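def process_iocs(results):
    """Return data formatted for Splunk from crt.sh.

    Args:
        results: Rows handed in by the calling search (each a mapping whose
            values are the IOCs to look up), or ``None`` to read the IOCs
            from ``sys.argv`` instead. On the command line an optional mode
            keyword (``subdomain`` or ``wildcard``) may precede the IOCs.

    Returns:
        A list of dicts for Splunk: every record ``query_crtsh`` produced,
        plus an ``{"invalid": ioc}`` entry for each input that is neither a
        domain nor an IPv4 address. An empty list when no IOCs were given
        (the original raised ``UnboundLocalError`` in that case).
    """
    provided_iocs = []
    if results is not None:
        provided_iocs = [y for x in results for y in x.values()]
    elif len(sys.argv) > 1 and sys.argv[1] in ("subdomain", "wildcard"):
        # Mode keyword first, IOCs after it.
        provided_iocs = sys.argv[2:]
    elif len(sys.argv) > 1:
        provided_iocs = sys.argv[1:]

    session = commons.create_session()
    splunk_table = []
    try:
        for provided_ioc in set(provided_iocs):
            # Presumably undoes defanging (hxxp, [.]) -- see commons.
            provided_ioc = commons.deobfuscate_string(provided_ioc)
            # Only syntactically valid hosts are sent out to the network.
            if not (validators.domain(provided_ioc) or validators.ipv4(provided_ioc)):
                splunk_table.append({"invalid": provided_ioc})
                continue
            splunk_table.extend(query_crtsh(provided_ioc, session))
    finally:
        # Close the session even if a lookup raises.
        session.close()
    return splunk_table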
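def process_iocs(results):
    """Return data formatted for Splunk from psbdmp.

    Args:
        results: Not used by this variant; the psbdmp mode and the IOCs
            always come from ``sys.argv``: ``sys.argv[1]`` is the endpoint
            (``search`` or ``dump``) and the remaining arguments are the
            IOCs. The parameter is kept so all ``process_iocs`` variants
            share one signature.

    Returns:
        A list of dicts for Splunk: every record the psbdmp query produced,
        plus an ``{"invalid": ioc}`` entry for any IOC that cannot be
        dispatched. An empty list when the endpoint is missing or unknown
        (the original raised ``UnboundLocalError`` in that case).
    """
    endpoint = None
    provided_iocs = []
    if len(sys.argv) > 1 and sys.argv[1] in ("search", "dump"):
        endpoint = sys.argv[1]
        provided_iocs = sys.argv[2:]

    session = commons.create_session()
    splunk_table = []
    try:
        for provided_ioc in set(provided_iocs):
            # Presumably undoes defanging (hxxp, [.]) -- see commons.
            provided_ioc = commons.deobfuscate_string(provided_ioc)
            if endpoint == "search":
                psbdmp_dicts = psbdmp_search(provided_ioc, session)
            elif endpoint == "dump":
                psbdmp_dicts = psbdmp_dump(provided_ioc, session)
            else:
                splunk_table.append({"invalid": provided_ioc})
                continue
            splunk_table.extend(psbdmp_dicts)
    finally:
        # Close the session even if a lookup raises.
        session.close()
    return splunk_table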
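def process_iocs(results):
    """Return data formatted for Splunk from Malshare.

    Args:
        results: Rows handed in by the calling search (each a mapping whose
            values are the IOCs to look up), or ``None`` to read the IOCs
            from ``sys.argv[1:]``.

    Returns:
        A list of dicts for Splunk: every record ``query_malshare`` produced,
        plus an ``{"invalid": ioc}`` entry for each input that is not an
        IPv4 address, a domain, an MD5 (32 hex chars) or a SHA-256
        (64 hex chars).
    """
    if results is not None:
        provided_iocs = [y for x in results for y in x.values()]
    else:
        provided_iocs = sys.argv[1:]

    # IOCs are lower-cased first, so the hash patterns only need a-f.
    md5_re = re.compile(r"^[a-f\d]{32}$")
    sha256_re = re.compile(r"^[a-f\d]{64}$")

    session = commons.create_session()
    api_key = commons.get_apikey("malshare")
    splunk_table = []
    try:
        for provided_ioc in set(provided_iocs):
            # Presumably undoes defanging (hxxp, [.]) -- see commons.
            provided_ioc = commons.deobfuscate_string(provided_ioc).lower()
            looks_valid = (
                validators.ipv4(provided_ioc)
                or validators.domain(provided_ioc)
                or md5_re.match(provided_ioc)
                or sha256_re.match(provided_ioc)
            )
            # Only well-formed IOCs are sent to the API with the key.
            if not looks_valid:
                splunk_table.append({"invalid": provided_ioc})
                continue
            splunk_table.extend(query_malshare(provided_ioc, api_key, session))
    finally:
        # Close the session even if a lookup raises.
        session.close()
    return splunk_table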
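def process_iocs(results):
    """Return data formatted for Splunk from Twitter.

    Args:
        results: Rows handed in by the calling search (each a mapping whose
            values are the search terms), or ``None`` to read the terms from
            ``sys.argv[1:]``.

    Returns:
        Normally a list of dicts for Splunk (keys lower-cased by
        ``commons.lower_keys``), with an ``{"invalid": term}`` entry for
        each rejected term. When more than 180 terms are supplied a single
        ``{"error": ...}`` dict is returned instead of a list, and when
        ``create_session`` or ``check_rate_limit`` report a problem that
        dict is returned inside a one-element list -- callers must handle
        both shapes.
    """
    if results is not None:
        provided_iocs = [y for x in results for y in x.values()]
    else:
        provided_iocs = sys.argv[1:]

    if len(provided_iocs) > 180:
        return {
            "error": "Search term limit: 180\nTotal Search Terms Provided: {}".format(
                len(provided_iocs))
        }

    # A dict from create_session / check_rate_limit signals an error.
    session = create_session()
    if isinstance(session, dict):
        return [session]
    rate_limit = check_rate_limit(session, provided_iocs)
    if isinstance(rate_limit, dict):
        return [rate_limit]

    # MD5 and SHA-256 of empty input: a real hash, but never a useful search.
    empty_files = [
        "d41d8cd98f00b204e9800998ecf8427e",
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    ]

    splunk_table = []
    for provided_ioc in set(provided_iocs):
        # Presumably undoes defanging (hxxp, [.]) -- see commons.
        provided_ioc = commons.deobfuscate_string(provided_ioc)
        if provided_ioc in empty_files:
            splunk_table.append({"invalid": provided_ioc})
            continue
        # Any term of 3..140 characters is accepted as free text; the
        # validators only matter for well-formed IOCs longer than that
        # (e.g. long URLs). Parentheses make the original precedence explicit.
        looks_valid = (
            validators.url(provided_ioc)
            or validators.domain(provided_ioc)
            or validators.ipv4(provided_ioc)
            or validators.md5(provided_ioc)
            or validators.sha256(provided_ioc)
            or (len(provided_ioc) > 2 and len(provided_ioc) <= 140)
        )
        if not looks_valid:
            splunk_table.append({"invalid": provided_ioc})
            continue
        for ioc_dict in query_twitter(session, provided_ioc):
            splunk_table.append(commons.lower_keys(ioc_dict))
    return splunk_table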
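def process_iocs(results):
    """Return data formatted for Splunk from URLhaus.

    Args:
        results: Rows handed in by the calling search (each a mapping whose
            values are the IOCs to look up), or ``None`` to read the IOCs
            from ``sys.argv[1:]``.

    Returns:
        A list of dicts for Splunk (keys lower-cased by
        ``commons.lower_keys``): every record ``query_urlhaus`` produced,
        plus an ``{"invalid": ioc}`` entry for each input that is an
        empty-file hash, a URL on urlhaus.abuse.ch itself, or not a host,
        URL, MD5 or SHA-256.
    """
    if results is not None:
        provided_iocs = [y for x in results for y in x.values()]
    else:
        provided_iocs = sys.argv[1:]

    # MD5 and SHA-256 of empty input: a real hash, but never a useful lookup.
    empty_files = [
        "d41d8cd98f00b204e9800998ecf8427e",
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    ]
    # Links back into URLhaus itself (http/https, possibly defanged "hxxp")
    # are not payload URLs and are rejected rather than queried.
    urlhaus_match = re.compile(r"^h..ps?:\/\/urlhaus\.abuse\.ch")
    md5_re = re.compile(r"^[a-f\d]{32}$")
    sha256_re = re.compile(r"^[a-f\d]{64}$")

    session = commons.create_session()
    splunk_table = []
    try:
        for provided_ioc in set(provided_iocs):
            # Presumably undoes defanging (hxxp, [.]) -- see commons.
            provided_ioc = commons.deobfuscate_string(provided_ioc)
            if provided_ioc in empty_files or urlhaus_match.match(provided_ioc):
                splunk_table.append({"invalid": provided_ioc})
                continue

            # Classify the IOC for the URLhaus endpoint it belongs to.
            if validators.domain(provided_ioc) or validators.ipv4(provided_ioc):
                ioc_type = "host"
            elif validators.url(provided_ioc):
                ioc_type = "url"
            elif md5_re.match(provided_ioc) or sha256_re.match(provided_ioc):
                # Hash patterns are lower-case only; the IOC is not
                # lower-cased here, so upper-case hex is reported invalid
                # (unchanged from the original).
                ioc_type = "payload"
            else:
                splunk_table.append({"invalid": provided_ioc})
                continue

            for ioc_dict in query_urlhaus(session, provided_ioc, ioc_type):
                splunk_table.append(commons.lower_keys(ioc_dict))
    finally:
        # Close the session even if a lookup raises.
        session.close()
    return splunk_table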
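def process_iocs(results):
    """Return data formatted for Splunk from urlscan.io.

    Args:
        results: Rows handed in by the calling search (each a mapping whose
            values are the IOCs to look up), or ``None`` to read from
            ``sys.argv``. On the command line, if ``sys.argv[1]`` names a
            query in ``usfs.queries`` the first two arguments are query
            parameters and the IOCs start at ``sys.argv[3]``; otherwise all
            arguments are IOCs.

    Returns:
        A list of dicts for Splunk: every record with an ``ip`` key that the
        urlscan query produced, ``{"no data": ioc}`` for records without one
        or for the SHA-256 of empty input, ``{"invalid": ioc}`` for inputs
        that are neither a known file extension nor a domain, IPv4, SHA-256
        or certstream term, and ``[{"error": ...}]`` when a named query is
        given fewer than three positional arguments.
    """
    if results is not None:
        provided_iocs = [y for x in results for y in x.values()]
    elif len(sys.argv) > 1 and sys.argv[1] in usfs.queries:
        if len(sys.argv[1:]) < 3:
            return [{
                "error": "3 positional args needed. {} given.".format(
                    len(sys.argv[1:]))
            }]
        provided_iocs = sys.argv[3:]
    else:
        provided_iocs = sys.argv[1:]

    # SHA-256 of empty input: a real hash, but there is nothing to look up.
    empty_sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

    session = commons.create_session()
    splunk_table = []
    try:
        for provided_ioc in set(provided_iocs):
            # Presumably undoes defanging (hxxp, [.]) -- see commons.
            provided_ioc = commons.deobfuscate_string(provided_ioc)
            if provided_ioc == empty_sha256:
                splunk_table.append({"no data": provided_ioc})
                continue

            # File-extension searches use a different urlscan endpoint.
            if provided_ioc.lower() in usfs.extensions:
                ioc_dicts = query_urlscan_file(session, provided_ioc)
            elif (validators.domain(provided_ioc)
                  or validators.ipv4(provided_ioc)
                  or validators.sha256(provided_ioc)
                  or "certstream-suspicious" in provided_ioc):
                ioc_dicts = query_urlscan(session, provided_ioc)
            else:
                splunk_table.append({"invalid": provided_ioc})
                continue

            for ioc_dict in ioc_dicts:
                # Records without an ip field are treated as empty results.
                if "ip" not in ioc_dict:
                    splunk_table.append({"no data": provided_ioc})
                    continue
                splunk_table.append(ioc_dict)
    finally:
        # Close the session even if a lookup raises.
        session.close()
    return splunk_table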
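def process_iocs(results):
    """Return data formatted for Splunk from GreyNoise.

    Lookups are served from two CSV files under ``<app_home>/lookups``
    rather than from the network: ``greynoise_feed.csv`` (first line is the
    header) and ``greynoise_scanners.csv`` (scanner names, header skipped).

    Args:
        results: Rows handed in by the calling search (each a mapping whose
            values are the IOCs to look up), or ``None`` to read the IOCs
            from ``sys.argv[1:]``.

    Returns:
        A list of dicts for Splunk: one per feed line that mentions the IOC
        (feed header zipped with the line's fields, keys lower-cased),
        ``{"no data": ioc}`` when no line matched, and ``{"invalid": ioc}``
        for inputs that are not an IPv4 address, a domain or a known
        scanner name.
    """
    if results is not None:
        provided_iocs = [y for x in results for y in x.values()]
    else:
        provided_iocs = sys.argv[1:]

    splunk_table = []
    lookup_path = "{}/lookups".format(app_home)

    # `with` guarantees the handles are closed even if reading fails.
    with open("{}/greynoise_feed.csv".format(lookup_path), "r") as feed_file:
        data_feed = feed_file.read().splitlines()
    header = data_feed[0].split(",") if data_feed else []
    # Skip the header row so it can never be returned as a "match".
    feed_rows = data_feed[1:]

    with open("{}/greynoise_scanners.csv".format(lookup_path), "r") as scanners_file:
        scanner_lines = scanners_file.read().splitlines()[1:]
    # A set keeps the membership test O(1) per IOC.
    scanners = {x.lower() for x in scanner_lines}

    for provided_ioc in set(provided_iocs):
        # Presumably undoes defanging (hxxp, [.]) -- see commons.
        provided_ioc = commons.deobfuscate_string(provided_ioc)
        needle = provided_ioc.lower()
        if not (validators.ipv4(provided_ioc)
                or validators.domain(provided_ioc)
                or needle in scanners):
            splunk_table.append({"invalid": provided_ioc})
            continue

        # NOTE(review): this is a substring match on the whole CSV line, so
        # "1.2.3.4" also matches "11.2.3.45" and a domain matches any line
        # containing it. Kept to preserve results; an exact match on the
        # relevant column would be more precise.
        matches = [line for line in feed_rows if needle in line.lower()]
        if not matches:
            splunk_table.append({"no data": provided_ioc})
            continue
        for line in matches:
            scanner_dict = OrderedDict(zip(header, line.split(",")))
            splunk_table.append(commons.lower_keys(scanner_dict))
    return splunk_table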
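def process_iocs(results):
    """Return data formatted for Splunk from Hybrid-Analysis.

    Args:
        results: Rows handed in by the calling search (each a mapping whose
            values are the IOCs to look up), or ``None`` to read the mode
            and IOCs from ``sys.argv``: either ``terms <param> IOC...``
            where ``<param>`` is one of the search fields listed in
            ``params``, or ``hash hash IOC...``.

    Returns:
        A list of dicts for Splunk: every record ``query_hybridanalysis``
        produced. When IOCs were supplied but no endpoint/parameter could
        be determined, a single ``[{"error": ...}]`` entry is returned
        (the original raised ``UnboundLocalError``/``NameError`` there).
    """
    params = [
        'authentihash', 'av_detect', 'context', 'country', 'domain',
        'env_id', 'filename', 'filetype_desc', 'filetype', 'hash', 'host',
        'imp_hash', 'port', 'similar_to', 'ssdeep', 'tag', 'url', 'verdict',
        'vx_family'
    ]
    endpoint = None
    param = None
    provided_iocs = []
    if results is not None:
        provided_iocs = [y for x in results for y in x.values()]
        # NOTE(review): this path sets no endpoint/param, so any IOC from
        # `results` ends in the error below -- confirm what the caller expects.
    elif len(sys.argv) > 2:
        # Length is checked before sys.argv[2] is touched (the original
        # indexed first and could raise IndexError).
        mode, field = sys.argv[1], sys.argv[2]
        if (mode == "terms" and field in params) or (mode == "hash" and field == "hash"):
            endpoint = mode
            param = field
            provided_iocs = sys.argv[3:]

    if provided_iocs and (endpoint is None or param is None):
        return [{"error": "Hybrid-Analysis endpoint and parameter could not be determined."}]

    session = commons.create_session()
    api_domain = commons.get_apidomain("hybrid-analysis")
    api_key = commons.get_apikey("hybrid-analysis")
    splunk_table = []
    try:
        for provided_ioc in set(provided_iocs):
            # Presumably undoes defanging (hxxp, [.]) -- see commons. Unlike
            # the other modules no format validation happens here: the
            # lower-cased value is sent to the API as-is for the chosen param.
            provided_ioc = commons.deobfuscate_string(provided_ioc).lower()
            ioc_dicts = query_hybridanalysis(endpoint, param, provided_ioc,
                                             api_domain, api_key, session)
            splunk_table.extend(ioc_dicts)
    finally:
        # Close the session even if a lookup raises.
        session.close()
    return splunk_table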
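def process_iocs(results):
    """Return data formatted for Splunk from ThreatCrowd.

    Args:
        results: Rows handed in by the calling search (each a mapping whose
            values are the IOCs to look up), or ``None`` to read the IOCs
            from ``sys.argv[1:]``.

    Returns:
        A list of dicts for Splunk: every record ``query_threatcrowd``
        produced, plus an ``{"invalid": ioc}`` entry for each input that is
        not an IPv4 address, domain, e-mail address, MD5 or SHA-256.
    """
    if results is not None:
        provided_iocs = [y for x in results for y in x.values()]
    else:
        provided_iocs = sys.argv[1:]

    # IOCs are lower-cased first, so the hash patterns only need a-f.
    md5_re = re.compile(r"^[a-f\d]{32}$")
    sha256_re = re.compile(r"^[a-f\d]{64}$")

    session = commons.create_session()
    splunk_table = []
    try:
        for provided_ioc in set(provided_iocs):
            # Presumably undoes defanging (hxxp, [.]) -- see commons.
            provided_ioc = commons.deobfuscate_string(provided_ioc).lower()

            # Map the IOC onto the ThreatCrowd resource type.
            if validators.ipv4(provided_ioc):
                ioc_type = "ip"
            elif validators.domain(provided_ioc):
                ioc_type = "domain"
            elif validators.email(provided_ioc):
                ioc_type = "email"
            elif md5_re.match(provided_ioc) or sha256_re.match(provided_ioc):
                ioc_type = "resource"
            else:
                splunk_table.append({"invalid": provided_ioc})
                continue

            splunk_table.extend(query_threatcrowd(provided_ioc, ioc_type, session))
            # Pause between lookups when several IOCs were given -- presumably
            # to stay within the service's rate limit. Note this also sleeps
            # after the last IOC (unchanged from the original).
            if len(provided_iocs) > 1:
                sleep(10)
    finally:
        # Close the session even if a lookup raises.
        session.close()
    return splunk_table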
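def process_iocs(results):
    """Return data formatted for Splunk from Cymon.

    Args:
        results: Rows handed in by the calling search (each a mapping whose
            values are the IOCs to look up), or ``None`` to read the IOCs
            from ``sys.argv[1:]``.

    Returns:
        A list of dicts for Splunk (keys lower-cased by
        ``commons.lower_keys``): every record ``query_cymon`` produced,
        the error dict itself when ``query_cymon`` returns a dict instead
        of a list, and an ``{"invalid": ioc}`` entry for each input that
        is not an IPv4 address, domain, MD5 or SHA-256.
    """
    if results is not None:
        provided_iocs = [y for x in results for y in x.values()]
    else:
        provided_iocs = sys.argv[1:]

    session = commons.create_session()
    splunk_table = []
    try:
        # Deduplicate like the sibling modules do (the original queried
        # repeated IOCs once per occurrence); dict.fromkeys keeps input order.
        for provided_ioc in dict.fromkeys(provided_iocs):
            # Presumably undoes defanging (hxxp, [.]) -- see commons.
            provided_ioc = commons.deobfuscate_string(provided_ioc)

            # Map the IOC onto the Cymon lookup type.
            if validators.ipv4(provided_ioc):
                ioc_type = "ip"
            elif validators.domain(provided_ioc):
                ioc_type = "domain"
            elif validators.md5(provided_ioc):
                ioc_type = "md5"
            elif validators.sha256(provided_ioc):
                ioc_type = "sha256"
            else:
                splunk_table.append({"invalid": provided_ioc})
                continue

            ioc_dicts = query_cymon(ioc_type, session, provided_ioc)
            # A bare dict signals an error for this IOC; pass it through.
            if isinstance(ioc_dicts, dict):
                splunk_table.append(ioc_dicts)
                continue
            for ioc_dict in ioc_dicts:
                splunk_table.append(commons.lower_keys(ioc_dict))
    finally:
        # Close the session even if a lookup raises.
        session.close()
    return splunk_table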
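def process_iocs(results):
    """Return data formatted for Splunk from CyberCrime Tracker.

    Args:
        results: Rows handed in by the calling search (each a mapping whose
            values are the IOCs to look up), or ``None`` to read the IOCs
            from ``sys.argv[1:]``.

    Returns:
        A list of dicts for Splunk: every record ``query_cct`` produced,
        plus an ``{"invalid": ioc}`` entry for each input that is neither
        a domain nor an IPv4 address.
    """
    if results is not None:
        provided_iocs = [y for x in results for y in x.values()]
    else:
        provided_iocs = sys.argv[1:]

    session = commons.create_session()
    splunk_table = []
    try:
        for provided_ioc in set(provided_iocs):
            # Presumably undoes defanging (hxxp, [.]) -- see commons.
            provided_ioc = commons.deobfuscate_string(provided_ioc)
            # Only syntactically valid hosts are sent out to the network.
            if not (validators.domain(provided_ioc) or validators.ipv4(provided_ioc)):
                splunk_table.append({"invalid": provided_ioc})
                continue
            splunk_table.extend(query_cct(provided_ioc, session))
    finally:
        # Close the session even if a lookup raises.
        session.close()
    return splunk_table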