def process_content(self, content, filename): context = dict(source=self.name) context['description'] = 'File: {}'.format(filename) if content.startswith('Certificate:') and content.endswith( '-----END CERTIFICATE-----\n'): try: cert_data = Certificate.from_data(content) cert_data.add_context(context) cert_data.add_source(self.name) except ObservableValidationError as e: logging.error(e) else: try: observables = Observable.from_string(content) except Exception as e: logging.error(e) return for key in observables: for ioc in filter(None, observables[key]): if key == 'Url' and any( [domain in ioc for domain in BLACKLIST_DOMAINS]): continue try: ioc_data = self.refs[key].get_or_create(value=ioc) ioc_data.add_context(context) ioc_data.add_source(self.name) except ObservableValidationError as e: logging.error(e) except UnicodeDecodeError as e: logging.error(e)
def analyze(observable, results): links = set() if isinstance(observable, Ip): ip_search = CirclPassiveSSLApi.search_ip(observable, results.settings) if ip_search: json_string = json.dumps(ip_search, sort_keys=True, indent=4, separators=(",", ": ")) results.update(raw=json_string) for ip_addr, ip_details in ip_search.items(): for cert_sha1 in ip_details.get("certificates", []): try: cert_result = CirclPassiveSSLApi.fetch_cert( cert_sha1, results.settings) if cert_result: _info = cert_result.get("info", {}) x509 = load_certificate( FILETYPE_PEM, cert_result.get("pem")) der = dump_certificate(FILETYPE_ASN1, x509) cert_ob = Certificate.from_data(data=der) subject = CertificateSubject.get_or_create( value=_info.get("subject", "")) issuer = CertificateSubject.get_or_create( value=_info.get("issuer", "")) links.update( observable.active_link_to( cert_ob, "ssl-cert", "circl_passive_ssl_query")) links.update( cert_ob.active_link_to( subject, "cert-subject", "circl_passive_ssl_query", )) links.update( cert_ob.active_link_to( issuer, "cert-issuer", "circl_passive_ssl_query")) except Exception as e: logging.error( "Error attempting to fetch cert file {}". format(e)) return list(links)
def _handle_cert(dbase, rec, links): """Internal function to handle a record corresponding to an X509 certificate. """ raw_data = dbase.from_binary(rec['value']) cert = Certificate.from_data(raw_data, hash_sha256=rec['infos']['sha256']) rec['value'] = encode_b64(raw_data).decode() links.update( cert.link_to( CertificateSubject.get_or_create( value=rec['infos']['subject_text']), "cert-subject", "IVRE - X509 subject", )) links.update( cert.link_to( CertificateSubject.get_or_create( value=rec['infos']['issuer_text']), "cert-issuer", "IVRE - X509 issuer", )) commonname = rec['infos']['subject']['commonName'] if commonname: while commonname.startswith('*.'): commonname = commonname[2:] if commonname: _try_link(links, cert, Hostname, commonname, "cert-commonname", "IVRE - X509 Subject commonName") for san in rec['infos'].get('san', []): if san.startswith('DNS:'): san = san[4:] while san.startswith('*.'): san = san[2:] if san: _try_link(links, cert, Hostname, san, "cert-san", "IVRE - X509 subjectAltName") elif san.startswith('IP Address:'): san = san[11:] if san: _try_link(links, cert, Ip, san, "cert-san", "IVRE - X509 subjectAltName") elif san.startswith('email:'): san = san[6:] if san: _try_link(links, cert, Email, san, "cert-san", "IVRE - X509 subjectAltName") elif san.startswith('URI:'): san = san[4:] if san: _try_link(links, cert, Url, san, "cert-san", "IVRE - X509 subjectAltName") else: LOG.debug('_handle_rec: cannot handle subjectAltName: %r', san) return cert
def register_certificate(content, context, source): """Helper function to register certificate Args: content (str): The certificate content. context (dict): The observable context. source (str): origin of the observable """ try: cert_data = Certificate.from_data(content) cert_data.add_context(context) cert_data.add_source(source) except ObservableValidationError as e: logging.error(e)