Esempio n. 1
0
    pp = pprint.PrettyPrinter(indent=4)
    
    #creating observable index
    obs_index={'A':{'medium':[],'high':[]},'Address - ipv4-addr':{'medium':[],'high':[]},'md5':{'medium':[],'high':[]},'email':{'medium':[],'high':[]},'userid':{'medium':[],'high':[]}}

    syslog.syslog(syslog.LOG_INFO,'nyx: Distributing a list of IP adresses')
    for ip in list_ips(settings['crits']): #json.load(open('ips.json','rb')):
        try:
            if 'bro' in settings.keys():
                alert_bro(ip,settings['bro'])
            confidence=get_intel_confidence(ip)
            if ip['ip']:
		obs_index['Address - ipv4-addr'][confidence].append(ip['ip'])
            if confidence=="medium":
                if 'qradar' in settings.keys():
                    qradar(ip, settings['qradar'],'medium_reference_sets')
                    # not adding the medium IPs to palo alto, as we have varying sets of limitations for the addresses and address groups.
            elif confidence=="high":
                if 'qradar' in settings.keys():
                    qradar(ip, settings['qradar'],'high_reference_sets')
                if 'palo_alto' in settings.keys():
                    palo_alto(ip,settings['palo_alto'],'ip_block_list')
        except:
            syslog.syslog(syslog.LOG_ERR,'nyx: encountered problems adding the ip indicator: %s' % str(ip))

    syslog.syslog(syslog.LOG_INFO,'nyx: Distributing a list of domains')
    for domain in list_fqdns(settings['crits']):#json.load(open('domains.json','rb')):
        try:
            if 'bro' in settings.keys():
                alert_bro(domain,settings['bro'])
            confidence=get_intel_confidence(domain)
Esempio n. 2
0
    if "qradar" in settings.keys():
        validate_qradar(settings["qradar"])

    if "soltra" in settings.keys():
        intel["medium"] = soltra.poll_feed(settings["soltra"], "medium")
        intel["high"] = soltra.poll_feed(settings["soltra"], "high")

    for csi, ivalues in intel.iteritems():
        for ip in ivalues["AddressObjectType"]:
            # creating crits-like objects
            observable = {"type": "Address - ipv4-addr", "source": [{"name": "Soltra-" + csi}], "ip": ip["value"]}
            obs_index["Address - ipv4-addr"][csi].append(ip["value"])
            if "bro" in settings.keys():
                alert_bro(observable, settings["bro"])
            if "qradar" in settings.keys():
                qradar(observable, settings["qradar"], csi + "_reference_sets")
            if "palo_alto" in settings.keys() and csi == "high":
                palo_alto(observable, settings["palo_alto"], "ip_block_list")
            if "moloch" in settings.keys():
                alert_wise(observable, settings["moloch"], csi)
        for domain in ivalues["DomainNameObjectType"]:
            observable = {"type": "A", "source": [{"name": "Soltra-" + csi}], "domain": domain["value"]}
            obs_index["A"][csi].append(domain["value"])
            if "bro" in settings.keys():
                alert_bro(observable, settings["bro"])
            if "qradar" in settings.keys():
                qradar(observable, settings["qradar"], csi + "_reference_sets")
            if "palo_alto" in settings.keys() and csi == "high":
                palo_alto(observable, settings["palo_alto"], "url_block_list")
            if "moloch" in settings.keys():
                alert_wise(observable, settings["moloch"], csi)