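def run_knownbad(self):
    """Run the known-bad-host module and report its progress in job_stats.

    Loads the configured sources, pulls a (host, source) pair from each and
    sends one CEF syslog event per non-empty host.  Progress is published in
    ``job_stats['knownbad']``; that entry is updated in place so the
    ``status``/``started``/``events`` keys survive the intermediate
    ``message`` updates (replacing the whole dict made
    ``job_stats['knownbad']['events'] + 1`` raise KeyError on the first
    event, and the original also referenced a misspelled ``jobs_stats``).
    """
    def _now():
        # Timestamp without fractional seconds, same shape the dashboard reads.
        return str(datetime.now()).split('.')[0]

    def _cef_ext(value):
        # CEF extension values must escape backslash, '=' and line breaks.
        # host/source strings come from external feeds, so without this an
        # entry could inject extra key=value pairs or split the syslog record.
        text = '%s' % (value,)
        return (text.replace('\\', '\\\\')
                    .replace('=', '\\=')
                    .replace('\r', '\\r')
                    .replace('\n', '\\n'))

    stats = {
        'status': 'running',
        'started': _now(),
        'message': 'loading sources',
        'events': 0,
    }
    job_stats['knownbad'] = stats

    if not knownbad.load_sources():
        stats.update({
            'status': 'finished',
            'message': 'finished with errors',
            'ended': _now(),
        })
        return

    for src in knownbad.sources:
        stats['message'] = 'gathering data from sources'
        self.host, self.source = knownbad.gather_data(src)
        if not self.host:
            # Nothing usable came back from this source; move on to the next.
            continue
        stats['message'] = 'sending syslog events'
        self.cef = (
            'CEF:0|OSINT|ArcReactor|1.0|100|Known Malicious Host|1|src=%s msg=%s'
            % (_cef_ext(self.host), _cef_ext(self.source))
        )
        reactor.send_syslog(self.cef)
        stats['events'] += 1

    stats.update({
        'status': 'finished',
        'message': 'finished successfully',
        'ended': _now(),
    })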
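def run_knownbad(self):
    """Run the known-bad-host module and report its progress in job_stats.

    Loads the configured sources, pulls a (host, source) pair from each and
    sends one CEF syslog event per non-empty host.  Progress is published in
    ``job_stats['knownbad']``; that entry is updated in place so the
    ``status``/``started``/``events`` keys survive the intermediate
    ``message`` updates (replacing the whole dict made
    ``job_stats['knownbad']['events'] + 1`` raise KeyError on the first
    event, and the original also referenced a misspelled ``jobs_stats``).
    """
    def _now():
        # Timestamp without fractional seconds, same shape the dashboard reads.
        return str(datetime.now()).split('.')[0]

    def _cef_ext(value):
        # CEF extension values must escape backslash, '=' and line breaks.
        # host/source strings come from external feeds, so without this an
        # entry could inject extra key=value pairs or split the syslog record.
        text = '%s' % (value,)
        return (text.replace('\\', '\\\\')
                    .replace('=', '\\=')
                    .replace('\r', '\\r')
                    .replace('\n', '\\n'))

    stats = {
        'status': 'running',
        'started': _now(),
        'message': 'loading sources',
        'events': 0,
    }
    job_stats['knownbad'] = stats

    if not knownbad.load_sources():
        stats.update({
            'status': 'finished',
            'message': 'finished with errors',
            'ended': _now(),
        })
        return

    for src in knownbad.sources:
        stats['message'] = 'gathering data from sources'
        self.host, self.source = knownbad.gather_data(src)
        if not self.host:
            # Nothing usable came back from this source; move on to the next.
            continue
        stats['message'] = 'sending syslog events'
        self.cef = (
            'CEF:0|OSINT|ArcReactor|1.0|100|Known Malicious Host|1|src=%s msg=%s'
            % (_cef_ext(self.host), _cef_ext(self.source))
        )
        reactor.send_syslog(self.cef)
        stats['events'] += 1

    stats.update({
        'status': 'finished',
        'message': 'finished successfully',
        'ended': _now(),
    })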
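def gather_data():
    """Pull the AlienVault OTX reputation feed and emit one CEF event per entry.

    Each non-comment line of the feed is expected as ``<addr> # <info>``; the
    ``info`` text becomes the CEF event name and ``addr`` the ``src`` field.
    Lines without a ``#`` separator are skipped.

    Returns:
        True when the feed was fetched and processed, False when the request
        failed, returned nothing, or processing raised.
    """
    url = 'http://reputation.alienvault.com/reputation.snort'

    def _cef_header(value):
        # CEF header fields (here the event name) must escape backslash and '|'.
        text = '%s' % (value,)
        return text.replace('\\', '\\\\').replace('|', '\\|')

    def _cef_ext(value):
        # Extension values must escape backslash, '=' and line breaks so a
        # crafted feed line cannot inject extra fields or split the record.
        text = '%s' % (value,)
        return (text.replace('\\', '\\\\')
                    .replace('=', '\\=')
                    .replace('\r', '\\r')
                    .replace('\n', '\\n'))

    try:
        data = reactor.http_request(url)
    except Exception:
        reactor.status('warn', 'OTX', 'failed to retrieve OTX database')
        return False
    if data is None:
        reactor.status('warn', 'OTX', 'failed to retrieve OTX database')
        return False

    reactor.status('info', 'OTX', 'attempting to parse reputation data')
    # `count` was never initialised before; the first `count += 1` raised and
    # the bare except reported a bogus "failed to retrieve".
    count = 0
    try:
        for line in data.splitlines():
            line = line.strip()
            # Skip blank lines and comments.  The original test used `or`,
            # which let '#'-prefixed lines through as empty-address events.
            if not line or line.startswith('#'):
                continue
            addr, sep, info = line.partition('#')
            if not sep:
                # No 'addr # info' structure on this line; skip it.
                continue
            addr, info = addr.strip(), info.strip()
            cef = 'CEF:0|OSINT|ArcReactor|1.0|100|%s|1|src=%s msg=%s' % (
                _cef_header(info), _cef_ext(addr), url)
            reactor.status('info', 'OTX',
                           'sending CEF syslog for %s - %s' % (info, addr))
            reactor.send_syslog(cef)
            count += 1
    except Exception as exc:
        # Narrowed from a bare `except:` and given a message that names the
        # phase that actually failed.
        reactor.status('warn', 'OTX', 'failed to process OTX database: %s' % exc)
        return False

    reactor.status('info', 'OTX', 'sent %d total events' % count)
    return True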
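def run_pastebin(self):
    """Run the pastebin watchlist module and report its progress in job_stats.

    Loads the keyword list, collects the post archive, searches every queued
    post and sends one CEF syslog event per matching post in
    ``pastebin.found``.  The ``job_stats['pastebin']`` entry is updated in
    place so ``status``, ``started`` and ``events`` survive the intermediate
    ``message`` updates (the original replaced the whole dict each time).
    """
    def _now():
        # Timestamp without fractional seconds, same shape the dashboard reads.
        return str(datetime.now()).split('.')[0]

    def _cef_ext(value):
        # CEF extension values must escape backslash, '=' and line breaks.
        # The paste body is attacker-controlled text, so without this a paste
        # could inject extra key=value pairs or split the syslog record.
        text = '%s' % (value,)
        return (text.replace('\\', '\\\\')
                    .replace('=', '\\=')
                    .replace('\r', '\\r')
                    .replace('\n', '\\n'))

    stats = {
        'status': 'running',
        'started': _now(),
        'message': 'loading keywords',
        'events': 0,
    }
    job_stats['pastebin'] = stats
    reactor.status('info', 'pastebin', 'launching pastebin module')

    if not pastebin.load_words():
        stats.update({
            'status': 'finished',
            'message': 'finished with errors',
            'ended': _now(),
        })
        return

    stats['message'] = 'collecting post archive'
    pastebin.gather_archive()

    for post in pastebin.queue:
        stats['message'] = 'searching post %s' % post
        # search_raw is invoked from inside gather_content
        pastebin.gather_content(post)

    stats['events'] = len(pastebin.found)
    # .items() instead of .iteritems(): same pairs, works on Python 2 and 3.
    for post_id, data in pastebin.found.items():
        stats['message'] = 'sending syslog events'
        self.post_id, self.data = post_id, data
        # NOTE(review): `data` is the matched post content; very long pastes
        # may exceed the syslog transport's message size -- verify against
        # reactor.send_syslog.
        self.cef = (
            'CEF:0|OSINT|ArcReactor|1.0|100|Watchlist Keyword Found|1|src=%s msg=%s'
            % (_cef_ext(post_id), _cef_ext(data))
        )
        reactor.send_syslog(self.cef)

    stats.update({
        'status': 'finished',
        'message': 'finished successfully',
        'ended': _now(),
    })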
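def run_pastebin(self):
    """Run the pastebin watchlist module and report its progress in job_stats.

    Loads the keyword list, collects the post archive, searches every queued
    post and sends one CEF syslog event per matching post in
    ``pastebin.found``.  The ``job_stats['pastebin']`` entry is updated in
    place so ``status``, ``started`` and ``events`` survive the intermediate
    ``message`` updates (the original replaced the whole dict each time).
    """
    def _now():
        # Timestamp without fractional seconds, same shape the dashboard reads.
        return str(datetime.now()).split('.')[0]

    def _cef_ext(value):
        # CEF extension values must escape backslash, '=' and line breaks.
        # The paste body is attacker-controlled text, so without this a paste
        # could inject extra key=value pairs or split the syslog record.
        text = '%s' % (value,)
        return (text.replace('\\', '\\\\')
                    .replace('=', '\\=')
                    .replace('\r', '\\r')
                    .replace('\n', '\\n'))

    stats = {
        'status': 'running',
        'started': _now(),
        'message': 'loading keywords',
        'events': 0,
    }
    job_stats['pastebin'] = stats
    reactor.status('info', 'pastebin', 'launching pastebin module')

    if not pastebin.load_words():
        stats.update({
            'status': 'finished',
            'message': 'finished with errors',
            'ended': _now(),
        })
        return

    stats['message'] = 'collecting post archive'
    pastebin.gather_archive()

    for post in pastebin.queue:
        stats['message'] = 'searching post %s' % post
        # search_raw is invoked from inside gather_content
        pastebin.gather_content(post)

    stats['events'] = len(pastebin.found)
    # .items() instead of .iteritems(): same pairs, works on Python 2 and 3.
    for post_id, data in pastebin.found.items():
        stats['message'] = 'sending syslog events'
        self.post_id, self.data = post_id, data
        # NOTE(review): `data` is the matched post content; very long pastes
        # may exceed the syslog transport's message size -- verify against
        # reactor.send_syslog.
        self.cef = (
            'CEF:0|OSINT|ArcReactor|1.0|100|Watchlist Keyword Found|1|src=%s msg=%s'
            % (_cef_ext(post_id), _cef_ext(data))
        )
        reactor.send_syslog(self.cef)

    stats.update({
        'status': 'finished',
        'message': 'finished successfully',
        'ended': _now(),
    })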