def submit_to_cif(data, host, ssl, token, cache):
logging.debug('Initializing Client instance to host={}, with ssl={}'.format(host, ssl))
cli = Client(token=token,
remote=host,
verify_ssl=ssl)
logging.info('Submitting indicator: {0}'.format(data))
try:
r = cli.indicators_create(json.dumps(data))
cache.setcache(data['indicator'])
logging.debug('Indicator submitted with id {}'.format(r))
return True
except Exception as e:
logging.error('Error submitting indicator: {0}'.format(repr(e)))
return False
def submit_to_cif(data, host, ssl, token, cache):
logging.debug(
'Initializing Client instance to host={}, with ssl={}'.format(
host, ssl))
cli = Client(token=token, remote=host, verify_ssl=ssl)
logging.info('Submitting indicator: {0}'.format(data))
try:
r = cli.indicators_create(json.dumps(data))
cache.setcache(data['indicator'])
logging.debug('Indicator submitted with id {}'.format(r))
return True
except (SubmissionFailed, Exception) as e:
if isinstance(e, SubmissionFailed):
logging.error(
'Submission failed due to authorization error; please correct your host/key, remove this container, and try again'
)
return False
else:
logging.error('Error submitting indicator: {} {}'.format(
type(e).__name__, e.args))
return False
def submit_safelist(self, l):
cli = Client(token=self.token,
remote=self.remote,
verify_ssl=self.verify)
filters = [f for f in self._list_to_filters(l)]
try:
i = 1
for data in self._chunks(filters, 500):
ret = cli.indicators_create(json.dumps(data))
logger.debug('Submitted chunk {} with return status {}'.format(
i, ret))
i += 1
except Exception as e:
logger.warning('Exception during get_feed: {}'.format(e))
logger.debug('CLI: {}, Filters: {}'.format(cli, data))
backoff = randint(30, 120)
logger.warning(
'Backing off {} seconds after failure'.format(backoff))
time.sleep(backoff)
sys.exit(1)
logger.info('Complete submission of safelist with size {}'.format(
str(len(l))))
def run(self):
Responder.run(self)
confidence = None
indicators = []
# case details
if self.get_param('data._type') == 'case_artifact':
a = {}
a['indicator'] = self.get_param('data.data', None, 'Missing indicator')
a['tags'] = self.get_param('data.tags')
a['tlp'] = self.get_param('data.tlp', None)
a['desc'] = self.get_param('data.message', None)
a['lasttime'] = self.get_param('data.createdAt', None)
indicators.append(a)
# alert details
if self.get_param('data._type') == 'alert':
for i in self.get_param('data.artifacts'):
a = {}
a['indicator'] = i['data']
a['tags'] = i['tags']
a['tlp'] = self.get_param('data.tlp', None)
a['desc'] = self.get_param('data.description', None)
a['lasttime'] = self.get_param('data.createdAt', None)
if self.get_param('data.updatedAt'):
a['lasttime'] = self.get_param('data.updatedAt')
indicators.append(a)
for i in indicators:
# map TLP to word
tlp = self.TLP_MAP[str(i['tlp'])]
# process tags
tags = i['tags']
for t in list(tags):
# confidence tag check
if 'confidence:' in t:
tags.remove(t)
(k, v) = t.split(':')
confidence = int(v)
# remove other directive tags
elif ':' in t:
tags.remove(t)
# set to default confidence if not defined
if not confidence:
confidence = self.d_confidence
# convert lasttime
lasttime = datetime.utcfromtimestamp(i['lasttime']/1000).strftime('%Y-%m-%dT%H:%M:%S.%fZ')
# build indicator
ii = {
'indicator': i['indicator'],
'confidence': confidence,
'description': i['desc'],
'tags': tags,
'tlp': tlp,
'group': self.group,
'lasttime': lasttime
}
# create indicator object
try:
ii = Indicator(**ii)
except InvalidIndicator as e:
self.error("Invalid CIF indicator {}".format(e))
except Exception as e:
self.error("CIF indicator error: {}".format(e))
# submit indicator
cli = Client(token=self.token, remote=self.remote, verify_ssl=self.verify_ssl)
try:
r = cli.indicators_create(ii)
except Exception as e:
self.error("CIF submission error: {}".format(e))
self.report({'message': '{} indicator(s) submitted to CIFv3'.format(len(indicators))})
