Adjust JSON output to add groups

krhubert · krhubert · commit f69b036150a1 · 2018-04-25T16:17:49.000+02:00
diff --git a/alerts/alerts.go b/alerts/alerts.go
@@ -0,0 +1,115 @@
+package alerts
+
+import (
+	"net"
+	"time"
+
+	"github.com/alphasoc/nfr/client"
+	"github.com/alphasoc/nfr/groups"
+)
+
+// AlertMapper maps response to internal alert struct.
+type AlertMapper struct {
+	groups *groups.Groups
+}
+
+// Alert represents alert api struct.
+type Alert struct {
+	Follow string  `json:"follow"`
+	More   bool    `json:"more"`
+	Events []Event `json:"events"`
+}
+
+// Event from alert.
+type Event struct {
+	Type    string   `json:"type"`
+	Flags   []string `json:"flags"`
+	Groups  []Group  `json:"groups"`
+	Threats []Threat `json:"threats"`
+
+	// fileds common for dns and ip event
+	Timestamp time.Time `json:"ts"`
+	SrcIP     net.IP    `json:"srcIp"`
+
+	// ip event fileds
+	SrcPort  int    `json:"srcPort"`
+	DstIP    net.IP `json:"destIp"`
+	DstPort  int    `json:"destPort"`
+	Protocol string `json:"proto"`
+	BytesIn  int    `json:"bytesIn"`
+	BytesOut int    `json:"bytesOut"`
+
+	// dns event fileds
+	Query      string `json:"query"`
+	RecordType string `json:"recordType"`
+}
+
+// Threat for event.
+type Threat struct {
+	ID          string `json:"id"`
+	Severity    int    `json:"severity"`
+	Description string `json:"desc"`
+	Policy      bool   `json:"policy"`
+	Deprecated  bool   `json:"deprecated"`
+}
+
+// Group describe group event belongs to.
+type Group struct {
+	Label       string `json:"label"`
+	Description string `json:"desc"`
+}
+
+// NewAlertMapper creates new alert mapper.
+func NewAlertMapper(groups *groups.Groups) *AlertMapper {
+	return &AlertMapper{groups: groups}
+}
+
+// Map maps client response to alert.
+func (m *AlertMapper) Map(resp *client.AlertsResponse) *Alert {
+	var alert = &Alert{
+		Follow: resp.Follow,
+		More:   resp.More,
+		Events: make([]Event, len(resp.Alerts)),
+	}
+
+	for i := range resp.Alerts {
+		alert.Events[i] = Event{
+			Type:  "alert",
+			Flags: resp.Alerts[i].Wisdom.Flags,
+		}
+		for _, threat := range resp.Alerts[i].Threats {
+			alert.Events[i].Threats = append(alert.Events[i].Threats, Threat{
+				ID:          threat,
+				Severity:    resp.Threats[threat].Severity,
+				Description: resp.Threats[threat].Title,
+				Policy:      resp.Threats[threat].Policy,
+				Deprecated:  false,
+			})
+		}
+
+		switch resp.Alerts[i].EventType {
+		case "dns":
+			alert.Events[i].Timestamp = resp.Alerts[i].DNSEvent.Timestamp
+			alert.Events[i].SrcIP = resp.Alerts[i].DNSEvent.SrcIP
+			alert.Events[i].Query = resp.Alerts[i].DNSEvent.Query
+			alert.Events[i].RecordType = resp.Alerts[i].DNSEvent.QType
+		case "ip":
+			alert.Events[i].Timestamp = resp.Alerts[i].IPEvent.Timestamp
+			alert.Events[i].SrcIP = resp.Alerts[i].IPEvent.SrcIP
+			alert.Events[i].SrcPort = resp.Alerts[i].IPEvent.SrcPort
+			alert.Events[i].DstIP = resp.Alerts[i].IPEvent.DstIP
+			alert.Events[i].DstPort = resp.Alerts[i].IPEvent.DstPort
+			alert.Events[i].Protocol = resp.Alerts[i].IPEvent.Protocol
+			alert.Events[i].BytesIn = resp.Alerts[i].IPEvent.BytesIn
+			alert.Events[i].BytesOut = resp.Alerts[i].IPEvent.BytesOut
+		}
+
+		for _, group := range m.groups.FindGroupsBySrcIP(alert.Events[i].SrcIP) {
+			alert.Events[i].Groups = append(alert.Events[i].Groups, Group{
+				Label:       group.Name,
+				Description: group.Label,
+			})
+		}
+	}
+	return alert
+}
diff --git a/alerts/graylog_writer.go b/alerts/graylog_writer.go
@@ -35,45 +35,35 @@ func NewGraylogWriter(uri string, level int) (*GraylogWriter, error) {
 }
 
 // Write writes alert response to graylog server.
-func (w *GraylogWriter) Write(resp *client.AlertsResponse) error {
-	// do not log if there is no alerts
-	if len(resp.Alerts) == 0 {
-		return nil
-	}
-
+func (w *GraylogWriter) Write(alert *Alert) error {
 	// send each alert as separate message.
-	for _, alert := range resp.Alerts {
-		for _, threat := range alert.Threats {
+	for _, event := range alert.Events {
+		for _, threat := range event.Threats {
 			m := &gelf.Message{
 				Version:      "1.1",
 				Host:         w.hostname,
-				ShortMessage: resp.Threats[threat].Title,
+				ShortMessage: threat.Description,
 				Timestamp:    time.Now().Unix(),
 				Level:        w.level,
 				Extra: map[string]interface{}{
-					"severity":     resp.Threats[threat].Severity,
-					"policy":       strconv.FormatBool(resp.Threats[threat].Policy),
-					"flags":        strings.Join(alert.Wisdom.Flags, ","),
-					"threat":       threat,
+					"severity":     threat.Severity,
+					"policy":       strconv.FormatBool(threat.Policy),
+					"flags":        strings.Join(event.Flags, ","),
+					"threat":       threat.ID,
 					"engine_agent": client.DefaultUserAgent,
 				},
 			}
-			switch alert.EventType {
-			case "dns":
-				m.Extra["original_event"] = alert.DNSEvent.Timestamp.String()
-				m.Extra["src_ip"] = alert.DNSEvent.SrcIP
-				m.Extra["query"] = alert.DNSEvent.Query
-				m.Extra["record_type"] = alert.DNSEvent.QType
-			case "ip":
-				m.Extra["original_event"] = alert.IPEvent.Timestamp.String()
-				m.Extra["protocol"] = alert.IPEvent.Protocol
-				m.Extra["src_ip"] = alert.IPEvent.SrcIP
-				m.Extra["src_port"] = alert.IPEvent.SrcPort
-				m.Extra["dest_ip"] = alert.IPEvent.DstIP
-				m.Extra["dest_port"] = alert.IPEvent.DstPort
-				m.Extra["bytes_in"] = alert.IPEvent.BytesIn
-				m.Extra["bytes_out"] = alert.IPEvent.BytesOut
-			}
+			m.Extra["original_event"] = event.Timestamp.String()
+			m.Extra["src_ip"] = event.SrcIP
+			m.Extra["query"] = event.Query
+			m.Extra["record_type"] = event.RecordType
+
+			m.Extra["protocol"] = event.Protocol
+			m.Extra["src_port"] = event.SrcPort
+			m.Extra["dest_ip"] = event.DstIP
+			m.Extra["dest_port"] = event.DstPort
+			m.Extra["bytes_in"] = event.BytesIn
+			m.Extra["bytes_out"] = event.BytesOut
 			if err := w.g.Send(m); err != nil {
 				return err
 			}
diff --git a/alerts/json_writer.go b/alerts/json_writer.go
@@ -3,8 +3,6 @@ package alerts
 import (
 	"encoding/json"
 	"os"
-
-	"github.com/alphasoc/nfr/client"
 )
 
 // JSONFileWriter implements Writer interface and writes alerts in json format.
@@ -29,13 +27,8 @@ func NewJSONFileWriter(file string) (*JSONFileWriter, error) {
 }
 
 // Write writes alerts response to the file in json format.
-func (l *JSONFileWriter) Write(e *client.AlertsResponse) error {
-	// do not log if there is no alerts
-	if len(e.Alerts) == 0 {
-		return nil
-	}
-
-	b, err := json.Marshal(e)
+func (l *JSONFileWriter) Write(alert *Alert) error {
+	b, err := json.Marshal(alert)
 	if err != nil {
 		return err
 	}
diff --git a/alerts/poller.go b/alerts/poller.go
@@ -1,4 +1,4 @@
-// Package alerts polls and writes alerts from AlphaSOC api.
+// Package alerts polls and writes alerts from AlphaSOC Engine.
 package alerts
 
 import (
@@ -17,13 +17,15 @@ type Poller struct {
 	ticker     *time.Ticker
 	follow     string
 	followFile string
+	mapper     *AlertMapper
 }
 
 // NewPoller creates new poller base on give client and writer.
-func NewPoller(c client.Client) *Poller {
+func NewPoller(c client.Client, mapper *AlertMapper) *Poller {
 	return &Poller{
 		c:       c,
 		writers: make([]Writer, 0),
+		mapper:  mapper,
 	}
 }
 
@@ -66,8 +68,14 @@ func (p *Poller) do(interval time.Duration, count int) error {
 			return err
 		}
 
+		if len(alerts.Alerts) == 0 {
+			continue
+		}
+
+		newAlerts := p.mapper.Map(alerts)
+
 		for _, w := range p.writers {
-			if err := w.Write(alerts); err != nil {
+			if err := w.Write(newAlerts); err != nil {
 				return err
 			}
 		}
diff --git a/alerts/qradar_writer.go b/alerts/qradar_writer.go
@@ -5,7 +5,6 @@ import (
 	"log/syslog"
 	"strings"
 
-	"github.com/alphasoc/nfr/client"
 	"github.com/alphasoc/nfr/leef"
 	"github.com/alphasoc/nfr/version"
 )
@@ -32,43 +31,35 @@ func NewQRadarWriter(raddr string) (*QRadarWriter, error) {
 }
 
 // Write writes alert response to the qradar syslog input.
-func (w *QRadarWriter) Write(resp *client.AlertsResponse) error {
-	if len(resp.Alerts) == 0 {
-		return nil
-	}
-
+func (w *QRadarWriter) Write(alert *Alert) error {
 	// send each alert as separate message.
-	for _, alert := range resp.Alerts {
-		for _, threat := range alert.Threats {
+	for _, event := range alert.Events {
+		for _, threat := range event.Threats {
 			e := leef.NewEvent()
-			e.SetHeader("AlphaSOC", tag, strings.TrimPrefix(version.Version, "v"), threat)
+			e.SetHeader("AlphaSOC", tag, strings.TrimPrefix(version.Version, "v"), threat.ID)
 
-			e.SetSevAttr(resp.Threats[threat].Severity * 2)
-			if resp.Threats[threat].Policy {
+			e.SetSevAttr(threat.Severity * 2)
+			if threat.Policy {
 				e.SetPolicyAttr("1")
 			} else {
 				e.SetPolicyAttr("0")
 			}
-			e.SetAttr("flags", strings.Join(alert.Wisdom.Flags, ","))
-			e.SetAttr("description", resp.Threats[threat].Title)
+			e.SetAttr("flags", strings.Join(event.Flags, ","))
+			e.SetAttr("description", threat.Description)
 
 			e.SetDevTimeFormatAttr("MMM dd yyyy HH:mm:ss")
-			switch alert.EventType {
-			case "dns":
-				e.SetDevTimeAttr(alert.DNSEvent.Timestamp.Format("Jan 02 2006 15:04:05"))
-				e.SetSrcAttr(alert.DNSEvent.SrcIP)
-				e.SetAttr("query", alert.DNSEvent.Query)
-				e.SetAttr("recordType", alert.DNSEvent.QType)
-			case "ip":
-				e.SetDevTimeAttr(alert.IPEvent.Timestamp.Format("Jan 02 2006 15:04:05"))
-				e.SetProtoAttr(alert.IPEvent.Protocol)
-				e.SetSrcAttr(alert.IPEvent.SrcIP)
-				e.SetSrcPortAttr(alert.IPEvent.SrcPort)
-				e.SetDstAttr(alert.IPEvent.DstIP)
-				e.SetDstPortAttr(alert.IPEvent.DstPort)
-				e.SetSrcBytesAttr(alert.IPEvent.BytesIn)
-				e.SetDstBytesAttr(alert.IPEvent.BytesOut)
-			}
+			e.SetDevTimeAttr(event.Timestamp.Format("Jan 02 2006 15:04:05"))
+			e.SetProtoAttr(event.Protocol)
+			e.SetSrcAttr(event.SrcIP)
+			e.SetSrcAttr(event.SrcIP)
+			e.SetSrcPortAttr(event.SrcPort)
+			e.SetDstAttr(event.DstIP)
+			e.SetDstPortAttr(event.DstPort)
+			e.SetSrcBytesAttr(event.BytesIn)
+			e.SetDstBytesAttr(event.BytesOut)
+			e.SetAttr("query", event.Query)
+			e.SetAttr("recordType", event.RecordType)
+
 			if err := w.w.Alert(e.String()); err != nil {
 				return err
 			}
diff --git a/alerts/syslog_writer.go b/alerts/syslog_writer.go
@@ -4,8 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"log/syslog"
-
-	"github.com/alphasoc/nfr/client"
 )
 
 // SyslogWriter implements Writer interface and write
@@ -25,12 +23,8 @@ func NewSyslogWriter(raddr string) (*SyslogWriter, error) {
 }
 
 // Write writes alert response to the syslog input.
-func (w *SyslogWriter) Write(resp *client.AlertsResponse) error {
-	if len(resp.Alerts) == 0 {
-		return nil
-	}
-
-	b, err := json.Marshal(resp)
+func (w *SyslogWriter) Write(alert *Alert) error {
+	b, err := json.Marshal(alert)
 	if err != nil {
 		return err
 	}
diff --git a/alerts/writer.go b/alerts/writer.go
@@ -1,10 +1,6 @@
 package alerts
 
-import (
-	"github.com/alphasoc/nfr/client"
-)
-
 // Writer interface for log api alerts response.
 type Writer interface {
-	Write(*client.AlertsResponse) error
+	Write(*Alert) error
 }
diff --git a/executor/executor.go b/executor/executor.go
@@ -58,8 +58,15 @@ func New(c client.Client, cfg *config.Config) (*Executor, error) {
 		cfg: cfg,
 	}
 
+	groups, err := createGroups(cfg)
+	if err != nil {
+		return nil, err
+	}
+	e.groups = groups
+
 	if cfg.HasOutputs() {
-		e.alertsPoller = alerts.NewPoller(c)
+		mapper := alerts.NewAlertMapper(groups)
+		e.alertsPoller = alerts.NewPoller(c, mapper)
 		if err := e.alertsPoller.SetFollowDataFile(cfg.Data.File); err != nil {
 			return nil, err
 		}
@@ -92,12 +99,6 @@ func New(c client.Client, cfg *config.Config) (*Executor, error) {
 
 	e.dnsbuf = packet.NewDNSPacketBuffer()
 	e.ipbuf = packet.NewIPPacketBuffer()
-	groups, err := createGroups(cfg)
-	if err != nil {
-		return nil, err
-	}
-	e.groups = groups
-
 	return e, nil
 }
 
@@ -540,6 +541,7 @@ func createGroups(cfg *config.Config) (*groups.Groups, error) {
 	for name, group := range cfg.ScopeConfig.Groups {
 		g := &groups.Group{
 			Name:            name,
+			Label:           group.Label,
 			SrcIncludes:     group.InScope,
 			SrcExcludes:     group.OutScope,
 			DstIncludes:     []string{"0.0.0.0/0", "::/0"},
diff --git a/groups/groups.go b/groups/groups.go
diff --git a/matchers/networks.go b/matchers/networks.go

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-// Package alerts polls and writes alerts from AlphaSOC api.`
	`1`	`+// Package alerts polls and writes alerts from AlphaSOC Engine.`
`2`	`2`	`package alerts`
`3`	`3`
`4`	`4`	`import (`
`@@ -17,13 +17,15 @@ type Poller struct {`
`17`	`17`	`ticker *time.Ticker`
`18`	`18`	`follow string`
`19`	`19`	`followFile string`
	`20`	`+ mapper *AlertMapper`
`20`	`21`	`}`
`21`	`22`
`22`	`23`	`// NewPoller creates new poller base on give client and writer.`
`23`		`-func NewPoller(c client.Client) *Poller {`
	`24`	`+func NewPoller(c client.Client, mapper AlertMapper) Poller {`
`24`	`25`	`return &Poller{`
`25`	`26`	`c: c,`
`26`	`27`	`writers: make([]Writer, 0),`
	`28`	`+ mapper: mapper,`
`27`	`29`	`}`
`28`	`30`	`}`
`29`	`31`
`@@ -66,8 +68,14 @@ func (p *Poller) do(interval time.Duration, count int) error {`
`66`	`68`	`return err`
`67`	`69`	`}`
`68`	`70`
	`71`	`+ if len(alerts.Alerts) == 0 {`
	`72`	`+ continue`
	`73`	`+ }`
	`74`	`+`
	`75`	`+ newAlerts := p.mapper.Map(alerts)`
	`76`	`+`
`69`	`77`	`for _, w := range p.writers {`
`70`		`- if err := w.Write(alerts); err != nil {`
	`78`	`+ if err := w.Write(newAlerts); err != nil {`
`71`	`79`	`return err`
`72`	`80`	`}`
`73`	`81`	`}`