def run(self): try: # Main loop function # First load the malicious ips from the file to the DB self.__load_malicious_ips() while True: message = self.c1.get_message(timeout=self.timeout) # Check that the message is for you. if message['channel'] == 'new_ip': new_ip = message['data'] # Get what we know about this IP so far ip_description = __database__.search_IP_in_IoC(new_ip) if ip_description: self.print( '\tIs in our DB as malicious. Description {}'. format(ip_description)) # Mark this IP as being malicious in the DB ip_data = {} ip_data['Malicious'] = ip_description __database__.setInfoForIPs(new_ip, ip_data) except KeyboardInterrupt: return True except Exception as inst: self.print('Problem on the run()', 0, 1) self.print(str(type(inst)), 0, 1) self.print(str(inst.args), 0, 1) self.print(str(inst), 0, 1) self.print(traceback.format_exc()) return True
def set_maliciousIP_to_IPInfo(self, ip, ip_description): ''' Set malicious IP in IPsInfo. ''' ip_data = {} # Maybe we should change the key to 'status' or something like that. ip_data['threatintelligence'] = ip_description __database__.setInfoForIPs( ip, ip_data) # Set in the IP info that IP is blacklisted
def run(self): try: # Main loop function # First load the malicious ips from the file to the DB self.__load_malicious_ips() while True: message = self.c1.get_message(timeout=self.timeout) # if timewindows are not updated for a long time (see at logsProcess.py), we will stop slips automatically.The 'stop_process' line is sent from logsProcess.py. if message['data'] == 'stop_process': return True # Check that the message is for you. elif message['channel'] == 'ip_Threat_Intelligence': data = message['data'] try: data = data.split('-') thIn_signal = int(data[0]) new_ip = data[1] profileid = data[2] twid = data[3] if not thIn_signal: ip_description = __database__.search_IP_in_IoC( new_ip) if ip_description: ip_data = {} ip_data['Malicious'] = ip_description __database__.setInfoForIPs(new_ip, ip_data) self.print( '\tIs in our DB as malicious. Description {}' .format(ip_description)) self.add_maliciousIP(new_ip, profileid, twid) self.set_evidence(new_ip, ip_description, profileid, twid) else: ip_data = {} ip_data['Malicious'] = "Not Malicious" __database__.setInfoForIPs(new_ip, ip_data) else: ip_description = __database__.getIPData( new_ip)['Malicious'] self.add_maliciousIP(new_ip, profileid, twid) self.set_evidence(new_ip, ip_description, profileid, twid) except KeyError and AttributeError: self.print('There is no such a key', data) except KeyboardInterrupt: return True except Exception as inst: self.print('Problem on the run()', 0, 1) self.print(str(type(inst)), 0, 1) self.print(str(inst.args), 0, 1) self.print(str(inst), 0, 1) self.print(traceback.format_exc()) return True
def set_TI_IP_detection(self, ip, ip_description, profileid, twid): ''' Funciton to set malicious IPs in IPsInfo and other db keys. :ip: detected IP :ip_description: source file of detected IP :profileid: profile where IP was detected :twid: timewindow where IP was detected ''' ip_data = {} # Maybe we should change the key to 'status' or something like that. ip_data['threatintelligence'] = ip_description self.add_maliciousIP(ip, profileid, twid) __database__.setInfoForIPs(ip, ip_data) # Set in the IP info that IP is blacklisted
def run(self): try: # Main loop function while True: message = self.c1.get_message(timeout=self.timeout) # if timewindows are not updated for a long time, Slips is stopped automatically. if message['data'] == 'stop_process': return True elif message['channel'] == 'new_ip': ip = message['data'] # The first message comes with data=1 if type(ip) == str: data = __database__.getIPData(ip) ip_addr = ipaddress.ip_address(ip) # Check that there is data in the DB, and that the data is not empty, and that our key is not there yet if (not data or 'geocountry' not in data) and not ip_addr.is_multicast: geoinfo = self.reader.get(ip) if geoinfo: try: countrydata = geoinfo['country'] countryname = countrydata['names']['en'] data = {} data['geocountry'] = countryname except KeyError: data = {} data['geocountry'] = 'Unknown' elif ipaddress.ip_address(ip).is_private: # Try to find if it is a local/private IP data = {} data['geocountry'] = 'Private' else: data = {} data['geocountry'] = 'Unknown' __database__.setInfoForIPs(ip, data) except KeyboardInterrupt: if self.reader: self.reader.close() return True except Exception as inst: if self.reader: self.reader.close() self.print('Problem on the run()', 0, 1) self.print(str(type(inst)), 0, 1) self.print(str(inst.args), 0, 1) self.print(str(inst), 0, 1) return True
def run(self): try: # Main loop function while True: message = self.c1.get_message(timeout=self.timeout) # if timewindows are not updated for a long time (see at logsProcess.py), we will stop slips automatically.The 'stop_process' line is sent from logsProcess.py. if message['data'] == 'stop_process': return True elif message['channel'] == 'new_ip': # Not all the ips!! only the new one coming in the data ip = message['data'] # The first message comes with data=1 if type(ip) == str: data = __database__.getIPData(ip) # If we alredy have the country for this ip, do not ask the file if 'geocountry' not in data: geoinfo = self.reader.get(ip) if geoinfo: try: countrydata = geoinfo['country'] countryname = countrydata['names']['en'] data = {} data['geocountry'] = countryname except KeyError: data = {} data['geocountry'] = 'Unknown' elif ipaddress.ip_address(ip).is_private: # Try to find if it is a local/private IP data = {} data['geocountry'] = 'Private' else: data = {} data['geocountry'] = 'Unknown' __database__.setInfoForIPs(ip, data) except KeyboardInterrupt: if self.reader: self.reader.close() return True except Exception as inst: if self.reader: self.reader.close() self.print('Problem on the run()', 0, 1) self.print(str(type(inst)), 0, 1) self.print(str(inst.args), 0, 1) self.print(str(inst), 0, 1) return True
def run(self): try: # Main loop function while True: message = self.c1.get_message(timeout=self.timeout) # if timewindows are not updated for a long time (see at logsProcess.py), we will stop slips automatically.The 'stop_process' line is sent from logsProcess.py. if message['data'] == 'stop_process': return True elif message['channel'] == 'new_ip': # Not all the ips!! only the new one coming in the data ip = message['data'] # The first message comes with data=1 if type(ip) == str: data = __database__.getIPData(ip) ip_addr = ipaddress.ip_address(ip) # If we alredy have the country for this ip, do not ask the file # Check that there is data in the DB, and that the data is not empty, and that our key is not there yet if ( data or data == {} ) and 'asn' not in data and not ip_addr.is_multicast: asninfo = self.reader.get(ip) if asninfo: try: asnorg = asninfo[ 'autonomous_system_organization'] data = {} data['asn'] = asnorg except KeyError: data = {} data['asn'] = 'Unknown' else: data = {} data['asn'] = 'Unknown' __database__.setInfoForIPs(ip, data) except KeyboardInterrupt: if self.reader: self.reader.close() return True except Exception as inst: if self.reader: self.reader.close() self.print('Problem on run()', 0, 1) self.print(str(type(inst)), 0, 1) self.print(str(inst.args), 0, 1) self.print(str(inst), 0, 1) return True
def run(self): try: # Main loop function while True: message = self.c1.get_message(timeout=self.timeout) if message['channel'] == 'new_ip': # Not all the ips!! only the new one coming in the data ip = message['data'] # The first message comes with data=1 if type(ip) == str: data = __database__.getIPData(ip) # If we alredy have the country for this ip, do not ask the file if 'asn' not in data: asninfo = self.reader.get(ip) if asninfo: try: asnorg = asninfo[ 'autonomous_system_organization'] data = {} data['asn'] = asnorg except KeyError: data = {} data['asn'] = 'Unknown' else: data = {} data['asn'] = 'Unknown' __database__.setInfoForIPs(ip, data) except KeyboardInterrupt: if self.reader: self.reader.close() return True except Exception as inst: if self.reader: self.reader.close() self.print('Problem on run()', 0, 1) self.print(str(type(inst)), 0, 1) self.print(str(inst.args), 0, 1) self.print(str(inst), 0, 1) return True
def set_vt_data_in_IPInfo(self, ip, cached_data): """ Function to set VirusTotal data of the IP in the IPInfo. It also sets asn data if it is unknown or does not exist. It also set passive dns retrieved from VirusTotal. """ vt_scores, passive_dns, as_owner = self.get_ip_vt_data(ip) vtdata = { "URL": vt_scores[0], "down_file": vt_scores[1], "ref_file": vt_scores[2], "com_file": vt_scores[3], "timestamp": time.time() } data = {} data["VirusTotal"] = vtdata # Add asn if it is unknown or not in the IP info if cached_data and ('asn' not in cached_data or cached_data['asn'] == 'Unknown'): data['asn'] = as_owner __database__.setInfoForIPs(ip, data) __database__.set_passive_dns(ip, passive_dns)
def run(self): if self.key is None: # We don't have a virustotal key return try: # Main loop function while True: message_c1 = self.c1.get_message(timeout=self.timeout) message_c2 = self.c2.get_message(timeout=self.timeout) # if timewindows are not updated for a long time we will stop slips automatically. if message_c1['data'] == 'stop_process' or message_c2['data'] == 'stop_process' : return True if message_c1['channel'] == 'new_flow' and message_c1["type"] == "message": data = message_c1["data"] if type(data) == str: data = json.loads(data) profileid = data['profileid'] twid = data['twid'] stime = data['stime'] flow = json.loads(data['flow']) # this is a dict {'uid':json flow data} # there is only one pair key-value in the dictionary for key, value in flow.items(): uid = key flow_data = json.loads(value) ip = flow_data['daddr'] #ip = data_flow_dict['saddr'] # The first message comes with data=1 data = __database__.getIPData(ip) # If we already have the VT for this ip, do not ask VT # Check that there is data in the DB, and that the data is not empty, and that our key is not there yet if (data or data == {}) and 'VirusTotal' not in data: vt_scores, passive_dns, as_owner = self.get_ip_vt_data(ip) vtdata = {"URL": vt_scores[0], "down_file": vt_scores[1], "ref_file": vt_scores[2], "com_file": vt_scores[3], "timestamp": time.time()} data = {} data["VirusTotal"] = vtdata # Add asn if it is unknown or not in the IP info if 'asn' not in data or data['asn'] == 'Unknown': data['asn'] = as_owner __database__.setInfoForIPs(ip, data) __database__.set_passive_dns(ip, passive_dns) elif data and 'VirusTotal' in data: # If VT is in data, check timestamp. Take time difference, if not valid, update vt scores. if (time.time() - data["VirusTotal"]['timestamp']) > self.update_period: vt_scores, passive_dns, _ = self.get_ip_vt_data(ip) vtdata = {"URL": vt_scores[0], "down_file": vt_scores[1], "ref_file": vt_scores[2], "com_file": vt_scores[3], "timestamp": time.time()} data = {} data["VirusTotal"] = vtdata __database__.setInfoForIPs(ip, data) __database__.set_passive_dns(ip, passive_dns) if message_c2['channel'] == 'new_dns_flow' and message_c2["type"] == "message": data = message_c2["data"] # The first message comes with data=1 if type(data) == str: data = json.loads(data) profileid = data['profileid'] twid = data['twid'] flow_data = json.loads(data['flow']) # this is a dict {'uid':json flow data} domain = flow_data['query'] data = __database__.getDomainData(domain) # If we already have the VT for this ip, do not ask VT # Check that there is data in the DB, and that the data is not empty, and that our key is not there yet if (data or data == {}) and 'VirusTotal' not in data: vt_scores, as_owner = self.get_domain_vt_data(domain) vtdata = {"URL": vt_scores[0], "down_file": vt_scores[1], "ref_file": vt_scores[2], "com_file": vt_scores[3], "timestamp": time.time()} data = {} data["VirusTotal"] = vtdata # Add asn if it is unknown or not in the IP info if 'asn' not in data or data['asn'] == 'Unknown': data['asn'] = as_owner __database__.setInfoForDomains(domain, data) elif data and 'VirusTotal' in data: # If VT is in data, check timestamp. Take time difference, if not valid, update vt scores. if (time.time() - data["VirusTotal"]['timestamp']) > self.update_period: vt_scores, _ = self.get_domain_vt_data(domain) vtdata = {"URL": vt_scores[0], "down_file": vt_scores[1], "ref_file": vt_scores[2], "com_file": vt_scores[3], "timestamp": time.time()} data = {} data["VirusTotal"] = vtdata __database__.setInfoForDomains(domain, data) except KeyboardInterrupt: return True except Exception as inst: self.print('Problem on the run()', 0, 1) self.print(str(type(inst)), 0, 1) self.print(str(inst.args), 0, 1) self.print(str(inst), 0, 1) return True