Ejemplo n.º 1
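    # Distribute every IP indicator returned by list_ips() to the configured
    # sinks. The try/except sits inside the loop, so a failure on one indicator
    # is logged and the remaining indicators are still processed.
    for ip in list_ips(settings['crits']):
        try:
            # Bro is alerted before the confidence lookup, so it receives
            # indicators of every confidence level.
            if 'bro' in settings:
                alert_bro(ip, settings['bro'])
            confidence = get_intel_confidence(ip)
            if ip['ip']:
                obs_index['Address - ipv4-addr'][confidence].append(ip['ip'])
            if confidence == "medium":
                if 'qradar' in settings:
                    qradar(ip, settings['qradar'], 'medium_reference_sets')
                    # not adding the medium IPs to palo alto, as we have varying
                    # sets of limitations for the addresses and address groups.
            elif confidence == "high":
                if 'qradar' in settings:
                    qradar(ip, settings['qradar'], 'high_reference_sets')
                if 'palo_alto' in settings:
                    # NOTE(review): the indicator goes to the firewall block list
                    # as received from the feed; no format or allow-list check is
                    # visible in this excerpt. Confirm list_ips()/palo_alto()
                    # reject malformed or internal addresses, since a bad entry
                    # here blocks legitimate traffic.
                    palo_alto(ip, settings['palo_alto'], 'ip_block_list')
        except Exception as push_err:
            # Catch Exception rather than everything, so KeyboardInterrupt and
            # SystemExit still stop the run. Only the exception type is logged:
            # client-library error messages can embed request URLs or API keys.
            syslog.syslog(syslog.LOG_ERR,
                          'nyx: encountered problems adding the ip indicator: %s (%s)'
                          % (str(ip), type(push_err).__name__))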

    syslog.syslog(syslog.LOG_INFO,'nyx: Distributing a list of domains')
    for domain in list_fqdns(settings['crits']):#json.load(open('domains.json','rb')):
        try:
            if 'bro' in settings.keys():
                alert_bro(domain,settings['bro'])
            confidence=get_intel_confidence(domain)
            if domain['domain']:
		obs_index['A'][confidence].append(domain['domain'])
            if 'web_proxy' in settings.keys() and confidence=='high':
                # trying to reduce the false positives by only blocking the high confidence Indicators of Compromise 
                add_to_proxy(domain,settings['web_proxy'])
            if confidence=="medium":
Ejemplo n.º 2
    # Poll the Soltra feed once per confidence label, but only when a "soltra"
    # section is configured; each result is stored under the matching intel key.
    # NOTE(review): the shape of poll_feed()'s return value is not visible here;
    # the loop that follows indexes it by object-type name — confirm.
    if "soltra" in settings.keys():
        intel["medium"] = soltra.poll_feed(settings["soltra"], "medium")
        intel["high"] = soltra.poll_feed(settings["soltra"], "high")

    for csi, ivalues in intel.iteritems():
        # IPv4 indicators for this confidence label (csi): wrap each value in a
        # CRITs-style observable and hand it to every configured sink.
        # NOTE(review): no exception handling is visible around these sink calls
        # in this excerpt; an error raised by one sink would end the loop unless
        # a caller handles it — confirm.
        for ip in ivalues["AddressObjectType"]:
            # creating crits-like objects
            observable = {"type": "Address - ipv4-addr", "source": [{"name": "Soltra-" + csi}], "ip": ip["value"]}
            # NOTE(review): ip["value"] is recorded and forwarded as received; no
            # format or allow-list check is visible here — confirm one exists
            # before the value can reach the firewall block list.
            obs_index["Address - ipv4-addr"][csi].append(ip["value"])
            if "bro" in settings.keys():
                alert_bro(observable, settings["bro"])
            # The QRadar reference-set key is derived from the confidence label.
            if "qradar" in settings.keys():
                qradar(observable, settings["qradar"], csi + "_reference_sets")
            # Only the "high" label is pushed to the Palo Alto IP block list.
            if "palo_alto" in settings.keys() and csi == "high":
                palo_alto(observable, settings["palo_alto"], "ip_block_list")
            if "moloch" in settings.keys():
                alert_wise(observable, settings["moloch"], csi)
        # Domain indicators for this confidence label (csi): same fan-out as the
        # IP loop, using type "A" and the Palo Alto URL block list.
        for domain in ivalues["DomainNameObjectType"]:
            observable = {"type": "A", "source": [{"name": "Soltra-" + csi}], "domain": domain["value"]}
            # NOTE(review): domain["value"] is forwarded as received; no syntax
            # or allow-list check is visible here — confirm one exists upstream,
            # since a wrong entry on the block list denies a legitimate site.
            obs_index["A"][csi].append(domain["value"])
            if "bro" in settings.keys():
                alert_bro(observable, settings["bro"])
            # The QRadar reference-set key is derived from the confidence label.
            if "qradar" in settings.keys():
                qradar(observable, settings["qradar"], csi + "_reference_sets")
            # Only the "high" label is pushed to the Palo Alto URL block list.
            if "palo_alto" in settings.keys() and csi == "high":
                palo_alto(observable, settings["palo_alto"], "url_block_list")
            if "moloch" in settings.keys():
                alert_wise(observable, settings["moloch"], csi)
        for file_obj in ivalues["FileObjectType"]:
            for file_prop in file_obj:
Ejemplo n.º 3
 # IPv4 indicators for the current label (csi, compared with 'high' below):
 # wrap each value in a CRITs-style observable and hand it to every configured
 # sink.
 # NOTE(review): no exception handling is visible around these sink calls in
 # this excerpt; an error raised by one sink would end the loop unless a caller
 # handles it — confirm.
 for ip in ivalues['AddressObjectType']:
     # creating crits-like objects
     observable = {
         "type": "Address - ipv4-addr",
         "source": [{
             "name": "Soltra-" + csi
         }],
         'ip': ip['value']
     }
     # NOTE(review): ip['value'] is recorded and forwarded as received; no format
     # or allow-list check is visible here — confirm one exists before the value
     # can reach the firewall block list.
     obs_index['Address - ipv4-addr'][csi].append(ip['value'])
     if 'bro' in settings.keys():
         alert_bro(observable, settings['bro'])
     # The QRadar reference-set key is derived from the label.
     if 'qradar' in settings.keys():
         qradar(observable, settings['qradar'], csi + '_reference_sets')
     # Only the 'high' label is pushed to the Palo Alto IP block list.
     if 'palo_alto' in settings.keys() and csi == 'high':
         palo_alto(observable, settings['palo_alto'], 'ip_block_list')
     if 'moloch' in settings.keys():
         alert_wise(observable, settings['moloch'], csi)
 # Domain indicators for the current label (csi): build a CRITs-style
 # observable of type "A" per value and hand it to the configured sinks.
 # Only the Bro and QRadar hand-offs are visible; the excerpt ends after the
 # QRadar call.
 for domain in ivalues['DomainNameObjectType']:
     observable = {
         "type": "A",
         "source": [{
             "name": "Soltra-" + csi
         }],
         'domain': domain['value']
     }
     # NOTE(review): domain['value'] is recorded and forwarded as received; no
     # syntax or allow-list check is visible here — confirm one exists upstream.
     obs_index['A'][csi].append(domain['value'])
     if 'bro' in settings.keys():
         alert_bro(observable, settings['bro'])
     # The QRadar reference-set key is derived from the label.
     if 'qradar' in settings.keys():
         qradar(observable, settings['qradar'], csi + '_reference_sets')
Ejemplo n.º 4
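    syslog.syslog(syslog.LOG_INFO, 'nyx: Distributing a list of IP adresses')
    # Distribute every IP indicator returned by list_ips() to the configured
    # sinks. The try/except sits inside the loop, so a failure on one indicator
    # is logged and the remaining indicators are still processed.
    # NOTE(review): the meaning of the second argument (100) is not visible in
    # this excerpt — presumably a result limit; confirm.
    for ip in list_ips(settings['crits'], 100):
        try:
            # Bro is alerted before the confidence lookup, so it receives
            # indicators of every confidence level.
            if 'bro' in settings:
                alert_bro(ip, settings['bro'])
            confidence = get_intel_confidence(ip)
            if confidence == "medium":
                if 'qradar' in settings:
                    qradar(ip, settings['qradar'], 'medium_reference_sets')
                    # not adding the medium IPs to palo alto, as we have varying
                    # sets of limitations for the addresses and address groups.
            elif confidence == "high":
                if 'qradar' in settings:
                    qradar(ip, settings['qradar'], 'high_reference_sets')
                if 'palo_alto' in settings:
                    # NOTE(review): the indicator goes to the firewall block list
                    # as received from the feed; no format or allow-list check is
                    # visible in this excerpt. Confirm list_ips()/palo_alto()
                    # reject malformed or internal addresses, since a bad entry
                    # here blocks legitimate traffic.
                    palo_alto(ip, settings['palo_alto'], 'ip_block_list')
        except Exception as push_err:
            # Catch Exception rather than everything, so KeyboardInterrupt and
            # SystemExit still stop the run. Only the exception type is logged:
            # client-library error messages can embed request URLs or API keys.
            syslog.syslog(
                syslog.LOG_ERR,
                'nyx: encountered problems adding the ip indicator: %s (%s)' %
                (str(ip), type(push_err).__name__))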

    syslog.syslog(syslog.LOG_INFO, 'nyx: Distributing a list of domains')
    for domain in list_fqdns(settings['crits'],
                             100):  #json.load(open('domains.json','rb')):
        try:
            if 'bro' in settings.keys():
                alert_bro(domain, settings['bro'])
            confidence = get_intel_confidence(domain)
            if 'web_proxy' in settings.keys() and confidence == 'high':
                # trying to reduce the false positives by only blocking the high confidence Indicators of Compromise