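def dotransform(request, response):
    """Add the file extractions recorded for a URL to the response.

    Looks up ``request.value`` in Mnemosyne through an anchored, regex-escaped
    ``url_regex`` query. For every extraction listed on the first matching URL
    record, a ``MnemosyneExtraction`` entity is added that carries whichever of
    the md5/sha1/sha512 hashes the record holds. The entity's display value is
    the ``content_guess`` of the matching file record, or ``'Unknown'``.

    Args:
        request: transform request; ``request.value`` is the URL to look up.
        response: transform response that entities are appended to.

    Returns:
        The ``response`` with zero or more extraction entities added.
    """
    # Function-scope import so the block works on both Python 2 and Python 3.
    try:
        from urllib.parse import quote
    except ImportError:
        from urllib import quote

    # re.escape() only neutralises regex metacharacters. The pattern is then
    # placed in a query string, where '&', '#', '+' or '%' from the URL would
    # end or alter the url_regex parameter, so percent-encode it as a whole.
    # NOTE(review): assumes msmodule.query() forwards the string unchanged
    # and the API decodes it - confirm.
    pattern = '^{0}'.format(re.escape(request.value))
    json_dict = msmodule.query('urls?url_regex={0}'.format(quote(pattern, safe='')))

    records = json_dict['urls']
    # Only the first matching URL record is inspected.
    if not records or 'extractions' not in records[0]:
        return response

    for extraction in records[0]['extractions']:
        hashes = extraction['hashes']
        entity = MnemosyneExtraction('Unknown')
        for name in ('md5', 'sha1', 'sha512'):
            if name in hashes:
                setattr(entity, name, hashes[name])

        entity.content_guess = 'Unknown'
        # The file lookup is keyed on the md5; skip it when the extraction has
        # none instead of querying with an unset attribute value.
        md5 = hashes.get('md5')
        if md5:
            md5_param = quote('{0}'.format(md5), safe='')
            files = msmodule.query('files?hash={0}&no_data'.format(md5_param))['files']
            if files and 'content_guess' in files[0]:
                entity.content_guess = files[0]['content_guess']

        entity.value = entity.content_guess
        response += entity
    return response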
def dotransform(request, response):
    """Summarise, per protocol, the honeypot sessions seen from a source IP.

    Queries Mnemosyne for up to 10000 sessions whose ``source_ip`` equals
    ``request.value`` and adds one ``MnemosyneProtocol`` entity per distinct
    protocol, with the link labelled ``'<count> Activities'``.

    Per the sample record kept with this transform, a session carries the keys
    ``destination_ip``, ``protocol``, ``hpfeed_id``, ``timestamp``,
    ``source_ip``, ``source_port``, ``honeypot``, ``_id``,
    ``destination_port`` and ``auth_attempts`` (a list of login/password
    dicts). Only ``protocol`` is read here.

    Args:
        request: transform request; ``request.value`` is the source IP.
        response: transform response that entities are appended to.

    Returns:
        The ``response`` with one entity per protocol added.
    """
    source_ip = request.value
    # NOTE(review): the value goes into the query string without validation or
    # percent-encoding; a value containing '&' or '#' would change the
    # parameters sent to the API. Confirm the caller guarantees a plain IP.
    reply = msmodule.query('sessions?source_ip={0}&limit=10000'.format(source_ip))

    tally = {}
    for session in reply['sessions']:
        name = session['protocol']
        tally[name] = tally.get(name, 0) + 1

    for name in tally:
        hit = MnemosyneProtocol(name)
        hit.linklabel = '{0} Activities'.format(tally[name])
        response += hit
    return response
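def dotransform(request, response):
    """Add a URL entity for every Mnemosyne URL record matching the input.

    Builds the pattern ``.*<escaped value>(/|:)`` from ``request.value`` and
    queries the ``urls`` endpoint with it. Each returned record yields a
    ``URL`` entity whose ``fqdn`` field is set to the record's ``url``.

    Args:
        request: transform request; ``request.value`` is the text to match.
        response: transform response that entities are appended to.

    Returns:
        The ``response`` with one entity per matching record added.
    """
    # Function-scope import so the block works on both Python 2 and Python 3.
    try:
        from urllib.parse import quote
    except ImportError:
        from urllib import quote

    # re.escape() covers regex metacharacters only. Percent-encode the whole
    # pattern so '&', '#', '+' or '%' in the value cannot end or alter the
    # url_regex query parameter.
    # NOTE(review): assumes msmodule.query() forwards the string unchanged
    # and the API decodes it - confirm.
    pattern = '.*{0}(/|:)'.format(re.escape(request.value))
    # NOTE(review): the leading '/' on the path is kept as found; confirm it
    # is what msmodule.query() expects.
    json_dict = msmodule.query('/urls?url_regex={0}'.format(quote(pattern, safe='')))

    for record in json_dict['urls']:
        # NOTE(review): every entity gets the fixed value 'woopsa' and the
        # record's URL only lands in ``fqdn``; this looks like a placeholder -
        # confirm the intended entity value.
        entity = URL('woopsa')
        entity.fqdn = record['url']
        response += entity
    return response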
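def dotransform(request, response):
    """Add a URL entity for every Mnemosyne URL record matching the input.

    Builds the pattern ``.*<escaped value>(/|:)`` from ``request.value``,
    queries the ``urls`` endpoint with it, and adds one ``URL`` entity per
    returned record. The record's ``url`` is used both as the entity value and
    as its ``url`` field.

    Args:
        request: transform request; ``request.value`` is the text to match.
        response: transform response that entities are appended to.

    Returns:
        The ``response`` with one entity per matching record added.
    """
    # Function-scope import so the block works on both Python 2 and Python 3.
    try:
        from urllib.parse import quote
    except ImportError:
        from urllib import quote

    # re.escape() covers regex metacharacters only. Percent-encode the whole
    # pattern so '&', '#', '+' or '%' in the value cannot end or alter the
    # url_regex query parameter.
    # NOTE(review): assumes msmodule.query() forwards the string unchanged
    # and the API decodes it - confirm.
    pattern = '.*{0}(/|:)'.format(re.escape(request.value))
    json_dict = msmodule.query('urls?url_regex={0}'.format(quote(pattern, safe='')))

    for record in json_dict['urls']:
        entity = URL(record['url'])
        entity.url = record['url']
        response += entity
    return response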
def dotransform(request, response):
    """Add a honeypot entity for every session recorded from a source IP.

    Queries Mnemosyne for sessions whose ``source_ip`` equals
    ``request.value`` and adds one ``MnemosyneHoneypot`` entity per session,
    valued with the session's ``destination_ip`` and carrying the honeypot
    name and the bundled logo as icon.

    Per the sample record kept with this transform, a session carries the keys
    ``destination_ip``, ``protocol``, ``hpfeed_id``, ``timestamp``,
    ``source_ip``, ``source_port``, ``honeypot``, ``_id``,
    ``destination_port`` and ``auth_attempts`` (a list of login/password
    dicts). Only ``destination_ip`` and ``honeypot`` are read here.

    Args:
        request: transform request; ``request.value`` is the source IP.
        response: transform response that entities are appended to.

    Returns:
        The ``response`` with one entity per session added.
    """
    source_ip = request.value
    # NOTE(review): the value goes into the query string without validation or
    # percent-encoding; a value containing '&' or '#' would change the
    # parameters sent to the API. Confirm the caller guarantees a plain IP.
    reply = msmodule.query('sessions?source_ip={0}'.format(source_ip))

    for position, session in enumerate(reply['sessions'], 1):
        hit = MnemosyneHoneypot(session['destination_ip'])
        hit.iconurl = 'file://%s' % resource_filename('mnemtego.resources.images', 'hp_logo.png')
        # NOTE(review): the label is the running position of the session in
        # the result list, not a per-honeypot total - confirm this is intended.
        hit.linklabel = '{0} Attacks'.format(position)
        hit.Honeypot = session['honeypot']
        # NOTE(review): this stores an entity type name, not an address -
        # confirm what the ipv4addr field is meant to hold.
        hit.ipv4addr = 'maltego.IPv4Address'
        response += hit
    return response
def get_urls(hash):
    """Yield a URL entity for each URL record Mnemosyne returns for a hash.

    The query is issued when the generator is first advanced. Each record's
    ``url`` is used both as the entity value and as its ``url`` field.

    Args:
        hash: hash value passed to the ``urls?hash=`` query.

    Yields:
        ``URL`` entities, one per returned record.
    """
    # NOTE(review): ``hash`` is interpolated without validation or
    # percent-encoding; confirm callers only pass plain hex digests.
    reply = msmodule.query('urls?hash={0}'.format(hash))
    for record in reply['urls']:
        entity = URL(record['url'])
        entity.url = record['url']
        yield entity