コード例 #1
0
ファイル: smtp.py プロジェクト: ytreister/stoq-plugins-public
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        ioc_keys: List[str] = [
            'received',
            'x-orig-ip',
            'x-originating-ip',
            'x-remote-ip',
            'x-sender-ip',
            'body',
            'body_html',
        ]
        self.omit_body = config.getboolean('options',
                                           'omit_body',
                                           fallback=False)
        self.always_dispatch = config.getlist('options',
                                              'always_dispatch',
                                              fallback=[])
        self.archive_attachments = config.getboolean('options',
                                                     'archive_attachments',
                                                     fallback=True)
        self.extract_iocs = config.getboolean('options',
                                              'extract_iocs',
                                              fallback=False)
        self.ioc_keys = config.getlist('options',
                                       'ioc_keys',
                                       fallback=ioc_keys)
コード例 #2
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        self.dispatch_rules = None
        self.worker_rules = None
        filename = getframeinfo(currentframe()).filename  # type: ignore
        parent = Path(filename).resolve().parent

        self.timeout = config.getint('options', 'timeout', fallback=60)
        self.strings_limit = config.getint('options',
                                           'strings_limit',
                                           fallback=None)
        self.xor_first_match = config.getboolean('options',
                                                 'xor_first_match',
                                                 fallback=True)
        dispatch_ruleset = config.get('options',
                                      'dispatch_rules',
                                      fallback='rules/dispatcher.yar')
        if dispatch_ruleset:
            if not os.path.isabs(dispatch_ruleset):
                dispatch_ruleset = os.path.join(parent, dispatch_ruleset)
            self.dispatch_rules = self._compile_rules(dispatch_ruleset)

        worker_ruleset = config.get('options',
                                    'worker_rules',
                                    fallback='rules/stoq.yar')
        if worker_ruleset:
            if not os.path.isabs(worker_ruleset):
                worker_ruleset = os.path.join(parent, worker_ruleset)
            self.worker_rules = self._compile_rules(worker_ruleset)
コード例 #3
0
ファイル: xyz.py プロジェクト: ytreister/stoq-plugins-public
 def __init__(self, config: StoqConfigParser) -> None:
     super().__init__(config)
     self.decompress_files = config.getboolean(
         'options', 'decompress_files', fallback=True
     )
     self.derive_deflate_level = config.getboolean(
         'options', 'derive_deflate_level', fallback=True
     )
コード例 #4
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        self.mongo_client = None

        self.mongodb_uri = config.get('options', 'mongodb_uri', fallback=None)
        self.mongodb_collection = config.get(
            'options', 'mongodb_collection', fallback='stoq'
        )
コード例 #5
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        self.client = None
        self.access_key = config.get('options', 'access_key', fallback=None)
        self.secret_key = config.get('options', 'secret_key', fallback=None)
        self.archive_bucket = config.get('options', 'archive_bucket', fallback=None)
        self.connector_bucket = config.get('options', 'connector_bucket', fallback=None)
        self.use_sha = config.getboolean('archiver', 'use_sha', fallback=True)
コード例 #6
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        self.apikey = config.get('options', 'apikey', fallback=None)
        self.time_since = config.get('options', 'time_since', fallback='1m')
        self.download = config.getboolean('options',
                                          'download',
                                          fallback=False)
        if not self.apikey:
            raise StoqPluginException('VTMIS API Key does not exist')
コード例 #7
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        filename = getframeinfo(currentframe()).filename  # type: ignore
        parent = Path(filename).resolve().parent

        self.terms = config.get('options', 'terms', fallback='terms.txt')
        if not os.path.isabs(self.terms):
            self.terms = os.path.join(parent, self.terms)
        self.bin = config.get('options', 'bin_path', fallback='xorsearch')
コード例 #8
0
ファイル: base.py プロジェクト: cptfrankdatank/stoq
 def __init__(self, config: StoqConfigParser) -> None:
     self.config = config
     self.plugin_name = config.get('Core', 'Name')
     self.__author__ = config.get('Documentation', 'Author', fallback='')
     self.__version__ = config.get('Documentation', 'Version', fallback='')
     self.__website__ = config.get('Documentation', 'Website', fallback='')
     self.__description__ = config.get('Documentation',
                                       'Description',
                                       fallback='')
     self.log = logging.getLogger(f'stoq.{self.plugin_name}')
コード例 #9
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        self.publish_archive = config.getboolean(
            'options', 'publish_archive', fallback=True
        )
        self.redis_host = config.get('options', 'redis_host', fallback='127.0.0.1')
        self.redis_port = config.getint('options', 'redis_port', fallback=6379)
        self.max_connections = config.getint('options', 'max_connections', fallback=15)
        self.redis_queue = config.get('options', 'redis_queue', fallback='stoq')
        self._connect()
コード例 #10
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        self.required_workers.add('mimetype')
        self.timeout = config.getint('options', 'timeout', fallback=45)
        self.passwords = config.getlist(
            'options', 'passwords', fallback=['-', 'infected', 'password']
        )
        self.maximum_size = config.getint(
            'options', 'maximum_size', fallback=50_000_000
        )
コード例 #11
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        self.opswat_url = config.get('options', 'opswat_url', fallback=None)
        if not self.opswat_url:
            raise StoqPluginException('MetaDefender URL was not provided')
        self.apikey = config.get('options', 'apikey', fallback=None)
        if not self.apikey:
            raise StoqPluginException('MetaDefender API Key was not provided')
        self.delay = config.getint('options', 'delay', fallback=10)
        self.max_attempts = config.getint('options',
                                          'max_attempts',
                                          fallback=10)
コード例 #12
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        self.source_dir = config.get('options', 'source_dir', fallback=None)
        self.recursive = config.getboolean('options',
                                           'recursive',
                                           fallback=False)
        self.results_dir = config.get('options',
                                      'results_dir',
                                      fallback=os.path.join(
                                          os.getcwd(), 'results'))
        self.date_mode = config.getboolean('options',
                                           'date_mode',
                                           fallback=False)
        self.date_format = config.get('options',
                                      'date_format',
                                      fallback='%Y/%m/%d')
        self.compactly = config.getboolean('options',
                                           'compactly',
                                           fallback=True)
        self.archive_dir = config.get('options',
                                      'archive_dir',
                                      fallback=os.path.join(
                                          os.getcwd(), 'archive'))
        self.use_sha = config.getboolean('options', 'use_sha', fallback=True)
コード例 #13
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        self.required_workers.add('mimetype')
        self.timeout = config.getint('options', 'timeout', fallback=45)
        self.passwords = config.getlist(
            'options', 'passwords', fallback=['-', 'infected', 'password']
        )
        self.maximum_size = config.getint(
            'options', 'maximum_size', fallback=50_000_000
        )
        self.always_dispatch = config.getlist('options', 'always_dispatch', fallback=[])
        self.archive_extracted = config.getboolean(
            'options', 'archive_extracted', fallback=True
        )
コード例 #14
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        self.workspaceid = config.get('options', 'workspaceid', fallback=None)
        if not self.workspaceid:
            raise StoqPluginException('workspaceid has not been defined')

        self.workspacekey = config.get('options',
                                       'workspacekey',
                                       fallback=None)
        if not self.workspacekey:
            raise StoqPluginException('workspacekey has not been defined')

        self.logtype = config.get('options', 'logtype', fallback='stoQ')
        self.uri = f'https://{self.workspaceid}.ods.opinsights.azure.com{self.API_RESOURCE}?api-version={self.API_VERSION}'
コード例 #15
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        self.publish_client = None
        self.ingest_client = None
        self.project_id = config.get('options', 'project_id')
        self.max_messages = config.getint('options',
                                          'max_messages',
                                          fallback=10)
        self.publish_archive = config.getboolean('options',
                                                 'publish_archive',
                                                 fallback=True)
        self.topic = config.get('options', 'topic', fallback='stoq')
        self.subscription = config.get('options',
                                       'subscription',
                                       fallback='stoq')
コード例 #16
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        self.conn_str = config.get('options', 'conn_str', fallback=None)
        if not self.conn_str:
            raise StoqPluginException('conn_str has not been defined')
        self.results_container = config.get('options',
                                            'results_container',
                                            fallback='stoq-results')
        self.archive_container = config.get('options',
                                            'archive_container',
                                            fallback='stoq-archive')
        self.use_sha = config.getboolean('options', 'use_sha', fallback=True)
        self.use_datetime = config.getboolean('options',
                                              'use_datetime',
                                              fallback=False)
コード例 #17
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        self.source_dir = config.get('options', 'source_dir', fallback=None)
        if not self.source_dir or not os.path.exists(self.source_dir):
            raise StoqPluginException(
                f"Source directory not defined or doesn't exist: '{self.source_dir}'"
            )
        self.source_dir = os.path.abspath(self.source_dir)
コード例 #18
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        filename = getframeinfo(currentframe()).filename
        parent = Path(filename).resolve().parent

        self.template = config.get('options', 'template', fallback='stoq.tpl')
        if self.template:
            self.template = os.path.abspath(os.path.join(
                parent, self.template))
コード例 #19
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        filename = getframeinfo(currentframe()).filename
        parent = Path(filename).resolve().parent

        self.bin = config.get('options', 'bin', fallback='trid')
        self.skip_warnings = config.getlist(
            'options',
            'skip_warnings',
            fallback=['file seems to be plain text/ASCII'])
        self.trid_defs = config.get('options',
                                    'trid_defs',
                                    fallback='triddefs.trd')
        if not os.path.isabs(self.trid_defs) and self.trid_defs:
            self.trid_defs = os.path.join(parent, self.trid_defs)
        if not os.path.isfile(self.trid_defs):
            raise StoqPluginException(
                f'TrID definitions do not exist at {self.trid_defs}')
コード例 #20
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        self.project_id = config.get('options', 'project_id', fallback=None)
        if not self.project_id:
            raise StoqPluginException('project_id has not been defined')
        self.archive_bucket = config.get('options', 'archive_bucket', fallback='')
        self.connector_bucket = config.get('options', 'connector_bucket', fallback='')
        self.use_sha = config.getboolean('options', 'use_sha', fallback=True)
        self.use_datetime = config.getboolean('options', 'use_datetime', fallback=False)
        self.max_retries = config.getint('options', 'max_retries', fallback=5)
        self.use_encryption = config.getboolean(
            'options', 'use_encryption', fallback=False
        )
        if self.use_encryption:
            self.crypto_id = config.get('options', 'crypto_id')
            self.keyring_id = config.get('options', 'keyring_id')
            self.location_id = config.get('options', 'location_id')

            # Creates an API client for the KMS API.
            self.kms_client = googleapiclient.discovery.build(
                'cloudkms', 'v1', cache_discovery=False
            )
            self.kms_key = f'projects/{self.project_id}/locations/{self.location_id}/keyRings/{self.keyring_id}/cryptoKeys/{self.crypto_id}'
コード例 #21
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        self.es = None
        self.es_host = config.get('options', 'es_host', fallback=None)
        self.es_options = json.loads(
            config.get('options', 'es_options', fallback='{}'))
        self.es_timeout = config.getint('options', 'es_timeout', fallback=60)
        self.es_retry = config.getboolean('options', 'es_retry', fallback=True)
        self.es_max_retries = config.getint('options',
                                            'es_max_retries',
                                            fallback=10)
        self.es_index = config.get('options', 'es_index', fallback='stoq')
        self.index_by_month = config.getboolean('options',
                                                'index_by_month',
                                                fallback=True)
コード例 #22
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)
        self.producer = None

        self.servers = config.getlist('options', 'servers', fallback=['127.0.0.1:9092'])
        self.group = config.get('options', 'group', fallback='stoq')
        self.topic = config.get('options', 'topic', fallback="stoq")
        self.publish_archive = config.getboolean(
            'options', 'publish_archive', fallback=True
        )
        self.retries = config.getint('options', 'retries', fallback=5)
        self.session_timeout_ms = config.getint(
            'options', 'session_timeout_ms', fallback=15000
        )
        self.heartbeat_interval_ms = config.getint(
            'options', 'heartbeat_interval_ms', fallback=5000
        )
コード例 #23
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        self.sandbox_url = config.get('options', 'sandbox_url', fallback=None)
        if not self.sandbox_url:
            raise StoqPluginException("Falcon Sandbox URL was not provided")
        self.apikey = config.get('options', 'apikey', fallback=None)
        if not self.apikey:
            raise StoqPluginException("Falcon Sandbox API Key was not provided")
        self.delay = config.getint('options', 'delay', fallback=30)
        self.max_attempts = config.getint('options', 'max_attempts', fallback=10)
        self.useragent = config.get('options', 'useragent', fallback='Falcon Sandbox')
        # Available environments ID:
        #     300: 'Linux (Ubuntu 16.04, 64 bit)',
        #     200: 'Android Static Analysis’,
        #     160: 'Windows 10 64 bit’,
        #     110: 'Windows 7 64 bit’,
        #     100: ‘Windows 7 32 bit’
        self.environment_id = config.getint('options', 'environment_id', fallback=160)
        self.wait_for_results = config.getboolean(
            'options', 'wait_for_results', fallback=True
        )
コード例 #24
0
 def __init__(self, config: StoqConfigParser) -> None:
     super().__init__(config)
     self.bin = config.get('options', 'bin', fallback='exiftool')
コード例 #25
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        self.whitelist_file = config.getlist(
            'options', 'whitelist_file', fallback=['whitelist.txt']
        )
        self.iana_url = config.get(
            'options',
            'iana_url',
            fallback='https://data.iana.org/TLD/tlds-alpha-by-domain.txt',
        )
        self.iana_tld_file = config.get(
            'options', 'iana_tld_file', fallback='tlds-alpha-by-domain.txt'
        )
        iana_tlds = self._get_iana_tlds()

        # Helper regexes
        self.helpers: Dict = {}
        self.helpers[
            'dot'
        ] = r"(?:\.|\[\.\]|\<\.\>|\{\.\}|\(\.\)|\<DOT\>|\[DOT\]|\{DOT\}|\(DOT\))"
        self.helpers[
            'at'
        ] = r"(?:@|\[@\]|\<@\>|\{@\}|\(@\)|\<AT\>|\[AT\]|\{AT\}|\(AT\))"
        self.helpers['http'] = r"\b(?:H(?:XX|TT)P|MEOW):\/\/"
        self.helpers['https'] = r"\b(?:H(?:XX|TT)PS|MEOWS):\/\/"
        self.helpers['tld'] = self.helpers['dot'] + r"(?:%s)\b" % iana_tlds
        self.helpers['host'] = r"\b(?:[A-Z0-9\-]+%s){0,4}" % self.helpers['dot']
        self.helpers['domain'] = r"[A-Z0-9\-]{2,50}" + self.helpers['tld']
        self.helpers['fqdn'] = "{0}{1}".format(
            self.helpers['host'], self.helpers['domain']
        )

        # Simple normalizers, post-processing
        # key=regex_name, value=replacement value
        # re.sub(regex_name, replacement)
        self.normalizers = {
            'dot': '.',
            'at': '@',
            'http': 'http://',
            'https': 'https://',
            'tld': lambda m: m.group(0).lower(),
            'domain': lambda m: m.group(0).lower(),
            'fqdn': lambda m: m.group(0).lower(),
        }

        # Data-type regexes
        self.ioctypes: Dict = {}
        self.ioctypes['md5'] = r"\b[A-F0-9]{32}\b"
        self.ioctypes['sha1'] = r"\b[A-F0-9]{40}\b"
        self.ioctypes['sha256'] = r"\b[A-F0-9]{64}\b"
        self.ioctypes['sha512'] = r"\b[A-F0-9]{128}\b"
        self.ioctypes['ipv4'] = (
            r"\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)%s){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
            % self.helpers['dot']
        )
        self.ioctypes[
            'ipv6'
        ] = r"(?:(?:(?:\b|::)(?:(?:[\dA-F]{1,4}(?::|::)){1,7})(?:[\dA-F]{1,4}))(?:(?:(?:\.\d{1,3})?){3})(?:::|\b))|(?:[\dA-F]{1,4}::)|(?:::[\dA-F]{1,4}(?:(?:(?:\.\d{1,3})?){3}))"
        self.ioctypes['mac_address'] = r"\b(?i)(?:[0-9A-F]{2}[:-]){5}(?:[0-9A-F]{2})\b"
        self.ioctypes['email'] = "{0}{1}{2}".format(
            r"\b[A-Z0-9\.\_\%\+\-]+", self.helpers['at'], self.helpers['fqdn']
        )
        self.ioctypes['domain'] = self.helpers['fqdn']
        self.ioctypes['url'] = "(?:{0}|{1})(?:{2}|{3}|{4}){5}".format(
            self.helpers['http'],
            self.helpers['https'],
            self.helpers['fqdn'],
            self.ioctypes['ipv4'],
            self.ioctypes['ipv6'],
            r"(?:[\:\/][A-Z0-9\/\:\+\%\.\_\-\=\~\&\\#\?]*){0,1}",
        )

        # Compile regexes for faster repeat usage
        self.compiled_re: Dict = {}
        self.whitelist_patterns: Dict[str, Set] = {}
        for ioc in self.ioctypes:
            self.whitelist_patterns[ioc] = set()
            self.compiled_re[ioc] = re.compile(self.ioctypes[ioc], re.IGNORECASE)

        self._load_whitelist()
コード例 #26
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        self.abstract = config.getbool('options', 'abstract', fallback=True)
コード例 #27
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        self.pe_headers = config.get('options',
                                     'pe_headers',
                                     fallback='\x4d\x5a|\x5a\x4d').encode()
コード例 #28
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        self.conn_str = config.get('options', 'conn_str', fallback=None)
        if not self.conn_str:
            raise StoqPluginException('conn_str has not been defined')
コード例 #29
0
ファイル: worker.py プロジェクト: ytreister/stoq
 def __init__(self, config: StoqConfigParser) -> None:
     super().__init__(config)
     self.required_workers = config.getset('options',
                                           'required_workers',
                                           fallback=set())
コード例 #30
0
    def __init__(self, config: StoqConfigParser) -> None:
        super().__init__(config)

        self.apikey = config.get('options', 'apikey', fallback=None)
        if not self.apikey:
            raise StoqPluginException("VTMIS API Key does not exist")