def post(self, request): for indicator in request.POST.getlist('choices'): indicator_type = discover_type(indicator) if indicator_type == "domain": try: monitor = DomainMonitor.objects.get(domain_name=indicator, owner=request.user) except: pass else: monitor.tags.clear() if indicator_type == "ip": try: monitor = IpMonitor.objects.get(ip_address=indicator, owner=request.user) except: pass else: monitor.tags.clear() messages.add_message(request, messages.SUCCESS, self.msg_success) return redirect('monitor_dashboard')
def post(self, request): for indicator in request.POST.getlist('choices'): indicator_type = discover_type(indicator) if indicator_type == "domain": try: DomainMonitor.objects.get(domain_name=indicator, owner=request.user).delete() except: LOGGER.exception("Error deleting domain monitor for value: %s", indicator) if indicator_type == "ip": try: IpMonitor.objects.get(ip_address=indicator, owner=request.user).delete() except: LOGGER.exception("Error deleting IP monitor for value: %s", indicator) if indicator_type == "other": try: CertificateMonitor.objects.get(certificate_value=indicator, owner=request.user).delete() except: LOGGER.exception("Error deleting certificate monitor for value: %s", indicator) messages.add_message(request, messages.SUCCESS, self.msg_success) return redirect('monitor_dashboard')
def clean_indicator(self): indicator = self.cleaned_data.get('indicator').strip().lower() verified_type = discover_type(indicator) if verified_type: self.indicator_type = verified_type if self.indicator_type != "domain" and self.indicator_type != "ip": raise forms.ValidationError('That is not a valid ip or domain') return indicator
def post(self, request): tags = IndicatorTag.objects.filter(tag__in=request.POST.getlist('tags'), owner=request.user) if tags: for indicator in request.POST.getlist('choices'): indicator_type = discover_type(indicator) LOGGER.debug("Applying %d tag(s) to %s indicator: %s", len(tags), indicator_type, indicator) if indicator_type == "domain": try: monitor = DomainMonitor.objects.get(domain_name=indicator, owner=request.user) except: LOGGER.exception("Error retrieving domain indicator '%s'", indicator) else: for tag in tags: LOGGER.debug("Adding tag '%s' to domain value: %s", tag, indicator) monitor.tags.add(tag) if indicator_type == "ip": try: monitor = IpMonitor.objects.get(ip_address=indicator, owner=request.user) except: LOGGER.exception("Error retrieving IP indicator '%s'", indicator) else: for tag in tags: LOGGER.debug("Adding tag '%s' to IP value: %s", tag, indicator) monitor.tags.add(tag) if indicator_type == "other": try: monitor = CertificateMonitor.objects.get(certificate_value=indicator, owner=request.user) except: LOGGER.exception("Error retrieving certificate indicator '%s'", indicator) else: for tag in tags: LOGGER.debug("Adding tag '%s' to certificate value: %s", tag, indicator) monitor.tags.add(tag) messages.add_message(request, messages.SUCCESS, self.msg_success) return redirect('monitor_dashboard')
def clean_indicators(self): submission = self.cleaned_data.get('indicators') indicator_list = re.split(r'[,;|\n\r ]+', submission) for indicator in indicator_list: indicator = indicator.rstrip().lower() indicator_type = discover_type(indicator) if indicator_type == "domain": self.valid_domains.append(indicator) if indicator_type == "ip": self.valid_ips.append(indicator)
def post(self, request): for indicator in request.POST.getlist('choices'): indicator_type = discover_type(indicator) if indicator_type == "domain": try: monitor = DomainMonitor.objects.get( domain_name=indicator, domainsubscription__owner=self.request.user) except: pass else: tag = monitor.tags.get(owner=self.request.user) monitor.tags.remove(tag) #monitor.tags.clear() if indicator_type == "ip": try: monitor = IpMonitor.objects.get( ip_address=indicator, ipsubscription__owner=request.user) except: pass else: tag = monitor.tags.get(owner=self.request.user) monitor.tags.remove(tag) # monitor.tags.clear() if indicator_type == "other": try: monitor = CertificateMonitor.objects.get( certificate_value=indicator, certificatesubscription__owner=self.request.user) except: pass else: tag = monitor.tags.get(owner=self.request.user) monitor.tags.remove(tag) # monitor.tags.clear() messages.add_message(request, messages.SUCCESS, self.msg_success) return redirect('monitor_dashboard')
def clean_indicators(self): submission = self.cleaned_data.get('indicators') indicator_list = re.split(r'[,;|\n\r ]+', submission) for indicator in indicator_list: indicator = indicator.rstrip().lower() indicator_type = discover_type(indicator) if indicator_type == "domain": self.valid_domains.append(indicator) if indicator_type == "ip": self.valid_ips.append(indicator) if indicator_type == "other": LOGGER.warn("Discarding attempt to add '%s' as an IP or Domain to be monitored", indicator) raise ValidationError("%s is not a valid IP or Domain" % indicator)
def post(self, request): for indicator in request.POST.getlist('choices'): indicator_type = discover_type(indicator) if indicator_type == "domain": try: DomainSubscription.objects.get( owner=request.user, domain_name=indicator).delete() CertificateSubscription.objects.get( owner=request.user, certificate=indicator).delete() except: LOGGER.exception( "Error deleting domain monitor for value: %s", indicator) if indicator_type == "ip": try: IpSubscription.objects.get(owner=request.user, ip_address=indicator).delete() except: LOGGER.exception("Error deleting IP monitor for value: %s", indicator) if indicator_type == "other": try: # CertificateMonitor.objects.get(certificate_value=indicator, # owner=request.user).delete() # Added by LNguyen 1/18/2017 - Delete the associations but not the certificate data to preserve # any historical search results CertificateSubscription.objects.get( owner=request.user, certificate=indicator).delete() except Exception as err: LOGGER.exception( "Error deleting certificate monitor for value: %s", indicator, str(err)) messages.add_message(request, messages.SUCCESS, self.msg_success) return redirect('monitor_dashboard')
def clean_indicators(self): submission = self.cleaned_data.get('indicators') indicator_list = re.split(r'[,;|\n\r ]+', submission) for indicator in indicator_list: indicator = indicator.rstrip().lower() indicator_type = discover_type(indicator) if indicator_type == "domain": self.valid_domains.append(indicator) if indicator_type == "ip": self.valid_ips.append(indicator) if indicator_type == "other": LOGGER.warn( "Discarding attempt to add '%s' as an IP or Domain to be monitored", indicator) raise ValidationError("%s is not a valid IP or Domain" % indicator)
def clean_indicator(self): indicator = self.cleaned_data.get('indicator').strip().lower() self.indicator_type = discover_type(indicator) return indicator
def lookup_threatlabs(indicator): """ Created by: Linda Nguyen Date: Apr2017 Find all passive DNS A type records for a given indicator from Threatlabs.IO :param indicator: The indicator value for which to search. :return: A list of passive DNS records and attributes """ result = [] api_key = settings.THREATLABS_API_ID indicator_type = discover_type(indicator) try: type = 'A' # Use this API for ip address type indicators if indicator_type == "ip": url = "https://api.threatlabs.io/pdns/rdata/ip/" + indicator # Else use this API for domain type indicators elif indicator_type == "domain": url = "https://api.threatlabs.io/pdns/rrset/name/" + indicator + "/" + type # Else invalid indicator type, so log error else: errmsg = "Indicator invalid for threatlabs API: " + indicator logger.exception(errmsg) return result response = requests.get(url, headers={'X-API-Key': api_key}) if response.status_code == 200: arrayObj = json.loads( json.dumps(response.content.decode('utf-8').split())) newresult = [] result = [] for domainObj in arrayObj: jsonObj = json.loads(domainObj) domain = jsonObj["rrname"] rdata = ''.join(jsonObj["rdata"]) firstseen = datetime.datetime.fromtimestamp( json.loads(domainObj)["time_first"]) lastseen = datetime.datetime.fromtimestamp( json.loads(domainObj)["time_last"]) newresult.append({ 'ip': rdata, 'domain': domain, 'date': firstseen, 'firstseen': firstseen, 'lastseen': lastseen, 'ip_location': {} }) result = newresult else: errmsg = "Error with ThreatLabs.IO.PDNS: " + str( response.status_code) logger.exception(errmsg) return result except Exception as e: print(str(e)) errmsg = "Error with DNSTwist: " + str(e) logger.exception(errmsg) return result
def check_type(self, indicator): return discover_type(indicator)
def post(self, request): task = request.POST['task_id'] res = GroupResult.restore(task) if res and not res.ready(): return HttpResponse(json.dumps({"status": "loading"}), content_type="application/json") # Task completion allows for origin information to be pulled try: task_origin = TaskTracker.objects.get(group_id=task) record_type = task_origin.type indicator = task_origin.keyword except MultipleObjectsReturned: task_origin = TaskTracker.objects.filter(group_id=task).latest('date') record_type = task_origin.type indicator = task_origin.keyword except ObjectDoesNotExist: record_type = None indicator = None # Pull data according to the record type if record_type == "Recent": self.template_name = "pivoteer/RecentRecords.html" # Current hosting records host_record = IndicatorRecord.objects.recent_hosts(indicator) # We must lookup the country for each IP address for use in the template. # We do this outside the task because we don't know the IP addresses until the task completes. host_records_complete = [] for record in host_record: info = getattr(record, 'info') record.location = geolocate_ip(info['ip']) host_records_complete.append(record) self.template_vars["current_hosts"] = host_records_complete # Current WHOIS record whois_record = IndicatorRecord.objects.recent_whois(indicator) self.template_vars["current_whois"] = whois_record # Current ThreatCrowd record tc_info = IndicatorRecord.objects.recent_tc(indicator) self.template_vars["tc_info"] = tc_info cert_info = IndicatorRecord.objects.recent_cert(indicator) self.template_vars["cert_info"] = cert_info elif record_type == "Historical": self.template_name = "pivoteer/HistoricalRecords.html" # Historical hosting records host_records = IndicatorRecord.objects.historical_hosts(indicator, request) # We must lookup the country for each IP address for use in the template. # We do this outside the task because we don't know the IP addresses until the task completes. host_records_complete = [] for record in host_records: info = getattr(record, 'info') record.location = geolocate_ip(info['ip']) host_records_complete.append(record) self.template_vars["hosting_records"] = host_records_complete # Historical WHOIS records whois_record = IndicatorRecord.objects.historical_whois(indicator) self.template_vars["historical_whois"] = whois_record elif record_type == "Malware": self.template_name = "pivoteer/MalwareRecords.html" malware_records = IndicatorRecord.objects.malware_records(indicator) self.template_vars["malware_records"] = malware_records self.template_vars["origin"] = indicator elif record_type == "SafeBrowsing": safebrowsing_records = IndicatorRecord.objects.safebrowsing_record(indicator) self.template_name = "pivoteer/Google.html" self.template_vars["records"] = safebrowsing_records self.template_vars["google_url"] = settings.GOOGLE_SAFEBROWSING_URL + indicator self.template_vars["origin"] = indicator elif record_type == "Search": self.template_name = "pivoteer/SearchRecords.html" search_records = IndicatorRecord.objects.get_search_records(indicator) self.template_vars["search_records"] = search_records elif record_type == "External": self.template_name = "pivoteer/ExternalRecords.html" self.template_vars['indicator'] = indicator self.template_vars['type'] = discover_type(indicator) return render(request, self.template_name, self.template_vars)
def post(self, request): task = request.POST['task_id'] res = GroupResult.restore(task) if res and not res.ready(): return HttpResponse(json.dumps({"status": "loading"}), content_type="application/json") # Task completion allows for origin information to be pulled try: task_origin = TaskTracker.objects.get(group_id=task) record_type = task_origin.type indicator = task_origin.keyword except MultipleObjectsReturned: task_origin = TaskTracker.objects.filter( group_id=task).latest('date') record_type = task_origin.type indicator = task_origin.keyword except ObjectDoesNotExist: record_type = None indicator = None # Pull data according to the record type if record_type == "Recent": self.template_name = "pivoteer/RecentRecords.html" # Current hosting records host_record = IndicatorRecord.objects.recent_hosts(indicator) # We must lookup the country for each IP address for use in the template. # We do this outside the task because we don't know the IP addresses until the task completes. host_records_complete = [] for record in host_record: info = getattr(record, 'info') record.location = geolocate_ip(info['ip']) host_records_complete.append(record) self.template_vars["current_hosts"] = host_records_complete # Current WHOIS record whois_record = IndicatorRecord.objects.recent_whois(indicator) self.template_vars["current_whois"] = whois_record # Current ThreatCrowd record tc_info = IndicatorRecord.objects.recent_tc(indicator) self.template_vars["tc_info"] = tc_info cert_info = IndicatorRecord.objects.recent_cert(indicator) self.template_vars["cert_info"] = cert_info elif record_type == "Historical": self.template_name = "pivoteer/HistoricalRecords.html" # Historical hosting records host_records = IndicatorRecord.objects.historical_hosts( indicator, request) # We must lookup the country for each IP address for use in the template. # We do this outside the task because we don't know the IP addresses until the task completes. host_records_complete = [] for record in host_records: info = getattr(record, 'info') record.location = geolocate_ip(info['ip']) host_records_complete.append(record) self.template_vars["hosting_records"] = host_records_complete # Historical WHOIS records whois_record = IndicatorRecord.objects.historical_whois(indicator) self.template_vars["historical_whois"] = whois_record elif record_type == "Malware": self.template_name = "pivoteer/MalwareRecords.html" malware_records = IndicatorRecord.objects.malware_records( indicator) self.template_vars["malware_records"] = malware_records self.template_vars["origin"] = indicator elif record_type == "SafeBrowsing": safebrowsing_records = IndicatorRecord.objects.safebrowsing_record( indicator) self.template_name = "pivoteer/Google.html" self.template_vars["records"] = safebrowsing_records self.template_vars[ "google_url"] = settings.GOOGLE_SAFEBROWSING_URL + indicator self.template_vars["origin"] = indicator elif record_type == "Search": self.template_name = "pivoteer/SearchRecords.html" search_records = IndicatorRecord.objects.get_search_records( indicator) self.template_vars["search_records"] = search_records elif record_type == "External": self.template_name = "pivoteer/ExternalRecords.html" self.template_vars['indicator'] = indicator self.template_vars['type'] = discover_type(indicator) return render(request, self.template_name, self.template_vars)