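def to_indicators(self, type="hostname", category="exploit", author=None, source="Blacklist conversion", prob=0.7, description=None, version=1):
    """Convert every blacklist entry in ``self.bl`` into an Indicator.

    Each entry becomes one Indicator whose Descriptor carries the given
    metadata and whose match expression is ``lt.Match(type, entry)``.

    Args:
        type: indicator type handed to Descriptor and lt.Match (the name
            shadows the builtin but is kept for caller compatibility).
        category, author, source, prob: Descriptor metadata, passed through.
        description: optional free-text description; assigned to each
            Descriptor only when it is not None.
        version: version number of the returned Indicators container.

    Returns:
        An Indicators object described as "Blacklist" holding one Indicator
        per entry (empty when ``self.bl`` is empty).
    """
    inds = []
    for entry in self.bl:
        des = Descriptor(category=category, author=author, source=source,
                         prob=prob, type=type, value=entry)
        # Identity test instead of `!= None`: does not depend on the
        # description object's __ne__.
        if description is not None:
            des.description = description
        ind = Indicator(des)
        ind.value = lt.Match(type, entry)
        inds.append(ind)
    return Indicators(version=version, description="Blacklist", indicators=inds)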
def load_value(obj):
    """Build an lt match expression from a dict.

    The node kind is decided by the first of these keys present in
    ``obj``, checked in order: "type" (leaf: lt.Match on obj["type"] and
    obj["value"]), "or" and "and" (lists of child dicts, loaded
    recursively), "not" (a single child dict). Recursion depth follows the
    nesting of the input, so extremely deep input raises RecursionError.

    Raises:
        RuntimeError: when none of the recognised keys is present.
    """
    builders = (
        ("type", lambda o: lt.Match(o["type"], o["value"])),
        ("or", lambda o: lt.Or([load_value(child) for child in o["or"]])),
        ("and", lambda o: lt.And([load_value(child) for child in o["and"]])),
        ("not", lambda o: lt.Not(load_value(o["not"]))),
    )
    for key, build in builders:
        if key in obj:
            return build(obj)
    raise RuntimeError("Can't parse value")
def load_value(obj):
    """Load a value (an lt match expression) from a Python dict object.

    Recognised shapes, tried in this order:
      {"type": T, "value": V}       -> lt.Match(T, V)
      {"or": [...]} / {"and": [...]} -> lt.Or / lt.And over the loaded children
      {"not": {...}}                -> lt.Not of the loaded child
    Children are loaded by recursive calls, so nesting depth is bounded by
    the interpreter's recursion limit.

    Raises:
        RuntimeError: if none of the keys "type", "or", "and", "not" is present.
    """
    if "type" in obj:
        return lt.Match(obj["type"], obj["value"])
    if "or" in obj:
        children = [load_value(child) for child in obj["or"]]
        return lt.Or(children)
    if "and" in obj:
        children = [load_value(child) for child in obj["and"]]
        return lt.And(children)
    if "not" in obj:
        inner = load_value(obj["not"])
        return lt.Not(inner)
    raise RuntimeError("Can't parse value")
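def to_detector(self, match="dns", type="hostname", category="exploit", author="osint.bambenekconsulting.com", source="Blacklist conversion", prob=0.7, description=None):
    """Convert the parsed Bambenek feed rows in ``self.bl`` into Indicators.

    A row is skipped when it is empty, when its first field is empty or
    starts with '#' (feed comment line), or when it has fewer than 4
    fields. The first field of each remaining row is the indicator value.

    Args:
        match: accepted for interface compatibility; not used in this body.
        type: indicator type for the Descriptor and lt.Match.
        category, author, source, prob: Descriptor metadata, passed through.
        description: optional description assigned to each Descriptor when
            not None (the parameter was previously accepted but ignored).

    Returns:
        Indicators(version=1, description="Bambenek IOCs", ...) holding one
        Indicator per accepted row.
    """
    inds = []
    for row in self.bl:
        if len(row) < 1:
            continue
        # Guard the empty-first-field case explicitly: the former
        # `row[0][0] == '#'` raised IndexError on an empty field instead of
        # skipping the row.
        if not row[0] or row[0][:1] == '#':
            continue
        if len(row) < 4:
            continue
        value = row[0]
        des = Descriptor(category=category, author=author, source=source,
                         prob=prob, type=type, value=value)
        if description is not None:
            des.description = description
        # MD5 only derives a stable, deterministic indicator id from the
        # feed prefix and the value; it provides no integrity guarantee.
        # The prefix spelling "bamabenek:" is part of the existing id
        # derivation — changing it would change every emitted id.
        digest = hashlib.new('md5')
        digest.update(("bamabenek:" + value).encode("utf-8"))
        ind_id = digest.hexdigest()
        ind = Indicator(des, ind_id)
        ind.value = lt.Match(type=type, value=value)
        inds.append(ind)
    return Indicators(version=1, description="Bambenek IOCs", indicators=inds)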
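def to_detector(self, type="hostname", category="exploit", author=None, source="Blacklist conversion", prob=0.7, description=None):
    """Convert the parsed URLhaus rows in ``self.bl`` into Indicators.

    A row is skipped when it is empty, when its first field is empty or
    starts with '#' (comment line), or when it has fewer than 7 fields.
    The indicator id is the MD5 hex digest of "urlhaus:" followed by the
    row's third field (index 2).

    Args:
        type: indicator type for the Descriptor and lt.Match.
        category, author, source, prob: Descriptor metadata, passed through.
        description: optional description assigned to each Descriptor when
            not None.

    Returns:
        Indicators(version=1, description="Urlhaus IOCs", ...) holding one
        Indicator per accepted row.
    """
    inds = []
    for row in self.bl:
        if len(row) < 1:
            continue
        # Guard the empty-first-field case explicitly: the former
        # `row[0][0] == '#'` raised IndexError on an empty field instead of
        # skipping the row.
        if not row[0] or row[0][:1] == '#':
            continue
        if len(row) < 7:
            continue
        url = row[2]
        # MD5 only derives a stable, deterministic indicator id; it provides
        # no integrity guarantee.
        digest = hashlib.new('md5')
        digest.update(("urlhaus:" + url).encode("utf-8"))
        ind_id = digest.hexdigest()
        # NOTE(review): the Descriptor value and the lt.Match below receive
        # the whole row, while the id is derived from `url` (field 2) and
        # the default type is "hostname"; confirm with the consumer whether
        # the value should be `url` instead. Kept as-is to preserve output.
        des = Descriptor(category=category, author=author, source=source,
                         prob=prob, type=type, value=row)
        if description is not None:
            des.description = description
        ind = Indicator(des, ind_id)
        ind.value = lt.Match(type, row)
        inds.append(ind)
    return Indicators(version=1, description="Urlhaus IOCs", indicators=inds)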