Exemplo n.º 1
0
def _is_ip(input_ip):
    if (ph_utils.is_ip(input_ip)):
        return True

    if (is_ipv6(input_ip)):
        return True

    return False
    def _is_ip(self, input_ip):

        if ph_utils.is_ip(input_ip):
            return True

        if self.is_ipv6(input_ip):
            return True

        return False
Exemplo n.º 3
0
def _get_ioc_type(ioc):

    if util.is_ip(ioc):
        return (phantom.APP_SUCCESS, "ip")

    if util.is_hash(ioc):
        return _get_hash_type(ioc)

    if util.is_domain(ioc):
        return (phantom.APP_SUCCESS, "domain")

    return (phantom.APP_ERROR, "Failed to detect the IOC type")
    def _handle_body(self, body, parsed_mail, email_id):

        local_file_path = body['file_path']
        ips = parsed_mail[PROC_EMAIL_JSON_IPS]
        hashes = parsed_mail[PROC_EMAIL_JSON_HASHES]
        urls = parsed_mail[PROC_EMAIL_JSON_URLS]
        domains = parsed_mail[PROC_EMAIL_JSON_DOMAINS]

        file_data = None

        try:
            with open(local_file_path, 'r') as f:
                file_data = f.read()
        except Exception:
            with open(local_file_path, 'rb') as f:
                file_data = f.read()
            self._base_connector.debug_print(
                "Reading file data using binary mode")

        if (file_data is None) or (len(file_data) == 0):
            return phantom.APP_ERROR

        file_data = UnicodeDammit(file_data).unicode_markup.encode(
            'utf-8').decode('utf-8')

        self._parse_email_headers_as_inline(file_data, parsed_mail, email_id)

        if self._config[PROC_EMAIL_JSON_EXTRACT_DOMAINS]:
            emails = []
            emails.extend(re.findall(email_regexc, file_data))
            emails.extend(re.findall(email_regexc2, file_data))

            for curr_email in emails:
                domain = curr_email[curr_email.rfind('@') + 1:]
                if domain and (not ph_utils.is_ip(domain)):
                    domains.add(domain)

        self._extract_urls_domains(file_data, urls, domains)

        if self._config[PROC_EMAIL_JSON_EXTRACT_IPS]:
            self._get_ips(file_data, ips)

        if self._config[PROC_EMAIL_JSON_EXTRACT_HASHES]:
            hashs_in_mail = re.findall(hash_regexc, file_data)
            if hashs_in_mail:
                hashes |= set(hashs_in_mail)

        return phantom.APP_SUCCESS
Exemplo n.º 5
0
def _get_ioc_type(ioc):

    if util.is_ip(ioc):
        return phantom.APP_SUCCESS, "ip"

    try:
        ipv6_type = ipaddress.IPv6Address(ioc)
        if ipv6_type:
            return phantom.APP_SUCCESS, "ip"
    except:
        pass

    if util.is_hash(ioc):
        return _get_hash_type(ioc)

    if util.is_domain(ioc):
        return phantom.APP_SUCCESS, "domain"

    return phantom.APP_ERROR, "Failed to detect the IOC type"