from n6sdk.data_spec.fields import *
from necoma.common import *
from datetime import datetime
#class MawilabDataSpec(DataSpec):
# id = None
# restriction = None
#
# category = Ext(
# enum_values=DataSpec.category.enum_values + ('flow-anomaly',),
# )
#
# address = ExtendedAddressField(in_params='optional',in_result='required')
# nbdetector = IntegerField(in_params='optional', in_result='required')
# source = UnicodeField(in_params='optional', in_result=None)
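class MawilabDataBackendApi(object):
    """Backend adapter that turns raw MAWILab rows into n6 result dicts.

    Each row of ``query_result`` is expected to be an indexable sequence
    with at least 8 columns, in this order:
    src ip, sport, dst ip, dport, name, nbdetector, confidence, date
    (``YYYYMMDD``).  A row with fewer columns raises ``IndexError`` and a
    malformed date column raises ``ValueError`` (from ``datetime.strptime``);
    either one aborts the whole generator, so the feed is assumed to be
    well-formed rather than validated here.
    """

    # Column index of each filterable request parameter within a row.
    # 'ip' is matched against both the src (0) and dst (2) columns, so its
    # entry is only a membership marker and is never used as an index.
    _COLUMNS = {
        'sport': 1,
        'dport': 3,
        'name': 4,
        'nbdetector': 5,
        'confidence': 6,
        'ip': -1,
    }

    @staticmethod
    def _row_matches(data, params):
        """Return True if *data* satisfies every recognised filter in *params*.

        Only the first value of each (list-valued) parameter is honoured;
        any further values of the same parameter are silently ignored.
        Unknown parameter names and 'source' do not filter at all.
        """
        columns = MawilabDataBackendApi._COLUMNS
        for key, values in params.items():
            # 'source' selects the backend, not a row, and is not a column.
            if key == 'source' or key not in columns:
                continue
            wanted = values[0]
            if key == 'ip':
                # An address filter matches either endpoint of the flow.
                if wanted != data[0] and wanted != data[2]:
                    return False
                continue
            if wanted != data[columns[key]]:
                return False
        return True

    @staticmethod
    def parse(auth_data, params, query_result, **kwargs):
        """Yield one n6 result dict per MAWILab row that passes the filters.

        Args:
            auth_data: unused; kept for the backend API signature.
            params: mapping of request parameter name -> list of values.
            query_result: iterable of raw rows (layout in the class docstring).
            **kwargs: unused; accepted for signature compatibility.

        Yields:
            dict with the fixed 'source'/'category', both endpoints under
            'address', the port/name/detector columns verbatim, the
            confidence converted by ``convert_conf`` and the date parsed
            into a naive ``datetime`` under 'time'.

        Raises:
            IndexError: a row has fewer than 8 columns.
            ValueError: the date column is not ``YYYYMMDD``.
        """
        for data in query_result:
            # Rows lacking either endpoint or either port are unusable.
            if any(data[i] in (None, '') for i in range(4)):
                continue
            if not MawilabDataBackendApi._row_matches(data, params):
                continue
            yield {
                'source': 'mawilab',
                'category': 'flow-anomaly',
                'address': [{'ip': data[0], 'dir': 'src'}, {'ip': data[2], 'dir': 'dst'}],
                'sport': data[1],
                'dport': data[3],
                'name': data[4],
                'nbdetector': data[5],
                'confidence': convert_conf(data[6]),
                'time': datetime.strptime(data[7], "%Y%m%d"),
            }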