def clean_indicator(self, i, rule):
    """Normalise one parsed indicator and fill in missing defaults.

    Steps, in order:

    1. If ``rule.replace`` is set, apply its per-field substring
       substitutions to the matching fields of ``i`` (the original
       comment describes this as handling de-fanged feeds).
    2. Pass the result through ``normalize_itype``.
    3. If the result is still a dict, build an ``Indicator`` from it.
    4. Default ``firsttime`` to ``lasttime``, ``reporttime`` to the
       current UTC time, and ``group`` to ``'everyone'``.

    :param i: the indicator; iterated by field name and indexed by it
    :param rule: rule object whose ``replace`` attribute maps a field
        name to a ``{old: new}`` substitution mapping
    :return: the indicator object with defaults applied
    """
    # check for de-fang'd feed
    # After this step a value that was inert text in the feed may be a
    # live URL or hostname again, so downstream code should keep
    # treating it as data (never fetch or render it as a link).
    substitutions = rule.replace
    if substitutions:
        for field in i:
            mapping = substitutions.get(field)
            if not mapping:
                continue

            # NOTE(review): assumes the field value is a string; any
            # other type fails here on the missing .replace() method.
            for old, new in mapping.items():
                i[field] = i[field].replace(old, new)

    indicator = normalize_itype(i)

    if isinstance(indicator, dict):
        indicator = Indicator(**indicator)

    # A feed that gives only one timestamp gets it as both first and last.
    if not indicator.firsttime:
        indicator.firsttime = indicator.lasttime

    # No report time supplied: stamp with ingest time (UTC), so this is
    # when we saw it, not necessarily when the source reported it.
    if not indicator.reporttime:
        indicator.reporttime = arrow.utcnow().datetime

    # NOTE(review): if groups gate who may read an indicator downstream,
    # 'everyone' is the least restrictive default; confirm it is intended
    # for feeds that do not set a group.
    if not indicator.group:
        indicator.group = 'everyone'

    return indicator
def get_indicator(l):
    """Guess an ``Indicator`` from a list of untyped values.

    Each element of ``l`` is classified as an int, an indicator (when
    ``resolve_itype`` returns something truthy), a timestamp (when
    ``is_timestamp`` says so) or a plain string, and is then mapped to
    an ``Indicator`` attribute:

    * indicator -> ``indicator``
    * timestamps -> newest becomes ``lasttime``, second newest ``firsttime``
    * ints -> ``portlist`` (one int), or the larger of the first two as
      ``portlist`` and the smaller as ``dest_portlist``
    * string containing a space -> ``description``
    * other string shorter than 10 characters -> ``tags`` (single tag)

    :param l: iterable of values (presumably the fields of one feed
        line; verify against caller)
    :return: a new ``Indicator`` populated from the guesses above
    """
    # step 1, detect datatypes
    # Keyed by the value itself, so repeated values collapse to one entry.
    kinds = {}
    for item in l:
        # NOTE(review): bool is a subclass of int, so True/False land
        # here as well and would later be treated as port numbers.
        if isinstance(item, int):
            kinds[item] = 'int'
            continue

        try:
            if resolve_itype(item):
                kinds[item] = 'indicator'
                continue
        except Exception:
            # NOTE(review): every resolver failure, expected or not, is
            # silently read as "not an indicator"; a narrower exception
            # type would keep real errors visible.
            pass

        if is_timestamp(item):
            kinds[item] = 'timestamp'
        elif isinstance(item, basestring):
            kinds[item] = 'string'

    # step 2, map each classified value onto the indicator
    result = Indicator()
    stamps = []
    port_values = []

    for item, kind in kinds.items():
        if kind == 'indicator':
            # With several indicator-like values the last one seen wins.
            result.indicator = item
        elif kind == 'timestamp':
            stamps.append(item)
        elif kind == 'int':
            port_values.append(item)
        elif kind == 'string':
            if ' ' in item:
                result.description = item
            elif len(item) < 10:
                result.tags = [item]

    stamps.sort(reverse=True)

    if stamps:
        result.lasttime = stamps[0]

    # NOTE(review): with three or more timestamps this picks the second
    # newest, not the oldest; confirm that is the intent.
    if len(stamps) > 1:
        result.firsttime = stamps[1]

    # NOTE(review): ints are taken as ports with no 0-65535 range check,
    # and any beyond the first two are ignored.
    if len(port_values) == 1:
        result.portlist = port_values[0]
    elif port_values:
        first, second = port_values[0], port_values[1]
        high, low = (first, second) if first > second else (second, first)
        result.portlist = high
        result.dest_portlist = low

    return result