def post(self, request):
for indicator in request.POST.getlist('choices'):
indicator_type = discover_type(indicator)
if indicator_type == "domain":
try:
monitor = DomainMonitor.objects.get(domain_name=indicator,
owner=request.user)
except:
pass
else:
monitor.tags.clear()
if indicator_type == "ip":
try:
monitor = IpMonitor.objects.get(ip_address=indicator,
owner=request.user)
except:
pass
else:
monitor.tags.clear()
messages.add_message(request, messages.SUCCESS, self.msg_success)
return redirect('monitor_dashboard')
def post(self, request):
for indicator in request.POST.getlist('choices'):
indicator_type = discover_type(indicator)
if indicator_type == "domain":
try:
DomainMonitor.objects.get(domain_name=indicator,
owner=request.user).delete()
except:
LOGGER.exception("Error deleting domain monitor for value: %s", indicator)
if indicator_type == "ip":
try:
IpMonitor.objects.get(ip_address=indicator,
owner=request.user).delete()
except:
LOGGER.exception("Error deleting IP monitor for value: %s", indicator)
if indicator_type == "other":
try:
CertificateMonitor.objects.get(certificate_value=indicator,
owner=request.user).delete()
except:
LOGGER.exception("Error deleting certificate monitor for value: %s", indicator)
messages.add_message(request, messages.SUCCESS, self.msg_success)
return redirect('monitor_dashboard')
def post(self, request):
for indicator in request.POST.getlist('choices'):
indicator_type = discover_type(indicator)
if indicator_type == "domain":
try:
monitor = DomainMonitor.objects.get(domain_name=indicator,
owner=request.user)
except:
pass
else:
monitor.tags.clear()
if indicator_type == "ip":
try:
monitor = IpMonitor.objects.get(ip_address=indicator,
owner=request.user)
except:
pass
else:
monitor.tags.clear()
messages.add_message(request, messages.SUCCESS, self.msg_success)
return redirect('monitor_dashboard')
def clean_indicator(self):
indicator = self.cleaned_data.get('indicator').strip().lower()
verified_type = discover_type(indicator)
if verified_type:
self.indicator_type = verified_type
if self.indicator_type != "domain" and self.indicator_type != "ip":
raise forms.ValidationError('That is not a valid ip or domain')
return indicator
def post(self, request):
tags = IndicatorTag.objects.filter(tag__in=request.POST.getlist('tags'),
owner=request.user)
if tags:
for indicator in request.POST.getlist('choices'):
indicator_type = discover_type(indicator)
LOGGER.debug("Applying %d tag(s) to %s indicator: %s", len(tags), indicator_type, indicator)
if indicator_type == "domain":
try:
monitor = DomainMonitor.objects.get(domain_name=indicator,
owner=request.user)
except:
LOGGER.exception("Error retrieving domain indicator '%s'", indicator)
else:
for tag in tags:
LOGGER.debug("Adding tag '%s' to domain value: %s", tag, indicator)
monitor.tags.add(tag)
if indicator_type == "ip":
try:
monitor = IpMonitor.objects.get(ip_address=indicator,
owner=request.user)
except:
LOGGER.exception("Error retrieving IP indicator '%s'", indicator)
else:
for tag in tags:
LOGGER.debug("Adding tag '%s' to IP value: %s", tag, indicator)
monitor.tags.add(tag)
if indicator_type == "other":
try:
monitor = CertificateMonitor.objects.get(certificate_value=indicator,
owner=request.user)
except:
LOGGER.exception("Error retrieving certificate indicator '%s'", indicator)
else:
for tag in tags:
LOGGER.debug("Adding tag '%s' to certificate value: %s", tag, indicator)
monitor.tags.add(tag)
messages.add_message(request, messages.SUCCESS, self.msg_success)
return redirect('monitor_dashboard')
def clean_indicators(self):
submission = self.cleaned_data.get('indicators')
indicator_list = re.split(r'[,;|\n\r ]+', submission)
for indicator in indicator_list:
indicator = indicator.rstrip().lower()
indicator_type = discover_type(indicator)
if indicator_type == "domain":
self.valid_domains.append(indicator)
if indicator_type == "ip":
self.valid_ips.append(indicator)
def post(self, request):
for indicator in request.POST.getlist('choices'):
indicator_type = discover_type(indicator)
if indicator_type == "domain":
try:
monitor = DomainMonitor.objects.get(
domain_name=indicator,
domainsubscription__owner=self.request.user)
except:
pass
else:
tag = monitor.tags.get(owner=self.request.user)
monitor.tags.remove(tag)
#monitor.tags.clear()
if indicator_type == "ip":
try:
monitor = IpMonitor.objects.get(
ip_address=indicator,
ipsubscription__owner=request.user)
except:
pass
else:
tag = monitor.tags.get(owner=self.request.user)
monitor.tags.remove(tag)
# monitor.tags.clear()
if indicator_type == "other":
try:
monitor = CertificateMonitor.objects.get(
certificate_value=indicator,
certificatesubscription__owner=self.request.user)
except:
pass
else:
tag = monitor.tags.get(owner=self.request.user)
monitor.tags.remove(tag)
# monitor.tags.clear()
messages.add_message(request, messages.SUCCESS, self.msg_success)
return redirect('monitor_dashboard')
def clean_indicators(self):
submission = self.cleaned_data.get('indicators')
indicator_list = re.split(r'[,;|\n\r ]+', submission)
for indicator in indicator_list:
indicator = indicator.rstrip().lower()
indicator_type = discover_type(indicator)
if indicator_type == "domain":
self.valid_domains.append(indicator)
if indicator_type == "ip":
self.valid_ips.append(indicator)
if indicator_type == "other":
LOGGER.warn("Discarding attempt to add '%s' as an IP or Domain to be monitored", indicator)
raise ValidationError("%s is not a valid IP or Domain" % indicator)
def post(self, request):
for indicator in request.POST.getlist('choices'):
indicator_type = discover_type(indicator)
if indicator_type == "domain":
try:
DomainSubscription.objects.get(
owner=request.user, domain_name=indicator).delete()
CertificateSubscription.objects.get(
owner=request.user, certificate=indicator).delete()
except:
LOGGER.exception(
"Error deleting domain monitor for value: %s",
indicator)
if indicator_type == "ip":
try:
IpSubscription.objects.get(owner=request.user,
ip_address=indicator).delete()
except:
LOGGER.exception("Error deleting IP monitor for value: %s",
indicator)
if indicator_type == "other":
try:
# CertificateMonitor.objects.get(certificate_value=indicator,
# owner=request.user).delete()
# Added by LNguyen 1/18/2017 - Delete the associations but not the certificate data to preserve
# any historical search results
CertificateSubscription.objects.get(
owner=request.user, certificate=indicator).delete()
except Exception as err:
LOGGER.exception(
"Error deleting certificate monitor for value: %s",
indicator, str(err))
messages.add_message(request, messages.SUCCESS, self.msg_success)
return redirect('monitor_dashboard')
def clean_indicators(self):
submission = self.cleaned_data.get('indicators')
indicator_list = re.split(r'[,;|\n\r ]+', submission)
for indicator in indicator_list:
indicator = indicator.rstrip().lower()
indicator_type = discover_type(indicator)
if indicator_type == "domain":
self.valid_domains.append(indicator)
if indicator_type == "ip":
self.valid_ips.append(indicator)
if indicator_type == "other":
LOGGER.warn(
"Discarding attempt to add '%s' as an IP or Domain to be monitored",
indicator)
raise ValidationError("%s is not a valid IP or Domain" %
indicator)
def clean_indicator(self):
indicator = self.cleaned_data.get('indicator').strip().lower()
self.indicator_type = discover_type(indicator)
return indicator
def lookup_threatlabs(indicator):
"""
Created by: Linda Nguyen
Date: Apr2017
Find all passive DNS A type records for a given indicator from Threatlabs.IO
:param indicator: The indicator value for which to search.
:return: A list of passive DNS records and attributes
"""
result = []
api_key = settings.THREATLABS_API_ID
indicator_type = discover_type(indicator)
try:
type = 'A'
# Use this API for ip address type indicators
if indicator_type == "ip":
url = "https://api.threatlabs.io/pdns/rdata/ip/" + indicator
# Else use this API for domain type indicators
elif indicator_type == "domain":
url = "https://api.threatlabs.io/pdns/rrset/name/" + indicator + "/" + type
# Else invalid indicator type, so log error
else:
errmsg = "Indicator invalid for threatlabs API: " + indicator
logger.exception(errmsg)
return result
response = requests.get(url, headers={'X-API-Key': api_key})
if response.status_code == 200:
arrayObj = json.loads(
json.dumps(response.content.decode('utf-8').split()))
newresult = []
result = []
for domainObj in arrayObj:
jsonObj = json.loads(domainObj)
domain = jsonObj["rrname"]
rdata = ''.join(jsonObj["rdata"])
firstseen = datetime.datetime.fromtimestamp(
json.loads(domainObj)["time_first"])
lastseen = datetime.datetime.fromtimestamp(
json.loads(domainObj)["time_last"])
newresult.append({
'ip': rdata,
'domain': domain,
'date': firstseen,
'firstseen': firstseen,
'lastseen': lastseen,
'ip_location': {}
})
result = newresult
else:
errmsg = "Error with ThreatLabs.IO.PDNS: " + str(
response.status_code)
logger.exception(errmsg)
return result
except Exception as e:
print(str(e))
errmsg = "Error with DNSTwist: " + str(e)
logger.exception(errmsg)
return result
def check_type(self, indicator):
return discover_type(indicator)
def post(self, request):
task = request.POST['task_id']
res = GroupResult.restore(task)
if res and not res.ready():
return HttpResponse(json.dumps({"status": "loading"}), content_type="application/json")
# Task completion allows for origin information to be pulled
try:
task_origin = TaskTracker.objects.get(group_id=task)
record_type = task_origin.type
indicator = task_origin.keyword
except MultipleObjectsReturned:
task_origin = TaskTracker.objects.filter(group_id=task).latest('date')
record_type = task_origin.type
indicator = task_origin.keyword
except ObjectDoesNotExist:
record_type = None
indicator = None
# Pull data according to the record type
if record_type == "Recent":
self.template_name = "pivoteer/RecentRecords.html"
# Current hosting records
host_record = IndicatorRecord.objects.recent_hosts(indicator)
# We must lookup the country for each IP address for use in the template.
# We do this outside the task because we don't know the IP addresses until the task completes.
host_records_complete = []
for record in host_record:
info = getattr(record, 'info')
record.location = geolocate_ip(info['ip'])
host_records_complete.append(record)
self.template_vars["current_hosts"] = host_records_complete
# Current WHOIS record
whois_record = IndicatorRecord.objects.recent_whois(indicator)
self.template_vars["current_whois"] = whois_record
# Current ThreatCrowd record
tc_info = IndicatorRecord.objects.recent_tc(indicator)
self.template_vars["tc_info"] = tc_info
cert_info = IndicatorRecord.objects.recent_cert(indicator)
self.template_vars["cert_info"] = cert_info
elif record_type == "Historical":
self.template_name = "pivoteer/HistoricalRecords.html"
# Historical hosting records
host_records = IndicatorRecord.objects.historical_hosts(indicator, request)
# We must lookup the country for each IP address for use in the template.
# We do this outside the task because we don't know the IP addresses until the task completes.
host_records_complete = []
for record in host_records:
info = getattr(record, 'info')
record.location = geolocate_ip(info['ip'])
host_records_complete.append(record)
self.template_vars["hosting_records"] = host_records_complete
# Historical WHOIS records
whois_record = IndicatorRecord.objects.historical_whois(indicator)
self.template_vars["historical_whois"] = whois_record
elif record_type == "Malware":
self.template_name = "pivoteer/MalwareRecords.html"
malware_records = IndicatorRecord.objects.malware_records(indicator)
self.template_vars["malware_records"] = malware_records
self.template_vars["origin"] = indicator
elif record_type == "SafeBrowsing":
safebrowsing_records = IndicatorRecord.objects.safebrowsing_record(indicator)
self.template_name = "pivoteer/Google.html"
self.template_vars["records"] = safebrowsing_records
self.template_vars["google_url"] = settings.GOOGLE_SAFEBROWSING_URL + indicator
self.template_vars["origin"] = indicator
elif record_type == "Search":
self.template_name = "pivoteer/SearchRecords.html"
search_records = IndicatorRecord.objects.get_search_records(indicator)
self.template_vars["search_records"] = search_records
elif record_type == "External":
self.template_name = "pivoteer/ExternalRecords.html"
self.template_vars['indicator'] = indicator
self.template_vars['type'] = discover_type(indicator)
return render(request, self.template_name, self.template_vars)
def clean_indicator(self):
indicator = self.cleaned_data.get('indicator').strip().lower()
self.indicator_type = discover_type(indicator)
return indicator
def check_type(self, indicator):
return discover_type(indicator)
def post(self, request):
task = request.POST['task_id']
res = GroupResult.restore(task)
if res and not res.ready():
return HttpResponse(json.dumps({"status": "loading"}),
content_type="application/json")
# Task completion allows for origin information to be pulled
try:
task_origin = TaskTracker.objects.get(group_id=task)
record_type = task_origin.type
indicator = task_origin.keyword
except MultipleObjectsReturned:
task_origin = TaskTracker.objects.filter(
group_id=task).latest('date')
record_type = task_origin.type
indicator = task_origin.keyword
except ObjectDoesNotExist:
record_type = None
indicator = None
# Pull data according to the record type
if record_type == "Recent":
self.template_name = "pivoteer/RecentRecords.html"
# Current hosting records
host_record = IndicatorRecord.objects.recent_hosts(indicator)
# We must lookup the country for each IP address for use in the template.
# We do this outside the task because we don't know the IP addresses until the task completes.
host_records_complete = []
for record in host_record:
info = getattr(record, 'info')
record.location = geolocate_ip(info['ip'])
host_records_complete.append(record)
self.template_vars["current_hosts"] = host_records_complete
# Current WHOIS record
whois_record = IndicatorRecord.objects.recent_whois(indicator)
self.template_vars["current_whois"] = whois_record
# Current ThreatCrowd record
tc_info = IndicatorRecord.objects.recent_tc(indicator)
self.template_vars["tc_info"] = tc_info
cert_info = IndicatorRecord.objects.recent_cert(indicator)
self.template_vars["cert_info"] = cert_info
elif record_type == "Historical":
self.template_name = "pivoteer/HistoricalRecords.html"
# Historical hosting records
host_records = IndicatorRecord.objects.historical_hosts(
indicator, request)
# We must lookup the country for each IP address for use in the template.
# We do this outside the task because we don't know the IP addresses until the task completes.
host_records_complete = []
for record in host_records:
info = getattr(record, 'info')
record.location = geolocate_ip(info['ip'])
host_records_complete.append(record)
self.template_vars["hosting_records"] = host_records_complete
# Historical WHOIS records
whois_record = IndicatorRecord.objects.historical_whois(indicator)
self.template_vars["historical_whois"] = whois_record
elif record_type == "Malware":
self.template_name = "pivoteer/MalwareRecords.html"
malware_records = IndicatorRecord.objects.malware_records(
indicator)
self.template_vars["malware_records"] = malware_records
self.template_vars["origin"] = indicator
elif record_type == "SafeBrowsing":
safebrowsing_records = IndicatorRecord.objects.safebrowsing_record(
indicator)
self.template_name = "pivoteer/Google.html"
self.template_vars["records"] = safebrowsing_records
self.template_vars[
"google_url"] = settings.GOOGLE_SAFEBROWSING_URL + indicator
self.template_vars["origin"] = indicator
elif record_type == "Search":
self.template_name = "pivoteer/SearchRecords.html"
search_records = IndicatorRecord.objects.get_search_records(
indicator)
self.template_vars["search_records"] = search_records
elif record_type == "External":
self.template_name = "pivoteer/ExternalRecords.html"
self.template_vars['indicator'] = indicator
self.template_vars['type'] = discover_type(indicator)
return render(request, self.template_name, self.template_vars)
