1 #!/usr/bin/python
2 # -*- encoding: utf-8; py-indent-offset: 4 -*-
3 # +------------------------------------------------------------------+
4 # | ____ _ _ __ __ _ __ |
5 # | / ___| |__ ___ ___| | __ | \/ | |/ / |
6 # | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / |
7 # | | |___| | | | __/ (__| < | | | | . \ |
8 # | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ |
9 # | |
10 # | Copyright Mathias Kettner 2016 mk@mathias-kettner.de |
11 # +------------------------------------------------------------------+
13 # This file is part of Check_MK.
14 # The official homepage is at http://mathias-kettner.de/check_mk.
16 # check_mk is free software; you can redistribute it and/or modify it
17 # under the terms of the GNU General Public License as published by
18 # the Free Software Foundation in version 2. check_mk is distributed
19 # in the hope that it will be useful, but WITHOUT ANY WARRANTY; with-
20 # out even the implied warranty of MERCHANTABILITY or FITNESS FOR A
21 # PARTICULAR PURPOSE. See the GNU General Public License for more de-
22 # tails. You should have received a copy of the GNU General Public
23 # License along with GNU Make; see the file COPYING. If not, write
24 # to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
25 # Boston, MA 02110-1301 USA.
def fireeye_counter_generic(value, what, average):
    """Turn one raw FireEye counter into a (state, infotext, perfdata) tuple.

    value   -- current absolute counter value as read from the device
    what    -- human readable counter name, e.g. 'Infected URL'; it is also
               the source of the rate-store key and of the perfdata variable
    average -- averaging window handed to get_average(); a falsy value
               disables averaging and the plain per-second rate is reported

    Only the 'Bypass' counter can raise the state (CRIT on a non-zero rate);
    every other counter is always reported as OK.
    """
    now = time.time()
    # Rate-store key: description with spaces turned into dots, lower-cased
    # (e.g. 'Infected URL' -> 'fireeye.infected.url').
    counter_key = 'fireeye.%s' % what.replace(' ', '.').lower()
    per_second = get_rate(counter_key, now, value)
    state = 2 if what == 'Bypass' and per_second > 0 else 0
    # The perfdata variable is the first word of the description
    # (e.g. 'infected_rate').
    first_word = what.split(' ')[0].lower()
    perfdata = [('%s_rate' % first_word, per_second)]
    if not average:
        return (state, '%s rate: %.2f mails per second' % (what, per_second), perfdata)
    # NOTE(review): the average key carries a leading space; it is kept
    # verbatim because it names persisted state -- confirm before changing it.
    averaged = get_average(' %s avg' % counter_key, now, per_second, average)
    infotext = '%s rate: %.2f mails per %d second' % (what, averaged * average, average)
    return (state, infotext, perfdata)
49 # .--mail----------------------------------------------------------------.
50 # | |
51 # | __ __ _ _ |
52 # | | \/ | (_) | |
53 # | | \ / | __ _ _| | |
54 # | | |\/| |/ _` | | | |
55 # | | | | | (_| | | | |
56 # | |_| |_|\__,_|_|_| |
57 # | |
58 # '----------------------------------------------------------------------'
60 #.1.3.6.1.4.1.25597.13.1.1.0 2560224
61 #.1.3.6.1.4.1.25597.13.1.2.0 0
62 #.1.3.6.1.4.1.25597.13.1.3.0 2560224
63 #.1.3.6.1.4.1.25597.13.1.4.0 2864
64 #.1.3.6.1.4.1.25597.13.1.5.0 0
65 #.1.3.6.1.4.1.25597.13.1.6.0 2864
66 #.1.3.6.1.4.1.25597.13.1.7.0 2134871
67 #.1.3.6.1.4.1.25597.13.1.8.0 0
68 #.1.3.6.1.4.1.25597.13.1.9.0 2134871
def check_fireeye_mail(_no_item, params, info):
    """Yield rate results for the total / infected / analyzed e-mail counters.

    Uses SNMP columns 0..2 of the single row (feTotalEmailCount,
    feInfectedEmailCount, feAnalyzedEmailCount). params['interval'] is passed
    on as the averaging window; 0 means no averaging.
    """
    columns = info[0][0:3]
    window = params.get('interval', 0)
    labels = ('Total Email', 'Infected Email', 'Analyzed Email')
    for position, label in enumerate(labels):
        # NOTE(review): the e-mail counters are scaled by 60 before the rate is
        # taken, unlike the attachment/URL checks -- confirm the intended unit.
        yield fireeye_counter_generic(int(columns[position]) * 60, label, window)
# Main check: declares the shared SNMP table and the include file for all
# fireeye_mail.* sub-checks below. The list index of each OID suffix is the
# column index used by the check functions (e.g. info[0][13:16]).
check_info['fireeye_mail'] = dict(
    inventory_function=lambda info: inventory_fireeye_generic(info, False, True),
    check_function=check_fireeye_mail,
    service_description='Received Mail Rates',
    group='fireeye_mail',
    snmp_info=(
        '.1.3.6.1.4.1.25597.13.1',
        [
            '1',   # 0  FE-FIREEYE-MIB::feTotalEmailCount
            '4',   # 1  FE-FIREEYE-MIB::feInfectedEmailCount
            '7',   # 2  FE-FIREEYE-MIB::feAnalyzedEmailCount
            '10',  # 3  FE-FIREEYE-MIB::feTotalUrlCount
            '13',  # 4  FE-FIREEYE-MIB::feInfectedUrlCount
            '16',  # 5  FE-FIREEYE-MIB::feAnalyzedUrlCount
            '19',  # 6  FE-FIREEYE-MIB::feTotalAttachmentCount
            '22',  # 7  FE-FIREEYE-MIB::feInfectedAttachmentCount
            '25',  # 8  FE-FIREEYE-MIB::feAnalyzedAttachmentCount
            '28',  # 9  FE-FIREEYE-MIB::feTotalEmailHasAttachment
            '31',  # 10 FE-FIREEYE-MIB::feTotalEmailHasUrl
            '34',  # 11 FE-FIREEYE-MIB::feTotalEmailHasBadAttachment
            '37',  # 12 FE-FIREEYE-MIB::feTotalEmailHasBadUrl
            '50',  # 13 FE-FIREEYE-MIB::feSamplingEmailStartTime
            '51',  # 14 FE-FIREEYE-MIB::feSamplingEmailEndTime
            '52',  # 15 FE-FIREEYE-MIB::feSamplingEmailReceivedRate
        ],
    ),
    snmp_scan_function=scan_fireeye,
    has_perfdata=True,
    includes=['fireeye.include'],
)
108 # .--attachment----------------------------------------------------------.
109 # | |
110 # | _ _ _ _ |
111 # | /\ | | | | | | | | |
112 # | / \ | |_| |_ __ _ ___| |__ _ __ ___ ___ _ __ | |_ |
113 # | / /\ \| __| __/ _` |/ __| '_ \| '_ ` _ \ / _ \ '_ \| __| |
114 # | / ____ \ |_| || (_| | (__| | | | | | | | | __/ | | | |_ |
115 # | /_/ \_\__|\__\__,_|\___|_| |_|_| |_| |_|\___|_| |_|\__| |
116 # | |
117 # '----------------------------------------------------------------------'
119 #.1.3.6.1.4.1.25597.13.1.19.0 3415541
120 #.1.3.6.1.4.1.25597.13.1.20.0 0
121 #.1.3.6.1.4.1.25597.13.1.21.0 3415541
122 #.1.3.6.1.4.1.25597.13.1.22.0 896
123 #.1.3.6.1.4.1.25597.13.1.23.0 0
124 #.1.3.6.1.4.1.25597.13.1.24.0 896
125 #.1.3.6.1.4.1.25597.13.1.25.0 1942580
126 #.1.3.6.1.4.1.25597.13.1.26.0 0
127 #.1.3.6.1.4.1.25597.13.1.27.0 1942580
def check_fireeye_attachment(_no_item, params, info):
    """Yield rate results for the attachment counters.

    Uses SNMP columns 6..8 (feTotalAttachmentCount, feInfectedAttachmentCount,
    feAnalyzedAttachmentCount). params['interval'] is the averaging window;
    0 means no averaging.
    """
    columns = info[0][6:9]
    window = params.get('interval', 0)
    labels = ('Total Attachment', 'Infected Attachment', 'Analyzed Attachment')
    for position, label in enumerate(labels):
        yield fireeye_counter_generic(int(columns[position]), label, window)
# Sub-check: reuses the SNMP table declared on the main 'fireeye_mail' check.
check_info['fireeye_mail.attachment'] = dict(
    inventory_function=lambda info: inventory_fireeye_generic(info, False, True),
    check_function=check_fireeye_attachment,
    service_description='Mails Containing Attachment',
    group='fireeye_mail',
    has_perfdata=True,
)
146 # .--url-----------------------------------------------------------------.
147 # | |
148 # | _ _ _____ _ |
149 # | | | | | __ \| | |
150 # | | | | | |__) | | |
151 # | | | | | _ /| | |
152 # | | |__| | | \ \| |____ |
153 # | \____/|_| \_\______| |
154 # | |
155 # '----------------------------------------------------------------------'
156 #.1.3.6.1.4.1.25597.13.1.10.0 34996161
157 #.1.3.6.1.4.1.25597.13.1.11.0 0
158 #.1.3.6.1.4.1.25597.13.1.12.0 34996161
159 #.1.3.6.1.4.1.25597.13.1.13.0 2011
160 #.1.3.6.1.4.1.25597.13.1.14.0 0
161 #.1.3.6.1.4.1.25597.13.1.15.0 2011
162 #.1.3.6.1.4.1.25597.13.1.16.0 5619681
163 #.1.3.6.1.4.1.25597.13.1.17.0 0
164 #.1.3.6.1.4.1.25597.13.1.18.0 5619681
def check_fireeye_url(_no_item, params, info):
    """Yield rate results for the URL counters.

    Uses SNMP columns 3..5 (feTotalUrlCount, feInfectedUrlCount,
    feAnalyzedUrlCount). params['interval'] is the averaging window;
    0 means no averaging.
    """
    columns = info[0][3:6]
    window = params.get('interval', 0)
    labels = ('Total URL', 'Infected URL', 'Analyzed URL')
    for position, label in enumerate(labels):
        yield fireeye_counter_generic(int(columns[position]), label, window)
# Sub-check: reuses the SNMP table declared on the main 'fireeye_mail' check.
check_info['fireeye_mail.url'] = dict(
    inventory_function=lambda info: inventory_fireeye_generic(info, False, True),
    check_function=check_fireeye_url,
    service_description='Mails Containing URL',
    group='fireeye_mail',
    has_perfdata=True,
)
182 # .--statistics----------------------------------------------------------.
183 # | |
184 # | _____ _ _ _ _ _ |
185 # | / ____| | | | (_) | | (_) |
186 # | | (___ | |_ __ _| |_ _ ___| |_ _ ___ ___ |
187 # | \___ \| __/ _` | __| / __| __| |/ __/ __| |
188 # | ____) | || (_| | |_| \__ \ |_| | (__\__ \ |
189 # | |_____/ \__\__,_|\__|_|___/\__|_|\___|___/ |
190 # | |
191 # '----------------------------------------------------------------------'
192 #.1.3.6.1.4.1.25597.13.1.28.0 1133119
193 #.1.3.6.1.4.1.25597.13.1.29.0 0
194 #.1.3.6.1.4.1.25597.13.1.30.0 1133119
195 #.1.3.6.1.4.1.25597.13.1.31.0 1738052
196 #.1.3.6.1.4.1.25597.13.1.32.0 0
197 #.1.3.6.1.4.1.25597.13.1.33.0 1738053
198 #.1.3.6.1.4.1.25597.13.1.34.0 841
199 #.1.3.6.1.4.1.25597.13.1.35.0 0
200 #.1.3.6.1.4.1.25597.13.1.36.0 841
201 #.1.3.6.1.4.1.25597.13.1.37.0 2007
202 #.1.3.6.1.4.1.25597.13.1.38.0 0
203 #.1.3.6.1.4.1.25597.13.1.39.0 2007
def check_fireeye_mail_statistics(_no_item, params, info):
    """Yield per-minute rates for the 'emails containing ...' counters.

    Uses SNMP columns 9..12 (feTotalEmailHasAttachment, feTotalEmailHasUrl,
    feTotalEmailHasBadAttachment, feTotalEmailHasBadUrl). Each result is
    always OK; params['interval'] (0 = off) enables averaging over that many
    minutes. Unlike fireeye_counter_generic() the rate is reported per minute
    and the perfdata variable is derived from the rate-store key.
    """
    columns = info[0][9:13]
    window = params.get('interval', 0)
    descriptions = (
        'Emails containing Attachment',
        'Emails containing URL',
        'Emails containing malicious Attachment',
        'Emails containing malicious URL',
    )
    for position, description in enumerate(descriptions):
        now = time.time()
        # Key suffix: everything after 'Emails containing', joined and
        # lower-cased (e.g. 'maliciousattachment').
        suffix = ''.join(description.split(' ')[2:]).lower()
        counter_key = 'fireeye.stat.%s' % suffix
        per_second = get_rate(counter_key, now, int(columns[position]))
        per_minute = per_second * 60
        perfdata = [(counter_key.replace('.', '_'), per_minute)]
        if not window:
            yield 0, '%s: %.2f per minute' % (description, per_minute), perfdata
            continue
        averaged = get_average('%s.avg' % counter_key, now, per_second, window)
        infotext = '%s: %.2f per %d minutes' % (description, averaged * 60 * window, window)
        yield 0, infotext, perfdata
# Sub-check: reuses the SNMP table declared on the main 'fireeye_mail' check.
check_info['fireeye_mail.statistics'] = dict(
    inventory_function=lambda info: inventory_fireeye_generic(info, False, True),
    check_function=check_fireeye_mail_statistics,
    service_description='Mail Processing Statistics',
    group='fireeye_mail',
    has_perfdata=True,
)
232 # .--received------------------------------------------------------------.
233 # | |
234 # | _____ _ _ |
235 # | | __ \ (_) | | |
236 # | | |__) |___ ___ ___ ___ _____ __| | |
237 # | | _ // _ \/ __/ _ \ \ \ / / _ \/ _` | |
238 # | | | \ \ __/ (_| __/ |\ V / __/ (_| | |
239 # | |_| \_\___|\___\___|_| \_/ \___|\__,_| |
240 # | |
241 # '----------------------------------------------------------------------'
242 #.1.3.6.1.4.1.25597.13.1.50.0 04/06/17 12:01:04
243 #.1.3.6.1.4.1.25597.13.1.51.0 04/06/17 12:16:03
244 #.1.3.6.1.4.1.25597.13.1.52.0 4282
246 factory_settings['received_levels'] = {'rate': (6000, 7000)}
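def check_fireeye_mail_received(no_item, params, info):
    """Report the mails received in the device's last sampling window.

    SNMP columns 13..15 are feSamplingEmailStartTime, feSamplingEmailEndTime
    (e.g. '04/06/17 12:01:04') and feSamplingEmailReceivedRate. params['rate']
    holds the (warn, crit) levels (factory default: received_levels). The
    level comparison and perfdata are delegated to fireeye_check_generic().
    """
    start, end, received = info[0][13:16]
    warn, crit = params.get('rate')
    # Only the time-of-day part of the device timestamps is shown. The stamps
    # come straight from the device; if one contains no space (e.g. an empty
    # string before the first sample) fall back to the whole string instead
    # of raising IndexError and crashing the check.
    start_time = start.split(' ', 1)[-1]
    end_time = end.split(' ', 1)[-1]
    infotext = 'Mails received between %s and %s: %s' % (start_time, end_time, received)
    perf_counter = 'mail_received_rate'
    # NOTE(review): the * 60 scaling mirrors check_fireeye_mail; the MIB name
    # suggests the raw value is already a rate -- confirm the intended unit.
    received_scaled = int(received) * 60
    return fireeye_check_generic(infotext, perf_counter, received_scaled, warn, crit)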
# Sub-check: reuses the SNMP table declared on the main 'fireeye_mail' check;
# its levels come from factory_settings['received_levels'].
check_info['fireeye_mail.received'] = dict(
    inventory_function=lambda info: inventory_fireeye_generic(info, False, True),
    check_function=check_fireeye_mail_received,
    service_description='Mails Received',
    default_levels_variable='received_levels',
    group='fireeye_mail_received',
    has_perfdata=True,
)