def test_vuln_risklist(self):
    """Stream the plain-text vulnerability risk list and sanity-check its shape.

    The first streamed line is treated as the CSV header and must be a
    string; at least ten further lines (the data rows) must follow it.
    """
    api = ConnectApiClient()
    response = api.get_vulnerability_risklist(gzip=False)
    lines = response.iter_lines()
    # the header row comes first; pull it off before counting data rows
    header_line = next(lines)
    self.assertIsInstance(header_line, basestring)
    data_rows = list(lines)
    self.assertGreater(len(data_rows), 10)
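def test_vuln_risklist_gzip(self):
    """Download the gzip-compressed risk list into an in-memory byte buffer.

    The body is consumed in 1 KiB chunks via ``iter_content``; the buffer is
    held by a context manager so it is closed even when the size assertion
    fails (the original closed it only on the success path).
    """
    client = ConnectApiClient()
    resp = client.get_vulnerability_risklist(gzip=True)
    with io.BytesIO() as buf:
        for chunk in resp.iter_content(chunk_size=1024):
            buf.write(chunk)
        # getvalue() gives the whole payload without the seek(0)/read() round trip
        self.assertGreater(len(buf.getvalue()), 1000)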
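def test_vuln_riskrule(self):
    """The vulnerability risk-rule listing is a non-empty list of rule dicts.

    Only the first entry's key set is checked. The list is asserted
    non-empty first so an empty response fails with a clear message
    instead of an IndexError on ``resp[0]``.
    """
    client = ConnectApiClient()
    resp = client.get_vulnerability_riskrules()
    self.assertIsInstance(resp, list)
    self.assertTrue(resp, "risk-rule list is empty")
    expected_keys = {
        'name', 'description', 'count', 'criticality', 'criticalityLabel'
    }
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12)
    self.assertEqual(set(resp[0].keys()), expected_keys)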
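def test_ip_demoevents(self):
    """One IP demo event renders as a NetScreen-style syslog traffic line.

    The pattern pins the fixed fields of the demo record (device id, policy
    id, service, zones, action, byte counts) and matches the variable ones
    (leading timestamp, start_time, src/dst) with ``.+``.
    """
    client = ConnectApiClient()
    res = client.get_ip_demoevents(limit=1)
    # Raw strings keep the regex backslashes literal, so the pylint
    # anomalous-backslash disable is no longer needed. The dots in the
    # loopback address are escaped so they match only a literal '.'.
    pattern = (
        r'.+ \[127\.0\.0\.1\] \[localhost\]: '
        r'NetScreen device_id=netscreen2 '
        r'\[Root\]system-notification-00257\(traffic\): '
        r'start_time=".+" duration=0 policy_id=320001 '
        r'service=msrpc Endpoint Mapper\(tcp\) proto=6 src '
        r'zone=office dst zone=internet action=Permit sent=0 '
        r'rcvd=16384 dst=.+ src=.+'
    )
    # assertRegexpMatches is the Python 2.7 spelling (assertRegex on 3.2+)
    self.assertRegexpMatches(res.text, pattern)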
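def test_domain_search(self):
    """An unfiltered domain search returns a lazily iterated, non-empty result.

    Checks the response wrapper type, that ``entities`` is a generator, the
    shape of the first entity, and that the count fields are numeric with a
    positive returned count.
    """
    client = ConnectApiClient()
    resp = client.search_domains()
    self.assertIsInstance(resp, ConnectApiResponse)
    # entities is a generator; only its first item is pulled here
    self.assertIsInstance(resp.entities, types.GeneratorType)
    first_entity = next(resp.entities)
    self.assertIsInstance(first_entity, DotAccessDict)
    # the entity's top-level id mirrors the nested entity.id
    # (assertEqual: assertEquals is a deprecated alias, removed in Python 3.12)
    self.assertEqual(first_entity.id, first_entity.entity.id)
    self.assertIsInstance(resp.returned_count, int)
    # Python 2 `long`; this check is not portable to Python 3 as written
    self.assertIsInstance(resp.total_count, long)
    self.assertGreater(resp.returned_count, 0)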
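def main():
    """Download a risk list of the requested IoC type and post-process it as CSV.

    Command line:
        -t/--type    ip | hash | domain   (required)
        -c/--clookup yes | no             (default 'no'; handed to csv_formatter)

    Exits with status 1 when the output folder does not exist or is not
    writable by the current user. ``document_root_folder``, ``api_key`` and
    ``csv_formatter`` are free names resolved from the enclosing module.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument(
        '-t', '--type', type=str, required=True,
        choices={"ip", "hash", "domain"},
        help="Type of IoC to process : ip, hash, domain. exp for IP use : --type ip")
    parser.add_argument(
        '-c', '--clookup', type=str, required=False,
        choices={"yes", "no"}, default='no',
        help="Chose whether to lookup the IP or domain country or not")
    args = parser.parse_args()

    # print() with a single argument behaves identically on Python 2 and 3
    if not os.path.exists(document_root_folder):
        print(document_root_folder + ' folder is missing.')
        sys.exit(1)
    if not os.access(document_root_folder, os.W_OK):
        print('User ' + getpass.getuser() + ' has no write permission on '
              + document_root_folder)
        sys.exit(1)

    print('Downloading IoC...')
    api = ConnectApiClient(auth=api_key)
    # args.type is restricted by argparse `choices`, so the file name cannot
    # carry path separators. os.path.join (instead of string concatenation)
    # works whether or not document_root_folder ends with a separator.
    out_path = os.path.join(document_root_folder, args.type + '.csv')
    # Name Risk RiskString EvidenceDetails
    with open(out_path, 'wb') as f:
        api.save_risklist(f, args.type, None, 'csv')
    csv_formatter(out_path, args.type, args.clookup)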
def test_get_url(self):
    """Looking up a single URL yields a dot-accessible result dict."""
    target = 'https://sites.google.com/site/unblockingnotice/'
    result = ConnectApiClient().lookup_url(target)
    self.assertIsInstance(result, DotAccessDict)
def test_get_search(self):
    """Keyword search over IPs filtered by risk-score range and sort direction."""
    api = ConnectApiClient()
    # keyword arguments passed directly instead of through **dict(...)
    result = api.search("ip", risk_score="(91,100]", direction='desc')
    self.assertIsInstance(result, ConnectApiResponse)
def test_get_ip(self):
    """Looking up a single IPv4 address yields a dot-accessible result dict."""
    address = "8.8.8.8"
    result = ConnectApiClient().lookup_ip(address)
    self.assertIsInstance(result, DotAccessDict)
def test_get_fusion_file(self):
    """Fetching a public Fusion file returns a raw requests Response with a body."""
    fusion_path = "/public/default_ip_risklist.csv"
    response = ConnectApiClient().get_fusion_file(fusion_path)
    self.assertIsInstance(response, requests.models.Response)
    # the downloaded body must be non-empty
    self.assertGreater(len(response.content), 0)
def test_head_fusion_file(self):
    """A HEAD on a public Fusion file yields the response headers only."""
    fusion_path = "/public/default_ip_risklist.csv"
    headers = ConnectApiClient().head_fusion_file(fusion_path)
    # headers come back as requests' case-insensitive mapping
    self.assertIsInstance(headers, requests.structures.CaseInsensitiveDict)
def test_get_malware(self):
    """Looking up a malware family by name yields a dot-accessible result dict."""
    family = 'KoneQR'
    result = ConnectApiClient().lookup_malware(family)
    self.assertIsInstance(result, DotAccessDict)
def test_vuln_riskrule(self):
    """Vulnerability risk rules pass the test class's shared list check.

    ``check_list`` is a helper on the enclosing test class (defined outside
    this method); its exact assertions are not visible here.
    """
    rules = ConnectApiClient().get_vulnerability_riskrules()
    self.check_list(rules)
def domainLookup(args):
    """Print the raw lookup result for ``args.domainname``.

    ``args`` is a parsed command-line namespace; ``args.rf_token`` is used as
    the API credential.
    """
    client = ConnectApiClient(auth=args.rf_token)
    result = client.lookup_domain(args.domainname)
    print(result)
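def test_vuln_demoevents(self):
    """One vulnerability demo event starts with the ``_scan_result_info`` JSON key.

    Only the first 20 characters of the body are compared, which is exactly
    the length of the expected prefix.
    """
    client = ConnectApiClient()
    res = client.get_vulnerability_demoevents(limit=1)
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12)
    self.assertEqual(res.text[:20], u'{"_scan_result_info"')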
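def test_url_demoevents(self):
    """One URL demo event renders as a Squid-style access-log line.

    The pattern requires a numeric field, a ``TCP_MISS/`` status, a GET of an
    http(s) URL and a ``DIRECT/`` forwarding field.
    """
    client = ConnectApiClient()
    res = client.get_url_demoevents(limit=1)
    # Raw string: \s, \d and \S are regex escapes, not string escapes, so the
    # pylint anomalous-backslash disable is no longer needed and no
    # invalid-escape warning is emitted on newer interpreters.
    pattern = r'.+\s+\d+ .+ TCP_MISS/.+GET https?://\S+/\S+ - DIRECT/.*'
    # assertRegexpMatches is the Python 2.7 spelling (assertRegex on 3.2+)
    self.assertRegexpMatches(res.text, pattern)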
def test_hash_demoevents(self):
    """One hash demo event carries a lowercase-hex ``Application hash:`` field."""
    api = ConnectApiClient()
    event = api.get_hash_demoevents(limit=1)
    hash_line = '.+ Application hash: [0-9a-f]+, .+'
    self.assertRegexpMatches(event.text, hash_line)
def test_vulnerabilty_extension(self):
    """The 'shodan' extension for CVE-2014-0160 yields a dot-accessible dict.

    (The method name's spelling is kept as-is; renaming a test changes the
    test id reported by the runner.)
    """
    cve_id = "CVE-2014-0160"
    extension = "shodan"
    details = ConnectApiClient().get_vulnerability_extension(cve_id, extension)
    self.assertIsInstance(details, DotAccessDict)
def iplookup(args):
    """Print the raw lookup result for ``args.ipaddress``.

    ``args`` is a parsed command-line namespace; ``args.rf_token`` is used as
    the API credential.
    """
    client = ConnectApiClient(auth=args.rf_token)
    result = client.lookup_ip(args.ipaddress)
    print(result)
def test_get_hash_extension(self):
    """The 'active_reversinglabs' extension for a hash yields a dot-accessible dict."""
    sample_hash = '21232f297a57a5a743894a0e4a801fc3'
    extension = 'active_reversinglabs'
    details = ConnectApiClient().get_hash_extension(sample_hash, extension)
    self.assertIsInstance(details, DotAccessDict)
if __name__ == '__main__': # API key supplied as argument on command line # NEVER hardcode an API key, it could be exposed by source control etc >:O parser = argparse.ArgumentParser(description='Download and parse IP Risk\ List data from RF for Zeek') parser.add_argument('apikey', type=str, help='RF API key for API auth') args = parser.parse_args() # Create zeek_intel column names f = open("zeek_intel.txt", "w") f.write("#fields\tindicator\tindicator_type\tmeta.source\tmeta.risk") f.write("\tmeta.riskstring\tmeta.rule\tmeta.criticalitylabel\tmeta.desc") f.write("\tmeta.timestamp\tmeta.name\tmeta.criticality\n") # Get and parse IP risk list from RF api = ConnectApiClient(auth=args.apikey) ip_risklist = api.get_ip_risklist() decoding_errors = 0 total = 0 for ip in ip_risklist.csv_reader: total += 1 try: edict = json.loads(ip['EvidenceDetails']) for e in edict['EvidenceDetails']: f.write(ip['Name'] + "\tIntel::ADDR\tRFAPI\t" + ip['Risk']) f.write("\t" + ip['RiskString'] + "\t") f.write(e['Rule'] + "\t" + e['CriticalityLabel'] + "\t") f.write(e['EvidenceString'] + "\t" + e['Timestamp'] + "\t") f.write(e['Name'] + "\t" + str(e['Criticality'])) f.write("\n") except UnicodeEncodeError:
def test_hash_riskrule(self):
    """Hash risk rules pass the test class's shared list check.

    ``check_list`` is a helper on the enclosing test class (defined outside
    this method); its exact assertions are not visible here.
    """
    rules = ConnectApiClient().get_hash_riskrules()
    self.check_list(rules)