Information Security Monitoring System

isms

Introduction

Alert Management is a component of ISMS, the Information Security Management System. This component is responsible for collecting alerts from different sources and lets the administrator manage them. Alert sources and Alert managers function as clients and servers respectively.

The Alert sources are referred to as Alert Generators (AG) hereafter. Alert generators submit their alerts to the centralized ISMS alert collector. They are independent clients, each representing a class of sources categorized by the types of alerts it generates.

The Alert collector is responsible for collecting, displaying and managing alerts. It collects and registers the alerts generated by the Alert Generators; the Alert manager provides a UI for displaying the alerts.

Folder structure

isms

  1. isms

    1. settings.py

    2. urls.py

  2. alertcollector

    1. models.py

    2. views.py

    3. urls.py

  3. functions

    1. client.py

  4. logs

    1. client.log

    2. server.log

  5. config

    1. server

      1. server_conf.ini

    2. client

      1. key.py

API

  1. API

    1. settings.py

    2. urls.py

  2. server

    1. models.py

    2. views.py

    3. urls.py

  3. functions

    1. client.py

  4. config

    1. client

      1. client_conf.ini

    2. server

      1. server_conf.ini

  5. manage.py

ISMS

isms

Configurations of the django server

settings.py

Contains the settings of the Django server and the apps used by the server. ISMS uses a PostgreSQL database backend and the alertcollector app.

urls.py

Contains the valid URLs at which alert generators can communicate with the central server.

alertcollector

Alert generator models and alert collector views that respond to the requests sent by the alert generator API.

models.py

Contains the alert generator, alert group and alert class models.

Alert generator Model

|===
|Attribute |DataType |Description
|alert_gen_id |int |ID of alert generator
|alert_gen_name |str |Name of alert generator
|alert_gen_author |str |Author of alert generator
|deleted |boolean |Indicates whether generator is deleted
|alert_gen_ip |str |IP address of alert generator
|alert_gen_key |int |Unique key of alert generator
|===

Alert group Model

|===
|Attribute |DataType |Description
|alert_group_id |int |ID of alert group
|alert_group_name |str |Name of alert group
|alert_group_description |str |Details of alert group
|alert_gen |alert generator |Foreign key to alert generator
|deleted |boolean |Indicates whether alert group is deleted
|===

Alert class Model

|===
|Attribute |DataType |Description
|alert_class_id |int |ID of the alert class
|alert_class_name |str |Name of alert class
|alert_class_description |str |Description of alert class
|alert_class_help |str |Help information of alert class
|alert_class_syntax |str |Syntax of alert class
|alert_class_filter_syntax |str |Filtering syntax of alert class
|alert_class_parent |str |Parent alert class (if any)
|alert_group |alert group |Foreign key to alert group
|is_operator |boolean |Indicates whether class is operator
|is_filter |boolean |Indicates whether it can be filtered
|deleted |boolean |Indicates whether alert class is deleted
|===

views.py

Contains the methods to respond to requests like registering alert generators.

Methods

The main views in views.py are:

|===
|Method |Return Type |Parameters |Description
|add_generator |response(str) |request(HTTP) |Registers alert generator in database
|verify_generator |response(str) |request(HTTP) |Verifies alert generator
|update_generator |response(str) |request(HTTP) |Updates alert generator properties
|delete_generator |response(str) |request(HTTP) |Deletes alert generator from database
|add_group |response(str) |request(HTTP) |Registers alert group in database
|verify_group |response(str) |request(HTTP) |Verifies alert group
|update_group |response(str) |request(HTTP) |Updates alert group properties
|delete_group |response(str) |request(HTTP) |Deletes alert group from database
|add_class |response(str) |request(HTTP) |Registers alert class in database
|===

Response example

VIEW

add_generator()

RESPONSE SENT

{"status": "Generator already exists", "code": 200}

urls.py

Contains the valid URLs at which the alert generators can communicate with the views of the alertcollector app.

functions

Client functions of the alert collector.

client.py

Contains functions for the alert collector to send requests to alert generators, such as instantiating an alert generator and profiling an alert generator.

Methods

The main methods of client.py are:

|===
|Method |Return Type |Parameters |Description
|get_ip |ip(str) |name(str) |Retrieves IP of generator from database
|instantiate_alert_generator |response(str) |gen_name(str), alert_class_id(int), alert_id(int), args(dict) |Sends alert instantiation request to generator
|profile_alert_generator |response(str) |gen_name(str), alert_class_id(int), alert_id(int), args(dict) |Sends alert profiling request to generator
|===

Parameters

The parameters for the methods are:

|===
|Parameter |Description
|gen_name |Name of the alert generator
|alert_class_id |ID of the alert group
|alert_id |ID of the alert class instance
|args |dict of the attributes of instance
|===

Function call example

FUNCTION

instantiate_alert_generator("HIDS","TCP_MISSING","12133",{"port":"80"})

RESPONSE RECEIVED

{"status":"alert generator instantiated","code":200}

config

Files to generate the API for the alert generators.

client

Files to generate the API for the alert generators.

key.py

IMPORTANT: Required for authentication. It must be kept private to the alert collector.

Function that generates a unique key and a copy of the API for the newly registered alert generator; the key is used for all further communication between the alert generator and the alert collector.

server

server_conf.ini

INI file for storing the database configuration of the alert collector.

|===
|Parameter |Description
|name |Name of the alert collector database
|user |Username of PostgreSQL database backend
|password |Password of PostgreSQL database backend
|===

logs

Activity logs of the client and server of the alert collector.

LEVELS

Levels of severity of the log records:

  1. DEBUG

  2. INFO

  3. WARNING

  4. ERROR

client.log

Records logs about the client communication with the alert generators.

Wed, 16 Jul 2014 12:20:05 INFO Sending POST Request to alert generator HIDS

server.log

Records logs about the server communication with the alert generators.

Tue, 15 Jul 2014 15:55:48 INFO Successfully registered alert class TCPPORT_MISSING
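As an added example (not code from the isms project), a small parser for the client.log / server.log record format shown above, with a severity filter over the LEVELS list; the sample lines are constructed for this example and the NIDS generator is invented:

```python
import re
from datetime import datetime

# Severity order used by client.log and server.log (lowest to highest).
LEVELS = ["DEBUG", "INFO", "WARNING", "ERROR"]

# One record per line: "<Day>, <DD> <Mon> <YYYY> <HH:MM:SS> <LEVEL> <message>"
_LINE = re.compile(
    r"^(?P<ts>\w{3}, \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<level>DEBUG|INFO|WARNING|ERROR) (?P<msg>.*)$"
)


def parse_line(line):
    """Return (timestamp, level, message), or None for a line that does not
    match the record format (such lines should be surfaced, not dropped)."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a, %d %b %Y %H:%M:%S")
    return ts, m.group("level"), m.group("msg")


def records_at_least(lines, threshold):
    """Yield parsed records whose level is at or above `threshold`."""
    floor = LEVELS.index(threshold)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and LEVELS.index(rec[1]) >= floor:
            yield rec


def generators_needing_attention(lines):
    """Names of alert generators mentioned in WARNING or ERROR records, e.g.
    one that stopped answering the collector's POST requests."""
    names = set()
    for _, _, msg in records_at_least(lines, "WARNING"):
        m = re.search(r"alert generator (\S+)", msg)
        if m:
            names.add(m.group(1))
    return sorted(names)


# Constructed sample lines in the format of the client.log / server.log
# records above; the NIDS generator and the "No response" line are made up.
SAMPLE_LOG = """\
Wed, 16 Jul 2014 12:20:05 INFO Sending POST Request to alert generator HIDS
Wed, 16 Jul 2014 12:20:06 DEBUG Response received from alert generator HIDS
Wed, 16 Jul 2014 12:21:10 ERROR No response from alert generator NIDS
Tue, 15 Jul 2014 15:55:48 INFO Successfully registered alert class TCPPORT_MISSING
garbage line without a level
"""
```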

manage.py

Handles the functioning of the Django server of the alert collector.

API

API

settings.py

Contains the settings of the Django server and the apps used by the API. The API uses the server app and the functions provided by the alert generator to respond to requests.

urls.py

Contains the valid URLs at which the alert collector can communicate with the API server.

server

views.py

Contains the methods to respond to requests like instantiating alert generators.

Methods

The views of the alert generator API are:

|===
|Method |Return Type |Parameters |Description
|instance_create |response(str) |request(HTTP) |Instantiating the alert generator
|alert_profile |response(str) | |
|===

functions

client.py

|===
|Method |Return Type |Parameters |Description
|get_server_ip |ip(str) |- |Retrieves the IP of alert collector from server_conf.ini file
|register_alert_generator |response(str) |name(str), author(str), ip(str), key(int) |Registering alert generator
|verify_alert_generator |response(str) |name(str), author(str), ip(str), key(int) |Verifying alert generator
|update_alert_generator |response(str) |name(str), author(str), ip(str), key(int), args(dict) |Updating properties of alert generator
|delete_alert_generator |response(str) |name(str), author(str), ip(str), key(int) |Deleting alert generator
|register_alert_group |response |name(str), desc(str), gen(name), author(str), ip(str), key(int) |Registering alert group
|verify_alert_group |response |name(str), desc(str), gen(name), author(str), ip(str), key(int) |Verifies alert group
|update_alert_group |response |name(str), desc(str), gen(name), author(str), ip(str), key(int), args(dict) |Updates properties of alert group
|delete_alert_group |response |name(str), desc(str), gen(name), author(str), ip(str), key(int) |Deletes alert group
|register_alert_class | |name(str), desc(str), help(str), syntax(str), filter(str), parent(str), group(str), ip(str), key(int) |Registers the alert class
|===

Parameters

The parameters of the functions are:

|===
|Parameter |Description
|name |Name of alert generator/group/class
|author |Author of alert generator who registered it
|ip |IP address of the alert generator author
|key |Key provided by alert collector during registration
|desc |Description of alert group
|gen |Generator to which the alert group belongs
|group |Group to which the alert class belongs
|help |Help information about the alert class
|syntax |Syntax regarding the alert class
|filter |Class can be filtered (empty string means False)
|parent |Parent alert class of the alert class
|===

Function call example

FUNCTION

register_alert_generator("HIDS","admin","127.0.0.1",2345325)

RESPONSE RECEIVED

{"status": "Generator already exists", "code": 200}
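As an added illustration (not code from the isms project), the registration and verification contract that key.py and register_alert_generator describe, written as plain Python over an in-memory table instead of the PostgreSQL models: the key is minted with `secrets`, re-registering a known name returns "Generator already exists" rather than a fresh key, and verification compares the presented key in constant time. The status strings other than "Generator already exists", the 403/404 codes and the soft-delete behaviour are assumptions of this example.

```python
import hmac
import secrets

# In-memory stand-in for the alert generator table (the project keeps these
# rows in PostgreSQL through the alertcollector models). Constructed example.
_generators = {}


def generate_key():
    """Mint a fresh random key; an int, matching the alert_gen_key field."""
    return secrets.randbits(64)


def register_alert_generator(name, author, ip):
    """Follow the add_generator contract: reply with {"status": ..., "code": ...}.

    Generators are identified by name, so a repeated registration must not
    mint a new key: otherwise anyone who knows a name could re-register it
    and take over that generator's identity.
    """
    if name in _generators:
        return {"status": "Generator already exists", "code": 200}
    key = generate_key()
    _generators[name] = {"author": author, "ip": ip, "key": key, "deleted": False}
    # The key is handed back once, at registration, and never shown again.
    return {"status": "Generator registered", "code": 200, "key": key}


def verify_alert_generator(name, author, ip, key):
    """Follow the verify_generator contract: name, author, IP and key must all
    match a live row. Status strings and the 403/404 codes are assumed here."""
    row = _generators.get(name)
    if row is None or row["deleted"]:
        return {"status": "Generator not found", "code": 404}
    if row["author"] != author or row["ip"] != ip:
        return {"status": "Generator details do not match", "code": 403}
    # Constant-time comparison: a plain != would let response timing reveal
    # how much of the key prefix was correct.
    if not hmac.compare_digest(str(row["key"]).encode(), str(key).encode()):
        return {"status": "Invalid key", "code": 403}
    return {"status": "Generator verified", "code": 200}


def delete_alert_generator(name, author, ip, key):
    """Soft-delete (set the `deleted` flag), but only after the caller has
    proved it holds the generator's key."""
    result = verify_alert_generator(name, author, ip, key)
    if result["code"] != 200:
        return result
    _generators[name]["deleted"] = True
    return {"status": "Generator deleted", "code": 200}
```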

config

Configuration files of the alert generator and alert collector.

client

Client configuration, such as the path to the functions that instantiate alerts.

client_conf.ini

INI file to store the configuration of the alert generator.

|===
|Parameter |Description
|name |Name of the alert generator
|functions |Path to the functions of the alert generator
|===

server

Server configuration.

server_conf.ini

INI file for storing the configuration of the alert collector.

|===
|Parameter |Description
|name |Name of the alert collector
|ip |IP address of the alert collector to send requests for alert registration
|===

manage.py

Handles the functioning of the Django server of the alert generator.

Author: Maniteja
Date: July 2014