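def watch_iocs(*, verify=True, timeout=30):
    """
    Retrieve IOCs from the remote URLs defined in config/watchers and
    merge them into the database.

    Each feed is expected to be a JSON object with an optional "iocs"
    list (entries carrying "type", "tag", "tlp" and "value") and an
    optional "to_delete" list (entries carrying "value"). A feed that
    could not be fetched or parsed is retried every minute until every
    feed has been processed once; the function then returns.

    :param verify: TLS certificate verification for the feed requests,
        passed straight to ``requests.get``. Defaults to True: the feeds
        decide which indicators the system alerts on (and, through
        "to_delete", which ones it forgets), so fetching them over an
        unauthenticated HTTPS connection would let a network attacker
        tamper with detection. Pass a CA bundle path to trust a private
        CA rather than turning verification off.
    :param timeout: per-request timeout in seconds, so one stalled feed
        cannot block the watcher indefinitely.
    """
    urls = read_config(("watchers", "iocs"))
    watchers = [{"url": url, "status": False} for url in urls]

    while True:
        for w in watchers:
            if w["status"]:
                continue
            iocs_list, to_delete = _fetch_ioc_feed(w["url"], verify, timeout)
            if iocs_list is None:
                # Network error, non-200 status or malformed body: leave
                # status False so this feed is retried in the next round.
                continue
            iocs = IOCs()
            for ioc in iocs_list:
                try:
                    iocs.add(ioc["type"], ioc["tag"], ioc["tlp"],
                             ioc["value"], "watcher")
                except Exception:
                    # Best effort: one malformed or duplicate entry must
                    # not stop the rest of the feed from being imported.
                    continue
            for ioc in to_delete:
                try:
                    iocs.delete_by_value(ioc["value"])
                except Exception:
                    continue
            # The feed was fetched and parsed, so it is done even when it
            # was empty. (Marking success only after an add, as before,
            # made a valid but empty feed retry forever.)
            w["status"] = True

        if all(w["status"] for w in watchers):
            break
        # At least one feed is still pending: retry in one minute.
        time.sleep(60)


def _fetch_ioc_feed(url, verify, timeout):
    """
    Fetch and parse one IOC feed.

    :return: ``(iocs, to_delete)`` lists, or ``(None, None)`` when the
        request failed, returned a non-200 status, or the body was not a
        JSON object. Missing or null lists are returned as ``[]``.
    """
    try:
        res = requests.get(url, verify=verify, timeout=timeout)
    except requests.RequestException:
        return None, None
    if res.status_code != 200:
        return None, None
    try:
        content = json.loads(res.content)
    except ValueError:
        # Covers JSONDecodeError and undecodable bytes alike.
        return None, None
    if not isinstance(content, dict):
        return None, None
    return content.get("iocs") or [], content.get("to_delete") or []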
def add(ioc_type, ioc_tag, ioc_tlp, ioc_value):
    """
    Parse and add an IOC to the database from the GET route parameters.

    The source is fixed to "backend": indicators created through this
    endpoint are always attributed to the local backend, never to a
    caller-chosen origin.

    :return: status of the operation in JSON, as produced by IOCs.add.
    """
    return jsonify(IOCs.add(ioc_type, ioc_tag, ioc_tlp, ioc_value, "backend"))
def add(ioc_type, ioc_tag, ioc_tlp, ioc_value):
    """
    Parse and add an IOC to the database from the GET route parameters.

    For "snort" indicators the rule text is rebuilt from the raw request
    path rather than taken from the parsed ``ioc_value`` parameter,
    presumably because rule bodies contain "/" and percent-encoded
    characters that the route converter would split or decode.

    :return: status of the operation in JSON, as produced by IOCs.add.
    """
    source = "backend"
    if ioc_type == "snort":
        # Everything after the seventh "/" of the full path is the rule.
        # NOTE(review): the offset 7 is tied to the route this view is
        # registered on (not visible here), and ``request.full_path``
        # also carries the query string — confirm both against the
        # blueprint before relying on the stored value.
        path_parts = request.full_path.split("/")
        ioc_value = unquote("/".join(path_parts[7:]))
    return jsonify(IOCs.add(ioc_type, ioc_tag, ioc_tlp, ioc_value, source))
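def watch_misp():
    """
    Retrieve IOCs from the configured MISP instances and add them to the
    database.

    Every instance is tested first (URL, API key and certificate
    verification setting come from its stored configuration). Reachable
    instances are synchronised once and dropped from the pending set;
    unreachable ones are retried every minute. The function returns once
    every instance has been synchronised.
    """
    iocs, misp = IOCs(), MISP()
    pending = list(misp.get_instances())

    while pending:
        still_pending = []
        for ist in pending:
            # ``verifycert`` is a per-instance setting rather than a
            # hard-coded False, so TLS validation stays an explicit
            # operator decision.
            if not misp.test_instance(ist["url"], ist["apikey"], ist["verifycert"]):
                still_pending.append(ist)
                continue
            for ioc in misp.get_iocs(ist["id"]):
                iocs.add(ioc["type"], ioc["tag"], ioc["tlp"], ioc["value"],
                         "misp-{}".format(ist["id"]))
            misp.update_sync(ist["id"])
        # Build the next round instead of popping from the list being
        # iterated: pop(i) inside enumerate() shifted the remaining items,
        # so the instance following each successful one was skipped until
        # the next round and paid a spurious 60 s wait.
        pending = still_pending
        if pending:
            time.sleep(60)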
def add_post():
    """
    Parse and add an IOC to the database from a JSON POST body.

    The body is expected to have the shape
    ``{"data": {"ioc": {"ioc_type", "ioc_tag", "ioc_tlp", "ioc_value",
    "ioc_source"}}}``; a missing key raises KeyError (surfacing as an
    unhandled 500) rather than a clean client error.

    NOTE(review): unlike the sibling GET ``add`` route, which pins the
    source to "backend", here ``ioc_source`` is taken verbatim from the
    client. If other code treats sources such as "watcher" or
    "misp-<id>" differently, a caller can impersonate them — confirm,
    and pin or whitelist the value if so.

    :return: status of the operation in JSON, as produced by IOCs.add.
    """
    payload = json.loads(request.data)["data"]["ioc"]
    # Read the fields in the same order as before so a missing key
    # raises on the same name.
    ioc_type, ioc_tag, ioc_tlp, ioc_value, ioc_source = (
        payload[key]
        for key in ("ioc_type", "ioc_tag", "ioc_tlp", "ioc_value", "ioc_source")
    )
    return jsonify(IOCs.add(ioc_type, ioc_tag, ioc_tlp, ioc_value, ioc_source))