Python check_and_save_intel_alert 예제들

예제 #1

파일: virustotal.py 프로젝트: snkarnam/plgx-esp

    def analyse_hash(self, value, type, node):

        if self.vt:
            result_log_scan_elem = db.session.query(ResultLogScan).filter(
                ResultLogScan.scan_value == value).first()
            response = None
            if result_log_scan_elem:
                if self.name not in result_log_scan_elem.reputations:
                    response = self.vt.get_file_report(value)
                    if 'response_code' in response and response[
                            'response_code'] == 200:
                        newReputations = dict(result_log_scan_elem.reputations)
                        newReputations[self.name] = response
                        result_log_scan_elem.reputations = newReputations
                        db.session.add(result_log_scan_elem)
                        db.session.commit()

                else:
                    response = result_log_scan_elem.reputations[self.name]
            if 'results' in response and 'positives' in response[
                    'results'] and response['results']['positives'] > 0:
                check_and_save_intel_alert(scan_type=type,
                                           scan_value=value,
                                           data=response,
                                           source=self.name,
                                           severity="LOW")

예제 #2

파일: cybercure_intel.py 프로젝트: snkarnam/plgx-esp

    def analyse_domain(self, value, type, node):
        response = cybercure.search('url')
        if 'exists' in response and response['exists'] == True:
            check_and_save_intel_alert(scan_type=type,
                                       scan_value=value,
                                       data={},
                                       source="cybercure",
                                       severity="LOW")

        # TODO(andrew-d): better message?
        current_app.logger.log(self.level, 'Triggered alert: ')

예제 #3

파일: safebrowse.py 프로젝트: snkarnam/plgx-esp

 def analyse_domain(self, value, type, node):
     # TODO(andrew-d): better message?
     r = self.api.lookup_urls(
         url='http://malware.testing.google.test/testing/malware/')
     if 'malicious' in r and r['malicious'] == True:
         check_and_save_intel_alert(scan_type=type,
                                    scan_value=value,
                                    data=r,
                                    source="SafeBrowsing",
                                    severity="LOW")
     current_app.logger.log(self.level, 'Triggered alert: SfeBrowsing ')

예제 #4

파일: virustotal.py 프로젝트: polylogyx/plgx-esp

    def analyse_hash(self, value, type, node):

        if self.vt:
            result_log_scan_elem = db.session.query(ResultLogScan).filter(
                ResultLogScan.scan_value == value).first()
            min_match_count = db.session.query(Settings).filter(
                Settings.name == 'virustotal_min_match_count').first()
            av_engines = [
                item[0]
                for item in db.session.query(VirusTotalAvEngines).filter(
                    VirusTotalAvEngines.status == True).all()
            ]
            response = None
            is_detected = False
            if result_log_scan_elem:
                if self.name not in result_log_scan_elem.reputations:
                    response = self.vt.get_file_report(value)
                    if 'response_code' in response and response[
                            'response_code'] == 200:
                        newReputations = dict(result_log_scan_elem.reputations)
                        newReputations[self.name] = response
                        result_log_scan_elem.reputations = newReputations
                        db.session.add(result_log_scan_elem)
                        db.session.commit()

                else:
                    response = result_log_scan_elem.reputations[self.name]
            if 'results' in response and 'positives' in response[
                    'results'] and response['results']['positives'] > 0:
                for avengine in response['results']['scans']:
                    if response['results']['scans'][avengine][
                            'detected'] == True and avengine in av_engines:
                        is_detected = True
                        break
                if is_detected == False and response['results'][
                        'positives'] >= int(min_match_count.setting):
                    is_detected = True
            if is_detected:
                check_and_save_intel_alert(scan_type=type,
                                           scan_value=value,
                                           data=response,
                                           source=self.name,
                                           severity="LOW")

예제 #5

파일: otx.py 프로젝트: snkarnam/plgx-esp

    def generate_alerts(self):
        try:
            source = self.name
            from polylogyx.database import db
            from polylogyx.models import ResultLogScan
            from polylogyx.utils import check_and_save_intel_alert

            result_log_scans = db.session.query(ResultLogScan).filter(
                ResultLogScan.reputations[source + "_detected"].astext.cast(
                    sqlalchemy.Boolean).is_(True)).all()
            for result_log_scan in result_log_scans:
                check_and_save_intel_alert(
                    scan_type=result_log_scan.scan_type,
                    scan_value=result_log_scan.scan_value,
                    data=result_log_scan.reputations[source],
                    source=source,
                    severity="LOW")
        except Exception as e:
            current_app.logger.error(e)

예제 #6

    def generate_alerts(self):
        try:
            source = self.name
            from polylogyx.models import ResultLogScan
            from polylogyx.database import db
            from polylogyx.utils import check_and_save_intel_alert

            matches = db.session.query(ResultLogScan, IOCIntel.severity).join(
                IOCIntel, IOCIntel.value == ResultLogScan.scan_value).all()
            for match in matches:
                scan_elem = match[0]
                severity = match[1]
                check_and_save_intel_alert(scan_type=scan_elem.scan_type,
                                           scan_value=scan_elem.scan_value,
                                           data={},
                                           source=source,
                                           severity=severity)

        except Exception as e:
            current_app.logger.error(e)

예제 #7

파일: otx.py 프로젝트: snkarnam/plgx-esp

 def analyse_hash(self, value, type, node):
     if self.otx:
         result_log_scan_elem = db.session.query(ResultLogScan).filter(
             ResultLogScan.scan_value == value).first()
         response = {}
         if result_log_scan_elem:
             if self.name not in result_log_scan_elem.reputations:
                 response = is_hash_malicious(value, self.otx)
                 newReputations = dict(result_log_scan_elem.reputations)
                 newReputations[self.name] = response
                 result_log_scan_elem.reputations = newReputations
                 db.session.add(result_log_scan_elem)
                 db.session.commit()
             else:
                 response = result_log_scan_elem.reputations[self.name]
         if 'alerts' in response and len(response['alerts']) > 0:
             check_and_save_intel_alert(scan_type=type,
                                        scan_value=value,
                                        data=response['result'],
                                        source=self.name,
                                        severity="LOW")

예제 #8

파일: ibmxforce.py 프로젝트: polylogyx/plgx-esp

    def generate_alerts(self):

        try:
            from polylogyx.utils import check_and_save_intel_alert

            from polylogyx.models import  ResultLogScan
            from polylogyx.database import db
            source = self.name

            result_log_scans = db.session.query(ResultLogScan).filter(
                ResultLogScan.reputations[source + "_detected"].astext.cast(sqlalchemy.Boolean).is_(True)).all()
            for result_log_scan in result_log_scans:
                severity=Alerts.INFO
                if result_log_scan.reputations[source]['malware']['risk']=='high':
                    severity=Alerts.CRITICAL
                elif result_log_scan.reputations[source]['malware']['risk']=='medium':
                    severity=Alerts.WARNING

                check_and_save_intel_alert(scan_type=result_log_scan.scan_type, scan_value=result_log_scan.scan_value,
                                           data=result_log_scan.reputations[source],
                                           source=source,
                                           severity=severity)
        except Exception as e:
            current_app.logger.error(e)