evebox 0.13.0

A web based Suricata event manager
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126

// Copyright (C) 2020 Jason Ish
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.

use crate::eve::eve::EveJson;
use crate::logger::log;
use crate::rules::RuleMap;

use serde_json::json;
use std::sync::Arc;

pub enum EveFilter {
    GeoIP(crate::geoip::GeoIP),
    EveBoxMetadataFilter(EveBoxMetadataFilter),
    CustomFieldFilter(CustomFieldFilter),
    AddRuleFilter(AddRuleFilter),
    Filters(Arc<Vec<EveFilter>>),
}

impl EveFilter {
    pub fn run(&self, mut event: &mut EveJson) {
        match self {
            EveFilter::GeoIP(geoip) => {
                geoip.add_geoip_to_eve(&mut event);
            }
            EveFilter::EveBoxMetadataFilter(filter) => {
                filter.run(&mut event);
            }
            EveFilter::CustomFieldFilter(filter) => {
                filter.run(&mut event);
            }
            EveFilter::AddRuleFilter(filter) => {
                filter.run(&mut event);
            }
            EveFilter::Filters(filters) => {
                for filter in filters.iter() {
                    filter.run(&mut event);
                }
            }
        }
    }
}

#[derive(Debug, Default)]
pub struct EveBoxMetadataFilter {
    pub filename: Option<String>,
}

impl EveBoxMetadataFilter {
    pub fn run(&self, event: &mut EveJson) {
        // Create the "evebox" object.
        if let EveJson::Null = event["evebox"] {
            event["evebox"] = json!({});
        }

        // Add fields to the EveBox object.
        if let EveJson::Object(_) = &event["evebox"] {
            if let Some(filename) = &self.filename {
                event["evebox"]["filename"] = filename.to_string().into();
            }
        }

        // Add a tags object.
        event["tags"] = serde_json::Value::Array(vec![]);
    }
}

impl From<EveBoxMetadataFilter> for EveFilter {
    fn from(filter: EveBoxMetadataFilter) -> Self {
        EveFilter::EveBoxMetadataFilter(filter)
    }
}

pub struct CustomFieldFilter {
    pub field: String,
    pub value: String,
}

impl CustomFieldFilter {
    pub fn new(field: &str, value: &str) -> Self {
        Self {
            field: field.to_string(),
            value: value.to_string(),
        }
    }

    pub fn run(&self, event: &mut EveJson) {
        event[&self.field] = self.value.clone().into();
    }
}

impl From<CustomFieldFilter> for EveFilter {
    fn from(filter: CustomFieldFilter) -> Self {
        EveFilter::CustomFieldFilter(filter)
    }
}

pub struct AddRuleFilter {
    pub map: Arc<RuleMap>,
}

impl AddRuleFilter {
    pub fn run(&self, event: &mut EveJson) {
        if let EveJson::String(_) = event["alert"]["rule"] {
            return;
        }
        if let Some(sid) = &event["alert"]["signature_id"].as_u64() {
            if let Some(rule) = self.map.find_by_sid(*sid) {
                event["alert"]["rule"] = rule.into();
            } else {
                log::trace!("Failed to find rule for SID {}", sid);
            }
        }
    }
}