pp = pprint.PrettyPrinter(indent=4)
#creating observable index
obs_index={'A':{'medium':[],'high':[]},'Address - ipv4-addr':{'medium':[],'high':[]},'md5':{'medium':[],'high':[]},'email':{'medium':[],'high':[]},'userid':{'medium':[],'high':[]}}
syslog.syslog(syslog.LOG_INFO,'nyx: Distributing a list of IP adresses')
for ip in list_ips(settings['crits']): #json.load(open('ips.json','rb')):
try:
if 'bro' in settings.keys():
alert_bro(ip,settings['bro'])
confidence=get_intel_confidence(ip)
if ip['ip']:
obs_index['Address - ipv4-addr'][confidence].append(ip['ip'])
if confidence=="medium":
if 'qradar' in settings.keys():
qradar(ip, settings['qradar'],'medium_reference_sets')
# not adding the medium IPs to palo alto, as we have varying sets of limitations for the addresses and address groups.
elif confidence=="high":
if 'qradar' in settings.keys():
qradar(ip, settings['qradar'],'high_reference_sets')
if 'palo_alto' in settings.keys():
palo_alto(ip,settings['palo_alto'],'ip_block_list')
except:
syslog.syslog(syslog.LOG_ERR,'nyx: encountered problems adding the ip indicator: %s' % str(ip))
syslog.syslog(syslog.LOG_INFO,'nyx: Distributing a list of domains')
for domain in list_fqdns(settings['crits']):#json.load(open('domains.json','rb')):
try:
if 'bro' in settings.keys():
alert_bro(domain,settings['bro'])
confidence=get_intel_confidence(domain)
if "qradar" in settings.keys():
validate_qradar(settings["qradar"])
if "soltra" in settings.keys():
intel["medium"] = soltra.poll_feed(settings["soltra"], "medium")
intel["high"] = soltra.poll_feed(settings["soltra"], "high")
for csi, ivalues in intel.iteritems():
for ip in ivalues["AddressObjectType"]:
# creating crits-like objects
observable = {"type": "Address - ipv4-addr", "source": [{"name": "Soltra-" + csi}], "ip": ip["value"]}
obs_index["Address - ipv4-addr"][csi].append(ip["value"])
if "bro" in settings.keys():
alert_bro(observable, settings["bro"])
if "qradar" in settings.keys():
qradar(observable, settings["qradar"], csi + "_reference_sets")
if "palo_alto" in settings.keys() and csi == "high":
palo_alto(observable, settings["palo_alto"], "ip_block_list")
if "moloch" in settings.keys():
alert_wise(observable, settings["moloch"], csi)
for domain in ivalues["DomainNameObjectType"]:
observable = {"type": "A", "source": [{"name": "Soltra-" + csi}], "domain": domain["value"]}
obs_index["A"][csi].append(domain["value"])
if "bro" in settings.keys():
alert_bro(observable, settings["bro"])
if "qradar" in settings.keys():
qradar(observable, settings["qradar"], csi + "_reference_sets")
if "palo_alto" in settings.keys() and csi == "high":
palo_alto(observable, settings["palo_alto"], "url_block_list")
if "moloch" in settings.keys():
alert_wise(observable, settings["moloch"], csi)