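# Sanity check that this is a dns log
if not args.bro_log.endswith('dns.log'):
    print('This example only works with Bro dns.log files..')
    sys.exit(1)

# File may have a tilde in it
if args.bro_log:
    args.bro_log = os.path.expanduser(args.bro_log)

# See if we have a serialized VirusTotal Query Class.
# If we do not have one (or the cache file is unreadable, truncated or
# corrupt) we'll create a new one instead of crashing.
# NOTE(review): pickle.load executes arbitrary code contained in the file it
# reads, so 'vtq.pkl' must only ever be written by this tool and must not be
# writable by other users. Treat it as trusted local state, never as data
# that could have arrived from somewhere else.
try:
    # Context manager so the handle is closed even when unpickling fails
    # (the original left the file object open).
    with open('vtq.pkl', 'rb') as cache_file:
        vtq = pickle.load(cache_file)
    print('Opening VirusTotal Query Cache (cache_size={:d})...'.format(vtq.size))
except (IOError, EOFError, pickle.UnpicklingError):
    # Missing, truncated or corrupt cache: start fresh.
    vtq = vt_query.VTQuery(max_cache_time=60*24*7)  # One week cache

# See our 'Risky Domains' Notebook for the analysis and
# statistical methods used to compute this risky set of TLDs
risky_tlds = {
    'info', 'tk', 'xyz', 'online', 'club', 'ru', 'website', 'in', 'ws',
    'top', 'site', 'work', 'biz', 'name', 'tech', 'loan', 'win', 'pro',
}

# Launch long lived process with signal catcher
# (presumably save_vtq persists the query cache on interruption -- confirm
# against signal_utils)
with signal_utils.signal_catcher(save_vtq):
    # Run the bro reader on the dns.log file looking for risky TLDs
    reader = bro_log_reader.BroLogReader(args.bro_log)
    for row in reader.readrows():
        # Pull out the TLD
        query = row['query']
        # (loop body continues in the original script; only its first
        # statement is reproduced here)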
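# If no args just call help
if len(sys.argv) == 1:
    parser.print_help()
    sys.exit(1)

# Sanity check that this is a file log
if not args.bro_log.endswith('files.log'):
    print('This example only works with Bro files.log files..')
    sys.exit(1)

# File may have a tilde in it
if args.bro_log:
    args.bro_log = os.path.expanduser(args.bro_log)

# Create a VirusTotal Query Class.
# Note that every hash looked up below is sent to a third-party service, so
# the set of files this host has seen is disclosed to that service.
vtq = vt_query.VTQuery()

# Run the bro reader on a given log file
# (tail=True presumably follows the log as it grows -- confirm against
# bro_log_reader)
reader = bro_log_reader.BroLogReader(args.bro_log, tail=True)
for row in reader.readrows():
    # Bro uses '-' for an empty field; prefer sha256 and fall back to sha1
    file_sha = row.get('sha256', '-')
    if file_sha == '-':
        file_sha = row.get('sha1', '-')
    if file_sha == '-':
        # Neither hash is present, so there is nothing to look up for this row.
        # (Original message read "Should not find ...", which inverted the meaning.)
        print('Did not find a sha256 or a sha1 key! Skipping...')
        continue

    # Make the query with either sha
    results = vtq.query_file(file_sha)
    if results.get('positives', 0) > 1:  # At least two hits
        pprint(results)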