def subscribe_watchlist(cb, parser, args):
    """Create and save a Watchlist that subscribes to an existing Feed.

    The feed named by ``args.feed_id`` is looked up with ``cb.select`` first;
    if that raises ``ObjectNotFoundError`` an error is printed and the process
    exits with status 1. The watchlist is then built from ``args`` (name,
    description, tags/alerts flags, both timestamps), starts with no report
    ids, and carries a ``feed_id`` classifier pointing at the verified feed.

    ``parser`` is accepted for signature parity with the other subcommand
    handlers and is not used here.
    """
    feed_id = args.feed_id
    try:
        cb.select(Feed, feed_id)
    except ObjectNotFoundError:
        eprint("Nonexistent or private feed: {}".format(feed_id))
        sys.exit(1)

    new_watchlist = cb.create(
        Watchlist,
        {
            "name": args.watchlist_name,
            "description": args.description,
            "tags_enabled": args.tags,
            "alerts_enabled": args.alerts,
            "create_timestamp": args.timestamp,
            "last_update_timestamp": args.last_update,
            "report_ids": [],
            # Ties the watchlist to the feed whose existence was checked above.
            "classifier": {"key": "feed_id", "value": feed_id},
        },
    )
    new_watchlist.save()
def subscribe_watchlist(cb, parser, args):
    """Subscribe to a Feed by creating a Watchlist classified on its id.

    ``cb.select(Feed, args.feed_id)`` must succeed; an ``ObjectNotFoundError``
    is turned into a stderr message and ``sys.exit(1)``. The new Watchlist
    takes its name, description, tags/alerts flags and both timestamps from
    ``args``, has an empty ``report_ids`` list, and is saved immediately.

    ``parser`` is unused; it is part of the common handler signature.
    """
    try:
        cb.select(Feed, args.feed_id)
    except ObjectNotFoundError:
        eprint("Nonexistent or private feed: {}".format(args.feed_id))
        sys.exit(1)

    fields = {
        "name": args.watchlist_name,
        "description": args.description,
        "tags_enabled": args.tags,
        "alerts_enabled": args.alerts,
        "create_timestamp": args.timestamp,
        "last_update_timestamp": args.last_update,
        "report_ids": [],
    }
    # The classifier is what links this watchlist to the feed checked above.
    fields["classifier"] = {"key": "feed_id", "value": args.feed_id}

    cb.create(Watchlist, fields).save()
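def replace_report(cb, parser, args):
    """Replace an existing feed report with a JSON document read from stdin.

    The feed is resolved by ``get_feed`` from ``args.id`` / ``args.feedname``.
    The stdin document must be a JSON object whose ``"id"`` matches one of
    ``feed.reports``; every key of that object is then passed unchanged to
    ``update()`` on the matching report. Malformed JSON, a non-object
    document, a missing ``"id"`` or an unknown report id are reported on
    stderr and the process exits with status 1.

    ``parser`` is unused; it is part of the common handler signature.
    """
    feed = get_feed(cb, feed_id=args.id, feed_name=args.feedname)

    # stdin is external input: a decode error or a document that is not an
    # object with an "id" used to surface as a traceback (ValueError / KeyError
    # / TypeError); report it the same way the other handlers report errors.
    try:
        imported = json.loads(sys.stdin.read())
    except ValueError as err:  # json.JSONDecodeError is a ValueError subclass
        eprint("Invalid JSON on stdin: {}".format(err))
        sys.exit(1)

    if not isinstance(imported, dict) or "id" not in imported:
        eprint("Report JSON must be an object with an 'id' field")
        sys.exit(1)

    reports = feed.reports
    existing_report = next((report for report in reports if imported["id"] == report.id), None)

    if not existing_report:
        eprint("No existing report to replace")
        sys.exit(1)

    # NOTE(review): every key of the stdin object is forwarded verbatim to
    # update(); nothing here restricts which report fields may be overwritten.
    existing_report.update(**imported)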
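def replace_report(cb, parser, args):
    """Replace an existing feed report with a JSON document read from stdin.

    The feed is resolved by ``get_feed`` from ``args.id`` / ``args.feedname``.
    The stdin document must be a JSON object whose ``"id"`` matches one of
    ``feed.reports``; every key of that object is then passed unchanged to
    ``update()`` on the matching report. Malformed JSON, a non-object
    document, a missing ``"id"`` or an unknown report id are reported on
    stderr and the process exits with status 1.

    ``parser`` is unused; it is part of the common handler signature.
    """
    feed = get_feed(cb, feed_id=args.id, feed_name=args.feedname)

    # stdin is external input: a decode error or a document that is not an
    # object with an "id" used to surface as a traceback (ValueError / KeyError
    # / TypeError); report it the same way the other handlers report errors.
    try:
        imported = json.loads(sys.stdin.read())
    except ValueError as err:  # json.JSONDecodeError is a ValueError subclass
        eprint("Invalid JSON on stdin: {}".format(err))
        sys.exit(1)

    if not isinstance(imported, dict) or "id" not in imported:
        eprint("Report JSON must be an object with an 'id' field")
        sys.exit(1)

    reports = feed.reports
    existing_report = next(
        (report for report in reports if imported["id"] == report.id), None)

    if not existing_report:
        eprint("No existing report to replace")
        sys.exit(1)

    # NOTE(review): every key of the stdin object is forwarded verbatim to
    # update(); nothing here restricts which report fields may be overwritten.
    existing_report.update(**imported)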
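def import_report(cb, parser, args):
    """Append a new report, read as JSON from stdin, to a feed.

    The feed is resolved by ``get_feed`` from ``args.id`` / ``args.feedname``.
    The stdin document must be a JSON object with an ``"id"``; if a report
    with that id already exists in ``feed.reports`` the user is told to use
    ``replace-report`` instead. Otherwise the object is passed unchanged to
    ``cb.create(Report, ...)`` and appended to the feed. Malformed JSON, a
    non-object document or a missing ``"id"`` are reported on stderr and the
    process exits with status 1.

    ``parser`` is unused; it is part of the common handler signature.
    """
    feed = get_feed(cb, feed_id=args.id, feed_name=args.feedname)

    # stdin is external input: reject anything that is not a JSON object with
    # an "id" before touching the feed, instead of dying with a traceback.
    try:
        imp_dict = json.loads(sys.stdin.read())
    except ValueError as err:  # json.JSONDecodeError is a ValueError subclass
        eprint("Invalid JSON on stdin: {}".format(err))
        sys.exit(1)

    if not isinstance(imp_dict, dict) or "id" not in imp_dict:
        eprint("Report JSON must be an object with an 'id' field")
        sys.exit(1)

    reports = feed.reports
    existing_report = next((report for report in reports if imp_dict["id"] == report.id), None)

    if existing_report:
        eprint("Report already exists; use replace-report.")
        sys.exit(1)

    # The remaining fields are not validated here; cb.create(Report, ...) is
    # handed the stdin object as-is.
    imp_report = cb.create(Report, imp_dict)
    feed.append_reports([imp_report])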
def get_report(feed, report_id=None, report_name=None):
    """Return exactly one report from ``feed.reports``.

    Selection is by ``report_id`` (compared with ``report.id``) when it is
    truthy, otherwise by ``report_name`` (compared with ``report.title``).
    No match, or more than one match, prints a message naming the selector
    to stderr and exits with status 1.

    Raises:
        ValueError: neither ``report_id`` nor ``report_name`` was supplied.
    """
    if report_id:
        selector, wanted = "with ID", report_id
        candidates = [r for r in feed.reports if r.id == report_id]
    elif report_name:
        selector, wanted = "named", report_name
        candidates = [r for r in feed.reports if r.title == report_name]
    else:
        raise ValueError("expected either report_id or report_name")

    # Both selectors share the same zero/ambiguous handling; only the wording
    # of the message differs.
    if not candidates:
        eprint("No reports {} '{}'".format(selector, wanted))
        sys.exit(1)
    if len(candidates) > 1:
        eprint("More than one report {} '{}'".format(selector, wanted))
        sys.exit(1)

    return candidates[0]
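def import_report(cb, parser, args):
    """Append a new report, read as JSON from stdin, to a feed.

    The feed is resolved by ``get_feed`` from ``args.id`` / ``args.feedname``.
    The stdin document must be a JSON object with an ``"id"``; if a report
    with that id already exists in ``feed.reports`` the user is told to use
    ``replace-report`` instead. Otherwise the object is passed unchanged to
    ``cb.create(Report, ...)`` and appended to the feed. Malformed JSON, a
    non-object document or a missing ``"id"`` are reported on stderr and the
    process exits with status 1.

    ``parser`` is unused; it is part of the common handler signature.
    """
    feed = get_feed(cb, feed_id=args.id, feed_name=args.feedname)

    # stdin is external input: reject anything that is not a JSON object with
    # an "id" before touching the feed, instead of dying with a traceback.
    try:
        imp_dict = json.loads(sys.stdin.read())
    except ValueError as err:  # json.JSONDecodeError is a ValueError subclass
        eprint("Invalid JSON on stdin: {}".format(err))
        sys.exit(1)

    if not isinstance(imp_dict, dict) or "id" not in imp_dict:
        eprint("Report JSON must be an object with an 'id' field")
        sys.exit(1)

    reports = feed.reports
    existing_report = next(
        (report for report in reports if imp_dict["id"] == report.id), None)

    if existing_report:
        eprint("Report already exists; use replace-report.")
        sys.exit(1)

    # The remaining fields are not validated here; cb.create(Report, ...) is
    # handed the stdin object as-is.
    imp_report = cb.create(Report, imp_dict)
    feed.append_reports([imp_report])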
def list_feeds(cb, parser, args):
    """Print feeds and, on request, their reports and each report's IOCs.

    ``--iocs`` is only meaningful together with ``--reports``; asking for IOCs
    without reports prints an error and exits with status 1. Feeds come from
    ``cb.select(Feed).where(include_public=args.public)``; every feed, report
    and IOC (``report.iocs_``) is written with ``print``.

    ``parser`` is unused; it is part of the common handler signature.
    """
    want_iocs = args.iocs
    if want_iocs and not args.reports:
        eprint("--iocs specified without --reports")
        sys.exit(1)

    for feed in cb.select(Feed).where(include_public=args.public):
        print(feed)
        if not args.reports:
            continue
        for report in feed.reports:
            print(report)
            if not want_iocs:
                continue
            for ioc in report.iocs_:
                print(ioc)
def list_feeds(cb, parser, args):
    """Print feeds and, on request, their reports and each report's IOCs.

    ``--iocs`` is only meaningful together with ``--reports``; asking for IOCs
    without reports prints an error and exits with status 1. Feeds come from
    ``cb.select(Feed).where(include_public=args.public)``; every feed, report
    and IOC (``report.iocs_``) is written with ``print``.

    ``parser`` is unused; it is part of the common handler signature.
    """
    if args.iocs and not args.reports:
        eprint("--iocs specified without --reports")
        sys.exit(1)

    def show_report(report):
        print(report)
        if args.iocs:
            for ioc in report.iocs_:
                print(ioc)

    for feed in cb.select(Feed).where(include_public=args.public):
        print(feed)
        if args.reports:
            for report in feed.reports:
                show_report(report)
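def get_watchlist(cb, watchlist_id=None, watchlist_name=None):
    """Resolve a Watchlist by id or, failing that, by exact name.

    Args:
        cb: API client; both paths go through ``cb.select(Watchlist, ...)``.
        watchlist_id: when truthy, the watchlist is fetched directly by id.
        watchlist_name: otherwise, all watchlists are listed and the one whose
            ``name`` equals this value is returned.

    Returns:
        The single matching Watchlist.

    Raises:
        ValueError: neither selector was supplied.

    An unknown id, a name with no match, or a name matching several
    watchlists is reported on stderr and the process exits with status 1.
    """
    if watchlist_id:
        # The by-name path below exits cleanly, but an unknown id used to
        # escape as an ObjectNotFoundError traceback. Handle it the way
        # subscribe_watchlist does (which relies on select raising eagerly).
        try:
            return cb.select(Watchlist, watchlist_id)
        except ObjectNotFoundError:
            eprint("No watchlist with ID {}".format(watchlist_id))
            sys.exit(1)

    if not watchlist_name:
        raise ValueError("expected either watchlist_id or watchlist_name")

    matches = [wl for wl in cb.select(Watchlist) if wl.name == watchlist_name]

    if not matches:
        eprint("No watchlist named {}".format(watchlist_name))
        sys.exit(1)
    if len(matches) > 1:
        # Was "More than one feed named ..." - this lookup is over watchlists.
        eprint("More than one watchlist named {}, not continuing".format(watchlist_name))
        sys.exit(1)

    return matches[0]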
def get_report(watchlist, report_id=None, report_name=None):
    """Return exactly one report from ``watchlist.reports``.

    A truthy ``report_id`` is matched against ``report.id``; otherwise
    ``report_name`` is matched against ``report.title``. Zero matches or more
    than one match prints a generic message to stderr and exits with status 1.

    Raises:
        ValueError: neither ``report_id`` nor ``report_name`` was supplied.
    """
    if report_id:
        attribute, wanted = "id", report_id
    elif report_name:
        attribute, wanted = "title", report_name
    else:
        raise ValueError("expected either report_id or report_name")

    found = [r for r in watchlist.reports if getattr(r, attribute) == wanted]

    if len(found) == 0:
        eprint("No matching reports found.")
        sys.exit(1)
    if len(found) > 1:
        eprint("More than one matching report found.")
        sys.exit(1)

    return found[0]
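def get_feed(cb, feed_id=None, feed_name=None):
    """Resolve a Feed by id or, failing that, by exact name.

    Args:
        cb: API client; both paths go through ``cb.select(Feed, ...)``.
        feed_id: when truthy, the feed is fetched directly by id.
        feed_name: otherwise, all feeds are listed and the one whose ``name``
            equals this value is returned.

    Returns:
        The single matching Feed.

    Raises:
        ValueError: neither selector was supplied.

    An unknown id, a name with no match, or a name matching several feeds is
    reported on stderr and the process exits with status 1.
    """
    if feed_id:
        # The by-name path below exits cleanly, but an unknown id used to
        # escape as an ObjectNotFoundError traceback. Handle it the way
        # subscribe_watchlist does (which relies on select raising eagerly).
        try:
            return cb.select(Feed, feed_id)
        except ObjectNotFoundError:
            eprint("Nonexistent or private feed: {}".format(feed_id))
            sys.exit(1)

    if not feed_name:
        raise ValueError("expected either feed_id or feed_name")

    matches = [feed for feed in cb.select(Feed) if feed.name == feed_name]

    if not matches:
        eprint("No feeds named '{}'".format(feed_name))
        sys.exit(1)
    if len(matches) > 1:
        eprint("More than one feed named '{}'".format(feed_name))
        sys.exit(1)

    return matches[0]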
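def get_feed(cb, feed_id=None, feed_name=None):
    """Resolve a Feed by id or, failing that, by exact name.

    Args:
        cb: API client; both paths go through ``cb.select(Feed, ...)``.
        feed_id: when truthy, the feed is fetched directly by id.
        feed_name: otherwise, all feeds are listed and the one whose ``name``
            equals this value is returned.

    Returns:
        The single matching Feed.

    Raises:
        ValueError: neither selector was supplied.

    An unknown id, a name with no match, or a name matching several feeds is
    reported on stderr and the process exits with status 1.
    """
    if feed_id:
        # The by-name path below exits cleanly, but an unknown id used to
        # escape as an ObjectNotFoundError traceback. Handle it the way
        # subscribe_watchlist does (which relies on select raising eagerly).
        try:
            return cb.select(Feed, feed_id)
        except ObjectNotFoundError:
            eprint("Nonexistent or private feed: {}".format(feed_id))
            sys.exit(1)

    if not feed_name:
        raise ValueError("expected either feed_id or feed_name")

    matches = [feed for feed in cb.select(Feed) if feed.name == feed_name]

    if not matches:
        eprint("No feeds named '{}'".format(feed_name))
        sys.exit(1)
    if len(matches) > 1:
        eprint("More than one feed named '{}'".format(feed_name))
        sys.exit(1)

    return matches[0]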
def alter_ioc(cb, parser, args):
    """Enable or disable one IOC inside a watchlist report.

    The watchlist (``args.watchlist_id``) and report (``args.report_id``) are
    resolved by id only, via ``get_watchlist`` and ``get_report``. The IOC
    whose ``id`` equals ``args.ioc_id`` is then toggled: ``args.activate``
    calls ``unignore()``, otherwise ``args.deactivate`` calls ``ignore()``;
    with neither flag set nothing is changed (presumably argparse enforces
    one of them - not checked here). Zero or multiple IOC matches print an
    error and exit with status 1.

    ``parser`` is unused; it is part of the common handler signature.
    """
    report = get_report(
        get_watchlist(cb, watchlist_id=args.watchlist_id),
        report_id=args.report_id,
    )

    candidates = [entry for entry in report.iocs_ if entry.id == args.ioc_id]

    if len(candidates) != 1:
        problem = "No" if not candidates else "More than one"
        eprint("{} IOC with ID {} found.".format(problem, args.ioc_id))
        sys.exit(1)

    (target,) = candidates
    if args.activate:
        target.unignore()
    elif args.deactivate:
        target.ignore()
def alter_ioc(cb, parser, args):
    """Enable or disable one IOC inside a watchlist report.

    The watchlist (``args.watchlist_id``) and report (``args.report_id``) are
    resolved by id only, via ``get_watchlist`` and ``get_report``. The IOC
    whose ``id`` equals ``args.ioc_id`` is then toggled: ``args.activate``
    calls ``unignore()``, otherwise ``args.deactivate`` calls ``ignore()``;
    with neither flag set nothing is changed (presumably argparse enforces
    one of them - not checked here). Zero or multiple IOC matches print an
    error and exit with status 1.

    ``parser`` is unused; it is part of the common handler signature.
    """
    watchlist = get_watchlist(cb, watchlist_id=args.watchlist_id)
    report = get_report(watchlist, report_id=args.report_id)

    ioc_id = args.ioc_id
    matching = list(filter(lambda entry: entry.id == ioc_id, report.iocs_))

    if not matching:
        eprint("No IOC with ID {} found.".format(ioc_id))
        sys.exit(1)
    if len(matching) > 1:
        eprint("More than one IOC with ID {} found.".format(ioc_id))
        sys.exit(1)

    target = matching[0]
    if args.activate:
        target.unignore()
    elif args.deactivate:
        target.ignore()
def get_report_feed(watchlist, report_id=None, report_name=None):
    """Return exactly one report from the feed behind a watchlist.

    Searches ``watchlist.feed.reports``: a truthy ``report_id`` is matched
    against ``report.id``, otherwise ``report_name`` against ``report.title``.
    Zero matches or more than one match prints a generic message to stderr
    and exits with status 1.

    Raises:
        ValueError: neither ``report_id`` nor ``report_name`` was supplied.
    """
    available = watchlist.feed.reports

    if report_id:
        def matches(report):
            return report.id == report_id
    elif report_name:
        def matches(report):
            return report.title == report_name
    else:
        raise ValueError("expected either report_id or report_name")

    found = list(filter(matches, available))

    if not found:
        eprint("No matching reports found.")
        sys.exit(1)
    if len(found) > 1:
        eprint("More than one matching report found.")
        sys.exit(1)

    return found[0]
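def get_watchlist(cb, watchlist_id=None, watchlist_name=None):
    """Resolve a Watchlist by id or, failing that, by exact name.

    Args:
        cb: API client; both paths go through ``cb.select(Watchlist, ...)``.
        watchlist_id: when truthy, the watchlist is fetched directly by id.
        watchlist_name: otherwise, all watchlists are listed and the one whose
            ``name`` equals this value is returned.

    Returns:
        The single matching Watchlist.

    Raises:
        ValueError: neither selector was supplied.

    An unknown id, a name with no match, or a name matching several
    watchlists is reported on stderr and the process exits with status 1.
    """
    if watchlist_id:
        # The by-name path below exits cleanly, but an unknown id used to
        # escape as an ObjectNotFoundError traceback. Handle it the way
        # subscribe_watchlist does (which relies on select raising eagerly).
        try:
            return cb.select(Watchlist, watchlist_id)
        except ObjectNotFoundError:
            eprint("No watchlist with ID {}".format(watchlist_id))
            sys.exit(1)

    if not watchlist_name:
        raise ValueError("expected either watchlist_id or watchlist_name")

    matches = [
        wl for wl in cb.select(Watchlist)
        if wl.name == watchlist_name
    ]

    if not matches:
        eprint("No watchlist named {}".format(watchlist_name))
        sys.exit(1)
    if len(matches) > 1:
        # Was "More than one feed named ..." - this lookup is over watchlists.
        eprint("More than one watchlist named {}, not continuing".format(
            watchlist_name))
        sys.exit(1)

    return matches[0]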
def get_report(feed, report_id=None, report_name=None):
    """Return exactly one report from ``feed.reports``.

    Selection is by ``report_id`` (compared with ``report.id``) when it is
    truthy, otherwise by ``report_name`` (compared with ``report.title``).
    No match, or more than one match, prints a message naming the selector
    to stderr and exits with status 1.

    Raises:
        ValueError: neither ``report_id`` nor ``report_name`` was supplied.
    """
    if report_id:
        candidates = [r for r in feed.reports if r.id == report_id]
        selector, wanted = "with ID", report_id
    elif report_name:
        candidates = [r for r in feed.reports if r.title == report_name]
        selector, wanted = "named", report_name
    else:
        raise ValueError("expected either report_id or report_name")

    # Shared zero/ambiguous handling; only the message wording differs.
    if not candidates:
        eprint("No reports {} '{}'".format(selector, wanted))
        sys.exit(1)
    if len(candidates) > 1:
        eprint("More than one report {} '{}'".format(selector, wanted))
        sys.exit(1)

    return candidates[0]