├── LICENSE
├── README.md
├── cef.py
├── checkioc.py
├── dataload.py
├── datasrc
    ├── alexa_exception.txt
    ├── alexalist.txt
    ├── except_list.txt
    ├── google_ip.txt
    ├── md5.txt
    ├── microsoft_ip.txt
    ├── sha1.txt
    ├── sha256.txt
    ├── tlds-alpha-by-domain.txt
    ├── yahoo_ip.txt
    └── yara-export-discarded.txt
├── ioctest.py
├── keys.py
└── sourcefilelist.py


/LICENSE:
--------------------------------------------------------------------------------
  1 |                     GNU GENERAL PUBLIC LICENSE
  2 |                        Version 3, 29 June 2007
  3 | 
  4 |  Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
  5 |  Everyone is permitted to copy and distribute verbatim copies
  6 |  of this license document, but changing it is not allowed.
  7 | 
  8 |                             Preamble
  9 | 
 10 |   The GNU General Public License is a free, copyleft license for
 11 | software and other kinds of works.
 12 | 
 13 |   The licenses for most software and other practical works are designed
 14 | to take away your freedom to share and change the works.  By contrast,
 15 | the GNU General Public License is intended to guarantee your freedom to
 16 | share and change all versions of a program--to make sure it remains free
 17 | software for all its users.  We, the Free Software Foundation, use the
 18 | GNU General Public License for most of our software; it applies also to
 19 | any other work released this way by its authors.  You can apply it to
 20 | your programs, too.
 21 | 
 22 |   When we speak of free software, we are referring to freedom, not
 23 | price.  Our General Public Licenses are designed to make sure that you
 24 | have the freedom to distribute copies of free software (and charge for
 25 | them if you wish), that you receive source code or can get it if you
 26 | want it, that you can change the software or use pieces of it in new
 27 | free programs, and that you know you can do these things.
 28 | 
 29 |   To protect your rights, we need to prevent others from denying you
 30 | these rights or asking you to surrender the rights.  Therefore, you have
 31 | certain responsibilities if you distribute copies of the software, or if
 32 | you modify it: responsibilities to respect the freedom of others.
 33 | 
 34 |   For example, if you distribute copies of such a program, whether
 35 | gratis or for a fee, you must pass on to the recipients the same
 36 | freedoms that you received.  You must make sure that they, too, receive
 37 | or can get the source code.  And you must show them these terms so they
 38 | know their rights.
 39 | 
 40 |   Developers that use the GNU GPL protect your rights with two steps:
 41 | (1) assert copyright on the software, and (2) offer you this License
 42 | giving you legal permission to copy, distribute and/or modify it.
 43 | 
 44 |   For the developers' and authors' protection, the GPL clearly explains
 45 | that there is no warranty for this free software.  For both users' and
 46 | authors' sake, the GPL requires that modified versions be marked as
 47 | changed, so that their problems will not be attributed erroneously to
 48 | authors of previous versions.
 49 | 
 50 |   Some devices are designed to deny users access to install or run
 51 | modified versions of the software inside them, although the manufacturer
 52 | can do so.  This is fundamentally incompatible with the aim of
 53 | protecting users' freedom to change the software.  The systematic
 54 | pattern of such abuse occurs in the area of products for individuals to
 55 | use, which is precisely where it is most unacceptable.  Therefore, we
 56 | have designed this version of the GPL to prohibit the practice for those
 57 | products.  If such problems arise substantially in other domains, we
 58 | stand ready to extend this provision to those domains in future versions
 59 | of the GPL, as needed to protect the freedom of users.
 60 | 
 61 |   Finally, every program is threatened constantly by software patents.
 62 | States should not allow patents to restrict development and use of
 63 | software on general-purpose computers, but in those that do, we wish to
 64 | avoid the special danger that patents applied to a free program could
 65 | make it effectively proprietary.  To prevent this, the GPL assures that
 66 | patents cannot be used to render the program non-free.
 67 | 
 68 |   The precise terms and conditions for copying, distribution and
 69 | modification follow.
 70 | 
 71 |                        TERMS AND CONDITIONS
 72 | 
 73 |   0. Definitions.
 74 | 
 75 |   "This License" refers to version 3 of the GNU General Public License.
 76 | 
 77 |   "Copyright" also means copyright-like laws that apply to other kinds of
 78 | works, such as semiconductor masks.
 79 | 
 80 |   "The Program" refers to any copyrightable work licensed under this
 81 | License.  Each licensee is addressed as "you".  "Licensees" and
 82 | "recipients" may be individuals or organizations.
 83 | 
 84 |   To "modify" a work means to copy from or adapt all or part of the work
 85 | in a fashion requiring copyright permission, other than the making of an
 86 | exact copy.  The resulting work is called a "modified version" of the
 87 | earlier work or a work "based on" the earlier work.
 88 | 
 89 |   A "covered work" means either the unmodified Program or a work based
 90 | on the Program.
 91 | 
 92 |   To "propagate" a work means to do anything with it that, without
 93 | permission, would make you directly or secondarily liable for
 94 | infringement under applicable copyright law, except executing it on a
 95 | computer or modifying a private copy.  Propagation includes copying,
 96 | distribution (with or without modification), making available to the
 97 | public, and in some countries other activities as well.
 98 | 
 99 |   To "convey" a work means any kind of propagation that enables other
100 | parties to make or receive copies.  Mere interaction with a user through
101 | a computer network, with no transfer of a copy, is not conveying.
102 | 
103 |   An interactive user interface displays "Appropriate Legal Notices"
104 | to the extent that it includes a convenient and prominently visible
105 | feature that (1) displays an appropriate copyright notice, and (2)
106 | tells the user that there is no warranty for the work (except to the
107 | extent that warranties are provided), that licensees may convey the
108 | work under this License, and how to view a copy of this License.  If
109 | the interface presents a list of user commands or options, such as a
110 | menu, a prominent item in the list meets this criterion.
111 | 
112 |   1. Source Code.
113 | 
114 |   The "source code" for a work means the preferred form of the work
115 | for making modifications to it.  "Object code" means any non-source
116 | form of a work.
117 | 
118 |   A "Standard Interface" means an interface that either is an official
119 | standard defined by a recognized standards body, or, in the case of
120 | interfaces specified for a particular programming language, one that
121 | is widely used among developers working in that language.
122 | 
123 |   The "System Libraries" of an executable work include anything, other
124 | than the work as a whole, that (a) is included in the normal form of
125 | packaging a Major Component, but which is not part of that Major
126 | Component, and (b) serves only to enable use of the work with that
127 | Major Component, or to implement a Standard Interface for which an
128 | implementation is available to the public in source code form.  A
129 | "Major Component", in this context, means a major essential component
130 | (kernel, window system, and so on) of the specific operating system
131 | (if any) on which the executable work runs, or a compiler used to
132 | produce the work, or an object code interpreter used to run it.
133 | 
134 |   The "Corresponding Source" for a work in object code form means all
135 | the source code needed to generate, install, and (for an executable
136 | work) run the object code and to modify the work, including scripts to
137 | control those activities.  However, it does not include the work's
138 | System Libraries, or general-purpose tools or generally available free
139 | programs which are used unmodified in performing those activities but
140 | which are not part of the work.  For example, Corresponding Source
141 | includes interface definition files associated with source files for
142 | the work, and the source code for shared libraries and dynamically
143 | linked subprograms that the work is specifically designed to require,
144 | such as by intimate data communication or control flow between those
145 | subprograms and other parts of the work.
146 | 
147 |   The Corresponding Source need not include anything that users
148 | can regenerate automatically from other parts of the Corresponding
149 | Source.
150 | 
151 |   The Corresponding Source for a work in source code form is that
152 | same work.
153 | 
154 |   2. Basic Permissions.
155 | 
156 |   All rights granted under this License are granted for the term of
157 | copyright on the Program, and are irrevocable provided the stated
158 | conditions are met.  This License explicitly affirms your unlimited
159 | permission to run the unmodified Program.  The output from running a
160 | covered work is covered by this License only if the output, given its
161 | content, constitutes a covered work.  This License acknowledges your
162 | rights of fair use or other equivalent, as provided by copyright law.
163 | 
164 |   You may make, run and propagate covered works that you do not
165 | convey, without conditions so long as your license otherwise remains
166 | in force.  You may convey covered works to others for the sole purpose
167 | of having them make modifications exclusively for you, or provide you
168 | with facilities for running those works, provided that you comply with
169 | the terms of this License in conveying all material for which you do
170 | not control copyright.  Those thus making or running the covered works
171 | for you must do so exclusively on your behalf, under your direction
172 | and control, on terms that prohibit them from making any copies of
173 | your copyrighted material outside their relationship with you.
174 | 
175 |   Conveying under any other circumstances is permitted solely under
176 | the conditions stated below.  Sublicensing is not allowed; section 10
177 | makes it unnecessary.
178 | 
179 |   3. Protecting Users' Legal Rights From Anti-Circumvention Law.
180 | 
181 |   No covered work shall be deemed part of an effective technological
182 | measure under any applicable law fulfilling obligations under article
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
184 | similar laws prohibiting or restricting circumvention of such
185 | measures.
186 | 
187 |   When you convey a covered work, you waive any legal power to forbid
188 | circumvention of technological measures to the extent such circumvention
189 | is effected by exercising rights under this License with respect to
190 | the covered work, and you disclaim any intention to limit operation or
191 | modification of the work as a means of enforcing, against the work's
192 | users, your or third parties' legal rights to forbid circumvention of
193 | technological measures.
194 | 
195 |   4. Conveying Verbatim Copies.
196 | 
197 |   You may convey verbatim copies of the Program's source code as you
198 | receive it, in any medium, provided that you conspicuously and
199 | appropriately publish on each copy an appropriate copyright notice;
200 | keep intact all notices stating that this License and any
201 | non-permissive terms added in accord with section 7 apply to the code;
202 | keep intact all notices of the absence of any warranty; and give all
203 | recipients a copy of this License along with the Program.
204 | 
205 |   You may charge any price or no price for each copy that you convey,
206 | and you may offer support or warranty protection for a fee.
207 | 
208 |   5. Conveying Modified Source Versions.
209 | 
210 |   You may convey a work based on the Program, or the modifications to
211 | produce it from the Program, in the form of source code under the
212 | terms of section 4, provided that you also meet all of these conditions:
213 | 
214 |     a) The work must carry prominent notices stating that you modified
215 |     it, and giving a relevant date.
216 | 
217 |     b) The work must carry prominent notices stating that it is
218 |     released under this License and any conditions added under section
219 |     7.  This requirement modifies the requirement in section 4 to
220 |     "keep intact all notices".
221 | 
222 |     c) You must license the entire work, as a whole, under this
223 |     License to anyone who comes into possession of a copy.  This
224 |     License will therefore apply, along with any applicable section 7
225 |     additional terms, to the whole of the work, and all its parts,
226 |     regardless of how they are packaged.  This License gives no
227 |     permission to license the work in any other way, but it does not
228 |     invalidate such permission if you have separately received it.
229 | 
230 |     d) If the work has interactive user interfaces, each must display
231 |     Appropriate Legal Notices; however, if the Program has interactive
232 |     interfaces that do not display Appropriate Legal Notices, your
233 |     work need not make them do so.
234 | 
235 |   A compilation of a covered work with other separate and independent
236 | works, which are not by their nature extensions of the covered work,
237 | and which are not combined with it such as to form a larger program,
238 | in or on a volume of a storage or distribution medium, is called an
239 | "aggregate" if the compilation and its resulting copyright are not
240 | used to limit the access or legal rights of the compilation's users
241 | beyond what the individual works permit.  Inclusion of a covered work
242 | in an aggregate does not cause this License to apply to the other
243 | parts of the aggregate.
244 | 
245 |   6. Conveying Non-Source Forms.
246 | 
247 |   You may convey a covered work in object code form under the terms
248 | of sections 4 and 5, provided that you also convey the
249 | machine-readable Corresponding Source under the terms of this License,
250 | in one of these ways:
251 | 
252 |     a) Convey the object code in, or embodied in, a physical product
253 |     (including a physical distribution medium), accompanied by the
254 |     Corresponding Source fixed on a durable physical medium
255 |     customarily used for software interchange.
256 | 
257 |     b) Convey the object code in, or embodied in, a physical product
258 |     (including a physical distribution medium), accompanied by a
259 |     written offer, valid for at least three years and valid for as
260 |     long as you offer spare parts or customer support for that product
261 |     model, to give anyone who possesses the object code either (1) a
262 |     copy of the Corresponding Source for all the software in the
263 |     product that is covered by this License, on a durable physical
264 |     medium customarily used for software interchange, for a price no
265 |     more than your reasonable cost of physically performing this
266 |     conveying of source, or (2) access to copy the
267 |     Corresponding Source from a network server at no charge.
268 | 
269 |     c) Convey individual copies of the object code with a copy of the
270 |     written offer to provide the Corresponding Source.  This
271 |     alternative is allowed only occasionally and noncommercially, and
272 |     only if you received the object code with such an offer, in accord
273 |     with subsection 6b.
274 | 
275 |     d) Convey the object code by offering access from a designated
276 |     place (gratis or for a charge), and offer equivalent access to the
277 |     Corresponding Source in the same way through the same place at no
278 |     further charge.  You need not require recipients to copy the
279 |     Corresponding Source along with the object code.  If the place to
280 |     copy the object code is a network server, the Corresponding Source
281 |     may be on a different server (operated by you or a third party)
282 |     that supports equivalent copying facilities, provided you maintain
283 |     clear directions next to the object code saying where to find the
284 |     Corresponding Source.  Regardless of what server hosts the
285 |     Corresponding Source, you remain obligated to ensure that it is
286 |     available for as long as needed to satisfy these requirements.
287 | 
288 |     e) Convey the object code using peer-to-peer transmission, provided
289 |     you inform other peers where the object code and Corresponding
290 |     Source of the work are being offered to the general public at no
291 |     charge under subsection 6d.
292 | 
293 |   A separable portion of the object code, whose source code is excluded
294 | from the Corresponding Source as a System Library, need not be
295 | included in conveying the object code work.
296 | 
297 |   A "User Product" is either (1) a "consumer product", which means any
298 | tangible personal property which is normally used for personal, family,
299 | or household purposes, or (2) anything designed or sold for incorporation
300 | into a dwelling.  In determining whether a product is a consumer product,
301 | doubtful cases shall be resolved in favor of coverage.  For a particular
302 | product received by a particular user, "normally used" refers to a
303 | typical or common use of that class of product, regardless of the status
304 | of the particular user or of the way in which the particular user
305 | actually uses, or expects or is expected to use, the product.  A product
306 | is a consumer product regardless of whether the product has substantial
307 | commercial, industrial or non-consumer uses, unless such uses represent
308 | the only significant mode of use of the product.
309 | 
310 |   "Installation Information" for a User Product means any methods,
311 | procedures, authorization keys, or other information required to install
312 | and execute modified versions of a covered work in that User Product from
313 | a modified version of its Corresponding Source.  The information must
314 | suffice to ensure that the continued functioning of the modified object
315 | code is in no case prevented or interfered with solely because
316 | modification has been made.
317 | 
318 |   If you convey an object code work under this section in, or with, or
319 | specifically for use in, a User Product, and the conveying occurs as
320 | part of a transaction in which the right of possession and use of the
321 | User Product is transferred to the recipient in perpetuity or for a
322 | fixed term (regardless of how the transaction is characterized), the
323 | Corresponding Source conveyed under this section must be accompanied
324 | by the Installation Information.  But this requirement does not apply
325 | if neither you nor any third party retains the ability to install
326 | modified object code on the User Product (for example, the work has
327 | been installed in ROM).
328 | 
329 |   The requirement to provide Installation Information does not include a
330 | requirement to continue to provide support service, warranty, or updates
331 | for a work that has been modified or installed by the recipient, or for
332 | the User Product in which it has been modified or installed.  Access to a
333 | network may be denied when the modification itself materially and
334 | adversely affects the operation of the network or violates the rules and
335 | protocols for communication across the network.
336 | 
337 |   Corresponding Source conveyed, and Installation Information provided,
338 | in accord with this section must be in a format that is publicly
339 | documented (and with an implementation available to the public in
340 | source code form), and must require no special password or key for
341 | unpacking, reading or copying.
342 | 
343 |   7. Additional Terms.
344 | 
345 |   "Additional permissions" are terms that supplement the terms of this
346 | License by making exceptions from one or more of its conditions.
347 | Additional permissions that are applicable to the entire Program shall
348 | be treated as though they were included in this License, to the extent
349 | that they are valid under applicable law.  If additional permissions
350 | apply only to part of the Program, that part may be used separately
351 | under those permissions, but the entire Program remains governed by
352 | this License without regard to the additional permissions.
353 | 
354 |   When you convey a copy of a covered work, you may at your option
355 | remove any additional permissions from that copy, or from any part of
356 | it.  (Additional permissions may be written to require their own
357 | removal in certain cases when you modify the work.)  You may place
358 | additional permissions on material, added by you to a covered work,
359 | for which you have or can give appropriate copyright permission.
360 | 
361 |   Notwithstanding any other provision of this License, for material you
362 | add to a covered work, you may (if authorized by the copyright holders of
363 | that material) supplement the terms of this License with terms:
364 | 
365 |     a) Disclaiming warranty or limiting liability differently from the
366 |     terms of sections 15 and 16 of this License; or
367 | 
368 |     b) Requiring preservation of specified reasonable legal notices or
369 |     author attributions in that material or in the Appropriate Legal
370 |     Notices displayed by works containing it; or
371 | 
372 |     c) Prohibiting misrepresentation of the origin of that material, or
373 |     requiring that modified versions of such material be marked in
374 |     reasonable ways as different from the original version; or
375 | 
376 |     d) Limiting the use for publicity purposes of names of licensors or
377 |     authors of the material; or
378 | 
379 |     e) Declining to grant rights under trademark law for use of some
380 |     trade names, trademarks, or service marks; or
381 | 
382 |     f) Requiring indemnification of licensors and authors of that
383 |     material by anyone who conveys the material (or modified versions of
384 |     it) with contractual assumptions of liability to the recipient, for
385 |     any liability that these contractual assumptions directly impose on
386 |     those licensors and authors.
387 | 
388 |   All other non-permissive additional terms are considered "further
389 | restrictions" within the meaning of section 10.  If the Program as you
390 | received it, or any part of it, contains a notice stating that it is
391 | governed by this License along with a term that is a further
392 | restriction, you may remove that term.  If a license document contains
393 | a further restriction but permits relicensing or conveying under this
394 | License, you may add to a covered work material governed by the terms
395 | of that license document, provided that the further restriction does
396 | not survive such relicensing or conveying.
397 | 
398 |   If you add terms to a covered work in accord with this section, you
399 | must place, in the relevant source files, a statement of the
400 | additional terms that apply to those files, or a notice indicating
401 | where to find the applicable terms.
402 | 
403 |   Additional terms, permissive or non-permissive, may be stated in the
404 | form of a separately written license, or stated as exceptions;
405 | the above requirements apply either way.
406 | 
407 |   8. Termination.
408 | 
409 |   You may not propagate or modify a covered work except as expressly
410 | provided under this License.  Any attempt otherwise to propagate or
411 | modify it is void, and will automatically terminate your rights under
412 | this License (including any patent licenses granted under the third
413 | paragraph of section 11).
414 | 
415 |   However, if you cease all violation of this License, then your
416 | license from a particular copyright holder is reinstated (a)
417 | provisionally, unless and until the copyright holder explicitly and
418 | finally terminates your license, and (b) permanently, if the copyright
419 | holder fails to notify you of the violation by some reasonable means
420 | prior to 60 days after the cessation.
421 | 
422 |   Moreover, your license from a particular copyright holder is
423 | reinstated permanently if the copyright holder notifies you of the
424 | violation by some reasonable means, this is the first time you have
425 | received notice of violation of this License (for any work) from that
426 | copyright holder, and you cure the violation prior to 30 days after
427 | your receipt of the notice.
428 | 
429 |   Termination of your rights under this section does not terminate the
430 | licenses of parties who have received copies or rights from you under
431 | this License.  If your rights have been terminated and not permanently
432 | reinstated, you do not qualify to receive new licenses for the same
433 | material under section 10.
434 | 
435 |   9. Acceptance Not Required for Having Copies.
436 | 
437 |   You are not required to accept this License in order to receive or
438 | run a copy of the Program.  Ancillary propagation of a covered work
439 | occurring solely as a consequence of using peer-to-peer transmission
440 | to receive a copy likewise does not require acceptance.  However,
441 | nothing other than this License grants you permission to propagate or
442 | modify any covered work.  These actions infringe copyright if you do
443 | not accept this License.  Therefore, by modifying or propagating a
444 | covered work, you indicate your acceptance of this License to do so.
445 | 
446 |   10. Automatic Licensing of Downstream Recipients.
447 | 
448 |   Each time you convey a covered work, the recipient automatically
449 | receives a license from the original licensors, to run, modify and
450 | propagate that work, subject to this License.  You are not responsible
451 | for enforcing compliance by third parties with this License.
452 | 
453 |   An "entity transaction" is a transaction transferring control of an
454 | organization, or substantially all assets of one, or subdividing an
455 | organization, or merging organizations.  If propagation of a covered
456 | work results from an entity transaction, each party to that
457 | transaction who receives a copy of the work also receives whatever
458 | licenses to the work the party's predecessor in interest had or could
459 | give under the previous paragraph, plus a right to possession of the
460 | Corresponding Source of the work from the predecessor in interest, if
461 | the predecessor has it or can get it with reasonable efforts.
462 | 
463 |   You may not impose any further restrictions on the exercise of the
464 | rights granted or affirmed under this License.  For example, you may
465 | not impose a license fee, royalty, or other charge for exercise of
466 | rights granted under this License, and you may not initiate litigation
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that
468 | any patent claim is infringed by making, using, selling, offering for
469 | sale, or importing the Program or any portion of it.
470 | 
471 |   11. Patents.
472 | 
473 |   A "contributor" is a copyright holder who authorizes use under this
474 | License of the Program or a work on which the Program is based.  The
475 | work thus licensed is called the contributor's "contributor version".
476 | 
477 |   A contributor's "essential patent claims" are all patent claims
478 | owned or controlled by the contributor, whether already acquired or
479 | hereafter acquired, that would be infringed by some manner, permitted
480 | by this License, of making, using, or selling its contributor version,
481 | but do not include claims that would be infringed only as a
482 | consequence of further modification of the contributor version.  For
483 | purposes of this definition, "control" includes the right to grant
484 | patent sublicenses in a manner consistent with the requirements of
485 | this License.
486 | 
487 |   Each contributor grants you a non-exclusive, worldwide, royalty-free
488 | patent license under the contributor's essential patent claims, to
489 | make, use, sell, offer for sale, import and otherwise run, modify and
490 | propagate the contents of its contributor version.
491 | 
492 |   In the following three paragraphs, a "patent license" is any express
493 | agreement or commitment, however denominated, not to enforce a patent
494 | (such as an express permission to practice a patent or covenant not to
495 | sue for patent infringement).  To "grant" such a patent license to a
496 | party means to make such an agreement or commitment not to enforce a
497 | patent against the party.
498 | 
499 |   If you convey a covered work, knowingly relying on a patent license,
500 | and the Corresponding Source of the work is not available for anyone
501 | to copy, free of charge and under the terms of this License, through a
502 | publicly available network server or other readily accessible means,
503 | then you must either (1) cause the Corresponding Source to be so
504 | available, or (2) arrange to deprive yourself of the benefit of the
505 | patent license for this particular work, or (3) arrange, in a manner
506 | consistent with the requirements of this License, to extend the patent
507 | license to downstream recipients.  "Knowingly relying" means you have
508 | actual knowledge that, but for the patent license, your conveying the
509 | covered work in a country, or your recipient's use of the covered work
510 | in a country, would infringe one or more identifiable patents in that
511 | country that you have reason to believe are valid.
512 | 
513 |   If, pursuant to or in connection with a single transaction or
514 | arrangement, you convey, or propagate by procuring conveyance of, a
515 | covered work, and grant a patent license to some of the parties
516 | receiving the covered work authorizing them to use, propagate, modify
517 | or convey a specific copy of the covered work, then the patent license
518 | you grant is automatically extended to all recipients of the covered
519 | work and works based on it.
520 | 
521 |   A patent license is "discriminatory" if it does not include within
522 | the scope of its coverage, prohibits the exercise of, or is
523 | conditioned on the non-exercise of one or more of the rights that are
524 | specifically granted under this License.  You may not convey a covered
525 | work if you are a party to an arrangement with a third party that is
526 | in the business of distributing software, under which you make payment
527 | to the third party based on the extent of your activity of conveying
528 | the work, and under which the third party grants, to any of the
529 | parties who would receive the covered work from you, a discriminatory
530 | patent license (a) in connection with copies of the covered work
531 | conveyed by you (or copies made from those copies), or (b) primarily
532 | for and in connection with specific products or compilations that
533 | contain the covered work, unless you entered into that arrangement,
534 | or that patent license was granted, prior to 28 March 2007.
535 | 
536 |   Nothing in this License shall be construed as excluding or limiting
537 | any implied license or other defenses to infringement that may
538 | otherwise be available to you under applicable patent law.
539 | 
540 |   12. No Surrender of Others' Freedom.
541 | 
542 |   If conditions are imposed on you (whether by court order, agreement or
543 | otherwise) that contradict the conditions of this License, they do not
544 | excuse you from the conditions of this License.  If you cannot convey a
545 | covered work so as to satisfy simultaneously your obligations under this
546 | License and any other pertinent obligations, then as a consequence you may
547 | not convey it at all.  For example, if you agree to terms that obligate you
548 | to collect a royalty for further conveying from those to whom you convey
549 | the Program, the only way you could satisfy both those terms and this
550 | License would be to refrain entirely from conveying the Program.
551 | 
552 |   13. Use with the GNU Affero General Public License.
553 | 
554 |   Notwithstanding any other provision of this License, you have
555 | permission to link or combine any covered work with a work licensed
556 | under version 3 of the GNU Affero General Public License into a single
557 | combined work, and to convey the resulting work.  The terms of this
558 | License will continue to apply to the part which is the covered work,
559 | but the special requirements of the GNU Affero General Public License,
560 | section 13, concerning interaction through a network will apply to the
561 | combination as such.
562 | 
563 |   14. Revised Versions of this License.
564 | 
565 |   The Free Software Foundation may publish revised and/or new versions of
566 | the GNU General Public License from time to time.  Such new versions will
567 | be similar in spirit to the present version, but may differ in detail to
568 | address new problems or concerns.
569 | 
570 |   Each version is given a distinguishing version number.  If the
571 | Program specifies that a certain numbered version of the GNU General
572 | Public License "or any later version" applies to it, you have the
573 | option of following the terms and conditions either of that numbered
574 | version or of any later version published by the Free Software
575 | Foundation.  If the Program does not specify a version number of the
576 | GNU General Public License, you may choose any version ever published
577 | by the Free Software Foundation.
578 | 
579 |   If the Program specifies that a proxy can decide which future
580 | versions of the GNU General Public License can be used, that proxy's
581 | public statement of acceptance of a version permanently authorizes you
582 | to choose that version for the Program.
583 | 
584 |   Later license versions may give you additional or different
585 | permissions.  However, no additional obligations are imposed on any
586 | author or copyright holder as a result of your choosing to follow a
587 | later version.
588 | 
589 |   15. Disclaimer of Warranty.
590 | 
591 |   THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
592 | APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
596 | PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
597 | IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
599 | 
600 |   16. Limitation of Liability.
601 | 
602 |   IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
610 | SUCH DAMAGES.
611 | 
612 |   17. Interpretation of Sections 15 and 16.
613 | 
614 |   If the disclaimer of warranty and limitation of liability provided
615 | above cannot be given local legal effect according to their terms,
616 | reviewing courts shall apply local law that most closely approximates
617 | an absolute waiver of all civil liability in connection with the
618 | Program, unless a warranty or assumption of liability accompanies a
619 | copy of the Program in return for a fee.
620 | 
621 |                      END OF TERMS AND CONDITIONS
622 | 
623 |             How to Apply These Terms to Your New Programs
624 | 
625 |   If you develop a new program, and you want it to be of the greatest
626 | possible use to the public, the best way to achieve this is to make it
627 | free software which everyone can redistribute and change under these terms.
628 | 
629 |   To do so, attach the following notices to the program.  It is safest
630 | to attach them to the start of each source file to most effectively
631 | state the exclusion of warranty; and each file should have at least
632 | the "copyright" line and a pointer to where the full notice is found.
633 | 
634 |     {one line to give the program's name and a brief idea of what it does.}
635 |     Copyright (C) {year}  {name of author}
636 | 
637 |     This program is free software: you can redistribute it and/or modify
638 |     it under the terms of the GNU General Public License as published by
639 |     the Free Software Foundation, either version 3 of the License, or
640 |     (at your option) any later version.
641 | 
642 |     This program is distributed in the hope that it will be useful,
643 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
644 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
645 |     GNU General Public License for more details.
646 | 
647 |     You should have received a copy of the GNU General Public License
648 |     along with this program.  If not, see <http://www.gnu.org/licenses/>.
649 | 
650 | Also add information on how to contact you by electronic and paper mail.
651 | 
652 |   If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 | 
655 |     {project}  Copyright (C) {year}  {fullname}
656 |     This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 |     This is free software, and you are welcome to redistribute it
658 |     under certain conditions; type `show c' for details.
659 | 
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License.  Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 | 
664 |   You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | <http://www.gnu.org/licenses/>.
668 | 
669 |   The GNU General Public License does not permit incorporating your program
670 | into proprietary programs.  If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library.  If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License.  But first, please read
674 | <http://www.gnu.org/philosophy/why-not-lgpl.html>.
675 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # MISP-IOC-Validator
  2 | 
  3 | The main purpose is to validate the format of the different IOC from MISP and to remove false positive by comparing these IOC to existing known false positive (known SHA1 or SHA256 of a file, ...). There is however a lot of other features available.
  4 | 
  5 | **Features:**
  6 | - IOC validation (format, detect false positive iocs, ...)
  7 | - Export the IOC and the result of the validation of the IOC in CEF format (to a SIEM for example)
  8 | - Send the ioc and the result of the check to a syslog server
  9 | - Validate and export YARA and SNORT rules in a file that can be automaticaly integrated to FireEye sensors or SourceFire Snort
 10 | - Send results of IOC check by mail that give the reason of the error with the IOC that didn't pass the checks.
 11 | - STIX format export (only hashes for the moment)
 12 | - ...
 13 | 
 14 | ## Prerequisite
 15 | 
 16 | - install of the following modules:
 17 |  - PyMISP module : https://github.com/CIRCL/PyMISP
 18 |  - Netaddr module : https://pypi.python.org/pypi/netaddr
 19 |  - Python-dumbpig : https://github.com/MrJester/python-dumbpig
 20 |  - Python yara module : https://github.com/VirusTotal/yara
 21 |  - STIX : https://stixproject.github.io/
 22 |  - CybOX : https://cyboxproject.github.io/ 
 23 | - Create source files used in sourcefilelist.py. These files should contains the list of false positive.
 24 |  - The default list available are more or less empty, so you have to enter you own values, here ares some references :
 25 |   - http://data.iana.org/TLD/tlds-alpha-by-domain.txt
 26 |   - http://s3.amazonaws.com/alexa-static/top-1m.csv.zip
 27 |   - http://www.nsrl.nist.gov/Downloads.htm
 28 | - Configure keys.py. Please check https://github.com/CIRCL/PyMISP for more details.
 29 | - Configure mail in checkioc.py : MAIL_FROM and MAIL_SERVER. 
 30 | 
 31 | ## Usage and Examples
 32 | 
 33 | **Display of the result**
 34 | ```
 35 | -v, --verbose : Print the result of each test of attributes. The format used is a CEF syslog format that can be translated by a SIEM
 36 | -q, --quiet   : Suppress all outputs (Useful when running in background)
 37 | ```
 38 | If none of them have been selected, you will just have outputs of what is processing (timeframe and number of ioc processed)
 39 | 
 40 | **Check the IOC from MISP of the last day**
 41 | 
 42 | Syntax is really close to the last function of PyMISP
 43 | ```
 44 | parameter : -l, --last
 45 | ./checkioc.py -l 1d -v
 46 | ```
 47 | 
 48 | **Check the IOC from MISP of the last day only for domains**
 49 | ```
 50 | parameter : -l, --last
 51 | parameter : -o, --only
 52 | ./checkioc.py -l 1d -o domain -v
 53 | ```
 54 | 
 55 | **Check the IOC from MISP of the last day only for domains and hostnames**
 56 | ```
 57 | parameter : -l, --last
 58 | parameter : -o, --only
 59 | ./checkioc.py -l 1d -o domain hostname -v
 60 | ```
 61 | **Check the IOC from MISP of the last day for all type except domains and hostname**
 62 | 
 63 | Works like -o
 64 | ```
 65 | parameter : -l, --last
 66 | parameter : -w, --without
 67 | ./checkioc.py -l 1d -w domain hostname -v
 68 | ```
 69 | 
 70 | **Which other IOC types are supported for filtering**
 71 | ```
 72 | ./checkioc.py --print_types
 73 | ip-src
 74 | yara
 75 | domain
 76 | hostname
 77 | ...
 78 | ```
 79 | 
 80 | **Check the IOC from MISP of a specific period in time**
 81 | 
 82 | In this example we are checking for all ioc from 2015-01-01 to 2016-06-01. The request to server is split in slice of 5 days between these days. Every check of these slice is separated by a little break of 10 seconds. 
 83 | ```
 84 | parameter : -s, --start   date should be YYYY-MM-DD
 85 | parameter : -e, --end     date should be YYYY-MM-DD
 86 | optional parameter : -d, --day_slice   cut the timerange between start and end in slice of days define in this parameter. This allow to create smaller ioc request to the server.
 87 | optional parameter : -t, --time_wait   should be used with -d. This parameters tells the number of seconds that the program will wait before two slice defined with -d. This again in order to avoid overload of the server. This parameter is however only effective if IOC exists during such slice of time otherwise it is ignored.
 88 | 
 89 | ./checkioc.py -s 2015-01-01 -e 2016-06-01 -d 5 -t 10 -v
 90 | ```
 91 | 
 92 | **Check the IOC from MISP of the last day and send result using syslog**
 93 | ```
 94 | parameter : -l, --last
 95 | parameter : -i IP, --ip IP        Syslog server ip
 96 | parameter : -p PORT, --port PORT  Syslog server port (udp)
 97 | 
 98 | ./checkioc.py -l 1d -i 10.0.0.1 -p 514 -v
 99 | ```
100 | 
101 | **Check the IOC from MISP of the last day and send result using syslog**
102 | ```
103 | parameter : -l, --last
104 | parameter : -i IP, --ip IP        Syslog server ip
105 | parameter : -p PORT, --port PORT  Syslog server port (udp)
106 | 
107 | ./checkioc.py -l 1d -i 10.0.0.1 -p 514 -v
108 | ```
109 | 
110 | **Check the IOC (md5 and sha1) from MISP of the last day and export iocs to a STIX file**
111 | 
112 | Check the ioc from MISP which are valid according to the analyser and export ioc to STIX file. (Only hashes for the moment)
113 | 
114 | The indicator title is the misp attribute id of the IOC.
115 | ```
116 | parameter : -l, --last
117 | parameter : -x STIX_EXPORT_PATH, --stix_export_path STIX_EXPORT_PATH  Valid ioc STIX format file path (only for hashes) 
118 | 
119 | ./checkioc.py -l 1d -o md5 sha1 -x /opt/stix_ioc.xml
120 | ```
121 | 
122 | **Check the IOC from MISP of the last day and export yara rules to a file**
123 | 
124 | Check the yara rules from MISP which are valid according to the analyser and export rules in a file. Please note that we also consider import of modules and some other syntax as wrong because it is not compatible with FireEye for the moment.
125 | ```
126 | parameter : -l, --last
127 | parameter : -y YARA_EXPORT_PATH, --yara_export_path  Valid yara rules export file path 
128 | 
129 | ./checkioc.py -l 1d -y /opt/valid_yara.txt
130 | 
131 | You can populate datasrc/yara-export-discarded.txt file if you need to discard some rules from the export.
132 | This file contains yara rule names (1 per line) of rules that should be discarded.
133 | ```
134 | 
135 | **Check the IOC from MISP of the last day and export snort rules to a file**
136 | 
137 | Check the snort rules from MISP which are valid according to the analyser and export rules in a file. Please note that it modifies the version and the ID in order to have something locally unique that can be sent to a snort. The name of the rule will also have [MISP] as prefix.
138 | ```
139 | parameter : -l, --last
140 | parameter : -z SNORT_EXPORT_PATH, --snort_export_path SNORT_EXPORT_PATH  Valid snort rules export file path 
141 | 
142 | ./checkioc.py -l 1d -y /opt/valid_snort.txt
143 | ```
144 | 
145 | **Check the IOC from MISP of the last day and send the result of wrong IOC in a mail**
146 | 
147 | Don't forget to modify variables as said in the Prerequisite section.
148 | ```
149 | parameter : -l, --last
150 | parameter : -m MAIL, --mail MAIL Email that will receive results of wrong IOCs.
151 | ```
152 | 
153 | **Check the IOC from MISP of the last day and use a lock file to prevent multiple execution at the same time**
154 | 
155 | This function is useful when you know you can have problems with concurrent access as it is the case with the option of attribute tracking define after.
156 | ```
157 | parameter : -l, --last
158 | parameter : --lock LOCK  Specify a lock file to prevent multiple execution.
159 | ./checkioc.py -l 1d --lock /tmp/lockfile
160 | ```
161 | 
162 | **Check the IOC from MISP of the last day and use an history file to avoid to recheck the same IOC multiple time**
163 | 
164 | This function is useful to avoid rechecking attributes that have already been validated and that didn't change since.
165 | The file will store the IOC uuid and his last modification time in oder to track new changes and the need of rechecking this IOC. The lock function defined above can be useful in order to avoid access conflict of this file.
166 | ```
167 | parameter : -l, --last
168 | parameter :  -a ATTRIBUTE_TRACKING, --attribute_tracking ATTRIBUTE_TRACKING   this is file used to track already processed IOC based on its uuid and modification date
169 | ./checkioc.py -l 1d -a /opt/ioc_tracked.txt
170 | ```
171 | 
172 | **Exception List**
173 | 
174 | You can add IOCs in datasrc/except_list.txt if you want to force them as NOK. This feature is not working for YARA and SNORT rules.
175 | 
176 | ## External Source
177 | 
178 | - MISP : https://github.com/MISP/MISP
179 | - PyMISP module : https://github.com/CIRCL/PyMISP
180 | - Netaddr module : https://pypi.python.org/pypi/netaddr
181 | - Python-dumbpig : https://github.com/MrJester/python-dumbpig
182 | - yara : https://github.com/VirusTotal/yara
183 | - STIX : https://stixproject.github.io/
184 | - CybOX : https://cyboxproject.github.io/ 
185 | - TLDS : http://data.iana.org/TLD/tlds-alpha-by-domain.txt
186 | 


--------------------------------------------------------------------------------
/cef.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | # -*- coding: utf-8 -*-
  3 | 
  4 | # MISP-IOC-Validator - Validate IOC from MISP ; Export results and iocs to SIEM and sensors using syslog and CEF format
  5 | #
  6 | # Copyright (C) 2016 Thomas Hilt
  7 | #
  8 | # This program is free software: you can redistribute it and/or modify
  9 | # it under the terms of the GNU Affero General Public License as published by
 10 | # the Free Software Foundation, either version 3 of the License, or
 11 | # (at your option) any later version.
 12 | #
 13 | # This program is distributed in the hope that it will be useful,
 14 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
 15 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 16 | # GNU Affero General Public License for more details.
 17 | #
 18 | # You should have received a copy of the GNU Affero General Public License
 19 | # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 20 | 
 21 | import json
 22 | import time
 23 | 
 24 | MISP_VERSION = ""
 25 | 
 26 | _FACILITY = {
 27 |     'kern': 0, 'user': 1, 'mail': 2, 'daemon': 3,
 28 |     'auth': 4, 'syslog': 5, 'lpr': 6, 'news': 7,
 29 |     'uucp': 8, 'cron': 9, 'authpriv': 10, 'ftp': 11,
 30 |     'local0': 16, 'local1': 17, 'local2': 18, 'local3': 19,
 31 |     'local4': 20, 'local5': 21, 'local6': 22, 'local7': 23,
 32 | }
 33 | 
 34 | _LEVEL = {
 35 |     'emerg': 0, 'alert':1, 'crit': 2, 'err': 3,
 36 |     'warning': 4, 'notice': 5, 'info': 6, 'debug': 7
 37 | }
 38 | 
 39 | _MAX_VAL_SIZE = 100
 40 | 
 41 | def _get_partial_syslog_message(message,level='info',facility='daemon'):
 42 |     '''Returns a syslog formatted message without date and host information.
 43 | 
 44 |     message -- message that should be formatted to syslog format.
 45 |     level -- syslog level tag.
 46 |     facility -- syslog facility tag.
 47 |     '''
 48 |     level = _LEVEL[level]
 49 |     facility = _FACILITY[facility]
 50 |     message = '<%d>misp-daemon.info: %s' % (level + facility*8, message)
 51 |     return message
 52 | 
 53 | def _get_truncated_value(value):
 54 |     '''Returns a truncated value of data with __TRUNCATED concatenated at the end if data length is superior to global variable _MAX_VAL_SIZE.
 55 | 
 56 |     value -- string that should be truncated.
 57 |     '''
 58 |     global _MAX_VAL_SIZE
 59 |     return (value[:_MAX_VAL_SIZE] + '__TRUNCATED') if len(value) > _MAX_VAL_SIZE else value
 60 | 
 61 | 
 62 | def _get_yara_signature_name(rule):
 63 |     '''Returns the signature name part of a yara rule
 64 | 
 65 |     rule -- contains the yara rule.
 66 |     '''
 67 |     i = rule.find('rule ') + 5
 68 |     j = rule.find(':')
 69 |     rule = rule[i:j]
 70 |     rule = rule.replace(' ','')
 71 |     return rule
 72 | 
 73 | def get_CEF_syslog(device_version='0',cef_event_dict=None, cef_attribute_dict=None, result=None, reason=None):
 74 |     '''Returns a CEF formatted line within a partial syslog message.
 75 |        This syslog format is partial as date and host information are discarded.
 76 |        It looks to be the only way to make this logs recognized by Arcsight. FireEye appliances are doing the same with their CEF.
 77 | 
 78 |     device_version -- version of the MISP instance. (default '0')
 79 |     cef_event_dict -- dict that contains event details. (default None)
 80 |     cef_attribute_dict -- dict that contains attribute details. (default None)
 81 |     result -- result of the IOC analysis (OK or NOK). (default None)
 82 |     reason -- reason that explains the result of the analysis. (default None) 
 83 |     '''
 84 | 
 85 |     filename = ''
 86 |     filehash = ''
 87 |     destip = ''
 88 | 
 89 |     event_id = cef_event_dict['id']
 90 |     event_time = cef_event_dict['date']
 91 |     event_description = cef_event_dict['info']
 92 | 
 93 |     event_source = cef_event_dict['Orgcname']
 94 |     threat_level = cef_event_dict['threat_level_id']
 95 | 
 96 |     attribute_id = cef_attribute_dict['id']
 97 |     value = cef_attribute_dict['value']
 98 | 
 99 |     attribute_type = cef_attribute_dict['type']
100 |     attribute_uuid = cef_attribute_dict['uuid']
101 |     attribute_category = cef_attribute_dict['category']
102 |     to_ids = cef_attribute_dict['to_ids']
103 | 
104 |     if attribute_type  == 'filename|md5' or attribute_type == 'filename|sha1' or attribute_type == 'filename|sha256':
105 |         filename = value.split('|')[0]
106 |         filehash = value.split('|')[1]
107 | 
108 |     elif attribute_type  == 'md5' or attribute_type == 'sha1' or attribute_type == 'sha256':  #only hash
109 |         filehash = value
110 | 
111 |     elif attribute_type  == 'filename':   #only filename
112 |         filename = value
113 | 
114 |     if attribute_type  == 'ip-src' or attribute_type  == 'ip-dst':
115 |         destip = value
116 | 
117 |     if attribute_type  == 'yara':
118 |         value = _get_yara_signature_name(value)
119 | 
120 |     #truncate big strings if too long
121 | 
122 |     #value = _get_truncated_value(value)
123 | 
124 |     event_description = _get_truncated_value(event_description)
125 |     reason = _get_truncated_value(reason)
126 | 
127 |     #header
128 | 
129 |     # escape '|' and '\' for header
130 |     attribute_type = attribute_type.replace('\\','\\\\').replace('|','\|').replace('\n',' ').replace('\r',' ')
131 |     event_description = event_description.replace('\\','\\\\').replace('|','\|').replace('\n',' ').replace('\r',' ')
132 |     filename = filename.replace('\\','\\\\').replace('|','\|').replace('\n',' ').replace('\r',' ')
133 | 
134 |     cef_string = 'CEF:0|MISP|ValidityCheck|'
135 |     cef_string += device_version + '|'
136 |     cef_string += attribute_type + '|'
137 |     cef_string += event_description + '|'
138 |     cef_string += threat_level + '|'
139 | 
140 |     #Extension
141 | 
142 |     # escape '\' and '=' for extensions
143 |     value = value.replace('\\','\\\\').replace('=','\=')
144 |     event_source = event_source.replace('\\','\\\\').replace('=','\=')
145 |     attribute_category = attribute_category.replace('\\','\\\\').replace('=','\=')
146 |     result = result.replace('\\','\\\\').replace('=','\=')
147 |     filename = filename.replace('\\','\\\\').replace('=','\=')
148 | 
149 |     cef_string += 'externalId=' + attribute_id
150 |     cef_string += ' msg=' + value
151 |     cef_string += ' act=' + event_source
152 |     cef_string += ' cn1=' + event_id
153 | 
154 |     if to_ids in 'true':
155 |         cef_string += ' cn2=' + '1'
156 |     else:
157 |         cef_string += ' cn2=' + '0'
158 | 
159 |     cef_string += ' cs1=' + attribute_uuid
160 |     cef_string += ' cs4=' + attribute_category
161 |     cef_string += ' cs5=' + result
162 |     cef_string += ' deviceCustomDate1=' + event_time
163 |     cef_string += ' dst=' + destip
164 |     cef_string += ' fname=' + filename
165 |     cef_string += ' fileHash=' + filehash
166 |     cef_string += ' reason=' + reason
167 | 
168 |     return _get_partial_syslog_message(cef_string)
169 | 
170 | 


--------------------------------------------------------------------------------
/checkioc.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | # -*- coding: utf-8 -*-
  3 | 
  4 | # MISP-IOC-Validator - Validate IOC from MISP ; Export results and iocs to SIEM and sensors using syslog and CEF format
  5 | #
  6 | # Copyright (C) 2016 Thomas Hilt
  7 | #
  8 | # This program is free software: you can redistribute it and/or modify
  9 | # it under the terms of the GNU Affero General Public License as published by
 10 | # the Free Software Foundation, either version 3 of the License, or
 11 | # (at your option) any later version.
 12 | #
 13 | # This program is distributed in the hope that it will be useful,
 14 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
 15 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 16 | # GNU Affero General Public License for more details.
 17 | #
 18 | # You should have received a copy of the GNU Affero General Public License
 19 | # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 20 | 
 21 | from pymisp import PyMISP
 22 | from keys import misp_url, misp_key, misp_verifycert
 23 | from netaddr import IPNetwork, IPAddress
 24 | import argparse
 25 | import os
 26 | import os.path
 27 | import json
 28 | import time
 29 | import socket
 30 | from datetime import timedelta, date, datetime
 31 | from shutil import copyfile
 32 | from cybox.objects.file_object import File
 33 | import stix.utils as utils
 34 | from stix.core import STIXPackage, STIXHeader
 35 | from stix.indicator import Indicator
 36 | import dumbpig
 37 | from cef import *
 38 | from ioctest import *
 39 | from dataload import *
 40 | import time
 41 | import smtplib
 42 | import sys
 43 | import csv
 44 | import re
 45 | 
 46 | from email.mime.text import MIMEText
 47 | 
 48 | #import requests
 49 | #from requests.packages.urllib3.exceptions import InsecureRequestWarning
 50 | #requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
 51 | 
 52 | MAIL_FROM = 'localhost@localhost.local'
 53 | MAIL_SERVER = 'smtp.localhost.local'
 54 | 
 55 | yara_processed = set()
 56 | snort_processed = set()
 57 | mailed_attributes = set()
 58 | 
 59 | stix_supported = set(['filename|sha1','sha1','filename|md5','md5','filename|sha256','sha256'])
 60 | stix_indicators = set()
 61 | 
 62 | def _get_misp_version(misp):
 63 |     '''Return the version of misp from the misp instance given.
 64 | 
 65 |     misp -- misp instance connected.
 66 |     '''
 67 |     misp_version = json.dumps(misp.get_version()).encode('utf8').decode('string_escape')
 68 |     misp_version = misp_version[1::] # remove first "
 69 |     misp_version = misp_version[:-1] # remove last "
 70 |     misp_version = misp_version.split(':')[1]
 71 |     misp_version = misp_version.strip(' ')
 72 |     misp_version = misp_version.strip('"')
 73 | 
 74 |     return misp_version
 75 | 
 76 | def _perdelta(start, end, delta):
 77 |     '''Generates and yields dates between start and end with a gap of days between dates defined by delta.
 78 | 
 79 |     start -- start date of the range.
 80 |     end -- end date of the range.
 81 |     delta -- day gap number between dates to yield.
 82 |     '''
 83 |     curr = start
 84 |     while curr < end:
 85 |         yield curr
 86 |         curr += delta
 87 | 
 88 | def _create_date_list(start, end, delta):
 89 |     '''Returns a list of the dates between start and end with a gap of days between dates defined by delta.
 90 | 
 91 |     start -- start date of the range.
 92 |     end -- end date of the range.
 93 |     delta -- day gap number between dates to return.
 94 |     '''
 95 |     dates=start.split('-')
 96 |     start_date = date(int(dates[0]), int(dates[1]), int(dates[2]))
 97 | 
 98 |     datee=end.split('-')
 99 |     end_date = date(int(datee[0]), int(datee[1]), int(datee[2]))
100 | 
101 |     rangesize = int(delta)
102 | 
103 |     datelist = [str(result) for result in _perdelta(start_date,end_date,timedelta(days=rangesize))]
104 |     datelist.append(str(end_date)) # add border date
105 | 
106 |     return datelist
107 | 
108 | def _get_stix_indicator(ioc, uuid, stix_file):
109 |     '''Add one ioc to a stix indicator and return the indicator object
110 | 
111 |     ioc -- contains the ioc value
112 |     uuid -- uuid of the ioc (attribute uuid)
113 |     stix_file -- stix file to write
114 |     '''
115 | 
116 |     if '|' in ioc: # like in filename|md5
117 |         ioc = ioc.split('|')[1]
118 | 
119 |     f = File()
120 | 
121 |     indicator = Indicator()
122 |     indicator.title = uuid
123 |     indicator.description = ("ioc with MISP attribute id : " + uuid)
124 |     indicator.set_producer_identity("checkioc of tom8941")
125 |     indicator.set_produced_time(utils.dates.now())
126 | 
127 |     f.add_hash(ioc)
128 |     indicator.add_object(f)
129 | 
130 |     return indicator
131 | 
132 | def _export_yara(yara_rule,yara_file,yara_except_set):
133 |     '''Write yara_rule in yara_file
134 | 
135 |     yara_rule -- Yara rule to write.
136 |     yara_file -- File to write.
137 |     yara_except_set -- Set of yara rules to discard from the export.
138 |     '''
139 |     yara_name_match = re.search('^(private|global| )*rule\s*\w*',yara_rule,re.MULTILINE)
140 | 
141 |     if yara_name_match:
142 |         yara_name = yara_name_match.group().replace('rule','').strip(' \t\n\r')
143 |         yara_name_match_import = re.search('^import',yara_rule,re.MULTILINE)
144 |         if not yara_name_match_import:
145 |             if yara_name not in yara_processed and yara_name not in yara_except_set: #avoid duplicates and unwanted rules
146 |                 yara_processed.add(yara_name)
147 |                 yara_export_file.write(yara_rule)
148 |                 yara_export_file.write('\n')
149 | 
150 | def _export_snort(snort_rule,snort_file):
151 |     '''Write snort_rule in snort_file
152 | 
153 |     snort_rule -- Yara rule to write.
154 |     snort_file -- File to write.
155 |     '''
156 |     snort_name_match = re.search('msg:\"[^"]*";',snort_rule,re.MULTILINE)
157 | 
158 |     if snort_name_match:
159 |         snort_name = snort_name_match.group()
160 |         snort_name = snort_name[5:-2]
161 | 
162 |         if snort_rule not in snort_processed: #avoid duplicates
163 |             snort_processed.add(snort_rule)
164 |             snort_rule = snort_rule.replace('msg:"','msg:"[MISP] ')
165 |             snort_export_file.write(snort_rule)
166 |             snort_export_file.write('\n')
167 | 
168 | def _read_attribute_tracking_file(tracking_filepath):
169 |     '''Read a csv formatted file that should contain a list of uuid,date of attributes and return a dictionary using uuid as key and date as value.
170 | 
171 |     tracking_filepath -- Path of the csv formatted file ("," as separator) that contains a list of uuid,date of attributes processed.
172 |     '''
173 |     dic = {}
174 |     if os.path.exists(tracking_filepath):
175 |         if os.path.isfile(tracking_filepath):
176 |             with open(tracking_filepath, 'r') as tracking_file:
177 |                 csv_reader = csv.reader(tracking_file, delimiter=',')
178 |                 for row in csv_reader:
179 |                     dic[row[0]] = row[1]
180 | 
181 |             tracking_file.close()
182 | 
183 |     return dic
184 | 
185 | def _update_attribute_tracking_file(tracking_filepath, tracking_dict):
186 |     '''Convert a dictionary using attribute uuid as key and attribute date as value into a csv formatted file that should contain a list of uuid,date of attributes.
187 | 
188 |     tracking_filepath -- Path of the csv formatted file ("," as separator) that contains a list of uuid,date of attributes processed.
189 |     tracking_dict -- Dictionary using attribute uuid as key and attribute date as value.
190 |     '''
191 |     with open(tracking_filepath, 'w') as tracking_file:
192 |         for key in tracking_dict:
193 |             tracking_file.write(key + ',' + tracking_dict[key] + '\n')
194 | 
195 |     tracking_file.close()
196 | 
197 | def _add_to_mailed_attributes(event, attribute, reason):
198 |     '''Add the attribute and reason of failure to the set of attribute that will be sent by mail.
199 | 
200 |     event -- Event realted to the attribute.
201 |     attribute -- Attribute to add to the set of mailed attributes.
202 |     reason -- contains the reason of the failure.
203 |     '''
204 |     mailed_attributes.add((event['Orgname'], event['Orgcname'], event['uuid'], attribute['uuid'], event['info'], reason))
205 | 
206 | def _send_attributes_mail(mail_address, attribute_set):
207 |     '''Send the the content of attribute_set by mail to mail_address
208 | 
209 |     attribute_set -- contains the attributes contents.
210 |     mail_address -- contain the mail address that will recieve the results.
211 |     '''
212 | 
213 |     msg = 'List of problems with IOCs : \n\n'
214 |     msg += 'Org / OrgC / Event UUID / Attribute UUID / Description / Error message \n\n'
215 | 
216 |     for result in attribute_set:
217 |        msg += str(result[0]) + ' / ' + str(result[1]) + ' / ' + str(result[2]) + ' / ' + str(result[3]) + ' / ' + str(result[4]) + ' / ' + str(result[5]) + '\n'
218 | 
219 |     mime_msg = MIMEText(msg)
220 |     mime_msg['Subject'] = '[MISP-EU] MISP Quality check'
221 |     s = smtplib.SMTP(MAIL_SERVER)
222 |     s.sendmail(MAIL_FROM, mail_address, mime_msg.as_string())
223 |     s.quit()
224 | 
225 | def check_last(misp, last="1d", datasrc_dict=None, allowed_attribute_set=None, quiet=False, attribute_status_dict={}, stix_export_file=None, yara_export_file=None, snort_export_file=None, to_mail=False):
226 |     '''Check attributes from events published during the last period defined.
227 | 
228 |     misp -- misp instance connected.
229 |     last -- last period used to catch events. (default 1d)
230 |     datasrc_dict -- dict that contains data source sets used for checks. (default None)
231 |     allowed_attribute_set -- set that contains the misp attibute types that would be checked. (default None)
232 |     quiet -- define if processing output should be displayed. (default False)
233 |     attribute_status_dict -- define the file used to track attributes processed. (default {})
234 |     yara_export_file -- define the file used to export valid yara rules. (default None)
235 |     snort_export_file -- define the file used to export valid snort rules. (default None)
236 |     to_mail -- define if the set of attributes that should be mailed have to be filled. (default False)
237 |     '''
238 |     res = misp.download_last(last)
239 | 
240 |     if  'response' in res.keys():
241 |         json_events = res['response']
242 |     else:
243 |         if not quiet:
244 |             print 'No attributes in the specified period'
245 |         return
246 |     j=0
247 | 
248 |     for result in check_attributes(json_events,datasrc_dict,allowed_attribute_set, attribute_status_dict):
249 |         if result:
250 |             j+=1
251 |             if stix_export_file is not None and result['result'] == 'OK':
252 |                 if result['attribute_dict']['type'] in stix_supported:
253 |                     stix_indicators.add(_get_stix_indicator(result['attribute_dict']['value'],result['attribute_dict']['uuid'], stix_export_file))
254 | 
255 |             if yara_export_file is not None and result['result'] == 'OK':
256 |                 if result['attribute_dict']['type'] == 'yara':
257 |                     _export_yara(result['attribute_dict']['value'], yara_export_file,datasrc_dict['yara_export_except'])
258 | 
259 |             if snort_export_file is not None and result['result'] == 'OK':
260 |                 if result['attribute_dict']['type'] == 'snort':
261 |                     _export_snort(result['attribute_dict']['value'], snort_export_file)
262 | 
263 |             if to_mail and result['result'] == 'NOK':
264 |                 _add_to_mailed_attributes(result['event_dict'], result['attribute_dict'], result['reason'])
265 | 
266 |             yield get_CEF_syslog(_get_misp_version(misp), result['event_dict'], result['attribute_dict'], result['result'], result['reason'])
267 | 
268 |     if not quiet:
269 |         print 'Processing of last ' + last + ' : ' + str(j) + ' attributes processed'
270 | 
271 | def sliced_search(misp, date_from=None, date_to=None, day_slice=1, time_wait=0, datasrc_dict=None, allowed_attribute_set=None, quiet=False, attribute_status_dict={}, stix_export_file=None, yara_export_file=None, snort_export_file=None, to_mail=False):
272 |     '''Check attributes from events created during the given time range.
273 | 
274 |     misp -- misp instance connected.
275 |     date_from -- start date of the range. (default None)
276 |     date_to -- end date of the range. (default None)
277 |     day_slice -- define that size in days of subranges generated to check events in order to perform checks in smaller. (default 1)
278 |     time_wait -- define the time to wait between checks of two subranges generated by the day_slice parameter in order to reduce misp server request load. (default 0)
279 |     datasrc_dict -- dict that contains data source sets used for checks. (default None)
280 |     allowed_attribute_set -- Dictionary using attribute uuid as key and attribute date as value used to track attributes updates. (default None)
281 |     quiet -- define if processing output should be displayed. (default False)
282 |     attribute_status_dict -- define the file used to track attributes processed. (default {})
283 |     yara_export_file -- define the file used to export valid yara rules. (default None)
284 |     snort_export_file -- define the file used to export valid snort rules. (default None)
285 |     to_mail -- define if the set of attributes that should be mailed have to be filled. (default False)
286 |     '''
287 |     datelist = _create_date_list(date_from, date_to, day_slice)
288 | 
289 |     for i in range(0,len(datelist) - 1):
290 |         res = misp.search(date_from=datelist[i],date_to=datelist[i+1])
291 |         if  'response' in res.keys():
292 |             json_events = res['response']
293 |         else:
294 |             if not quiet:
295 |                 print 'Processing from ' + datelist[i] + ' to ' + datelist[i+1] + ': No attributes'
296 | 
297 |             yield None
298 |             continue
299 |         j=0
300 | 
301 |         for result in check_attributes(json_events,datasrc_dict,allowed_attribute_set, attribute_status_dict):
302 |             if result:
303 |                 j+=1
304 |                 if stix_export_file is not None and result['result'] == 'OK':
305 |                     if result['attribute_dict']['type'] in stix_supported:
306 |                         stix_indicators.add(_get_stix_indicator(result['attribute_dict']['value'],result['attribute_dict']['uuid'], stix_export_file))
307 | 
308 |                 if yara_export_file is not None and result['result'] == 'OK':
309 |                     if result['attribute_dict']['type'] == 'yara':
310 |                         _export_yara(result['attribute_dict']['value'], yara_export_file, datasrc_dict['yara_export_except'])
311 | 
312 |                 if snort_export_file is not None and result['result'] == 'OK':
313 |                     if result['attribute_dict']['type'] == 'snort':
314 |                         _export_snort(result['attribute_dict']['value'], snort_export_file)
315 | 
316 |                 if to_mail and result['result'] == 'NOK':
317 |                     _add_to_mailed_attributes(result['event_dict'], result['attribute_dict'], result['reason'])
318 | 
319 |                 yield get_CEF_syslog(_get_misp_version(misp), result['event_dict'], result['attribute_dict'], result['result'], result['reason'])
320 | 
321 |         if not quiet:
322 |             print 'Processing from ' + datelist[i] + ' to ' + datelist[i+1] + ': ' + str(j) + ' attributes processed'
323 | 
324 |         time.sleep(int(time_wait))
325 | 
326 | def update_tracking_last(misp, last="1d", allowed_attribute_set=None, quiet=False, attribute_status_dict={}):
327 |     '''Update the attribute tracking file using the last function to fetch events.
328 | 
329 |     misp -- misp instance connected.
330 |     last -- last period used to catch events. (default 1d)
331 |     allowed_attribute_set -- set that contains the misp attibute types that would be checked. (default None)
332 |     quiet -- define if processing output should be displayed. (default False)
333 |     attribute_status_dict -- define the file used to track attributes processed. (default {})
334 |     '''
335 |     res = misp.download_last(last)
336 | 
337 |     if  'response' in res.keys():
338 |         json_events = res['response']
339 |     else:
340 |         if not quiet:
341 |             print 'No attributes in the specified period'
342 |         return
343 |     j=0
344 | 
345 |     for result in track_attributes(json_events,allowed_attribute_set, attribute_status_dict):
346 |         if result:
347 |             j+=1
348 | 
349 |     if not quiet:
350 |         print 'Processing of last ' + last + ' : ' + str(j) + ' attributes processed'
351 | 
352 | def update_tracking(misp, date_from=None, date_to=None, day_slice=1, time_wait=0, allowed_attribute_set=None, quiet=False, attribute_status_dict={}):
353 |     '''Update the attribute tracking file using the range search function to fetch events.
354 | 
355 |     misp -- misp instance connected.
356 |     date_from -- start date of the range. (default None)
357 |     date_to -- end date of the range. (default None)
358 |     day_slice -- define that size in days of subranges generated to check events in order to perform checks in smaller. (default 1)
359 |     time_wait -- define the time to wait between checks of two subranges generated by the day_slice parameter in order to reduce misp server request load. (default 0)
360 |     allowed_attribute_set -- Dictionary using attribute uuid as key and attribute date as value used to track attributes updates. (default None)
361 |     quiet -- define if processing output should be displayed. (default False)
362 |     attribute_status_dict -- define the file used to track attributes processed. (default {})
363 |     '''
364 |     datelist = _create_date_list(date_from, date_to, day_slice)
365 | 
366 |     for i in range(0,len(datelist) - 1):
367 |         res = misp.search(date_from=datelist[i],date_to=datelist[i+1])
368 |         if  'response' in res.keys():
369 |             json_events = res['response']
370 |         else:
371 |             if not quiet:
372 |                 print 'Processing from ' + datelist[i] + ' to ' + datelist[i+1] + ': No attributes'
373 |             continue
374 | 
375 |         j=0
376 |         for result in track_attributes(json_events,allowed_attribute_set, attribute_status_dict):
377 |             if result:
378 |                 j+=1
379 | 
380 |         if not quiet:
381 |             print 'Processing from ' + datelist[i] + ' to ' + datelist[i+1] + ': ' + str(j) + ' attributes processed'
382 | 
383 |         time.sleep(int(time_wait))
384 | 
385 | ############################################
386 | #################  Main ####################
387 | ############################################
388 | 
389 | if __name__ == '__main__':
390 |     '''
391 | 
392 |     '''
393 |     parser = argparse.ArgumentParser(description='Download events from a MISP instance and verify their validity.')
394 |     parser.add_argument("--print_types",help="Print valid MISP attribute types", action="store_true")
395 |     parser.add_argument("--update_tracking_only", help="update the file used to track already processed attributes. Should be used with -s and -e.", action="store_true")
396 |     parser.add_argument("--lock", help="Specify a lock file to prevent multiple execution.")
397 |     parser.add_argument("-l", "--last", help="can be defined in days, hours, minutes (for example 5d or 12h or 30m)")
398 |     parser.add_argument("-s", "--start", help="start date of time range YYYY-MM-DD format")
399 |     parser.add_argument("-e", "--end", help="end date of time range YYYY-MM-DD format")
400 |     parser.add_argument("-d", "--day_slice",help="size of dayrange in days")
401 |     parser.add_argument("-t", "--time_wait",default=0,help="time to wait between processing of 2 range of days in seconds")
402 |     parser.add_argument("-i", "--ip", help="Syslog server ip")
403 |     parser.add_argument("-p", "--port", help="Syslog server port")
404 |     parser.add_argument("-x", "--stix_export_path", help="Valid ioc STIX format file path (only for hashes)")
405 |     parser.add_argument("-y", "--yara_export_path", help="Valid yara rules export file path")
406 |     parser.add_argument("-z", "--snort_export_path", help="Valid snort rules export file path")
407 |     parser.add_argument("-a", "--attribute_tracking", help="file used to track already processed attributes based on its uuid and modification date")
408 |     parser.add_argument("-m", "--mail", help="Email that will receive results of wrong IOCs.")
409 | 
410 |     argtypegroup = parser.add_mutually_exclusive_group()
411 |     argtypegroup.add_argument("-o", "--only", nargs="+",help="Only attribute type given")
412 |     argtypegroup.add_argument("-w", "--without", nargs="+",help="Without attribute type given")
413 | 
414 |     argverb_group = parser.add_mutually_exclusive_group()
415 |     argverb_group.add_argument("-v", "--verbose", help="Print the result of each test of attributes.", action="store_true")
416 |     argverb_group.add_argument("-q", "--quiet", help="Suppress all outputs", action="store_true")
417 | 
418 |     args = parser.parse_args()
419 | 
420 |     if args.print_types:
421 |         print 'List of valid attributes : '
422 |         for e in allowed_attribute_set:
423 |             print e
424 |         exit(0)
425 | 
426 |     if not args.quiet:
427 |         print time.strftime("%c")
428 | 
429 |     if args.lock:
430 |         if os.path.exists(args.lock):
431 |             if os.path.isfile(args.lock):
432 |                 print "Lock file already exists. Please wait until the other process has finished or delete this file."
433 |                 exit(0)
434 |             else:
435 |                 print "Lock file path already exists but it is not a file. Please suppress it."
436 |                 exit(0)
437 |         else:
438 |             with open(args.lock, 'w') as lock_file:
439 |                 lock_file.write('1\n')
440 |             lock_file.close()
441 | 
442 |     if args.stix_export_path:
443 |         stix_export_file = open(args.stix_export_path, 'w')
444 |     else:
445 |         stix_export_file = None
446 | 
447 |     if args.yara_export_path:
448 |         yara_export_file = open(args.yara_export_path, 'w')
449 |     else:
450 |         yara_export_file = None
451 | 
452 |     if args.snort_export_path:
453 |         snort_export_file = open(args.snort_export_path, 'w')
454 |     else:
455 |         snort_export_file = None
456 | 
457 |     if args.only:
458 |         if any(e not in allowed_attribute_set for e in args.only):
459 |             print 'Some elements of the attribute list are not valid. Use --print_types, to show the valid ones'
460 |             exit(0)
461 |         else:
462 |             allowed_attribute_set.clear()
463 |             for e in args.only:
464 |                 allowed_attribute_set.add(e)
465 | 
466 |     if args.without:
467 |         if any(e not in allowed_attribute_set for e in args.without):
468 |             print 'Some elements of the attribute list are not valid. Use --print-types, to show the valid ones'
469 |             exit(0)
470 |         else:
471 |             for e in args.without:
472 |                 allowed_attribute_set.remove(e)
473 | 
474 |     if not args.update_tracking_only:
475 |         datasrc_dict = import_external_sources(allowed_attribute_set) # Load datasets
476 | 
477 |     if args.attribute_tracking:
478 |         attribute_status_dict = _read_attribute_tracking_file(args.attribute_tracking)
479 |         if os.path.exists(args.attribute_tracking):
480 |             if os.path.isfile(args.attribute_tracking):
481 |                 copyfile(args.attribute_tracking, args.attribute_tracking + '.bak')
482 | 
483 |     misp = PyMISP(misp_url, misp_key, misp_verifycert, 'json')
484 | 
485 |     sock = None
486 | 
487 |     if args.ip is not None and args.port is not None:
488 |         sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
489 |         sock.connect((args.ip,int(args.port)))
490 | 
491 |     if args.update_tracking_only:
492 |         if not args.attribute_tracking:
493 |             print "-a or --attribute_tracking parameter missing."
494 |             exit(0)
495 |         
496 |         if args.last: 
497 |             update_tracking_last(misp,args.last,allowed_attribute_set, args.quiet, attribute_status_dict)
498 |    
499 |         else:
500 |             print "-l/--last or, -s/--start and -e/--end parameters missing."
501 |             exit(0)
502 | 
503 |             if args.day_slice is None:
504 |                 date_format = "%Y-%m-%d"
505 |                 delta = datetime.datetime.strptime(args.end,date_format) - datetime.datetime.strptime(args.start,date_format)
506 |                 update_tracking(misp,args.start,args.end,str(int(delta.days)),0,allowed_attribute_set, args.quiet, attribute_status_dict)
507 |             else:
508 |                 update_tracking(misp,args.start,args.end,args.day_slice,args.time_wait,allowed_attribute_set,args.quiet,attribute_status_dict)
509 | 
510 |     elif args.last is not None:
511 |         for message in check_last(misp,args.last,datasrc_dict, allowed_attribute_set, args.quiet, attribute_status_dict, stix_export_file, yara_export_file, snort_export_file, bool(args.mail)):
512 |             if args.verbose and message is not None:
513 |                 print message
514 |             if isinstance(sock,socket.socket) and message is not None:
515 |                 sock.send(message)
516 | 
517 |     elif args.day_slice is None:
518 |         date_format = "%Y-%m-%d"
519 |         delta = datetime.datetime.strptime(args.end,date_format) - datetime.datetime.strptime(args.start,date_format)
520 |         for message in sliced_search(misp,args.start,args.end,str(int(delta.days)),0,datasrc_dict, allowed_attribute_set, args.quiet, attribute_status_dict, stix_export_file, yara_export_file, snort_export_file, bool(args.mail)):
521 |             if args.verbose and message is not None:
522 |                 print message
523 |             if isinstance(sock,socket.socket) and message is not None:
524 |                 sock.send(message)
525 | 
526 |     else:
527 |         for message in sliced_search(misp,args.start,args.end,args.day_slice,args.time_wait,datasrc_dict, allowed_attribute_set, args.quiet, attribute_status_dict, stix_export_file, yara_export_file, snort_export_file, bool(args.mail)):
528 |             if args.verbose and message is not None:
529 |                 print message
530 |             if isinstance(sock,socket.socket) and message is not None:
531 |                 sock.send(message)
532 | 
533 |     if isinstance(sock,socket.socket):
534 |         sock.close()
535 | 
536 |     if args.stix_export_path:
537 |         stix_package = STIXPackage()
538 |         stix_header = STIXHeader()
539 |         stix_header.description = "MISP checkioc STIX export"
540 |         stix_package.stix_header = stix_header
541 | 
542 |         for indicator in stix_indicators:
543 |             stix_package.add(indicator)
544 | 
545 |         stix_export_file.write(stix_package.to_xml())
546 | 
547 |         stix_export_file.close()
548 | 
549 |     if args.yara_export_path:
550 |         yara_export_file.close()
551 | 
552 |     if args.snort_export_path:
553 |         snort_export_file.close()
554 | 
555 |     if args.attribute_tracking:
556 |         _update_attribute_tracking_file(args.attribute_tracking, attribute_status_dict)
557 |         if os.path.exists(args.attribute_tracking + '.bak'):
558 |             if os.path.isfile(args.attribute_tracking + '.bak'):
559 |                 os.remove(args.attribute_tracking + '.bak')
560 | 
561 |     if args.mail:
562 |         _send_attributes_mail(args.mail, mailed_attributes)
563 | 
564 |     if args.lock:
565 |         if os.path.exists(args.lock):
566 |             if os.path.isfile(args.lock):
567 |                 os.remove(args.lock)
568 | 
569 |     if not args.quiet:
570 |         print time.strftime("%c")
571 | 
572 |     exit(0)
573 | 


--------------------------------------------------------------------------------
/dataload.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | # MISP-IOC-Validator - Validate IOC from MISP ; Export results and iocs to SIEM and sensors using syslog and CEF format
 5 | #
 6 | # Copyright (C) 2016 Thomas Hilt
 7 | #
 8 | # This program is free software: you can redistribute it and/or modify
 9 | # it under the terms of the GNU Affero General Public License as published by
10 | # the Free Software Foundation, either version 3 of the License, or
11 | # (at your option) any later version.
12 | #
13 | # This program is distributed in the hope that it will be useful,
14 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16 | # GNU Affero General Public License for more details.
17 | #
18 | # You should have received a copy of the GNU Affero General Public License
19 | # along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 | 
21 | from sourcefilelist import *
22 | 
23 | def import_external_sources(attribute_set):
24 |     '''Returns dict of sets where each set contains values of the files referenced in sourcefilelist.
25 | 
26 |     attribute_set -- set of misp attribute types that would be concerned by the import.
27 |     '''
28 |     data = {}
29 |     data['tld'] = frozenset()
30 |     data['googleip'] = frozenset()
31 |     data['yahooip'] = frozenset()
32 |     data['microsoftip'] = frozenset()
33 |     data['alexa_all'] = frozenset() 
34 |     data['alexa_except'] = frozenset()
35 |     data['md5'] = frozenset()
36 |     data['sha1'] = frozenset()
37 |     data['sha256'] = frozenset()
38 | 
39 |     data['tld'] = frozenset(line.lower().strip() for line in open(tld_list_filepath))
40 |     data['googleip'] = frozenset(line.strip() for line in open(google_ip_list_filepath))
41 |     data['yahooip'] = frozenset(line.strip() for line in open(yahoo_ip_list_filepath))
42 |     data['microsoftip'] = frozenset(line.strip() for line in open(microsoft_ip_list_filepath))
43 |     data['alexa_all'] = frozenset(line.lower().strip() for line in open(alexa_list_filepath))  #full alexa list
44 |     data['alexa_except'] = frozenset(line.lower().strip() for line in open(alexa_exception_list_filepath)) #dyndns ips
45 |     data['yara_export_except'] = frozenset(line.strip() for line in open(yara_export_exception_list_filepath)) #list of names of yara rules to discard from export
46 |     data['except_list'] = frozenset(line.lower().strip() for line in open(except_list_filepath))  #ioc exception list
47 | 
48 |     data['alexa'] = data['alexa_all'] - data['alexa_except'] # remove elements from except list
49 |    
50 |     if 'md5' in attribute_set or 'filename|md5' in attribute_set:
51 |         data['md5'] = frozenset(line.lower().strip() for line in open(md5_list_filepath))
52 | 
53 |     if 'sha1' in attribute_set or 'filename|sha1' in attribute_set:
54 |         data['sha1'] = frozenset(line.lower().strip() for line in open(sha1_list_filepath))
55 | 
56 |     if 'sha256' in attribute_set or 'filename|sha256' in attribute_set:
57 |         data['sha256'] = frozenset(line.lower().strip() for line in open(sha256_list_filepath))
58 | 
59 |     return data
60 | 


--------------------------------------------------------------------------------
/datasrc/alexa_exception.txt:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/datasrc/alexalist.txt:
--------------------------------------------------------------------------------
1 | google.com
2 | youtube.com
3 | facebook.com
4 | 


--------------------------------------------------------------------------------
/datasrc/except_list.txt:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/datasrc/google_ip.txt:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/datasrc/md5.txt:
--------------------------------------------------------------------------------
1 | d41d8cd98f00b204e9800998ecf8427e
2 | 


--------------------------------------------------------------------------------
/datasrc/microsoft_ip.txt:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/datasrc/sha1.txt:
--------------------------------------------------------------------------------
1 | da39a3ee5e6b4b0d3255bfef95601890afd80709
2 | 


--------------------------------------------------------------------------------
/datasrc/sha256.txt:
--------------------------------------------------------------------------------
1 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2 | 


--------------------------------------------------------------------------------
/datasrc/tlds-alpha-by-domain.txt:
--------------------------------------------------------------------------------
   1 | AAA
   2 | AARP
   3 | ABARTH
   4 | ABB
   5 | ABBOTT
   6 | ABBVIE
   7 | ABC
   8 | ABLE
   9 | ABOGADO
  10 | ABUDHABI
  11 | AC
  12 | ACADEMY
  13 | ACCENTURE
  14 | ACCOUNTANT
  15 | ACCOUNTANTS
  16 | ACO
  17 | ACTIVE
  18 | ACTOR
  19 | AD
  20 | ADAC
  21 | ADS
  22 | ADULT
  23 | AE
  24 | AEG
  25 | AERO
  26 | AETNA
  27 | AF
  28 | AFAMILYCOMPANY
  29 | AFL
  30 | AG
  31 | AGAKHAN
  32 | AGENCY
  33 | AI
  34 | AIG
  35 | AIRBUS
  36 | AIRFORCE
  37 | AIRTEL
  38 | AKDN
  39 | AL
  40 | ALFAROMEO
  41 | ALIBABA
  42 | ALIPAY
  43 | ALLFINANZ
  44 | ALLSTATE
  45 | ALLY
  46 | ALSACE
  47 | ALSTOM
  48 | AM
  49 | AMERICANEXPRESS
  50 | AMERICANFAMILY
  51 | AMEX
  52 | AMFAM
  53 | AMICA
  54 | AMSTERDAM
  55 | ANALYTICS
  56 | ANDROID
  57 | ANQUAN
  58 | ANZ
  59 | AO
  60 | APARTMENTS
  61 | APP
  62 | APPLE
  63 | AQ
  64 | AQUARELLE
  65 | AR
  66 | ARAMCO
  67 | ARCHI
  68 | ARMY
  69 | ARPA
  70 | ART
  71 | ARTE
  72 | AS
  73 | ASDA
  74 | ASIA
  75 | ASSOCIATES
  76 | AT
  77 | ATHLETA
  78 | ATTORNEY
  79 | AU
  80 | AUCTION
  81 | AUDI
  82 | AUDIBLE
  83 | AUDIO
  84 | AUTHOR
  85 | AUTO
  86 | AUTOS
  87 | AVIANCA
  88 | AW
  89 | AWS
  90 | AX
  91 | AXA
  92 | AZ
  93 | AZURE
  94 | BA
  95 | BABY
  96 | BAIDU
  97 | BANAMEX
  98 | BANANAREPUBLIC
  99 | BAND
 100 | BANK
 101 | BAR
 102 | BARCELONA
 103 | BARCLAYCARD
 104 | BARCLAYS
 105 | BAREFOOT
 106 | BARGAINS
 107 | BAUHAUS
 108 | BAYERN
 109 | BB
 110 | BBC
 111 | BBT
 112 | BBVA
 113 | BCG
 114 | BCN
 115 | BD
 116 | BE
 117 | BEATS
 118 | BEAUTY
 119 | BEER
 120 | BENTLEY
 121 | BERLIN
 122 | BEST
 123 | BESTBUY
 124 | BET
 125 | BF
 126 | BG
 127 | BH
 128 | BHARTI
 129 | BI
 130 | BIBLE
 131 | BID
 132 | BIKE
 133 | BING
 134 | BINGO
 135 | BIO
 136 | BIZ
 137 | BJ
 138 | BLACK
 139 | BLACKFRIDAY
 140 | BLANCO
 141 | BLOCKBUSTER
 142 | BLOG
 143 | BLOOMBERG
 144 | BLUE
 145 | BM
 146 | BMS
 147 | BMW
 148 | BN
 149 | BNL
 150 | BNPPARIBAS
 151 | BO
 152 | BOATS
 153 | BOEHRINGER
 154 | BOFA
 155 | BOM
 156 | BOND
 157 | BOO
 158 | BOOK
 159 | BOOKING
 160 | BOOTS
 161 | BOSCH
 162 | BOSTIK
 163 | BOT
 164 | BOUTIQUE
 165 | BR
 166 | BRADESCO
 167 | BRIDGESTONE
 168 | BROADWAY
 169 | BROKER
 170 | BROTHER
 171 | BRUSSELS
 172 | BS
 173 | BT
 174 | BUDAPEST
 175 | BUGATTI
 176 | BUILD
 177 | BUILDERS
 178 | BUSINESS
 179 | BUY
 180 | BUZZ
 181 | BV
 182 | BW
 183 | BY
 184 | BZ
 185 | BZH
 186 | CA
 187 | CAB
 188 | CAFE
 189 | CAL
 190 | CALL
 191 | CALVINKLEIN
 192 | CAM
 193 | CAMERA
 194 | CAMP
 195 | CANCERRESEARCH
 196 | CANON
 197 | CAPETOWN
 198 | CAPITAL
 199 | CAPITALONE
 200 | CAR
 201 | CARAVAN
 202 | CARDS
 203 | CARE
 204 | CAREER
 205 | CAREERS
 206 | CARS
 207 | CARTIER
 208 | CASA
 209 | CASH
 210 | CASINO
 211 | CAT
 212 | CATERING
 213 | CBA
 214 | CBN
 215 | CBRE
 216 | CBS
 217 | CC
 218 | CD
 219 | CEB
 220 | CENTER
 221 | CEO
 222 | CERN
 223 | CF
 224 | CFA
 225 | CFD
 226 | CG
 227 | CH
 228 | CHANEL
 229 | CHANNEL
 230 | CHASE
 231 | CHAT
 232 | CHEAP
 233 | CHINTAI
 234 | CHLOE
 235 | CHRISTMAS
 236 | CHROME
 237 | CHRYSLER
 238 | CHURCH
 239 | CI
 240 | CIPRIANI
 241 | CIRCLE
 242 | CISCO
 243 | CITADEL
 244 | CITI
 245 | CITIC
 246 | CITY
 247 | CITYEATS
 248 | CK
 249 | CL
 250 | CLAIMS
 251 | CLEANING
 252 | CLICK
 253 | CLINIC
 254 | CLINIQUE
 255 | CLOTHING
 256 | CLOUD
 257 | CLUB
 258 | CLUBMED
 259 | CM
 260 | CN
 261 | CO
 262 | COACH
 263 | CODES
 264 | COFFEE
 265 | COLLEGE
 266 | COLOGNE
 267 | COM
 268 | COMCAST
 269 | COMMBANK
 270 | COMMUNITY
 271 | COMPANY
 272 | COMPARE
 273 | COMPUTER
 274 | COMSEC
 275 | CONDOS
 276 | CONSTRUCTION
 277 | CONSULTING
 278 | CONTACT
 279 | CONTRACTORS
 280 | COOKING
 281 | COOKINGCHANNEL
 282 | COOL
 283 | COOP
 284 | CORSICA
 285 | COUNTRY
 286 | COUPON
 287 | COUPONS
 288 | COURSES
 289 | CR
 290 | CREDIT
 291 | CREDITCARD
 292 | CREDITUNION
 293 | CRICKET
 294 | CROWN
 295 | CRS
 296 | CRUISES
 297 | CSC
 298 | CU
 299 | CUISINELLA
 300 | CV
 301 | CW
 302 | CX
 303 | CY
 304 | CYMRU
 305 | CYOU
 306 | CZ
 307 | DABUR
 308 | DAD
 309 | DANCE
 310 | DATE
 311 | DATING
 312 | DATSUN
 313 | DAY
 314 | DCLK
 315 | DDS
 316 | DE
 317 | DEAL
 318 | DEALER
 319 | DEALS
 320 | DEGREE
 321 | DELIVERY
 322 | DELL
 323 | DELOITTE
 324 | DELTA
 325 | DEMOCRAT
 326 | DENTAL
 327 | DENTIST
 328 | DESI
 329 | DESIGN
 330 | DEV
 331 | DHL
 332 | DIAMONDS
 333 | DIET
 334 | DIGITAL
 335 | DIRECT
 336 | DIRECTORY
 337 | DISCOUNT
 338 | DISCOVER
 339 | DISH
 340 | DJ
 341 | DK
 342 | DM
 343 | DNP
 344 | DO
 345 | DOCS
 346 | DOCTOR
 347 | DODGE
 348 | DOG
 349 | DOHA
 350 | DOMAINS
 351 | DOT
 352 | DOWNLOAD
 353 | DRIVE
 354 | DTV
 355 | DUBAI
 356 | DUCK
 357 | DUNLOP
 358 | DUNS
 359 | DUPONT
 360 | DURBAN
 361 | DVAG
 362 | DZ
 363 | EARTH
 364 | EAT
 365 | EC
 366 | EDEKA
 367 | EDU
 368 | EDUCATION
 369 | EE
 370 | EG
 371 | EMAIL
 372 | EMERCK
 373 | ENERGY
 374 | ENGINEER
 375 | ENGINEERING
 376 | ENTERPRISES
 377 | EPOST
 378 | EPSON
 379 | EQUIPMENT
 380 | ER
 381 | ERICSSON
 382 | ERNI
 383 | ES
 384 | ESQ
 385 | ESTATE
 386 | ESURANCE
 387 | ET
 388 | EU
 389 | EUROVISION
 390 | EUS
 391 | EVENTS
 392 | EVERBANK
 393 | EXCHANGE
 394 | EXPERT
 395 | EXPOSED
 396 | EXPRESS
 397 | EXTRASPACE
 398 | FAGE
 399 | FAIL
 400 | FAIRWINDS
 401 | FAITH
 402 | FAMILY
 403 | FAN
 404 | FANS
 405 | FARM
 406 | FARMERS
 407 | FASHION
 408 | FAST
 409 | FEDEX
 410 | FEEDBACK
 411 | FERRARI
 412 | FERRERO
 413 | FI
 414 | FIAT
 415 | FIDELITY
 416 | FILM
 417 | FINAL
 418 | FINANCE
 419 | FINANCIAL
 420 | FIRE
 421 | FIRESTONE
 422 | FIRMDALE
 423 | FISH
 424 | FISHING
 425 | FIT
 426 | FITNESS
 427 | FJ
 428 | FK
 429 | FLICKR
 430 | FLIGHTS
 431 | FLIR
 432 | FLORIST
 433 | FLOWERS
 434 | FLY
 435 | FM
 436 | FO
 437 | FOO
 438 | FOODNETWORK
 439 | FOOTBALL
 440 | FORD
 441 | FOREX
 442 | FORSALE
 443 | FORUM
 444 | FOUNDATION
 445 | FOX
 446 | FR
 447 | FRESENIUS
 448 | FRL
 449 | FROGANS
 450 | FRONTDOOR
 451 | FRONTIER
 452 | FTR
 453 | FUJITSU
 454 | FUJIXEROX
 455 | FUND
 456 | FURNITURE
 457 | FUTBOL
 458 | FYI
 459 | GA
 460 | GAL
 461 | GALLERY
 462 | GALLO
 463 | GALLUP
 464 | GAME
 465 | GAMES
 466 | GAP
 467 | GARDEN
 468 | GB
 469 | GBIZ
 470 | GD
 471 | GDN
 472 | GE
 473 | GEA
 474 | GENT
 475 | GENTING
 476 | GF
 477 | GG
 478 | GGEE
 479 | GH
 480 | GI
 481 | GIFT
 482 | GIFTS
 483 | GIVES
 484 | GIVING
 485 | GL
 486 | GLADE
 487 | GLASS
 488 | GLE
 489 | GLOBAL
 490 | GLOBO
 491 | GM
 492 | GMAIL
 493 | GMBH
 494 | GMO
 495 | GMX
 496 | GN
 497 | GODADDY
 498 | GOLD
 499 | GOLDPOINT
 500 | GOLF
 501 | GOO
 502 | GOODHANDS
 503 | GOODYEAR
 504 | GOOG
 505 | GOOGLE
 506 | GOP
 507 | GOT
 508 | GOV
 509 | GP
 510 | GQ
 511 | GR
 512 | GRAINGER
 513 | GRAPHICS
 514 | GRATIS
 515 | GREEN
 516 | GRIPE
 517 | GROUP
 518 | GS
 519 | GT
 520 | GU
 521 | GUARDIAN
 522 | GUCCI
 523 | GUGE
 524 | GUIDE
 525 | GUITARS
 526 | GURU
 527 | GW
 528 | GY
 529 | HAMBURG
 530 | HANGOUT
 531 | HAUS
 532 | HBO
 533 | HDFCBANK
 534 | HEALTH
 535 | HEALTHCARE
 536 | HELP
 537 | HELSINKI
 538 | HERE
 539 | HERMES
 540 | HGTV
 541 | HIPHOP
 542 | HISAMITSU
 543 | HITACHI
 544 | HIV
 545 | HK
 546 | HKT
 547 | HM
 548 | HN
 549 | HOCKEY
 550 | HOLDINGS
 551 | HOLIDAY
 552 | HOMEDEPOT
 553 | HOMEGOODS
 554 | HOMES
 555 | HOMESENSE
 556 | HONDA
 557 | HONEYWELL
 558 | HORSE
 559 | HOST
 560 | HOSTING
 561 | HOT
 562 | HOTELES
 563 | HOTMAIL
 564 | HOUSE
 565 | HOW
 566 | HR
 567 | HSBC
 568 | HT
 569 | HTC
 570 | HU
 571 | HUGHES
 572 | HYATT
 573 | HYUNDAI
 574 | IBM
 575 | ICBC
 576 | ICE
 577 | ICU
 578 | ID
 579 | IE
 580 | IEEE
 581 | IFM
 582 | IINET
 583 | IKANO
 584 | IL
 585 | IM
 586 | IMAMAT
 587 | IMDB
 588 | IMMO
 589 | IMMOBILIEN
 590 | IN
 591 | INDUSTRIES
 592 | INFINITI
 593 | INFO
 594 | ING
 595 | INK
 596 | INSTITUTE
 597 | INSURANCE
 598 | INSURE
 599 | INT
 600 | INTEL
 601 | INTERNATIONAL
 602 | INTUIT
 603 | INVESTMENTS
 604 | IO
 605 | IPIRANGA
 606 | IQ
 607 | IR
 608 | IRISH
 609 | IS
 610 | ISELECT
 611 | ISMAILI
 612 | IST
 613 | ISTANBUL
 614 | IT
 615 | ITAU
 616 | ITV
 617 | IWC
 618 | JAGUAR
 619 | JAVA
 620 | JCB
 621 | JCP
 622 | JE
 623 | JEEP
 624 | JETZT
 625 | JEWELRY
 626 | JLC
 627 | JLL
 628 | JM
 629 | JMP
 630 | JNJ
 631 | JO
 632 | JOBS
 633 | JOBURG
 634 | JOT
 635 | JOY
 636 | JP
 637 | JPMORGAN
 638 | JPRS
 639 | JUEGOS
 640 | JUNIPER
 641 | KAUFEN
 642 | KDDI
 643 | KE
 644 | KERRYHOTELS
 645 | KERRYLOGISTICS
 646 | KERRYPROPERTIES
 647 | KFH
 648 | KG
 649 | KH
 650 | KI
 651 | KIA
 652 | KIM
 653 | KINDER
 654 | KINDLE
 655 | KITCHEN
 656 | KIWI
 657 | KM
 658 | KN
 659 | KOELN
 660 | KOMATSU
 661 | KOSHER
 662 | KP
 663 | KPMG
 664 | KPN
 665 | KR
 666 | KRD
 667 | KRED
 668 | KUOKGROUP
 669 | KW
 670 | KY
 671 | KYOTO
 672 | KZ
 673 | LA
 674 | LACAIXA
 675 | LADBROKES
 676 | LAMBORGHINI
 677 | LAMER
 678 | LANCASTER
 679 | LANCIA
 680 | LANCOME
 681 | LAND
 682 | LANDROVER
 683 | LANXESS
 684 | LASALLE
 685 | LAT
 686 | LATINO
 687 | LATROBE
 688 | LAW
 689 | LAWYER
 690 | LB
 691 | LC
 692 | LDS
 693 | LEASE
 694 | LECLERC
 695 | LEFRAK
 696 | LEGAL
 697 | LEGO
 698 | LEXUS
 699 | LGBT
 700 | LI
 701 | LIAISON
 702 | LIDL
 703 | LIFE
 704 | LIFEINSURANCE
 705 | LIFESTYLE
 706 | LIGHTING
 707 | LIKE
 708 | LILLY
 709 | LIMITED
 710 | LIMO
 711 | LINCOLN
 712 | LINDE
 713 | LINK
 714 | LIPSY
 715 | LIVE
 716 | LIVING
 717 | LIXIL
 718 | LK
 719 | LOAN
 720 | LOANS
 721 | LOCKER
 722 | LOCUS
 723 | LOFT
 724 | LOL
 725 | LONDON
 726 | LOTTE
 727 | LOTTO
 728 | LOVE
 729 | LPL
 730 | LPLFINANCIAL
 731 | LR
 732 | LS
 733 | LT
 734 | LTD
 735 | LTDA
 736 | LU
 737 | LUNDBECK
 738 | LUPIN
 739 | LUXE
 740 | LUXURY
 741 | LV
 742 | LY
 743 | MA
 744 | MACYS
 745 | MADRID
 746 | MAIF
 747 | MAISON
 748 | MAKEUP
 749 | MAN
 750 | MANAGEMENT
 751 | MANGO
 752 | MARKET
 753 | MARKETING
 754 | MARKETS
 755 | MARRIOTT
 756 | MARSHALLS
 757 | MASERATI
 758 | MATTEL
 759 | MBA
 760 | MC
 761 | MCD
 762 | MCDONALDS
 763 | MCKINSEY
 764 | MD
 765 | ME
 766 | MED
 767 | MEDIA
 768 | MEET
 769 | MELBOURNE
 770 | MEME
 771 | MEMORIAL
 772 | MEN
 773 | MENU
 774 | MEO
 775 | METLIFE
 776 | MG
 777 | MH
 778 | MIAMI
 779 | MICROSOFT
 780 | MIL
 781 | MINI
 782 | MINT
 783 | MIT
 784 | MITSUBISHI
 785 | MK
 786 | ML
 787 | MLB
 788 | MLS
 789 | MM
 790 | MMA
 791 | MN
 792 | MO
 793 | MOBI
 794 | MOBILY
 795 | MODA
 796 | MOE
 797 | MOI
 798 | MOM
 799 | MONASH
 800 | MONEY
 801 | MONTBLANC
 802 | MOPAR
 803 | MORMON
 804 | MORTGAGE
 805 | MOSCOW
 806 | MOTORCYCLES
 807 | MOV
 808 | MOVIE
 809 | MOVISTAR
 810 | MP
 811 | MQ
 812 | MR
 813 | MS
 814 | MSD
 815 | MT
 816 | MTN
 817 | MTPC
 818 | MTR
 819 | MU
 820 | MUSEUM
 821 | MUTUAL
 822 | MUTUELLE
 823 | MV
 824 | MW
 825 | MX
 826 | MY
 827 | MZ
 828 | NA
 829 | NADEX
 830 | NAGOYA
 831 | NAME
 832 | NATIONWIDE
 833 | NATURA
 834 | NAVY
 835 | NBA
 836 | NC
 837 | NE
 838 | NEC
 839 | NET
 840 | NETBANK
 841 | NETFLIX
 842 | NETWORK
 843 | NEUSTAR
 844 | NEW
 845 | NEWS
 846 | NEXT
 847 | NEXTDIRECT
 848 | NEXUS
 849 | NF
 850 | NFL
 851 | NG
 852 | NGO
 853 | NHK
 854 | NI
 855 | NICO
 856 | NIKE
 857 | NIKON
 858 | NINJA
 859 | NISSAN
 860 | NISSAY
 861 | NL
 862 | NO
 863 | NOKIA
 864 | NORTHWESTERNMUTUAL
 865 | NORTON
 866 | NOW
 867 | NOWRUZ
 868 | NOWTV
 869 | NP
 870 | NR
 871 | NRA
 872 | NRW
 873 | NTT
 874 | NU
 875 | NYC
 876 | NZ
 877 | OBI
 878 | OFF
 879 | OFFICE
 880 | OKINAWA
 881 | OLAYAN
 882 | OLAYANGROUP
 883 | OLDNAVY
 884 | OLLO
 885 | OM
 886 | OMEGA
 887 | ONE
 888 | ONG
 889 | ONL
 890 | ONLINE
 891 | ONYOURSIDE
 892 | OOO
 893 | OPEN
 894 | ORACLE
 895 | ORANGE
 896 | ORG
 897 | ORGANIC
 898 | ORIENTEXPRESS
 899 | ORIGINS
 900 | OSAKA
 901 | OTSUKA
 902 | OTT
 903 | OVH
 904 | PA
 905 | PAGE
 906 | PAMPEREDCHEF
 907 | PANASONIC
 908 | PANERAI
 909 | PARIS
 910 | PARS
 911 | PARTNERS
 912 | PARTS
 913 | PARTY
 914 | PASSAGENS
 915 | PAY
 916 | PCCW
 917 | PE
 918 | PET
 919 | PF
 920 | PFIZER
 921 | PG
 922 | PH
 923 | PHARMACY
 924 | PHILIPS
 925 | PHOTO
 926 | PHOTOGRAPHY
 927 | PHOTOS
 928 | PHYSIO
 929 | PIAGET
 930 | PICS
 931 | PICTET
 932 | PICTURES
 933 | PID
 934 | PIN
 935 | PING
 936 | PINK
 937 | PIONEER
 938 | PIZZA
 939 | PK
 940 | PL
 941 | PLACE
 942 | PLAY
 943 | PLAYSTATION
 944 | PLUMBING
 945 | PLUS
 946 | PM
 947 | PN
 948 | PNC
 949 | POHL
 950 | POKER
 951 | POLITIE
 952 | PORN
 953 | POST
 954 | PR
 955 | PRAMERICA
 956 | PRAXI
 957 | PRESS
 958 | PRIME
 959 | PRO
 960 | PROD
 961 | PRODUCTIONS
 962 | PROF
 963 | PROGRESSIVE
 964 | PROMO
 965 | PROPERTIES
 966 | PROPERTY
 967 | PROTECTION
 968 | PRU
 969 | PRUDENTIAL
 970 | PS
 971 | PT
 972 | PUB
 973 | PW
 974 | PWC
 975 | PY
 976 | QA
 977 | QPON
 978 | QUEBEC
 979 | QUEST
 980 | QVC
 981 | RACING
 982 | RAID
 983 | RE
 984 | READ
 985 | REALESTATE
 986 | REALTOR
 987 | REALTY
 988 | RECIPES
 989 | RED
 990 | REDSTONE
 991 | REDUMBRELLA
 992 | REHAB
 993 | REISE
 994 | REISEN
 995 | REIT
 996 | REN
 997 | RENT
 998 | RENTALS
 999 | REPAIR
1000 | REPORT
1001 | REPUBLICAN
1002 | REST
1003 | RESTAURANT
1004 | REVIEW
1005 | REVIEWS
1006 | REXROTH
1007 | RICH
1008 | RICHARDLI
1009 | RICOH
1010 | RIGHTATHOME
1011 | RIO
1012 | RIP
1013 | RO
1014 | ROCHER
1015 | ROCKS
1016 | RODEO
1017 | ROOM
1018 | RS
1019 | RSVP
1020 | RU
1021 | RUHR
1022 | RUN
1023 | RW
1024 | RWE
1025 | RYUKYU
1026 | SA
1027 | SAARLAND
1028 | SAFE
1029 | SAFETY
1030 | SAKURA
1031 | SALE
1032 | SALON
1033 | SAMSUNG
1034 | SANDVIK
1035 | SANDVIKCOROMANT
1036 | SANOFI
1037 | SAP
1038 | SAPO
1039 | SARL
1040 | SAS
1041 | SAVE
1042 | SAXO
1043 | SB
1044 | SBI
1045 | SBS
1046 | SC
1047 | SCA
1048 | SCB
1049 | SCHAEFFLER
1050 | SCHMIDT
1051 | SCHOLARSHIPS
1052 | SCHOOL
1053 | SCHULE
1054 | SCHWARZ
1055 | SCIENCE
1056 | SCJOHNSON
1057 | SCOR
1058 | SCOT
1059 | SD
1060 | SE
1061 | SEAT
1062 | SECURE
1063 | SECURITY
1064 | SEEK
1065 | SELECT
1066 | SENER
1067 | SERVICES
1068 | SES
1069 | SEVEN
1070 | SEW
1071 | SEX
1072 | SEXY
1073 | SFR
1074 | SG
1075 | SH
1076 | SHANGRILA
1077 | SHARP
1078 | SHAW
1079 | SHELL
1080 | SHIA
1081 | SHIKSHA
1082 | SHOES
1083 | SHOP
1084 | SHOPPING
1085 | SHOUJI
1086 | SHOW
1087 | SHOWTIME
1088 | SHRIRAM
1089 | SI
1090 | SILK
1091 | SINA
1092 | SINGLES
1093 | SITE
1094 | SJ
1095 | SK
1096 | SKI
1097 | SKIN
1098 | SKY
1099 | SKYPE
1100 | SL
1101 | SLING
1102 | SM
1103 | SMART
1104 | SMILE
1105 | SN
1106 | SNCF
1107 | SO
1108 | SOCCER
1109 | SOCIAL
1110 | SOFTBANK
1111 | SOFTWARE
1112 | SOHU
1113 | SOLAR
1114 | SOLUTIONS
1115 | SONG
1116 | SONY
1117 | SOY
1118 | SPACE
1119 | SPIEGEL
1120 | SPOT
1121 | SPREADBETTING
1122 | SR
1123 | SRL
1124 | SRT
1125 | ST
1126 | STADA
1127 | STAPLES
1128 | STAR
1129 | STARHUB
1130 | STATEBANK
1131 | STATEFARM
1132 | STATOIL
1133 | STC
1134 | STCGROUP
1135 | STOCKHOLM
1136 | STORAGE
1137 | STORE
1138 | STREAM
1139 | STUDIO
1140 | STUDY
1141 | STYLE
1142 | SU
1143 | SUCKS
1144 | SUPPLIES
1145 | SUPPLY
1146 | SUPPORT
1147 | SURF
1148 | SURGERY
1149 | SUZUKI
1150 | SV
1151 | SWATCH
1152 | SWIFTCOVER
1153 | SWISS
1154 | SX
1155 | SY
1156 | SYDNEY
1157 | SYMANTEC
1158 | SYSTEMS
1159 | SZ
1160 | TAB
1161 | TAIPEI
1162 | TALK
1163 | TAOBAO
1164 | TARGET
1165 | TATAMOTORS
1166 | TATAR
1167 | TATTOO
1168 | TAX
1169 | TAXI
1170 | TC
1171 | TCI
1172 | TD
1173 | TDK
1174 | TEAM
1175 | TECH
1176 | TECHNOLOGY
1177 | TEL
1178 | TELECITY
1179 | TELEFONICA
1180 | TEMASEK
1181 | TENNIS
1182 | TEVA
1183 | TF
1184 | TG
1185 | TH
1186 | THD
1187 | THEATER
1188 | THEATRE
1189 | TIAA
1190 | TICKETS
1191 | TIENDA
1192 | TIFFANY
1193 | TIPS
1194 | TIRES
1195 | TIROL
1196 | TJ
1197 | TJMAXX
1198 | TJX
1199 | TK
1200 | TKMAXX
1201 | TL
1202 | TM
1203 | TMALL
1204 | TN
1205 | TO
1206 | TODAY
1207 | TOKYO
1208 | TOOLS
1209 | TOP
1210 | TORAY
1211 | TOSHIBA
1212 | TOTAL
1213 | TOURS
1214 | TOWN
1215 | TOYOTA
1216 | TOYS
1217 | TR
1218 | TRADE
1219 | TRADING
1220 | TRAINING
1221 | TRAVEL
1222 | TRAVELCHANNEL
1223 | TRAVELERS
1224 | TRAVELERSINSURANCE
1225 | TRUST
1226 | TRV
1227 | TT
1228 | TUBE
1229 | TUI
1230 | TUNES
1231 | TUSHU
1232 | TV
1233 | TVS
1234 | TW
1235 | TZ
1236 | UA
1237 | UBS
1238 | UCONNECT
1239 | UG
1240 | UK
1241 | UNICOM
1242 | UNIVERSITY
1243 | UNO
1244 | UOL
1245 | UPS
1246 | US
1247 | UY
1248 | UZ
1249 | VA
1250 | VACATIONS
1251 | VANA
1252 | VC
1253 | VE
1254 | VEGAS
1255 | VENTURES
1256 | VERISIGN
1257 | VERSICHERUNG
1258 | VET
1259 | VG
1260 | VI
1261 | VIAJES
1262 | VIDEO
1263 | VIG
1264 | VIKING
1265 | VILLAS
1266 | VIN
1267 | VIP
1268 | VIRGIN
1269 | VISA
1270 | VISION
1271 | VISTA
1272 | VISTAPRINT
1273 | VIVA
1274 | VIVO
1275 | VLAANDEREN
1276 | VN
1277 | VODKA
1278 | VOLKSWAGEN
1279 | VOTE
1280 | VOTING
1281 | VOTO
1282 | VOYAGE
1283 | VU
1284 | VUELOS
1285 | WALES
1286 | WALTER
1287 | WANG
1288 | WANGGOU
1289 | WARMAN
1290 | WATCH
1291 | WATCHES
1292 | WEATHER
1293 | WEATHERCHANNEL
1294 | WEBCAM
1295 | WEBER
1296 | WEBSITE
1297 | WED
1298 | WEDDING
1299 | WEIBO
1300 | WEIR
1301 | WF
1302 | WHOSWHO
1303 | WIEN
1304 | WIKI
1305 | WILLIAMHILL
1306 | WIN
1307 | WINDOWS
1308 | WINE
1309 | WINNERS
1310 | WME
1311 | WOLTERSKLUWER
1312 | WOODSIDE
1313 | WORK
1314 | WORKS
1315 | WORLD
1316 | WS
1317 | WTC
1318 | WTF
1319 | XBOX
1320 | XEROX
1321 | XFINITY
1322 | XIHUAN
1323 | XIN
1324 | XN--11B4C3D
1325 | XN--1CK2E1B
1326 | XN--1QQW23A
1327 | XN--30RR7Y
1328 | XN--3BST00M
1329 | XN--3DS443G
1330 | XN--3E0B707E
1331 | XN--3PXU8K
1332 | XN--42C2D9A
1333 | XN--45BRJ9C
1334 | XN--45Q11C
1335 | XN--4GBRIM
1336 | XN--55QW42G
1337 | XN--55QX5D
1338 | XN--5SU34J936BGSG
1339 | XN--5TZM5G
1340 | XN--6FRZ82G
1341 | XN--6QQ986B3XL
1342 | XN--80ADXHKS
1343 | XN--80AO21A
1344 | XN--80ASEHDB
1345 | XN--80ASWG
1346 | XN--8Y0A063A
1347 | XN--90A3AC
1348 | XN--90AE
1349 | XN--90AIS
1350 | XN--9DBQ2A
1351 | XN--9ET52U
1352 | XN--9KRT00A
1353 | XN--B4W605FERD
1354 | XN--BCK1B9A5DRE4C
1355 | XN--C1AVG
1356 | XN--C2BR7G
1357 | XN--CCK2B3B
1358 | XN--CG4BKI
1359 | XN--CLCHC0EA0B2G2A9GCD
1360 | XN--CZR694B
1361 | XN--CZRS0T
1362 | XN--CZRU2D
1363 | XN--D1ACJ3B
1364 | XN--D1ALF
1365 | XN--E1A4C
1366 | XN--ECKVDTC9D
1367 | XN--EFVY88H
1368 | XN--ESTV75G
1369 | XN--FCT429K
1370 | XN--FHBEI
1371 | XN--FIQ228C5HS
1372 | XN--FIQ64B
1373 | XN--FIQS8S
1374 | XN--FIQZ9S
1375 | XN--FJQ720A
1376 | XN--FLW351E
1377 | XN--FPCRJ9C3D
1378 | XN--FZC2C9E2C
1379 | XN--FZYS8D69UVGM
1380 | XN--G2XX48C
1381 | XN--GCKR3F0F
1382 | XN--GECRJ9C
1383 | XN--H2BRJ9C
1384 | XN--HXT814E
1385 | XN--I1B6B1A6A2E
1386 | XN--IMR513N
1387 | XN--IO0A7I
1388 | XN--J1AEF
1389 | XN--J1AMH
1390 | XN--J6W193G
1391 | XN--JLQ61U9W7B
1392 | XN--JVR189M
1393 | XN--KCRX77D1X4A
1394 | XN--KPRW13D
1395 | XN--KPRY57D
1396 | XN--KPU716F
1397 | XN--KPUT3I
1398 | XN--L1ACC
1399 | XN--LGBBAT1AD8J
1400 | XN--MGB9AWBF
1401 | XN--MGBA3A3EJT
1402 | XN--MGBA3A4F16A
1403 | XN--MGBA7C0BBN0A
1404 | XN--MGBAAM7A8H
1405 | XN--MGBAB2BD
1406 | XN--MGBAYH7GPA
1407 | XN--MGBB9FBPOB
1408 | XN--MGBBH1A71E
1409 | XN--MGBC0A9AZCG
1410 | XN--MGBCA7DZDO
1411 | XN--MGBERP4A5D4AR
1412 | XN--MGBPL2FH
1413 | XN--MGBT3DHD
1414 | XN--MGBTX2B
1415 | XN--MGBX4CD0AB
1416 | XN--MIX891F
1417 | XN--MK1BU44C
1418 | XN--MXTQ1M
1419 | XN--NGBC5AZD
1420 | XN--NGBE9E0A
1421 | XN--NODE
1422 | XN--NQV7F
1423 | XN--NQV7FS00EMA
1424 | XN--NYQY26A
1425 | XN--O3CW4H
1426 | XN--OGBPF8FL
1427 | XN--P1ACF
1428 | XN--P1AI
1429 | XN--PBT977C
1430 | XN--PGBS0DH
1431 | XN--PSSY2U
1432 | XN--Q9JYB4C
1433 | XN--QCKA1PMC
1434 | XN--QXAM
1435 | XN--RHQV96G
1436 | XN--ROVU88B
1437 | XN--S9BRJ9C
1438 | XN--SES554G
1439 | XN--T60B56A
1440 | XN--TCKWE
1441 | XN--UNUP4Y
1442 | XN--VERMGENSBERATER-CTB
1443 | XN--VERMGENSBERATUNG-PWB
1444 | XN--VHQUV
1445 | XN--VUQ861B
1446 | XN--W4R85EL8FHU5DNRA
1447 | XN--W4RS40L
1448 | XN--WGBH1C
1449 | XN--WGBL6A
1450 | XN--XHQ521B
1451 | XN--XKC2AL3HYE2A
1452 | XN--XKC2DL3A5EE0H
1453 | XN--Y9A3AQ
1454 | XN--YFRO4I67O
1455 | XN--YGBI2AMMX
1456 | XN--ZFR164B
1457 | XPERIA
1458 | XXX
1459 | XYZ
1460 | YACHTS
1461 | YAHOO
1462 | YAMAXUN
1463 | YANDEX
1464 | YE
1465 | YODOBASHI
1466 | YOGA
1467 | YOKOHAMA
1468 | YOU
1469 | YOUTUBE
1470 | YT
1471 | YUN
1472 | ZA
1473 | ZAPPOS
1474 | ZARA
1475 | ZERO
1476 | ZIP
1477 | ZIPPO
1478 | ZM
1479 | ZONE
1480 | ZUERICH
1481 | ZW
1482 | 


--------------------------------------------------------------------------------
/datasrc/yahoo_ip.txt:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/datasrc/yara-export-discarded.txt:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/ioctest.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | # -*- coding: utf-8 -*-
  3 | 
  4 | # MISP-IOC-Validator - Validate IOC from MISP ; Export results and iocs to SIEM and sensors using syslog and CEF format
  5 | #
  6 | # Copyright (C) 2016 Thomas Hilt
  7 | #
  8 | # This program is free software: you can redistribute it and/or modify
  9 | # it under the terms of the GNU Affero General Public License as published by
 10 | # the Free Software Foundation, either version 3 of the License, or
 11 | # (at your option) any later version.
 12 | #
 13 | # This program is distributed in the hope that it will be useful,
 14 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
 15 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 16 | # GNU Affero General Public License for more details.
 17 | #
 18 | # You should have received a copy of the GNU Affero General Public License
 19 | # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 20 | 
 21 | from netaddr import IPNetwork, IPAddress
 22 | import json
 23 | import os
 24 | import yara
 25 | import dumbpig
 26 | import random
 27 | import string
 28 | import time
 29 | import datetime
 30 | import re
 31 | import csv
 32 | 
 33 | ##############
 34 | ###Constant###
 35 | ##############
 36 | 
 37 | DOMAIN_FORMAT = '^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' # RFC1123
 38 | HOSTNAME_FORMAT = '^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' # RFC1123
 39 | 
 40 | DOMAIN_REGEX = re.compile(DOMAIN_FORMAT)
 41 | HOSTNAME_REGEX = re.compile(HOSTNAME_FORMAT)
 42 | 
 43 | DOMAIN_ALLOWED_CHARS_SET = frozenset(['A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','0','1','2','3','4','5','6','7','8','9','-','.'])
 44 | HOSTNAME_ALLOWED_CHARS_SET =  frozenset(['A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','0','1','2','3','4','5','6','7','8','9','-','.'])
 45 | URL_ALLOWED_CHARS_SET =  frozenset(['A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','0','1','2','3','4','5','6','7','8','9','-','.','_','~',':','/','?','#','[',']','@','!','$','&','\'','(',')','*','+',',',';','=','%'])
 46 | TRUST_DOMAIN = '    '  # change me
 47 | 
 48 | #allowed_attribute_set = set(['domain','comment','other','filename','md5','url','patttern-in-file','regkey','regkey|value','mutex','ip-src','ip-dst','hostname','email-src','filename|sha1','filename|md5','pattern-in-traffic','malware-sample','link','sha1','AS','text','attachment','user-agent','filename|sha256','pattern-in-memory','http-method','sha256','vulnerability','email-subject','email-dst','email-attachment','snort','yara','named pipe','target-org','target-location','uri','domain|ip','threat-actor'])
 49 | 
 50 | allowed_attribute_set = set(['domain','url','ip-src','ip-dst','hostname','filename|sha1','sha1','filename|md5','md5','filename|sha256','sha256','snort','yara','text'])
 51 | to_ids_attribute_set = set(['filename|sha1','sha1','filename|md5','md5','filename|sha256','sha256','snort','yara'])
 52 | no_to_ids_attribute_set = set(['link','threat-actor','vulnerability','text','AS','http-method'])
 53 | 
 54 | lowercase_attribute_set = set(['domain','hostname','md5','sha1','sha256','filename|md5','filename|sha1','filename|sha256'])
 55 | 
 56 | snort_sid_regexp = re.compile('sid:( )*\w*;')
 57 | snort_rev_regexp = re.compile('rev:( )*\w*;')
 58 | 
 59 | attribute_processed = set()
 60 | attribute_status_dict = {}
 61 | 
 62 | ############################################
 63 | ########## General Test Functions ##########
 64 | ############################################
 65 | 
 66 | def _is_ip_private(ip):
 67 |     '''Check if the ip given is in RFC1918 IP range (Private ip).
 68 | 
 69 |     ip -- ip to check in string format.
 70 |     '''
 71 |     return IPAddress(ip).is_private()
 72 | 
 73 | def _is_ip_in_set(ip, ip_set):
 74 |     '''Check if the ip given is in a ip range contained in ip_set.
 75 | 
 76 |     ip -- ip to check in string format.
 77 |     ip_set -- set of ip range in string format.
 78 |     '''
 79 |     return any(IPAddress(ip) in IPNetwork(range) for range in ip_set)
 80 | 
 81 | def _is_tld_valid(name,valid_tld_string_set):
 82 |     '''Check if name contains a valid tld string given by valid_tld_string_set.
 83 | 
 84 |     name -- hostname or domain to check (case sensitive).
 85 |     valid_tld_string_set -- list of valid TLD.
 86 |     '''
 87 |     tld_domain = name.rpartition('.')[-1]
 88 |     return tld_domain in valid_tld_string_set
 89 | 
 90 | def _has_invalid_characters(string, valid_char_set):
 91 |     '''Check if a string contains characters that do not belongs to valid_char_set.
 92 | 
 93 |     string -- string to check.
 94 |     valid_char_set -- set of valid characters.
 95 |     '''
 96 |     strcharset = frozenset(string)
 97 |     return not strcharset.issubset(valid_char_set)
 98 | 
 99 | def _is_in_domain(name,top_domain_split):
100 |     '''Check if name belongs to a specific top domain given by top_domain.
101 | 
102 |     name -- name to check (case sensitive).
103 |     top_domain_split -- list of string that contains the top level domain (case sensitive).
104 |     '''
105 |     dom_list = name.split('.')
106 | 
107 |     dom_list_len = len(dom_list)
108 |     i = dom_list_len - 1 
109 | 
110 |     for dom in reversed(top_domain_split):
111 |         if i >= 0:
112 |             if dom_list[i] != dom:
113 |                 return False
114 |         else:
115 |             return True
116 | 
117 |         i -= 1
118 | 
119 |     return True
120 | 
121 | def _is_in_domain_set(name,domain_set):
122 |     '''Check if name belongs to domain_set.
123 | 
124 |     name -- name to check (case sensitive).
125 |     domain_set -- set of domain to compare (case sensitive).
126 |     '''
127 |     #return any(_is_in_domain(name,domain) for domain in split_domain_set)
128 |     dom_list = name.split('.')
129 | 
130 |     dompart = name.split('.')
131 |     currdom = '' # domain build progressively by adding one by one top domain
132 | 
133 |     i=0 # treat the first part of the list that doesn't need '.'
134 | 
135 |     for part in reversed(dompart):
136 |         if i == 0:
137 |             currdom = part
138 |             i = 1
139 |         else:
140 |             currdom = part + '.' + currdom
141 | 
142 |         if currdom in domain_set:
143 |             return True
144 | 
145 |     return False
146 | 
147 | def _is_valid_md5(checksum):
148 |     '''Check if the md5 given is valid.
149 | 
150 |     checksum -- checksum of the file to check.
151 |     '''
152 | 
153 |     return re.match('([a-fA-F\d]{32})',checksum)
154 | 
155 | def _is_valid_sha1(checksum):
156 |     '''Check if the sha1 given is valid.
157 | 
158 |     checksum -- checksum of the file to check.
159 |     '''
160 | 
161 |     return re.match('([a-fA-F\d]{40})',checksum)
162 | 
163 | def _is_valid_sha256(checksum):
164 |     '''Check if the sha256 given is valid.
165 | 
166 |     checksum -- checksum of the file to check.
167 |     '''
168 | 
169 |     return re.match('([a-fA-F\d]{64})',checksum)
170 | 
171 | def _is_empty_file_md5(checksum):
172 |     '''Check if the md5 given is the one of a void file.
173 | 
174 |     checksum -- checksum of the file to check (case sensitive).
175 |     '''
176 |     return checksum == 'd41d8cd98f00b204e9800998ecf8427e'
177 | 
178 | def _is_empty_file_sha1(checksum):
179 |     '''Check if the sha1 given is the one of a void file.
180 | 
181 |     checksum -- checksum of the file to check (case sensitive).
182 |     '''
183 |     return checksum == 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
184 | 
185 | def _is_empty_file_sha256(checksum):
186 |     '''Check if the sha256 given is the one of a void file.
187 | 
188 |     checksum -- checksum: checksum of the file to check (case sensitive).
189 |     '''
190 |     return checksum == 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
191 | 
192 | def _is_checksum_in_set(checksum,set):
193 |     '''Check if a specific checksum belongs to a specific set.
194 | 
195 |     checksum -- checksum that is tested (case sensitive).
196 |     set -- set of checksum to compare with the tested one.
197 |     '''
198 |     return checksum in set
199 | 
200 | def _is_name_length_valid(domain_name):
201 |     '''Check if the length of the name is valid according to RFC1123.
202 | 
203 |     domain_name -- domain name to check
204 |     '''
205 |     if len(domain_name) > 253:
206 |         return False
207 |     else:
208 |         label_list = domain_name.split('.')
209 |         if any(len(l)>63 for l in label_list):
210 |             return False
211 |         else:
212 |             return True
213 | 
214 | def _is_protocol_valid(url):
215 |     '''Check if the url given start with a valid protocol (http://, https:// or ftp://).
216 | 
217 |     url -- url to check
218 |     '''
219 |     return url.startswith('http://') or url.startswith('https://') or url.startswith('ftp://')
220 | 
221 | def _is_slow_yara_rule(rule):
222 |     '''Check if the yara rule given is matching a slow yara rule pattern.
223 | 
224 |     rule -- YARA rule to test.
225 | 
226 |     '''
227 |     return re.match('\$[^\s][\s]*=[\s]*(\/[^\/]{1,4}[^\\]\/|\"[^\"]{1,4}\"|\{[0-9A-Fa-f\s]{2,16}\})',rule)
228 | 
229 | def _is_yara_rule_invalid(rule):
230 |     '''Check if the yara rule given is invalid by trying to compile it.
231 | 
232 |     rule -- YARA rule to test.
233 |     '''
234 |     try:
235 |         yara.compile(source = rule , includes=False, error_on_warning=True)
236 |         return None
237 |     except Exception as e:
238 |         return str(e)
239 | 
240 | def _is_snort_rule_invalid(rule):
241 |     '''Check if the snort rule given is invalid by trying to compile it.
242 | 
243 |     rule -- Snort rule to test.
244 |     '''
245 |     filepath = '/tmp/tmp_' + ''.join(random.choice(string.lowercase) for i in range(8))
246 |     f = open(filepath, "w")
247 |     f.write(rule)
248 |     f.close()
249 | 
250 |     if not rule.startswith('alert'):
251 |         return 'Snort rule does not start with "alert"'
252 | 
253 |     if "threshold" in rule:
254 |         return 'threshold in snort rule is deprecated'
255 | 
256 |     dp = dumbpig.RuleChecker()
257 | 
258 |     dp.set_rule_file(filepath)
259 |     dp.test_rule_file()
260 |     os.remove(filepath)
261 | 
262 |     result = json.dumps(dp.json_output()).encode('utf8').decode('string_escape')
263 | 
264 |     if (result == '"{}"'):
265 |         return None
266 |     else:
267 |         return result
268 | 
269 | ############################################
270 | ######## Attribute Check Functions #########
271 | ############################################
272 | 
273 | def _check_ipSrc(event_dict, attribute_dict, datasrc_dict):
274 |     '''Check the source ip validity.
275 | 
276 |     event_dict -- dict that contains event details.
277 |     attribute_dict -- dict that contains attribute details.
278 |     datasrc_dict -- dict that contains data source sets used for checks.
279 |     '''
280 |     value = attribute_dict['value']
281 |     resultdict = {}
282 |     resultdict['event_dict'] = event_dict
283 |     resultdict['attribute_dict'] = attribute_dict
284 | 
285 |     if value in datasrc_dict['except_list']:
286 |         resultdict['result'] = 'NOK'
287 |         resultdict['reason'] = 'belongs to an exception of the list'
288 |         return resultdict
289 | 
290 |     if _is_ip_private(value):
291 |         resultdict['result'] = 'NOK'
292 |         resultdict['reason'] = 'it is a private ip address'
293 |         return resultdict
294 | 
295 |     if _is_ip_in_set(value, datasrc_dict['googleip']):
296 |         resultdict['result'] = 'NOK'
297 |         resultdict['reason'] = 'it is an IP from Google'
298 |         return resultdict
299 | 
300 |     if _is_ip_in_set(value, datasrc_dict['yahooip']):
301 |         resultdict['result'] = 'NOK'
302 |         resultdict['reason'] = 'it is an IP from Yahoo'
303 |         return resultdict
304 | 
305 |     if _is_ip_in_set(value, datasrc_dict['microsoftip']):
306 |         resultdict['result'] = 'NOK'
307 |         resultdict['reason'] = 'it is an IP from Microsoft'
308 |         return resultdict
309 | 
310 |     resultdict['result'] = 'OK'
311 |     resultdict['reason'] = 'attribute has been validated'
312 |     return resultdict
313 | 
314 | def _check_ipDst(event_dict, attribute_dict, datasrc_dict):
315 |     '''Check the destination ip validity.
316 | 
317 |     event_dict -- dict that contains event details.
318 |     attribute_dict -- dict that contains attribute details.
319 |     datasrc_dict -- dict that contains data source sets used for checks.
320 |     '''
321 |     value = attribute_dict['value']
322 |     resultdict = {}
323 |     resultdict['event_dict'] = event_dict
324 |     resultdict['attribute_dict'] = attribute_dict
325 | 
326 |     if value in datasrc_dict['except_list']:
327 |         resultdict['result'] = 'NOK'
328 |         resultdict['reason'] = 'belongs to an exception of the list'
329 |         return resultdict
330 | 
331 |     if _is_ip_private(value):
332 |         resultdict['result'] = 'NOK'
333 |         resultdict['reason'] = 'it is a private ip address'
334 |         return resultdict
335 | 
336 |     if _is_ip_in_set(value, datasrc_dict['googleip']):
337 |         resultdict['result'] = 'NOK'
338 |         resultdict['reason'] = 'it is an IP from Google'
339 |         return resultdict
340 | 
341 |     if _is_ip_in_set(value, datasrc_dict['yahooip']):
342 |         resultdict['result'] = 'NOK'
343 |         resultdict['reason'] = 'it is an IP from Yahoo'
344 |         return resultdict
345 | 
346 |     if _is_ip_in_set(value, datasrc_dict['microsoftip']):
347 |         resultdict['result'] = 'NOK'
348 |         resultdict['reason'] = 'it is an IP from Microsoft'
349 |         return resultdict
350 | 
351 |     resultdict['result'] = 'OK'
352 |     resultdict['reason'] = 'attribute has been validated'
353 |     return resultdict
354 | 
355 | def _check_domain(event_dict, attribute_dict, datasrc_dict):
356 |     '''Check the domain validity.
357 | 
358 |     event_dict -- dict that contains event details.
359 |     attribute_dict -- dict that contains attribute details.
360 |     datasrc_dict -- dict that contains data source sets used for checks.
361 |     '''
362 |     value = attribute_dict['value']
363 |     resultdict = {}
364 |     resultdict['event_dict'] = event_dict
365 |     resultdict['attribute_dict'] = attribute_dict
366 | 
367 |     if value in datasrc_dict['except_list']:
368 |         resultdict['result'] = 'NOK'
369 |         resultdict['reason'] = 'belongs to an exception of the list'
370 |         return resultdict
371 | 
372 |     if not _is_name_length_valid(value):
373 |         resultdict['result'] = 'NOK'
374 |         resultdict['reason'] = 'lengths of name and labels are not valid'
375 |         return resultdict
376 | 
377 |     if _has_invalid_characters(value,DOMAIN_ALLOWED_CHARS_SET):
378 |         resultdict['result'] = 'NOK'
379 |         resultdict['reason'] = 'characters used are invalid'
380 |         return resultdict
381 | 
382 |     if not DOMAIN_REGEX.match(value):
383 |         resultdict['result'] = 'NOK'
384 |         resultdict['reason'] = 'it is not matching RFC1123'
385 |         return resultdict
386 | 
387 |     if _is_in_domain(value,TRUST_DOMAIN):
388 |         resultdict['result'] = 'NOK'
389 |         resultdict['reason'] = 'it belongs to a TRUST domain'
390 |         return resultdict
391 | 
392 |     if not _is_tld_valid(value, datasrc_dict['tld']):
393 |         resultdict['result'] = 'NOK'
394 |         resultdict['reason'] = 'there is no valid TLD'
395 |         return resultdict
396 | 
397 |     if _is_in_domain_set(value, datasrc_dict['alexa']):
398 |         resultdict['result'] = 'NOK'
399 |         resultdict['reason'] = 'it belongs to an alexa top 1M domain'
400 |         return resultdict
401 | 
402 |     resultdict['result'] = 'OK'
403 |     resultdict['reason'] = 'attribute has been validated'
404 |     return resultdict
405 | 
406 | def _check_hostname(event_dict, attribute_dict, datasrc_dict):
407 |     '''Check the hostname validity.
408 | 
409 |     event_dict -- dict that contains event details.
410 |     attribute_dict -- dict that contains attribute details.
411 |     datasrc_dict -- dict that contains data source sets used for checks.
412 |     '''
413 | 
414 |     value = attribute_dict['value']
415 |     resultdict = {}
416 |     resultdict['event_dict'] = event_dict
417 |     resultdict['attribute_dict'] = attribute_dict
418 | 
419 |     if value in datasrc_dict['except_list']:
420 |         resultdict['result'] = 'NOK'
421 |         resultdict['reason'] = 'belongs to an exception of the list'
422 |         return resultdict
423 | 
424 |     if not _is_name_length_valid(value):
425 |         resultdict['result'] = 'NOK'
426 |         resultdict['reason'] = 'lengths of name and labels are not valid'
427 |         return resultdict
428 | 
429 |     if _has_invalid_characters(value,HOSTNAME_ALLOWED_CHARS_SET):
430 |         resultdict['result'] = 'NOK'
431 |         resultdict['reason'] = 'characters used are invalid'
432 |         return resultdict
433 | 
434 |     if not HOSTNAME_REGEX.match(value):
435 |         resultdict['result'] = 'NOK'
436 |         resultdict['reason'] = 'it is not matching RFC1123'
437 |         return resultdict
438 | 
439 |     if _is_in_domain(value,TRUST_DOMAIN):
440 |         resultdict['result'] = 'NOK'
441 |         resultdict['reason'] = 'it belongs to a TRUST domain'
442 |         return resultdict
443 | 
444 |     if not _is_tld_valid(value, datasrc_dict['tld']):
445 |         resultdict['result'] = 'NOK'
446 |         resultdict['reason'] = 'there is no valid TLD'
447 |         return resultdict
448 | 
449 |     if _is_in_domain_set(value, datasrc_dict['alexa']):
450 |         resultdict['result'] = 'NOK'
451 |         resultdict['reason'] = 'it belongs to an alexa top 1M domain'
452 |         return resultdict
453 | 
454 |     resultdict['result'] = 'OK'
455 |     resultdict['reason'] = 'attribute has been validated'
456 |     return resultdict
457 | 
458 | def _check_url(event_dict, attribute_dict, datasrc_dict):
459 |     '''Check the url validity.
460 | 
461 |     event_dict -- dict that contains event details.
462 |     attribute_dict -- dict that contains attribute details.
463 |     datasrc_dict -- dict that contains data source sets used for checks.
464 |     '''
465 |     value = attribute_dict['value']
466 |     resultdict = {}
467 |     resultdict['event_dict'] = event_dict
468 |     resultdict['attribute_dict'] = attribute_dict
469 | 
470 |     if value in datasrc_dict['except_list']:
471 |         resultdict['result'] = 'NOK'
472 |         resultdict['reason'] = 'belongs to an exception of the list'
473 |         return resultdict
474 | 
475 |     if not _is_protocol_valid(value): 
476 |         resultdict['result'] = 'NOK'
477 |         resultdict['reason'] = 'protocol used is not valid'
478 |         return resultdict
479 | 
480 |     if _has_invalid_characters(value,URL_ALLOWED_CHARS_SET):  #TEST ID31
481 |         resultdict['result'] = 'NOK'
482 |         resultdict['reason'] = 'characters used are invalid'
483 |         return resultdict
484 | 
485 |     resultdict['result'] = 'OK'
486 |     resultdict['reason'] = 'attribute has been validated'
487 |     return resultdict
488 | 
489 | def _check_md5(event_dict, attribute_dict, datasrc_dict):
490 |     '''Check the md5 validity.
491 | 
492 |     event_dict -- dict that contains event details.
493 |     attribute_dict -- dict that contains attribute details.
494 |     datasrc_dict -- dict that contains data source sets used for checks.
495 |     '''
496 |     value = attribute_dict['value']
497 |     resultdict = {}
498 |     resultdict['event_dict'] = event_dict
499 |     resultdict['attribute_dict'] = attribute_dict
500 | 
501 |     if '|' in value: #if format is filename|checksum
502 |         value = value.split('|')[1] #retreive only checksum for tests
503 | 
504 |     if value in datasrc_dict['except_list']:
505 |         resultdict['result'] = 'NOK'
506 |         resultdict['reason'] = 'belongs to an exception of the list'
507 |         return resultdict
508 |         
509 |     if not _is_valid_md5(value):
510 |         resultdict['result'] = 'NOK'
511 |         resultdict['reason'] = 'checksum is not valid'
512 |         return resultdict
513 | 
514 |     if _is_empty_file_md5(value):  
515 |         resultdict['result'] = 'NOK'
516 |         resultdict['reason'] = 'checksum is the one of an empty file'
517 |         return resultdict
518 | 
519 |     if _is_checksum_in_set(value,datasrc_dict['md5']):
520 |         resultdict['result'] = 'NOK'
521 |         resultdict['reason'] = 'checksum belongs to NSRL List'
522 |         return resultdict
523 | 
524 |     resultdict['result'] = 'OK'
525 |     resultdict['reason'] = 'attribute has been validated'
526 |     return resultdict
527 | 
528 | def _check_sha1(event_dict, attribute_dict, datasrc_dict):
529 |     '''Check the sha1 validity.
530 | 
531 |     event_dict -- dict that contains event details.
532 |     attribute_dict -- dict that contains attribute details.
533 |     datasrc_dict -- dict that contains data source sets used for checks.
534 |     '''
535 |     value = attribute_dict['value']
536 |     resultdict = {}
537 |     resultdict['event_dict'] = event_dict
538 |     resultdict['attribute_dict'] = attribute_dict
539 | 
540 |     if '|' in value: #if format is filename|checksum
541 |         value = value.split('|')[1] #retreive only checksum for tests
542 | 
543 |     if value in datasrc_dict['except_list']:
544 |         resultdict['result'] = 'NOK'
545 |         resultdict['reason'] = 'belongs to an exception of the list'
546 |         return resultdict
547 | 
548 |     if not _is_valid_sha1(value):
549 |         resultdict['result'] = 'NOK'
550 |         resultdict['reason'] = 'checksum is not valid'
551 |         return resultdict
552 | 
553 |     if _is_empty_file_sha1(value):  
554 |         resultdict['result'] = 'NOK'
555 |         resultdict['reason'] = 'checksum is the one of an empty file'
556 |         return resultdict
557 | 
558 |     if _is_checksum_in_set(value,datasrc_dict['sha1']):
559 |         resultdict['result'] = 'NOK'
560 |         resultdict['reason'] = 'checksum belongs to NSRL List'
561 |         return resultdict
562 | 
563 |     resultdict['result'] = 'OK'
564 |     resultdict['reason'] = 'attribute has been validated'
565 |     return resultdict
566 | 
567 | def _check_sha256(event_dict, attribute_dict, datasrc_dict):
568 |     '''Check the sha256 validity.
569 | 
570 |     event_dict -- dict that contains event details.
571 |     attribute_dict -- dict that contains attribute details.
572 |     datasrc_dict -- dict that contains data source sets used for checks.
573 |     '''
574 |     value = attribute_dict['value']
575 |     resultdict = {}
576 |     resultdict['event_dict'] = event_dict
577 |     resultdict['attribute_dict'] = attribute_dict
578 | 
579 |     if '|' in value: #if format is filename|checksum
580 |         value = value.split('|')[1] #retreive only checksum for tests
581 | 
582 |     if value in datasrc_dict['except_list']:
583 |         resultdict['result'] = 'NOK'
584 |         resultdict['reason'] = 'belongs to an exception of the list'
585 |         return resultdict
586 | 
587 |     if not _is_valid_sha256(value):
588 |         resultdict['result'] = 'NOK'
589 |         resultdict['reason'] = 'checksum is not valid'
590 |         return resultdict
591 | 
592 |     if _is_empty_file_sha256(value): 
593 |         resultdict['result'] = 'NOK'
594 |         resultdict['reason'] = 'checksum is the one of an empty file'
595 |         return resultdict
596 | 
597 |     if _is_checksum_in_set(value,datasrc_dict['sha256']):
598 |         resultdict['result'] = 'NOK'
599 |         resultdict['reason'] = 'checksum belongs to NSRL List'
600 |         return resultdict
601 | 
602 |     resultdict['result'] = 'OK'
603 |     resultdict['reason'] = 'attribute has been validated'
604 |     return resultdict
605 | 
606 | def _check_yara(event_dict, attribute_dict):
607 |     '''Check the yara validity.
608 | 
609 |     event_dict -- dict that contains event details.
610 |     attribute_dict -- dict that contains attribute details.
611 |     '''
612 |     value = attribute_dict['value']
613 |     resultdict = {}
614 |     resultdict['event_dict'] = event_dict
615 |     resultdict['attribute_dict'] = attribute_dict
616 | 
617 |     error = _is_yara_rule_invalid(value)
618 | 
619 |     if error:
620 |         resultdict['result'] = 'NOK'
621 |         resultdict['reason'] = 'YARA rule is not valid : ' + error
622 |         return resultdict
623 | 
624 |     if _is_slow_yara_rule(value):
625 |         resultdict['result'] = 'NOK'
626 |         resultdict['reason'] = 'it is a slow performing yara rule'
627 |         return resultdict
628 | 
629 |     resultdict['result'] = 'OK'
630 |     resultdict['reason'] = 'attribute has been validated'
631 |     return resultdict
632 | 
633 | def _check_snort(event_dict, attribute_dict):
634 |     '''Check the snort validity.
635 | 
636 |     event_dict -- dict that contains event details.
637 |     attribute_dict -- dict that contains attribute details.
638 |     '''
639 |     value = attribute_dict['value']
640 |     resultdict = {}
641 |     resultdict['event_dict'] = event_dict
642 |     resultdict['attribute_dict'] = attribute_dict
643 | 
644 |     error = _is_snort_rule_invalid(value)
645 | 
646 |     if error:
647 |         resultdict['result'] = 'NOK'
648 |         resultdict['reason'] = 'Snort rule is not valid : ' + error
649 |         return resultdict
650 | 
651 |     resultdict['result'] = 'OK'
652 |     resultdict['reason'] = 'attribute has been validated'
653 |     return resultdict
654 | 
655 | ############################################
656 | ############## Get Functions ###############
657 | ############################################
658 | 
659 | def _get_event_elements(event):
660 |     '''Returns a dict object that contains elements of an event.
661 | 
662 |     event -- json snippet that contains an event.
663 |     '''
664 |     event_id = json.dumps(event['id']).encode('utf8').decode('string_escape')
665 |     event_id = event_id[1::] # remove first "
666 |     event_id = event_id[:-1] # remove last "
667 | 
668 |     event_uuid = json.dumps(event['uuid']).encode('utf8').decode('string_escape')
669 |     event_uuid = event_uuid[1::] # remove first "
670 |     event_uuid = event_uuid[:-1] # remove last "
671 | 
672 |     event_time = json.dumps(event['date']).encode('utf8').decode('string_escape')
673 |     event_time = event_time[1::] # remove first "
674 |     event_time = event_time[:-1] # remove last "
675 |     event_time = str(int(time.mktime(time.strptime(event_time, "%Y-%m-%d")))*1000)
676 | 
677 |     event_description = json.dumps(event['info']).encode('utf8').decode('string_escape')
678 |     event_description = event_description[1::] # remove first "
679 |     event_description = event_description[:-1] # remove last "
680 | 
681 |     event_source_org = json.dumps(event['Org']['name']).encode('utf8').decode('string_escape')
682 |     event_source_org = event_source_org[1::] # remove first "
683 |     event_source_org = event_source_org[:-1] # remove last "
684 | 
685 |     event_source_orgc = json.dumps(event['Orgc']['name']).encode('utf8').decode('string_escape')
686 |     event_source_orgc = event_source_orgc[1::] # remove first "
687 |     event_source_orgc = event_source_orgc[:-1] # remove last "
688 | 
689 |     threat_level = json.dumps(event['threat_level_id']).encode('utf8').decode('string_escape')
690 |     threat_level = threat_level[1::] # remove first "
691 |     threat_level = threat_level[:-1] # remove last "
692 | 
693 |     return dict([('id',event_id),('uuid',event_uuid),('date',event_time),('info',event_description),('Orgname',event_source_org),('Orgcname',event_source_orgc),('threat_level_id',threat_level)])
694 | 
695 | def _get_attribute_elements(attribute):
696 |     '''Returns a dict object that contains elements of an attribute.
697 | 
698 |     attribute -- json snippet that contains an attribute.
699 |     '''
700 |     attribute_id = json.dumps(attribute['id']).encode('utf8').decode('string_escape')
701 |     attribute_id = attribute_id[1::]
702 |     attribute_id = attribute_id[:-1]
703 | 
704 |     attribute_type = json.dumps(attribute['type']).encode('utf8').decode('string_escape')
705 |     attribute_type = attribute_type[1::] # remove first "
706 |     attribute_type = attribute_type[:-1] # remove last "
707 | 
708 |     value = json.dumps(attribute['value']).encode('utf8').decode('string_escape')
709 |     value = value[1::] # remove first "
710 |     value = value[:-1] # remove last "
711 | 
712 |     if attribute_type in lowercase_attribute_set:
713 |         value = value.lower()
714 | 
715 |     to_ids = json.dumps(attribute['to_ids']).encode('utf8').decode('string_escape')
716 | 
717 |     attribute_uuid  = json.dumps(attribute['uuid']).encode('utf8').decode('string_escape')
718 |     attribute_uuid  = attribute_uuid [1::] # remove first "
719 |     attribute_uuid  = attribute_uuid [:-1] # remove last "
720 | 
721 |     attribute_category = json.dumps(attribute['category']).encode('utf8').decode('string_escape')
722 |     attribute_category = attribute_category[1::]
723 |     attribute_category = attribute_category[:-1]
724 | 
725 |     if attribute_type == 'snort':
726 |         value = value.replace('\n\r','')
727 |         value = value.replace('\n','')
728 |         value = value.replace('\r','')
729 |         snort_new_sid = 990000000 + int(attribute_id) # Local snort rules sid start at 1000000
730 |         value = snort_sid_regexp.sub('sid:' + str(snort_new_sid) + ';',value)
731 |         value = snort_rev_regexp.sub('rev:1;',value)
732 | 
733 |     return dict([('id',attribute_id), ('value',value), ('type',attribute_type), ('to_ids', to_ids), ('uuid', attribute_uuid ), ('category',attribute_category)])
734 | 
735 | ############################################
736 | ############## Main Functions ##############
737 | ############################################
738 | 
739 | def check_attribute(event_dict, attribute_dict, datasrc_dict, allowed_attribute_set, attribute_status_dict):
740 |     '''Check attribute validity defined by dicts of values.
741 | 
742 |     event_dict -- dict that contains event details.
743 |     attribute_dict -- dict that contains attribute details.
744 |     datasrc_dict -- dict that contains data source sets used for checks.
745 |     attribute_status_dict -- define the file used to export valid yara rules.
746 |     allowed_attribute_set -- set that contains the misp attibute types that would be checked.
747 |     '''
748 |     attribute_type = attribute_dict['type']
749 |     to_ids =  attribute_dict['to_ids']
750 | 
751 |     resultdict = {}
752 |     resultdict['event_dict'] = event_dict
753 |     resultdict['attribute_dict'] = attribute_dict
754 | 
755 |     try:
756 |         if (not attribute_dict['uuid'] in attribute_status_dict.keys()) or (attribute_status_dict[attribute_dict['uuid']] != event_dict['date']): # attribute absent or outdated
757 |             if attribute_type in allowed_attribute_set and attribute_dict['uuid'] not in attribute_processed:
758 |                 attribute_status_dict[attribute_dict['uuid']] = event_dict['date']
759 |                 attribute_processed.add(attribute_dict['uuid']) #add to list of already processed attribute
760 |                 if to_ids in 'true' or attribute_type == 'yara' or attribute_type == 'snort': #snort and yara should always be in to_ids. Because of too many mistakes, we have to do that
761 |                     if attribute_type in no_to_ids_attribute_set:
762 |                         resultdict['result'] = 'NOK'
763 |                         resultdict['reason'] = 'incoherent True value for to_ids associated to ' + attribute_type
764 |                         return resultdict
765 | 
766 |                     if attribute_type == 'ip-src':
767 |                         return _check_ipSrc(event_dict, attribute_dict, datasrc_dict)
768 |     
769 |                     elif attribute_type == 'ip-dst':
770 |                         return _check_ipDst(event_dict, attribute_dict, datasrc_dict)
771 | 
772 |                     elif attribute_type == 'domain':
773 |                         return _check_domain(event_dict, attribute_dict, datasrc_dict)
774 | 
775 |                     elif attribute_type == 'hostname':
776 |                         return _check_hostname(event_dict, attribute_dict, datasrc_dict)
777 | 
778 |                     elif attribute_type == 'url':
779 |                         return _check_url(event_dict, attribute_dict, datasrc_dict)
780 | 
781 |                     elif attribute_type == 'md5' or attribute_type == 'filename|md5':
782 |                         return _check_md5(event_dict, attribute_dict, datasrc_dict)
783 |  
784 |                     elif attribute_type == 'sha1' or attribute_type == 'filename|sha1':
785 |                         return _check_sha1(event_dict, attribute_dict, datasrc_dict)
786 | 
787 |                     elif attribute_type == 'sha256' or attribute_type == 'filename|sha256':
788 |                         return _check_sha256(event_dict, attribute_dict, datasrc_dict)
789 | 
790 |                     elif attribute_type == 'yara':
791 |                         return _check_yara(event_dict, attribute_dict)
792 | 
793 |                     elif attribute_type == 'snort':
794 |                         return _check_snort(event_dict, attribute_dict)
795 |                 else:
796 |                     if attribute_type in to_ids_attribute_set:
797 |                         resultdict['result'] = 'NOK'
798 |                         resultdict['reason'] = 'incoherent False value for to_ids associated to ' + attribute_type
799 |                         return resultdict
800 |                     else:
801 |                         resultdict['result'] = 'NOK'
802 |                         resultdict['reason'] = 'to_ids value is set to False'
803 |                         return resultdict
804 |             else:
805 |                 return None
806 |         else:
807 |             return None
808 |          
809 |     except Exception as e:
810 |         resultdict['result'] = 'NOK'
811 |         resultdict['reason'] = 'attribute is badly formatted and generates an exception' + str(e)
812 |         return resultdict
813 | 
814 | def check_attributes(json_events, datasrc_dict, allowed_attribute_set, attribute_status_dict):
815 |     '''Check attributes validity from a list of events in json format.
816 | 
817 |     json_events -- json of the events with attributes that should be checked.
818 |     datasrc_dict -- dict that contains data source sets used for checks.
819 |     allowed_attribute_set -- set that contains the misp attibute types that would be checked.
820 |     attribute_status_dict -- define the file used to export valid yara rules.
821 |     '''
822 | 
823 |     for i in range(len(json_events)):
824 |         for j in range(len(json_events[i]['Event']['Attribute'])):
825 |             event = json_events[i]['Event']
826 |             attribute = json_events[i]['Event']['Attribute'][j]
827 | 
828 |             event_dict = _get_event_elements(event)
829 |             attribute_dict = _get_attribute_elements(attribute)
830 | 
831 |             yield check_attribute(event_dict, attribute_dict, datasrc_dict, allowed_attribute_set, attribute_status_dict)
832 | 
833 | def track_attributes(json_events, allowed_attribute_set, attribute_status_dict):
834 |     '''Check attributes validity from a list of events in json format.
835 | 
836 |     json_events -- json of the events with attributes that should be checked.
837 |     allowed_attribute_set -- set that contains the misp attibute types that would be checked.
838 |     attribute_status_dict -- define the file used to export valid yara rules.
839 |     '''
840 | 
841 |     for i in range(len(json_events)):
842 |         for j in range(len(json_events[i]['Event']['Attribute'])):
843 |             event = json_events[i]['Event']
844 |             attribute = json_events[i]['Event']['Attribute'][j]
845 | 
846 |             event_dict = _get_event_elements(event)
847 |             attribute_dict = _get_attribute_elements(attribute)
848 | 
849 |             attribute_type = attribute_dict['type']
850 | 
851 |             if (not attribute_dict['uuid'] in attribute_status_dict.keys()) or (attribute_status_dict[attribute_dict['uuid']] != event_dict['date']): # attribute absent or outdated
852 |                 if attribute_type in allowed_attribute_set and attribute_dict['uuid'] not in attribute_processed:
853 |                     attribute_status_dict[attribute_dict['uuid']] = event_dict['date']
854 |                     attribute_processed.add(attribute_dict['uuid']) #add to list of already processed attribute
855 |                     yield True
856 | 
857 | 


--------------------------------------------------------------------------------
/keys.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | # MISP-IOC-Validator - Validate IOC from MISP ; Export results and iocs to SIEM and sensors using syslog and CEF format
 5 | #
 6 | # Copyright (C) 2016 Thomas Hilt
 7 | #
 8 | # This program is free software: you can redistribute it and/or modify
 9 | # it under the terms of the GNU Affero General Public License as published by
10 | # the Free Software Foundation, either version 3 of the License, or
11 | # (at your option) any later version.
12 | #
13 | # This program is distributed in the hope that it will be useful,
14 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16 | # GNU Affero General Public License for more details.
17 | #
18 | # You should have received a copy of the GNU Affero General Public License
19 | # along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 | 
21 | misp_url = 'https://mispserver.local'
22 | misp_key = 'FGHGFHGFHGFHGFHGFHGFHGF' # The MISP auth key can be found on the MISP web interface under the automation section
23 | misp_verifycert = True # True if you have a valid cert on your server
24 | 


--------------------------------------------------------------------------------
/sourcefilelist.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | # MISP-IOC-Validator - Validate IOC from MISP ; Export results and iocs to SIEM and sensors using syslog and CEF format
 5 | #
 6 | # Copyright (C) 2016 Thomas Hilt
 7 | #
 8 | # This program is free software: you can redistribute it and/or modify
 9 | # it under the terms of the GNU Affero General Public License as published by
10 | # the Free Software Foundation, either version 3 of the License, or
11 | # (at your option) any later version.
12 | #
13 | # This program is distributed in the hope that it will be useful,
14 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16 | # GNU Affero General Public License for more details.
17 | #
18 | # You should have received a copy of the GNU Affero General Public License
19 | # along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 | 
21 | tld_list_filepath = 'datasrc/tlds-alpha-by-domain.txt'          #list of existing TLD
22 | google_ip_list_filepath = 'datasrc/google_ip.txt'               #ip address or range of google CIDR notation
23 | yahoo_ip_list_filepath = 'datasrc/yahoo_ip.txt'                 #ip address or range of yahoo CIDR notation
24 | microsoft_ip_list_filepath = 'datasrc/microsoft_ip.txt'         #ip address or range of microsoft CIDR notation
25 | alexa_list_filepath = 'datasrc/alexalist.txt'                   #alexa top 1M list (without the first line of csv file)
26 | alexa_exception_list_filepath = 'datasrc/alexa_exception.txt'   #some domain that we want to exclude from alexa list
27 | yara_export_exception_list_filepath = 'datasrc/yara-export-discarded.txt' #contain a list of name of yara rule (one per line) to exclude from the yara export function
28 | md5_list_filepath = 'datasrc/md5.txt'                           #MD5 of known "safe" file
29 | sha1_list_filepath = 'datasrc/sha1.txt'                         #SHA1 of known "safe" file
30 | sha256_list_filepath = 'datasrc/sha256.txt'                     #SHA256 of known "safe" file
31 | except_list_filepath = 'datasrc/except_list.txt'                #List of IOC value to exclude directly (force the check to NOK, this is not working for YARA and SNORT)
32 | 


--------------------------------------------------------------------------------