcM58X7pMufYYe0aaQ3U0PwGe9TKbbY,130
-rest/models/base.py,sha256=MIZUQStR5Y2ndSjmOSu-NSIg3SZs9IFoMlRQ2re75OE,69565
+rest/models/base.py,sha256=bPcTeCX7KvhkcVMKEyLmu9eYc7ccJGkIP1n3cctJPVE,69675
 rest/models/cacher.py,sha256=eKz8TINVhWEqKhJGMsRkKZTtBUIv5rN3NHbZwOC56Uk,578
 rest/models/metadata.py,sha256=65GvfFbc26_7wJz8qEAzU7fEOZWVz0ttO5j5m_gs4hk,12860
 rest/net.py,sha256=LcB2QV6VNRtsSdmiQvYZgwQUDwOPMn_VBdRiZ6OpI-I,2974
@@ -502,7 +503,7 @@ ws4redis/servers/uwsgi.py,sha256=VyhoCI1DnVFqBiJYHoxqn5Idlf6uJPHvfBKgkjs34mo,172
 ws4redis/settings.py,sha256=K0yBiLUuY81iDM4Yr-k8hbvjn5VVHu5zQhmMK8Dtz0s,1536
 ws4redis/utf8validator.py,sha256=S0OlfjeGRP75aO6CzZsF4oTjRQAgR17OWE9rgZdMBZA,5122
 ws4redis/websocket.py,sha256=R0TUyPsoVRD7Y_oU7w2I6NL4fPwiz5Vl94-fUkZgLHA,14848
-django_restit-4.2.77.dist-info/LICENSE.md,sha256=VHN4hhEeVOoFjtG-5fVv4jesA4SWi0Z-KgOzzN6a1ps,1068
-django_restit-4.2.77.dist-info/METADATA,sha256=uVn8E8Ts3Hiv_mvZKMK3nZois8Z1zy79o0BhcdbtGrY,7645
-django_restit-4.2.77.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
-django_restit-4.2.77.dist-info/RECORD,,
+django_restit-4.2.79.dist-info/LICENSE.md,sha256=VHN4hhEeVOoFjtG-5fVv4jesA4SWi0Z-KgOzzN6a1ps,1068
+django_restit-4.2.79.dist-info/METADATA,sha256=7Hya_J4qnHewCMwlz5m2Y2JLnN2b4TpVX2pVekbpjCw,7645
+django_restit-4.2.79.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
+django_restit-4.2.79.dist-info/RECORD,,

incident/models/event.py

@@ -73,6 +73,7 @@ class Event(JSONMetaData, rm.RestModel):
 
     level = models.IntegerField(default=0, db_index=True)
     category = models.CharField(max_length=124, db_index=True)
+    # code = models.IntegerField(default=0, db_index=True)
 
     group = models.ForeignKey(
         "account.Group", on_delete=models.SET_NULL, 

incident/models/ossec.py

@@ -47,5 +47,7 @@ class ServerOssecAlert(models.Model, rm.RestModel):
     title       = models.CharField(max_length=200, blank=True, null=True, default=None)
     geoip       = models.ForeignKey("location.GeoIP", blank=True, null=True, default=None, on_delete=models.DO_NOTHING)
     
+    metadata = None
+    
     def __str__(self):
         return f'{self.hostname}: {self.title}'

incident/parsers/ossec.py

@@ -13,6 +13,25 @@ LEVEL_REMAP_BY_RULE = {
     5710: 5
 }
 
+NGINX_PARSE_PATTERN = re.compile(
+    r'(?P<src_ip>\d+\.\d+\.\d+\.\d+) - - \[(?P<http_time>.+?)\] '
+    r'(?P<http_method>\w+) (?P<http_url>.+?) (?P<http_protocol>[\w/.]+) '
+    r'(?P<http_status>\d+) (?P<http_bytes>\d+) (?P<http_referer>.+?) '
+    r'(?P<user_agent>.+?) (?P<http_elapsed>\d\.\d{3})'
+)
+
+def parse_nginx_line(line):
+    if "\n" in line:
+        for l in line.split('\n'):
+            match = NGINX_PARSE_PATTERN.match(l)
+            if match:
+                return match.groupdict()
+        return None
+    match = NGINX_PARSE_PATTERN.match(line)
+    if match:
+        return match.groupdict()
+    return None
+
 
 def removeNonAscii(input_str):
     """Remove all non-ASCII characters and escaped byte sequences from the input string."""
@@ -23,9 +42,9 @@ def removeNonAscii(input_str):
 
 
 def extractURL(text):
-    match = re.search(r"GET\s+(https?://[^\s]+)\s+HTTP/\d\.\d", text)
+    match = re.search(r"(GET|POST|DELETE|PUT)\s+(https?://[^\s]+)\s+HTTP/\d\.\d", text)
     if match:
-        return match.group(1)
+        return match.group(2)
     return None
 
 
@@ -36,6 +55,13 @@ def extractDomain(text):
     return None
 
 
+def extractIP(text):
+    match = re.search(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b", text)
+    if match:
+        return match.group(1)
+    return None
+
+
 def extractUrlPath(text):
     match = re.search(r"https?://[^/]+(/[^?]*)", text)
     if match:
@@ -43,174 +69,225 @@ def extractUrlPath(text):
     return None
 
 
+def extractUserAgent(text):
+    # this only works if the referrer is '-'
+    match = re.search(r"' - (.+?) \d+\.\d+ \d+'", text)
+    if match:
+        return match.group(1)
+    return None
+
+
 def extractMetaData(alert):
-    irule = int(alert.rule_id)
-    if irule == 31301:
-        patterns = {
-            "src_ip": re.compile(r"Src IP: (\S+)"),
-            "path": re.compile(r"request: (\S+ \S+)"),
-            "http_server": re.compile(r"server: (\S+)"),
-            "http_host": re.compile(r"host: (\S+)"),
-            "http_referrer": re.compile(r"referrer: (\S+)")
-        }
-        # Search for matches in the text
-        return {key: pattern.search(alert.text).group(1) for key, pattern in patterns.items() if pattern.search(alert.text)}
-    return {}
+    return parse_alert_metadata(alert)
 
 
-def parseAlert(request, data):
-    # helpers.log_print(data)
+DEFAULT_META_PATTERNS = {
+    "src_ip": re.compile(r"Src IP: (\S+)"),
+    "src_port": re.compile(r"Src Port: (\S+)"),
+    "user": re.compile(r"User: (\S+)"),
+    "path": re.compile(r"request: (\S+ \S+)"),
+    "http_server": re.compile(r"server: (\S+),"),
+    "http_host": re.compile(r"host: (\S+)"),
+    "http_referrer": re.compile(r"referrer: (\S+),"),
+    "client": re.compile(r"client: (\S+),"),
+    "upstream": re.compile(r"upstream: (\S+),")
+}
+
+
+def parse_alert_metadata(alert):
+    patterns = DEFAULT_META_PATTERNS
+    if alert.rule_id == "2501":
+        match = re.search(r'user (\w+) (\d+\.\d+\.\d+\.\d+) port (\d+)', alert.text)
+        if match:
+            return dict(username=match.group(1), src_ip=match.group(2), src_port=match.group(3))
+    elif alert.rule_id.startswith("311") or alert.rule_id in ["31516", "31508", "31516"]:
+        data = parse_nginx_line(alert.text)
+        if data:
+            return data
+    elif alert.rule_id in ["31301"]:
+        match = re.search(r'\((?P<error_code>\d+): (?P<error_message>.*?)\)', alert.text)
+        data = match_patterns(patterns, alert.text)
+        data["action"] = "error"
+        if match:
+            data.update(match.groupdict())
+        return data
+    elif alert.rule_id in ["31302", "31303"]:
+        match = re.search(r'\[(warn|crit|error)\].*?: (.*?),', alert.text)
+        data = match_patterns(patterns, alert.text)
+        
+        if match:
+            data["action"] = match.group(1)
+            emsg = match.group(2)
+            if emsg[0] == "*":
+                emsg = emsg[emsg.find(' ')+1:]
+            data["error_message"] = emsg
+        return data
+    elif alert.rule_id == "551":
+        match = re.search(r"Integrity checksum changed for: '(\S+)'", alert.text)
+        if match:
+            return dict(filename=match.group(1), action="changed")
+    elif alert.rule_id == "554":
+        match = re.search(r"New file '(\S+)' added", alert.text)
+        if match:
+            return dict(filename=match.group(1), action="added")
+    elif alert.rule_id == "5402":
+        match = re.search(r'(?P<username>\w+) : PWD=(?P<pwd>\S+) ; USER=(?P<user>\w+) ; COMMAND=(?P<command>.+)', alert.text)
+        return match.groupdict()
+    elif alert.rule_id in ["5501", "5502"]:
+        match = re.search(r"session (?P<action>\S+) for user (?P<username>\S+)*", alert.text)
+        if match:
+            return match.groupdict()
+    elif alert.rule_id in ["5704", "5705"]:
+        match = re.search(r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<src_port>\d+)", alert.text)
+        if match:
+            return match.groupdict()
+    elif alert.rule_id == "5715":
+        match = re.search(r'Accepted publickey for (?P<username>\S+) from (?P<src_ip>\d+\.\d+\.\d+\.\d+) .*: (?P<ssh_key_type>\S+) (?P<ssh_signature>\S+)', alert.text)
+        if match:
+            return match.groupdict()
+    elif alert.rule_id == "2932":
+        match = re.search(r"Installed: (\S+)", alert.text)
+        if match:
+            return dict(package=match.group(1))
+    return match_patterns(patterns, alert.text)
+
+def match_patterns(patterns, text):
+    # Search for matches in the text
+    return {key: pattern.search(text).group(1) for key, pattern in patterns.items() if pattern.search(text)}
+
+
+def parse_alert_json(data):
     try:
-        data = objict.fromJSON(data.replace('\n', '\\n'))
+        if isinstance(data, str):
+            data = objict.fromJSON(data.replace('\n', '\\n'))
     except Exception:
         data = objict.fromJSON(removeNonAscii(data))
     for key in data:
         data[key] = data[key].strip()
+    return data
 
-    if data.rule_id in IGNORE_RULES:
-        return None
-    if "test" in data.hostname and data.rule_id == "533":
-        # bug on test ossec falsely report 533 events
+
+def ignore_alert(alert):
+    if alert.rule_id in IGNORE_RULES:
+        return True
+    if alert.rule_id == "510" and "/dev/.mount/utab" in alert.text:
+        return True
+    return False
+
+
+def parse_alert_id(details):
+    match = re.search(r"Alert (\d+\.\d+):", details)
+    if match:
+        return match.group(1)
+    return ""
+
+
+def parse_rule_details(details):
+    alert_id = parse_alert_id(details)
+    rule_pattern = r"Rule: (\d+) \(level (\d+)\) -> '([^']+)'"
+    match = re.search(rule_pattern, details)
+    if match:
+        return objict(
+            rid=int(match.group(1)), level=int(match.group(2)), 
+            title=match.group(3), alert_id=alert_id)
+    return objict(alert_id=alert_id)
+
+
+def parse_when(alert):
+    return datetime.utcfromtimestamp(int(alert.alert_id[:alert.alert_id.find(".")]))
+
+
+def truncate_str(text, length):
+    if len(text) > length:
+        text = text[:length]
+        text = text[:text.rfind(' ')] + "..."
+    return text
+
+
+def update_by_rule(data, geoip=None):
+    if data.rule_id == "2501":
+        data.title = f"SSH Auth Attempt {data.username}@{data.hostname} from {data.src_ip}"
+    elif data.rule_id == "2503" and data.src_ip:
+        data.title = f"SSH Auth Blocked from {data.src_ip}"
+    elif data.rule_id == "31101" and data.http_status:
+        data.title = f"Web {data.http_status} {data.http_method} {data.http_url} from {data.src_ip}"
+    elif data.rule_id == "31104" and data.http_status:
+        data.title = f"Web Attack {data.http_status} {data.http_method} {data.http_url} from {data.src_ip}"
+    elif data.rule_id == "31111" and data.http_status:
+        if geoip and geoip.isp:
+            data.title = f"No referrer for .js - {data.http_status} {data.http_method} {data.http_url} from {data.src_ip}({geoip.isp})"
+        else:
+            data.title = f"No referrer for .js - {data.http_status} {data.http_method} {data.http_url} from {data.src_ip}"
+    elif data.rule_id in ["31151", "31152", "31153"] and data.http_status:
+        url = truncate_str(data.http_url, 50)
+        data.title = f"Suspected Web Scan {url} from {data.src_ip}"
+    elif data.rule_id == "31120" and data.http_status:
+        url = truncate_str(data.http_url, 50)
+        data.title = f"Web Error {data.http_status} {data.http_method} {url} from {data.src_ip}"
+    elif data.rule_id.startswith("311") and data.http_status:
+        url = truncate_str(data.http_url, 50)
+        data.title = f"Web {data.http_status} {data.http_method} {url} from {data.src_ip}"
+    elif data.rule_id in ["31301", "31302", "31303"] and data.error_message:
+        if data.upstream and "ws/events" in data.upstream:
+            data.title = f"Websocket Error: {data.error_message} on {data.hostname}"
+        else:
+            emsg = truncate_str(data.error_message, 50)
+            data.title = f"Nginx {data.action}: {emsg} from {data.src_ip}"
+    elif data.rule_id == "31516" and data.http_url:
+        url = truncate_str(data.http_url, 50)
+        data.title = f"Web Suspicious {data.http_status} {data.http_method} {url} from {data.src_ip}"
+    elif data.rule_id == "533":
+        data.title = f"Network Open Port Change Detected on {data.hostname}"
+    elif data.rule_id == "5402":
+        data.title = f"Sudo(user: {data.user}) executed on {data.hostname}"
+    elif data.rule_id in ["551", "554"] and data.filename:
+        name = truncate_str(data.filename, 50)
+        data.title = f"File {data.action.capitalize()} on {data.hostname}: {name}"
+    elif data.rule_id in ["5501", "5502"]:
+        if "sudo" in data.text:
+            data.title = f"Server Login {data.action} via sudo on {data.hostname}"
+        else:
+            data.title = f"Server Login {data.action} on {data.hostname}"
+    elif data.rule_id == "5715":
+        data.title = f"SSH Login Detected: {data.username}@{data.hostname} from {data.src_ip}"
+    elif data.rule_id == "2932" and data.package:
+        package = truncate_str(data.package, 60)
+        data.title = f"Package Installed on {data.hostname}: {package}"
+    elif data.src_ip and data.src_ip not in data.title:
+        data.title = f"{data.title} Source IP: {data.src_ip}"
+    if len(data.title) > 199:
+        data.title = data.title[:199]
+
+def parse_incoming_alert(data):
+    alert = parse_alert_json(data)
+    if ignore_alert(alert):
         return None
-    if data.rule_id == "510" and "/dev/.mount/utab" in data.text:
+    alert.update(parse_rule_details(alert.text))
+    if alert.title is None:
         return None
-    # we care not for this field for now
-    data.pop("logfile", None)
-    if not data.text:
-        raise Exception("invalid or missing json")
-    alert = am.ServerOssecAlert(**data)
-    alert.when = datetime.utcfromtimestamp(int(data.alert_id[:data.alert_id.find(".")]))
-    # now lets parse the title
-    title = alert.text[alert.text.find("Rule:") + 5:]
-    # level to int
-    level = title[title.find('(level') + 7:]
-    alert.level = int(level[:level.find(')')].strip())
-    title = title[:title.find('\n')].strip()
-    pos = title.find("->")
-    if pos > 0:
-        title = title[pos + 2:]
-    alert.title = title
-    if alert.title.startswith("'"):
-        alert.title = alert.title[1:-1]
-
-    if data.hostname == "test":
-        if data.rule_id == "31120" or "Web server" in title:
-            return None
-
-    # helpers.log_print(title, alert.title)
-    # source ip (normally public ip of host)
-    pos = alert.text.find("Src IP:")
-    if pos > 1:
-        src_ip = alert.text[alert.text.find("Src IP:") + 7:]
-        alert.src_ip = src_ip[:src_ip.find('\n')].strip()
-
-    irule = int(alert.rule_id)
-    if irule == 5710:
-        m = re.search(r"Invalid user (\S+) from (\S+)", data.text)
-        if m and m.groups():
-            alert.username = m.group(1)
-            alert.src_ip = m.group(2).strip()
-            alert.title = f"Attempt to login with invalid user: {alert.username}"
-        else:
-            m = re.search(r"Invalid user  from (\S+)", data.text)
-            if m and m.groups():
-                alert.username = "(empty string)"
-                alert.src_ip = m.group(1).strip()
-    elif irule == 2932:
-        m = re.search(r"Installed: (\S+)", data.text)
-        if m and m.groups():
-            package = m.group(1)
-            alert.title = "Yum Package Installed: {}".format(package)
-    elif irule == 551:
-        # Integrity checksum changed for: '/etc/ld.so.cache'
-        m = re.search(r"Integrity checksum changed for: '(\S+)'", data.text)
-        if m and m.groups():
-            action = m.group(1)
-            alert.title = "File Changed: {}".format(action)
-    elif irule == 5715:
-        m = re.search(r"Accepted publickey for (\S+).*ssh2: ([^\n\r]*)", data.text)
-        if m and m.groups():
-            ssh_sig = m.group(2)
-            if " " in ssh_sig:
-                kind, ssh_sig = ssh_sig.split(' ')
-            alert.level = 8
-            alert.username = m.group(1)
-            alert.ssh_sig = ssh_sig
-            alert.ssh_kind = kind
-            alert.title = f"SSH LOGIN:{alert.username}@{alert.hostname} from {alert.src_ip}"
-            # member = findUserBySshSig(ssh_sig)
-            # if member:
-            #     alert.title = "SSH LOGIN user: {}".format(member.username)
-    elif irule == 5501 or irule == 5502:
-        # pam_unix(sshd:session): session opened for user git by (uid=0)
-        m = re.search(r"session (\S+) for user (\S+)*", data.text)
-        if m and m.groups():
-            alert.action = m.group(1)
-            alert.username = m.group(2)
-            alert.title = f"session {alert.action} for user {alert.username}"
-    elif irule == 5402:
-        # TTY=pts/0 ; PWD=/opt/mm_protector ; USER=root ; COMMAND=/sbin/iptables -F
-        m = re.search(r"sudo(?:\[\d+\])?:\s*(\S+).*?COMMAND=([^\n\r]*)", data.text)
-        # m = re.search(r"sudo:\s*(\S+).*COMMAND=([^\n\r]*)", data.text)
-        if m and m.groups():
-            alert.username = m.group(1)
-            alert.title = "sudo {}".format(m.group(2)).replace("#040", " ")
-        alert.level = 7
-    elif irule == 5706:
-        m = re.search(r"identification string from (\S+) port (\S+)", data.text)
-        if m and m.groups():
-            alert.src_ip = m.group(1)
-    elif irule == 5702:
-        m = re.search(r"getaddrinfo for (\S+)", data.text)
-        if m and m.groups():
-            remote_host = m.group(1)
-            alert.title = f"Reverse lookup failed for '{remote_host}'"
-    elif irule == 554:
-        m = re.search(r"New file '(\S+)' added", data.text)
-        if m and m.groups():
-            remote_file = m.group(1)
-            alert.title = f"New file detected: '{remote_file}'"
-    elif irule == 31101:
-        m = re.search(r"GET\s+(http://[^\s]+)\s+HTTP/\d\.\d\s+(\d+)", data.text)
-        if m and m.groups():
-            code = m.group(2)
-            request_path = m.group(1)
-            alert.title = f"HTTP {code}: {request_path}"
-    elif irule == 31301:
-        m = re.search(r"(\[error\]|\[crit\])[^\*]*\*\d*\s+(.*?),", text)
-        if m and len(m.groups()) >=2:
-            alert.title = error
-    elif irule == 100020:
-        m = re.search(r"\[(\S+)\]", data.text)
-        if m and m.groups():
-            alert.src_ip = m.group(1)
-    elif "web,accesslog," in data.text and "https:" in data.text:
-        alert.ssh_sig = extractURL(data.text)
-        if alert.ssh_sig:
-            alert.hostname = extractDomain(alert.ssh_sig)
-
-    if alert.ext_ip is None:
+    alert.update(parse_alert_metadata(alert))
+    if alert.src_ip in ["-", None] and alert.client:
+        alert.src_ip = alert.client
+    if alert.ext_ip in ["-", None]:
         alert.ext_ip = alert.src_ip
-    if alert.src_ip is not None and len(alert.src_ip) > 6:
-        # lets do a lookup for the src
-        alert.geoip = GeoIP.lookup(alert.src_ip)
-
-    if irule == 31111:
-        url = alert.ssh_sig
-        hostname = alert.hostname
-        if url:
-            hostname = extractDomain(url)
-        if alert.geoip and alert.geoip.isp:
-            alert.title = f"Suspicious fetch of .js, {hostname} ISP: {alert.geoip.isp}"
-        else:
-            alert.title = f"Suspicious fetch of .js, {hostname}"
-    # finally here we change the alert level
-    if irule in LEVEL_REMAP_BY_RULE:
-        alert.level = LEVEL_REMAP_BY_RULE[irule]
-    if alert.title[0] in ["'", '"']:
-        alert.title = alert.title[1:-1]
-    if len(alert.title) > 80:
-        alert.title = alert.title[:80] + "..."
-    alert.save()
+    update_by_rule(alert)
     return alert
 
+
+def parseAlert(request, data):
+    pdata = parse_incoming_alert(data)
+    if pdata is None:
+        return None
+    field_names = am.ServerOssecAlert.get_model_field_names()
+    soa = am.ServerOssecAlert(**{key:value for key, value in pdata.items() if key in field_names})
+    soa.when = parse_when(pdata)
+    soa.metadata = pdata
+    if soa.src_ip is not None and len(soa.src_ip) > 6 and soa.src_ip != "127.0.0.1":
+        soa.geoip = GeoIP.lookup(soa.src_ip)
+        update_by_rule(pdata, soa.geoip)
+        soa.title = pdata.title
+    soa.save()
+    return soa
+
+
+

incident/rpc.py

@@ -61,6 +61,7 @@ def ossec_alert_creat_from_request(request):
     if payload:
         try:
             # TODO make this a task (background it)
+            rh.log_error("parsing payload", payload)
             od = ossec.parseAlert(request, payload)
             # lets now create a local event
             if od is not None:
@@ -78,14 +79,14 @@ def ossec_alert_creat_from_request(request):
                 elif od.level <= 3:
                     level = 8
                 metadata = od.toDict(graph="default")
-                metadata.update(ossec.extractMetaData(od))
+                metadata.update(od.metadata)
                 # we reuse the ssh_sig because it is a text field to store urls
-                ssh_sig = metadata.get("ssh_sig", None)
-                if ssh_sig is not None and ssh_sig.startswith("http"):    
-                    metadata["url"] = ssh_sig
-                    metadata["domain"] = ossec.extractDomain(ssh_sig)
-                    metadata["path"] = ossec.extractUrlPath(ssh_sig)
-                    metadata.pop("ssh_sig")
+                # ssh_sig = metadata.get("ssh_sig", None)
+                # if ssh_sig is not None and ssh_sig.startswith("http"):    
+                #     metadata["url"] = ssh_sig
+                #     metadata["domain"] = ossec.extractDomain(ssh_sig)
+                #     metadata["path"] = ossec.extractUrlPath(ssh_sig)
+                #     metadata.pop("ssh_sig")
                 if od.geoip:
                     metadata["country"] = od.geoip.country
                     metadata["city"] = od.geoip.city
@@ -103,7 +104,9 @@ def ossec_alert_creat_from_request(request):
                     "reporter_ip": od.src_ip,
                     "metadata": metadata
                 })
+                return rv.restStatus(request, True)
         except Exception as err:
+            rh.log_exception()
             stack = rh.getStackString()
             # rh.log_exception("during ossec alert", payload)
             metadata = dict(ip=request.ip, payload=payload)
@@ -115,6 +118,7 @@ def ossec_alert_creat_from_request(request):
                 "category": "ossec_error",
                 "metadata": metadata
             })
+    rh.log_error("ossec alert", request.DATA.asDict())
     return rv.restStatus(request, False, error="no alert data")
 
 

rest/models/base.py

@@ -1718,6 +1718,10 @@ class RestModel(object):
     def get_related_name_fields(cls):
         return [f.related_name for f in cls._meta.related_objects]
 
+    @classmethod
+    def get_model_field_names(cls):
+        return [f.name for f in cls._meta.get_fields()]
+
     @classmethod
     def get_fk_model(cls, fieldname):
         '''returns None if not foreignkey, otherswise the relevant model'''