Beispiel #1
0
    def _process_message(self, data):
        entity_id = data["entity_id"]
        observable = self.helper.api.stix_cyber_observable.read(id=entity_id)
        # Extract TLP
        tlp = "TLP:WHITE"
        for marking_definition in observable["objectMarking"]:
            if marking_definition["definition_type"] == "TLP":
                tlp = marking_definition["definition"]

        if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp):
            raise ValueError(
                "Do not send any data, TLP of the observable is greater than MAX TLP"
            )

        # Extract IP from entity data
        observable_value = observable["value"]

        # Get Shodan API Response
        try:
            response = self.shodanAPI.host(observable_value)
        except Exception as e:
            return str(e)

        # Process and send Shodan Data to OpenCTI
        self._convert_shodan_to_stix(response, observable)

        return "[SUCCESS] Shodan IP Found, data sent in"
Beispiel #2
0
    def _process_message(self, data):
        entity_id = data['entity_id']
        observable = self.helper.api.stix_observable.read(id=entity_id)
        # Extract TLP
        tlp = 'TLP:WHITE'
        for marking_definition in observable['markingDefinitions']:
            if marking_definition['definition_type'] == 'TLP':
                tlp = marking_definition['definition']

        if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp):
            return [
                'Do not send any data, TLP of the observable is greater than MAX TLP'
            ]

        # Extract IP from entity data
        observable_id = observable['stix_id_key']
        observable_value = observable['observable_value']
        # Get the geo loc from the API
        api_url = 'https://ipinfo.io/' + observable_value + '?token=' + self.token
        response = requests.request("GET",
                                    api_url,
                                    headers={
                                        'accept': "application/json",
                                        'content-type': "application/json",
                                    })
        json_data = json.loads(response.text)
        country = pycountry.countries.get(alpha_2=json_data['country'])
        bundle = self._generate_stix_bundle(country, json_data['city'],
                                            observable_id)
        bundles_sent = self.helper.send_stix2_bundle(bundle)
        return [
            'Sent ' + str(len(bundles_sent)) +
            ' stix bundle(s) for worker import'
        ]
Beispiel #3
0
    def _process_message(self, data):
        entity_id = data["entity_id"]
        observable = self.helper.api.stix_cyber_observable.read(id=entity_id)
        if observable is None:
            raise ValueError(
                "Observable not found (or the connector does not has access to this observable, check the group of the connector user)"
            )
        TLPs = ["TLP:WHITE"]
        if "objectMarking" in observable:
            for marking_definition in observable["objectMarking"]:
                if marking_definition["definition_type"] == "TLP":
                    TLPs.append(marking_definition["definition"])

        for TLPx in TLPs:
            if not OpenCTIConnectorHelper.check_max_tlp(TLPx, self.max_tlp):
                raise ValueError(
                    "Do not send any data, TLP of the observable is greater than MAX TLP"
                )

        # Extract IP from entity data
        observable_value = observable["value"]

        # Get Shodan API Response
        try:
            response = self.shodanAPI.host(observable_value)
        except Exception as e:
            return str(e)

        # Process and send Shodan Data to OpenCTI
        self._convert_shodan_to_stix(response, observable)

        return "[SUCCESS] Shodan IP Found, data sent in"
Beispiel #4
0
 def _process_message(self, data):
     entity_id = data["entity_id"]
     observable = self.helper.api.stix_cyber_observable.read(id=entity_id)
     # Extract TLP
     tlp = "TLP:WHITE"
     for marking_definition in observable["objectMarking"]:
         if marking_definition["definition_type"] == "TLP":
             tlp = marking_definition["definition"]
     if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp):
         raise ValueError(
             "Do not send any data, TLP of the observable is greater than MAX TLP"
         )
     return self._process_file(observable)
Beispiel #5
0
 def _process_message(self, data):
     entity_id = data["entity_id"]
     observable = self.helper.api.stix_cyber_observable.read(id=entity_id)
     if observable is None:
         raise ValueError(
             "Observable not found (or the connector does not has access to this observable, check the group of the connector user)"
         )
     # Extract TLP
     tlp = "TLP:WHITE"
     for marking_definition in observable.get("objectMarking", []):
         if marking_definition["definition_type"] == "TLP":
             tlp = marking_definition["definition"]
     if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp):
         raise ValueError(
             "Do not send any data, TLP of the observable is greater than MAX TLP"
         )
     return self._process_file(observable)
 def _process_message(self, data):
     entity_id = data["entity_id"]
     observable = self.helper.api.stix_cyber_observable.read(id=entity_id)
     if observable is None:
         raise ValueError(
             "Observable not found "
             "(may be linked to data seggregation, check your group and permissions)"
         )
     # Extract TLP
     tlp = "TLP:WHITE"
     for marking_definition in observable["objectMarking"]:
         if marking_definition["definition_type"] == "TLP":
             tlp = marking_definition["definition"]
     if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp):
         raise ValueError(
             "Do not send any data, TLP of the observable is greater than MAX TLP"
         )
     return self._process_observable(observable)
Beispiel #7
0
    def _process_message(self, data):
        entity_id = data["entity_id"]
        observable = self.helper.api.stix_cyber_observable.read(id=entity_id)
        if observable is None:
            raise ValueError(
                "Observable not found (or the connector does not has access to this observable, check the group of the connector user)"
            )
        # Extract TLP
        tlp = "TLP:WHITE"
        for marking_definition in observable["objectMarking"]:
            if marking_definition["definition_type"] == "TLP":
                tlp = marking_definition["definition"]

        if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp):
            raise ValueError(
                "Do not send any data, TLP of the observable is greater than MAX TLP"
            )

        # Extract IP from entity data
        observable_id = observable["standard_id"]
        observable_value = observable["value"]
        # Get the geo loc from the API
        api_url = "https://ipinfo.io/" + observable_value + "/json/?token=" + self.token
        response = requests.request(
            "GET",
            api_url,
            headers={
                "accept": "application/json",
                "content-type": "application/json"
            },
        )
        json_data = response.json()
        if "status" in json_data and json_data["status"] == 429:
            raise ValueError("IpInfo Rate limit exceeded")
        country = pycountry.countries.get(alpha_2=json_data["country"])
        if country is None:
            raise ValueError(
                "IpInfo was not able to find a country for this IP address")
        bundle = self._generate_stix_bundle(country, json_data["city"],
                                            json_data["loc"], observable_id)
        bundles_sent = self.helper.send_stix2_bundle(bundle)
        return "Sent " + str(
            len(bundles_sent)) + " stix bundle(s) for worker import"
Beispiel #8
0
    def _process_message(self, data):
        entity_id = data["entity_id"]
        observable = self.helper.api.stix_observable.read(id=entity_id)
        # Extract TLP
        tlp = "TLP:WHITE"
        for marking_definition in observable["markingDefinitions"]:
            if marking_definition["definition_type"] == "TLP":
                tlp = marking_definition["definition"]

        if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp):
            raise ValueError(
                "Do not send any data, TLP of the observable is greater than MAX TLP"
            )

        # Extract IP from entity data
        observable_id = observable["stix_id_key"]
        observable_value = observable["observable_value"]
        # Get the geo loc from the API
        api_url = "https://ipinfo.io/" + observable_value + "?token=" + self.token
        response = requests.request(
            "GET",
            api_url,
            headers={
                "accept": "application/json",
                "content-type": "application/json",
            },
        )
        json_data = json.loads(response.text)
        country = pycountry.countries.get(alpha_2=json_data["country"])
        if country is None:
            raise ValueError(
                "IpInfo was not able to find a country for this IP address")
        bundle = self._generate_stix_bundle(country, json_data["city"],
                                            observable_id)
        bundles_sent = self.helper.send_stix2_bundle(bundle)
        return [
            "Sent " + str(len(bundles_sent)) +
            " stix bundle(s) for worker import"
        ]
    def _process_message(self, data):
        """Process a message, depending on its type."""
        entity_id = data["entity_id"]
        observable = self.helper.api.stix_cyber_observable.read(id=entity_id)
        if observable is None:
            return
        # Extract TLP
        tlp = "TLP:WHITE"
        for marking_definition in observable["objectMarking"]:
            if marking_definition["definition_type"] == "TLP":
                tlp = marking_definition["definition"]
                break

        if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp):
            raise ValueError(
                "Do not send any data, TLP of the observable is greater than MAX TLP"
            )

        if self.use_data:
            self.process_data_observable(observable)
        if self.use_passive:
            self.process_passive_observable(observable)
        if self.use_scans:
            self.process_scans_observable(observable)
Beispiel #10
0
    def _process_message(self, data):
        entity_id = data["entity_id"]
        observable = self.helper.api.stix_cyber_observable.read(id=entity_id)
        # Extract TLP
        tlp = "TLP:WHITE"
        for marking_definition in observable["objectMarking"]:
            if marking_definition["definition_type"] == "TLP":
                tlp = marking_definition["definition"]

        if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp):
            raise ValueError(
                "Do not send any data, TLP of the observable is greater than MAX TLP"
            )
        # Extract IP from entity data
        observable_id = observable["standard_id"]
        observable_value = observable["value"]
        url = "https://api.abuseipdb.com/api/v2/check"
        headers = {
            "Accept": "application/json",
            "Content-Type": "application/x-www-form-urlencoded",
            "Key": "%s" % self.api_key,
        }
        params = {
            "maxAgeInDays": 365,
            "verbose": "True",
            "ipAddress": observable_value
        }
        response = requests.get(url, headers=headers, params=params)
        data = response.json()
        data = data["data"]
        self.helper.api.stix_cyber_observable.update_field(
            id=observable_id,
            key="x_opencti_score",
            value=str(data["abuseConfidenceScore"]),
        )
        if data["isWhitelisted"]:
            external_reference = self.helper.api.external_reference.create(
                source_name="AbuseIPDB (whitelist)",
                url="https://www.abuseipdb.com/check/" + observable_value,
                description="This IP address is from within our whitelist.",
            )
            self.helper.api.stix_cyber_observable.add_external_reference(
                id=observable_id,
                external_reference_id=external_reference["id"])
            self.helper.api.stix_cyber_observable.add_label(
                id=observable_id, label_id=self.whitelist_label["id"])
            return "IP found in AbuseIPDB WHITELIST."
        if len(data["reports"]) > 0:
            for report in data["reports"]:
                country = self.helper.api.stix_domain_object.get_by_stix_id_or_name(
                    name=report["reporterCountryName"])
                self.helper.api.stix_sighting_relationship.create(
                    fromId=observable_id,
                    toId=country["id"],
                    count=1,
                    first_seen=report["reportedAt"],
                    last_seen=report["reportedAt"],
                )
                for category in report["categories"]:
                    category_text = self.extract_abuse_ipdb_category(category)
                    label = self.helper.api.label.create(value=category_text)
                    self.helper.api.stix_cyber_observable.add_label(
                        id=observable_id, label_id=label["id"])
            return "IP found in AbuseIPDB with reports, knowledge attached."
Beispiel #11
0
    def _process_message(self, data):
        entity_id = data["entity_id"]
        observable = self.helper.api.stix_cyber_observable.read(id=entity_id)
        # Extract TLP
        tlp = "TLP:WHITE"
        for marking_definition in observable.get("objectMarking", []):
            if marking_definition["definition_type"] == "TLP":
                tlp = marking_definition["definition"]

        if not OpenCTIConnectorHelper.check_max_tlp(tlp, self.max_tlp):
            raise ValueError(
                "Do not send any data, TLP of the observable is greater than MAX TLP"
            )
        # Extract IP from entity data
        observable_id = observable["standard_id"]
        observable_value = observable["value"]
        url = "https://api.abuseipdb.com/api/v2/check"
        headers = {
            "Accept": "application/json",
            "Content-Type": "application/x-www-form-urlencoded",
            "Key": "%s" % self.api_key,
        }
        params = {
            "maxAgeInDays": 365,
            "verbose": "True",
            "ipAddress": observable_value
        }
        r = requests.get(url, headers=headers, params=params)
        r.raise_for_status()
        data = r.json()
        data = data["data"]
        self.helper.api.stix_cyber_observable.update_field(
            id=observable_id,
            input={
                "key": "x_opencti_score",
                "value": str(data["abuseConfidenceScore"]),
            },
        )
        if data["isWhitelisted"]:
            external_reference = self.helper.api.external_reference.create(
                source_name="AbuseIPDB (whitelist)",
                url="https://www.abuseipdb.com/check/" + observable_value,
                description="This IP address is from within our whitelist.",
            )
            self.helper.api.stix_cyber_observable.add_external_reference(
                id=observable_id,
                external_reference_id=external_reference["id"])
            self.helper.api.stix_cyber_observable.add_label(
                id=observable_id, label_id=self.whitelist_label["id"])
            return "IP found in AbuseIPDB WHITELIST."
        if len(data["reports"]) > 0:
            found = []
            cl = defaultdict(dict)

            for report in data["reports"]:
                countryN = report["reporterCountryCode"]
                if countryN in cl:
                    cl[countryN]["count"] += 1
                    cl[countryN]["firstseen"] = report["reportedAt"]
                else:
                    cl[countryN]["count"] = 1
                    cl[countryN]["firstseen"] = report["reportedAt"]
                    cl[countryN]["lastseen"] = report["reportedAt"]

                for category in report["categories"]:
                    if category not in found:
                        found.append(category)
                        category_text = self.extract_abuse_ipdb_category(
                            category)
                        label = self.helper.api.label.create(
                            value=category_text)
                        self.helper.api.stix_cyber_observable.add_label(
                            id=observable_id, label_id=label["id"])

            for ckey in list(cl.keys()):
                country = self.helper.api.location.read(
                    filters=[{
                        "key": "x_opencti_aliases",
                        "values": [ckey],
                    }],
                    getAll=True,
                )
                if country is None:
                    self.helper.log_info(
                        "No country found with Alpha 2 code " + ckey)
                else:
                    self.helper.api.stix_sighting_relationship.create(
                        fromId=observable_id,
                        toId=country["id"],
                        count=cl[ckey]["count"],
                        first_seen=cl[ckey]["firstseen"],
                        last_seen=cl[ckey]["lastseen"],
                    )
            return "IP found in AbuseIPDB with reports, knowledge attached."