def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) ioc_keys: List[str] = [ 'received', 'x-orig-ip', 'x-originating-ip', 'x-remote-ip', 'x-sender-ip', 'body', 'body_html', ] self.omit_body = config.getboolean('options', 'omit_body', fallback=False) self.always_dispatch = config.getlist('options', 'always_dispatch', fallback=[]) self.archive_attachments = config.getboolean('options', 'archive_attachments', fallback=True) self.extract_iocs = config.getboolean('options', 'extract_iocs', fallback=False) self.ioc_keys = config.getlist('options', 'ioc_keys', fallback=ioc_keys)
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.dispatch_rules = None self.worker_rules = None filename = getframeinfo(currentframe()).filename # type: ignore parent = Path(filename).resolve().parent self.timeout = config.getint('options', 'timeout', fallback=60) self.strings_limit = config.getint('options', 'strings_limit', fallback=None) self.xor_first_match = config.getboolean('options', 'xor_first_match', fallback=True) dispatch_ruleset = config.get('options', 'dispatch_rules', fallback='rules/dispatcher.yar') if dispatch_ruleset: if not os.path.isabs(dispatch_ruleset): dispatch_ruleset = os.path.join(parent, dispatch_ruleset) self.dispatch_rules = self._compile_rules(dispatch_ruleset) worker_ruleset = config.get('options', 'worker_rules', fallback='rules/stoq.yar') if worker_ruleset: if not os.path.isabs(worker_ruleset): worker_ruleset = os.path.join(parent, worker_ruleset) self.worker_rules = self._compile_rules(worker_ruleset)
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.decompress_files = config.getboolean( 'options', 'decompress_files', fallback=True ) self.derive_deflate_level = config.getboolean( 'options', 'derive_deflate_level', fallback=True )
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.mongo_client = None self.mongodb_uri = config.get('options', 'mongodb_uri', fallback=None) self.mongodb_collection = config.get( 'options', 'mongodb_collection', fallback='stoq' )
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.client = None self.access_key = config.get('options', 'access_key', fallback=None) self.secret_key = config.get('options', 'secret_key', fallback=None) self.archive_bucket = config.get('options', 'archive_bucket', fallback=None) self.connector_bucket = config.get('options', 'connector_bucket', fallback=None) self.use_sha = config.getboolean('archiver', 'use_sha', fallback=True)
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.apikey = config.get('options', 'apikey', fallback=None) self.time_since = config.get('options', 'time_since', fallback='1m') self.download = config.getboolean('options', 'download', fallback=False) if not self.apikey: raise StoqPluginException('VTMIS API Key does not exist')
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) filename = getframeinfo(currentframe()).filename # type: ignore parent = Path(filename).resolve().parent self.terms = config.get('options', 'terms', fallback='terms.txt') if not os.path.isabs(self.terms): self.terms = os.path.join(parent, self.terms) self.bin = config.get('options', 'bin_path', fallback='xorsearch')
def __init__(self, config: StoqConfigParser) -> None: self.config = config self.plugin_name = config.get('Core', 'Name') self.__author__ = config.get('Documentation', 'Author', fallback='') self.__version__ = config.get('Documentation', 'Version', fallback='') self.__website__ = config.get('Documentation', 'Website', fallback='') self.__description__ = config.get('Documentation', 'Description', fallback='') self.log = logging.getLogger(f'stoq.{self.plugin_name}')
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.publish_archive = config.getboolean( 'options', 'publish_archive', fallback=True ) self.redis_host = config.get('options', 'redis_host', fallback='127.0.0.1') self.redis_port = config.getint('options', 'redis_port', fallback=6379) self.max_connections = config.getint('options', 'max_connections', fallback=15) self.redis_queue = config.get('options', 'redis_queue', fallback='stoq') self._connect()
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.required_workers.add('mimetype') self.timeout = config.getint('options', 'timeout', fallback=45) self.passwords = config.getlist( 'options', 'passwords', fallback=['-', 'infected', 'password'] ) self.maximum_size = config.getint( 'options', 'maximum_size', fallback=50_000_000 )
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.opswat_url = config.get('options', 'opswat_url', fallback=None) if not self.opswat_url: raise StoqPluginException('MetaDefender URL was not provided') self.apikey = config.get('options', 'apikey', fallback=None) if not self.apikey: raise StoqPluginException('MetaDefender API Key was not provided') self.delay = config.getint('options', 'delay', fallback=10) self.max_attempts = config.getint('options', 'max_attempts', fallback=10)
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.source_dir = config.get('options', 'source_dir', fallback=None) self.recursive = config.getboolean('options', 'recursive', fallback=False) self.results_dir = config.get('options', 'results_dir', fallback=os.path.join( os.getcwd(), 'results')) self.date_mode = config.getboolean('options', 'date_mode', fallback=False) self.date_format = config.get('options', 'date_format', fallback='%Y/%m/%d') self.compactly = config.getboolean('options', 'compactly', fallback=True) self.archive_dir = config.get('options', 'archive_dir', fallback=os.path.join( os.getcwd(), 'archive')) self.use_sha = config.getboolean('options', 'use_sha', fallback=True)
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.required_workers.add('mimetype') self.timeout = config.getint('options', 'timeout', fallback=45) self.passwords = config.getlist( 'options', 'passwords', fallback=['-', 'infected', 'password'] ) self.maximum_size = config.getint( 'options', 'maximum_size', fallback=50_000_000 ) self.always_dispatch = config.getlist('options', 'always_dispatch', fallback=[]) self.archive_extracted = config.getboolean( 'options', 'archive_extracted', fallback=True )
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.workspaceid = config.get('options', 'workspaceid', fallback=None) if not self.workspaceid: raise StoqPluginException('workspaceid has not been defined') self.workspacekey = config.get('options', 'workspacekey', fallback=None) if not self.workspacekey: raise StoqPluginException('workspacekey has not been defined') self.logtype = config.get('options', 'logtype', fallback='stoQ') self.uri = f'https://{self.workspaceid}.ods.opinsights.azure.com{self.API_RESOURCE}?api-version={self.API_VERSION}'
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.publish_client = None self.ingest_client = None self.project_id = config.get('options', 'project_id') self.max_messages = config.getint('options', 'max_messages', fallback=10) self.publish_archive = config.getboolean('options', 'publish_archive', fallback=True) self.topic = config.get('options', 'topic', fallback='stoq') self.subscription = config.get('options', 'subscription', fallback='stoq')
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.conn_str = config.get('options', 'conn_str', fallback=None) if not self.conn_str: raise StoqPluginException('conn_str has not been defined') self.results_container = config.get('options', 'results_container', fallback='stoq-results') self.archive_container = config.get('options', 'archive_container', fallback='stoq-archive') self.use_sha = config.getboolean('options', 'use_sha', fallback=True) self.use_datetime = config.getboolean('options', 'use_datetime', fallback=False)
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.source_dir = config.get('options', 'source_dir', fallback=None) if not self.source_dir or not os.path.exists(self.source_dir): raise StoqPluginException( f"Source directory not defined or doesn't exist: '{self.source_dir}'" ) self.source_dir = os.path.abspath(self.source_dir)
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) filename = getframeinfo(currentframe()).filename parent = Path(filename).resolve().parent self.template = config.get('options', 'template', fallback='stoq.tpl') if self.template: self.template = os.path.abspath(os.path.join( parent, self.template))
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) filename = getframeinfo(currentframe()).filename parent = Path(filename).resolve().parent self.bin = config.get('options', 'bin', fallback='trid') self.skip_warnings = config.getlist( 'options', 'skip_warnings', fallback=['file seems to be plain text/ASCII']) self.trid_defs = config.get('options', 'trid_defs', fallback='triddefs.trd') if not os.path.isabs(self.trid_defs) and self.trid_defs: self.trid_defs = os.path.join(parent, self.trid_defs) if not os.path.isfile(self.trid_defs): raise StoqPluginException( f'TrID definitions do not exist at {self.trid_defs}')
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.project_id = config.get('options', 'project_id', fallback=None) if not self.project_id: raise StoqPluginException('project_id has not been defined') self.archive_bucket = config.get('options', 'archive_bucket', fallback='') self.connector_bucket = config.get('options', 'connector_bucket', fallback='') self.use_sha = config.getboolean('options', 'use_sha', fallback=True) self.use_datetime = config.getboolean('options', 'use_datetime', fallback=False) self.max_retries = config.getint('options', 'max_retries', fallback=5) self.use_encryption = config.getboolean( 'options', 'use_encryption', fallback=False ) if self.use_encryption: self.crypto_id = config.get('options', 'crypto_id') self.keyring_id = config.get('options', 'keyring_id') self.location_id = config.get('options', 'location_id') # Creates an API client for the KMS API. self.kms_client = googleapiclient.discovery.build( 'cloudkms', 'v1', cache_discovery=False ) self.kms_key = f'projects/{self.project_id}/locations/{self.location_id}/keyRings/{self.keyring_id}/cryptoKeys/{self.crypto_id}'
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.es = None self.es_host = config.get('options', 'es_host', fallback=None) self.es_options = json.loads( config.get('options', 'es_options', fallback='{}')) self.es_timeout = config.getint('options', 'es_timeout', fallback=60) self.es_retry = config.getboolean('options', 'es_retry', fallback=True) self.es_max_retries = config.getint('options', 'es_max_retries', fallback=10) self.es_index = config.get('options', 'es_index', fallback='stoq') self.index_by_month = config.getboolean('options', 'index_by_month', fallback=True)
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.producer = None self.servers = config.getlist('options', 'servers', fallback=['127.0.0.1:9092']) self.group = config.get('options', 'group', fallback='stoq') self.topic = config.get('options', 'topic', fallback="stoq") self.publish_archive = config.getboolean( 'options', 'publish_archive', fallback=True ) self.retries = config.getint('options', 'retries', fallback=5) self.session_timeout_ms = config.getint( 'options', 'session_timeout_ms', fallback=15000 ) self.heartbeat_interval_ms = config.getint( 'options', 'heartbeat_interval_ms', fallback=5000 )
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.sandbox_url = config.get('options', 'sandbox_url', fallback=None) if not self.sandbox_url: raise StoqPluginException("Falcon Sandbox URL was not provided") self.apikey = config.get('options', 'apikey', fallback=None) if not self.apikey: raise StoqPluginException("Falcon Sandbox API Key was not provided") self.delay = config.getint('options', 'delay', fallback=30) self.max_attempts = config.getint('options', 'max_attempts', fallback=10) self.useragent = config.get('options', 'useragent', fallback='Falcon Sandbox') # Available environments ID: # 300: 'Linux (Ubuntu 16.04, 64 bit)', # 200: 'Android Static Analysis’, # 160: 'Windows 10 64 bit’, # 110: 'Windows 7 64 bit’, # 100: ‘Windows 7 32 bit’ self.environment_id = config.getint('options', 'environment_id', fallback=160) self.wait_for_results = config.getboolean( 'options', 'wait_for_results', fallback=True )
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.bin = config.get('options', 'bin', fallback='exiftool')
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.whitelist_file = config.getlist( 'options', 'whitelist_file', fallback=['whitelist.txt'] ) self.iana_url = config.get( 'options', 'iana_url', fallback='https://data.iana.org/TLD/tlds-alpha-by-domain.txt', ) self.iana_tld_file = config.get( 'options', 'iana_tld_file', fallback='tlds-alpha-by-domain.txt' ) iana_tlds = self._get_iana_tlds() # Helper regexes self.helpers: Dict = {} self.helpers[ 'dot' ] = r"(?:\.|\[\.\]|\<\.\>|\{\.\}|\(\.\)|\<DOT\>|\[DOT\]|\{DOT\}|\(DOT\))" self.helpers[ 'at' ] = r"(?:@|\[@\]|\<@\>|\{@\}|\(@\)|\<AT\>|\[AT\]|\{AT\}|\(AT\))" self.helpers['http'] = r"\b(?:H(?:XX|TT)P|MEOW):\/\/" self.helpers['https'] = r"\b(?:H(?:XX|TT)PS|MEOWS):\/\/" self.helpers['tld'] = self.helpers['dot'] + r"(?:%s)\b" % iana_tlds self.helpers['host'] = r"\b(?:[A-Z0-9\-]+%s){0,4}" % self.helpers['dot'] self.helpers['domain'] = r"[A-Z0-9\-]{2,50}" + self.helpers['tld'] self.helpers['fqdn'] = "{0}{1}".format( self.helpers['host'], self.helpers['domain'] ) # Simple normalizers, post-processing # key=regex_name, value=replacement value # re.sub(regex_name, replacement) self.normalizers = { 'dot': '.', 'at': '@', 'http': 'http://', 'https': 'https://', 'tld': lambda m: m.group(0).lower(), 'domain': lambda m: m.group(0).lower(), 'fqdn': lambda m: m.group(0).lower(), } # Data-type regexes self.ioctypes: Dict = {} self.ioctypes['md5'] = r"\b[A-F0-9]{32}\b" self.ioctypes['sha1'] = r"\b[A-F0-9]{40}\b" self.ioctypes['sha256'] = r"\b[A-F0-9]{64}\b" self.ioctypes['sha512'] = r"\b[A-F0-9]{128}\b" self.ioctypes['ipv4'] = ( r"\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)%s){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" % self.helpers['dot'] ) self.ioctypes[ 'ipv6' ] = r"(?:(?:(?:\b|::)(?:(?:[\dA-F]{1,4}(?::|::)){1,7})(?:[\dA-F]{1,4}))(?:(?:(?:\.\d{1,3})?){3})(?:::|\b))|(?:[\dA-F]{1,4}::)|(?:::[\dA-F]{1,4}(?:(?:(?:\.\d{1,3})?){3}))" self.ioctypes['mac_address'] = r"\b(?i)(?:[0-9A-F]{2}[:-]){5}(?:[0-9A-F]{2})\b" self.ioctypes['email'] = "{0}{1}{2}".format( r"\b[A-Z0-9\.\_\%\+\-]+", self.helpers['at'], self.helpers['fqdn'] ) self.ioctypes['domain'] = self.helpers['fqdn'] self.ioctypes['url'] = "(?:{0}|{1})(?:{2}|{3}|{4}){5}".format( self.helpers['http'], self.helpers['https'], self.helpers['fqdn'], self.ioctypes['ipv4'], self.ioctypes['ipv6'], r"(?:[\:\/][A-Z0-9\/\:\+\%\.\_\-\=\~\&\\#\?]*){0,1}", ) # Compile regexes for faster repeat usage self.compiled_re: Dict = {} self.whitelist_patterns: Dict[str, Set] = {} for ioc in self.ioctypes: self.whitelist_patterns[ioc] = set() self.compiled_re[ioc] = re.compile(self.ioctypes[ioc], re.IGNORECASE) self._load_whitelist()
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.abstract = config.getbool('options', 'abstract', fallback=True)
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.pe_headers = config.get('options', 'pe_headers', fallback='\x4d\x5a|\x5a\x4d').encode()
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.conn_str = config.get('options', 'conn_str', fallback=None) if not self.conn_str: raise StoqPluginException('conn_str has not been defined')
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.required_workers = config.getset('options', 'required_workers', fallback=set())
def __init__(self, config: StoqConfigParser) -> None: super().__init__(config) self.apikey = config.get('options', 'apikey', fallback=None) if not self.apikey: raise StoqPluginException("VTMIS API Key does not exist")