bicep_utils.models package¶

Submodules¶

bicep_utils.models.ids_base module¶

class app.bicep_utils.models.ids_base.Alert(time=None, source_ip=None, source_port=None, destination_ip=None, destination_port=None, severity=None, type=None, message=None)[source]¶

Bases: object

Class which contains the most important fields of an alert (one line of anomaly). It presents a standardized interface for the different IDS to map their distinct alerts to.

__init__(time=None, source_ip=None, source_port=None, destination_ip=None, destination_port=None, severity=None, type=None, message=None)[source]¶

Initializes an Alert object with optional attributes.

Parameters:

time (str, optional) – Timestamp of the alert.
source_ip (str, optional) – Source IP address.
source_port (str, optional) – Source port number.
destination_ip (str, optional) – Destination IP address.
destination_port (str, optional) – Destination port number.
severity (float, optional) – Severity level of the alert.
type (str, optional) – Type of the alert.
message (str, optional) – Description of the alert.

__str__()[source]¶

Returns a string representation of the alert.

Returns:: str – Readable format of the alert.

classmethod from_json(json_alert: str)[source]¶

Creates an Alert object from a JSON string.

Parameters:: json_alert (str) – JSON representation of an alert.
Returns:: Alert – An instance of the Alert class.

to_dict()[source]¶

Converts the alert object to a dictionary.

Returns:: dict – Dictionary representation of the alert.

to_json()[source]¶

Converts the alert object to a JSON string.

Returns:: str – JSON representation of the alert.

class app.bicep_utils.models.ids_base.IDSBase(container_id: int = None, container_name: str = None, ensemble_id: int = None, pids: list[int] = [], dataset_id: int = None, static_analysis_running: bool = False, send_alerts_periodically_task=None, tap_interface_name: str = None, background_tasks: set = {})[source]¶

Bases: ABC

Abstract base class for all IDS supported by BICEP Each IDS involved needs to inherit from this base class and implement the following methods and attributes

__init__(container_id: int = None, container_name: str = None, ensemble_id: int = None, pids: list[int] = [], dataset_id: int = None, static_analysis_running: bool = False, send_alerts_periodically_task=None, tap_interface_name: str = None, background_tasks: set = {})[source]¶

Constructor of the IDSBase class

Parameters:

container_id (int) – = None,
container_name (str) – = None,
ensemble_id (int) – = None,
pids (list[int]) – = [],
dataset_id (int) – = None,
static_analysis_running (bool) – = False,
send_alerts_periodically_task – = None,
tap_interface_name (str) – = None,
background_tasks (set) – = set(),

abstract property configuration_location¶: Abstract property specifying the configuration location.

abstractmethod async configure(file_path) → str[source]¶

Configures the IDS with the provided configuration file. E.g. placing the configuration in the correct location.

Parameters:: file_path (str) – Path to the configuration file.
Returns:: str – Confirmation message.

abstractmethod async configure_ruleset(file_path) → str[source]¶

Configures the IDS ruleset with the provided file. If not ruleset is required for the IDS, simply return a confirmation message saying so.

Parameters:: file_path (str) – Path to the ruleset file.
Returns:: str – Confirmation message.

abstractmethod async execute_network_analysis_command() → int[source]¶

Method that takes all actions necessary to execute the IDS command for a network analysis on the self.tap_interface.

Returns:: int – Process ID of the spawned IDS process.

abstractmethod async execute_static_analysis_command(file_path: str) → int[source]¶

Executes the IDS command for static analysis using a pcap file.

Parameters:: file_path (str) – Path to the pcap file.
Returns:: int – Process ID of the spawned IDS process.

async finish_static_analysis_in_background()[source]¶

async get_default_interface_name() → str[source]¶

Method to receive the name of the main interface by looking into the ip routes.

Returns:: interface_name (str) – The interface name of the main network interface

abstract property log_location¶: Abstract property specifying the log location.

abstract property parser¶: Abstract property to reference the repsective IDS Parser.

async send_alerts_to_core() → HTTPResponse[source]¶: Method to collect all currently available alerts, parses them and sends them to the Core. The method will erase all logfiles so far after the collection to ensure that the same alerts are not send twice. This method will be executed once after a static analysis.

async send_alerts_to_core_periodically(period: float = 300)[source]¶

Background method to collect all currently available alerts, parses them and sends them to the Core. The method will erase all logfiles so far after the collection to ensure that the same alerts are not send twice. Method stops only when the analysis gets stopped.

Parameters:: period (float) – The period in seconds when to send the next batch to the core

async start_network_analysis() → str[source]¶

Method to start a network anaylsis. Ensures that necessary tap interface is available and that traffic replication has started for that tap interface.

Returns:: str – Confirmation string that the analysis has been started.

async start_static_analysis(file_path)[source]¶

Method to start a static analysis

Parameters:: file_path (str) – The file path to the dataset file to trigger the static analysis on.

async stop_all_processes()[source]¶: Stops all running IDS processes (static or network analysis tasks).

async stop_analysis()[source]¶: Method to stop any analysis by stopping all processes in the background. Afterward, tells the core that the analysis has been comlpeted.

async tell_core_analysis_has_finished() → HTTPResponse[source]¶: Method to tell the Core that the analysis has been finished.

class app.bicep_utils.models.ids_base.IDSParser[source]¶

Bases: ABC

Abstract base class for parsing alerts from IDS logs.

abstract property alert_file_location¶: Abstract property for specifying the location of the alert file.

abstractmethod async normalize_threat_levels(threat: int) → float[source]¶

Normalizes threat levels to a range of 0 to 1.

Parameters:: threat (int) – Threat level from the IDS.
Returns:: float – Normalized threat level rounded to two decimals.

abstractmethod async parse_alerts() → list[Alert][source]¶

Method triggered once after the static analysis is complete or periodically for a network analysis. Takes in the whole file, reads it, parses it, deletes it.

Returns:: list[Alert] – List of parsed alerts.

abstractmethod async parse_line(line) → Alert[source]¶

Parses a single line into an Alert object.

Parameters:: line (str) – A single log line.
Returns:: Alert – Parsed alert object.

timestamp_format = '%Y-%m-%dT%H:%M:%S.%f%z'¶