def _get_indicator(i): i2 = Indicator() timestamps = [] ports = [] # prioritize the various elements.. for e in i: if i[e] == 'CC': i2.cc = e continue if i[e] == 'indicator': if i2.indicator: i2.reference = e else: i2.indicator = e continue if i[e] == 'timestamp': timestamps.append(get_ts(e)) continue if i[e] == 'float': i2.asn = e continue if i[e] == 'int': ports.append(e) continue if i[e] == 'description': i2.description = e continue if i[e] == 'string': if re.match(r'[0-9A-Za-z\.\s\/]+', e) and i2.asn: i2.asn_desc = e continue if 4 <= len(e) <= 10 and re.match('[a-z-A-Z]+,?', e) \ and e not in ['ipv4', 'fqdn', 'url', 'ipv6']: i2.tags = [e] continue if ' ' in e and 5 <= len(e) and not i2.asn_desc: i2.description = e continue _calc_timestamps(i2, timestamps) _calc_ports(i2, ports) return i2
def get_indicator(l, hints=None): i = OrderedDict() if not isinstance(l, list): l = [l] # step 1, detect datatypes for e in l: if not isinstance(e, (str, bytes)): continue e = e.rstrip() e = e.lstrip() if re.match('^[a-zA-Z]{2}$', e): i[e] = 'CC' continue t = None try: t = resolve_itype(e.rstrip('/')) # 25553.0 ASN formats trip up FQDN resolve itype if t and not (t == 'fqdn' and re.match('^\d+\.[0-9]$', e)): i[e] = 'indicator' continue except Exception: pass if isinstance(e, int): i[e] = 'int' continue if isinstance(e, float) or re.match('^\d+\.[0-9]$', e): i[e] = 'float' continue if is_timestamp(e): i[e] = 'timestamp' continue if isinstance(e, (str, bytes)): if hints: for ii in range(0, 25): if len(hints) == ii: break if e.lower() == hints[ii].lower(): i[e] = 'description' break if not i.get(e): i[e] = 'string' i2 = Indicator() timestamps = [] ports = [] for e in i: if i[e] == 'CC': i2.cc = e continue if i[e] == 'indicator': if i2.indicator: i2.reference = e else: i2.indicator = e continue if i[e] == 'timestamp': timestamps.append(parse_timestamp(e)) continue if i[e] == 'float': i2.asn = e continue if i[e] == 'int': ports.append(e) continue if i[e] == 'description': i2.description = e continue if i[e] == 'string': if re.match(r'[0-9A-Za-z\.\s\/]+', e) and i2.asn: i2.asn_desc = e continue if 4 <= len(e) <= 10 and re.match('[a-z-A-Z]+,?', e) and e not in [ 'ipv4', 'fqdn', 'url', 'ipv6' ]: i2.tags = [e] continue if ' ' in e and 5 <= len(e) and not i2.asn_desc: i2.description = e continue timestamps = sorted(timestamps, reverse=True) if len(timestamps) > 0: i2.last_at = timestamps[0] if len(timestamps) > 1: i2.first_at = timestamps[1] if len(ports) > 0: if len(ports) == 1: i2.portlist = ports[0] else: if ports[0] > ports[1]: i2.portlist = ports[0] i2.dest_portlist = ports[1] else: i2.portlist = ports[1] i2.dest_portlist = ports[0] return i2