2020-11-24 19:45:03 +01:00
|
|
|
#!/usr/bin/env python3
|
|
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
|
|
|
|
|
from app.utils import read_config
|
|
|
|
|
from app.classes.iocs import IOCs
|
|
|
|
|
from app.classes.whitelist import WhiteList
|
2021-06-08 18:22:52 +02:00
|
|
|
from app.classes.misp import MISP
|
2020-11-24 19:45:03 +01:00
|
|
|
|
|
|
|
|
import requests
|
|
|
|
|
import json
|
|
|
|
|
import urllib3
|
|
|
|
|
import time
|
|
|
|
|
from multiprocessing import Process
|
|
|
|
|
|
|
|
|
|
"""
|
2021-02-16 16:55:34 +01:00
|
|
|
This file is parsing the watchers present
|
|
|
|
|
in the configuration file. This in order to get
|
|
|
|
|
automatically new iocs / elements from remote
|
2020-11-24 19:45:03 +01:00
|
|
|
sources without user interaction.
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def watch_iocs():
|
|
|
|
|
"""
|
|
|
|
|
Retrieve IOCs from the remote URLs defined in config/watchers.
|
2021-06-08 18:22:52 +02:00
|
|
|
For each IOC, add it to the DB.
|
2020-11-24 19:45:03 +01:00
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
# Retrieve the URLs from the configuration
|
|
|
|
|
urls = read_config(("watchers", "iocs"))
|
|
|
|
|
watchers = [{"url": url, "status": False} for url in urls]
|
|
|
|
|
|
|
|
|
|
while True:
|
|
|
|
|
for w in watchers:
|
|
|
|
|
if w["status"] == False:
|
|
|
|
|
iocs = IOCs()
|
|
|
|
|
iocs_list = []
|
|
|
|
|
try:
|
|
|
|
|
res = requests.get(w["url"], verify=False)
|
|
|
|
|
if res.status_code == 200:
|
2021-02-16 16:51:36 +01:00
|
|
|
content = json.loads(res.content)
|
2021-06-09 11:11:55 +02:00
|
|
|
iocs_list = content["iocs"] if "iocs" in content else []
|
|
|
|
|
to_delete = content["to_delete"] if "to_delete" in content else []
|
2020-11-24 19:45:03 +01:00
|
|
|
else:
|
|
|
|
|
w["status"] = False
|
|
|
|
|
except:
|
|
|
|
|
w["status"] = False
|
|
|
|
|
|
|
|
|
|
for ioc in iocs_list:
|
|
|
|
|
try:
|
|
|
|
|
iocs.add(ioc["type"], ioc["tag"],
|
|
|
|
|
ioc["tlp"], ioc["value"], "watcher")
|
|
|
|
|
w["status"] = True
|
|
|
|
|
except:
|
|
|
|
|
continue
|
|
|
|
|
|
2021-02-16 16:51:36 +01:00
|
|
|
for ioc in to_delete:
|
|
|
|
|
try:
|
|
|
|
|
iocs.delete_by_value(ioc["value"])
|
|
|
|
|
w["status"] = True
|
|
|
|
|
except:
|
|
|
|
|
continue
|
|
|
|
|
|
2020-11-24 19:45:03 +01:00
|
|
|
# If at least one URL haven't be parsed, let's retry in 1min.
|
|
|
|
|
if False in [w["status"] for w in watchers]:
|
|
|
|
|
time.sleep(60)
|
|
|
|
|
else:
|
|
|
|
|
break
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def watch_whitelists():
|
|
|
|
|
"""
|
2021-02-16 16:55:34 +01:00
|
|
|
Retrieve whitelist elements from the remote URLs
|
|
|
|
|
defined in config/watchers. For each (new ?) element,
|
2020-11-24 19:45:03 +01:00
|
|
|
add it to the DB.
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
urls = read_config(("watchers", "whitelists"))
|
|
|
|
|
watchers = [{"url": url, "status": False} for url in urls]
|
|
|
|
|
|
|
|
|
|
while True:
|
|
|
|
|
for w in watchers:
|
|
|
|
|
if w["status"] == False:
|
|
|
|
|
whitelist = WhiteList()
|
|
|
|
|
elements = []
|
|
|
|
|
try:
|
|
|
|
|
res = requests.get(w["url"], verify=False)
|
|
|
|
|
if res.status_code == 200:
|
2021-02-16 16:51:36 +01:00
|
|
|
content = json.loads(res.content)
|
2021-06-09 11:11:55 +02:00
|
|
|
elements = content["elements"] if "elements" in content else []
|
|
|
|
|
to_delete = content["to_delete"] if "to_delete" in content else []
|
2020-11-24 19:45:03 +01:00
|
|
|
else:
|
|
|
|
|
w["status"] = False
|
|
|
|
|
except:
|
|
|
|
|
w["status"] = False
|
|
|
|
|
|
|
|
|
|
for elem in elements:
|
|
|
|
|
try:
|
|
|
|
|
whitelist.add(elem["type"], elem["element"], "watcher")
|
|
|
|
|
w["status"] = True
|
|
|
|
|
except:
|
|
|
|
|
continue
|
|
|
|
|
|
2021-02-16 16:51:36 +01:00
|
|
|
for elem in to_delete:
|
|
|
|
|
try:
|
|
|
|
|
whitelist.delete_by_value(elem["element"])
|
|
|
|
|
w["status"] = True
|
|
|
|
|
except:
|
|
|
|
|
continue
|
|
|
|
|
|
2020-11-24 19:45:03 +01:00
|
|
|
if False in [w["status"] for w in watchers]:
|
|
|
|
|
time.sleep(60)
|
|
|
|
|
else:
|
|
|
|
|
break
|
|
|
|
|
|
|
|
|
|
|
2021-06-08 18:22:52 +02:00
|
|
|
def watch_misp():
|
|
|
|
|
"""
|
|
|
|
|
Retrieve IOCs from misp instances. Each new element is
|
2021-06-09 11:17:30 +02:00
|
|
|
tested and then added to the database.
|
2021-06-08 18:22:52 +02:00
|
|
|
"""
|
2021-06-09 11:11:55 +02:00
|
|
|
iocs, misp = IOCs(), MISP()
|
|
|
|
|
instances = [i for i in misp.get_instances()]
|
2021-06-08 18:22:52 +02:00
|
|
|
|
2021-06-09 11:11:55 +02:00
|
|
|
while instances:
|
2021-06-11 14:46:11 +02:00
|
|
|
for i, ist in enumerate(instances):
|
|
|
|
|
status = misp.test_instance(ist["url"],
|
|
|
|
|
ist["apikey"],
|
|
|
|
|
ist["verifycert"])
|
|
|
|
|
if status:
|
|
|
|
|
for ioc in misp.get_iocs(ist["id"]):
|
2021-06-09 11:11:55 +02:00
|
|
|
iocs.add(ioc["type"], ioc["tag"], ioc["tlp"],
|
2021-06-11 14:46:11 +02:00
|
|
|
ioc["value"], "misp-{}".format(ist["id"]))
|
|
|
|
|
misp.update_sync(ist["id"])
|
2021-06-09 11:11:55 +02:00
|
|
|
instances.pop(i)
|
|
|
|
|
if instances: time.sleep(60)
|
2021-06-08 18:22:52 +02:00
|
|
|
|
2021-06-10 18:37:40 +02:00
|
|
|
|
2020-11-24 19:45:03 +01:00
|
|
|
p1 = Process(target=watch_iocs)
|
|
|
|
|
p2 = Process(target=watch_whitelists)
|
2021-06-08 18:22:52 +02:00
|
|
|
p3 = Process(target=watch_misp)
|
2020-11-24 19:45:03 +01:00
|
|
|
|
|
|
|
|
p1.start()
|
|
|
|
|
p2.start()
|
2021-06-08 18:22:52 +02:00
|
|
|
p3.start()
|
