-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit 9d41c6e
Showing
4 changed files
with
172 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 1,70 @@ | ||
|
|
||
| ### Role ### | ||
| You are a cybersecurity analyst tasked with interpreting alerts from an intrusion detection system. | ||
|
|
||
| ### Task ### | ||
| Your task is to analyze the following Suricata alert (provided in JSON format) and create a detailed summary for the Security Operations (SecOps) team. Format the output as JSON-compatible Slack blocks that can be directly used with the Slack API. | ||
|
|
||
| The summary should include: | ||
|
|
||
| 1. **Alert Overview**: A brief explanation of what triggered the alert and what it signifies. | ||
| 2. **Severity Level**: The alert’s severity and what that level indicates. | ||
| 3. **Impact**: Potential impact on network systems or assets. | ||
| 4. **Recommended Actions**: Immediate investigation or mitigation steps. | ||
| 5. **Additional Context**: Any relevant context to aid the team’s understanding (e.g., related alerts, similar incidents). | ||
|
|
||
| Use the following structure for each section: | ||
|
|
||
| - **Section Block with a Header**: Each section should have a header (bold text) followed by a brief explanation or list. | ||
| - **Bullet Points**: Where applicable, especially in “Recommended Actions” and “Additional Context.” | ||
|
|
||
| ### Requirements ### | ||
| - Format the response for clarity, using simple language to ensure accessibility for all team members. | ||
| - Use JSON formatting compatible with Slack block elements, with each section as a separate Slack block for easy reading and comprehension. | ||
|
|
||
| **Example JSON Structure**: | ||
| ```json | ||
| [ | ||
| { | ||
| "type": "section", | ||
| "text": { | ||
| "type": "mrkdwn", | ||
| "text": "*Alert Overview*\nProvide a brief overview of the alert here." | ||
| } | ||
| }, | ||
| { | ||
| "type": "section", | ||
| "text": { | ||
| "type": "mrkdwn", | ||
| "text": "*Severity Level*\nSeverity: High\nImplications: This level indicates..." | ||
| } | ||
| }, | ||
| { | ||
| "type": "section", | ||
| "text": { | ||
| "type": "mrkdwn", | ||
| "text": "*Impact*\nDiscuss the potential impact on systems here." | ||
| } | ||
| }, | ||
| { | ||
| "type": "section", | ||
| "text": { | ||
| "type": "mrkdwn", | ||
| "text": "*Recommended Actions*\n• Action item 1\n• Action item 2" | ||
| } | ||
| }, | ||
| { | ||
| "type": "section", | ||
| "text": { | ||
| "type": "mrkdwn", | ||
| "text": "*Additional Context*\n• Related alerts: ...\n• Recent incidents: ..." | ||
| } | ||
| } | ||
| ] | ||
| ``` | ||
|
|
||
| ### Alert Data ### | ||
| [Insert the Suricata alert JSON here] | ||
|
|
||
| ### Output ### | ||
| Generate a JSON array formatted as shown in the example, replacing placeholder text with a detailed and actionable summary of the alert. Ensure compatibility with Slack’s block kit structure. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 1 @@ | ||
| requests==2.26.0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 1,87 @@ | ||
| import json | ||
| import hashlib | ||
| import requests | ||
| import time | ||
| from collections import OrderedDict | ||
|
|
||
| # Configuration | ||
| EVE_JSON_PATH = '/var/log/suricata/eve.json' | ||
| TINES_WEBHOOK_URL = 'https://your-tines-tenant.tines.com/path/secret' | ||
| MAX_SEEN_ALERTS = 10000 # Maximum number of unique alerts to track in memory | ||
| seen_alerts = OrderedDict() | ||
|
|
||
| def get_alert_hash(alert: dict) -> str: | ||
| """Generate a unique hash for the alert. | ||
| Args: | ||
| alert (dict): Alert data received from Suricata | ||
| Returns: | ||
| str: A unique hash for the alert. | ||
| """ | ||
| unique_id = f"{alert.get('flow_id')}-{alert.get('src_ip')}-{alert.get('src_port')}-" \ | ||
| f"{alert.get('dest_ip')}-{alert.get('dest_port')}-{alert.get('alert', {}).get('signature_id')}" | ||
| return hashlib.md5(unique_id.encode('utf-8')).hexdigest() | ||
|
|
||
| def relay_alert(alert: dict): | ||
| """Relay the alert to Tines. | ||
| Args: | ||
| alert (dict): Alert data received from Suricata. | ||
| """ | ||
| try: | ||
| response = requests.post(TINES_WEBHOOK_URL, | ||
| json=alert, | ||
| timeout=5) | ||
| response.raise_for_status() | ||
| except requests.exceptions.RequestException: | ||
| pass | ||
|
|
||
| def add_to_seen(alert_hash: str): | ||
| """Add the alert hash to the seen_alerts dictionary. | ||
| Args: | ||
| alert_hash (str): The hash of the alert. | ||
| """ | ||
| seen_alerts[alert_hash] = None | ||
|
|
||
| if len(seen_alerts) > MAX_SEEN_ALERTS: | ||
| seen_alerts.popitem(last=False) # Remove the oldest item | ||
|
|
||
| def follow(file: object): | ||
| """Follow a file and yield new lines as they are written. | ||
| Args: | ||
| file (object): The file to follow. | ||
| Yields: | ||
| _type_: _description_ | ||
| """ | ||
|
|
||
| file.seek(0, 2) # Move to the end of the file | ||
| while True: | ||
| line = file.readline() | ||
| if not line: | ||
| time.sleep(0.1) | ||
| continue | ||
| yield line | ||
|
|
||
|
|
||
| def main(): | ||
| with open(EVE_JSON_PATH, 'r') as f: | ||
| loglines = follow(f) | ||
| for line in loglines: | ||
| try: | ||
| event_data = json.loads(line) | ||
| if event_data.get("event_type") == "alert": | ||
| alert_hash = get_alert_hash(event_data) | ||
| if alert_hash not in seen_alerts: | ||
| relay_alert(event_data) | ||
| add_to_seen(alert_hash) | ||
| # Else, it's a duplicate alert; do nothing | ||
| except json.JSONDecodeError: | ||
| # Skip lines that aren't valid JSON | ||
| continue | ||
|
|
||
| if __name__ == "__main__": | ||
| main() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 1,14 @@ | ||
| [Unit] | ||
| Description=Relay Suricata Alerts to Tines Webhook | ||
| After=network.target | ||
|
|
||
| [Service] | ||
| Type=simple | ||
| ExecStart=/usr/bin/python3 /opt/relay_alerts/relay_alerts.py | ||
| WorkingDirectory=/opt/relay_alerts | ||
| Restart=on-failure | ||
| User=suricata # Replace 'suricata' with the appropriate user | ||
| Group=suricata # Replace 'suricata' with the appropriate group | ||
|
|
||
| [Install] | ||
| WantedBy=multi-user.target |