def search_cif(self, indicator): ''' :param indicator: one of domain, fqdn, or hash :return: dictionary of results ''' results = [] for cif_host in self.cif_hosts: cli = Client(token=cif_host['token'], remote=cif_host['remote'], verify_ssl=self.verify) filters = { 'indicator': indicator, 'limit': self.limit, 'nolog': '1' } results += cli.indicators_search(filters=filters) return results
def main(): p = get_argument_parser() p = ArgumentParser( description=textwrap.dedent('''\ Env Variables: CIF_TOKEN CIF_REMOTE example usage: $ cif-tail '''), formatter_class=RawDescriptionHelpFormatter, prog='cif-tail', parents=[p], ) p.add_argument('--no-verify-ssl', help='turn TLS/SSL verification OFF', action='store_true') p.add_argument('--format', default='table') p.add_argument('--cycle', help='specify a cycle in which to run', default=5) p.add_argument('--filters', help='specify data filters to use', default='itype=ipv4,confidence=7,limit=10') p.add_argument('--remote', default=REMOTE_ADDR) p.add_argument('--token', default=TOKEN) p.add_argument('--start', default=arrow.get((arrow.utcnow().timestamp - 420))) args = p.parse_args() # setup logging setup_logging(args) verify_ssl = True if args.no_verify_ssl: verify_ssl = False filters = {} for k in args.filters.split(','): kk, v = k.split('=') filters[kk] = v remote = args.remote token = args.token client = Client(remote, token, verify_ssl=verify_ssl) start = args.start start = arrow.get(start) cycle = (int(args.cycle) * 60) # we want a 120s buffer for things that are being generated "now" end = arrow.get((arrow.utcnow().timestamp - 120)) while True: logger.debug('now: %s' % arrow.utcnow()) start = start.strftime('%Y-%m-%dT%H:%M:%S') + 'Z' end = end.strftime('%Y-%m-%dT%H:%M:%S') + 'Z' filters['reporttime'] = '{},{}'.format(start, end) logger.debug('searching {} - {}'.format(start, end)) resp = client.indicators_search(filters) if args.format == 'csv': for l in get_lines_csv(resp): print(l) else: for l in get_lines_table(resp): print(l) logger.debug('sleeping for {}m'.format(args.cycle)) sleep(cycle) # todo- this needs some work, maybe use last record if there was one? # what if there wasn't? start = arrow.get(arrow.get(end).timestamp + 1) end = arrow.get((arrow.utcnow().timestamp - 120))
def main(): p = get_argument_parser() p = ArgumentParser( description=textwrap.dedent('''\ Env Variables: CIF_TOKEN CIF_REMOTE example usage: $ cif-tail '''), formatter_class=RawDescriptionHelpFormatter, prog='cif-tail', parents=[p], ) p.add_argument('--no-verify-ssl', help='turn TLS/SSL verification OFF', action='store_true') p.add_argument('--format', default='table') p.add_argument('--cycle', help='specify a cycle in which to run', default=5) p.add_argument('--filters', help='specify data filters to use', default='itype=ipv4,confidence=7,limit=10') p.add_argument('--remote', default=REMOTE_ADDR) p.add_argument('--token', default=TOKEN) p.add_argument('--start', default=arrow.get((arrow.utcnow().timestamp - 420))) args = p.parse_args() # setup logging setup_logging(args) verify_ssl = not args.no_verify_ssl filters = {} for k in args.filters.split(','): kk, v = k.split('=') filters[kk] = v remote = args.remote token = args.token client = Client(remote, token, verify_ssl=verify_ssl) start = args.start start = arrow.get(start) cycle = (int(args.cycle) * 60) delay = Delayer(upper=cycle) # we want a 120s buffer for things that are being generated "now" end = arrow.get((arrow.utcnow().timestamp - 120)) while True: logger.debug('now: %s' % arrow.utcnow()) start = start.strftime('%Y-%m-%dT%H:%M:%S') + 'Z' end = end.strftime('%Y-%m-%dT%H:%M:%S') + 'Z' filters['reporttime'] = '{},{}'.format(start, end) logger.debug('searching {} - {}'.format(start, end)) try: resp = client.indicators_search(filters) except Exception: logger.exception("CIF API Error") resp = [] if resp: delay.reset() if args.format == 'csv': for l in get_lines_csv(resp): print(l) else: for l in get_lines_table(resp): print(l) delay.sleep() # todo- this needs some work, maybe use last record if there was one? # what if there wasn't? start = arrow.get(arrow.get(end).timestamp + 1) end = arrow.get((arrow.utcnow().timestamp - 120))