Update replay tool
rfaircloth-splunk committed Dec 12, 2019
1 parent b48c445 commit 85a59d8
Showing 3 changed files with 86 additions and 23 deletions.
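--- a/tests/test_symantec_ep.py
+++ b/tests/test_symantec_ep.py
@@ -0,0 +1,76 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+import datetime
+import random
+import pytz
+
+from jinja2 import Environment, environment
+
+from .sendmessage import *
+from .splunkutils import *
+import random
+
+env = Environment(extensions=['jinja2_time.TimeExtension'])
+
+def test_symantec_ep_msg_1(record_property, setup_wordlist, setup_splunk):
+host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+pid = random.randint(1000, 32000)
+
+mt = env.from_string("{{ mark }} {% now 'utc', '%b %d %H:%M:%S' %} SymantecServer: WORK1-PC,Local Host: 0.0.0.0,Local Port: 29555,Local Host MAC: FFFFFFFFFFFF,Remote Host IP: 0.0.0.0,Remote Host Name: ,Remote Port: 0,Remote Host MAC: WORK2-PC,7,Inbound,Begin: 2019-10-25 00:06:22,End: 2019-10-25 00:06:22,Occurrences: 1,Application: ,Rule: B-ALL-B,Location: Untrusted,User: johndoe,Domain: AD-ENT,Action: Blocked,SHA-256: ,MD-5:\n")
+message = mt.render(mark="<111>", host=host, pid=pid)
+
+sendsingle(message)
+
+st = env.from_string("search index=main \"[{{ pid }}]\" sourcetype=\"nix:syslog\" | head 2")
+search = st.render(host=host, pid=pid)
+
+resultCount, eventCount = splunk_single(setup_splunk, search)
+
+record_property("host", host)
+record_property("resultCount", resultCount)
+record_property("message", message)
+
+assert resultCount == 1
+
+def test_symantec_ep_msg_two(record_property, setup_wordlist, setup_splunk):
+host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+pid = random.randint(1000, 32000)
+
+mt = env.from_string("{{ mark }} {% now 'utc', '%b %d %H:%M:%S' %} SymantecServer: WORK1-PC,Local Host: 192.168.1.85,Local Port: 59929,Local Host MAC: D4D252E652BA,Remote Host IP: 10.217.138.110,Remote Host Name: host.example.com,Remote Port: 9000,Remote Host MAC: D4B17A775938,TCP,Outbound,Begin: 2019-10-25 00:06:09,End: 2019-10-25 00:06:18,Occurrences: 3,Application: C:/Program Files/Preton/PretonSaver/PretonService.exe,Rule: B-ALL-B,Location: Untrusted,User: SYSTEM,Domain: NT AUTHORITY,Action: Blocked,SHA-256: ba532f64bd6a31cf5f1938820f458d31fed8faa01733c9de3a1d313198b0dd9c,MD-5: 1AE7578A3CF3EABE492463C2AB7D7318\n")
+message = mt.render(mark="<111>", host=host, pid=pid)
+
+sendsingle(message)
+
+st = env.from_string("search index=main \"[{{ pid }}]\" sourcetype=\"nix:syslog\" | head 2")
+search = st.render(host=host, pid=pid)
+
+resultCount, eventCount = splunk_single(setup_splunk, search)
+
+record_property("host", host)
+record_property("resultCount", resultCount)
+record_property("message", message)
+
+assert resultCount == 1
+
+def test_symantec_ep_msg_two(record_property, setup_wordlist, setup_splunk):
+host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+pid = random.randint(1000, 32000)
+
+mt = env.from_string("{{ mark }} {% now 'utc', '%b %d %H:%M:%S' %} SymantecServer: Site: WORK-A,Server: FOOFOO,Domain: Desktop,The client has downloaded the content package successfully,FOOFO,USERNAME,ENT.EXAMPLE.CORP\n")
+message = mt.render(mark="<111>", host=host, pid=pid)
+
+sendsingle(message)
+
+st = env.from_string("search index=main \"[{{ pid }}]\" sourcetype=\"nix:syslog\" | head 2")
+search = st.render(host=host, pid=pid)
+
+resultCount, eventCount = splunk_single(setup_splunk, search)
+
+record_property("host", host)
+record_property("resultCount", resultCount)
+record_property("message", message)
+
+assert resultCount == 1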
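Review bot: `test_symantec_ep_msg_two` is defined twice in this file, and the second definition replaces the first at module load, so the TCP/Outbound "Action: Blocked" case with the SHA-256/MD-5 fields is never collected or run; rename the third function, e.g. `def test_symantec_ep_msg_three(record_property, setup_wordlist, setup_splunk):`. Separately, none of the three message templates references `{{ host }}` or `{{ pid }}` even though both are passed to `render()`, while every search filters on `"[{{ pid }}]"`, so the search cannot correlate to the event that was just sent and `resultCount == 1` can only pass by matching some other event in `index=main`; `sendsingle` and `splunk_single` come from sibling modules outside this view, so I cannot rule out that one of them injects the pid into the syslog header, but the templates as written do not. `random` is imported twice and `datetime`, `pytz` and `environment` are imported but unused. A module docstring stating that these tests send a synthetic Symantec Endpoint Protection syslog line and assert that exactly one matching event is indexed would help the next reader.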
30 changes: 7 additions & 23 deletions utility/udpreplay/Dockerfile
Expand Up @@ -4,28 +4,9 @@
#
#You should have received a copy of the CC0 legalcode along with this
#work. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
FROM registry.access.redhat.com/rhel7/rhel

ARG RH_ORG
ARG RH_ACTIVATION

RUN subscription-manager register --org=$RH_ORG --activationkey=$RH_ACTIVATION --force
RUN subscription-manager repos --enable=rhel-7-server-extras-rpms --enable=rhel-7-server-optional-rpms --enable=rhel-server-rhscl-7-rpms

RUN yum -y install libpcap-devel gcc-c++ git findutils autoconf \
autoconf-archive automake ca-certificates git libtool pkgconfig bison byacc file \
flex pcre-devel glib2-devel openssl-devel librdkafka-devel libcurl-devel \
rh-python36 rh-python36-python-tools rh-python36-scldevel\
net-snmp-devel \
libuuid-devel make libxslt docbook-style-xsl gcc-c++ tzdata libxml2 sqlite \
json-c-devel gnupg wget curl which bzip2 doxygen libsecret ivykis-devel -y

RUN cd /tmp ;\
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm ;\
yum install epel-release-latest-7.noarch.rpm -y ;\
rm epel-release-latest-7.noarch.rpm ;\
yum install -y cmake3 boost-devel
FROM ubuntu:latest

RUN apt-get update ;apt-get install -y build-essential autoconf wget git libboost-dev libpcap-dev libtool autogen


RUN cd ~ ; git clone https://github.com/ska-sa/udpreplay.git
Expand All @@ -36,5 +17,8 @@ RUN cd ~/udpreplay && \
make install && \
cd ~ ; rm -Rf udpreplay

RUN subscription-manager unregister
ENTRYPOINT ["/bin/tail", "-f", "/dev/null"]
RUN cd ~ ; git clone https://github.com/GabrielGanne/tcpreplay.git
RUN cd ~/tcpreplay && \
./autogen.sh; ./configure; make install
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
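Review bot: The tcpreplay build step in the second hunk chains `./autogen.sh; ./configure; make install` with `;`, so a failed autogen or configure does not fail the image build and `make install` runs against whatever state is left behind, unlike the udpreplay step immediately above it, which uses `&&`. Change it to `RUN cd ~/tcpreplay && ./autogen.sh && ./configure && make install`; the same applies to `apt-get update ;apt-get install -y ...` in the first hunk, where a failed update silently installs from a stale package index. Both `git clone` calls build whatever the default branch points at when the image is built, and `FROM ubuntu:latest` is unpinned, so the image is not reproducible and a change in either upstream repository lands in the replay tool unnoticed; pinning the base tag (or digest) and checking out a known tag or commit after each clone would address that. The `RUN cd ~/udpreplay && \` instruction that the second hunk continues starts outside the hunk.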
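--- a/utility/udpreplay/entrypoint.sh
+++ b/utility/udpreplay/entrypoint.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+tail -f /dev/null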
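Review bot: `tail -f /dev/null` runs as a child of bash rather than replacing it, so bash stays PID 1 in the container and does not forward the SIGTERM that `docker stop` sends; the container then typically lingers until Docker escalates to SIGKILL after its grace period. Use `exec tail -f /dev/null` so tail itself becomes PID 1 and receives the signal directly. A one-line header comment such as `# Keep the container alive so replay commands can be run inside it with docker exec` would also make the script's purpose clear.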
