shitornot.py

shitornot.py

import sys
import os
import datetime
sys.path.append(os.path.join(os.path.dirname(os.path.abspath(__file__)), '../mozdef/lib'))
from elasticsearch_client import ElasticsearchClient
from query_models import TermMatch, SearchQuery, QueryStringMatch
from utilities.toUTC import toUTC
import pprint

es_client = ElasticsearchClient('http://localhost:9200')

pp = pprint.PrettyPrinter(indent=4)

search_query = SearchQuery(days=1)
search_query.add_must([
    TermMatch('_type', 'nsm'),
    TermMatch('category', 'bro'),
    TermMatch('type', 'ssl')
#    QueryStringMatch('summary:Bugzilla@Mozilla'),
])

results1 = search_query.execute(es_client, size=10000)

for result in results1['hits']:
    search_query = SearchQuery(days=1)
    search_query.add_must([
        TermMatch('_type', 'nsm'),
        TermMatch('category', 'bro'),
        TermMatch('type', 'conn'),
        TermMatch('details.uid', result['_source']['details']['uid'])
    ])

    results2 = search_query.execute(es_client, size=10000)

    rl = len(results2['hits'])
    if rl == 0:
        print('Shit happened - %d results for a matching conn - UID %s' % (len(results2['hits']), result['_source']['details']['uid']))
    if rl > 1:
        print('Shit happened - %d results for a matching conn (expected 1)' % len(results2['hits']))
        pp.pprint(results2)

    if results2['hits']:
        if results2['hits'][0]:
            if results2['hits'][0]['_source']:
                if results2['hits'][0]['_source']['details']:
                    if results2['hits'][0]['_source']['details']['uid']:
                        #print(results2['hits'][0]['_source']['details']['uid'])
                        if result['_source']['details']['uid'] != results2['hits'][0]['_source']['details']['uid']:
                            print("Shit happened")