Пример #1
0
def update_last_update(last_update: int) -> None:
    "Write last update from disk (~/.cache/<worker_name>/last_update)"
    cache_filename: Text = os.path.join(
        caep.get_cache_dir(worker.worker_name(), create=True), "last_update")

    # Write last update timestamp to disk
    with open(cache_filename, "w") as f:
        f.write(str(last_update))
Пример #2
0
def main() -> None:
    """ Main function """

    # Look for default ini file in "/etc/actworkers.ini" and ~/config/actworkers/actworkers.ini
    # (or replace .config with $XDG_CONFIG_DIR if set)
    args = worker.handle_args(parseargs())

    auth = None
    if args.http_user:
        auth = (args.http_user, args.http_password)

    actapi = act.api.Act(args.act_baseurl,
                         args.user_id,
                         args.loglevel,
                         args.logfile,
                         worker.worker_name(),
                         requests_common_kwargs={'auth': auth})

    if args.type:
        types = [args.type]
    else:
        types = list(MITRE_URLS.keys())

    for mitre_type in types:
        url = MITRE_URLS.get(mitre_type.lower())

        if not url:
            error("Unknown mitre type: {}. Valid types: {}".format(
                mitre_type, ",".join(MITRE_URLS.keys())))
            sys.exit(2)

        cache = notify_cache(args.notifycache)

        # Get attack dataset as Stix Memory Store
        attack = get_attack(url, args.proxy_string, args.http_timeout)

        techniques_notify = add_techniques(actapi, attack, args.output_format)
        groups_notify = add_groups(actapi, attack, args.output_format)
        software_notify = add_software(actapi, attack, args.output_format)

        # filter revoked objects from those allready notified
        notify = [
            notify
            for notify in techniques_notify + groups_notify + software_notify
            if notify.id not in cache
        ]

        if notify:
            notified = send_notification(notify, args.smtphost, args.sender,
                                         args.recipient, url)

            for object_id in notified:
                # Add object to cache, so we will not be notified on the same object on the next run
                add_to_cache(args.notifycache, object_id)
Пример #3
0
def main() -> None:
    """main function"""

    # Look for default ini file in "/etc/actworkers.ini" and ~/config/actworkers/actworkers.ini
    # (or replace .config with $XDG_CONFIG_DIR if set)
    args = worker.handle_args(parseargs())

    auth = None
    if args.http_user:
        auth = (args.http_user, args.http_password)

    actapi = act.api.Act(args.act_baseurl,
                         args.user_id,
                         args.loglevel,
                         args.logfile,
                         worker.worker_name(),
                         requests_common_kwargs={'auth': auth})

    if not args.country_codes:
        sys.stderr.write(
            "You must specify --country-codes on command line or in config file\n"
        )
        sys.exit(1)

    if not os.path.isfile(args.country_codes):
        sys.stderr.write(
            "Country/region file not found at specified location: {}\n".format(
                args.country_codes))
        sys.exit(2)

    # Get map of CC -> Country Name
    cn_map = get_cn_map(args.country_codes)

    db_cache = get_db_cache(CACHE_DIR)

    # Read IPs from stdin
    if args.stdin:
        in_data = [ip for ip in sys.stdin.read().split("\n")]
        handle_ip(actapi, cn_map, in_data, db_cache, args.output_format)

    # Bulk lookup
    elif args.bulk:
        all_ips = [ip for ip in open(args.bulk, "r")]
        batch_size = 50
        i = 0
        while i < len(all_ips):
            handle_ip(actapi, cn_map, (all_ips[i:i + batch_size]), db_cache,
                      args.output_format)
            i += batch_size
            time.sleep(1)

    db_cache.close()
Пример #4
0
def get_last_update() -> int:
    "Get last update from disk (~/.cache/<worker_name>/last_update)"
    cache_filename: Text = os.path.join(
        caep.get_cache_dir(worker.worker_name(), create=True), "last_update")

    if os.path.isfile(cache_filename):
        # Read last_update from last recorded succsfully recieved event
        with open(cache_filename) as f:
            last_update = int(f.read().strip())
            debug("last update starting at {}".format(last_update))
    else:
        # last_update not specified, set to now-1w
        last_update = int((time.time() - 3600 * 24 * 7) * 1000)
        info("last update not specified, autoconfigured as {}".format(
            last_update))

    return last_update
Пример #5
0
def main() -> None:
    """main function"""

    # Look for default ini file in "/etc/actworkers.ini" and ~/config/actworkers/actworkers.ini
    # (or replace .config with $XDG_CONFIG_DIR if set)
    args = worker.handle_args(parseargs())

    if not args.apikey:
        sys.stderr.write(
            "You must specify --apikey on command line or in config file\n")
        sys.exit(1)

    auth = None
    if args.http_user:
        auth = (args.http_user, args.http_password)

    actapi = act.api.Act(args.act_baseurl,
                         args.user_id,
                         args.loglevel,
                         args.logfile,
                         worker.worker_name(),
                         requests_common_kwargs={'auth': auth})

    in_data = sys.stdin.read().strip()

    proxies = {
        'http': args.proxy_string,
        'https': args.proxy_string
    } if args.proxy_string else None

    vtapi = VirusTotalApi(args.apikey, proxies=proxies)

    if args.hexdigest:
        handle_hexdigest(actapi,
                         vtapi,
                         in_data,
                         output_format=args.output_format)

    if args.ip:
        handle_ip(actapi, vtapi, in_data, output_format=args.output_format)

    if args.domain:
        handle_domain(actapi, vtapi, in_data, output_format=args.output_format)
Пример #6
0
def main_log_error() -> None:
    "Call main() and log all exceptions as errors"
    try:
        # Look for default ini file in "/etc/actworkers.ini" and ~/config/actworkers/actworkers.ini
        # (or replace .config with $XDG_CONFIG_DIR if set)
        args = worker.handle_args(worker.parseargs("Generic uploader"))

        auth = None
        if args.http_user:
            auth = (args.http_user, args.http_password)

        actapi = act.api.Act(args.act_baseurl,
                             args.user_id,
                             args.loglevel,
                             args.logfile,
                             worker.worker_name(),
                             requests_common_kwargs={'auth': auth})
        main(actapi)
    except Exception:
        error("Unhandled exception: {}".format(traceback.format_exc()))
        raise
Пример #7
0
def main() -> None:
    """main function"""

    # Look for default ini file in "/etc/actworkers.ini" and ~/config/actworkers/actworkers.ini
    # (or replace .config with $XDG_CONFIG_DIR if set)
    args = worker.handle_args(parseargs())

    auth = None
    if args.http_user:
        auth = (args.http_user, args.http_password)

    actapi = act.api.Act(args.act_baseurl,
                         args.user_id,
                         args.loglevel,
                         args.logfile,
                         worker.worker_name(),
                         requests_common_kwargs={'auth': auth})

    # Add IOCs from reports to the ACT platform
    add_to_act(
        actapi,
        get_scio_report(),
        args.output_format,
    )
Пример #8
0
def main() -> None:
    # Look for default ini file in "/etc/actworkers.ini" and ~/config/actworkers/actworkers.ini
    # (or replace .config with $XDG_CONFIG_DIR if set)
    args = worker.handle_args(parseargs())

    auth = None
    if args.http_user:
        auth = (args.http_user, args.http_password)

    actapi = act.api.Act(args.act_baseurl, args.user_id, args.loglevel, args.logfile, worker.worker_name(), requests_common_kwargs={'auth': auth})

    process(actapi, args.pdns_baseurl, args.apikey, args.timeout, args.proxy_string, args.output_format)
Пример #9
0
def main_log_error() -> None:
    "Main function. Log all exceptions to error"
    # Look for default ini file in "/etc/actworkers.ini" and ~/config/actworkers/actworkers.ini
    # (or replace .config with $XDG_CONFIG_DIR if set)
    args = worker.handle_args(parseargs())

    auth = None
    if args.http_user:
        auth = (args.http_user, args.http_password)

    actapi = act.api.Act(args.act_baseurl, args.user_id, args.loglevel, args.logfile, worker.worker_name(), requests_common_kwargs={'auth': auth})

    try:
        process(
            actapi,
            worker.fetch_json(args.country_region_url, args.proxy_string, args.http_timeout),
            args.output_format
        )
    except Exception:
        error("Unhandled exception: {}".format(traceback.format_exc()))
        raise
Пример #10
0
def main() -> None:
    """program entry point"""

    # Look for default ini file in "/etc/actworkers.ini" and ~/config/actworkers/actworkers.ini
    # (or replace .config with $XDG_CONFIG_DIR if set)
    args = worker.handle_args(parseargs())

    manifest_dir = args.manifest_dir

    auth = None
    if args.http_user:
        auth = (args.http_user, args.http_password)

    actapi = act.api.Act(args.act_baseurl, args.user_id, args.loglevel, args.logfile, worker.worker_name(), requests_common_kwargs={'auth': auth})

    verify_manifest_dir(manifest_dir)
    misp_feeds_file = os.path.join(manifest_dir, "misp_feeds.txt")

    with open(misp_feeds_file) as f:
        for line in f:
            feed_data = handle_feed(manifest_dir, line.strip(), args.proxy_string, args.cert_file)
            for event in feed_data:
                n = 0
                e = 0

                act.api.helpers.handle_fact(
                    actapi.fact("hasTitle", event.info)
                    .source("report", str(event.uuid)),
                    output_format=args.output_format)

                n += 1

                try:
                    act.api.helpers.handle_fact(
                        actapi.fact("externalLink")
                        .source("uri", "{0}/{1}.json".format(line.strip(), event.uuid))
                        .destination("report", str(event.uuid)),
                        output_format=args.output_format)

                    n += 1
                except act.api.base.ResponseError as err:
                    e += 1
                    error("Error adding fact to platform", exc_info=True)

                for attribute in event.attributes:
                    if not attribute.act_type:
                        continue
                    try:
                        act.api.helpers.handle_fact(
                            actapi.fact("seenIn", "report")
                            .source(attribute.act_type, attribute.value)
                            .destination("report", str(event.uuid)),
                            output_format=args.output_format)
                        n += 1
                    except act.api.base.ResponseError as err:
                        e += 1
                        error("Error adding fact to platform", exc_info=True)
                info("{0} facts. {1} errors.".format(n, e))