def _api(self):
"""Instantiates PyPSSL API"""
credentials = self.api_key.split(":")
pssl = pypssl.PyPSSL(basic_auth=(credentials[0], credentials[1]))
return pssl
def run(self):
# You should save CIRCL credentials with this template: "<user>|<pwd>"
if not self.__credentials:
raise AnalyzerRunException("no credentials retrieved")
split_credentials = self.__credentials.split("|")
if len(split_credentials) != 2:
raise AnalyzerRunException(
"CIRCL credentials not properly configured."
"Template to use: '<user>|<pwd>'")
user = split_credentials[0]
pwd = split_credentials[1]
pssl = pypssl.PyPSSL(basic_auth=(user, pwd))
result = pssl.query(self.observable_name, timeout=5)
certificates = []
if result.get(self.observable_name, {}):
certificates = list(
result.get(self.observable_name).get("certificates", []))
parsed_result = {"ip": self.observable_name, "certificates": []}
for cert in certificates:
subject = (result.get(self.observable_name).get(
"subjects", {}).get(cert, {}).get("values", []))
if subject:
parsed_result["certificates"].append({
"fingerprint": cert,
"subject": subject[0]
})
return parsed_result
def __init__(self):
Analyzer.__init__(self)
self.user = self.getParam('config.user', None,
'PassiveSSL username is missing!')
self.password = self.getParam('config.password', None,
'PassiveSSL password is missing!')
self.pssl = pypssl.PyPSSL(basic_auth=(self.user, self.password))
def handler(q=False):
if q is False:
return False
request = json.loads(q)
if request.get('ip-src'):
toquery = request['ip-src']
elif request.get('ip-dst'):
toquery = request['ip-dst']
else:
misperrors['error'] = "Unsupported attributes type"
return misperrors
if request.get('config'):
if (request['config'].get('username') is
None) or (request['config'].get('password') is None):
misperrors['error'] = 'CIRCL Passive SSL authentication is missing'
return misperrors
x = pypssl.PyPSSL(basic_auth=(request['config']['username'],
request['config']['password']))
res = x.query(toquery)
out = res.get(toquery)
r = {'results': [{'types': mispattributes['output'], 'values': out}]}
return r
def run(analyzer_name, job_id, observable_name, observable_classification, additional_config_params):
logger.info("started analyzer {} job_id {} observable {}"
"".format(analyzer_name, job_id, observable_name))
report = general.get_basic_report_template(analyzer_name)
try:
# You should save CIRCL credentials with this template: "<user>|<pwd>"
credentials = secrets.get_secret("CIRCL_CREDENTIALS")
if not credentials:
raise AnalyzerRunException("no credentials retrieved")
split_credentials = credentials.split('|')
if len(split_credentials) != 2:
raise AnalyzerRunException("CIRCL credentials not properly configured."
"Template to use: '<user>|<pwd>'")
user = split_credentials[0]
pwd = split_credentials[1]
pssl = pypssl.PyPSSL(basic_auth=(user, pwd))
result = pssl.query(observable_name)
certificates = []
if result.get(observable_name, {}):
certificates = list(result.get(observable_name).get('certificates', []))
parsed_result = {'ip': observable_name, 'certificates': []}
for cert in certificates:
subject = result.get(observable_name).get('subjects', {}).get(cert, {}).get('values', [])
if subject:
parsed_result['certificates'].append({'fingerprint': cert, 'subject': subject[0]})
# pprint.pprint(parsed_result)
report['report'] = parsed_result
except AnalyzerRunException as e:
error_message = "job_id:{} analyzer:{} observable_name:{} Analyzer error {}" \
"".format(job_id, analyzer_name, observable_name, e)
logger.error(error_message)
report['errors'].append(error_message)
report['success'] = False
except Exception as e:
traceback.print_exc()
error_message = "job_id:{} analyzer:{} observable_name:{} Unexpected error {}" \
"".format(job_id, analyzer_name, observable_name, e)
logger.exception(error_message)
report['errors'].append(str(e))
report['success'] = False
else:
report['success'] = True
general.set_report_and_cleanup(job_id, report, logger)
logger.info("ended analyzer {} job_id {} observable {}"
"".format(analyzer_name, job_id, observable_name))
return report
def __init__(self, attribute, authentication):
self.misp_event = MISPEvent()
self.attribute = MISPAttribute()
self.attribute.from_dict(**attribute)
self.misp_event.add_attribute(**self.attribute)
self.pssl = pypssl.PyPSSL(basic_auth=authentication)
self.cert_hash = 'x509-fingerprint-sha1'
self.cert_type = 'pem'
self.mapping = {'issuer': ('text', 'issuer'),
'keylength': ('text', 'pubkey-info-size'),
'not_after': ('datetime', 'validity-not-after'),
'not_before': ('datetime', 'validity-not-before'),
'subject': ('text', 'subject')}
def main():
parser = argparse.ArgumentParser(description='Query a Passive SSL instance.')
parser.add_argument("--url", default='https://www.circl.lu/', help='URL where the passive SSL is running (no path).')
parser.add_argument("-v", "--version", type=int, default=2, help='URL where the passive SSL is running (no path).')
parser.add_argument("-u", "--username", help='Username to login on the platform.')
parser.add_argument("-p", "--password", help='Password to login on the platform.')
parser.add_argument("-t", "--token", help='Token to login on the platform.')
parser.add_argument("-i", "--ip", help='IP to query (can be a block, max /23).')
parser.add_argument("-c", "--cert", help='SHA1 of the certificate to search.')
parser.add_argument("-f", "--fetch", help='SHA1 of the certificate to fetch.')
args = parser.parse_args()
p = pypssl.PyPSSL(args.url, args.version, (args.username, args.password), args.token)
if args.ip is not None:
print(json.dumps(p.query(args.ip)))
elif args.cert is not None:
print(json.dumps(p.query_cert(args.cert)))
elif args.fetch is not None:
print(json.dumps(p.fetch_cert(args.fetch, make_datetime=False)))
else:
print('You didn\'t query anything...')
def pssl_investigate_ip(ip_to_investigate):
"""
investigate a ip with passive SSL service
:param ip_to_investigate:
"""
# CIRCL passive SSL
logger.info("Doing pSSL on: " + ip_to_investigate)
p = pypssl.PyPSSL(PSSL_URL, PSSL_VERSION, (PSSL_USER, PSSL_PASSWORD))
# a = p.query(domain_to_investigate)
b = p.query(ip_to_investigate + "/28")
for ip in b:
for certificate in b[ip]['certificates']:
details = []
try:
logger.debug("Investigating " + ip_to_investigate + " cert: " +
certificate)
#cert_details = p.query_cert(certificate)
details = p.fetch_cert(certificate)
timestamp_desc = "pSSL_IP"
ip = ip_to_investigate
except ValueError as e:
logger.error(
"Value Error with receiving the cert with hash: " +
certificate + " from ip: " + ip_to_investigate + " " +
str(e))
continue
except Exception as e:
logger.error(
"General Error with receiving the cert with hash: " +
certificate + " from ip: " + ip_to_investigate + " " +
str(e))
continue
try:
# FIRST_Seen
if 'icsi' in details:
first_seen = details['icsi']['first_seen']
first_seen_datetime = calculate_date(first_seen)
timestamp = convert_date_to_timestamp(first_seen_datetime)
message = "IP " + ip + " had an SSL certificate " + certificate + " first seen in the wild " + str(
first_seen_datetime) + " " + str(details)
message = message.replace(',', ';')
append_line_to_csv(timestamp,
first_seen_datetime,
timestamp_desc,
message,
report,
attribution,
md5=certificate,
ip=ip_to_investigate)
# LAST Seen
last_seen_datetime = calculate_date(
details['icsi']['last_seen'])
timestamp = convert_date_to_timestamp(last_seen_datetime)
message = "IP " + ip + " had an SSL certificate " + certificate + " last seen in the wild " + str(
last_seen_datetime) + " " + str(details)
message = message.replace(',', ';')
append_line_to_csv(timestamp,
last_seen_datetime,
timestamp_desc,
message,
report,
attribution,
md5=certificate,
ip=ip_to_investigate)
else:
logger.debug(
ip_to_investigate + " " + certificate +
" no isci info found, so maybe not seen in the wild")
# NOT AFTER
datetime_new = details['info']['not_after']
timestamp = convert_tsdate_to_timestamp(
str(details['info']['not_after']))
datetime_new = str(datetime_new).replace(' ', 'T')
message = "IP " + ip + " had an SSL certificate " + certificate + " issued not after " + str(
datetime_new) + " " + str(details)
message = message.replace(',', ';')
append_line_to_csv(timestamp,
datetime_new,
timestamp_desc,
message,
report,
attribution,
md5=certificate,
ip=ip_to_investigate)
# NOT BEFORE
datetime_new = details['info']['not_before']
timestamp = convert_tsdate_to_timestamp(
str(details['info']['not_before']))
datetime_new = str(datetime_new).replace(' ', 'T')
message = "IP " + ip + " had an SSL certificate " + certificate + " issued not before " + str(
datetime_new) + " " + str(details)
message = message.replace(',', ';')
append_line_to_csv(timestamp,
datetime_new,
timestamp_desc,
message,
report,
attribution,
md5=certificate,
ip=ip_to_investigate)
logger.debug("finished certificate")
except Exception as e:
logger.error("Big Error with receiving the cert with hash: " +
certificate + " from ip: " + ip_to_investigate +
" " + str(e))
def init():
return pypssl.PyPSSL(base_url=BASE_URL, basic_auth=(LOGIN, PASSWORD))