def setUp(self, **kwargs): provided_key = kwargs.get('api_key', '') if provided_key: self.api_key = provided_key else: self.api_key = ALIEN_API_APIKEY self.otx = OTXv2(self.api_key)
def main(): otx_settings = OTXSetting() otx = OTXv2(otx_settings.API_KEY) ip = sys.argv[1] general_result = otx.get_indicator_details_by_section(IndicatorTypes.IPv4, ip, 'general') found_pulse = getPulse(general_result) if found_pulse != '': m.addEntity("otx.OTXPulse", found_pulse) malware_result = otx.get_indicator_details_by_section(IndicatorTypes.IPv4, ip, 'malware') pdns_result = otx.get_indicator_details_by_section(IndicatorTypes.IPv4, ip, 'passive_dns') added_ips = 0 if 'passive_dns' in pdns_result: for pdns in pdns_result['passive_dns']: added_ips +=1 # Dont add too many IPs if fast flux etc if added_ips < 50: hostname = pdns['hostname'] m.addEntity("maltego.Domain", hostname) if 'data' in malware_result: for malware in malware_result['data']: hash = malware['hash'] m.addEntity("maltego.Hash", hash) return
def get_otx_data(indicator, ind_type, otx_api_key): data={'av_general':'n/a','av_reputation':'n/a','av_malware_data':'n/a','av_url_data':'n/a','av_passive_data':'n/a','av_pulse_count':'0','av_tlp':'n/a'} if otx_api_key: try: otx = OTXv2(otx_api_key) indicator_details=None if ind_type=='md5': indicator_details = otx.get_indicator_details_full(IndicatorTypes.FILE_HASH_MD5, indicator) elif ind_type=='sha256': indicator_details = otx.get_indicator_details_full(IndicatorTypes.FILE_HASH_SHA256, indicator) elif ind_type=='domain': indicator_details = otx.get_indicator_details_full(IndicatorTypes.DOMAIN, indicator) elif ind_type=='ip': indicator_details = otx.get_indicator_details_full(IndicatorTypes.IPv4, indicator) if indicator_details: data['av_general'] = str(indicator_details.get('general', {})) data['av_reputation'] = str(indicator_details.get('reputation', {}).get('reputation')) data['av_malware_data'] = str(indicator_details.get('malware', {}).get('data')) data['av_url_data']= str(indicator_details.get('url_list', {}).get('url_list')) data['av_passive_data'] = str(indicator_details.get('passive_dns')) data['av_pulse_count'] = str(indicator_details.get('general', {}).get('pulse_info', {}).get('count')) if indicator_details.get('analysis', {}).get('analysis'): data['av_tlp'] = str(indicator_details.get('analysis', {}).get('analysis', {}).get('metadata',{}).get('tlp')) except Exception as err: print ('OTX error for indicator {}: {}'.format(indicator, traceback.format_exception(type(err), err, err.__traceback__))) return data
def main(): otx_settings = OTXSetting() otx = OTXv2(otx_settings.API_KEY) hash = sys.argv[1] indicator_type = IndicatorTypes.FILE_HASH_SHA256 if len(hash) == 40: indicator_type = IndicatorTypes.FILE_HASH_SHA1 if len(hash) == 32: indicator_type == IndicatorTypes.FILE_HASH_MD5 general_result = otx.get_indicator_details_by_section( indicator_type, hash, 'general') found_pulse = getPulse(general_result) if found_pulse != '': m.addEntity("otx.OTXPulse", found_pulse) analysis_result = otx.get_indicator_details_by_section( indicator_type, hash, 'analysis') try: domainsJ = analysis_result['analysis']['plugins']['cuckoo']['result'][ 'network']['domains'] for dns in domainsJ: # { 'ip': '', 'domain': '' } if len(str(dns).split("'")) > 6: domain = str(dns).split("'")[7] ip = str(dns).split("'")[3] m.addEntity("maltego.IPv4Address", ip) m.addEntity("maltego.Domain", domain) except Exception as ex: pass return
def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) self.otx = OTXv2(OTX_API_KEY, OTX_SERVER) self.alerts = [] self.results = [] self.entity_num = 0 self.outfile_dic = {}
def main(): otx_settings = OTXSetting() otx = OTXv2(otx_settings.API_KEY) command_line = " ".join(sys.argv[:]) if 'ID:' in command_line: pulse_id = command_line.split('ID:')[1] if ' ' in pulse_id: pulse_id = pulse_id.split(' ')[0] pulse_indicators = otx.get_pulse_indicators(pulse_id) for ind in pulse_indicators: indicator = ind['indicator'] if 'FileHash' in ind['type']: m.addEntity("maltego.Hash", indicator) if ind['type'] == 'domain' or ind['type'] == 'hostname': m.addEntity("maltego.Domain", indicator) if ind['type'] == 'IPv4': m.addEntity("maltego.IPv4Address", indicator) url = 'https://otx.alienvault.com/api/v1/pulses/' + pulse_id + '/related/' result = requests.get(url).content j = json.loads(result) if 'results' in j: for pulse in j['results']: pulse_author = pulse['author']['username'] if pulse_author == 'AlienVault': pulse_id = pulse['id'] pulse_title = pulse['name'] + ' ID:' + pulse_id m.addEntity("otx.OTXPulse", pulse_title) return
def __init__(self): self.otx = OTXv2 ("Enter OTX key here") self.vt_api = 'Enter VT API key here' self.ipdb = AbuseIPDB ('Enter AbuseIPDB key Here') self.user = '******' self.password = '******' self.vt_base_url = 'https://www.virustotal.com/'
def connect(self, params): api_key, otx_server = params.get(Input.API_KEY).get( "secretKey", None), params.get(Input.URL) try: self.client = OTXv2(api_key, server=otx_server) except Exception as e: raise Exception(f"An error has occurred while connecting: {e}")
def sendTAXII(first=True): config = ConfigParser.ConfigParser() config.read('config.cfg') otx = OTXv2(config.get('otx', 'key')) if first: pulses = otx.getall_iter() mtimestamp = None else: mtimestamp = readTimestamp() pulses = otx.getsince(mtimestamp) if pulses: client = Client() client.from_dict(dict(config.items('taxii'))) for pulse in pulses: if not mtimestamp: mtimestamp = pulse["modified"] st = StixExport(pulse) st.build() print "Sending %s" % pulse["name"] if not client.snd_post('inbox', st.to_xml()): print '######---[ Unable to Send Post ]---######' saveTimestamp(mtimestamp) print "%d new pulses" % len(pulses)
def checkip(request): if request.method == "POST": ip = request.POST.get('ip', False) user = User.objects.get(username=request.session["username"]) otx = OTXv2( "cee9c5f59ddad6f61aead25b961fb1ca6060bee6157137f95a868d5bb0c842e7") re = otx.get_indicator_details_full(IndicatorTypes.IPv4, ip) response = requests.get( 'https://otx.alienvault.com/api/v1/indicators/IPv4/' + ip + '/http_scans') http_scan = response.json() response2 = requests.get( 'https://otx.alienvault.com/api/v1/indicators/IPv4/' + ip + '/passive_dns') passive_dns = response2.json() response3 = requests.get( 'https://otx.alienvault.com/api/v1/indicators/IPv4/' + ip + '/malware') malware = response3.json() if len(http_scan) == 1: http_scan = None req = Requete(type='ip', date=date.today(), name=ip, user=user) req.save() return render( request, 'services/checkip.html', { 'general': re['general'], 'url_list': re['url_list']['url_list'], 'passive_dns': passive_dns['passive_dns'], 'http_scan': http_scan, 'malware': malware['data'] })
def Search(self): display(self.module_name, self.ioc, "INFO", "Search in Alienvault...") try: if "otx_api_keys" in self.config: otx = OTXv2(self.config["otx_api_keys"]) if self.type == "IPv4": indicator = IndicatorTypes.IPv4 if self.type == "IPv6": indicator = IndicatorTypes.IPv6 if self.type == "domain": indicator = IndicatorTypes.DOMAIN if self.type == "URL": indicator = IndicatorTypes.URL if self.type == "MD5": indicator = IndicatorTypes.FILE_HASH_MD5 if self.type == "SHA1": indicator = IndicatorTypes.FILE_HASH_SHA1 if self.type == "SHA256": indicator = IndicatorTypes.FILE_HASH_SHA256 result = otx.get_indicator_details_full(indicator, self.ioc) else: display( self.module_name, message_type="ERROR", string= "Please check if you have otx_api_keys field in config.ini" ) except Exception, e: display(self.module_name, self.ioc, "ERROR", e) return
def getPulseData(): logging.info('Querying AlienVault OTX for recent pulses...') otx = OTXv2(baseConfig.otxKey) days_back = int(baseConfig.osintDays) + 1 date_since = (datetime.datetime.now() - datetime.timedelta(days=days_back)).isoformat() pulses = otx.getsince(date_since, limit=None) ip_list = [] domain_list = [] url_list = [] for pulse in pulses: indicators = pulse['indicators'] if len(indicators) > 0: for indicator in indicators: if indicator['type'] == 'URL': url_list.append(indicator['indicator']) host_indicators = ['domain', 'hostname', 'IPv4'] if indicator['type'] in host_indicators: if isValidIP(indicator['indicator']): ip_list.append(indicator['indicator']) else: domain_list.append(indicator['indicator']) return ip_list, domain_list, url_list
def get_iocs(today): dic = [] cprint("\nCollecting iocs for the date : "+str(today)+"..This may take sometime depending on your network speed..",'yellow', attrs=['bold']) otx = OTXv2("758fe3198bde37e69611027cc1e90ed40d796aaaf7f6bf71470a5e6586eaf9a8") iocs = {} pulses = otx.getall() file = open('./OTX_IoCs.csv'+str(today),'w') for each in pulses: pulsedate=each['created'].split('T')[0] if (pulsedate==today): dic.append(each) for each in dic: for ioc in each['indicators']: iocs['IOC']=str(ioc['indicator']) iocs['IOC_Created']=str(ioc['created']) iocs['Title']=ioc['title'] iocs['Is_active_(0/1)_?']=str(ioc['is_active']) iocs['Type']=ioc['type'] iocs['Tags']=','.join(each['tags']) iocs['Pulse_Created']=str(each['created']) iocs['Malware_Families']=','.join(each['malware_families']) iocs['References']=' '.join(each['references']) iocs['Targeted_Countries']=','.join(each['targeted_countries']) iocs['Industries']=','.join(each['industries']) writer = csv.DictWriter(file, iocs.keys()) if file.tell() == 0: writer.writeheader() for data in iocs: writer.writerow(iocs)
def check_api_key_state(args): print("=" * 80) print("Now checking api key is valid or not...") test_ip = "8.8.8.8" if args.virustotal == False: OTX_SERVER = 'https://otx.alienvault.com/' otx = OTXv2(alienvault_api_key, server=OTX_SERVER) try: result = otx.get_indicator_details_by_section(IndicatorTypes.IPv4, test_ip, 'general') print("Your alienVault API Key is valid.") return True except: print("Your alienVault API Key is Invalid, Please check") return False elif args.virustotal == True: url = 'https://www.virustotal.com/vtapi/v2/ip-address/report' params = {'apikey':virus_total_api_key,'ip': test_ip} response = requests.get(url, params=params) try: result = response.json() print("Your virustotal API Key is valid.") return True except: print("Your virustotal API Key is Invalid, Please check") return False
def get_malicious_ip_and_country(): sample_file_names = os.listdir(has_behavior_malware_dir) ip_country_dic = dict() for sample_file_name in sample_file_names: pcap_file_names = os.listdir(has_behavior_malware_dir + sample_file_name) for pcap_file_name in pcap_file_names: pcap_file_path = has_behavior_malware_dir + sample_file_name + "/" + pcap_file_name pcap = open_pcap(pcap_file_path) pkt_1 = pcap[0] malicious_ip = pkt_1[IP].dst if malicious_ip not in ip_country_dic.keys(): OTX_SERVER = 'https://otx.alienvault.com/' otx = OTXv2(alienvault_api_key, server=OTX_SERVER) try: result = otx.get_indicator_details_by_section( IndicatorTypes.IPv4, malicious_ip, 'general') country = result["country_code"] except: country = "unknown" ip_country_dic[malicious_ip] = country return ip_country_dic
def get_ti_from_OTX(ip, in_file_name, out_file_name, country, ti_type): mStr = '' ip_rep = 0 pulses_names = '' res = '' try: if ti_type == 'ip': res = OTXv2(args.api_key_otx).get_indicator_details_full( IndicatorTypes.IPv4, ip) ip_rep = res['general']['reputation'] print('IP rep: {0}'.format(ip_rep)) # for malicious IPs, get pulse names if '1' in str(ip_rep): pulses_names = getPulseNames( res['general']['pulse_info']['pulses']) print('IP: {0}\tIP Rep: {1}\tIP Pulses'.format( ip, ip_rep, pulses_names)) else: res = OTXv2(args.api_key_otx).search_pulses(ip) # res = OTXv2('0d89be741a69cb6cd8c3b56b0cd0d5ba9dedd0a9c0289b6148de9c3a3a3c2ba1').search_pulses(ip) if 'results' in res and len(res['results']) > 0: for result in res['results']: pulses_names += result['name'] + ' ' + args.pulse_separator # pulses_names += result['name'] + ' ' + '---' pulses_names = pulses_names.rstrip(' ' + args.pulse_separator) print(res) except Exception as e: rl_hit[0] = rl_hit[0] + 1 print('Exception {0} occurred when fetching TI for IP {1} from OTX{2}'. format(e, ip, res)) # write only malicious IPs to output file if '1' in str(ip_rep): mStr = str(pulses_names) add_to_malicious_ips(ip, mStr, type='otx') # put IP records in a separate file if is_ip_malicious(ip): put_ip_records_in_separate_file(ip, in_file_name, 'otx') print('\n\n\n') print('IP: {0}\t OTX TI Results: {1}'.format(ip, mStr)) print('\n\n\n')
def __init__(self): try: api_key = config['AlienVault']['API_KEY'] except KeyError as e: raise KeyError( "Failed to read configurations for AlienVault") from e self.otx = OTXv2(api_key) self.prev_request_time = 0
def process(self): self.logger.info("Downloading report through API") otx = OTXv2(self.parameters.api_key, proxy=self.parameters.https_proxy) pulses = otx.getall() self.logger.info("Report downloaded.") report = self.new_report() report.add("raw", json.dumps(pulses)) self.send_message(report)
def get_ics_pulses(self, api_key, siem_mode): #self.debug = debug self.otx = OTXv2(api_key) if siem_mode: self.separator = "," self.use_csv_header = True self.extension = "csv" self.hash_upper = True self.filename_regex_out = False
def __init__(self, api_key, siem_mode, debug, proxy): self.debug = debug self.otx = OTXv2(api_key, proxy) if siem_mode: self.separator = "," self.use_csv_header = True self.extension = "csv" self.hash_upper = True self.filename_regex_out = False
def main(): # Todo - Used? otx_settings = OTXSetting() otx = OTXv2(otx_settings.API_KEY) email = sys.argv[1] for domain in getDomains(email): m.addEntity("maltego.Domain", domain) return
def Main(IPList, TicketID): conf = LoadConfig.Load() otx = OTXv2(conf["api_keys"]["AlienVaultAPI"]) for IP in IPList: logging.info("[AlienVault] OTX Searching %s" % IP) result = pformat( otx.get_indicator_details_full(IndicatorTypes.IPv4, IP)) otrs_functions.UpdateTicket("", "AlienVault OTX - %s Results" % IP, result, TicketID)
def threat_intelligence(self, ip): """ 威胁情报分析, 威胁情报平台采用OTX ,https://otx.alienvault.com/ :return: """ config = ConfigParser.ConfigParser() config.read('config/config.ini') otx_key = config.get('OTX_Token', 'key') otx = OTXv2(otx_key) otx_result = otx.get_indicator_details_full(IndicatorTypes.IPv4, ip) print(otx_result)
def update_credentials(self): try: credentials = db.session.query(ThreatIntelCredentials).filter( ThreatIntelCredentials.intel_name == 'alienvault').first() if credentials and 'key' in credentials.credentials: self.otx = OTXv2(credentials.credentials['key']) current_app.logger.info('AlienVault OTX api configured') else: self.otx = None current_app.logger.warn('AlienVault OTX api not configured') except Exception as e: current_app.logger.error(e)
def Search(self): mod.display(self.module_name, "", "INFO", "Search in Alienvault OTX ...") try: if "otx_api_keys" in self.config: otx = OTXv2(self.config["otx_api_keys"]) if self.type == "IPv4": indicator = IndicatorTypes.IPv4 if self.type == "IPv6": indicator = IndicatorTypes.IPv6 if self.type == "domain": indicator = IndicatorTypes.DOMAIN if self.type == "URL": indicator = IndicatorTypes.URL if self.type == "MD5": indicator = IndicatorTypes.FILE_HASH_MD5 if self.type == "SHA1": indicator = IndicatorTypes.FILE_HASH_SHA1 if self.type == "SHA256": indicator = IndicatorTypes.FILE_HASH_SHA256 result = otx.get_indicator_details_full(indicator, self.ioc) else: mod.display( self.module_name, self.ioc, message_type="ERROR", string= "Please check if you have otx_api_keys field in btg.cfg") return None except: mod.display( self.module_name, self.ioc, "ERROR", "Could not perform the request, either you did not fill the otx_api_keys field or the key maximum request is reached" ) return None try: if self.ioc == str(result["general"]["indicator"]): _id = str(result["general"]["pulse_info"]["pulses"][0]["id"]) tags = "" for tag in result["general"]["pulse_info"]["pulses"][0][ "tags"]: tags = tags + "%s " % tag mod.display( self.module_name, self.ioc, "FOUND", "Tags: %s| https://otx.alienvault.com/pulse/%s/" % (tags, _id)) except: mod.display(self.module_name, self.ioc, message_type="NOT_FOUND", string="Nothing found in OTX") return None
def process(self): self.logger.info("Downloading report through API") otx = OTXv2(self.parameters.api_key) pulses = otx.getall() self.logger.info("Report downloaded.") report = Report() report.add("raw", json.dumps(pulses), sanitize=True) report.add("feed.name", self.parameters.feed, sanitize=True) report.add("feed.accuracy", self.parameters.accuracy, sanitize=True) time_observation = DateTime().generate_datetime_now() report.add('time.observation', time_observation, sanitize=True) self.send_message(report)
def mainalv(ip,url): """ mainalv is managing alienvault api configuration and call api for IP or api for url. return a string in markdown style. :param ip:ip from user :param url:url from user """ from OTXv2 import OTXv2 import IndicatorTypes ############# API config ############# # ---- Retrieving API Key ---- file = open('api_keys.txt', "r") for line in file: line=line.strip() #Removal of empty lines if (line.find('api_key_alienvault') != -1): api_key_alienvault=line.partition('=')[2] file.close() OTX_SERVER = 'https://otx.alienvault.com/' otx = OTXv2(api_key_alienvault, server=OTX_SERVER) ############# String title ############# stringalv = "##AlienVault" ############# IP ############# if ip != None: alerts = ipalv(otx, ip, IndicatorTypes) if len(alerts) > 0: stringalv = '\n'.join([stringalv, "* {} is identified as potentially malicious".format(ip)]) stringalv = '\n'.join([stringalv, "* {} is in {} AlienVault alerts".format(ip,len(alerts))]) stringalv = '\n'.join([stringalv, "* [AlienVault source link](https://otx.alienvault.io/indicator/ip/{})".format(ip)]) else: stringalv = '\n'.join([stringalv, "* {} is not identified as malicious".format(ip)]) stringalv = '\n'.join([stringalv, "* [AlienVault source link](https://otx.alienvault.io/indicator/ip/{})".format(ip)]) ############# URL############# if url != None: alerts = urlalv(otx, url, IndicatorTypes) if len(alerts) > 0: stringalv = '\n'.join([stringalv, "* {} is identified as potentially malicious".format(url)]) stringalv = '\n'.join([stringalv, "* {} is in {} AlienVault alerts".format(url,len(alerts))]) stringalv = '\n'.join([stringalv, "* [AlienVault source link](https://otx.alienvault.io/indicator/url/{})".format(url)]) else: stringalv = '\n'.join([stringalv, "* {} is not identified".format(url)]) stringalv = '\n'.join([stringalv, "* [AlienVault source link](https://otx.alienvault.io/indicator/url/{})".format(url)]) ############# Rating ############# grade = rating(len(alerts)) return stringalv, grade
def main(api_key, start_date): goat = GoatJockey(topx=1000000) otx = OTXv2(api_key) interesting_iocs = set() for pulse in otx.getsince_iter(start_date): for indicator in pulse['indicators']: b = goat.match(indicator['indicator']) if not b[0]: interesting_iocs.add(indicator['indicator']) for ioc in interesting_iocs: print(ioc)
def process(self): self.logger.info("Downloading report through API.") otx = OTXv2(self.parameters.api_key, proxy=self.parameters.https_proxy) if self.modified_pulses_only: self.logger.info("Fetching only modified pulses.") interval = (datetime.datetime.now() - datetime.timedelta(hours=self.interval)).isoformat() pulses = otx.getsince(interval, limit=9999) else: self.logger.info("Fetching all pulses.") pulses = otx.getall() self.logger.info("Report downloaded.") report = self.new_report() report.add("raw", json.dumps(pulses)) self.send_message(report)
def otx_run(misp): LOGGER.info('Setting up OTX connector...') try: otx = OTXv2(OTX_API_KEY) except Exception as ex: LOGGER.error('Failed to connect to OTX: {0}'.format(str(ex))) sys.exit(1) date_since = (datetime.utcnow() - timedelta(hours=HOURS_TO_CHECK)).isoformat() pulses = get_pulses(otx, date_since) if pulses: process_pulses(misp, pulses) LOGGER.info('Run complete!')