django-restit 4.2.78__py3-none-any.whl → 4.2.83__py3-none-any.whl

account/models/member.py

@@ -224,11 +224,11 @@ class Member(User, RestModel, MetaDataModel):
 
     @property
     def force_single_session(self):
-        return self.hasPermission("force_single_session")
+        return self.hasPermission("force_single_session", ignore_su=True)
 
     @property
     def email_disabled(self):
-        return self.hasPermission("email_disabled")
+        return self.hasPermission("email_disabled", ignore_su=True)
 
     @property
     def has_totp(self):

account/models/notify.py

@@ -130,6 +130,8 @@ class NotificationRecord(models.Model, RestModel):
 
     @classmethod
     def canSend(cls):
+        if not settings.get("THROTTLE_EMAILS", False):
+            return True
         max_emails_per_minute = settings.get("MAX_EMAILS_PER_MINUTE", 30)
         last_email = NotificationRecord.objects.filter(state=1).last()
         now = datetime.now()
@@ -206,7 +208,7 @@ class NotificationRecord(models.Model, RestModel):
 
     @classmethod
     def _notifyViaEmail(cls, member, subject, message, template, context, 
-                        attachments, from_email=None):
+                        attachments, from_email=settings.DEFAULT_FROM_EMAIL):
         # lets verify the db is working
         if template:
             if context is None:
@@ -215,6 +217,8 @@ class NotificationRecord(models.Model, RestModel):
                 context["body"] = message
             context["unsubscribe_token"] = member.getUUID()
             message = inbox.utils.renderTemplate(template, context)
+        if from_email is None:
+            from_email = settings.DEFAULT_FROM_EMAIL
 
         nr = NotificationMemberRecord(member=member, to_addr=member.email)
         email_record = NotificationRecord(

auditlog/migrations/0002_alter_persistentlog_session.py

@@ -0,0 +1,20 @@
+# Generated by Django 4.2.11 on 2024-05-13 02:34
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('sessionlog', '0001_initial'),
+        ('auditlog', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='persistentlog',
+            name='session',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, to='sessionlog.sessionlog'),
+        ),
+    ]

{django_restit-4.2.78.dist-info → django_restit-4.2.83.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: django-restit
-Version: 4.2.78
+Version: 4.2.83
 Summary: A Rest Framework for DJANGO
 License: MIT
 Author: Ian Starnes

{django_restit-4.2.78.dist-info → django_restit-4.2.83.dist-info}/RECORD

@@ -28,9 +28,9 @@ account/models/device.py,sha256=TloXvvrx3khF3BeGFuVYn6DhXjOW0AMZb4F9Fl5nBII,5491
 account/models/feeds.py,sha256=vI7fG4ASY1M0Zjke24RdnfDcuWeATl_yR_25jPmT64g,2011
 account/models/group.py,sha256=iDD_oSgswKV_t_gXZuVK80MvICrZZqdANm2jtGtOFy8,21985
 account/models/legacy.py,sha256=zYdtv4LC0ooxPVqWM-uToPwV-lYWQLorSE6p6yn1xDw,2720
-account/models/member.py,sha256=v2cM7g5XoOQi_ZAlGcOcKn24zZCfAFokxUFIqNshDxc,52960
+account/models/member.py,sha256=fzSVVAdbUa1knp1O4JTnYZFYRas7-zDZaOPjZAMCC1Q,52992
 account/models/membership.py,sha256=90EpAhOsGaqphDAkONP6j_qQ0OWSRaQsI8H7E7fgMkE,9249
-account/models/notify.py,sha256=Qzi8gLsVi8nDx8gpL4dyr0MPExYYGIDxZvHFUdCs7H4,15072
+account/models/notify.py,sha256=iAq8tjyqouUelYgsMhWlchYmEAuCsKAyNIr5F8_xUeU,15258
 account/models/passkeys.py,sha256=TJxITUi4DT4_1tW2K7ZlOcRjJuMVl2NtKz7pKQU8-Tw,1516
 account/models/session.py,sha256=ELkWjB_2KXQvPtRPrvuGJpJsqrxCQX_4J53SbqGz_2U,3737
 account/models/settings.py,sha256=gOyRWBVd3BQpjfj_hJPtqX3H46ztyRAFxBrPbv11lQg,2137
@@ -65,6 +65,7 @@ auditlog/cloudwatch.py,sha256=R-B_ByVM3We26YnDoFYIQeWV31CUyS63QTojRAkfWa8,2805
 auditlog/decorators.py,sha256=ZoIv0fhZjxtMEV15NcKijW4xPF5UEScPna60zB3TxZo,6553
 auditlog/middleware.py,sha256=Q4bXg8rnm8y2fMnAsN6ha3Fz6TW8jIzLnvpu4H9SpWE,1537
 auditlog/migrations/0001_initial.py,sha256=X171gKQZIaTO9FGNG1yKTjGSZS0ZjZj5gvimF9-_kks,3309
+auditlog/migrations/0002_alter_persistentlog_session.py,sha256=DkkcIobbHdbniKg5bOlRmiF-Nc4hX55Y6KuQySrCcJ8,541
 auditlog/migrations/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 auditlog/models.py,sha256=skDAiuzR4chC-WNIaH2nm_VVcbnDD6ZtUxBwhk7UY8U,16517
 auditlog/periodic.py,sha256=AUhDeVsZtC47BJ-lklvYEegHoxAzj1RpIvRFSsM7g5E,363
@@ -79,6 +80,7 @@ inbox/migrations/0001_initial.py,sha256=P1OmbSHZGhj3wVBdFKWEzNrPdbyKzR9fFBXP8rhX
 inbox/migrations/0002_alter_message_cc.py,sha256=dsnDHCs1-dFZfSEWJmufBOs5gvNbI7u99kru6fVas0Y,380
 inbox/migrations/0003_attachment_content_type.py,sha256=dh_km90V6R3O0-N2oNTWhWLZZ96MylRgDY7Poua9CZ8,416
 inbox/migrations/0004_mailtemplate.py,sha256=yV51UdsRWmKC5Dy34-h2bXBeYeFtjoWQ7kOw7cuYCQo,1140
+inbox/migrations/0005_alter_mailbox_state.py,sha256=trr-CCLupHQ7e-tjJK08LACdxhCApGMNBTOeWFcyXnI,393
 inbox/migrations/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 inbox/models/__init__.py,sha256=yARvP31nhJGLjqP-U_ONi2OLjiTUFspdH0AlKynt4Y8,174
 inbox/models/bounce.py,sha256=3b_pCKH3gwb3NE8I1XlVI6JeoVmobZyKidsILH-jIRg,2881
@@ -106,17 +108,18 @@ incident/migrations/0011_ticket.py,sha256=Ml5E_Qi4Z0MD89fetoOFOL3rPlVQdjaaDCcFBf
 incident/migrations/0012_rule_match_by.py,sha256=PGclGnnc_8JEsJZ8znoXm-iAC6Y0i2WM6C2cmFgdKlA,372
 incident/migrations/0013_rulecheck_is_required.py,sha256=cL7tOj5XGPpKd2f5BojIKfNJeDB1IL-jGRU6-g-Co5o,387
 incident/migrations/0014_event_group_alter_rulecheck_index.py,sha256=v3gm5k0LVoas27qUDOt7el7YtK4yjFVLeEpuFUCoXaQ,724
+incident/migrations/0015_rule_title_template_alter_incident_state.py,sha256=FPUDhFwqBC39EjeknRT7BPddEf6ExCjsXVb9LMqIn3U,687
 incident/migrations/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 incident/models/__init__.py,sha256=NMphuhb0RTMf7Ov4QkNv7iv6_I8Wtr3xQ54yjX_a31M,209
-incident/models/event.py,sha256=WRNzvjo0jypdnQNBksOOyi-_0kVT4qWUrDZf0Aw_MPM,7355
+incident/models/event.py,sha256=Dw6fUi2tbLeA_ZRDcvGQNFkCkMGMBdtNeaLikXdAyE8,7769
 incident/models/incident.py,sha256=HPbi6J9qm7_-FMjnDUPV9NcbmP_60WU-IO9HJSpoLTY,19360
-incident/models/ossec.py,sha256=p1ptr-8lnaj1EP_VmPR58b2LmaYBGaYYKAMqhWK5yZM,2227
-incident/models/rules.py,sha256=SMlDRw_r3fGv-vmRojRLmsklqRRxDcjrSLVBIz-gadA,6884
+incident/models/ossec.py,sha256=eUDRGawzuLWobKEVGKfdZisDnyjS_Hlxi0T_GCSLCCI,2252
+incident/models/rules.py,sha256=aRkJ0ZnTv87nAUC1sHVkPExfb3OJ8fgHQIhnCIpIbhQ,7001
 incident/models/ticket.py,sha256=S3kqGQpYLE6Y4M9IKu_60sgW-f592xNr8uufqHnvDoU,2302
 incident/parsers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-incident/parsers/ossec.py,sha256=uh9LFLUa0uL7a-3l9w3Kd7YmTZGYbS24uoDwPWM_s58,8415
+incident/parsers/ossec.py,sha256=jyJmNBwnQS1tjZMwYhslnCpZviCHXnozv88BPT-ytCw,11592
 incident/periodic.py,sha256=eX1rQK6v65A9ugofTvJPSmAWei6C-3EYgzCMuGZ03jM,381
-incident/rpc.py,sha256=3y0rfxRR9DikmCmj3IRcMaCLtzLCMrtH64lrjY1w2Og,7992
+incident/rpc.py,sha256=viJt873b8T8SiAq10EM57lF8g7ghyj3ymdkaXzh2Ass,8181
 incident/templates/email/incident_change.html,sha256=tQYphypwLukkVdwH0TB2Szz2VEJ7GnsfRS3_ZJ-MYeE,13895
 incident/templates/email/incident_msg.html,sha256=MZdKhTddUF2MpiH8Z3RTQEmW_ko1n3ajeZ11KLtiLlU,13780
 incident/templates/email/incident_new.html,sha256=W6nwFQROnyDfMlXub8s02ws4hGnJp16pfgp9xTm_aEc,15185
@@ -132,12 +135,12 @@ location/migrations/0004_remove_address_modified_by_address_group_and_more.py,sh
 location/migrations/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 location/models/__init__.py,sha256=rZhldkoKmoJQXjBAK1IIQn7K_OOJvFtIGOGVl_szqbE,230
 location/models/address.py,sha256=wl0bToZ6VrJP923IIfzWqZY9xyKgla6A-uzj8jQFGRI,3149
-location/models/ip.py,sha256=ZaBFdW1tL1Q3bnS5gIY9SseiQ5xeeP_oyP1hp3czFeA,5984
+location/models/ip.py,sha256=Bl-OlwEXGvKYvYSDBSsnQkeAi4ZTKs1mDt3ddc5rq80,6039
 location/models/legacy.py,sha256=8ROsUSZrjGQkUyXeJvoxPdKAWaKfUH-AL9TIeJb7krg,1994
 location/models/location.py,sha256=01dJPJecbp5orExsIGWOsBC_KkwFRIW0rGDIwyx1r0w,2316
 location/models/track.py,sha256=OdhRL1KVXlPcZkp4S6QpKc7Ctoth8VjwHs_dlZ8XHI4,1474
 location/providers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-location/providers/iplookup/__init__.py,sha256=t7yiXnEopAN_NZ77k2oHAhfVCmWNDkiCKA8S41jbJv0,727
+location/providers/iplookup/__init__.py,sha256=I0K0HZrluCsBZ1TlGGKnyavEDZ3mT-xfE7Dtq2k-F9k,790
 location/providers/iplookup/abstractapi.py,sha256=gY8eqpjEasZtiBC6nNu960ZGL96FVwNS2JoZuP1GBO4,2419
 location/providers/iplookup/extremeip.py,sha256=QNRGhwXXsOuJL2M-xiI2pFN_6LP2HkqSUpFosu5Q04M,1345
 location/providers/iplookup/geoplugin.py,sha256=RK_6McxHYlVVMVdJ2rCafw-kqMfzMm3g_tJjBwcKXYg,2121
@@ -401,7 +404,7 @@ rest/middleware/request.py,sha256=JchRNy5L-bGd-7h-KFYekGRvREe2eCkZXKOYqIkP2hI,41
 rest/middleware/session.py,sha256=zHSoQpIzRLmpqr_JvW406wzpvU3W3gDbm5JhtzLAMlE,10240
 rest/middleware/session_store.py,sha256=1nSdeXK8PyuYgGgIufqrS6j6QpIrQ7zbMNT0ol75e6U,1901
 rest/models/__init__.py,sha256=M8pvFDq-WCF-QcM58X7pMufYYe0aaQ3U0PwGe9TKbbY,130
-rest/models/base.py,sha256=MIZUQStR5Y2ndSjmOSu-NSIg3SZs9IFoMlRQ2re75OE,69565
+rest/models/base.py,sha256=bPcTeCX7KvhkcVMKEyLmu9eYc7ccJGkIP1n3cctJPVE,69675
 rest/models/cacher.py,sha256=eKz8TINVhWEqKhJGMsRkKZTtBUIv5rN3NHbZwOC56Uk,578
 rest/models/metadata.py,sha256=65GvfFbc26_7wJz8qEAzU7fEOZWVz0ttO5j5m_gs4hk,12860
 rest/net.py,sha256=LcB2QV6VNRtsSdmiQvYZgwQUDwOPMn_VBdRiZ6OpI-I,2974
@@ -472,6 +475,7 @@ telephony/phone_util.py,sha256=5NwSBnwBEC3EaeSeN42ggBiAQ00Ujvr6CepDjXLsCyw,5067
 telephony/rpc.py,sha256=PXPDFvgoXkCKlfMzIbt6lYZPay3fcveNj2X4Pjby7p4,3473
 wiki/__init__.py,sha256=AbpHGcgLb-kRsJGnwFEktk7uzpZOCcBY74-YBdrKVGs,1
 wiki/migrations/0001_initial.py,sha256=9jvUyjrbJrbDilRnwzQUPhPV8Xi_olEPBk_N0nycvM0,3606
+wiki/migrations/0002_alter_pagemedia_entry.py,sha256=9CUnfvBmj0D4akCkux7HFuXgw9B9avE8V-iMCm5cjds,485
 wiki/migrations/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 wiki/models/__init__.py,sha256=jE-9r_Hqpyo7ysKu9BschXOn5Zg34wUt894GwJpxA28,132
 wiki/models/faq.py,sha256=nvcEFerllQKT61kIYlasvZzRKwpXyfmQpiqkpHP1V1o,1745
@@ -502,7 +506,7 @@ ws4redis/servers/uwsgi.py,sha256=VyhoCI1DnVFqBiJYHoxqn5Idlf6uJPHvfBKgkjs34mo,172
 ws4redis/settings.py,sha256=K0yBiLUuY81iDM4Yr-k8hbvjn5VVHu5zQhmMK8Dtz0s,1536
 ws4redis/utf8validator.py,sha256=S0OlfjeGRP75aO6CzZsF4oTjRQAgR17OWE9rgZdMBZA,5122
 ws4redis/websocket.py,sha256=R0TUyPsoVRD7Y_oU7w2I6NL4fPwiz5Vl94-fUkZgLHA,14848
-django_restit-4.2.78.dist-info/LICENSE.md,sha256=VHN4hhEeVOoFjtG-5fVv4jesA4SWi0Z-KgOzzN6a1ps,1068
-django_restit-4.2.78.dist-info/METADATA,sha256=wKYW-bztLqxjiqvXiiFHkxyo4_uLm5shsfOU3xnJnbE,7645
-django_restit-4.2.78.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
-django_restit-4.2.78.dist-info/RECORD,,
+django_restit-4.2.83.dist-info/LICENSE.md,sha256=VHN4hhEeVOoFjtG-5fVv4jesA4SWi0Z-KgOzzN6a1ps,1068
+django_restit-4.2.83.dist-info/METADATA,sha256=rbSXb9-b2DozTJTvyuPOVSB8x-7l1fWIhCqtR013RVg,7645
+django_restit-4.2.83.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
+django_restit-4.2.83.dist-info/RECORD,,

inbox/migrations/0005_alter_mailbox_state.py

@@ -0,0 +1,18 @@
+# Generated by Django 4.2.11 on 2024-05-13 02:34
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('inbox', '0004_mailtemplate'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='mailbox',
+            name='state',
+            field=models.IntegerField(db_index=True, default=1),
+        ),
+    ]

incident/migrations/0015_rule_title_template_alter_incident_state.py

@@ -0,0 +1,23 @@
+# Generated by Django 4.2.11 on 2024-05-13 02:34
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('incident', '0014_event_group_alter_rulecheck_index'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='rule',
+            name='title_template',
+            field=models.CharField(default=None, max_length=200, null=True),
+        ),
+        migrations.AlterField(
+            model_name='incident',
+            name='state',
+            field=models.IntegerField(choices=[(0, 'new'), (1, 'opened'), (2, 'paused'), (3, 'ignored'), (4, 'resolved'), (5, 'pending')], default=0),
+        ),
+    ]

incident/models/event.py

@@ -73,6 +73,7 @@ class Event(JSONMetaData, rm.RestModel):
 
     level = models.IntegerField(default=0, db_index=True)
     category = models.CharField(max_length=124, db_index=True)
+    # code = models.IntegerField(default=0, db_index=True)
 
     group = models.ForeignKey(
         "account.Group", on_delete=models.SET_NULL, 
@@ -154,7 +155,7 @@ class Event(JSONMetaData, rm.RestModel):
         incident = None
         action_count = 0
         if hit_rule is not None:
-            logger.error(f"RULE HIT: {hit_rule.name}")
+            # logger.error(f"RULE HIT: {hit_rule.name}")
             priority = hit_rule.priority
             if hit_rule.action == "ignore":
                 self.save()
@@ -183,7 +184,13 @@ class Event(JSONMetaData, rm.RestModel):
             if hit_rule is not None and hit_rule.action_after != 0:
                 incident.state = INCIDENT_STATE_PENDING
             # TODO possibly make this smarter?
-            if self.category == "ossec":
+            if hit_rule and hit_rule.title_template and "{" in hit_rule.title_template:
+                try:
+                    incident.description = hit_rule.title_template.format(event=self)
+                except Exception:
+                    logger.exception(hit_rule.title_template)
+                    incident.description = self.description
+            elif self.category == "ossec":
                 incident.description = f"{self.hostname}: {self.description}"
             else:
                 incident.description = self.description

incident/models/ossec.py

@@ -47,5 +47,7 @@ class ServerOssecAlert(models.Model, rm.RestModel):
     title       = models.CharField(max_length=200, blank=True, null=True, default=None)
     geoip       = models.ForeignKey("location.GeoIP", blank=True, null=True, default=None, on_delete=models.DO_NOTHING)
     
+    metadata = None
+    
     def __str__(self):
         return f'{self.hostname}: {self.title}'

incident/models/rules.py

@@ -43,6 +43,7 @@ class Rule(models.Model, rm.RestModel):
                     "created",
                     "priority",
                     "name",
+                    "title_template",
                     "category",
                     "priority",
                     "action",
@@ -63,6 +64,7 @@ class Rule(models.Model, rm.RestModel):
     modified = models.DateTimeField(auto_now=True)
 
     name = models.CharField(max_length=200)
+    title_template = models.CharField(max_length=200, default=None, null=True)
     # the group the rule gets assigned to when triggered
     group = models.ForeignKey("account.Group", on_delete=models.CASCADE, null=True, default=None)
     # category allows us to limit running rules to only those with a category

incident/parsers/ossec.py

@@ -13,19 +13,47 @@ LEVEL_REMAP_BY_RULE = {
     5710: 5
 }
 
+NGINX_PARSE_PATTERN = re.compile(
+    r'(?P<src_ip>\d+\.\d+\.\d+\.\d+) - - \[(?P<http_time>.+?)\] '
+    r'(?P<http_method>\w+) (?P<http_url>.+?) (?P<http_protocol>[\w/.]+) '
+    r'(?P<http_status>\d+) (?P<http_bytes>\d+) (?P<http_referer>.+?) '
+    r'(?P<user_agent>.+?) (?P<http_elapsed>\d\.\d{3})'
+)
+
+def parse_nginx_line(line):
+    if "\n" in line:
+        for l in line.split('\n'):
+            match = NGINX_PARSE_PATTERN.match(l)
+            if match:
+                return match.groupdict()
+        return None
+    match = NGINX_PARSE_PATTERN.match(line)
+    if match:
+        return match.groupdict()
+    return None
 
-def removeNonAscii(input_str):
-    """Remove all non-ASCII characters and escaped byte sequences from the input string."""
-    # Remove escaped byte sequences
-    cleaned_str = re.sub(r'\\x[0-9a-fA-F]{2}', '', input_str)
-    # Remove non-ASCII characters
-    return ''.join(char for char in cleaned_str if 32 <= ord(char) < 128)
+
+def removeNonAscii(input_str, replacement=''):
+    """
+    Replace all non-ASCII characters and escaped byte sequences in the input string with a specified string.
+    
+    Args:
+    input_str (str): The string to process.
+    replacement (str): The string to use as a replacement for non-ASCII characters and escaped byte sequences.
+
+    Returns:
+    str: The processed string with non-ASCII characters and byte sequences replaced.
+    """
+    # Replace escaped byte sequences with the replacement string
+    cleaned_str = re.sub(r'\\x[0-9a-fA-F]{2}', replacement, input_str)
+    # Replace non-ASCII characters with the replacement string
+    return ''.join(char if (32 <= ord(char) < 128 or char in '\n\r\t') else f"<r{str(ord(char))}>" for char in cleaned_str)
 
 
 def extractURL(text):
-    match = re.search(r"GET\s+(https?://[^\s]+)\s+HTTP/\d\.\d", text)
+    match = re.search(r"(GET|POST|DELETE|PUT)\s+(https?://[^\s]+)\s+HTTP/\d\.\d", text)
     if match:
-        return match.group(1)
+        return match.group(2)
     return None
 
 
@@ -36,6 +64,13 @@ def extractDomain(text):
     return None
 
 
+def extractIP(text):
+    match = re.search(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b", text)
+    if match:
+        return match.group(1)
+    return None
+
+
 def extractUrlPath(text):
     match = re.search(r"https?://[^/]+(/[^?]*)", text)
     if match:
@@ -43,185 +78,232 @@ def extractUrlPath(text):
     return None
 
 
+def extractUserAgent(text):
+    # this only works if the referrer is '-'
+    match = re.search(r"' - (.+?) \d+\.\d+ \d+'", text)
+    if match:
+        return match.group(1)
+    return None
+
+
 def extractMetaData(alert):
-    irule = int(alert.rule_id)
-    if irule in [31301, 31302, 31303]:
-        patterns = {
-            "src_ip": re.compile(r"Src IP: (\S+)"),
-            "path": re.compile(r"request: (\S+ \S+)"),
-            "http_server": re.compile(r"server: (\S+)"),
-            "http_host": re.compile(r"host: (\S+)"),
-            "http_referrer": re.compile(r"referrer: (\S+)")
-        }
-        # Search for matches in the text
-        return {key: pattern.search(alert.text).group(1) for key, pattern in patterns.items() if pattern.search(alert.text)}
-    return {}
+    return parse_alert_metadata(alert)
 
 
-def parseAlert(request, data):
-    # helpers.log_print(data)
+DEFAULT_META_PATTERNS = {
+    "src_ip": re.compile(r"Src IP: (\S+)"),
+    "src_port": re.compile(r"Src Port: (\S+)"),
+    "user": re.compile(r"User: (\S+)"),
+    "path": re.compile(r"request: (\S+ \S+)"),
+    "http_server": re.compile(r"server: (\S+),"),
+    "http_host": re.compile(r"host: (\S+)"),
+    "http_referrer": re.compile(r"referrer: (\S+),"),
+    "client": re.compile(r"client: (\S+),"),
+    "upstream": re.compile(r"upstream: (\S+),")
+}
+
+
+def parse_alert_metadata(alert):
+    patterns = DEFAULT_META_PATTERNS
+    if alert.rule_id == "2501":
+        match = re.search(r'user (\w+) (\d+\.\d+\.\d+\.\d+) port (\d+)', alert.text)
+        if match:
+            return dict(username=match.group(1), src_ip=match.group(2), src_port=match.group(3))
+    elif alert.rule_id.startswith("311") or alert.rule_id in ["31516", "31508", "31516"]:
+        data = parse_nginx_line(alert.text)
+        if data:
+            return data
+    elif alert.rule_id in ["31301"]:
+        match = re.search(r'\((?P<error_code>\d+): (?P<error_message>.*?)\)', alert.text)
+        data = match_patterns(patterns, alert.text)
+        data["action"] = "error"
+        if match:
+            data.update(match.groupdict())
+        return data
+    elif alert.rule_id in ["31302", "31303"]:
+        match = re.search(r'\[(warn|crit|error)\].*?: (.*?),', alert.text)
+        data = match_patterns(patterns, alert.text)
+        
+        if match:
+            data["action"] = match.group(1)
+            emsg = match.group(2)
+            if emsg[0] == "*":
+                emsg = emsg[emsg.find(' ')+1:]
+            data["error_message"] = emsg
+        return data
+    elif alert.rule_id == "551":
+        match = re.search(r"Integrity checksum changed for: '(\S+)'", alert.text)
+        if match:
+            return dict(filename=match.group(1), action="changed")
+    elif alert.rule_id == "554":
+        match = re.search(r"New file '(\S+)' added", alert.text)
+        if match:
+            return dict(filename=match.group(1), action="added")
+    elif alert.rule_id == "5402":
+        match = re.search(r'(?P<username>[\w-]+) : PWD=(?P<pwd>\S+) ; USER=(?P<user>\w+) ; COMMAND=(?P<command>.+)', alert.text)
+        if match:
+            return match.groupdict()
+        match = re.search(r'(?P<username>[\w-]+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<user>\w+) ; COMMAND=(?P<command>.+)', alert.text)
+        if match:
+            return match.groupdict()
+    elif alert.rule_id in ["5501", "5502"]:
+        match = re.search(r"session (?P<action>\S+) for user (?P<username>\S+)*", alert.text)
+        if match:
+            return match.groupdict()
+    elif alert.rule_id in ["5704", "5705"]:
+        match = re.search(r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<src_port>\d+)", alert.text)
+        if match:
+            return match.groupdict()
+    elif alert.rule_id == "5715":
+        match = re.search(r'Accepted publickey for (?P<username>\S+) from (?P<src_ip>\d+\.\d+\.\d+\.\d+) .*: (?P<ssh_key_type>\S+) (?P<ssh_signature>\S+)', alert.text)
+        if match:
+            return match.groupdict()
+    elif alert.rule_id == "2932":
+        match = re.search(r"Installed: (\S+)", alert.text)
+        if match:
+            return dict(package=match.group(1))
+    return match_patterns(patterns, alert.text)
+
+def match_patterns(patterns, text):
+    # Search for matches in the text
+    return {key: pattern.search(text).group(1) for key, pattern in patterns.items() if pattern.search(text)}
+
+
+def parse_alert_json(data):
     try:
-        data = objict.fromJSON(data.replace('\n', '\\n'))
+        if isinstance(data, str):
+            data = objict.fromJSON(data.replace('\n', '\\n'))
     except Exception:
         data = objict.fromJSON(removeNonAscii(data))
     for key in data:
         data[key] = data[key].strip()
+    if data.text:
+        data.text = removeNonAscii(data.text)
+    return data
 
-    if data.rule_id in IGNORE_RULES:
-        return None
-    if "test" in data.hostname and data.rule_id == "533":
-        # bug on test ossec falsely report 533 events
+
+def ignore_alert(alert):
+    if alert.rule_id in IGNORE_RULES:
+        return True
+    if alert.rule_id == "510" and "/dev/.mount/utab" in alert.text:
+        return True
+    return False
+
+
+def parse_alert_id(details):
+    match = re.search(r"Alert (\d+\.\d+):", details)
+    if match:
+        return match.group(1)
+    return ""
+
+
+def parse_rule_details(details):
+    alert_id = parse_alert_id(details)
+    rule_pattern = r"Rule: (\d+) \(level (\d+)\) -> '([^']+)'"
+    match = re.search(rule_pattern, details)
+    if match:
+        return objict(
+            rid=int(match.group(1)), level=int(match.group(2)), 
+            title=match.group(3), alert_id=alert_id)
+    return objict(alert_id=alert_id)
+
+
+def parse_when(alert):
+    return datetime.utcfromtimestamp(int(alert.alert_id[:alert.alert_id.find(".")]))
+
+
+def truncate_str(text, length):
+    if len(text) > length:
+        text = text[:length]
+        text = text[:text.rfind(' ')] + "..."
+    return text
+
+
+def update_by_rule(data, geoip=None):
+    if data.rule_id == "2501":
+        data.title = f"SSH Auth Attempt {data.username}@{data.hostname} from {data.src_ip}"
+    elif data.rule_id == "2503" and data.src_ip:
+        data.title = f"SSH Auth Blocked from {data.src_ip}"
+    elif data.rule_id == "31101" and data.http_status:
+        data.title = f"Web {data.http_status} {data.http_method} {data.http_url} from {data.src_ip}"
+    elif data.rule_id == "31104" and data.http_status:
+        data.title = f"Web Attack {data.http_status} {data.http_method} {data.http_url} from {data.src_ip}"
+    elif data.rule_id == "31111" and data.http_status:
+        if geoip and geoip.isp:
+            data.title = f"No referrer for .js - {data.http_status} {data.http_method} {data.http_url} from {data.src_ip}({geoip.isp})"
+        else:
+            data.title = f"No referrer for .js - {data.http_status} {data.http_method} {data.http_url} from {data.src_ip}"
+    elif data.rule_id in ["31151", "31152", "31153"] and data.http_status:
+        url = truncate_str(data.http_url, 50)
+        data.title = f"Suspected Web Scan {url} from {data.src_ip}"
+    elif data.rule_id == "31120" and data.http_status:
+        url = truncate_str(data.http_url, 50)
+        data.title = f"Web Error {data.http_status} {data.http_method} {url} from {data.src_ip}"
+    elif data.rule_id.startswith("311") and data.http_status:
+        url = truncate_str(data.http_url, 50)
+        data.title = f"Web {data.http_status} {data.http_method} {url} from {data.src_ip}"
+    elif data.rule_id in ["31301", "31302", "31303"] and data.error_message:
+        if data.upstream and "ws/events" in data.upstream:
+            data.title = f"Websocket Error: {data.error_message} on {data.hostname}"
+        else:
+            emsg = truncate_str(data.error_message, 50)
+            data.title = f"Nginx {data.action}: {emsg} from {data.src_ip}"
+    elif data.rule_id == "31516" and data.http_url:
+        url = truncate_str(data.http_url, 50)
+        data.title = f"Web Suspicious {data.http_status} {data.http_method} {url} from {data.src_ip}"
+    elif data.rule_id == "533":
+        data.title = f"Network Open Port Change Detected on {data.hostname}"
+    elif data.rule_id == "5402":
+        cmd = truncate_str(data.command, 50)
+        data.title = f"Sudo(user: {data.user}) executed '{cmd}' on {data.hostname}"
+    elif data.rule_id in ["551", "554"] and data.filename:
+        name = truncate_str(data.filename, 50)
+        data.title = f"File {data.action.capitalize()} on {data.hostname}: {name}"
+    elif data.rule_id in ["5501", "5502"]:
+        if "sudo" in data.text:
+            data.title = f"Server Login {data.action} via sudo on {data.hostname}"
+        else:
+            data.title = f"Server Login {data.action} on {data.hostname}"
+    elif data.rule_id == "5715":
+        data.title = f"SSH Login Detected: {data.username}@{data.hostname} from {data.src_ip}"
+    elif data.rule_id == "2932" and data.package:
+        package = truncate_str(data.package, 60)
+        data.title = f"Package Installed on {data.hostname}: {package}"
+    elif data.src_ip and data.src_ip not in data.title:
+        data.title = f"{data.title} Source IP: {data.src_ip}"
+    if len(data.title) > 199:
+        data.title = data.title[:199]
+
+def parse_incoming_alert(data):
+    alert = parse_alert_json(data)
+    if ignore_alert(alert):
         return None
-    if data.rule_id == "510" and "/dev/.mount/utab" in data.text:
+    alert.update(parse_rule_details(alert.text))
+    if alert.title is None:
         return None
-    # we care not for this field for now
-    data.pop("logfile", None)
-    if not data.text:
-        raise Exception("invalid or missing json")
-    alert = am.ServerOssecAlert(**data)
-    alert.when = datetime.utcfromtimestamp(int(data.alert_id[:data.alert_id.find(".")]))
-    # now lets parse the title
-    title = alert.text[alert.text.find("Rule:") + 5:]
-    # level to int
-    level = title[title.find('(level') + 7:]
-    alert.level = int(level[:level.find(')')].strip())
-    title = title[:title.find('\n')].strip()
-    pos = title.find("->")
-    if pos > 0:
-        title = title[pos + 2:]
-    alert.title = title
-    if alert.title.startswith("'"):
-        alert.title = alert.title[1:-1]
-
-    if data.hostname == "test":
-        if data.rule_id == "31120" or "Web server" in title:
-            return None
-
-    # helpers.log_print(title, alert.title)
-    # source ip (normally public ip of host)
-    pos = alert.text.find("Src IP:")
-    if pos > 1:
-        src_ip = alert.text[alert.text.find("Src IP:") + 7:]
-        alert.src_ip = src_ip[:src_ip.find('\n')].strip()
-
-    irule = int(alert.rule_id)
-    if irule == 5710:
-        m = re.search(r"Invalid user (\S+) from (\S+)", data.text)
-        if m and m.groups():
-            alert.username = m.group(1)
-            alert.src_ip = m.group(2).strip()
-            alert.title = f"Attempt to login with invalid user: {alert.username}"
-        else:
-            m = re.search(r"Invalid user  from (\S+)", data.text)
-            if m and m.groups():
-                alert.username = "(empty string)"
-                alert.src_ip = m.group(1).strip()
-    elif irule == 2932:
-        m = re.search(r"Installed: (\S+)", data.text)
-        if m and m.groups():
-            package = m.group(1)
-            alert.title = "Yum Package Installed: {}".format(package)
-    elif irule == 551:
-        # Integrity checksum changed for: '/etc/ld.so.cache'
-        m = re.search(r"Integrity checksum changed for: '(\S+)'", data.text)
-        if m and m.groups():
-            action = m.group(1)
-            alert.title = "File Changed: {}".format(action)
-    elif irule == 5715:
-        m = re.search(r"Accepted publickey for (\S+).*ssh2: ([^\n\r]*)", data.text)
-        if m and m.groups():
-            ssh_sig = m.group(2)
-            if " " in ssh_sig:
-                kind, ssh_sig = ssh_sig.split(' ')
-            alert.level = 8
-            alert.username = m.group(1)
-            alert.ssh_sig = ssh_sig
-            alert.ssh_kind = kind
-            alert.title = f"SSH LOGIN:{alert.username}@{alert.hostname} from {alert.src_ip}"
-            # member = findUserBySshSig(ssh_sig)
-            # if member:
-            #     alert.title = "SSH LOGIN user: {}".format(member.username)
-    elif irule == 5501 or irule == 5502:
-        # pam_unix(sshd:session): session opened for user git by (uid=0)
-        m = re.search(r"session (\S+) for user (\S+)*", data.text)
-        if m and m.groups():
-            alert.action = m.group(1)
-            alert.username = m.group(2)
-            alert.title = f"session {alert.action} for user {alert.username}"
-    elif irule == 5402:
-        # TTY=pts/0 ; PWD=/opt/mm_protector ; USER=root ; COMMAND=/sbin/iptables -F
-        m = re.search(r"sudo(?:\[\d+\])?:\s*(\S+).*?COMMAND=([^\n\r]*)", data.text)
-        # m = re.search(r"sudo:\s*(\S+).*COMMAND=([^\n\r]*)", data.text)
-        if m and m.groups():
-            alert.username = m.group(1)
-            alert.title = "sudo {}".format(m.group(2)).replace("#040", " ")
-        alert.level = 7
-    elif irule == 5706:
-        m = re.search(r"identification string from (\S+) port (\S+)", data.text)
-        if m and m.groups():
-            alert.src_ip = m.group(1)
-    elif irule == 5702:
-        m = re.search(r"getaddrinfo for (\S+)", data.text)
-        if m and m.groups():
-            remote_host = m.group(1)
-            alert.title = f"Reverse lookup failed for '{remote_host}'"
-    elif irule == 554:
-        m = re.search(r"New file '(\S+)' added", data.text)
-        if m and m.groups():
-            remote_file = m.group(1)
-            alert.title = f"New file detected: '{remote_file}'"
-    elif irule == 31101:
-        m = re.search(r"(GET|POST|DELETE|PUT)\s+(http://[^\s]+)\s+HTTP/\d\.\d\s+(\d+)", data.text)
-        if m and m.groups():
-            code = m.group(3)
-            method = m.group(1)
-            request_path = m.group(2)
-            alert.title = f"HTTP {code}: {METHOD} {request_path}"
-    elif irule == 31104 or irule == 31516:
-        m = re.search(r"(GET|POST|DELETE|PUT)\s+(http://[^\s]+)\s+HTTP/\d\.\d\s+(\d+)", data.text)
-        if m and m.groups():
-            code = m.group(3)
-            method = m.group(1)
-            request_path = m.group(2)
-            kind = "Common"
-            if irule == 31516:
-                kind = "Suspect"
-            alert.title = f"{kind} Attack {code}: {METHOD} {request_path}"
-    elif irule in [31301, 31302, 31303]:
-        m = re.search(r"(\[error\]|\[crit\])[^\*]*\*\d*\s+(.*?),", data.text)
-        if m and len(m.groups()) >=2:
-            alert.title = error
-    elif irule == 100020:
-        m = re.search(r"\[(\S+)\]", data.text)
-        if m and m.groups():
-            alert.src_ip = m.group(1)
-    elif "web,accesslog," in data.text and "https:" in data.text:
-        alert.ssh_sig = extractURL(data.text)
-        if alert.ssh_sig:
-            alert.hostname = extractDomain(alert.ssh_sig)
-
-    if alert.ext_ip is None:
+    alert.update(parse_alert_metadata(alert))
+    if alert.src_ip in ["-", None] and alert.client:
+        alert.src_ip = alert.client
+    if alert.ext_ip in ["-", None]:
         alert.ext_ip = alert.src_ip
-    if alert.src_ip is not None and len(alert.src_ip) > 6:
-        # lets do a lookup for the src
-        alert.geoip = GeoIP.lookup(alert.src_ip)
-
-    if irule == 31111:
-        url = alert.ssh_sig
-        hostname = alert.hostname
-        if url:
-            hostname = extractDomain(url)
-        if alert.geoip and alert.geoip.isp:
-            alert.title = f"Suspicious fetch of .js, {hostname} ISP: {alert.geoip.isp}"
-        else:
-            alert.title = f"Suspicious fetch of .js, {hostname}"
-    # finally here we change the alert level
-    if irule in LEVEL_REMAP_BY_RULE:
-        alert.level = LEVEL_REMAP_BY_RULE[irule]
-    if alert.title[0] in ["'", '"']:
-        alert.title = alert.title[1:-1]
-    if len(alert.title) > 80:
-        alert.title = alert.title[:80] + "..."
-    alert.save()
+    update_by_rule(alert)
     return alert
 
+
+def parseAlert(request, data):
+    pdata = parse_incoming_alert(data)
+    if pdata is None:
+        return None
+    field_names = am.ServerOssecAlert.get_model_field_names()
+    soa = am.ServerOssecAlert(**{key:value for key, value in pdata.items() if key in field_names})
+    soa.when = parse_when(pdata)
+    soa.metadata = pdata
+    if soa.src_ip is not None and len(soa.src_ip) > 6 and soa.src_ip != "127.0.0.1":
+        soa.geoip = GeoIP.lookup(soa.src_ip)
+        update_by_rule(pdata, soa.geoip)
+        soa.title = pdata.title
+    soa.save()
+    return soa
+
+
+

incident/rpc.py

@@ -61,6 +61,7 @@ def ossec_alert_creat_from_request(request):
     if payload:
         try:
             # TODO make this a task (background it)
+            rh.log_error("parsing payload", payload)
             od = ossec.parseAlert(request, payload)
             # lets now create a local event
             if od is not None:
@@ -78,14 +79,14 @@ def ossec_alert_creat_from_request(request):
                 elif od.level <= 3:
                     level = 8
                 metadata = od.toDict(graph="default")
-                metadata.update(ossec.extractMetaData(od))
+                metadata.update(od.metadata)
                 # we reuse the ssh_sig because it is a text field to store urls
-                ssh_sig = metadata.get("ssh_sig", None)
-                if ssh_sig is not None and ssh_sig.startswith("http"):    
-                    metadata["url"] = ssh_sig
-                    metadata["domain"] = ossec.extractDomain(ssh_sig)
-                    metadata["path"] = ossec.extractUrlPath(ssh_sig)
-                    metadata.pop("ssh_sig")
+                # ssh_sig = metadata.get("ssh_sig", None)
+                # if ssh_sig is not None and ssh_sig.startswith("http"):    
+                #     metadata["url"] = ssh_sig
+                #     metadata["domain"] = ossec.extractDomain(ssh_sig)
+                #     metadata["path"] = ossec.extractUrlPath(ssh_sig)
+                #     metadata.pop("ssh_sig")
                 if od.geoip:
                     metadata["country"] = od.geoip.country
                     metadata["city"] = od.geoip.city
@@ -103,7 +104,9 @@ def ossec_alert_creat_from_request(request):
                     "reporter_ip": od.src_ip,
                     "metadata": metadata
                 })
+                return rv.restStatus(request, True)
         except Exception as err:
+            rh.log_exception()
             stack = rh.getStackString()
             # rh.log_exception("during ossec alert", payload)
             metadata = dict(ip=request.ip, payload=payload)
@@ -115,6 +118,7 @@ def ossec_alert_creat_from_request(request):
                 "category": "ossec_error",
                 "metadata": metadata
             })
+    rh.log_error("ossec alert", request.DATA.asDict())
     return rv.restStatus(request, False, error="no alert data")
 
 

location/models/ip.py

@@ -93,6 +93,8 @@ class GeoIP(models.Model, rm.RestModel):
             ip = ip.strip()
         if not geolocate.isIP(ip):
             ip = geolocate.dnsToIP(ip)
+            if ip is None:
+                return None
         subnet = ip[:ip.rfind(".")]
         gip = GeoIP.objects.filter(ip=ip).first()
         if gip is None:

location/providers/iplookup/__init__.py

@@ -32,4 +32,8 @@ def isIP(ip):
 
 
 def dnsToIP(name):
-    return socket.gethostbyname(name)
+    try:
+        return socket.gethostbyname(name)
+    except Exception:
+        pass
+    return None

rest/models/base.py

@@ -1718,6 +1718,10 @@ class RestModel(object):
     def get_related_name_fields(cls):
         return [f.related_name for f in cls._meta.related_objects]
 
+    @classmethod
+    def get_model_field_names(cls):
+        return [f.name for f in cls._meta.get_fields()]
+
     @classmethod
     def get_fk_model(cls, fieldname):
         '''returns None if not foreignkey, otherswise the relevant model'''

wiki/migrations/0002_alter_pagemedia_entry.py

@@ -0,0 +1,19 @@
+# Generated by Django 4.2.11 on 2024-05-13 02:34
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('wiki', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='pagemedia',
+            name='entry',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='media_library', to='wiki.page'),
+        ),
+    ]