def test_vuln_risklist(self):
     client = ConnectApiClient()
     resp = client.get_vulnerability_risklist(gzip=False)
     itr = resp.iter_lines()
     header = next(itr)
     self.assertIsInstance(header, basestring)
     entries = list(itr)
     self.assertGreater(len(entries), 10)
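 def test_vuln_risklist_gzip(self):
     """Download the gzip-compressed risk list in chunks into a byte buffer.

     Only the total byte count is asserted; the payload is not decompressed.
     The buffer is managed with ``with`` so it is released even when the
     assertion fails (the original only closed it on the success path).
     """
     api = ConnectApiClient()
     response = api.get_vulnerability_risklist(gzip=True)
     with io.BytesIO() as buf:
         for chunk in response.iter_content(chunk_size=1024):
             buf.write(chunk)
         buf.seek(0)
         self.assertGreater(len(buf.read()), 1000)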
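    def test_vuln_riskrule(self):
        """The vulnerability risk rules come back as a list of rule dicts.

        Only the first entry's key set is checked; the remaining entries are
        assumed to share it. Uses ``assertEqual`` (``assertEquals`` is a
        deprecated alias) and guards against an empty list, which would
        otherwise surface as an ``IndexError`` instead of a clear failure.
        """
        api = ConnectApiClient()
        rules = api.get_vulnerability_riskrules()

        self.assertIsInstance(rules, list)
        self.assertTrue(rules, 'expected at least one risk rule')
        expected_keys = {
            'name', 'description', 'count', 'criticality', 'criticalityLabel',
        }
        self.assertEqual(set(rules[0].keys()), expected_keys)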
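 def test_ip_demoevents(self):
     """One IP demo event should look like a NetScreen traffic log line.

     The pattern is written as raw strings so the regex escapes (``\\[``,
     ``\\(``) are literal without needing a pylint suppression; the resulting
     pattern text is unchanged. Note the dots in ``127.0.0.1`` are regex
     wildcards, so the match is slightly looser than the literal address.
     """
     api = ConnectApiClient()
     response = api.get_ip_demoevents(limit=1)
     pattern = (
         r'.+ \[127.0.0.1\] \[localhost\]: '
         r'NetScreen device_id=netscreen2  '
         r'\[Root\]system-notification-00257\(traffic\): '
         r'start_time=".+" duration=0 policy_id=320001 '
         r'service=msrpc Endpoint Mapper\(tcp\) proto=6 src '
         r'zone=office dst zone=internet action=Permit sent=0 '
         r'rcvd=16384 dst=.+ src=.+'
     )
     self.assertRegexpMatches(response.text, pattern)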
    def test_domain_search(self):
        """A bare domain search yields a ConnectApiResponse with a lazy entity stream.

        ``entities`` is expected to be a generator; the first item it yields
        should expose the same id at the top level and under ``entity``.
        """
        api = ConnectApiClient()
        result = api.search_domains()

        self.assertIsInstance(result, ConnectApiResponse)
        self.assertIsInstance(result.entities, types.GeneratorType)

        # Pull a single entity rather than draining the generator.
        entity = next(result.entities)
        self.assertIsInstance(entity, DotAccessDict)
        self.assertEqual(entity.id, entity.entity.id)

        # returned_count is a plain int, total_count a long (Python 2 types).
        self.assertIsInstance(result.returned_count, int)
        self.assertIsInstance(result.total_count, long)
        self.assertGreater(result.returned_count, 0)
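def main():
    """Download a Recorded Future risk list for one IoC type and post-process it.

    Parses ``--type`` (ip/hash/domain) and ``--clookup`` (yes/no), checks that
    ``document_root_folder`` exists and is writable, saves the risk list as CSV
    to ``<document_root_folder>/<type>.csv`` and hands that file to
    ``csv_formatter``.

    Relies on the module-level names ``document_root_folder``, ``api_key`` and
    ``csv_formatter``. Exits with status 1 when the output folder is missing or
    not writable.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument(
        '-t', '--type',
        type=str,
        required=True,
        choices={"ip", "hash", "domain"},
        help="Type of IoC to process : ip, hash, domain. exp for IP use : --type ip",
    )
    parser.add_argument(
        '-c', '--clookup',
        type=str,
        required=False,
        choices={"yes", "no"},
        default='no',
        help="Chose whether to lookup the IP or domain country or not",
    )
    args = parser.parse_args()

    if not os.path.exists(document_root_folder):
        print(document_root_folder + ' folder is missing.')
        sys.exit(1)
    if not os.access(document_root_folder, os.W_OK):
        print('User ' + getpass.getuser() + ' has no write permission on  '
              + document_root_folder)
        sys.exit(1)

    print('Downloading IoC...')
    # api_key is a module-level name; where it is defined is not visible here.
    # It should be read from the environment or a config file, not committed
    # as a literal in source.
    api = ConnectApiClient(auth=api_key)

    # os.path.join instead of string concatenation so the path is right whether
    # or not document_root_folder ends with a separator. args.type is limited
    # by argparse `choices`, so it cannot smuggle in path components.
    out_path = os.path.join(document_root_folder, args.type + '.csv')

    # Presumably the CSV columns are: Name, Risk, RiskString, EvidenceDetails
    # (taken from the original comment; not visible from here).
    with open(out_path, 'wb') as f:
        api.save_risklist(f, args.type, None, 'csv')

    csv_formatter(out_path, args.type, args.clookup)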
 def test_get_url(self):
     """Looking up a single URL returns a DotAccessDict."""
     api = ConnectApiClient()
     target = 'https://sites.google.com/site/unblockingnotice/'
     lookup = api.lookup_url(target)
     self.assertIsInstance(lookup, DotAccessDict)
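 def test_get_search(self):
     """A filtered IP search returns a ConnectApiResponse.

     The filters are passed as plain keyword arguments instead of unpacking a
     throwaway ``dict(...)``; the call the client sees is identical.
     """
     api = ConnectApiClient()
     result = api.search("ip", risk_score="(91,100]", direction='desc')
     self.assertIsInstance(result, ConnectApiResponse)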
 def test_get_ip(self):
     """Looking up a single IP address returns a DotAccessDict."""
     api = ConnectApiClient()
     lookup = api.lookup_ip("8.8.8.8")
     self.assertIsInstance(lookup, DotAccessDict)
 def test_get_fusion_file(self):
     """Fetching a public Fusion file returns a non-empty requests Response."""
     api = ConnectApiClient()
     response = api.get_fusion_file("/public/default_ip_risklist.csv")
     self.assertIsInstance(response, requests.models.Response)
     # Only presence of a body is checked, not its contents.
     self.assertGreater(len(response.content), 0)
 def test_head_fusion_file(self):
     """A HEAD request on a public Fusion file yields the response headers."""
     api = ConnectApiClient()
     headers = api.head_fusion_file("/public/default_ip_risklist.csv")
     self.assertIsInstance(headers, requests.structures.CaseInsensitiveDict)
 def test_get_malware(self):
     """Looking up a malware family by name returns a DotAccessDict."""
     api = ConnectApiClient()
     lookup = api.lookup_malware('KoneQR')
     self.assertIsInstance(lookup, DotAccessDict)
 def test_vuln_riskrule(self):
     """Vulnerability risk rules pass the shared ``check_list`` assertions."""
     api = ConnectApiClient()
     rules = api.get_vulnerability_riskrules()
     # check_list is a helper on the test case; its checks are not visible here.
     self.check_list(rules)
def domainLookup(args):
    """Look up ``args.domainname`` with the API token in ``args.rf_token`` and print the result."""
    api = ConnectApiClient(auth=args.rf_token)
    result = api.lookup_domain(args.domainname)
    print(result)
 def test_vuln_demoevents(self):
     """A vulnerability demo event starts with a JSON ``_scan_result_info`` object."""
     api = ConnectApiClient()
     response = api.get_vulnerability_demoevents(limit=1)
     prefix = response.text[:20]
     self.assertEqual(prefix, u'{"_scan_result_info"')
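 def test_url_demoevents(self):
     """A URL demo event should look like a proxy access-log line (TCP_MISS/GET).

     The pattern is a raw string so ``\\s``, ``\\d`` and ``\\S`` are literal
     regex escapes without a pylint suppression; the pattern text is unchanged.
     """
     api = ConnectApiClient()
     response = api.get_url_demoevents(limit=1)
     pattern = r'.+\s+\d+ .+ TCP_MISS/.+GET https?://\S+/\S+ - DIRECT/.*'
     self.assertRegexpMatches(response.text, pattern)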
 def test_hash_demoevents(self):
     """A hash demo event mentions an application hash as a lowercase hex string."""
     api = ConnectApiClient()
     response = api.get_hash_demoevents(limit=1)
     expected = '.+ Application hash: [0-9a-f]+, .+'
     self.assertRegexpMatches(response.text, expected)
 def test_vulnerabilty_extension(self):
     """Requesting the ``shodan`` extension for a CVE returns a DotAccessDict."""
     api = ConnectApiClient()
     extension = api.get_vulnerability_extension("CVE-2014-0160", "shodan")
     self.assertIsInstance(extension, DotAccessDict)
def iplookup(args):
    """Look up ``args.ipaddress`` with the API token in ``args.rf_token`` and print the result."""
    api = ConnectApiClient(auth=args.rf_token)
    result = api.lookup_ip(args.ipaddress)
    print(result)
 def test_get_hash_extension(self):
     """Requesting the ``active_reversinglabs`` extension for a hash returns a DotAccessDict."""
     api = ConnectApiClient()
     sample_hash = '21232f297a57a5a743894a0e4a801fc3'
     extension = api.get_hash_extension(sample_hash, 'active_reversinglabs')
     self.assertIsInstance(extension, DotAccessDict)
if __name__ == '__main__':
    # API key supplied as argument on command line
    # NEVER hardcode an API key, it could be exposed by source control etc >:O
    parser = argparse.ArgumentParser(description='Download and parse IP Risk\
                                                  List data from RF for Zeek')
    parser.add_argument('apikey', type=str, help='RF API key for API auth')
    args = parser.parse_args()

    # Create zeek_intel column names
    f = open("zeek_intel.txt", "w")
    f.write("#fields\tindicator\tindicator_type\tmeta.source\tmeta.risk")
    f.write("\tmeta.riskstring\tmeta.rule\tmeta.criticalitylabel\tmeta.desc")
    f.write("\tmeta.timestamp\tmeta.name\tmeta.criticality\n")

    # Get and parse IP risk list from RF
    api = ConnectApiClient(auth=args.apikey)
    ip_risklist = api.get_ip_risklist()
    decoding_errors = 0
    total = 0
    for ip in ip_risklist.csv_reader:
        total += 1
        try:
            edict = json.loads(ip['EvidenceDetails'])
            for e in edict['EvidenceDetails']:
                f.write(ip['Name'] + "\tIntel::ADDR\tRFAPI\t" + ip['Risk'])
                f.write("\t" + ip['RiskString'] + "\t")
                f.write(e['Rule'] + "\t" + e['CriticalityLabel'] + "\t")
                f.write(e['EvidenceString'] + "\t" + e['Timestamp'] + "\t")
                f.write(e['Name'] + "\t" + str(e['Criticality']))
                f.write("\n")
        except UnicodeEncodeError:
 def test_hash_riskrule(self):
     """Hash risk rules pass the shared ``check_list`` assertions."""
     api = ConnectApiClient()
     rules = api.get_hash_riskrules()
     # check_list is a helper on the test case; its checks are not visible here.
     self.check_list(rules)