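 def run_knownbad(self):
     """Run the known-bad host module and emit one CEF syslog event per host.

     Progress is published in ``job_stats['knownbad']`` under the keys
     ``status``, ``started``, ``message``, ``events`` and ``ended``. One dict is
     created at launch and then updated in place, so fields written earlier
     (``started``, ``events``) survive later progress updates and the event
     counter can be incremented safely.

     Side effects: sets ``self.host``, ``self.source`` and ``self.cef`` for the
     last host processed, and sends syslog via ``reactor.send_syslog``.
     """
     stats = job_stats['knownbad'] = {
         'status': 'running',
         'started': str(datetime.now()).split('.')[0],
         'message': 'loading sources',
         'events': 0
     }
     if not knownbad.load_sources():
         # Error path only when sources could not be loaded; it must not
         # overwrite the result of a successful run.
         stats['status'] = 'finished'
         stats['message'] = 'finished with errors'
         stats['ended'] = str(datetime.now()).split('.')[0]
         return
     for src in knownbad.sources:
         stats['message'] = 'gathering data from sources'
         self.host, self.source = knownbad.gather_data(src)
         if self.host == "":
             continue
         stats['message'] = 'sending syslog events'
         # NOTE(review): host and source come back from a remote feed and are
         # placed in the CEF extension unescaped ('\\', '=' and line breaks
         # are special there) — a malformed entry can corrupt the log record.
         self.cef = 'CEF:0|OSINT|ArcReactor|1.0|100|Known Malicious Host|1|src=%s msg=%s' % (
             self.host, self.source)
         reactor.send_syslog(self.cef)
         stats['events'] += 1
     stats['status'] = 'finished'
     stats['message'] = 'finished successfully'
     stats['ended'] = str(datetime.now()).split('.')[0]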
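 def run_knownbad(self):
     """Run the known-bad host module and emit one CEF syslog event per host.

     Progress is published in ``job_stats['knownbad']`` under the keys
     ``status``, ``started``, ``message``, ``events`` and ``ended``. One dict is
     created at launch and then updated in place, so fields written earlier
     (``started``, ``events``) survive later progress updates and the event
     counter can be incremented safely.

     Side effects: sets ``self.host``, ``self.source`` and ``self.cef`` for the
     last host processed, and sends syslog via ``reactor.send_syslog``.
     """
     stats = job_stats['knownbad'] = {
         'status': 'running',
         'started': str(datetime.now()).split('.')[0],
         'message': 'loading sources',
         'events': 0
     }
     if not knownbad.load_sources():
         # Error path only when sources could not be loaded; it must not
         # overwrite the result of a successful run.
         stats['status'] = 'finished'
         stats['message'] = 'finished with errors'
         stats['ended'] = str(datetime.now()).split('.')[0]
         return
     for src in knownbad.sources:
         stats['message'] = 'gathering data from sources'
         self.host, self.source = knownbad.gather_data(src)
         if self.host == "":
             continue
         stats['message'] = 'sending syslog events'
         # NOTE(review): host and source come back from a remote feed and are
         # placed in the CEF extension unescaped ('\\', '=' and line breaks
         # are special there) — a malformed entry can corrupt the log record.
         self.cef = 'CEF:0|OSINT|ArcReactor|1.0|100|Known Malicious Host|1|src=%s msg=%s' % (
             self.host, self.source)
         reactor.send_syslog(self.cef)
         stats['events'] += 1
     stats['status'] = 'finished'
     stats['message'] = 'finished successfully'
     stats['ended'] = str(datetime.now()).split('.')[0]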
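def _cef_header(value):
    """Escape *value* for a CEF header field, where backslash and '|' are special."""
    return str(value).replace('\\', '\\\\').replace('|', '\\|')


def _cef_extension(value):
    """Escape *value* for a CEF extension value, where backslash, '=' and line breaks are special."""
    return (str(value).replace('\\', '\\\\').replace('=', '\\=')
            .replace('\r', '\\r').replace('\n', '\\n'))


def gather_data():
    """Fetch the AlienVault OTX reputation feed and send one CEF event per entry.

    Each non-comment line of the feed has the form ``<addr>#<info>``; ``info``
    becomes the CEF event name and ``addr`` the ``src`` extension. The feed is
    fetched from a remote host, so both values are CEF-escaped before they are
    interpolated into the syslog message.

    Returns:
        True when the feed was retrieved and parsed (the event count may be 0),
        False when the request failed, returned nothing, or parsing raised.
    """
    url = 'http://reputation.alienvault.com/reputation.snort'
    # Initialised here: the original never bound ``count`` and the first
    # matching line raised UnboundLocalError, which the bare except reported
    # as a download failure.
    count = 0
    try:
        data = reactor.http_request(url)
    except Exception:
        reactor.status('warn', 'OTX', 'failed to retrieve OTX database')
        return False
    if data is None:
        reactor.status('warn', 'OTX', 'failed to retrieve OTX database')
        return False
    reactor.status('info', 'OTX', 'attempting to parse reputation data')
    try:
        for raw in data.split('\n'):
            line = raw.strip()
            # Skip blank lines and '#' comments; the original test used 'or',
            # which let comment lines through.
            if not line or line.startswith('#'):
                continue
            addr, sep, info = line.partition('#')
            if not sep:
                continue  # malformed entry without an info field
            addr = addr.strip()
            info = info.strip()
            cef = 'CEF:0|OSINT|ArcReactor|1.0|100|%s|1|src=%s msg=%s' % (
                _cef_header(info), _cef_extension(addr), _cef_extension(url))
            reactor.status('info', 'OTX', 'sending CEF syslog for %s - %s' % (info, addr))
            reactor.send_syslog(cef)
            count += 1
    except Exception:
        # Best-effort like the original, but narrowed from a bare except and
        # with a message that distinguishes processing from download failure.
        reactor.status('warn', 'OTX', 'failed to process OTX database')
        return False
    reactor.status('info', 'OTX', 'sent %d total events' % count)
    return True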
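 def run_pastebin(self):
     """Run the pastebin watchlist module and emit one CEF event per matching post.

     Progress is published in ``job_stats['pastebin']`` under the keys
     ``status``, ``started``, ``message``, ``events`` and ``ended``. One dict is
     created at launch and then updated in place, so the ``status`` and
     ``started`` fields written at launch are not lost by later updates.

     Side effects: sets ``self.post_id``, ``self.data`` and ``self.cef`` for
     the last post processed, and sends syslog via ``reactor.send_syslog``.
     """
     stats = job_stats['pastebin'] = {
         'status': 'running',
         'started': str(datetime.now()).split('.')[0],
         'message': 'loading keywords',
         'events': 0
     }
     reactor.status('info', 'pastebin', 'launching pastebin module')
     if not pastebin.load_words():
         # Error path only when the keyword list could not be loaded; it must
         # not overwrite the result of a successful run.
         stats['status'] = 'finished'
         stats['message'] = 'finished with errors'
         stats['ended'] = str(datetime.now()).split('.')[0]
         return
     stats['message'] = 'collecting post archive'
     pastebin.gather_archive()
     for post in pastebin.queue:
         stats['message'] = 'searching post %s' % post
         # the search_raw function is called from within gather_content
         pastebin.gather_content(post)
     stats['events'] = len(pastebin.found)
     # .items() works on both Python 2 and 3; .iteritems() is Python 2 only.
     for post_id, data in pastebin.found.items():
         self.post_id, self.data = post_id, data
         stats['message'] = 'sending syslog events'
         # NOTE(review): the matched paste content goes into the CEF msg=
         # field unescaped ('\\', '=' and line breaks are special there), so
         # a paste can corrupt or split the log record.
         self.cef = 'CEF:0|OSINT|ArcReactor|1.0|100|Watchlist Keyword Found|1|src=%s msg=%s' % (
             self.post_id, self.data)
         reactor.send_syslog(self.cef)
     stats['status'] = 'finished'
     stats['message'] = 'finished successfully'
     stats['ended'] = str(datetime.now()).split('.')[0]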
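 def run_pastebin(self):
     """Run the pastebin watchlist module and emit one CEF event per matching post.

     Progress is published in ``job_stats['pastebin']`` under the keys
     ``status``, ``started``, ``message``, ``events`` and ``ended``. One dict is
     created at launch and then updated in place, so the ``status`` and
     ``started`` fields written at launch are not lost by later updates.

     Side effects: sets ``self.post_id``, ``self.data`` and ``self.cef`` for
     the last post processed, and sends syslog via ``reactor.send_syslog``.
     """
     stats = job_stats['pastebin'] = {
         'status': 'running',
         'started': str(datetime.now()).split('.')[0],
         'message': 'loading keywords',
         'events': 0
     }
     reactor.status('info', 'pastebin', 'launching pastebin module')
     if not pastebin.load_words():
         # Error path only when the keyword list could not be loaded; it must
         # not overwrite the result of a successful run.
         stats['status'] = 'finished'
         stats['message'] = 'finished with errors'
         stats['ended'] = str(datetime.now()).split('.')[0]
         return
     stats['message'] = 'collecting post archive'
     pastebin.gather_archive()
     for post in pastebin.queue:
         stats['message'] = 'searching post %s' % post
         # the search_raw function is called from within gather_content
         pastebin.gather_content(post)
     stats['events'] = len(pastebin.found)
     # .items() works on both Python 2 and 3; .iteritems() is Python 2 only.
     for post_id, data in pastebin.found.items():
         self.post_id, self.data = post_id, data
         stats['message'] = 'sending syslog events'
         # NOTE(review): the matched paste content goes into the CEF msg=
         # field unescaped ('\\', '=' and line breaks are special there), so
         # a paste can corrupt or split the log record.
         self.cef = 'CEF:0|OSINT|ArcReactor|1.0|100|Watchlist Keyword Found|1|src=%s msg=%s' % (
             self.post_id, self.data)
         reactor.send_syslog(self.cef)
     stats['status'] = 'finished'
     stats['message'] = 'finished successfully'
     stats['ended'] = str(datetime.now()).split('.')[0]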