angolo40 / mikrocata2selks

Mikrotik + Selks (Suricata) + Telegram + TZSP on Debian 12
GNU General Public License v3.0

I also made some changes in the add_to_tick function to suppress the error 'key error' #7

Open bekhzad-khamidullaev opened 1 year ago

bekhzad-khamidullaev commented 1 year ago

I also made some changes in the add_to_tik function to suppress the KeyError.

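def _add_block_entry(address_list, address, comment):
    """Add *address* to ``BLOCK_LIST_NAME`` on the router with ``TIMEOUT``.

    Shared by the first-attempt add and the refresh-after-duplicate path so
    both calls send exactly the same arguments.

    Args:
        address_list: the ``/ip/firewall/address-list`` API path object.
        address: IP address to put on the list.
        comment: free-text comment stored with the entry.
    """
    address_list.add(list=BLOCK_LIST_NAME,
                     address=address,
                     comment=comment,
                     timeout=TIMEOUT)


def add_to_tik(alerts):
    """Push the offending address of each Suricata alert to the RouterOS block list.

    Alerts are de-duplicated on ``src_ip`` (the last record per source wins).
    For each surviving record the chosen address is added to
    ``BLOCK_LIST_NAME`` with ``TIMEOUT``; if the router reports that an entry
    for that address already exists, the old row(s) are removed and the entry
    is re-added so its timeout starts again.

    Args:
        alerts: iterable of Suricata EVE records as dicts.  Every record must
            carry ``src_ip`` (the de-duplication step indexes it directly);
            all other fields are read with ``.get`` and fall back to
            ``"unknown"`` in the comment text instead of raising KeyError.

    Raises:
        librouteros.exceptions.TrapError: re-raised for any router trap other
            than "already have such entry".
    """
    global last_pos
    global api

    _address = Key("address")
    _id = Key(".id")
    _list = Key("list")

    address_list = api.path("/ip/firewall/address-list")
    # NOTE(review): `resources` is never read in this paste; kept so the
    # visible API calls are unchanged.
    resources = api.path("system/resource")

    # NOTE(review): no allow-list or severity filter is visible in this paste.
    # If the project applies one before blocking, confirm it still runs before
    # this loop -- every record that survives the checks below ends up on the
    # firewall list.
    #
    # De-duplicate on src_ip (last record wins).  NOTE(review): when the
    # branch below selects dest_ip as the address to block, two alerts from
    # one source against different destinations collapse to a single entry.
    for event in {item['src_ip']: item for item in alerts}.values():
        if 'alert' not in event:
            print("Event does not contain a key 'alert':", event)
            continue
        alert = event['alert']

        # Read every field defensively so building the comment text can never
        # raise the KeyError this change is meant to remove.
        gid = alert.get('gid', 'unknown')
        signature_id = alert.get('signature_id', 'unknown')
        signature = alert.get('signature', 'unknown')
        timestamp = event.get("timestamp", "unknown")
        proto = event.get("proto", "unknown")

        # NOTE(review): the `if` that decides which end of the flow to block
        # was lost from this paste (the original shows a dangling `else:`).
        # PLACEHOLDER_LOST_CONDITION stands in for it and MUST be replaced
        # with the project's own condition before this code is run.
        if PLACEHOLDER_LOST_CONDITION:
            wanted_ip, wanted_port = event.get("dest_ip"), event.get("src_port")
        else:
            wanted_ip, wanted_port = event["src_ip"], event.get("dest_port")
        if wanted_ip is None:
            # A record without the selected address cannot be blocked; skip it
            # rather than sending "unknown" to the router.
            print("Event has no address to block:", event)
            continue

        # Same text as the original triple-quoted f-string (newlines inside
        # its replacement fields did not reach the output).
        comment = (f"[{gid}:{signature_id}] {signature} ::: Port: "
                   f"{wanted_port}/{proto} ::: timestamp: {timestamp}")

        try:
            _add_block_entry(address_list, wanted_ip, comment)
        except librouteros.exceptions.TrapError as e:
            if "failure: already have such entry" not in str(e):
                raise
            # Duplicate: drop the existing row(s) for this address so the
            # re-add below starts a fresh timeout.
            for row in address_list.select(_id, _list, _address).where(
                    _address == wanted_ip,
                    _list == BLOCK_LIST_NAME):
                address_list.remove(row[".id"])
            # A socket.timeout raised here is NOT caught by the handler below
            # (sibling except clauses do not cover each other).
            _add_block_entry(address_list, wanted_ip, comment)
        except socket.timeout:
            # Reconnect and move on; this alert is dropped, not retried.
            # NOTE(review): `address_list` was built from the old `api` --
            # if connect_to_tik() rebinds `api`, later iterations still use
            # the stale path object.  TODO confirm against connect_to_tik.
            connect_to_tik()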