def process_content(self, content, filename):
context = dict(source=self.name)
context['description'] = 'File: {}'.format(filename)
if content.startswith('Certificate:') and content.endswith(
'-----END CERTIFICATE-----\n'):
try:
cert_data = Certificate.from_data(content)
cert_data.add_context(context)
cert_data.add_source(self.name)
except ObservableValidationError as e:
logging.error(e)
else:
try:
observables = Observable.from_string(content)
except Exception as e:
logging.error(e)
return
for key in observables:
for ioc in filter(None, observables[key]):
if key == 'Url' and any(
[domain in ioc for domain in BLACKLIST_DOMAINS]):
continue
try:
ioc_data = self.refs[key].get_or_create(value=ioc)
ioc_data.add_context(context)
ioc_data.add_source(self.name)
except ObservableValidationError as e:
logging.error(e)
except UnicodeDecodeError as e:
logging.error(e)
def analyze(observable, results):
links = set()
if isinstance(observable, Ip):
ip_search = CirclPassiveSSLApi.search_ip(observable,
results.settings)
if ip_search:
json_string = json.dumps(ip_search,
sort_keys=True,
indent=4,
separators=(",", ": "))
results.update(raw=json_string)
for ip_addr, ip_details in ip_search.items():
for cert_sha1 in ip_details.get("certificates", []):
try:
cert_result = CirclPassiveSSLApi.fetch_cert(
cert_sha1, results.settings)
if cert_result:
_info = cert_result.get("info", {})
x509 = load_certificate(
FILETYPE_PEM, cert_result.get("pem"))
der = dump_certificate(FILETYPE_ASN1, x509)
cert_ob = Certificate.from_data(data=der)
subject = CertificateSubject.get_or_create(
value=_info.get("subject", ""))
issuer = CertificateSubject.get_or_create(
value=_info.get("issuer", ""))
links.update(
observable.active_link_to(
cert_ob, "ssl-cert",
"circl_passive_ssl_query"))
links.update(
cert_ob.active_link_to(
subject,
"cert-subject",
"circl_passive_ssl_query",
))
links.update(
cert_ob.active_link_to(
issuer, "cert-issuer",
"circl_passive_ssl_query"))
except Exception as e:
logging.error(
"Error attempting to fetch cert file {}".
format(e))
return list(links)
def _handle_cert(dbase, rec, links):
"""Internal function to handle a record corresponding to an X509
certificate.
"""
raw_data = dbase.from_binary(rec['value'])
cert = Certificate.from_data(raw_data, hash_sha256=rec['infos']['sha256'])
rec['value'] = encode_b64(raw_data).decode()
links.update(
cert.link_to(
CertificateSubject.get_or_create(
value=rec['infos']['subject_text']),
"cert-subject",
"IVRE - X509 subject",
))
links.update(
cert.link_to(
CertificateSubject.get_or_create(
value=rec['infos']['issuer_text']),
"cert-issuer",
"IVRE - X509 issuer",
))
commonname = rec['infos']['subject']['commonName']
if commonname:
while commonname.startswith('*.'):
commonname = commonname[2:]
if commonname:
_try_link(links, cert, Hostname, commonname, "cert-commonname",
"IVRE - X509 Subject commonName")
for san in rec['infos'].get('san', []):
if san.startswith('DNS:'):
san = san[4:]
while san.startswith('*.'):
san = san[2:]
if san:
_try_link(links, cert, Hostname, san, "cert-san",
"IVRE - X509 subjectAltName")
elif san.startswith('IP Address:'):
san = san[11:]
if san:
_try_link(links, cert, Ip, san, "cert-san",
"IVRE - X509 subjectAltName")
elif san.startswith('email:'):
san = san[6:]
if san:
_try_link(links, cert, Email, san, "cert-san",
"IVRE - X509 subjectAltName")
elif san.startswith('URI:'):
san = san[4:]
if san:
_try_link(links, cert, Url, san, "cert-san",
"IVRE - X509 subjectAltName")
else:
LOG.debug('_handle_rec: cannot handle subjectAltName: %r', san)
return cert
def register_certificate(content, context, source):
"""Helper function to register certificate
Args:
content (str): The certificate content.
context (dict): The observable context.
source (str): origin of the observable
"""
try:
cert_data = Certificate.from_data(content)
cert_data.add_context(context)
cert_data.add_source(source)
except ObservableValidationError as e:
logging.error(e)