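# CEF templates kept byte-identical to the original event formats; only the
# field values are substituted.
_CEF_VT_C2 = ('CEF:0|VirusTotal + Malc0de|VirusTotal|1.0|C2|VirusTotal C2|1|'
              'end=%s request=%s src=%s dst=%s shost=%s cs1=%s cs2=%s '
              'cs3=%s fsize=%s fileId=%s fileType=%s cs4=%s '
              'requestClientApplication=%s')
_CEF_VT_EXPLOIT = ('CEF:0|VirusTotal + Malc0de|VirusTotal|1.0|Exploit|VirusTotal '
                   'Exploit|1| end=%s '
                   'request=%s src=%s shost=%s cs1=%s cs2=%s cs3=%s fsize=%s fileId=%s '
                   'fileType=%s cs4=%s requestClientApplication=%s')


def _emit_vt_events(sock, items, data, timeout):
    """Fetch a VirusTotal report page and emit one CEF event per report row.

    Args:
        sock: open syslog TCP socket (from ``syslog_tcp_open``).
        items: one feed entry from ``getMalValues``; the keys ``RequestURL``,
            ``IPAddress`` and ``ASN`` are read here.
        data: the decoded ``/file/report`` JSON; ``permalink`` and
            ``positives`` are read here.
        timeout: seconds passed to ``requests.get`` for the page fetch.

    Side effects: one network GET plus syslog writes. Nothing is returned.
    """
    r = requests.get(data["permalink"], timeout=timeout)
    if r.status_code != 200:
        return
    # NOTE(review): no parser is named, so BeautifulSoup picks whichever is
    # installed; results may differ between environments.
    soup = BeautifulSoup(r.text)
    for row in soup.findAll("div", {"class": "row"}):
        cells = row.findAll("td", {})
        rendered = ["".join(x.renderContents().strip(':')) for x in cells]
        # Cells alternate label/value, so even indices are keys and odd are values.
        element_dict = dict(zip(rendered[0::2], rendered[1::2]))
        analysis_date = element_dict['Analysis date'].strip()[0:19]
        request_url = items['RequestURL'].strip()
        ip_address = items['IPAddress'].strip()
        asn = "ASN" + str(items['ASN']).strip()
        sha256_hash = element_dict['SHA256'].strip()
        sha1_hash = element_dict['SHA1'].strip()
        md5_hash = element_dict['MD5'].strip()
        file_size = convertToBytes(element_dict['File size'][0:9].strip(' ').strip('('))
        file_name = str(element_dict['File name'].strip())
        file_type = element_dict['File type'].strip()
        # ``positives`` is a detection count, not a percentage; the '%' suffix
        # is kept so the cs4 field format does not change for consumers.
        av_rate = str(data["positives"]).strip() + '%'
        vt_link = str(data["permalink"].strip())
        # NOTE(review): values scraped from the report page and the feed are
        # placed in CEF extension fields without escaping '=' or '\'.
        for c2_item in cull_c2(str(vt_link)):
            if c2_item is None:
                continue
            cef_vt_c2_ip = _CEF_VT_C2 % (analysis_date, request_url, ip_address, c2_item, asn,
                                         sha256_hash, sha1_hash, md5_hash, file_size, file_name,
                                         file_type, av_rate, vt_link)
            syslog_tcp(sock, "%s" % cef_vt_c2_ip, priority=0, facility=7)

        cef_vt = _CEF_VT_EXPLOIT % (analysis_date, request_url, ip_address, asn, sha256_hash,
                                    sha1_hash, md5_hash, file_size, file_name, file_type,
                                    av_rate, vt_link)
        syslog_tcp(sock, "%s" % cef_vt, priority=0, facility=7)


def virusTotalTest(rss_feed, *, api_key=None, timeout=30):
    """Utilize VirusTotal Public API.

    For every entry of ``getMalValues(rss_feed)`` the entry's MD5 is looked up
    through the ``/vtapi/v2/file/report`` endpoint; reports that exist
    (``response_code == 1``) with at most 15 positives are followed to their
    permalink and turned into CEF events on the local syslog collector.

    Args:
        rss_feed: passed straight through to ``getMalValues``.
        api_key: VirusTotal API key. When omitted it is read from the
            ``VT_API_KEY`` environment variable. The key is deliberately no
            longer embedded in the source.
        timeout: seconds passed to every ``requests.get``.

    Raises:
        ValueError: if no API key is available from either source.

    The syslog socket is always closed, even if a lookup raises.
    """
    import os

    key = api_key if api_key is not None else os.environ.get("VT_API_KEY")
    if not key:
        raise ValueError("VirusTotal API key missing: pass api_key= or set VT_API_KEY")

    report_url = "https://www.virustotal.com/vtapi/v2/file/report"
    sock = syslog_tcp_open('127.0.0.1', port=1026)
    try:
        for items in getMalValues(rss_feed):
            parameters = {"resource": items['MD5'], "apikey": key}
            r1 = requests.get(report_url, params=parameters, timeout=timeout)
            data = r1.json()
            # The 15-positives ceiling is inherited from the original; its
            # rationale is not recorded.
            if data is not None and data["response_code"] == 1 and data["positives"] <= 15:
                _emit_vt_events(sock, items, data, timeout)
            # One lookup per 16 s; presumably paces the public-API quota — confirm.
            time.sleep(16)
    finally:
        syslog_tcp_close(sock)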
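def cef_escape(value):
    """Return *value* as text safe to place in a CEF extension field.

    In the CEF extension, a backslash and '=' (the key/value separator) must
    be escaped, and line breaks are written as the two-character sequences
    ``\\n`` / ``\\r``. Without this, a tweet containing ``=`` or a newline
    could inject or terminate fields in the emitted record.
    """
    text = value if isinstance(value, str) else str(value)
    return (text.replace('\\', '\\\\')
                .replace('=', '\\=')
                .replace('\r', '\\r')
                .replace('\n', '\\n'))


def main():
    """Forward a Twitter stream for a fixed watch list as CEF events over syslog.

    Each item yielded by ``twitterStream(follow_ids)`` becomes one event sent
    to the local collector on 127.0.0.1:1026. All tweet-derived values are
    passed through ``cef_escape`` before being interpolated.
    """
    # Twitter user ids on the watch list; values as in the original script.
    follow_ids = [365235743, 739250522, 358381825, 336683669, 16589206]
    sock = syslog_tcp_open('127.0.0.1', port=1026)
    try:
        for item in twitterStream(follow_ids):
            # CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
            fields = (item['Ctime'], item['Platform'], str(item['TwitterID']),
                      item['ScreenName'], item['ProperName'], str(item['ReplyToID']),
                      item['ReplyToScreenName'], item['SourceLang'], item['Tweet'])
            cef = ('CEF:0|Twitter RealTime Stream|Twitter|1.0|Twitter ID|WatchList|1| end=%s requestClientApplication=%s'
                   ' suid=%s suser=%s spriv=%s duid=%s duser=%s dpriv=%s msg=%s'
                   % tuple(cef_escape(v) for v in fields))
            syslog_tcp(sock, "%s" % cef, priority=0, facility=7)
        # Kept where the original had it: after the loop, not per item — confirm intent.
        time.sleep(0.01)
    finally:
        # Always release the collector socket, even if the stream raises.
        syslog_tcp_close(sock)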
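def parse_tor_router_line(line):
    """Return the router address from a network-status ``r`` line, else None.

    An ``r`` line has the shape ``r nickname identity digest date time IP
    ORPort DirPort``; after dropping the ``r`` keyword the address is the
    sixth token (index 5), which is the index the original code used.
    Lines with another keyword, or too few tokens, yield None instead of
    raising.
    """
    # 'r ' rather than 'r': any other keyword starting with r would otherwise
    # be sliced as a router line and raise IndexError.
    if not line.startswith('r '):
        return None
    fields = line.split()[1:]
    if len(fields) <= 5:
        return None
    return fields[5]


def tor_routerNodes():
    """Cull Tor Router Nodes.

    Downloads the status document with ``cull_urlData`` into
    ``tor_router_nodes.txt`` and emits one CEF event per ``r`` line with the
    router address in ``src``. The document is fetched over plain HTTP and
    nothing here verifies its signature, so the emitted addresses are only as
    trustworthy as that transport.

    Malformed lines are skipped; the file and the syslog socket are always
    closed. Returns None.
    """
    SEARCH_BASE = "http://128.31.0.34:9031/tor/status/all"
    file_name = "tor_router_nodes.txt"
    cull_urlData(SEARCH_BASE, file_name)
    sock = syslog_tcp_open('127.0.0.1', port=1026)
    try:
        with open(file_name, 'rt') as open_file:
            for line in open_file:
                src = parse_tor_router_line(line)
                if src is None:
                    continue
                cef_router_node = ('CEF:0|Tor Router Node|Tor Router|1.0|Router Node|Tor Router Node|1| src=%s'
                                   % src)
                syslog_tcp(sock, "%s" % cef_router_node, priority=0, facility=7)
    finally:
        syslog_tcp_close(sock)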
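def parse_tor_exit_line(line):
    """Return the address from an ``ExitAddress`` line, else None.

    The exit list lines read here look like ``ExitAddress IP date time``; the
    address is the first token after the keyword, which is the index the
    original code used. Other lines, or a line with no token after the
    keyword, yield None instead of raising.
    """
    if not line.startswith('ExitAddress'):
        return None
    fields = line.split()[1:]
    if not fields:
        return None
    return fields[0]


def tor_exitNodes():
    """Cull Tor Exit Nodes.

    Fetches each exit-list URL with ``cull_urlData`` into
    ``tor_exit_nodes.txt`` (the second fetch overwrites the first) and emits
    one CEF event per ``ExitAddress`` line with the address in ``src``.
    The lists are fetched over plain HTTP; nothing here authenticates them.

    A malformed line is skipped rather than aborting the whole run, and the
    file and the syslog socket are always closed. Returns None.
    """
    url_list = ["http://exitlist.torproject.org/exit-addresses", "http://exitlist.torproject.org/exit-addresses.new"]
    file_name = "tor_exit_nodes.txt"
    sock = syslog_tcp_open('127.0.0.1', port=1026)
    try:
        for url_element in url_list:
            cull_urlData(url_element, file_name)
            with open(file_name, 'rt') as open_file:
                for line in open_file:
                    src = parse_tor_exit_line(line)
                    if src is None:
                        continue
                    cef_exit_node = ('CEF:0|Tor Exit Node|Tor Exit|1.0|Exit Node|Tor Exit Node|1| src=%s'
                                     % src)
                    syslog_tcp(sock, "%s" % cef_exit_node, priority=0, facility=7)
    finally:
        syslog_tcp_close(sock)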