def test_matching(self):
    """Check that utils.is_mac()/utils.is_ip() accept well-formed values and reject look-alikes."""
    # (value, should_match) tables; the dotted MAC and the hostname must be rejected.
    mac_cases = [
        ("00:C0:B7:7E:55:50", True),
        ("00:c0:b7:7E:55:50", True),
        ("00.D0.B7.7E.55.50", False),
        ("testsystem0", False),
    ]
    ip_cases = [
        ("127.0.0.1", True),
        ("192.168.1.1", True),
        ("00:C0:B7:7E:55:50", False),
        ("testsystem0", False),
    ]
    for value, should_match in mac_cases:
        check = self.assertTrue if should_match else self.assertFalse
        check(utils.is_mac(value))
    for value, should_match in ip_cases:
        check = self.assertTrue if should_match else self.assertFalse
        check(utils.is_ip(value))
def get_real_domain(self, domain_prefix, suffix=""):
    """Return the URL used to reach *domain_prefix*, with *suffix* appended verbatim.

    With ``self.config.need_vpn`` set the target is rewritten onto the
    ``.webvpn.buu.edu.cn`` host over https; a bare IP has its dots replaced
    by dashes first. Without the VPN a bare IP is used as-is over http and
    any other prefix is treated as a sub-domain of ``buu.edu.cn``.
    """
    is_address = utils.is_ip(domain_prefix)
    if self.config.need_vpn:
        host = domain_prefix.replace('.', '-') if is_address else domain_prefix
        return "https://%s.webvpn.buu.edu.cn%s" % (host, suffix)
    if is_address:
        return "http://%s%s" % (domain_prefix, suffix)
    return "http://%s.buu.edu.cn%s" % (domain_prefix, suffix)
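def get_real_domain_encoded(self, domain_prefix, suffix=""):
    """Return the URL for *domain_prefix* (see get_real_domain) percent-encoded
    with ``urllib.parse.quote_plus`` so it can be embedded in a query string.

    With ``self.config.need_vpn`` set the target is rewritten onto the
    ``.webvpn.buu.edu.cn`` host over https (dots in a bare IP become dashes);
    otherwise a bare IP is used as-is over http and any other prefix is
    treated as a sub-domain of ``buu.edu.cn``. *suffix* is appended verbatim.
    """
    # `import urllib` alone does not guarantee the `urllib.parse` submodule
    # is loaded; import the submodule explicitly.
    import urllib.parse
    is_address = utils.is_ip(domain_prefix)
    if self.config.need_vpn:
        host = domain_prefix.replace('.', '-') if is_address else domain_prefix
        url = "https://" + host + ".webvpn.buu.edu.cn" + suffix
    elif is_address:
        url = "http://" + domain_prefix + suffix
    else:
        url = "http://" + domain_prefix + ".buu.edu.cn" + suffix
    return urllib.parse.quote_plus(url)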
def set_name(self, name):
    """
    Set the name.  If the name is a MAC or IP, and the first MAC and/or IP
    is not defined, go ahead and fill that value in.

    Raises CX when the object would become its own parent, when *name* is
    not a string, or when *name* holds a character that is neither
    alphanumeric nor one of ``_ - . : +``.
    """
    has_name = self.name not in ["", None]
    has_parent = self.parent not in ["", None]
    if has_name and has_parent and self.name == self.parent:
        raise CX(_("self parentage is weird"))
    if not isinstance(name, basestring):
        raise CX(_("name must be a string"))
    extra_allowed = "_-.:+"
    for ch in name:
        if not (ch.isalnum() or ch in extra_allowed):
            raise CX(_("invalid characters in name: %s") % ch)
    # Stuff here defaults to eth0. Yes, it's ugly and hardcoded, but so was
    # the default interface behaviour that's now removed. ;)
    # --Jasper Capel
    if utils.is_mac(name):
        eth0 = self.__get_interface("eth0")
        if eth0["mac_address"] == "":
            eth0["mac_address"] = name
    elif utils.is_ip(name):
        eth0 = self.__get_interface("eth0")
        if eth0["ip_address"] == "":
            eth0["ip_address"] = name
    self.name = name
    return True
def set_name(self, name):
    """
    Set the name.  If the name is a MAC or IP, and the first MAC and/or IP
    is not defined, go ahead and fill that value in.

    Raises CX when the object would become its own parent, when *name* is
    not a string, or on the first character of *name* that is neither
    alphanumeric nor one of ``_ - . : +``.
    """
    if self.name not in ["", None] and self.parent not in ["", None] and self.name == self.parent:
        raise CX(_("self parentage is weird"))
    if not isinstance(name, basestring):
        raise CX(_("name must be a string"))
    invalid = [ch for ch in name if not ch.isalnum() and ch not in ["_", "-", ".", ":", "+"]]
    if invalid:
        raise CX(_("invalid characters in name: %s") % invalid[0])
    # Stuff here defaults to eth0. Yes, it's ugly and hardcoded, but so was
    # the default interface behaviour that's now removed. ;)
    # --Jasper Capel
    field = None
    if utils.is_mac(name):
        field = "mac_address"
    elif utils.is_ip(name):
        field = "ip_address"
    if field is not None:
        eth0 = self.__get_interface("eth0")
        if eth0[field] == "":
            eth0[field] = name
    self.name = name
    return True
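_MSG_SPECIALS = '\\";'
_CONTENT_SPECIALS = '\\";|'


def _escape_rule_text(text, specials=_MSG_SPECIALS):
    """Backslash-escape the characters in *specials* so *text* can sit inside a
    quoted Snort/Suricata rule option without terminating it early.

    ``msg`` needs ``\\``, ``"`` and ``;`` escaped; ``content`` additionally
    needs ``|`` escaped because it delimits hex bytes.
    """
    out = []
    for ch in str(text):
        if ch in specials:
            out.append('\\')
        out.append(ch)
    return ''.join(out)


def _dns_name_pattern(name):
    """Encode *name* as the DNS wire-format label sequence used in a query:
    a ``|XX|`` length byte followed by the label's characters, per label."""
    # The length byte is the raw label length; escaping is applied only to
    # the characters that follow it.
    return ''.join(
        '|{:02X}|{}'.format(len(label), _escape_rule_text(label, _CONTENT_SPECIALS))
        for label in name.split('.')
    )


def generate_rule(ioc, family=None, country=None, reference=None, counter=1):
    """Build a Snort/Suricata alert rule for one indicator.

    Args:
        ioc: an IP address (matched as traffic to that host) or a domain
            (matched as a DNS query for that name on udp/53).
        family: optional malware family name appended to the msg.
        country: optional country name appended to the msg.
        reference: optional URL for the ``reference:url`` option; the option
            is omitted when empty instead of emitting ``reference:url,None``.
        counter: offset added to the 9100000 sid base.

    Returns:
        The rule as a single string.
    """
    message_suffix = ""
    if family:
        message_suffix += " - related to {}".format(family)
    if country:
        message_suffix += " (seen in {})".format(country)
    sid = 9100000 + counter
    if is_ip(ioc):
        message = "Traffic to suspicious IP {}{}".format(ioc, message_suffix)
        header = "alert ip any any -> {} any".format(ioc)
        match_options = []
    else:
        message = "Suspicious DNS request {}{}".format(ioc, message_suffix)
        header = "alert udp any any -> any 53"
        match_options = [
            'content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2;',
            'content:"{}"; nocase; distance: 0; fast_pattern;'.format(_dns_name_pattern(ioc)),
        ]
    # family/country/ioc come from an external feed: escape them so a stray
    # quote or semicolon cannot break (or silently alter) the rule.
    options = ['msg:"{}";'.format(_escape_rule_text(message))] + match_options
    if reference:
        options.append("reference:url,{};".format(reference))
    options.extend(["classtype:trojan-activity;", "sid:{};".format(sid), "rev:0;"])
    return "{} ({})".format(header, " ".join(options))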
def set_gateway(self, gateway):
    """Store the default gateway; ``None`` means "no gateway" and is stored as "".

    Raises CX when a non-empty value does not pass utils.is_ip.
    """
    value = "" if gateway is None else gateway
    if value != "" and not utils.is_ip(value):
        raise CX(_("invalid format for gateway IP address (%s)") % value)
    self.gateway = value
    return True
def set_gateway(self, gateway):
    """Store the default gateway, normalising ``None`` to "".

    Raises CX when a non-empty value does not pass utils.is_ip.
    """
    if gateway is None:
        gateway = ""
    accepted = gateway == "" or utils.is_ip(gateway)
    if not accepted:
        raise CX(_("invalid format for gateway IP address (%s)") % gateway)
    self.gateway = gateway
    return True
def set_ipv6_address(self, address, interface):
    """Set the IPv6 address of *interface*.

    An empty string clears the address; any other value must pass
    utils.is_ip and is stored with surrounding whitespace stripped.
    Raises CX on a malformed address.
    """
    intf = self.__get_interface(interface)
    if address != "" and not utils.is_ip(address):
        raise CX(_("invalid format for IPv6 IP address (%s)") % address)
    intf["ipv6_address"] = address.strip()
    return True
def set_ipv6_address(self, address, interface):
    """Set the IPv6 address of *interface* ("" clears it).

    The value is validated with utils.is_ip and stored stripped of
    surrounding whitespace; a malformed address raises CX.
    """
    intf = self.__get_interface(interface)
    accepted = address == "" or utils.is_ip(address)
    if accepted:
        intf["ipv6_address"] = address.strip()
        return True
    raise CX(_("invalid format for IPv6 IP address (%s)") % address)
def set_ipv6_secondaries(self, addresses, interface):
    """Replace the secondary IPv6 addresses of *interface*.

    *addresses* may be a string or a list (normalised by
    utils.input_string_or_list). Every entry must be "" or pass
    utils.is_ip; the first malformed entry raises CX and nothing is stored.
    """
    intf = self.__get_interface(interface)
    accepted = []
    for candidate in utils.input_string_or_list(addresses):
        if candidate != "" and not utils.is_ip(candidate):
            raise CX(_("invalid format for IPv6 IP address (%s)") % candidate)
        accepted.append(candidate)
    intf["ipv6_secondaries"] = accepted
    return True
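def set_ip_address(self, address, interface):
    """
    Assign a IP or hostname in DHCP when this MAC boots.
    Only works if manage_dhcp is set in /etc/cobbler/settings

    "" (or None) clears the address. Otherwise the value must pass
    utils.is_ip and, unless allow_duplicate_ips is enabled in the settings,
    must not already be assigned to another system. Raises CX on a
    malformed or duplicated address.
    """
    intf = self.__get_interface(interface)
    # Validate and compare the same value that gets stored: previously the
    # raw argument was checked but the stripped one was written.
    if address is None:
        address = ""
    address = address.strip()
    if address != "" and not utils.is_ip(address):
        raise CX(_("invalid format for IP address (%s)") % address)
    # FIXME: move duplicate supression code to the object validation
    # functions to take a harder line on supression?
    duplicates_allowed = str(self.config._settings.allow_duplicate_ips).lower() in ["1", "y", "yes"]
    if address != "" and not duplicates_allowed:
        for other in self.config.api.find_items("system", {"ip_address": address}):
            if other.name != self.name:
                raise CX("IP address duplicated: %s" % address)
    intf["ip_address"] = address
    return True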
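def main():
    """Command-line entry point: print the IP and/or domain indicators from an IOC CSV.

    The first column of each row is the indicator; rows that are empty or
    whose first column starts with ``#`` are skipped. Exits with status 1
    when no selector flag is given and returns early when the file is missing.
    """
    parser = ArgumentParser(description="Targeted Threats IOC Extractor")
    parser.add_argument('--all', '-a', action='store_true', help="Get all indicators")
    parser.add_argument('--ip', '-i', action='store_true', help="Get only IP addresses")
    parser.add_argument('--domains', '-d', action='store_true', help="Get only domains")
    parser.add_argument('ioc_path', action="store")
    args, _unknown = parser.parse_known_args()
    if not (args.all or args.ip or args.domains):
        parser.print_usage()
        sys.exit(1)
    if not os.path.exists(args.ioc_path):
        print("[!] ERROR: IOC file does not exist at path {}".format(args.ioc_path))
        return
    want_ips = args.all or args.ip
    want_domains = args.all or args.domains
    with open(args.ioc_path, 'r') as handle:
        for row in csv.reader(handle):
            # Blank lines yield an empty row; comment rows start with '#'.
            if not row or row[0].startswith('#'):
                continue
            indicator = row[0]
            # print() with a single argument is valid on both Python 2 and 3.
            if is_ip(indicator):
                if want_ips:
                    print(indicator)
            elif want_domains:
                print(indicator)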
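def set_ip_address(self, address, interface):
    """
    Assign a IP or hostname in DHCP when this MAC boots.
    Only works if manage_dhcp is set in /etc/cobbler/settings

    "" (or None) clears the address. A non-empty value must pass
    utils.is_ip and, unless allow_duplicate_ips is enabled in the settings,
    must not be assigned to a different system already. Raises CX on a
    malformed or duplicated address.
    """
    intf = self.__get_interface(interface)
    # Check the value that will actually be stored (the stripped one), not
    # the raw argument.
    cleaned = "" if address is None else address.strip()
    if cleaned != "":
        if not utils.is_ip(cleaned):
            raise CX(_("invalid format for IP address (%s)") % cleaned)
        # FIXME: move duplicate supression code to the object validation
        # functions to take a harder line on supression?
        allow_dupes = str(self.config._settings.allow_duplicate_ips).lower() in ["1", "y", "yes"]
        if not allow_dupes:
            matched = self.config.api.find_items("system", {"ip_address": cleaned})
            if any(x.name != self.name for x in matched):
                raise CX("IP address duplicated: %s" % cleaned)
    intf["ip_address"] = cleaned
    return True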
def set_name(self, name):
    """
    Set the name.  If the name is a MAC or IP, and the first MAC and/or IP
    is not defined, go ahead and fill that value in.

    Raises CX when the object would become its own parent; *name* itself is
    checked by self.validate_name.
    """
    is_own_parent = (
        self.name not in ["", None]
        and self.parent not in ["", None]
        and self.name == self.parent
    )
    if is_own_parent:
        raise CX(_("self parentage is weird"))
    self.validate_name(name)
    # Stuff here defaults to eth0. Yes, it's ugly and hardcoded, but so was
    # the default interface behaviour that's now removed. ;)
    # --Jasper Capel
    field = None
    if utils.is_mac(name):
        field = "mac_address"
    elif utils.is_ip(name):
        field = "ip_address"
    if field is not None:
        eth0 = self.__get_interface("eth0")
        if eth0[field] == "":
            eth0[field] = name
    self.name = name
    return True
def ip_address(self, ip_address):
    """Store *ip_address* in ``self._ip_address`` if is_ip() accepts it.

    Raises ValueError otherwise.
    """
    if not is_ip(ip_address):
        raise ValueError("Not an IP address")
    self._ip_address = ip_address
def whois(indicator):
    """Dispatch a WHOIS lookup: ip_whois() when is_ip(indicator), domain_whois() otherwise."""
    lookup = ip_whois if is_ip(indicator) else domain_whois
    return lookup(indicator)
def get_real_domain(self, domain_prefix, suffix=""):
    """Return ``http://<host>/<suffix>`` for *domain_prefix*.

    A bare IP (utils.is_ip) is used as the host unchanged; anything else is
    treated as a sub-domain of ``buu.edu.cn``.
    """
    if utils.is_ip(domain_prefix):
        host = domain_prefix
    else:
        host = domain_prefix + ".buu.edu.cn"
    return "http://%s/%s" % (host, suffix)
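def set_if_gateway(self, gateway, interface):
    """Set the gateway of *interface*; "" clears it.

    A non-empty value must pass utils.is_ip, otherwise CX is raised.
    """
    intf = self.__get_interface(interface)
    if gateway == "" or utils.is_ip(gateway):
        intf["if_gateway"] = gateway
        return True
    # Translate the template first, then substitute: _("..." % x) looked up
    # the already-formatted string, which never matches a catalog entry.
    raise CX(_("invalid gateway: %s") % gateway)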
def set_ipv6_default_gateway(self, address, interface):
    """Set the IPv6 default gateway of *interface* ("" clears it).

    A non-empty value must pass utils.is_ip; it is stored stripped of
    surrounding whitespace. Raises CX on a malformed address.
    """
    intf = self.__get_interface(interface)
    if address != "" and not utils.is_ip(address):
        raise CX(_("invalid format for IPv6 IP address (%s)") % address)
    intf["ipv6_default_gateway"] = address.strip()
    return True
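def set_if_gateway(self, gateway, interface):
    """Set the gateway of *interface*; "" clears it.

    Raises CX when a non-empty value does not pass utils.is_ip.
    """
    intf = self.__get_interface(interface)
    accepted = gateway == "" or utils.is_ip(gateway)
    if not accepted:
        # The translation lookup must see the unformatted template; formatting
        # before calling _() defeats the catalog lookup.
        raise CX(_("invalid gateway: %s") % gateway)
    intf["if_gateway"] = gateway
    return True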
def set_ipv6_default_gateway(self, address, interface):
    """Set the IPv6 default gateway of *interface*.

    "" clears the value; anything else must pass utils.is_ip and is stored
    with surrounding whitespace removed. Raises CX on a malformed address.
    """
    intf = self.__get_interface(interface)
    accepted = address == "" or utils.is_ip(address)
    if accepted:
        intf["ipv6_default_gateway"] = address.strip()
        return True
    raise CX(_("invalid format for IPv6 IP address (%s)") % address)