OptionsBleed.py
| 1 |
# Copyright (C) 2017 CS-SI <support.prelude@c-s.fr>
|
|---|---|
| 2 |
#
|
| 3 |
# This program is free software; you can redistribute it and/or modify
|
| 4 |
# it under the terms of the GNU General Public License as published by
|
| 5 |
# the Free Software Foundation; either version 2, or (at your option)
|
| 6 |
# any later version.
|
| 7 |
#
|
| 8 |
# This program is distributed in the hope that it will be useful,
|
| 9 |
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
| 10 |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
| 11 |
# GNU General Public License for more details.
|
| 12 |
#
|
| 13 |
# You should have received a copy of the GNU General Public License along
|
| 14 |
# with this program; if not, write to the Free Software Foundation, Inc.,
|
| 15 |
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
| 16 |
|
| 17 |
from preludecorrelator.pluginmanager import Plugin |
| 18 |
from preludecorrelator.context import Context |
| 19 |
|
| 20 |
class OptionsBleed(Plugin): |
| 21 |
def run(self, idmef): |
| 22 |
if "OPTIONS" not in idmef.get("alert.classification.text") or idmef.get("alert.analyzer(-1).name") != "httpd": |
| 23 |
return
|
| 24 |
|
| 25 |
ctx = Context(("OPTIONSBLEED", idmef.get('alert.target(0).node.address(*).address')), { "expire": 120, "threshold": 15, "alert_on_expire": True }, update=True, idmef=idmef) |
| 26 |
if ctx.getUpdateCount() == 0: |
| 27 |
ctx.set("alert.classification.text", "OptionsBleed attack") |
| 28 |
ctx.set("alert.correlation_alert.name", "Multiple HTTP OPTIONS requests against a single host") |
| 29 |
ctx.set("alert.assessment.impact.severity", "high") |
| 30 |
ctx.set("alert.assessment.impact.description", "Multiple HTTP OPTIONS requests against a single host. It may be an OPTIONS Bleed atttack") |
| 31 |
ctx.set("alert.classification.reference(0).origin", "cve") |
| 32 |
ctx.set("alert.classification.reference(0).name", "2017-9798") |