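        def _open_exclusive(directory, stem, suffix):
            """Atomically create and open a fresh file for binary writing.

            The file is ``directory/stem + suffix``; if that name is already
            taken a numeric tag is inserted (``stem-1.xml``, ``stem-2.xml``, ...)
            so an earlier payload is never overwritten.  ``O_EXCL`` makes the
            create-or-fail atomic, which matters because the caller names
            files by a one-second timestamp and two events can land in the
            same second.  Mode 0o666 lets the umask decide, like ``open()``.

            Returns the open file object.  Re-raises any OSError other than
            "file exists".
            """
            import errno  # local import: the module's import block is not part of this snippet
            counter = 0
            while True:
                tag = "" if counter == 0 else "-%d" % counter
                candidate = os.path.join(directory, stem + tag + suffix)
                try:
                    fd = os.open(candidate, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
                except OSError as exc:
                    if exc.errno != errno.EEXIST:
                        raise
                    counter += 1
                    continue
                return os.fdopen(fd, "wb")

        def on_message(identifier, channel, payload):
            """hpfeeds callback: persist and forward thug events and files.

            ``thug.events`` payloads are written verbatim to a UTC-timestamped
            ``.xml`` file under OUTDIR (never overwriting an earlier one),
            parsed with ``functions.getthugevents`` and, when non-empty, sent
            as JSON to the local logstash listener on port 9999.

            ``thug.files`` payloads are JSON-decoded when possible (otherwise
            wrapped as ``{"raw": payload}``), handed to
            ``functions.getthugfiles`` with thugOUTDIR, and forwarded the same
            way under the ``logthug`` logger.
            """
            if channel == "thug.events":
                stem = time.strftime("%Y%m%d-%H%M%S", time.gmtime())
                with _open_exclusive(OUTDIR, stem, ".xml") as fd:
                    fd.write(payload)

                sd = functions.getthugevents(payload)

                # Comparison kept as written: the helper's return type is not
                # visible here, and "{}" is the sentinel the original checks.
                if str(sd) != "{}":
                    log.info(str(sd))
                    functions.jsonsend("localhost", 9999, json.dumps(sd))
                else:
                    log.info("cannot send sd to logstash: sd={}")

            if channel == "thug.files":
                try:
                    # NOTE(review): on Python 3 str(bytes) is the repr ("b'...'")
                    # and never parses; decode the payload instead if this runs on 3.
                    decoded = json.loads(str(payload))
                except ValueError:
                    # Not JSON: keep the raw payload so nothing is dropped.
                    decoded = {"raw": payload}

                sd = functions.getthugfiles(decoded, thugOUTDIR)

                if str(sd) != "{}":
                    logthug.info(str(sd))
                    functions.jsonsend("localhost", 9999, json.dumps(sd))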
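		def on_message(identifier, channel, payload):
			"""hpfeeds callback for the dionaea channels.

			``dionaea.capture`` messages are JSON objects carrying the fields
			listed in ``required`` below.  They are logged, enriched with a
			VirusTotal report for the MD5 and geo data for the download host,
			and shipped as one JSON document to the local listener on port
			8888.  Messages that are not JSON objects or lack a required field
			are logged and skipped instead of raising out of the callback.

			``mwbinary.dionaea.sensorunique`` messages carry a raw binary that
			is stored under OUTDIR with its MD5 as the filename; a failed write
			is appended to OUTFILE.
			"""
			try:
				decoded = json.loads(str(payload))
			except ValueError:
				# Not JSON: keep the bytes; the binary channel below only uses payload.
				decoded = {'raw': payload}

			if channel == 'dionaea.capture':
				required = ['url', 'daddr', 'saddr', 'dport', 'sport', 'md5', 'sha512']
				if not isinstance(decoded, dict):
					decoded = {}
				missing = [k for k in required if k not in decoded]
				if missing:
					# Always hit for non-JSON payloads ({'raw': ...}); the original
					# raised KeyError out of the callback at this point.
					log.info('PUBLISH channel = %s, identifier = %s, skipped: missing %s'
						 % (channel, identifier, ', '.join(missing)))
					return

				csv = ', '.join(['{0} = {1}'.format(k, decoded[k]) for k in required])
				log.info('PUBLISH channel = %s, identifier = %s, %s' % (channel, identifier, csv))

				# NOTE(review): local naive time; the thug collector stamps in UTC.
				occurrence = datetime.datetime.now().isoformat()
				event = {
					'saddr': decoded['saddr'], 'sport': decoded['sport'],
					'daddr': decoded['daddr'], 'dport': decoded['dport'],
				}

				# The URL is attacker-supplied; parse it once for the records below.
				url = decoded['url']
				parsed = urlparse(url)

				# Blocking external lookup inside the feed callback; the key is
				# re-read from the config for every event.
				APIKEY = functions.getconf('virustotal', 'APIKEY')
				vtresult = functions.vt_getreport(decoded['md5'], APIKEY)
				md5list = {
					'md5': decoded['md5'],
					'malurl': url,
					'malhostname': parsed.hostname,
					'malscheme': parsed.scheme,
					'vtresult': vtresult,
				}

				# NOTE(review): the hostname comes from the attacker's URL; if
				# geohostname resolves it, this host performs a DNS lookup the
				# attacker can observe -- confirm that is acceptable.
				geoinfo = functions.geohostname(parsed.hostname)
				hostnamelist = {
					'hostname': parsed.hostname,
					'underpath': [parsed.path],
					'scheme': parsed.scheme,
					'geoinfo': geoinfo,
				}

				sd = {
					"occurrence": occurrence,
					"startURL": url,
					"event": event,
					"md5List": md5list,
					"hostnameList": hostnamelist,
				}
				functions.jsonsend("localhost", 8888, json.dumps(sd))
				return

			if channel == 'mwbinary.dionaea.sensorunique':
				# Samples are named by MD5 alone, so a repeated (or colliding)
				# sample overwrites the earlier file in place.
				md5sum = hashlib.md5(payload).hexdigest()
				fpath = os.path.join(OUTDIR, md5sum)
				try:
					with open(fpath, 'wb') as fd:
						fd.write(payload)
				except (IOError, OSError):
					# Record the failure; `with` closes the log handle the original leaked.
					with open(OUTFILE, 'a') as outfd:
						outfd.write('{0} ERROR could not write to {1}\n'.format(
							datetime.datetime.now().ctime(), fpath))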
      "md5"     : malitem,
      "basic"   : basic,
      "scans"   : scans,
      "network" : network
    }
    
    return sd

  
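if __name__ == '__main__':
  # Fixed one-day window; es_getmd5 takes a start and an end date.
  malfiles = es_getmd5('2013-10-30', '2013-10-30')

  for md5item in malfiles:
    # One document per sample.  The original reused a single dict across
    # iterations, so a sample with no VirusTotal data was shipped carrying
    # the previous sample's VT fields (including its md5).
    sd = {}

    # Enrich every download URL of this sample with host, scheme and geo data.
    for urlitem in md5item['malurlList']:
      parsed = urlparse(urlitem['malurl'])
      urlitem.update({
        'hostname': parsed.hostname,
        'scheme': parsed.scheme,
        'geoinfo': functions.geohostname(parsed.hostname),
      })

    sd['malurlList'] = md5item['malurlList']

    try:
      sdvt = vt_private_getallinfo(md5item['md5'])
      if sdvt is not None:
        sd.update(sdvt)

      functions.jsonsend("localhost", 3333, json.dumps(sd))
    except simplejson.decoder.JSONDecodeError:
      # Unparseable VirusTotal response: skip this sample, keep the run going.
      continue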