def update_last_update(last_update: int) -> None:
"Write last update from disk (~/.cache/<worker_name>/last_update)"
cache_filename: Text = os.path.join(
caep.get_cache_dir(worker.worker_name(), create=True), "last_update")
# Write last update timestamp to disk
with open(cache_filename, "w") as f:
f.write(str(last_update))
def main() -> None:
""" Main function """
# Look for default ini file in "/etc/actworkers.ini" and ~/config/actworkers/actworkers.ini
# (or replace .config with $XDG_CONFIG_DIR if set)
args = worker.handle_args(parseargs())
auth = None
if args.http_user:
auth = (args.http_user, args.http_password)
actapi = act.api.Act(args.act_baseurl,
args.user_id,
args.loglevel,
args.logfile,
worker.worker_name(),
requests_common_kwargs={'auth': auth})
if args.type:
types = [args.type]
else:
types = list(MITRE_URLS.keys())
for mitre_type in types:
url = MITRE_URLS.get(mitre_type.lower())
if not url:
error("Unknown mitre type: {}. Valid types: {}".format(
mitre_type, ",".join(MITRE_URLS.keys())))
sys.exit(2)
cache = notify_cache(args.notifycache)
# Get attack dataset as Stix Memory Store
attack = get_attack(url, args.proxy_string, args.http_timeout)
techniques_notify = add_techniques(actapi, attack, args.output_format)
groups_notify = add_groups(actapi, attack, args.output_format)
software_notify = add_software(actapi, attack, args.output_format)
# filter revoked objects from those allready notified
notify = [
notify
for notify in techniques_notify + groups_notify + software_notify
if notify.id not in cache
]
if notify:
notified = send_notification(notify, args.smtphost, args.sender,
args.recipient, url)
for object_id in notified:
# Add object to cache, so we will not be notified on the same object on the next run
add_to_cache(args.notifycache, object_id)
def main() -> None:
"""main function"""
# Look for default ini file in "/etc/actworkers.ini" and ~/config/actworkers/actworkers.ini
# (or replace .config with $XDG_CONFIG_DIR if set)
args = worker.handle_args(parseargs())
auth = None
if args.http_user:
auth = (args.http_user, args.http_password)
actapi = act.api.Act(args.act_baseurl,
args.user_id,
args.loglevel,
args.logfile,
worker.worker_name(),
requests_common_kwargs={'auth': auth})
if not args.country_codes:
sys.stderr.write(
"You must specify --country-codes on command line or in config file\n"
)
sys.exit(1)
if not os.path.isfile(args.country_codes):
sys.stderr.write(
"Country/region file not found at specified location: {}\n".format(
args.country_codes))
sys.exit(2)
# Get map of CC -> Country Name
cn_map = get_cn_map(args.country_codes)
db_cache = get_db_cache(CACHE_DIR)
# Read IPs from stdin
if args.stdin:
in_data = [ip for ip in sys.stdin.read().split("\n")]
handle_ip(actapi, cn_map, in_data, db_cache, args.output_format)
# Bulk lookup
elif args.bulk:
all_ips = [ip for ip in open(args.bulk, "r")]
batch_size = 50
i = 0
while i < len(all_ips):
handle_ip(actapi, cn_map, (all_ips[i:i + batch_size]), db_cache,
args.output_format)
i += batch_size
time.sleep(1)
db_cache.close()
def get_last_update() -> int:
"Get last update from disk (~/.cache/<worker_name>/last_update)"
cache_filename: Text = os.path.join(
caep.get_cache_dir(worker.worker_name(), create=True), "last_update")
if os.path.isfile(cache_filename):
# Read last_update from last recorded succsfully recieved event
with open(cache_filename) as f:
last_update = int(f.read().strip())
debug("last update starting at {}".format(last_update))
else:
# last_update not specified, set to now-1w
last_update = int((time.time() - 3600 * 24 * 7) * 1000)
info("last update not specified, autoconfigured as {}".format(
last_update))
return last_update
def main() -> None:
"""main function"""
# Look for default ini file in "/etc/actworkers.ini" and ~/config/actworkers/actworkers.ini
# (or replace .config with $XDG_CONFIG_DIR if set)
args = worker.handle_args(parseargs())
if not args.apikey:
sys.stderr.write(
"You must specify --apikey on command line or in config file\n")
sys.exit(1)
auth = None
if args.http_user:
auth = (args.http_user, args.http_password)
actapi = act.api.Act(args.act_baseurl,
args.user_id,
args.loglevel,
args.logfile,
worker.worker_name(),
requests_common_kwargs={'auth': auth})
in_data = sys.stdin.read().strip()
proxies = {
'http': args.proxy_string,
'https': args.proxy_string
} if args.proxy_string else None
vtapi = VirusTotalApi(args.apikey, proxies=proxies)
if args.hexdigest:
handle_hexdigest(actapi,
vtapi,
in_data,
output_format=args.output_format)
if args.ip:
handle_ip(actapi, vtapi, in_data, output_format=args.output_format)
if args.domain:
handle_domain(actapi, vtapi, in_data, output_format=args.output_format)
def main_log_error() -> None:
"Call main() and log all exceptions as errors"
try:
# Look for default ini file in "/etc/actworkers.ini" and ~/config/actworkers/actworkers.ini
# (or replace .config with $XDG_CONFIG_DIR if set)
args = worker.handle_args(worker.parseargs("Generic uploader"))
auth = None
if args.http_user:
auth = (args.http_user, args.http_password)
actapi = act.api.Act(args.act_baseurl,
args.user_id,
args.loglevel,
args.logfile,
worker.worker_name(),
requests_common_kwargs={'auth': auth})
main(actapi)
except Exception:
error("Unhandled exception: {}".format(traceback.format_exc()))
raise
def main() -> None:
"""main function"""
# Look for default ini file in "/etc/actworkers.ini" and ~/config/actworkers/actworkers.ini
# (or replace .config with $XDG_CONFIG_DIR if set)
args = worker.handle_args(parseargs())
auth = None
if args.http_user:
auth = (args.http_user, args.http_password)
actapi = act.api.Act(args.act_baseurl,
args.user_id,
args.loglevel,
args.logfile,
worker.worker_name(),
requests_common_kwargs={'auth': auth})
# Add IOCs from reports to the ACT platform
add_to_act(
actapi,
get_scio_report(),
args.output_format,
)
def main() -> None:
# Look for default ini file in "/etc/actworkers.ini" and ~/config/actworkers/actworkers.ini
# (or replace .config with $XDG_CONFIG_DIR if set)
args = worker.handle_args(parseargs())
auth = None
if args.http_user:
auth = (args.http_user, args.http_password)
actapi = act.api.Act(args.act_baseurl, args.user_id, args.loglevel, args.logfile, worker.worker_name(), requests_common_kwargs={'auth': auth})
process(actapi, args.pdns_baseurl, args.apikey, args.timeout, args.proxy_string, args.output_format)
def main_log_error() -> None:
"Main function. Log all exceptions to error"
# Look for default ini file in "/etc/actworkers.ini" and ~/config/actworkers/actworkers.ini
# (or replace .config with $XDG_CONFIG_DIR if set)
args = worker.handle_args(parseargs())
auth = None
if args.http_user:
auth = (args.http_user, args.http_password)
actapi = act.api.Act(args.act_baseurl, args.user_id, args.loglevel, args.logfile, worker.worker_name(), requests_common_kwargs={'auth': auth})
try:
process(
actapi,
worker.fetch_json(args.country_region_url, args.proxy_string, args.http_timeout),
args.output_format
)
except Exception:
error("Unhandled exception: {}".format(traceback.format_exc()))
raise
def main() -> None:
"""program entry point"""
# Look for default ini file in "/etc/actworkers.ini" and ~/config/actworkers/actworkers.ini
# (or replace .config with $XDG_CONFIG_DIR if set)
args = worker.handle_args(parseargs())
manifest_dir = args.manifest_dir
auth = None
if args.http_user:
auth = (args.http_user, args.http_password)
actapi = act.api.Act(args.act_baseurl, args.user_id, args.loglevel, args.logfile, worker.worker_name(), requests_common_kwargs={'auth': auth})
verify_manifest_dir(manifest_dir)
misp_feeds_file = os.path.join(manifest_dir, "misp_feeds.txt")
with open(misp_feeds_file) as f:
for line in f:
feed_data = handle_feed(manifest_dir, line.strip(), args.proxy_string, args.cert_file)
for event in feed_data:
n = 0
e = 0
act.api.helpers.handle_fact(
actapi.fact("hasTitle", event.info)
.source("report", str(event.uuid)),
output_format=args.output_format)
n += 1
try:
act.api.helpers.handle_fact(
actapi.fact("externalLink")
.source("uri", "{0}/{1}.json".format(line.strip(), event.uuid))
.destination("report", str(event.uuid)),
output_format=args.output_format)
n += 1
except act.api.base.ResponseError as err:
e += 1
error("Error adding fact to platform", exc_info=True)
for attribute in event.attributes:
if not attribute.act_type:
continue
try:
act.api.helpers.handle_fact(
actapi.fact("seenIn", "report")
.source(attribute.act_type, attribute.value)
.destination("report", str(event.uuid)),
output_format=args.output_format)
n += 1
except act.api.base.ResponseError as err:
e += 1
error("Error adding fact to platform", exc_info=True)
info("{0} facts. {1} errors.".format(n, e))