def _api(self): """Instantiates PyPSSL API""" credentials = self.api_key.split(":") pssl = pypssl.PyPSSL(basic_auth=(credentials[0], credentials[1])) return pssl
def run(self): # You should save CIRCL credentials with this template: "<user>|<pwd>" if not self.__credentials: raise AnalyzerRunException("no credentials retrieved") split_credentials = self.__credentials.split("|") if len(split_credentials) != 2: raise AnalyzerRunException( "CIRCL credentials not properly configured." "Template to use: '<user>|<pwd>'") user = split_credentials[0] pwd = split_credentials[1] pssl = pypssl.PyPSSL(basic_auth=(user, pwd)) result = pssl.query(self.observable_name, timeout=5) certificates = [] if result.get(self.observable_name, {}): certificates = list( result.get(self.observable_name).get("certificates", [])) parsed_result = {"ip": self.observable_name, "certificates": []} for cert in certificates: subject = (result.get(self.observable_name).get( "subjects", {}).get(cert, {}).get("values", [])) if subject: parsed_result["certificates"].append({ "fingerprint": cert, "subject": subject[0] }) return parsed_result
def __init__(self): Analyzer.__init__(self) self.user = self.getParam('config.user', None, 'PassiveSSL username is missing!') self.password = self.getParam('config.password', None, 'PassiveSSL password is missing!') self.pssl = pypssl.PyPSSL(basic_auth=(self.user, self.password))
def handler(q=False): if q is False: return False request = json.loads(q) if request.get('ip-src'): toquery = request['ip-src'] elif request.get('ip-dst'): toquery = request['ip-dst'] else: misperrors['error'] = "Unsupported attributes type" return misperrors if request.get('config'): if (request['config'].get('username') is None) or (request['config'].get('password') is None): misperrors['error'] = 'CIRCL Passive SSL authentication is missing' return misperrors x = pypssl.PyPSSL(basic_auth=(request['config']['username'], request['config']['password'])) res = x.query(toquery) out = res.get(toquery) r = {'results': [{'types': mispattributes['output'], 'values': out}]} return r
def run(analyzer_name, job_id, observable_name, observable_classification, additional_config_params): logger.info("started analyzer {} job_id {} observable {}" "".format(analyzer_name, job_id, observable_name)) report = general.get_basic_report_template(analyzer_name) try: # You should save CIRCL credentials with this template: "<user>|<pwd>" credentials = secrets.get_secret("CIRCL_CREDENTIALS") if not credentials: raise AnalyzerRunException("no credentials retrieved") split_credentials = credentials.split('|') if len(split_credentials) != 2: raise AnalyzerRunException("CIRCL credentials not properly configured." "Template to use: '<user>|<pwd>'") user = split_credentials[0] pwd = split_credentials[1] pssl = pypssl.PyPSSL(basic_auth=(user, pwd)) result = pssl.query(observable_name) certificates = [] if result.get(observable_name, {}): certificates = list(result.get(observable_name).get('certificates', [])) parsed_result = {'ip': observable_name, 'certificates': []} for cert in certificates: subject = result.get(observable_name).get('subjects', {}).get(cert, {}).get('values', []) if subject: parsed_result['certificates'].append({'fingerprint': cert, 'subject': subject[0]}) # pprint.pprint(parsed_result) report['report'] = parsed_result except AnalyzerRunException as e: error_message = "job_id:{} analyzer:{} observable_name:{} Analyzer error {}" \ "".format(job_id, analyzer_name, observable_name, e) logger.error(error_message) report['errors'].append(error_message) report['success'] = False except Exception as e: traceback.print_exc() error_message = "job_id:{} analyzer:{} observable_name:{} Unexpected error {}" \ "".format(job_id, analyzer_name, observable_name, e) logger.exception(error_message) report['errors'].append(str(e)) report['success'] = False else: report['success'] = True general.set_report_and_cleanup(job_id, report, logger) logger.info("ended analyzer {} job_id {} observable {}" "".format(analyzer_name, job_id, observable_name)) return report
def __init__(self, attribute, authentication): self.misp_event = MISPEvent() self.attribute = MISPAttribute() self.attribute.from_dict(**attribute) self.misp_event.add_attribute(**self.attribute) self.pssl = pypssl.PyPSSL(basic_auth=authentication) self.cert_hash = 'x509-fingerprint-sha1' self.cert_type = 'pem' self.mapping = {'issuer': ('text', 'issuer'), 'keylength': ('text', 'pubkey-info-size'), 'not_after': ('datetime', 'validity-not-after'), 'not_before': ('datetime', 'validity-not-before'), 'subject': ('text', 'subject')}
def main(): parser = argparse.ArgumentParser(description='Query a Passive SSL instance.') parser.add_argument("--url", default='https://www.circl.lu/', help='URL where the passive SSL is running (no path).') parser.add_argument("-v", "--version", type=int, default=2, help='URL where the passive SSL is running (no path).') parser.add_argument("-u", "--username", help='Username to login on the platform.') parser.add_argument("-p", "--password", help='Password to login on the platform.') parser.add_argument("-t", "--token", help='Token to login on the platform.') parser.add_argument("-i", "--ip", help='IP to query (can be a block, max /23).') parser.add_argument("-c", "--cert", help='SHA1 of the certificate to search.') parser.add_argument("-f", "--fetch", help='SHA1 of the certificate to fetch.') args = parser.parse_args() p = pypssl.PyPSSL(args.url, args.version, (args.username, args.password), args.token) if args.ip is not None: print(json.dumps(p.query(args.ip))) elif args.cert is not None: print(json.dumps(p.query_cert(args.cert))) elif args.fetch is not None: print(json.dumps(p.fetch_cert(args.fetch, make_datetime=False))) else: print('You didn\'t query anything...')
def pssl_investigate_ip(ip_to_investigate): """ investigate a ip with passive SSL service :param ip_to_investigate: """ # CIRCL passive SSL logger.info("Doing pSSL on: " + ip_to_investigate) p = pypssl.PyPSSL(PSSL_URL, PSSL_VERSION, (PSSL_USER, PSSL_PASSWORD)) # a = p.query(domain_to_investigate) b = p.query(ip_to_investigate + "/28") for ip in b: for certificate in b[ip]['certificates']: details = [] try: logger.debug("Investigating " + ip_to_investigate + " cert: " + certificate) #cert_details = p.query_cert(certificate) details = p.fetch_cert(certificate) timestamp_desc = "pSSL_IP" ip = ip_to_investigate except ValueError as e: logger.error( "Value Error with receiving the cert with hash: " + certificate + " from ip: " + ip_to_investigate + " " + str(e)) continue except Exception as e: logger.error( "General Error with receiving the cert with hash: " + certificate + " from ip: " + ip_to_investigate + " " + str(e)) continue try: # FIRST_Seen if 'icsi' in details: first_seen = details['icsi']['first_seen'] first_seen_datetime = calculate_date(first_seen) timestamp = convert_date_to_timestamp(first_seen_datetime) message = "IP " + ip + " had an SSL certificate " + certificate + " first seen in the wild " + str( first_seen_datetime) + " " + str(details) message = message.replace(',', ';') append_line_to_csv(timestamp, first_seen_datetime, timestamp_desc, message, report, attribution, md5=certificate, ip=ip_to_investigate) # LAST Seen last_seen_datetime = calculate_date( details['icsi']['last_seen']) timestamp = convert_date_to_timestamp(last_seen_datetime) message = "IP " + ip + " had an SSL certificate " + certificate + " last seen in the wild " + str( last_seen_datetime) + " " + str(details) message = message.replace(',', ';') append_line_to_csv(timestamp, last_seen_datetime, timestamp_desc, message, report, attribution, md5=certificate, ip=ip_to_investigate) else: logger.debug( ip_to_investigate + " " + certificate + " no isci info found, so maybe not seen in the wild") # NOT AFTER datetime_new = details['info']['not_after'] timestamp = convert_tsdate_to_timestamp( str(details['info']['not_after'])) datetime_new = str(datetime_new).replace(' ', 'T') message = "IP " + ip + " had an SSL certificate " + certificate + " issued not after " + str( datetime_new) + " " + str(details) message = message.replace(',', ';') append_line_to_csv(timestamp, datetime_new, timestamp_desc, message, report, attribution, md5=certificate, ip=ip_to_investigate) # NOT BEFORE datetime_new = details['info']['not_before'] timestamp = convert_tsdate_to_timestamp( str(details['info']['not_before'])) datetime_new = str(datetime_new).replace(' ', 'T') message = "IP " + ip + " had an SSL certificate " + certificate + " issued not before " + str( datetime_new) + " " + str(details) message = message.replace(',', ';') append_line_to_csv(timestamp, datetime_new, timestamp_desc, message, report, attribution, md5=certificate, ip=ip_to_investigate) logger.debug("finished certificate") except Exception as e: logger.error("Big Error with receiving the cert with hash: " + certificate + " from ip: " + ip_to_investigate + " " + str(e))
def init(): return pypssl.PyPSSL(base_url=BASE_URL, basic_auth=(LOGIN, PASSWORD))