├── .github └── workflows │ └── ci.yml ├── .gitignore ├── .mvn ├── README.md ├── jvm.config └── wrapper │ └── maven-wrapper.properties ├── CHANGELOG.md ├── LICENSE ├── README.md ├── build.config.js ├── deployment └── settings.xml ├── gauge_validation_poc ├── .gitignore ├── env │ └── default │ │ ├── default.properties │ │ └── python.properties ├── execution_environment │ ├── docker-compose.yml │ └── graylog │ │ └── config │ │ ├── graylog.conf │ │ ├── log4j2.xml │ │ └── node-id ├── manifest.json ├── requirements.txt ├── specs │ └── scenarios.spec └── step_impl │ ├── __init__.py │ ├── graylog_server.py │ └── step_impl.py ├── images ├── alert.png └── edit_condition.png ├── mvnw ├── package.json ├── pom.xml ├── runtime ├── docker-compose.yml └── graylog │ └── config │ ├── graylog.conf │ ├── log4j2.xml │ └── node-id ├── src ├── deb │ └── control │ │ └── control ├── main │ ├── java │ │ └── com │ │ │ └── airbus_cyber_security │ │ │ └── graylog │ │ │ ├── CorrelationCountMetaData.java │ │ │ ├── CorrelationCountPlugin.java │ │ │ └── events │ │ │ ├── CorrelationCountModule.java │ │ │ ├── contentpack │ │ │ └── entities │ │ │ │ └── CorrelationCountProcessorConfigEntity.java │ │ │ └── processor │ │ │ └── correlation │ │ │ ├── CorrelationCountProcessor.java │ │ │ ├── CorrelationCountProcessorConfig.java │ │ │ ├── CorrelationCountProcessorParameters.java │ │ │ └── checks │ │ │ ├── CorrelationCountCheck.java │ │ │ ├── CorrelationCountCombinedResults.java │ │ │ ├── CorrelationCountResult.java │ │ │ ├── CorrelationCountSearches.java │ │ │ ├── OrderType.java │ │ │ ├── Threshold.java │ │ │ ├── ThresholdType.java │ │ │ └── TimestampGroupByMap.java │ └── resources │ │ ├── META-INF │ │ └── services │ │ │ └── org.graylog2.plugin.Plugin │ │ └── com.airbus-cyber-security.graylog.graylog-plugin-correlation-count │ │ └── graylog-plugin.properties ├── test │ └── java │ │ ├── com │ │ └── airbus_cyber_security │ │ │ └── graylog │ │ │ └── events │ │ │ └── processor │ │ │ └── correlation │ │ │ ├── CorrelationCountProcessorTest.java │ │ │ └── checks │ │ │ └── CorrelationCountCheckTest.java │ │ └── org │ │ ├── graylog2 │ │ └── plugin │ │ │ └── TestMessageFactory.java │ │ └── omg │ │ └── CORBA │ │ └── portable │ │ └── IDLEntity.java └── web │ ├── components │ └── event-definitions │ │ └── event-definition-types │ │ ├── CorrelationCountForm.jsx │ │ ├── CorrelationCountFormContainer.tsx │ │ ├── CorrelationCountSummary.jsx │ │ └── TimeUnitFormGroup.jsx │ └── index.jsx ├── tsconfig.json ├── validation ├── gelf_input.py ├── graylog.py ├── graylog_inputs.py ├── graylog_rest_api.py ├── graylog_server.py ├── requirements.txt ├── server_timeout_error.py └── test.py ├── webpack.config.js └── yarn.lock /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | name: Continuous Integration 2 | 3 | on: push 4 | 5 | env: 6 | JAVA_VERSION: 17 7 | 8 | jobs: 9 | build: 10 | runs-on: ubuntu-22.04 11 | steps: 12 | - name: Check out repository code 13 | uses: actions/checkout@v3 14 | with: 15 | path: plugin 16 | - name: Setup Java JDK ${{ env.JAVA_VERSION }} 17 | uses: actions/setup-java@v3 18 | with: 19 | java-version: ${{ env.JAVA_VERSION }} 20 | distribution: temurin 21 | cache: maven 22 | - name: Retrieve variables from pom 23 | id: requestPom 24 | working-directory: plugin 25 | run: | 26 | echo "GRAYLOG_VERSION=$(mvn help:evaluate -Dexpression=project.parent.version -q -DforceStdout)" >> $GITHUB_OUTPUT 27 | 28 | NAME=$(mvn help:evaluate -Dexpression=project.name -q -DforceStdout) 29 | VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout) 30 | echo "VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)" >> $GITHUB_OUTPUT 31 | echo "JAR_PATH=target/$NAME-$VERSION.jar" >> $GITHUB_OUTPUT 32 | echo "RPM_PATH=target/rpm/$NAME/RPMS/noarch/$NAME-$VERSION-1.noarch.rpm" >> $GITHUB_OUTPUT 33 | echo "DEB_PATH=target/$NAME-$VERSION.deb" >> $GITHUB_OUTPUT 34 | - name: Cache Graylog 35 | uses: actions/cache@v3 36 | id: cache 37 | with: 38 | path: graylog2-server 39 | key: ${{ steps.requestPom.outputs.GRAYLOG_VERSION }} 40 | - name: Check out Graylog ${{ steps.requestPom.outputs.GRAYLOG_VERSION }} 41 | if: steps.cache.outputs.cache-hit != 'true' 42 | uses: actions/checkout@v3 43 | with: 44 | repository: Graylog2/graylog2-server 45 | ref: ${{ steps.requestPom.outputs.GRAYLOG_VERSION }} 46 | path: graylog2-server 47 | - name: Build Graylog 48 | if: steps.cache.outputs.cache-hit != 'true' 49 | working-directory: graylog2-server 50 | run: | 51 | ./mvnw compile -DskipTests=true --batch-mode 52 | - name: Cache node_modules 53 | uses: actions/cache@v3 54 | with: 55 | path: plugin/node_modules 56 | key: ${{ hashFiles('plugin/yarn.lock') }} 57 | - name: Build plugin 58 | working-directory: plugin 59 | run: | 60 | ./mvnw package --batch-mode 61 | - name: Copy jar to backend tests runtime 62 | working-directory: plugin 63 | run: | 64 | mkdir runtime/graylog/plugin 65 | cp ${{ steps.requestPom.outputs.JAR_PATH }} runtime/graylog/plugin 66 | - name: Execute backend tests 67 | working-directory: plugin/validation 68 | run: | 69 | python -m venv venv 70 | source venv/bin/activate 71 | pip install -r requirements.txt 72 | docker compose --project-directory ../runtime pull 73 | PYTHONUNBUFFERED=true python -m unittest --verbose 74 | - name: Package signed .rpm 75 | if: endsWith(steps.requestPom.outputs.VERSION,'SNAPSHOT') == false 76 | working-directory: plugin 77 | env: 78 | GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} 79 | PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} 80 | run: | 81 | ./mvnw rpm:rpm 82 | echo -n "$GPG_PRIVATE_KEY" | gpg2 --batch --allow-secret-key-import --import 83 | rpm --define "_gpg_name Airbus CyberSecurity" --define "_gpg_sign_cmd_extra_args --pinentry-mode loopback --passphrase $PASSPHRASE" --addsign "${{ steps.requestPom.outputs.RPM_PATH }}" 84 | - name: Package signed .deb 85 | if: endsWith(steps.requestPom.outputs.VERSION,'SNAPSHOT') == false 86 | working-directory: plugin 87 | env: 88 | GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} 89 | PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} 90 | run: | 91 | echo -n "$GPG_PRIVATE_KEY" | gpg2 --batch --allow-secret-key-import --import 92 | gpg2 --export-secret-keys --batch --pinentry-mode loopback --passphrase "$PASSPHRASE" > $HOME/.gnupg/secring.gpg 93 | ./mvnw org.vafer:jdeb:jdeb --settings deployment/settings.xml 94 | - name: Check license headers 95 | working-directory: plugin 96 | run: | 97 | ./mvnw license:check 98 | - name: Archive .jar 99 | uses: actions/upload-artifact@v4 100 | with: 101 | name: jar 102 | path: plugin/${{ steps.requestPom.outputs.JAR_PATH }} 103 | if-no-files-found: error 104 | - name: Archive .rpm 105 | if: endsWith(steps.requestPom.outputs.VERSION,'SNAPSHOT') == false 106 | uses: actions/upload-artifact@v4 107 | with: 108 | name: rpm 109 | path: plugin/${{ steps.requestPom.outputs.RPM_PATH }} 110 | if-no-files-found: error 111 | - name: Archive .deb 112 | if: endsWith(steps.requestPom.outputs.VERSION,'SNAPSHOT') == false 113 | uses: actions/upload-artifact@v4 114 | with: 115 | name: deb 116 | path: plugin/${{ steps.requestPom.outputs.DEB_PATH }} 117 | if-no-files-found: error 118 | - name: Release 119 | if: startsWith(github.ref, 'refs/tags/') 120 | uses: softprops/action-gh-release@v1 121 | with: 122 | files: | 123 | plugin/${{ steps.requestPom.outputs.JAR_PATH }} 124 | plugin/${{ steps.requestPom.outputs.RPM_PATH }} 125 | plugin/${{ steps.requestPom.outputs.DEB_PATH }} 126 | fail_on_unmatched_files: true 127 | - name: Deploy to Maven Central 128 | if: startsWith(github.ref, 'refs/tags/') || endsWith(steps.requestPom.outputs.VERSION,'SNAPSHOT') 129 | working-directory: plugin 130 | env: 131 | SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }} 132 | SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }} 133 | GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} 134 | PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} 135 | run: | 136 | echo -n "$GPG_PRIVATE_KEY" | gpg2 --batch --allow-secret-key-import --import 137 | ./mvnw clean deploy -DskipTests=true --settings deployment/settings.xml 138 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | /target/ 2 | /node/ 3 | /node_modules/ 4 | 5 | # Location for built plugin 6 | /runtime/graylog/plugin/ 7 | 8 | # For backend tests in python 9 | /validation/__pycache__/ 10 | /validation/venv/ 11 | 12 | # IDE 13 | .idea 14 | *.iml -------------------------------------------------------------------------------- /.mvn/README.md: -------------------------------------------------------------------------------- 1 | ## How to create/update the maven wrapper 2 | 3 | `mvn wrapper:wrapper -Dtype=only-script -Dmaven=` 4 | -------------------------------------------------------------------------------- /.mvn/jvm.config: -------------------------------------------------------------------------------- 1 | --add-exports jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED 2 | --add-exports jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED 3 | --add-exports jdk.compiler/com.sun.tools.javac.main=ALL-UNNAMED 4 | --add-exports jdk.compiler/com.sun.tools.javac.model=ALL-UNNAMED 5 | --add-exports jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED 6 | --add-exports jdk.compiler/com.sun.tools.javac.processing=ALL-UNNAMED 7 | --add-exports jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED 8 | --add-exports jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED 9 | --add-opens jdk.compiler/com.sun.tools.javac.code=ALL-UNNAMED 10 | --add-opens jdk.compiler/com.sun.tools.javac.comp=ALL-UNNAMED 11 | -------------------------------------------------------------------------------- /.mvn/wrapper/maven-wrapper.properties: -------------------------------------------------------------------------------- 1 | # Licensed to the Apache Software Foundation (ASF) under one 2 | # or more contributor license agreements. See the NOTICE file 3 | # distributed with this work for additional information 4 | # regarding copyright ownership. The ASF licenses this file 5 | # to you under the Apache License, Version 2.0 (the 6 | # "License"); you may not use this file except in compliance 7 | # with the License. You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, 12 | # software distributed under the License is distributed on an 13 | # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 14 | # KIND, either express or implied. See the License for the 15 | # specific language governing permissions and limitations 16 | # under the License. 17 | distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.6/apache-maven-3.9.6-bin.zip 18 | wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.2.0/maven-wrapper-3.2.0.jar 19 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Change Log 2 | 3 | All notable changes to this project will be documented in this file. 4 | 5 | ## [6.1.0](https://github.com/airbus-cyber/graylog-plugin-correlation-count/compare/6.0.0...6.1.0) 6 | ### Features 7 | * Add compatibility with [Graylog 6.1.0](https://graylog.org/post/announcing-graylog-v6-1/) 8 | 9 | ## [6.0.0](https://github.com/airbus-cyber/graylog-plugin-correlation-count/compare/5.1.2...6.0.0) 10 | ### Features 11 | * Add compatibility with [Graylog 6.0.6](https://graylog.org/post/announcing-graylog-6-0-6/) 12 | 13 | ## [5.1.2](https://github.com/airbus-cyber/graylog-plugin-correlation-count/compare/5.1.1...5.1.2) 14 | ### Bug Fixes 15 | * additional_search_query is missing in event description ([issue #124](https://github.com/airbus-cyber/graylog-plugin-correlation-count/issues/34)) 16 | 17 | Note : This fix involves an internal updating of the API. The rules must be exported then imported with the new version of the plugin. 18 | 19 | ## [5.1.1](https://github.com/airbus-cyber/graylog-plugin-correlation-count/compare/5.1.0...5.1.1) 20 | ### Bug Fixes 21 | * throw a permanent EventProcessorException when the value of some group fields is missing to stop the job, instead of raising an IndexOutOfBoundsException ([issue #34](https://github.com/airbus-cyber/graylog-plugin-correlation-count/issues/34)) 22 | 23 | ## [5.1.0](https://github.com/airbus-cyber/graylog-plugin-correlation-count/compare/5.0.0...5.1.0) 24 | ### Features 25 | * Add compatibility with [Graylog 5.1](https://www.graylog.org/post/announcing-graylog-v5-1-3/) 26 | 27 | ## [5.0.0](https://github.com/airbus-cyber/graylog-plugin-correlation-count/compare/4.2.0...5.0.0) 28 | ### Features 29 | * Add compatibility with [Graylog 5.0](https://www.graylog.org/post/announcing-graylog-v5-0-8/) 30 | 31 | ## [4.2.0](https://github.com/airbus-cyber/graylog-plugin-correlation-count/compare/4.1.3...4.2.0) 32 | ### Features 33 | * Add compatibility with [Graylog 4.3](https://www.graylog.org/post/announcing-graylog-v4-3-graylog-operations-graylog-security) 34 | 35 | ## [4.1.3](https://github.com/airbus-cyber/graylog-plugin-correlation-count/compare/4.1.2...4.1.3) 36 | ### Bug Fixes 37 | * A grouping field with a special character such as space was not working. The values of grouping fields are now escaped in search queries ([issue 27](https://github.com/airbus-cyber/graylog-plugin-correlation-count/issues/27)) 38 | 39 | ## [4.1.2](https://github.com/airbus-cyber/graylog-plugin-correlation-count/compare/4.1.1...4.1.2) 40 | ### Bug Fixes 41 | * Correct handling of catchup windows. There is no more exception on several results with the same grouping field value 42 | (see Alert Wizard plugin [issue 60](https://github.com/airbus-cyber/graylog-plugin-alert-wizard/issues/60)) 43 | 44 | ## [4.1.1](https://github.com/airbus-cyber/graylog-plugin-correlation-count/compare/4.1.0...4.1.1) 45 | ### Bug Fixes 46 | * Log an error instead of raising an exception when there are several results with the same grouping field 47 | values (see Alert Wizard plugin [issue 60](https://github.com/airbus-cyber/graylog-plugin-alert-wizard/issues/60)) 48 | 49 | ## [4.1.0](https://github.com/airbus-cyber/graylog-plugin-correlation-count/compare/4.0.1...4.1.0) 50 | ### Features 51 | * Add compatibility with Graylog 4.2 52 | 53 | ## [4.0.1](https://github.com/airbus-cyber/graylog-plugin-correlation-count/compare/4.0.0...4.0.1) 54 | ### Bug Fixes 55 | * Put back missing jar in release page of github thanks to a continuous integration based on github actions 56 | 57 | ## [4.0.0](https://github.com/airbus-cyber/graylog-plugin-correlation-count/compare/2.2.0...4.0.0) 58 | ### Features 59 | * Add compatibility with Graylog 4.1 60 | * Change plugin license to SSPL version 1 61 | 62 | ## [2.2.0](https://github.com/airbus-cyber/graylog-plugin-correlation-count/compare/2.1.2...2.2.0) 63 | ### Features 64 | * Add compatibility with Graylog 3.3 65 | 66 | ## [2.1.2](https://github.com/airbus-cyber/graylog-plugin-correlation-count/compare/2.1.1...2.1.2) 67 | ### Bug Fixes 68 | * Fix Create only 1 event when the condition is satisfied 69 | 70 | ## [2.1.1](https://github.com/airbus-cyber/graylog-plugin-correlation-count/compare/2.1.0...2.1.1) 71 | ### Bug Fixes 72 | * Fix event source streams empty 73 | 74 | ## [2.1.0](https://github.com/airbus-cyber/graylog-plugin-correlation-count/compare/2.0.0...2.1.0) 75 | ### Features 76 | * Disabled isolated Plugin (shares a class loader with other plugins that have isolated=false) 77 | 78 | ## [2.0.0](https://github.com/airbus-cyber/graylog-plugin-correlation-count/compare/1.2.0...2.0.0) 79 | ### Features 80 | * Add compatibility with Graylog 3.2 81 | 82 | ## [1.2.0](https://github.com/airbus-cyber/graylog-plugin-correlation-count/compare/1.1.0...1.2.0) 83 | ### Features 84 | * Add compatibility with Graylog 3.0 85 | 86 | ## [1.1.0](https://github.com/airbus-cyber/graylog-plugin-correlation-count/compare/1.0.1...1.1.0) 87 | ### Features 88 | * Add the Search Query functionality for compatibility with Graylog 2.5 89 | 90 | ## [1.0.1](https://github.com/airbus-cyber/graylog-plugin-correlation-count/compare/1.0.0...1.0.1) 91 | ### Bug Fixes 92 | * Fix the graphic display of the messages order to clarify this order 93 | 94 | ## [1.0.0](https://github.com/airbus-cyber/graylog-plugin-correlation-count/tree/1.0.0) 95 | * First release 96 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Server Side Public License 2 | VERSION 1, OCTOBER 16, 2018 3 | 4 | Copyright © 2018 MongoDB, Inc. 5 | 6 | Everyone is permitted to copy and distribute verbatim copies of this 7 | license document, but changing it is not allowed. 8 | 9 | TERMS AND CONDITIONS 10 | 11 | 0. Definitions. 12 | 13 | “This License” refers to Server Side Public License. 14 | 15 | “Copyright” also means copyright-like laws that apply to other kinds of 16 | works, such as semiconductor masks. 17 | 18 | “The Program” refers to any copyrightable work licensed under this 19 | License. Each licensee is addressed as “you”. “Licensees” and 20 | “recipients” may be individuals or organizations. 21 | 22 | To “modify” a work means to copy from or adapt all or part of the work in 23 | a fashion requiring copyright permission, other than the making of an 24 | exact copy. The resulting work is called a “modified version” of the 25 | earlier work or a work “based on” the earlier work. 26 | 27 | A “covered work” means either the unmodified Program or a work based on 28 | the Program. 29 | 30 | To “propagate” a work means to do anything with it that, without 31 | permission, would make you directly or secondarily liable for 32 | infringement under applicable copyright law, except executing it on a 33 | computer or modifying a private copy. Propagation includes copying, 34 | distribution (with or without modification), making available to the 35 | public, and in some countries other activities as well. 36 | 37 | To “convey” a work means any kind of propagation that enables other 38 | parties to make or receive copies. Mere interaction with a user through a 39 | computer network, with no transfer of a copy, is not conveying. 40 | 41 | An interactive user interface displays “Appropriate Legal Notices” to the 42 | extent that it includes a convenient and prominently visible feature that 43 | (1) displays an appropriate copyright notice, and (2) tells the user that 44 | there is no warranty for the work (except to the extent that warranties 45 | are provided), that licensees may convey the work under this License, and 46 | how to view a copy of this License. If the interface presents a list of 47 | user commands or options, such as a menu, a prominent item in the list 48 | meets this criterion. 49 | 50 | 1. Source Code. 51 | 52 | The “source code” for a work means the preferred form of the work for 53 | making modifications to it. “Object code” means any non-source form of a 54 | work. 55 | 56 | A “Standard Interface” means an interface that either is an official 57 | standard defined by a recognized standards body, or, in the case of 58 | interfaces specified for a particular programming language, one that is 59 | widely used among developers working in that language. The “System 60 | Libraries” of an executable work include anything, other than the work as 61 | a whole, that (a) is included in the normal form of packaging a Major 62 | Component, but which is not part of that Major Component, and (b) serves 63 | only to enable use of the work with that Major Component, or to implement 64 | a Standard Interface for which an implementation is available to the 65 | public in source code form. A “Major Component”, in this context, means a 66 | major essential component (kernel, window system, and so on) of the 67 | specific operating system (if any) on which the executable work runs, or 68 | a compiler used to produce the work, or an object code interpreter used 69 | to run it. 70 | 71 | The “Corresponding Source” for a work in object code form means all the 72 | source code needed to generate, install, and (for an executable work) run 73 | the object code and to modify the work, including scripts to control 74 | those activities. However, it does not include the work's System 75 | Libraries, or general-purpose tools or generally available free programs 76 | which are used unmodified in performing those activities but which are 77 | not part of the work. For example, Corresponding Source includes 78 | interface definition files associated with source files for the work, and 79 | the source code for shared libraries and dynamically linked subprograms 80 | that the work is specifically designed to require, such as by intimate 81 | data communication or control flow between those subprograms and other 82 | parts of the work. 83 | 84 | The Corresponding Source need not include anything that users can 85 | regenerate automatically from other parts of the Corresponding Source. 86 | 87 | The Corresponding Source for a work in source code form is that same work. 88 | 89 | 2. Basic Permissions. 90 | 91 | All rights granted under this License are granted for the term of 92 | copyright on the Program, and are irrevocable provided the stated 93 | conditions are met. This License explicitly affirms your unlimited 94 | permission to run the unmodified Program, subject to section 13. The 95 | output from running a covered work is covered by this License only if the 96 | output, given its content, constitutes a covered work. This License 97 | acknowledges your rights of fair use or other equivalent, as provided by 98 | copyright law. Subject to section 13, you may make, run and propagate 99 | covered works that you do not convey, without conditions so long as your 100 | license otherwise remains in force. You may convey covered works to 101 | others for the sole purpose of having them make modifications exclusively 102 | for you, or provide you with facilities for running those works, provided 103 | that you comply with the terms of this License in conveying all 104 | material for which you do not control copyright. Those thus making or 105 | running the covered works for you must do so exclusively on your 106 | behalf, under your direction and control, on terms that prohibit them 107 | from making any copies of your copyrighted material outside their 108 | relationship with you. 109 | 110 | Conveying under any other circumstances is permitted solely under the 111 | conditions stated below. Sublicensing is not allowed; section 10 makes it 112 | unnecessary. 113 | 114 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 115 | 116 | No covered work shall be deemed part of an effective technological 117 | measure under any applicable law fulfilling obligations under article 11 118 | of the WIPO copyright treaty adopted on 20 December 1996, or similar laws 119 | prohibiting or restricting circumvention of such measures. 120 | 121 | When you convey a covered work, you waive any legal power to forbid 122 | circumvention of technological measures to the extent such circumvention is 123 | effected by exercising rights under this License with respect to the 124 | covered work, and you disclaim any intention to limit operation or 125 | modification of the work as a means of enforcing, against the work's users, 126 | your or third parties' legal rights to forbid circumvention of 127 | technological measures. 128 | 129 | 4. Conveying Verbatim Copies. 130 | 131 | You may convey verbatim copies of the Program's source code as you 132 | receive it, in any medium, provided that you conspicuously and 133 | appropriately publish on each copy an appropriate copyright notice; keep 134 | intact all notices stating that this License and any non-permissive terms 135 | added in accord with section 7 apply to the code; keep intact all notices 136 | of the absence of any warranty; and give all recipients a copy of this 137 | License along with the Program. You may charge any price or no price for 138 | each copy that you convey, and you may offer support or warranty 139 | protection for a fee. 140 | 141 | 5. Conveying Modified Source Versions. 142 | 143 | You may convey a work based on the Program, or the modifications to 144 | produce it from the Program, in the form of source code under the terms 145 | of section 4, provided that you also meet all of these conditions: 146 | 147 | a) The work must carry prominent notices stating that you modified it, 148 | and giving a relevant date. 149 | 150 | b) The work must carry prominent notices stating that it is released 151 | under this License and any conditions added under section 7. This 152 | requirement modifies the requirement in section 4 to “keep intact all 153 | notices”. 154 | 155 | c) You must license the entire work, as a whole, under this License to 156 | anyone who comes into possession of a copy. This License will therefore 157 | apply, along with any applicable section 7 additional terms, to the 158 | whole of the work, and all its parts, regardless of how they are 159 | packaged. This License gives no permission to license the work in any 160 | other way, but it does not invalidate such permission if you have 161 | separately received it. 162 | 163 | d) If the work has interactive user interfaces, each must display 164 | Appropriate Legal Notices; however, if the Program has interactive 165 | interfaces that do not display Appropriate Legal Notices, your work 166 | need not make them do so. 167 | 168 | A compilation of a covered work with other separate and independent 169 | works, which are not by their nature extensions of the covered work, and 170 | which are not combined with it such as to form a larger program, in or on 171 | a volume of a storage or distribution medium, is called an “aggregate” if 172 | the compilation and its resulting copyright are not used to limit the 173 | access or legal rights of the compilation's users beyond what the 174 | individual works permit. Inclusion of a covered work in an aggregate does 175 | not cause this License to apply to the other parts of the aggregate. 176 | 177 | 6. Conveying Non-Source Forms. 178 | 179 | You may convey a covered work in object code form under the terms of 180 | sections 4 and 5, provided that you also convey the machine-readable 181 | Corresponding Source under the terms of this License, in one of these 182 | ways: 183 | 184 | a) Convey the object code in, or embodied in, a physical product 185 | (including a physical distribution medium), accompanied by the 186 | Corresponding Source fixed on a durable physical medium customarily 187 | used for software interchange. 188 | 189 | b) Convey the object code in, or embodied in, a physical product 190 | (including a physical distribution medium), accompanied by a written 191 | offer, valid for at least three years and valid for as long as you 192 | offer spare parts or customer support for that product model, to give 193 | anyone who possesses the object code either (1) a copy of the 194 | Corresponding Source for all the software in the product that is 195 | covered by this License, on a durable physical medium customarily used 196 | for software interchange, for a price no more than your reasonable cost 197 | of physically performing this conveying of source, or (2) access to 198 | copy the Corresponding Source from a network server at no charge. 199 | 200 | c) Convey individual copies of the object code with a copy of the 201 | written offer to provide the Corresponding Source. This alternative is 202 | allowed only occasionally and noncommercially, and only if you received 203 | the object code with such an offer, in accord with subsection 6b. 204 | 205 | d) Convey the object code by offering access from a designated place 206 | (gratis or for a charge), and offer equivalent access to the 207 | Corresponding Source in the same way through the same place at no 208 | further charge. You need not require recipients to copy the 209 | Corresponding Source along with the object code. If the place to copy 210 | the object code is a network server, the Corresponding Source may be on 211 | a different server (operated by you or a third party) that supports 212 | equivalent copying facilities, provided you maintain clear directions 213 | next to the object code saying where to find the Corresponding Source. 214 | Regardless of what server hosts the Corresponding Source, you remain 215 | obligated to ensure that it is available for as long as needed to 216 | satisfy these requirements. 217 | 218 | e) Convey the object code using peer-to-peer transmission, provided you 219 | inform other peers where the object code and Corresponding Source of 220 | the work are being offered to the general public at no charge under 221 | subsection 6d. 222 | 223 | A separable portion of the object code, whose source code is excluded 224 | from the Corresponding Source as a System Library, need not be included 225 | in conveying the object code work. 226 | 227 | A “User Product” is either (1) a “consumer product”, which means any 228 | tangible personal property which is normally used for personal, family, 229 | or household purposes, or (2) anything designed or sold for incorporation 230 | into a dwelling. In determining whether a product is a consumer product, 231 | doubtful cases shall be resolved in favor of coverage. For a particular 232 | product received by a particular user, “normally used” refers to a 233 | typical or common use of that class of product, regardless of the status 234 | of the particular user or of the way in which the particular user 235 | actually uses, or expects or is expected to use, the product. A product 236 | is a consumer product regardless of whether the product has substantial 237 | commercial, industrial or non-consumer uses, unless such uses represent 238 | the only significant mode of use of the product. 239 | 240 | “Installation Information” for a User Product means any methods, 241 | procedures, authorization keys, or other information required to install 242 | and execute modified versions of a covered work in that User Product from 243 | a modified version of its Corresponding Source. The information must 244 | suffice to ensure that the continued functioning of the modified object 245 | code is in no case prevented or interfered with solely because 246 | modification has been made. 247 | 248 | If you convey an object code work under this section in, or with, or 249 | specifically for use in, a User Product, and the conveying occurs as part 250 | of a transaction in which the right of possession and use of the User 251 | Product is transferred to the recipient in perpetuity or for a fixed term 252 | (regardless of how the transaction is characterized), the Corresponding 253 | Source conveyed under this section must be accompanied by the 254 | Installation Information. But this requirement does not apply if neither 255 | you nor any third party retains the ability to install modified object 256 | code on the User Product (for example, the work has been installed in 257 | ROM). 258 | 259 | The requirement to provide Installation Information does not include a 260 | requirement to continue to provide support service, warranty, or updates 261 | for a work that has been modified or installed by the recipient, or for 262 | the User Product in which it has been modified or installed. Access 263 | to a network may be denied when the modification itself materially 264 | and adversely affects the operation of the network or violates the 265 | rules and protocols for communication across the network. 266 | 267 | Corresponding Source conveyed, and Installation Information provided, in 268 | accord with this section must be in a format that is publicly documented 269 | (and with an implementation available to the public in source code form), 270 | and must require no special password or key for unpacking, reading or 271 | copying. 272 | 273 | 7. Additional Terms. 274 | 275 | “Additional permissions” are terms that supplement the terms of this 276 | License by making exceptions from one or more of its conditions. 277 | Additional permissions that are applicable to the entire Program shall be 278 | treated as though they were included in this License, to the extent that 279 | they are valid under applicable law. If additional permissions apply only 280 | to part of the Program, that part may be used separately under those 281 | permissions, but the entire Program remains governed by this License 282 | without regard to the additional permissions. When you convey a copy of 283 | a covered work, you may at your option remove any additional permissions 284 | from that copy, or from any part of it. (Additional permissions may be 285 | written to require their own removal in certain cases when you modify the 286 | work.) You may place additional permissions on material, added by you to 287 | a covered work, for which you have or can give appropriate copyright 288 | permission. 289 | 290 | Notwithstanding any other provision of this License, for material you add 291 | to a covered work, you may (if authorized by the copyright holders of 292 | that material) supplement the terms of this License with terms: 293 | 294 | a) Disclaiming warranty or limiting liability differently from the 295 | terms of sections 15 and 16 of this License; or 296 | 297 | b) Requiring preservation of specified reasonable legal notices or 298 | author attributions in that material or in the Appropriate Legal 299 | Notices displayed by works containing it; or 300 | 301 | c) Prohibiting misrepresentation of the origin of that material, or 302 | requiring that modified versions of such material be marked in 303 | reasonable ways as different from the original version; or 304 | 305 | d) Limiting the use for publicity purposes of names of licensors or 306 | authors of the material; or 307 | 308 | e) Declining to grant rights under trademark law for use of some trade 309 | names, trademarks, or service marks; or 310 | 311 | f) Requiring indemnification of licensors and authors of that material 312 | by anyone who conveys the material (or modified versions of it) with 313 | contractual assumptions of liability to the recipient, for any 314 | liability that these contractual assumptions directly impose on those 315 | licensors and authors. 316 | 317 | All other non-permissive additional terms are considered “further 318 | restrictions” within the meaning of section 10. If the Program as you 319 | received it, or any part of it, contains a notice stating that it is 320 | governed by this License along with a term that is a further restriction, 321 | you may remove that term. If a license document contains a further 322 | restriction but permits relicensing or conveying under this License, you 323 | may add to a covered work material governed by the terms of that license 324 | document, provided that the further restriction does not survive such 325 | relicensing or conveying. 326 | 327 | If you add terms to a covered work in accord with this section, you must 328 | place, in the relevant source files, a statement of the additional terms 329 | that apply to those files, or a notice indicating where to find the 330 | applicable terms. Additional terms, permissive or non-permissive, may be 331 | stated in the form of a separately written license, or stated as 332 | exceptions; the above requirements apply either way. 333 | 334 | 8. Termination. 335 | 336 | You may not propagate or modify a covered work except as expressly 337 | provided under this License. Any attempt otherwise to propagate or modify 338 | it is void, and will automatically terminate your rights under this 339 | License (including any patent licenses granted under the third paragraph 340 | of section 11). 341 | 342 | However, if you cease all violation of this License, then your license 343 | from a particular copyright holder is reinstated (a) provisionally, 344 | unless and until the copyright holder explicitly and finally terminates 345 | your license, and (b) permanently, if the copyright holder fails to 346 | notify you of the violation by some reasonable means prior to 60 days 347 | after the cessation. 348 | 349 | Moreover, your license from a particular copyright holder is reinstated 350 | permanently if the copyright holder notifies you of the violation by some 351 | reasonable means, this is the first time you have received notice of 352 | violation of this License (for any work) from that copyright holder, and 353 | you cure the violation prior to 30 days after your receipt of the notice. 354 | 355 | Termination of your rights under this section does not terminate the 356 | licenses of parties who have received copies or rights from you under 357 | this License. If your rights have been terminated and not permanently 358 | reinstated, you do not qualify to receive new licenses for the same 359 | material under section 10. 360 | 361 | 9. Acceptance Not Required for Having Copies. 362 | 363 | You are not required to accept this License in order to receive or run a 364 | copy of the Program. Ancillary propagation of a covered work occurring 365 | solely as a consequence of using peer-to-peer transmission to receive a 366 | copy likewise does not require acceptance. However, nothing other than 367 | this License grants you permission to propagate or modify any covered 368 | work. These actions infringe copyright if you do not accept this License. 369 | Therefore, by modifying or propagating a covered work, you indicate your 370 | acceptance of this License to do so. 371 | 372 | 10. Automatic Licensing of Downstream Recipients. 373 | 374 | Each time you convey a covered work, the recipient automatically receives 375 | a license from the original licensors, to run, modify and propagate that 376 | work, subject to this License. You are not responsible for enforcing 377 | compliance by third parties with this License. 378 | 379 | An “entity transaction” is a transaction transferring control of an 380 | organization, or substantially all assets of one, or subdividing an 381 | organization, or merging organizations. If propagation of a covered work 382 | results from an entity transaction, each party to that transaction who 383 | receives a copy of the work also receives whatever licenses to the work 384 | the party's predecessor in interest had or could give under the previous 385 | paragraph, plus a right to possession of the Corresponding Source of the 386 | work from the predecessor in interest, if the predecessor has it or can 387 | get it with reasonable efforts. 388 | 389 | You may not impose any further restrictions on the exercise of the rights 390 | granted or affirmed under this License. For example, you may not impose a 391 | license fee, royalty, or other charge for exercise of rights granted 392 | under this License, and you may not initiate litigation (including a 393 | cross-claim or counterclaim in a lawsuit) alleging that any patent claim 394 | is infringed by making, using, selling, offering for sale, or importing 395 | the Program or any portion of it. 396 | 397 | 11. Patents. 398 | 399 | A “contributor” is a copyright holder who authorizes use under this 400 | License of the Program or a work on which the Program is based. The work 401 | thus licensed is called the contributor's “contributor version”. 402 | 403 | A contributor's “essential patent claims” are all patent claims owned or 404 | controlled by the contributor, whether already acquired or hereafter 405 | acquired, that would be infringed by some manner, permitted by this 406 | License, of making, using, or selling its contributor version, but do not 407 | include claims that would be infringed only as a consequence of further 408 | modification of the contributor version. For purposes of this definition, 409 | “control” includes the right to grant patent sublicenses in a manner 410 | consistent with the requirements of this License. 411 | 412 | Each contributor grants you a non-exclusive, worldwide, royalty-free 413 | patent license under the contributor's essential patent claims, to make, 414 | use, sell, offer for sale, import and otherwise run, modify and propagate 415 | the contents of its contributor version. 416 | 417 | In the following three paragraphs, a “patent license” is any express 418 | agreement or commitment, however denominated, not to enforce a patent 419 | (such as an express permission to practice a patent or covenant not to 420 | sue for patent infringement). To “grant” such a patent license to a party 421 | means to make such an agreement or commitment not to enforce a patent 422 | against the party. 423 | 424 | If you convey a covered work, knowingly relying on a patent license, and 425 | the Corresponding Source of the work is not available for anyone to copy, 426 | free of charge and under the terms of this License, through a publicly 427 | available network server or other readily accessible means, then you must 428 | either (1) cause the Corresponding Source to be so available, or (2) 429 | arrange to deprive yourself of the benefit of the patent license for this 430 | particular work, or (3) arrange, in a manner consistent with the 431 | requirements of this License, to extend the patent license to downstream 432 | recipients. “Knowingly relying” means you have actual knowledge that, but 433 | for the patent license, your conveying the covered work in a country, or 434 | your recipient's use of the covered work in a country, would infringe 435 | one or more identifiable patents in that country that you have reason 436 | to believe are valid. 437 | 438 | If, pursuant to or in connection with a single transaction or 439 | arrangement, you convey, or propagate by procuring conveyance of, a 440 | covered work, and grant a patent license to some of the parties receiving 441 | the covered work authorizing them to use, propagate, modify or convey a 442 | specific copy of the covered work, then the patent license you grant is 443 | automatically extended to all recipients of the covered work and works 444 | based on it. 445 | 446 | A patent license is “discriminatory” if it does not include within the 447 | scope of its coverage, prohibits the exercise of, or is conditioned on 448 | the non-exercise of one or more of the rights that are specifically 449 | granted under this License. You may not convey a covered work if you are 450 | a party to an arrangement with a third party that is in the business of 451 | distributing software, under which you make payment to the third party 452 | based on the extent of your activity of conveying the work, and under 453 | which the third party grants, to any of the parties who would receive the 454 | covered work from you, a discriminatory patent license (a) in connection 455 | with copies of the covered work conveyed by you (or copies made from 456 | those copies), or (b) primarily for and in connection with specific 457 | products or compilations that contain the covered work, unless you 458 | entered into that arrangement, or that patent license was granted, prior 459 | to 28 March 2007. 460 | 461 | Nothing in this License shall be construed as excluding or limiting any 462 | implied license or other defenses to infringement that may otherwise be 463 | available to you under applicable patent law. 464 | 465 | 12. No Surrender of Others' Freedom. 466 | 467 | If conditions are imposed on you (whether by court order, agreement or 468 | otherwise) that contradict the conditions of this License, they do not 469 | excuse you from the conditions of this License. If you cannot use, 470 | propagate or convey a covered work so as to satisfy simultaneously your 471 | obligations under this License and any other pertinent obligations, then 472 | as a consequence you may not use, propagate or convey it at all. For 473 | example, if you agree to terms that obligate you to collect a royalty for 474 | further conveying from those to whom you convey the Program, the only way 475 | you could satisfy both those terms and this License would be to refrain 476 | entirely from conveying the Program. 477 | 478 | 13. Offering the Program as a Service. 479 | 480 | If you make the functionality of the Program or a modified version 481 | available to third parties as a service, you must make the Service Source 482 | Code available via network download to everyone at no charge, under the 483 | terms of this License. Making the functionality of the Program or 484 | modified version available to third parties as a service includes, 485 | without limitation, enabling third parties to interact with the 486 | functionality of the Program or modified version remotely through a 487 | computer network, offering a service the value of which entirely or 488 | primarily derives from the value of the Program or modified version, or 489 | offering a service that accomplishes for users the primary purpose of the 490 | Program or modified version. 491 | 492 | “Service Source Code” means the Corresponding Source for the Program or 493 | the modified version, and the Corresponding Source for all programs that 494 | you use to make the Program or modified version available as a service, 495 | including, without limitation, management software, user interfaces, 496 | application program interfaces, automation software, monitoring software, 497 | backup software, storage software and hosting software, all such that a 498 | user could run an instance of the service using the Service Source Code 499 | you make available. 500 | 501 | 14. Revised Versions of this License. 502 | 503 | MongoDB, Inc. may publish revised and/or new versions of the Server Side 504 | Public License from time to time. Such new versions will be similar in 505 | spirit to the present version, but may differ in detail to address new 506 | problems or concerns. 507 | 508 | Each version is given a distinguishing version number. If the Program 509 | specifies that a certain numbered version of the Server Side Public 510 | License “or any later version” applies to it, you have the option of 511 | following the terms and conditions either of that numbered version or of 512 | any later version published by MongoDB, Inc. If the Program does not 513 | specify a version number of the Server Side Public License, you may 514 | choose any version ever published by MongoDB, Inc. 515 | 516 | If the Program specifies that a proxy can decide which future versions of 517 | the Server Side Public License can be used, that proxy's public statement 518 | of acceptance of a version permanently authorizes you to choose that 519 | version for the Program. 520 | 521 | Later license versions may give you additional or different permissions. 522 | However, no additional obligations are imposed on any author or copyright 523 | holder as a result of your choosing to follow a later version. 524 | 525 | 15. Disclaimer of Warranty. 526 | 527 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 528 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 529 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY 530 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 531 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 532 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 533 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 534 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 535 | 536 | 16. Limitation of Liability. 537 | 538 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 539 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 540 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING 541 | ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF 542 | THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO 543 | LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU 544 | OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 545 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 546 | POSSIBILITY OF SUCH DAMAGES. 547 | 548 | 17. Interpretation of Sections 15 and 16. 549 | 550 | If the disclaimer of warranty and limitation of liability provided above 551 | cannot be given local legal effect according to their terms, reviewing 552 | courts shall apply local law that most closely approximates an absolute 553 | waiver of all civil liability in connection with the Program, unless a 554 | warranty or assumption of liability accompanies a copy of the Program in 555 | return for a fee. 556 | 557 | END OF TERMS AND CONDITIONS 558 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Correlation Count Plugin for Graylog 2 | 3 | [![Continuous Integration](https://github.com/airbus-cyber/graylog-plugin-correlation-count/actions/workflows/ci.yml/badge.svg)](https://github.com/airbus-cyber/graylog-plugin-correlation-count/actions/workflows/ci.yml) 4 | [![License](https://img.shields.io/badge/license-SSPL-green)](https://www.mongodb.com/licensing/server-side-public-license) 5 | [![GitHub Release](https://img.shields.io/github/v/release/airbus-cyber/graylog-plugin-correlation-count)](https://github.com/airbus-cyber/graylog-plugin-correlation-count/releases) 6 | 7 | #### Alert condition plugin for Graylog to perform correlation 8 | 9 | The alert condition triggers whenever the main stream received more or less than X messages and the additional stream received more or less than Y messages in the last Z minutes. 10 | 11 | This is useful for correlating messages of different kinds. 12 | 13 | Perfect for example to be alerted when there is a successful authentication after a number of authentication attempts on your platform. Create a stream that catches every authentification failure and another stream that catches every successful authentification and be alerted when the first one exceeds a given threshold and the second one exceeds another given threshold (here zero) per user. 14 | 15 | Please also take note that only a single alert is raised for this condition during the alerting interval, although multiple messages containing different values for the message fields may have been received since the last alert. 16 | 17 | Example of raised alert: 18 | 19 | ![](https://raw.githubusercontent.com/airbus-cyber/graylog-plugin-correlation-count/master/images/alert.png) 20 | 21 | ## Version Compatibility 22 | 23 | | Plugin Version | Graylog Version | 24 | |----------------|-----------------| 25 | | 6.1.x | 6.1.x | 26 | | 6.0.x | 6.0.x | 27 | | 5.1.x | 5.1.x | 28 | | 5.0.x | 5.0.x | 29 | | 4.2.x | 4.3.x | 30 | | 4.1.x | 4.2.x | 31 | | 4.0.x | 4.1.x | 32 | | 2.2.x | 3.3.x | 33 | | 2.1.x | 3.2.x | 34 | | 2.0.x | 3.2.x | 35 | | 1.2.x | 3.0.x | 36 | | 1.1.x | 2.5.x | 37 | | 1.0.x | 2.4.x | 38 | 39 | 40 | ## Installation 41 | 42 | [Download the plugin](https://github.com/airbus-cyber/graylog-plugin-correlation-count/releases) 43 | and place the `.jar` file in your Graylog plugin directory. The plugin directory 44 | is the `plugins/` folder relative from your `graylog-server` directory by default 45 | and can be configured in your `graylog.conf` file. 46 | 47 | Restart `graylog-server` and you are done. 48 | 49 | ## Usage 50 | 51 | First you have to select the alert type **Correlation Count Alert Condition** 52 | 53 | Then, you can configure the **Stream**. The parameters **Threshold** and **Threshold Type** let you respectively select the threshold and its type which apply on the main stream. 54 | 55 | Similarly, you can configure the **Additional Stream** to correlate messages of different kind from the main stream. 56 | 57 | The parameters **Additional Threshold** and **Additional Threshold Type** let you respectively select the threshold and its type which apply on the additional stream. 58 | 59 | You can configure the **Messages Order** between the additional stream and the main stream if you want for example the messages of the additional stream to precede the messages of the main stream to trigger the alert. 60 | 61 | You can optionally configure the **Grouping Fields** to only count messages with the same values in both streams. 62 | 63 | You can also set all the common parameters : **Search within the last**, **Execute search every** and **Search Query**. 64 | 65 | ![](https://raw.githubusercontent.com/airbus-cyber/graylog-plugin-correlation-count/master/images/edit_condition.png) 66 | 67 | ## Build 68 | 69 | This project requires Java 17 JDK. 70 | 71 | * Clone this repository. 72 | * Clone [graylog2-server](https://github.com/Graylog2/graylog2-server) repository next to this repository. 73 | * Build Graylog2-server with `./mvnw compile -DskipTests=true` (in graylog2-server folder) 74 | * Run `./mvnw package` to build a JAR file (in this project folder). 75 | * Optional: Run `./mvnw org.vafer:jdeb:jdeb` and `./mvnw rpm:rpm` to create a DEB and RPM package respectively. 76 | * Copy generated JAR file in target directory to your Graylog plugin directory. 77 | * Restart the Graylog. 78 | 79 | A docker to build can be generated from [Dockerfile](https://github.com/airbus-cyber/graylog-plugin-logging-alert/blob/master/build_docker/Dockerfile). 80 | 81 | ## License 82 | 83 | This plugin is released under version 1 of the [Server Side Public License (SSPL)](LICENSE). 84 | -------------------------------------------------------------------------------- /build.config.js: -------------------------------------------------------------------------------- 1 | const path = require('path'); 2 | 3 | module.exports = { 4 | // Make sure that this is the correct path to the web interface part of the Graylog server repository. 5 | web_src_path: path.resolve(__dirname, '../graylog2-server/graylog2-web-interface'), 6 | }; 7 | -------------------------------------------------------------------------------- /deployment/settings.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | central 5 | ${env.SONATYPE_USERNAME} 6 | ${env.SONATYPE_PASSWORD} 7 | 8 | 9 | 10 | 11 | ossrh 12 | 13 | true 14 | 15 | 16 | gpg2 17 | ${env.PASSPHRASE} 18 | Airbus CyberSecurity 19 | 20 | 21 | 22 | jdeb-signing 23 | 24 | F8D87B13 25 | ${env.PASSPHRASE} 26 | 27 | 28 | 29 | 30 | jdeb-signing 31 | 32 | 33 | -------------------------------------------------------------------------------- /gauge_validation_poc/.gitignore: -------------------------------------------------------------------------------- 1 | # Gauge - metadata dir 2 | .gauge 3 | 4 | # Gauge - log files dir 5 | logs 6 | 7 | # Gauge - reports generated by reporting plugins 8 | reports 9 | 10 | # Python generated files 11 | __pycache__/ 12 | 13 | # Location for built plugin 14 | execution_environment/graylog/plugin/ 15 | -------------------------------------------------------------------------------- /gauge_validation_poc/env/default/default.properties: -------------------------------------------------------------------------------- 1 | # default.properties 2 | # properties set here will be available to the test execution as environment variables 3 | 4 | # sample_key = sample_value 5 | 6 | # The path to the gauge reports directory. Should be either relative to the project directory or an absolute path 7 | gauge_reports_dir = reports 8 | 9 | # Set as false if gauge reports should not be overwritten on each execution. A new time-stamped directory will be created on each execution. 10 | overwrite_reports = true 11 | 12 | # Set to false to disable screenshots on failure in reports. 13 | screenshot_on_failure = true 14 | 15 | # The path to the gauge logs directory. Should be either relative to the project directory or an absolute path 16 | logs_directory = logs 17 | 18 | # Set to true to use multithreading for parallel execution 19 | enable_multithreading = false 20 | 21 | # The path the gauge specifications directory. Takes a comma separated list of specification files/directories. 22 | gauge_specs_dir = specs 23 | 24 | # The default delimiter used read csv files. 25 | csv_delimiter = , 26 | 27 | # Allows steps to be written in multiline 28 | allow_multiline_step = false 29 | -------------------------------------------------------------------------------- /gauge_validation_poc/env/default/python.properties: -------------------------------------------------------------------------------- 1 | GAUGE_PYTHON_COMMAND = python 2 | 3 | STEP_IMPL_DIR = step_impl -------------------------------------------------------------------------------- /gauge_validation_poc/execution_environment/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | services: 3 | 4 | # MongoDB: https://hub.docker.com/_/mongo/ 5 | mongo: 6 | image: "mongo:4.2" 7 | container_name: mongo4 8 | networks: 9 | net: 10 | ipv4_address: 172.15.0.2 11 | 12 | # Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/7.10/docker.html 13 | elasticsearch: 14 | image: "docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2" 15 | container_name: elasticsearch7 16 | environment: 17 | - "discovery.type=single-node" 18 | networks: 19 | net: 20 | ipv4_address: 172.15.0.3 21 | 22 | # Graylog: https://hub.docker.com/r/graylog/graylog/ 23 | graylog: 24 | image: "graylog/graylog:4.1" 25 | container_name: graylog 26 | links: 27 | - mongo:mongo 28 | - elasticsearch 29 | depends_on: 30 | - mongo 31 | - elasticsearch 32 | ports: 33 | # Graylog web interface and REST API 34 | - 9000:9000 35 | # Raw/Plaintext TCP 36 | - 5555:5555 37 | # Syslog TCP 38 | - 514:514 39 | # Syslog UDP 40 | - 514:514/udp 41 | # GELF TCP 42 | - 12201:12201 43 | # GELF UDP 44 | - 12201:12201/udp 45 | networks: 46 | net: 47 | ipv4_address: 172.15.0.4 48 | volumes: 49 | - ./graylog/config:/usr/share/graylog/data/config 50 | - ./graylog/plugin:/usr/share/graylog/plugin/ 51 | 52 | networks: 53 | net: 54 | ipam: 55 | driver: default 56 | config: 57 | - subnet: 172.15.0.0/16 58 | 59 | -------------------------------------------------------------------------------- /gauge_validation_poc/execution_environment/graylog/config/log4j2.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /gauge_validation_poc/execution_environment/graylog/config/node-id: -------------------------------------------------------------------------------- 1 | dd18c58a-f4b5-46ba-85b0-1a7cebb33b79 -------------------------------------------------------------------------------- /gauge_validation_poc/manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "Language": "python", 3 | "Plugins": [ 4 | "html-report" 5 | ] 6 | } -------------------------------------------------------------------------------- /gauge_validation_poc/requirements.txt: -------------------------------------------------------------------------------- 1 | getgauge==0.3.10 -------------------------------------------------------------------------------- /gauge_validation_poc/specs/scenarios.spec: -------------------------------------------------------------------------------- 1 | # End-to-end test scenarios 2 | 3 | To execute this specification, build the plugin jar and copy it to execution_environment/graylog/plugin, then run 4 | 5 | gauge specs 6 | 7 | 8 | ## Plugin should not fail on receiving a message 9 | 10 | * Start Graylog server 11 | * Login as "admin"/"admin" 12 | * Go to page "/alerts/definitions/new" 13 | * Fill "event-definition-title" input with "Test correlation" 14 | * Click button "Next" 15 | * Stop Graylog server 16 | 17 | -------------------------------------------------------------------------------- /gauge_validation_poc/step_impl/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/airbus-cyber/graylog-plugin-correlation-count/13732fceefccfe7463d9c34bd1f13770654cdcdb/gauge_validation_poc/step_impl/__init__.py -------------------------------------------------------------------------------- /gauge_validation_poc/step_impl/graylog_server.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | from threading import Thread 3 | from queue import Queue 4 | 5 | DOCKER_COMPOSE_PATH = 'execution_environment' 6 | 7 | 8 | class GraylogServer: 9 | 10 | def _put_stream_lines_in_queue(self, stream, queue): 11 | while True: 12 | line = stream.readline() 13 | if (line == ''): 14 | break 15 | queue.put(line) 16 | 17 | URL = 'http://127.0.0.1:9000' 18 | 19 | def start(self): 20 | subprocess.run(['docker-compose', 'up', '--detach'], cwd=DOCKER_COMPOSE_PATH) 21 | 22 | def wait_until_log(self, message): 23 | graylog_logs = subprocess.Popen(['docker-compose', 'logs', '--no-color', '--follow'], cwd=DOCKER_COMPOSE_PATH, stdout=subprocess.PIPE, text=True) 24 | logs = Queue() 25 | reading_logs = Thread(target=self._put_stream_lines_in_queue, args=[graylog_logs.stdout, logs]) 26 | reading_logs.start() 27 | while True: 28 | try: 29 | log = logs.get(1) 30 | except Empty: 31 | raise AssertionError(expected_message) 32 | break 33 | print(log) 34 | if 'Graylog server up and running.' in log: 35 | break 36 | graylog_logs.terminate() 37 | reading_logs.join() 38 | 39 | def stop(self): 40 | subprocess.run(['docker-compose', 'stop'], cwd=DOCKER_COMPOSE_PATH) 41 | 42 | -------------------------------------------------------------------------------- /gauge_validation_poc/step_impl/step_impl.py: -------------------------------------------------------------------------------- 1 | import os 2 | from getgauge.python import before_suite, after_suite, step 3 | from getgauge.python import custom_screenshot_writer 4 | from selenium.webdriver import Firefox 5 | from selenium.webdriver.common.keys import Keys 6 | from selenium.webdriver.common.by import By 7 | from selenium.webdriver.support.ui import WebDriverWait 8 | from selenium.webdriver.support.expected_conditions import presence_of_element_located 9 | from step_impl.graylog_server import GraylogServer 10 | 11 | @before_suite 12 | def init(): 13 | # Note: I am not sure this is better, or using the data_store.suite is better... 14 | global server 15 | server = GraylogServer() 16 | global driver 17 | driver = Firefox() 18 | 19 | @after_suite 20 | def close(): 21 | driver.close() 22 | 23 | @step("Start Graylog server") 24 | def start_graylog_server(): 25 | server.start() 26 | server.wait_until_log('Graylog server did not start correctly') 27 | 28 | @step("Stop Graylog server") 29 | def stop_graylog_server(): 30 | server.stop() 31 | 32 | @step("Login as /") 33 | def login(login, password): 34 | driver.get(server.URL) 35 | fill_input('username', login) 36 | fill_input('password', password) 37 | # note: could alternatively do send_keys(Keys.ENTER) 38 | driver.find_element_by_css_selector('button[type=submit]').click() 39 | 40 | @step("Go to page ") 41 | def go_to_page(page_name): 42 | driver.get(server.URL + page_name) 43 | 44 | @step("Click button <>") 45 | def click_button(text): 46 | driver.find_element_by_xpath('//button[text()="' + text + '"]').click() 47 | 48 | @step("Fill input with ") 49 | def fill_input(identifier, value): 50 | WebDriverWait(driver, 10).until(presence_of_element_located([By.ID, identifier])) 51 | driver.find_element_by_id(identifier).send_keys(value) 52 | 53 | @custom_screenshot_writer 54 | def take_screenshot(): 55 | image = driver.get_screenshot_as_png() 56 | file_name = os.path.join(os.getenv("gauge_screenshots_dir"), "screenshot-{0}.png".format(uuid1().int)) 57 | file = open(file_name, "wb") 58 | file.write(image) 59 | return os.path.basename(file_name) 60 | -------------------------------------------------------------------------------- /images/alert.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/airbus-cyber/graylog-plugin-correlation-count/13732fceefccfe7463d9c34bd1f13770654cdcdb/images/alert.png -------------------------------------------------------------------------------- /images/edit_condition.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/airbus-cyber/graylog-plugin-correlation-count/13732fceefccfe7463d9c34bd1f13770654cdcdb/images/edit_condition.png -------------------------------------------------------------------------------- /mvnw: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # ---------------------------------------------------------------------------- 3 | # Licensed to the Apache Software Foundation (ASF) under one 4 | # or more contributor license agreements. See the NOTICE file 5 | # distributed with this work for additional information 6 | # regarding copyright ownership. The ASF licenses this file 7 | # to you under the Apache License, Version 2.0 (the 8 | # "License"); you may not use this file except in compliance 9 | # with the License. You may obtain a copy of the License at 10 | # 11 | # http://www.apache.org/licenses/LICENSE-2.0 12 | # 13 | # Unless required by applicable law or agreed to in writing, 14 | # software distributed under the License is distributed on an 15 | # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 16 | # KIND, either express or implied. See the License for the 17 | # specific language governing permissions and limitations 18 | # under the License. 19 | # ---------------------------------------------------------------------------- 20 | 21 | # ---------------------------------------------------------------------------- 22 | # Apache Maven Wrapper startup batch script, version 3.2.0 23 | # 24 | # Optional ENV vars 25 | # ----------------- 26 | # JAVA_HOME - location of a JDK home dir, required when download maven via java source 27 | # MVNW_REPOURL - repo url base for downloading maven distribution 28 | # MVNW_USERNAME/MVNW_PASSWORD - user and password for downloading maven 29 | # MVNW_VERBOSE - true: enable verbose log; debug: trace the mvnw script; others: silence the output 30 | # ---------------------------------------------------------------------------- 31 | 32 | set -euf 33 | [ "${MVNW_VERBOSE-}" != debug ] || set -x 34 | 35 | # OS specific support. 36 | native_path() { printf %s\\n "$1"; } 37 | case "$(uname)" in 38 | (CYGWIN*|MINGW*) [ -z "${JAVA_HOME-}" ] || JAVA_HOME="$(cygpath --unix "$JAVA_HOME")" 39 | native_path() { cygpath --path --windows "$1"; } ;; 40 | esac 41 | 42 | # set JAVACMD and JAVACCMD 43 | set_java_home() { 44 | # For Cygwin and MinGW, ensure paths are in Unix format before anything is touched 45 | if [ -n "${JAVA_HOME-}" ] ; then 46 | if [ -x "$JAVA_HOME/jre/sh/java" ] ; then 47 | # IBM's JDK on AIX uses strange locations for the executables 48 | JAVACMD="$JAVA_HOME/jre/sh/java" 49 | JAVACCMD="$JAVA_HOME/jre/sh/javac" 50 | else 51 | JAVACMD="$JAVA_HOME/bin/java" 52 | JAVACCMD="$JAVA_HOME/bin/javac" 53 | 54 | if [ ! -x "$JAVACMD" ] || [ ! -x "$JAVACCMD" ] ; then 55 | echo "The JAVA_HOME environment variable is not defined correctly, so mvnw cannot run." >&2 56 | echo "JAVA_HOME is set to \"$JAVA_HOME\", but \"\$JAVA_HOME/bin/java\" or \"\$JAVA_HOME/bin/javac\" does not exist." >&2 57 | return 1 58 | fi 59 | fi 60 | else 61 | JAVACMD="$('set' +e; 'unset' -f command 2>/dev/null; 'command' -v java)" || : 62 | JAVACCMD="$('set' +e; 'unset' -f command 2>/dev/null; 'command' -v javac)" || : 63 | 64 | if [ ! -x "${JAVACMD-}" ] || [ ! -x "${JAVACCMD-}" ] ; then 65 | echo "The java/javac command does not exist in PATH nor is JAVA_HOME set, so mvnw cannot run." >&2 66 | return 1 67 | fi 68 | fi 69 | } 70 | 71 | # hash string like Java String::hashCode 72 | hash_string() { 73 | str="${1:-}" h=0 74 | while [ -n "$str" ]; do 75 | h=$(( ( h * 31 + $(LC_CTYPE=C printf %d "'$str") ) % 4294967296 )) 76 | str="${str#?}" 77 | done 78 | printf %x\\n $h 79 | } 80 | 81 | verbose() { :; } 82 | [ "${MVNW_VERBOSE-}" != true ] || verbose() { printf %s\\n "${1-}"; } 83 | 84 | die() { 85 | printf %s\\n "$1" >&2 86 | exit 1 87 | } 88 | 89 | # parse distributionUrl and optional distributionSha256Sum, requires .mvn/wrapper/maven-wrapper.properties 90 | while IFS="=" read -r key value; do 91 | case "${key-}" in 92 | distributionUrl) distributionUrl="${value-}" ;; 93 | distributionSha256Sum) distributionSha256Sum="${value-}" ;; 94 | esac 95 | done < "${0%/*}/.mvn/wrapper/maven-wrapper.properties" 96 | [ -n "${distributionUrl-}" ] || die "cannot read distributionUrl property in ${0%/*}/.mvn/wrapper/maven-wrapper.properties" 97 | 98 | 99 | case "${distributionUrl##*/}" in 100 | (maven-mvnd-*bin.*) 101 | MVN_CMD=mvnd.sh _MVNW_REPO_PATTERN=/maven/mvnd/ 102 | case "${PROCESSOR_ARCHITECTURE-}${PROCESSOR_ARCHITEW6432-}:$(uname -a)" in 103 | (*AMD64:CYGWIN*|*AMD64:MINGW*) distributionPlatform=windows-amd64 ;; 104 | (:Darwin*x86_64) distributionPlatform=darwin-amd64 ;; 105 | (:Darwin*arm64) distributionPlatform=darwin-aarch64 ;; 106 | (:Linux*x86_64*) distributionPlatform=linux-amd64 ;; 107 | (*) echo "Cannot detect native platform for mvnd on $(uname)-$(uname -m), use pure java version" >&2 108 | distributionPlatform=linux-amd64 109 | ;; 110 | esac 111 | distributionUrl="${distributionUrl%-bin.*}-$distributionPlatform.zip" 112 | ;; 113 | (maven-mvnd-*) MVN_CMD=mvnd.sh _MVNW_REPO_PATTERN=/maven/mvnd/ ;; 114 | (*) MVN_CMD="mvn${0##*/mvnw}" _MVNW_REPO_PATTERN=/org/apache/maven/ ;; 115 | esac 116 | 117 | # apply MVNW_REPOURL and calculate MAVEN_HOME 118 | # maven home pattern: ~/.m2/wrapper/dists/{apache-maven-,maven-mvnd--}/ 119 | [ -z "${MVNW_REPOURL-}" ] || distributionUrl="$MVNW_REPOURL$_MVNW_REPO_PATTERN${distributionUrl#*"$_MVNW_REPO_PATTERN"}" 120 | distributionUrlName="${distributionUrl##*/}" 121 | distributionUrlNameMain="${distributionUrlName%.*}" 122 | distributionUrlNameMain="${distributionUrlNameMain%-bin}" 123 | MAVEN_HOME="$HOME/.m2/wrapper/dists/${distributionUrlNameMain-}/$(hash_string "$distributionUrl")" 124 | 125 | exec_maven() { 126 | unset MVNW_VERBOSE MVNW_USERNAME MVNW_PASSWORD MVNW_REPOURL || : 127 | exec "$MAVEN_HOME/bin/$MVN_CMD" "$@" || die "cannot exec $MAVEN_HOME/bin/$MVN_CMD" 128 | } 129 | 130 | if [ -d "$MAVEN_HOME" ]; then 131 | verbose "found existing MAVEN_HOME at $MAVEN_HOME" 132 | exec_maven "$@" 133 | fi 134 | 135 | case "${distributionUrl-}" in 136 | (*?-bin.zip|*?maven-mvnd-?*-?*.zip) ;; 137 | (*) die "distributionUrl is not valid, must match *-bin.zip or maven-mvnd-*.zip, but found '${distributionUrl-}'" ;; 138 | esac 139 | 140 | # prepare tmp dir 141 | if TMP_DOWNLOAD_DIR="$(mktemp -d)" && [ -d "$TMP_DOWNLOAD_DIR" ]; then 142 | clean() { rm -rf -- "$TMP_DOWNLOAD_DIR"; } 143 | trap clean HUP INT TERM EXIT 144 | else 145 | die "cannot create temp dir" 146 | fi 147 | 148 | mkdir -p -- "${MAVEN_HOME%/*}" 149 | 150 | # Download and Install Apache Maven 151 | verbose "Couldn't find MAVEN_HOME, downloading and installing it ..." 152 | verbose "Downloading from: $distributionUrl" 153 | verbose "Downloading to: $TMP_DOWNLOAD_DIR/$distributionUrlName" 154 | 155 | # select .zip or .tar.gz 156 | if ! command -v unzip >/dev/null; then 157 | distributionUrl="${distributionUrl%.zip}.tar.gz" 158 | distributionUrlName="${distributionUrl##*/}" 159 | fi 160 | 161 | # verbose opt 162 | __MVNW_QUIET_WGET=--quiet __MVNW_QUIET_CURL=--silent __MVNW_QUIET_UNZIP=-q __MVNW_QUIET_TAR='' 163 | [ "${MVNW_VERBOSE-}" != true ] || __MVNW_QUIET_WGET='' __MVNW_QUIET_CURL='' __MVNW_QUIET_UNZIP='' __MVNW_QUIET_TAR=v 164 | 165 | # normalize http auth 166 | case "${MVNW_PASSWORD:+has-password}" in 167 | '') MVNW_USERNAME='' MVNW_PASSWORD='' ;; 168 | has-password) [ -n "${MVNW_USERNAME-}" ] || MVNW_USERNAME='' MVNW_PASSWORD='' ;; 169 | esac 170 | 171 | if [ -z "${MVNW_USERNAME-}" ] && command -v wget > /dev/null; then 172 | verbose "Found wget ... using wget" 173 | wget ${__MVNW_QUIET_WGET:+"$__MVNW_QUIET_WGET"} "$distributionUrl" -O "$TMP_DOWNLOAD_DIR/$distributionUrlName" 174 | elif [ -z "${MVNW_USERNAME-}" ] && command -v curl > /dev/null; then 175 | verbose "Found curl ... using curl" 176 | curl ${__MVNW_QUIET_CURL:+"$__MVNW_QUIET_CURL"} -f -L -o "$TMP_DOWNLOAD_DIR/$distributionUrlName" "$distributionUrl" 177 | elif set_java_home; then 178 | verbose "Falling back to use Java to download" 179 | javaSource="$TMP_DOWNLOAD_DIR/Downloader.java" 180 | targetZip="$TMP_DOWNLOAD_DIR/$distributionUrlName" 181 | cat > "$javaSource" <<-END 182 | public class Downloader extends java.net.Authenticator 183 | { 184 | protected java.net.PasswordAuthentication getPasswordAuthentication() 185 | { 186 | return new java.net.PasswordAuthentication( System.getenv( "MVNW_USERNAME" ), System.getenv( "MVNW_PASSWORD" ).toCharArray() ); 187 | } 188 | public static void main( String[] args ) throws Exception 189 | { 190 | setDefault( new Downloader() ); 191 | java.nio.file.Files.copy( new java.net.URL( args[0] ).openStream(), java.nio.file.Paths.get( args[1] ).toAbsolutePath().normalize() ); 192 | } 193 | } 194 | END 195 | # For Cygwin/MinGW, switch paths to Windows format before running javac and java 196 | verbose " - Compiling Downloader.java ..." 197 | "$(native_path "$JAVACCMD")" "$(native_path "$javaSource")" 198 | verbose " - Running Downloader.java ..." 199 | "$(native_path "$JAVACMD")" -cp "$(native_path "$TMP_DOWNLOAD_DIR")" Downloader "$distributionUrl" "$(native_path "$targetZip")" 200 | fi 201 | 202 | # If specified, validate the SHA-256 sum of the Maven distribution zip file 203 | if [ -n "${distributionSha256Sum-}" ]; then 204 | distributionSha256Result=false 205 | if [ "$MVN_CMD" = mvnd.sh ]; then 206 | echo "Checksum validation is not supported for maven-mvnd." >&2 207 | echo "Please disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties." >&2 208 | exit 1 209 | elif command -v sha256sum > /dev/null; then 210 | if echo "$distributionSha256Sum $TMP_DOWNLOAD_DIR/$distributionUrlName" | sha256sum -c > /dev/null 2>&1; then 211 | distributionSha256Result=true 212 | fi 213 | elif command -v shasum > /dev/null; then 214 | if echo "$distributionSha256Sum $TMP_DOWNLOAD_DIR/$distributionUrlName" | shasum -a 256 -c > /dev/null 2>&1; then 215 | distributionSha256Result=true 216 | fi 217 | else 218 | echo "Checksum validation was requested but neither 'sha256sum' or 'shasum' are available." >&2 219 | echo "Please install either command, or disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties." >&2 220 | exit 1 221 | fi 222 | if [ $distributionSha256Result = false ]; then 223 | echo "Error: Failed to validate Maven distribution SHA-256, your Maven distribution might be compromised." >&2 224 | echo "If you updated your Maven version, you need to update the specified distributionSha256Sum property." >&2 225 | exit 1 226 | fi 227 | fi 228 | 229 | # unzip and move 230 | if command -v unzip > /dev/null; then 231 | unzip ${__MVNW_QUIET_UNZIP:+"$__MVNW_QUIET_UNZIP"} "$TMP_DOWNLOAD_DIR/$distributionUrlName" -d "$TMP_DOWNLOAD_DIR" 232 | else 233 | tar xzf${__MVNW_QUIET_TAR:+"$__MVNW_QUIET_TAR"} "$TMP_DOWNLOAD_DIR/$distributionUrlName" -C "$TMP_DOWNLOAD_DIR" 234 | fi 235 | printf %s\\n "$distributionUrl" > "$TMP_DOWNLOAD_DIR/$distributionUrlNameMain/mvnw.url" 236 | mv -- "$TMP_DOWNLOAD_DIR/$distributionUrlNameMain" "$MAVEN_HOME" || [ -d "$MAVEN_HOME" ] || die "fail to move MAVEN_HOME" 237 | 238 | clean || : 239 | exec_maven "$@" 240 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "CorrelationCount", 3 | "version": "6.1.0", 4 | "description": "Graylog plugin CorrelationCount Web Interface", 5 | "repository": { 6 | "type": "git", 7 | "url": "https://github.com/airbus-cyber/graylog-plugin-correlation-count" 8 | }, 9 | "scripts": { 10 | "build": "webpack --bail" 11 | }, 12 | "keywords": [ 13 | "graylog" 14 | ], 15 | "author": "Airbus CyberSecurity", 16 | "license": "SSPL-1.0", 17 | "dependencies": {}, 18 | "devDependencies": { 19 | "graylog-web-plugin": "file:../graylog2-server/graylog2-web-interface/packages/graylog-web-plugin" 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | 4.0.0 22 | 23 | 24 | org.graylog.plugins 25 | graylog-plugin-web-parent 26 | 6.1.0 27 | 28 | 29 | com.airbus-cyber-security.graylog 30 | graylog-plugin-correlation-count 31 | 6.1.0 32 | jar 33 | ${project.artifactId} 34 | Graylog ${project.artifactId} plugin. 35 | https://github.com/airbus-cyber/graylog-plugin-correlation-count 36 | 37 | 38 | 39 | Server Side Public License (SSPL) version 1 40 | https://www.mongodb.com/licensing/server-side-public-license 41 | 42 | 43 | 44 | 45 | 46 | Airbus CyberSecurity 47 | Airbus CyberSecurity 48 | https://www.airbus-cyber-security.com 49 | 50 | 51 | 52 | 53 | scm:git:git@github.com:airbus-cyber/graylog-plugin-correlation-count.git 54 | scm:git:git@github.com:airbus-cyber/graylog-plugin-correlation-count.git 55 | https://github.com/airbus-cyber/graylog-plugin-correlation-count 56 | HEAD 57 | 58 | 59 | 60 | UTF-8 61 | ${project.parent.version} 62 | /usr/share/graylog-server/plugin 63 | 64 | 65 | 66 | 67 | 68 | io.dropwizard.metrics 69 | metrics-core 70 | ${metrics.version} 71 | runtime 72 | 73 | 74 | com.swrve 75 | rate-limited-logger 76 | 2.0.2 77 | runtime 78 | 79 | 80 | 81 | jakarta.annotation 82 | jakarta.annotation-api 83 | ${jakarta.annotation-api.version} 84 | provided 85 | 86 | 87 | javax.annotation 88 | javax.annotation-api 89 | ${javax.annotation-api.version} 90 | provided 91 | 92 | 93 | org.bouncycastle 94 | bcprov-jdk18on 95 | ${bouncycastle.version} 96 | provided 97 | 98 | 99 | commons-io 100 | commons-io 101 | ${commons-io.version} 102 | provided 103 | 104 | 105 | org.apache.logging.log4j 106 | log4j-core 107 | ${log4j.version} 108 | provided 109 | 110 | 111 | org.slf4j 112 | slf4j-api 113 | ${slf4j.version} 114 | provided 115 | 116 | 117 | joda-time 118 | joda-time 119 | ${joda-time.version} 120 | provided 121 | 122 | 123 | com.google.inject 124 | guice 125 | ${guice.version} 126 | provided 127 | 128 | 129 | com.google.inject.extensions 130 | guice-assistedinject 131 | ${guice.version} 132 | provided 133 | 134 | 135 | com.fasterxml.jackson.core 136 | jackson-annotations 137 | ${jackson.version} 138 | provided 139 | 140 | 141 | com.fasterxml.jackson.core 142 | jackson-databind 143 | ${jackson.version} 144 | provided 145 | 146 | 147 | 148 | org.mongodb 149 | mongodb-driver-sync 150 | ${mongodb-driver.version} 151 | test 152 | 153 | 154 | org.mongodb 155 | mongodb-driver-legacy 156 | ${mongodb-driver.version} 157 | test 158 | 159 | 160 | org.mongojack 161 | mongojack 162 | ${mongojack.version} 163 | test 164 | 165 | 166 | com.eaio.uuid 167 | uuid 168 | 3.2 169 | test 170 | 171 | 172 | junit 173 | junit 174 | ${junit.version} 175 | test 176 | 177 | 178 | org.assertj 179 | assertj-core 180 | ${assertj-core.version} 181 | test 182 | 183 | 184 | org.mockito 185 | mockito-core 186 | ${mockito.version} 187 | test 188 | 189 | 190 | 191 | 192 | 193 | 194 | ${web.build-dir} 195 | 196 | 197 | src/main/resources 198 | true 199 | 200 | 201 | 202 | 210 | 211 | com.mycila 212 | license-maven-plugin 213 | 214 | 215 | 216 |
com/mycila/maven/plugin/license/templates/SSPL-1.txt
217 | 218 | 2018 219 | Airbus CyberSecurity (SAS) 220 | 221 | 222 | **/src/main/java/** 223 | **/src/test/java/** 224 | **/pom.xml 225 | 226 | *.js 227 | src/web/**/*.js 228 | src/web/**/*.jsx 229 | src/web/**/*.ts 230 | src/web/**/*.tsx 231 | src/web/**/*.css 232 | 233 | 234 | *.config.js 235 | 236 |
237 |
238 |
239 | 240 | 241 | 242 | check 243 | 244 | 245 | 246 |
247 | 248 | org.apache.maven.plugins 249 | maven-enforcer-plugin 250 | 251 | 252 | enforce-versions 253 | validate 254 | 255 | enforce 256 | 257 | 258 | true 259 | false 260 | 261 | 262 | 263 | [3.9.0,) 264 | 265 | 266 | [17.0,17.99] 267 | 268 | 269 | unix 270 | 271 | 272 | 273 | 274 | 275 | 276 | 277 | maven-assembly-plugin 278 | 279 | true 280 | 281 | 282 | 283 | org.apache.maven.plugins 284 | maven-jar-plugin 285 | 286 | 287 | 288 | ${project.groupId}.${project.artifactId} 289 | 290 | 291 | target 292 | 293 | 294 | 295 | org.apache.maven.plugins 296 | maven-shade-plugin 297 | 298 | false 299 | 300 | 301 | 302 | 303 | 304 | com.airbus-cyber-security.graylog:* 305 | 306 | 307 | 308 | 309 | 310 | package 311 | 312 | shade 313 | 314 | 315 | 316 | 317 | 318 | org.vafer 319 | jdeb 320 | 321 | ${project.build.directory}/${project.artifactId}-${project.version}.deb 322 | 323 | 324 | ${project.build.directory}/${project.build.finalName}.jar 325 | file 326 | 327 | perm 328 | ${graylog.plugin-dir} 329 | 644 330 | root 331 | root 332 | 333 | 334 | 335 | true 336 | dpkg-sig 337 | builder 338 | 339 | 340 | 341 | org.codehaus.mojo 342 | rpm-maven-plugin 343 | 344 | Application/Internet 345 | 346 | /usr 347 | 348 | 349 | _unpackaged_files_terminate_build 0 350 | _binaries_in_noarch_packages_terminate_build 0 351 | 352 | 644 353 | 755 354 | root 355 | root 356 | 357 | 358 | ${graylog.plugin-dir} 359 | 360 | 361 | ${project.build.directory}/ 362 | 363 | ${project.build.finalName}.jar 364 | 365 | 366 | 367 | 368 | 369 | 370 | 371 | 372 | org.apache.maven.plugins 373 | maven-gpg-plugin 374 | 375 | 376 | sign-artifacts 377 | verify 378 | 379 | sign 380 | 381 | 382 | 383 | --pinentry-mode 384 | loopback 385 | 386 | 387 | 388 | 389 | 390 | 391 | org.apache.maven.plugins 392 | maven-source-plugin 393 | 394 | 395 | attach-sources 396 | 397 | jar-no-fork 398 | 399 | 400 | 401 | 402 | 403 | org.apache.maven.plugins 404 | maven-javadoc-plugin 405 | 406 | -missing 407 | 408 | 409 | 410 | attach-javadocs 411 | 412 | jar 413 | 414 | 415 | 416 | 417 | 418 | org.sonatype.central 419 | central-publishing-maven-plugin 420 | 0.7.0 421 | true 422 | 423 | central 424 | true 425 | published 426 | 427 | 428 |
429 |
430 |
431 | -------------------------------------------------------------------------------- /runtime/docker-compose.yml: -------------------------------------------------------------------------------- 1 | # sources of inspiration for this file 2 | # * https://go2docs.graylog.org/5-1/downloading_and_installing_graylog/docker_installation.htm 3 | # * https://github.com/Graylog2/docker-compose 4 | 5 | services: 6 | 7 | # MongoDB: https://hub.docker.com/_/mongo/ 8 | mongo: 9 | image: "mongo:6.0" 10 | container_name: mongo 11 | 12 | # OpenSearch: 13 | # * https://hub.docker.com/r/opensearchproject/opensearch 14 | # * https://opensearch.org/docs/2.15/install-and-configure/install-opensearch/docker/#sample-docker-composeyml 15 | # * Bump 2.15.0 : https://graylog.org/post/announcing-graylog-v6-1/ 16 | opensearch: 17 | image: "opensearchproject/opensearch:2.15.0" 18 | container_name: opensearch2.15 19 | environment: 20 | - plugins.security.disabled=true 21 | - discovery.type=single-node 22 | - action.auto_create_index=false 23 | - bootstrap.memory_lock=true 24 | - OPENSEARCH_INITIAL_ADMIN_PASSWORD=T3st-P@ssword! 25 | ulimits: 26 | memlock: 27 | soft: -1 28 | hard: -1 29 | 30 | # Graylog: https://hub.docker.com/r/graylog/graylog/ 31 | graylog: 32 | image: "graylog/graylog:6.1.0" 33 | container_name: graylog 34 | links: 35 | - mongo:mongo 36 | - opensearch 37 | depends_on: 38 | - mongo 39 | - opensearch 40 | ports: 41 | # Graylog web interface and REST API 42 | - 9000:9000 43 | # Raw/Plaintext TCP 44 | - 5555:5555 45 | # Syslog TCP 46 | - 514:514 47 | # Syslog UDP 48 | - 514:514/udp 49 | # GELF TCP 50 | - 12201:12201 51 | # GELF UDP 52 | - 12201:12201/udp 53 | volumes: 54 | - ./graylog/config:/usr/share/graylog/data/config 55 | - ./graylog/plugin:/usr/share/graylog/plugin/ 56 | -------------------------------------------------------------------------------- /runtime/graylog/config/log4j2.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /runtime/graylog/config/node-id: -------------------------------------------------------------------------------- 1 | dd18c58a-f4b5-46ba-85b0-1a7cebb33b79 -------------------------------------------------------------------------------- /src/deb/control/control: -------------------------------------------------------------------------------- 1 | Package: [[name]] 2 | Version: [[version]] 3 | Architecture: all 4 | Maintainer: Airbus CyberSecurity 5 | Section: web 6 | Priority: optional 7 | Depends: graylog-server 8 | Description: [[description]] 9 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/CorrelationCountMetaData.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | package com.airbus_cyber_security.graylog; 19 | 20 | import org.graylog2.plugin.PluginMetaData; 21 | import org.graylog2.plugin.ServerStatus; 22 | import org.graylog2.plugin.Version; 23 | 24 | import java.net.URI; 25 | import java.util.Collections; 26 | import java.util.Set; 27 | 28 | /** 29 | * Implement the PluginMetaData interface here. 30 | */ 31 | public class CorrelationCountMetaData implements PluginMetaData { 32 | private static final String PLUGIN_PROPERTIES = "com.airbus-cyber-security.graylog.graylog-plugin-correlation-count/graylog-plugin.properties"; 33 | 34 | @Override 35 | public String getUniqueId() { 36 | return "com.airbus-cyber-security.graylog.CorrelationCountPlugin"; 37 | } 38 | 39 | @Override 40 | public String getName() { 41 | return "Correlation Count Alert Condition"; 42 | } 43 | 44 | @Override 45 | public String getAuthor() { 46 | return "Airbus CyberSecurity"; 47 | } 48 | 49 | @Override 50 | public URI getURL() { 51 | return URI.create("https://www.airbus-cyber-security.com"); 52 | } 53 | 54 | @Override 55 | public Version getVersion() { 56 | return Version.fromPluginProperties(getClass(), PLUGIN_PROPERTIES, "version", Version.from(0, 0, 1, "unknown")); 57 | } 58 | 59 | @Override 60 | public String getDescription() { 61 | return "This condition is triggered when there are more or less messages than the threshold."; 62 | } 63 | 64 | @Override 65 | public Version getRequiredVersion() { 66 | return Version.fromPluginProperties(getClass(), PLUGIN_PROPERTIES, "graylog.version", Version.from(5, 0, 0)); 67 | } 68 | 69 | @Override 70 | public Set getRequiredCapabilities() { 71 | return Collections.emptySet(); 72 | } 73 | } 74 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/CorrelationCountPlugin.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | package com.airbus_cyber_security.graylog; 19 | 20 | import com.airbus_cyber_security.graylog.events.CorrelationCountModule; 21 | import org.graylog2.plugin.Plugin; 22 | import org.graylog2.plugin.PluginMetaData; 23 | import org.graylog2.plugin.PluginModule; 24 | 25 | import java.util.Arrays; 26 | import java.util.Collection; 27 | 28 | public class CorrelationCountPlugin implements Plugin { 29 | @Override 30 | public PluginMetaData metadata() { 31 | return new CorrelationCountMetaData(); 32 | } 33 | 34 | @Override 35 | public Collection modules () { 36 | return Arrays.asList(new CorrelationCountModule()); 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/events/CorrelationCountModule.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | package com.airbus_cyber_security.graylog.events; 19 | 20 | import java.util.Collections; 21 | import java.util.Set; 22 | 23 | import com.airbus_cyber_security.graylog.events.contentpack.entities.CorrelationCountProcessorConfigEntity; 24 | import com.airbus_cyber_security.graylog.events.processor.correlation.CorrelationCountProcessor; 25 | import com.airbus_cyber_security.graylog.events.processor.correlation.CorrelationCountProcessorParameters; 26 | import com.airbus_cyber_security.graylog.events.processor.correlation.CorrelationCountProcessorConfig; 27 | import org.graylog2.plugin.PluginConfigBean; 28 | import org.graylog2.plugin.PluginModule; 29 | 30 | public class CorrelationCountModule extends PluginModule { 31 | /** 32 | * Returns all configuration beans required by this plugin. 33 | * 34 | * Implementing this method is optional. The default method returns an empty {@link Set}. 35 | */ 36 | @Override 37 | public Set getConfigBeans() { 38 | return Collections.emptySet(); 39 | } 40 | 41 | @Override 42 | protected void configure() { 43 | registerJacksonSubtype(CorrelationCountProcessorConfigEntity.class, 44 | CorrelationCountProcessorConfigEntity.TYPE_NAME); 45 | 46 | addEventProcessor(CorrelationCountProcessorConfig.TYPE_NAME, 47 | CorrelationCountProcessor.class, 48 | CorrelationCountProcessor.Factory.class, 49 | CorrelationCountProcessorConfig.class, 50 | CorrelationCountProcessorParameters.class); 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/events/contentpack/entities/CorrelationCountProcessorConfigEntity.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | package com.airbus_cyber_security.graylog.events.contentpack.entities; 19 | 20 | import com.airbus_cyber_security.graylog.events.processor.correlation.CorrelationCountProcessorConfig; 21 | import com.airbus_cyber_security.graylog.events.processor.correlation.checks.OrderType; 22 | import com.fasterxml.jackson.annotation.JsonCreator; 23 | import com.fasterxml.jackson.annotation.JsonProperty; 24 | import com.fasterxml.jackson.annotation.JsonTypeName; 25 | import com.fasterxml.jackson.databind.annotation.JsonDeserialize; 26 | import com.google.auto.value.AutoValue; 27 | import org.graylog.events.contentpack.entities.EventProcessorConfigEntity; 28 | import org.graylog.events.processor.EventProcessorConfig; 29 | import org.graylog2.contentpacks.model.entities.EntityDescriptor; 30 | import org.graylog2.contentpacks.model.entities.references.ValueReference; 31 | 32 | import java.util.List; 33 | import java.util.Map; 34 | 35 | @AutoValue 36 | @JsonTypeName(CorrelationCountProcessorConfigEntity.TYPE_NAME) 37 | @JsonDeserialize(builder = CorrelationCountProcessorConfigEntity.Builder.class) 38 | public abstract class CorrelationCountProcessorConfigEntity implements EventProcessorConfigEntity { 39 | 40 | public static final String TYPE_NAME = "correlation-count"; 41 | 42 | private static final String FIELD_STREAM = "stream"; 43 | private static final String FIELD_ADDITIONAL_STREAM = "additional_stream"; 44 | private static final String FIELD_ADDITIONAL_THRESHOLD_TYPE = "additional_threshold_type"; 45 | private static final String FIELD_ADDITIONAL_THRESHOLD = "additional_threshold"; 46 | private static final String FIELD_THRESHOLD_TYPE = "threshold_type"; 47 | private static final String FIELD_THRESHOLD = "threshold"; 48 | private static final String FIELD_MESSAGES_ORDER = "messages_order"; 49 | private static final String FIELD_SEARCH_WITHIN_MS = "search_within_ms"; 50 | private static final String FIELD_EXECUTE_EVERY_MS = "execute_every_ms"; 51 | private static final String FIELD_GROUPING_FIELDS = "grouping_fields"; 52 | private static final String FIELD_COMMENT = "comment"; 53 | private static final String FIELD_SEARCH_QUERY = "search_query"; 54 | private static final String FIELD_ADDITIONAL_SEARCH_QUERY = "additional_search_query"; 55 | 56 | @JsonProperty(FIELD_STREAM) 57 | public abstract ValueReference stream(); 58 | 59 | @JsonProperty(FIELD_ADDITIONAL_STREAM) 60 | public abstract ValueReference additionalStream(); 61 | 62 | @JsonProperty(FIELD_ADDITIONAL_THRESHOLD_TYPE) 63 | public abstract ValueReference additionalThresholdType(); 64 | 65 | @JsonProperty(FIELD_ADDITIONAL_THRESHOLD) 66 | public abstract int additionalThreshold(); 67 | 68 | @JsonProperty(FIELD_THRESHOLD_TYPE) 69 | public abstract ValueReference thresholdType(); 70 | 71 | @JsonProperty(FIELD_THRESHOLD) 72 | public abstract int threshold(); 73 | 74 | @JsonProperty(FIELD_MESSAGES_ORDER) 75 | public abstract ValueReference messagesOrder(); 76 | 77 | @JsonProperty(FIELD_SEARCH_WITHIN_MS) 78 | public abstract long searchWithinMs(); 79 | 80 | @JsonProperty(FIELD_EXECUTE_EVERY_MS) 81 | public abstract long executeEveryMs(); 82 | 83 | @JsonProperty(FIELD_GROUPING_FIELDS) 84 | public abstract List groupingFields(); 85 | 86 | @JsonProperty(FIELD_COMMENT) 87 | public abstract ValueReference comment(); 88 | 89 | @JsonProperty(FIELD_SEARCH_QUERY) 90 | public abstract ValueReference searchQuery(); 91 | 92 | @JsonProperty(value = FIELD_ADDITIONAL_SEARCH_QUERY) 93 | public abstract ValueReference additionalSearchQuery(); 94 | 95 | public static Builder builder() { 96 | return Builder.create(); 97 | } 98 | 99 | public abstract Builder toBuilder(); 100 | 101 | @AutoValue.Builder 102 | public static abstract class Builder implements EventProcessorConfigEntity.Builder { 103 | @JsonCreator 104 | public static Builder create() { 105 | return new AutoValue_CorrelationCountProcessorConfigEntity.Builder() 106 | .type(TYPE_NAME); 107 | } 108 | 109 | @JsonProperty(FIELD_STREAM) 110 | public abstract Builder stream(ValueReference stream); 111 | 112 | @JsonProperty(FIELD_ADDITIONAL_STREAM) 113 | public abstract Builder additionalStream(ValueReference additionalStream); 114 | 115 | @JsonProperty(FIELD_ADDITIONAL_THRESHOLD_TYPE) 116 | public abstract Builder additionalThresholdType(ValueReference additionalThresholdType); 117 | 118 | @JsonProperty(FIELD_ADDITIONAL_THRESHOLD) 119 | public abstract Builder additionalThreshold(int additionalThreshold); 120 | 121 | @JsonProperty(FIELD_THRESHOLD_TYPE) 122 | public abstract Builder thresholdType(ValueReference thresholdType); 123 | 124 | @JsonProperty(FIELD_THRESHOLD) 125 | public abstract Builder threshold(int threshold); 126 | 127 | @JsonProperty(FIELD_MESSAGES_ORDER) 128 | public abstract Builder messagesOrder(ValueReference messagesOrder); 129 | 130 | @JsonProperty(FIELD_SEARCH_WITHIN_MS) 131 | public abstract Builder searchWithinMs(long searchWithinMs); 132 | 133 | @JsonProperty(FIELD_EXECUTE_EVERY_MS) 134 | public abstract Builder executeEveryMs(long executeEveryMs); 135 | 136 | @JsonProperty(FIELD_GROUPING_FIELDS) 137 | public abstract Builder groupingFields(List groupingFields); 138 | 139 | @JsonProperty(FIELD_COMMENT) 140 | public abstract Builder comment(ValueReference comment); 141 | 142 | @JsonProperty(FIELD_SEARCH_QUERY) 143 | public abstract Builder searchQuery(ValueReference searchQuery); 144 | 145 | @JsonProperty(value = FIELD_ADDITIONAL_SEARCH_QUERY) 146 | public abstract Builder additionalSearchQuery(ValueReference additionalSearchQuery); 147 | 148 | public abstract CorrelationCountProcessorConfigEntity build(); 149 | } 150 | 151 | @Override 152 | public EventProcessorConfig toNativeEntity(Map parameters, Map nativeEntities) { 153 | return CorrelationCountProcessorConfig.builder() 154 | .stream(stream().asString(parameters)) 155 | .additionalStream(additionalStream().asString(parameters)) 156 | .additionalThresholdType(additionalThresholdType().asString(parameters)) 157 | .additionalThreshold(additionalThreshold()) 158 | .thresholdType(thresholdType().asString(parameters)) 159 | .threshold(threshold()) 160 | .messagesOrder(OrderType.fromString(messagesOrder().asString(parameters))) 161 | .searchWithinMs(searchWithinMs()) 162 | .executeEveryMs(executeEveryMs()) 163 | .groupingFields(groupingFields()) 164 | .comment(comment().asString(parameters)) 165 | .searchQuery(searchQuery().asString(parameters)) 166 | .additionalSearchQuery(additionalSearchQuery().asString(parameters)) 167 | .build(); 168 | } 169 | } 170 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/events/processor/correlation/CorrelationCountProcessor.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | package com.airbus_cyber_security.graylog.events.processor.correlation; 19 | 20 | import com.airbus_cyber_security.graylog.events.processor.correlation.checks.CorrelationCountCheck; 21 | import com.airbus_cyber_security.graylog.events.processor.correlation.checks.CorrelationCountResult; 22 | import com.airbus_cyber_security.graylog.events.processor.correlation.checks.CorrelationCountSearches; 23 | import com.airbus_cyber_security.graylog.events.processor.correlation.checks.OrderType; 24 | import com.google.common.collect.ImmutableList; 25 | import com.google.common.collect.Lists; 26 | import com.google.inject.assistedinject.Assisted; 27 | import org.graylog.events.event.Event; 28 | import org.graylog.events.event.EventFactory; 29 | import org.graylog.events.event.EventWithContext; 30 | import org.graylog.events.processor.DBEventProcessorStateService; 31 | import org.graylog.events.processor.EventConsumer; 32 | import org.graylog.events.processor.EventDefinition; 33 | import org.graylog.events.processor.EventProcessor; 34 | import org.graylog.events.processor.EventProcessorDependencyCheck; 35 | import org.graylog.events.processor.EventProcessorException; 36 | import org.graylog.events.processor.EventProcessorParameters; 37 | import org.graylog.events.processor.EventProcessorPreconditionException; 38 | import org.graylog2.plugin.Message; 39 | import org.graylog2.plugin.MessageFactory; 40 | import org.graylog2.plugin.MessageSummary; 41 | import org.graylog2.plugin.indexer.searches.timeranges.AbsoluteRange; 42 | import org.graylog2.plugin.indexer.searches.timeranges.TimeRange; 43 | import org.joda.time.DateTime; 44 | import org.slf4j.Logger; 45 | import org.slf4j.LoggerFactory; 46 | 47 | import jakarta.inject.Inject; 48 | 49 | import java.util.Collection; 50 | import java.util.HashMap; 51 | import java.util.List; 52 | import java.util.Locale; 53 | import java.util.Map; 54 | import java.util.function.Consumer; 55 | 56 | // sources of inspiration: 57 | // * org.graylog.events.processor.aggregation.AggregationEventProcessor 58 | public class CorrelationCountProcessor implements EventProcessor { 59 | public interface Factory extends EventProcessor.Factory { 60 | @Override 61 | CorrelationCountProcessor create(EventDefinition eventDefinition); 62 | } 63 | 64 | private static final Logger LOG = LoggerFactory.getLogger(CorrelationCountProcessor.class); 65 | 66 | private final EventDefinition eventDefinition; 67 | private final EventProcessorDependencyCheck dependencyCheck; 68 | private final DBEventProcessorStateService stateService; 69 | private final CorrelationCountProcessorConfig configuration; 70 | private final CorrelationCountCheck correlationCountCheck; 71 | private final CorrelationCountSearches correlationCountSearches; 72 | private final MessageFactory messageFactory; 73 | 74 | @Inject 75 | public CorrelationCountProcessor(@Assisted EventDefinition eventDefinition, EventProcessorDependencyCheck dependencyCheck, 76 | DBEventProcessorStateService stateService, CorrelationCountSearches correlationCountSearches, MessageFactory messageFactory) { 77 | this.eventDefinition = eventDefinition; 78 | this.dependencyCheck = dependencyCheck; 79 | this.stateService = stateService; 80 | this.configuration = (CorrelationCountProcessorConfig) eventDefinition.config(); 81 | this.correlationCountCheck = new CorrelationCountCheck(this.configuration); 82 | this.correlationCountSearches = correlationCountSearches; 83 | this.messageFactory = messageFactory; 84 | } 85 | 86 | @Override 87 | public void createEvents(EventFactory eventFactory, EventProcessorParameters eventProcessorParameters, EventConsumer> eventConsumer) throws EventProcessorException { 88 | TimeRange timerange = getTimeRangeFromParameters(eventProcessorParameters); 89 | 90 | // TODO: We have to take the Elasticsearch index.refresh_interval into account here! 91 | if (!dependencyCheck.hasMessagesIndexedUpTo(timerange)) { 92 | String msg = String.format(Locale.ROOT, "Couldn't run correlation count <%s/%s> for timerange <%s to %s> because required messages haven't been indexed, yet.", 93 | this.eventDefinition.title(), this.eventDefinition.id(), timerange.getFrom(), timerange.getTo()); 94 | throw new EventProcessorPreconditionException(msg, this.eventDefinition); 95 | } 96 | 97 | List results = runCheck(timerange); 98 | List events = eventsFromCorrelationResults(eventFactory, results); 99 | eventConsumer.accept(events); 100 | // Update the state for this processor! This state will be used for dependency checks between event processors. 101 | this.stateService.setState(this.eventDefinition.id(), timerange.getFrom(), timerange.getTo()); 102 | } 103 | 104 | private ImmutableList eventsFromCorrelationResults(EventFactory eventFactory, List results) throws EventProcessorException { 105 | ImmutableList.Builder listEvents = ImmutableList.builder(); 106 | 107 | for (CorrelationCountResult result: results) { 108 | Map groupByFields = associateGroupByFields(result.getGroupByFields()); 109 | 110 | String resultDescription = getResultDescription(result.getFirstStreamCount(), result.getSecondStreamCount()); 111 | Message message = messageFactory.createMessage(resultDescription, "", result.getTimestamp()); 112 | for (Map.Entry groupBy: groupByFields.entrySet()) { 113 | message.addField(groupBy.getKey(), groupBy.getValue()); 114 | } 115 | 116 | // see https://github.com/Graylog2/graylog2-server/blob/5.0.0/graylog2-server/src/main/java/org/graylog/events/processor/aggregation/AggregationEventProcessor.java#L281 117 | Event event = eventFactory.createEvent(this.eventDefinition, result.getTimestamp(), resultDescription); 118 | event.addSourceStream(this.configuration.stream()); 119 | event.addSourceStream(this.configuration.additionalStream()); 120 | 121 | event.setTimerangeStart(this.calculateTimerangeStartFromTimestamp(result.getTimestamp())); 122 | event.setTimerangeEnd(result.getTimestamp()); 123 | event.setGroupByFields(groupByFields); 124 | 125 | EventWithContext eventWithContext = EventWithContext.create(event, message); 126 | listEvents.add(eventWithContext); 127 | } 128 | return listEvents.build(); 129 | } 130 | 131 | private String getResultDescription(long countMainStream, long countAdditionalStream) { 132 | String msgCondition; 133 | if (this.configuration.messagesOrder().equals(OrderType.ANY)) { 134 | msgCondition = "and"; 135 | } else { 136 | msgCondition = this.configuration.messagesOrder().getDescription(); 137 | } 138 | 139 | String resultDescription = "The additional stream had " + countAdditionalStream + " messages with trigger condition " 140 | + this.configuration.additionalThresholdType().toLowerCase(Locale.ENGLISH) + " than " + this.configuration.additionalThreshold() 141 | + " messages " + msgCondition + " the main stream had " + countMainStream + " messages with trigger condition " 142 | + this.configuration.thresholdType().toLowerCase(Locale.ENGLISH) + " than " + this.configuration.threshold() + " messages in the last " + this.configuration.searchWithinMs() + " milliseconds"; 143 | 144 | if (!this.configuration.groupingFields().isEmpty()) { 145 | resultDescription = resultDescription + " with the same value of the fields " + String.join(", ", this.configuration.groupingFields()); 146 | } 147 | 148 | return resultDescription + ". (Executes every: " + this.configuration.executeEveryMs() + " milliseconds)"; 149 | } 150 | 151 | private TimeRange getTimeRangeFromParameters(EventProcessorParameters eventProcessorParameters) { 152 | CorrelationCountProcessorParameters parameters = (CorrelationCountProcessorParameters) eventProcessorParameters; 153 | return parameters.timerange(); 154 | } 155 | 156 | @Override 157 | public void sourceMessagesForEvent(Event event, Consumer> messageConsumer, long limit) { 158 | if (limit <= 0) { 159 | return; 160 | } 161 | TimeRange timeRange = AbsoluteRange.create(event.getTimerangeStart(), event.getTimerangeEnd()); 162 | Map groupByFields = event.getGroupByFields(); 163 | String searchQuery = this.configuration.searchQuery(); 164 | String additionalSearchQuery = this.configuration.additionalSearchQuery(); 165 | List summariesMainStream = this.correlationCountSearches.searchMessages(searchQuery, groupByFields, this.configuration.stream(), timeRange); 166 | List summariesAdditionalStream = this.correlationCountSearches.searchMessages(additionalSearchQuery, groupByFields, this.configuration.additionalStream(), timeRange); 167 | List summaries = Lists.newArrayList(); 168 | summaries.addAll(summariesMainStream); 169 | summaries.addAll(summariesAdditionalStream); 170 | messageConsumer.accept(summaries); 171 | } 172 | 173 | private Map associateGroupByFields(List groupByFields) throws EventProcessorException { 174 | Map fields = new HashMap<>(); 175 | List fieldNames = this.configuration.groupingFields(); 176 | for (int i = 0; i < fieldNames.size(); i++) { 177 | String name = fieldNames.get(i); 178 | try { 179 | String value = groupByFields.get(i); 180 | fields.put(name, value); 181 | } catch (IndexOutOfBoundsException e) { 182 | LOG.error("Expected {} groupBy fields in search result, but got {}", configuration.groupingFields().size(), groupByFields); 183 | throw new EventProcessorException("Couldn't create events for: " + this.eventDefinition.title(), true, this.eventDefinition.id(), this.eventDefinition, e); 184 | } 185 | } 186 | return fields; 187 | } 188 | 189 | private ImmutableList runCheck(TimeRange timeRange) throws EventProcessorException { 190 | Collection matchedResults = this.correlationCountSearches.count(timeRange, this.configuration, this.eventDefinition); 191 | 192 | ImmutableList.Builder results = ImmutableList.builder(); 193 | for (CorrelationCountResult matchedResult: matchedResults) { 194 | long firstStreamCount = matchedResult.getFirstStreamCount(); 195 | long secondStreamCount = matchedResult.getSecondStreamCount(); 196 | if (!this.correlationCountCheck.thresholdsAreReached(firstStreamCount, secondStreamCount)) { 197 | continue; 198 | } 199 | Map groupByFields = associateGroupByFields(matchedResult.getGroupByFields()); 200 | TimeRange searchTimeRange = buildSearchTimeRange(matchedResult.getTimestamp()); 201 | 202 | String searchQuery = this.configuration.searchQuery(); 203 | String additionalSearchQuery = this.configuration.additionalSearchQuery(); 204 | List summariesMainStream = this.correlationCountSearches.searchMessages(searchQuery, groupByFields, this.configuration.stream(), searchTimeRange); 205 | List summariesAdditionalStream = this.correlationCountSearches.searchMessages(additionalSearchQuery, groupByFields, this.configuration.additionalStream(), searchTimeRange); 206 | 207 | if (!this.correlationCountCheck.isRuleTriggered(summariesMainStream, summariesAdditionalStream)) { 208 | continue; 209 | } 210 | 211 | results.add(matchedResult); 212 | } 213 | return results.build(); 214 | } 215 | 216 | private DateTime calculateTimerangeStartFromTimestamp(DateTime to) { 217 | // see https://github.com/Graylog2/graylog2-server/blob/5.0.0/graylog2-server/src/main/java/org/graylog/events/processor/aggregation/AggregationEventProcessor.java#L284 218 | return to.minus(this.configuration.searchWithinMs()); 219 | } 220 | 221 | private TimeRange buildSearchTimeRange(DateTime to) { 222 | DateTime from = this.calculateTimerangeStartFromTimestamp(to); 223 | return AbsoluteRange.create(from, to); 224 | } 225 | } 226 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/events/processor/correlation/CorrelationCountProcessorConfig.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | package com.airbus_cyber_security.graylog.events.processor.correlation; 19 | 20 | // sources of inspiration: org.graylog.events.processor.aggregation.AggregationEventProcessorConfig 21 | 22 | import com.airbus_cyber_security.graylog.events.contentpack.entities.CorrelationCountProcessorConfigEntity; 23 | import com.airbus_cyber_security.graylog.events.processor.correlation.checks.OrderType; 24 | import com.fasterxml.jackson.annotation.JsonCreator; 25 | import com.fasterxml.jackson.annotation.JsonProperty; 26 | import com.fasterxml.jackson.annotation.JsonTypeName; 27 | import com.fasterxml.jackson.databind.annotation.JsonDeserialize; 28 | import com.google.auto.value.AutoValue; 29 | import org.graylog.events.contentpack.entities.EventProcessorConfigEntity; 30 | import org.graylog.events.processor.EventDefinition; 31 | import org.graylog.events.processor.EventProcessorConfig; 32 | import org.graylog.events.processor.EventProcessorExecutionJob; 33 | import org.graylog.events.processor.EventProcessorSchedulerConfig; 34 | import org.graylog.scheduler.clock.JobSchedulerClock; 35 | import org.graylog.scheduler.schedule.IntervalJobSchedule; 36 | import org.graylog2.contentpacks.EntityDescriptorIds; 37 | import org.graylog2.contentpacks.model.entities.references.ValueReference; 38 | import org.graylog2.plugin.indexer.searches.timeranges.AbsoluteRange; 39 | import org.graylog2.plugin.rest.ValidationResult; 40 | import org.joda.time.DateTime; 41 | 42 | import java.util.List; 43 | import java.util.Optional; 44 | import java.util.concurrent.TimeUnit; 45 | 46 | @AutoValue 47 | @JsonTypeName(CorrelationCountProcessorConfig.TYPE_NAME) 48 | @JsonDeserialize(builder = CorrelationCountProcessorConfig.Builder.class) 49 | public abstract class CorrelationCountProcessorConfig implements EventProcessorConfig { 50 | public static final String TYPE_NAME = "correlation-count"; 51 | 52 | private static final String FIELD_STREAM = "stream"; 53 | private static final String FIELD_ADDITIONAL_STREAM = "additional_stream"; 54 | private static final String FIELD_ADDITIONAL_THRESHOLD_TYPE = "additional_threshold_type"; 55 | private static final String FIELD_ADDITIONAL_THRESHOLD = "additional_threshold"; 56 | private static final String FIELD_THRESHOLD_TYPE = "threshold_type"; 57 | private static final String FIELD_THRESHOLD = "threshold"; 58 | private static final String FIELD_MESSAGES_ORDER = "messages_order"; 59 | private static final String FIELD_GROUPING_FIELDS = "grouping_fields"; 60 | private static final String FIELD_COMMENT = "comment"; 61 | private static final String FIELD_SEARCH_QUERY = "search_query"; 62 | private static final String FIELD_SEARCH_WITHIN_MS = "search_within_ms"; 63 | private static final String FIELD_EXECUTE_EVERY_MS = "execute_every_ms"; 64 | private static final String FIELD_ADDITIONAL_SEARCH_QUERY = "additional_search_query"; 65 | 66 | @JsonProperty(FIELD_STREAM) 67 | public abstract String stream(); 68 | 69 | @JsonProperty(FIELD_ADDITIONAL_STREAM) 70 | public abstract String additionalStream(); 71 | 72 | // TODO should directly be an enum 73 | @JsonProperty(FIELD_ADDITIONAL_THRESHOLD_TYPE) 74 | public abstract String additionalThresholdType(); 75 | 76 | @JsonProperty(FIELD_ADDITIONAL_THRESHOLD) 77 | public abstract int additionalThreshold(); 78 | 79 | // TODO should directly be an enum 80 | @JsonProperty(FIELD_THRESHOLD_TYPE) 81 | public abstract String thresholdType(); 82 | 83 | @JsonProperty(FIELD_THRESHOLD) 84 | public abstract int threshold(); 85 | 86 | @JsonProperty(FIELD_MESSAGES_ORDER) 87 | public abstract OrderType messagesOrder(); 88 | 89 | @JsonProperty(FIELD_SEARCH_WITHIN_MS) 90 | public abstract long searchWithinMs(); 91 | 92 | @JsonProperty(FIELD_EXECUTE_EVERY_MS) 93 | public abstract long executeEveryMs(); 94 | 95 | @JsonProperty(FIELD_GROUPING_FIELDS) 96 | public abstract List groupingFields(); 97 | 98 | @JsonProperty(FIELD_COMMENT) 99 | public abstract String comment(); 100 | 101 | @JsonProperty(FIELD_SEARCH_QUERY) 102 | public abstract String searchQuery(); 103 | 104 | @JsonProperty(FIELD_ADDITIONAL_SEARCH_QUERY) 105 | public abstract String additionalSearchQuery(); 106 | 107 | public static Builder builder() { 108 | return Builder.create(); 109 | } 110 | 111 | public abstract Builder toBuilder(); 112 | 113 | @Override 114 | public Optional toJobSchedulerConfig(EventDefinition eventDefinition, JobSchedulerClock clock) { 115 | final DateTime now = clock.nowUTC(); 116 | 117 | // We need an initial timerange for the first execution of the event processor 118 | final AbsoluteRange timerange = AbsoluteRange.create(now.minus(searchWithinMs()), now); 119 | 120 | final EventProcessorExecutionJob.Config jobDefinitionConfig = EventProcessorExecutionJob.Config.builder() 121 | .eventDefinitionId(eventDefinition.id()) 122 | .processingWindowSize(searchWithinMs()) 123 | .processingHopSize(executeEveryMs()) 124 | .parameters(CorrelationCountProcessorParameters.builder() 125 | .timerange(timerange) 126 | .build()) 127 | .build(); 128 | final IntervalJobSchedule schedule = IntervalJobSchedule.builder() 129 | .interval(executeEveryMs()) 130 | .unit(TimeUnit.MILLISECONDS) 131 | .build(); 132 | 133 | return Optional.of(EventProcessorSchedulerConfig.create(jobDefinitionConfig, schedule)); 134 | } 135 | 136 | @AutoValue.Builder 137 | public static abstract class Builder implements EventProcessorConfig.Builder { 138 | @JsonCreator 139 | public static Builder create() { 140 | return new AutoValue_CorrelationCountProcessorConfig.Builder() 141 | .type(TYPE_NAME); 142 | } 143 | 144 | @JsonProperty(FIELD_STREAM) 145 | public abstract Builder stream(String stream); 146 | 147 | @JsonProperty(FIELD_ADDITIONAL_STREAM) 148 | public abstract Builder additionalStream(String additionalStream); 149 | 150 | @JsonProperty(FIELD_ADDITIONAL_THRESHOLD_TYPE) 151 | public abstract Builder additionalThresholdType(String additionalThresholdType); 152 | 153 | @JsonProperty(FIELD_ADDITIONAL_THRESHOLD) 154 | public abstract Builder additionalThreshold(int additionalThreshold); 155 | 156 | @JsonProperty(FIELD_THRESHOLD_TYPE) 157 | public abstract Builder thresholdType(String thresholdType); 158 | 159 | @JsonProperty(FIELD_THRESHOLD) 160 | public abstract Builder threshold(int threshold); 161 | 162 | @JsonProperty(FIELD_MESSAGES_ORDER) 163 | public abstract Builder messagesOrder(OrderType messagesOrder); 164 | 165 | @JsonProperty(FIELD_SEARCH_WITHIN_MS) 166 | public abstract Builder searchWithinMs(long searchWithinMs); 167 | 168 | @JsonProperty(FIELD_EXECUTE_EVERY_MS) 169 | public abstract Builder executeEveryMs(long executeEveryMs); 170 | 171 | @JsonProperty(FIELD_GROUPING_FIELDS) 172 | public abstract Builder groupingFields(List groupingFields); 173 | 174 | @JsonProperty(FIELD_COMMENT) 175 | public abstract Builder comment(String comment); 176 | 177 | @JsonProperty(FIELD_SEARCH_QUERY) 178 | public abstract Builder searchQuery(String searchQuery); 179 | 180 | @JsonProperty(FIELD_ADDITIONAL_SEARCH_QUERY) 181 | public abstract Builder additionalSearchQuery(String additionalSearchQuery); 182 | 183 | public abstract CorrelationCountProcessorConfig build(); 184 | } 185 | 186 | @Override 187 | public ValidationResult validate() { 188 | ValidationResult validationResult = new ValidationResult(); 189 | 190 | if (searchWithinMs() <= 0) { 191 | validationResult.addError(FIELD_SEARCH_WITHIN_MS, 192 | "Correlation Count Alert Condition search_within_ms must be greater than 0."); 193 | } 194 | if (executeEveryMs() <= 0) { 195 | validationResult.addError(FIELD_EXECUTE_EVERY_MS, 196 | "Filter & Aggregation execute_every_ms must be greater than 0."); 197 | } 198 | if (stream() == null || stream().isEmpty()) { 199 | validationResult.addError(FIELD_STREAM, "Stream is mandatory"); 200 | } 201 | if (additionalStream() == null || additionalStream().isEmpty()) { 202 | validationResult.addError(FIELD_ADDITIONAL_STREAM, "Additional stream is mandatory"); 203 | } 204 | if (additionalThresholdType() == null || additionalThresholdType().isEmpty()) { 205 | validationResult.addError(FIELD_ADDITIONAL_THRESHOLD_TYPE, "Additional threshold type is mandatory"); 206 | } 207 | if (additionalThreshold() < 0) { 208 | validationResult.addError(FIELD_ADDITIONAL_THRESHOLD, "Additional threshold must be greater than 0."); 209 | } 210 | if (thresholdType() == null || thresholdType().isEmpty()) { 211 | validationResult.addError(FIELD_THRESHOLD_TYPE, "Threshold type is mandatory"); 212 | } 213 | if (threshold() < 0) { 214 | validationResult.addError(FIELD_THRESHOLD, "Threshold must be greater than 0."); 215 | } 216 | return validationResult; 217 | } 218 | 219 | @Override 220 | public EventProcessorConfigEntity toContentPackEntity(EntityDescriptorIds entityDescriptorIds) { 221 | return CorrelationCountProcessorConfigEntity.builder() 222 | .stream(ValueReference.of(stream())) 223 | .additionalStream(ValueReference.of(additionalStream())) 224 | .additionalThresholdType(ValueReference.of(additionalThresholdType())) 225 | .additionalThreshold(additionalThreshold()) 226 | .thresholdType(ValueReference.of(thresholdType())) 227 | .threshold(threshold()) 228 | .messagesOrder(ValueReference.of(messagesOrder())) 229 | .searchWithinMs(searchWithinMs()) 230 | .executeEveryMs(executeEveryMs()) 231 | .groupingFields(groupingFields()) 232 | .comment(ValueReference.of(comment())) 233 | .searchQuery(ValueReference.of(searchQuery())) 234 | .additionalSearchQuery(ValueReference.of(additionalSearchQuery())) 235 | .build(); 236 | } 237 | } 238 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/events/processor/correlation/CorrelationCountProcessorParameters.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | package com.airbus_cyber_security.graylog.events.processor.correlation; 19 | 20 | import com.fasterxml.jackson.annotation.JsonCreator; 21 | import com.fasterxml.jackson.annotation.JsonTypeName; 22 | import com.fasterxml.jackson.databind.annotation.JsonDeserialize; 23 | import com.google.auto.value.AutoValue; 24 | import org.graylog.events.processor.EventProcessorParametersWithTimerange; 25 | import org.graylog2.plugin.indexer.searches.timeranges.AbsoluteRange; 26 | import org.graylog2.plugin.indexer.searches.timeranges.InvalidRangeParametersException; 27 | import org.graylog2.plugin.indexer.searches.timeranges.RelativeRange; 28 | import org.joda.time.DateTime; 29 | 30 | import static com.google.common.base.Preconditions.checkArgument; 31 | import static java.util.Objects.requireNonNull; 32 | 33 | @AutoValue 34 | @JsonTypeName(CorrelationCountProcessorConfig.TYPE_NAME) 35 | @JsonDeserialize(builder = CorrelationCountProcessorParameters.Builder.class) 36 | public abstract class CorrelationCountProcessorParameters implements EventProcessorParametersWithTimerange { 37 | @Override 38 | public EventProcessorParametersWithTimerange withTimerange(DateTime from, DateTime to) { 39 | requireNonNull(from, "from cannot be null"); 40 | requireNonNull(to, "to cannot be null"); 41 | checkArgument(to.isAfter(from), "to must be after from"); 42 | 43 | return toBuilder().timerange(AbsoluteRange.create(from, to)).build(); 44 | } 45 | 46 | public abstract Builder toBuilder(); 47 | 48 | public static Builder builder() { 49 | return Builder.create(); 50 | } 51 | 52 | @AutoValue.Builder 53 | public static abstract class Builder implements EventProcessorParametersWithTimerange.Builder { 54 | @JsonCreator 55 | public static Builder create() { 56 | final RelativeRange timerange; 57 | try { 58 | timerange = RelativeRange.create(3600); 59 | } catch (InvalidRangeParametersException e) { 60 | // This should not happen! 61 | throw new RuntimeException(e); 62 | } 63 | 64 | return new AutoValue_CorrelationCountProcessorParameters.Builder() 65 | .type(CorrelationCountProcessorConfig.TYPE_NAME) 66 | .timerange(timerange); 67 | } 68 | 69 | public abstract CorrelationCountProcessorParameters build(); 70 | } 71 | } 72 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/events/processor/correlation/checks/CorrelationCountCheck.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | package com.airbus_cyber_security.graylog.events.processor.correlation.checks; 19 | 20 | import com.airbus_cyber_security.graylog.events.processor.correlation.CorrelationCountProcessorConfig; 21 | import org.graylog2.plugin.MessageSummary; 22 | import org.joda.time.DateTime; 23 | 24 | import java.util.ArrayList; 25 | import java.util.Collections; 26 | import java.util.List; 27 | 28 | public class CorrelationCountCheck { 29 | 30 | private final Threshold mainStreamThreshold; 31 | private final Threshold additionalStreamThreshold; 32 | private final OrderType messagesOrder; 33 | 34 | public CorrelationCountCheck(CorrelationCountProcessorConfig configuration) { 35 | this.mainStreamThreshold = new Threshold(configuration.thresholdType(), configuration.threshold()); 36 | this.additionalStreamThreshold = new Threshold(configuration.additionalThresholdType(), configuration.additionalThreshold()); 37 | this.messagesOrder = configuration.messagesOrder(); 38 | } 39 | 40 | public boolean thresholdsAreReached(long mainCount, long additionalCount) { 41 | return this.mainStreamThreshold.isReached(mainCount) && this.additionalStreamThreshold.isReached(additionalCount); 42 | } 43 | 44 | private List getListOrderTimestamp(List summaries) { 45 | List listDate = new ArrayList<>(); 46 | for (MessageSummary messageSummary: summaries) { 47 | listDate.add(messageSummary.getTimestamp()); 48 | } 49 | Collections.sort(listDate); 50 | if (this.messagesOrder.equals(OrderType.AFTER)) { 51 | Collections.reverse(listDate); 52 | } 53 | return listDate; 54 | } 55 | 56 | /* 57 | * Check that the Second Stream is before or after the first stream 58 | */ 59 | private boolean checkOrderSecondStream(List summariesFirstStream, List summariesSecondStream) { 60 | int countFirstStream = summariesFirstStream.size(); 61 | List listDateFirstStream = getListOrderTimestamp(summariesFirstStream); 62 | List listDateSecondStream = getListOrderTimestamp(summariesSecondStream); 63 | 64 | for (DateTime dateFirstStream: listDateFirstStream) { 65 | int countSecondStream = 0; 66 | for (DateTime dateSecondStream: listDateSecondStream) { 67 | if ((this.messagesOrder.equals(OrderType.BEFORE) && dateSecondStream.isBefore(dateFirstStream)) || 68 | (this.messagesOrder.equals(OrderType.AFTER) && dateSecondStream.isAfter(dateFirstStream))) { 69 | countSecondStream++; 70 | } else { 71 | break; 72 | } 73 | } 74 | if (thresholdsAreReached(countFirstStream, countSecondStream)) { 75 | return true; 76 | } 77 | countFirstStream--; 78 | } 79 | return false; 80 | } 81 | 82 | public boolean isRuleTriggered(List summariesMainStream, List summariesAdditionalStream) { 83 | if (this.messagesOrder.equals(OrderType.ANY)) { 84 | return true; 85 | } 86 | return checkOrderSecondStream(summariesMainStream, summariesAdditionalStream); 87 | } 88 | } 89 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/events/processor/correlation/checks/CorrelationCountCombinedResults.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | package com.airbus_cyber_security.graylog.events.processor.correlation.checks; 19 | 20 | import com.google.common.collect.ImmutableList; 21 | import org.joda.time.DateTime; 22 | 23 | import java.util.Collection; 24 | 25 | public class CorrelationCountCombinedResults { 26 | 27 | private final TimestampGroupByMap> groupingFields; 28 | private final TimestampGroupByMap firstStreamCounts; 29 | private final TimestampGroupByMap secondStreamCounts; 30 | 31 | CorrelationCountCombinedResults() { 32 | this.groupingFields = new TimestampGroupByMap<>(); 33 | this.firstStreamCounts = new TimestampGroupByMap<>(); 34 | this.secondStreamCounts = new TimestampGroupByMap<>(); 35 | } 36 | 37 | private String buildTermKey(ImmutableList groupByFields) { 38 | StringBuilder builder = new StringBuilder(); 39 | for (String field: groupByFields) { 40 | if (0 < builder.length()) { 41 | builder.append(" - "); 42 | } 43 | builder.append(field); 44 | } 45 | return builder.toString(); 46 | } 47 | 48 | void addFirstStreamResult(DateTime timestamp, ImmutableList groupByFields, long count) { 49 | String key = buildTermKey(groupByFields); 50 | 51 | this.groupingFields.put(timestamp, key, groupByFields); 52 | if (this.firstStreamCounts.containsKey(timestamp, key)) { 53 | throw new IllegalArgumentException("Unexpected duplicated key in stream: " + timestamp + ", " + key); 54 | } 55 | this.firstStreamCounts.put(timestamp, key, count); 56 | } 57 | 58 | void addSecondStreamResult(DateTime timestamp, ImmutableList groupByFields, long count) { 59 | String key = buildTermKey(groupByFields); 60 | 61 | this.groupingFields.put(timestamp, key, groupByFields); 62 | if (this.secondStreamCounts.containsKey(timestamp, key)) { 63 | throw new IllegalArgumentException("Unexpected duplicated key in additional stream: " + timestamp + ", " + key); 64 | } 65 | this.secondStreamCounts.put(timestamp, key, count); 66 | } 67 | 68 | Collection getAll() { 69 | ImmutableList.Builder results = ImmutableList.builder(); 70 | for (DateTime timestamp: this.groupingFields.getTimestamps()) { 71 | for (String key: this.groupingFields.getGroupByFields(timestamp)) { 72 | ImmutableList groupByFields = this.groupingFields.get(timestamp, key); 73 | long firstStreamCount = this.firstStreamCounts.getOrDefault(timestamp, key, 0L); 74 | long secondStreamCount = this.secondStreamCounts.getOrDefault(timestamp, key, 0L); 75 | CorrelationCountResult result = new CorrelationCountResult(timestamp, groupByFields, firstStreamCount, secondStreamCount); 76 | results.add(result); 77 | } 78 | } 79 | 80 | return results.build(); 81 | } 82 | } 83 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/events/processor/correlation/checks/CorrelationCountResult.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | package com.airbus_cyber_security.graylog.events.processor.correlation.checks; 19 | 20 | import org.joda.time.DateTime; 21 | 22 | import java.util.List; 23 | 24 | public class CorrelationCountResult { 25 | 26 | private final DateTime timestamp; 27 | private final List groupByFields; 28 | private final long firstStreamCount; 29 | private final long secondStreamCount; 30 | 31 | public CorrelationCountResult(DateTime timestamp, List groupByFields, long firstStreamCount, long secondStreamCount) { 32 | this.timestamp = timestamp; 33 | this.groupByFields = groupByFields; 34 | this.firstStreamCount = firstStreamCount; 35 | this.secondStreamCount = secondStreamCount; 36 | } 37 | 38 | public DateTime getTimestamp() { 39 | return this.timestamp; 40 | } 41 | 42 | public long getFirstStreamCount() { 43 | return this.firstStreamCount; 44 | } 45 | 46 | public long getSecondStreamCount() { 47 | return this.secondStreamCount; 48 | } 49 | 50 | public List getGroupByFields() { 51 | return this.groupByFields; 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/events/processor/correlation/checks/CorrelationCountSearches.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | package com.airbus_cyber_security.graylog.events.processor.correlation.checks; 19 | 20 | import com.airbus_cyber_security.graylog.events.processor.correlation.CorrelationCountProcessorConfig; 21 | import com.google.common.collect.ImmutableList; 22 | import com.google.common.collect.ImmutableSet; 23 | import com.google.common.collect.Lists; 24 | import org.graylog.events.processor.EventDefinition; 25 | import org.graylog.events.processor.EventProcessorException; 26 | import org.graylog.events.processor.aggregation.AggregationEventProcessorConfig; 27 | import org.graylog.events.processor.aggregation.AggregationEventProcessorParameters; 28 | import org.graylog.events.processor.aggregation.AggregationKeyResult; 29 | import org.graylog.events.processor.aggregation.AggregationResult; 30 | import org.graylog.events.processor.aggregation.AggregationSearch; 31 | import org.graylog.events.processor.aggregation.AggregationSeriesValue; 32 | import org.graylog.events.search.MoreSearch; 33 | import org.graylog.plugins.views.search.searchtypes.pivot.SeriesSpec; 34 | import org.graylog.plugins.views.search.searchtypes.pivot.series.Count; 35 | import org.graylog2.indexer.results.ResultMessage; 36 | import org.graylog2.indexer.results.SearchResult; 37 | import org.graylog2.indexer.searches.Searches; 38 | import org.graylog2.indexer.searches.Sorting; 39 | import org.graylog2.plugin.Message; 40 | import org.graylog2.plugin.MessageSummary; 41 | import org.graylog2.plugin.indexer.searches.timeranges.TimeRange; 42 | import org.joda.time.DateTime; 43 | 44 | import jakarta.inject.Inject; 45 | import org.joda.time.DateTimeZone; 46 | 47 | import java.util.Collection; 48 | import java.util.List; 49 | import java.util.Map; 50 | 51 | public class CorrelationCountSearches { 52 | 53 | private static final int SEARCH_LIMIT = 500; 54 | private static final String HEADER_STREAM = "streams:"; 55 | private final AggregationSearch.Factory aggregationSearchFactory; 56 | // TODO should probably use MoreSearch rather than Searches (see code of AggregationEventProcessor) 57 | private final Searches searches; 58 | 59 | @Inject 60 | public CorrelationCountSearches(AggregationSearch.Factory aggregationSearchFactory, Searches searches) { 61 | this.aggregationSearchFactory = aggregationSearchFactory; 62 | this.searches = searches; 63 | } 64 | 65 | private AggregationResult getTerms(String stream, TimeRange timeRange, CorrelationCountProcessorConfig configuration, EventDefinition eventDefinition, String searchQuery) throws EventProcessorException { 66 | // Build series from configuration 67 | ImmutableList.Builder seriesBuilder = ImmutableList.builder(); 68 | StringBuilder idBuilder = new StringBuilder("correlation_id"); 69 | for (String groupingField: configuration.groupingFields()) { 70 | idBuilder.append("#").append(groupingField); 71 | } 72 | Count countSeries = Count.builder().id(idBuilder.toString()).build(); 73 | seriesBuilder.add(countSeries); 74 | // Create the graylog "legal" aggregation configuration 75 | AggregationEventProcessorConfig config = AggregationEventProcessorConfig.builder() 76 | .groupBy(configuration.groupingFields()) 77 | .query(searchQuery) 78 | .streams(ImmutableSet.of(stream)) 79 | .executeEveryMs(configuration.executeEveryMs()) 80 | .searchWithinMs(configuration.searchWithinMs()) 81 | .series(seriesBuilder.build()) 82 | .build(); 83 | AggregationEventProcessorParameters parameters = AggregationEventProcessorParameters.builder() 84 | .streams(ImmutableSet.of(stream)).batchSize(Long.valueOf(SEARCH_LIMIT).intValue()) 85 | .timerange(timeRange) 86 | .build(); 87 | String owner = "event-processor-" + AggregationEventProcessorConfig.TYPE_NAME + "-" + eventDefinition.id(); 88 | AggregationSearch search = this.aggregationSearchFactory.create(config, parameters, new AggregationSearch.User(owner, DateTimeZone.UTC), eventDefinition, List.of()); 89 | return search.doSearch(); 90 | } 91 | 92 | private long extractCount(AggregationKeyResult keyResult) { 93 | ImmutableList seriesValues = keyResult.seriesValues(); 94 | // there should only be one series (the AggregationFunction.COUNT) 95 | AggregationSeriesValue seriesValue = seriesValues.get(0); 96 | return Double.valueOf(seriesValue.value()).longValue(); 97 | } 98 | 99 | public Collection count(TimeRange timeRange, CorrelationCountProcessorConfig configuration, EventDefinition eventDefinition) throws EventProcessorException { 100 | 101 | AggregationResult termResult = getTerms(configuration.stream(), timeRange, configuration, eventDefinition, configuration.searchQuery()); 102 | AggregationResult termResultAdditionalStream = getTerms(configuration.additionalStream(), timeRange, configuration, eventDefinition, configuration.additionalSearchQuery()); 103 | 104 | CorrelationCountCombinedResults results = new CorrelationCountCombinedResults(); 105 | 106 | for (AggregationKeyResult keyResult: termResult.keyResults()) { 107 | ImmutableList groupByFields = keyResult.key(); 108 | DateTime timestamp = keyResult.timestamp().get(); 109 | long value = extractCount(keyResult); 110 | 111 | results.addFirstStreamResult(timestamp, groupByFields, value); 112 | } 113 | 114 | for (AggregationKeyResult keyResult: termResultAdditionalStream.keyResults()) { 115 | ImmutableList groupByFields = keyResult.key(); 116 | DateTime timestamp = keyResult.timestamp().get(); 117 | long value = extractCount(keyResult); 118 | 119 | results.addSecondStreamResult(timestamp, groupByFields, value); 120 | } 121 | 122 | return results.getAll(); 123 | } 124 | 125 | private String buildSearchQuery(String searchQuery, Map groupByFields) { 126 | // TODO: should searchQuery be sanitized? 127 | StringBuilder builder = new StringBuilder(searchQuery); 128 | for (Map.Entry groupBy: groupByFields.entrySet()) { 129 | String name = groupBy.getKey(); 130 | String value = MoreSearch.luceneEscape(groupBy.getValue()); 131 | builder.append(" AND ").append(name).append(": \"").append(value).append("\""); 132 | } 133 | return builder.toString(); 134 | } 135 | 136 | public List searchMessages(String additionalQuery, Map groupByFields, String stream, TimeRange range) { 137 | String searchQuery = this.buildSearchQuery(additionalQuery, groupByFields); 138 | String filter = HEADER_STREAM + stream; 139 | SearchResult backlogResult = this.searches.search(searchQuery, filter, 140 | range, SEARCH_LIMIT, 0, new Sorting(Message.FIELD_TIMESTAMP, Sorting.Direction.DESC)); 141 | List result = Lists.newArrayList(); 142 | for (ResultMessage resultMessage: backlogResult.getResults()) { 143 | result.add(new MessageSummary(resultMessage.getIndex(), resultMessage.getMessage())); 144 | } 145 | return result; 146 | } 147 | } 148 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/events/processor/correlation/checks/OrderType.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | package com.airbus_cyber_security.graylog.events.processor.correlation.checks; 19 | 20 | import com.fasterxml.jackson.annotation.JsonProperty; 21 | 22 | public enum OrderType { 23 | 24 | // TODO try to avoid repeating string "ANY". Would it work with enums without values? Otherwise use some constants. 25 | @JsonProperty("ANY") 26 | ANY("ANY"), 27 | 28 | @JsonProperty("BEFORE") 29 | BEFORE("BEFORE"), 30 | 31 | @JsonProperty("AFTER") 32 | AFTER("AFTER"); 33 | 34 | private final String description; 35 | 36 | OrderType(String description) { 37 | this.description = description; 38 | } 39 | 40 | public String getDescription() { 41 | return description; 42 | } 43 | 44 | public static OrderType fromString(String text) { 45 | for (OrderType orderType: OrderType.values()) { 46 | if (orderType.description.equals(text)) { 47 | return orderType; 48 | } 49 | } 50 | throw new IllegalArgumentException("Unknown OrderType value: " + text); 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/events/processor/correlation/checks/Threshold.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | package com.airbus_cyber_security.graylog.events.processor.correlation.checks; 19 | 20 | public class Threshold { 21 | 22 | private final ThresholdType type; 23 | private final int value; 24 | 25 | public Threshold(String type, int value) { 26 | this.type = ThresholdType.fromString(type); 27 | this.value = value; 28 | } 29 | 30 | public boolean isReached(long count) { 31 | return (((this.type == ThresholdType.MORE) && (count > this.value)) || 32 | ((this.type == ThresholdType.LESS) && (count < this.value))); 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/events/processor/correlation/checks/ThresholdType.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | package com.airbus_cyber_security.graylog.events.processor.correlation.checks; 19 | 20 | public enum ThresholdType { 21 | 22 | MORE("MORE"), 23 | LESS("LESS"); 24 | 25 | private final String description; 26 | 27 | ThresholdType(String description) { 28 | this.description = description; 29 | } 30 | 31 | public String getDescription() { 32 | return description; 33 | } 34 | 35 | public static ThresholdType fromString(String text) { 36 | for (ThresholdType type : ThresholdType.values()) { 37 | if (type.description.equalsIgnoreCase(text)) { 38 | return type; 39 | } 40 | } 41 | throw new IllegalArgumentException("Unknown ThresholdType value: " + text); 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /src/main/java/com/airbus_cyber_security/graylog/events/processor/correlation/checks/TimestampGroupByMap.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | package com.airbus_cyber_security.graylog.events.processor.correlation.checks; 19 | 20 | import org.joda.time.DateTime; 21 | 22 | import java.util.HashMap; 23 | import java.util.Map; 24 | import java.util.Set; 25 | 26 | public class TimestampGroupByMap { 27 | 28 | private final Map> map; 29 | 30 | TimestampGroupByMap() { 31 | this.map = new HashMap<>(); 32 | } 33 | 34 | void put(DateTime timestamp, String groupBy, V value) { 35 | Map values = this.map.computeIfAbsent(timestamp, k -> new HashMap<>()); 36 | values.put(groupBy, value); 37 | } 38 | 39 | Set getTimestamps() { 40 | return this.map.keySet(); 41 | } 42 | 43 | Set getGroupByFields(DateTime timestamp) { 44 | Map values = this.map.get(timestamp); 45 | return values.keySet(); 46 | } 47 | 48 | V get(DateTime timestamp, String groupBy) { 49 | Map values = this.map.get(timestamp); 50 | return values.get(groupBy); 51 | } 52 | 53 | boolean containsKey(DateTime timestamp, String groupBy) { 54 | Map values = this.map.get(timestamp); 55 | if (values == null) { 56 | return false; 57 | } 58 | return values.containsKey(groupBy); 59 | } 60 | 61 | V getOrDefault(DateTime timestamp, String groupBy, V defaultValue) { 62 | Map values = this.map.get(timestamp); 63 | if (values == null) { 64 | return defaultValue; 65 | } 66 | return values.getOrDefault(groupBy, defaultValue); 67 | } 68 | } 69 | -------------------------------------------------------------------------------- /src/main/resources/META-INF/services/org.graylog2.plugin.Plugin: -------------------------------------------------------------------------------- 1 | com.airbus_cyber_security.graylog.CorrelationCountPlugin 2 | -------------------------------------------------------------------------------- /src/main/resources/com.airbus-cyber-security.graylog.graylog-plugin-correlation-count/graylog-plugin.properties: -------------------------------------------------------------------------------- 1 | # The plugin version 2 | version=${project.version} 3 | 4 | # The required Graylog server version 5 | graylog.version=${graylog.version} 6 | 7 | # When set to true (the default) the plugin gets a separate class loader 8 | # when loading the plugin. When set to false, the plugin shares a class loader 9 | # with other plugins that have isolated=false. 10 | # 11 | # Do not disable this unless this plugin depends on another plugin! 12 | isolated=false 13 | -------------------------------------------------------------------------------- /src/test/java/com/airbus_cyber_security/graylog/events/processor/correlation/CorrelationCountProcessorTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | package com.airbus_cyber_security.graylog.events.processor.correlation; 19 | 20 | import com.airbus_cyber_security.graylog.events.processor.correlation.checks.CorrelationCountSearches; 21 | import com.airbus_cyber_security.graylog.events.processor.correlation.checks.OrderType; 22 | import com.airbus_cyber_security.graylog.events.processor.correlation.checks.ThresholdType; 23 | import com.google.common.collect.ImmutableList; 24 | import org.graylog.events.event.EventFactory; 25 | import org.graylog.events.notifications.EventNotificationSettings; 26 | import org.graylog.events.processor.DBEventProcessorStateService; 27 | import org.graylog.events.processor.EventDefinitionDto; 28 | import org.graylog.events.processor.EventProcessorDependencyCheck; 29 | import org.graylog.events.processor.EventProcessorPreconditionException; 30 | import org.graylog2.plugin.TestMessageFactory; 31 | import org.graylog2.plugin.indexer.searches.timeranges.AbsoluteRange; 32 | import org.joda.time.DateTime; 33 | import org.joda.time.DateTimeZone; 34 | import org.junit.Test; 35 | import org.mockito.Mockito; 36 | 37 | import java.util.ArrayList; 38 | 39 | import static org.assertj.core.api.Assertions.assertThatCode; 40 | 41 | public class CorrelationCountProcessorTest { 42 | 43 | @Test 44 | public void testEvents() { 45 | DateTime now = DateTime.now(DateTimeZone.UTC); 46 | AbsoluteRange timeRange = AbsoluteRange.create(now.minusHours(1), now.plusHours(1)); 47 | EventDefinitionDto eventDefinitionDto = EventDefinitionDto.builder() 48 | .id("dto-id") 49 | .title("Test Correlation") 50 | .description("A test correlation event processors") 51 | .config(getCorrelationCountProcessorConfig()) 52 | .alert(false) 53 | .keySpec(ImmutableList.of()) 54 | .notificationSettings(EventNotificationSettings.withGracePeriod(60000)) 55 | .priority(1) 56 | .build(); 57 | CorrelationCountProcessorParameters parameters = CorrelationCountProcessorParameters.builder() 58 | .timerange(timeRange) 59 | .build(); 60 | CorrelationCountSearches correlationCountSearches = Mockito.mock(CorrelationCountSearches.class); 61 | EventProcessorDependencyCheck eventProcessorDependencyCheck = Mockito.mock(EventProcessorDependencyCheck.class); 62 | DBEventProcessorStateService stateService = Mockito.mock(DBEventProcessorStateService.class); 63 | EventFactory eventFactory = Mockito.mock(EventFactory.class); 64 | 65 | CorrelationCountProcessor eventProcessor = new CorrelationCountProcessor(eventDefinitionDto, eventProcessorDependencyCheck, 66 | stateService, correlationCountSearches, new TestMessageFactory()); 67 | assertThatCode(() -> eventProcessor.createEvents(eventFactory, parameters, (events) -> { 68 | })) 69 | .hasMessageContaining(eventDefinitionDto.title()) 70 | .hasMessageContaining(eventDefinitionDto.id()) 71 | .hasMessageContaining(timeRange.from().toString()) 72 | .hasMessageContaining(timeRange.to().toString()) 73 | .isInstanceOf(EventProcessorPreconditionException.class); 74 | } 75 | 76 | private CorrelationCountProcessorConfig getCorrelationCountProcessorConfig() { 77 | int threshold = 100; 78 | return CorrelationCountProcessorConfig.builder() 79 | .stream("main stream") 80 | .additionalStream("additional stream") 81 | .additionalThresholdType(ThresholdType.MORE.getDescription()) 82 | .additionalThreshold(threshold) 83 | .thresholdType(ThresholdType.MORE.getDescription()) 84 | .threshold(threshold) 85 | .messagesOrder(OrderType.ANY) 86 | .searchWithinMs(2 * 60 * 1000) 87 | .executeEveryMs(2 * 60 * 1000) 88 | .groupingFields(new ArrayList<>()) 89 | .comment("test comment") 90 | .searchQuery("*") 91 | .additionalSearchQuery("*") 92 | .build(); 93 | } 94 | } 95 | -------------------------------------------------------------------------------- /src/test/java/com/airbus_cyber_security/graylog/events/processor/correlation/checks/CorrelationCountCheckTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | package com.airbus_cyber_security.graylog.events.processor.correlation.checks; 19 | 20 | import com.airbus_cyber_security.graylog.events.processor.correlation.CorrelationCountProcessorConfig; 21 | import com.airbus_cyber_security.graylog.events.processor.correlation.checks.OrderType; 22 | import org.graylog2.plugin.Message; 23 | import org.graylog2.plugin.MessageFactory; 24 | import org.graylog2.plugin.MessageSummary; 25 | import org.graylog2.plugin.TestMessageFactory; 26 | import org.joda.time.DateTime; 27 | import org.joda.time.DateTimeZone; 28 | import org.junit.Test; 29 | 30 | import java.util.ArrayList; 31 | import java.util.HashSet; 32 | import java.util.List; 33 | 34 | import static org.junit.Assert.assertTrue; 35 | 36 | public class CorrelationCountCheckTest { 37 | 38 | @Test 39 | public void testCheckOrderStreamThreshold2After() { 40 | MessageFactory testMessageFactory = new TestMessageFactory(); 41 | 42 | List summariesStream1 = new ArrayList(); 43 | summariesStream1.add(new MessageSummary("0", testMessageFactory.createMessage("message", "source", new DateTime(600, DateTimeZone.UTC)))); 44 | summariesStream1.add(new MessageSummary("1", testMessageFactory.createMessage("message", "source", new DateTime(1100, DateTimeZone.UTC)))); 45 | 46 | List summariesStream2 = new ArrayList(); 47 | summariesStream2.add(new MessageSummary("0", testMessageFactory.createMessage("message", "source", new DateTime(100, DateTimeZone.UTC)))); 48 | summariesStream2.add(new MessageSummary("1", testMessageFactory.createMessage("message", "source", new DateTime(200, DateTimeZone.UTC)))); 49 | summariesStream2.add(new MessageSummary("2", testMessageFactory.createMessage("message", "source", new DateTime(300, DateTimeZone.UTC)))); 50 | summariesStream2.add(new MessageSummary("3", testMessageFactory.createMessage("message", "source", new DateTime(400, DateTimeZone.UTC)))); 51 | summariesStream2.add(new MessageSummary("4", testMessageFactory.createMessage("message", "source", new DateTime(500, DateTimeZone.UTC)))); 52 | summariesStream2.add(new MessageSummary("5", testMessageFactory.createMessage("message", "source", new DateTime(700, DateTimeZone.UTC)))); 53 | summariesStream2.add(new MessageSummary("6", testMessageFactory.createMessage("message", "source", new DateTime(800, DateTimeZone.UTC)))); 54 | summariesStream2.add(new MessageSummary("7", testMessageFactory.createMessage("message", "source", new DateTime(900, DateTimeZone.UTC)))); 55 | summariesStream2.add(new MessageSummary("8", testMessageFactory.createMessage("message", "source", new DateTime(1000, DateTimeZone.UTC)))); 56 | 57 | CorrelationCountProcessorConfig configuration = CorrelationCountProcessorConfig.builder() 58 | .stream("main stream") 59 | .additionalStream("additional stream") 60 | .additionalThresholdType("MORE") 61 | .additionalThreshold(1) 62 | .thresholdType("MORE") 63 | .threshold(4) 64 | .messagesOrder(OrderType.AFTER) 65 | .searchWithinMs(10 * 60 * 1000) 66 | .executeEveryMs(0) 67 | .groupingFields(new ArrayList<>()) 68 | .comment("test comment") 69 | .searchQuery("*") 70 | .additionalSearchQuery("*") 71 | .build(); 72 | 73 | CorrelationCountCheck subject = new CorrelationCountCheck(configuration); 74 | assertTrue(subject.isRuleTriggered(summariesStream2, summariesStream1)); 75 | } 76 | } 77 | -------------------------------------------------------------------------------- /src/test/java/org/graylog2/plugin/TestMessageFactory.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | package org.graylog2.plugin; 18 | 19 | import org.joda.time.DateTime; 20 | 21 | import java.util.Map; 22 | 23 | public class TestMessageFactory implements MessageFactory { 24 | 25 | public Message createMessage(String message, String source, DateTime timestamp) { 26 | return new Message(message, source, timestamp); 27 | } 28 | 29 | public Message createMessage(Map fields) { 30 | return new Message(fields); 31 | } 32 | 33 | public Message createMessage(String id, Map newFields) { 34 | return new Message(id, newFields); 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /src/test/java/org/omg/CORBA/portable/IDLEntity.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | package org.omg.CORBA.portable; 18 | 19 | import java.io.Serializable; 20 | 21 | /** 22 | * FIX for test usage 23 | */ 24 | public interface IDLEntity extends Serializable { 25 | } 26 | -------------------------------------------------------------------------------- /src/web/components/event-definitions/event-definition-types/CorrelationCountForm.jsx: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | import React from 'react'; 19 | import PropTypes from 'prop-types'; 20 | import lodash from 'lodash'; 21 | import FormsUtils from 'util/FormsUtils'; 22 | import { naturalSortIgnoreCase } from 'util/SortUtils'; 23 | 24 | import { Select, MultiSelect } from 'components/common'; 25 | // TODO write a unit test which protects against having ControlLable, FormGroup and HelpBlock imported from components/common 26 | import { ControlLabel, FormGroup, HelpBlock, Input } from 'components/bootstrap'; 27 | import TimeUnitFormGroup from './TimeUnitFormGroup'; 28 | 29 | import { defaultCompare } from 'logic/DefaultCompare'; 30 | 31 | 32 | class CorrelationCountForm extends React.Component { 33 | // Memoize function to only format fields when they change. Use joined fieldNames as cache key. 34 | formatFields = lodash.memoize( 35 | (fieldTypes) => { 36 | return fieldTypes 37 | .sort((ftA, ftB) => defaultCompare(ftA.name, ftB.name)) 38 | .map((fieldType) => { 39 | return { 40 | label: `${fieldType.name} – ${fieldType.value.type.type}`, 41 | value: fieldType.name, 42 | }; 43 | } 44 | ); 45 | }, 46 | (fieldTypes) => fieldTypes.map((ft) => ft.name).join('-'), 47 | ); 48 | 49 | static propTypes = { 50 | eventDefinition: PropTypes.object.isRequired, 51 | validation: PropTypes.object.isRequired, 52 | onChange: PropTypes.func.isRequired, 53 | streams: PropTypes.array.isRequired, 54 | allFieldTypes: PropTypes.array.isRequired, 55 | }; 56 | 57 | formatStreamIds = () => { 58 | const { streams } = this.props; 59 | 60 | return streams.filter(s => s.is_editable).map(s => s.id) 61 | .map(streamId => streams.find(s => s.id === streamId) || streamId) 62 | .map((streamOrId) => { 63 | const stream = (typeof streamOrId === 'object' ? streamOrId : { title: streamOrId, id: streamOrId }); 64 | return { 65 | label: stream.title, 66 | value: stream.id, 67 | }; 68 | }) 69 | .sort((s1, s2) => naturalSortIgnoreCase(s1.label, s2.label)); 70 | }; 71 | 72 | propagateChange = (key, value) => { 73 | const { eventDefinition, onChange } = this.props; 74 | const config = lodash.cloneDeep(eventDefinition.config); 75 | config[key] = value; 76 | onChange('config', config); 77 | }; 78 | 79 | handleChange = (event) => { 80 | const { name } = event.target; 81 | this.propagateChange(name, FormsUtils.getValueFromInput(event.target)); 82 | }; 83 | 84 | handleSearchWithinMsChange = (nextValue) => { 85 | this.propagateChange('search_within_ms', nextValue); 86 | }; 87 | 88 | handleExecuteEveryMsChange = (nextValue) => { 89 | this.propagateChange('execute_every_ms', nextValue); 90 | }; 91 | 92 | handleStreamChange = (nextValue) => { 93 | this.propagateChange('stream', nextValue); 94 | }; 95 | 96 | handleAdditionalStreamChange = (nextValue) => { 97 | this.propagateChange('additional_stream', nextValue); 98 | }; 99 | 100 | handleAdditionalThresholdTypeChange = (nextValue) => { 101 | this.propagateChange('additional_threshold_type', nextValue); 102 | }; 103 | 104 | handleThresholdTypeChange = (nextValue) => { 105 | this.propagateChange('threshold_type', nextValue); 106 | }; 107 | 108 | handleMessagesOrderChange = (nextValue) => { 109 | this.propagateChange('messages_order', nextValue); 110 | }; 111 | 112 | handleGroupByChange = (selected) => { 113 | const nextValue = selected === '' ? [] : selected.split(','); 114 | this.propagateChange('grouping_fields', nextValue) 115 | }; 116 | 117 | availableThresholdTypes = () => { 118 | return [ 119 | {value: 'MORE', label: 'more than'}, 120 | {value: 'LESS', label: 'less than'}, 121 | ]; 122 | }; 123 | 124 | availableMessagesOrder = () => { 125 | return [ 126 | {value: 'BEFORE', label: 'additional messages before main messages'}, 127 | {value: 'AFTER', label: 'additional messages after main messages'}, 128 | {value: 'ANY', label: 'any order'}, 129 | ] 130 | }; 131 | 132 | render() { 133 | const { eventDefinition, validation, allFieldTypes } = this.props; 134 | const formattedStreams = this.formatStreamIds(); 135 | const formattedFields = this.formatFields(allFieldTypes); 136 | 137 | return ( 138 | 139 | 141 | Stream 142 | 164 | 165 | Select condition to trigger alert: when there are more or less messages in the main stream than the threshold 166 | 167 | 168 | Threshold 169 | 177 | Search Query (Optional) 178 | 186 | 188 | Additional Stream 189 | 211 | 212 | Select condition to trigger alert: when there are more or less messages in the additional stream than the threshold 213 | 214 | 215 | Additional Threshold 216 | 224 | Additional Search Query (Optional) 225 | 233 | 235 | Messages Order 236 | 281 | 282 | ); 283 | } 284 | } 285 | 286 | export default CorrelationCountForm; 287 | -------------------------------------------------------------------------------- /src/web/components/event-definitions/event-definition-types/CorrelationCountFormContainer.tsx: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | import React from 'react'; 19 | import { useContext } from 'react'; 20 | import PropTypes from 'prop-types'; 21 | 22 | import { Spinner } from 'components/common'; 23 | import useFieldTypes from 'views/logic/fieldtypes/useFieldTypes'; 24 | import { ALL_MESSAGES_TIMERANGE } from 'views/Constants'; 25 | import StreamsContext from 'contexts/StreamsContext'; 26 | import CorrelationCountForm from './CorrelationCountForm'; 27 | 28 | 29 | type Props = { 30 | eventDefinition: {}, 31 | validation: {}, 32 | onChange: () => void 33 | } 34 | 35 | const CorrelationCountFormContainer = (props: Props) => { 36 | const { data: fieldTypes } = useFieldTypes([], ALL_MESSAGES_TIMERANGE); 37 | const isLoading = !fieldTypes; 38 | const streams = useContext(StreamsContext); 39 | 40 | if (isLoading) { 41 | return ; 42 | } 43 | return ; 44 | } 45 | 46 | CorrelationCountFormContainer.propTypes = { 47 | eventDefinition: PropTypes.object.isRequired, 48 | validation: PropTypes.object.isRequired, 49 | onChange: PropTypes.func.isRequired, 50 | streams: PropTypes.array.isRequired, 51 | fieldTypes: PropTypes.object.isRequired, 52 | }; 53 | 54 | export default CorrelationCountFormContainer; -------------------------------------------------------------------------------- /src/web/components/event-definitions/event-definition-types/CorrelationCountSummary.jsx: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | import React from 'react'; 19 | import PropTypes from 'prop-types'; 20 | import { extractDurationAndUnit } from 'components/common/TimeUnitInput'; 21 | import { TIME_UNITS } from 'components/event-definitions/event-definition-types/FilterForm'; 22 | 23 | class CorrelationCountSummary extends React.Component { 24 | static propTypes = { 25 | config: PropTypes.string.isRequired, 26 | }; 27 | 28 | render() { 29 | const { config } = this.props; 30 | const searchWithin = extractDurationAndUnit(config.search_within_ms, TIME_UNITS); 31 | const executeEvery = extractDurationAndUnit(config.execute_every_ms, TIME_UNITS); 32 | 33 | return ( 34 | 35 | 36 | Stream: 37 | {config.stream || 'No stream for this condition.'} 38 | 39 | 40 | Threshold Type: 41 | {config.threshold_type || 'No threshold type for this condition.'} 42 | 43 | 44 | Threshold: 45 | {config.threshold} 46 | 47 | 48 | Search Query: 49 | {config.search_query} 50 | 51 | 52 | Additional Stream: 53 | {config.additional_stream || 'No additional stream for this condition.'} 54 | 55 | 56 | Additional Threshold Type: 57 | {config.additional_threshold_type || 'No additional threshold type for this condition.'} 58 | 59 | 60 | Additional Threshold: 61 | {config.additional_threshold} 62 | 63 | 64 | Additional Search Query: 65 | {config.additional_search_query} 66 | 67 | 68 | Messages Order: 69 | {config.messages_order || 'No messages order for this condition.'} 70 | 71 | 72 | Search within: 73 | {searchWithin.duration} {searchWithin.unit.toLowerCase()} 74 | 75 | 76 | Execute search every: 77 | {executeEvery.duration} {executeEvery.unit.toLowerCase()} 78 | 79 | 80 | Grouping Fields: 81 | {config.grouping_fields.join(', ') || 'No grouping fields for this condition.'} 82 | 83 | 84 | Comment: 85 | {config.comment} 86 | 87 | 88 | ); 89 | } 90 | } 91 | 92 | export default CorrelationCountSummary; -------------------------------------------------------------------------------- /src/web/components/event-definitions/event-definition-types/TimeUnitFormGroup.jsx: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | import React from 'react'; 19 | import PropTypes from 'prop-types'; 20 | import lodash from 'lodash'; 21 | import moment from 'moment'; 22 | import { TimeUnitInput } from 'components/common'; 23 | import { extractDurationAndUnit } from 'components/common/TimeUnitInput'; 24 | import { FormGroup, HelpBlock } from 'components/bootstrap'; 25 | import { TIME_UNITS } from 'components/event-definitions/event-definition-types/FilterForm'; 26 | 27 | class TimeUnitFormGroup extends React.Component { 28 | static propTypes = { 29 | value: PropTypes.number.isRequired, 30 | label: PropTypes.string.isRequired, 31 | update: PropTypes.func.isRequired, 32 | errors: PropTypes.array.isRequired 33 | }; 34 | 35 | constructor(props) { 36 | super(props); 37 | 38 | this.state = extractDurationAndUnit(props.value, TIME_UNITS); 39 | } 40 | 41 | handleTimeRangeChange = (nextValue, nextUnit) => { 42 | const durationInMs = moment.duration(lodash.max([nextValue, 1]), nextUnit).asMilliseconds(); 43 | 44 | this.setState({ 45 | duration: nextValue, 46 | unit: nextUnit 47 | }); 48 | this.props.update(durationInMs); 49 | }; 50 | 51 | render() { 52 | const { label, errors } = this.props; 53 | const { duration, unit } = this.state; 54 | 55 | return ( 56 | // note: there is no controlId set because it just doesn't seem to work for this widget 57 | // the controlId is suppose to set the "for" attribute on the label and the "id" attribute on the input 58 | 59 | 66 | {errors && ( 67 | {errors[0]} 68 | )} 69 | 70 | ); 71 | } 72 | } 73 | 74 | export default TimeUnitFormGroup; 75 | -------------------------------------------------------------------------------- /src/web/index.jsx: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2018 Airbus CyberSecurity (SAS) 3 | * 4 | * This program is free software: you can redistribute it and/or modify 5 | * it under the terms of the Server Side Public License, version 1, 6 | * as published by MongoDB, Inc. 7 | * 8 | * This program is distributed in the hope that it will be useful, 9 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | * Server Side Public License for more details. 12 | * 13 | * You should have received a copy of the Server Side Public License 14 | * along with this program. If not, see 15 | * . 16 | */ 17 | 18 | import { PluginManifest, PluginStore } from 'graylog-web-plugin/plugin'; 19 | 20 | import CorrelationCountFormContainer from "./components/event-definitions/event-definition-types/CorrelationCountFormContainer"; 21 | import CorrelationCountSummary from "./components/event-definitions/event-definition-types/CorrelationCountSummary"; 22 | 23 | const DEFAULT_CONFIGURATION = { 24 | stream: '', 25 | threshold_type: 'MORE', 26 | threshold: '0', 27 | search_query: '*', 28 | additional_stream: '', 29 | additional_threshold_type: 'MORE', 30 | additional_threshold: '0', 31 | additional_search_query: '*', 32 | search_within_ms: 60*1000, 33 | execute_every_ms: 60*1000, 34 | messages_order: 'ANY', 35 | grouping_fields: [], 36 | comment: '', 37 | }; 38 | 39 | PluginStore.register(new PluginManifest({}, { 40 | eventDefinitionTypes: [ 41 | { 42 | type: 'correlation-count', 43 | displayName: 'Correlation Count Alert Condition', 44 | sortOrder: 1, // Sort before conditions working on events 45 | description: 'This condition is triggered when the number of messages in the main stream is higher/lower than a defined ' 46 | + 'threshold and when the number of messages in the additional stream is higher/lower than another defined ' + 47 | 'threshold in a given time range.', 48 | formComponent: CorrelationCountFormContainer, 49 | summaryComponent: CorrelationCountSummary, 50 | defaultConfig: DEFAULT_CONFIGURATION 51 | }, 52 | ], 53 | })); 54 | -------------------------------------------------------------------------------- /tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | "target": "es5", 4 | "lib": [ 5 | "dom", 6 | "dom.iterable", 7 | "esnext" 8 | ], 9 | "allowJs": false, 10 | "downlevelIteration": true, 11 | "skipLibCheck": true, 12 | "esModuleInterop": true, 13 | "allowSyntheticDefaultImports": true, 14 | "strict": false, 15 | "forceConsistentCasingInFileNames": true, 16 | "module": "esnext", 17 | "moduleResolution": "node", 18 | "resolveJsonModule": true, 19 | "isolatedModules": true, 20 | "noEmit": true, 21 | "jsx": "react", 22 | "baseUrl": ".", 23 | "paths": { 24 | "*": [ 25 | "*", 26 | "./src/web/*", 27 | "./test/web/*", 28 | "../graylog2-server/graylog2-web-interface/src/*", 29 | "../graylog2-server/graylog2-web-interface/test/*", 30 | ] 31 | } 32 | }, 33 | "include": [ 34 | "src", 35 | "../graylog2-server/graylog2-web-interface/src/@types/**/*", 36 | "../graylog2-server/graylog2-web-interface/src/**/*.d.ts" 37 | ] 38 | } 39 | -------------------------------------------------------------------------------- /validation/gelf_input.py: -------------------------------------------------------------------------------- 1 | 2 | class GelfInput: 3 | 4 | def __init__(self, api, identifier): 5 | self._api = api 6 | self._identifier = identifier 7 | 8 | def is_running(self): 9 | return self._api.gelf_input_is_running(self._identifier) -------------------------------------------------------------------------------- /validation/graylog.py: -------------------------------------------------------------------------------- 1 | import time 2 | from graylog_server import GraylogServer 3 | from graylog_rest_api import GraylogRestApi 4 | from graylog_inputs import GraylogInputs 5 | from server_timeout_error import ServerTimeoutError 6 | 7 | 8 | class Graylog: 9 | 10 | def __init__(self): 11 | self._server = GraylogServer('../runtime') 12 | self._api = GraylogRestApi() 13 | 14 | def _wait(self, condition, attempts, sleep_duration=1.0): 15 | count = 0 16 | while not condition(): 17 | time.sleep(sleep_duration) 18 | count += 1 19 | if count > attempts: 20 | print(self._server.extract_all_logs()) 21 | raise ServerTimeoutError() 22 | 23 | def _wait_with_param(self, condition, attempts, condition_args, sleep_duration=1.0): 24 | count = 0 25 | while not condition(condition_args): 26 | time.sleep(sleep_duration) 27 | count += 1 28 | if count > attempts: 29 | print(self._server.extract_all_logs()) 30 | raise ServerTimeoutError() 31 | 32 | def _wait_until_graylog_has_started(self): 33 | """ 34 | We wait until the default deflector is up, as it seems to be the last operation done on startup 35 | This might have to change in the future, if graylog changes its ways... 36 | :return: 37 | """ 38 | print('Waiting for graylog to start...') 39 | self._wait(self._api.default_deflector_is_up, 180) 40 | self._wait(self._api.events_search_is_available, 180) 41 | 42 | def start(self): 43 | self._server.start() 44 | self._wait_until_graylog_has_started() 45 | 46 | def stop(self): 47 | self._server.stop() 48 | 49 | def start_logs_capture(self): 50 | self._server.start_logs_capture() 51 | 52 | def extract_logs(self): 53 | return self._server.extract_logs() 54 | 55 | def create_gelf_input(self): 56 | gelf_input = self._api.create_gelf_input() 57 | self._wait(gelf_input.is_running, 10, sleep_duration=.1) 58 | return GraylogInputs() 59 | 60 | def create_correlation_count(self, *args, **kwargs): 61 | self._api.create_correlation_count(*args, **kwargs) 62 | 63 | def get_events(self): 64 | return self._api.get_events() 65 | 66 | def get_events_count(self, event_definition_type=None): 67 | response = self.get_events() 68 | 69 | # TODO : Remove after debug CI 70 | print(response) 71 | 72 | total = response['total_events'] 73 | if event_definition_type is None: 74 | return total 75 | result = 0 76 | for i in range(total): 77 | event = response['events'][i]['event'] 78 | if event['event_definition_type'] == event_definition_type: 79 | result += 1 80 | return result 81 | 82 | def _has_event(self, event_definition_type=None): 83 | events_count = self.get_events_count(event_definition_type) 84 | return events_count == 1 85 | 86 | def wait_until_event(self, event_definition_type=None): 87 | if event_definition_type is None: 88 | self._wait(self._has_event, 60) 89 | else: 90 | self._wait_with_param(self._has_event, 60, event_definition_type) 91 | 92 | -------------------------------------------------------------------------------- /validation/graylog_inputs.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import json 3 | 4 | _GRAYLOG_INPUT_ADDRESS = ('127.0.0.1', 12201) 5 | 6 | 7 | class GraylogInputs: 8 | 9 | def __init__(self): 10 | self._socket = socket.create_connection(_GRAYLOG_INPUT_ADDRESS) 11 | 12 | def send(self, args): 13 | data = dict({'version': '1.1', 'host': 'host', 'short_message': 'short_message'}, **args) 14 | print('Sending {}'.format(data)) 15 | message = '{}\0'.format(json.dumps(data)) 16 | self._socket.send(message.encode()) 17 | 18 | def close(self): 19 | self._socket.close() 20 | 21 | def __enter__(self): 22 | return self 23 | 24 | def __exit__(self, exc_type, exc_value, exc_traceback): 25 | self.close() 26 | -------------------------------------------------------------------------------- /validation/graylog_rest_api.py: -------------------------------------------------------------------------------- 1 | import requests 2 | from urllib import parse 3 | from requests.exceptions import ConnectionError 4 | from gelf_input import GelfInput 5 | 6 | _AUTH = ('admin', 'admin') 7 | _HEADERS = {"X-Requested-By": "test-program"} 8 | _STREAM_ALL_MESSAGES = '000000000000000000000001' 9 | 10 | 11 | class GraylogRestApi: 12 | 13 | def _print(self, message): 14 | print(message, flush=True) 15 | 16 | def _build_url(self, path): 17 | return parse.urljoin('http://127.0.0.1:9000/api/', path) 18 | 19 | def _get(self, path): 20 | url = self._build_url(path) 21 | response = requests.get(url, auth=_AUTH, headers=_HEADERS) 22 | self._print('GET {} => {}'.format(url, response.status_code)) 23 | return response 24 | 25 | def _post(self, path, payload=None): 26 | url = self._build_url(path) 27 | response = requests.post(url, json=payload, auth=_AUTH, headers=_HEADERS) 28 | self._print('POST {} {} => {}'.format(url, payload, response.status_code)) 29 | return response 30 | 31 | def default_deflector_is_up(self): 32 | try: 33 | response = self._get('system/deflector') 34 | body = response.json() 35 | if body['is_up']: 36 | return True 37 | return False 38 | except ConnectionError: 39 | return False 40 | 41 | def create_gelf_input(self): 42 | payload = { 43 | 'configuration': { 44 | 'bind_address': '0.0.0.0', 45 | 'decompress_size_limit': 8388608, 46 | 'max_message_size': 2097152, 47 | 'number_worker_threads': 8, 48 | 'override_source': None, 49 | 'port': 12201, 50 | 'recv_buffer_size': 1048576, 51 | 'tcp_keepalive': False, 52 | 'tls_cert_file': '', 53 | 'tls_client_auth': 'disabled', 54 | 'tls_client_auth_cert_file': '', 55 | 'tls_enable': False, 56 | 'tls_key_file': 'admin', 57 | 'tls_key_password': 'admin', 58 | 'use_null_delimiter': True 59 | }, 60 | 'global': True, 61 | 'title': 'Inputs', 62 | 'type': 'org.graylog2.inputs.gelf.tcp.GELFTCPInput' 63 | } 64 | response = self._post('system/inputs', payload) 65 | identifier = response.json()['id'] 66 | return GelfInput(self, identifier) 67 | 68 | def gelf_input_is_running(self, identifier): 69 | response = self._get('system/inputstates/') 70 | body = response.json() 71 | for state in body['states']: 72 | if state['id'] != identifier: 73 | continue 74 | return state['state'] == 'RUNNING' 75 | return False 76 | 77 | def create_correlation_count(self, threshold, search_query='*', additional_search_query='*', group_by=None, period=5, messages_order='ANY'): 78 | if group_by is None: 79 | group_by = [] 80 | event_definition = { 81 | 'alert': False, 82 | 'config': { 83 | 'type': 'correlation-count', 84 | 'comment': '', 85 | 'execute_every_ms': period*1000, 86 | 'search_within_ms': period*1000, 87 | 'grouping_fields': group_by, 88 | 89 | 'stream': _STREAM_ALL_MESSAGES, 90 | 'threshold': threshold, 91 | 'threshold_type': 'MORE', 92 | 'search_query': search_query, 93 | 'additional_stream': _STREAM_ALL_MESSAGES, 94 | 'additional_threshold': threshold, 95 | 'additional_threshold_type': 'MORE', 96 | 'additional_search_query': additional_search_query, 97 | 98 | 'messages_order': messages_order 99 | }, 100 | 'description': '', 101 | 'field_spec': {}, 102 | 'key_spec': [], 103 | 'notification_settings': { 104 | 'backlog_size': None, 105 | 'grace_period_ms': 0 106 | }, 107 | 'notifications': [], 108 | 'priority': 2, 109 | 'title': 'AAA' 110 | } 111 | self._post('events/definitions', event_definition) 112 | 113 | # TODO simplify this: have only get_events at this level 114 | def _search_events(self): 115 | return self._post('events/search', {}) 116 | 117 | def events_search_is_available(self): 118 | response = self._search_events() 119 | return response.status_code == 200 120 | 121 | def get_events(self): 122 | response = self._search_events() 123 | return response.json() 124 | -------------------------------------------------------------------------------- /validation/graylog_server.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | 3 | 4 | class GraylogServer: 5 | 6 | def __init__(self, docker_compose_path): 7 | self._docker_compose_path = docker_compose_path 8 | self._log_offset = 0 9 | 10 | def start(self): 11 | subprocess.run(['docker', 'compose', 'up', '--detach'], cwd=self._docker_compose_path) 12 | 13 | def extract_all_logs(self): 14 | return subprocess.check_output(['docker', 'compose', 'logs', '--no-color', 'graylog'], cwd=self._docker_compose_path, universal_newlines=True) 15 | 16 | def start_logs_capture(self): 17 | logs = self.extract_all_logs() 18 | self._log_offset = len(logs) 19 | 20 | def extract_logs(self): 21 | logs = self.extract_all_logs() 22 | return logs[self._log_offset:] 23 | 24 | def stop(self): 25 | subprocess.run(['docker', 'compose', 'down'], cwd=self._docker_compose_path) 26 | subprocess.run(['docker', 'volume', 'prune', '--force']) 27 | -------------------------------------------------------------------------------- /validation/requirements.txt: -------------------------------------------------------------------------------- 1 | requests >= 2.26.0, < 3.0.0 2 | -------------------------------------------------------------------------------- /validation/server_timeout_error.py: -------------------------------------------------------------------------------- 1 | 2 | class ServerTimeoutError(Exception): 3 | pass -------------------------------------------------------------------------------- /validation/test.py: -------------------------------------------------------------------------------- 1 | # to create and populate the test venv: 2 | # * python3 -m venv venv 3 | # * source venv/bin/activate 4 | # * pip install -r requirements.txt 5 | # to execute these tests: 6 | # * activate venv 7 | # source ./venv/bin/activate 8 | # * execute tests 9 | # python -m unittest --verbose 10 | # To execute only one test, suffix with the fully qualified test name. Example: 11 | # python -m unittest test.Test.test_send_message_should_trigger_correlation_rule 12 | 13 | from unittest import TestCase 14 | import time 15 | from graylog import Graylog 16 | from server_timeout_error import ServerTimeoutError 17 | 18 | _PERIOD = 5 19 | 20 | 21 | class Test(TestCase): 22 | 23 | def setUp(self) -> None: 24 | self._graylog = Graylog() 25 | self._graylog.start() 26 | 27 | def tearDown(self) -> None: 28 | self._graylog.stop() 29 | 30 | def test_start_should_load_plugin(self): 31 | logs = self._graylog.extract_logs() 32 | self.assertIn('INFO : org.graylog2.bootstrap.CmdLineTool - Loaded plugin: Correlation Count Alert Condition', logs) 33 | 34 | def test_send_message_should_trigger_correlation_rule(self): 35 | self._graylog.create_correlation_count(0, period=_PERIOD) 36 | with self._graylog.create_gelf_input() as inputs: 37 | inputs.send({}) 38 | time.sleep(_PERIOD) 39 | 40 | try: 41 | self._graylog.wait_until_event('correlation-count') 42 | except ServerTimeoutError: 43 | print(self._graylog.get_events()) 44 | events_count = self._graylog.get_events_count() 45 | self.fail(f'Events count: {events_count} (expected 1)') 46 | 47 | def test_send_message_should_trigger_correlation_rule_with_group_by(self): 48 | self._graylog.create_correlation_count(1, group_by=['x'], period=_PERIOD) 49 | with self._graylog.create_gelf_input() as inputs: 50 | inputs.send({'_x': 1}) 51 | inputs.send({'_x': 1}) 52 | time.sleep(_PERIOD) 53 | inputs.send({'short_message': 'pop'}) 54 | 55 | self._graylog.wait_until_event('correlation-count') 56 | 57 | def test_send_message_with_different_values_for_group_by_field_should_not_trigger_correlation_rule_with_group_by(self): 58 | self._graylog.create_correlation_count(1, group_by=['x'], period=_PERIOD) 59 | with self._graylog.create_gelf_input() as inputs: 60 | inputs.send({'_x': 1}) 61 | inputs.send({'_x': 2}) 62 | time.sleep(_PERIOD) 63 | inputs.send({'short_message': 'pop'}) 64 | 65 | time.sleep(20) 66 | self.assertEqual(0, self._graylog.get_events_count('correlation-count')) 67 | 68 | def test_send_message_should_trigger_correlation_rule_with_group_by_when_value_has_a_space__issue27(self): 69 | self._graylog.create_correlation_count(1, group_by=['x'], period=_PERIOD, messages_order='BEFORE') 70 | with self._graylog.create_gelf_input() as inputs: 71 | inputs.send({'_x': 'hello world'}) 72 | inputs.send({'_x': 'hello world'}) 73 | # need to sleep for 1 to be sure that the timestamp of the second message is strictly before the timestamp of the third message 74 | # the precision is only of a millisecond and there is otherwise a risk that the event does not trigger 75 | time.sleep(1) 76 | inputs.send({'_x': 'hello world'}) 77 | inputs.send({'_x': 'hello world'}) 78 | time.sleep(_PERIOD) 79 | inputs.send({'short_message': 'pop'}) 80 | 81 | self._graylog.wait_until_event('correlation-count') 82 | 83 | def test_send_message_should_not_fail_on_correlation_rule_with_group_by_when_value_has_a_double_quote__issue27(self): 84 | self._graylog.create_correlation_count(1, group_by=['x'], period=_PERIOD, messages_order='BEFORE') 85 | with self._graylog.create_gelf_input() as inputs: 86 | self._graylog.start_logs_capture() 87 | inputs.send({'_x': 'hello"world'}) 88 | inputs.send({'_x': 'hello"world'}) 89 | time.sleep(_PERIOD) 90 | inputs.send({'short_message': 'pop'}) 91 | 92 | time.sleep(2*_PERIOD) 93 | logs = self._graylog.extract_logs() 94 | self.assertNotIn('ERROR', logs) 95 | 96 | def test_send_message_should_not_fail_with_out_of_bounds_when_group_by_fields_are_missing__issue34(self): 97 | self._graylog.create_correlation_count(0, group_by=['field1', 'field2'], period=_PERIOD) 98 | with self._graylog.create_gelf_input() as inputs: 99 | self._graylog.start_logs_capture() 100 | inputs.send({}) 101 | inputs.send({}) 102 | 103 | time.sleep(2*_PERIOD) 104 | logs = self._graylog.extract_logs() 105 | self.assertNotIn('Caught an unhandled exception while executing event processor', logs) 106 | self.assertNotIn('| java.lang.IndexOutOfBoundsException:', logs) 107 | 108 | def test_send_message_should_trigger_correlation_rule_with_search_query(self): 109 | self._graylog.create_correlation_count(0, search_query='pop', period=_PERIOD) 110 | with self._graylog.create_gelf_input() as inputs: 111 | inputs.send({'short_message': 'pop'}) 112 | time.sleep(_PERIOD) 113 | 114 | try: 115 | self._graylog.wait_until_event('correlation-count') 116 | except ServerTimeoutError: 117 | print(self._graylog.get_events()) 118 | events_count = self._graylog.get_events_count() 119 | self.fail(f'Events count: {events_count} (expected 1)') 120 | 121 | def test_send_message_should_trigger_correlation_rule_with_search_query_and_additional_search_query(self): 122 | self._graylog.create_correlation_count(0, search_query='pop', additional_search_query='hello*', period=_PERIOD) 123 | with self._graylog.create_gelf_input() as inputs: 124 | inputs.send({'short_message': 'pop', '_x': 'hello world'}) 125 | time.sleep(_PERIOD) 126 | 127 | try: 128 | self._graylog.wait_until_event('correlation-count') 129 | except ServerTimeoutError: 130 | print(self._graylog.get_events()) 131 | events_count = self._graylog.get_events_count() 132 | self.fail(f'Events count: {events_count} (expected 1)') 133 | 134 | def test_send_message_should_not_trigger_correlation_rule_with_search_query(self): 135 | self._graylog.create_correlation_count(0, search_query='pop', period=_PERIOD) 136 | with self._graylog.create_gelf_input() as inputs: 137 | inputs.send({'short_message': 'no_match'}) 138 | time.sleep(_PERIOD) 139 | 140 | try: 141 | self._graylog.wait_until_event('correlation-count') 142 | events_count = self._graylog.get_events_count() 143 | self.fail(f'Events count: {events_count} (expected 0)') 144 | except ServerTimeoutError: 145 | print(self._graylog.get_events()) 146 | -------------------------------------------------------------------------------- /webpack.config.js: -------------------------------------------------------------------------------- 1 | const PluginWebpackConfig = require('graylog-web-plugin').PluginWebpackConfig; 2 | const loadBuildConfig = require('graylog-web-plugin').loadBuildConfig; 3 | const path = require('path'); 4 | 5 | // Remember to use the same name here and in `getUniqueId()` in the java MetaData class 6 | module.exports = new PluginWebpackConfig(__dirname,'com.airbus_cyber_security.graylog.CorrelationCountPlugin', loadBuildConfig(path.resolve(__dirname, './build.config')), { 7 | // Here goes your additional webpack configuration. 8 | }); 9 | --------------------------------------------------------------------------------