diff --git a/cmd/dtester/main.go b/cmd/dtester/main.go index 26f19d5f..9c6fa03b 100644 --- a/cmd/dtester/main.go +++ b/cmd/dtester/main.go @@ -63,6 +63,8 @@ func init() { dsiemCmd.Flags().StringP("address", "a", "127.0.0.1", "Dsiem IP address to send events to") dsiemCmd.Flags().IntP("port", "p", 8080, "Dsiem TCP port") dsiemCmd.Flags().StringP("homenet", "i", "192.168.0.1", "IP address to use to represent HOME_NET. This IP must already be defined in dsiem assets configuration") + dsiemCmd.Flags().StringP("srcip", "s", "", "Fixed source IP address to use for all events, put a high value asset here to quickly raise alarms") + dsiemCmd.Flags().StringP("destip", "d", "", "Fixed destination IP address to use for all events, put a high value asset here to quickly raise alarms") dsiemCmd.Flags().IntP("rps", "r", 500, "number of HTTP post request per second") dsiemCmd.Flags().IntP("concurrency", "c", 50, "number of concurrent HTTP post to submit") @@ -76,6 +78,8 @@ func init() { viper.BindPFlag("address", dsiemCmd.Flags().Lookup("address")) viper.BindPFlag("port", dsiemCmd.Flags().Lookup("port")) viper.BindPFlag("homenet", dsiemCmd.Flags().Lookup("homenet")) + viper.BindPFlag("srcip", dsiemCmd.Flags().Lookup("srcip")) + viper.BindPFlag("destip", dsiemCmd.Flags().Lookup("destip")) viper.BindPFlag("rps", dsiemCmd.Flags().Lookup("rps")) viper.BindPFlag("logfile", fbeatCmd.Flags().Lookup("logfile")) @@ -102,7 +106,7 @@ var rootCmd = &cobra.Command{ Short: "Directive rules tester for Dsiem", Long: ` Dtester test directive rules by sending a simulated matching event to dsiem, -either directly or through filebeat and logstash`, +either directly, or through filebeat and logstash`, } var versionCmd = &cobra.Command{ @@ -157,6 +161,8 @@ func toFilebeat(d *siem.Directives, logfile string) { max := viper.GetInt("max") verbose := viper.GetBool("verbose") swg := sizedwaitgroup.New(10) + srcip := viper.GetString("srcip") + destip := viper.GetString("destip") for _, v := range d.Dirs { var prevPortTo int @@ -171,8 +177,6 @@ func toFilebeat(d *siem.Directives, logfile string) { e := event.NormalizedEvent{} e.Sensor = progName e.Title = j.Name - e.SrcIP = genIP(j.From, prevFrom, "") - e.DstIP = genIP(j.To, prevTo, e.SrcIP) e.SrcPort = genPort(j.PortFrom, prevPortFrom, false) e.DstPort = genPort(j.PortTo, prevPortTo, true) e.Protocol = genProto(j.Protocol) @@ -182,6 +186,18 @@ func toFilebeat(d *siem.Directives, logfile string) { e.Category = j.Category e.SubCategory = pickOneFromStrSlice(j.SubCategory) + if destip == "" { + e.DstIP = genIP(j.To, prevTo, e.SrcIP) + } else { + e.DstIP = destip + } + + if srcip == "" { + e.SrcIP = genIP(j.From, prevFrom, "") + } else { + e.SrcIP = srcip + } + prevPortTo = e.DstPort prevPortFrom = e.SrcPort prevFrom = e.SrcIP @@ -209,6 +225,9 @@ func sender(d *siem.Directives, addr string, port int) { rps := viper.GetInt("rps") conc := viper.GetInt("concurrency") verbose := viper.GetBool("verbose") + srcip := viper.GetString("srcip") + destip := viper.GetString("destip") + keepAliveTimeout := 600 * time.Second timeout := 5 * time.Second @@ -235,9 +254,8 @@ func sender(d *siem.Directives, addr string, port int) { amt = max } e := event.NormalizedEvent{} + e.Title = "Dtester event" e.Sensor = progName - e.SrcIP = genIP(j.From, prevFrom, "") - e.DstIP = genIP(j.To, prevTo, e.SrcIP) e.SrcPort = genPort(j.PortFrom, prevPortFrom, false) e.DstPort = genPort(j.PortTo, prevPortTo, true) e.Protocol = genProto(j.Protocol) @@ -247,6 +265,18 @@ func sender(d *siem.Directives, addr string, port int) { e.Category = j.Category e.SubCategory = pickOneFromStrSlice(j.SubCategory) + if destip == "" { + e.DstIP = genIP(j.To, prevTo, e.SrcIP) + } else { + e.DstIP = destip + } + + if srcip == "" { + e.SrcIP = genIP(j.From, prevFrom, "") + } else { + e.SrcIP = srcip + } + prevPortTo = e.DstPort prevPortFrom = e.SrcPort prevFrom = e.SrcIP