Server/webserver.py

import json
from flask import Flask
from flask import request
import sql
import log
import rule
import config
from flask import Flask, render_template, request
import plugin
import logging

app = Flask(
    __name__,
    template_folder="./templates",
    static_folder="./templates",
    static_url_path="",
)
app.jinja_env.variable_start_string = "{.<"
app.jinja_env.variable_end_string = ">.}"


@app.route("/")
def root():
    if request.remote_addr not in config.ALLOW_ACCESS_IP:
        return "Access Denied"
    return render_template("index.html")


@app.route("/static/<path:path>")
def on_vue_static(path):
    if request.remote_addr not in config.ALLOW_ACCESS_IP:
        return "Access Denied"
    return app.send_static_file("./" + path)


@app.route("/plugin/<path:path>")
def on_plugin_access(path):
    if request.remote_addr not in config.ALLOW_ACCESS_IP:
        return "Access Denied"
    return plugin.dispath_html_draw(path)


@app.route("/api/v1/get/plugin_menu")
def plugin_menu():
    if request.remote_addr not in config.ALLOW_ACCESS_IP:
        return "Access Denied"
    return {"data": {"menu": plugin.dispath_html_menu()}}


@app.route("/api/v1/get/threat_statistics", methods=["GET"])
def threat_statistics():
    if request.remote_addr not in config.ALLOW_ACCESS_IP:
        return "Access Denied"
    # sqlite的count啥的还不如自己查出来自己统计
    threat_datas = sql.query_all_threat_log(-1)
    return_data = {"all": len(threat_datas), "confirm": 0,
                   "ingore": 0, "working": 0}
    for iter in threat_datas:
        if iter[9] == 1:
            return_data["confirm"] += 1
        elif iter[9] == 2:
            return_data["ingore"] += 1
        if iter[7] == 0:
            return_data["working"] += 1
    return {"data": return_data}


@app.route("/api/v1/get/process_chain/handle", methods=["GET"])
def handle_chain_data():
    id = request.args.get("id")
    handletype = request.args.get("handletype")
    if request.remote_addr not in config.ALLOW_ACCESS_IP or (
        id is None or handletype is None
    ):
        return "Access Denied"
    sql.handle_threat_log(id, handletype)
    return {"data": {"success": 1}}


@app.route("/api/v1/get/process_chain/delete", methods=["GET"])
def delete_chain_data():
    id = request.args.get("id")
    if request.remote_addr not in config.ALLOW_ACCESS_IP or id is None:
        return "Access Denied"
    sql.delete_threat(id)
    return {"data": {"success": 1}}


@app.route("/api/v1/get/process_chain/pull", methods=["GET"])
def pull_chain_data():
    if request.remote_addr not in config.ALLOW_ACCESS_IP:
        return "Access Denied"
    id = request.args.get("id")
    return_data = {}
    if id is not None:
        threat_data = sql.query_one_threat(id)
        return_data = {
            "host": threat_data[1],
            "chain_hash": threat_data[2],
            "type": threat_data[3],
            "risk_score": threat_data[4],
            "hit_rule": json.loads(threat_data[5]),
            "chain": json.loads(threat_data[6]),
            "is_end": threat_data[7],
        }
    return {"data": return_data}


@app.route("/api/v1/get/process_chain/all")
def process_chain():
    # -1全部 0未处理的 1处理的 2忽略的
    query_type = request.args.get("query_type")
    if request.remote_addr not in config.ALLOW_ACCESS_IP or query_type is None:
        return "Access Denied"
    threat_datas = sql.query_all_threat_log(query_type)
    return_data = []
    for iter in threat_datas:
        return_data.append(
            {
                "host": iter[0],
                "chain_hash": iter[1],
                "hit_rule": json.loads(iter[2]),
                "time": iter[3],
                "type": iter[4],
                "risk_score": iter[5],
                "id": iter[6],
                "is_end": iter[7],
                "start_process": json.loads(iter[8]),
            }
        )
    return {"data": return_data}


@app.route("/api/v1/process", methods=["POST"])
def process():
    if request.method == "POST":
        # print(request.data)
        body_data = request.data.decode()
        # 转小写
        host = request.remote_addr
        log.process_log(host, json.loads(body_data.lower()), body_data)

    return {"status": "success"}


@app.route("/api/v1/log_hunt", methods=["POST"])
def log_rescan():
    if request.remote_addr not in config.ALLOW_ACCESS_IP:
        return "Access Denied"
    start_time = request.args.get("start_time")
    end_time = request.args.get("end_time")
    raw_logs = sql.select_process_raw_log_by_time(
        int(start_time), int(end_time))
    threat_data = log.process_raw_log(raw_logs)
    return {"data": threat_data}


if __name__ == "__main__":
    plugin.reload_plugs()
    sql.init()
    rule.init_rule()

    # 如果你觉得日志太多了,去掉这个注释...
    flask_log = logging.getLogger("werkzeug")
    flask_log.setLevel(logging.ERROR)
    app.run(debug=True, host="127.0.0.1")
init 2022-08-22 20:14:03 +08:00			`import json`
			`from flask import Flask`
			`from flask import request`
			`import sql`
			`import log`
			`import rule`
			`import config`
			`from flask import Flask, render_template, request`
			`import plugin`
			`import logging`

增加日志回扫功能 2022-08-24 18:06:27 +08:00			`app = Flask(`
			`__name__,`
			`template_folder="./templates",`
			`static_folder="./templates",`
			`static_url_path="",`
			`)`
			`app.jinja_env.variable_start_string = "{.<"`
			`app.jinja_env.variable_end_string = ">.}"`
init 2022-08-22 20:14:03 +08:00
增加日志回扫功能 2022-08-24 18:06:27 +08:00
			`@app.route("/")`
init 2022-08-22 20:14:03 +08:00			`def root():`
			`if request.remote_addr not in config.ALLOW_ACCESS_IP:`
			`return "Access Denied"`
			`return render_template("index.html")`


增加日志回扫功能 2022-08-24 18:06:27 +08:00			`@app.route("/static/<path:path>")`
init 2022-08-22 20:14:03 +08:00			`def on_vue_static(path):`
			`if request.remote_addr not in config.ALLOW_ACCESS_IP:`
			`return "Access Denied"`
			`return app.send_static_file("./" + path)`


增加日志回扫功能 2022-08-24 18:06:27 +08:00			`@app.route("/plugin/<path:path>")`
init 2022-08-22 20:14:03 +08:00			`def on_plugin_access(path):`
			`if request.remote_addr not in config.ALLOW_ACCESS_IP:`
			`return "Access Denied"`
			`return plugin.dispath_html_draw(path)`


增加日志回扫功能 2022-08-24 18:06:27 +08:00			`@app.route("/api/v1/get/plugin_menu")`
init 2022-08-22 20:14:03 +08:00			`def plugin_menu():`
			`if request.remote_addr not in config.ALLOW_ACCESS_IP:`
			`return "Access Denied"`
增加日志回扫功能 2022-08-24 18:06:27 +08:00			`return {"data": {"menu": plugin.dispath_html_menu()}}`
init 2022-08-22 20:14:03 +08:00

增加日志回扫功能 2022-08-24 18:06:27 +08:00			`@app.route("/api/v1/get/threat_statistics", methods=["GET"])`
init 2022-08-22 20:14:03 +08:00			`def threat_statistics():`
			`if request.remote_addr not in config.ALLOW_ACCESS_IP:`
			`return "Access Denied"`
			`# sqlite的count啥的还不如自己查出来自己统计`
			`threat_datas = sql.query_all_threat_log(-1)`
Update webserver.py 2022-08-29 20:00:30 +08:00			`return_data = {"all": len(threat_datas), "confirm": 0,`
			`"ingore": 0, "working": 0}`
init 2022-08-22 20:14:03 +08:00			`for iter in threat_datas:`
			`if iter[9] == 1:`
增加日志回扫功能 2022-08-24 18:06:27 +08:00			`return_data["confirm"] += 1`
init 2022-08-22 20:14:03 +08:00			`elif iter[9] == 2:`
增加日志回扫功能 2022-08-24 18:06:27 +08:00			`return_data["ingore"] += 1`
init 2022-08-22 20:14:03 +08:00			`if iter[7] == 0:`
增加日志回扫功能 2022-08-24 18:06:27 +08:00			`return_data["working"] += 1`
			`return {"data": return_data}`
init 2022-08-22 20:14:03 +08:00

增加日志回扫功能 2022-08-24 18:06:27 +08:00			`@app.route("/api/v1/get/process_chain/handle", methods=["GET"])`
init 2022-08-22 20:14:03 +08:00			`def handle_chain_data():`
增加日志回扫功能 2022-08-24 18:06:27 +08:00			`id = request.args.get("id")`
			`handletype = request.args.get("handletype")`
			`if request.remote_addr not in config.ALLOW_ACCESS_IP or (`
			`id is None or handletype is None`
			`):`
init 2022-08-22 20:14:03 +08:00			`return "Access Denied"`
			`sql.handle_threat_log(id, handletype)`
增加日志回扫功能 2022-08-24 18:06:27 +08:00			`return {"data": {"success": 1}}`
init 2022-08-22 20:14:03 +08:00

增加日志回扫功能 2022-08-24 18:06:27 +08:00			`@app.route("/api/v1/get/process_chain/delete", methods=["GET"])`
init 2022-08-22 20:14:03 +08:00			`def delete_chain_data():`
增加日志回扫功能 2022-08-24 18:06:27 +08:00			`id = request.args.get("id")`
init 2022-08-22 20:14:03 +08:00			`if request.remote_addr not in config.ALLOW_ACCESS_IP or id is None:`
			`return "Access Denied"`
			`sql.delete_threat(id)`
增加日志回扫功能 2022-08-24 18:06:27 +08:00			`return {"data": {"success": 1}}`
init 2022-08-22 20:14:03 +08:00

增加日志回扫功能 2022-08-24 18:06:27 +08:00			`@app.route("/api/v1/get/process_chain/pull", methods=["GET"])`
init 2022-08-22 20:14:03 +08:00			`def pull_chain_data():`
			`if request.remote_addr not in config.ALLOW_ACCESS_IP:`
			`return "Access Denied"`
增加日志回扫功能 2022-08-24 18:06:27 +08:00			`id = request.args.get("id")`
init 2022-08-22 20:14:03 +08:00			`return_data = {}`
			`if id is not None:`
			`threat_data = sql.query_one_threat(id)`
			`return_data = {`
增加日志回扫功能 2022-08-24 18:06:27 +08:00			`"host": threat_data[1],`
			`"chain_hash": threat_data[2],`
			`"type": threat_data[3],`
			`"risk_score": threat_data[4],`
			`"hit_rule": json.loads(threat_data[5]),`
			`"chain": json.loads(threat_data[6]),`
			`"is_end": threat_data[7],`
init 2022-08-22 20:14:03 +08:00			`}`
增加日志回扫功能 2022-08-24 18:06:27 +08:00			`return {"data": return_data}`
init 2022-08-22 20:14:03 +08:00

增加日志回扫功能 2022-08-24 18:06:27 +08:00			`@app.route("/api/v1/get/process_chain/all")`
init 2022-08-22 20:14:03 +08:00			`def process_chain():`
			`# -1全部 0未处理的 1处理的 2忽略的`
增加日志回扫功能 2022-08-24 18:06:27 +08:00			`query_type = request.args.get("query_type")`
init 2022-08-22 20:14:03 +08:00			`if request.remote_addr not in config.ALLOW_ACCESS_IP or query_type is None:`
			`return "Access Denied"`
			`threat_datas = sql.query_all_threat_log(query_type)`
			`return_data = []`
			`for iter in threat_datas:`
增加日志回扫功能 2022-08-24 18:06:27 +08:00			`return_data.append(`
			`{`
			`"host": iter[0],`
			`"chain_hash": iter[1],`
			`"hit_rule": json.loads(iter[2]),`
			`"time": iter[3],`
			`"type": iter[4],`
			`"risk_score": iter[5],`
			`"id": iter[6],`
			`"is_end": iter[7],`
			`"start_process": json.loads(iter[8]),`
			`}`
			`)`
			`return {"data": return_data}`


			`@app.route("/api/v1/process", methods=["POST"])`
init 2022-08-22 20:14:03 +08:00			`def process():`
增加日志回扫功能 2022-08-24 18:06:27 +08:00			`if request.method == "POST":`
init 2022-08-22 20:14:03 +08:00			`# print(request.data)`
			`body_data = request.data.decode()`
			`# 转小写`
			`host = request.remote_addr`
			`log.process_log(host, json.loads(body_data.lower()), body_data)`

增加日志回扫功能 2022-08-24 18:06:27 +08:00			`return {"status": "success"}`


			`@app.route("/api/v1/log_hunt", methods=["POST"])`
			`def log_rescan():`
			`if request.remote_addr not in config.ALLOW_ACCESS_IP:`
			`return "Access Denied"`
			`start_time = request.args.get("start_time")`
			`end_time = request.args.get("end_time")`
Update webserver.py 2022-08-29 20:00:30 +08:00			`raw_logs = sql.select_process_raw_log_by_time(`
			`int(start_time), int(end_time))`
增加日志回扫功能 2022-08-24 18:06:27 +08:00			`threat_data = log.process_raw_log(raw_logs)`
			`return {"data": threat_data}`
init 2022-08-22 20:14:03 +08:00

增加日志回扫功能 2022-08-24 18:06:27 +08:00			`if __name__ == "__main__":`
init 2022-08-22 20:14:03 +08:00			`plugin.reload_plugs()`
			`sql.init()`
			`rule.init_rule()`

			`# 如果你觉得日志太多了,去掉这个注释...`
增加日志回扫功能 2022-08-24 18:06:27 +08:00			`flask_log = logging.getLogger("werkzeug")`
init 2022-08-22 20:14:03 +08:00			`flask_log.setLevel(logging.ERROR)`
Update webserver.py 2022-08-29 20:00:30 +08:00			`app.run(debug=True, host="127.0.0.1")`