# Copyright (C) 2017 CS-SI <support.prelude@c-s.fr>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
from preludecorrelator.pluginmanager import Plugin |
from preludecorrelator.context import Context |
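class OptionsBleed(Plugin):
    """Correlation rule for bursts of HTTP OPTIONS requests against one host.

    Each httpd alert whose classification mentions "OPTIONS" is counted in a
    per-target Context; once the Context's threshold is reached the plugin
    emits a correlation alert referencing CVE-2017-9798 (the "Optionsbleed"
    Apache httpd memory disclosure).  The plugin only shapes the correlation
    alert; the counting/expiry policy lives in Context.
    """

    def run(self, idmef):
        """Feed one incoming IDMEF alert into the per-target OPTIONS counter.

        Args:
            idmef: the incoming IDMEF alert object; only ``get`` is used.

        Returns:
            None.  Alerts that are not httpd "OPTIONS" alerts are ignored;
            matching alerts update (or create) the "OPTIONSBLEED" Context.
        """
        # idmef.get() can return None when the path is unset; coerce to "" so a
        # classification-less alert cannot make the `in` test raise TypeError
        # (which would abort the plugin instead of merely skipping the alert).
        classification = idmef.get("alert.classification.text") or ""
        if "OPTIONS" not in classification:
            return
        # Only alerts produced by the httpd analyzer are relevant to this rule.
        if idmef.get("alert.analyzer(-1).name") != "httpd":
            return

        # The Context is keyed on the target host's addresses, so every source
        # hitting the same host contributes to the same counter.  Options:
        # expire=120, threshold=15, alert_on_expire=True -- presumably
        # "15 matching alerts within a 120 s window", with the correlation
        # alert raised when the window expires; confirm against Context.
        ctx = Context(
            ("OPTIONSBLEED", idmef.get('alert.target(0).node.address(*).address')),
            {"expire": 120, "threshold": 15, "alert_on_expire": True},
            update=True,
            idmef=idmef,
        )

        # Fill the correlation alert only when the Context is freshly created
        # (update count 0); later updates just bump the counter.
        if ctx.getUpdateCount() == 0:
            ctx.set("alert.classification.text", "OptionsBleed attack")
            ctx.set("alert.correlation_alert.name", "Multiple HTTP OPTIONS requests against a single host")
            ctx.set("alert.assessment.impact.severity", "high")
            ctx.set("alert.assessment.impact.description", "Multiple HTTP OPTIONS requests against a single host. It may be an OPTIONS Bleed attack")
            # Reference the CVE so analysts can pivot from the correlation alert.
            ctx.set("alert.classification.reference(0).origin", "cve")
            ctx.set("alert.classification.reference(0).name", "2017-9798")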