added to @kx499s changes that store the payloads as dicts instead as …

…JSON in hpfeeds mongo collection
jatrost · Jun 19, 2015 · 3d7a807 · 3d7a807
1 parent e1db79c
commit 3d7a807
Show file tree

Hide file tree

Showing 16 changed files with 21 additions and 33 deletions.
diff --git a/normalizer/modules/amun_events.py b/normalizer/modules/amun_events.py
@@ -24,7 +24,7 @@ class AmunEvents(BaseNormalizer):
     channels = ('amun.events',)
 
     def normalize(self, data, channel, submission_timestamp, ignore_rfc1918=True):
-        o_data = json.loads(data)
+        o_data = self.parse_record_data(data)
 
         if ignore_rfc1918 and self.is_RFC1918_addr(o_data['attackerIP']):
             return []

diff --git a/normalizer/modules/basenormalizer.py b/normalizer/modules/basenormalizer.py
@@ -19,6 +19,7 @@
 import socket
 import struct
 from urlparse import urlparse
+import json
 
 
 class BaseNormalizer(object):
@@ -75,3 +76,8 @@ def is_RFC1918_addr(self, ip):
 
         return False
 
+    def parse_record_data(self, data):
+        if type(data) is dict:
+            return data
+        else:
+            return json.loads(data)
diff --git a/normalizer/modules/beeswarm_hive.py b/normalizer/modules/beeswarm_hive.py
@@ -24,7 +24,7 @@ class BeeswarmHive(BaseNormalizer):
     channels = ('beeswarm.hive',)
 
     def normalize(self, data, channel, submission_timestamp, ignore_rfc1918=True):
-        o_data = json.loads(data)
+        o_data = self.parse_record_data(data)
 
         if ignore_rfc1918 and self.is_RFC1918_addr(o_data['attacker_ip']):
             return []

diff --git a/normalizer/modules/conpot_events.py b/normalizer/modules/conpot_events.py
@@ -24,7 +24,7 @@ class Conpot(BaseNormalizer):
     channels = ('conpot.events',)
 
     def normalize(self, data, channel, submission_timestamp, ignore_rfc1918=True):
-        o_data = json.loads(data)
+        o_data = self.parse_record_data(data)
 
         if ignore_rfc1918 and self.is_RFC1918_addr(o_data['remote'][0]):
             return []

diff --git a/normalizer/modules/dionaea_capture.py b/normalizer/modules/dionaea_capture.py
@@ -23,11 +23,7 @@ class DionaeaCaptures(BaseNormalizer):
     channels = ('dionaea.capture', 'dionaea.capture.anon', 'dionaea.captures')
 
     def normalize(self, data, channel, submission_timestamp, ignore_rfc1918=True):
-        if type(data) is dict:
-            o_data = data
-        else:
-            o_data = json.loads(data)
-
+        o_data = self.parse_record_data(data)
         if ignore_rfc1918 and self.is_RFC1918_addr(o_data['saddr']):
             return []
 

diff --git a/normalizer/modules/dionaea_connections.py b/normalizer/modules/dionaea_connections.py
@@ -31,10 +31,7 @@ def normalize_ip(self, ip):
             return ip
 
     def normalize(self, data, channel, submission_timestamp, ignore_rfc1918=True):
-        if type(data) is dict:
-            o_data = data
-        else:
-            o_data = json.loads(data)
+        o_data = self.parse_record_data(data)
 
         o_data['remote_host'] = self.normalize_ip(o_data['remote_host'])
         if ignore_rfc1918 and self.is_RFC1918_addr(o_data['remote_host']):

diff --git a/normalizer/modules/elastichoney_events.py b/normalizer/modules/elastichoney_events.py
@@ -23,7 +23,7 @@ class ElastichoneyEvents(BaseNormalizer):
     channels = ('elastichoney.events',)
 
     def normalize(self, data, channel, submission_timestamp, ignore_rfc1918=True):
-        o_data = json.loads(data)
+        o_data = self.parse_record_data(data)
 
         if ignore_rfc1918 and self.is_RFC1918_addr(o_data['source']):
             return []

diff --git a/normalizer/modules/glastopf_events.py b/normalizer/modules/glastopf_events.py
@@ -33,10 +33,7 @@ def __init__(self):
         self.dork_filter = '/headers|favicon.ico|w00tw00t|/robots.txt'
 
     def normalize(self, data, channel, submission_timestamp, ignore_rfc1918=True):
-        if type(data) is dict:
-            o_data = data
-        else:
-            o_data = json.loads(data)
+        o_data = self.parse_record_data(data)
 
         if ignore_rfc1918 and self.is_RFC1918_addr(o_data['source'][0]):
             return []

diff --git a/normalizer/modules/kippo_events.py b/normalizer/modules/kippo_events.py
@@ -23,10 +23,7 @@ class KippoEvents(BaseNormalizer):
     channels = ('kippo.sessions',)
 
     def normalize(self, data, channel, submission_timestamp, ignore_rfc1918=True):
-        if type(data) is dict:
-            o_data = data
-        else:
-            o_data = json.loads(data)
+        o_data = self.parse_record_data(data)
 
         if ignore_rfc1918 and self.is_RFC1918_addr(o_data['peerIP']):
             return []

diff --git a/normalizer/modules/p0f_events.py b/normalizer/modules/p0f_events.py
@@ -37,10 +37,7 @@ def get_metadata(self, o_data, submission_timestamp):
         return metadata
 
     def normalize(self, data, channel, submission_timestamp, ignore_rfc1918=True):
-        if type(data) is dict:
-            o_data = data
-        else:
-            o_data = json.loads(data)
+        o_data = self.parse_record_data(data)
 
         if ignore_rfc1918 and self.is_RFC1918_addr(o_data['client_ip']):
             return []

diff --git a/normalizer/modules/shockpot_events.py b/normalizer/modules/shockpot_events.py
@@ -23,7 +23,7 @@ class ShockpotEvents(BaseNormalizer):
     channels = ('shockpot.events',)
 
     def normalize(self, data, channel, submission_timestamp, ignore_rfc1918=True):
-        o_data = json.loads(data)
+        o_data = self.parse_record_data(data)
 
         if ignore_rfc1918 and self.is_RFC1918_addr(o_data['source_ip']):
             return []

diff --git a/normalizer/modules/snort_alerts.py b/normalizer/modules/snort_alerts.py
@@ -24,7 +24,7 @@ class Snort(BaseNormalizer):
     channels = ('snort.alerts',)
 
     def normalize(self, data, channel, submission_timestamp, ignore_rfc1918=True):
-        o_data = json.loads(data)
+        o_data = self.parse_record_data(data)
 
         if ignore_rfc1918 and self.is_RFC1918_addr(o_data['source_ip']):
             return []

diff --git a/normalizer/modules/suricata_events.py b/normalizer/modules/suricata_events.py
@@ -23,7 +23,7 @@ class Suricata(BaseNormalizer):
     channels = ('suricata.events',)
 
     def normalize(self, data, channel, submission_timestamp, ignore_rfc1918=True):
-        o_data = json.loads(data)
+        o_data = self.parse_record_data(data)
 
         if ignore_rfc1918 and self.is_RFC1918_addr(o_data['source_ip']):
             return []

diff --git a/normalizer/modules/thug_files.py b/normalizer/modules/thug_files.py
@@ -24,7 +24,7 @@ class ThugFiles(BaseNormalizer):
     channels = ('thug.files',)
 
     def normalize(self, data, channel, submission_timestamp, ignore_rfc1918=True):
-        data = json.loads(data)
+        data = self.parse_record_data(data)
         decoded = base64.b64decode(data['data'])
         hashes = super(ThugFiles, self).generate_checksum_list(decoded)
 

diff --git a/normalizer/modules/wordpot_events.py b/normalizer/modules/wordpot_events.py
@@ -24,7 +24,7 @@ class WordpotEvents(BaseNormalizer):
     channels = ('wordpot.events',)
 
     def normalize(self, data, channel, submission_timestamp, ignore_rfc1918=True):
-        o_data = json.loads(data)
+        o_data = self.parse_record_data(data)
 
         if ignore_rfc1918 and self.is_RFC1918_addr(o_data['source_ip']):
             return []

diff --git a/persistance/mnemodb.py b/persistance/mnemodb.py
@@ -116,9 +116,7 @@ def insert_hpfeed(self, ident, channel, payload):
             try:
                 payload = json.loads(payload)
             except ValueError, e:
-                logger.info('insert_hpfeed:payload: could not convert string')
-                pass
-
+                logger.warning('insert_hpfeed: payload was not JSON, storing as a string (ident=%s, channel=%s)', ident, channel)
 
         timestamp = datetime.utcnow()
         entry = {'channel': channel,