def run(self):
try:
# Main loop function
# First load the malicious ips from the file to the DB
self.__load_malicious_ips()
while True:
message = self.c1.get_message(timeout=self.timeout)
# Check that the message is for you.
if message['channel'] == 'new_ip':
new_ip = message['data']
# Get what we know about this IP so far
ip_description = __database__.search_IP_in_IoC(new_ip)
if ip_description:
self.print(
'\tIs in our DB as malicious. Description {}'.
format(ip_description))
# Mark this IP as being malicious in the DB
ip_data = {}
ip_data['Malicious'] = ip_description
__database__.setInfoForIPs(new_ip, ip_data)
except KeyboardInterrupt:
return True
except Exception as inst:
self.print('Problem on the run()', 0, 1)
self.print(str(type(inst)), 0, 1)
self.print(str(inst.args), 0, 1)
self.print(str(inst), 0, 1)
self.print(traceback.format_exc())
return True
def set_maliciousIP_to_IPInfo(self, ip, ip_description):
'''
Set malicious IP in IPsInfo.
'''
ip_data = {}
# Maybe we should change the key to 'status' or something like that.
ip_data['threatintelligence'] = ip_description
__database__.setInfoForIPs(
ip, ip_data) # Set in the IP info that IP is blacklisted
def run(self):
try:
# Main loop function
# First load the malicious ips from the file to the DB
self.__load_malicious_ips()
while True:
message = self.c1.get_message(timeout=self.timeout)
# if timewindows are not updated for a long time (see at logsProcess.py), we will stop slips automatically.The 'stop_process' line is sent from logsProcess.py.
if message['data'] == 'stop_process':
return True
# Check that the message is for you.
elif message['channel'] == 'ip_Threat_Intelligence':
data = message['data']
try:
data = data.split('-')
thIn_signal = int(data[0])
new_ip = data[1]
profileid = data[2]
twid = data[3]
if not thIn_signal:
ip_description = __database__.search_IP_in_IoC(
new_ip)
if ip_description:
ip_data = {}
ip_data['Malicious'] = ip_description
__database__.setInfoForIPs(new_ip, ip_data)
self.print(
'\tIs in our DB as malicious. Description {}'
.format(ip_description))
self.add_maliciousIP(new_ip, profileid, twid)
self.set_evidence(new_ip, ip_description,
profileid, twid)
else:
ip_data = {}
ip_data['Malicious'] = "Not Malicious"
__database__.setInfoForIPs(new_ip, ip_data)
else:
ip_description = __database__.getIPData(
new_ip)['Malicious']
self.add_maliciousIP(new_ip, profileid, twid)
self.set_evidence(new_ip, ip_description,
profileid, twid)
except KeyError and AttributeError:
self.print('There is no such a key', data)
except KeyboardInterrupt:
return True
except Exception as inst:
self.print('Problem on the run()', 0, 1)
self.print(str(type(inst)), 0, 1)
self.print(str(inst.args), 0, 1)
self.print(str(inst), 0, 1)
self.print(traceback.format_exc())
return True
def set_TI_IP_detection(self, ip, ip_description, profileid, twid):
'''
Funciton to set malicious IPs in IPsInfo and other db keys.
:ip: detected IP
:ip_description: source file of detected IP
:profileid: profile where IP was detected
:twid: timewindow where IP was detected
'''
ip_data = {}
# Maybe we should change the key to 'status' or something like that.
ip_data['threatintelligence'] = ip_description
self.add_maliciousIP(ip, profileid, twid)
__database__.setInfoForIPs(ip, ip_data) # Set in the IP info that IP is blacklisted
def run(self):
try:
# Main loop function
while True:
message = self.c1.get_message(timeout=self.timeout)
# if timewindows are not updated for a long time, Slips is stopped automatically.
if message['data'] == 'stop_process':
return True
elif message['channel'] == 'new_ip':
ip = message['data']
# The first message comes with data=1
if type(ip) == str:
data = __database__.getIPData(ip)
ip_addr = ipaddress.ip_address(ip)
# Check that there is data in the DB, and that the data is not empty, and that our key is not there yet
if (not data or 'geocountry'
not in data) and not ip_addr.is_multicast:
geoinfo = self.reader.get(ip)
if geoinfo:
try:
countrydata = geoinfo['country']
countryname = countrydata['names']['en']
data = {}
data['geocountry'] = countryname
except KeyError:
data = {}
data['geocountry'] = 'Unknown'
elif ipaddress.ip_address(ip).is_private:
# Try to find if it is a local/private IP
data = {}
data['geocountry'] = 'Private'
else:
data = {}
data['geocountry'] = 'Unknown'
__database__.setInfoForIPs(ip, data)
except KeyboardInterrupt:
if self.reader:
self.reader.close()
return True
except Exception as inst:
if self.reader:
self.reader.close()
self.print('Problem on the run()', 0, 1)
self.print(str(type(inst)), 0, 1)
self.print(str(inst.args), 0, 1)
self.print(str(inst), 0, 1)
return True
def run(self):
try:
# Main loop function
while True:
message = self.c1.get_message(timeout=self.timeout)
# if timewindows are not updated for a long time (see at logsProcess.py), we will stop slips automatically.The 'stop_process' line is sent from logsProcess.py.
if message['data'] == 'stop_process':
return True
elif message['channel'] == 'new_ip':
# Not all the ips!! only the new one coming in the data
ip = message['data']
# The first message comes with data=1
if type(ip) == str:
data = __database__.getIPData(ip)
# If we alredy have the country for this ip, do not ask the file
if 'geocountry' not in data:
geoinfo = self.reader.get(ip)
if geoinfo:
try:
countrydata = geoinfo['country']
countryname = countrydata['names']['en']
data = {}
data['geocountry'] = countryname
except KeyError:
data = {}
data['geocountry'] = 'Unknown'
elif ipaddress.ip_address(ip).is_private:
# Try to find if it is a local/private IP
data = {}
data['geocountry'] = 'Private'
else:
data = {}
data['geocountry'] = 'Unknown'
__database__.setInfoForIPs(ip, data)
except KeyboardInterrupt:
if self.reader:
self.reader.close()
return True
except Exception as inst:
if self.reader:
self.reader.close()
self.print('Problem on the run()', 0, 1)
self.print(str(type(inst)), 0, 1)
self.print(str(inst.args), 0, 1)
self.print(str(inst), 0, 1)
return True
def run(self):
try:
# Main loop function
while True:
message = self.c1.get_message(timeout=self.timeout)
# if timewindows are not updated for a long time (see at logsProcess.py), we will stop slips automatically.The 'stop_process' line is sent from logsProcess.py.
if message['data'] == 'stop_process':
return True
elif message['channel'] == 'new_ip':
# Not all the ips!! only the new one coming in the data
ip = message['data']
# The first message comes with data=1
if type(ip) == str:
data = __database__.getIPData(ip)
ip_addr = ipaddress.ip_address(ip)
# If we alredy have the country for this ip, do not ask the file
# Check that there is data in the DB, and that the data is not empty, and that our key is not there yet
if (
data or data == {}
) and 'asn' not in data and not ip_addr.is_multicast:
asninfo = self.reader.get(ip)
if asninfo:
try:
asnorg = asninfo[
'autonomous_system_organization']
data = {}
data['asn'] = asnorg
except KeyError:
data = {}
data['asn'] = 'Unknown'
else:
data = {}
data['asn'] = 'Unknown'
__database__.setInfoForIPs(ip, data)
except KeyboardInterrupt:
if self.reader:
self.reader.close()
return True
except Exception as inst:
if self.reader:
self.reader.close()
self.print('Problem on run()', 0, 1)
self.print(str(type(inst)), 0, 1)
self.print(str(inst.args), 0, 1)
self.print(str(inst), 0, 1)
return True
def run(self):
try:
# Main loop function
while True:
message = self.c1.get_message(timeout=self.timeout)
if message['channel'] == 'new_ip':
# Not all the ips!! only the new one coming in the data
ip = message['data']
# The first message comes with data=1
if type(ip) == str:
data = __database__.getIPData(ip)
# If we alredy have the country for this ip, do not ask the file
if 'asn' not in data:
asninfo = self.reader.get(ip)
if asninfo:
try:
asnorg = asninfo[
'autonomous_system_organization']
data = {}
data['asn'] = asnorg
except KeyError:
data = {}
data['asn'] = 'Unknown'
else:
data = {}
data['asn'] = 'Unknown'
__database__.setInfoForIPs(ip, data)
except KeyboardInterrupt:
if self.reader:
self.reader.close()
return True
except Exception as inst:
if self.reader:
self.reader.close()
self.print('Problem on run()', 0, 1)
self.print(str(type(inst)), 0, 1)
self.print(str(inst.args), 0, 1)
self.print(str(inst), 0, 1)
return True
def set_vt_data_in_IPInfo(self, ip, cached_data):
"""
Function to set VirusTotal data of the IP in the IPInfo.
It also sets asn data if it is unknown or does not exist.
It also set passive dns retrieved from VirusTotal.
"""
vt_scores, passive_dns, as_owner = self.get_ip_vt_data(ip)
vtdata = {
"URL": vt_scores[0],
"down_file": vt_scores[1],
"ref_file": vt_scores[2],
"com_file": vt_scores[3],
"timestamp": time.time()
}
data = {}
data["VirusTotal"] = vtdata
# Add asn if it is unknown or not in the IP info
if cached_data and ('asn' not in cached_data
or cached_data['asn'] == 'Unknown'):
data['asn'] = as_owner
__database__.setInfoForIPs(ip, data)
__database__.set_passive_dns(ip, passive_dns)
def run(self):
if self.key is None:
# We don't have a virustotal key
return
try:
# Main loop function
while True:
message_c1 = self.c1.get_message(timeout=self.timeout)
message_c2 = self.c2.get_message(timeout=self.timeout)
# if timewindows are not updated for a long time we will stop slips automatically.
if message_c1['data'] == 'stop_process' or message_c2['data'] == 'stop_process' :
return True
if message_c1['channel'] == 'new_flow' and message_c1["type"] == "message":
data = message_c1["data"]
if type(data) == str:
data = json.loads(data)
profileid = data['profileid']
twid = data['twid']
stime = data['stime']
flow = json.loads(data['flow']) # this is a dict {'uid':json flow data}
# there is only one pair key-value in the dictionary
for key, value in flow.items():
uid = key
flow_data = json.loads(value)
ip = flow_data['daddr']
#ip = data_flow_dict['saddr']
# The first message comes with data=1
data = __database__.getIPData(ip)
# If we already have the VT for this ip, do not ask VT
# Check that there is data in the DB, and that the data is not empty, and that our key is not there yet
if (data or data == {}) and 'VirusTotal' not in data:
vt_scores, passive_dns, as_owner = self.get_ip_vt_data(ip)
vtdata = {"URL": vt_scores[0],
"down_file": vt_scores[1],
"ref_file": vt_scores[2],
"com_file": vt_scores[3],
"timestamp": time.time()}
data = {}
data["VirusTotal"] = vtdata
# Add asn if it is unknown or not in the IP info
if 'asn' not in data or data['asn'] == 'Unknown':
data['asn'] = as_owner
__database__.setInfoForIPs(ip, data)
__database__.set_passive_dns(ip, passive_dns)
elif data and 'VirusTotal' in data:
# If VT is in data, check timestamp. Take time difference, if not valid, update vt scores.
if (time.time() - data["VirusTotal"]['timestamp']) > self.update_period:
vt_scores, passive_dns, _ = self.get_ip_vt_data(ip)
vtdata = {"URL": vt_scores[0],
"down_file": vt_scores[1],
"ref_file": vt_scores[2],
"com_file": vt_scores[3],
"timestamp": time.time()}
data = {}
data["VirusTotal"] = vtdata
__database__.setInfoForIPs(ip, data)
__database__.set_passive_dns(ip, passive_dns)
if message_c2['channel'] == 'new_dns_flow' and message_c2["type"] == "message":
data = message_c2["data"]
# The first message comes with data=1
if type(data) == str:
data = json.loads(data)
profileid = data['profileid']
twid = data['twid']
flow_data = json.loads(data['flow']) # this is a dict {'uid':json flow data}
domain = flow_data['query']
data = __database__.getDomainData(domain)
# If we already have the VT for this ip, do not ask VT
# Check that there is data in the DB, and that the data is not empty, and that our key is not there yet
if (data or data == {}) and 'VirusTotal' not in data:
vt_scores, as_owner = self.get_domain_vt_data(domain)
vtdata = {"URL": vt_scores[0],
"down_file": vt_scores[1],
"ref_file": vt_scores[2],
"com_file": vt_scores[3],
"timestamp": time.time()}
data = {}
data["VirusTotal"] = vtdata
# Add asn if it is unknown or not in the IP info
if 'asn' not in data or data['asn'] == 'Unknown':
data['asn'] = as_owner
__database__.setInfoForDomains(domain, data)
elif data and 'VirusTotal' in data:
# If VT is in data, check timestamp. Take time difference, if not valid, update vt scores.
if (time.time() - data["VirusTotal"]['timestamp']) > self.update_period:
vt_scores, _ = self.get_domain_vt_data(domain)
vtdata = {"URL": vt_scores[0],
"down_file": vt_scores[1],
"ref_file": vt_scores[2],
"com_file": vt_scores[3],
"timestamp": time.time()}
data = {}
data["VirusTotal"] = vtdata
__database__.setInfoForDomains(domain, data)
except KeyboardInterrupt:
return True
except Exception as inst:
self.print('Problem on the run()', 0, 1)
self.print(str(type(inst)), 0, 1)
self.print(str(inst.args), 0, 1)
self.print(str(inst), 0, 1)
return True
