def process(self):
    """Parse a phishing-feed CSV report into one ``phishing`` event per row.

    The report's ``raw`` field is base64-decoded and read as CSV. A
    positional column map assigns cells to event fields; ``__IGNORE__``
    marks cells that are dropped. A row containing the literal cell
    ``phish_id`` is the header and is skipped. The comma-joined row is
    stored as ``raw`` on each event.
    """
    report = self.receive_message()
    if report is None or not report.contains("raw"):
        # Nothing to parse; acknowledge the message anyway.
        self.acknowledge_message()
        return

    # Positional mapping of CSV cells to event fields.
    column_map = (
        "__IGNORE__",
        "source.url",
        "event_description.url",
        "time.source",
        "__IGNORE__",
        "__IGNORE__",
        "__IGNORE__",
        "event_description.target",
    )

    decoded = utils.base64_decode(report.get("raw"))
    for row in utils.csv_reader(decoded):
        if "phish_id" in row:
            # Header line.
            continue
        event = Event(report)
        for field, cell in zip(column_map, row):
            if field != "__IGNORE__":
                event.add(field, cell)
        event.add('classification.type', u'phishing')
        event.add("raw", ",".join(row))
        self.send_message(event)
    self.acknowledge_message()
def process(self):
    """Parse a positional CSV malware report into one ``malware`` event per row.

    Columns used, by index: 0 = timestamp (underscores are replaced by
    spaces and ``UTC`` is appended), 1 = URL or ``-`` for none, 2 = IP
    address, 3 = reverse DNS, 4 = description, 6 = ASN. Column 5 is not
    read. When ``Event`` rejects column 2 as an IP (``InvalidValue``), the
    cell is added as a URL instead and its ``netloc`` is used as the IP.

    Raises:
        IndexError: if a row has fewer than 7 cells.
        ValueError: if column 6 is not an integer literal.
    """
    report = self.receive_message()
    if not report or not report.contains("raw"):
        self.acknowledge_message()
        return

    decoded = utils.base64_decode(report.get("raw"))
    for fields in utils.csv_reader(decoded):
        event = Event(report)
        self.logger.debug(repr(fields))
        add = event.add

        add("time.source", "{} UTC".format(fields[0].replace('_', ' ')))
        if fields[1] != '-':
            add("source.url", self.add_http(fields[1]))
        try:
            add("source.ip", fields[2])
        except InvalidValue:
            # Not an IP: treat the cell as a URL and take its host part.
            add("source.url", self.add_http(fields[2]))
            add('source.ip', urlparse(fields[2]).netloc)
        add("source.reverse_dns", fields[3])
        add("event_description.text", fields[4])
        # TODO: ignore abuse contact for now
        add("source.asn", int(fields[6]))
        add('classification.type', u'malware')
        add("raw", ",".join(fields))
        self.send_message(event)
    self.acknowledge_message()
def process(self):
    """Parse a positional CSV malware report into one ``malware`` event per row.

    Columns used, by index: 0 = timestamp (underscores replaced by spaces,
    ``UTC`` appended), 1 = URL or ``-`` for none, 2 = IP address,
    3 = reverse DNS, 4 = description, 6 = ASN. Column 5 is not read. If
    ``Event`` rejects column 2 as an IP (``InvalidValue``), the cell is
    added as a URL and its ``netloc`` becomes the IP.

    Raises:
        IndexError: if a row has fewer than 7 cells.
        ValueError: if column 6 is not an integer literal.
    """
    report = self.receive_message()
    if not report or not report.contains("raw"):
        self.acknowledge_message()
        return

    decoded = utils.base64_decode(report.value("raw"))
    for fields in utils.csv_reader(decoded):
        event = Event(report)
        self.logger.debug(repr(fields))
        add = event.add

        add("time.source", "{} UTC".format(fields[0].replace('_', ' ')))
        if fields[1] != '-':
            add("source.url", self.add_http(fields[1]))
        try:
            add("source.ip", fields[2])
        except InvalidValue:
            # Not an IP: treat the cell as a URL and take its host part.
            add("source.url", self.add_http(fields[2]))
            add('source.ip', urlparse(fields[2]).netloc)
        add("source.reverse_dns", fields[3])
        add("event_description.text", fields[4])
        # TODO: ignore abuse contact for now
        add("source.asn", int(fields[6]))
        add('classification.type', u'malware')
        add("raw", ",".join(fields))
        self.send_message(event)
    self.acknowledge_message()
def process(self):
    """Parse a positional CSV malware report into one ``malware`` event per row.

    Columns used, by index: 0 = timestamp (underscores replaced by spaces,
    ``UTC`` appended), 1 = URL or ``-`` for none, 2 = IP address,
    3 = reverse DNS, 4 = description, 6 = ASN. Column 5 is not read.
    String fields are added with ``sanitize=True``; the ASN is added as an
    ``int`` without sanitizing. If ``Event`` rejects column 2 as an IP
    (``InvalidValue``), the cell is added as a URL and its ``netloc``
    becomes the IP.

    Raises:
        IndexError: if a row has fewer than 7 cells.
        ValueError: if column 6 is not an integer literal.
    """
    report = self.receive_message()
    if not report or not report.contains("raw"):
        self.acknowledge_message()
        return

    decoded = utils.base64_decode(report.value("raw"))
    for fields in utils.csv_reader(decoded):
        event = Event(report)
        self.logger.debug(repr(fields))
        add = event.add

        add("time.source", "{} UTC".format(fields[0].replace("_", " ")), sanitize=True)
        if fields[1] != "-":
            add("source.url", fields[1], sanitize=True)
        try:
            add("source.ip", fields[2], sanitize=True)
        except InvalidValue:
            # Not an IP: treat the cell as a URL and take its host part.
            add("source.url", fields[2], sanitize=True)
            add("source.ip", urlparse(fields[2]).netloc, sanitize=True)
        add("source.reverse_dns", fields[3], sanitize=True)
        add("event_description.text", fields[4], sanitize=True)
        # TODO: ignore abuse contact for now
        add("source.asn", int(fields[6]))
        add("classification.type", "malware")
        add("raw", ",".join(fields), sanitize=True)
        self.send_message(event)
    self.acknowledge_message()
def process(self):
    """Parse a scanner CSV report into one ``scanner`` event per data row.

    The first CSV row is treated as the header and skipped. Of the four
    positional columns only the first (``source.ip``) and the third
    (``event_description.text``) are kept; the comma-joined row is stored
    as ``raw``.
    """
    report = self.receive_message()
    if report is None or not report.contains("raw"):
        self.acknowledge_message()
        return

    column_map = ("source.ip", "__IGNORE__", "event_description.text", "__IGNORE__")
    decoded = utils.base64_decode(report.get("raw"))
    for index, row in enumerate(utils.csv_reader(decoded)):
        if index == 0:
            # Header row.
            continue
        event = Event(report)
        for field, cell in zip(column_map, row):
            if field != "__IGNORE__":
                event.add(field, cell)
        event.add('classification.type', u'scanner')
        event.add("raw", ",".join(row))
        self.send_message(event)
    self.acknowledge_message()
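def process(self):
    """Parse a drone CSV report with a header row into ``botnet drone`` events.

    Rows are read with a DictReader, so cells are addressed by column name.
    The plain columns (ip, port, asn, geo, ...) map to ``source.*`` fields,
    the ``cc``-prefixed columns to ``destination.*`` fields, and cells with
    no IntelMQ field (agent, count, proxy, p0f_*, id, naics, sic) go into
    ``extra``. ``machine_name`` and ``id`` are optional columns and are
    only read when present. The stringified ``row.items()`` is stored as
    ``raw``.

    Raises:
        KeyError: if a mandatory column is missing from the report.
        ValueError: if ``count``, ``naics`` or ``sic`` is not an integer literal.
    """
    report = self.receive_message()
    if report is None or not report.contains("raw"):
        self.acknowledge_message()
        return

    raw_report = utils.base64_decode(report["raw"])
    for row in utils.csv_reader(raw_report, dictreader=True):
        event = Event(report)
        extra = {}

        event.add('time.source', row['timestamp'] + ' UTC')
        event.add('source.ip', row['ip'])
        event.add('source.port', row['port'])
        event.add('source.asn', row['asn'])
        event.add('source.geolocation.cc', row['geo'])
        event.add('source.geolocation.region', row['region'])
        event.add('source.geolocation.city', row['city'])
        if row['hostname']:
            event.add('source.reverse_dns', row['hostname'])
        event.add('protocol.transport', row['type'])
        event.add('malware.name', row['infection'])
        if row['url']:
            event.add('destination.url', row['url'])
        if row['agent']:
            extra['user_agent'] = row['agent']

        event.add('destination.ip', row['cc'])
        event.add('destination.port', row['cc_port'])
        event.add('destination.asn', row['cc_asn'])
        event.add('destination.geolocation.cc', row['cc_geo'])
        if row['cc_dns']:
            event.add('destination.reverse_dns', row['cc_dns'])

        extra['connection_count'] = int(row['count'])
        if row['proxy']:
            extra['proxy'] = row['proxy']
        if row['application']:
            # Fix: the guard tests the ``application`` column, so emit that
            # value; ``type`` is the transport and is already mapped above.
            event.add('protocol.application', row['application'])
        extra['os.name'] = row['p0f_genre']
        extra['os.version'] = row['p0f_detail']
        if row.get('machine_name'):
            # Same fix: emit the tested ``machine_name`` column, not ``type``.
            event.add('source.local_hostname', row['machine_name'])
        if row.get('id'):
            extra['bot_id'] = row['id']
        if int(row['naics']):
            extra['naics'] = int(row['naics'])
        if int(row['sic']):
            extra['sic'] = int(row['sic'])

        event.add('extra', extra)
        event.add('classification.type', 'botnet drone')
        event.add('raw', '"' + ','.join(map(str, row.items())) + '"')
        self.send_message(event)
    self.acknowledge_message()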
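def process(self):
    """Parse a CSV report with a header row, mapping headers through ``COLUMNS``.

    Each header name is looked up in the module-level ``COLUMNS`` table to
    find the event field. A cell is skipped when its value is empty, its
    header maps to ``__IGNORE__`` or ``__TDB__``, or it is a ``source.fqdn``
    cell that actually holds a valid IP address. ``time.source`` gets a
    ``UTC`` suffix; ``source.asn`` cells starting with ``ASNA`` are dropped,
    otherwise the value is reduced to the number of the first ``AS``-prefixed
    entry of a comma-separated list. Cells the CSV reader could not attach to
    a header (key ``None``) are logged and skipped. Every event is classified
    as ``malware`` and carries the comma-joined cell values as ``raw``.

    Raises:
        KeyError: if a header is not present in ``COLUMNS``.
    """
    report = self.receive_message()
    if report is None or not report.contains("raw"):
        self.acknowledge_message()
        return

    raw_report = utils.base64_decode(report.get("raw"))
    for row in utils.csv_reader(raw_report, dictreader=True):
        event = Event(report)
        for header, value in row.items():
            if not value:
                continue
            if header is None:
                self.logger.warning('Value without key found, skipping the'
                                    ' value: {!r}'.format(value))
                continue
            key = COLUMNS[header]
            if key in ("__IGNORE__", "__TDB__"):
                continue
            if key == "source.fqdn" and IPAddress.is_valid(value, sanitize=True):
                # An IP address in the FQDN column is not a host name; drop it.
                continue
            if key == "time.source":
                value = value + " UTC"
            if key == "source.asn":
                if value.startswith("ASNA"):
                    continue
                # Keep only the number of the first "AS<n>" entry.
                for asn in value.split(','):
                    if asn.startswith("AS"):
                        value = asn.split("AS")[1]
                        break
            event.add(key, value)
        event.add('classification.type', u'malware')
        # Fix: ``row`` is a dict here, so ``",".join(row)`` produced the header
        # names instead of the row's cells. Join the cell values, which is
        # what ``",".join(row)`` yields for the list-based parsers.
        event.add("raw", ",".join(str(cell) for cell in row.values()))
        self.send_message(event)
    self.acknowledge_message()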
def process(self):
    """Parse an SNMP CSV report (header row, one host per line).

    Every row becomes a ``vulnerable service`` event with identifier and
    application ``snmp``. ``sysdesc`` and ``sysname`` always go into
    ``extra``; ``naics`` and ``sic`` only when non-zero, ``sector`` only
    when non-empty. The stringified ``row.items()`` is stored as ``raw``.

    Raises:
        KeyError: if an expected column is missing.
        ValueError: if ``naics`` or ``sic`` is not an integer literal.
    """
    report = self.receive_message()
    if report is None or not report.contains("raw"):
        self.acknowledge_message()
        return

    decoded = utils.base64_decode(report["raw"])
    for row in utils.csv_reader(decoded, dictreader=True):
        event = Event(report)
        add = event.add

        add("time.source", row["timestamp"] + " UTC")
        add("source.ip", row["ip"])
        add("protocol.transport", row["protocol"])
        add("source.port", row["port"])
        add("source.reverse_dns", row["hostname"])

        extra = {
            "sysdesc": row["sysdesc"],
            "sysname": row["sysname"],
        }

        for field, column in (
            ("source.asn", "asn"),
            ("source.geolocation.cc", "geo"),
            ("source.geolocation.region", "region"),
            ("source.geolocation.city", "city"),
        ):
            add(field, row[column])

        for column in ("naics", "sic"):
            code = int(row[column])
            if code:
                extra[column] = code
        if row["sector"]:
            extra["sector"] = row["sector"]

        add("extra", extra)
        add("protocol.application", "snmp")
        add("classification.type", "vulnerable service")
        add("classification.identifier", "snmp")
        add("raw", '"' + ",".join(map(str, row.items())) + '"')
        self.send_message(event)
    self.acknowledge_message()
def process(self):
    """Parse an SNMP CSV report (header row, one host per line).

    Every row becomes a ``vulnerable service`` event with identifier and
    application ``snmp``. ``sysdesc`` and ``sysname`` always go into
    ``extra``; ``naics`` and ``sic`` only when non-zero, ``sector`` only
    when non-empty. The stringified ``row.items()`` is stored as ``raw``.

    Raises:
        KeyError: if an expected column is missing.
        ValueError: if ``naics`` or ``sic`` is not an integer literal.
    """
    report = self.receive_message()
    if report is None or not report.contains("raw"):
        self.acknowledge_message()
        return

    decoded = utils.base64_decode(report["raw"])
    for row in utils.csv_reader(decoded, dictreader=True):
        event = Event(report)
        add = event.add

        add('time.source', row['timestamp'] + ' UTC')
        add('source.ip', row['ip'])
        add('protocol.transport', row['protocol'])
        add('source.port', row['port'])
        add('source.reverse_dns', row['hostname'])

        extra = {
            'sysdesc': row['sysdesc'],
            'sysname': row['sysname'],
        }

        for field, column in (
            ('source.asn', 'asn'),
            ('source.geolocation.cc', 'geo'),
            ('source.geolocation.region', 'region'),
            ('source.geolocation.city', 'city'),
        ):
            add(field, row[column])

        for column in ('naics', 'sic'):
            code = int(row[column])
            if code:
                extra[column] = code
        if row['sector']:
            extra['sector'] = row['sector']

        add('extra', extra)
        add('protocol.application', 'snmp')
        add('classification.type', 'vulnerable service')
        add('classification.identifier', 'snmp')
        add('raw', '"' + ','.join(map(str, row.items())) + '"')
        self.send_message(event)
    self.acknowledge_message()
def process(self):
    """Parse a phishing-feed CSV report into one ``phishing`` event per row.

    Cells are mapped positionally to event fields; ``__IGNORE__`` entries
    are dropped. A row containing the literal cell ``phish_id`` is the
    header and is skipped. The comma-joined row is stored as ``raw``.
    """
    report = self.receive_message()
    if report is None or not report.contains("raw"):
        self.acknowledge_message()
        return

    column_map = (
        "__IGNORE__",
        "source.url",
        "event_description.url",
        "time.source",
        "__IGNORE__",
        "__IGNORE__",
        "__IGNORE__",
        "event_description.target",
    )

    decoded = utils.base64_decode(report.get("raw"))
    for row in utils.csv_reader(decoded):
        if "phish_id" in row:
            # Header line.
            continue
        event = Event(report)
        mapped = (
            (field, cell)
            for field, cell in zip(column_map, row)
            if field != "__IGNORE__"
        )
        for field, cell in mapped:
            event.add(field, cell)
        event.add('classification.type', u'phishing')
        event.add("raw", ",".join(row))
        self.send_message(event)
    self.acknowledge_message()
def process(self):
    """Parse a QOTD CSV report (header row, one host per line).

    Every row becomes a ``vulnerable service`` event with identifier
    ``qotd``; ``protocol.application`` is taken from the ``tag`` column.
    ``quote`` always goes into ``extra``; ``naics`` and ``sic`` only when
    non-zero, ``sector`` only when non-empty. The stringified
    ``row.items()`` is stored as ``raw``.

    Raises:
        KeyError: if an expected column is missing.
        ValueError: if ``naics`` or ``sic`` is not an integer literal.
    """
    report = self.receive_message()
    if report is None or not report.contains("raw"):
        self.acknowledge_message()
        return

    decoded = utils.base64_decode(report["raw"])
    for row in utils.csv_reader(decoded, dictreader=True):
        event = Event(report)
        add = event.add

        add('time.source', row['timestamp'] + ' UTC')
        add('source.ip', row['ip'])
        add('protocol.transport', row['protocol'])
        add('source.port', row['port'])
        add('source.reverse_dns', row['hostname'])
        add('protocol.application', row['tag'])

        extra = {'quote': row['quote']}

        for field, column in (
            ('source.asn', 'asn'),
            ('source.geolocation.cc', 'geo'),
            ('source.geolocation.region', 'region'),
            ('source.geolocation.city', 'city'),
        ):
            add(field, row[column])

        for column in ('naics', 'sic'):
            code = int(row[column])
            if code:
                extra[column] = code
        if row['sector']:
            extra['sector'] = row['sector']

        add('extra', extra)
        add('classification.type', 'vulnerable service')
        add('classification.identifier', 'qotd')
        add('raw', '"' + ','.join(map(str, row.items())) + '"')
        self.send_message(event)
    self.acknowledge_message()
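def process(self):
    """Parse a CSV report using the column map from the bot parameters.

    ``self.parameters.columns`` names the event field for each CSV column
    in order; ``__IGNORE__`` or an empty name drops the column. Before
    parsing, lines starting with ``#`` and NUL bytes are removed from the
    decoded report, which is then split with ``self.parameters.delimiter``.
    Per cell:

    * ``time.source`` / ``time.destination`` are parsed with
      ``parse(..., fuzzy=True)`` and emitted as ISO 8601 plus ``" UTC"``;
    * ``source.ip`` / ``destination.ip`` are reduced to the leading match of
      the IPv4/IPv6/host-name regex below (no match: the cell is skipped);
    * ``*.url`` values without ``://`` get
      ``self.parameters.default_url_protocol`` prepended.

    A cell whose conversion raises is logged with traceback and skipped; the
    rest of the row is still emitted. Each event gets
    ``classification.type`` from ``self.parameters.type`` and the
    comma-joined row as ``raw``.
    """
    report = self.receive_message()
    if not report or not report.contains("raw"):
        self.acknowledge_message()
        return

    columns = self.parameters.columns
    raw_report = utils.base64_decode(report.value("raw"))
    # ignore lines starting with #
    raw_report = re.sub(r'(?m)^#.*\n?', '', raw_report)
    # ignore null bytes
    raw_report = re.sub(r'(?m)\0', '', raw_report)

    # regex from http://stackoverflow.com/a/23483979
    # matching ipv4/ipv6 IP within string. Compiled once per report instead
    # of once per cell; raw strings keep the backslash escapes literal
    # (the non-raw form relied on invalid escapes being preserved).
    ip_regex = re.compile(
        r'(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])'
        r'\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0'
        r'-5])|(([a-zA-Z]|[a-zA-Z][a-zA-Z0-9\-]*[a-zA-Z0-9])'
        r'\.)*([A-Za-z]|[A-Za-z][A-Za-z0-9\-]*[A-Za-z0-9])|'
        r'\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|('
        r'([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]'
        r'|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d'
        r'\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:['
        r'0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|['
        r'1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|'
        r':))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1'
        r',3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d'
        r'\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){'
        r'3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,'
        r'4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-'
        r'4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-'
        r'9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-'
        r'Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0'
        r'-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1'
        r'\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(('
        r'(:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4'
        r'}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2['
        r'0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]'
        r'{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2'
        r'[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|'
        r'[1-9]?\d)){3}))|:)))(%.+)?'
    )

    for row in utils.csv_reader(raw_report, delimiter=str(self.parameters.delimiter)):
        event = Event(report)
        for key, value in zip(columns, row):
            if key in ["__IGNORE__", ""]:
                continue
            try:
                if key in ["time.source", "time.destination"]:
                    value = parse(value, fuzzy=True).isoformat()
                    value += " UTC"
                elif key in ["source.ip", "destination.ip"]:
                    match = ip_regex.match(value)
                    if match is None:
                        # Was an AttributeError from ``.group()`` on None,
                        # swallowed by the bare except; report it explicitly.
                        self.logger.warning('No IP address found in %r for %s, '
                                            'ignoring the value.', value, key)
                        continue
                    value = match.group()
                elif key.endswith('.url') and '://' not in value:
                    value = self.parameters.default_url_protocol + value
            except Exception:
                # Narrowed from a bare ``except`` so SystemExit and
                # KeyboardInterrupt are not swallowed; the message also gained
                # the missing space between "parsing" and "line".
                self.logger.exception('Encountered error while parsing '
                                      'line in csv file, ignoring.')
                continue
            event.add(key, value)
        event.add('classification.type', self.parameters.type)
        event.add("raw", ",".join(row))
        self.send_message(event)
    self.acknowledge_message()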
def process(self):
    """Parse an HTTP drone CSV report (header row) into ``botnet drone`` events.

    Source-side columns map to ``source.*``, the ``dst_*`` columns to
    ``destination.*``; ``http_host`` + ``url`` form ``destination.url``
    when both are present, a bare ``url`` goes to ``extra['url']``.
    Remaining HTTP/p0f columns are carried in ``extra``, which is only
    added when non-empty. ``protocol.application`` is fixed to ``http``.

    Raises:
        KeyError: if an expected column is missing.
        ValueError: if ``naics`` or ``sic`` is not an integer literal.
    """
    report = self.receive_message()
    if report is None or not report.contains("raw"):
        self.acknowledge_message()
        return

    decoded = utils.base64_decode(report["raw"])
    for row in utils.csv_reader(decoded, dictreader=True):
        event = Event(report)
        extra = {}
        add = event.add
        self.logger.debug(repr(row))

        add('time.source', row['timestamp'] + ' UTC')
        add('source.ip', row['ip'])
        add('source.asn', row['asn'])
        add('source.geolocation.cc', row['geo'])

        # A complete destination URL needs both the host and the path part.
        host, path = row['http_host'], row['url']
        if host and path:
            add('destination.url', host + path)
        elif path:
            extra['url'] = path  # incomplete URL

        add('malware.name', row['type'])
        if row['http_agent']:
            extra['http_agent'] = row['http_agent']
        if row['tor']:
            add('source.tor_node', row['tor'])
        add('source.port', row['src_port'])
        if row['p0f_genre']:
            extra['os.name'] = row['p0f_genre']
        if row['p0f_detail']:
            extra['os.version'] = row['p0f_detail']
        if row['hostname']:
            add('source.reverse_dns', row['hostname'])
        add('destination.port', row['dst_port'])
        if host:
            extra['http_host'] = host
        if row['http_referer'] not in ('', 'null'):
            extra['http_referer'] = row['http_referer']
        for column in ('http_referer_asn', 'http_referer_geo'):
            if row[column]:
                extra[column] = row[column]
        for field, column in (
            ('destination.ip', 'dst_ip'),
            ('destination.asn', 'dst_asn'),
            ('destination.geolocation.cc', 'dst_geo'),
        ):
            if row[column]:
                add(field, row[column])
        for column in ('naics', 'sic'):
            code = int(row[column])
            if code:
                extra[column] = code

        add('raw', '"' + ','.join(map(str, row.items())) + '"')
        if extra:
            add('extra', extra)
        add('classification.type', 'botnet drone')
        add('protocol.application', 'http')
        self.send_message(event)
    self.acknowledge_message()
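def process(self):
    """Parse a CSV report using the column map from the bot parameters.

    ``self.parameters.columns`` names the event field for each CSV column
    in order; ``__IGNORE__`` or an empty name drops the column. Before
    parsing, lines starting with ``#`` and NUL bytes are removed from the
    decoded report, which is then split with ``self.parameters.delimiter``.
    Per cell:

    * ``time.source`` / ``time.destination`` are parsed with
      ``parse(..., fuzzy=True)`` and emitted as ISO 8601 plus ``" UTC"``;
    * ``source.ip`` / ``destination.ip`` are reduced to the leading match of
      the IPv4/IPv6/host-name regex below (no match: the cell is skipped);
    * ``*.url`` values without ``://`` get
      ``self.parameters.default_url_protocol`` prepended.

    A cell whose conversion raises is logged with traceback and skipped; the
    rest of the row is still emitted. Each event gets
    ``classification.type`` from ``self.parameters.type`` and the
    comma-joined row as ``raw``.
    """
    report = self.receive_message()
    if not report or not report.contains("raw"):
        self.acknowledge_message()
        return

    columns = self.parameters.columns
    raw_report = utils.base64_decode(report.get("raw"))
    # ignore lines starting with #
    raw_report = re.sub(r'(?m)^#.*\n?', '', raw_report)
    # ignore null bytes
    raw_report = re.sub(r'(?m)\0', '', raw_report)

    # regex from http://stackoverflow.com/a/23483979
    # matching ipv4/ipv6 IP within string. Compiled once per report instead
    # of once per cell; raw strings keep the backslash escapes literal
    # (the non-raw form relied on invalid escapes being preserved).
    ip_regex = re.compile(
        r'(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])'
        r'\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0'
        r'-5])|(([a-zA-Z]|[a-zA-Z][a-zA-Z0-9\-]*[a-zA-Z0-9])'
        r'\.)*([A-Za-z]|[A-Za-z][A-Za-z0-9\-]*[A-Za-z0-9])|'
        r'\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|('
        r'([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]'
        r'|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d'
        r'\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:['
        r'0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|['
        r'1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|'
        r':))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1'
        r',3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d'
        r'\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){'
        r'3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,'
        r'4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-'
        r'4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-'
        r'9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-'
        r'Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0'
        r'-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1'
        r'\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(('
        r'(:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4'
        r'}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2['
        r'0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]'
        r'{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2'
        r'[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|'
        r'[1-9]?\d)){3}))|:)))(%.+)?'
    )

    for row in utils.csv_reader(raw_report, delimiter=str(self.parameters.delimiter)):
        event = Event(report)
        for key, value in zip(columns, row):
            if key in ["__IGNORE__", ""]:
                continue
            try:
                if key in ["time.source", "time.destination"]:
                    value = parse(value, fuzzy=True).isoformat()
                    value += " UTC"
                elif key in ["source.ip", "destination.ip"]:
                    match = ip_regex.match(value)
                    if match is None:
                        # Was an AttributeError from ``.group()`` on None,
                        # swallowed by the bare except; report it explicitly.
                        self.logger.warning('No IP address found in %r for %s, '
                                            'ignoring the value.', value, key)
                        continue
                    value = match.group()
                elif key.endswith('.url') and '://' not in value:
                    value = self.parameters.default_url_protocol + value
            except Exception:
                # Narrowed from a bare ``except`` so SystemExit and
                # KeyboardInterrupt are not swallowed; the message also gained
                # the missing space between "parsing" and "line".
                self.logger.exception('Encountered error while parsing '
                                      'line in csv file, ignoring.')
                continue
            event.add(key, value)
        event.add('classification.type', self.parameters.type)
        event.add("raw", ",".join(row))
        self.send_message(event)
    self.acknowledge_message()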
def process(self):
    """Parse an HTTP drone CSV report (header row) into ``botnet drone`` events.

    Source-side columns map to ``source.*``, the ``dst_*`` columns to
    ``destination.*``; ``http_host`` + ``url`` form ``destination.url``
    when both are present, a bare ``url`` goes to ``extra['url']``.
    Remaining HTTP/p0f columns are carried in ``extra``, which is only
    added when non-empty. ``protocol.application`` is fixed to ``http``.

    Raises:
        KeyError: if an expected column is missing.
        ValueError: if ``naics`` or ``sic`` is not an integer literal.
    """
    report = self.receive_message()
    if report is None or not report.contains("raw"):
        self.acknowledge_message()
        return

    decoded = utils.base64_decode(report["raw"])
    for row in utils.csv_reader(decoded, dictreader=True):
        event = Event(report)
        extra = {}
        add = event.add
        self.logger.debug(repr(row))

        add('time.source', row['timestamp'] + ' UTC')
        add('source.ip', row['ip'])
        add('source.asn', row['asn'])
        add('source.geolocation.cc', row['geo'])

        # A complete destination URL needs both the host and the path part.
        host, path = row['http_host'], row['url']
        if host and path:
            add('destination.url', host + path)
        elif path:
            extra['url'] = path  # incomplete URL

        add('malware.name', row['type'])
        if row['http_agent']:
            extra['http_agent'] = row['http_agent']
        if row['tor']:
            add('source.tor_node', row['tor'])
        add('source.port', row['src_port'])
        if row['p0f_genre']:
            extra['os.name'] = row['p0f_genre']
        if row['p0f_detail']:
            extra['os.version'] = row['p0f_detail']
        if row['hostname']:
            add('source.reverse_dns', row['hostname'])
        add('destination.port', row['dst_port'])
        if host:
            extra['http_host'] = host
        if row['http_referer'] not in ('', 'null'):
            extra['http_referer'] = row['http_referer']
        for column in ('http_referer_asn', 'http_referer_geo'):
            if row[column]:
                extra[column] = row[column]
        for field, column in (
            ('destination.ip', 'dst_ip'),
            ('destination.asn', 'dst_asn'),
            ('destination.geolocation.cc', 'dst_geo'),
        ):
            if row[column]:
                add(field, row[column])
        for column in ('naics', 'sic'):
            code = int(row[column])
            if code:
                extra[column] = code

        add('raw', '"' + ','.join(map(str, row.items())) + '"')
        if extra:
            add('extra', extra)
        add('classification.type', 'botnet drone')
        add('protocol.application', 'http')
        self.send_message(event)
    self.acknowledge_message()