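def watch_iocs():
    """
        Retrieve IOCs from the remote URLs defined in config/watchers.
        For each IOC, add it to the DB.

        Every watcher URL is polled until it has been processed once. A
        watcher counts as processed as soon as at least one of its entries
        was added or deleted; unprocessed watchers are retried every minute,
        so a feed that never yields anything keeps this loop running.
    """

    # Retrieve the URLs from the configuration
    urls = read_config(("watchers", "iocs"))
    watchers = [{"url": url, "status": False} for url in urls]

    while True:
        for w in watchers:
            if w["status"]:
                continue

            iocs = IOCs()
            iocs_list = []
            to_delete = []
            try:
                # SECURITY: verify=False disables TLS certificate validation, so
                # an on-path attacker can serve a forged feed and have arbitrary
                # IOCs inserted into or deleted from the database. Kept as-is to
                # avoid breaking existing deployments; prefer verify=True (or a
                # CA bundle path) and treat the feed as untrusted input.
                res = requests.get(w["url"], verify=False)
                if res.status_code == 200:
                    content = json.loads(res.content)
                    iocs_list = content[
                        "iocs"] if "iocs" in content else []
                    to_delete = content[
                        "to_delete"] if "to_delete" in content else []
                else:
                    w["status"] = False
            except (requests.RequestException, ValueError, TypeError):
                # Network failure, non-JSON body, or a JSON value that is not a
                # container: leave the watcher unprocessed so it is retried.
                w["status"] = False

            for ioc in iocs_list:
                try:
                    iocs.add(ioc["type"], ioc["tag"], ioc["tlp"],
                             ioc["value"], "watcher")
                    w["status"] = True
                except Exception:
                    # Malformed entry (missing key, wrong type) or a DB
                    # rejection: best-effort, skip this entry only.
                    continue

            for ioc in to_delete:
                try:
                    iocs.delete_by_value(ioc["value"])
                    w["status"] = True
                except Exception:
                    continue

        # If at least one URL hasn't been processed yet, retry in 1 min.
        if any(not w["status"] for w in watchers):
            time.sleep(60)
        else:
            break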
def add(ioc_type, ioc_tag, ioc_tlp, ioc_value):
    """
        Parse and add an IOC to the database.
        :return: status of the operation in JSON
    """
    # Entries created through this route are always attributed to the
    # backend; the route parameters themselves are forwarded as received.
    # NOTE(review): no validation happens here — presumably IOCs.add checks
    # type/tag/tlp; confirm before exposing this route widely.
    outcome = IOCs.add(ioc_type, ioc_tag, ioc_tlp, ioc_value, "backend")
    return jsonify(outcome)
def add(ioc_type, ioc_tag, ioc_tlp, ioc_value):
    """
        Parse and add an IOC to the database.
        :return: status of the operation in JSON
    """
    source = "backend"
    if ioc_type == "snort":
        # A snort rule contains slashes, so the route parameter only carries
        # its first segment: rebuild the whole rule from the raw request path.
        # NOTE(review): the [7:] offset is coupled to the route's URL layout,
        # and full_path presumably carries the query string as well, so that
        # text ends up inside the stored rule — confirm against the blueprint.
        segments = request.full_path.split("/")
        ioc_value = unquote("/".join(segments[7:]))
    outcome = IOCs.add(ioc_type, ioc_tag, ioc_tlp, ioc_value, source)
    return jsonify(outcome)
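def watch_misp():
    """
        Retrieve IOCs from misp instances. Each new element is
        tested and then added to the database.

        Instances whose connectivity test fails are kept and retried every
        minute; the loop ends once every instance has been synchronised.
    """
    iocs, misp = IOCs(), MISP()
    instances = list(misp.get_instances())

    while instances:
        pending = []
        for ist in instances:
            # verifycert is taken from the instance record, so TLS checking
            # for MISP is a per-instance setting rather than hard-coded.
            status = misp.test_instance(ist["url"], ist["apikey"],
                                        ist["verifycert"])
            if not status:
                # Unreachable or rejected credentials: retry on the next round.
                pending.append(ist)
                continue
            for ioc in misp.get_iocs(ist["id"]):
                iocs.add(ioc["type"], ioc["tag"], ioc["tlp"], ioc["value"],
                         "misp-{}".format(ist["id"]))
            misp.update_sync(ist["id"])
        # Rebuild the list instead of pop()-ing during iteration: removing an
        # element inside enumerate() skipped the instance that followed it,
        # delaying its sync by a full round.
        instances = pending
        if instances:
            time.sleep(60)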
def add_post():
    """
        Parse and add an IOC to the database using the post method.
        :return: status of the operation in JSON
    """

    # The raw body is decoded here: a non-JSON body raises ValueError and a
    # body missing "data"/"ioc" or any field raises KeyError; neither is
    # caught in this function.
    # NOTE(review): unlike the GET routes, which fix source="backend", the
    # client picks "ioc_source" here, so a caller can impersonate other
    # sources (e.g. "watcher"); confirm that is intended.
    payload = json.loads(request.data)
    entry = payload["data"]["ioc"]
    outcome = IOCs.add(entry["ioc_type"], entry["ioc_tag"], entry["ioc_tlp"],
                       entry["ioc_value"], entry["ioc_source"])
    return jsonify(outcome)