#!/usr/bin/env python
# Copyright (C) 2012 nwmaltego Developer.
# This file is part of nwmaltego - https://github.com/bostonlink/nwmaltego
# See the file 'LICENSE' for copying permission.
# Maltego NW Threat to Client Application (User Agent)
# Author: David Bressler (@bostonlink)
import json
import sys
import urllib
import urllib2
from datetime import datetime, timedelta
from xml.sax.saxutils import escape

from lib import nwmodule
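# Maltego XML header and footer wrapping the transform response
trans_header = """<MaltegoMessage>
<MaltegoTransformResponseMessage>
<Entities>"""

trans_footer = """ </Entities>
</MaltegoTransformResponseMessage>
</MaltegoMessage> """

# Timestamp layout NetWitness expects inside the query's time range
NW_TIME_FMT = '%Y-%b-%d %H:%M:%S'


def nw_time_window(now=None, days=1):
    """Return the quoted NW time range covering the last *days* days.

    The result has the form ``'<start>'-'<end>'`` with both ends rendered
    with ``NW_TIME_FMT``.  *now* defaults to ``datetime.today()``; passing
    it explicitly lets callers (and tests) pin the clock.
    """
    end = datetime.today() if now is None else now
    start = end - timedelta(days=days)
    return "'%s'-'%s'" % (start.strftime(NW_TIME_FMT), end.strftime(NW_TIME_FMT))


def build_where_clause(risk_name, fields, time_window):
    """Build the NW WHERE clause for *risk_name* within *time_window*.

    *fields* are the ``#``-separated Maltego additional fields, each of the
    form ``name=value``.  The first field whose name contains ``ip`` and
    carries a value restricts the query to that address as source or
    destination; the address test is parenthesised so it binds tighter
    than the surrounding ``&&`` instead of turning the whole clause into
    ``(...) || ip.dst=...``.  Without such a field the time/risk clause
    alone is returned (this no longer depends on which field comes last).

    NOTE(review): risk_name and the address are interpolated verbatim
    into the NW query string; a value containing quotes or query
    operators changes the query's meaning.  Maltego supplies both, so
    validate them upstream if that input is not trusted.
    """
    base = '(time=%s) && risk.warning="%s"' % (time_window, risk_name)
    for field in fields:
        if 'ip' not in field:
            continue
        ip = field.partition('=')[2]
        if ip:
            return base + ' && (ip.src=%s || ip.dst=%s)' % (ip, ip)
    return base


def user_agent_entity(value, risk_name, rec):
    """Render one ``netwitness.NWUserAgent`` Maltego entity as XML text.

    *rec* is one element of the NW ``results.fields`` list and must carry
    ``id1``, ``id2``, ``type`` and ``count``.  Every interpolated value is
    XML-escaped: user-agent strings come from captured traffic and may
    contain ``<``, ``>`` or ``&``, which would otherwise corrupt the
    transform response Maltego parses.
    """
    cells = tuple(escape('%s' % x) for x in
                  (value, risk_name, rec['id1'], rec['id2'], rec['type'], rec['count']))
    return """ <Entity Type="netwitness.NWUserAgent">
<Value>%s</Value>
<AdditionalFields>
<Field Name="threat" DisplayName="Threat Name">%s</Field>
<Field Name="metaid1" DisplayName="Meta id1">%s</Field>
<Field Name="metaid2" DisplayName="Meta id2">%s</Field>
<Field Name="type" DisplayName="Type">%s</Field>
<Field Name="count" DisplayName="Count">%s</Field>
</AdditionalFields>
</Entity>""" % cells


def main():
    """Run the transform: authenticate to NWD, query it, print the response.

    argv[1] is the threat (risk.warning) name, argv[2] the ``#``-joined
    additional fields.  Duplicate user agents are emitted once.
    """
    risk_name = sys.argv[1]
    fields = sys.argv[2].split('#')

    # BASIC HTTP authentication to NWD
    nwmodule.nw_http_auth()

    # NW REST API query and results (first 10 'client' values)
    where_clause = build_where_clause(risk_name, fields, nw_time_window())
    json_data = json.loads(
        nwmodule.nwValue(0, 0, 10, 'client', 'application/json', where_clause))

    print(trans_header)
    seen = set()
    for rec in json_data['results']['fields']:
        # Kept from the original: only ASCII user agents are accepted, so a
        # non-ASCII value raises here and aborts the whole response.
        value = rec['value'].decode('ascii')
        if value in seen:
            continue
        seen.add(value)
        print(user_agent_entity(value, risk_name, rec))
    print(trans_footer)


if __name__ == '__main__':
    main()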