This commit is contained in:
yugoslavskiy 2019-10-25 09:05:55 +02:00
parent 2ca5aeeb83
commit 323fb8989e
6 changed files with 130 additions and 18 deletions


@ -0,0 +1,25 @@
| Title | DN_0099_Bind_DNS_query |
|:------------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | DNS Query from BIND Server |
| Logging Policy | <ul><li>[LP_0047_BIND_DNS_queries](../Logging_Policies/LP_0047_BIND_DNS_queries.md)</li></ul> |
| Mitigation Policy | <ul></ul> |
| References | <ul><li>[None](None)</li></ul> |
| Platform | Linux |
| Type | queries log |
| Channel | queries_log |
| Provider | BIND |
| Fields | <ul><li>date</li><li>record_type</li><li>client_ip</li><li>src_ip</li><li>domain_name</li><li>query</li><li>dns_query</li><li>destination_ip</li><li>dst_ip</li><li>parent_domain</li><li>question_length</li></ul> |
## Log Samples
### Raw Log
```
25-Oct-2019 01:22:19.421 queries: info: client 192.168.1.200#51364 (yahoo.com): query: yahoo.com IN TXT + (192.168.1.235)
```


@ -0,0 +1,25 @@
| Title | DN_0100_Passive_DNS_log |
|:------------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Log from Passive DNS |
| Logging Policy | <ul><li>[LP_0048_Passive_DNS_logging](../Logging_Policies/LP_0048_Passive_DNS_logging.md)</li></ul> |
| Mitigation Policy | <ul></ul> |
| References | <ul><li>[None](None)</li></ul> |
| Platform | Linux |
| Type | queries log |
| Channel | passivedns |
| Provider | Passive DNS |
| Fields | <ul><li>date</li><li>record_type</li><li>client_ip</li><li>src_ip</li><li>destination_ip</li><li>dst_ip</li><li>ttl</li><li>domain_name</li><li>query</li><li>dns_query</li><li>answer</li><li>parent_domain</li><li>question_length</li></ul> |
## Log Samples
### Raw Log
```
1523230478.705932||192.168.1.235||8.8.8.8||IN||facebook.com.||TXT||"v=spf1 redirect=_spf.facebook.com"||21323||1
```


@ -1,7 +1,7 @@
title: DN_0099_Bind_DNS_query
description: >
DNS Query from BIND Server
loggingpolicy:
loggingpolicy:
- LP_0047_BIND_DNS_queries
references:
- None
@ -12,9 +12,15 @@ channel: queries_log
provider: BIND
fields:
- date
- query_type
- record_type
- client_ip
- src_ip # redundant
- domain_name
- source_ip
- query # redundant
- dns_query # redundant
- destination_ip
- dst_ip # redundant
- parent_domain # actually requires enrichment. todo
- question_length # actually requires enrichment. todo
sample: |
25-Oct-2019 01:22:19.421 queries: info: client 192.168.1.200#51364 (yahoo.com): query: yahoo.com IN TXT + (192.168.1.235)
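Review bot: The `fields:` list in the second hunk now mixes values actually parsed from the raw line (`client_ip`, `domain_name`, `record_type`), aliases tagged only `# redundant`, and `parent_domain`/`question_length`, which the comments themselves say need enrichment — yet any detection rule that names `parent_domain` will presumably match this Data Needed by field name even though the BIND query log on the sample line carries no such value. Until the enrichment step exists, either drop the two enrichment-only entries or state their provenance, e.g. `- parent_domain # derived from domain_name by enrichment, not in the raw log (TODO)`, and make the alias comments name their canonical field, e.g. `- src_ip # alias of client_ip` and `- dst_ip # alias of destination_ip`. The sample line also carries the client's source port (`#51364`) and the query flags (`+`), neither of which is listed; if rules correlate on the client port it needs to be a declared field. The `loggingpolicy:` change in the first hunk appears to be whitespace only.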


@ -1,7 +1,7 @@
title: DN_0100_Passive_DNS_log
description: >
Log from Passive DNS
loggingpolicy:
loggingpolicy:
- LP_0048_Passive_DNS_logging
references:
- None
@ -12,11 +12,17 @@ channel: passivedns
provider: Passive DNS
fields:
- date
- query_type
- record_type
- client_ip
- src_ip # redundant
- destination_ip
- dst_ip # redundant
- ttl
- domain_name
- query # redundant
- dns_query # redundant
- answer
- parent_domain # actually requires enrichment. todo
- question_length # actually requires enrichment. todo
sample: |
1523230478.705932||192.168.1.235||8.8.8.8||IN||facebook.com.||TXT||"v=spf1 redirect=_spf.facebook.com"||21323||1
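Review bot: `client_ip`/`src_ip` does not mean the same thing here as in DN_0099: on the sample line `192.168.1.235` — the BIND server's own address in the DN_0099 sample — sits in the client position and `8.8.8.8` in the destination position, so this record looks like resolver-to-upstream traffic and `client_ip` is the recursive resolver, not the host that originated the query. A rule that joins the two sources on `client_ip` would attribute every query to the resolver, so the field deserves a comment such as `- client_ip # for resolver-to-forwarder captures this is the resolver, not the originating host`, or a sentence in `description`. The sample also shows the TXT answer as a quoted string inside a `||`-delimited record; if the parser splits on `||`, the `answer` field must be treated as opaque, since RDATA is attacker-controlled and a TXT record may itself contain `||`. As in DN_0099, `parent_domain` and `question_length` are flagged as needing enrichment but sit in the same list as the raw fields without saying what they derive from.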


@ -53,6 +53,7 @@ class DataNeeded:
self.title = self.dn_fields.get("title")
self.description = self.dn_fields.get("description")
self.loggingpolicy = self.dn_fields.get("loggingpolicy")
self.mitigation_policy = self.dn_fields.get("mitigation_policy")
self.platform = self.dn_fields.get("platform")
self.type = self.dn_fields.get("type")
self.channel = self.dn_fields.get("channel")
@ -84,14 +85,21 @@ class DataNeeded:
if isinstance(logging_policies, str):
logging_policies = [logging_policies]
refs = self.dn_fields.get("references")
self.dn_fields.update({'loggingpolicy': logging_policies})
mitigation_policy = self.dn_fields.get("mitigation_policy")
if isinstance(mitigation_policy, str):
mitigation_policy = [mitigation_policy]
self.dn_fields.update({'mitigation_policy': mitigation_policy})
self.dn_fields.update(
{'description': self.dn_fields.get('description').strip()}
)
refs = self.dn_fields.get("references")
if isinstance(refs, str):
self.dn_fields.update({'references': [refs]})
@ -121,13 +129,33 @@ class DataNeeded:
lp = (lp, logging_policies_id)
logging_policies_with_id.append(lp)
self.dn_fields.update({'loggingpolicy': logging_policies_with_id})
mitigation_policies = self.dn_fields.get("mitigation_policy")
if not mitigation_policies:
mitigation_policies = ["None", ]
mitigation_policies_with_id = []
for mp in mitigation_policies:
if mp != "None" and self.apipath and self.auth and self.space:
mitigation_policies_id = str(ATCutils.confluence_get_page_id(
self.apipath, self.auth, self.space, mp))
else:
mitigation_policies_id = ""
mp = (mp, mitigation_policies_id)
mitigation_policies_with_id.append(mp)
self.dn_fields.update({'mitigation_policy': mitigation_policies_with_id})
refs = self.dn_fields.get("references")
if isinstance(refs, str):
self.dn_fields.update({'references': [refs]})
self.dn_fields.update({'loggingpolicy': logging_policies_with_id})
self.content = template.render(self.dn_fields)
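Review bot: Substituting `["None", ]` for a missing `mitigation_policy` in the `if not mitigation_policies:` branch yields the one-element list `[("None", "")]`, so a template guard on `mitigation_policy|length` never sees an empty list and a Data Needed with no mitigation policies will render a `None` anchor pointing at the bare `confluence_viewpage_url`; the sentinel is skipped only for the Confluence lookup (`if mp != "None" and ...`), not for rendering. If the empty case should render nothing, set `mitigation_policies = []` here, or have the template skip entries whose name is `'None'`. `str(ATCutils.confluence_get_page_id(...))` will also turn a lookup that signals "page not found" with `None` into the literal string `"None"` inside the link, if that helper behaves that way — worth checking the return before `str()`. Naming is slightly off as well: `mitigation_policies_id` holds a single id and `mp` is rebound from a string to a tuple inside the loop; `mitigation_policies_with_id.append((mp, page_id))` reads more clearly, though it mirrors the existing `loggingpolicy` code. The enclosing method starts before the hunk and its `loggingpolicy` handling is only partly visible here.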


@ -16,16 +16,38 @@
<th class="confluenceTh">Description</th>
<td class="confluenceTd">{{ description|e }}<br /></td>
</tr>
<tr>
<th class="confluenceTh">Logging Policy</th>
<td class="confluenceTd">
{%- if loggingpolicy |length > 1 -%}<ul>{%endif%}
{% for policy_name, policy_id in loggingpolicy %}
{%- if loggingpolicy |length > 1 -%}<li>{%endif%}<a href="{{confluence_viewpage_url}}{{policy_id}}">{{ policy_name }}</a>{%- if loggingpolicy |length > 1 -%}</li>{%endif%}
{% endfor %}
{%- if loggingpolicy |length > 1 -%}</ul>{%endif%}
</td>
</tr>
{% if loggingpolicy is defined and loggingpolicy != 'None' |length %}
<tr>
<th class="confluenceTh">Logging Policy</th>
<td class="confluenceTd">
{%- if loggingpolicy |length > 1 -%}<ul>{%endif%}
{% for policy_name, policy_id in loggingpolicy %}
{%- if loggingpolicy |length > 1 -%}<li>{%endif%}<a href="{{confluence_viewpage_url}}{{policy_id}}">{{ policy_name }}</a>{%- if loggingpolicy |length > 1 -%}</li>{%endif%}
{% endfor %}
{%- if loggingpolicy |length > 1 -%}</ul>{%endif%}
</td>
</tr>
{% else %}
<tr>
<th class="confluenceTh">Logging Policy</th>
<td class="confluenceTd">
This Data Needed doesn't require any Logging Policy configuration
</td>
</tr>
{% endif %}
{% if mitigation_policy is defined and mitigation_policy|length %}
<tr>
<th class="confluenceTh">Mitigation Policy</th>
<td class="confluenceTd">
{%- if mitigation_policy |length > 1 -%}<ul>{%endif%}
{% for policy_name, policy_id in mitigation_policy %}
{%- if mitigation_policy |length > 1 -%}<li>{%endif%}<a href="{{confluence_viewpage_url}}{{policy_id}}">{{ policy_name }}</a>{%- if mitigation_policy |length > 1 -%}</li>{%endif%}
{% endfor %}
{%- if mitigation_policy |length > 1 -%}</ul>{%endif%}
</td>
</tr>
{% else %}
{% endif %}
<tr>
<th class="confluenceTh">References</th>
<td class="confluenceTd">
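Review bot: The new guard `{% if loggingpolicy is defined and loggingpolicy != 'None' |length %}` is defeated by filter precedence: `|length` applies to `'None'` alone, so the condition compares the list with the integer 4 and is always true, and the `This Data Needed doesn't require any Logging Policy configuration` branch can never be reached. Since the Python side passes a list of `(name, id)` tuples — with `("None", "")` as the placeholder, if `loggingpolicy` uses the same convention the new `mitigation_policy` code does — the check should be `{% if loggingpolicy is defined and loggingpolicy|length and loggingpolicy[0][0] != 'None' %}`, and the `mitigation_policy` guard needs the same `'None'` test because `mitigation_policy|length` is 1 for the placeholder. `{{ policy_name }}` and `{{policy_id}}` are interpolated into the Confluence storage-format HTML without the `|e` that `description` gets a few lines above; unless the Jinja environment is created with autoescape on, a policy name containing `<` or `"` in the YAML would break or inject markup, so write `{{ policy_name|e }}` for consistency. The empty `{% else %}{% endif %}` after the Mitigation Policy row can simply be dropped.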