Beispiel #1
0
 def __init__(self):
     config_file_path = os.path.dirname(
         os.path.abspath(__file__)) + "/config.yml"
     config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
               if os.path.isfile(config_file_path) else {})
     self.helper = OpenCTIConnectorHelper(config)
     self.lastinfosec_url = get_config_variable("CONFIG_LIS_URL",
                                                ["lastinfosec", "api_url"],
                                                config)
     self.lastinfosec_apikey = get_config_variable(
         "CONFIG_LIS_APIKEY", ["lastinfosec", "api_key"], config)
     self.opencti_url = get_config_variable("OPENCTI_URL",
                                            ["opencti", "url"], config)
     self.opencti_id = get_config_variable("OPENCTI_TOKEN",
                                           ["opencti", "token"], config)
     self.update_existing_data = True
     self.api = OpenCTIApiClient(self.opencti_url, self.opencti_id)
Beispiel #2
0
    def __init__(self):
        # Instantiate the connector helper from config
        config_file_path = os.path.dirname(
            os.path.abspath(__file__)) + "/../config.yml"
        config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
                  if os.path.isfile(config_file_path) else {})
        # Extra config
        self.confidence_level = get_config_variable(
            "CONNECTOR_CONFIDENCE_LEVEL",
            ["connector", "confidence_level"],
            config,
        )
        self.update_existing_data = get_config_variable(
            "CONNECTOR_UPDATE_EXISTING_DATA",
            ["connector", "update_existing_data"],
            config,
        )
        self.BASE_URL = get_config_variable("valhalla_BASE_URL",
                                            ["valhalla", "base_url"], config)
        self.API_KEY = get_config_variable("valhalla_API_KEY",
                                           ["valhalla", "auth_key"], config)
        self.INTERVAL_SEC = get_config_variable("valhalla_INTERVAL_SEC",
                                                ["valhalla", "interval_sec"],
                                                config)

        self.helper = OpenCTIConnectorHelper(config)
        self.helper.log_info(f"loaded valhalla config: {config}")

        # If we run without API key we can assume all data is TLP:WHITE else we
        # default to TLP:AMBER to be safe.
        if self.API_KEY == "" or self.API_KEY is None:
            self.default_marking = self.helper.api.marking_definition.read(
                id=TLP_WHITE["id"])
            self.valhalla_client = ValhallaAPI()
        else:
            self.default_marking = self.helper.api.marking_definition.read(
                id=TLP_AMBER["id"])
            self.valhalla_client = ValhallaAPI(api_key=self.API_KEY)

        self.knowledge_importer = KnowledgeImporter(
            self.helper,
            self.confidence_level,
            self.update_existing_data,
            self.default_marking,
            self.valhalla_client,
        )
Beispiel #3
0
    def __init__(self):
        """Read in config variables"""

        config_file_path = os.path.dirname(os.path.abspath(__file__))
        config_file_path += "/config.yml"
        config = (yaml.load(open(config_file_path), Loader=yaml.SafeLoader)
                  if os.path.isfile(config_file_path) else {})
        self.helper = OpenCTIConnectorHelper(config)
        # Extra config
        self.username = get_config_variable("TAXII2_USERNAME",
                                            ["taxii2", "username"], config)
        self.password = get_config_variable("TAXII2_PASSWORD",
                                            ["taxii2", "password"], config)
        self.is_v21 = get_config_variable("TAXII2_V21", ["taxii2", "v2.1"],
                                          config)
        if self.is_v21:
            global Server, ApiRoot
            from taxii2client.v21 import Server, ApiRoot

        self.server_url = get_config_variable("TAXII2_SERVER_URL",
                                              ["taxii2", "server_url"], config)
        discovery_tail = "taxii/" if not self.is_v21 else "taxii2/"
        self.discovery_url = os.path.join(self.server_url, discovery_tail)

        self.collections = get_config_variable("TAXII2_COLLECTIONS",
                                               ["taxii2", "collections"],
                                               config).split(",")

        self.initial_history = get_config_variable(
            "TAXII2_INITIAL_HISTORY", ["taxii2", "initial_history"], config,
            True)

        self.per_request = get_config_variable("TAXII2_PER_REQUEST",
                                               ["taxii2", "per_request"],
                                               config, True)

        self.interval = get_config_variable("TAXII2_INTERVAl",
                                            ["taxii2", "interval"], config,
                                            True)

        self.update_existing_data = get_config_variable(
            "CONNECTOR_UPDATE_EXISTING_DATA",
            ["connector", "update_existing_data"],
            config,
        )
    def __init__(self):
        # Instantiate the connector helper from config
        config_file_path = "{}/config.yml".format(
            os.path.dirname(os.path.abspath(__file__)))

        config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
                  if os.path.isfile(config_file_path) else {})
        self.helper = OpenCTIConnectorHelper(config)

        # Connector Config
        self.confidence_level = get_config_variable(
            "CONNECTOR_CONFIDENCE_LEVEL",
            ["connector", "confidence_level"],
            config,
            isNumber=True,
        )
        self.update_existing_data = get_config_variable(
            "CONNECTOR_UPDATE_EXISTING_DATA",
            ["connector", "update_existing_data"],
            config,
        )

        # CYBERCRIME-TRACKER.NET Config
        self.feed_url = get_config_variable("CYBERCRIMET_RACKER_FEED_URL",
                                            ["cybercrime-tracker", "feed_url"],
                                            config)
        self.connector_tlp = get_config_variable("CYBERCRIME_TRACKER_TLP",
                                                 ["cybercrime-tracker", "tlp"],
                                                 config)
        self.create_indicators = get_config_variable(
            "CYBERCRIME_TRACKER_CREATE_INDICATORS",
            ["cybercrime-tracker", "create_indicators"],
            config,
        )
        self.create_observables = get_config_variable(
            "CYBERCRIME_TRACKER_CREATE_OBSERVABLES",
            ["cybercrime-tracker", "create_observables"],
            config,
        )
        self.interval = get_config_variable(
            "CYBERCRIMETRACKER_INTERVAL",
            ["cybercrime-tracker", "interval"],
            config,
            isNumber=True,
        )
Beispiel #5
0
    def __init__(self):
        # Get configuration
        config_file_path = os.path.dirname(
            os.path.abspath(__file__)) + '/config.yml'
        self.config = dict()
        if os.path.isfile(config_file_path):
            config = yaml.load(open(config_file_path), Loader=yaml.FullLoader)
            self.config_rabbitmq = config['rabbitmq']
            self.config['name'] = config['mitre']['name']
            self.config['confidence_level'] = config['mitre'][
                'confidence_level']
            self.config['enterprise_file_url'] = config['mitre'][
                'enterprise_file_url']
            self.config['entities'] = config['mitre']['entities'].split(',')
            self.config['interval'] = config['mitre']['interval']
            self.config['log_level'] = config['mitre']['log_level']
        else:
            self.config_rabbitmq = dict()
            self.config_rabbitmq['hostname'] = os.getenv(
                'RABBITMQ_HOSTNAME', 'localhost')
            self.config_rabbitmq['port'] = os.getenv('RABBITMQ_PORT', 5672)
            self.config_rabbitmq['username'] = os.getenv(
                'RABBITMQ_USERNAME', 'guest')
            self.config_rabbitmq['password'] = os.getenv(
                'RABBITMQ_PASSWORD', 'guest')
            self.config['name'] = os.getenv('MITRE_NAME', 'MITRE ATT&CK')
            self.config['confidence_level'] = int(
                os.getenv('MITRE_CONFIDENCE_LEVEL', 3))
            self.config['enterprise_file_url'] = os.getenv(
                'MITRE_ENTERPRISE_FILE_URL',
                'https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json'
            )
            self.config['entities'] = os.getenv(
                'MITRE_ENTITIES',
                'attack-pattern,course-of-action,intrusion-set,malware,tool'
            ).split(',')
            self.config['interval'] = os.getenv('MITRE_INTERVAL', 5)
            self.config['log_level'] = os.getenv('MITRE_LOG_LEVEL', 'info')

        # Initialize OpenCTI Connector
        connector_identifier = ''.join(e for e in self.config['name']
                                       if e.isalnum())
        self.opencti_connector_helper = OpenCTIConnectorHelper(
            connector_identifier.lower(), self.config, self.config_rabbitmq,
            self.config['log_level'])
Beispiel #6
0
 def __init__(self):
     # Instantiate the connector helper from config
     config_file_path = os.path.dirname(os.path.abspath(__file__)) + "/config.yml"
     config = (
         yaml.load(open(config_file_path), Loader=yaml.FullLoader)
         if os.path.isfile(config_file_path)
         else {}
     )
     self.helper = OpenCTIConnectorHelper(config)
     self.api_key = get_config_variable(
         "ABUSEIPDB_API_KEY", ["abuseipdb", "api_key"], config
     )
     self.max_tlp = get_config_variable(
         "ABUSEIPDB_MAX_TLP", ["abuseipdb", "max_tlp"], config
     )
     self.whitelist_label = self.helper.api.label.create(
         value="whitelist", color="#4caf50"
     )
Beispiel #7
0
 def __init__(self):
     # Instantiate the connector helper from config
     config_file_path = os.path.dirname(os.path.abspath(__file__)) + "/config.yml"
     config = (
         yaml.load(open(config_file_path), Loader=yaml.FullLoader)
         if os.path.isfile(config_file_path)
         else {}
     )
     self.interval = 1  # 1 Day interval between each scraping
     self.helper = OpenCTIConnectorHelper(config)
     # Extra config
     self.confidence_level = get_config_variable(
         "CONNECTOR_CONFIDENCE_LEVEL",
         ["connector", "confidence_level"],
         config,
         isNumber=True,
     )
     self.data = {}
Beispiel #8
0
    def __init__(self):
        # Instantiate the connector helper from config
        config_file_path = Path(
            __file__).parent.parent.resolve() / "config.yml"

        config = (yaml.load(open(config_file_path, encoding="utf-8"),
                            Loader=yaml.FullLoader)
                  if config_file_path.is_file() else {})
        self.helper = OpenCTIConnectorHelper(config)
        token = get_config_variable("VIRUSTOTAL_TOKEN",
                                    ["virustotal", "token"], config)
        self.max_tlp = get_config_variable("VIRUSTOTAL_MAX_TLP",
                                           ["virustotal", "max_tlp"], config)

        self.client = VirusTotalClient(self._API_URL, token)

        # Cache to store YARA rulesets.
        self.yara_cache = {}
 def __init__(self, conf_data):
     config_file_path = os.path.dirname(
         os.path.abspath(__file__)) + "/config.yml"
     config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
               if os.path.isfile(config_file_path) else conf_data)
     self.helper = OpenCTIConnectorHelper(config)
     # Extra config
     self.direct_creation = get_config_variable(
         "DIRECT_CREATION",
         ["backup", "direct_creation"],
         config,
         default=False,
     )
     self.backup_protocol = get_config_variable("BACKUP_PROTOCOL",
                                                ["backup", "protocol"],
                                                config)
     self.backup_path = get_config_variable("BACKUP_PATH",
                                            ["backup", "path"], config)
Beispiel #10
0
 def __init__(self):
     # Instantiate the connector helper from config
     config_file_path = os.path.dirname(
         os.path.abspath(__file__)) + "/config.yml"
     config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
               if os.path.isfile(config_file_path) else {})
     self.helper = OpenCTIConnectorHelper(config)
     self.token = get_config_variable("VIRUSTOTAL_TOKEN",
                                      ["virustotal", "token"], config)
     self.max_tlp = get_config_variable("VIRUSTOTAL_MAX_TLP",
                                        ["virustotal", "max_tlp"], config)
     self.api_url = "https://www.virustotal.com/api/v3"
     self.headers = {
         "x-apikey": self.token,
         "accept": "application/json",
         "content-type": "application/json",
     }
     self._CONNECTOR_RUN_INTERVAL_SEC = 60 * 60
 def __init__(self):
     config_file_path = os.path.dirname(os.path.abspath(__file__)) + "/config.yml"
     config = (
         yaml.load(open(config_file_path), Loader=yaml.FullLoader)
         if os.path.isfile(config_file_path)
         else {}
     )
     self.talosip_interval = get_config_variable(
         "TALOSIP_INTERVAL", ["talosip", "interval"], config, True
     )
     self.talosip_url = get_config_variable(
         "TALOSIP_URL", ["talosip", "url"], config
     )
     self.update_existing_data = get_config_variable(
         "CONNECTOR_UPDATE_EXISTING_DATA",
         ["connector", "update_existing_data"],
         config,
     )
     self.delete_old_data = get_config_variable(
         "DELETE_OLD_DATA", ["connector", "delete_old_data"], config
     )
     self.helper = OpenCTIConnectorHelper(config)
     # get tag
     self.talos_tag = self.helper.api.tag.create(
         tag_type="Event", value="TalosIntelligence", color="#fc036b"
     )
     self.ipv4_tag = self.helper.api.tag.create(
         tag_type="Event", value="ipv4-blacklist", color="#1c100b"
     )
     # create identity
     self.helper.log_info("Creating an Identity...")
     self.entity_identity = self.helper.api.identity.create(
         name="Cisco Talos",
         type="Organization",
         description="Talosintilligence IP Blacklist",
     )
     # create marking definition
     self.tlp_white_marking_definition = self.helper.api.marking_definition.read(
         filters={"key": "definition", "values": ["TLP:WHITE"]}
     )
     # report published time
     self.published_report = None
     self.being_added = []
     self.being_deleted = []
Beispiel #12
0
 def __init__(self):
     # Instantiate the connector helper from config
     config_file_path = os.path.dirname(
         os.path.abspath(__file__)) + "/config.yml"
     config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
               if os.path.isfile(config_file_path) else {})
     self.helper = OpenCTIConnectorHelper(config)
     self.token = get_config_variable("SHODAN_TOKEN", ["shodan", "token"],
                                      config)
     self.max_tlp = get_config_variable("SHODAN_MAX_TLP",
                                        ["shodan", "max_tlp"], config)
     self.create_indicators = get_config_variable(
         "SHODAN_CREATE_INDICATORS",
         ["shodan", "create_indicators"],
         config,
         False,
         True,
     )
     self.shodanAPI = shodan.Shodan(self.token)
Beispiel #13
0
    def __init__(self):
        # Instantiate the connector helper from config
        config_file_path = os.path.dirname(
            os.path.abspath(__file__)) + "/config.yml"
        config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
                  if os.path.isfile(config_file_path) else {})
        self.helper = OpenCTIConnectorHelper(config)

        self.identity = self.helper.api.identity.create(
            type="Organization", name="Virustotal",
            description="Virustotal")["standard_id"]

        # Get other config values
        api_key = get_config_variable(
            "VIRUSTOTAL_DOWNLOADER_API_KEY",
            ["virustotal_downloader", "api_key"],
            config,
        )
        self.api_client = vt.Client(api_key)
Beispiel #14
0
 def __init__(self):
     # Instantiate the connector helper from config
     config_file_path = os.path.dirname(
         os.path.abspath(__file__)) + '/config.yml'
     config = yaml.load(open(config_file_path), Loader=yaml.FullLoader
                        ) if os.path.isfile(config_file_path) else {}
     self.helper = OpenCTIConnectorHelper(config)
     # Extra config
     self.amitt_file_url = get_config_variable('AMITT_FILE_URL',
                                               ['amitt', 'amitt_file_url'],
                                               config)
     self.pre_amitt_file_url = get_config_variable(
         'PRE_AMITT_FILE_URL', ['amitt', 'pre_amitt_file_url'], config)
     self.amitt_interval = get_config_variable('AMITT_INTERVAL',
                                               ['amitt', 'interval'],
                                               config, True)
     self.update_existing_data = get_config_variable(
         'CONNECTOR_UPDATE_EXISTING_DATA',
         ['connector', 'update_existing_data'], config)
Beispiel #15
0
 def __init__(self):
     # Instantiate the connector helper from config
     config_file_path = os.path.dirname(
         os.path.abspath(__file__)) + "/config.yml"
     config = (yaml.load(open(config_file_path))
               if os.path.isfile(config_file_path) else {})
     self.interval = 1  # 1 Day interval between each scraping
     self.helper = OpenCTIConnectorHelper(config)
     # Extra config
     self.confidence_level = get_config_variable(
         "CONNECTOR_CONFIDENCE_LEVEL",
         ["connector", "confidence_level"],
         config,
     )
     self.MALPEDIA_API = get_config_variable("MALPEDIA_API",
                                             ["malpedia", "MALPEDIA_API"],
                                             config)
     self.AUTH_KEY = get_config_variable("AUTH_KEY",
                                         ["malpedia", "AUTH_KEY"], config)
Beispiel #16
0
 def __init__(self):
     # Instantiate the connector helper from config
     config_file_path = os.path.dirname(
         os.path.abspath(__file__)) + '/config.yml'
     config = yaml.load(open(config_file_path), Loader=yaml.FullLoader
                        ) if os.path.isfile(config_file_path) else {}
     self.helper = OpenCTIConnectorHelper(config)
     # Extra config
     self.opencti_sectors_file_url = get_config_variable(
         'CONFIG_SECTORS_FILE_URL', ['config', 'sectors_file_url'], config)
     self.opencti_geography_file_url = get_config_variable(
         'CONFIG_GEOGRAPHY_FILE_URL', ['config', 'geography_file_url'],
         config)
     self.opencti_interval = get_config_variable('CONFIG_INTERVAL',
                                                 ['config', 'interval'],
                                                 config, True)
     self.update_existing_data = get_config_variable(
         'CONNECTOR_UPDATE_EXISTING_DATA',
         ['connector', 'update_existing_data'], config)
Beispiel #17
0
    def __init__(self):
        config_file_path = os.path.dirname(
            os.path.abspath(__file__)) + "/config.yml"
        config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
                  if os.path.isfile(config_file_path) else {})

        # Connector configuration
        self.entity_name = get_config_variable("CONNECTOR_ENTITY_NAME",
                                               ["connector", "entity_name"],
                                               config)
        self.entity_desc = get_config_variable(
            "CONNECTOR_ENTITY_DESCRIPTION",
            ["connector", "entity_description"], config)
        self.forward_all_iocs = get_config_variable(
            "CONNECTOR_FORWARD_ALL_IOCS", ["connector", "forward_all_iocs"],
            config)
        self.threatbus_entity = None

        # Custom configuration for Threat Bus & ZeroMQ plugin endpoint
        self.threatbus_zmq_host = get_config_variable(
            "THREATBUS_ZMQ_HOST", ["threatbus", "zmq_host"], config)
        self.threatbus_zmq_port = get_config_variable(
            "THREATBUS_ZMQ_PORT", ["threatbus", "zmq_port"], config)
        threatbus_snapshot = get_config_variable(
            "THREATBUS_SNAPSHOT",
            ["threatbus", "snapshot"],
            config,
            isNumber=True,
            default=0,
        )

        # Helper initialization
        self.opencti_helper = OpenCTIConnectorHelper(config)
        zmq_endpoint = f"{self.threatbus_zmq_host}:{self.threatbus_zmq_port}"
        self.threatbus_helper = ThreatBusConnectorHelper(
            zmq_endpoint,
            self._handle_threatbus_message,
            self.opencti_helper.log_info,
            self.opencti_helper.log_error,
            subscribe_topics=["stix2/sighting", "stix2/indicator"],
            publish_topic="stix2/indicator",
            snapshot=threatbus_snapshot,
        )
Beispiel #18
0
    def __init__(self):
        # Get configuration
        config_file_path = os.path.dirname(
            os.path.abspath(__file__)) + '/config.yml'
        self.config = dict()
        if os.path.isfile(config_file_path):
            config = yaml.load(open(config_file_path), Loader=yaml.FullLoader)
            self.config_rabbitmq = config['rabbitmq']
            self.config['name'] = config['opencti']['name']
            self.config['confidence_level'] = config['opencti'][
                'confidence_level']
            self.config['sectors_file_url'] = config['opencti'][
                'sectors_file_url']
            self.config['entities'] = config['opencti']['entities'].split(',')
            self.config['interval'] = config['opencti']['interval']
            self.config['log_level'] = config['opencti']['log_level']
        else:
            self.config_rabbitmq = dict()
            self.config_rabbitmq['hostname'] = os.getenv(
                'RABBITMQ_HOSTNAME', 'localhost')
            self.config_rabbitmq['port'] = os.getenv('RABBITMQ_PORT', 5672)
            self.config_rabbitmq['username'] = os.getenv(
                'RABBITMQ_USERNAME', 'guest')
            self.config_rabbitmq['password'] = os.getenv(
                'RABBITMQ_PASSWORD', 'guest')
            self.config['name'] = os.getenv('OPENCTI_NAME', 'OpenCTI')
            self.config['confidence_level'] = int(
                os.getenv('OPENCTI_CONFIDENCE_LEVEL', 5))
            self.config['sectors_file_url'] = os.getenv(
                'OPENCTI_SECTORS_FILE_URL',
                'https://raw.githubusercontent.com/OpenCTI-Platform/datasets/master/data/sectors.json'
            )
            self.config['entities'] = os.getenv(
                'OPENCTI_ENTITIES', 'sector,region,country,city').split(',')
            self.config['interval'] = os.getenv('OPENCTI_INTERVAL', 1)
            self.config['log_level'] = os.getenv('OPENCTI_LOG_LEVEL', 'info')

        # Initialize OpenCTI Connector
        connector_identifier = ''.join(e for e in self.config['name']
                                       if e.isalnum())
        self.opencti_connector_helper = OpenCTIConnectorHelper(
            connector_identifier.lower(), self.config, self.config_rabbitmq,
            self.config['log_level'])
Beispiel #19
0
 def __init__(self):
     # Instantiate the connector helper from config
     config_file_path = os.path.dirname(os.path.abspath(__file__)) + "/config.yml"
     config = (
         yaml.load(open(config_file_path), Loader=yaml.FullLoader)
         if os.path.isfile(config_file_path)
         else {}
     )
     self.helper = OpenCTIConnectorHelper(config)
     # Extra config
     self.thehive_url = get_config_variable(
         "THEHIVE_URL", ["thehive", "url"], config
     )
     self.thehive_api_key = get_config_variable(
         "THEHIVE_API_KEY", ["thehive", "api_key"], config
     )
     self.thehive_check_ssl = get_config_variable(
         "THEHIVE_CHECK_SSL", ["thehive", "check_ssl"], config, False, True
     )
     self.thehive_organization_name = get_config_variable(
         "THEHIVE_ORGANIZATION_NAME", ["thehive", "organization_name"], config
     )
     self.thehive_import_from_date = get_config_variable(
         "THEHIVE_IMPORT_FROM_DATE",
         ["thehive", "import_from_date"],
         config,
         False,
         datetime.utcfromtimestamp(int(time.time())).strftime("%Y-%m-%d %H:%M:%S"),
     )
     self.update_existing_data = get_config_variable(
         "CONNECTOR_UPDATE_EXISTING_DATA",
         ["connector", "update_existing_data"],
         config,
     )
     self.identity = self.helper.api.identity.create(
         type="Organization",
         name=self.thehive_organization_name,
         description=self.thehive_organization_name,
     )
     self.thehive_api = TheHiveApi(
         self.thehive_url, self.thehive_api_key, cert=self.thehive_check_ssl
     )
Beispiel #20
0
    def __init__(self):
        # Get configuration
        config_file_path = os.path.dirname(
            os.path.abspath(__file__)) + '/config.yml'
        self.config = dict()
        if os.path.isfile(config_file_path):
            config = yaml.load(open(config_file_path), Loader=yaml.FullLoader)
            self.config_rabbitmq = config['rabbitmq']
            self.config['name'] = config['cve']['name']
            self.config['confidence_level'] = config['cve']['confidence_level']
            self.config['nvd_data_feed'] = config['cve']['nvd_data_feed']
            self.config['entities'] = config['cve']['entities'].split(',')
            self.config['interval'] = config['cve']['interval']
            self.config['log_level'] = config['cve']['log_level']
        else:
            self.config_rabbitmq = dict()
            self.config_rabbitmq['hostname'] = os.getenv(
                'RABBITMQ_HOSTNAME', 'localhost')
            self.config_rabbitmq['port'] = os.getenv('RABBITMQ_PORT', 5672)
            self.config_rabbitmq['username'] = os.getenv(
                'RABBITMQ_USERNAME', 'guest')
            self.config_rabbitmq['password'] = os.getenv(
                'RABBITMQ_PASSWORD', 'guest')
            self.config['name'] = os.getenv(
                'CVE_NAME', 'Common Vulnerabilities and Exposures')
            self.config['confidence_level'] = int(
                os.getenv('CVE_CONFIDENCE_LEVEL', 3))
            self.config['nvd_data_feed'] = os.getenv(
                'CVE_DATA_FEED',
                'https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-recent.json.gz'
            )
            self.config['entities'] = os.getenv('CVE_ENTITIES',
                                                'vulnerability').split(',')
            self.config['interval'] = os.getenv('CVE_INTERVAL', 5)
            self.config['log_level'] = os.getenv('CVE_LOG_LEVEL', 'info')

        # Initialize OpenCTI Connector
        connector_identifier = ''.join(e for e in self.config['name']
                                       if e.isalnum())
        self.opencti_connector_helper = OpenCTIConnectorHelper(
            connector_identifier.lower(), self.config, self.config_rabbitmq,
            self.config['log_level'])
Beispiel #21
0
    def __init__(self):
        # Instantiate the connector helper from config
        config_file_path = os.path.dirname(
            os.path.abspath(__file__)) + "/config.yml"
        config = (yaml.load(open(config_file_path), Loader=yaml.SafeLoader)
                  if os.path.isfile(config_file_path) else {})
        self.helper = OpenCTIConnectorHelper(config)
        self.organization = get_config_variable("ORGANIZATION",
                                                ["sighting", "organization"],
                                                config)
        self.labels = get_config_variable("SIGHTING_LABELS",
                                          ["sighting", "labels"],
                                          config).split(",")

        self.identity = self.helper.api.identity.create(
            type="Organization",
            name=self.organization,
            description=self.organization +
            " created by the Sighting connector",
        )
Beispiel #22
0
    def __init__(self, config, dryrun):
        self.config = config['OpenCTI']
        self.dryrun = dryrun
        self._get_octi_sectors()

        self.connector_config = {
            'name': self.config['connector_name'],
            'confidence_level': 3,
            'entities': 'report, intrusion-set, identity',
            'interval': 0,
            'log_level': 'info'
        }

        confyml_path = os.path.dirname(
            os.path.abspath(__file__)) + '/config.yml'
        confyml = yaml.load(
            open(confyml_path),
            Loader=yaml.FullLoader) if os.path.isfile(confyml_path) else {}

        self.opencti_connector_helper = OpenCTIConnectorHelper(confyml)
Beispiel #23
0
    def __init__(self, config, dryrun):
        self.config = config['OpenCTI']
        self.dryrun = dryrun
        self._get_octi_sectors()

        self.connector_config = {
            'name': self.config['connector_name'],
            'confidence_level': 3,
            'entities': 'report, intrusion-set, identity',
            'interval': 0,
            'log_level': 'info'
        }

        self.opencti_connector_helper = OpenCTIConnectorHelper(
            self.config['connector_name'].lower(), self.connector_config, {
                'hostname': self.config['rabbitmq_hostname'],
                'port': int(self.config['rabbitmq_port']),
                'username': self.config['rabbitmq_username'],
                'password': self.config['rabbitmq_password']
            }, self.connector_config['log_level'])
Beispiel #24
0
    def __init__(self):
        # Instantiate the connector helper from config
        config_file_path = os.path.dirname(os.path.abspath(__file__)) + "/config.yml"
        config = (
            yaml.load(open(config_file_path), Loader=yaml.FullLoader)
            if os.path.isfile(config_file_path)
            else {}
        )
        self.helper = OpenCTIConnectorHelper(config)
        # Extra config
        self.misp_url = get_config_variable("MISP_URL", ["misp", "url"], config)
        self.misp_key = get_config_variable("MISP_KEY", ["misp", "key"], config)
        self.misp_ssl_verify = get_config_variable(
            "MISP_SSL_VERIFY", ["misp", "ssl_verify"], config
        )
        self.misp_create_report = get_config_variable(
            "MISP_CREATE_REPORTS", ["misp", "create_reports"], config
        )
        self.misp_report_class = (
            get_config_variable("MISP_REPORT_CLASS", ["misp", "report_class"], config)
            or "MISP Event"
        )
        self.misp_import_from_date = get_config_variable(
            "MISP_IMPORT_FROM_DATE", ["misp", "import_from_date"], config
        )
        self.misp_import_tags = get_config_variable(
            "MISP_IMPORT_TAGS", ["misp", "import_tags"], config
        )
        self.misp_interval = get_config_variable(
            "MISP_INTERVAL", ["misp", "interval"], config, True
        )
        self.update_existing_data = get_config_variable(
            "CONNECTOR_UPDATE_EXISTING_DATA",
            ["connector", "update_existing_data"],
            config,
        )

        # Initialize MISP
        self.misp = ExpandedPyMISP(
            url=self.misp_url, key=self.misp_key, ssl=self.misp_ssl_verify, debug=False
        )
Beispiel #25
0
    def __init__(self):
        # Instantiate the connector helper from config
        config_file_path = os.path.dirname(os.path.abspath(__file__)) + "/config.yml"
        config = (
            yaml.load(open(config_file_path), Loader=yaml.FullLoader)
            if os.path.isfile(config_file_path)
            else {}
        )
        self.helper = OpenCTIConnectorHelper(config)

        warninglists_slow_search = bool(
            get_config_variable(
                "HYGIENE_WARNINGLISTS_SLOW_SEARCH",
                ["hygiene", "warninglists_slow_search"],
                config,
                default=False,
            )
        )

        self.enrich_subdomains = bool(
            get_config_variable(
                "HYGIENE_ENRICH_SUBDOMAINS",
                ["hygiene", "enrich_subdomains"],
                config,
                default=False,
            )
        )

        self.helper.log_info(f"Warning lists slow search: {warninglists_slow_search}")

        self.warninglists = WarningLists(slow_search=warninglists_slow_search)

        # Create Hygiene Tag
        self.label_hygiene = self.helper.api.label.create(
            value="Hygiene", color="#fc0341"
        )

        if self.enrich_subdomains:
            self.label_hygiene_parent = self.helper.api.label.create(
                value="Hygiene_parent", color="#fc0341"
            )
Beispiel #26
0
 def __init__(self):
     # Instantiate the connector helper from config
     config_file_path = os.path.dirname(
         os.path.abspath(__file__)) + "/config.yml"
     config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
               if os.path.isfile(config_file_path) else {})
     self.helper = OpenCTIConnectorHelper(config)
     # Extra config
     self.opencti_sectors_file_url = get_config_variable(
         "CONFIG_SECTORS_FILE_URL", ["config", "sectors_file_url"], config)
     self.opencti_geography_file_url = get_config_variable(
         "CONFIG_GEOGRAPHY_FILE_URL", ["config", "geography_file_url"],
         config)
     self.opencti_interval = get_config_variable("CONFIG_INTERVAL",
                                                 ["config", "interval"],
                                                 config, True)
     self.update_existing_data = get_config_variable(
         "CONNECTOR_UPDATE_EXISTING_DATA",
         ["connector", "update_existing_data"],
         config,
     )
Beispiel #27
0
 def __init__(self):
     # Instantiate the connector helper from config
     config_file_path = os.path.dirname(
         os.path.abspath(__file__)) + "/config.yml"
     config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
               if os.path.isfile(config_file_path) else {})
     self.helper = OpenCTIConnectorHelper(config)
     # Extra config
     self.cve_import_history = get_config_variable(
         "CVE_IMPORT_HISTORY", ["cve", "import_history"], config, False)
     self.cve_nvd_data_feed = get_config_variable("CVE_NVD_DATA_FEED",
                                                  ["cve", "nvd_data_feed"],
                                                  config)
     self.cve_interval = get_config_variable("CVE_INTERVAL",
                                             ["cve", "interval"], config,
                                             True)
     self.update_existing_data = get_config_variable(
         "CONNECTOR_UPDATE_EXISTING_DATA",
         ["connector", "update_existing_data"],
         config,
     )
Beispiel #28
0
 def __init__(self):
     # Instantiate the connector helper from config
     config_file_path = os.path.dirname(
         os.path.abspath(__file__)) + "/config.yml"
     config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
               if os.path.isfile(config_file_path) else {})
     self.helper = OpenCTIConnectorHelper(config)
     # Extra config
     self.amitt_file_url = get_config_variable("AMITT_FILE_URL",
                                               ["amitt", "amitt_file_url"],
                                               config)
     self.pre_amitt_file_url = get_config_variable(
         "PRE_AMITT_FILE_URL", ["amitt", "pre_amitt_file_url"], config)
     self.amitt_interval = get_config_variable("AMITT_INTERVAL",
                                               ["amitt", "interval"],
                                               config, True)
     self.update_existing_data = get_config_variable(
         "CONNECTOR_UPDATE_EXISTING_DATA",
         ["connector", "update_existing_data"],
         config,
     )
Beispiel #29
0
    def __init__(self):
        # Instantiate the connector helper from config
        config_file_path = os.path.dirname(
            os.path.abspath(__file__)) + "/config.yml"
        config = (yaml.load(open(config_file_path), Loader=yaml.FullLoader)
                  if os.path.isfile(config_file_path) else {})
        self.helper = OpenCTIConnectorHelper(config)
        # Extra config
        self.fireeye_api_url = get_config_variable("FIREEYE_API_URL",
                                                   ["fireeye", "api_url"],
                                                   config)
        self.fireeye_api_v3_public = get_config_variable(
            "FIREEYE_API_V3_PUBLIC", ["fireeye", "api_v3_public"], config)
        self.fireeye_api_v3_secret = get_config_variable(
            "FIREEYE_API_V3_SECRET", ["fireeye", "api_v3_secret"], config)
        self.fireeye_collections = get_config_variable(
            "FIREEYE_COLLECTIONS", ["fireeye", "collections"],
            config).split(",")
        self.fireeye_import_start_date = get_config_variable(
            "FIREEYE_IMPORT_START_DATE",
            ["fireeye", "import_start_date"],
            config,
        )
        self.update_existing_data = get_config_variable(
            "CONNECTOR_UPDATE_EXISTING_DATA",
            ["connector", "update_existing_data"],
            config,
        )
        self.added_after = parse(self.fireeye_import_start_date).timestamp()

        self.identity = self.helper.api.identity.create(
            type="Organization",
            name="FireEye, Inc.",
            description=
            "FireEye is a publicly traded cybersecurity company headquartered in Milpitas, California. It has been involved in the detection and prevention of major cyber attacks. It provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks. FireEye was founded in 2004.",
        )

        # Init variables
        self.auth_token = None
        self._get_token()
Beispiel #30
0
    def __init__(self):
        # Instantiate the connector helper from config
        config_file_path = Path(__file__).parent.parent.resolve() / "config.yml"

        config = (
            yaml.load(open(config_file_path, encoding="utf8"), Loader=yaml.FullLoader)
            if config_file_path.is_file()
            else {}
        )

        self.helper = OpenCTIConnectorHelper(config)

        self.base_url = get_config_variable(
            "RISKIQ_BASE_URL", ["riskiq", "base_url"], config
        )
        self.interval_sec = get_config_variable(
            "RISKIQ_INTERVAL_SEC", ["riskiq", "interval_sec"], config
        )
        user = get_config_variable("RISKIQ_USER", ["riskiq", "user"], config)
        password = get_config_variable(
            "RISKIQ_PASSWORD", ["riskiq", "password"], config
        )
        self.create_indicators = get_config_variable(
            "RISKIQ_CREATE_INDICATORS",
            ["riskiq", "create_indicators"],
            config,
            False,
            True,
        )
        # Create the author for all reports.
        self.author = Identity(
            name=self._DEFAULT_AUTHOR,
            identity_class="organization",
            description=" RiskIQ is a cyber security company based in San Francisco, California."
            " It provides cloud - based software as a service(SaaS) for organizations"
            " to detect phishing, fraud, malware, and other online security threats.",
            confidence=self.helper.connect_confidence_level,
        )
        # Initialization of the client
        self.client = RiskIQClient(self.base_url, user, password)