IZ iRddlZddlZddlmZmZmZmZddlmZm Z m Z m Z m Z m Z mZmZmZmZmZddlmZddlmZmZddlmZddlmZmZmZmZddlm Z dd l!m"Z"m#Z#d d d d d dddddddddddZ$Gdde Z%GddeZ&GddeZ'GddeZ(dS)N)DictListOptionalSet) JOINCase CharField CompositeKey FloatFieldForeignKeyField IntegerFieldIntegrityErrorPrimaryKeyField TextFieldprefetch) model_to_dict)Modelinstance)apply_order_by)ControlPanelProtector CpHulkSensor ModsecSensor OssecSensor)Country)IPList IPListPurpose)r#r"r!r rrr ceZdZfdZxZS)_SafeCharFieldcpt|ddS)Nzutf-8ignore)errors)superadaptencode)selfvalue __class__s I/opt/imunify360/venv/lib/python3.11/site-packages/im360/model/incident.pyr2z_SafeCharField.adapt3s)ww}}U\\'(\CCDDD)__name__ __module__ __qualname__r2 __classcell__)r6s@r7r-r-2sAEEEEEEEEEr8r-c feZdZdZeddZedZedZe dZ edZ edZ edZ edZedZeddZeddZGd d ZGd d Zed Ze ddZedeeeeffdZe ddeedeeedeeeeffdZedZ edZ!dS)Incidentz4Security-related events that happened on the server.T) primary_keynullr@ country_id)r@ column_nameN)r@defaultc(eZdZejZdZdZdZdS) Incident.Metaincident))) timestampF))countryFresidentN) r9r:r;rdbdatabasedb_tableindexesschemar8r7MetarFcs(; r8rQc$eZdZedZdS)Incident.OrderByc tttfdtD}t t jtj t t j |dftj t t j |dftj t j ffdfS)Nc3DK|]\}}||dz|z dzz zfVdS)r#NrP).0ossecmodsecmax_ossec_severitys r7 z,Incident.OrderBy.severity..qsd  "E6)A-5)A-//      r8rd) maxossec_to_modsec_severitykeystupleitemsrr>pluginr PLUGIN_IDseverityrr) ossec_casesrYs @r7rczIncident.OrderBy.severityms!$%=%B%B%D%D!E!E     &>%C%C%E%E     KO(1 !2KCC )2 !2KCC&/1BC  r8N)r9r:r; staticmethodrcrPr8r7OrderByrSls-       r8rfc*|jtjk|jtjkz|jtjkz|j|kz|jt jk|jt|kzz|jzSN) rarrbrrrcrr]is_null)clsrcs r7_accept_severityzIncident._accept_severitys Z;#88z%:%DDFz\%;;=<8+ -|55<#;H#EEG l""$$ % r8c |tj}ttttt jtjtjk tj |k| |ztj |kz tj } | "| tj| z} | | tj| tj| ztj| ztj| z} |2| tj|} |#| tj|k} | #| tj| k} | d|Dnd}d}|d| tjD}|||}d|D}|sgS| tj|z} | t1| || } || |} || |} t7| }| |d|Dd}t7|||S)a :param by_country_code: country code in form 'US => United States' :param integer since: unixtime when records is began :param integer to: unixtime when records is ended :param str by_abuser_ip: full or part of IP, used for filtering results by abuser's IP :param str by_list: List of names of the appropriate ip list. Could be 'gray', 'white', 'black'. :param int limit: limits the output with specified number of incidents. The number greater than zero :param int offset: offset for pagination :param int severity: min log level (severity) to return. :param str search: filter results by ip, name, description :param list order_by: sorting orders :param list of str by_domains: filter by panel user domains :param str by_plugin: filter by plugin name, e.g. 'modsec', 'ossec'. N)onc6h|]}|SrP)upper)rVlns r7 z4Incident.get_sorted_incident_list..s * * *BRXXZZ * * *r8c*h|]}|j |jSrPabuserrVrows r7rqz4Incident.get_sorted_incident_list..s2!!!:! !!!r8ch|] \}}|| SrhrP)rVarps r7rqz4Incident.get_sorted_incident_list..s$a"....r8c*h|]}|j |jSrPrs)rVrs r7rqz4Incident.get_sorted_incident_list..s!444a184444r8)timer>selectrjoinr LEFT_OUTERrIidwhererHrkorder_bydescdomainnamecontains descriptionrtcoderadistinct_resolve_abuser_listnamesr`roffsetlimitlistmk_incident_iterator)rjsinceto by_abuser_ipby_listrrrcby_country_code by_domainssearchr by_pluginquerylistname_filterabuser_listnamecandidate_abusersmatched_abusersrowss r7get_sorted_incident_listz!Incident.get_sorted_incident_lists%B :B OOHg . . Th.>'*.LU#u,&&x001%+- Xh(--// 0 0   !KK: =>>E  KK &&v..&//778/**6223/**6223E  #KK 8 8 F FGGE  &KK  ?@@E  KK9 <==E/6.A * *' * * * *t ?C  &!! <<88AACC!!!  ";;!?O.4466O#  KK? BCCE  "8S%88E  LL((E  KK&&EE{{  "!;;444444dOC,,T?CCDDDr8rc#K|D]}|jr||jnd}|r|nd}|rtj|jnd}|j|j|j|j |j |j |j |j |j|||jr'tt!j|jni|jd VdS)N)r) rrarulerHtimesrcrrrtlistnamepurposerIr)rtgetlowerrlistname2purposer5rrarrHretriesrcrrrIrrr)rjrrrvln_upperrrs r7rzIncident.mk_incident_iterators   C:=*N**3:666$H+3=x~~'''H .x88>>  f* ]L"*$";= )D)D)DEEE*      r8abusersrreturnc|siStjtjtjtjtjtj}|?|tjt|}dtj Dfd|D}i}|D]s} tj |}n#t$rd||<Y)wxYwd\}} |j} |D]2\} } } | j| kr| | kr|| r| | } }3|||<t|S)uEReturn ``{abuser_ip: highest-priority IPList listname covering it}``. ``None`` value if the abuser is not in any (allowed) list. One SQL fetch of the candidate IPList rows + Python containment via :py:meth:`ipaddress.IPv4Network.subnet_of` — avoids issuing one DB query per abuser. Nci|]\}}|| SrPrP)rVprps r7 z6Incident._resolve_abuser_listnames..OsAAAeaBAAAr8c`g|]*}|j|j|jdf+S)) ip_networkrr)rVrvprioritys r7 z6Incident._resolve_abuser_listnames..PsD   ^S\8<< b+I+I J   r8)Nr)rr|network_addressnetmaskversionrr is_expiredin_rIP_LIST_PRIORITIES ipaddressr ValueError subnet_of)rjrrqiplist_entriesresultrt abuser_netbest best_prioabuser_versionrow_net row_listnamerow_priors @r7rz"Incident._resolve_abuser_listnames3s I M  " N N O   %"$$$ % %  &++D,A,ABBCCA BAv'@AAA        ,. " "F &1&99    !%v 'OD)'/N3A = =/x?n44y((''00=&2H)D!F6NN sC++C=<C=c*d}tj5tdt ||D]9}t ||||z: ddddS#1swxYwYdS)N2r)rrKatomicrangelenr> insert_manyexecute)datanum_rowsidxs r7save_incident_listzIncident.save_incident_lisths [   ! ! K KQD 844 K K$$T#h*>%?@@HHJJJJ K K K K K K K K K K K K K K K K K K KsABB B cdd|vr$||j|dk}d|vr$||j|dk}d|vr$||j|dk}d|vr3||j|d}|S)Nrip attack_typer)rrrtrrr)rjrkwargss r7_add_common_filterszIncident._add_common_filtersps v  KK fX.> >??E 6>>KK fTl :;;E F " "KKF=,A ABBE F " "KK(( )>??E r8) NNNNNNNNNNNNrh)"r9r:r;__doc__r rr rarr rHrrcrr-rrtrIrrrQrf classmethodrkrrstrrrrrrerrrPr8r7r>r>7sz>> $T 2 2 2B YD ! ! !F 9$   D %%%Il%%%G |&&&H 9$   D .d+++K YD ! ! !FiT|<</322S2"#c(+2 c8C= ! 222[2hKK\K  [   r8r>c"eZdZdZGddZeZedZedZ e dZ e de efdZe dd Ze d Ze d Ze dd Ze dZdS) DisabledRulez'Provides a way to ignore certain rules.c$eZdZejZdZdZdS)DisabledRule.Metadisabled_rules))rarule_idTN)r9r:r;rrKrLrMrNrPr8r7rQrs;#2r8rQFrArcDfdDS)Nczg|]7}jj|jjj|jjj|ji8SrP)rarr)rVrrjs r7rz(DisabledRule.as_list..sO       $, ty    r8)r|)rjs`r7as_listzDisabledRule.as_lists8         r8Nc |||}|jr|d|jDvSdS#|j$rYnwxYwdS)Nrc3$K|] }|jV dSrhrrVds r7rZz/DisabledRule.is_rule_ignored..s$!?!?q!(!?!?!?!?!?!?r8TF)rdomains DoesNotExist)rjrarrdrs r7is_rule_ignoredzDisabledRule.is_rule_ignoredso 88Bz !?!?BJ!?!?!???t    D us05 AAc||jttj|j|ktjdz z }d|DS)Ncg|] }|d SrrPrus r7rz4DisabledRule.get_global_disabled..0003I000r8) r|rr}DisabledRuleDomainrr~rrardicts)rjrars r7get_global_disabledz DisabledRule.get_global_disabledst JJs{ # # T$do 6 6 Uv%*<*Ct*KLUWW 10%0000r8c||jt|j|ktj|k}d|DS)Ncg|] }|d SrrPrus r7rz4DisabledRule.get_domain_disabled..rr8)r|rr}rrrarr)rjrarrs r7get_domain_disabledz DisabledRule.get_domain_disabledsf JJs{ # # T$ % % U3:');)Bf)L M M UWW  10%0000r8rc||j|j||}|t |||}t}t||}g}| d}|D]H} | j| j| j dd} | j rd| j D| d<| | I||fS)NT) clear_limit)rarrrcg|] }|j SrPrrs r7rz&DisabledRule.fetch..s"B"B"B18"B"B"Br8r) r|rrarrrrrrcountrrappend) rjrrr rules_query domains_queryrules_with_domains_queryr max_countritems r7fetchzDisabledRule.fetchs JJLL Xcj#+ . . U5\\ VF^^   (3 DDK*1133 #+K#G#G %%$%77 , D+l  D| C"B"BT\"B"B"BY MM$    &  r8c t|||}|D]}t||dS#t $rt||}|r)|D]#}t|j|$YdSt tj |jkYdSwxYw)N)rarr)disabled_rule_id_idrr) rinsertrrcreaterr create_or_getrdeleterr)r4rarrr inserted_idrrs r7storezDisabledRule.stores9 &--r.gii   "))(3A*     !!!<rrrPr8r7rsx ,,,,,,,,,,,,                          .-----11111111?????? ('''''66666666       &EEEEEYEEE EEEEEuEEEP nnnnn5nnnbDDDDDDDDDDr8