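def vt_private_getallinfo(malitem):
    """Look up *malitem* on VirusTotal (API v2 ``file/report`` with ``allinfo=1``).

    Args:
        malitem: hash of a captured sample (the caller in this file passes an
            md5). It originates from honeypot traffic, i.e. attacker-influenced
            data; it is only ever sent as a URL parameter (``requests``
            percent-encodes it) and echoed back under ``"md5"``, never
            interpreted locally.

    Returns:
        ``{"md5", "basic", "scans", "network"}`` when VirusTotal knows the
        sample (``response_code == 1``); ``None`` otherwise, exactly as before,
        so callers must check for it. Every ``basic`` / ``scans`` value is a
        string (``'Failure'`` when the field is absent) to keep the output
        format the original produced.

    Raises:
        requests.RequestException: connection error, timeout, or a non-2xx
            reply (e.g. 403 bad key).
        ValueError: reply body is not JSON. NOTE(review): the v2 public API is
            believed to answer rate-limited calls with an empty 204 body, which
            surfaces here as ValueError — callers should treat it as "no
            verdict yet", not as a fatal error; confirm against VT docs.
    """
    apikey = functions.getconf('virustotal', 'APIKEY')
    params = {'apikey': apikey, 'resource': malitem, 'allinfo': 1}
    # Bounded wait: this runs from the honeypot's message handler and must not
    # hang the consumer forever if VirusTotal stalls (original had no timeout).
    response = requests.get('https://www.virustotal.com/vtapi/v2/file/report',
                            params=params, timeout=30)
    # HTTP-level failures carry an HTML/empty body; fail with the real status
    # instead of a vaguer JSON decode error further down.
    response.raise_for_status()
    reportobj = response.json()
    if reportobj.get('response_code') != 1:
        return None

    # The original serialized these fields to "k:v,k:v" and split them again,
    # which truncated any value containing ':' (every scan_date / first_seen
    # timestamp) or ',' (multi-part AV verdicts). Build the dicts directly;
    # values are still rendered through format() so the result stays all-strings.
    basic = dict((key, '{0}'.format(reportobj.get(key, 'Failure')))
                 for key in ['size', 'type', 'first_seen', 'scan_date',
                             'positives', 'total'])

    vendor_results = reportobj.get('scans', {})
    # 'TrendMicro' was listed twice in the original; duplicates collapse in a
    # dict anyway, so dropping it changes nothing in the output.
    scans = dict((av, '{0}'.format(vendor_results[av]['result']
                                   if av in vendor_results else 'Failure'))
                 for av in ['McAfee', 'Symantec', 'Norman', 'AntiVir', 'Kaspersky',
                            'TrendMicro', 'Microsoft', 'Avast', 'F-Secure'])

    # Sandbox network indicators exist only for samples VT has detonated;
    # tolerate a missing additional_info block instead of raising KeyError.
    network = {}
    behaviour = reportobj.get('additional_info', {}).get('behaviour-v1')
    if behaviour:
        network.update(behaviour.get('network', {}))

    return {
        "md5": malitem,
        "basic": basic,
        "scans": scans,
        "network": network,
    }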
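def on_message(identifier, channel, payload):
    """hpfeeds-style subscriber callback for the dionaea honeypot channels.

    Args:
        identifier: publisher id of the sensor, only echoed into the log line.
        channel: channel name. Only ``dionaea.capture`` and
            ``mwbinary.dionaea.sensorunique`` are handled; anything else is
            ignored silently.
        payload: raw message body. For ``dionaea.capture`` a JSON document
            with ``url``, ``daddr``, ``saddr``, ``dport``, ``sport``, ``md5``
            and ``sha512``; for ``mwbinary.dionaea.sensorunique`` the captured
            binary itself.

    Returns:
        None. Side effects: logs the capture, enriches it through VirusTotal
        and ``functions.geohostname``, pushes the record to the collector on
        ``localhost:8888``, and writes captured binaries into ``OUTDIR``
        (write failures are appended to ``OUTFILE``).

    Trust boundary: everything in ``payload`` is attacker-influenced (the URL
    the attacker pointed the honeypot at, the binary it served). It is treated
    as opaque data — logged and forwarded, never executed, and never used to
    build a file path (the binary's file name is its own md5).
    """
    try:
        decoded = json.loads(str(payload))
    except ValueError:
        # Binary payloads (mwbinary channel) are not JSON; keep the raw bytes.
        # Narrowed from a bare `except:` so genuine bugs are no longer hidden.
        decoded = {'raw': payload}

    if channel == 'dionaea.capture':
        fields = ['url', 'daddr', 'saddr', 'dport', 'sport', 'md5', 'sha512']
        missing = [name for name in fields if name not in decoded]
        if missing:
            # A capture that failed to parse (or lacks a field) previously
            # died with KeyError inside the callback; drop it with a log line.
            log.warning('DROP channel = %s, identifier = %s, missing fields: %s',
                        channel, identifier, ', '.join(missing))
            return
        csv = ', '.join(['{0} = {1}'.format(name, decoded[name]) for name in fields])
        # NOTE(review): decoded['url'] is attacker-chosen and goes into the log
        # verbatim; an embedded newline could forge log lines. Consider %r or
        # control-character stripping if this log feeds an alerting pipeline.
        log.info('PUBLISH channel = %s, identifier = %s, %s', channel, identifier, csv)

        occurrence = datetime.datetime.now().isoformat()
        event = {'saddr': decoded['saddr'], 'sport': decoded['sport'],
                 'daddr': decoded['daddr'], 'dport': decoded['dport']}

        # Parse the attacker-supplied URL once instead of six separate times.
        parsed = urlparse(decoded['url'])

        apikey = functions.getconf('virustotal', 'APIKEY')
        vtresult = functions.vt_getreport(decoded['md5'], apikey)
        md5list = {'md5': decoded['md5'],
                   'malurl': decoded['url'],
                   'malhostname': parsed.hostname,
                   'malscheme': parsed.scheme,
                   'vtresult': vtresult}
        # NOTE(review): geohostname takes an attacker-chosen host name;
        # presumably it resolves it (DNS/GeoIP), which can be slow and
        # signals to the attacker's resolver that we looked — verify in
        # functions.py and consider a timeout or an offline GeoIP database.
        geoinfo = functions.geohostname(parsed.hostname)
        hostnamelist = {'hostname': parsed.hostname,
                        'underpath': [parsed.path],
                        'scheme': parsed.scheme,
                        'geoinfo': geoinfo}
        sd = {
            "occurrence": occurrence,
            "startURL": decoded['url'],
            "event": event,
            "md5List": md5list,
            "hostnameList": hostnamelist,
        }
        functions.jsonsend("localhost", 8888, json.dumps(sd))
        return

    if channel == 'mwbinary.dionaea.sensorunique':
        # The file name is the md5 of the content, so the attacker cannot steer
        # the path (no traversal); identical samples simply overwrite each other.
        md5sum = hashlib.md5(payload).hexdigest()
        fpath = os.path.join(OUTDIR, md5sum)
        try:
            with open(fpath, 'wb') as fd:
                fd.write(payload)
        except (IOError, OSError) as exc:
            # Best-effort error record. The original used a bare `except:`,
            # never closed this handle, and dropped the errno; the message
            # now ends with the exception text.
            with open(OUTFILE, 'a') as outfd:
                outfd.write('{0} ERROR could not write to {1}: {2}\n'.format(
                    datetime.datetime.now().ctime(), fpath, exc))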