 def test_matching(self):
     """Check is_mac()/is_ip() against representative accepted and rejected inputs."""
     mac_cases = [
         ("00:C0:B7:7E:55:50", True),
         ("00:c0:b7:7E:55:50", True),   # mixed case is still a MAC
         ("00.D0.B7.7E.55.50", False),  # dot-separated form is not accepted
         ("testsystem0", False),
     ]
     ip_cases = [
         ("127.0.0.1", True),
         ("192.168.1.1", True),
         ("00:C0:B7:7E:55:50", False),  # a MAC address is not an IP
         ("testsystem0", False),
     ]
     # bool() keeps the truthiness semantics of assertTrue/assertFalse.
     for value, expected in mac_cases:
         self.assertEqual(bool(utils.is_mac(value)), expected)
     for value, expected in ip_cases:
         self.assertEqual(bool(utils.is_ip(value)), expected)
 def get_real_domain(self, domain_prefix, suffix=""):
     """Build the URL for *domain_prefix*, routed through the web VPN when the config asks for it.

     Behind the VPN (``self.config.need_vpn``) the host is
     ``<prefix>.webvpn.buu.edu.cn`` over https, with the dots of an IP literal
     rewritten as dashes so it fits into a hostname label.  Otherwise an IP
     literal is used as the host directly and any other prefix becomes
     ``<prefix>.buu.edu.cn`` over http.  *suffix* is appended verbatim.

     NOTE(review): in the non-IP branches domain_prefix is concatenated without
     validation; if it can come from untrusted input, characters such as '/'
     or '@' would change the resulting host — confirm the caller constrains it.
     """
     is_ip_literal = utils.is_ip(domain_prefix)
     if self.config.need_vpn:
         host = domain_prefix.replace('.', '-') if is_ip_literal else domain_prefix
         return "".join(["https://", host, ".webvpn.buu.edu.cn", suffix])
     if is_ip_literal:
         return "".join(["http://", domain_prefix, suffix])
     return "".join(["http://", domain_prefix, ".buu.edu.cn", suffix])
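 def get_real_domain_encoded(self, domain_prefix, suffix=""):
     """Return the URL for *domain_prefix*, percent-encoded with quote_plus().

     Behind the VPN (``self.config.need_vpn``) the host is
     ``<prefix>.webvpn.buu.edu.cn`` over https, with the dots of an IP literal
     rewritten as dashes; otherwise an IP literal is used as the host directly
     and any other prefix becomes ``<prefix>.buu.edu.cn`` over http.  *suffix*
     is appended verbatim before encoding.
     """
     # ``import urllib`` alone does not guarantee that the ``urllib.parse``
     # submodule is loaded (it only worked when another module had already
     # imported it), so import the submodule explicitly.
     from urllib.parse import quote_plus

     is_ip_literal = utils.is_ip(domain_prefix)
     if self.config.need_vpn:
         host = domain_prefix.replace('.', '-') if is_ip_literal else domain_prefix
         url = "https://" + host + ".webvpn.buu.edu.cn" + suffix
     elif is_ip_literal:
         url = "http://" + domain_prefix + suffix
     else:
         url = "http://" + domain_prefix + ".buu.edu.cn" + suffix
     return quote_plus(url)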
    def set_name(self, name):
        """
        Set the object name after validating it.

        A name that looks like a MAC or IP address is also copied into the
        eth0 interface's ``mac_address`` / ``ip_address`` field, but only when
        that field is still empty.  Raises CX when the object would be its
        own parent, the name is not a string, or it contains a disallowed
        character.  Returns True.
        """
        unset = ["", None]
        allowed_punct = ("_", "-", ".", ":", "+")

        if self.name not in unset and self.parent not in unset and self.name == self.parent:
            raise CX(_("self parentage is weird"))
        if not isinstance(name, basestring):
            raise CX(_("name must be a string"))
        for ch in name:
            if ch.isalnum() or ch in allowed_punct:
                continue
            raise CX(_("invalid characters in name: %s") % ch)

        # eth0 is still the hard-coded "first" interface here; this mirrors the
        # old default-interface behaviour (see the original note by Jasper Capel).
        interface_field = None
        if utils.is_mac(name):
            interface_field = "mac_address"
        elif utils.is_ip(name):
            interface_field = "ip_address"
        if interface_field is not None:
            eth0 = self.__get_interface("eth0")
            if eth0[interface_field] == "":
                eth0[interface_field] = name
        self.name = name

        return True
    def set_name(self, name):
        """
        Set the object name, validating it first.

        If the new name is a MAC or IP address, the matching field of the eth0
        interface is filled in when it is still empty.  Raises CX when the
        object would be its own parent, the name is not a string, or the name
        contains a disallowed character.  Returns True.
        """
        empty_values = ("", None)
        if (self.name not in empty_values
                and self.parent not in empty_values
                and self.name == self.parent):
            raise CX(_("self parentage is weird"))
        if not isinstance(name, basestring):
            raise CX(_("name must be a string"))

        # Allowed: letters, digits and a small set of punctuation.
        extra_chars = "_-.:+"
        bad_char = next((c for c in name if not (c.isalnum() or c in extra_chars)), None)
        if bad_char is not None:
            raise CX(_("invalid characters in name: %s") % bad_char)

        # eth0 is the hard-coded "first" interface (historical default
        # interface behaviour; see the original note by Jasper Capel).
        classifiers = ((utils.is_mac, "mac_address"), (utils.is_ip, "ip_address"))
        for matches, field in classifiers:
            if matches(name):
                eth0 = self.__get_interface("eth0")
                if eth0[field] == "":
                    eth0[field] = name
                break
        self.name = name

        return True
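def _escape_rule_value(value):
    """Backslash-escape the characters that end a Snort/Suricata rule string.

    Inside a ``msg`` or ``content`` value the characters ``"``, ``;`` and ``\\``
    must be escaped; left raw, a crafted indicator or family/country text can
    close the string early and append further rule options.  Constructed
    example: ``a";b`` becomes ``a\\"\\;b``.
    """
    text = str(value)
    return text.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")


def _is_dns_label(label):
    """True when *label* can be placed verbatim inside a content match.

    Empty labels are allowed: a trailing dot yields ``|00|``, the root
    terminator.  Anything other than ASCII letters, digits, '-' and '_' would
    break the pipe/hex syntax of the content string, and a label longer than
    63 bytes cannot be expressed with a one-byte length prefix.
    """
    allowed = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_"
    return len(label) <= 63 and all(ch in allowed for ch in label)


def generate_rule(ioc, family=None, country=None, reference=None, counter=1):
    """Return a Snort/Suricata alert rule (one line) for a single IOC.

    ``ioc`` is treated as untrusted feed data: an IP address (per is_ip())
    produces an ``alert ip`` rule; anything else is matched as a DNS query
    name, label by label.  ``family`` and ``country`` are appended to the
    message; ``reference`` becomes the ``reference:url`` option and is left
    out entirely when not given (previously the literal text ``None`` was
    emitted).  ``counter`` is added to the 9100000 SID base.

    Raises ValueError when a domain label or the reference contains characters
    that cannot be embedded safely in a rule.
    """
    message_suffix = ""
    if family:
        message_suffix += " - related to {}".format(_escape_rule_value(family))
    if country:
        message_suffix += " (seen in {})".format(_escape_rule_value(country))

    sid = 9100000 + counter

    # The reference value is not a quoted string, so escaping does not help
    # there: refuse anything that could terminate or split the option.
    reference_option = ""
    if reference:
        reference_text = str(reference)
        if any(ch in reference_text for ch in ';"\\') or any(ch.isspace() for ch in reference_text):
            raise ValueError("reference contains characters not allowed in a rule option: {!r}".format(reference))
        reference_option = " reference:url,{};".format(reference_text)

    if is_ip(ioc):
        message = "Traffic to suspicious IP {}{}".format(_escape_rule_value(ioc), message_suffix)

        alert = ('alert ip any any -> {} any (msg:"{}";{} classtype:trojan-activity; sid:{}; rev:0;)'
                 .format(ioc, message, reference_option, sid))
    else:
        message = "Suspicious DNS request {}{}".format(_escape_rule_value(ioc), message_suffix)

        # DNS wire format: every label is preceded by its one-byte length.
        parts = []
        for label in ioc.split('.'):
            if not _is_dns_label(label):
                raise ValueError("domain label cannot be embedded in a content match: {!r}".format(label))
            parts.append('|{:02X}|{}'.format(len(label), label))
        domain_pattern = ''.join(parts)

        alert = ('alert udp any any -> any 53 (msg:"{}"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"{}"; nocase; distance: 0; fast_pattern;{} classtype:trojan-activity; sid:{}; rev:0;)'
                 .format(message, domain_pattern, reference_option, sid))

    return alert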
 def set_gateway(self, gateway):
     """Store *gateway* when it is an IP address or empty (None counts as empty).

     Raises CX for any other value; returns True.
     """
     value = "" if gateway is None else gateway
     if value != "" and not utils.is_ip(value):
         raise CX(_("invalid format for gateway IP address (%s)") % value)
     self.gateway = value
     return True
 def set_gateway(self, gateway):
     """Assign the default gateway; "" or None clears it, anything else must pass utils.is_ip().

     Raises CX on a malformed value; returns True.
     """
     normalised = gateway if gateway is not None else ""
     accepted = normalised == "" or utils.is_ip(normalised)
     if not accepted:
         raise CX(_("invalid format for gateway IP address (%s)") % normalised)
     self.gateway = normalised
     return True
 def set_ipv6_address(self, address, interface):
     """
     Store the (stripped) IPv6 address of *interface*; "" clears it.
     Only works if manage_dhcp is set in /etc/cobbler/settings
     """
     # The interface is resolved first so an unknown interface fails before
     # the address is examined.
     intf = self.__get_interface(interface)
     # NOTE(review): the format check is utils.is_ip(); confirm it accepts
     # IPv6 literals, since this setter is meant for them.
     accepted = address == "" or utils.is_ip(address)
     if not accepted:
         raise CX(_("invalid format for IPv6 IP address (%s)") % address)
     intf["ipv6_address"] = address.strip()
     return True
 def set_ipv6_address(self, address, interface):
     """
     Set the IPv6 address recorded for *interface* (whitespace stripped).
     An empty string clears it.  Raises CX on a malformed value; returns True.
     Only works if manage_dhcp is set in /etc/cobbler/settings
     """
     target = self.__get_interface(interface)
     if address != "" and not utils.is_ip(address):
         # NOTE(review): utils.is_ip() is the only format check — verify it
         # handles IPv6 literals.
         raise CX(_("invalid format for IPv6 IP address (%s)") % address)
     target["ipv6_address"] = address.strip()
     return True
    def set_ipv6_secondaries(self, addresses, interface):
        """Replace the IPv6 secondary addresses of *interface*.

        *addresses* may be a string or a list (normalised by
        utils.input_string_or_list).  Every entry must be "" or pass
        utils.is_ip(); the first offender raises CX.  Returns True.
        """
        intf = self.__get_interface(interface)
        entries = utils.input_string_or_list(addresses)
        for entry in entries:
            if entry != "" and not utils.is_ip(entry):
                raise CX(_("invalid format for IPv6 IP address (%s)") % entry)

        intf["ipv6_secondaries"] = list(entries)
        return True
    def set_ipv6_secondaries(self, addresses, interface):
        """Set the list of secondary IPv6 addresses on *interface*.

        Accepts a string or a list; each element must be "" or an address
        accepted by utils.is_ip(), otherwise CX is raised.  Returns True.
        """
        intf = self.__get_interface(interface)
        accepted = []
        for candidate in utils.input_string_or_list(addresses):
            if candidate == "" or utils.is_ip(candidate):
                accepted.append(candidate)
                continue
            raise CX(_("invalid format for IPv6 IP address (%s)") % candidate)

        intf["ipv6_secondaries"] = accepted
        return True
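    def set_ip_address(self, address, interface):
        """
        Assign the IP address stored for *interface* ("" clears it).
        Only works if manage_dhcp is set in /etc/cobbler/settings

        Unless ``allow_duplicate_ips`` is enabled in settings, an address that
        is already assigned to a different system is rejected.

        Raises CX on a malformed address or a duplicate.  Returns True.
        """
        intf = self.__get_interface(interface)

        # Reject malformed input before any lookup: the duplicate search is the
        # expensive step and should never be fed garbage.
        if address != "" and not utils.is_ip(address):
            raise CX(_("invalid format for IP address (%s)") % address)

        # The stored value is stripped, so the duplicate search must use the
        # stripped form as well or a padded duplicate would slip through.
        cleaned = address.strip()

        # FIXME: move duplicate suppression code to the object validation
        # functions to take a harder line on suppression?
        if cleaned != "" and str(self.config._settings.allow_duplicate_ips).lower() not in ["1", "y", "yes"]:
            for other in self.config.api.find_items("system", {"ip_address": cleaned}):
                if other.name != self.name:
                    raise CX("IP address duplicated: %s" % cleaned)

        intf["ip_address"] = cleaned
        return True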
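def main():
    """Command-line entry point: print the requested kind of IOC from a CSV file.

    The first column of each row is the indicator; rows that are empty or whose
    first column starts with '#' are skipped.  Exits with status 1 when no
    indicator kind was selected or the IOC file does not exist.
    """
    parser = ArgumentParser(description="Targeted Threats IOC Extractor")
    parser.add_argument('--all', '-a', action='store_true',
                        help="Get all indicators")
    parser.add_argument('--ip', '-i', action='store_true',
                        help="Get only IP addresses")
    parser.add_argument('--domains', '-d', action='store_true',
                        help="Get only domains")
    parser.add_argument('ioc_path', action="store")

    # Unknown options are tolerated (parse_known_args), as before.
    args, _unknown = parser.parse_known_args()

    if not (args.all or args.ip or args.domains):
        parser.print_usage()
        sys.exit(1)

    if not os.path.exists(args.ioc_path):
        # A missing input is an error: report it on stderr and exit non-zero
        # instead of returning success with no output.
        sys.stderr.write("[!] ERROR: IOC file does not exist at path {}\n".format(args.ioc_path))
        sys.exit(1)

    with open(args.ioc_path, 'r') as handle:
        for row in csv.reader(handle):
            # Skip blank rows and comment rows.
            if not row or row[0].startswith('#'):
                continue
            indicator = row[0]
            # NOTE(review): anything that is not an IP is reported as a domain;
            # other indicator types in the first column would be printed as well.
            wanted = args.ip if is_ip(indicator) else args.domains
            if args.all or wanted:
                print(indicator)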
    def set_ip_address(self, address, interface):
        """
        Record the IP address of *interface* (stripped); "" clears it.
        Only works if manage_dhcp is set in /etc/cobbler/settings

        Unless the ``allow_duplicate_ips`` setting is enabled, an address that
        another system already uses is refused.  Raises CX on a duplicate or a
        malformed address; returns True.
        """
        intf = self.__get_interface(interface)

        # FIXME: move duplicate supression code to the object validation
        # functions to take a harder line on supression?
        if address != "":
            duplicates_allowed = str(self.config._settings.allow_duplicate_ips).lower() in ["1", "y", "yes"]
            if not duplicates_allowed:
                others = self.config.api.find_items("system", {"ip_address": address})
                if any(system.name != self.name for system in others):
                    raise CX("IP address duplicated: %s" % address)

        if address != "" and not utils.is_ip(address):
            raise CX(_("invalid format for IP address (%s)") % address)
        intf["ip_address"] = address.strip()
        return True
    def set_name(self, name):
        """
        Set the object name after running validate_name() on it.

        When the name is a MAC or IP address, the corresponding field of the
        eth0 interface is filled in if it is still empty.  Raises CX when the
        object would be its own parent.  Returns True.
        """
        blank = ["", None]
        self_parented = (self.name not in blank and self.parent not in blank
                         and self.name == self.parent)
        if self_parented:
            raise CX(_("self parentage is weird"))
        self.validate_name(name)

        # eth0 remains the hard-coded "first" interface; this preserves the
        # old default-interface behaviour (see the original note by Jasper Capel).
        field = ("mac_address" if utils.is_mac(name)
                 else "ip_address" if utils.is_ip(name)
                 else None)
        if field:
            eth0 = self.__get_interface("eth0")
            if eth0[field] == "":
                eth0[field] = name
        self.name = name

        return True
 def ip_address(self, ip_address):
     """Store *ip_address* only when is_ip() accepts it; otherwise raise ValueError."""
     if not is_ip(ip_address):
         raise ValueError("Not an IP address")
     self._ip_address = ip_address
def whois(indicator):
    """Dispatch a WHOIS lookup: ip_whois() for IP literals, domain_whois() for anything else."""
    lookup = ip_whois if is_ip(indicator) else domain_whois
    return lookup(indicator)
def whois(indicator):
    """Run the WHOIS lookup appropriate for *indicator* (IP address or domain)."""
    return ip_whois(indicator) if is_ip(indicator) else domain_whois(indicator)
 def get_real_domain(self, domain_prefix, suffix=""):
     """Return the http:// URL for *domain_prefix* with *suffix* appended after a "/".

     An IP literal is used as the host directly; any other prefix is treated
     as a label under buu.edu.cn.
     """
     host = domain_prefix if utils.is_ip(domain_prefix) else domain_prefix + ".buu.edu.cn"
     return "http://{}/{}".format(host, suffix)
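 def set_if_gateway(self, gateway, interface):
     """Store *gateway* as the per-interface gateway of *interface*.

     An empty string clears the gateway; anything else must pass utils.is_ip().
     Raises CX on a malformed value; returns True.
     """
     intf = self.__get_interface(interface)
     if gateway == "" or utils.is_ip(gateway):
         intf["if_gateway"] = gateway
         return True
     # Translate the template first, then interpolate: with the value already
     # substituted the string could never match a message-catalog entry.
     raise CX(_("invalid gateway: %s") % gateway)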
 def set_ipv6_default_gateway(self, address, interface):
     """Set the IPv6 default gateway of *interface* (stripped); "" clears it.

     Raises CX when the value is neither empty nor accepted by utils.is_ip().
     Returns True.
     """
     intf = self.__get_interface(interface)
     if address != "" and not utils.is_ip(address):
         raise CX(_("invalid format for IPv6 IP address (%s)") % address)
     intf["ipv6_default_gateway"] = address.strip()
     return True
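 def set_if_gateway(self, gateway, interface):
     """Set the gateway used by *interface*; "" clears it.

     Any non-empty value must be accepted by utils.is_ip(), otherwise CX is
     raised.  Returns True.
     """
     intf = self.__get_interface(interface)
     if gateway != "" and not utils.is_ip(gateway):
         # The message template must be translated before the value is
         # substituted, otherwise the catalog lookup never matches.
         raise CX(_("invalid gateway: %s") % gateway)
     intf["if_gateway"] = gateway
     return True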
 def set_ipv6_default_gateway(self, address, interface):
     """Record the IPv6 default gateway for *interface*, whitespace stripped.

     An empty string is accepted and clears the value; any other value must
     pass utils.is_ip() or CX is raised.  Returns True.
     """
     target = self.__get_interface(interface)
     accepted = (address == "") or utils.is_ip(address)
     if accepted:
         target["ipv6_default_gateway"] = address.strip()
         return True
     raise CX(_("invalid format for IPv6 IP address (%s)") % address)
 def ip_address(self, ip_address):
     """Assign *ip_address* after is_ip() validation; a rejected value raises ValueError."""
     if is_ip(ip_address):
         self._ip_address = ip_address
         return
     raise ValueError("Not an IP address")