From 85a59d857a6f85d79b36c6e2e21282d49042b822 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Thu, 12 Dec 2019 10:38:34 -0500
Subject: [PATCH] Update replay tool
---
 tests/test_symantec_ep.py | 76 +++++++++++++++++++++++++++++++++
 utility/udpreplay/Dockerfile | 30 +++---------
 utility/udpreplay/entrypoint.sh | 3 ++
 3 files changed, 86 insertions(+), 23 deletions(-)
 create mode 100644 tests/test_symantec_ep.py
 create mode 100755 utility/udpreplay/entrypoint.sh
diff --git a/tests/test_symantec_ep.py b/tests/test_symantec_ep.py
new file mode 100644
index 0000000..b3c906e
--- /dev/null
+++ b/tests/test_symantec_ep.py
@@ -0,0 +1,76 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+import datetime
+import random
+import pytz
+
+from jinja2 import Environment, environment
+
+from .sendmessage import *
+from .splunkutils import *
+import random
+
+env = Environment(extensions=['jinja2_time.TimeExtension'])
+
+def test_symantec_ep_msg_1(record_property, setup_wordlist, setup_splunk):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+ pid = random.randint(1000, 32000)
+
+ mt = env.from_string("{{ mark }} {% now 'utc', '%b %d %H:%M:%S' %} SymantecServer: WORK1-PC,Local Host: 0.0.0.0,Local Port: 29555,Local Host MAC: FFFFFFFFFFFF,Remote Host IP: 0.0.0.0,Remote Host Name: ,Remote Port: 0,Remote Host MAC: WORK2-PC,7,Inbound,Begin: 2019-10-25 00:06:22,End: 2019-10-25 00:06:22,Occurrences: 1,Application: ,Rule: B-ALL-B,Location: Untrusted,User: johndoe,Domain: AD-ENT,Action: Blocked,SHA-256: ,MD-5:\n")
+ message = mt.render(mark="<111>", host=host, pid=pid)
+
+ sendsingle(message)
+
+ st = env.from_string("search index=main \"[{{ pid }}]\" sourcetype=\"nix:syslog\" | head 2")
+ search = st.render(host=host, pid=pid)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
+
+def test_symantec_ep_msg_two(record_property, setup_wordlist, setup_splunk):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+ pid = random.randint(1000, 32000)
+
+ mt = env.from_string("{{ mark }} {% now 'utc', '%b %d %H:%M:%S' %} SymantecServer: WORK1-PC,Local Host: 192.168.1.85,Local Port: 59929,Local Host MAC: D4D252E652BA,Remote Host IP: 10.217.138.110,Remote Host Name: host.example.com,Remote Port: 9000,Remote Host MAC: 
D4B17A775938,TCP,Outbound,Begin: 2019-10-25 00:06:09,End: 2019-10-25 00:06:18,Occurrences: 3,Application: C:/Program Files/Preton/PretonSaver/PretonService.exe,Rule: B-ALL-B,Location: Untrusted,User: SYSTEM,Domain: NT AUTHORITY,Action: Blocked,SHA-256: ba532f64bd6a31cf5f1938820f458d31fed8faa01733c9de3a1d313198b0dd9c,MD-5: 1AE7578A3CF3EABE492463C2AB7D7318\n")
+ message = mt.render(mark="<111>", host=host, pid=pid)
+
+ sendsingle(message)
+
+ st = env.from_string("search index=main \"[{{ pid }}]\" sourcetype=\"nix:syslog\" | head 2")
+ search = st.render(host=host, pid=pid)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
+
+def test_symantec_ep_msg_two(record_property, setup_wordlist, setup_splunk):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+ pid = random.randint(1000, 32000)
+
+ mt = env.from_string("{{ mark }} {% now 'utc', '%b %d %H:%M:%S' %} SymantecServer: Site: WORK-A,Server: FOOFOO,Domain: Desktop,The client has downloaded the content package successfully,FOOFO,USERNAME,ENT.EXAMPLE.CORP\n")
+ message = mt.render(mark="<111>", host=host, pid=pid)
+
+ sendsingle(message)
+
+ st = env.from_string("search index=main \"[{{ pid }}]\" sourcetype=\"nix:syslog\" | head 2")
+ search = st.render(host=host, pid=pid)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
\ No newline at end of file
diff --git a/utility/udpreplay/Dockerfile b/utility/udpreplay/Dockerfile
index 2dbd80f..62a5397 100644
--- a/utility/udpreplay/Dockerfile
+++ b/utility/udpreplay/Dockerfile
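Review bot: `test_symantec_ep_msg_two` is defined twice in this new file, so the second definition (the "content package downloaded" message) rebinds the name at import time and pytest collects only that one — the TCP outbound firewall-block event with the SHA-256/MD5 fields is never sent or asserted. Rename the third test, e.g. `def test_symantec_ep_msg_three(record_property, setup_wordlist, setup_splunk):`, so both messages run. Separately, none of the three templates reference `{{ host }}` or `{{ pid }}`, yet every search keys on `"[{{ pid }}]"`; unless `sendsingle` injects the pid into the syslog header (not visible here), the searches cannot match the events that were sent and `resultCount == 1` would pass only by matching unrelated events, so consider embedding `{{ host }}` and `[{{ pid }}]` in the template or searching on a field the message actually carries. Minor: `import random` appears twice and `environment` is imported from jinja2 but never used.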
@@ -4,28 +4,9 @@
 #
 #You should have received a copy of the CC0 legalcode along with this
 #work. If not, see .
-FROM registry.access.redhat.com/rhel7/rhel
-
-ARG RH_ORG
-ARG RH_ACTIVATION
-
-RUN subscription-manager register --org=$RH_ORG --activationkey=$RH_ACTIVATION --force
-RUN subscription-manager repos --enable=rhel-7-server-extras-rpms --enable=rhel-7-server-optional-rpms --enable=rhel-server-rhscl-7-rpms
-
-RUN yum -y install libpcap-devel gcc-c++ git findutils autoconf \
- autoconf-archive automake ca-certificates git libtool pkgconfig bison byacc file \
- flex pcre-devel glib2-devel openssl-devel librdkafka-devel libcurl-devel \
- rh-python36 rh-python36-python-tools rh-python36-scldevel\
- net-snmp-devel \
- libuuid-devel make libxslt docbook-style-xsl gcc-c++ tzdata libxml2 sqlite \
- json-c-devel gnupg wget curl which bzip2 doxygen libsecret ivykis-devel -y
-
-RUN cd /tmp ;\
- wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm ;\
- yum install epel-release-latest-7.noarch.rpm -y ;\
- rm epel-release-latest-7.noarch.rpm ;\
- yum install -y cmake3 boost-devel
+FROM ubuntu:latest
+RUN apt-get update ;apt-get install -y build-essential autoconf wget git libboost-dev libpcap-dev libtool autogen
 RUN cd ~ ; git clone https://github.com/ska-sa/udpreplay.git
@@ -36,5 +17,8 @@ RUN cd ~/udpreplay && \
 make install && \
 cd ~ ; rm -Rf udpreplay
-RUN subscription-manager unregister
-ENTRYPOINT ["/bin/tail", "-f", "/dev/null"]
+RUN cd ~ ; git clone https://github.com/GabrielGanne/tcpreplay.git
+RUN cd ~/tcpreplay && \
+ ./autogen.sh; ./configure; make install
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/utility/udpreplay/entrypoint.sh b/utility/udpreplay/entrypoint.sh
new file mode 100755
index 0000000..fb099fc
--- /dev/null
+++ b/utility/udpreplay/entrypoint.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+tail -f /dev/null
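Review bot: `FROM ubuntu:latest` on the new side is an unpinned, moving base — the image built from this Dockerfile will silently change (and can break, or pick up a different toolchain) whenever the tag moves, which matters for a replay utility whose output is compared against expected Splunk results. Pin to a release tag, preferably with a digest, e.g. `FROM ubuntu:18.04`. The package step chains `apt-get update ;apt-get install -y ...` with `;`, so a failed `update` is ignored and `install` proceeds against whatever index happens to be cached; use `RUN apt-get update && apt-get install -y --no-install-recommends build-essential autoconf wget git libboost-dev libpcap-dev libtool autogen && rm -rf /var/lib/apt/lists/*` so the layer fails on error and does not bake the package lists into the image. The unchanged `git clone https://github.com/ska-sa/udpreplay.git` context line has the same no-pin problem as the tcpreplay clone in the next hunk.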
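Review bot: The new `RUN cd ~ ; git clone https://github.com/GabrielGanne/tcpreplay.git` builds and `make install`s, as root, whatever the default branch of a personal fork contains at build time — there is no tag, commit pin or checksum, so a force-push or account compromise upstream changes what ends up in this image with no signal here. The following `./autogen.sh; ./configure; make install` is joined with `;`, so a failed `autogen.sh` or `configure` still runs `make install` and the layer reports success. Pin a reviewed commit and fail fast: `RUN cd ~ && git clone https://github.com/GabrielGanne/tcpreplay.git && cd tcpreplay && git checkout <pinned-commit> && ./autogen.sh && ./configure && make install && cd ~ && rm -rf tcpreplay`, choosing the commit you actually tested. If the fork is needed over the upstream tcpreplay project for a specific fix, a one-line comment above the clone saying which fix would help the next maintainer decide when it can be dropped.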
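Review bot: `entrypoint.sh` runs `tail -f /dev/null` as a child of bash rather than replacing the shell, so bash stays PID 1; as PID 1 it has no default SIGTERM handler, which typically means `docker stop` waits out its grace period and SIGKILLs the container instead of stopping cleanly. It also discards any arguments passed to `docker run`, so the container cannot be used as a one-shot replay command. Use `exec tail -f /dev/null` (or `exec "$@"` with `tail -f /dev/null` as the default `CMD`) so the process is PID 1 and signals reach it directly.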