def parseargs() -> argparse.ArgumentParser: """Parse arguments""" parser = worker.parseargs("ARGUS Case enrichment") parser.add_argument( "--argus-baseurl", dest="argus_baseurl", default="https://api.mnemonic.no/", help="Argus API host", ) parser.add_argument( "--argus-timeout", dest="timeout", type=int, default=300, help="Timeout" ) parser.add_argument( "--content-props", default="file.sha256,process.sha256", help="Comma separated list of properties that represents a content object", ) parser.add_argument( "--hash-props", default="file.md5,process.md5,file.sha1,process.sha1,file.sha512,process.sha512", help="Comma separated list of properties that represents a hash", ) parser.add_argument( "--last-update", type=int, help="Last updated timestamp (epoc, seconds). Default - use now-1w first time, and start on last retrieved event at next run.", ) parser.add_argument("--argus-apikey", dest="argus_apikey", help="Argus API key") parser.add_argument( "--organization-from-argus", action="store_true", help="Apply organization from argus event", ) return parser
def parseargs() -> argparse.ArgumentParser: """Extract command lines argument""" parser = worker.parseargs('ACT Fact Chain Helper') parser.add_argument('--start', type=fact_type_value, help='Start type/value (i.e. threatActor/apt21)') parser.add_argument('--end', type=fact_type_value, help='End type/value (i.e. tool/zeus)') parser.add_argument('--avoid', type=worker_config.string_list, default=[], help='List of fact- or object- types to avoid') parser.add_argument('--include', type=worker_config.string_list, default=[], help='List of fact- or object- types to include') parser.add_argument('--fact-type-definition', type=str, default=types.etc_file('fact-types.json'), help='fact definition file. default="fact-types.json"') parser.add_argument( '--avoid-cost', type=int, default=3, help= 'multiplier used to increase cost of avoided objects or facts. Default=3' ) return parser
def parseargs() -> argparse.ArgumentParser: """ Parse arguments """ parser = worker.parseargs('ARGUS Case enrichment') parser.add_argument('--argus-baseurl', dest='argus_baseurl', default="https://api.mnemonic.no/", help="Argus API host") parser.add_argument('--argus-timeout', dest='timeout', type=int, default=300, help="Timeout") parser.add_argument( '--content-props', default="file.sha256,process.sha256", help= "Comma separated list of properties that represents a content object") parser.add_argument( '--hash-props', default= "file.md5,process.md5,file.sha1,process.sha1,file.sha512,process.sha512", help="Comma separated list of properties that represents a hash") parser.add_argument( '--last-update', type=int, help= "Last updated timestamp (epoc, seconds). Default - use now-1w first time, and start on last retrieved event at next run." ) parser.add_argument('--argus-apikey', dest='argus_apikey', help="Argus API key") return parser
def parseargs() -> argparse.ArgumentParser: """ Parse arguments """ parser = worker.parseargs('Mitre ATT&CK worker') parser.add_argument( '--smtphost', dest='smtphost', help="SMTP host used to send revoked/deprecated objects") parser.add_argument( '--sender', dest='sender', help="Sender address used to send revoked/deprecated objects") parser.add_argument( '--recipient', dest='recipient', help="Recipient address used to send revoked/deprecated objects") parser.add_argument( '--type', choices=list(MITRE_URLS.keys()), help= 'Specify a single type to download (enterprise, mobile or pre). Default is to fetch all' ) parser.add_argument('--notifycache', dest='notifycache', help="Cache for revoked/deprecated objects", default=DEFAULT_NOTIFY_CACHE) return parser
def parseargs() -> argparse.ArgumentParser: """Extract command lines argument""" parser = worker.parseargs("ACT VT Client") parser.add_argument("--apikey", metavar="KEY", help="VirusTotal API key") group = parser.add_mutually_exclusive_group() group.add_argument( "--hexdigest", action="store_true", default=False, help="Skip autodetection of type and force lookup as hexdigest", ) group.add_argument( "--ip", action="store_true", default=False, help="Skip autodetection of type and force lookup as IP address", ) group.add_argument( "--domain", action="store_true", default=False, help="Skip autodetection of type and force lookup as domain", ) return parser
def parseargs() -> argparse.ArgumentParser: """Parse arguments""" parser = worker.parseargs( "Updates list of threat actor aliases from an ACT platform" ) parser.add_argument( "--aliasfile", required=True, help=".cfg-file with \ existing threat actor aliases", ) parser.add_argument( "--newaliasfile", required=True, help="name of \ .cfg-file with updated list of threat actor aliases", ) parser.add_argument( "--output-json", action="store_true", help="Enable \ this flag if json testfiles should be created.", ) return parser
def parseargs() -> argparse.ArgumentParser: """Parse arguments""" parser = worker.parseargs("Get act feeds from act sharing directories") parser.add_argument( "--feed-uri", help="URI to retrieve feed from", ) parser.add_argument( "--dump-dir", type=Path, help= "Dump manifest/bundles to directory instead of sendings facts to uploader", ) parser.add_argument( "--feed-cache", type=Path, default=caep.get_cache_dir("act_feed_cache"), help="The directory to store information about last run", ) parser.add_argument( "--no-exit-on-error", action="store_true", help="Log errors and continue on platform upload errors", ) return parser
def parseargs() -> argparse.ArgumentParser: """Parse arguments""" parser = worker.parseargs("Shadowserver ASN enrichment") parser.add_argument( "--country-codes", help="Should point to file downloaded from {}".format(ISO_3166_FILE), ) parser.add_argument( "--veris-campaign", help="Read mapping of veris campaign from (CSV) file" ) parser.add_argument( "--threat-actor-variety", help="Varieties to use as Threat Actors", default="Activist, Organized crime, Nation-state", ) parser.add_argument( "--hash-url-matching", help="Download and hash references matching regular expression", default=r"^(.*pdf)$", ) parser.add_argument( "--veris-prefix", help='Prefix for incidents and campaign IDs. E.g use "VCDB" for Veris Community Database"', ) parser.add_argument("--veris-url", help="Read veris incidents from URL.") parser.add_argument("--veris-file", help="Read veris incidents from File.") parser.add_argument( "--stdin", action="store_true", help="Read veris incidents on stdin." ) return parser
def parseargs() -> argparse.ArgumentParser: """ Parse arguments """ parser = worker.parseargs('PDNS enrichment') parser.add_argument('--pdns-baseurl', dest='pdns_baseurl', default="https://api.mnemonic.no/", help="PassiveDNS API host") parser.add_argument('--pdns-timeout', dest='timeout', type=int, default=299, help="Timeout") parser.add_argument('--pdns-batch-size', dest='pdns_batch_size', type=int, default=100, help="Batch size of pdns queries") parser.add_argument('--pdns-apikey', dest='apikey', help="PassiveDNS API key") parser.add_argument('--limit', dest='limit', type=int, default=100, help="Maximum number of records to return from pdns") return parser
def parseargs() -> argparse.ArgumentParser: """Parse arguments""" parser = worker.parseargs("ThaiCERT worker") parser.add_argument( "--url", dest="thaicert_url", default=THAICERT_URL, help="ThaiCERT data URL" ) return parser
def parseargs() -> argparse.ArgumentParser: """Parse arguments""" parser = worker.parseargs("Generic uploader") parser.add_argument("--allow-default-origin", action="store_true", help="Allow facts without origin") parser.add_argument("--timing", action="store_true", help="Add timing operations at warn level") parser.add_argument("--no-exit-on-error", action="store_true", help="Log errors and continue") parser.add_argument( "--no-format", action="store_true", help="Do not format facts with default formatter", ) parser.add_argument( "--no-validate", action="store_true", help="Do not validate facts with default types", ) return parser
def parseargs() -> argparse.ArgumentParser: """Parse arguments""" parser = worker.parseargs("Mitre ATT&CK worker") parser.add_argument( "--smtphost", dest="smtphost", help="SMTP host used to send revoked/deprecated objects", ) parser.add_argument( "--sender", dest="sender", help="Sender address used to send revoked/deprecated objects", ) parser.add_argument( "--recipient", dest="recipient", help="Recipient address used to send revoked/deprecated objects", ) parser.add_argument( "--type", choices=list(MITRE_TYPES), help= "Specify a single type to download (enterprise, mobile or pre). Default is to fetch all", ) parser.add_argument( "--notifycache", dest="notifycache", help="Cache for revoked/deprecated objects", default=DEFAULT_NOTIFY_CACHE, ) return parser
def parseargs() -> argparse.ArgumentParser: """ Parse arguments """ parser = worker.parseargs('Country/region enrichment') parser.add_argument('--country-region-url', dest='country_region_url', default="https://raw.githubusercontent.com/lukes/ISO-3166-Countries-with-Regional-Codes/master/all/all.json", help="Country region URL in json format") return parser
def parseargs() -> argparse.ArgumentParser: """ Parse arguments """ parser = worker.parseargs('Generic uploader') parser.add_argument('--timing', action="store_true", help="Add timing operations at warn level") return parser
def parseargs() -> argparse.ArgumentParser: """ Parse arguments """ parser = worker.parseargs('Get MISP feeds from MISP sharing directories') parser.add_argument('--manifest-dir', default=worker.get_cache_dir('misp_manifest'), help='The directory to store latest manifests') return parser
def main() -> None: """Main function""" # Look for default ini file in "/etc/actworkers.ini" and # ~/config/actworkers/actworkers.ini (or replace .config with # $XDG_CONFIG_DIR if set) args = worker.handle_args(worker.parseargs(WORKER_NAME)) actapi = worker.init_act(args) process(actapi, args.output_format)
def parseargs() -> argparse.ArgumentParser: """ Parse arguments """ parser = worker.parseargs('PDNS enrichment') parser.add_argument('--pdns-baseurl', dest='pdns_baseurl', default="https://api.mnemonic.no/", help="Argus API host") parser.add_argument('--pdns-timeout', dest='timeout', type=int, default=299, help="Timeout") parser.add_argument('--pdns-apikey', dest='apikey', help="Argus API key") return parser
def parseargs() -> argparse.ArgumentParser: """Parse arguments""" parser = worker.parseargs("Get MISP feeds from MISP sharing directories") parser.add_argument( "--manifest-dir", default=caep.get_cache_dir("misp_manifest"), help="The directory to store latest manifests", ) return parser
def main_log_error() -> None: "Call main() and log all exceptions as errors" try: # Look for default ini file in "/etc/actworkers.ini" and ~/config/actworkers/actworkers.ini # (or replace .config with $XDG_CONFIG_DIR if set) args = worker.handle_args(worker.parseargs("Generic uploader")) actapi = worker.init_act(args) main(actapi) except Exception: error("Unhandled exception: {}".format(traceback.format_exc())) raise
def parseargs() -> argparse.ArgumentParser: """ Parse arguments """ parser = worker.parseargs('Manage origins') parser.add_argument("--list", action="store_true", help="List origins") parser.add_argument("--add", action="store_true", help="List origins") parser.add_argument("--delete", action="store_true", help="List origins") # Trust is converted to float before sending a request to the platform # and since this value can come from an ini file (where it will be a string) # We keep the value as a string here parser.add_argument("--default-trust", default="0.8", help="Default trust") return parser
def parseargs() -> argparse.ArgumentParser: """ Parse arguments """ parser = worker.parseargs('Search Graph') parser.add_argument('--search-jobs', help="Search jobs (ini-file)") parser.add_argument('--output-path', help="Output-path for result files (default=.)", default=".") parser.add_argument('--workers', type=int, default=4, help="Number of parallel workers for graph search") return parser
def parseargs() -> argparse.ArgumentParser: """Parse arguments""" parser = worker.parseargs("Shadowserver ASN enrichment") parser.add_argument( "--country-codes", help="Should point to file downloaded from {}".format(ISO_3166_FILE), ) group = parser.add_mutually_exclusive_group(required=True) group.add_argument( "--bulk", help="bulk query from file. File must contain one IP per line." ) group.add_argument("--stdin", action="store_true", help="query ip on stdin") return parser
def parseargs() -> argparse.ArgumentParser: """Extract command lines argument""" parser = worker.parseargs("ACT iSight Client") parser.add_argument("--privatekey", metavar="PRIVATEKEY", help="iSight API key") parser.add_argument("--publickey", metavar="PUBLICKEY", help="iSight API key") parser.add_argument("--debugdir", metavar="DIR", help="Dump directory for output") parser.add_argument( "--days", default="1", help="How many days back to look for data" ) parser.add_argument( "--root", default="https://api.isightpartners.com", help="api endpoint" ) return parser
def parseargs() -> argparse.ArgumentParser: """Parse arguments""" parser = worker.parseargs("Map tool aliases") parser.add_argument( "--threshold", type=float, default=0.5, help="Threshold for Jaccard index" ) parser.add_argument( "--submit", default=False, action="store_true", help="Submit alias to platform" ) parser.add_argument( "--exclude_tools", default="^\[placeholder\[[a-f0-9]{64}\]\]$", help="Tool patterns to exclude", ) return parser
def parseargs() -> argparse.ArgumentParser: """Extract command lines argument""" parser = worker.parseargs('ACT VT Client v{}'.format(VERSION)) parser.add_argument('--apikey', metavar='KEY', help='VirusTotal API key') group = parser.add_mutually_exclusive_group() group.add_argument('--hexdigest', action='store_true', default=False, help='query hexdigestsum on stdin') group.add_argument('--ip', action='store_true', default=False, help='query ip on stdin') group.add_argument('--domain', action='store_true', default=False, help='query domain on stdin') return parser
def parseargs() -> argparse.ArgumentParser: """Parse arguments""" parser = worker.parseargs("Threat Actor helper") parser.add_argument("--ta", "--threat-actor", help="Threat Actor") parser.add_argument("--ta-located-in", help="Threat Actor located in") parser.add_argument("--campaign", help="Campaign") parser.add_argument( "--techniques", type=worker_config.string_list, default=[], help="Techniques (Commaseparated list)", ) parser.add_argument( "--tools", type=worker_config.string_list, default=[], help="Tools (Commaseparated list)", ) parser.add_argument( "--sectors", type=worker_config.string_list, default=[], help="Sectors (Commaseparated list)", ) parser.add_argument( "--target-countries", type=worker_config.string_list, default=[], help="Target Countries (Commaseparated list)", ) parser.add_argument( "--country-region", default= "https://raw.githubusercontent.com/lukes/ISO-3166-Countries-with-Regional-Codes/master/all/all.json", help="Country region in json format (HTTP URL or file)", ) # Stix Vocabulary parser.add_argument( "--sector-vocabulary", default= "https://raw.githubusercontent.com/mnemonic-no/act-scio2/master/act/scio/etc/plugins/sectors.cfg", help= "Sector vocabulary (STIX2, in scio format). Fetched from URL or file", ) return parser
def test_args_origin_id(monkeypatch: _pytest.monkeypatch.MonkeyPatch) -> None: """test argument origin-id""" origin_id = "00000000-0000-0000-0000-000000000001" monkeypatch.setattr(sys, "argv", ["./test-worker.py", "--origin-id", origin_id]) args = cli.handle_args(worker.parseargs("Test worker")) actapi = worker.init_act(args) assert actapi.config.origin_id == origin_id fact = (actapi.fact("mentions").source("report", "xyz").destination( "fqdn", "test.com")) assert fact.origin.id == origin_id
def parseargs() -> argparse.Namespace: parser = worker.parseargs("URL unshortener worker") parser.add_argument( "--url-shorteners", dest="url_shorteners", default= "adf.ly, bit.ly, bitly.com, cc.uz, evassmat.com, goo.gl, is.gd, lnkd.in, smarturl.it, www.t2m.io, tiny.cc, tinyurl.com, x.co", help="Comma separated list of shortener-domains") parser.add_argument( "--user-agent", dest="user_agent", default= "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36", help="User-agent to present to the redirect services") return worker.handle_args(parser)
def parseargs() -> argparse.ArgumentParser: """Extract command lines argument""" parser = worker.parseargs( 'ACT Alienvault OTX Import Client v{}'.format(VERSION)) parser.add_argument('--config_path', metavar='PATH', help='Path to reputation configuration files') parser.add_argument('--otx-baseurl', default="https://otx.alienvault.com/api/", help="Alienvault OTX API host") parser.add_argument('--otx-apikey', metavar='KEY', help='Alienvault OTX API key') parser.add_argument('--otx-path-lastretrived', metavar='FILEPATH', help='Path to store last retrival timestamp') return parser
def parseargs() -> argparse.ArgumentParser: """Parse arguments""" parser = worker.parseargs("PDNS enrichment") parser.add_argument( "--no-tlp-access-mode", action="store_true", help= "Do not set access mode from TLP on document. If not set, facts will " + "have access-mode=Public for tlp=white/green otherwise access-mode=RoleBased", ) parser.add_argument( "--pdns-baseurl", dest="pdns_baseurl", default="https://api.mnemonic.no/", help="PassiveDNS API host", ) parser.add_argument("--pdns-timeout", dest="timeout", type=int, default=299, help="Timeout") parser.add_argument( "--pdns-batch-size", dest="pdns_batch_size", type=int, default=100, help="Batch size of pdns queries", ) parser.add_argument("--pdns-apikey", dest="apikey", help="PassiveDNS API key") parser.add_argument( "--limit", dest="limit", type=int, default=100, help="Maximum number of records to return from pdns", ) return parser