├── test
    ├── __init__.py
    ├── utils
    │   ├── test.json
    │   ├── test.csv
    │   ├── test.xml
    │   ├── test.tsv
    │   ├── test_smrt_utils.py
    │   ├── test.rss
    │   └── test_smrt_column_detection.py
    ├── test_nltk.py
    ├── phishtank
    │   ├── feed.json.gz
    │   ├── phishtank.yml
    │   └── test_phishtank.py
    ├── alexa
    │   ├── alexa_top-1m.csv.zip
    │   ├── alexa.yml
    │   └── test_alexa.py
    ├── malwaredomains
    │   ├── domains.zip
    │   ├── bulk_registrars.zip
    │   ├── url_shorteners.zip
    │   ├── malwaredomains.yml
    │   └── test_malwaredomains.py
    ├── smrt
    │   ├── data
    │   │   ├── csv_quoted.txt
    │   │   ├── feed_regex_2015-01-01.csv
    │   │   ├── feed_defanged.txt
    │   │   └── feed.txt
    │   ├── rules
    │   │   ├── csv_quoted.yml
    │   │   ├── csirtg_defang.yml
    │   │   ├── csirtg.yml
    │   │   └── archiver.yml
    │   ├── test_defang.py
    │   ├── test_csv_quoted.py
    │   ├── test_remote_regex.py
    │   ├── remote_regex.yml
    │   ├── test_smrt.py
    │   └── test_archiver.py
    ├── vxvault
    │   ├── vxvault.yml
    │   ├── feed.txt
    │   └── test_vxvault.py
    ├── openphish
    │   ├── openphish.yml
    │   ├── test_openphish.py
    │   └── feed.txt
    ├── stix
    │   ├── test.yml
    │   └── test_stix.py
    ├── zemail
    │   ├── zemail.yml
    │   ├── test_zemail.py
    │   └── single_plain_01.eml
    ├── pastebin
    │   ├── feed.txt
    │   ├── pastebin.yml
    │   └── test_pastebin.py
    ├── spamcop
    │   ├── spamcop.yml
    │   └── test_spamcop.py
    ├── cef
    │   ├── test_cef.py
    │   └── cef.log
    ├── client
    │   ├── test_cif.py
    │   ├── test_syslog.py
    │   ├── test_splunk.py
    │   ├── test_zyre.py
    │   ├── test_elasticsearch.py
    │   └── test_csirtg_live.py
    ├── ransomware_abuse_ch
    │   ├── ransomware_abuse_ch.yml
    │   └── test_ransomware_abuse_ch.py
    ├── spamhaus
    │   ├── spamhaus.yml
    │   ├── test_spamhaus.py
    │   └── edrop.txt
    ├── packetmail
    │   ├── packetmail.yml
    │   ├── test_packetmail.py
    │   └── feed.txt
    ├── bro
    │   ├── test_bro.py
    │   └── bro.log
    ├── csirtg
    │   ├── feed2_csv.txt
    │   ├── csirtg.yml
    │   ├── test_csirtg.py
    │   └── feed.txt
    ├── sansedu
    │   ├── test_sans.py
    │   ├── sans_edu.yml
    │   ├── low.txt
    │   └── block.txt
    ├── malc0de
    │   ├── malc0de.yml
    │   └── test_malc0de.py
    ├── test_timestamps.py
    ├── ufw
    │   ├── test_ufw.py
    │   ├── ufw_ubuntu16.log
    │   └── ufw.log
    ├── alienvault
    │   ├── feed.txt
    │   ├── alienvault.yml
    │   └── test_alienvault.py
    └── bambenek
    │   ├── bambenek.yml
    │   ├── test_bambenek.py
    │   ├── fqdn_feed.txt
    │   └── ipv4_feed.txt
├── packaging
    ├── debian
    │   ├── compat
    │   ├── install
    │   ├── changelog
    │   ├── rules
    │   ├── control
    │   └── copyright
    └── pyinstaller
    │   └── csirtg-smrt.spec
├── csirtg_smrt
    ├── client
    │   ├── __init__.py
    │   ├── zcifzmq.py
    │   ├── dummy.py
    │   ├── zcif.py
    │   ├── plugin.py
    │   ├── zsplunk.py
    │   ├── zzyre.py
    │   ├── zcsirtg.py
    │   ├── zsyslog.py
    │   ├── zzmq.py
    │   ├── zelasticsearch.py
    │   ├── zcifv2.py
    │   └── ztaxii11.py
    ├── decoders
    │   ├── __init__.py
    │   ├── zgzip.py
    │   └── zzip.py
    ├── __init__.py
    ├── parser
    │   ├── zcsv.py
    │   ├── ztsv.py
    │   ├── pipe.py
    │   ├── semicolon.py
    │   ├── zsyslog.py
    │   ├── zindicator.py
    │   ├── zcifv2.py
    │   ├── zjson.py
    │   ├── zrss.py
    │   ├── zcifv3.py
    │   ├── pattern.py
    │   ├── delim.py
    │   ├── zemail.py
    │   ├── zsmtpd.py
    │   ├── __init__.py
    │   └── bro.py
    ├── exceptions.py
    ├── constants.py
    ├── utils
    │   ├── znltk.py
    │   ├── ztail.py
    │   ├── zcolumns.py
    │   ├── zcontent.py
    │   ├── zarrow.py
    │   └── __init__.py
    └── rule.py
├── .gitattributes
├── tools
    ├── magic1.dll
    └── run_with_env.cmd
├── zyre_requirements.txt
├── extras_requirements.txt
├── dev_requirements.txt
├── .github
    └── issue_template.md
├── setup.cfg
├── examples
    ├── cifv2.yml
    ├── cifv3.yml
    └── csirtg.yml
├── requirements.txt
├── MANIFEST.in
├── .coveragerc
├── Vagrantfile
├── .gitignore
├── .travis.yml
├── setup.py
├── appveyor.yml
├── README.md
└── Makefile


/test/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/packaging/debian/compat:
--------------------------------------------------------------------------------
1 | 9


--------------------------------------------------------------------------------
/csirtg_smrt/client/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/csirtg_smrt/decoders/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/csirtg_smrt/__init__.py:
--------------------------------------------------------------------------------
1 | from .smrt import *
2 | 


--------------------------------------------------------------------------------
/packaging/debian/install:
--------------------------------------------------------------------------------
1 | csirtg-smrt /usr/bin


--------------------------------------------------------------------------------
/test/utils/test.json:
--------------------------------------------------------------------------------
1 | '[{"test": "test"}]'
2 | 


--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
1 | csirtg_smrt/_version.py export-subst
2 | 


--------------------------------------------------------------------------------
/test/utils/test.csv:
--------------------------------------------------------------------------------
1 | asdf,asdf,asdf,asdf
2 | asdf,asdf,asdf,asdf
3 | 


--------------------------------------------------------------------------------
/test/utils/test.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <test></test>
3 | </xml>
4 | 


--------------------------------------------------------------------------------
/test/test_nltk.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/csirtgadgets/csirtg-smrt-v1/HEAD/test/test_nltk.py


--------------------------------------------------------------------------------
/tools/magic1.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/csirtgadgets/csirtg-smrt-v1/HEAD/tools/magic1.dll


--------------------------------------------------------------------------------
/test/phishtank/feed.json.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/csirtgadgets/csirtg-smrt-v1/HEAD/test/phishtank/feed.json.gz


--------------------------------------------------------------------------------
/test/utils/test.tsv:
--------------------------------------------------------------------------------
1 | # asdf
2 | #asf
3 | # asdasdf
4 | asdf	asdf	asdf	asdf
5 | asdfasdf	asdfasdf	asdfasdf	asdfasdf
6 | 


--------------------------------------------------------------------------------
/test/alexa/alexa_top-1m.csv.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/csirtgadgets/csirtg-smrt-v1/HEAD/test/alexa/alexa_top-1m.csv.zip


--------------------------------------------------------------------------------
/test/malwaredomains/domains.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/csirtgadgets/csirtg-smrt-v1/HEAD/test/malwaredomains/domains.zip


--------------------------------------------------------------------------------
/test/malwaredomains/bulk_registrars.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/csirtgadgets/csirtg-smrt-v1/HEAD/test/malwaredomains/bulk_registrars.zip


--------------------------------------------------------------------------------
/test/malwaredomains/url_shorteners.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/csirtgadgets/csirtg-smrt-v1/HEAD/test/malwaredomains/url_shorteners.zip


--------------------------------------------------------------------------------
/zyre_requirements.txt:
--------------------------------------------------------------------------------
1 | https://github.com/zeromq/pyzmq/archive/f37052960e1dc510ea2c1d2e69a32d727afa9d69.tar.gz#egg=pyzmq>16.0.1
2 | pyzyre>=0.0.0a4,<1.0


--------------------------------------------------------------------------------
/extras_requirements.txt:
--------------------------------------------------------------------------------
1 | elasticsearch<3.0.0,>=2.0.0
2 | elasticsearch_dsl<3.0.0,>=2.0.0
3 | stix>=1.0,<2.0
4 | libtaxii>=1.1.119
5 | maec
6 | -r requirements.txt
7 | 


--------------------------------------------------------------------------------
/test/smrt/data/csv_quoted.txt:
--------------------------------------------------------------------------------
1 | "2018-05-30 05:39:37","192.168.1.1",66,"example.com","1.2.3, aaabbbcccddd","",,,
2 | "2018-05-30 03:33:51","192.168.1.2",66,"example.com","1,2,3","",,,


--------------------------------------------------------------------------------
/csirtg_smrt/decoders/zgzip.py:
--------------------------------------------------------------------------------
1 | import gzip
2 | 
3 | 
4 | def get_lines(file, split="\n"):
5 | 
6 |     with gzip.open(file, 'rb') as f:
7 |         for l in f:
8 |             yield l
9 | 


--------------------------------------------------------------------------------
/packaging/debian/changelog:
--------------------------------------------------------------------------------
1 | csirtg-smrt (%VERSION%-%RELEASE%~%DIST%) %DIST%; urgency=low
2 | 
3 |   * %VERSION% release
4 | 
5 |  -- CSIRT Gadgets Foundation. <wes@csirtgadgets.org>  %DATE%
6 | 


--------------------------------------------------------------------------------
/dev_requirements.txt:
--------------------------------------------------------------------------------
1 | coverage>=4.2
2 | pytest-cov>=2.6
3 | pytest>=4.2
4 | https://github.com/pyinstaller/pyinstaller/archive/b78bfe530cdc2904f65ce098bdf2de08c9037abb.tar.gz
5 | -r extras_requirements.txt
6 | 


--------------------------------------------------------------------------------
/.github/issue_template.md:
--------------------------------------------------------------------------------
1 | # Expected behavior and actual behavior.
2 | 
3 | # Steps to reporduce the problem
4 | 
5 | # Relevant logs as a result of the actual behavior
6 | 
7 | # Specifications like the version of the project, operating system, or hardware.
8 | 


--------------------------------------------------------------------------------
/packaging/debian/rules:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/make -f
 2 | export DH_VERBOSE=1
 3 | 
 4 | override_dh_auto_build override_dh_auto_install:
 5 | 	@
 6 | 
 7 | override_dh_shlibdeps:
 8 |     dh_shlibdeps --dpkg-shlibdeps-params=--ignore-missing-info
 9 | 
10 | %:
11 | 	dh $@


--------------------------------------------------------------------------------
/setup.cfg:
--------------------------------------------------------------------------------
 1 | [tool:pytest]
 2 | norecursedirs = build
 3 | 
 4 | [versioneer]
 5 | VCS = git
 6 | style = pep440
 7 | versionfile_source = csirtg_smrt/_version.py
 8 | versionfile_build = csirtg_smrt/_version.py
 9 | tag_prefix =
10 | parentdir_prefix = csirtg-smrt-
11 | 


--------------------------------------------------------------------------------
/test/vxvault/vxvault.yml:
--------------------------------------------------------------------------------
 1 | defaults:
 2 |   provider: vxvault.net
 3 |   confidence: 9
 4 |   tlp: green
 5 |   altid_tlp: white
 6 |   tags: malware
 7 |   values:
 8 |     - indicator
 9 | 
10 | feeds:
11 |   urls:
12 |     remote: http://vxvault.net/URL_List.php
13 |     pattern: '^(http:\/\/\S+)$'


--------------------------------------------------------------------------------
/csirtg_smrt/parser/zcsv.py:
--------------------------------------------------------------------------------
 1 | from csirtg_smrt.parser.delim import Delim
 2 | import re
 3 | 
 4 | 
 5 | class Csv(Delim):
 6 | 
 7 |     def __init__(self, *args, **kwargs):
 8 |         super(Csv, self).__init__(*args, **kwargs)
 9 | 
10 |         self.pattern = re.compile(",")
11 | 
12 | Plugin = Csv
13 | 


--------------------------------------------------------------------------------
/csirtg_smrt/parser/ztsv.py:
--------------------------------------------------------------------------------
 1 | from csirtg_smrt.parser.delim import Delim
 2 | import re
 3 | 
 4 | 
 5 | class Tsv(Delim):
 6 | 
 7 |     def __init__(self, *args, **kwargs):
 8 |         super(Tsv, self).__init__(*args, **kwargs)
 9 | 
10 |         self.pattern = re.compile("\t+")
11 | 
12 | Plugin = Tsv
13 | 


--------------------------------------------------------------------------------
/examples/cifv2.yml:
--------------------------------------------------------------------------------
 1 | token: '1234....'
 2 | parser: cifv2
 3 | defaults:
 4 |   provider: example.com
 5 | 
 6 | feeds:
 7 |   port-scanners:
 8 |     filters:
 9 |       otype: ipv4
10 |       tags: scanner
11 |       group: everyone
12 |       limit: 10
13 |     remote: 'https://feeds.example.com/observables'
14 | 


--------------------------------------------------------------------------------
/csirtg_smrt/parser/pipe.py:
--------------------------------------------------------------------------------
 1 | from csirtg_smrt.parser.delim import Delim
 2 | import re
 3 | 
 4 | 
 5 | class Pipe(Delim):
 6 | 
 7 |     def __init__(self, *args, **kwargs):
 8 |         super(Pipe, self).__init__(*args, **kwargs)
 9 | 
10 |         self.pattern = re.compile('\||\s+\|\s+')
11 | 
12 | 
13 | Plugin = Pipe
14 | 


--------------------------------------------------------------------------------
/test/openphish/openphish.yml:
--------------------------------------------------------------------------------
 1 | defaults:
 2 |   tags: phishing
 3 |   protocol: tcp
 4 |   provider: openphish.com
 5 |   tlp: green
 6 |   reference_tlp: white
 7 |   confidence: 9
 8 |   values: indicator
 9 | feeds:
10 |   urls:
11 |     itype: url
12 |     pattern: ^(.+)$
13 |     remote: http://openphish.com/feed.txt
14 | 


--------------------------------------------------------------------------------
/test/stix/test.yml:
--------------------------------------------------------------------------------
 1 | parser: stix
 2 | remote: 'test/stix/feed.xml'
 3 | 
 4 | defaults:
 5 |   provider: test.com
 6 |   confidence: 2
 7 |   tlp: green
 8 |   altid_tlp: white
 9 |   provider: test.com
10 |   tags: botnet
11 | 
12 | feeds:
13 |   fqdn:
14 |     itype: fqdn
15 |     defaults:
16 |       asn_desc: '12'
17 | 


--------------------------------------------------------------------------------
/test/zemail/zemail.yml:
--------------------------------------------------------------------------------
 1 | parser: email
 2 | defaults:
 3 |   tlp: green
 4 |   reference_tlp: white
 5 |   provider: 'csirtg.io'
 6 |   tags:
 7 |     - uce
 8 |   description: 'uce'
 9 |   group: 'everyone'
10 |   confidence: 9
11 | 
12 | feeds:
13 |   abuse:
14 |     remote: stdin
15 |     headers:
16 |       date: lasttime
17 | 


--------------------------------------------------------------------------------
/test/pastebin/feed.txt:
--------------------------------------------------------------------------------
 1 | PSN ComboLIST 5K+
 2 | 
 3 | 15pr17ny@gmail.com:freedom1
 4 | 1thegin@gmail.com:18903417
 5 | 2003@yahoo.com:vale123
 6 | 3seis0@gmail.com:pikolo
 7 | 85toro@gmail.com:toro1985
 8 | a.artz@yahoo.com:trublu21
 9 | a.c.mauriac@wanadoo.fr:9w3cpxt
10 | a.cefai123@outlook.com:Thomas
11 | a.clayton10@gmail.com:clayton5


--------------------------------------------------------------------------------
/test/pastebin/pastebin.yml:
--------------------------------------------------------------------------------
 1 | defaults:
 2 |   provider: pastebin.com
 3 |   confidence: 7
 4 |   tlp: green
 5 |   altid_tlp: white
 6 |   tags:
 7 |     - compromise
 8 |     - credential
 9 | 
10 | feeds:
11 |   creds:
12 |     remote: stdin
13 |     pattern: '^(.+):(.+)$'
14 |     values:
15 |       - indicator
16 |       - additional_data


--------------------------------------------------------------------------------
/csirtg_smrt/parser/semicolon.py:
--------------------------------------------------------------------------------
 1 | from csirtg_smrt.parser.delim import Delim
 2 | import re
 3 | 
 4 | 
 5 | class Semicolon(Delim):
 6 | 
 7 |     def __init__(self, *args, **kwargs):
 8 |         super(Semicolon, self).__init__(*args, **kwargs)
 9 | 
10 |         self.pattern = re.compile('[\s+]?;[\s+]?')
11 | 
12 | 
13 | Plugin = Semicolon
14 | 


--------------------------------------------------------------------------------
/test/smrt/rules/csv_quoted.yml:
--------------------------------------------------------------------------------
 1 | parser: csv
 2 | defaults:
 3 |   provider: example
 4 |   tags:
 5 |     - suspicious
 6 | 
 7 | feeds:
 8 |   test:
 9 |     remote: 'test/smrt/data/csv_quoted.txt'
10 |     defaults:
11 |       values:
12 |         - lasttime
13 |         - indicator
14 |         - portlist
15 |         - additional_data
16 |         - description
17 | 


--------------------------------------------------------------------------------
/test/spamcop/spamcop.yml:
--------------------------------------------------------------------------------
 1 | parser: email
 2 | defaults:
 3 |   tlp: green
 4 |   reference_tlp: white
 5 |   provider: 'spamcop.net'
 6 |   tags:
 7 |     - spam
 8 |     - abuse
 9 |   description: 'abuse report'
10 |   group: 'everyone'
11 |   confidence: 9
12 | 
13 | feeds:
14 |   abuse:
15 |     remote: stdin
16 |     headers:
17 |       x-spamcop-sourceip: indicator
18 |       date: lasttime
19 | 


--------------------------------------------------------------------------------
/test/cef/test_cef.py:
--------------------------------------------------------------------------------
 1 | from csirtg_smrt.parser.cef import parse_line
 2 | 
 3 | 
 4 | def test_cef():
 5 |     file = 'test/cef/cef.log'
 6 | 
 7 |     events = []
 8 |     with open(file) as f:
 9 |         for l in f.read().split("\n"):
10 |             i = parse_line(l)
11 |             events.append(i)
12 | 
13 |     assert len(events) > 0
14 |     assert events[0]['indicator'] == '113.195.145.52'
15 | 


--------------------------------------------------------------------------------
/csirtg_smrt/client/zcifzmq.py:
--------------------------------------------------------------------------------
 1 | from cifsdk.client.zeromq import ZMQ as ZMQClient
 2 | from csirtg_smrt.constants import ROUTER_ADDR
 3 | 
 4 | 
 5 | class CIF(ZMQClient):
 6 | 
 7 |     def __init__(self, remote=ROUTER_ADDR, token=None, **kwargs):
 8 |         if not remote:
 9 |             remote = ROUTER_ADDR
10 | 
11 |         super(CIF, self).__init__(remote, token, **kwargs)
12 | 
13 | Plugin = CIF
14 | 
15 | 


--------------------------------------------------------------------------------
/test/client/test_cif.py:
--------------------------------------------------------------------------------
 1 | import py.test
 2 | 
 3 | from csirtg_smrt import Smrt
 4 | from pprint import pprint
 5 | 
 6 | 
 7 | def test_smrt():
 8 |     with Smrt(remote='localhost:514', client='syslog') as s:
 9 |         assert type(s) is Smrt
10 | 
11 |         rule, feed = next(s.load_feeds('test/smrt/rules/csirtg.yml', 'port-scanners'))
12 |         x = list(s.process(rule, feed))
13 |         assert len(x) > 0
14 | 


--------------------------------------------------------------------------------
/csirtg_smrt/client/dummy.py:
--------------------------------------------------------------------------------
 1 | from csirtg_smrt.client.plugin import Client
 2 | 
 3 | 
 4 | class Dummy(Client):
 5 | 
 6 |     def __init__(self, remote, token, **kwargs):
 7 |         super(Dummy, self).__init__(remote, token)
 8 | 
 9 |     def indicators_create(self, data):
10 |         if isinstance(data, dict):
11 |             data = self._kv_to_indicator(data)
12 | 
13 |         return data
14 | 
15 | Plugin = Dummy
16 | 


--------------------------------------------------------------------------------
/test/smrt/test_defang.py:
--------------------------------------------------------------------------------
 1 | import py.test
 2 | 
 3 | from csirtg_smrt import Smrt
 4 | from pprint import pprint
 5 | 
 6 | 
 7 | def test_smrt_defang():
 8 |     with Smrt(None, None, client='dummy') as s:
 9 |         assert type(s) is Smrt
10 | 
11 |         x = []
12 |         for r, f in s.load_feeds('test/smrt/rules/csirtg_defang.yml'):
13 |             x = list(s.process(r, f))
14 |             assert len(x) > 0
15 | 
16 | 


--------------------------------------------------------------------------------
/test/client/test_syslog.py:
--------------------------------------------------------------------------------
 1 | import py.test
 2 | 
 3 | from csirtg_smrt import Smrt
 4 | from pprint import pprint
 5 | 
 6 | 
 7 | def test_syslog():
 8 |     with Smrt(remote='localhost:514', client='syslog') as s:
 9 |         assert type(s) is Smrt
10 | 
11 |         rule, feed = next(s.load_feeds('test/smrt/rules/csirtg.yml', feed='port-scanners'))
12 |         x = list(s.process(rule, feed))
13 |         assert len(x) > 0
14 | 


--------------------------------------------------------------------------------
/test/ransomware_abuse_ch/ransomware_abuse_ch.yml:
--------------------------------------------------------------------------------
 1 | parser: csv
 2 | defaults:
 3 |   provider: ransomware.abuse.ch
 4 |   tlp: green
 5 |   altid_tlp: white
 6 |   confidence: 9
 7 |   tags: botnet
 8 |   application: https
 9 |   protocol: tcp
10 |   values:
11 |     - reporttime
12 |     - null
13 |     - description
14 |     - null
15 |     - indicator
16 | feeds:
17 |   ransomware:
18 |     remote: http://ransomwaretracker.abuse.ch/feeds/csv


--------------------------------------------------------------------------------
/test/utils/test_smrt_utils.py:
--------------------------------------------------------------------------------
 1 | #from csirtg_smrt.utils.zcontent import get_type
 2 | import os.path
 3 | 
 4 | T = {
 5 |     'test.csv': 'csv',
 6 |     'test.rss': 'rss',
 7 |     'test.json': 'json',
 8 |     'test.tsv': 'tsv',
 9 |     'test.xml': 'xml',
10 | }
11 | 
12 | 
13 | def test_smrt_utils():
14 |     for t in T:
15 |         p = ['test', 'utils', t]
16 |         p = os.path.join(*p)
17 |         #assert T[t] == get_type(p)
18 | 


--------------------------------------------------------------------------------
/csirtg_smrt/exceptions.py:
--------------------------------------------------------------------------------
 1 | 
 2 | class CsirtgException(Exception):
 3 |     def __init__(self, msg):
 4 |         self.msg = "{}".format(msg)
 5 | 
 6 |     def __str__(self):
 7 |         return self.msg
 8 | 
 9 | 
10 | class AuthError(CsirtgException):
11 |     pass
12 | 
13 | 
14 | class TimeoutError(CsirtgException):
15 |     pass
16 | 
17 | 
18 | class RuleUnsupported(CsirtgException):
19 |     pass
20 | 
21 | 
22 | class SubmissionFailure(CsirtgException):
23 |     pass
24 | 


--------------------------------------------------------------------------------
/packaging/debian/control:
--------------------------------------------------------------------------------
 1 | Source: csirtg-smrt
 2 | Priority: optional
 3 | Standards-Version: 3.9.3
 4 | Maintainer: Wes Young <wes@csirtgadgets.org>
 5 | Build-Depends: cdbs, debhelper (>= 5.0.0)
 6 | Homepage: https://github.com/csirtgadgets/csirtg-smrt-py
 7 | Section: contrib/csirtg
 8 | 
 9 | Package: csirtg-smrt
10 | Architecture: amd64
11 | Depends: ${misc:Depends}
12 | Description: commandline utility for parsing threat intelligence
13 |     The fastest way to consume threat intelligence
14 | 


--------------------------------------------------------------------------------
/test/client/test_splunk.py:
--------------------------------------------------------------------------------
 1 | import pytest
 2 | import os
 3 | from csirtg_smrt import Smrt
 4 | from pprint import pprint
 5 | 
 6 | REMOTE = os.environ.get('CSIRTG_SMRT_SPLUNK_NODES', 'localhost:9200')
 7 | 
 8 | @pytest.mark.skip(reason="no way of currently testing this")
 9 | def test_smrt_splunk():
10 |     with Smrt(remote=REMOTE, client='splunk') as s:
11 |         assert type(s) is Smrt
12 | 
13 |         x = s.process('test/smrt/rules/csirtg.yml', feed='port-scanners')
14 |         assert len(x) > 0
15 | 


--------------------------------------------------------------------------------
/test/spamhaus/spamhaus.yml:
--------------------------------------------------------------------------------
 1 | defaults:
 2 |   provider: spamhaus.org
 3 |   confidence: 9 
 4 |   tlp: green
 5 |   reference_tlp: white
 6 |   tags:
 7 |     - suspicious
 8 |     - hijacked
 9 |   reference: http://www.spamhaus.org/sbl/sbl.lasso?query=<reference>
10 |   pattern: '(.+)\s;\s(.+)'
11 |   values:
12 |     - indicator
13 |     - reference
14 | 
15 | feeds:
16 |   drop:
17 |     remote: http://www.spamhaus.org/drop/drop.txt
18 |   edrop:
19 |     remote: http://www.spamhaus.org/drop/edrop.txt
20 | 


--------------------------------------------------------------------------------
/csirtg_smrt/decoders/zzip.py:
--------------------------------------------------------------------------------
 1 | from zipfile import ZipFile
 2 | from csirtg_smrt.constants import PYVERSION
 3 | 
 4 | 
 5 | def get_lines(file, split="\n"):
 6 |     with ZipFile(file) as f:
 7 |         for m in f.infolist():
 8 |             if PYVERSION == 2:
 9 |                 for l in f.read(m.filename).split(split):
10 |                     yield l
11 |             else:
12 |                 with f.open(m.filename) as zip:
13 |                     for l in zip.readlines():
14 |                         yield l
15 | 


--------------------------------------------------------------------------------
/csirtg_smrt/parser/zsyslog.py:
--------------------------------------------------------------------------------
 1 | from csirtg_smrt.parser.pattern import Pattern
 2 | import re
 3 | 
 4 | RE_SYSLOG = '\s|\t'
 5 | 
 6 | 
 7 | class _Syslog(Pattern):
 8 |     # todo - syslog receiver
 9 |     # https://gist.github.com/pklaus/c4c37152e261a9e9331f
10 |     # https://gist.github.com/marcelom/4218010
11 | 
12 |     def __init__(self, *args, **kwargs):
13 |         super(_Syslog, self).__init__(*args, **kwargs)
14 | 
15 |         self.pattern = RE_SYSLOG
16 |         self.split = '='
17 | 
18 | 
19 | Plugin = _Syslog
20 | 


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
 1 | csirtg_indicator>=1.0.6,<2
 2 | PyYAML>=5.1.0
 3 | csirtgsdk>=1.1,<2.0
 4 | csirtg_mail>=0.0.0a9,<2
 5 | ipaddress>=1.0.16
 6 | feedparser>=5.2.1
 7 | nltk>=3.7
 8 | requests>=2.27.1
 9 | pendulum>=2.0.5
10 | arrow>=0.15.2
11 | python-magic>=0.4.6
12 | pyaml>=15.8.2
13 | chardet>=5.0.0
14 | html5lib>=1.1
15 | SQLAlchemy>=1.0.14
16 | tornado>=5.1.0
17 | apwgsdk>=0.0.0a4,<1.0
18 | docker>=6.0.0
19 | lxml==4.9.1
20 | tzlocal>=4.2.0
21 | 
22 | urllib3>=1.26.5 # not directly required, pinned by Snyk to avoid a vulnerability
23 | 


--------------------------------------------------------------------------------
/test/client/test_zyre.py:
--------------------------------------------------------------------------------
 1 | import pytest
 2 | from csirtg_smrt import Smrt
 3 | from pprint import pprint
 4 | 
 5 | ZYRE_TEST = False
 6 | 
 7 | try:
 8 |     import pyzyre
 9 |     ZYRE_TEST = True
10 | except ImportError:
11 |     pass
12 | 
13 | 
14 | @pytest.mark.skipif(ZYRE_TEST is False, reason='pyzyre not installed')
15 | def test_zyre():
16 |     with Smrt(remote=None, client='zyre') as s:
17 |         assert type(s) is Smrt
18 | 
19 |         x = s.process('test/smrt/rules/csirtg.yml', feed='port-scanners', limit=2)
20 |         assert len(x) > 0
21 | 


--------------------------------------------------------------------------------
/test/smrt/test_csv_quoted.py:
--------------------------------------------------------------------------------
 1 | import py.test
 2 | 
 3 | from csirtg_smrt import Smrt
 4 | from pprint import pprint
 5 | 
 6 | 
 7 | def test_smrt_csv_quoted():
 8 |     with Smrt(None, None, client='dummy') as s:
 9 |         assert type(s) is Smrt
10 | 
11 |         x = []
12 |         for r, f in s.load_feeds('test/smrt/rules/csv_quoted.yml', feed='test'):
13 |             x = list(s.process(r, f))
14 |             assert len(x) > 0
15 | 
16 |             assert x[0].description == '1.2.3, aaabbbcccddd'
17 |             assert x[1].description == '1,2,3'
18 | 


--------------------------------------------------------------------------------
/test/packetmail/packetmail.yml:
--------------------------------------------------------------------------------
 1 | parser: semicolon
 2 | 
 3 | defaults:
 4 |   protocol: tcp
 5 |   provider: packetmail.net
 6 |   tlp: green
 7 |   altid_tlp: white
 8 |   confidence: 8
 9 |   description: honeypot traffic
10 |   tags:
11 |     - scanner
12 |     - honeynet
13 |     - suspicious
14 | 
15 |   values:
16 |     - indicator
17 |     - lasttime
18 |     - null
19 |     - null
20 | 
21 | feeds:
22 |   iprep:
23 |     remote: https://www.packetmail.net/iprep.txt
24 |     description: 'TCP SYN to 206.82.85.196/30 to a non-listening service or daemon'
25 | 


--------------------------------------------------------------------------------
/examples/cifv3.yml:
--------------------------------------------------------------------------------
 1 | parser: cifv3
 2 | token: xxxxxxxx
 3 | remote: 'https://remote/indicators'
 4 | defaults:
 5 |   provider: provider
 6 |   group: group
 7 | 
 8 | feeds:
 9 |   ipv4:
10 |     itype: ipv4
11 |     filters:
12 |       period: hour
13 |       itype: ipv4
14 |       tags: malware
15 |     map:
16 |       - tlp
17 |       - lasttime
18 |       - indicator
19 |       - count
20 |       - tags
21 |       - confidence
22 |     values:
23 |       - tlp
24 |       - lasttime
25 |       - indicator
26 |       - count
27 |       - tags
28 |       - confidence
29 | 


--------------------------------------------------------------------------------
/MANIFEST.in:
--------------------------------------------------------------------------------
 1 | include 'csirtg_smrt'
 2 | include versioneer.py
 3 | include README README.md COPYING LICENSE
 4 | include MANIFEST.in
 5 | include requirements.txt extras_requirements.txt
 6 | exclude dev_requirements.txt
 7 | include test
 8 | recursive-include examples *
 9 | recursive-include test *.yml
10 | recursive-include test *.txt
11 | recursive-include test *.gz
12 | recursive-include test *.zip
13 | 
14 | recursive-exclude * __pycache__
15 | recursive-exclude * *.pyc
16 | recursive-exclude * *.pyo
17 | recursive-exclude * *.orig
18 | recursive-exclude packaging *
19 | 


--------------------------------------------------------------------------------
/test/vxvault/feed.txt:
--------------------------------------------------------------------------------
 1 | VX Vault last 100 Links
 2 | Wed, 23 Mar 2016 23:10:10 +0000
 3 | 
 4 | http://store.suhaskhamkar.in/plmaz
 5 | http://antalyanalburiye.com/image/payment/client.exe
 6 | http://tirekoypazari.com/lso30sd
 7 | http://naipeclandestino.com.br/image/data/office.exe
 8 | http://tribudellusato.altervista.org/image/templates/office.exe
 9 | http://jeansowghtqq.com/93.exe
10 | http://jeansowghtqq.com/87.exe
11 | http://jeansowghtqq.com/85.exe
12 | http://jeansowghtqq.com/80.exe
13 | http://jeansowghtqq.com/69.exe
14 | http://jeansowghtqq.com/25.exe
15 | http://jeansowghtqq.com/23.exe


--------------------------------------------------------------------------------
/test/bro/test_bro.py:
--------------------------------------------------------------------------------
 1 | from csirtg_smrt.parser.bro import BroTailer
 2 | from pprint import pprint
 3 | 
 4 | 
 5 | def test_bro():
 6 |     file = 'test/bro/bro.log'
 7 | 
 8 |     b = BroTailer(file)
 9 | 
10 |     events = []
11 |     with open(file) as f:
12 |         for l in f.read().split("\n"):
13 |             if l.startswith('#'):
14 |                 continue
15 | 
16 |             i = b.parse_line(l)
17 | 
18 |             if not i:
19 |                 continue
20 | 
21 |             events.append(i)
22 | 
23 |     assert len(events) > 0
24 |     assert events[0]['indicator'] == '138.117.125.206'
25 | 


--------------------------------------------------------------------------------
/test/openphish/test_openphish.py:
--------------------------------------------------------------------------------
 1 | import py.test
 2 | 
 3 | from csirtg_smrt import Smrt
 4 | from csirtg_smrt.rule import Rule
 5 | from csirtg_smrt.constants import REMOTE_ADDR
 6 | from pprint import pprint
 7 | import json
 8 | 
 9 | rule = 'test/openphish/openphish.yml'
10 | rule = Rule(path=rule)
11 | rule.fetcher = 'file'
12 | s = Smrt(REMOTE_ADDR, 1234, client='dummy')
13 | 
14 | 
15 | def test_openphish():
16 |     rule.feeds['urls']['remote'] = 'test/openphish/feed.txt'
17 |     x = s.process(rule, feed="urls")
18 |     x = list(x)
19 | 
20 |     assert len(x) > 0
21 |     assert len(x[0].indicator) > 4
22 | 


--------------------------------------------------------------------------------
/test/phishtank/phishtank.yml:
--------------------------------------------------------------------------------
 1 | parser: json
 2 | remote: http://data.phishtank.com/data/online-valid.json.gz
 3 | defaults:
 4 |   provider: phishtank.com
 5 |   tlp: green
 6 |   altid_tlp: white
 7 |   application:
 8 |     - http
 9 |     - https
10 |   confidence: 9
11 |   tags: phishing
12 |   protocol: tcp
13 | 
14 | feeds:
15 |   urls:
16 |     itype: url
17 |     map:
18 |       - submission_time
19 |       - url
20 |       - target
21 |       - phish_detail_url
22 |       - details
23 |     values:
24 |       - lasttime
25 |       - indicator
26 |       - description
27 |       - altid
28 |       - additional_data
29 | 


--------------------------------------------------------------------------------
/csirtg_smrt/client/zcif.py:
--------------------------------------------------------------------------------
 1 | from cifsdk.client.http import HTTP as HTTPClient
 2 | 
 3 | import os
 4 | 
 5 | REMOTE = os.getenv('CIF_REMOTE', 'http://localhost:5000')
 6 | TOKEN = os.getenv('CIF_TOKEN')
 7 | 
 8 | if REMOTE == '':
 9 |     REMOTE = 'http://localhost:5000'
10 | 
11 | if TOKEN == '':
12 |     TOKEN = None
13 | 
14 | 
15 | class CIF(HTTPClient):
16 | 
17 |     def __init__(self, remote=REMOTE, token=TOKEN, **kwargs):
18 |         if not remote:
19 |             remote = REMOTE
20 | 
21 |         if not token:
22 |             token = TOKEN
23 | 
24 |         super(CIF, self).__init__(remote, token, **kwargs)
25 | 
26 | Plugin = CIF
27 | 


--------------------------------------------------------------------------------
/test/utils/test.rss:
--------------------------------------------------------------------------------
 1 | <?xml version='1.0' encoding='ISO-8859-1'?>
 2 | <rss version='2.0'>
 3 | 
 4 | <channel>
 5 | <title>Malc0de Database Feed</title>
 6 | <link>http://malc0de.com/database/</link>
 7 | <description>Updated Feed of Malicious Executables</description>
 8 | <language>en-us</language>
 9 | <copyright>Copyright (C) 2010 malc0de.com</copyright>
10 | <item>
11 | <title>down12.xiazaidc.com</title>
12 | <link>http://malc0de.com/database/index.php?search=down12.xiazaidc.com</link>
13 | <description>URL: , IP Address: 121.41.10.159, Country: CN, ASN: 37963, MD5: 2a65f85d09f36402fbd91484a9a4adac</description>
14 | </item>
15 | <item>
16 | </channel>
17 | </rss>
18 | 


--------------------------------------------------------------------------------
/csirtg_smrt/client/plugin.py:
--------------------------------------------------------------------------------
 1 | from csirtg_indicator import Indicator
 2 | import abc
 3 | 
 4 | 
 5 | class Client(object):
 6 | 
 7 |     def __init__(self, remote=None, token=None, username=None):
 8 |         if remote:
 9 |             self.remote = remote
10 | 
11 |         if token:
12 |             self.token = token
13 | 
14 |         if username:
15 |             self.username = username
16 | 
17 |     def _kv_to_indicator(self, kv):
18 |         return Indicator(**kv)
19 | 
20 |     def ping(self, write=False):
21 |         return True
22 | 
23 |     @abc.abstractmethod
24 |     def indicators_create(self, data, **kwargs):
25 |         raise NotImplementedError
26 | 


--------------------------------------------------------------------------------
/csirtg_smrt/client/zsplunk.py:
--------------------------------------------------------------------------------
 1 | from csirtg_smrt.client.plugin import Client
 2 | 
 3 | # https://github.com/splunk/splunk-sdk-python/blob/master/examples/submit.py
 4 | class _Splunk(Client):
 5 | 
 6 |     __name__ = 'splunk'
 7 | 
 8 |     def __init__(self, remote='localhost:514', *args, **kwargs):
 9 |         super(_Splunk, self).__init__(remote)
10 | 
11 |         raise NotImplemented
12 | 
13 |     def ping(self, write=False):
14 |         raise NotImplemented
15 | 
16 |     def indicators_create(self, data, **kwargs):
17 |         # https://github.com/splunk/splunk-sdk-python/blob/master/examples/submit.py
18 |         raise NotImplemented
19 | 
20 | Plugin = _Splunk
21 | 


--------------------------------------------------------------------------------
/test/zemail/test_zemail.py:
--------------------------------------------------------------------------------
 1 | import py.test
 2 | 
 3 | from csirtg_smrt import Smrt
 4 | from csirtg_smrt.rule import Rule
 5 | from csirtg_smrt.constants import REMOTE_ADDR
 6 | from csirtg_smrt.constants import PYVERSION
 7 | 
 8 | rule = 'test/zemail/zemail.yml'
 9 | rule = Rule(path=rule)
10 | rule.fetcher = 'stdin'
11 | s = Smrt(REMOTE_ADDR, 1234, client='dummy')
12 | 
13 | 
14 | def test_zemail():
15 |     feed = 'abuse'
16 |     with open('test/zemail/single_plain_01.eml') as f:
17 |         data = f.read()
18 | 
19 |         x = list(s.process(rule, feed=feed, data=data))
20 | 
21 |         assert len(x) > 0
22 | 
23 |         assert x[0].indicator == 'http://www.socialservices.cn/detail.php?id=9'
24 | 


--------------------------------------------------------------------------------
/csirtg_smrt/parser/zindicator.py:
--------------------------------------------------------------------------------
 1 | from csirtg_smrt.parser import Parser
 2 | from pprint import pprint
 3 | 
 4 | 
 5 | class _Indicator(Parser):
 6 |     def __init__(self, *args, **kwargs):
 7 |         super(_Indicator, self).__init__(*args, **kwargs)
 8 | 
 9 |     def process(self):
10 |         defaults = self._defaults()
11 | 
12 |         for l in self.fetcher.process():
13 |             for e in l:
14 |                 i = {}
15 |                 e = e.__dict__()
16 |                 for k, v in e.items():
17 |                     i[k] = v
18 | 
19 |                 for k, v in defaults.items():
20 |                     i[k] = v
21 | 
22 |                 yield i
23 | 
24 | 
25 | Plugin = _Indicator
26 | 


--------------------------------------------------------------------------------
/test/alexa/alexa.yml:
--------------------------------------------------------------------------------
 1 | parser: csv
 2 | defaults:
 3 |   values:
 4 |     - rank
 5 |     - indicator
 6 |   description: 'eval("alexa #{rank}".format(**obs))'
 7 |   tags: whitelist
 8 |   application:
 9 |       - http
10 |       - https
11 |   protocol: tcp
12 |   altid: 'eval("http://www.alexa.com/siteinfo/{indicator}".format(**obs))'
13 |   provider: alexa.com
14 |   tlp: green
15 |   altid_tlp: white
16 |   confidence: |
17 |     eval(max(0, min(
18 |         125 - 25 * math.ceil(
19 |             math.log10(
20 |                 int(obs['rank'])
21 |             )
22 |         ), 
23 |     95)))
24 | 
25 | feeds:
26 |   topN:
27 |     remote: http://s3.amazonaws.com/alexa-static/top-1m.csv.zip
28 |     limit: 10100
29 |     


--------------------------------------------------------------------------------
/test/csirtg/feed2_csv.txt:
--------------------------------------------------------------------------------
1 | "id","indicator","itype","portlist","firsttime","lasttime","protocol","application","feed_id","created_at","updated_at","description","portlist_src"
2 | "337406","80.82.78.27","ipv4","3389","","","6","","46","2016-03-23 20:35:01 UTC","2016-03-23 20:35:01 UTC","sourced from firewall logs (incomming WAN, TCP, Syn, blocked)","42775"
3 | #"337401","216.243.31.2","ipv4","443","","2016-03-23 20:17:26 UTC","6","","46,2016-03-23 20:22:27 UTC,2016-03-23 20:22:27 UTC","sourced from firewall logs (incomming, TCP, Syn, blocked)",
4 | #"337400","91.236.75.4","ipv4","8080","","2016-03-23 20:14:53 UTC","6","","46,2016-03-23 20:17:26 UTC,2016-03-23 20:17:26 UTC","sourced from firewall logs (incomming, TCP, Syn, blocked)",


--------------------------------------------------------------------------------
/test/pastebin/test_pastebin.py:
--------------------------------------------------------------------------------
 1 | import py.test
 2 | 
 3 | from csirtg_smrt import Smrt
 4 | from csirtg_smrt.rule import Rule
 5 | from csirtg_smrt.constants import REMOTE_ADDR
 6 | from pprint import pprint
 7 | 
 8 | rule = 'test/pastebin/pastebin.yml'
 9 | rule = Rule(path=rule)
10 | rule.fetcher = 'file'
11 | 
12 | s = Smrt(REMOTE_ADDR, 1234, client='dummy')
13 | 
14 | 
15 | def test_pastebin_creds():
16 |     rule.feeds['creds']['remote'] = 'test/pastebin/feed.txt'
17 |     x = s.process(rule, feed="creds")
18 |     x = list(x)
19 | 
20 |     assert len(x) > 0
21 | 
22 |     indicators = set()
23 | 
24 |     for xx in x:
25 |         indicators.add(xx.indicator)
26 | 
27 |     assert 'a.clayton10@gmail.com' in indicators
28 | 


--------------------------------------------------------------------------------
/test/smrt/test_remote_regex.py:
--------------------------------------------------------------------------------
 1 | import py.test
 2 | 
 3 | from csirtg_smrt import Smrt
 4 | from pprint import pprint
 5 | 
 6 | 
 7 | def test_smrt_remote_regex():
 8 |     with Smrt(None, None, client='dummy') as s:
 9 |         assert type(s) is Smrt
10 | 
11 |         x = []
12 |         for r, f in s.load_feeds('test/smrt/remote_regex.yml', feed='port-scanners'):
13 |             x = list(s.process(r, f))
14 |             assert len(x) > 0
15 | 
16 |         x = []
17 |         for r, f in s.load_feeds('test/smrt/remote_regex.yml', feed='port-scanners-fail'):
18 |             try:
19 |                 x = list(s.process(r, f))
20 |             except RuntimeError as e:
21 |                 pass
22 | 
23 |             assert len(x) == 0
24 | 
25 | 


--------------------------------------------------------------------------------
/test/sansedu/test_sans.py:
--------------------------------------------------------------------------------
 1 | import py.test
 2 | 
 3 | from csirtg_smrt import Smrt
 4 | from csirtg_smrt.rule import Rule
 5 | from csirtg_smrt.constants import REMOTE_ADDR
 6 | from pprint import pprint
 7 | 
 8 | rule = 'test/sansedu/sans_edu.yml'
 9 | rule = Rule(path=rule)
10 | rule.fetcher = 'file'
11 | s = Smrt(REMOTE_ADDR, 1234, client='dummy')
12 | 
13 | 
14 | def test_sans_low():
15 |     feed = '02_domains_low'
16 |     x = s.process(rule, feed=feed)
17 |     x = list(x)
18 | 
19 |     assert len(x) > 0
20 | 
21 |     assert len(x[0].indicator) > 4
22 | 
23 | 
24 | def test_sans_block():
25 |     feed = 'block'
26 |     x = s.process(rule, feed=feed)
27 |     x = list(x)
28 | 
29 |     assert len(x) > 0
30 |     assert len(x[0].indicator) > 4
31 | 


--------------------------------------------------------------------------------
/test/spamhaus/test_spamhaus.py:
--------------------------------------------------------------------------------
 1 | import py.test
 2 | 
 3 | from csirtg_smrt import Smrt
 4 | from csirtg_smrt.rule import Rule
 5 | from csirtg_smrt.constants import REMOTE_ADDR
 6 | from pprint import pprint
 7 | 
 8 | rule = 'test/spamhaus/spamhaus.yml'
 9 | rule = Rule(path=rule)
10 | rule.fetcher = 'file'
11 | s = Smrt(REMOTE_ADDR, 1234, client='dummy')
12 | 
13 | 
14 | def test_spamhaus_drop():
15 |     rule.feeds['drop']['remote'] = 'test/spamhaus/drop.txt'
16 |     x = s.process(rule, feed="drop")
17 |     x = list(x)
18 |     assert len(list(x)) > 0
19 | 
20 | 
21 | def test_spamhaus_edrop():
22 |     rule.feeds['edrop']['remote'] = 'test/spamhaus/edrop.txt'
23 |     x = s.process(rule, feed="edrop")
24 |     x = list(x)
25 |     assert len(x) > 0
26 | 


--------------------------------------------------------------------------------
/.coveragerc:
--------------------------------------------------------------------------------
 1 | # .coveragerc to control coverage.py
 2 | [run]
 3 | branch = True
 4 | 
 5 | [report]
 6 | # Regexes for lines to exclude from consideration
 7 | exclude_lines =
 8 |     # Have to re-enable the standard pragma
 9 |     pragma: no cover
10 | 
11 |     # Don't complain about missing debug-only code:
12 |     def __repr__
13 |     if self\.debug
14 | 
15 |     # Don't complain if tests don't hit defensive assertion code:
16 |     raise AssertionError
17 |     raise NotImplementedError
18 | 
19 |     # Don't complain if non-runnable code isn't run:
20 |     if 0:
21 |     if __name__ == .__main__.:
22 | 
23 | ignore_errors = True
24 | 
25 | omit =
26 |     #csirtg/smrt/parser/pipe.py
27 |     #cif/_version.py
28 | 
29 | [html]
30 | directory = coverage_html_report
31 | 


--------------------------------------------------------------------------------
/test/phishtank/test_phishtank.py:
--------------------------------------------------------------------------------
 1 | import py.test
 2 | 
 3 | from csirtg_smrt import Smrt
 4 | from csirtg_smrt.rule import Rule
 5 | from csirtg_smrt.constants import REMOTE_ADDR
 6 | from pprint import pprint
 7 | 
 8 | rule = 'test/phishtank/phishtank.yml'
 9 | rule = Rule(path=rule)
10 | rule.fetcher = 'file'
11 | s = Smrt(REMOTE_ADDR, 1234, client='dummy')
12 | 
13 | 
14 | def test_phishtank_urls():
15 |     rule.remote = 'test/phishtank/feed.json.gz'
16 |     x = s.process(rule, feed="urls")
17 |     x = list(x)
18 | 
19 |     assert len(x) > 0
20 |     assert len(x[0].indicator) > 4
21 | 
22 |     indicators = set()
23 |     for i in x:
24 |         indicators.add(i.indicator)
25 | 
26 |     assert 'http://charlesleonardconstruction.com/irs/confim/index.html' in indicators
27 | 


--------------------------------------------------------------------------------
/test/smrt/rules/csirtg_defang.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | parser: csv
 3 | replace:
 4 |   indicator:
 5 |     '[.]': '.'
 6 | 
 7 | defaults:
 8 |   provider: csirtg.io
 9 |   altid_tlp: white
10 |   altid: https://csirtg.io/search?q={indicator}
11 |   tlp: white
12 |   confidence: 9
13 |   indicator: eval(indicator.replace('[.]', '.'))
14 |   values:
15 |     - null
16 |     - indicator
17 |     - itype
18 |     - portlist
19 |     - null
20 |     - null
21 |     - protocol
22 |     - application
23 |     - null
24 |     - firsttime
25 |     - lasttime
26 |     - description
27 |     - null
28 | 
29 | feeds:
30 |   # A feed of IP addresses block by a firewall (e.g. port scanners)
31 |   port-scanners:
32 |     remote: 'test/smrt/data/feed_defanged.txt'
33 |     defaults:
34 |       tags:
35 |         - scanner


--------------------------------------------------------------------------------
/test/vxvault/test_vxvault.py:
--------------------------------------------------------------------------------
 1 | import py.test
 2 | 
 3 | from csirtg_smrt import Smrt
 4 | from csirtg_smrt.rule import Rule
 5 | from csirtg_smrt.constants import REMOTE_ADDR
 6 | from pprint import pprint
 7 | 
 8 | rule = 'test/vxvault/vxvault.yml'
 9 | rule = Rule(path=rule)
10 | rule.fetcher = 'file'
11 | 
12 | s = Smrt(REMOTE_ADDR, 1234, client='dummy')
13 | 
14 | 
15 | def test_vxvault_urls():
16 |     rule.feeds['urls']['remote'] = 'test/vxvault/feed.txt'
17 |     x = s.process(rule, feed="urls")
18 |     x = list(x)
19 | 
20 |     assert len(x) > 0
21 | 
22 |     urls = set()
23 |     tags = set()
24 | 
25 |     for xx in x:
26 |         urls.add(xx.indicator)
27 |         tags.add(xx.tags[0])
28 | 
29 |     assert 'http://jeansowghtqq.com/85.exe' in urls
30 |     assert 'malware' in tags


--------------------------------------------------------------------------------
/test/malc0de/malc0de.yml:
--------------------------------------------------------------------------------
 1 | parser: rss
 2 | remote: http://malc0de.com/rss
 3 | defaults:
 4 |   confidence: 9
 5 |   tlp: green
 6 |   altid_tlp: white
 7 |   provider: malc0de.com
 8 |   tags: malware
 9 | 
10 | feeds:
11 |   urls:
12 |     itype: url
13 |     pattern:
14 |       description:
15 |         pattern: '^URL: (.+), IP Address: \S+?, Country: \S+, ASN: \S+, MD5: \S+'
16 |         values:
17 |           - indicator
18 |       link:
19 |         pattern: '(\S+)'
20 |         values:
21 |           - altid
22 |   malware:
23 |     itype: md5
24 |     pattern:
25 |       description:
26 |         pattern: '^URL: .+, IP Address: \S+?, Country: \S+, ASN: \S+, MD5: (\S+)'
27 |         values:
28 |           - indicator
29 |       link:
30 |         pattern: '(\S+)'
31 |         values:
32 |           - altid


--------------------------------------------------------------------------------
/test/test_timestamps.py:
--------------------------------------------------------------------------------
 1 | import py.test
 2 | from csirtg_smrt.utils.zarrow import parse_timestamp
 3 | import arrow
 4 | 
 5 | 
 6 | def test_timestamps():
 7 |     ts = {
 8 |             '2015-01-01': arrow.get('2015-01-01 00:00:00Z'),
 9 |             '2015-01-01T23:59:59Z': arrow.get('2015-01-01 23:59:59Z'),
10 |             1367900664: arrow.get('2013-05-07T04:24:24+00:00'),
11 |             '20160401': arrow.get('2016-04-01T00:00:00+00:00'),
12 |             '2015-01-05T00:00:00.00Z': arrow.get('2015-01-05 00:00:00Z'),
13 |             '2014-01-01T23:59+04:00': arrow.get('2014-01-01T23:59:00+04:00'),
14 |             '20130601235959': arrow.get('2013-06-01T23:59:59+00:00'),
15 |         }
16 | 
17 |     for t in ts:
18 |         x = parse_timestamp(t)
19 |         print(t, x)
20 |         assert x == ts[t]


--------------------------------------------------------------------------------
/test/ufw/test_ufw.py:
--------------------------------------------------------------------------------
 1 | from csirtg_smrt.parser.ufw import parse_line
 2 | 
 3 | 
 4 | def test_ufw():
 5 |     file = 'test/ufw/ufw.log'
 6 | 
 7 |     events = []
 8 |     with open(file) as f:
 9 |         for l in f.read().split("\n"):
10 |             i = parse_line(l)
11 | 
12 |             events.append(i)
13 | 
14 |     assert len(events) > 0
15 |     assert events[0]['indicator'] == '114.33.197.193'
16 | 
17 | 
18 | def test_ufw_ubuntu16():
19 |     file = 'test/ufw/ufw_ubuntu16.log'
20 | 
21 |     events = []
22 |     with open(file) as f:
23 |         for l in f.read().split("\n"):
24 |             i = parse_line(l)
25 | 
26 |             events.append(i)
27 | 
28 |     assert len(events) > 0
29 |     assert events[0]['indicator'] == '10.0.2.2'
30 |     assert events[1]['indicator'] == '61.7.190.140'
31 | 


--------------------------------------------------------------------------------
/test/sansedu/sans_edu.yml:
--------------------------------------------------------------------------------
 1 | skip: '^Site$'
 2 | defaults:
 3 |   tlp: green
 4 |   reference_tlp: white
 5 |   provider: 'isc.sans.edu'
 6 |   pattern:  '^(.+)$'
 7 |   values: indicator
 8 |   tags: suspicious
 9 | 
10 | feeds:
11 |   02_domains_low:
12 |     confidence: 7
13 |     remote: 'test/sansedu/low.txt'
14 | 
15 |   01_domains_medium:
16 |     confidence: 8
17 |     remote:  http://isc.sans.edu/feeds/suspiciousdomains_Medium.txt
18 | 
19 |   00_domains_high:
20 |     confidence: 9
21 |     remote: http://isc.sans.edu/feeds/suspiciousdomains_High.txt
22 | 
23 |   block:
24 |     remote: 'test/sansedu/block.txt'
25 |     confidence: 8 
26 |     pattern: ^(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)\t\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b\t(\d+)
27 |     values:
28 |       - indicator
29 |       - mask
30 |     tags: scanner
31 | 


--------------------------------------------------------------------------------
/test/spamcop/test_spamcop.py:
--------------------------------------------------------------------------------
 1 | import py.test
 2 | 
 3 | from csirtg_smrt import Smrt
 4 | from csirtg_smrt.rule import Rule
 5 | from csirtg_smrt.constants import REMOTE_ADDR
 6 | from csirtg_smrt.constants import PYVERSION
 7 | 
 8 | rule = 'test/spamcop/spamcop.yml'
 9 | rule = Rule(path=rule)
10 | rule.fetcher = 'stdin'
11 | s = Smrt(REMOTE_ADDR, 1234, client='dummy')
12 | 
13 | 
14 | def test_spamcop():
15 |     feed = 'abuse'
16 |     rule.feeds[feed]['remote'] = 'stdin'
17 |     with open('test/spamcop/email1.txt') as f:
18 |         data = f.read()
19 | 
20 |         x = list(s.process(rule, feed=feed, data=data))
21 | 
22 |         assert len(x) > 0
23 | 
24 |         assert len(x[0].indicator) > 4
25 | 
26 |         assert x[0].indicator == '204.93.2.6'
27 | 
28 |         assert x[0].message.startswith('znjvbtogehh4qhj')
29 | 


--------------------------------------------------------------------------------
/test/packetmail/test_packetmail.py:
--------------------------------------------------------------------------------
 1 | import py.test
 2 | 
 3 | from csirtg_smrt import Smrt
 4 | from csirtg_smrt.rule import Rule
 5 | from csirtg_smrt.constants import REMOTE_ADDR
 6 | from pprint import pprint
 7 | 
 8 | rule = 'test/packetmail/packetmail.yml'
 9 | rule = Rule(path=rule)
10 | rule.fetcher = 'file'
11 | 
12 | s = Smrt(REMOTE_ADDR, 1234, client='dummy')
13 | 
14 | 
15 | def test_packetmail_iprep():
16 |     rule.feeds['iprep']['remote'] = 'test/packetmail/feed.txt'
17 |     x = s.process(rule, feed="iprep")
18 |     x = list(x)
19 |     assert len(x) > 0
20 | 
21 |     ips = set()
22 |     tags = set()
23 | 
24 |     for xx in x:
25 |         ips.add(xx.indicator)
26 |         for t in xx.tags:
27 |             tags.add(t)
28 | 
29 |     assert '179.40.212.141' in ips
30 |     assert '104.131.128.9' in ips
31 | 
32 |     assert 'honeynet' in tags
33 | 


--------------------------------------------------------------------------------
/test/smrt/remote_regex.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | parser: csv
 3 | 
 4 | defaults:
 5 |   provider: csirtg.io
 6 |   altid_tlp: white
 7 |   altid: https://csirtg.io/search?q=<indicator>
 8 |   tlp: white
 9 |   confidence: 9
10 |   values:
11 |     - null
12 |     - indicator
13 |     - itype
14 |     - portlist
15 |     - null
16 |     - null
17 |     - protocol
18 |     - application
19 |     - null
20 |     - firsttime
21 |     - lasttime
22 |     - description
23 |     - null
24 | 
25 | feeds:
26 |   # A feed of IP addresses block by a firewall (e.g. port scanners)
27 |   port-scanners:
28 |     remote: 'test/smrt/data/'
29 |     remote_pattern: '^feed_regex_\d+\-\d+-\d+\.csv$'
30 |     defaults:
31 |       tags:
32 |         - scanner
33 | 
34 |   port-scanners-fail:
35 |     remote: 'test/smrt/data/'
36 |     remote_pattern: '^feed_regex_\d+\-\d+-\d+\.csv2$'
37 |     defaults:
38 |       tags:
39 |         - scanner


--------------------------------------------------------------------------------
/test/alienvault/feed.txt:
--------------------------------------------------------------------------------
 1 | 114.143.191.19#3#2#Scanning Host#IN#Pune#18.5333003998,73.8666992188#11
 2 | 68.15.122.196#3#2#Scanning Host#US#Harrah#35.5018005371,-97.1324005127#11
 3 | 60.173.12.98#3#2#Scanning Host#CN#Shanghai#31.0456008911,121.39969635#11
 4 | 93.158.211.210#4#4#Malicious Host;Scanning Host#NL##52.3666992188,4.90000009537#3;11
 5 | 223.252.32.73#3#2#Scanning Host#AU#Brisbane#-27.4710006714,153.024307251#11
 6 | 180.97.215.63#3#2#Scanning Host#CN#Nanjing#32.0616989136,118.777801514#11
 7 | 150.185.222.55#3#2#Scanning Host#VE#Maracaibo#10.6316995621,-71.6406021118#11
 8 | 47.50.164.186#3#2#Scanning Host#US#Saint Louis#38.6783981323,-90.3769989014#11
 9 | 63.143.42.247#6#4#Spamming#US#Dallas#32.7790985107,-96.8028030396#12
10 | 23.92.83.73#6#2#Spamming#US##38.0,-97.0#12
11 | 93.127.228.36#6#3#Spamming#DE#Frankfurt Am Main#50.1166992188,8.68330001831#12
12 | 63.143.42.246#9#3#Spamming#US#Dallas#32.7790985107,-96.8028030396#12


--------------------------------------------------------------------------------
/test/ransomware_abuse_ch/test_ransomware_abuse_ch.py:
--------------------------------------------------------------------------------
 1 | import py.test
 2 | 
 3 | from csirtg_smrt import Smrt
 4 | from csirtg_smrt.rule import Rule
 5 | from csirtg_smrt.constants import REMOTE_ADDR
 6 | from pprint import pprint
 7 | 
 8 | rule = 'test/ransomware_abuse_ch/ransomware_abuse_ch.yml'
 9 | rule = Rule(path=rule)
10 | rule.fetcher = 'file'
11 | 
12 | s = Smrt(REMOTE_ADDR, 1234, client='dummy')
13 | 
14 | 
15 | def test_abuse_ch_ransomware():
16 |     rule.feeds['ransomware']['remote'] = 'test/ransomware_abuse_ch/feed.txt'
17 |     x = s.process(rule, feed="ransomware")
18 |     x = list(x)
19 |     assert len(x) > 0
20 | 
21 |     indicators = set()
22 |     tags = set()
23 | 
24 |     from pprint import pprint
25 |     pprint(x)
26 | 
27 |     for xx in x:
28 |         indicators.add(xx.indicator)
29 |         tags.add(xx.tags[0])
30 | 
31 |     assert 'http://grandaareyoucc.asia/85.exe' in indicators
32 |     assert 'botnet' in tags
33 | 


--------------------------------------------------------------------------------
/test/bambenek/bambenek.yml:
--------------------------------------------------------------------------------
 1 | defaults:
 2 |   provider: osint.bambenekconsulting.com
 3 |   tlp: white
 4 |   altid_tlp: white
 5 |   confidence: 9
 6 |   tags: botnet
 7 |   values:
 8 |       - indicator
 9 |       - description
10 |       - lasttime
11 |       - altid
12 | 
13 | feeds:
14 |   c2-dommasterlist:
15 |     remote: http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt
16 |     pattern: ^(\S+)\,Domain used by ([^,]+)\,([^,]+)\,(\S+)$
17 |   c2-ipmasterlist:
18 |     remote: http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt
19 |     pattern: ^(\S+)\,IP used by ([^,]+)\,([^,]+)\,(\S+)$
20 | 
21 | #  Warning: the dga-feed is disabled by default as it is a very large
22 | #           feed at ~800K records and 95MB in size. You must have a
23 | #           large CIF instance to process this data set.
24 | #  dga-feed:
25 | #    remote: http://osint.bambenekconsulting.com/feeds/dga-feed.txt
26 | #    pattern: ^(\S+)\,Domain used by ([^,]+)\,([^,]+)\,(\S+)$


--------------------------------------------------------------------------------
/Vagrantfile:
--------------------------------------------------------------------------------
 1 | #e -*- mode: ruby -*-
 2 | # vi: set ft=ruby :
 3 | 
 4 | # Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
 5 | VAGRANTFILE_API_VERSION = "2"
 6 | VAGRANTFILE_LOCAL = 'Vagrantfile.local'
 7 | 
 8 | $script = <<SCRIPT
 9 | echo 'yes' | sudo add-apt-repository 'ppa:fkrull/deadsnakes-python2.7'
10 | sudo apt-get update && sudo apt-get install -y python2.7 python-pip python3-dev python-dev git libffi-dev libssl-dev sqlite3 build-essential virtualenvwrapper python-virtualenv devscripts debhelper cdbs
11 | SCRIPT
12 | 
13 | Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
14 |   config.vm.provision "shell", inline: $script
15 |   config.vm.box = 'ubuntu/trusty64'
16 | 
17 |   config.vm.provider :virtualbox do |vb|
18 |     vb.customize ["modifyvm", :id, "--cpus", "2", "--ioapic", "on", "--memory", "1024" ]
19 |   end
20 | 
21 |   if File.file?(VAGRANTFILE_LOCAL)
22 |     external = File.read VAGRANTFILE_LOCAL
23 |     eval external
24 |   end
25 | end
26 | 


--------------------------------------------------------------------------------
/test/client/test_elasticsearch.py:
--------------------------------------------------------------------------------
 1 | import pytest
 2 | import os
 3 | from csirtg_smrt import Smrt
 4 | from elasticsearch_dsl.connections import connections
 5 | import elasticsearch
 6 | from pprint import pprint
 7 | 
 8 | REMOTE = os.environ.get('CSIRTG_SMRT_ELASTICSEARCH_NODES', 'localhost:9200')
 9 | ES_TESTS = os.environ.get('CSIRTG_SMRT_ES_TESTS', False)
10 | 
11 | 
12 | @pytest.mark.skipif(ES_TESTS is False, reason='CSIRTG_SMRT_ES_TESTS not set to True')
13 | def test_smrt_elastcisearch():
14 |     with Smrt(remote=REMOTE, client='elasticsearch') as s:
15 |         assert type(s) is Smrt
16 | 
17 |         x = s.process('test/smrt/rules/csirtg.yml', feed='port-scanners')
18 |         assert len(x) > 0
19 | 
20 |         x = s.process('test/smrt/rules/csirtg.yml', feed='port-scanners')
21 |         assert len(x) > 0
22 | 
23 |         # cleanup
24 |         es = connections.get_connection()
25 |         cli = elasticsearch.client.IndicesClient(es)
26 |         cli.delete(index='indicators-*')
27 | 


--------------------------------------------------------------------------------
/test/sansedu/low.txt:
--------------------------------------------------------------------------------
 1 | #
 2 | #   DShield.org Suspicious Domain List
 3 | #    (c) 2015 DShield.org
 4 | #   some rights reserved. Details http://creativecommons.org/licenses/by-nc-sa/2.5/
 5 | #   use on your own risk. No warranties implied.
 6 | #   primary URL: http://www.dshield.org/feeds/suspiciousdomains_High.txt
 7 | #
 8 | #   comments: info@dshield.org
 9 | #    updated: Tue Sep 29 04:07:29 2015 UTC
10 | #
11 | #    This list consists of High Level Sensitivity website URLs
12 | #     Columns (tab delimited):
13 | #
14 | #      (1) site
15 | #
16 | Site
17 | 000007.ru
18 | 000cc.com
19 | 09cd.co.kr
20 | 1-verygoods.ru
21 | 10kpictures.com
22 | 114bds.com
23 | 114oldest.com
24 | 120a.com
25 | 123kochi.com
26 | 123mdw.com
27 | 13grandferi.ru
28 | 1492tapasbar.com
29 | 168asia.com
30 | 18dd.net
31 | 18xn.com
32 | 19tenco.com
33 | 1a-teensbilder.de
34 | 1day.su
35 | 1sense.info
36 | 1speed.info
37 | 1trillionemails.com
38 | 1tvv.com
39 | 1verygoods.ru
40 | 2000tours.com
41 | 2009dddd.cn
42 | 2009llll.cn


--------------------------------------------------------------------------------
/test/smrt/data/feed_regex_2015-01-01.csv:
--------------------------------------------------------------------------------
1 | 337406,80.82.78.27,ipv4,3389,,,6,,46,2016-03-23 20:35:01 UTC,2016-03-23 20:35:01 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",42775
2 | 337401,216.243.31.2,ipv4,443,,2016-03-23 20:17:26 UTC,6,,46,2016-03-23 20:22:27 UTC,2016-03-23 20:22:27 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
3 | 337400,91.236.75.4,ipv4,8080,,2016-03-23 20:14:53 UTC,6,,46,2016-03-23 20:17:26 UTC,2016-03-23 20:17:26 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
4 | 337399,115.230.124.68,ipv4,1433,,2016-03-23 20:14:43 UTC,6,,46,2016-03-23 20:17:26 UTC,2016-03-23 20:17:26 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
5 | 337398,64.125.239.15,ipv4,8000,,,6,,46,2016-03-23 20:10:02 UTC,2016-03-23 20:10:02 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",60484
6 | 337392,93.174.93.94,ipv4,5900,,2016-03-23 20:03:40 UTC,6,,46,2016-03-23 20:07:26 UTC,2016-03-23 20:07:26 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)"


--------------------------------------------------------------------------------
/test/utils/test_smrt_column_detection.py:
--------------------------------------------------------------------------------
 1 | from csirtg_smrt.utils.zcolumns import get_indicator
 2 | from faker import Faker
 3 | fake = Faker()
 4 | from datetime import datetime
 5 | from csirtg_indicator import Indicator
 6 | from pprint import pprint
 7 | from random import randint, shuffle, choice
 8 | 
 9 | 
10 | def test_smrt_column_detection():
11 |     tags = ['scanner', 'phishing', 'botnet', 'malware']
12 |     for x in range(0, 25):
13 |         indicators = [fake.ipv4(), fake.url(), fake.ipv6(), fake.domain_name(), fake.email()]
14 |         for i in indicators:
15 |             i1 = Indicator(i, firsttime=datetime.utcnow(), lasttime=datetime.utcnow(), portlist=randint(1, 65535),
16 |                            tags=choice(tags), description=' '.join(fake.words()))
17 | 
18 |             cols = [i1.indicator, i1.lasttime, i1.portlist, i1.firsttime, i1.tags[0], i1.description]
19 |             shuffle(cols)
20 |             i2 = get_indicator(cols)
21 |             i2.uuid = i1.uuid
22 | 
23 |             #assert i1 == i2
24 | 


--------------------------------------------------------------------------------
/test/alienvault/alienvault.yml:
--------------------------------------------------------------------------------
 1 | defaults:
 2 |   provider: reputation.alienvault.com
 3 |   tlp: white
 4 |   altid_tlp: white
 5 |   values: indicator
 6 | 
 7 | feeds:
 8 |   scanners:
 9 |     remote: https://reputation.alienvault.com/reputation.data
10 |     pattern: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})#\d+#\d+#Scanning Host
11 |     defaults:
12 |       confidence: 7
13 |       tags: scanner
14 |       description: scanning host
15 | 
16 |   spammers:
17 |     remote: https://reputation.alienvault.com/reputation.data
18 |     pattern: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})#\d+#\d+#Spamming
19 |     defaults:
20 |       confidence: 6
21 |       tags: spam
22 |       application: smtp
23 |       portlist: 25
24 |       description: spamming
25 | 
26 |   malware:
27 |     remote: https://reputation.alienvault.com/reputation.data
28 |     pattern: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})#\d+#\d+#Malicious Host
29 |     defaults:
30 |       confidence: 6
31 |       tags:
32 |         - malware
33 |         - suspicious
34 |       description: malicious host
35 | 


--------------------------------------------------------------------------------
/test/smrt/data/feed_defanged.txt:
--------------------------------------------------------------------------------
1 | 337406,80[.]82[.]78[.]27,ipv4,3389,,,6,,46,2016-03-23 20:35:01 UTC,2016-03-23 20:35:01 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",42775
2 | 337401,216[.]243[.]31[.]2,ipv4,443,,2016-03-23 20:17:26 UTC,6,,46,2016-03-23 20:22:27 UTC,2016-03-23 20:22:27 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
3 | 337400,91[.]236[.]75[.]4,ipv4,8080,,2016-03-23 20:14:53 UTC,6,,46,2016-03-23 20:17:26 UTC,2016-03-23 20:17:26 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
4 | 337399,115[.]230[.]124[.]68,ipv4,1433,,2016-03-23 20:14:43 UTC,6,,46,2016-03-23 20:17:26 UTC,2016-03-23 20:17:26 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
5 | 337398,64[.]125[.]239[.]15,ipv4,8000,,,6,,46,2016-03-23 20:10:02 UTC,2016-03-23 20:10:02 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",60484
6 | 337392,93[.]174[.]93[.]94,ipv4,5900,,2016-03-23 20:03:40 UTC,6,,46,2016-03-23 20:07:26 UTC,2016-03-23 20:07:26 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)"


--------------------------------------------------------------------------------
/test/bro/bro.log:
--------------------------------------------------------------------------------
 1 | #separator \x09
 2 | #set_separator	,
 3 | #empty_field	(empty)
 4 | #unset_field	-
 5 | #path	notice
 6 | #open	2017-04-05-13-00-02
 7 | #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
 8 | #types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
 9 | 1491415201.614778	-	-	-	-	-	-	-	-	-	SSH::Bad_Client	138.117.125.206 connected to SSH with a bad client (GET / HTTP/1.1)	GET / HTTP/1.1	138.117.125.206	-	-	-	nids-prod06a-2	Notice::ACTION_LOG,BHR::ACTION_BHR	3600.000000	F	-	-	-	-	-
10 | 1491415217.040387	-	-	-	-	-	-	-	-	-	Scan::Address_Scan	kk: 5.37.231.72 scanned at least 5 unique hosts on ports 22/tcp, 2222/tcp in 37m16s	remote	5.37.231.72	-	-	-	nids-prod08a-1	Notice::ACTION_LOG,BHR::ACTION_BHR	800.000000	F	-	-	-	-	-
11 | 


--------------------------------------------------------------------------------
/csirtg_smrt/parser/zcifv2.py:
--------------------------------------------------------------------------------
 1 | import json
 2 | from csirtg_smrt.parser import Parser
 3 | import os
 4 | import logging
 5 | 
 6 | TRACE = os.environ.get('CSIRTG_SMRT_PARSER_TRACE')
 7 | 
 8 | logger = logging.getLogger(__name__)
 9 | logger.setLevel(logging.DEBUG)
10 | 
11 | if not TRACE:
12 |     logger.setLevel(logging.ERROR)
13 | 
14 | 
15 | class Cifv2(Parser):
16 | 
17 |     def __init__(self, *args, **kwargs):
18 |         super(Cifv2, self).__init__(*args, **kwargs)
19 | 
20 |     def process(self):
21 |         for l in self.fetcher.process():
22 | 
23 |             try:
24 |                 l = json.loads(l)
25 |             except ValueError as e:
26 |                 logger.error('json parsing error: {}'.format(e))
27 |                 continue
28 | 
29 |             for e in l:
30 |                 e['indicator'] = e['observable']
31 |                 e['itype'] = e['otype']
32 | 
33 |                 e['confidence'] = e['confidence'] / 10.0
34 | 
35 |                 if isinstance(e['group'], list):
36 |                     e['group'] = e['group'][0]
37 |                 
38 |                 yield e
39 | 
40 | Plugin = Cifv2
41 | 


--------------------------------------------------------------------------------
/test/smrt/rules/csirtg.yml:
--------------------------------------------------------------------------------
 1 | # cif-smrt configuration file to pull feeds from csirtg.io
 2 | # For more information see https://csirtg.io
 3 | #
 4 | # If no token is given, the feed by default is a "limited feed"
 5 | # provided by https://csirtg.io. The limits of the "limited feed"
 6 | # are:
 7 | #
 8 | # 1. Only results from the last hour are returned
 9 | # 2. A maximum of 25 results are returned per feed
10 | #
11 | # To remove the limits, sign up for an API key at https://csirtg.io
12 | 
13 | parser: csv
14 | #token: < token here -> get one at https://csirtg.io >
15 | defaults:
16 |   provider: csirtg.io
17 |   altid_tlp: white
18 |   altid: https://csirtg.io/search?q={indicator}
19 |   tlp: white
20 |   confidence: 9
21 |   values:
22 |     - null
23 |     - indicator
24 |     - itype
25 |     - portlist
26 |     - null
27 |     - null
28 |     - protocol
29 |     - application
30 |     - null
31 |     - firsttime
32 |     - lasttime
33 |     - description
34 |     - null
35 | 
36 | feeds:
37 |   # A feed of IP addresses block by a firewall (e.g. port scanners)
38 |   port-scanners:
39 |     remote: 'test/smrt/data/feed.txt'
40 |     defaults:
41 |       tags:
42 |         - scanner


--------------------------------------------------------------------------------
/test/client/test_csirtg_live.py:
--------------------------------------------------------------------------------
 1 | import pytest
 2 | import os
 3 | from csirtg_smrt import Smrt
 4 | from csirtgsdk.client.http import HTTP as CSIRTGClient
 5 | from csirtgsdk.feed import Feed
 6 | from pprint import pprint
 7 | 
 8 | CSIRTGIO_TESTS = os.environ.get('CSIRTG_SMRT_CSIRTGIO_TESTS', False)
 9 | USERNAME = os.environ.get('CSIRTG_SMRT_CSIRTGIO_USERNAME', 'wes')
10 | TOKEN = os.environ.get('CSIRTG_SMRT_CSIRTGIO_TOKEN', False)
11 | FEED = os.environ.get('CSIRTG_SMRT_CSIRTGIO_FEED', 'csirtg_smrt_test')
12 | 
13 | 
14 | @pytest.mark.skipif(CSIRTGIO_TESTS is False, reason='CSIRTG_SMRT_CSIRTGIO_TESTS not set to True')
15 | def test_client_csirtg():
16 |     with Smrt(client='csirtg', username=USERNAME, feed='csirtg_smrt_test', token=TOKEN) as s:
17 |         assert type(s) is Smrt
18 | 
19 |         # create test feed
20 |         cli = CSIRTGClient(token=TOKEN)
21 |         f = Feed(cli).new(USERNAME, FEED)
22 |         assert f
23 |         assert f['user'] == USERNAME
24 | 
25 |         x = s.process('test/smrt/rules/csirtg.yml', feed='port-scanners')
26 |         assert len(x) > 0
27 | 
28 |         # remove test feed
29 |         f = Feed(cli).remove(USERNAME, FEED)
30 |         assert f == 200
31 | 


--------------------------------------------------------------------------------
/test/stix/test_stix.py:
--------------------------------------------------------------------------------
 1 | import pytest
 2 | 
 3 | from csirtg_smrt import Smrt
 4 | from csirtg_smrt.rule import Rule
 5 | from csirtg_smrt.constants import REMOTE_ADDR
 6 | from pprint import pprint
 7 | import os
 8 | 
 9 | DISABLE_TESTS = True
10 | if os.environ.get('CSIRTG_SMRT_STIX_TEST'):
11 |     if os.environ['CSIRTG_SMRT_STIX_TEST'] == '1':
12 |         DISABLE_TESTS = False
13 | 
14 | if not DISABLE_TESTS:
15 |     try:
16 |         from stix.core import STIXPackage
17 |     except ImportError:
18 |         raise ImportError('STIX not installed by default, install using `pip install stix`')
19 | 
20 | 
21 | rule = 'test/stix/test.yml'
22 | rule = Rule(path=rule)
23 | s = Smrt(REMOTE_ADDR, 1234, client='dummy')
24 | 
25 | 
26 | @pytest.mark.skipif(DISABLE_TESTS, reason='need to set CSIRTG_SMRT_STIX_TEST=1 to run')
27 | def test_stix():
28 |     x = s.process(rule, feed='fqdn')
29 |     x = list(x)
30 | 
31 |     assert len(x) > 0
32 |     assert len(x[0].indicator) > 4
33 | 
34 |     indicators = set()
35 |     for xx in x:
36 |         indicators.add(xx.indicator)
37 | 
38 |     assert 'http://efax.pfdregistry.org/efax/37486.zip' not in indicators
39 | 
40 |     assert 'www.cderlearn.com' in indicators
41 | 


--------------------------------------------------------------------------------
/test/malc0de/test_malc0de.py:
--------------------------------------------------------------------------------
 1 | import py.test
 2 | 
 3 | from csirtg_smrt import Smrt
 4 | from csirtg_smrt.rule import Rule
 5 | from csirtg_smrt.constants import REMOTE_ADDR
 6 | from pprint import pprint
 7 | 
 8 | rule = 'test/malc0de/malc0de.yml'
 9 | rule = Rule(path=rule)
10 | rule.fetcher = 'file'
11 | s = Smrt(REMOTE_ADDR, 1234, client='dummy')
12 | 
13 | 
14 | def test_malc0de_urls():
15 |     rule.remote = 'test/malc0de/feed.txt'
16 |     x = s.process(rule, feed='urls')
17 |     x = list(x)
18 | 
19 |     assert len(x) > 0
20 |     assert len(x[0].indicator) > 4
21 | 
22 |     indicators = set()
23 |     for xx in x:
24 |         indicators.add(xx.indicator)
25 | 
26 |     assert 'http://url.goosai.com/down/ufffdufffd?ufffdufffdufffd?ufffdufffdbreakprisonsearchv2.7u03afu06f0ufffdufffdufffdufffdufffdufffdat25_35027.exe' in indicators
27 | 
28 | 
29 | def test_malc0de_malware():
30 |     rule.remote = 'test/malc0de/feed.txt'
31 |     x = s.process(rule, feed='malware')
32 |     x = list(x)
33 | 
34 |     assert len(x) > 0
35 |     assert len(x[0].indicator) > 4
36 | 
37 |     indicators = set()
38 | 
39 |     for xx in x:
40 |         indicators.add(xx.indicator)
41 | 
42 |     assert '55dd72e153fbd0cf4cb86dc9a742ce74' in indicators
43 | 


--------------------------------------------------------------------------------
/test/ufw/ufw_ubuntu16.log:
--------------------------------------------------------------------------------
1 | Jan 19 19:25:39 ubuntu-xenial kernel: [  842.134908] [UFW BLOCK] IN=enp0s3 OUT= MAC=02:a5:4d:55:cc:47:52:54:00:12:35:02:08:00 SRC=10.0.2.2 DST=10.0.2.15 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=3809 PROTO=TCP SPT=60766 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
2 | Feb  1 18:15:35 ip-172-30-0-158 kernel: [1041652.548288] [UFW BLOCK] IN=eth0 OUT= MAC=0a:e2:d2:62:e5:ae:0a:b3:35:19:7e:54:08:00 SRC=61.7.190.140 DST=172.30.0.158 LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=24091 PROTO=TCP SPT=2028 DPT=23 WINDOW=11579 RES=0x00 SYN URGP=0
3 | Apr 18 20:17:58 linode kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:e5:62:0a:84:78:ac:57:aa:c1:08:00 SRC=114.255.72.85 DST=172.30.222.161 LEN=52 TOS=0x02 PREC=0x00 TTL=110 ID=23387 DF PROTO=TCP SPT=36592 DPT=3389 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
4 | Apr 18 20:18:52 linode kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:e5:62:0a:84:78:ac:57:a8:41:08:00 SRC=91.230.47.38 DST=172.30.222.161 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=33434 PROTO=TCP SPT=44640 DPT=4970 WINDOW=1024 RES=0x00 SYN URGP=0
5 | Apr 18 20:19:04 linode kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:e5:62:0a:84:78:ac:57:aa:c1:08:00 SRC=91.230.47.38 DST=172.30.222.161 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=20951 PROTO=TCP SPT=44640 DPT=4919 WINDOW=1024 RES=0x00 SYN URGP=0


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | .DS_Store
 2 | deb-build/
 3 | .pypirc
 4 | .vagrant
 5 | *.swp
 6 | chat.py
 7 | pyinstaller-build/
 8 | _version
 9 | csirtg-smrt.yml
10 | # Byte-compiled / optimized / DLL files
11 | .idea
12 | __pycache__/
13 | *.py[cod]
14 | *$py.class
15 | 
16 | # C extensions
17 | *.so
18 | 
19 | # Distribution / packaging
20 | .Python
21 | env/
22 | build/
23 | develop-eggs/
24 | dist/
25 | downloads/
26 | eggs/
27 | .eggs/
28 | lib/
29 | lib64/
30 | parts/
31 | sdist/
32 | var/
33 | *.egg-info/
34 | .installed.cfg
35 | *.egg
36 | 
37 | # PyInstaller
38 | #  Usually these files are written by a python script from a template
39 | #  before PyInstaller builds the exe, so as to inject date/other infos into it.
40 | *.manifest
41 | #*.spec
42 | 
43 | # Installer logs
44 | pip-log.txt
45 | pip-delete-this-directory.txt
46 | 
47 | # Unit test / coverage reports
48 | htmlcov/
49 | .tox/
50 | .coverage
51 | .coverage.*
52 | .cache
53 | nosetests.xml
54 | coverage.xml
55 | *,cover
56 | .hypothesis/
57 | 
58 | # Translations
59 | *.mo
60 | *.pot
61 | 
62 | # Django stuff:
63 | *.log
64 | !test/ufw/ufw.log
65 | !test/cef/cef.log
66 | !test/bro/bro.log
67 | 
68 | 
69 | # Sphinx documentation
70 | docs/_build/
71 | 
72 | # PyBuilder
73 | target/
74 | 
75 | #Ipython Notebook
76 | .ipynb_checkpoints
77 | 


--------------------------------------------------------------------------------
/csirtg_smrt/client/zzyre.py:
--------------------------------------------------------------------------------
 1 | import logging
 2 | from time import sleep
 3 | logger = logging.getLogger(__name__)
 4 | 
 5 | import logging
 6 | import os.path
 7 | 
 8 | from csirtg_indicator import Indicator
 9 | from pyzyre.client import Client as ZyreClient
10 | from pprint import pprint
11 | 
12 | GROUP = os.environ.get('ZYRE_GROUP', 'ZYRE')
13 | INTERFACE = os.environ.get('ZSYS_INTERFACE', 'eth0')
14 | GOSSIP = os.getenv('ZYRE_GOSSIP_CONNECT')
15 | 
16 | logger = logging.getLogger()
17 | 
18 | 
19 | class _Zyre(object):
20 | 
21 |     __name__ = 'zyre'
22 | 
23 |     def __init__(self, *args, **kwargs):
24 |         self.interface = kwargs.get('interface', INTERFACE)
25 |         self.group = kwargs.get('group', GROUP)
26 |         self.client = ZyreClient(interface=self.interface, group=self.group)
27 |         self.start()
28 | 
29 |     def start(self):
30 |         self.client.start_zyre()
31 | 
32 |     def stop(self):
33 |         self.client.stop_zyre()
34 | 
35 |     def indicators_create(self, data):
36 |         if isinstance(data, dict):
37 |             data = Indicator(**data)
38 | 
39 |         if isinstance(data, Indicator):
40 |             data = [data]
41 | 
42 |         for i in data:
43 |             self.client.shout(self.group, str(i))
44 | 
45 | Plugin = _Zyre
46 | 


--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
 1 | sudo: required
 2 | dist: trusty
 3 | language: python
 4 | cache:
 5 |     - apt
 6 |     - pip
 7 | 
 8 | python:
 9 |   - 2.7
10 |   - 3.5
11 | 
12 | install:
13 |   - pip install pip --upgrade
14 |   - easy_install distribute
15 |   - pip install setuptools --upgrade
16 |   - pip install -r dev_requirements.txt
17 |   - pip install stix
18 | 
19 | script:
20 |   - export CSIRTG_SMRT_STIX_TEST=1
21 |   - python setup.py test
22 |   - python setup.py sdist bdist bdist_wheel
23 | 
24 | notifications:
25 |   email:
26 |     on_success: never
27 |     on_failure: never
28 | 
29 | deploy:
30 |   provider: pypi
31 |   user: wesyoung
32 |   password:
33 |     secure: diKbtf7RnRJAo7MdNW3weZDVAfP8j5XYVbcUa6iYBRpQ02zDBhQuZCtmFRms14Ls9nlj2SvBdchdk7WX5R/YbY8j3mI9VtrXdS58foetDPBMQuGJs2dAagpL/AmhssLRqTjKqTX2GXoEgvrKy/HpMiLqGmFKwvd5SlbEWEuC2BNiEL1r+wj/ZlQ36GHGKvNDRnItfwtTZxcDJ62ssdlWItYoRuZyyHEz5PlcYrnhcQHKKpmzzmeRYHHdG2HB42ynr/Plf4/bIjbK1FIMZz3UxZRujblXMkjIzxx/rngPtrUG5M5V28xva0muWrJNnqOvIoOY/A1oOVbysLsCCYR2uh6NcWfLzEFf2PJhjh3y7YZsTVX2rHrvhRKez1Qs+z6cvhvt4AVWRwilMi7TRkwgERhe0YqrRHT1EM5s1OGGN5rSE3Llqa63yvTi4EuMX0GPKZXdfkbihcY0ENexKfu36K3yBMJ39xmtGMKPiUW+aKLo3RZ+XRa+s28GFA5Tju5IYLeBTEz0QkiiovcK0Tl914jDDDE4BVcipL4DuQtF51qGO+9sgo/ppsFWKDFttIBOFYVk2X7UjY73JaXItpQofUKR1v/PRGZ7YSNfUX91bJUKtZ/nQVEysMkflWoqOv6A1296oje9KGE7cqV+8DCzPiFHQrlyLxJqtKfidMXqZC0=
34 |   on:
35 |     branch: master
36 |     tags: true
37 |     condition: $TRAVIS_PYTHON_VERSION = "3.5"
38 | 


--------------------------------------------------------------------------------
/packaging/debian/copyright:
--------------------------------------------------------------------------------
 1 | Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 2 | Upstream-Name: csirtg-smrt
 3 | Source: http://github.com/csirtgadgets/csirtg-smrt-py
 4 | 
 5 | Files: *
 6 | Copyright: 2016 CSIRT Gadgets
 7 |  Other contributors as noted in the AUTHORS file
 8 | License: LGPL-3.0+
 9 | 
10 | License: LGPL-3.0+
11 |  This package is free software; you can redistribute it and/or
12 |  modify it under the terms of the GNU Lesser General Public
13 |  License as published by the Free Software Foundation; either
14 |  version 3 of the License, or (at your option) any later version.
15 |  .
16 |  This package is distributed in the hope that it will be useful,
17 |  but WITHOUT ANY WARRANTY; without even the implied warranty of
18 |  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
19 |  Lesser General Public License for more details.
20 |  .
21 |  You should have received a copy of the GNU General Public License
22 |  along with this program. If not, see <http://www.gnu.org/licenses/>.
23 |  .
24 |  On Debian systems, the complete text of the GNU Lesser General
25 |  Public License can be found in "/usr/share/common-licenses/LGPL-3".BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
26 |  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
27 |  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
28 |  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
29 |  FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
30 |  IN THE SOFTWARE.


--------------------------------------------------------------------------------
/csirtg_smrt/parser/zjson.py:
--------------------------------------------------------------------------------
 1 | import copy
 2 | import json
 3 | from csirtg_smrt.parser import Parser
 4 | import logging
 5 | import os
 6 | from pprint import pprint
 7 | 
 8 | TRACE = os.environ.get('CSIRTG_SMRT_PARSER_TRACE')
 9 | 
10 | logger = logging.getLogger(__name__)
11 | logger.setLevel(logging.DEBUG)
12 | 
13 | if not TRACE:
14 |     logger.setLevel(logging.ERROR)
15 | 
16 | 
17 | class Json(Parser):
18 | 
19 |     def __init__(self, *args, **kwargs):
20 |         super(Json, self).__init__(*args, **kwargs)
21 | 
22 |     def process(self):
23 |         defaults = self._defaults()
24 |         map = self.rule.feeds[self.feed].get('map')
25 |         values = self.rule.feeds[self.feed].get('values')
26 |         envelope = self.rule.feeds[self.feed].get('envelope')
27 | 
28 |         for l in self.fetcher.process():
29 |             try:
30 |                 l = json.loads(l)
31 |             except ValueError as e:
32 |                 logger.error('json parsing error: {}'.format(e))
33 |                 continue
34 | 
35 |             if envelope:
36 |                 if not isinstance(envelope, list):
37 |                     envelope = [envelope]
38 |                 
39 |                 for a in envelope:
40 |                     l = l[a]
41 | 
42 |             for e in l:
43 |                 i = copy.deepcopy(defaults)
44 | 
45 |                 if map:
46 |                     for x, c in enumerate(map):
47 |                         i[values[x]] = e[c]
48 |                         
49 |                 self.eval_obs(i)
50 | 
51 |                 yield i
52 | 
53 | Plugin = Json
54 | 


--------------------------------------------------------------------------------
/test/alexa/test_alexa.py:
--------------------------------------------------------------------------------
 1 | import py.test
 2 | 
 3 | from csirtg_smrt import Smrt
 4 | from csirtg_smrt.rule import Rule
 5 | from csirtg_smrt.constants import REMOTE_ADDR
 6 | from pprint import pprint
 7 | 
 8 | rule = 'test/alexa/alexa.yml'
 9 | rule = Rule(path=rule)
10 | rule.fetcher = 'file'
11 | 
12 | s = Smrt(REMOTE_ADDR, 1234, client='dummy')
13 | 
14 | 
15 | def test_alexa_top1m():
16 |     r, feed = next(s.load_feeds(rule, feed='topN'))
17 | 
18 |     r.defaults['remote'] = 'test/alexa/alexa_top-1m.csv.zip'
19 |     x = s.process(r, feed)
20 |     x = list(x)
21 |     assert len(x) > 0
22 |     
23 |     assert x[0].indicator == "google.com"
24 |     assert x[1].indicator == "youtube.com"
25 |     
26 |     assert int(x[0].confidence) == 95
27 |     assert int(x[9].confidence) == 95
28 |     assert int(x[10].confidence) == 75
29 |     assert int(x[99].confidence) == 75
30 |     assert int(x[100].confidence) == 50
31 |     assert int(x[999].confidence) == 50
32 |     assert int(x[1000].confidence) == 25
33 |     assert int(x[9999].confidence) == 25
34 |     assert int(x[10000].confidence) == 0
35 | 
36 |     assert len(x) == 10100
37 |     
38 |     tags = set()
39 |     for xx in x:
40 |         assert xx.indicator
41 |         assert xx.description
42 |         assert xx.tags
43 |         assert xx.application
44 |         assert xx.protocol
45 |         assert xx.altid
46 |         assert xx.provider
47 |         assert xx.tlp
48 |         assert xx.altid_tlp
49 |         assert xx.confidence >= 0
50 |         
51 |         tags.add(*xx.tags)
52 |         
53 |     assert 'whitelist' in tags
54 | 


--------------------------------------------------------------------------------
/test/malwaredomains/malwaredomains.yml:
--------------------------------------------------------------------------------
 1 | defaults:
 2 |   confidence: 7
 3 |   tlp: green
 4 |   altid_tlp: white
 5 |   provider: malwaredomains.com
 6 | 
 7 | feeds:
 8 |   malware_domains:
 9 |     remote: http://mirror3.malwaredomains.com/files/domains.zip
10 |     pattern: ^\t\S+?\t(\S+)\t(?!phishing|botnet)(\S+)\t(\S+)\t(\S+)
11 |     values:
12 |       - indicator
13 |       - description
14 |       - altid
15 |       - lasttime
16 |     defaults:
17 |       tags:
18 |         - exploit
19 |         - malware
20 | 
21 |   botnet_domains:
22 |     remote: http://mirror3.malwaredomains.com/files/domains.zip
23 |     pattern: ^\t[\S+]?\t(\S+)\tbotnet\t(\S+)\t(\S+)
24 |     values:
25 |       - indicator
26 |       - altid
27 |       - lasttime
28 |     defaults:
29 |       tags:
30 |         - botnet
31 | 
32 |   registrars:
33 |     remote: http://mirror3.malwaredomains.com/files/bulk_registrars.zip
34 |     pattern: '([a-zA-Z\-]+\.[a-z]{2,8})'
35 |     values:
36 |       - indicator
37 |     defaults:
38 |       confidence: 9
39 |       application:
40 |         - dns
41 |       tags:
42 |         - service
43 |         - registrar
44 |         - bulk
45 |       description: bulk domain registration services
46 | 
47 |   url_shorteners:
48 |     remote: 'http://mirror3.malwaredomains.com/files/url_shorteners.zip'
49 |     pattern: '^(\S+)\t#(.+) (http://\S+)$'
50 |     values:
51 |       - indicator
52 |       - altid
53 |     defaults:
54 |       description: url shortening service
55 |       tags:
56 |         - service
57 |         - bulk
58 |       application:
59 |         - http
60 |         - https
61 |       confidence: 9
62 | 


--------------------------------------------------------------------------------
/csirtg_smrt/client/zcsirtg.py:
--------------------------------------------------------------------------------
 1 | from csirtgsdk.client.http import HTTP as CSIRTGClient
 2 | from csirtgsdk.indicator import Indicator
 3 | import csirtg_indicator
 4 | from csirtg_smrt.client.plugin import Client
 5 | from pprint import pprint
 6 | import os
 7 | 
 8 | TOKEN = os.getenv('CSIRTG_TOKEN')
 9 | USER = os.getenv('CSIRTG_USER')
10 | FEED = os.getenv('CSIRTG_FEED')
11 | 
12 | 
13 | class _Csirtg(Client):
14 | 
15 |     def __init__(self, remote='https://csirtg.io/api',
16 |                  token=TOKEN, username=None, feed=None, **kwargs):
17 | 
18 |         if not username:
19 |             username = USER
20 | 
21 |         if not feed:
22 |             feed = FEED
23 | 
24 |         if not token:
25 |             token = TOKEN
26 | 
27 |         super(_Csirtg, self).__init__(remote, token=token)
28 | 
29 |         self.user = username
30 |         self.feed = feed
31 | 
32 |     def start(self):
33 |         return True
34 | 
35 |     def stop(self):
36 |         return True
37 | 
38 |     def indicators_create(self, data):
39 | 
40 |         if not isinstance(data, list):
41 |             data = [data]
42 | 
43 |         indicators = []
44 |         for x in data:
45 |             d = {}
46 | 
47 |             if isinstance(x, csirtg_indicator.Indicator):
48 |                 d = x.__dict__()
49 |             else:
50 |                 d = x
51 |             
52 |             d['feed'] = self.feed
53 |             d['user'] = self.user
54 | 
55 |             i = Indicator(d)
56 | 
57 |             rv = i.submit()
58 |             indicators.append(rv)
59 | 
60 |         assert len(indicators) > 0
61 |         return indicators
62 | 
63 | 
64 | Plugin = _Csirtg
65 | 


--------------------------------------------------------------------------------
/packaging/pyinstaller/csirtg-smrt.spec:
--------------------------------------------------------------------------------
 1 | # -*- mode: python -*-
 2 | from PyInstaller.utils.hooks import collect_submodules
 3 | from glob import glob
 4 | 
 5 | name = 'csirtg-smrt'
 6 | 
 7 | block_cipher = None
 8 | 
 9 | submodules = [
10 |     'csirtg_smrt.client',
11 |     'csirtg_smrt.parser',
12 |     'csirtg_smrt.utils'
13 | ]
14 | 
15 | hidden_imports = []
16 | for s in submodules:
17 |     hidden_imports.extend(collect_submodules(s))
18 | 
19 | data = [
20 |     ('../_version', 'csirtg_smrt'),
21 | ]
22 | 
23 | for f in glob('../csirtg_smrt/client/*.py'):
24 |     data.append((f, 'csirtg_smrt/client'))
25 | 
26 | for f in glob('../csirtg_smrt/parser/*.py'):
27 |     data.append((f, 'csirtg_smrt/parser'))
28 | 
29 | a = Analysis(['csirtg_smrt/smrt.py'],
30 |              binaries=None,
31 |              datas=data,
32 |              hiddenimports=hidden_imports,
33 |              hookspath=None,
34 |              runtime_hooks=None,
35 |              excludes=None,
36 |              win_no_prefer_redirects=None,
37 |              win_private_assemblies=None,
38 |              cipher=block_cipher)
39 | 
40 | pyz = PYZ(a.pure, a.zipped_data,
41 |              cipher=block_cipher)
42 | 
43 | coll = COLLECT(pyz,
44 |                a.scripts,
45 |                a.binaries,
46 |                a.zipfiles,
47 |                a.datas,
48 |                name='test',
49 |                debug=False,
50 |                strip=None,
51 |                upx=True,
52 |                console=True)
53 | 
54 | exe = EXE(pyz,
55 |           a.scripts,
56 |           a.binaries,
57 |           a.zipfiles,
58 |           a.datas,
59 |           name=name,
60 |           debug=False,
61 |           strip=None,
62 |           upx=True,
63 |           console=True)


--------------------------------------------------------------------------------
/test/alienvault/test_alienvault.py:
--------------------------------------------------------------------------------
 1 | import py.test
 2 | 
 3 | from csirtg_smrt import Smrt
 4 | from csirtg_smrt.rule import Rule
 5 | from csirtg_smrt.constants import REMOTE_ADDR
 6 | from pprint import pprint
 7 | 
 8 | rule = 'test/alienvault/alienvault.yml'
 9 | rule = Rule(path=rule)
10 | rule.fetcher = 'file'
11 | 
12 | s = Smrt(REMOTE_ADDR, 1234, client='dummy')
13 | 
14 | 
15 | def test_alienvault_scanners():
16 |     rule.feeds['scanners']['remote'] = 'test/alienvault/feed.txt'
17 |     x = s.process(rule, feed="scanners")
18 |     x = list(x)
19 |     assert len(x) > 0
20 | 
21 |     ips = set()
22 |     tags = set()
23 | 
24 |     for xx in x:
25 |         ips.add(xx.indicator)
26 |         tags.add(xx.tags[0])
27 | 
28 |     assert '114.143.191.19' in ips
29 |     assert '180.97.215.63' in ips
30 | 
31 |     assert 'scanner' in tags
32 | 
33 | 
34 | def test_alienvault_spammers():
35 |     rule.feeds['spammers']['remote'] = 'test/alienvault/feed.txt'
36 |     x = s.process(rule, feed="spammers")
37 |     x = list(x)
38 |     assert len(x) > 0
39 | 
40 |     ips = set()
41 |     tags = set()
42 | 
43 |     for xx in x:
44 |         ips.add(xx.indicator)
45 |         tags.add(xx.tags[0])
46 | 
47 |     assert '23.92.83.73' in ips
48 |     assert '93.127.228.36' in ips
49 | 
50 |     assert 'spam' in tags
51 | 
52 | 
53 | def test_alienvault_malware():
54 |     rule.feeds['malware']['remote'] = 'test/alienvault/feed.txt'
55 |     x = s.process(rule, feed="malware")
56 |     x = list(x)
57 |     assert len(x) > 0
58 | 
59 |     ips = set()
60 |     tags = set()
61 | 
62 |     for xx in x:
63 |         ips.add(xx.indicator)
64 |         tags.add(xx.tags[0])
65 | 
66 |     assert '93.158.211.210' in ips
67 | 
68 |     assert 'malware' in tags
69 | 


--------------------------------------------------------------------------------
/test/bambenek/test_bambenek.py:
--------------------------------------------------------------------------------
 1 | import py.test
 2 | 
 3 | from csirtg_smrt import Smrt
 4 | from csirtg_smrt.rule import Rule
 5 | from csirtg_smrt.constants import REMOTE_ADDR
 6 | from pprint import pprint
 7 | 
 8 | rule = 'test/bambenek/bambenek.yml'
 9 | rule = Rule(path=rule)
10 | rule.fetcher = 'file'
11 | 
12 | s = Smrt(REMOTE_ADDR, 1234, client='dummy')
13 | 
14 | 
15 | def test_bambenek_fqdn():
16 |     rule.feeds['c2-dommasterlist']['remote'] = 'test/bambenek/fqdn_feed.txt'
17 |     x = s.process(rule, feed="c2-dommasterlist")
18 |     x = list(x)
19 |     assert len(x) > 0
20 | 
21 |     indicators = set()
22 |     tags = set()
23 | 
24 |     for xx in x:
25 |         indicators.add(xx.indicator)
26 |         tags.add(xx.tags[0])
27 |         assert xx.lasttime
28 |         assert xx.description
29 |         assert xx.altid
30 |         assert xx.provider
31 |         assert xx.confidence
32 |         assert xx.tags
33 | 
34 |     assert 'drohppbkxj.com' in indicators
35 |     assert 'inbxvqkegoyapgv.com' in indicators
36 | 
37 |     assert 'botnet' in tags
38 | 
39 | 
40 | def test_bambenek_ipv4():
41 |     rule.feeds['c2-ipmasterlist']['remote'] = 'test/bambenek/ipv4_feed.txt'
42 |     x = s.process(rule, feed="c2-ipmasterlist")
43 |     x = list(x)
44 |     assert len(x) > 0
45 | 
46 |     indicators = set()
47 |     tags = set()
48 | 
49 |     for xx in x:
50 |         indicators.add(xx.indicator)
51 |         tags.add(xx.tags[0])
52 |         assert xx.lasttime
53 |         assert xx.description
54 |         assert xx.altid
55 |         assert xx.provider
56 |         assert xx.confidence
57 |         assert xx.tags
58 | 
59 |     assert '141.8.225.68' in indicators
60 |     assert '185.28.193.192' in indicators
61 | 
62 |     assert 'botnet' in tags
63 | 


--------------------------------------------------------------------------------
/csirtg_smrt/constants.py:
--------------------------------------------------------------------------------
 1 | import os.path
 2 | import tempfile
 3 | import sys
 4 | 
 5 | from ._version import get_versions
 6 | VERSION = get_versions()['version']
 7 | del get_versions
 8 | 
 9 | TEMP_DIR = os.path.join(tempfile.gettempdir())
10 | RUNTIME_PATH = os.environ.get('CSIRTG_SMRT_RUNTIME_PATH', TEMP_DIR)
11 | RUNTIME_PATH = os.path.join(RUNTIME_PATH)
12 | 
13 | SMRT_CACHE = os.path.join(RUNTIME_PATH, 'smrt')
14 | SMRT_CACHE = os.environ.get('CSIRTG_SMRT_CACHE_PATH', SMRT_CACHE)
15 | CACHE_PATH = SMRT_CACHE
16 | 
17 | SMRT_RULES_PATH = os.path.join(RUNTIME_PATH, 'smrt', 'rules')
18 | SMRT_RULES_PATH = os.environ.get('CSIRTG_SMRT_RULES_PATH', SMRT_RULES_PATH)
19 | 
20 | # Logging stuff
21 | LOG_FORMAT = '%(asctime)s - %(levelname)s - %(name)s[%(lineno)s] - %(message)s'
22 | 
23 | LOGLEVEL = 'ERROR'
24 | LOGLEVEL = os.environ.get('CSIRTG_LOGLEVEL', LOGLEVEL).upper()
25 | 
26 | REMOTE_ADDR = 'http://localhost:5000'
27 | REMOTE_ADDR = os.environ.get('CSIRTG_REMOTE_ADDR', REMOTE_ADDR)
28 | 
29 | CONFIG_PATH = os.environ.get('CSIRTG_SMRT_CONFIG_PATH', os.path.join(os.getcwd(), 'csirtg-smrt.yml'))
30 | if not os.path.isfile(CONFIG_PATH):
31 |     CONFIG_PATH = os.path.join(os.path.expanduser('~'), 'csirtg-smrt.yml')
32 | 
33 | PYVERSION = 2
34 | if sys.version_info > (3,):
35 |     PYVERSION = 3
36 | 
37 | 
38 | FIREBALL_SIZE = os.getenv('CSIRTG_SMRT_FIREBALL_SIZE', 100)
39 | if FIREBALL_SIZE == '':
40 |     FIREBALL_SIZE = 100
41 | 
42 | ROUTER_ADDR = "ipc://{}".format(os.path.join(RUNTIME_PATH, 'router.ipc'))
43 | ROUTER_ADDR = os.environ.get('CIF_ROUTER_ADDR', ROUTER_ADDR)
44 | 
45 | 
46 | PORT_APPLICATION_MAP = {
47 |     '21': 'ftp',
48 |     '22': 'ssh',
49 |     '23': 'telnet',
50 |     '80': 'http',
51 |     '443': 'https',
52 |     '3306': 'mysql',
53 |     '5900': 'vnc',
54 |     '3389': 'rdp'
55 | }
56 | 


--------------------------------------------------------------------------------
/csirtg_smrt/client/zsyslog.py:
--------------------------------------------------------------------------------
 1 | from csirtg_indicator import Indicator
 2 | from csirtg_smrt.client.plugin import Client
 3 | import logging
 4 | import logging.handlers
 5 | 
 6 | 
 7 | class _Syslog(Client):
 8 | 
 9 |     __name__ = 'syslog'
10 | 
11 |     def __init__(self, remote='localhost:514', *args, **kwargs):
12 |         super(_Syslog, self).__init__(remote)
13 | 
14 |         self.port = 514
15 |         if ':' in self.remote:
16 |             self.remote, self.port = self.remote.split(':')
17 | 
18 |         self.port = int(self.port)
19 | 
20 |         self.logger = logging.getLogger('csirtg-smrt')
21 |         self.logger.setLevel(logging.INFO)
22 |         handler = logging.handlers.SysLogHandler(address=(self.remote, self.port))
23 |         self.logger.addHandler(handler)
24 | 
25 |     def indicators_create(self, data, **kwargs):
26 |         if isinstance(data, dict):
27 |             data = Indicator(**data)
28 | 
29 |         if isinstance(data, Indicator):
30 |             data = [data]
31 | 
32 |         for i in data:
33 |             firsttime = i.firsttime
34 |             if firsttime:
35 |                 firsttime = firsttime.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
36 | 
37 |             lasttime = i.lasttime
38 |             if lasttime:
39 |                 lasttime = lasttime.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
40 | 
41 |             reporttime = i.reporttime
42 |             if reporttime:
43 |                 reporttime = reporttime.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
44 | 
45 |             line = "provider={} indicator={} tlp={} firsttime={} lasttime={} reporttime={}".format(
46 |                 i.provider,
47 |                 i.indicator,
48 |                 i.tlp,
49 |                 firsttime,
50 |                 lasttime,
51 |                 reporttime,
52 |             )
53 |             self.logger.info(line)
54 | 
55 | Plugin = _Syslog
56 | 


--------------------------------------------------------------------------------
/csirtg_smrt/client/zzmq.py:
--------------------------------------------------------------------------------
 1 | import logging
 2 | from time import sleep
 3 | logger = logging.getLogger(__name__)
 4 | 
 5 | import logging
 6 | import os.path
 7 | 
 8 | from csirtg_indicator import Indicator
 9 | import zmq
10 | from pprint import pprint
11 | 
12 | TYPE = os.environ.get('CSIRTG_SMRT_ZMQ_TYPE', 'PUB')
13 | TOPIC = os.environ.get('CSIRTG_SMRT_ZMQ_TOPIC', 'scanners')
14 | ENDPOINT = os.environ.get('CSIRTG_SMRT_ZMQ_ENDPOINT', 'ipc:///tmp/csirtg_smrt.ipc')
15 | 
16 | TYPE_MAPPING = {
17 |     'PUB': zmq.PUB,
18 |     'PUSH': zmq.PUSH,
19 |     'PUSH_ZYRE_GATEWAY': zmq.DEALER,
20 | }
21 | 
22 | logger = logging.getLogger()
23 | 
24 | 
25 | class _Zmq(object):
26 | 
27 |     __name__ = 'zmq'
28 | 
29 |     def __init__(self, socket_type=TYPE, topic=TOPIC, endpoint=ENDPOINT, *args, **kwargs):
30 |         self.socket_type = socket_type
31 |         self.topic = topic
32 |         self.endpoint = endpoint
33 |         if not endpoint:
34 |             raise ValueError("Invalid endpoint: '{}'".format(endpoint))
35 | 
36 |         context = zmq.Context()
37 |         self.socket = context.socket(TYPE_MAPPING[socket_type])
38 |         self.start()
39 | 
40 |     def start(self):
41 |         self.socket.connect(self.endpoint)
42 | 
43 |     def stop(self):
44 |         self.socket.close()
45 | 
46 |     def indicators_create(self, data):
47 |         if isinstance(data, dict):
48 |             data = Indicator(**data)
49 | 
50 |         if isinstance(data, Indicator):
51 |             data = [data]
52 | 
53 |         if self.socket_type == "PUB":
54 |             for i in data:
55 |                 self.socket.send_multipart([self.topic, str(i)])
56 |             return
57 | 
58 |         if self.socket_type == 'PUSH_ZYRE_GATEWAY':
59 |             for i in data:
60 |                 self.socket.send_multipart(['PUB', self.topic, str(i)])
61 |             return
62 | 
63 |         for i in data:
64 |             self.socket.send(str(i))
65 | 
66 | Plugin = _Zmq
67 | 


--------------------------------------------------------------------------------
/test/smrt/test_smrt.py:
--------------------------------------------------------------------------------
 1 | import py.test
 2 | 
 3 | from csirtg_smrt import Smrt
 4 | from csirtg_smrt.rule import Rule
 5 | from csirtg_smrt.constants import REMOTE_ADDR
 6 | from csirtg_smrt.exceptions import RuleUnsupported
 7 | from pprint import pprint
 8 | 
 9 | 
10 | def test_smrt_base():
11 |     with Smrt(REMOTE_ADDR, 1234, client='dummy') as s:
12 |         assert type(s) is Smrt
13 | 
14 |         for r, f in s.load_feeds('test/smrt/rules'):
15 |             x = list(s.process(r, f))
16 |             assert len(x) > 0
17 | 
18 |         x = []
19 |         for r, f in s.load_feeds('test/smrt/rules/csirtg.yml'):
20 |             x = list(s.process(r, f))
21 |             assert len(x) > 0
22 | 
23 |         x = []
24 |         for r, f in s.load_feeds('test/smrt/rules/csirtg.yml', feed='port-scanners'):
25 |             x = list(s.process(r, f))
26 |             assert len(x) > 0
27 | 
28 |         x = []
29 |         try:
30 |             r, f = next(s.load_feeds('test/smrt/rules/csirtg.yml', feed='port-scanners2'))
31 |         except KeyError:
32 |             pass
33 | 
34 |         assert len(x) == 0
35 | 
36 | 
37 | def test_smrt_rule_paths():
38 |     with Smrt(REMOTE_ADDR, 1234, client='dummy') as s:
39 | 
40 |         r, f = next(s.load_feeds('test/smrt/rules/csirtg.yml', feed='port-scanners'))
41 |         assert f is not None
42 |         assert r is not None
43 | 
44 |         r, f = (None, None)
45 | 
46 |         try:
47 |             r, f = next(s.load_feeds('test/smrt/rules/csirtg.yml~', feed='port-scanners'))
48 |         except StopIteration:
49 |             pass
50 | 
51 |         assert f is None
52 | 
53 | 
54 | def test_smrt_line_filter():
55 |     with Smrt(None, None, client='dummy') as s:
56 | 
57 |         r, f = next(s.load_feeds('test/smrt/rules/csirtg.yml', feed='port-scanners'))
58 |         r.line_filter = '109.111.134.64'
59 |         n = list(s.process(r, f))
60 |         assert len(n) == 1
61 |         assert n[0].indicator == '109.111.134.64'


--------------------------------------------------------------------------------
/csirtg_smrt/parser/zrss.py:
--------------------------------------------------------------------------------
 1 | import copy
 2 | import re
 3 | 
 4 | import feedparser
 5 | from pprint import pprint
 6 | from csirtg_smrt.parser import Parser
 7 | 
 8 | 
 9 | class Rss(Parser):
10 | 
11 |     def __init__(self, *args, **kwargs):
12 |         super(Rss, self).__init__(*args, **kwargs)
13 | 
14 |     def process(self):
15 |         defaults = self._defaults()
16 | 
17 |         patterns = copy.deepcopy(self.rule.feeds[self.feed]['pattern'])
18 |         for p in patterns:
19 |             patterns[p]['pattern'] = re.compile(patterns[p]['pattern'])
20 | 
21 |         feed = []
22 |         for l in self.fetcher.process():
23 |             feed.append(l)
24 | 
25 |         feed = "\n".join(feed)
26 |         try:
27 |             feed = feedparser.parse(feed)
28 |         except Exception as e:
29 |             self.logger.error('Error parsing feed: {}'.format(e))
30 |             self.logger.error(defaults['remote'])
31 |             raise e
32 | 
33 |         for e in feed.entries:
34 |             i = copy.deepcopy(defaults)
35 | 
36 |             for k in e:
37 |                 if k == 'summary' and patterns.get('description'):
38 |                     try:
39 |                         m = patterns['description']['pattern'].search(e[k]).groups()
40 |                     except AttributeError:
41 |                         continue
42 | 
43 |                     for idx, c in enumerate(patterns['description']['values']):
44 |                         i[c] = m[idx]
45 | 
46 |                 elif patterns.get(k):
47 |                     try:
48 |                         m = patterns[k]['pattern'].search(e[k]).groups()
49 |                     except AttributeError:
50 |                         continue
51 | 
52 |                     for idx, c in enumerate(patterns[k]['values']):
53 |                         i[c] = m[idx]
54 | 
55 |             if not i.get('indicator'):
56 |                 self.logger.error('missing indicator: {}'.format(e[k]))
57 |                 continue
58 | 
59 |             yield i
60 | 
61 | Plugin = Rss
62 | 


--------------------------------------------------------------------------------
/csirtg_smrt/parser/zcifv3.py:
--------------------------------------------------------------------------------
 1 | import copy
 2 | import json
 3 | from csirtg_smrt.parser import Parser
 4 | from cifsdk.constants import PYVERSION
 5 | import logging
 6 | import os
 7 | from pprint import pprint
 8 | 
 9 | if PYVERSION == 3:
10 |     basestring = (str, bytes)
11 | 
12 | TRACE = os.environ.get('CSIRTG_SMRT_PARSER_TRACE')
13 | 
14 | logger = logging.getLogger(__name__)
15 | logger.setLevel(logging.DEBUG)
16 | 
17 | if not TRACE:
18 |     logger.setLevel(logging.ERROR)
19 | 
20 | 
21 | class cifv3(Parser):
22 | 
23 |     def __init__(self, *args, **kwargs):
24 |         super(cifv3, self).__init__(*args, **kwargs)
25 | 
26 |     def process(self):
27 |         defaults = self._defaults()
28 |         values = self.rule.feeds[self.feed].get('values')
29 |         envelope = self.rule.feeds[self.feed].get('envelope')
30 | 
31 |         for l in self.fetcher.process():
32 |             try:
33 |                 l = json.loads(l)
34 |             except ValueError as e:
35 |                 logger.error('json parsing error: {}'.format(e))
36 |                 continue
37 | 
38 |             if l.get('data') and isinstance(l['data'], basestring) and l['data'].startswith('{"hits":{"hits":[{"_source":'):
39 |                 l['data'] = json.loads(l['data'])
40 |                 l['data'] = [r['_source'] for r in l['data']['hits']['hits']]
41 | 
42 |             if envelope:
43 |                 l = l[envelope]
44 | 
45 |             if l.get('data') != '{}':
46 |                 for e in l['data']:
47 |                     if isinstance(e['group'], list):
48 |                         e['group'] = e['group'][0]
49 | 
50 |                     i = copy.deepcopy(defaults)
51 | 
52 |                     if values:
53 |                         for value in values:
54 |                             i[value] = e.get(value)
55 |                     else:
56 |                         for value in e.keys():
57 |                             i[value] = e.get(value)
58 |                     yield i
59 |             else:
60 |                 return
61 | 
62 | Plugin = cifv3
63 | 


--------------------------------------------------------------------------------
/test/sansedu/block.txt:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | #
 4 | #   DShield.org Recommended Block List
 5 | #    (c) 2007 DShield.org
 6 | #   some rights reserved. Details http://creativecommons.org/licenses/by-nc-sa/2.5/
 7 | #   use on your own risk. No warranties implied.
 8 | #   primary URL: http://feeds.dshield.org/block.txt
 9 | #     PGP Sign.: http://feeds.dshield.org/block.txt.asc
10 | #
11 | #   comments: info@dshield.org
12 | #    updated: Tue Sep 29 11:18:10 2015 UTC
13 | #
14 | #    This list summarizes the top 20 attacking class C (/24) subnets
15 | #   over the last three days. The number of 'attacks' indicates the
16 | #   number of targets reporting scans from this subnet.
17 | #
18 | #
19 | #    Columns (tab delimited):
20 | #
21 | #    (1) start of netblock
22 | #    (2) end of netblock
23 | #    (3) subnet (/24 for class C)
24 | #    (4) number of targets scanned
25 | #    (5) name of Network
26 | #    (6) Country
27 | #    (7) contact email address
28 | #
29 | #    If a range is assigned to multiple users, the first one is listed.
30 | #
31 | Start	End	Netblock	Attacks	Name	Country	email
32 | 207.150.177.0	207.150.177.255	24	13840
33 | 193.104.41.0	193.104.41.255	24	3223
34 | 141.212.122.0	141.212.122.255	24	923	University of Michigan (NET-UMNET3)	US	paul@engin.umich.edu
35 | 115.231.222.0	115.231.222.255	24	865	CHINANET-BACKBONE No.31,Jin-rong Street	CN	anti-spam@mail.lsptt.zj.cn
36 | 43.229.53.0	43.229.53.255	24	786	Japan Inet	JP	admin@v6nic.net
37 | 89.248.172.0	89.248.172.255	24	721
38 | 60.169.78.0	60.169.78.255	24	569	CHINANET-BACKBONE No.31,Jin-rong Street	CN	wang@mail.hf.ah.cninfo.net
39 | 222.186.21.0	222.186.21.255	24	365
40 | 222.186.56.0	222.186.56.255	24	357
41 | 222.186.34.0	222.186.34.255	24	348
42 | 199.203.59.0	199.203.59.255	24	346	Elron Technologies (NETBLK-ELRON-C-BLK1)	US	abuse@netvision.net.il
43 | 104.219.234.0	104.219.234.255	24	341
44 | 96.44.187.0	96.44.187.255	24	320	SPNW - Secured Private Network	US	noc@quadranet.com
45 | 198.55.103.0	198.55.103.255	24	318
46 | 218.65.30.0	218.65.30.255	24	311	CHINANET jiangxi province network	CN	abuse@public1.nc.jx.cn


--------------------------------------------------------------------------------
/test/zemail/single_plain_01.eml:
--------------------------------------------------------------------------------
 1 | Delivered-To: phish@csirtgadgets.org
 2 | Received: by 10.112.40.50 with SMTP id u18csp916705lbk;
 3 |         Sun, 19 Apr 2015 05:50:04 -0700 (PDT)
 4 | X-Received: by 10.42.151.4 with SMTP id c4mr13784232icw.77.1429447803846;
 5 |         Sun, 19 Apr 2015 05:50:03 -0700 (PDT)
 6 | Return-Path: <advertisebz09ua@gmail.com>
 7 | Received: from gmail.com ([61.72.137.254])
 8 |         by mx.google.com with SMTP id s93si13575887ioe.52.2015.04.19.05.50.00
 9 |         for <phish@csirtgadgets.org>;
10 |         Sun, 19 Apr 2015 05:50:03 -0700 (PDT)
11 | Received-SPF: softfail (google.com: domain of transitioning advertisebz09ua@gmail.com does not designate 61.72.137.254 as permitted sender) client-ip=61.72.137.254;
12 | Authentication-Results: mx.google.com;
13 |        spf=softfail (google.com: domain of transitioning advertisebz09ua@gmail.com does not designate 61.72.137.254 as permitted sender) smtp.mail=advertisebz09ua@gmail.com;
14 |        dmarc=fail (p=NONE dis=NONE) header.from=gmail.com
15 | Message-ID: <BE5B7E8D.883B43A2@gmail.com>
16 | Date: Sun, 19 Apr 2015 05:24:33 -0700
17 | Reply-To: "HENRY" <advertisebz09ua@gmail.com>
18 | From: "HENRY" <advertisebz09ua@gmail.com>
19 | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.19) Gecko/20081209 Thunderbird/2.0.0.19
20 | MIME-Version: 1.0
21 | To: <phish@csirtgadgets.org>
22 | Subject: Boost Social Presence with FB posts likes
23 | Content-Type: text/plain;
24 |     charset="us-ascii"
25 | Content-Transfer-Encoding: 7bit
26 | 
27 | Hello,
28 | Boost your Facebook posts with a massive promotion 
29 | and gain over 10.000 likes in total towards all your posts. 
30 | 
31 | We can promote up to 20 posts links at a time. 
32 | 
33 | Increase exposure with guaranteed promotion service.
34 | 
35 | Use this coupon and get another 10% discount on your purchase
36 | 
37 | ==================
38 | 10% Coupon = EB2CA
39 | ==================
40 | 
41 | Order today, cheap and guaranteed service:
42 | http://www.socialservices.cn/detail.php?id=9
43 | 
44 | Regards
45 | HENRY
46 |  
47 | 
48 | 
49 | 
50 | 
51 | 
52 | 
53 | Unsubscribe option is available on the footer of our website
54 | 
55 | 
56 | 
57 | 


--------------------------------------------------------------------------------
/examples/csirtg.yml:
--------------------------------------------------------------------------------
 1 | # cif-smrt configuration file to pull feeds from csirtg.io
 2 | # For more information see https://csirtg.io
 3 | #
 4 | # If no token is given, the feed by default is a "limited feed"
 5 | # provided by https://csirtg.io. The limits of the "limited feed"
 6 | # are:
 7 | #
 8 | # 1. Only results from the last hour are returned
 9 | # 2. A maximum of 25 results are returned per feed
10 | #
11 | # To remove the limits, sign up for an API key at https://csirtg.io
12 | 
13 | parser: csv
14 | token: 'CSIRTG_TOKEN'  # ENV['CSIRTG_TOKEN'] <get one at https://csirtg.io >
15 | limit: 250
16 | defaults:
17 |   provider: csirtg.io
18 |   altid_tlp: white
19 |   altid: https://csirtg.io/search?q={indicator}
20 |   tlp: white
21 |   confidence: 9
22 |   values:
23 |     - null
24 |     - indicator
25 |     - itype
26 |     - portlist
27 |     - null
28 |     - null
29 |     - protocol
30 |     - application
31 |     - null
32 |     - null
33 |     - lasttime
34 |     - description
35 |     - null
36 | 
37 | feeds:
38 |   # A feed of IP addresses block by a firewall (e.g. port scanners)
39 |   port-scanners:
40 |     remote: https://csirtg.io/api/users/csirtgadgets/feeds/port-scanners.csv
41 |     defaults:
42 |       tags:
43 |         - scanner
44 | 
45 |   # A feed of URLs seen in the message body of UCE email. Do not alert or block
46 |   # on these urls without additional post-processing.
47 |   uce-urls:
48 |     remote: https://csirtg.io/api/users/csirtgadgets/feeds/uce-urls.csv
49 |     defaults:
50 |       tags:
51 |         - uce
52 |         - uce-url
53 | 
54 |   # A feed of email addresses seen in UCE email. Do not alert or block on these
55 |   # email addresses without additional post-processing.
56 |   uce-email-address:
57 |     remote: https://csirtg.io/api/users/csirtgadgets/feeds/uce-email-addresses.csv
58 |     defaults:
59 |       tags:
60 |         - uce
61 |         - uce-email-address
62 | 
63 |   # A feed of IP addresses seen delivering UCE email. This could be a machine that
64 |   # is compromised or a user account has been compromised and used to send UCE.
65 |   uce-ip:
66 |     remote: https://csirtg.io/api/users/csirtgadgets/feeds/uce-ip.csv
67 |     defaults:
68 |       tags:
69 |         - uce
70 |         - uce-ip
71 | 


--------------------------------------------------------------------------------
/test/csirtg/csirtg.yml:
--------------------------------------------------------------------------------
 1 | # cif-smrt configuration file to pull feeds from csirtg.io
 2 | # For more information see https://csirtg.io
 3 | #
 4 | # If no token is given, the feed by default is a "limited feed"
 5 | # provided by https://csirtg.io. The limits of the "limited feed"
 6 | # are:
 7 | #
 8 | # 1. Only results from the last hour are returned
 9 | # 2. A maximum of 25 results are returned per feed
10 | #
11 | # To remove the limits, sign up for an API key at https://csirtg.io
12 | 
13 | parser: csv
14 | #token: < token here -> get one at https://csirtg.io >
15 | #token_header: 'Authorization: Token token='
16 | #username: test
17 | #password: test
18 | 
19 | defaults:
20 |   provider: csirtg.io
21 |   altid_tlp: white
22 |   altid: https://csirtg.io/search?q=<indicator>
23 |   tlp: white
24 |   confidence: 9
25 |   values:
26 |     - null
27 |     - indicator
28 |     - itype
29 |     - portlist
30 |     - null
31 |     - null
32 |     - protocol
33 |     - application
34 |     - null
35 |     - null
36 |     - lasttime
37 |     - description
38 |     - null
39 | 
40 | feeds:
41 |   # A feed of IP addresses block by a firewall (e.g. port scanners)
42 |   port-scanners:
43 |     remote: https://csirtg.io/api/users/csirtgadgets/feeds/port-scanners.csv
44 |     defaults:
45 |       tags:
46 |         - scanner
47 |   # A feed of URLs seen in the message body of UCE email. Do not alert or block
48 |   # on these urls without additional post-processing.
49 |   uce-urls:
50 |     remote: https://csirtg.io/api/users/csirtgadgets/feeds/uce-urls.csv
51 |     defaults:
52 |       tags:
53 |         - uce
54 |         - uce-url
55 |   # A feed of email addresses seen in UCE email. Do not alert or block on these
56 |   # email addresses without additional post-processing.
57 |   uce-email-address:
58 |     remote: https://csirtg.io/api/users/csirtgadgets/feeds/uce-email-addresses.csv
59 |     defaults:
60 |       tags:
61 |         - uce
62 |         - uce-email-address
63 |   # A feed of IP addresses seen delivering UCE email. This could be a machine that
64 |   # is compromised or a user account has been compromised and used to send UCE.
65 |   uce-ip:
66 |     remote: https://csirtg.io/api/users/csirtgadgets/feeds/uce-ip.csv
67 |     defaults:
68 |       tags:
69 |         - uce
70 |         - uce-ip


--------------------------------------------------------------------------------
/csirtg_smrt/parser/pattern.py:
--------------------------------------------------------------------------------
 1 | import copy
 2 | import re
 3 | 
 4 | from csirtg_smrt.parser import Parser
 5 | 
 6 | 
 7 | class Pattern(Parser):
 8 | 
 9 |     def __init__(self, *args, **kwargs):
10 |         super(Pattern, self).__init__(*args, **kwargs)
11 | 
12 |         self.pattern = self.rule.defaults.get('pattern')
13 | 
14 |         if self.rule.feeds[self.feed].get('pattern'):
15 |             self.pattern = self.rule.feeds[self.feed].get('pattern')
16 | 
17 |         if self.pattern:
18 |             self.pattern = re.compile(self.pattern)
19 | 
20 |         self.split = "\n"
21 | 
22 |         if self.rule.feeds[self.feed].get('values'):
23 |             self.cols = self.rule.feeds[self.feed].get('values')
24 |         else:
25 |             self.cols = self.rule.defaults.get('values', [])
26 | 
27 |         self.defaults = self._defaults()
28 | 
29 |         if isinstance(self.cols, str):
30 |             self.cols = self.cols.split(',')
31 | 
32 |     def process(self):
33 |         for l in self.fetcher.process(split=self.split):
34 | 
35 |             if self.ignore(l):  # comment or skip
36 |                 continue
37 | 
38 |             #self.logger.debug(l)
39 | 
40 |             try:
41 |                 m = self.pattern.search(l).groups()
42 |                 if isinstance(m, str):
43 |                     m = [m]
44 |             except ValueError as e:
45 |                 continue
46 |             except AttributeError as e:
47 |                 continue
48 | 
49 |             i = copy.deepcopy(self.defaults)
50 |             for idx, col in enumerate(self.cols):
51 |                 if col:
52 |                     i[col] = m[idx]
53 | 
54 |             i.pop("values", None)
55 |             i.pop("pattern", None)
56 | 
57 |             self.logger.debug(i)
58 | 
59 |             self.eval_obs(i)
60 |             skip = True
61 |             if self.filters and self.filters.keys():
62 |                 for f in self.filters:
63 |                     if i.get(f) and i[f] == self.filters[f]:
64 |                         skip = False
65 |             else:
66 |                 skip = False
67 | 
68 |             if skip:
69 |                 self.logger.debug('skipping %s' % i['indicator'])
70 |                 continue
71 | 
72 |             yield i
73 | 
74 | 
75 | Plugin = Pattern
76 | 


--------------------------------------------------------------------------------
/csirtg_smrt/utils/znltk.py:
--------------------------------------------------------------------------------
 1 | from collections import defaultdict
 2 | from pprint import pprint
 3 | 
 4 | import arrow
 5 | from nltk.tokenize import wordpunct_tokenize
 6 | 
 7 | from csirtg_indicator.utils import resolve_itype
 8 | from csirtg_indicator import Indicator
 9 | from csirtg_indicator.exceptions import InvalidIndicator
10 | 
11 | KNOWN_SEPERATORS = set([',', '|', "\t", ';'])
12 | IGNORE_SEPARATORS = set(['.', '/'])
13 | 
14 | 
15 | def top_tokens(text):
16 |     freq_dict = defaultdict(int)
17 |     tokens = wordpunct_tokenize(text)
18 | 
19 |     for token in tokens:
20 |         freq_dict[token] += 1
21 | 
22 |     return sorted(freq_dict, key=freq_dict.get, reverse=True)
23 | 
24 | 
25 | def find_seperator(text, ignore_known=True):
26 |     if ignore_known:
27 |         for t in top_tokens(text):
28 |             if t not in IGNORE_SEPARATORS:
29 |                 return t
30 | 
31 | 
32 | def text_to_list(text, known_only=True):
33 |     separator = find_seperator(text)
34 |     t_tokens = top_tokens(text)
35 |     top = set()
36 |     for t in range(0, 9):
37 |         top.add(t_tokens[t])
38 | 
39 |     if known_only:
40 |         if separator not in KNOWN_SEPERATORS:
41 | 
42 |             pprint(top)
43 |             raise SystemError('separator not in known list: {}'.format(separator))
44 | 
45 |     ret = []
46 | 
47 |     for l in text.split("\n"):
48 |         if l == '':
49 |             continue
50 | 
51 |         if l.startswith('#') or l.startswith(';'):
52 |             continue
53 | 
54 |         cols = l.split(separator)
55 |         cols = [x.strip() for x in cols]
56 |         indicator = Indicator()
57 |         for e in cols:
58 |             if e:
59 |                 try:
60 |                     i = resolve_itype(e)
61 |                     if i:
62 |                         indicator.indicator = e
63 |                         indicator.itype = i
64 |                 except InvalidIndicator:
65 |                     pass
66 | 
67 |                 try:
68 |                     ts = arrow.get(e)
69 |                     if ts:
70 |                         indicator.lasttime = ts.datetime
71 |                 except (arrow.parser.ParserError, UnicodeDecodeError):
72 |                     pass
73 | 
74 |                 if e in top:
75 |                     indicator.tags = [e]
76 | 
77 |         if indicator.itype and indicator.indicator:
78 |             ret.append(indicator)
79 | 
80 |     return ret
81 | 


--------------------------------------------------------------------------------
/csirtg_smrt/parser/delim.py:
--------------------------------------------------------------------------------
 1 | from csirtg_smrt.parser import Parser
 2 | import copy
 3 | import re
 4 | from pprint import pprint
 5 | import logging
 6 | 
 7 | class Delim(Parser):
 8 | 
 9 |     def __init__(self, *args, **kwargs):
10 |         super(Delim, self).__init__(*args, **kwargs)
11 | 
12 |         self.pattern = re.compile("\s+")
13 | 
14 |         if self.rule.delim_pattern:
15 |             self.pattern = re.compile(self.rule.delim_pattern)
16 | 
17 |     def process(self):
18 |         defaults = self._defaults()
19 | 
20 |         for l in self.fetcher.process():
21 |             if self.ignore(l):  # comment or skip
22 |                 continue
23 | 
24 |             if (l.startswith('"') or l.startswith("'") and self.pattern == re.compile(',')) or (l.count(',') > 2):
25 |                 import csv
26 |                 r = csv.reader([l], delimiter=',', quotechar='"', skipinitialspace=True)
27 |                 m = next(r)
28 |                # pprint(m)
29 |             else:
30 |                 l = l.replace('\"', '')
31 |                 m = self.pattern.split(l)
32 | 
33 |             # l = l.replace('\"', '')
34 |             # m = self.pattern.split(l)
35 | 
36 |             if len(self.cols):
37 |                 i = copy.deepcopy(defaults)
38 | 
39 |                 #pprint(i)
40 |                 for idx, col in enumerate(self.cols):
41 |                     if col:
42 |                         try:
43 |                             i[col] = m[idx]
44 |                         except IndexError as e:
45 |                             continue
46 | 
47 |                 if self.add_orig:
48 |                     i['additional_data'] = l
49 | 
50 |                 i.pop("values", None)
51 | 
52 |                 self.eval_obs(i)
53 | 
54 |                 skip = True
55 |                 if self.filters and self.filters.keys():
56 |                     for f in self.filters:
57 |                         if i.get(f) and i[f] == self.filters[f]:
58 |                             skip = False
59 |                 else:
60 |                     skip = False
61 | 
62 |                 if skip:
63 |                     self.logger.debug('skipping %s' % i['indicator'])
64 |                     continue
65 | 
66 |                 yield i
67 | 
68 |             if self.limit:
69 |                 self.limit -= 1
70 | 
71 |             if self.limit == 0:
72 |                 self.logger.debug('limit reached...')
73 |                 break
74 | 
75 | Plugin = Delim
76 | 


--------------------------------------------------------------------------------
/csirtg_smrt/utils/ztail.py:
--------------------------------------------------------------------------------
 1 | import os
 2 | import time
 3 | 
 4 | def open_wait(fn):
 5 |     while True:
 6 |         try:
 7 |             f = open(fn)
 8 |             return f
 9 |         except IOError:
10 |             time.sleep(1)
11 | 
12 | 
13 | def tail(fn):
14 |     """Like tail -F """
15 |     inode = stat_inode(fn)
16 |     f = open_wait(fn)
17 |     f.seek(0, 2)
18 | 
19 |     # Has the file inode changed
20 |     changed = False
21 |     while True:
22 |         l = f.readline()
23 |         if l:
24 |             yield l
25 |         elif changed:
26 |             f.close()
27 |             f = open_wait(fn)
28 |             inode = os.fstat(f.fileno()).st_ino
29 |             changed = False
30 |         elif stat_inode(fn) != inode:
31 |             #set changed to true, but then keep trying to read from the file to
32 |             #check to see if it was written to after it was rotated.
33 |             changed = True
34 |         else:
35 |             time.sleep(1)
36 | 
37 | def stat_inode(fn):
38 |     try :
39 |         return os.stat(fn).st_ino
40 |     except OSError:
41 |         return None
42 | 
43 | def multitail(filenames):
44 |     """ tail multiple files, for each new line yield (filename, line) tuples"""
45 |     files = {}
46 |     for fn in filenames:
47 |         try :
48 |             handle = open(fn)
49 |             handle.seek(0, 2)
50 |             inode = os.fstat(handle.fileno()).st_ino
51 |         except IOError:
52 |             handle = None
53 |             inode = None
54 |         files[fn] = dict(handle=handle, inode=inode)
55 | 
56 |     while True:
57 |         read = False
58 |         for fn, info in files.items():
59 |             l = info['handle'] and info['handle'].readline()
60 |             if l:
61 |                 yield fn, l
62 |                 info['read'] = read = True
63 |             else:
64 |                 info['read'] = False
65 | 
66 |         for fn, info in files.items():
67 |             if not info['handle'] or (info['read'] == False and info['inode'] != stat_inode(fn)):
68 |                 if info['handle']:
69 |                     info['handle'].close()
70 |                 try :
71 |                     info['handle'] = open(fn)
72 |                     info['inode'] = os.fstat(info['handle'].fileno()).st_ino
73 |                 except IOError:
74 |                     info['handle'] = None
75 |                     info['inode'] = None
76 |         if not read:
77 |             time.sleep(1)
78 | 


--------------------------------------------------------------------------------
/test/bambenek/fqdn_feed.txt:
--------------------------------------------------------------------------------
 1 | #############################################################
 2 | ## Master Feed of known, active and non-sinkholed C&Cs domain
 3 | ## names
 4 | ## 
 5 | ## Feed generated at: 2016-06-05 12:18 
 6 | ##
 7 | ## Feed Provided By: John Bambenek of Bambenek Consulting
 8 | ## jcb@bambenekconsulting.com // http://bambenekconsulting.com
 9 | ## Use of this feed is governed by the license here: 
10 | ## http://osint.bambenekconsulting.com/license.txt 
11 | ##
12 | ## For more information on this feed go to: 
13 | ## http://osint.bambenekconsulting.com/manual/c2-dommasterlist.txt
14 | ## 
15 | ## All times are in UTC
16 | #############################################################
17 | ysg9ivv311.com,Domain used by shiotob/urlzone/bebloh,2016-06-05 12:03,http://osint.bambenekconsulting.com/manual/bebloh.txt
18 | pbvcbaswxcrvm.com,Domain used by bedep,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/bedep.txt
19 | ns1.backdates2.com,Domain used by beebone,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/beebone.txt
20 | ns1.dnsfor11.com,Domain used by beebone,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/beebone.txt
21 | ns1.dnsfor15.com,Domain used by beebone,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/beebone.txt
22 | ns1.dnsfor7.com,Domain used by beebone,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/beebone.txt
23 | ns1.dnsfor8.com,Domain used by beebone,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/beebone.txt
24 | sxkpshg41f5pu4y.ddns.net,Domain used by corebot,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/corebot.txt
25 | inbxvqkegoyapgv.com,Domain used by dircrypt,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/dircrypt-iplist.txt
26 | lxpcmncky.com,Domain used by dircrypt,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/dircrypt-iplist.txt
27 | oismeark.com,Domain used by dircrypt,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/dircrypt-iplist.txt
28 | vlbqryjd.com,Domain used by dircrypt,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/dircrypt-iplist.txt
29 | drohppbkxj.com,Domain used by fobber,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/fobber-iplist.txt
30 | gbjtyyhrhk.com,Domain used by fobber,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/fobber-iplist.txt
31 | gjsbydmrpfzsmnfiu.net,Domain used by fobber,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/fobber-iplist.txt


--------------------------------------------------------------------------------
/test/spamhaus/edrop.txt:
--------------------------------------------------------------------------------
 1 | ; Spamhaus EDROP List 2015/09/28 - (c) 2015 The Spamhaus Project
 2 | ; http://www.spamhaus.org/drop/edrop.txt
 3 | ; Last-Modified: Sun, 27 Sep 2015 07:09:26 GMT
 4 | ; Expires: Tue, 29 Sep 2015 05:00:02 GMT
 5 | 27.112.32.0/19 ; SBL237955
 6 | 31.220.46.0/24 ; SBL271386
 7 | 41.71.144.0/21 ; SBL259849
 8 | 41.71.171.0/24 ; SBL260492
 9 | 41.71.176.0/23 ; SBL260482
10 | 41.71.178.0/24 ; SBL260491
11 | 41.71.184.0/22 ; SBL260485
12 | 41.71.188.0/23 ; SBL260487
13 | 41.71.190.0/24 ; SBL260488
14 | 41.71.216.0/23 ; SBL260479
15 | 41.138.164.0/22 ; SBL208933
16 | 41.138.168.0/23 ; SBL208936
17 | 41.138.171.0/24 ; SBL208937
18 | 41.138.172.0/23 ; SBL208940
19 | 41.138.175.0/24 ; SBL208943
20 | 41.138.176.0/20 ; SBL208947
21 | 41.198.80.0/20 ; SBL237957
22 | 41.198.224.0/20 ; SBL237225
23 | 41.203.64.0/24 ; SBL240634
24 | 41.203.67.0/24 ; SBL240635
25 | 41.203.69.0/24 ; SBL233738
26 | 41.203.120.0/21 ; SBL252200
27 | 42.140.0.0/17 ; SBL253830
28 | 43.57.0.0/16 ; SBL271294
29 | 43.181.0.0/16 ; SBL271295
30 | 46.151.48.0/22 ; SBL259590
31 | 46.151.52.0/22 ; SBL243099
32 | 46.166.131.0/24 ; SBL134110
33 | 46.244.10.0/24 ; SBL204158
34 | 58.2.0.0/17 ; SBL249532
35 | 62.112.16.0/21 ; SBL237227
36 | 80.114.192.0/18 ; SBL241019
37 | 81.94.43.0/24 ; SBL131095
38 | 85.239.149.0/24 ; SBL252242
39 | 91.207.7.0/24 ; SBL194244
40 | 91.240.128.0/24 ; SBL245725
41 | 103.37.86.0/24 ; SBL270432
42 | 103.235.174.0/23 ; SBL246066
43 | 107.161.147.0/24 ; SBL263822
44 | 119.227.224.0/19 ; SBL237235
45 | 120.46.0.0/15 ; SBL262362
46 | 120.64.0.0/16 ; SBL253581
47 | 120.67.0.0/16 ; SBL247795
48 | 120.128.128.0/17 ; SBL266080
49 | 120.128.192.0/18 ; SBL253828
50 | 120.129.0.0/17 ; SBL251953
51 | 120.129.128.0/17 ; SBL251954
52 | 120.130.0.0/16 ; SBL253827
53 | 120.130.128.0/18 ; SBL253829
54 | 153.85.0.0/16 ; SBL258301
55 | 162.218.89.0/24 ; SBL264657
56 | 177.47.126.0/24 ; SBL243362
57 | 178.212.56.0/22 ; SBL258669
58 | 181.118.32.0/24 ; SBL249888
59 | 188.247.232.0/24 ; SBL122298
60 | 190.115.22.0/24 ; SBL256461
61 | 193.86.21.0/24 ; SBL244572
62 | 195.214.249.0/24 ; SBL252596
63 | 195.238.180.0/24 ; SBL249181
64 | 195.238.181.0/24 ; SBL249235
65 | 195.238.182.0/24 ; SBL249236
66 | 196.196.8.0/22 ; SBL207820
67 | 199.15.232.0/21 ; SBL218906
68 | 203.119.116.0/22 ; SBL252592
69 | 204.8.87.0/24 ; SBL155924
70 | 208.38.135.0/24 ; SBL178295
71 | 210.57.0.0/19 ; SBL237139
72 | 210.57.128.0/18 ; SBL233459
73 | 210.57.192.0/20 ; SBL237213
74 | 212.95.144.0/22 ; SBL198435
75 | 216.170.114.0/24 ; SBL263821


--------------------------------------------------------------------------------
/test/csirtg/test_csirtg.py:
--------------------------------------------------------------------------------
 1 | import py.test
 2 | 
 3 | from csirtg_smrt import Smrt
 4 | from csirtg_smrt.rule import Rule
 5 | from csirtg_smrt.constants import REMOTE_ADDR
 6 | 
 7 | rule = 'test/csirtg/csirtg.yml'
 8 | rule = Rule(path=rule)
 9 | rule.fetcher = 'file'
10 | 
11 | s = Smrt(REMOTE_ADDR, 1234, client='dummy')
12 | 
13 | 
14 | def test_csirtg_portscanners():
15 |     rule.feeds['port-scanners']['remote'] = 'test/csirtg/feed.txt'
16 |     x = s.process(rule, feed="port-scanners")
17 |     x = list(x)
18 |     assert len(x) > 0
19 | 
20 |     ips = set()
21 |     tags = set()
22 | 
23 |     for xx in x:
24 |         ips.add(xx.indicator)
25 |         tags.add(xx.tags[0])
26 | 
27 |     assert '109.111.134.64' in ips
28 |     assert 'scanner' in tags
29 | 
30 | 
31 | def test_csirtg_skips():
32 |     rule.feeds['port-scanners']['remote'] = 'test/csirtg/feed.txt'
33 |     rule.skip = '216.121.233.27'
34 | 
35 |     x = s.process(rule, feed="port-scanners")
36 |     x = list(x)
37 |     assert len(x) > 0
38 | 
39 |     ips = set()
40 | 
41 |     for xx in x:
42 |         ips.add(xx.indicator)
43 | 
44 |     assert '216.121.233.27' not in ips
45 | 
46 |     ips = set()
47 | 
48 |     rule.skip = None
49 |     rule.feeds['port-scanners']['skip'] = '216.121.233.27'
50 | 
51 |     x = s.process(rule, feed="port-scanners")
52 |     x = list(x)
53 |     assert len(x) > 0
54 | 
55 |     ips = set()
56 | 
57 |     for xx in x:
58 |         ips.add(xx.indicator)
59 | 
60 |     assert '216.121.233.27' not in ips
61 | 
62 | 
63 | def test_csirtg_skips_quotes():
64 |     rule.feeds['port-scanners']['remote'] = 'test/csirtg/feed2_csv.txt'
65 |     rule.skip_first = True
66 |     rule['skip'] = '216.243.31.2'
67 | 
68 |     x = s.process(rule, feed="port-scanners")
69 |     x = list(x)
70 |     assert len(x) > 0
71 | 
72 |     ips = set()
73 | 
74 |     for xx in x:
75 |         ips.add(xx.indicator)
76 | 
77 |     assert '216.243.31.2' not in ips
78 | 
79 | 
80 | def test_csirtg_skips_first():
81 |     rule.feeds['port-scanners']['remote'] = 'test/csirtg/feed2_csv.txt'
82 |     rule.feeds['port-scanners']['skip_first'] = True
83 | 
84 |     x = s.process(rule, feed="port-scanners")
85 |     x = list(x)
86 |     assert len(x) == 1
87 | 
88 | 
89 | def test_csirtg_limits():
90 |     rule.feeds['port-scanners']['remote'] = 'test/csirtg/feed2_csv.txt'
91 |     rule.feeds['port-scanners']['limit'] = 1
92 | 
93 |     x = s.process(rule, feed="port-scanners")
94 |     x = list(x)
95 |     assert len(x) == 1
96 | 


--------------------------------------------------------------------------------
/csirtg_smrt/utils/zcolumns.py:
--------------------------------------------------------------------------------
 1 | import socket
 2 | from csirtg_smrt.utils.zarrow import parse_timestamp
 3 | from csirtg_indicator.utils import resolve_itype
 4 | from csirtg_indicator import Indicator
 5 | from pprint import pprint
 6 | from csirtg_smrt.constants import PYVERSION
 7 | 
 8 | if PYVERSION >= 3:
 9 |     basestring = (str, bytes)
10 | 
11 | 
12 | def is_timestamp(s):
13 |     try:
14 |         t = parse_timestamp(s)
15 |         return t
16 |     except Exception:
17 |         pass
18 | 
19 | 
20 | def get_indicator(l):
21 |     i = {}
22 | 
23 |     # step 1, detect datatypes
24 |     for e in l:
25 |         if isinstance(e, int):
26 |             i[e] = 'int'
27 |             continue
28 | 
29 |         t = None
30 |         try:
31 |             t = resolve_itype(e)
32 |             if t:
33 |                 i[e] = 'indicator'
34 |                 continue
35 |         except Exception:
36 |             pass
37 | 
38 |         if is_timestamp(e):
39 |             i[e] = 'timestamp'
40 |             continue
41 | 
42 |         if isinstance(e, basestring):
43 |             i[e] = 'string'
44 | 
45 |     i2 = Indicator()
46 |     timestamps = []
47 |     ports = []
48 | 
49 |     for e in i:
50 |         if i[e] == 'indicator':
51 |             i2.indicator = e
52 |             continue
53 | 
54 |         if i[e] == 'timestamp':
55 |             timestamps.append(e)
56 |             continue
57 | 
58 |         if i[e] == 'int':
59 |             ports.append(e)
60 |             continue
61 | 
62 |         if i[e] == 'string':
63 |             if ' ' in e:
64 |                 i2.description = e
65 |                 continue
66 | 
67 |             if len(e) < 10:
68 |                 i2.tags = [e]
69 |                 continue
70 | 
71 |     timestamps = sorted(timestamps, reverse=True)
72 | 
73 |     if len(timestamps) > 0:
74 |         i2.lasttime = timestamps[0]
75 | 
76 |     if len(timestamps) > 1:
77 |         i2.firsttime = timestamps[1]
78 | 
79 |     if len(ports) > 0:
80 |         if len(ports) == 1:
81 |             i2.portlist = ports[0]
82 |         else:
83 |             if ports[0] > ports[1]:
84 |                 i2.portlist = ports[0]
85 |                 i2.dest_portlist = ports[1]
86 |             else:
87 |                 i2.portlist = ports[1]
88 |                 i2.dest_portlist = ports[0]
89 | 
90 |     return i2
91 | 
92 | 
93 | def main():
94 |     i = ['192.168.1.1', '2015-02-28T00:00:00Z', 'scanner', '2015-02-28T01:00:00Z', 1159, 2293]
95 |     i2 = get_indicator(i)
96 |     print(i2)
97 | 
98 | if __name__ == "__main__":
99 |     main()


--------------------------------------------------------------------------------
/test/smrt/rules/archiver.yml:
--------------------------------------------------------------------------------
  1 | # cif-smrt configuration file to pull feeds from csirtg.io
  2 | # For more information see https://csirtg.io
  3 | #
  4 | # If no token is given, the feed by default is a "limited feed"
  5 | # provided by https://csirtg.io. The limits of the "limited feed"
  6 | # are:
  7 | #
  8 | # 1. Only results from the last hour are returned
  9 | # 2. A maximum of 25 results are returned per feed
 10 | #
 11 | # To remove the limits, sign up for an API key at https://csirtg.io
 12 | 
 13 | parser: csv
 14 | #token: < token here -> get one at https://csirtg.io >
 15 | defaults:
 16 |   provider: csirtg.io
 17 |   altid_tlp: white
 18 |   altid: https://csirtg.io/search?q={indicator}
 19 |   tlp: white
 20 |   confidence: 9
 21 |   tags: scanner
 22 |   values:
 23 |     - null
 24 |     - indicator
 25 |     - itype
 26 |     - portlist
 27 |     - null
 28 |     - null
 29 |     - protocol
 30 |     - application
 31 |     - null
 32 |     - firsttime
 33 |     - lasttime
 34 |     - description
 35 |     - null
 36 | 
 37 | feeds:
 38 |   lasttime:
 39 |     remote: 'test/smrt/data/feed.txt'
 40 |     defaults:
 41 |       values:
 42 |         - null
 43 |         - indicator
 44 |         - itype
 45 |         - portlist
 46 |         - null
 47 |         - null
 48 |         - protocol
 49 |         - application
 50 |         - null
 51 |         - null
 52 |         - lasttime
 53 |         - description
 54 |         - null
 55 | 
 56 |   firsttime:
 57 |     remote: 'test/smrt/data/feed.txt'
 58 |     defaults:
 59 |       values:
 60 |         - null
 61 |         - indicator
 62 |         - itype
 63 |         - portlist
 64 |         - null
 65 |         - null
 66 |         - protocol
 67 |         - application
 68 |         - null
 69 |         - null
 70 |         - lasttime
 71 |         - description
 72 |         - null
 73 | 
 74 |   both:
 75 |     remote: 'test/smrt/data/feed.txt'
 76 |     defaults:
 77 |       values:
 78 |         - null
 79 |         - indicator
 80 |         - itype
 81 |         - portlist
 82 |         - null
 83 |         - null
 84 |         - protocol
 85 |         - application
 86 |         - null
 87 |         - firsttime
 88 |         - lasttime
 89 |         - description
 90 |         - null
 91 | 
 92 |   neither:
 93 |     remote: 'test/smrt/data/feed.txt'
 94 |     defaults:
 95 |       values:
 96 |         - null
 97 |         - indicator
 98 |         - itype
 99 |         - portlist
100 |         - null
101 |         - null
102 |         - protocol
103 |         - application
104 |         - null
105 |         - null
106 |         - null
107 |         - description
108 |         - null
109 | 
110 | 


--------------------------------------------------------------------------------
/setup.py:
--------------------------------------------------------------------------------
 1 | import os
 2 | from setuptools import setup, find_packages
 3 | import versioneer
 4 | import sys
 5 | 
 6 | # vagrant doesn't appreciate hard-linking
 7 | if os.environ.get('USER') == 'vagrant' or os.path.isdir('/vagrant'):
 8 |     del os.link
 9 | 
10 | # https://www.pydanny.com/python-dot-py-tricks.html
11 | if sys.argv[-1] == 'test':
12 |     test_requirements = [
13 |         'pytest',
14 |         'coverage',
15 |         'pytest_cov',
16 |     ]
17 |     try:
18 |         modules = map(__import__, test_requirements)
19 |     except ImportError as e:
20 |         err_msg = e.message.replace("No module named ", "")
21 |         msg = "%s is not installed. Install your test requirements." % err_msg
22 |         raise ImportError(msg)
23 |     r = os.system('py.test test -v --cov=csirtg_smrt --cov-fail-under=45')
24 |     if r == 0:
25 |         sys.exit()
26 |     else:
27 |         raise RuntimeError('tests failed')
28 | 
29 | package_data = {}
30 | if sys.platform == 'nt':
31 |     package_data['csirtg_smrt'] = os.path.join('tools', 'magic1.dll')
32 | 
33 | setup(
34 |     name="csirtg_smrt",
35 |     version=versioneer.get_version(),
36 |     cmdclass=versioneer.get_cmdclass(),
37 |     package_data=package_data,
38 |     description="s.m.r.t",
39 |     long_description="the fastest way to use data",
40 |     url="https://github.com/csirtgadgets/csirtg-smrt-py",
41 |     license='MPL2',
42 |     classifiers=[
43 |                "Topic :: System :: Networking",
44 |                "Environment :: Other Environment",
45 |                "Intended Audience :: Developers",
46 |                "Programming Language :: Python",
47 |                ],
48 |     keywords=['security'],
49 |     author="Wes Young",
50 |     author_email="wes@csirtgadgets.org",
51 |     packages=find_packages(exclude=['test']),
52 |     install_requires=[
53 |         'ipaddress>=1.0.16',
54 |         'feedparser>=5.2.1',
55 |         'nltk>=3.7',
56 |         'requests>=2.27.1',
57 |         'arrow>=0.15.2',
58 |         'python-magic>=0.4.6',
59 |         'pyaml>=15.8.2',
60 |         'chardet>=5.0.0',
61 |         'csirtg_indicator>=1.0.6,<2',
62 |         'csirtg_mail>=0.0.0a1,<2',
63 |         'SQLAlchemy>=1.0.14',
64 |         'tornado>=5.1.0',
65 |         'apwgsdk>=0.0.0a4,<=1.0',
66 |         'docker>=6.0.0',
67 |     ],
68 |     entry_points={
69 |         'console_scripts': [
70 |             'csirtg-smrt=csirtg_smrt.smrt:main',
71 |             'csirtg-ufw=csirtg_smrt.parser.ufw:main',
72 |             'csirtg-cef=csirtg_smrt.parser.cef:main',
73 |             'csirtg-bro=csirtg_smrt.parser.bro:main',
74 |             'csirtg-smtpd=csirtg_smrt.parser.zsmtpd:main',
75 |         ]
76 |     },
77 | )
78 | 


--------------------------------------------------------------------------------
/appveyor.yml:
--------------------------------------------------------------------------------
 1 | # mostly copied from
 2 | environment:
 3 |   global:
 4 |     # SDK v7.0 MSVC Express 2008's SetEnv.cmd script will fail if the
 5 |     # /E:ON and /V:ON options are not enabled in the batch script intepreter
 6 |     # See: http://stackoverflow.com/a/13751649/163740
 7 |     CMD_IN_ENV: "cmd /E:ON /V:ON /C .\\tools\\run_with_env.cmd"
 8 | 
 9 |   matrix:
10 |     - PYTHON: "C:\\Python27"
11 |       PYTHON_VERSION: "2.7.x"
12 |       PYTHON_ARCH: 32
13 |     - PYTHON: "C:\\Python27-x64"
14 |       PYTHON_VERSION: "2.7.x"
15 |       PYTHON_ARCH: 64
16 | #    - PYTHON: "C:\\Python35"
17 | #      PYTHON_VERSION: "3.5.x"
18 | #      PYTHON_ARCH: 32
19 | #    - PYTHON: "C:\\Python35-x64"
20 | #      PYTHON_VERSION: "3.5.x"
21 | #      PYTHON_ARCH: 64
22 | #    - PYTHON: "C:\\Python34"
23 | #      PYTHON_VERSION: "3.4.x"
24 | #      PYTHON_ARCH: 32
25 | #    - PYTHON: "C:\\Python34-x64"
26 | #      PYTHON_VERSION: "3.4.x"
27 | #      PYTHON_ARCH: 64
28 | matrix:
29 |   fast_finish: true
30 | 
31 | install:
32 |   # If there is a newer build queued for the same PR, cancel this one.
33 |   # The AppVeyor 'rollout builds' option is supposed to serve the same
34 |   # purpose but it is problematic because it tends to cancel builds pushed
35 |   # directly to master instead of just PR builds (or the converse).
36 |   # credits: JuliaLang developers.
37 |   - ECHO "Filesystem root:"
38 |   - ps: "ls \"C:/\""
39 | 
40 |   - ECHO "Installed SDKs:"
41 |   - ps: "ls \"C:/Program Files/Microsoft SDKs/Windows\""
42 | 
43 |   # Prepend newly installed Python to the PATH of this build (this cannot be
44 |   # done from inside the powershell script as it would require to restart
45 |   # the parent CMD process).
46 |   - "SET PATH=%PYTHON%;%PYTHON%\\Scripts;%PATH%"
47 | 
48 |   # Check that we have the expected version and architecture for Python
49 |   - "python --version"
50 |   - "python -c \"import struct; print(struct.calcsize('P') * 8)\""
51 | 
52 |   # Upgrade to the latest version of pip to avoid it displaying warnings
53 |   # about it being out of date.
54 |   - "%CMD_IN_ENV% pip install --disable-pip-version-check --user --upgrade pip setuptools wheel cython"
55 | 
56 | build_script:
57 |   # Build the compiled extension
58 |   - "%CMD_IN_ENV% python setup.py bdist_wheel"
59 |   - ps: "ls dist"
60 |   - forfiles /p dist /m *.whl /c "cmd /c pip install @path"
61 | 
62 | test_script:
63 |   # Run the project tests
64 |   - ps: cmd /c 'cd dist & python -c "import csirtg_smrt; print(csirtg_smrt.VERSION)"'
65 | 
66 | after_test:
67 |   # If tests are successful, create binary packages for the project.
68 |   - ps: "ls dist"
69 | 
70 | artifacts:
71 |   # Archive the generated packages in the ci.appveyor.com build report.
72 |   - path: dist\*
73 | 


--------------------------------------------------------------------------------
/test/ufw/ufw.log:
--------------------------------------------------------------------------------
 1 | Nov 23 19:37:32 ip-172-30-0-64 kernel: [199974.947035] [UFW BLOCK] IN=eth0 OUT= MAC=0a:0d:14:95:e5:27:0a:b3:35:19:7e:54:08:00 SRC=114.33.197.193 DST=172.30.0.64 LEN=40 TOS=0x00 PREC=0x00 TTL=41 ID=6624 PROTO=TCP SPT=43861 DPT=23 WINDOW=24253 RES=0x00 SYN URGP=0
 2 | Nov 23 19:38:44 ip-172-30-0-64 kernel: [200047.350688] [UFW BLOCK] IN=eth0 OUT= MAC=0a:0d:14:95:e5:27:0a:b3:35:19:7e:54:08:00 SRC=14.176.205.238 DST=172.30.0.64 LEN=40 TOS=0x00 PREC=0x00 TTL=42 ID=8709 PROTO=TCP SPT=52116 DPT=23 WINDOW=4151 RES=0x00 SYN URGP=0
 3 | Nov 23 19:42:52 ip-172-30-0-64 kernel: [200295.518392] [UFW BLOCK] IN=eth0 OUT= MAC=0a:0d:14:95:e5:27:0a:b3:35:19:7e:54:08:00 SRC=46.188.26.149 DST=172.30.0.64 LEN=44 TOS=0x00 PREC=0x00 TTL=38 ID=38303 PROTO=TCP SPT=3750 DPT=23 WINDOW=7350 RES=0x00 SYN URGP=0
 4 | Nov 23 19:43:42 ip-172-30-0-64 kernel: [200344.677248] [UFW BLOCK] IN=eth0 OUT= MAC=0a:0d:14:95:e5:27:0a:b3:35:19:7e:54:08:00 SRC=61.160.210.39 DST=172.30.0.64 LEN=40 TOS=0x00 PREC=0x00 TTL=101 ID=256 PROTO=TCP SPT=64340 DPT=81 WINDOW=16384 RES=0x00 SYN URGP=0
 5 | Nov 23 19:44:58 ip-172-30-0-64 kernel: [200421.488066] [UFW BLOCK] IN=eth0 OUT= MAC=0a:0d:14:95:e5:27:0a:b3:35:19:7e:54:08:00 SRC=46.188.26.149 DST=172.30.0.64 LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=38303 PROTO=TCP SPT=3750 DPT=2323 WINDOW=7350 RES=0x00 SYN URGP=0
 6 | Nov 23 19:45:02 ip-172-30-0-64 kernel: [200424.808915] [UFW BLOCK] IN=eth0 OUT= MAC=0a:0d:14:95:e5:27:0a:b3:35:19:7e:54:08:00 SRC=93.174.93.136 DST=172.30.0.64 LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=6543 PROTO=TCP SPT=45865 DPT=8118 WINDOW=1024 RES=0x00 SYN URGP=0
 7 | Nov 23 19:45:32 ip-172-30-0-64 kernel: [200455.605618] [UFW BLOCK] IN=eth0 OUT= MAC=0a:0d:14:95:e5:27:0a:b3:35:19:7e:54:08:00 SRC=46.188.26.149 DST=172.30.0.64 LEN=44 TOS=0x00 PREC=0x00 TTL=38 ID=38303 PROTO=TCP SPT=3750 DPT=23 WINDOW=7350 RES=0x00 SYN URGP=0
 8 | Nov 23 19:45:49 ip-172-30-0-64 kernel: [200471.851127] [UFW BLOCK] IN=eth0 OUT= MAC=0a:0d:14:95:e5:27:0a:b3:35:19:7e:54:08:00 SRC=46.188.26.149 DST=172.30.0.64 LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=38303 PROTO=TCP SPT=3750 DPT=2323 WINDOW=7350 RES=0x00 SYN URGP=0
 9 | Apr 18 20:17:58 linode kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:e5:62:0a:84:78:ac:57:aa:c1:08:00 SRC=114.255.72.85 DST=172.30.222.161 LEN=52 TOS=0x02 PREC=0x00 TTL=110 ID=23387 DF PROTO=TCP SPT=36592 DPT=3389 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
10 | Apr 18 20:18:52 linode kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:e5:62:0a:84:78:ac:57:a8:41:08:00 SRC=91.230.47.38 DST=172.30.222.161 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=33434 PROTO=TCP SPT=44640 DPT=4970 WINDOW=1024 RES=0x00 SYN URGP=0
11 | Apr 18 20:19:04 linode kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:e5:62:0a:84:78:ac:57:aa:c1:08:00 SRC=91.230.47.38 DST=172.30.222.161 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=20951 PROTO=TCP SPT=44640 DPT=4919 WINDOW=1024 RES=0x00 SYN URGP=0


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Getting Started
 2 | Parse data using [simple YAML](https://github.com/csirtgadgets/csirtg-smrt-py/wiki/Examples) and throw it just about anywhere.
 3 | 
 4 | ```
 5 | $ [sudo] pip install csirtg-smrt
 6 | $ curl https://raw.githubusercontent.com/csirtgadgets/csirtg-smrt-py/master/examples/csirtg.yml > csirtg.yml
 7 | $ csirtg-smrt -r csirtg.yml -f port-scanners --format table|csv|bro
 8 | 
 9 | 017-04-12 12:22:26,244 - INFO - csirtg_smrt.smrt[416] - loglevel is: INFO
10 | 2017-04-12 12:22:26,244 - INFO - csirtg_smrt.smrt[116] - processing csirtg.yml
11 | 2017-04-12 12:22:26,251 - INFO - csirtg_smrt.smrt[315] - processing: csirtg.yml - csirtg.io:port-scanners
12 | +-------+----------+----------------------------+-----------------+-------+------------+---------+----------------------------------+-------+-----------+
13 | |  tlp  |  group   |          lasttime          |    indicator    | count | confidence |   tags  |           description            | rdata | provider  |
14 | +-------+----------+----------------------------+-----------------+-------+------------+---------+----------------------------------+-------+-----------+
15 | | white | everyone | 2017-04-12T16:22:06.00000Z |   59.27.82.202  |   1   |    9.0     | scanner | sourced from firewall logs (in.. |       | csirtg.io |
16 | | white | everyone | 2017-04-12T16:21:43.00000Z |  31.162.111.152 |   1   |    9.0     | scanner | sourced from firewall logs (in.. |       | csirtg.io |
17 | | white | everyone | 2017-04-12T16:20:29.00000Z |    5.238.33.0   |   1   |    9.0     | scanner | sourced from firewall logs (in.. |       | csirtg.io |
18 | ...
19 | ```
20 | 
21 | [![YouTube](https://img.youtube.com/vi/0f6WLga2a6s/0.jpg)](https://www.youtube.com/watch?v=0f6WLga2a6s)
22 | 
23 | # Getting Involved
24 | There are many ways to get involved with the project. If you have a new and exciting feature, or even a simple bugfix, simply [fork the repo](https://help.github.com/articles/fork-a-repo), create some simple test cases, [generate a pull-request](https://help.github.com/articles/using-pull-requests) and give yourself credit!
25 | 
26 | If you've never worked on a GitHub project, [this is a good piece](https://guides.github.com/activities/contributing-to-open-source) for getting started.
27 | 
28 | * [the Wiki](https://github.com/csirtgadgets/csirtg-smrt-py/wiki)  
29 | * [Known Issues](https://github.com/csirtgadgets/csirtg-smrt-py/issues?labels=bug&state=open)  
30 | * [How To Contribute](contributing.md)  
31 | * [Mailing List](https://groups.google.com/forum/#!forum/ci-framework)  
32 | * [Need Advanced Help?](https://csirtg.io/support) Partner with us!
33 |  
34 | 
35 | # COPYRIGHT AND LICENCE
36 | 
37 | Copyright (C) 2018 [CSIRT Gadgets Foundation](http://csirtgadgets.org)
38 | 
39 | Free use of this software is granted under the terms of the Mozilla Public License (MPL2). For details see the file `LICENSE` included with the distribution.
40 | 


--------------------------------------------------------------------------------
/test/openphish/feed.txt:
--------------------------------------------------------------------------------
 1 | http://www.kerjakayu.my/.http/
 2 | http://www.tune-way.com/lib/.app.rvhd/https.www.paypal.co.uk.webapps.mppcountry.x-GB&locale.x=en_GB/S45N73H7GC6R374H/29.09.2015/.dispute.centre/.cgi.mpp/.payment.decline.centre/
 3 | http://www.100mattresses.com/a/cbca2ec8f3828b4363598212692f8364/
 4 | http://www.algonquinhotel.com/rbcroyalbank/update/clients/
 5 | http://www.mcveanli.com/kcbhe/1695/genericlogin.php
 6 | http://www.mcveanli.com/kcbhe/1695/
 7 | http://www.welovesfbofo.com/jil/
 8 | http://www.lumino.ca/acd/Index.php
 9 | http://www.pfarrellfamily.com/AOLmailUpdate/Aol.html
10 | http://www.learnfromstevenison.com/trademanagement/cache.php
11 | http://www.kwikvillabali.com
12 | http://www.jeanneachterberg.com/shellyahoo/yahoo%20Index.htm
13 | http://www.tusignificadodeloscolores.com/wp-includes/SimplePie/Decode/HTML/anz.au/ANZAustraliaInternetBankingLogon.htm
14 | http://www.hancockmetro.com/AOL_Update/
15 | http://www.hermandaddelrociodebarcelona.com/wp-admin/rename/update/c2a1f9afe89bda04a6f90c8937b38f1d/
16 | http://www.geelonggpelectrical.com.au/admon/Archive/
17 | http://www.geelonggpelectrical.com.au/olosho/Archive/
18 | http://www.knowledgeyatra.com/wp-includes/js/jcrop/update/newwells/questions.htm
19 | http://www.scottclirehugh.net/lisst/auth/view/document/
20 | http://www.tazbih.com/manny/dpbx/dpbx/
21 | http://www.ormanholding.com/images/dropboxjax/
22 | http://assistir.cannibal-filmes.net/wp-includes/css/onlinebanking/question.php
23 | http://www.lifeimagination.com/hed/
24 | http://www.eureka-mobilje.com/e/wp-includes/Text/Diff/auth/view/document/
25 | http://www.sandwelltraining.com/courses/franceandclick/
26 | http://www.geelonggpelectrical.com.au/matty/Archive/
27 | http://www.gecochile.com/LAU/
28 | http://www.hermandaddelrociodebarcelona.com/wp-admin/rename/update/4735017785dd4f989849fca92f748980/
29 | http://www.hermandaddelrociodebarcelona.com/wp-admin/rename/update/f0e202c2b10ea0014e6276112395f7ee/
30 | http://www.hermandaddelrociodebarcelona.com/wp-admin/rename/update/e4de61c7a65f85c028968a015d6a27c2/
31 | https://link-a-creditcard.faceseformas.com.br/apple-com/
32 | http://www.srisugatha.com/admin/products/kcfinder/upload/files/DHL/hg/DHL.htm
33 | http://www.ferndara.me/wp-includes/fonts/september/09e97c364ff99c16df6191c9de317a3f/
34 | http://www.f1soft.com/assets/max/
35 | http://www.sundaydiary.com/wp-includes/js/tinymce/skins/lightgray/payus/a581a3f504faf8c4c1a460ac3c5e6dd0/
36 | http://www.sundaydiary.com/wp-includes/js/tinymce/skins/lightgray/payus/3e5d23b39f4234d43dd76484986292d8/
37 | http://www.anythingass.com/wellsfargo.online.secrupdate.com/0f71bb2d3653db661a2c847a1c2cc549/questionreviews.htm
38 | http://www.ferndara.me/wp-includes/fonts/september/200dc7663ea11d5698fddaaaeff999ee/
39 | http://www.pandemiadigital.cl/dpbx/dpbx/
40 | http://www.rebelii.org/css/iscao/
41 | http://www.dompdf.info/nt/fox/dropbox/
42 | http://www.closethealthyperson.com/hhh/eponcruser/dropbox4/


--------------------------------------------------------------------------------
/test/malwaredomains/test_malwaredomains.py:
--------------------------------------------------------------------------------
  1 | import py.test
  2 | 
  3 | from csirtg_smrt import Smrt
  4 | from csirtg_smrt.rule import Rule
  5 | from csirtg_smrt.constants import REMOTE_ADDR
  6 | from pprint import pprint
  7 | from csirtg_smrt.utils.zarrow import parse_timestamp
  8 | 
  9 | rule = 'test/malwaredomains/malwaredomains.yml'
 10 | rule = Rule(path=rule)
 11 | rule.fetcher = 'file'
 12 | s = Smrt(REMOTE_ADDR, 1234, client='dummy')
 13 | 
 14 | 
 15 | def test_malwaredomains_malware():
 16 |     rule.remote = 'test/malwaredomains/domains.zip'
 17 |     x = s.process(rule, feed="malware_domains")
 18 |     x = list(x)
 19 | 
 20 |     assert len(x) > 0
 21 |     assert len(x[0].indicator) > 4
 22 | 
 23 |     indicators = set()
 24 |     for i in x:
 25 |         indicators.add(i.indicator)
 26 | 
 27 |     tags = set()
 28 |     for i in x:
 29 |         for t in i.tags:
 30 |             tags.add(t)
 31 | 
 32 |     assert 'exploit' in tags
 33 |     assert 'ccjbox.ivyro.net' in indicators
 34 | 
 35 |     for i in x:
 36 |         assert parse_timestamp(i.reporttime).year > 1980
 37 |         assert parse_timestamp(i.lasttime).year > 1980
 38 |         assert parse_timestamp(i.firsttime).year > 1980
 39 | 
 40 | 
 41 | def test_malwaredomains_botnet():
 42 |     rule.remote = 'test/malwaredomains/domains.zip'
 43 |     x = s.process(rule, feed="botnet_domains")
 44 |     x = list(x)
 45 | 
 46 |     assert len(x) > 0
 47 |     assert len(x[0].indicator) > 4
 48 | 
 49 |     indicators = set()
 50 |     for i in x:
 51 |         indicators.add(i.indicator)
 52 | 
 53 |     tags = set()
 54 |     for i in x:
 55 |         for t in i.tags:
 56 |             tags.add(t)
 57 | 
 58 |     assert 'botnet' in tags
 59 |     assert 'attack_page' not in tags
 60 | 
 61 |     assert '9virgins.com' in indicators
 62 | 
 63 | 
 64 | def test_malwaredomains_registrars():
 65 |     rule.remote = 'test/malwaredomains/bulk_registrars.zip'
 66 |     x = s.process(rule, feed="registrars")
 67 |     x = list(x)
 68 | 
 69 |     assert len(x) > 0
 70 |     assert len(x[0].indicator) > 4
 71 | 
 72 |     indicators = set()
 73 |     for i in x:
 74 |         indicators.add(i.indicator)
 75 | 
 76 |     tags = set()
 77 |     for i in x:
 78 |         for t in i.tags:
 79 |             tags.add(t)
 80 | 
 81 |     assert 'registrar' in tags
 82 |     assert 'aaa.ai' in indicators
 83 | 
 84 | 
 85 | def test_malwaredomains_urlshorteners():
 86 |     rule.remote = 'test/malwaredomains/url_shorteners.zip'
 87 |     x = s.process(rule, feed="url_shorteners")
 88 |     x = list(x)
 89 | 
 90 |     assert len(x) > 0
 91 |     assert len(x[0].indicator) > 4
 92 | 
 93 |     indicators = set()
 94 |     for i in x:
 95 |         indicators.add(i.indicator)
 96 | 
 97 |     tags = set()
 98 |     for i in x:
 99 |         for t in i.tags:
100 |             tags.add(t)
101 | 
102 |     assert 'service' in tags
103 |     assert 'url123.info' in indicators


--------------------------------------------------------------------------------
/test/bambenek/ipv4_feed.txt:
--------------------------------------------------------------------------------
 1 | #############################################################
 2 | ## Master Feed of known, active and non-sinkholed C&Cs IP
 3 | ## addresses
 4 | ##
 5 | ## Feed generated at: 2016-06-05 12:18
 6 | ##
 7 | ## Feed Provided By: John Bambenek of Bambenek Consulting
 8 | ## jcb@bambenekconsulting.com // http://bambenekconsulting.com
 9 | ## Use of this feed is governed by the license here:
10 | ## http://osint.bambenekconsulting.com/license.txt
11 | ##
12 | ## For more information on this feed go to:
13 | ## http://osint.bambenekconsulting.com/manual/c2-ipmasterlist.txt
14 | ##
15 | ## All times are in UTC
16 | #############################################################
17 | 52.4.209.250,IP used by shiotob/urlzone/bebloh C&C,2016-06-05 12:03,http://osint.bambenekconsulting.com/manual/bebloh.txt
18 | 162.255.119.250,IP used by bedep C&C,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/bedep.txt
19 | 31.170.178.179,IP used by beebone C&C,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/beebone.txt
20 | 141.8.225.68,IP used by beebone C&C,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/beebone.txt
21 | 185.28.193.192,IP used by beebone C&C,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/beebone.txt
22 | 204.11.56.48,IP used by beebone C&C,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/beebone.txt
23 | 208.91.197.66,IP used by beebone C&C,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/beebone.txt
24 | 217.160.165.207,IP used by corebot C&C,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/corebot.txt
25 | 173.11.85.180,IP used by dircrypt C&C,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/dircrypt.txt
26 | 51.254.172.105,IP used by fobber C&C,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/fobber.txt
27 | 91.209.77.109,IP used by fobber C&C,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/fobber.txt
28 | 173.11.85.180,IP used by fobber C&C,2016-06-05 12:10,http://osint.bambenekconsulting.com/manual/fobber.txt
29 | 45.32.9.186,IP used by kraken C&C,2016-06-05 12:12,http://osint.bambenekconsulting.com/manual/kraken.txt
30 | 54.72.9.51,IP used by kraken C&C,2016-06-05 12:12,http://osint.bambenekconsulting.com/manual/kraken.txt
31 | 64.21.149.167,IP used by kraken C&C,2016-06-05 12:12,http://osint.bambenekconsulting.com/manual/kraken.txt
32 | 66.29.58.119,IP used by kraken C&C,2016-06-05 12:12,http://osint.bambenekconsulting.com/manual/kraken.txt
33 | 67.59.157.51,IP used by kraken C&C,2016-06-05 12:12,http://osint.bambenekconsulting.com/manual/kraken.txt
34 | 69.41.162.77,IP used by kraken C&C,2016-06-05 12:12,http://osint.bambenekconsulting.com/manual/kraken.txt
35 | 75.5.255.185,IP used by kraken C&C,2016-06-05 12:12,http://osint.bambenekconsulting.com/manual/kraken.txt
36 | 141.8.225.68,IP used by kraken C&C,2016-06-05 12:12,http://osint.bambenekconsulting.com/manual/kraken.txt
37 | 143.215.15.199,IP used by kraken C&C,2016-06-05 12:12,http://osint.bambenekconsulting.com/manual/kraken.txt
38 | 173.11.85.180,IP used by kraken C&C,2016-06-05 12:12,http://osint.bambenekconsulting.com/manual/kraken.txt


--------------------------------------------------------------------------------
/test/cef/cef.log:
--------------------------------------------------------------------------------
 1 | {"client_version":"SSH-2.0-PUTTY","destinationServicename":"sshd","dpt":"2222","dst":"192.168.2.20","duser":"root","level":"info","msg":"Request with password","password":"c4t4r1n4","product":"ssh-auth-logger","server_version":"SSH-2.0-OpenSSH_5.3","spt":"52631","src":"113.195.145.52","time":"2017-04-05T17:27:04Z"}
 2 | {"client_version":"SSH-2.0-PUTTY","destinationServicename":"sshd","dpt":"2222","dst":"192.168.2.20","duser":"root","level":"info","msg":"Request with password","password":"u1551807","product":"ssh-auth-logger","server_version":"SSH-2.0-OpenSSH_5.3","spt":"52631","src":"113.195.145.52","time":"2017-04-05T17:27:05Z"}
 3 | {"client_version":"SSH-2.0-PUTTY","destinationServicename":"sshd","dpt":"2222","dst":"192.168.2.20","duser":"root","level":"info","msg":"Request with password","password":"access","product":"ssh-auth-logger","server_version":"SSH-2.0-OpenSSH_5.3","spt":"52631","src":"113.195.145.52","time":"2017-04-05T17:27:05Z"}
 4 | {"destinationServicename":"sshd","dpt":"2222","dst":"192.168.2.20","level":"info","msg":"Connection","product":"ssh-auth-logger","spt":"36114","src":"116.31.116.47","time":"2017-04-05T17:27:21Z"}
 5 | {"client_version":"SSH-2.0-PUTTY","destinationServicename":"sshd","dpt":"2222","dst":"192.168.2.20","duser":"root","level":"info","msg":"Request with password","password":"cream","product":"ssh-auth-logger","server_version":"SSH-2.0-OpenSSH_5.3","spt":"36114","src":"116.31.116.47","time":"2017-04-05T17:27:22Z"}
 6 | {"client_version":"SSH-2.0-PUTTY","destinationServicename":"sshd","dpt":"2222","dst":"192.168.2.20","duser":"root","level":"info","msg":"Request with password","password":"qq5201314","product":"ssh-auth-logger","server_version":"SSH-2.0-OpenSSH_5.3","spt":"36114","src":"116.31.116.47","time":"2017-04-05T17:27:23Z"}
 7 | {"client_version":"SSH-2.0-PUTTY","destinationServicename":"sshd","dpt":"2222","dst":"192.168.2.20","duser":"root","level":"info","msg":"Request with password","password":"34563e4r5t6y","product":"ssh-auth-logger","server_version":"SSH-2.0-OpenSSH_5.3","spt":"36114","src":"116.31.116.47","time":"2017-04-05T17:27:23Z"}
 8 | {"destinationServicename":"sshd","dpt":"2222","dst":"192.168.2.20","level":"info","msg":"Connection","product":"ssh-auth-logger","spt":"35599","src":"113.195.145.52","time":"2017-04-05T17:27:28Z"}
 9 | {"client_version":"SSH-2.0-PUTTY","destinationServicename":"sshd","dpt":"2222","dst":"192.168.2.20","duser":"root","level":"info","msg":"Request with password","password":"bongo1","product":"ssh-auth-logger","server_version":"SSH-2.0-OpenSSH_5.3","spt":"35599","src":"113.195.145.52","time":"2017-04-05T17:27:30Z"}
10 | {"client_version":"SSH-2.0-PUTTY","destinationServicename":"sshd","dpt":"2222","dst":"192.168.2.20","duser":"root","level":"info","msg":"Request with password","password":"123qaz","product":"ssh-auth-logger","server_version":"SSH-2.0-OpenSSH_5.3","spt":"35599","src":"113.195.145.52","time":"2017-04-05T17:27:30Z"}
11 | {"client_version":"SSH-2.0-PUTTY","destinationServicename":"sshd","dpt":"2222","dst":"192.168.2.20","duser":"root","level":"info","msg":"Request with password","password":"hangjie987","product":"ssh-auth-logger","server_version":"SSH-2.0-OpenSSH_5.3","spt":"35599","src":"113.195.145.52","time":"2017-04-05T17:27:30Z"}


--------------------------------------------------------------------------------
/csirtg_smrt/parser/zemail.py:
--------------------------------------------------------------------------------
  1 | from csirtg_mail import from_string
  2 | from csirtg_smrt.parser import Parser
  3 | import logging
  4 | import os
  5 | import re
  6 | from pprint import pprint
  7 | 
  8 | TOKEN = os.environ.get('CSIRTG_TOKEN', None)
  9 | CSIRTG_SMRT_PREDICT = False
 10 | RE_PREDICT = re.compile(os.getenv('CSIRTG_PREDICT_RE', '^https?'))
 11 | if os.getenv('CSIRTG_SMRT_PREDICT') == '1':
 12 |     CSIRTG_SMRT_PREDICT = True
 13 | 
 14 | try:
 15 |     from csirtgsdk.client import Client as csirtg_client
 16 |     from csirtgsdk.predict import Predict
 17 | except Exception:
 18 |     pass
 19 | 
 20 | logger = logging.getLogger(__name__)
 21 | 
 22 | 
 23 | def _check_predict(i):
 24 |     c = csirtg_client(token=TOKEN)
 25 |     try:
 26 |         return Predict(c).get(i)
 27 |     except NameError:
 28 |         logger.error('missing newer version of csirtgsdk-py')
 29 |         logger.error('run `pip install csirtgsdk --upgrade` and try again')
 30 |         raise SystemExit
 31 | 
 32 | 
 33 | class Email(Parser):
 34 | 
 35 |     def __init__(self, *args, **kwargs):
 36 |         super(Email, self).__init__(*args, **kwargs)
 37 | 
 38 |         self.start_after = None
 39 | 
 40 |         if self.rule.feeds[self.feed].get('start_after'):
 41 |             self.start_after = self.rule.feeds[self.feed]['start_after']
 42 | 
 43 |         self.keep_msg = None
 44 |         if self.rule.feeds[self.feed].get('keep_msg'):
 45 |             self.keep_msg = self.rule.feeds[self.feed]['keep_msg']
 46 | 
 47 |         self.headers = None
 48 |         if self.rule.feeds[self.feed].get('headers'):
 49 |             self.headers = self.rule.feeds[self.feed]['headers']
 50 | 
 51 |     def process(self, data=None):
 52 |         defaults = self._defaults()
 53 | 
 54 |         for d in self.fetcher.process(split=False):
 55 | 
 56 |             body = from_string(d)
 57 | 
 58 |             # if we're pulling intel from headers (eg: spamcop)
 59 | 
 60 |             if 'indicator' in self.headers.values():
 61 |                 i = {}
 62 |                 for k, v in defaults.items():
 63 |                     i[k] = v
 64 | 
 65 |                 for h in self.headers:
 66 |                     if body['headers'].get(h):
 67 |                         i[self.headers[h]] = body['headers'][h][0]
 68 | 
 69 |                 i['message'] = d
 70 |                 yield i
 71 |                 continue
 72 | 
 73 |             # if we're pulling from a suspicious message
 74 |             _indicators = body['urls']
 75 |             _indicators.extend(body['email_addresses'])
 76 | 
 77 |             for _i in _indicators:
 78 |                 i = {}
 79 |                 for k, v in defaults.items():
 80 |                     i[k] = v
 81 | 
 82 |                 if self.headers:
 83 |                     for h in self.headers:
 84 |                         if body['headers'].get(h):
 85 |                             i[self.headers[h]] = body['headers'][h][0]
 86 | 
 87 |                 i['message'] = d
 88 |                 i['indicator'] = _i
 89 | 
 90 |                 if not CSIRTG_SMRT_PREDICT:
 91 |                     yield i
 92 |                     continue
 93 | 
 94 |                 if not RE_PREDICT.match(i['indicator']):
 95 |                     yield i
 96 | 
 97 |                 if _check_predict(i['indicator']):
 98 |                     yield i
 99 | 
100 | Plugin = Email
101 | 


--------------------------------------------------------------------------------
/csirtg_smrt/utils/zcontent.py:
--------------------------------------------------------------------------------
  1 | import magic
  2 | import os
  3 | import sys
  4 | from pprint import pprint
  5 | from csirtg_smrt.constants import PYVERSION
  6 | 
  7 | f = sys.argv[1]
  8 | 
  9 | 
 10 | def _is_ascii(f, mime):
 11 |     if mime.startswith(('text/plain', 'ASCII text')):
 12 |         return True
 13 | 
 14 | 
 15 | def _is_xml(f, mime):
 16 |     if not mime.startswith(("application/xml", "'XML document text")):
 17 |         return
 18 | 
 19 |     first = f.readline()
 20 |     second = f.readline().rstrip("\n")
 21 |     last = f.readlines()[-1].rstrip("\n")
 22 | 
 23 |     if not first.startswith("<?xml "):
 24 |         return
 25 | 
 26 |     if second.startswith("<rss ") and last.endswith("</rss>"):
 27 |         return 'rss'
 28 | 
 29 |     return 'xml'
 30 | 
 31 | 
 32 | def _is_json(f, mime):
 33 |     if not _is_ascii(f, mime):
 34 |         return
 35 | 
 36 |     first = f.readline().rstrip("\n")
 37 |     last = first
 38 |     try:
 39 |         last = f.readlines()[-1].rstrip("\n")
 40 |     except Exception:
 41 |         pass
 42 | 
 43 |     if not first.startswith(("'[{", "'{")):
 44 |         return
 45 | 
 46 |     if not last.endswith(("}]'", "}'")):
 47 |         return
 48 | 
 49 |     return 'json'
 50 | 
 51 | 
 52 | def _is_delimited(f, mime):
 53 |     if not _is_ascii(f, mime):
 54 |         return
 55 | 
 56 |     m = {
 57 |         "\t": 'tsv',
 58 |         ',': 'csv',
 59 |         '|': 'pipe',
 60 |         ';': 'semicolon'
 61 |     }
 62 | 
 63 |     first = f.readline().rstrip("\n")
 64 |     while first.startswith('#'):
 65 |         first = f.readline().rstrip("\n")
 66 | 
 67 |     second = f.readline().rstrip("\n")
 68 |     for d in m:
 69 |         c = first.count(d)
 70 |         if c == 0:
 71 |             continue
 72 | 
 73 |         if second.count(d) == c:
 74 |             return m[d]
 75 | 
 76 |     return False
 77 | 
 78 | TESTS = [
 79 |     _is_delimited,
 80 |     _is_json,
 81 |     _is_xml,
 82 | ]
 83 | 
 84 | 
 85 | def get_mimetype(f):
 86 |     try:
 87 |         ftype = magic.from_file(f, mime=True)
 88 |     except AttributeError:
 89 |         try:
 90 |             mag = magic.open(magic.MAGIC_MIME)
 91 |             mag.load()
 92 |             ftype = mag.file(f)
 93 |         except AttributeError as e:
 94 |             raise RuntimeError('unable to detect cached file type')
 95 | 
 96 |     if PYVERSION < 3:
 97 |         ftype = ftype.decode('utf-8')
 98 | 
 99 |     return ftype
100 | 
101 | 
102 | def get_type(f, mime=None):
103 |     if not mime:
104 |         mime = get_mimetype(f)
105 | 
106 |     if isinstance(f, str):
107 |         f = open(f)
108 | 
109 |     t = None
110 |     for tt in TESTS:
111 |         f.seek(0)
112 |         t = tt(f, mime)
113 |         if t:
114 |             return t
115 | 
116 | 
117 | def is_expected_file(file_path, file_extension=None):
118 |     if not os.path.isfile(file_path):
119 |         raise RuntimeError('Invalid file path specified: {}'.format(file_path))
120 |     if file_extension:
121 |         if not file_path.lower().endswith(file_extension):
122 |             raise RuntimeError('Unexpected file extension for file {}. Expected {}'.format(file_path, file_extension))
123 |     
124 |     return True
125 | 
126 | 
127 | if __name__ == "__main__":
128 |     f = sys.argv[1]
129 |     with open(f) as FILE:
130 |         mime_type = magic.from_file(f)
131 |         print(mime_type)
132 | 
133 |         print(get_type(FILE, mime_type))
134 | 


--------------------------------------------------------------------------------
/csirtg_smrt/utils/zarrow.py:
--------------------------------------------------------------------------------
 1 | import arrow
 2 | import datetime
 3 | import re
 4 | from pprint import pprint
 5 | from arrow.parser import ParserMatchError
 6 | from tzlocal import get_localzone  # pip install tzlocal
 7 | 
 8 | 
 9 | def round_time(dt=datetime.datetime.now(), round=60):
10 |     if isinstance(round, str):
11 |         round = int(round)
12 |     
13 |     seconds = (dt.replace(tzinfo=None) - dt.min).seconds
14 |     rounding = (seconds+round/2) // round * round
15 |     return dt + datetime.timedelta(0, rounding-seconds, -dt.microsecond)
16 | 
17 | 
18 | def _parse_timestamp_syslog(syslog_timestamp):
19 |     """
20 |     Return a timestamp with the correct year and in UTC from a syslog timestamp
21 |     :return: string (ex: 2015-11-11T21:15:29-0000)
22 | 
23 |     Reference:
24 |     https://github.com/logstash-plugins/logstash-filter-date/pull/4/files
25 |     https://github.com/jsvd/logstash-filter-date/blob/cfd8949e94ed0760434e3c9a9ff3da5351b4fd59/lib/logstash/filters/date.rb#L189
26 |     """
27 | 
28 |     local_tz = get_localzone()
29 |     time_now = arrow.get(get_localzone())
30 | 
31 |     # get the current month
32 |     now_month = time_now.month
33 | 
34 |     # semi normalize syslog timestamp
35 |     syslog_timestamp_obj = arrow.get(syslog_timestamp, ['MMM  D HH:mm:ss', 'MMM D HH:mm:ss'])
36 | 
37 |     # get the month of the syslog timestamp
38 |     event_month = syslog_timestamp_obj.month
39 | 
40 |     # calculate event year based on current month and event month
41 |     if event_month == now_month:
42 |         event_year = time_now.year
43 |     elif event_month == 12 and now_month == 1:
44 |         event_year = (time_now.year - 1)
45 |     elif event_month == 1 and now_month == 12:
46 |         event_year = (time_now.year + 1)
47 |     else:
48 |         event_year = time_now.year
49 | 
50 |     # update event year based on calculated result and local timezone
51 |     syslog_timestamp_obj = syslog_timestamp_obj.replace(year=event_year, tzinfo=local_tz.zone)
52 | 
53 |     return syslog_timestamp_obj.to('UTC').format('YYYY-MM-DDTHH:mm:ssZ')
54 | 
55 | 
56 | def parse_timestamp(ts, syslog=False):
57 |     if syslog:
58 |         return _parse_timestamp_syslog(ts)
59 | 
60 |     try:
61 |         t = arrow.get(ts)
62 |         if t.year < 1980:
63 |             if type(ts) == datetime.datetime:
64 |                 ts = str(ts)
65 |             if len(ts) == 8:
66 |                 ts = '{}T00:00:00Z'.format(ts)
67 |                 t = arrow.get(ts, 'YYYYMMDDTHH:mm:ss')
68 | 
69 |             if t.year < 1980:
70 |                 raise RuntimeError('invalid timestamp: %s' % ts)
71 | 
72 |         return t
73 |     except ValueError as e:
74 |         if len(ts) == 14:
75 |             match = re.search('^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})$', ts)
76 |             if match:
77 |                 ts = '{}-{}-{}T{}:{}:{}Z'.format(match.group(1), match.group(2), match.group(3), match.group(4),
78 |                                                  match.group(5), match.group(6))
79 |                 try:
80 |                     t = arrow.get(ts, 'YYYY-MM-DDTHH:mm:ss')
81 |                 except ParserMatchError as e:
82 |                     t = arrow.get(ts, 'YYYY-MM-DDTHH:mm:ssZ')
83 |                 return t
84 |             else:
85 |                 raise RuntimeError('Invalid Timestamp: %s' % ts)
86 |         else:
87 |             raise RuntimeError('Invalid Timestamp: %s' % ts)
88 |     else:
89 |         raise RuntimeError('Invalid Timestamp: %s' % ts)
90 | 


--------------------------------------------------------------------------------
/csirtg_smrt/utils/__init__.py:
--------------------------------------------------------------------------------
  1 | import pkgutil
  2 | import logging
  3 | from csirtg_smrt.constants import LOG_FORMAT, RUNTIME_PATH, LOGLEVEL, VERSION
  4 | from argparse import ArgumentParser
  5 | import signal
  6 | import yaml
  7 | import os
  8 | 
  9 | 
 10 | def read_config(args):
 11 |     options = {}
 12 |     if os.path.isfile(args.config):
 13 |         with open(args.config) as f:
 14 |             config = yaml.safe_load(f)
 15 | 
 16 |         if not config:
 17 |             return options
 18 | 
 19 |         if config.get('client'):
 20 |             config = config['client']
 21 |         f.close()
 22 |         if not config:
 23 |             return options
 24 |         for k in config:
 25 |             if not options.get(k):
 26 |                 options[k] = config[k]
 27 |     else:
 28 |         return options
 29 | 
 30 |     return options
 31 | 
 32 | 
 33 | def get_argument_parser():
 34 |     BasicArgs = ArgumentParser(add_help=False)
 35 |     BasicArgs.add_argument('-d', '--debug', dest='debug', action="store_true")
 36 |     BasicArgs.add_argument('-v', '--verbose', dest='verbose', action="store_true")
 37 |     BasicArgs.add_argument('-V', '--version', action='version', version=VERSION)
 38 |     BasicArgs.add_argument(
 39 |         "--runtime-path", help="specify the runtime path [default %(default)s]", default=RUNTIME_PATH
 40 |     )
 41 |     return ArgumentParser(parents=[BasicArgs], add_help=False)
 42 | 
 43 | 
 44 | def load_plugin(path, plugin):
 45 |     p = None
 46 |     for loader, modname, is_pkg in pkgutil.iter_modules([path]):
 47 |         if modname == plugin or modname == 'z{}'.format(plugin):
 48 |             p = loader.find_module(modname).load_module(modname)
 49 |             p = p.Plugin
 50 | 
 51 |     return p
 52 | 
 53 | 
 54 | def setup_logging(args):
 55 |     loglevel = logging.getLevelName(LOGLEVEL)
 56 | 
 57 |     if args.verbose:
 58 |         loglevel = logging.INFO
 59 | 
 60 |     if args.debug:
 61 |         loglevel = logging.DEBUG
 62 | 
 63 |     console = logging.StreamHandler()
 64 |     logging.getLogger('').setLevel(loglevel)
 65 |     console.setFormatter(logging.Formatter(LOG_FORMAT))
 66 |     logging.getLogger('').addHandler(console)
 67 | 
 68 | 
 69 | def setup_signals(name):
 70 |     logger = logging.getLogger(__name__)
 71 | 
 72 |     def sigterm_handler(_signo, _stack_frame):
 73 |         logger.info('SIGTERM Caught for {}, shutting down...'.format(name))
 74 |         raise SystemExit
 75 | 
 76 |     signal.signal(signal.SIGTERM, sigterm_handler)
 77 |     signal.signal(signal.SIGINT, sigterm_handler)
 78 | 
 79 | 
 80 | def setup_runtime_path(path):
 81 |     if not os.path.isdir(path):
 82 |         os.mkdir(path)
 83 | 
 84 | 
 85 | def chunk(it, slice=50):
 86 |     """Generate sublists from an iterator
 87 |     >>> list(chunk(iter(range(10)),11))
 88 |     [[0, 1, 2, 3, 4, 5, 6, 7, 8, 9]]
 89 |     >>> list(chunk(iter(range(10)),9))
 90 |     [[0, 1, 2, 3, 4, 5, 6, 7, 8], [9]]
 91 |     >>> list(chunk(iter(range(10)),5))
 92 |     [[0, 1, 2, 3, 4], [5, 6, 7, 8, 9]]
 93 |     >>> list(chunk(iter(range(10)),3))
 94 |     [[0, 1, 2], [3, 4, 5], [6, 7, 8], [9]]
 95 |     >>> list(chunk(iter(range(10)),1))
 96 |     [[0], [1], [2], [3], [4], [5], [6], [7], [8], [9]]
 97 |     """
 98 | 
 99 |     assert(slice > 0)
100 |     a=[]
101 | 
102 |     for x in it:
103 |         if len(a) >= slice :
104 |             yield a
105 |             a=[]
106 |         a.append(x)
107 | 
108 |     if a:
109 |         yield a
110 | 


--------------------------------------------------------------------------------
/csirtg_smrt/client/zelasticsearch.py:
--------------------------------------------------------------------------------
  1 | try:
  2 |     import elasticsearch
  3 | except ImportError:
  4 |     raise ImportError('Requires elasticsearch')
  5 | 
  6 | from csirtg_smrt.client.plugin import Client
  7 | from pprint import pprint
  8 | from elasticsearch_dsl.connections import connections
  9 | from elasticsearch_dsl import DocType, String, Date, Integer, Float, Ip, GeoPoint, Index, Mapping
 10 | from datetime import datetime
 11 | from csirtg_indicator import resolve_itype
 12 | import elasticsearch.exceptions
 13 | import re
 14 | import logging
 15 | 
 16 | logger = logging.getLogger(__name__)
 17 | 
 18 | 
 19 | class Indicator(DocType):
 20 |     indicator = String(index="not_analyzed")
 21 |     indicator_ipv4 = Ip()
 22 |     group = String(multi=True, index="not_analyzed")
 23 |     itype = String(index="not_analyzed")
 24 |     tlp = String(index="not_analyzed")
 25 |     provider = String(index="not_analyzed")
 26 |     portlist = String()
 27 |     asn = Float()
 28 |     asn_desc = String()
 29 |     cc = String()
 30 |     protocol = String()
 31 |     reporttime = Date()
 32 |     lasttime = Date()
 33 |     firsttime = Date()
 34 |     confidence = Float()
 35 |     timezone = String()
 36 |     city = String()
 37 |     description = String(index="not_analyzed")
 38 |     additional_data = String(multi=True)
 39 |     tags = String(multi=True)
 40 |     rdata = String(index="not_analyzed")
 41 |     message = String(multi=True)
 42 | 
 43 | 
 44 | class _ElasticSearch(Client):
 45 |     name = 'elasticsearch'
 46 | 
 47 |     def __init__(self, remote='localhost:9200', index='indicators', **kwargs):
 48 |         super(_ElasticSearch, self).__init__(remote)
 49 | 
 50 |         self.index = index
 51 |         if isinstance(self.remote, str):
 52 |             self.remote = self.remote.split(',')
 53 | 
 54 |         connections.create_connection(hosts=self.remote)
 55 | 
 56 |     def _create_index(self):
 57 |         dt = datetime.utcnow()
 58 |         dt = dt.strftime('%Y.%m')
 59 |         es = connections.get_connection()
 60 |         if not es.indices.exists('indicators-{}'.format(dt)):
 61 |             index = Index('indicators-{}'.format(dt))
 62 |             index.aliases(live={})
 63 |             index.doc_type(Indicator)
 64 |             index.create()
 65 | 
 66 |             m = Mapping('indicator')
 67 |             m.field('indicator_ipv4', 'ip')
 68 |             m.field('indicator_ipv4_mask', 'integer')
 69 |             m.save('indicators-{}'.format(dt))
 70 |         return 'indicators-{}'.format(dt)
 71 | 
 72 |     def indicators_create(self, data):
 73 |         index = self._create_index()
 74 | 
 75 |         doc = data.__dict__()
 76 |         del doc['version']
 77 | 
 78 |         doc['meta'] = {}
 79 |         doc['meta']['index'] = index
 80 | 
 81 |         if resolve_itype(data.indicator) == 'ipv4':
 82 |             match = re.search('^(\S+)\/(\d+)$', data.indicator)
 83 |             if match:
 84 |                 doc['indicator_ipv4'] = match.group(1)
 85 |                 doc['indicator_ipv4_mask'] = match.group(2)
 86 |             else:
 87 |                 doc['indicator_ipv4'] = data.indicator
 88 | 
 89 |         if type(data.group) != list:
 90 |             doc['group'] = [data.group]
 91 | 
 92 |         logger.debug(doc)
 93 |         i = Indicator(**doc)
 94 |         logger.debug(i)
 95 |         if i.save():
 96 |             return i.__dict__['_d_']
 97 |         else:
 98 |             raise RuntimeError('unable to save')
 99 | 
100 | Plugin = _ElasticSearch
101 | 


--------------------------------------------------------------------------------
/test/packetmail/feed.txt:
--------------------------------------------------------------------------------
 1 | #                     - db.findings.dropIndexes();
 2 | #     Tue Jan 24 2017 - HTTP 302 requests to kittenlasers.com (thanks Jim!) due to bandwidth usage, please still use the original URL should resources move again and the HTTP 302 redirect be updated.
 3 | #
 4 | # This list was last updated on Thu Mar 23 07:55:01 2017
 5 | #
 6 | # IP; last_seen; context; cumulative history
 7 | 114.33.197.113; 2017-03-21 12:55:03; Honeypot hits in 3600 hash-collection seconds: 1; Cumulative honeypot hits for IP over all days: 1
 8 | 114.35.1.82; 2017-03-21 12:56:09; Honeypot hits in 3600 hash-collection seconds: 1; Cumulative honeypot hits for IP over all days: 2
 9 | 178.223.87.108; 2017-03-21 12:57:05; Honeypot hits in 3600 hash-collection seconds: 1; Cumulative honeypot hits for IP over all days: 1
10 | 1.54.29.215; 2017-03-21 12:58:09; Honeypot hits in 3600 hash-collection seconds: 1; Cumulative honeypot hits for IP over all days: 1
11 | 179.40.212.141; 2017-03-21 12:59:02; Honeypot hits in 3600 hash-collection seconds: 1; Cumulative honeypot hits for IP over all days: 1
12 | 189.212.144.250; 2017-03-21 13:01:01; Honeypot hits in 3600 hash-collection seconds: 1; Cumulative honeypot hits for IP over all days: 1
13 | 179.32.180.203; 2017-03-21 13:02:03; Honeypot hits in 3600 hash-collection seconds: 1; Cumulative honeypot hits for IP over all days: 2
14 | 14.162.12.153; 2017-03-21 13:03:35; Honeypot hits in 3600 hash-collection seconds: 1; Cumulative honeypot hits for IP over all days: 1
15 | 14.176.65.42; 2017-03-21 13:05:46; Honeypot hits in 3600 hash-collection seconds: 1; Cumulative honeypot hits for IP over all days: 1
16 | 191.190.77.119; 2017-03-21 13:06:04; Honeypot hits in 3600 hash-collection seconds: 1; Cumulative honeypot hits for IP over all days: 1
17 | 113.164.193.91; 2017-03-21 13:07:47; Honeypot hits in 3600 hash-collection seconds: 1; Cumulative honeypot hits for IP over all days: 1
18 | 175.182.75.190; 2017-03-21 13:08:05; Honeypot hits in 3600 hash-collection seconds: 1; Cumulative honeypot hits for IP over all days: 1
19 | 186.236.187.26; 2017-03-21 13:10:51; Honeypot hits in 3600 hash-collection seconds: 1; Cumulative honeypot hits for IP over all days: 1
20 | 118.163.131.73; 2017-03-21 13:11:07; Honeypot hits in 3600 hash-collection seconds: 1; Cumulative honeypot hits for IP over all days: 1
21 | 191.250.122.75; 2017-03-21 13:12:04; Honeypot hits in 3600 hash-collection seconds: 1; Cumulative honeypot hits for IP over all days: 1
22 | 109.242.80.192; 2017-03-21 13:13:01; Honeypot hits in 3600 hash-collection seconds: 1; Cumulative honeypot hits for IP over all days: 1
23 | 107.170.220.174; 2017-03-21 13:13:02; Honeypot hits in 3600 hash-collection seconds: 1; Cumulative honeypot hits for IP over all days: 1
24 | 59.61.49.162; 2017-03-21 16:57:03; Honeypot hits in 3600 hash-collection seconds: 1; Cumulative honeypot hits for IP over all days: 1
25 | 168.196.127.6; 2017-03-21 16:57:06; Honeypot hits in 3600 hash-collection seconds: 1; Cumulative honeypot hits for IP over all days: 1
26 | 104.131.128.9; 2017-03-21 16:58:51; Honeypot hits in 3600 hash-collection seconds: 1; Cumulative honeypot hits for IP over all days: 2
27 | 115.73.192.50; 2017-03-21 16:59:07; Honeypot hits in 3600 hash-collection seconds: 1; Cumulative honeypot hits for IP over all days: 1
28 | 39.45.138.249; 2017-03-21 17:00:17; Honeypot hits in 3600 hash-collection seconds: 1; Cumulative honeypot hits for IP over all days: 1
29 | 112.162.97.148; 2017-03-21 17:03:29; Honeypot hits in 3600 hash-collection seconds: 1; Cumulative honeypot hits for IP over all days: 1
30 | 


--------------------------------------------------------------------------------
/tools/run_with_env.cmd:
--------------------------------------------------------------------------------
 1 | :: Copied FROM https://github.com/ogrisel/python-appveyor-demo/blob/master/appveyor/run_with_env.cmd
 2 | 
 3 | :: To build extensions for 64 bit Python 3, we need to configure environment
 4 | :: variables to use the MSVC 2010 C++ compilers from GRMSDKX_EN_DVD.iso of:
 5 | :: MS Windows SDK for Windows 7 and .NET Framework 4 (SDK v7.1)
 6 | ::
 7 | :: To build extensions for 64 bit Python 2, we need to configure environment
 8 | :: variables to use the MSVC 2008 C++ compilers from GRMSDKX_EN_DVD.iso of:
 9 | :: MS Windows SDK for Windows 7 and .NET Framework 3.5 (SDK v7.0)
10 | ::
11 | :: 32 bit builds, and 64-bit builds for 3.5 and beyond, do not require specific
12 | :: environment configurations.
13 | ::
14 | :: Note: this script needs to be run with the /E:ON and /V:ON flags for the
15 | :: cmd interpreter, at least for (SDK v7.0)
16 | ::
17 | :: More details at:
18 | :: https://github.com/cython/cython/wiki/64BitCythonExtensionsOnWindows
19 | :: http://stackoverflow.com/a/13751649/163740
20 | ::
21 | :: Author: Olivier Grisel
22 | :: License: CC0 1.0 Universal: http://creativecommons.org/publicdomain/zero/1.0/
23 | ::
24 | :: Notes about batch files for Python people:
25 | ::
26 | :: Quotes in values are literally part of the values:
27 | ::      SET FOO="bar"
28 | :: FOO is now five characters long: " b a r "
29 | :: If you don't want quotes, don't include them on the right-hand side.
30 | ::
31 | :: The CALL lines at the end of this file look redundant, but if you move them
32 | :: outside of the IF clauses, they do not run properly in the SET_SDK_64==Y
33 | :: case, I don't know why.
34 | @ECHO OFF
35 | 
36 | SET COMMAND_TO_RUN=%*
37 | SET WIN_SDK_ROOT=C:\Program Files\Microsoft SDKs\Windows
38 | SET WIN_WDK=c:\Program Files (x86)\Windows Kits\10\Include\wdf
39 | 
40 | :: Extract the major and minor versions, and allow for the minor version to be
41 | :: more than 9.  This requires the version number to have two dots in it.
42 | SET MAJOR_PYTHON_VERSION=%PYTHON_VERSION:~0,1%
43 | IF "%PYTHON_VERSION:~3,1%" == "." (
44 |     SET MINOR_PYTHON_VERSION=%PYTHON_VERSION:~2,1%
45 | ) ELSE (
46 |     SET MINOR_PYTHON_VERSION=%PYTHON_VERSION:~2,2%
47 | )
48 | 
49 | :: Based on the Python version, determine what SDK version to use, and whether
50 | :: to set the SDK for 64-bit.
51 | IF %MAJOR_PYTHON_VERSION% == 2 (
52 |     SET WINDOWS_SDK_VERSION="v7.0"
53 |     SET SET_SDK_64=Y
54 | ) ELSE (
55 |     IF %MAJOR_PYTHON_VERSION% == 3 (
56 |         SET WINDOWS_SDK_VERSION="v7.1"
57 |         IF %MINOR_PYTHON_VERSION% LEQ 4 (
58 |             SET SET_SDK_64=Y
59 |         ) ELSE (
60 |             SET SET_SDK_64=N
61 |             SET PYZMQ_BUNDLE_CRT=1
62 |             IF EXIST "%WIN_WDK%" (
63 |                 :: See: https://connect.microsoft.com/VisualStudio/feedback/details/1610302/
64 |                 REN "%WIN_WDK%" 0wdf
65 |             )
66 |         )
67 |     ) ELSE (
68 |         ECHO Unsupported Python version: "%MAJOR_PYTHON_VERSION%"
69 |         EXIT 1
70 |     )
71 | )
72 | 
73 | IF %PYTHON_ARCH% == 64 (
74 |     IF %SET_SDK_64% == Y (
75 |         ECHO Configuring Windows SDK %WINDOWS_SDK_VERSION% for Python %MAJOR_PYTHON_VERSION% on a 64 bit architecture
76 |         SET DISTUTILS_USE_SDK=1
77 |         SET MSSdk=1
78 |         "%WIN_SDK_ROOT%\%WINDOWS_SDK_VERSION%\Setup\WindowsSdkVer.exe" -q -version:%WINDOWS_SDK_VERSION%
79 |         "%WIN_SDK_ROOT%\%WINDOWS_SDK_VERSION%\Bin\SetEnv.cmd" /x64 /release
80 |         ECHO Executing: %COMMAND_TO_RUN%
81 |         call %COMMAND_TO_RUN% || EXIT 1
82 |     ) ELSE (
83 |         ECHO Using default MSVC build environment for 64 bit architecture
84 |         ECHO Executing: %COMMAND_TO_RUN%
85 |         call %COMMAND_TO_RUN% || EXIT 1
86 |     )
87 | ) ELSE (
88 |     ECHO Using default MSVC build environment for 32 bit architecture
89 |     ECHO Executing: %COMMAND_TO_RUN%
90 |     call %COMMAND_TO_RUN% || EXIT 1
91 | )
92 | 


--------------------------------------------------------------------------------
/csirtg_smrt/parser/zsmtpd.py:
--------------------------------------------------------------------------------
  1 | import asyncore
  2 | from smtpd import SMTPServer
  3 | import logging
  4 | from argparse import ArgumentParser
  5 | from argparse import RawDescriptionHelpFormatter
  6 | import textwrap
  7 | import os
  8 | import json
  9 | from pprint import pprint
 10 | import arrow
 11 | from datetime import datetime
 12 | from csirtg_smrt.smrt import Smrt
 13 | from csirtg_indicator.indicator import Indicator
 14 | #from csirtg_smrt.utils import setup_logging, get_argument_parser, setup_signals
 15 | #from csirtg_indicator.format import FORMATS
 16 | import socket
 17 | 
 18 | # logging configuration
 19 | LOG_FORMAT = '%(asctime)s - %(levelname)s - %(name)s[%(lineno)s] - %(message)s'
 20 | logger = logging.getLogger('')
 21 | 
 22 | PROVIDER = os.environ.get('CSIRTG_SMRT_SMTP_PROVIDER', socket.gethostname())
 23 | INTERFACE = os.getenv('ZSYS_INTERFACE', 'eth0')
 24 | ZYRE_GROUP = os.getenv('ZYRE_GROUP', 'spam')
 25 | 
 26 | # https://pymotw.com/2/smtpd/
 27 | # https://docs.python.org/3/library/smtpd.html
 28 | class EmlServer(SMTPServer):
 29 |     client = None
 30 |     no = 0
 31 |     log_message = None
 32 | 
 33 |     def process_message(self, peer, mailfrom, rcpttos, data):
 34 |         if self.log_message:
 35 |             filename = '%s/%s-%d.eml' % (self.log_message, datetime.now().strftime('%Y%m%d%H%M%S'), self.no)
 36 |             f = open(filename, 'w')
 37 |             f.write(data)
 38 |             f.close
 39 |             logger.info('%s saved.' % filename)
 40 | 
 41 |         m = {
 42 |             'peer': peer,
 43 |             'mailfrom': mailfrom,
 44 |             'rcpttos': rcpttos,
 45 |             'data': data
 46 |         }
 47 |         logger.debug('{}'.format(json.dumps(m, indent=4)))
 48 |         ts = datetime.utcnow().strftime('%Y-%m-%dT%H:%M:%S.%sZ')
 49 |         i = Indicator(
 50 |             indicator=peer[0],
 51 |             tags=['smtp', 'spam', 'relay'],
 52 |             description='peer using open smtp relay',
 53 |             provider=PROVIDER,
 54 |             portlist=25,
 55 |             message=data,
 56 |             lasttime=ts,
 57 |             firsttime=ts,
 58 |             reporttime=ts,
 59 |             additional_data={
 60 |                 'from': mailfrom,
 61 |                 'recpttos': rcpttos,
 62 |                 'src_portlist': peer[1],
 63 |             }
 64 |         )
 65 | 
 66 |         logger.debug(i)
 67 |         if self.client:
 68 |             self.client.indicators_create(i)
 69 | 
 70 |         self.no += 1
 71 | 
 72 | 
 73 | def main():
 74 |     p = ArgumentParser(
 75 |         description=textwrap.dedent('''\
 76 |                 example usage:
 77 |                     $ csirtg-smtpd
 78 |                     $ ZYRE_GROUP=honeynet csirtg-smtod --port 2525
 79 |                 '''),
 80 |         formatter_class=RawDescriptionHelpFormatter,
 81 |         prog='csirtg-smtpd',
 82 |     )
 83 | 
 84 |     p.add_argument('--client', default='stdout')
 85 |     p.add_argument('--port', help='specify smtp listener port', default=2525)
 86 |     p.add_argument('--listen', default='localhost')
 87 |     p.add_argument('--interface', default=INTERFACE)
 88 |     p.add_argument('--group', default=ZYRE_GROUP)
 89 |     p.add_argument('-d', '--debug', action='store_true')
 90 |     p.add_argument('--log')
 91 |     p.add_argument('--remote')
 92 |     p.add_argument('--user')
 93 |     p.add_argument('--feed')
 94 |     p.add_argument('--token')
 95 | 
 96 |     args = p.parse_args()
 97 | 
 98 |     loglevel = logging.INFO
 99 |     verbose = False
100 |     if args.debug:
101 |         loglevel = logging.DEBUG
102 |         verbose = '1'
103 | 
104 |     console = logging.StreamHandler()
105 |     logging.getLogger('').setLevel(loglevel)
106 |     console.setFormatter(logging.Formatter(LOG_FORMAT))
107 |     logging.getLogger('').addHandler(console)
108 |     logging.propagate = False
109 | 
110 |     logger.info('starting listener: {}:{}'.format(args.listen, args.port))
111 |     server = EmlServer((args.listen, int(args.port)), None)
112 |     if args.log:
113 |         logger.info('logging messages to: {}'.format(args.log))
114 |         server.log_message = args.log
115 | 
116 |     if args.client != 'stdout':
117 |         s = Smrt(remote=args.remote, token=args.token, username=args.user, client=args.client, feed=args.feed)
118 |         server.client = s.client
119 |         server.client.start()
120 | 
121 |     try:
122 |         asyncore.loop()
123 |     except KeyboardInterrupt:
124 |         pass
125 | 
126 | 
127 | if __name__ == '__main__':
128 |     main()
129 | 


--------------------------------------------------------------------------------
/test/csirtg/feed.txt:
--------------------------------------------------------------------------------
 1 | # THIS IS A UNAUTHENTICATED AND LIMITED FEED PROVIDED BY https://csirtg.io
 2 | # IT IS LICENSED UNDER THE http://creativecommons.org/licenses/by-sa/4.0 LICENSE
 3 | # THE LIMITS ARE RESULTS CREATED WITHIN THE LAST HOUR AND A MAXIMUM RETURN OF 25
 4 | # TO REMOVE THE LIMITS, SIGN UP FOR AN API KEY AT https://csirtg.io
 5 | # ENJOY!
 6 | # id,indicator,itype,portlist,firsttime,lasttime,protocol,application,feed_id,created_at,updated_at,description,portlist_src
 7 | 337406,80.82.78.27,ipv4,3389,,,6,,46,2016-03-23 20:35:01 UTC,2016-03-23 20:35:01 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",42775
 8 | 337401,216.243.31.2,ipv4,443,,2016-03-23 20:17:26 UTC,6,,46,2016-03-23 20:22:27 UTC,2016-03-23 20:22:27 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
 9 | 337400,91.236.75.4,ipv4,8080,,2016-03-23 20:14:53 UTC,6,,46,2016-03-23 20:17:26 UTC,2016-03-23 20:17:26 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
10 | 337399,115.230.124.68,ipv4,1433,,2016-03-23 20:14:43 UTC,6,,46,2016-03-23 20:17:26 UTC,2016-03-23 20:17:26 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
11 | 337398,64.125.239.15,ipv4,8000,,,6,,46,2016-03-23 20:10:02 UTC,2016-03-23 20:10:02 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",60484
12 | 337392,93.174.93.94,ipv4,5900,,2016-03-23 20:03:40 UTC,6,,46,2016-03-23 20:07:26 UTC,2016-03-23 20:07:26 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
13 | 337391,122.233.251.205,ipv4,110,,2016-03-23 20:03:19 UTC,6,,46,2016-03-23 20:07:26 UTC,2016-03-23 20:07:26 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
14 | 337390,122.233.251.205,ipv4,110,,2016-03-23 20:03:13 UTC,6,,46,2016-03-23 20:07:25 UTC,2016-03-23 20:07:25 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
15 | 337389,122.233.251.205,ipv4,110,,2016-03-23 20:03:10 UTC,6,,46,2016-03-23 20:07:25 UTC,2016-03-23 20:07:25 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
16 | 337385,222.186.51.180,ipv4,1433,,2016-03-23 19:58:03 UTC,6,,46,2016-03-23 20:02:25 UTC,2016-03-23 20:02:25 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
17 | 337384,59.9.48.2,ipv4,23,,,6,,46,2016-03-23 20:00:04 UTC,2016-03-23 20:00:04 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",48900
18 | 337383,90.16.74.112,ipv4,47623,,,6,,46,2016-03-23 20:00:03 UTC,2016-03-23 20:00:03 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",53689
19 | 337382,90.16.74.112,ipv4,47623,,,6,,46,2016-03-23 20:00:03 UTC,2016-03-23 20:00:03 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",53689
20 | 337381,90.16.74.112,ipv4,47623,,,6,,46,2016-03-23 20:00:01 UTC,2016-03-23 20:00:01 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",53689
21 | 337380,45.35.20.231,ipv4,1433,,,6,,46,2016-03-23 20:00:01 UTC,2016-03-23 20:00:01 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",6000
22 | 337379,93.174.93.94,ipv4,23,,2016-03-23 19:57:21 UTC,6,,46,2016-03-23 19:57:25 UTC,2016-03-23 19:57:25 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
23 | 337378,183.60.227.122,ipv4,1434,,2016-03-23 19:56:58 UTC,6,,46,2016-03-23 19:57:25 UTC,2016-03-23 19:57:25 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
24 | 337377,182.59.202.61,ipv4,23,,2016-03-23 19:51:17 UTC,6,,46,2016-03-23 19:52:24 UTC,2016-03-23 19:52:24 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
25 | 337376,182.59.202.61,ipv4,23,,2016-03-23 19:51:11 UTC,6,,46,2016-03-23 19:52:24 UTC,2016-03-23 19:52:24 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
26 | 337375,182.59.202.61,ipv4,23,,2016-03-23 19:51:08 UTC,6,,46,2016-03-23 19:52:24 UTC,2016-03-23 19:52:24 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
27 | 337374,23.102.43.117,ipv4,22,,,6,,46,2016-03-23 19:45:01 UTC,2016-03-23 19:45:01 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",30985
28 | 337370,216.121.233.27,ipv4,49786,,,6,,46,2016-03-23 19:40:04 UTC,2016-03-23 19:40:04 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",54322
29 | 337369,216.121.233.27,ipv4,49786,,,6,,46,2016-03-23 19:40:03 UTC,2016-03-23 19:40:03 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",54322
30 | 337368,216.121.233.27,ipv4,49786,,,6,,46,2016-03-23 19:40:03 UTC,2016-03-23 19:40:03 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",54322
31 | 337367,109.111.134.64,ipv4,49786,,,6,,46,2016-03-23 19:40:02 UTC,2016-03-23 19:40:02 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",55767
32 | 


--------------------------------------------------------------------------------
/test/smrt/data/feed.txt:
--------------------------------------------------------------------------------
 1 | # THIS IS A UNAUTHENTICATED AND LIMITED FEED PROVIDED BY https://csirtg.io
 2 | # IT IS LICENSED UNDER THE http://creativecommons.org/licenses/by-sa/4.0 LICENSE
 3 | # THE LIMITS ARE RESULTS CREATED WITHIN THE LAST HOUR AND A MAXIMUM RETURN OF 25
 4 | # TO REMOVE THE LIMITS, SIGN UP FOR AN API KEY AT https://csirtg.io
 5 | # ENJOY!
 6 | # id,indicator,itype,portlist,firsttime,lasttime,protocol,application,feed_id,created_at,updated_at,description,portlist_src
 7 | 337406,80.82.78.27,ipv4,3389,,,6,,46,2016-03-23 20:35:01 UTC,2016-03-23 20:35:01 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",42775
 8 | 337401,216.243.31.2,ipv4,443,,2016-03-23 20:17:26 UTC,6,,46,2016-03-23 20:22:27 UTC,2016-03-23 20:22:27 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
 9 | 337400,91.236.75.4,ipv4,8080,,2016-03-23 20:14:53 UTC,6,,46,2016-03-23 20:17:26 UTC,2016-03-23 20:17:26 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
10 | 337399,115.230.124.68,ipv4,1433,,2016-03-23 20:14:43 UTC,6,,46,2016-03-23 20:17:26 UTC,2016-03-23 20:17:26 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
11 | 337398,64.125.239.15,ipv4,8000,,,6,,46,2016-03-23 20:10:02 UTC,2016-03-23 20:10:02 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",60484
12 | 337392,93.174.93.94,ipv4,5900,,2016-03-23 20:03:40 UTC,6,,46,2016-03-23 20:07:26 UTC,2016-03-23 20:07:26 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
13 | 337391,122.233.251.205,ipv4,110,,2016-03-23 20:03:19 UTC,6,,46,2016-03-23 20:07:26 UTC,2016-03-23 20:07:26 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
14 | 337390,122.233.251.205,ipv4,110,,2016-03-23 20:03:13 UTC,6,,46,2016-03-23 20:07:25 UTC,2016-03-23 20:07:25 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
15 | 337389,122.233.251.205,ipv4,110,,2016-03-23 20:03:10 UTC,6,,46,2016-03-23 20:07:25 UTC,2016-03-23 20:07:25 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
16 | 337385,222.186.51.180,ipv4,1433,,2016-03-23 19:58:03 UTC,6,,46,2016-03-23 20:02:25 UTC,2016-03-23 20:02:25 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
17 | 337384,59.9.48.2,ipv4,23,,,6,,46,2016-03-23 20:00:04 UTC,2016-03-23 20:00:04 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",48900
18 | 337383,90.16.74.112,ipv4,47623,,,6,,46,2016-03-23 20:00:03 UTC,2016-03-23 20:00:03 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",53689
19 | 337382,90.16.74.112,ipv4,47623,,,6,,46,2016-03-23 20:00:03 UTC,2016-03-23 20:00:03 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",53689
20 | 337381,90.16.74.112,ipv4,47623,,,6,,46,2016-03-23 20:00:01 UTC,2016-03-23 20:00:01 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",53689
21 | 337380,45.35.20.231,ipv4,1433,,,6,,46,2016-03-23 20:00:01 UTC,2016-03-23 20:00:01 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",6000
22 | 337379,93.174.93.94,ipv4,23,,2016-03-23 19:57:21 UTC,6,,46,2016-03-23 19:57:25 UTC,2016-03-23 19:57:25 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
23 | 337378,183.60.227.122,ipv4,1434,,2016-03-23 19:56:58 UTC,6,,46,2016-03-23 19:57:25 UTC,2016-03-23 19:57:25 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
24 | 337377,182.59.202.61,ipv4,23,,2016-03-23 19:51:17 UTC,6,,46,2016-03-23 19:52:24 UTC,2016-03-23 19:52:24 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
25 | 337376,182.59.202.61,ipv4,23,,2016-03-23 19:51:11 UTC,6,,46,2016-03-23 19:52:24 UTC,2016-03-23 19:52:24 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
26 | 337375,182.59.202.61,ipv4,23,,2016-03-23 19:51:08 UTC,6,,46,2016-03-23 19:52:24 UTC,2016-03-23 19:52:24 UTC,"sourced from firewall logs (incomming, TCP, Syn, blocked)",
27 | 337374,23.102.43.117,ipv4,22,,,6,,46,2016-03-23 19:45:01 UTC,2016-03-23 19:45:01 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",30985
28 | 337370,216.121.233.27,ipv4,49786,,,6,,46,2016-03-23 19:40:04 UTC,2016-03-23 19:40:04 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",54322
29 | 337369,216.121.233.27,ipv4,49786,,,6,,46,2016-03-23 19:40:03 UTC,2016-03-23 19:40:03 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",54322
30 | 337368,216.121.233.27,ipv4,49786,,,6,,46,2016-03-23 19:40:03 UTC,2016-03-23 19:40:03 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",54322
31 | 337367,109.111.134.64,ipv4,49786,,,6,,46,2016-03-23 19:40:02 UTC,2016-03-23 19:40:02 UTC,"sourced from firewall logs (incomming WAN, TCP, Syn, blocked)",55767
32 | 


--------------------------------------------------------------------------------
/test/smrt/test_archiver.py:
--------------------------------------------------------------------------------
  1 | import py.test
  2 | 
  3 | from csirtg_smrt import Smrt
  4 | from csirtg_smrt.constants import REMOTE_ADDR
  5 | from pprint import pprint
  6 | import tempfile
  7 | from csirtg_smrt.archiver import Archiver
  8 | import logging
  9 | 
 10 | #logging.basicConfig(level=logging.DEBUG)
 11 | 
 12 | 
 13 | def test_smrt_archiver_lasttime():
 14 |     tmpfile = tempfile.mktemp()
 15 |     archiver = Archiver(dbfile=tmpfile)
 16 |     rule = 'test/smrt/rules/archiver.yml'
 17 |     feed = 'lasttime'
 18 | 
 19 |     with Smrt(REMOTE_ADDR, 1234, client='stdout', archiver=archiver) as s:
 20 |         assert type(s) is Smrt
 21 | 
 22 |         for r, f in s.load_feeds(rule, feed=feed):
 23 |             x = list(s.process(r, f))
 24 |             assert len(x) > 0
 25 | 
 26 |             f = {i.indicator: i.__dict__() for i in x}
 27 |             assert f['216.243.31.2']['lasttime'] == '2016-03-23T20:22:27.000000Z'
 28 | 
 29 |     with Smrt(REMOTE_ADDR, 1234, client='stdout', archiver=archiver) as s:
 30 |         assert type(s) is Smrt
 31 | 
 32 |         for r, f in s.load_feeds(rule, feed=feed):
 33 |             x = list(s.process(r, f))
 34 |             assert len(x) == 0
 35 | 
 36 | 
 37 | def test_smrt_archiver_firsttime():
 38 |     tmpfile = tempfile.mktemp()
 39 |     archiver = Archiver(dbfile=tmpfile)
 40 |     rule = 'test/smrt/rules/archiver.yml'
 41 |     feed = 'firsttime'
 42 | 
 43 |     with Smrt(REMOTE_ADDR, 1234, client='stdout', archiver=archiver) as s:
 44 |         assert type(s) is Smrt
 45 | 
 46 |         for r, f in s.load_feeds(rule, feed=feed):
 47 |             x = list(s.process(r, f))
 48 |             assert len(x) > 0
 49 | 
 50 |             f = {i.indicator: i.__dict__() for i in x}
 51 |             assert f['216.243.31.2']['lasttime'] == '2016-03-23T20:22:27.000000Z'
 52 | 
 53 |     with Smrt(REMOTE_ADDR, 1234, client='stdout', archiver=archiver) as s:
 54 |         assert type(s) is Smrt
 55 | 
 56 |         for r, f in s.load_feeds(rule, feed=feed):
 57 |             x = list(s.process(r, f))
 58 |             assert len(x) == 0
 59 | 
 60 | 
 61 | def test_smrt_archiver_both():
 62 |     tmpfile = tempfile.mktemp()
 63 |     archiver = Archiver(dbfile=tmpfile)
 64 |     rule = 'test/smrt/rules/archiver.yml'
 65 |     feed = 'both'
 66 | 
 67 |     with Smrt(REMOTE_ADDR, 1234, client='stdout', archiver=archiver) as s:
 68 |         assert type(s) is Smrt
 69 | 
 70 |         for r, f in s.load_feeds(rule, feed=feed):
 71 |             x = list(s.process(r, f))
 72 |             assert len(x) > 0
 73 | 
 74 |             f = {i.indicator: i.__dict__() for i in x}
 75 |             assert f['216.243.31.2']['lasttime'] == '2016-03-23T20:22:27.000000Z'
 76 | 
 77 |     with Smrt(REMOTE_ADDR, 1234, client='stdout', archiver=archiver) as s:
 78 |         assert type(s) is Smrt
 79 | 
 80 |         for r, f in s.load_feeds(rule, feed=feed):
 81 |             x = list(s.process(r, f))
 82 |             assert len(x) == 0
 83 | 
 84 | 
 85 | def test_smrt_archiver_neither():
 86 |     tmpfile = tempfile.mktemp()
 87 |     archiver = Archiver(dbfile=tmpfile)
 88 |     rule = 'test/smrt/rules/archiver.yml'
 89 |     feed = 'neither'
 90 | 
 91 |     with Smrt(REMOTE_ADDR, 1234, client='stdout', archiver=archiver) as s:
 92 |         assert type(s) is Smrt
 93 | 
 94 |         for r, f in s.load_feeds(rule, feed=feed):
 95 |             x = list(s.process(r, f))
 96 |             assert len(x) > 0
 97 | 
 98 |             f = {i.indicator: i.__dict__() for i in x}
 99 |             
100 |             assert f['216.243.31.2'].get('lasttime') is None
101 | 
102 |     with Smrt(REMOTE_ADDR, 1234, client='stdout', archiver=archiver) as s:
103 |         assert type(s) is Smrt
104 | 
105 |         for r, f in s.load_feeds(rule, feed=feed):
106 |             x = list(s.process(r, f))
107 |             assert len(x) == 0
108 | 
109 | 
110 | def test_smrt_archiver_lasttime_clear():
111 |     tmpfile = tempfile.mktemp()
112 |     archiver = Archiver(dbfile=tmpfile)
113 |     rule = 'test/smrt/rules/archiver.yml'
114 |     feed = 'lasttime'
115 | 
116 |     with Smrt(REMOTE_ADDR, 1234, client='stdout', archiver=archiver) as s:
117 |         assert type(s) is Smrt
118 | 
119 |         for r, f in s.load_feeds(rule, feed=feed):
120 |             x = list(s.process(r, f))
121 |             assert len(x) > 0
122 | 
123 |             f = {i.indicator: i.__dict__() for i in x}
124 |             assert f['216.243.31.2']['lasttime'] == '2016-03-23T20:22:27.000000Z'
125 | 
126 |     archiver.clear_memcache()
127 |     with Smrt(REMOTE_ADDR, 1234, client='stdout', archiver=archiver) as s:
128 |         assert type(s) is Smrt
129 | 
130 |         for r, f in s.load_feeds(rule, feed=feed):
131 |             x = list(s.process(r, f))
132 |             assert len(x) == 0


--------------------------------------------------------------------------------
/csirtg_smrt/rule.py:
--------------------------------------------------------------------------------
  1 | import yaml
  2 | import json
  3 | import logging
  4 | from csirtg_smrt.exceptions import RuleUnsupported
  5 | from csirtg_smrt.utils.zcontent import is_expected_file
  6 | import os
  7 | 
  8 | 
  9 | class Rule(dict):
 10 | 
 11 |     def __init__(self, path=None, rule=None, **kwargs):
 12 |         self.logger = logging.getLogger(__name__)
 13 |         if path:
 14 |             if path.endswith('.yml'):
 15 |                 with open(path) as f:
 16 |                     try:
 17 |                         d = yaml.safe_load(f)
 18 |                     except Exception as e:
 19 |                         self.logger.error('unable to parse {0}'.format(path))
 20 |                         raise RuntimeError(e)
 21 | 
 22 |                 self.defaults = d.get('defaults')
 23 |                 self.feeds = d.get('feeds')
 24 |                 self.parser = d.get('parser')
 25 |                 self.fetcher = d.get('fetcher')
 26 |                 self.skip = d.get('skip')
 27 |                 self.skip_first = d.get('skip_first')
 28 |                 self.remote = d.get('remote')
 29 |                 self.replace = d.get('replace')
 30 |                 self.itype = d.get('itype')
 31 |                 self.remote_pattern = d.get('remote_pattern')
 32 |                 self.token = d.get('token')
 33 |                 self.token_header = d.get('token_header')
 34 |                 self.username = d.get("username")
 35 |                 self.password = d.get("password")
 36 |                 self.filters = d.get('filters')
 37 |                 self.delim_pattern = d.get('delim_pattern')
 38 |                 self.line_filter = d.get('line_filter')
 39 |                 self.limit = d.get('limit')
 40 |                 if d.get('key_file'):
 41 |                     if is_expected_file(d['key_file'], '.pem'):
 42 |                         self.key_file = d.get('key_file')
 43 |                 else:
 44 |                     self.key_file = None
 45 | 
 46 |                 if d.get('cert_file'):
 47 |                     if is_expected_file(d['cert_file'], '.crt'):
 48 |                         self.cert_file = d.get('cert_file')
 49 |                 else:
 50 |                     self.cert_file = None
 51 | 
 52 |             else:
 53 |                 raise RuleUnsupported('unsupported file type: {}'.format(path))
 54 |         else:
 55 |             self.defaults = rule.get('defaults')
 56 |             self.feeds = rule.get('feeds')
 57 |             self.parser = rule.get('parser')
 58 |             self.fetcher = rule.get('fetcher')
 59 |             self.skip = rule.get('skip')
 60 |             self.skip_first = rule.get('skip_first')
 61 |             self.remote = rule.get('remote')
 62 |             self.replace = rule.get('replace')
 63 |             self.itype = rule.get('itype')
 64 |             self.remote_pattern = rule.get('remote_pattern')
 65 |             self.token = rule.get('token')
 66 |             self.token_header = rule.get('token_header')
 67 |             self.username = rule.get('username')
 68 |             self.password = rule.get('password')
 69 |             self.filters = rule.get('filters')
 70 |             self.delim_pattern = rule.get('delim_pattern')
 71 |             self.line_filter = rule.get('line_filter')
 72 |             self.limit = rule.get('limit')
 73 |             if rule.get('key_file'):
 74 |                 if is_expected_file(rule['key_file'], '.pem'):
 75 |                     self.key_file = rule.get('key_file')
 76 |             else:
 77 |                 self.key_file = None
 78 | 
 79 |             if rule.get('cert_file'):
 80 |                 if is_expected_file(rule['cert_file'], '.crt'):
 81 |                     self.cert_file = rule.get('cert_file')
 82 |             else:
 83 |                 self.cert_file = None
 84 | 
 85 |         if self.token and self.token.endswith('_TOKEN'):
 86 |             self.token = os.getenv(self.token)
 87 | 
 88 |     def __repr__(self):
 89 |         return json.dumps({
 90 |             "defaults": self.defaults,
 91 |             "feeds": self.feeds,
 92 |             "parser": self.parser,
 93 |             "fetcher": self.fetcher,
 94 |             'skip': self.skip,
 95 |             "skip_first": self.skip_first,
 96 |             'remote': self.remote,
 97 |             'remote_pattern': self.remote_pattern,
 98 |             'replace': self.replace,
 99 |             'itype': self.itype,
100 |             'filters': self.filters,
101 |             'delim_pattern': self.delim_pattern,
102 |             'line_filter': self.line_filter,
103 |             'limit': self.limit,
104 |             'token': self.token,
105 |             'key_file': self.key_file,
106 |             'cert_file': self.cert_file
107 |         }, sort_keys=True, indent=4, separators=(',', ': '))
108 | 


--------------------------------------------------------------------------------
/csirtg_smrt/client/zcifv2.py:
--------------------------------------------------------------------------------
  1 | from cifsdk.client.http import HTTP as HTTPClient
  2 | import os
  3 | import logging
  4 | from pprint import pprint
  5 | import ujson as json
  6 | from cifsdk.exceptions import AuthError
  7 | import zlib
  8 | from base64 import b64decode
  9 | import binascii
 10 | import arrow
 11 | 
 12 | REMOTE = os.environ.get('CSIRTG_SMRT_CIF_REMOTE', 'http://localhost:5000')
 13 | 
 14 | logger = logging.getLogger(__name__)
 15 | 
 16 | 
 17 | class CIF(HTTPClient):
 18 | 
 19 |     def __init__(self, remote=None, token=None, **kwargs):
 20 |         if not remote:
 21 |             remote = REMOTE
 22 | 
 23 |         super(CIF, self).__init__(remote, token, **kwargs)
 24 | 
 25 |         self.session.headers["Accept"] = 'application/vnd.cif.v2+json'
 26 |         del self.session.headers['Accept-Encoding']
 27 |         #self.nowait = True
 28 | 
 29 |     def _get(self, uri, params={}):
 30 |         if not uri.startswith('http'):
 31 |             uri = self.remote + uri
 32 | 
 33 |         body = self.session.get(uri, params=params, verify=self.verify_ssl)
 34 | 
 35 |         if body.status_code > 303:
 36 |             err = 'request failed: %s' % str(body.status_code)
 37 |             logger.error(err)
 38 | 
 39 |             if body.status_code == 401:
 40 |                 raise AuthError('invalid token')
 41 |             elif body.status_code == 404:
 42 |                 err = 'not found'
 43 |                 raise RuntimeError(err)
 44 |             elif body.status_code == 408:
 45 |                 raise TimeoutError('timeout')
 46 |             else:
 47 |                 try:
 48 |                     err = json.loads(body.content).get('message')
 49 |                     raise RuntimeError(err)
 50 |                 except ValueError as e:
 51 |                     err = body.content
 52 |                     logger.error(err)
 53 |                     raise RuntimeError(err)
 54 | 
 55 |         data = body.content
 56 |         try:
 57 |             data = zlib.decompress(b64decode(data))
 58 |         except (TypeError, binascii.Error) as e:
 59 |             pass
 60 |         except Exception as e:
 61 |             pass
 62 | 
 63 |         msgs = json.loads(data.decode('utf-8'))
 64 |         if not msgs.get('data'):
 65 |             return msgs
 66 | 
 67 |         if isinstance(msgs['data'], list):
 68 |             for m in msgs['data']:
 69 |                 if m.get('message'):
 70 |                     try:
 71 |                         m['message'] = b64decode(m['message'])
 72 |                     except Exception as e:
 73 |                         pass
 74 |         return msgs
 75 | 
 76 |     def _post(self, uri, data):
 77 |         if type(data) == dict:
 78 |             data = [data]
 79 | 
 80 |         if type(data[0]) != dict:
 81 |             raise RuntimeError('submitted data must be a dictionary')
 82 | 
 83 |         data = json.dumps(data)
 84 | 
 85 |         if self.nowait:
 86 |             uri = "{0}?nowait=1".format(uri)
 87 | 
 88 |         logger.debug('uri: %s' % uri)
 89 | 
 90 |         body = self.session.post(uri, data=data, verify=self.verify_ssl)
 91 |         logger.debug('status code: ' + str(body.status_code))
 92 |         if body.status_code > 299:
 93 |             logger.error('request failed: %s' % str(body.status_code))
 94 |             logger.error(json.loads(body.text).get('message'))
 95 |             return None
 96 | 
 97 |         body = json.loads(body.text)
 98 |         return body
 99 | 
100 |     def indicators_create(self, data):
101 |         if not isinstance(data, list):
102 |             data = [data]
103 | 
104 |         new = []
105 |         for d in data:
106 |             d = d.__dict__()
107 |             d['observable'] = d.pop('indicator')
108 |             d['otype'] = d.pop('itype')
109 | 
110 |             if d.get('reporttime'):
111 |                 d['reporttime'] = arrow.get(d['reporttime']).datetime.strftime('%Y-%m-%dT%m:%H:%SZ')
112 | 
113 |             if d.get('lasttime'):
114 |                 d['lasttime'] = arrow.get(d['lasttime']).datetime.strftime('%Y-%m-%dT%m:%H:%SZ')
115 |             else:
116 |                 d['lasttime'] = d['reporttime']
117 | 
118 |             if d.get('firsttime'):
119 |                 d['firsttime'] = arrow.get(d['firsttime']).datetime.strftime('%Y-%m-%dT%m:%H:%SZ')
120 | 
121 |             if d.get('reference'):
122 |                 d['altid'] = d['reference']
123 |                 d['altid_tlp'] = d.get('reference_tlp')
124 | 
125 |             del d['uuid']
126 |             del d['count']
127 |             new.append(d)
128 | 
129 |         data = new
130 | 
131 |         uri = "{0}/observables".format(self.remote)
132 |         logger.debug(uri)
133 | 
134 |         rv = self._post(uri, data)
135 |         return len(rv)
136 | 
137 | Plugin = CIF
138 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
  1 | NAME = csirtg-smrt
  2 | VERSION := $(shell git describe | cut -f1 -d' ')
  3 | OS = $(shell uname -s)
  4 | PYTHON = python
  5 | 
  6 | .PHONY: all build test
  7 | 
  8 | all: build test
  9 | 
 10 | test:
 11 | 	py.test --cov=csirtg-smrt
 12 | 
 13 | pep8:
 14 | 	@echo "#############################################"
 15 | 	@echo "# Running PEP8 Compliance Tests"
 16 | 	@echo "#############################################"
 17 | 	-pep8 -r --ignore=E501,E221,W291,W391,E302,E251,E203,W293,E231,E303,E201,E225,E261,E241 csirtg_smrt/
 18 | 
 19 | python:
 20 | 	$(PYTHON) setup.py build
 21 | 
 22 | install:
 23 | 	$(PYTHON) setup.py install
 24 | 
 25 | clean:
 26 | 	@echo "Cleaning up distutils stuff"
 27 | 	rm -rf build
 28 | 	rm -rf dist
 29 | 	@echo "Cleaning up byte compiled python stuff"
 30 | 	find . -type f -regex ".*\.py[co]$$" -delete
 31 | 	find . -type d -regex ".*__pycache__" -delete
 32 | 	@echo "Cleaning up output from test runs"
 33 | 	rm -rf tests/__pycache__
 34 | 	@echo "Cleaning up RPM building stuff"
 35 | 	rm -rf MANIFEST rpm-build
 36 | 	@echo "Cleaning up Debian building stuff"
 37 | 	find . -type f -name '*.pyc' -delete
 38 | 
 39 | sdist: clean
 40 | 	$(PYTHON) setup.py sdist
 41 | 
 42 | wheel: clean
 43 | 	$(PYTHON) setup.py bdist_wheel
 44 | 
 45 | # Pyinstaller params
 46 | # https://mborgerson.com/creating-an-executable-from-a-python-script
 47 | # TODO - move build up to main dir instead of cif/ fix the pathex in specs
 48 | PYINSTALLER = pyinstaller
 49 | PYINSTALLER_OPTS = --distpath=$(PYINSTALLER_DIST_PATH) --workpath=$(PYINSTALLER_WORK_PATH) -y --onefile
 50 | PYINSTALLER_SPEC_DIR = packaging/pyinstaller
 51 | PYINSTALLER_SPECS = csirtg-smrt.spec
 52 | PYINSTALLER_BUILD = pyinstaller-build
 53 | PYINSTALLER_DIST_PATH = dist
 54 | PYINSTALLER_WORK_PATH = temp
 55 | VERSION = `git describe`
 56 | 
 57 | bin:
 58 | 	mkdir -p $(PYINSTALLER_BUILD) ;
 59 | 	rm -rf $(PYINSTALLER_BUILD)/$(PYINSTALLER_WORK_PATH)/*
 60 | 	cp -a csirtg_smrt $(PYINSTALLER_BUILD) ;
 61 | 	echo $(VERSION) > _version ;
 62 | 	cp -a $(PYINSTALLER_SPEC_DIR)/*.spec $(PYINSTALLER_BUILD)/ ;
 63 | 	@for SPEC in $(PYINSTALLER_SPECS) ; do \
 64 | 		(cd $(PYINSTALLER_BUILD) && $(PYINSTALLER) $(PYINSTALLER_OPTS) $${SPEC} ) ; \
 65 | 	done
 66 | 
 67 | pyinstaller-clean:
 68 | 	rm -rf
 69 | 
 70 | 
 71 | # DEB build parameters
 72 | DEBUILD_BIN ?= debuild
 73 | DPUT_BIN ?= dput
 74 | DPUT_OPTS ?=
 75 | DEB_DATE := $(shell date +"%a, %d %b %Y %T %z")
 76 | ifeq ($(OFFICIAL),yes)
 77 |     DEB_RELEASE = $(RELEASE)ppa
 78 |     # Sign OFFICIAL builds using 'DEBSIGN_KEYID'
 79 |     # DEBSIGN_KEYID is required when signing
 80 |     ifneq ($(DEBSIGN_KEYID),)
 81 |         DEBUILD_OPTS += -k$(DEBSIGN_KEYID)
 82 |     endif
 83 | else
 84 |     DEB_RELEASE = 0.git$(DATE)$(GITINFO)
 85 |     # Do not sign unofficial builds
 86 |     DEBUILD_OPTS += -uc -us
 87 |     DPUT_OPTS += -u
 88 | endif
 89 | DEBUILD = $(DEBUILD_BIN) $(DEBUILD_OPTS)
 90 | DEB_PPA ?= ppa
 91 | # Choose the desired Ubuntu release: lucid precise saucy trusty
 92 | DEB_DIST ?= unstable
 93 | 
 94 | debian:
 95 | 	@for DIST in $(DEB_DIST) ; do \
 96 | 	    mkdir -p deb-build/$${DIST}/$(NAME)-$(VERSION)/ ; \
 97 | 	    cp -a packaging/debian deb-build/$${DIST}/$(NAME)-$(VERSION)/ ; \
 98 | 	    cp -a $(PYINSTALLER_BUILD)/$(PYINSTALLER_DIST_PATH)/* deb-build/$${DIST}/$(NAME)-$(VERSION)/ ; \
 99 |         sed -ie "s|%VERSION%|$(VERSION)|g;s|%RELEASE%|$(DEB_RELEASE)|;s|%DIST%|$${DIST}|g;s|%DATE%|$(DEB_DATE)|g" deb-build/$${DIST}/$(NAME)-$(VERSION)/debian/changelog ; \
100 | 	done
101 | 
102 | deb: debian
103 | 	@for DIST in $(DEB_DIST) ; do \
104 | 	    (cd deb-build/$${DIST}/$(NAME)-$(VERSION)/ && $(DEBUILD) -b) ; \
105 | 	done
106 | 	@echo "#############################################"
107 | 	@echo "csirtg-smrt DEB artifacts:"
108 | 	@for DIST in $(DEB_DIST) ; do \
109 | 	    echo deb-build/$${DIST}/$(NAME)_$(VERSION)-$(DEB_RELEASE)~$${DIST}_amd64.changes ; \
110 | 	done
111 | 	@echo "#############################################"
112 | 
113 | debian-clean:
114 | 	rm -rf deb-build
115 | 
116 | # RPM build parameters
117 | RPMSPECDIR= packaging/rpm
118 | RPMSPEC = $(RPMSPECDIR)/bearded-avenger.spec
119 | RPMDIST = $(shell rpm --eval '%{?dist}')
120 | RPMRELEASE = $(RELEASE)
121 | ifneq ($(OFFICIAL),yes)
122 |     RPMRELEASE = 0.git$(DATE)$(GITINFO)
123 | endif
124 | RPMNVR = "$(NAME)-$(VERSION)-$(RPMRELEASE)$(RPMDIST)"
125 | 
126 | rpmcommon: pyinstaller-clean bin
127 | 	@mkdir -p rpm-build
128 | 	cp -a $(PYINSTALLER_DIST_PATH)/* rpm-build/
129 | 	cp -a packaging/rpm/*.spec rpm-build/
130 | 	@sed -e 's#^Version:.*#Version: $(VERSION)#' -e 's#^Release:.*#Release: $(RPMRELEASE)%{?dist}#' $(RPMSPEC) >rpm-build/$(NAME).spec
131 | 
132 | rpm: rpmcommon
133 | 	@rpmbuild --define "_topdir %(pwd)/rpm-build" \
134 | 	--define "_builddir %{_topdir}" \
135 | 	--define "_rpmdir %{_topdir}" \
136 | 	--define "_srcrpmdir %{_topdir}" \
137 | 	--define "_specdir $(RPMSPECDIR)" \
138 | 	--define "_sourcedir %{_topdir}" \
139 | 	--define "_rpmfilename %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm" \
140 | 	-ba rpm-build/$(NAME).spec
141 | 	@rm -f rpm-build/$(NAME).spec
142 | 	@echo "#############################################"
143 | 	@echo "bearded-avenger RPM is built:"
144 | 	@echo "    rpm-build/$(RPMNVR).noarch.rpm"
145 | 	@echo "#############################################"
146 | 
147 | clean: debian-clean pyinstaller-clean
148 | 


--------------------------------------------------------------------------------
/csirtg_smrt/parser/__init__.py:
--------------------------------------------------------------------------------
  1 | import copy
  2 | import logging
  3 | import re
  4 | import math
  5 | from ..constants import PYVERSION, FIREBALL_SIZE
  6 | 
  7 | RE_COMMENTS = '^([#|;]+)'
  8 | 
  9 | 
 10 | class Parser(object):
 11 | 
 12 |     def __init__(self, client, fetcher, rule, feed, limit=None, filters=None, fireball=False):
 13 | 
 14 |         self.logger = logging.getLogger(__name__)
 15 |         self.client = client
 16 |         self.fetcher = fetcher
 17 |         self.rule = rule
 18 |         self.feed = feed
 19 |         self.limit = limit
 20 |         self.skip = None
 21 |         self.filters = filters
 22 |         self.skip_first = False
 23 |         self.itype = None
 24 |         self.line_filter = None
 25 |         self.add_orig = False
 26 | 
 27 |         if fireball:
 28 |             self.fireball = int(FIREBALL_SIZE)
 29 |         else:
 30 |             self.fireball = False
 31 | 
 32 |         if self.limit is not None:
 33 |             self.limit = int(limit)
 34 | 
 35 |         self.comments = re.compile(RE_COMMENTS)
 36 | 
 37 |         if self.rule.feeds[self.feed].get('skip'):
 38 |             self.skip = re.compile(self.rule.feeds[self.feed]['skip'])
 39 |         elif self.rule.skip:
 40 |             self.skip = re.compile(self.rule.skip)
 41 | 
 42 |         if self.rule.feeds[self.feed].get('skip_first'):
 43 |             self.skip_first = True
 44 |         elif self.rule.skip_first:
 45 |             self.skip_first = True
 46 | 
 47 |         if self.rule.feeds[self.feed].get('itype'):
 48 |             self.itype = self.rule.feeds[self.feed]['itype']
 49 |         elif self.rule.itype:
 50 |             self.itype = self.rule.itype
 51 | 
 52 |         if self.rule.feeds[self.feed].get('line_filter'):
 53 |             self.line_filter = self.rule.feeds[self.feed]['line_filter']
 54 |         elif self.rule.line_filter:
 55 |             self.line_filter = self.rule.line_filter
 56 | 
 57 |         if self.line_filter:
 58 |             self.line_filter = re.compile(self.line_filter)
 59 | 
 60 |         self.line_count = 0
 61 |         
 62 |         # prioritize column values in order: feed values > feed defaults values > rule defaults values > rule values
 63 |         if self.rule.feeds[self.feed].get('values'):
 64 |             self.cols = self.rule.feeds[self.feed].get('values')
 65 |         elif self.rule.feeds[self.feed].get('defaults', {}).get('values'):
 66 |             self.cols = self.rule.feeds[self.feed]['defaults'].get('values')
 67 |         elif self.rule.defaults.get('values'):
 68 |             self.cols = self.rule.defaults.get('values')
 69 |         else:
 70 |             self.cols = self.rule.get('values', [])
 71 | 
 72 |         if isinstance(self.cols, str):
 73 |             self.cols = self.cols.split(',')
 74 | 
 75 |     def ignore(self, line):
 76 |         if line == '':
 77 |             return True
 78 | 
 79 |         if self.is_comment(line):
 80 |             return True
 81 | 
 82 |         self.line_count += 1
 83 |         if self.line_count == 1 and self.skip_first:
 84 |             return True
 85 | 
 86 |         if self.skip:
 87 |             if self.skip.search(line):
 88 |                 return True
 89 | 
 90 |         if self.line_filter:
 91 |             if not self.line_filter.search(line):
 92 |                 return True
 93 | 
 94 |     def is_comment(self, line):
 95 |         if self.comments.search(line):
 96 |             return True
 97 | 
 98 |     def _defaults(self):
 99 |         defaults = copy.deepcopy(self.rule.defaults)
100 | 
101 |         if self.rule.feeds[self.feed].get('defaults'):
102 |             for d in self.rule.feeds[self.feed].get('defaults'):
103 |                 defaults[d] = self.rule.feeds[self.feed]['defaults'][d]
104 | 
105 |         return defaults
106 | 
107 |     def eval_obs(self, obs, value=None):
108 |         if value is None:
109 |             value = obs
110 | 
111 |         if isinstance(value, dict):
112 |             for k in list(value.keys()):
113 |                 value[k] = self.eval_obs(obs, value[k])
114 |         elif isinstance(value, list):
115 |             for i in range(len(value)):
116 |                 value[i] = self.eval_obs(obs, value[i])
117 |         elif PYVERSION > 2 and isinstance(value, (str, bytes)):
118 |             try:
119 |                 m = re.match('^eval\((.*)\)$', value.strip(), re.MULTILINE | re.DOTALL)
120 |                 if m:
121 |                     value = eval(m.group(1),{"__builtins__":None, 'math': math, 'max': max, 'min': min, 'int': int, 'float': float, 'str': str, 'unicode': bytes},{'obs': obs})
122 |             except Exception as e:
123 |                 self.logger.warn('Could not evaluate expression "{}", exception: {}'.format(value, e))
124 |         elif PYVERSION == 2 and isinstance(value, (str, unicode)):
125 |             try:
126 |                 m = re.match('^eval\((.*)\)$', value.strip(), re.MULTILINE | re.DOTALL)
127 |                 if m:
128 |                     value = eval(m.group(1),{"__builtins__":None, 'math': math, 'max': max, 'min': min, 'int': int, 'float': float, 'str': str, 'unicode': unicode},{'obs': obs})
129 |             except Exception as e:
130 |                 self.logger.warn('Could not evaluate expression "{}", exception: {}'.format(value, e))
131 | 
132 |         return value
133 | 
134 |     def process(self):
135 |         raise NotImplementedError
136 | 


--------------------------------------------------------------------------------
/csirtg_smrt/client/ztaxii11.py:
--------------------------------------------------------------------------------
  1 | from libtaxii.constants import *
  2 | from csirtg_smrt.parser.zstix import _parse_stix_package
  3 | from csirtg_indicator import Indicator
  4 | from urllib.parse import urlparse
  5 | from dateutil.tz import tzutc
  6 | from datetime import datetime, timedelta
  7 | from lxml.etree import fromstring as lxml_fromstring
  8 | from stix.core import STIXPackage
  9 | import libtaxii as t
 10 | import libtaxii.clients as tc
 11 | import libtaxii.messages_11 as tm11
 12 | import logging
 13 | import uuid
 14 | 
 15 | logger = logging.getLogger(__name__)
 16 | 
 17 | # TAXII v1.1 client
 18 | class _TAXII(object):
 19 |     __name__ = 'taxii11'
 20 | 
 21 |     def __init__(self, **kwargs):
 22 | 
 23 |         self.username = kwargs.get('username')
 24 |         self.password = kwargs.get('password')
 25 |         self.remote = kwargs.get('remote')
 26 |         self.key_file = kwargs.get('key_file')
 27 |         self.cert_file = kwargs.get('cert_file')
 28 |         
 29 |         self.client = tc.HttpClient()
 30 |         self.up = urlparse(self.remote)
 31 |         if self.up.scheme.startswith('https'):
 32 |             self.client.set_use_https(True)
 33 | 
 34 |         if self.username and self.password:
 35 |             self.client.set_auth_type(tc.HttpClient.AUTH_BASIC)
 36 |             self.client.set_auth_credentials({
 37 |                 'username': self.username,
 38 |                 'password': self.password
 39 |             })
 40 |         
 41 |         # support client cert, default disabled
 42 |         if self.key_file and self.cert_file:
 43 |             # auth_basic = 1; auth_cert = 2; auth_cert_basic = 3
 44 |             if self.client.auth_type:
 45 |                 self.client.set_auth_type(tc.HttpClient.AUTH_CERT_BASIC)
 46 |             else:
 47 |                 self.client.set_auth_type(tc.HttpClient.AUTH_CERT)
 48 | 
 49 |             self.client.auth_credentials.update({
 50 |                 'key_file': self.key_file,
 51 |                 'cert_file': self.cert_file 
 52 |             })
 53 | 
 54 |     def ping(self, write=False):
 55 |         raise NotImplemented
 56 | 
 57 |     def indicators_create(self, data, **kwargs):
 58 |         raise NotImplemented
 59 | 
 60 |     
 61 |     def _parse_taxii_content(self, taxii_content):
 62 |         indicators_to_add = {}
 63 |         for stix_obj in taxii_content:
 64 |             try:
 65 |                 stix_parsed = STIXPackage.from_xml(lxml_fromstring(stix_obj.content))
 66 |             except NotImplementedError as e:
 67 |                 if str(e).endswith("AISMarkingStructure'"):
 68 |                     import stix.extensions.marking.ais
 69 |                     stix_parsed = STIXPackage.from_xml(lxml_fromstring(stix_obj.content))
 70 |                 else:
 71 |                     raise
 72 |             except Exception as e:
 73 |                 logger.error('Error parsing STIX object: {}'.format(e))
 74 |                 continue
 75 | 
 76 |             try:
 77 |                 tmp = _parse_stix_package(stix_parsed)
 78 |             except NotImplementedError as e:
 79 |                 if str(e).endswith("AISMarkingStructure'"):
 80 |                     import stix.extensions.marking.ais
 81 |                     tmp = _parse_stix_package(stix_parsed)
 82 |                 else:
 83 |                     raise
 84 |             
 85 |             for obs_key, value in tmp.items():
 86 |                 if obs_key in indicators_to_add:
 87 |                     indicators_to_add[obs_key].update(value)
 88 |                 else:
 89 |                     indicators_to_add[obs_key] = value
 90 | 
 91 |         for i_dict in indicators_to_add.values():
 92 |             if i_dict.get('indicator'):
 93 |                 logger.debug('adding indicator {}'.format(i_dict['indicator']))
 94 |                 yield Indicator(**i_dict)
 95 | 
 96 | 
 97 |     def indicators(self, collection_name, starttime=(datetime.now(tzutc()) - timedelta(hours=1)),
 98 |             endtime=datetime.now(tzutc()),
 99 |             subscription_id=None
100 |         ):
101 |         delivery_params = tm11.DeliveryParameters(VID_TAXII_HTTP_10, self.remote, VID_TAXII_XML_11)
102 |         """
103 |         poll_params = tm11.PollParameters(response_type=RT_COUNT_ONLY,
104 |             #content_bindings=[tm11.ContentBinding(CB_STIX_XML_11)], 
105 |             delivery_parameters=delivery_params
106 |             )
107 |         """
108 |         poll_params = tm11.PollRequest.PollParameters()
109 |         poll_req = tm11.PollRequest(message_id=tm11.generate_message_id(),
110 |             collection_name=collection_name,
111 |             exclusive_begin_timestamp_label=starttime,
112 |             inclusive_end_timestamp_label=endtime,
113 |             poll_parameters=poll_params,
114 |             subscription_id=subscription_id
115 |             )
116 | 
117 |         logger.debug('TAXII collection poll request: {}'.format(poll_req.to_xml(pretty_print=True)))
118 | 
119 |         poll_req_xml = poll_req.to_xml()
120 |         http_resp = self.client.call_taxii_service2(self.up.hostname,
121 |             self.up.path,
122 |             VID_TAXII_XML_11,
123 |             poll_req_xml,
124 |             self.up.port
125 |             )
126 |         taxii_message = t.get_message_from_http_response(http_resp, poll_req.message_id)
127 | 
128 |         logger.debug('TAXII collection poll response: {}'.format(taxii_message.to_xml(pretty_print=True)))
129 | 
130 |         if taxii_message.message_type == MSG_STATUS_MESSAGE:
131 |             if taxii_message.status_type == ST_SUCCESS:
132 |                 logger.info('TAXII polled successfully but returned no results')
133 |                 return []
134 |             raise RuntimeError('TAXII polling failed: {} - {}'.format(taxii_message.status_type, taxii_message.message))
135 | 
136 |         return self._parse_taxii_content(taxii_message.content_blocks)
137 | 


--------------------------------------------------------------------------------
/csirtg_smrt/parser/bro.py:
--------------------------------------------------------------------------------
  1 | from csirtg_smrt.utils.ztail import tail
  2 | from json import loads as json_loads
  3 | import logging
  4 | import os
  5 | from csirtg_indicator import Indicator
  6 | from pprint import pprint
  7 | from argparse import ArgumentParser
  8 | from argparse import RawDescriptionHelpFormatter
  9 | import textwrap
 10 | from csirtg_smrt.utils import setup_logging, get_argument_parser
 11 | from csirtg_indicator.format import FORMATS
 12 | import re
 13 | # logging configuration
 14 | LOG_FORMAT = '%(asctime)s - %(levelname)s - %(name)s[%(lineno)s] - %(message)s'
 15 | logger = logging.getLogger('')
 16 | 
 17 | PROVIDER = os.environ.get('CSIRTG_SMRT_PROVIDER')
 18 | 
 19 | # https://github.com/JustinAzoff/bro-pdns/blob/master/bro_pdns.py#L27
 20 | CORE_FIELDS = set('src ts dst'.split())
 21 | 
 22 | 
 23 | class BroTailer(object):
 24 | 
 25 |     def __init__(self, file, json=False, **kwargs):
 26 |         self.headers = {}
 27 | 
 28 |         with open(file) as _file:
 29 |             line = ''
 30 |             it = iter(_file)
 31 | 
 32 |             while not line.startswith("#types"):
 33 |                 line = next(it).rstrip()
 34 |                 k, v = line[1:].split(None, 1)
 35 |                 self.headers[k] = v
 36 | 
 37 |             self.sep = self.headers['separator'].encode('utf-8').decode("unicode_escape")
 38 | 
 39 |             for k, v in self.headers.items():
 40 |                 if self.sep in v:
 41 |                     self.headers[k] = v.split(self.sep)
 42 | 
 43 |             self.headers['separator'] = self.sep
 44 |             self.fields = self.headers['fields']
 45 |             self.types = self.headers['types']
 46 |             self.set_sep = self.headers['set_separator']
 47 |             self.vectors = [field for field, type in zip(self.fields, self.types) if type.startswith("vector[")]
 48 | 
 49 |     def parse_line(self, line):
 50 |         if line.startswith("#close"):
 51 |             return
 52 | 
 53 |         if not len(line):
 54 |             return
 55 | 
 56 |         parts = line.rstrip().split(self.sep)
 57 | 
 58 |         record = dict(zip(self.fields, parts))
 59 | 
 60 |         for k in record:
 61 |             if record[k] == '-':
 62 |                 record[k] = None
 63 | 
 64 |         for f in self.vectors:
 65 |             record[f] = record[f].split(self.set_sep)
 66 | 
 67 |         description = "{note}: {msg}".format(**record)
 68 |         data = {
 69 |             "indicator": record['src'],
 70 |             "description": description,
 71 |             "lasttime": record['ts'],
 72 |             "firsttime": record['ts'],
 73 |         }
 74 | 
 75 |         if record.get('dest'):
 76 |             data["dest"] = record.get("dst")
 77 | 
 78 |         additional_data = {}
 79 |         for k, v in record.items():
 80 |             if k not in CORE_FIELDS:
 81 |                 if v is not None:
 82 |                     additional_data[k] = v
 83 | 
 84 |         if additional_data:
 85 |             data["additional_data"] = additional_data
 86 | 
 87 |         return data
 88 | 
 89 | 
 90 | def main():
 91 |     p = get_argument_parser()
 92 |     p = ArgumentParser(
 93 |         description=textwrap.dedent('''\
 94 |             Env Variables:
 95 |                 CSIRTG_RUNTIME_PATH
 96 | 
 97 |             example usage:
 98 |                 $ csirtg-bro -f /var/log/foo.log
 99 |                 $ ZYRE_GROUP=honeynet csirtg-bro -d -f /var/log/foo.log --client zyre
100 |                 $ csirtg-bro -f /var/log/foo.log --client csirtg --user wes --feed scanners -d
101 |             '''),
102 |         formatter_class=RawDescriptionHelpFormatter,
103 |         prog='csirtg-bro',
104 |         parents=[p],
105 |     )
106 | 
107 |     p.add_argument('--no-verify-ssl', help='turn TLS/SSL verification OFF', action='store_true')
108 |     p.add_argument('-f', '--file')
109 |     p.add_argument('--client', default='stdout')
110 |     p.add_argument('--user')
111 |     p.add_argument('--feed')
112 |     p.add_argument('--format', default='csv')
113 |     p.add_argument('--tags', help='specify indicator tags [default %(default)s', default='scanner')
114 |     p.add_argument('--provider', help='specify provider [default %(default)s]', default=PROVIDER)
115 | 
116 |     args = p.parse_args()
117 | 
118 |     if not args.provider:
119 |         raise RuntimeError('Missing --provider flag')
120 |     if not args.file:
121 |         raise RuntimeError('Missing --file flag')
122 | 
123 |     # setup logging
124 |     setup_logging(args)
125 | 
126 |     logger.debug('starting on: {}'.format(args.file))
127 | 
128 |     verify_ssl = True
129 |     if args.no_verify_ssl:
130 |         verify_ssl = False
131 | 
132 |     from csirtg_smrt import Smrt
133 |     s = Smrt(client=args.client, username=args.user, feed=args.feed, verify_ssl=verify_ssl)
134 | 
135 |     b = BroTailer(args.file)
136 | 
137 |     try:
138 |         for l in tail(args.file):
139 |             if l.startswith('#'):
140 |                 continue
141 | 
142 |             i = b.parse_line(l)
143 | 
144 |             if not i:
145 |                 logger.debug('skipping line')
146 |                 continue
147 | 
148 |             i = Indicator(**i)
149 | 
150 |             logger.debug(i)
151 | 
152 |             i.provider = args.provider
153 |             i.tags = args.tags
154 | 
155 |             if args.client == 'stdout':
156 |                 print(FORMATS[args.format](data=[i]))
157 |             else:
158 |                 try:
159 |                     s.client.indicators_create(i)
160 |                     logger.info('indicator created: {}'.format(i.indicator))
161 |                 except Exception as e:
162 |                     logger.error(e)
163 | 
164 |     except Exception as e:
165 |         logger.error(e)
166 | 
167 |     except KeyboardInterrupt:
168 |         logger.info('SIGINT caught... stopping')
169 |         if args.client != 'stdout':
170 |             s.client.stop()
171 | 
172 |     logger.info('exiting...')
173 | 
174 | if __name__ == '__main__':
175 |     main()
176 | 


--------------------------------------------------------------------------------