class Display_Intelligence():
def __init__(self):
self.link = Database("Intelligence")
super().__init__()
def display_ioc(self, type):
result = {}
result["data"] = []
select_result = self.link.select(type,
query={},
sort="disclosure_time")
if select_result:
for alert in select_result:
alert.pop("_id")
result["data"].append(alert)
self.link.close()
result["data"] = list_dict_duplicate_removal(result["data"])
return result
def ioc_count(self):
result = {}
count = 0
for ioc_type in ioc:
result[ioc_type] = self.link.count(ioc_type)
count += count + result[ioc_type]
result["count"] = count
self.link.close()
# result["data"] = list_dict_duplicate_removal(result["data"])
return result
class Search():
def __init__(self, data):
self.link = Database("Intelligence")
self.search_type = list(data.keys())[0]
self.search_value = data[self.search_type]
self.result = {}
self.result["data"] = []
super().__init__()
def search_local(self):
result_local = {}
result_local["from"] = "local"
result_local["type"] = self.search_type
result_local["value"] = self.search_value
try:
local = self.link.select(
self.search_type, query={self.search_type:
self.search_value})[0]
result_local["result"] = "success"
result_local["tags"] = local["tags"]
# result_local["time"] = local["disclosure_time"]
except:
result_local["result"] = "fail"
self.link.close()
return (result_local)
def search_venuseye(self):
check_url = {
"ip": "https://www.venuseye.com.cn/ve/ip/ioc",
"email": "https://www.venuseye.com.cn/ve/email/ioc",
"domain": "https://www.venuseye.com.cn/ve/domain/ioc",
"hash": {
"sha256": "https://www.venuseye.com.cn/ve/sample/sha256",
"sha1": "https://www.venuseye.com.cn/ve/sample/sha1",
"md5": "https://www.venuseye.com.cn/ve/sample/md5"
}
}
venuseye_reslut = {}
venuseye_reslut["from"] = "venuseye"
venuseye_reslut["type"] = self.search_type
venuseye_reslut["value"] = self.search_value
try:
if self.search_type == "hash":
if len(self.search_value) == 32:
venuseye = json.loads(
requests.post(check_url["hash"]["md5"], {
"target": self.search_value
}).content)
elif len(self.search_value) == 40:
venuseye = json.loads(
requests.post(check_url["hash"]["sha1"], {
"target": self.search_value
}).content)
elif len(self.search_value) == 64:
venuseye = json.loads(
requests.post(check_url["hash"]["sha256"], {
"target": self.search_value
}).content)
venuseye_reslut["tags"] = venuseye["data"]["tags"]
else:
venuseye = json.loads(
requests.post(check_url[self.search_type], {
"target": self.search_value
}).content)
venuseye_reslut["result"] = "success"
venuseye_reslut["tags"] = []
for ioc in venuseye["data"]["ioc"]:
for tag in ioc["categories"]:
venuseye_reslut["tags"].append(tag)
venuseye_reslut["tags"] = [
x for x in set(venuseye_reslut["tags"])
]
except:
venuseye_reslut["result"] = "fail"
return venuseye_reslut
def get_reslut(self):
self.result["data"].append(self.search_local())
self.result["data"].append(self.search_venuseye())
return self.result
class Display_Semitic():
def __init__(self):
self.link = Database("Semitic")
super().__init__()
def display_alert_rule(self):
result = {}
result["data"] = []
select_result = self.link.select("alert", query={})
if select_result:
for alert in select_result:
alert.pop("_id")
result["data"].append(alert)
result["data"] = list_dict_duplicate_removal(result["data"])
self.link.close()
return result
def display_alert_ioc(self):
result = {}
result["data"] = []
select_result = self.link.select("alert_ioc", query={})
if select_result:
for alert in select_result:
alert.pop("_id")
result["data"].append(alert)
self.link.close()
result["data"] = list_dict_duplicate_removal(result["data"])
return result
def display_service(self):
result = {}
result["data"] = []
select_result = self.link.select("service", query={})
if select_result:
for service in select_result:
service.pop("_id")
result["data"].append(service)
self.link.close()
result["data"] = list_dict_duplicate_removal(result["data"])
return result
def display_proto(self, type):
result = {}
result["data"] = []
select_result = self.link.select(type, query={})
for proto in select_result:
proto.pop("_id")
if type == "http":
if proto["uri"] == "/api/upload_eve":
continue
result["data"].append(proto)
self.link.close
result["data"] = list_dict_duplicate_removal(result["data"])
return result
def alert_count(self):
result = {}
result["rule_count"] = self.link.count("alert")
result["ioc_count"] = self.link.count("alert_ioc")
result["count"] = result["rule_count"] + result["ioc_count"]
self.link.close()
return result
def proto_count(self):
result = {}
count = 0
for proto_type in proto:
result[proto_type] = self.link.count(proto_type)
count += self.link.count(proto_type)
result["count"] = result["tcp"] + result['udp']
self.link.close()
return result
def eve_count(self):
result = {"count": self.link.count("eve")}
return result
class IoC():
def __init__(self):
self.key_list = [
"flow_id", "time", "src_ip", "src_port", "dest_ip", "dest_port"
]
self.link_mongo = Database("Intelligence")
def deal_tcp(self, tcp_list):
ioc_result = []
for tcp_dict in tcp_list:
ip_list = [tcp_dict["src_ip"], tcp_dict["dest_ip"]]
for ip in ip_list:
if not private_ip(ip):
try:
result = self.link_mongo.select("ip", {"ip": ip})[0]
if result["tags"]:
ioc_alert = {}
for key in self.key_list:
ioc_alert[key] = tcp_dict[key]
ioc_alert["ioc"] = result["ip"]
ioc_alert["tags"] = result["tags"]
ioc_result.append(ioc_alert)
except:
pass
return ioc_result
# {'flow_id': 980766215639499, 'time': '2020-04-20T09:39:48.628757+0000', 'src_ip': '192.168.1.100', 'src_port': 60932, 'dest_ip': '36.152.44.96', 'dest_port': 443, 'sni': 'www.baidu.com', '_id': ObjectId('5ea18add65f32300fca3c016')}
def deal_tls(self, tls_list):
ioc_result = []
for tls_dict in tls_list:
try:
result = self.link_mongo.select("domain",
{"domain": tls_dict["sni"]})[0]
if result["tags"]:
ioc_alert = {}
for key in self.key_list:
ioc_alert[key] = tls_dict[key]
ioc_alert["ioc"] = result["domain"]
ioc_alert["tags"] = result["tags"]
ioc_result.append(ioc_alert)
except:
pass
return ioc_result
# {'flow_id': 1210501935253800, 'time': '2019-12-16T12:00:26.080135+0000', 'src_ip': '192.168.63.20', 'src_port': 62419, 'dest_ip': '101.231.64.109', 'dest_port': 81, 'hostname': '101.231.64.109', 'uri': '/mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333', 'method': 'POST', '_id': ObjectId('5ea194764eeb0d1f8cb7a959')}
def deal_http(self, http_list):
ioc_result = []
for http_dict in http_list:
try:
result = self.link_mongo.select(
"url", {"url": {
"$regex": http_dict["hostname"]
}})[0]
if result["tags"]:
ioc_alert = {}
for key in self.key_list:
ioc_alert[key] = http_dict[key]
ioc_alert["ioc"] = result["url"]
ioc_alert["tags"] = result["tags"]
ioc_result.append(ioc_alert)
except:
pass
return ioc_result
# {'flow_id': 2206433917676972, 'time': '2020-04-20T09:39:46.011692+0000', 'src_ip': '192.168.1.100', 'src_port': 3143, 'dest_ip': '211.138.180.3', 'dest_port': 53, 'rrname': ['www.bing.com'], '_id': ObjectId('5ea19ded9dae6710b5616387')}
def deal_dns(self, dns_list):
ioc_result = []
for dns_dict in dns_list:
try:
for rrname in dns_dict["rrname"]:
try:
result = self.link_mongo.select(
"domain", {"domain": rrname})[0]
except:
result = self.link_mongo.select(
"url", {"url": {
"$regex": rrname
}})[0]
finally:
pass
if result["tags"]:
ioc_alert = {}
for key in self.key_list:
ioc_alert[key] = dns_dict[key]
try:
ioc_alert["ioc"] = result["domain"]
except:
ioc_alert["ioc"] = result["url"]
ioc_alert["tags"] = result["tags"]
ioc_result.append(ioc_alert)
except:
pass
return ioc_result