# BASIC HTTP Authentication to NWD nwmodule.nw_http_auth() # NW REST API Query amd results risk_phrase = sys.argv[1] date_t = datetime.today() tdelta = timedelta(days=1) diff = date_t - tdelta diff = "'" + diff.strftime('%Y-%b-%d %H:%M:%S') + "'-'" + date_t.strftime('%Y-%b-%d %H:%M:%S') + "'" threat_ip_dst = 'select risk.warning where (time=%s) && risk.warning contains %s' % (diff, risk_phrase) json_data = json.loads(nwmodule.nwQuery(0, 0, threat_ip_dst, 'application/json', 25)) ip_list = [] print trans_header for d in json_data['results']['fields']: value = d['value'].decode('ascii') if value in ip_list: continue else: # Kind of a hack but hey it works! print """ <Entity Type="netwitness.NWThreatNOIP"> <Value>%s</Value> <AdditionalFields> <Field Name="phrase" DisplayName="Phrase">%s</Field> <Field Name="metaid1" DisplayName="Meta id1">%s</Field> <Field Name="metaid2" DisplayName="Meta id2">%s</Field>
fields = sys.argv[2].split('#') date_t = datetime.today() tdelta = timedelta(days=1) diff = date_t - tdelta diff = "'" + diff.strftime('%Y-%b-%d %H:%M:%S') + "'-'" + date_t.strftime('%Y-%b-%d %H:%M:%S') + "'" for i in fields: if 'ip' in i: parse = i.split('=') ip = parse[1] query = 'select ip.dst where (time=%s) && risk.warning="%s" && ip.src=%s' % (diff, risk_name, ip) else: query = 'select ip.dst where (time=%s) && risk.warning="%s"' % (diff, risk_name) json_data = json.loads(nwmodule.nwQuery(0, 0, query, 'application/json', 25)) ip_list = [] print trans_header for d in json_data['results']['fields']: value = d['value'].decode('ascii') if value in ip_list: continue else: # Kind of a hack but hey it works! print """ <Entity Type="maltego.IPv4Address"> <Value>%s</Value> <AdditionalFields> <Field Name="threat" DisplayName="Threat Name">%s</Field> <Field Name="metaid1" DisplayName="Meta id1">%s</Field> <Field Name="metaid2" DisplayName="Meta id2">%s</Field>
# BASIC HTTP Authentication to NWD nwmodule.nw_http_auth() # NW REST API Query amd results risk_name = sys.argv[1] date_t = datetime.today() tdelta = timedelta(days=1) diff = date_t - tdelta diff = "'" + diff.strftime('%Y-%b-%d %H:%M:%S') + "'-'" + date_t.strftime('%Y-%b-%d %H:%M:%S') + "'" threat_ip_all = 'select ip.dst,ip.src where (time=%s) && risk.warning="%s"' % (diff, risk_name) json_data = json.loads(nwmodule.nwQuery(0, 0, threat_ip_all, 'application/json', 10)) ip_list = [] print trans_header for d in json_data['results']['fields']: value = d['value'].decode('ascii') if value in ip_list: continue else: # Kind of a hack but hey it works! print """ <Entity Type="maltego.IPv4Address"> <Value>%s</Value> <AdditionalFields> <Field Name="threat" DisplayName="Threat Name">%s</Field> <Field Name="metaid1" DisplayName="Meta id1">%s</Field> <Field Name="metaid2" DisplayName="Meta id2">%s</Field>
tdelta = timedelta(days=1) diff = date_t - tdelta diff = "'" + diff.strftime('%Y-%b-%d %H:%M:%S') + "'-'" + date_t.strftime( '%Y-%b-%d %H:%M:%S') + "'" for i in fields: if 'ip' in i: parse = i.split('=') ip = parse[1] query = 'select ip.dst where (time=%s) && risk.warning="%s" && ip.src=%s' % ( diff, risk_name, ip) else: query = 'select ip.dst where (time=%s) && risk.warning="%s"' % ( diff, risk_name) json_data = json.loads(nwmodule.nwQuery(0, 0, query, 'application/json', 25)) ip_list = [] print trans_header for d in json_data['results']['fields']: value = d['value'].decode('ascii') if value in ip_list: continue else: # Kind of a hack but hey it works! print """ <Entity Type="maltego.IPv4Address"> <Value>%s</Value> <AdditionalFields> <Field Name="threat" DisplayName="Threat Name">%s</Field> <Field Name="metaid1" DisplayName="Meta id1">%s</Field> <Field Name="metaid2" DisplayName="Meta id2">%s</Field>
nwmodule.nw_http_auth() # NW REST API Query amd results ip_src = sys.argv[1] date_t = datetime.today() tdelta = timedelta(days=1) diff = date_t - tdelta diff = "'" + diff.strftime('%Y-%b-%d %H:%M:%S') + "'-'" + date_t.strftime( '%Y-%b-%d %H:%M:%S') + "'" threat_ip_dst = 'select ip.dst where (time=%s) && ip.src=%s' % (diff, ip_src) json_data = json.loads( nwmodule.nwQuery(0, 0, threat_ip_dst, 'application/json', 10)) ip_list = [] print trans_header for d in json_data['results']['fields']: value = d['value'].decode('ascii') # Kind of a hack but hey it works! if value in ip_list: continue else: print """ <Entity Type="maltego.IPv4Address"> <Value>%s</Value> <AdditionalFields> <Field Name="ip" DisplayName="IP Source Address">%s</Field> <Field Name="metaid1" DisplayName="Meta id1">%s</Field> <Field Name="metaid2" DisplayName="Meta id2">%s</Field>
# BASIC HTTP Authentication to NWD nwmodule.nw_http_auth() # NW REST API Query amd results ip_src = sys.argv[1] date_t = datetime.today() tdelta = timedelta(days=1) diff = date_t - tdelta diff = "'" + diff.strftime("%Y-%b-%d %H:%M:%S") + "'-'" + date_t.strftime("%Y-%b-%d %H:%M:%S") + "'" threat_ip_dst = "select ip.dst where (time=%s) && ip.src=%s" % (diff, ip_src) json_data = json.loads(nwmodule.nwQuery(0, 0, threat_ip_dst, "application/json", 10)) ip_list = [] print trans_header for d in json_data["results"]["fields"]: value = d["value"].decode("ascii") # Kind of a hack but hey it works! if value in ip_list: continue else: print """ <Entity Type="maltego.IPv4Address"> <Value>%s</Value> <AdditionalFields> <Field Name="ip" DisplayName="IP Source Address">%s</Field> <Field Name="metaid1" DisplayName="Meta id1">%s</Field> <Field Name="metaid2" DisplayName="Meta id2">%s</Field>