Suricata queries

5f9391d5 · matejsoroka · 67c5b182 · 5f9391d5 · 5f9391d5 · 5f9391d5
Unverified Commit 5f9391d5 authored 2 years ago by matejsoroka
--- a/GranefAPI/main.py
+++ b/GranefAPI/main.py
@@ -46,7 +46,7 @@ from fastapi.middleware.cors import CORSMiddleware

 # Custom modules of Granef API
 from utilities.dgraph_client import DgraphClient
-from routers import general_queries, overview_queries, graph_queries, analysis_queries
+from routers import general_queries, overview_queries, graph_queries, analysis_queries, suricata_queries


 # Application definition ("description" key may be added too).
@@ -60,6 +60,7 @@ app.include_router(general_queries.router, tags=["General"])
 app.include_router(graph_queries.router, prefix="/graph", tags=["Graph queries"])
 app.include_router(overview_queries.router, prefix="/overview", tags=["Overview queries"])
 app.include_router(analysis_queries.router, prefix="/analysis", tags=["Analysis queries"])
+app.include_router(suricata_queries.router, prefix="/suricata", tags=["Suricata queries"])


 @app.get("/", summary="Get API information", tags=["General"])

--- a/GranefAPI/models/query_models.py
+++ b/GranefAPI/models/query_models.py
@@ -88,4 +88,8 @@ class AdressProtocolTimestampsQuery(BaseModel):
    address: str = Field(None, example='192.168.1.16')
    protocol: str = Field(None, example='HTTP')
    timestamp_min: str = Field(None, example='2008-07-22T01:51:07.095278Z')
-    timestamp_max: str = Field(None, example='2008-07-22T01:55:00')
\ No newline at end of file
+    timestamp_max: str = Field(None, example='2008-07-22T01:55:00')
+
+class AlertFilterQuery(BaseModel):
+    severity: int = Field(0, example='5')
+    regexp: str = Field(None, example='/JA3/')
--- a/GranefAPI/routers/suricata_queries.py
+++ b/GranefAPI/routers/suricata_queries.py
+#! /usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+#
+# Granef -- graph-based network forensics toolkit
+# Copyright (C) 2020-2021  Milan Cermak, Institute of Computer Science of Masaryk University
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+
+"""
+Definition of queries providing an overview of the network data.
+"""
+
+# Common Python modules
+import json
+
+# FastAPI modules
+from fastapi import APIRouter
+
+# GranefAPI
+from models import query_models
+from utilities import validation, preprocessing
+from utilities.dgraph_client import DgraphClient
+
+
+# Initialize FastAPI router
+router = APIRouter()
+
+@router.post("/alert",
+    response_model=query_models.GeneralResponseList,
+    summary="Get alerts produced by suricata.")
+def alert(request: query_models.AlertFilterQuery) -> dict:
+    """
+    Get alerts produced by suricata.
+    """
+
+    dgraph_client = DgraphClient()
+
+    regexp = "" if not request.regexp else f"and regexp(alert.alert.signature, {request.regexp})"
+
+    query = f"""{{
+        getAlert(func:type(Alert)) @filter (le(alert.alert.severity, {request.severity}) {regexp} ) {{
+            dgraph.type
+            alert.alert.signature
+            alert.alert.severity
+            alert.alert.action
+        }}
+    }}
+    """
+
+    result = json.loads(dgraph_client.query(preprocessing.add_default_attributes(query)))
+    return {"response": result["getAlert"]}
+
+
+@router.post("/alert-connection",
+    response_model=query_models.GeneralResponseList,
+    summary="Get alerts produced by suricata with related connections.")
+def alert_connections(request: query_models.AlertFilterQuery) -> dict:
+    """
+    Get alerts produced by suricata with related connections.
+    """
+
+    dgraph_client = DgraphClient()
+
+    regexp = "" if not request.regexp else f"and regexp(alert.alert.signature, {request.regexp})"
+
+    query = f"""{{
+        getConnectionsWithAlerts(func:type(Connection)) @filter (has(connection.alert)) @cascade {{
+            dgraph.type
+            ~host.responded {{
+                uid
+                dgraph.type
+                host.ip
+            }}
+            ~host.originated {{
+                uid
+                dgraph.type
+                host.ip
+            }}
+            connection.alert @filter(le(alert.alert.severity, {request.severity}) {regexp} ) {{
+                dgraph.type
+                alert.alert.signature
+                alert.alert.severity
+                alert.alert.action
+            }}
+        }}
+    }}
+    """
+
+    result = json.loads(dgraph_client.query(preprocessing.add_default_attributes(query)))
+    return {"response": result["getConnectionsWithAlerts"]}
--- a/requirements.txt
+++ b/requirements.txt
@@ -6,3 +6,4 @@ gunicorn
 ipaddress
 typing-extensions
 coloredlogs
+networkx
\ No newline at end of file