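    def to_indicators(self,
                      type="hostname",
                      category="exploit",
                      author=None,
                      source="Blacklist conversion",
                      prob=0.7,
                      description=None,
                      version=1):
        """Convert every entry of ``self.bl`` into an ``Indicators`` bundle.

        Each blacklist entry becomes one ``Indicator`` whose ``Descriptor``
        carries the given metadata and whose match rule is
        ``lt.Match(type, entry)``.

        Args:
            type: indicator type written into the descriptor and the match
                rule (the name shadows the builtin; kept for compatibility).
            category: descriptor category.
            author: descriptor author, or None.
            source: descriptor source label.
            prob: descriptor probability / confidence value.
            description: optional per-indicator description; only assigned
                to the descriptor when it is not None.
            version: version number of the returned ``Indicators``.

        Returns:
            An ``Indicators`` object described as "Blacklist".
        """
        inds = []

        for entry in self.bl:
            des = Descriptor(category=category,
                             author=author,
                             source=source,
                             prob=prob,
                             type=type,
                             value=entry)
            # `is not None`: None is a singleton, so an identity test is the
            # idiomatic (and operator-overload-proof) form of this check.
            if description is not None:
                des.description = description
            ind = Indicator(des)
            ind.value = lt.Match(type, entry)
            inds.append(ind)

        return Indicators(version=version,
                          description="Blacklist",
                          indicators=inds)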
def load_value(obj):
    """Build an ``lt`` match expression from a dict description.

    The keys are consulted in this order of precedence: ``type`` (with its
    companion ``value``), ``or``, ``and``, ``not``. ``or``/``and`` hold a
    list of nested descriptions; ``not`` holds a single one. Nested
    descriptions are loaded recursively.

    Raises:
        RuntimeError: when none of the recognised keys is present.
    """
    if "type" in obj:
        return lt.Match(obj["type"], obj["value"])

    if "or" in obj:
        branches = [load_value(sub) for sub in obj["or"]]
        return lt.Or(branches)

    if "and" in obj:
        branches = [load_value(sub) for sub in obj["and"]]
        return lt.And(branches)

    if "not" in obj:
        inner = load_value(obj["not"])
        return lt.Not(inner)

    raise RuntimeError("Can't parse value")
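def load_value(obj):
    """Load a match expression from a Python dict object.

    The dict normally comes from a deserialised indicator file, i.e. from
    outside the process, so its shape is not trusted. Malformed shapes are
    reported uniformly as ``RuntimeError("Can't parse value")`` instead of
    leaking a ``KeyError`` from a ``type`` entry that lacks its ``value``.

    Recognised shapes, checked in this order:
        {"type": T, "value": V}  -> lt.Match(T, V)
        {"or": [...]}            -> lt.Or of the loaded sub-expressions
        {"and": [...]}           -> lt.And of the loaded sub-expressions
        {"not": {...}}           -> lt.Not of the loaded sub-expression

    Raises:
        RuntimeError: if no recognised key is present, or a ``type`` entry
            has no ``value`` (the original ``KeyError`` is chained as cause).
    """
    if "type" in obj:
        try:
            value = obj["value"]
        except KeyError as err:
            # Keep the documented error type; chain the cause for debugging.
            raise RuntimeError("Can't parse value") from err
        return lt.Match(obj["type"], value)
    elif "or" in obj:
        return lt.Or([load_value(v) for v in obj["or"]])
    elif "and" in obj:
        return lt.And([load_value(v) for v in obj["and"]])
    elif "not" in obj:
        return lt.Not(load_value(obj["not"]))
    else:
        raise RuntimeError("Can't parse value")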
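    def to_detector(self,
                    match="dns",
                    type="hostname",
                    category="exploit",
                    author="osint.bambenekconsulting.com",
                    source="Blacklist conversion",
                    prob=0.7,
                    description=None):
        """Convert parsed Bambenek feed rows into an ``Indicators`` bundle.

        ``self.bl`` is iterated as rows (sequences of fields). A row is
        skipped when it is empty, when its first field starts with ``#``
        (a feed comment) or when it has fewer than 4 fields; the first
        field of every remaining row is the indicator value.

        Args:
            match: accepted for API compatibility; not used here.
            type: indicator type for the descriptor and the match rule.
            category: descriptor category.
            author: descriptor author.
            source: descriptor source label.
            prob: descriptor probability / confidence value.
            description: optional descriptor description, assigned when not
                None (previously accepted but silently ignored).

        Returns:
            ``Indicators(version=1, description="Bambenek IOCs", ...)``.
        """
        inds = []

        for row in self.bl:
            # Feed rows are external input: check every shape assumption
            # before indexing so an empty first field cannot raise IndexError.
            if len(row) < 1:
                continue
            if row[0] and row[0][0] == '#':
                continue
            if len(row) < 4:
                continue

            value = row[0]

            des = Descriptor(category=category,
                             author=author,
                             source=source,
                             prob=prob,
                             type=type,
                             value=value)
            if description is not None:
                des.description = description

            # MD5 only derives a stable, feed-scoped identifier from the
            # value; it is not an integrity or security control here. The
            # "bamabenek:" prefix is kept verbatim on purpose: changing it
            # would change every previously issued indicator id.
            digest = hashlib.new('md5')
            digest.update(("bamabenek:" + value).encode("utf-8"))
            ind_id = digest.hexdigest()

            ind = Indicator(des, ind_id)
            ind.value = lt.Match(type=type, value=value)
            inds.append(ind)

        return Indicators(version=1,
                          description="Bambenek IOCs",
                          indicators=inds)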
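    def to_detector(self,
                    type="hostname",
                    category="exploit",
                    author=None,
                    source="Blacklist conversion",
                    prob=0.7,
                    description=None):
        """Convert parsed URLhaus feed rows into an ``Indicators`` bundle.

        ``self.bl`` is iterated as rows (sequences of fields). A row is
        skipped when it is empty, when its first field starts with ``#``
        (a feed comment) or when it has fewer than 7 fields. The third
        field (index 2) is the URL that becomes the indicator value and the
        input of the identifier hash.

        Args:
            type: indicator type for the descriptor and the match rule.
            category: descriptor category.
            author: descriptor author, or None.
            source: descriptor source label.
            prob: descriptor probability / confidence value.
            description: optional descriptor description, assigned when not
                None.

        Returns:
            ``Indicators(version=1, description="Urlhaus IOCs", ...)``.
        """
        inds = []

        for row in self.bl:
            # Feed rows are external input: check every shape assumption
            # before indexing so an empty first field cannot raise IndexError.
            if len(row) < 1:
                continue
            if row[0] and row[0][0] == '#':
                continue
            if len(row) < 7:
                continue

            url = row[2]

            # MD5 only derives a stable, feed-scoped identifier from the
            # URL; it is not an integrity or security control here.
            digest = hashlib.new('md5')
            digest.update(("urlhaus:" + url).encode("utf-8"))
            ind_id = digest.hexdigest()

            # The descriptor value and the match rule use the extracted
            # URL, not the whole row: the id is already keyed on `url`,
            # and matching against a list of fields was the defect here.
            des = Descriptor(category=category,
                             author=author,
                             source=source,
                             prob=prob,
                             type=type,
                             value=url)
            if description is not None:
                des.description = description
            ind = Indicator(des, ind_id)
            ind.value = lt.Match(type, url)
            inds.append(ind)

        return Indicators(version=1,
                          description="Urlhaus IOCs",
                          indicators=inds)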