def main(): import argparse parser = argparse.ArgumentParser() parser.add_argument('-j', '--json', action="store_true", dest='as_json', help="Output as JSON") parser.add_argument('--days', '-d', default=1, type=int, help='days to query') parser.add_argument('--start', '-s', default=None, help='start datetime in "yyyy-mm-dd HH:MM:SS" format ' '(or "today HH:MM:SS")') parser.add_argument('--end', '-e', default=None, help='end datetime in "yyyy-mm-dd HH:MM:SS" format ' '(or "today HH:MM:SS")') args = parser.parse_args() client = Client.from_config() kwargs = {'as_json': args.as_json} kwargs['days'] = args.days kwargs['start'] = args.start kwargs['end'] = args.end data = client.get_zlist_urls(days=args.days, start=args.start, end=args.end) if args.as_json: print(json.dumps(data, indent=4)) elif data: print(renderer(data, 'zlist/urls'))
def __init__(self): self.enabled = True self.opts = dict() try: self.client = Client.from_config() except Exception: log.error(traceback.format_exc()) log.error('Failed to load RiskIQ config - disabling RiskIQ plugin.') log.error('Please pip install riskiq and run `riq-config setup`') self.enabled = False
def main(): import argparse parser = argparse.ArgumentParser() subs = parser.add_subparsers(dest='cmd') name_p = subs.add_parser('name') name_p.add_argument('addrs', nargs='+', help='Hostname or IP addresses') name_p.add_argument('--rrtype', '-t', default=None) name_p.add_argument('--json', '-j', action="store_true", help="Output as JSON") name_p.add_argument('--short', '-s', action="store_true", help="Output newline-separated data only") name_p.add_argument('--text', '-T', action="store_true", help="Output full human readable text") name_p.add_argument('--verbose', '-v', action="store_true", help="Output verbose records with first/lastseen times and observed count") data_p = subs.add_parser('data') data_p.add_argument('addrs', nargs='+', help='Hostname or IP addresses') data_p.add_argument('--rrtype', '-t', default=None) data_p.add_argument('--json', '-j', action="store_true", help="Output as JSON") data_p.add_argument('--short', '-s', action="store_true", help="Output newline-separated name only") data_p.add_argument('--text', '-T', action="store_true", help="Output full human readable text") data_p.add_argument('--verbose', '-v', action="store_true", help="Output verbose records with first/lastseen times and observed count") args = parser.parse_args() addrs = util.stdin(args.addrs) for addr in addrs: ip, hostname = ip_hostname(addr) client = Client.from_config() try: data = get_data(client, args.cmd, rrtype=args.rrtype, hostname=hostname, ip=ip) except ValueError as e: parser.print_usage() sys.stderr.write('{}\n'.format(str(e))) sys.exit(1) if args.json: print(json.dumps(data, indent=4)) elif args.short and args.cmd == 'data': print(renderer(data, 'dns/dns_data')) elif args.short and args.cmd == 'name': print(renderer(data, 'dns/dns_name')) elif args.text: print(renderer(data, 'dns/dns')) elif data: print(renderer(data, 'dns/dns_oneline', verbose=args.verbose))
def main(): import argparse parser = argparse.ArgumentParser() parser.add_argument('--domain', '-d') parser.add_argument('--email', '-e') parser.add_argument('--name-server', '-n') parser.add_argument('--max-results', '-m', type=int, default=100) parser.add_argument('-j', '--json', action="store_true", dest='as_json', help="Output as JSON") args = parser.parse_args() client = Client.from_config() results = client.post_whois(domain=args.domain, email=args.email, name_server=args.name_server, max_results=args.max_results) if args.as_json: print(json.dumps(results, indent=4)) else: print(renderer(results, 'whois/whois'))
def main(): parser = ArgumentParser() subs = parser.add_subparsers(dest='cmd') list_parser = subs.add_parser('list', help='list binaries in date range') list_parser.add_argument('--days', '-d', default=1, type=int, help='days to query') list_parser.add_argument('--start', '-s', default=None, help='start datetime in yyyy-mm-dd HH:MM:SS format') list_parser.add_argument('--end', '-e', default=None, help='end datetime in yyyy-mm-dd HH:MM:SS format') list_parser.add_argument('-j', '--json', action="store_true", dest='as_json', help="Output as JSON") download_parser = subs.add_parser('download', help='download from MD5 hash, or hashes') download_parser.add_argument('md5hash', help='md5 hash to download') download_parser.add_argument('output', help='path to output file to, - for stdout') download_parser.add_argument('-j', '--json', action="store_true", dest='as_json', help="Output as JSON") download_parser.add_argument('-d', '--output-dir', help='dir to dump $hash.bin to') args = parser.parse_args() kwargs = {'as_json': args.as_json} if hasattr(args, 'days'): kwargs['days'] = args.days kwargs['start'] = args.start kwargs['end'] = args.end client = Client.from_config() if args.cmd == 'list': bin_list(client, **kwargs) elif args.cmd == 'download': hashes = util.stdin([args.md5hash]) for i, md5hash in enumerate(hashes): output = args.output if output != '-' and len(hashes) > 1: output = '%s.%d' % (args.output, i) bin_download(client, md5hash, output, output_dir=args.output_dir, **kwargs)
def main(): parser = OptionParser() parser.add_option('-q', '--query', dest='query', action="store_true", default=False, help="Query Domain Name") parser.add_option('-d', '--data', dest='rdata', action="store_true", default=False, help="Response Data") parser.add_option('-i', '--ip', dest='rdata_ip', action="store_true", default=False, help="Response Data(IP)") parser.add_option('-t', '--rrtype', dest='rrtype', default=None, help="Record Type") parser.add_option('-j', '--json', dest='json', action="store_true", default=False, help="Output as JSON") options, args = parser.parse_args() if not args: parser.print_help() sys.exit(-1) client = Client.from_config() qtype = None if options.query: qtype = 'query' if options.rdata: qtype = 'data' if options.rdata_ip: qtype = 'ip' results = [] for arg in args: if not qtype: if IP_REGEX.match(arg): qtype = 'ip' else: qtype = 'query' if qtype == 'data': results.append(client.get_dns_data_by_data(arg, rrtype=options.rrtype)) if qtype == 'ip': results.append(client.get_dns_data_by_ip(arg, rrtype=options.rrtype)) if qtype == 'query': results.append(client.get_dns_data_by_name(arg, rrtype=options.rrtype)) results = PassiveDNS(results) if options.json: print(results.json) sys.exit(0) print(results.text) sys.exit(0)
def main(): parser = ArgumentParser() parser.add_argument('--dump-requests', action='store_true') parser.add_argument('--stix', help='output results to STIX file (requires riskiq[stix] package)') subs = parser.add_subparsers(dest='cmd') for module in (lookup, incident, incidentlist, bl_list, malware): module.add_parser(subs) args = parser.parse_args() client = Client.from_config() if args.dump_requests: client._dump_requests() kwargs = {} for kwarg in ('as_json', 'oneline', 'stix', 'days', 'start', 'end', 'verbose', 'timeout', 'six_hours', 'filter', 'confidence', 'template'): if hasattr(args, kwarg): kwargs[kwarg] = getattr(args, kwarg) sub_main = MAIN_FUNC[args.cmd] sub_main(client, args, kwargs)
def main(): parser = ArgumentParser() parser.add_argument('--dump-requests', action='store_true') parser.add_argument( '--stix', help='output results to STIX file (requires riskiq[stix] package)') subs = parser.add_subparsers(dest='cmd') for module in (lookup, incident, incidentlist, bl_list, malware): module.add_parser(subs) args = parser.parse_args() client = Client.from_config() if args.dump_requests: client._dump_requests() kwargs = {} for kwarg in ('as_json', 'oneline', 'stix', 'days', 'start', 'end', 'verbose', 'timeout', 'six_hours', 'filter', 'confidence', 'template'): if hasattr(args, kwarg): kwargs[kwarg] = getattr(args, kwarg) sub_main = MAIN_FUNC[args.cmd] sub_main(client, args, kwargs)
def main(): parser = ArgumentParser() subs = parser.add_subparsers(dest='cmd') list_parser = subs.add_parser('list', help='list binaries in date range') list_parser.add_argument('--days', '-d', default=1, type=int, help='days to query') list_parser.add_argument( '--start', '-s', default=None, help='start datetime in yyyy-mm-dd HH:MM:SS format') list_parser.add_argument('--end', '-e', default=None, help='end datetime in yyyy-mm-dd HH:MM:SS format') list_parser.add_argument('-j', '--json', action="store_true", dest='as_json', help="Output as JSON") download_parser = subs.add_parser('download', help='download from MD5 hash, or hashes') download_parser.add_argument('md5hash', help='md5 hash to download') download_parser.add_argument('output', help='path to output file to, - for stdout') download_parser.add_argument('-j', '--json', action="store_true", dest='as_json', help="Output as JSON") download_parser.add_argument('-d', '--output-dir', help='dir to dump $hash.bin to') args = parser.parse_args() kwargs = {'as_json': args.as_json} if hasattr(args, 'days'): kwargs['days'] = args.days kwargs['start'] = args.start kwargs['end'] = args.end client = Client.from_config() if args.cmd == 'list': bin_list(client, **kwargs) elif args.cmd == 'download': hashes = util.stdin([args.md5hash]) for i, md5hash in enumerate(hashes): output = args.output if output != '-' and len(hashes) > 1: output = '%s.%d' % (args.output, i) bin_download(client, md5hash, output, output_dir=args.output_dir, **kwargs)
tf_team = tf.create_team(options.team) if tf_team.success: print('Team {0} was created with id: {1}'.format( options.team, tf_team.data['id'])) else: print('Problem creating team: {0}'.format(tf_team.message)) exit(1) print( 'Going to create applications in ThreadFix server {0} under team {1}'. format(options.server, options.team)) # Query RiskIQ to request a list of the web sites they've discovered print('Querying RiskIQ to request list of discovered websites') client = Client.from_config() queryString = '' filter = { 'field': FilterField.AssetType, 'value': FilterValue.WebSite, 'type': FilterOperation.Equals } results = client.post_inventory_search(queryString, filter) inventory_assets = results['inventoryAsset'] for asset in inventory_assets: website = asset['webSite'] print('Website identified: {0}'.format(website['initialUrl'])) # Create the application in ThreadFix, if needed
def main(): import argparse parser = argparse.ArgumentParser() subs = parser.add_subparsers(dest='cmd') get_parser = subs.add_parser( 'get', help='Retrieve a single landingpage by MD5 hash') get_parser.add_argument('md5_hashes', nargs='+') get_parser.add_argument('--whois', '-w', action='store_true', help='whether to include whois information') get_parser.add_argument('-j', '--json', action="store_true", dest='as_json', help="Output as JSON") submit_parser = subs.add_parser( 'submit', help='Submit at least one or many landing pages.') submit_parser.add_argument('urls', nargs='+') submit_parser.add_argument('--project', '-p', help='Project name to submit to') submit_parser.add_argument('--keyword', '-k', help='Optional Keyword') submit_parser.add_argument( '--md5', '-m', help='Optional MD5 representing the canonical ID') submit_parser.add_argument( '--pingback-url', '-P', help='Optional URL to be GET requested upon completion of analysis') submit_parser.add_argument( '--fields', '-f', nargs='*', help='Optional list of custom fields eg -f foo=bar alpha=beta') submit_parser.add_argument('-j', '--json', action="store_true", dest='as_json', help="Output as JSON") crawled_parser = subs.add_parser( 'crawled', help='List landing pages by crawl date - maximum of 100') crawled_parser.add_argument('--whois', '-w', action='store_true', help='whether to include whois information') crawled_parser.add_argument('--days', '-d', default=None, type=int, help='days to query') crawled_parser.add_argument( '--start', '-s', default=None, help='start datetime in yyyy-mm-dd HH:MM:SS format, or "today HH:MM:SS"' ) crawled_parser.add_argument( '--end', '-e', default=None, help='end datetime in yyyy-mm-dd HH:MM:SS format, or "today HH:MM:SS"') crawled_parser.add_argument('-j', '--json', action="store_true", dest='as_json', help="Output as JSON") flagged_parser = subs.add_parser( 'flagged', help='List landing pages by known profile creation date - ' 'maximum of 100') flagged_parser.add_argument('--whois', '-w', action='store_true', help='whether to include whois information') flagged_parser.add_argument('--days', '-d', default=None, type=int, help='days to query') flagged_parser.add_argument( '--start', '-s', default=None, help='start datetime in yyyy-mm-dd HH:MM:SS format, or "today HH:MM:SS"' ) flagged_parser.add_argument( '--end', '-e', default=None, help='end datetime in yyyy-mm-dd HH:MM:SS format, or "today HH:MM:SS"') flagged_parser.add_argument('-j', '--json', action="store_true", dest='as_json', help="Output as JSON") binary_parser = subs.add_parser( 'binary', help='List landing pages with malicious binary incidents. ' 'A malicious binary is any non-text file that is suspected of ' 'containing malware or exploit code. A landing page is linked to ' 'any such binary that is embedded or easily reachable from it.') binary_parser.add_argument('--whois', '-w', action='store_true', help='whether to include whois information') binary_parser.add_argument('--days', '-d', default=1, type=int, help='days to query') binary_parser.add_argument( '--start', '-s', default=None, help='start datetime in yyyy-mm-dd HH:MM:SS format, or "today HH:MM:SS"' ) binary_parser.add_argument( '--end', '-e', default=None, help='end datetime in yyyy-mm-dd HH:MM:SS format, or "today HH:MM:SS"') binary_parser.add_argument('-j', '--json', action="store_true", dest='as_json', help="Output as JSON") pjs_parser = subs.add_parser( 'projects', help='List all projects that landing pages may be submitted to.') pjs_parser.add_argument('-j', '--json', action="store_true", dest='as_json', help="Output as JSON") args = parser.parse_args() client = Client.from_config() kwargs = {'as_json': args.as_json} if hasattr(args, 'whois'): kwargs['whois'] = args.whois if hasattr(args, 'days'): kwargs['days'] = args.days kwargs['start'] = args.start kwargs['end'] = args.end if args.cmd == 'get': md5_hashes = util.stdin(args.md5_hashes) for md5_hash in md5_hashes: lp_get(client, md5_hash, **kwargs) elif args.cmd == 'submit': urls = util.stdin(args.urls) kwargs.update({ 'keyword': args.keyword, 'md5_hash': args.md5, 'pingback_url': args.pingback_url, 'project_name': args.project, }) if args.fields: kwargs.update( {'fields': dict([f.split('=') for f in args.fields])}) if len(urls) == 1: lp_submit(client, urls[0], **kwargs) else: lp_submit_bulk(client, urls, **kwargs) elif args.cmd == 'crawled': lp_crawled(client, **kwargs) elif args.cmd == 'flagged': lp_flagged(client, **kwargs) elif args.cmd == 'binary': lp_binary(client, **kwargs) elif args.cmd == 'projects': lp_projects(client, **kwargs)
print ('Team {0} already exists. Will add applications to that team'.format(options.team)) else: print ('Team {0} does not exist. Creating'.format(options.team)) tf_team = tf.create_team(options.team) if tf_team.success: print ('Team {0} was created with id: {1}'.format(options.team, tf_team.data['id'])) else: print ('Problem creating team: {0}'.format(tf_team.message)) exit(1) print ('Going to create applications in ThreadFix server {0} under team {1}'.format(options.server, options.team)) # Query RiskIQ to request a list of the web sites they've discovered print ('Querying RiskIQ to request list of discovered websites') client = Client.from_config() queryString = '' filter = {'field':FilterField.AssetType, 'value':FilterValue.WebSite, 'type':FilterOperation.Equals} results = client.post_inventory_search(queryString, filter) inventory_assets = results['inventoryAsset'] for asset in inventory_assets: website = asset['webSite'] print('Website identified: {0}'.format(website['initialUrl'])) # Create the application in ThreadFix, if needed if options.create: application_name = website['initialUrl'] # Use the application name also for the ThreadFix application URL because that is what RiskIQ gives us tf_application = tf.create_application(tf_team.data['id'], application_name, application_name)
def main(): parser = OptionParser() parser.add_option('-q', '--query', dest='query', action="store_true", default=False, help="Query Domain Name") parser.add_option('-d', '--data', dest='rdata', action="store_true", default=False, help="Response Data") parser.add_option('-i', '--ip', dest='rdata_ip', action="store_true", default=False, help="Response Data(IP)") parser.add_option('-t', '--rrtype', dest='rrtype', default=None, help="Record Type") parser.add_option('-j', '--json', dest='json', action="store_true", default=False, help="Output as JSON") options, args = parser.parse_args() if not args: parser.print_help() sys.exit(-1) client = Client.from_config() qtype = None if options.query: qtype = 'query' if options.rdata: qtype = 'data' if options.rdata_ip: qtype = 'ip' results = [] for arg in args: if not qtype: if IP_REGEX.match(arg): qtype = 'ip' else: qtype = 'query' if qtype == 'data': results.append( client.get_dns_data_by_data(arg, rrtype=options.rrtype)) if qtype == 'ip': results.append( client.get_dns_data_by_ip(arg, rrtype=options.rrtype)) if qtype == 'query': results.append( client.get_dns_data_by_name(arg, rrtype=options.rrtype)) results = PassiveDNS(results) if options.json: print(results.json) sys.exit(0) print(results.text) sys.exit(0)
def main(): import argparse parser = argparse.ArgumentParser() subs = parser.add_subparsers(dest='cmd') get_parser = subs.add_parser('get', help='Retrieve a single landingpage by MD5 hash') get_parser.add_argument('md5_hashes', nargs='+') get_parser.add_argument('--whois', '-w', action='store_true', help='whether to include whois information') get_parser.add_argument('-j', '--json', action="store_true", dest='as_json', help="Output as JSON") submit_parser = subs.add_parser('submit', help='Submit at least one or many landing pages.') submit_parser.add_argument('urls', nargs='+') submit_parser.add_argument('--project', '-p', help='Project name to submit to') submit_parser.add_argument('--keyword', '-k', help='Optional Keyword') submit_parser.add_argument('--md5', '-m', help='Optional MD5 representing the canonical ID') submit_parser.add_argument('--pingback-url', '-P', help='Optional URL to be GET requested upon completion of analysis') submit_parser.add_argument('--fields', '-f', nargs='*', help='Optional list of custom fields eg -f foo=bar alpha=beta') submit_parser.add_argument('-j', '--json', action="store_true", dest='as_json', help="Output as JSON") crawled_parser = subs.add_parser('crawled', help='List landing pages by crawl date - maximum of 100') crawled_parser.add_argument('--whois', '-w', action='store_true', help='whether to include whois information') crawled_parser.add_argument('--days', '-d', default=None, type=int, help='days to query') crawled_parser.add_argument('--start', '-s', default=None, help='start datetime in yyyy-mm-dd HH:MM:SS format, or "today HH:MM:SS"') crawled_parser.add_argument('--end', '-e', default=None, help='end datetime in yyyy-mm-dd HH:MM:SS format, or "today HH:MM:SS"') crawled_parser.add_argument('-j', '--json', action="store_true", dest='as_json', help="Output as JSON") flagged_parser = subs.add_parser('flagged', help='List landing pages by known profile creation date - ' 'maximum of 100') flagged_parser.add_argument('--whois', '-w', action='store_true', help='whether to include whois information') flagged_parser.add_argument('--days', '-d', default=None, type=int, help='days to query') flagged_parser.add_argument('--start', '-s', default=None, help='start datetime in yyyy-mm-dd HH:MM:SS format, or "today HH:MM:SS"') flagged_parser.add_argument('--end', '-e', default=None, help='end datetime in yyyy-mm-dd HH:MM:SS format, or "today HH:MM:SS"') flagged_parser.add_argument('-j', '--json', action="store_true", dest='as_json', help="Output as JSON") binary_parser = subs.add_parser('binary', help='List landing pages with malicious binary incidents. ' 'A malicious binary is any non-text file that is suspected of ' 'containing malware or exploit code. A landing page is linked to ' 'any such binary that is embedded or easily reachable from it.' ) binary_parser.add_argument('--whois', '-w', action='store_true', help='whether to include whois information') binary_parser.add_argument('--days', '-d', default=1, type=int, help='days to query') binary_parser.add_argument('--start', '-s', default=None, help='start datetime in yyyy-mm-dd HH:MM:SS format, or "today HH:MM:SS"') binary_parser.add_argument('--end', '-e', default=None, help='end datetime in yyyy-mm-dd HH:MM:SS format, or "today HH:MM:SS"') binary_parser.add_argument('-j', '--json', action="store_true", dest='as_json', help="Output as JSON") pjs_parser = subs.add_parser('projects', help='List all projects that landing pages may be submitted to.') pjs_parser.add_argument('-j', '--json', action="store_true", dest='as_json', help="Output as JSON") args = parser.parse_args() client = Client.from_config() kwargs = {'as_json': args.as_json} if hasattr(args, 'whois'): kwargs['whois'] = args.whois if hasattr(args, 'days'): kwargs['days'] = args.days kwargs['start'] = args.start kwargs['end'] = args.end if args.cmd == 'get': md5_hashes = util.stdin(args.md5_hashes) for md5_hash in md5_hashes: lp_get(client, md5_hash, **kwargs) elif args.cmd == 'submit': urls = util.stdin(args.urls) kwargs.update({ 'keyword': args.keyword, 'md5_hash': args.md5, 'pingback_url': args.pingback_url, 'project_name': args.project, }) if args.fields: kwargs.update({'fields': dict([f.split('=') for f in args.fields])}) if len(urls) == 1: lp_submit(client, urls[0], **kwargs) else: lp_submit_bulk(client, urls, **kwargs) elif args.cmd == 'crawled': lp_crawled(client, **kwargs) elif args.cmd == 'flagged': lp_flagged(client, **kwargs) elif args.cmd == 'binary': lp_binary(client, **kwargs) elif args.cmd == 'projects': lp_projects(client, **kwargs)