コード例 #1
    def process(self):
        """Parse a PhishTank-style CSV report into phishing events.

        Every data row becomes one ``Event``; the header row (recognised by
        the ``phish_id`` column name) is skipped. The report is acknowledged
        whether or not it carried a ``raw`` payload.
        """
        report = self.receive_message()

        # Nothing to parse: acknowledge so the queue does not stall, then stop.
        if report is None or not report.contains("raw"):
            self.acknowledge_message()
            return

        # Positional mapping of CSV columns to event fields; "__IGNORE__"
        # marks columns that are deliberately dropped.
        field_names = (
            "__IGNORE__",
            "source.url",
            "event_description.url",
            "time.source",
            "__IGNORE__",
            "__IGNORE__",
            "__IGNORE__",
            "event_description.target",
        )

        decoded = utils.base64_decode(report.get("raw"))
        for row in utils.csv_reader(decoded):
            # The header row contains the literal column name "phish_id".
            if "phish_id" in row:
                continue

            event = Event(report)
            for field, cell in zip(field_names, row):
                if field != "__IGNORE__":
                    event.add(field, cell)

            event.add('classification.type', u'phishing')
            event.add("raw", ",".join(row))
            self.send_message(event)

        self.acknowledge_message()
コード例 #2
    def process(self):
        """Turn each CSV row of the report's ``raw`` payload into a malware event.

        Positional layout used below: 0 timestamp, 1 URL or ``-``, 2 IP
        address (or a URL whose host is used instead), 3 reverse DNS,
        4 description, 5 abuse contact (currently ignored), 6 ASN.
        """
        report = self.receive_message()

        if not report or not report.contains("raw"):
            self.acknowledge_message()
            return

        decoded = utils.base64_decode(report.get("raw"))
        for row in utils.csv_reader(decoded):
            event = Event(report)
            self.logger.debug(repr(row))

            # The feed joins date and time with '_'; restore the space and
            # state the zone explicitly.
            timestamp = row[0].replace('_', ' ')
            event.add("time.source", timestamp + " UTC")

            url = row[1]
            if url != '-':
                event.add("source.url", self.add_http(url))

            # Column 2 normally holds an IP; if harmonisation rejects it,
            # treat the cell as a URL and fall back to its network location.
            host = row[2]
            try:
                event.add("source.ip", host)
            except InvalidValue:
                event.add("source.url", self.add_http(host))
                event.add('source.ip', urlparse(host).netloc)

            event.add("source.reverse_dns", row[3])
            event.add("event_description.text", row[4])
            # TODO: ignore abuse contact (column 5) for now
            event.add("source.asn", int(row[6]))

            event.add('classification.type', u'malware')
            event.add("raw", ",".join(row))
            self.send_message(event)

        self.acknowledge_message()
コード例 #3
ファイル: parser.py プロジェクト: nizq/intelmq
    def process(self):
        """Convert the CSV rows in the report's ``raw`` payload to malware events.

        Columns are positional: timestamp, URL (``-`` when absent), IP or
        URL, reverse DNS, description, abuse contact (ignored), ASN.
        """
        report = self.receive_message()

        if not report or not report.contains("raw"):
            self.acknowledge_message()
            return

        csv_text = utils.base64_decode(report.value("raw"))
        for fields in utils.csv_reader(csv_text):
            event = Event(report)
            self.logger.debug(repr(fields))

            # Date and time are '_'-separated in the feed; make it a space
            # and tag the timestamp as UTC.
            event.add("time.source", "{} UTC".format(fields[0].replace('_', ' ')))

            if fields[1] != '-':
                event.add("source.url", self.add_http(fields[1]))

            # Column 2 is an IP address most of the time. When harmonisation
            # refuses it, the cell is taken to be a URL instead.
            try:
                event.add("source.ip", fields[2])
            except InvalidValue:
                event.add("source.url", self.add_http(fields[2]))
                event.add('source.ip', urlparse(fields[2]).netloc)

            event.add("source.reverse_dns", fields[3])
            event.add("event_description.text", fields[4])
            # TODO: ignore abuse contact for now
            event.add("source.asn", int(fields[6]))

            event.add('classification.type', u'malware')
            event.add("raw", ",".join(fields))
            self.send_message(event)

        self.acknowledge_message()
コード例 #4
ファイル: parser.py プロジェクト: serranos/intelmq
    def process(self):
        """Parse the positional CSV in ``raw`` into sanitised malware events.

        Columns: timestamp, URL (``-`` when absent), IP or URL, reverse DNS,
        description, abuse contact (ignored), ASN. Every text field is added
        with ``sanitize=True`` so harmonisation normalises it.
        """
        report = self.receive_message()

        if not report or not report.contains("raw"):
            self.acknowledge_message()
            return

        csv_text = utils.base64_decode(report.value("raw"))
        for fields in utils.csv_reader(csv_text):
            event = Event(report)
            self.logger.debug(repr(fields))

            # '_' separates date and time in the feed; normalise and tag UTC.
            when = fields[0].replace("_", " ")
            event.add("time.source", when + " UTC", sanitize=True)

            if fields[1] != "-":
                event.add("source.url", fields[1], sanitize=True)

            # Column 2 is usually an IP; on rejection treat it as a URL and
            # derive the IP field from its network location.
            endpoint = fields[2]
            try:
                event.add("source.ip", endpoint, sanitize=True)
            except InvalidValue:
                event.add("source.url", endpoint, sanitize=True)
                event.add("source.ip", urlparse(endpoint).netloc, sanitize=True)

            event.add("source.reverse_dns", fields[3], sanitize=True)
            event.add("event_description.text", fields[4], sanitize=True)
            # TODO: ignore abuse contact for now
            event.add("source.asn", int(fields[6]))

            event.add("classification.type", "malware")
            event.add("raw", ",".join(fields), sanitize=True)
            self.send_message(event)

        self.acknowledge_message()
コード例 #5
ファイル: parser.py プロジェクト: Hacker-One/intelmq
    def process(self):
        """Parse a scanner-list CSV into one ``scanner`` event per row.

        The first row is treated as a header and skipped. Only the first and
        third columns (``source.ip`` and ``event_description.text``) are
        used; the others are ignored.
        """
        report = self.receive_message()

        if report is None or not report.contains("raw"):
            self.acknowledge_message()
            return

        # Positional column mapping; "__IGNORE__" drops the column.
        field_names = ("source.ip", "__IGNORE__",
                       "event_description.text", "__IGNORE__")

        decoded = utils.base64_decode(report.get("raw"))
        for index, row in enumerate(utils.csv_reader(decoded)):
            # Row 0 is the header line.
            if index == 0:
                continue

            event = Event(report)
            for field, cell in zip(field_names, row):
                if field != "__IGNORE__":
                    event.add(field, cell)

            event.add('classification.type', u'scanner')
            event.add("raw", ",".join(row))
            self.send_message(event)

        self.acknowledge_message()
コード例 #6
ファイル: parser.py プロジェクト: jmj-uy/intelmq-1
    def process(self):
        """Emit one ``scanner`` event per data row of the CSV in ``raw``.

        The leading header row is skipped; columns 0 and 2 map to
        ``source.ip`` and ``event_description.text``, the rest are dropped.
        """
        report = self.receive_message()

        if report is None or not report.contains("raw"):
            self.acknowledge_message()
            return

        # Positional mapping; "__IGNORE__" marks unused columns.
        field_names = ("source.ip", "__IGNORE__",
                       "event_description.text", "__IGNORE__")

        decoded = utils.base64_decode(report.get("raw"))
        for position, row in enumerate(utils.csv_reader(decoded)):
            # The very first row is the header.
            if position == 0:
                continue

            event = Event(report)
            mapped = ((field, cell) for field, cell in zip(field_names, row)
                      if field != "__IGNORE__")
            for field, cell in mapped:
                event.add(field, cell)

            event.add('classification.type', u'scanner')
            event.add("raw", ",".join(row))
            self.send_message(event)

        self.acknowledge_message()
コード例 #7
ファイル: drone_parser.py プロジェクト: jmj-uy/intelmq-1
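    def process(self):
        """Parse a header-keyed "drone" CSV (one infected host per row).

        Each row becomes one ``botnet drone`` event: ``source.*`` describes
        the infected host, ``destination.*`` its command-and-control
        endpoint, and columns without a harmonised field are collected in
        ``extra``. Empty optional cells are left out of the event.
        """
        report = self.receive_message()

        if report is None or not report.contains("raw"):
            self.acknowledge_message()
            return

        def add_if_present(field, column):
            # Skip empty cells so harmonisation is not asked to validate "".
            if row[column]:
                event.add(field, row[column])

        raw_report = utils.base64_decode(report["raw"])
        for row in utils.csv_reader(raw_report, dictreader=True):
            event = Event(report)
            extra = {}

            event.add('time.source', row['timestamp'] + ' UTC')
            event.add('source.ip', row['ip'])
            event.add('source.port', row['port'])
            event.add('source.asn', row['asn'])
            event.add('source.geolocation.cc', row['geo'])
            event.add('source.geolocation.region', row['region'])
            event.add('source.geolocation.city', row['city'])
            add_if_present('source.reverse_dns', 'hostname')
            event.add('protocol.transport', row['type'])
            event.add('malware.name', row['infection'])
            add_if_present('destination.url', 'url')
            if row['agent']:
                extra['user_agent'] = row['agent']
            event.add('destination.ip', row['cc'])
            event.add('destination.port', row['cc_port'])
            event.add('destination.asn', row['cc_asn'])
            event.add('destination.geolocation.cc', row['cc_geo'])
            add_if_present('destination.reverse_dns', 'cc_dns')
            extra['connection_count'] = int(row['count'])
            if row['proxy']:
                extra['proxy'] = row['proxy']
            # "application" is the feed's application-protocol column;
            # "type" (already stored as protocol.transport) is the transport.
            add_if_present('protocol.application', 'application')
            extra['os.name'] = row['p0f_genre']
            extra['os.version'] = row['p0f_detail']
            # "machine_name" and "id" are optional columns; the local hostname
            # comes from "machine_name", not from the transport column.
            if row.get('machine_name'):
                event.add('source.local_hostname', row['machine_name'])
            if row.get('id'):
                extra['bot_id'] = row['id']
            # Industry codes: only non-zero values are worth recording.
            for column in ('naics', 'sic'):
                code = int(row[column])
                if code:
                    extra[column] = code

            event.add('extra', extra)
            event.add('classification.type', 'botnet drone')
            event.add('raw', '"' + ','.join(map(str, row.items())) + '"')

            self.send_message(event)
        self.acknowledge_message()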
コード例 #8
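    def process(self):
        """Map a header-driven CSV report onto malware events via ``COLUMNS``.

        Each row is read as a dict keyed by the CSV header; ``COLUMNS``
        translates header names to harmonisation fields (a header missing
        from ``COLUMNS`` raises ``KeyError``). Empty cells, cells without a
        header, and fields marked ``__IGNORE__``/``__TDB__`` are dropped.
        ``time.source`` is tagged ``UTC``; ``source.asn`` values of the form
        ``AS123[,AS456]`` are reduced to the first bare number and ``ASNA``
        (no ASN) is skipped. A ``source.fqdn`` cell that is really an IP
        address is dropped rather than stored as a domain name.
        """
        report = self.receive_message()

        if report is None or not report.contains("raw"):
            self.acknowledge_message()
            return

        raw_report = utils.base64_decode(report.get("raw"))

        for row in utils.csv_reader(raw_report, dictreader=True):
            event = Event(report)

            for key, value in row.items():
                if not value:
                    continue

                # Surplus cells beyond the header are filed under the key None.
                if key is None:
                    self.logger.warning('Value without key found, skipping the'
                                        ' value: {!r}'.format(value))
                    continue

                key = COLUMNS[key]

                if key == "__IGNORE__" or key == "__TDB__":
                    continue

                if key == "source.fqdn" and IPAddress.is_valid(value,
                                                               sanitize=True):
                    continue

                if key == "time.source":
                    value = value + " UTC"

                if key == "source.asn" and value.startswith("ASNA"):
                    continue

                if key == "source.asn":
                    # Keep the first "AS<number>" entry of a comma-separated list.
                    for asn in value.split(','):
                        if asn.startswith("AS"):
                            value = asn.split("AS")[1]
                            break

                event.add(key, value)

            event.add('classification.type', u'malware')
            # ``row`` is a dict, so ``",".join(row)`` would record only the
            # header names. Re-serialise the cell values in column order;
            # surplus cells (key None) arrive as a list and missing cells as
            # None (assumes csv.DictReader semantics for
            # utils.csv_reader(dictreader=True) — TODO confirm).
            cells = []
            for cell in row.values():
                if isinstance(cell, list):
                    cells.extend(cell)
                else:
                    cells.append("" if cell is None else cell)
            event.add("raw", ",".join(cells))

            self.send_message(event)
        self.acknowledge_message()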
コード例 #9
ファイル: parser_virus.py プロジェクト: Hacker-One/intelmq
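    def process(self):
        """Map a header-driven CSV report onto malware events via ``COLUMNS``.

        Each row is read as a dict keyed by the CSV header; ``COLUMNS``
        translates header names to harmonisation fields (a header missing
        from ``COLUMNS`` raises ``KeyError``). Empty cells, cells without a
        header, and fields marked ``__IGNORE__``/``__TDB__`` are dropped.
        ``time.source`` is tagged ``UTC``; ``source.asn`` values of the form
        ``AS123[,AS456]`` are reduced to the first bare number and ``ASNA``
        (no ASN) is skipped. A ``source.fqdn`` cell that is really an IP
        address is dropped rather than stored as a domain name.
        """
        report = self.receive_message()

        if report is None or not report.contains("raw"):
            self.acknowledge_message()
            return

        raw_report = utils.base64_decode(report.get("raw"))

        for row in utils.csv_reader(raw_report, dictreader=True):
            event = Event(report)

            for key, value in row.items():
                if not value:
                    continue

                # Surplus cells beyond the header are filed under the key None.
                if key is None:
                    self.logger.warning('Value without key found, skipping the'
                                        ' value: {!r}'.format(value))
                    continue

                key = COLUMNS[key]

                if key == "__IGNORE__" or key == "__TDB__":
                    continue

                if key == "source.fqdn" and IPAddress.is_valid(value,
                                                               sanitize=True):
                    continue

                if key == "time.source":
                    value = value + " UTC"

                if key == "source.asn" and value.startswith("ASNA"):
                    continue

                if key == "source.asn":
                    # Keep the first "AS<number>" entry of a comma-separated list.
                    for asn in value.split(','):
                        if asn.startswith("AS"):
                            value = asn.split("AS")[1]
                            break

                event.add(key, value)

            event.add('classification.type', u'malware')
            # ``row`` is a dict, so ``",".join(row)`` would record only the
            # header names. Re-serialise the cell values in column order;
            # surplus cells (key None) arrive as a list and missing cells as
            # None (assumes csv.DictReader semantics for
            # utils.csv_reader(dictreader=True) — TODO confirm).
            cells = []
            for cell in row.values():
                if isinstance(cell, list):
                    cells.extend(cell)
                else:
                    cells.append("" if cell is None else cell)
            event.add("raw", ",".join(cells))

            self.send_message(event)
        self.acknowledge_message()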
コード例 #10
ファイル: snmp_parser.py プロジェクト: nizq/intelmq
    def process(self):
        """Parse a header-keyed "open SNMP" CSV into ``vulnerable service`` events.

        One event per row; ``sysdesc``/``sysname`` and the optional industry
        codes (``naics``, ``sic``, ``sector``) go into ``extra``. Both the
        application protocol and the classification identifier are fixed to
        ``snmp``.
        """
        report = self.receive_message()

        if report is None or not report.contains("raw"):
            self.acknowledge_message()
            return

        # Columns copied verbatim into harmonised fields, in feed order.
        direct_fields = (
            ("source.ip", "ip"),
            ("protocol.transport", "protocol"),
            ("source.port", "port"),
            ("source.reverse_dns", "hostname"),
        )
        geo_fields = (
            ("source.asn", "asn"),
            ("source.geolocation.cc", "geo"),
            ("source.geolocation.region", "region"),
            ("source.geolocation.city", "city"),
        )

        decoded = utils.base64_decode(report["raw"])
        for row in utils.csv_reader(decoded, dictreader=True):
            event = Event(report)
            extra = {}

            event.add("time.source", "{} UTC".format(row["timestamp"]))
            for field, column in direct_fields:
                event.add(field, row[column])
            extra["sysdesc"] = row["sysdesc"]
            extra["sysname"] = row["sysname"]
            for field, column in geo_fields:
                event.add(field, row[column])
            # Industry codes: zero means "unknown" and is not recorded.
            for column in ("naics", "sic"):
                code = int(row[column])
                if code:
                    extra[column] = code
            if row["sector"]:
                extra["sector"] = row["sector"]

            event.add("extra", extra)
            event.add("protocol.application", "snmp")
            event.add("classification.type", "vulnerable service")
            event.add("classification.identifier", "snmp")
            event.add("raw", '"' + ",".join(map(str, row.items())) + '"')
            self.send_message(event)

        self.acknowledge_message()
コード例 #11
    def process(self):
        """Emit one ``vulnerable service`` (snmp) event per row of the CSV in ``raw``.

        Rows are header-keyed. ``sysdesc``, ``sysname`` and the non-zero /
        non-empty industry codes are stored under ``extra``.
        """
        report = self.receive_message()

        if report is None or not report.contains("raw"):
            self.acknowledge_message()
            return

        def add_column(field, column):
            event.add(field, row[column])

        decoded = utils.base64_decode(report["raw"])
        for row in utils.csv_reader(decoded, dictreader=True):
            event = Event(report)
            extra = {}

            event.add('time.source', row['timestamp'] + ' UTC')
            add_column('source.ip', 'ip')
            add_column('protocol.transport', 'protocol')
            add_column('source.port', 'port')
            add_column('source.reverse_dns', 'hostname')
            extra['sysdesc'] = row['sysdesc']
            extra['sysname'] = row['sysname']
            add_column('source.asn', 'asn')
            add_column('source.geolocation.cc', 'geo')
            add_column('source.geolocation.region', 'region')
            add_column('source.geolocation.city', 'city')
            # A zero industry code means "not classified" and is dropped.
            for column in ('naics', 'sic'):
                code = int(row[column])
                if code:
                    extra[column] = code
            if row['sector']:
                extra['sector'] = row['sector']

            event.add('extra', extra)
            event.add('protocol.application', 'snmp')
            event.add('classification.type', 'vulnerable service')
            event.add('classification.identifier', 'snmp')
            event.add('raw', '"' + ','.join(map(str, row.items())) + '"')
            self.send_message(event)

        self.acknowledge_message()
コード例 #12
ファイル: parser.py プロジェクト: Hacker-One/intelmq
    def process(self):
        """Parse a PhishTank-style CSV report into ``phishing`` events.

        The header row is recognised by the ``phish_id`` column name and
        skipped; the positional mapping below assigns the remaining columns.
        """
        report = self.receive_message()

        if report is None or not report.contains("raw"):
            self.acknowledge_message()
            return

        # Column index -> event field; "__IGNORE__" drops the column.
        field_names = (
            "__IGNORE__",
            "source.url",
            "event_description.url",
            "time.source",
            "__IGNORE__",
            "__IGNORE__",
            "__IGNORE__",
            "event_description.target",
        )

        decoded = utils.base64_decode(report.get("raw"))
        for row in utils.csv_reader(decoded):
            # Header line: one of its cells is the literal "phish_id".
            if "phish_id" in row:
                continue

            event = Event(report)
            wanted = ((field, cell) for field, cell in zip(field_names, row)
                      if field != "__IGNORE__")
            for field, cell in wanted:
                event.add(field, cell)

            event.add('classification.type', u'phishing')
            event.add("raw", ",".join(row))
            self.send_message(event)

        self.acknowledge_message()
コード例 #13
ファイル: qotd_parser.py プロジェクト: Hacker-One/intelmq
    def process(self):
        """Parse a header-keyed "open QOTD" CSV into ``vulnerable service`` events.

        One event per row. The quote text and the optional industry codes
        (``naics``, ``sic``, ``sector``) are stored under ``extra``; the
        classification identifier is fixed to ``qotd``.
        """
        report = self.receive_message()

        if report is None or not report.contains("raw"):
            self.acknowledge_message()
            return

        def add_column(field, column):
            event.add(field, row[column])

        decoded = utils.base64_decode(report["raw"])
        for row in utils.csv_reader(decoded, dictreader=True):
            event = Event(report)
            extra = {}

            event.add('time.source', row['timestamp'] + ' UTC')
            add_column('source.ip', 'ip')
            add_column('protocol.transport', 'protocol')
            add_column('source.port', 'port')
            add_column('source.reverse_dns', 'hostname')
            add_column('protocol.application', 'tag')
            extra['quote'] = row['quote']
            add_column('source.asn', 'asn')
            add_column('source.geolocation.cc', 'geo')
            add_column('source.geolocation.region', 'region')
            add_column('source.geolocation.city', 'city')
            # Zero industry codes mean "not classified" and are dropped.
            for column in ('naics', 'sic'):
                code = int(row[column])
                if code:
                    extra[column] = code
            if row['sector']:
                extra['sector'] = row['sector']

            event.add('extra', extra)
            event.add('classification.type', 'vulnerable service')
            event.add('classification.identifier', 'qotd')
            event.add('raw', '"' + ','.join(map(str, row.items())) + '"')
            self.send_message(event)

        self.acknowledge_message()
コード例 #14
ファイル: parser_csv.py プロジェクト: nizq/intelmq
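    def process(self):
        """Parse a generic, column-configurable CSV report into events.

        ``self.parameters.columns`` names one harmonisation field per CSV
        column (``"__IGNORE__"`` or ``""`` drops a column). Time fields are
        normalised with a fuzzy date parse and tagged ``UTC``, IP fields are
        reduced to the first address-like token matched in the cell, and
        ``*.url`` fields without a scheme get
        ``self.parameters.default_url_protocol`` prepended. A cell whose
        conversion fails is logged and dropped; the rest of the row is still
        sent as an event of type ``self.parameters.type``.
        """
        report = self.receive_message()

        if not report or not report.contains("raw"):
            self.acknowledge_message()
            return

        columns = self.parameters.columns

        raw_report = utils.base64_decode(report.value("raw"))
        # ignore lines starting with #
        raw_report = re.sub(r'(?m)^#.*\n?', '', raw_report)
        # ignore null bytes
        raw_report = re.sub(r'(?m)\0', '', raw_report)

        # regex from http://stackoverflow.com/a/23483979
        # matching ipv4/ipv6 IP within string; compiled once per report
        # instead of once per cell. NOTE(review): the second alternative also
        # accepts bare hostnames, so a non-IP cell may pass here and only be
        # rejected later by event.add() — confirm that is intended.
        ip_pattern = re.compile(
            r'(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])'
            r'\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0'
            r'-5])|(([a-zA-Z]|[a-zA-Z][a-zA-Z0-9\-]*[a-zA-Z0-9])'
            r'\.)*([A-Za-z]|[A-Za-z][A-Za-z0-9\-]*[A-Za-z0-9])|'
            r'\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|('
            r'([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]'
            r'|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d'
            r'\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:['
            r'0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|['
            r'1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|'
            r':))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1'
            r',3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d'
            r'\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){'
            r'3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,'
            r'4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-'
            r'4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-'
            r'9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-'
            r'Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0'
            r'-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1'
            r'\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(('
            r'(:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4'
            r'}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2['
            r'0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]'
            r'{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2'
            r'[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|'
            r'[1-9]?\d)){3}))|:)))(%.+)?')

        for row in utils.csv_reader(raw_report,
                                    delimiter=str(self.parameters.delimiter)):
            event = Event(report)

            for key, value in zip(columns, row):

                if key in ["__IGNORE__", ""]:
                    continue
                try:
                    if key in ["time.source", "time.destination"]:
                        value = parse(value, fuzzy=True).isoformat()
                        value += " UTC"
                    elif key in ["source.ip", "destination.ip"]:
                        # match() returns None when nothing address-like is
                        # found; the resulting AttributeError is handled below.
                        value = ip_pattern.match(value).group()
                    elif key.endswith('.url') and '://' not in value:
                        value = self.parameters.default_url_protocol + value
                except Exception:
                    # A bare ``except:`` would also swallow KeyboardInterrupt
                    # and SystemExit; only data errors belong here.
                    self.logger.exception('Encountered error while parsing '
                                          'line in csv file, ignoring.')
                    continue
                event.add(key, value)

            event.add('classification.type', self.parameters.type)
            event.add("raw", ",".join(row))

            self.send_message(event)
        self.acknowledge_message()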
コード例 #15
    def process(self):
        """Parse a header-keyed HTTP "drone" CSV into ``botnet drone`` events.

        One event per row. Source fields describe the infected host,
        destination fields the contacted server; HTTP details, OS
        fingerprint and industry codes are collected under ``extra`` (only
        added when at least one value is present). Empty optional cells are
        skipped.
        """
        report = self.receive_message()

        if report is None or not report.contains("raw"):
            self.acknowledge_message()
            return

        def add_if_present(field, column):
            # Only non-empty cells are handed to harmonisation.
            if row[column]:
                event.add(field, row[column])

        def extra_if_present(name, column):
            if row[column]:
                extra[name] = row[column]

        decoded = utils.base64_decode(report["raw"])
        for row in utils.csv_reader(decoded, dictreader=True):
            event = Event(report)
            extra = {}
            self.logger.debug(repr(row))

            event.add('time.source', row['timestamp'] + ' UTC')
            event.add('source.ip', row['ip'])
            event.add('source.asn', row['asn'])
            event.add('source.geolocation.cc', row['geo'])
            # A full URL needs both host and path; a path alone is kept as extra.
            if row['http_host'] and row['url']:
                event.add('destination.url', row['http_host'] + row['url'])
            elif row['url']:
                extra['url'] = row['url']  # incomplete URL
            event.add('malware.name', row['type'])
            extra_if_present('http_agent', 'http_agent')
            add_if_present('source.tor_node', 'tor')
            event.add('source.port', row['src_port'])
            extra_if_present('os.name', 'p0f_genre')
            extra_if_present('os.version', 'p0f_detail')
            add_if_present('source.reverse_dns', 'hostname')
            event.add('destination.port', row['dst_port'])
            extra_if_present('http_host', 'http_host')
            # The feed writes the literal string "null" for a missing referer.
            if row['http_referer'] not in ['', 'null']:
                extra['http_referer'] = row['http_referer']
            extra_if_present('http_referer_asn', 'http_referer_asn')
            extra_if_present('http_referer_geo', 'http_referer_geo')
            add_if_present('destination.ip', 'dst_ip')
            add_if_present('destination.asn', 'dst_asn')
            add_if_present('destination.geolocation.cc', 'dst_geo')
            # Zero industry codes mean "not classified" and are dropped.
            for column in ('naics', 'sic'):
                code = int(row[column])
                if code:
                    extra[column] = code

            event.add('raw', '"' + ','.join(map(str, row.items())) + '"')
            if extra:
                event.add('extra', extra)
            event.add('classification.type', 'botnet drone')
            event.add('protocol.application', 'http')
            self.send_message(event)

        self.acknowledge_message()
コード例 #16
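    def process(self):
        """Parse a generic, column-configurable CSV report into events.

        ``self.parameters.columns`` names one harmonisation field per CSV
        column (``"__IGNORE__"`` or ``""`` drops a column). Time fields are
        normalised with a fuzzy date parse and tagged ``UTC``, IP fields are
        reduced to the first address-like token matched in the cell, and
        ``*.url`` fields without a scheme get
        ``self.parameters.default_url_protocol`` prepended. A cell whose
        conversion fails is logged and dropped; the rest of the row is still
        sent as an event of type ``self.parameters.type``.
        """
        report = self.receive_message()

        if not report or not report.contains("raw"):
            self.acknowledge_message()
            return

        columns = self.parameters.columns

        raw_report = utils.base64_decode(report.get("raw"))
        # ignore lines starting with #
        raw_report = re.sub(r'(?m)^#.*\n?', '', raw_report)
        # ignore null bytes
        raw_report = re.sub(r'(?m)\0', '', raw_report)

        # regex from http://stackoverflow.com/a/23483979
        # matching ipv4/ipv6 IP within string; compiled once per report
        # instead of once per cell. NOTE(review): the second alternative also
        # accepts bare hostnames, so a non-IP cell may pass here and only be
        # rejected later by event.add() — confirm that is intended.
        ip_pattern = re.compile(
            r'(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])'
            r'\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0'
            r'-5])|(([a-zA-Z]|[a-zA-Z][a-zA-Z0-9\-]*[a-zA-Z0-9])'
            r'\.)*([A-Za-z]|[A-Za-z][A-Za-z0-9\-]*[A-Za-z0-9])|'
            r'\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|('
            r'([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]'
            r'|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d'
            r'\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:['
            r'0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|['
            r'1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|'
            r':))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1'
            r',3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d'
            r'\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){'
            r'3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,'
            r'4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-'
            r'4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-'
            r'9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-'
            r'Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0'
            r'-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1'
            r'\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(('
            r'(:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4'
            r'}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2['
            r'0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]'
            r'{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2'
            r'[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|'
            r'[1-9]?\d)){3}))|:)))(%.+)?')

        for row in utils.csv_reader(raw_report,
                                    delimiter=str(self.parameters.delimiter)):
            event = Event(report)

            for key, value in zip(columns, row):

                if key in ["__IGNORE__", ""]:
                    continue
                try:
                    if key in ["time.source", "time.destination"]:
                        value = parse(value, fuzzy=True).isoformat()
                        value += " UTC"
                    elif key in ["source.ip", "destination.ip"]:
                        # match() returns None when nothing address-like is
                        # found; the resulting AttributeError is handled below.
                        value = ip_pattern.match(value).group()
                    elif key.endswith('.url') and '://' not in value:
                        value = self.parameters.default_url_protocol + value
                except Exception:
                    # A bare ``except:`` would also swallow KeyboardInterrupt
                    # and SystemExit; only data errors belong here.
                    self.logger.exception('Encountered error while parsing '
                                          'line in csv file, ignoring.')
                    continue
                event.add(key, value)

            event.add('classification.type', self.parameters.type)
            event.add("raw", ",".join(row))

            self.send_message(event)
        self.acknowledge_message()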
コード例 #17
    def process(self):
        """Parse a header-keyed HTTP "drone" CSV into ``botnet drone`` events.

        One event per row. Source fields describe the infected host,
        destination fields the contacted server; HTTP details, OS
        fingerprint and industry codes go under ``extra``, which is only
        attached when non-empty. Empty optional cells are skipped.
        """
        report = self.receive_message()

        if report is None or not report.contains("raw"):
            self.acknowledge_message()
            return

        def add_if_present(field, column):
            # Only non-empty cells are handed to harmonisation.
            if row[column]:
                event.add(field, row[column])

        def extra_if_present(name, column):
            if row[column]:
                extra[name] = row[column]

        decoded = utils.base64_decode(report["raw"])
        for row in utils.csv_reader(decoded, dictreader=True):
            event = Event(report)
            extra = {}
            self.logger.debug(repr(row))

            event.add('time.source', row['timestamp'] + ' UTC')
            event.add('source.ip', row['ip'])
            event.add('source.asn', row['asn'])
            event.add('source.geolocation.cc', row['geo'])
            # A full URL needs both host and path; a path alone is kept as extra.
            if row['http_host'] and row['url']:
                event.add('destination.url', row['http_host'] + row['url'])
            elif row['url']:
                extra['url'] = row['url']  # incomplete URL
            event.add('malware.name', row['type'])
            extra_if_present('http_agent', 'http_agent')
            add_if_present('source.tor_node', 'tor')
            event.add('source.port', row['src_port'])
            extra_if_present('os.name', 'p0f_genre')
            extra_if_present('os.version', 'p0f_detail')
            add_if_present('source.reverse_dns', 'hostname')
            event.add('destination.port', row['dst_port'])
            extra_if_present('http_host', 'http_host')
            # The feed writes the literal string "null" for a missing referer.
            if row['http_referer'] not in ['', 'null']:
                extra['http_referer'] = row['http_referer']
            extra_if_present('http_referer_asn', 'http_referer_asn')
            extra_if_present('http_referer_geo', 'http_referer_geo')
            add_if_present('destination.ip', 'dst_ip')
            add_if_present('destination.asn', 'dst_asn')
            add_if_present('destination.geolocation.cc', 'dst_geo')
            # Zero industry codes mean "not classified" and are dropped.
            for column in ('naics', 'sic'):
                code = int(row[column])
                if code:
                    extra[column] = code

            event.add('raw', '"' + ','.join(map(str, row.items())) + '"')
            if extra:
                event.add('extra', extra)
            event.add('classification.type', 'botnet drone')
            event.add('protocol.application', 'http')
            self.send_message(event)

        self.acknowledge_message()