c_meyer/SpyGuard
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

First commit!

Browse Source
This commit is contained in:
sda
2022-11-06 15:51:33 +01:00
parent 283cf9630f
commit 64daa44e9f
225 changed files with 94329 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
server/backend/app/__init__.py Executable file
View File

@ -0,0 +1,15 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from sqlalchemy import create_engine, MetaData, Table
from sqlalchemy.orm import scoped_session, mapper
from sqlalchemy.orm.session import sessionmaker
import sys
parent = "/".join(sys.path[0].split("/")[:-2])
engine = create_engine('sqlite:////{}/database.sqlite3'.format(parent), convert_unicode=True)
metadata = MetaData(bind=engine)
session = scoped_session(sessionmaker(autocommit=False, autoflush=False, bind=engine))
class Model(object):
query = session.query_property()

131
server/backend/app/blueprints/config.py Executable file
View File

@ -0,0 +1,131 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from flask import Blueprint, request, jsonify
from app.decorators import *
from app.classes.config import Config
from app.utils import get_device_uuid
import sys
config_bp = Blueprint("config", __name__)
config = Config()
@config_bp.route('/switch/<cat>/<key>', methods=['GET'])
@require_header_token
def switch(cat, key):
"""Switch the Boolean value of a configuration key.
Args:
cat (str): configuration category
key (key): configuration key
Returns:
dict: operation status
"""
try:
value = config.read_config((cat, key))
if value:
config.write_config(cat, key, False)
res = {"status": True,
"message": "Key switched to false"}
else:
config.write_config(cat, key, True)
res = {"status": True,
"message": "Key switched to true"}
except:
res = {"status": True,
"message": "Issue while changing value"}
return jsonify(res)
@config_bp.route('/ioc-type/add/<tag>', methods=['GET'])
@require_header_token
def ioc_type_add(tag):
"""Add an IOC type - defined via its tag - in the
configuration file for detection.
Args:
tag (str): IOC tag
Returns:
dict: operation status
"""
return jsonify(config.ioc_type_add(tag))
@config_bp.route('/ioc-type/delete/<tag>', methods=['GET'])
@require_header_token
def ioc_type_delete(tag):
"""Delete an IOC type - defined via its tag - in the
configuration file for detection.
Args:
tag (str): IOC tag
Returns:
dict: operation status
"""
return jsonify(config.ioc_type_delete(tag))
@config_bp.route('/edit/<cat>/<key>/<path:value>', methods=['GET'])
@require_header_token
def edit(cat, key, value):
"""Edit the string (or array) value of a configuration key.
Args:
cat (str): configuration category
key (str): configuration key
value (any): configuration value
Returns:
dict: operation status
"""
return jsonify(config.write_config(cat, key, value))
@config_bp.route('/db/export', methods=['GET'])
@require_get_token
def export_db():
"""Export the database.
Returns:
dict: the raw database
"""
return config.export_db()
@config_bp.route('/db/import', methods=['POST'])
@require_header_token
def import_db():
"""Import a database via Flash methods
and replace the existant.
Returns:
dict: operation status
"""
try:
f = request.files["file"]
assert f.read(15) == b"SQLite format 3"
d = "/".join(sys.path[0].split("/")[:-2])
f.save("/{}/database.sqlite3".format(d))
res = {"status": True,
"message": "Database updated"}
except:
res = {"status": False,
"message": "Error while database upload"}
return jsonify(res)
@config_bp.route('/list', methods=['GET'])
def list():
"""List key, values of the configuration
Returns:
dict: configuration content
"""
res = config.export_config()
res["backend"]["password"] = ""
res["device_uuid"] = get_device_uuid()
return jsonify(res)

97
server/backend/app/blueprints/ioc.py Executable file
View File

@ -0,0 +1,97 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from flask import Blueprint, jsonify, Response, request
from app.decorators import require_header_token, require_get_token
from app.classes.iocs import IOCs
import json
from urllib.parse import unquote
ioc_bp = Blueprint("ioc", __name__)
ioc = IOCs()
@ioc_bp.route('/add/<ioc_type>/<ioc_tag>/<ioc_tlp>/<path:ioc_value>', methods=['GET'])
@require_header_token
def add(ioc_type, ioc_tag, ioc_tlp, ioc_value):
"""
Parse and add an IOC to the database.
:return: status of the operation in JSON
"""
source = "backend"
if ioc_type == "snort":
ioc_value = unquote("/".join(request.full_path.split("/")[7:]))
res = IOCs.add(ioc_type, ioc_tag, ioc_tlp, ioc_value, source)
return jsonify(res)
@ioc_bp.route('/add_post', methods=['POST'])
@require_header_token
def add_post():
"""
Parse and add an IOC to the database using the post method.
:return: status of the operation in JSON
"""
data = json.loads(request.data)
ioc = data["data"]["ioc"]
res = IOCs.add(ioc["ioc_type"], ioc["ioc_tag"], ioc["ioc_tlp"], ioc["ioc_value"], ioc["ioc_source"])
return jsonify(res)
@ioc_bp.route('/delete/<ioc_id>', methods=['GET'])
@require_header_token
def delete(ioc_id):
"""
Delete an IOC by its id to the database.
:return: status of the operation in JSON
"""
res = IOCs.delete(ioc_id)
return jsonify(res)
@ioc_bp.route('/search/<term>', methods=['GET'])
@require_header_token
def search(term):
"""
Search IOCs in the database.
:return: potential results in JSON.
"""
res = IOCs.search(term)
return jsonify({"results": [i for i in res]})
@ioc_bp.route('/get/types')
@require_header_token
def get_types():
"""
Retreive a list of IOCs types.
:return: list of types in JSON.
"""
res = IOCs.get_types()
return jsonify({"types": [t for t in res]})
@ioc_bp.route('/get/tags')
@require_header_token
def get_tags():
"""
Retreive a list of IOCs tags.
:return: list of types in JSON.
"""
res = IOCs.get_tags()
return jsonify({"tags": [t for t in res]})
@ioc_bp.route('/export')
@require_get_token
def get_all():
"""
Retreive a list of all IOCs.
:return: list of iocs in JSON.
"""
res = IOCs.get_all()
return Response(json.dumps({"iocs": [i for i in res]}),
mimetype='application/json',
headers={'Content-Disposition': 'attachment;filename=iocs-export.json'})

42
server/backend/app/blueprints/misp.py Executable file
View File

@ -0,0 +1,42 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from flask import Blueprint, jsonify, Response, request
from app.decorators import require_header_token, require_get_token
from app.classes.misp import MISP
import json
misp_bp = Blueprint("misp", __name__)
misp = MISP()
@misp_bp.route('/add', methods=['POST'])
@require_header_token
def add_instance():
"""
Parse and add a MISP instance to the database.
:return: status of the operation in JSON
"""
data = json.loads(request.data)
res = misp.add_instance(data["data"]["instance"])
return jsonify(res)
@misp_bp.route('/delete/<misp_id>', methods=['GET'])
@require_header_token
def delete_instance(misp_id):
"""
Delete a MISP instance by its id to the database.
:return: status of the operation in JSON
"""
res = misp.delete_instance(misp_id)
return jsonify(res)
@misp_bp.route('/get_all', methods=['GET'])
@require_header_token
def get_all():
"""
Retreive a list of all MISP instances.
:return: list of MISP instances in JSON.
"""
res = misp.get_instances()
return jsonify({"results": [i for i in res]})

25
server/backend/app/blueprints/update.py Executable file
View File

@ -0,0 +1,25 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from flask import jsonify, Blueprint
from app.classes.update import Update
from app.decorators import require_header_token
update_bp = Blueprint("update", __name__)
@update_bp.route("/check", methods=["GET"])
@require_header_token
def check():
""" Check the presence of new version """
return jsonify(Update().check_version())
@update_bp.route("/get-version", methods=["GET"])
def get_version():
""" Check the current version """
return jsonify(Update().get_current_version())
@update_bp.route("/process", methods=["GET"])
@require_header_token
def process():
""" Check the presence of new version """
return jsonify(Update().update_instance())

42
server/backend/app/blueprints/watchers.py Executable file
View File

@ -0,0 +1,42 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from flask import Blueprint, jsonify, request
from app.decorators import require_header_token
from app.classes.watchers import Watcher
import json
watchers_bp = Blueprint("watchers", __name__)
watcher = Watcher()
@watchers_bp.route('/add', methods=['POST'])
@require_header_token
def add_instance():
"""
Parse and add a watcher instance.
:return: status of the operation in JSON
"""
data = json.loads(request.data)
res = watcher.add_instance(data["data"]["instance"])
return jsonify(res)
@watchers_bp.route('/delete/<watcher_id>', methods=['GET'])
@require_header_token
def delete_instance(watcher_id):
"""
Delete a watcher by its id.
:return: status of the operation in JSON
"""
res = watcher.delete_instance(watcher_id)
return jsonify(res)
@watchers_bp.route('/get_all', methods=['GET'])
@require_header_token
def get_all():
"""
Retreive a list of all watchers.
:return: list of watcher instances in JSON.
"""
res = watcher.get_instances()
return jsonify({"results": [i for i in res]})

68
server/backend/app/blueprints/whitelist.py Executable file
View File

@ -0,0 +1,68 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from flask import Blueprint, jsonify, Response
from app.decorators import require_header_token, require_get_token
from app.classes.whitelist import WhiteList
import json
whitelist_bp = Blueprint("whitelist", __name__)
whitelist = WhiteList()
@whitelist_bp.route('/add/<elem_type>/<path:elem_value>', methods=['GET'])
@require_header_token
def add(elem_type, elem_value):
"""
Parse and add an element to be whitelisted.
:return: status of the operation in JSON
"""
source = "backend"
res = whitelist.add(elem_type, elem_value, source)
return jsonify(res)
@whitelist_bp.route('/delete/<elem_id>', methods=['GET'])
@require_header_token
def delete(elem_id):
"""
Delete an element by its id to the database.
:return: status of the operation in JSON
"""
res = whitelist.delete(elem_id)
return jsonify(res)
@whitelist_bp.route('/search/<element>', methods=['GET'])
@require_header_token
def search(element):
"""
Search elements in the database.
:return: potential results in JSON.
"""
res = whitelist.search(element)
return jsonify({"results": [e for e in res]})
@whitelist_bp.route('/get/types')
@require_header_token
def get_types():
"""
Retrieve a list of whitelisted elements types.
:return: list of types in JSON.
"""
res = whitelist.get_types()
return jsonify({"types": [t for t in res]})
@whitelist_bp.route('/export')
@require_get_token
def get_all():
"""
Retreive a list of all elements.
:return: list of elements in JSON.
"""
res = whitelist.get_all()
return Response(json.dumps({"elements": [e for e in res]}),
mimetype='application/json',
headers={'Content-Disposition': 'attachment;filename=whitelist-export.json'})

174
server/backend/app/classes/config.py Executable file
View File

@ -0,0 +1,174 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import yaml
import sys
import io
import os
import re
import hashlib
import subprocess as sp
from functools import reduce
from flask import send_file
class Config(object):
def __init__(self):
self.dir = "/".join(sys.path[0].split("/")[:-2])
return None
def read_config(self, path):
"""
Read a single value from the configuration
:return: value (it can be any type)
"""
config = yaml.load(
open(os.path.join(self.dir, "config.yaml"), "r"), Loader=yaml.SafeLoader)
return reduce(dict.get, path, config)
def export_config(self):
"""
Export the configuration
:return: dict (configuration content)
"""
config = yaml.load(open(os.path.join(self.dir, "config.yaml"), "r"), Loader=yaml.SafeLoader)
config["ifaces_in"] = self.get_ifaces_in()
config["ifaces_out"] = self.get_ifaces_out()
config["analysis"]["indicators_types"] = config["analysis"]["indicators_types"] if config["analysis"]["indicators_types"] else []
return config
def ioc_type_add(self, tag):
"""Add an IOC type to the config file
Args:
tag (str): IOC type.
"""
config = yaml.load(open(os.path.join(self.dir, "config.yaml"), "r"), Loader=yaml.SafeLoader)
config["analysis"]["indicators_types"].append(tag)
with open(os.path.join(self.dir, "config.yaml"), "w") as yaml_file:
yaml_file.write(yaml.dump(config, default_flow_style=False))
return {"status": True,
"message": "Configuration updated"}
def ioc_type_delete(self, tag):
"""Delete an IOC type to the config file
Args:
tag (str): IOC type.
"""
config = yaml.load(open(os.path.join(self.dir, "config.yaml"), "r"), Loader=yaml.SafeLoader)
config["analysis"]["indicators_types"].remove(tag)
with open(os.path.join(self.dir, "config.yaml"), "w") as yaml_file:
yaml_file.write(yaml.dump(config, default_flow_style=False))
return {"status": True,
"message": "Configuration updated"}
def write_config(self, cat, key, value) -> dict:
"""Write a value in the configuration
Args:
cat (str): category
key (str): key
value (str): value to write
Returns:
dict: status of the operation.
"""
config = yaml.load(open(os.path.join(self.dir, "config.yaml"), "r"), Loader=yaml.SafeLoader)
# Some checks prior configuration changes.
if cat not in config:
return {"status": False,
"message": "Wrong category specified"}
if key not in config[cat]:
return {"status": False,
"message": "Wrong key specified"}
# Changes for network interfaces.
if cat == "network" and key in ["in", "out"]:
if re.match("^(wlan[0-9]|wl[a-z0-9]{2,20})$", value):
if key == "in":
config[cat][key] = value
if key == "out":
config[cat][key] = value
elif re.match("^(eth[0-9]|en[a-z0-9]{2,20}|ww[a-z0-9]{2,20}|lo)$", value) and key == "out":
config[cat][key] = value
else:
return {"status": False,
"message": "Wrong value specified"}
# Changes for network SSIDs.
elif cat == "network" and key == "ssids":
ssids = list(set(value.split("|"))) if "|" in value else [value]
if len(ssids):
config[cat][key] = ssids
# Changes for backend password.
elif cat == "backend" and key == "password":
config[cat][key] = self.make_password(value)
# Changes for anything not specified.
# Warning: can break your config if you play with it (eg. arrays, ints & bools).
else:
if isinstance(value, bool):
config[cat][key] = value
elif len(value):
config[cat][key] = value
with open(os.path.join(self.dir, "config.yaml"), "w") as yaml_file:
yaml_file.write(yaml.dump(config, default_flow_style=False))
sp.Popen(["systemctl", "restart", "spyguard-frontend"]).wait()
return {"status": True,
"message": "Configuration updated"}
def make_password(self, clear_text):
"""Make a simple sha256 password hash without salt.
Args:
clear_text (str): clear text password
Returns:
string: hexdigest of the password sha256 hash.
"""
return hashlib.sha256(clear_text.encode()).hexdigest()
def export_db(self):
"""Propose the database to download.
Returns:
Response: Flask Response.
"""
with open(os.path.join(self.dir, "database.sqlite3"), "rb") as f:
return send_file(
io.BytesIO(f.read()),
mimetype="application/octet-stream",
as_attachment=True,
attachment_filename='spyguard-export-db.sqlite')
def get_ifaces_in(self) -> list:
""" List the wireless interfaces which can be
used for the access point
Returns:
list: List of available network interfaces
"""
try:
return [i for i in os.listdir("/sys/class/net/") if i.startswith("wl")]
except:
return ["No wireless interface"]
def get_ifaces_out(self) -> list:
""" List the network interfaces which can be
used to access to Internet.
Returns:
list: List of available network interfaces
"""
try:
ifaces = ("wl", "et", "en", "ww", "lo")
return [i for i in os.listdir("/sys/class/net/") if i.startswith(ifaces)]
except:
return ["No network interfaces"]

158
server/backend/app/classes/iocs.py Executable file
View File

@ -0,0 +1,158 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from app import db
from app.db.models import Ioc
from sqlalchemy.sql import exists
from app.definitions import definitions
from flask import escape
import re
import time
class IOCs(object):
def __init__(self):
return None
@staticmethod
def add(ioc_type, ioc_tag, ioc_tlp, ioc_value, source):
"""
Parse and add an IOC to the database.
:return: status of the operation in JSON
"""
ioc_value = ioc_value.lower() if ioc_type != "snort" else ioc_value
ioc_valid = False
if db.session.query(exists().where(Ioc.value == ioc_value)).scalar():
return {"status": False,
"message": "IOC already exists",
"ioc": escape(ioc_value)}
elif ioc_tlp in ["white", "green", "amber", "red"]:
if ioc_type == "unknown":
for t in definitions["iocs_types"]:
if t["regex"] and t["auto"]:
if re.match(t["regex"], ioc_value):
ioc_type = t["type"]
ioc_valid = True
elif ioc_type in [t["type"] for t in definitions["iocs_types"]]:
for t in definitions["iocs_types"]:
if t["type"] == ioc_type and t["regex"]:
if re.match(t["regex"], ioc_value):
ioc_valid = True
break
elif t["type"] == "snort" and ioc_value[0:6] == "alert ":
ioc_valid = True
break
else:
return {"status": True,
"message": "Wrong IOC type",
"ioc": escape(ioc_value),
"type": escape(ioc_type)}
if ioc_valid:
added_on = int(time.time())
db.session.add(Ioc(ioc_value, ioc_type, ioc_tlp,
ioc_tag, source, added_on))
db.session.commit()
return {"status": True,
"message": "IOC added",
"ioc": escape(ioc_value),
"type": escape(ioc_type),
"tlp": escape(ioc_tlp),
"tag": escape(ioc_tag),
"source": escape(source),
"added_on": escape(added_on)}
else:
return {"status": False,
"message": "Wrong IOC format",
"ioc": escape(ioc_value)}
else:
return {"status": False,
"message": "Wrong IOC TLP",
"ioc": escape(ioc_value),
"type": escape(ioc_tlp)}
@staticmethod
def delete(ioc_id):
"""
Delete an IOC by its id in the database.
:return: status of the operation in JSON
"""
if db.session.query(exists().where(Ioc.id == ioc_id)).scalar():
db.session.query(Ioc).filter_by(id=ioc_id).delete()
db.session.commit()
return {"status": True,
"message": "IOC deleted"}
else:
return {"status": False,
"message": "IOC not found"}
@staticmethod
def delete_by_value(ioc_value):
"""
Delete an IOC by its value in the database.
:return: status of the operation in JSON
"""
if db.session.query(exists().where(Ioc.value == ioc_value)).scalar():
db.session.query(Ioc).filter_by(value=ioc_value).delete()
db.session.commit()
return {"status": True,
"message": "IOC deleted"}
else:
return {"status": False,
"message": "IOC not found"}
@staticmethod
def search(term):
"""
Search IOCs in the database.
:return: generator of results.
"""
iocs = db.session.query(Ioc).filter(
Ioc.value.like(term.replace("*", "%"))).all()
for ioc in iocs:
ioc = ioc.__dict__
yield {"id": ioc["id"],
"type": ioc["type"],
"tag": ioc["tag"],
"tlp": ioc["tlp"],
"value": ioc["value"],
"source": ioc["source"]}
@staticmethod
def get_types():
"""
Retreive a list of IOCs types.
:return: generator of iocs types.
"""
for t in definitions["iocs_types"]:
yield {"type": t["type"],
"name": t["name"]}
@staticmethod
def get_tags():
"""
Retreive a list of IOCs tags.
:return: generator of iocs tags.
"""
rtn = [i["tag"] for i in definitions["iocs_tags"]]
for ioc in db.session.query(Ioc).all():
ioc = ioc.__dict__
tag = ioc["tag"]
if tag not in rtn:
rtn.append(tag)
return list(set(rtn))
@staticmethod
def get_all():
"""
Get all IOCs from the database
:return: generator of the records.
"""
for ioc in db.session.query(Ioc).all():
ioc = ioc.__dict__
yield {"id": ioc["id"],
"type": ioc["type"],
"tag": ioc["tag"],
"tlp": ioc["tlp"],
"value": ioc["value"]}

157
server/backend/app/classes/misp.py Executable file
View File

@ -0,0 +1,157 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from app import db
from app.db.models import MISPInst
from app.definitions import definitions as defs
from sqlalchemy.sql import exists
from flask import escape
from pymisp import PyMISP
import re
import time
class MISP(object):
def __init__(self):
return None
def add_instance(self, instance) -> dict:
"""
Parse and add a MISP instance to the database.
:return: status of the operation in JSON
"""
url = instance["url"]
name = instance["name"]
apikey = instance["key"]
verify = instance["ssl"]
last_sync = int(time.time()-31536000) # One year
sameinstances = db.session.query(MISPInst).filter(
MISPInst.url == url, MISPInst.apikey == apikey)
if sameinstances.count():
return {"status": False,
"message": "This MISP instance already exists"}
if name:
if self.test_instance(url, apikey, verify):
added_on = int(time.time())
db.session.add(MISPInst(name, escape(
url), apikey, verify, added_on, last_sync))
db.session.commit()
return {"status": True,
"message": "MISP instance added"}
else:
return {"status": False,
"message": "Please verify the connection to the MISP instance"}
else:
return {"status": False,
"message": "Please provide a name for your instance"}
@staticmethod
def delete_instance(misp_id) -> dict:
"""
Delete a MISP instance by its id in the database.
:return: status of the operation in JSON
"""
if db.session.query(exists().where(MISPInst.id == misp_id)).scalar():
db.session.query(MISPInst).filter_by(id=misp_id).delete()
db.session.commit()
return {"status": True,
"message": "MISP instance deleted"}
else:
return {"status": False,
"message": "MISP instance not found"}
def get_instances(self) -> list:
"""
Get MISP instances from the database
:return: generator of the records.
"""
for misp in db.session.query(MISPInst).all():
misp = misp.__dict__
yield {"id": misp["id"],
"name": misp["name"],
"url": misp["url"],
"apikey": misp["apikey"],
"verifycert": True if misp["verifycert"] else False,
"connected": self.test_instance(misp["url"], misp["apikey"], misp["verifycert"]),
"lastsync": misp["last_sync"]}
@staticmethod
def test_instance(url, apikey, verify) -> bool:
"""
Test the connection of the MISP instance.
:return: generator of the records.
"""
try:
PyMISP(url, apikey, verify)
return True
except:
return False
@staticmethod
def update_sync(misp_id) -> bool:
"""
Update the last synchronization date by the actual date.
:return: bool, True if updated.
"""
try:
misp = MISPInst.query.get(int(misp_id))
misp.last_sync = int(time.time())
db.session.commit()
return True
except:
return False
@staticmethod
def get_iocs(misp_id) -> list:
"""
Get all IOCs from specific MISP instance
:return: generator containing the IOCs.
"""
misp = MISPInst.query.get(int(misp_id))
if misp is not None:
if misp.url and misp.apikey:
try:
# Connect to MISP instance and get network activity attributes.
m = PyMISP(misp.url, misp.apikey, misp.verifycert)
r = m.search("attributes", category="Network activity", date_from=int(misp.last_sync))
except:
print("Unable to connect to the MISP instance ({}/{}).".format(misp.url, misp.apikey))
return []
for attr in r["Attribute"]:
if attr["type"] in ["ip-dst", "domain", "snort", "x509-fingerprint-sha1"]:
ioc = {"value": attr["value"],
"type": None,
"tag": "suspect",
"tlp": "white"}
# Deduce the IOC type.
if re.match(defs["iocs_types"][0]["regex"], attr["value"]):
ioc["type"] = "ip4addr"
elif re.match(defs["iocs_types"][1]["regex"], attr["value"]):
ioc["type"] = "ip6addr"
elif re.match(defs["iocs_types"][2]["regex"], attr["value"]):
ioc["type"] = "cidr"
elif re.match(defs["iocs_types"][3]["regex"], attr["value"]):
ioc["type"] = "domain"
elif re.match(defs["iocs_types"][4]["regex"], attr["value"]):
ioc["type"] = "sha1cert"
elif "alert " in attr["value"][0:6]:
ioc["type"] = "snort"
else:
continue
if "Tag" in attr:
for tag in attr["Tag"]:
# Add a TLP to the IOC if defined in tags.
tlp = re.search(r"^(?:tlp:)(red|green|amber|white)", tag['name'].lower())
if tlp: ioc["tlp"] = tlp.group(1)
# Add possible tag (need to match SpyGuard tags)
if tag["name"].lower() in [t["tag"] for t in defs["iocs_tags"]]:
ioc["tag"] = tag["name"].lower()
yield ioc

73
server/backend/app/classes/update.py Executable file
View File

@ -0,0 +1,73 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from app.utils import read_config
import subprocess as sp
import requests
import json
import os
class Update(object):
def __init__(self):
self.project_url = read_config(("project", "tags_url"))
self.app_path = read_config(("project", "path"))
return None
def check_version(self) -> dict:
""" Check if a new version of SpyGuard is available
by quering the Github api and comparing the last
tag inside the VERSION file.
Returns:
dict: dict containing the available versions.
"""
try:
res = requests.get(self.project_url)
res = json.loads(res.content.decode("utf8"))
with open(os.path.join(self.app_path, "VERSION")) as f:
cv = f.read()
if cv != res[0]["name"]:
return {"status": True,
"message": "A new version is available",
"current_version": cv,
"next_version": res[0]["name"]}
else:
return {"status": True,
"message": "This is the latest version",
"current_version": cv}
except:
return {"status": False,
"message": "Something went wrong (no API access nor version file)"}
def get_current_version(self) -> dict:
""" Get the current version of the Spyguard instance
Returns:
dict: current version or error.
"""
try:
with open(os.path.join(self.app_path, "VERSION")) as f:
return {"status": True,
"current_version": f.read()}
except:
return {"status": False,
"message": "Something went wrong - no version file ?"}
def update_instance(self) -> dict:
"""Launching update.sh to update SpyGuard
Returns:
dict: result of the operation
"""
try:
os.chdir(self.app_path)
sp.Popen(["bash", os.path.join(self.app_path, "update.sh")])
return {"status": True,
"message": "Update successfully launched"}
except:
return {"status": False,
"message": "Issue during the update"}

112
server/backend/app/classes/watchers.py Executable file
View File

@ -0,0 +1,112 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import os
import sys
from typing import Iterator
import requests
import yaml
from flask import escape
from sqlalchemy.sql import exists
class Watcher(object):
def __init__(self):
self.dir = "/".join(sys.path[0].split("/")[:-2])
self.watchers = [w for w in self.get_watchers()]
return None
def add_instance(self, instance) -> dict:
"""Add a watcher instance.
Args:
instance (dict): Instance to add.
Returns:
dict: operation status.
"""
w = { "name" : instance["name"],
"url" : instance["url"],
"type" : instance["type"] }
if w["url"] not in [w["url"] for w in self.watchers]:
self.watchers.append(w)
if self.update_watchers():
return {"status": True,
"message": "Watcher added"}
else:
return {"status": False,
"message": "This watcher already exists"}
def delete_instance(self, watcher_id) -> dict:
"""Delete a watcher defined by its id
Args:
watcher_id (str): watcher id.
Returns:
dict: operation status.
"""
self.watchers.pop(int(watcher_id))
if self.update_watchers():
return {"status": True,
"message": "Watcher deleted"}
else:
return {"status": False,
"message": "Watcher not found"}
def update_watchers(self):
"""Update the watchers files.
Returns:
bool: True if successful
"""
try:
dir = "/".join(sys.path[0].split("/")[:-2])
watchers = yaml.load(open(os.path.join(dir, "watchers.yaml"), "r"), Loader=yaml.SafeLoader)
with open(os.path.join(dir, "watchers.yaml"), "w") as yaml_file:
yaml_file.write(yaml.dump({ "watchers" : self.watchers }, default_flow_style=False))
return True
except:
return False
def get_watchers(self) -> Iterator[list]:
"""Get the watcher instances from the yaml
watchers file
Yields:
Iterator[list]: watchers list
"""
dir = "/".join(sys.path[0].split("/")[:-2])
watchers = yaml.load(open(os.path.join(dir, "watchers.yaml"), "r"), Loader=yaml.SafeLoader)
for watcher in watchers["watchers"]:
yield watcher
def get_instances(self) -> Iterator[list]:
"""Get the watcher instances from the yaml
watchers file
Yields:
Iterator[list]: watchers list
"""
for id, watcher in enumerate(self.get_watchers()):
watcher["id"] = id
watcher["status"] = self.get_watcher_status(watcher["url"])
yield watcher
def get_watcher_status(self, url):
"""Get the status of a watcher by controling
its HTTP status code.
Args:
url (string): The watcher URL
Returns:
bool: True if OK.
"""
res = requests.get(url, verify=False)
if res.status_code == 200:
return True

117
server/backend/app/classes/whitelist.py Executable file
View File

@ -0,0 +1,117 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from app import db
from app.db.models import Whitelist
from sqlalchemy.sql import exists
from app.definitions import definitions
from flask import escape
import re
import time
class WhiteList(object):
def __init__(self):
return None
@staticmethod
def add(elem_type, elem_value, source):
"""
Parse and add an element to be whitelisted.
:return: status of the operation in a dict
"""
elem_value = elem_value.lower()
elem_valid = False
if db.session.query(exists().where(Whitelist.element == elem_value)).scalar():
return {"status": False,
"message": "Element already whitelisted",
"element": escape(elem_value)}
elif elem_type == "unknown":
for t in definitions["whitelist_types"]:
if t["regex"] and t["auto"]:
if re.match(t["regex"], elem_value):
elem_type = t["type"]
elem_valid = True
break
elif elem_type in [t["type"] for t in definitions["whitelist_types"]]:
for t in definitions["whitelist_types"]:
if t["type"] == elem_type and t["regex"]:
if re.match(t["regex"], elem_value):
elem_valid = True
break
if elem_valid:
added_on = int(time.time())
db.session.add(Whitelist(elem_value, elem_type, source, added_on))
db.session.commit()
return {"status": True,
"message": "Element whitelisted",
"element": escape(elem_value)}
else:
return {"status": False,
"message": "Wrong element format",
"element": escape(elem_value)}
@staticmethod
def delete(elem_id):
"""
Delete an element by its id in the database.
:return: status of the operation in a dict
"""
if db.session.query(exists().where(Whitelist.id == elem_id)).scalar():
db.session.query(Whitelist).filter_by(id=elem_id).delete()
db.session.commit()
return {"status": True,
"message": "Element deleted"}
else:
return {"status": False,
"message": "Element not found"}
@staticmethod
def delete_by_value(elem_value):
"""
Delete an element by its value in the database.
:return: status of the operation in a dict
"""
if db.session.query(exists().where(Whitelist.element == elem_value)).scalar():
db.session.query(Whitelist).filter_by(element=elem_value).delete()
db.session.commit()
return {"status": True,
"message": "Element deleted"}
else:
return {"status": False,
"message": "Element not found"}
@staticmethod
def search(element):
"""
Search elements in the database.
:return: generator containing elements.
"""
elems = db.session.query(Whitelist).filter(
Whitelist.element.like(element.replace("*", "%"))).all()
for elem in elems:
elem = elem.__dict__
yield {"id": elem["id"],
"type": elem["type"],
"element": elem["element"]}
@staticmethod
def get_types():
"""
Get types of whitelisted elements.
:return: generator containing types.
"""
for t in definitions["whitelist_types"]:
yield {"type": t["type"], "name": t["name"]}
@staticmethod
def get_all():
"""
Retrieve all whitelisted elements.
:return: generator containing elements.
"""
for elem in db.session.query(Whitelist).all():
elem = elem.__dict__
yield {"type": elem["type"],
"element": elem["element"]}

18
server/backend/app/db/__init__.py Executable file
View File

@ -0,0 +1,18 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from sqlalchemy import create_engine, MetaData, Table
from sqlalchemy.orm import scoped_session, mapper
from sqlalchemy.orm.session import sessionmaker
import sys
parent = "/".join(sys.path[0].split("/")[:-2])
engine = create_engine(
'sqlite:////{}/database.sqlite3'.format(parent), convert_unicode=True)
metadata = MetaData(bind=engine)
session = scoped_session(sessionmaker(
autocommit=False, autoflush=False, bind=engine))
class Model(object):
query = session.query_property()

34
server/backend/app/db/models.py Executable file
View File

@ -0,0 +1,34 @@
from app import db
class Ioc(db.Model):
def __init__(self, value, type, tlp, tag, source, added_on):
self.value = value
self.type = type
self.tlp = tlp
self.tag = tag
self.source = source
self.added_on = added_on
class Whitelist(db.Model):
def __init__(self, element, type, source, added_on):
self.element = element
self.type = type
self.source = source
self.added_on = added_on
class MISPInst(db.Model):
def __init__(self, name, url, key, ssl, added_on, last_sync):
self.name = name
self.url = url
self.apikey = key
self.verifycert = ssl
self.added_on = added_on
self.last_sync = last_sync
db.mapper(Whitelist, db.Table('whitelist', db.metadata, autoload=True))
db.mapper(Ioc, db.Table('iocs', db.metadata, autoload=True))
db.mapper(MISPInst, db.Table('misp', db.metadata, autoload=True))

65
server/backend/app/decorators.py Executable file
View File

@ -0,0 +1,65 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from flask import request, jsonify
from flask import current_app as app
from flask_httpauth import HTTPBasicAuth
from werkzeug.security import generate_password_hash, check_password_hash
from functools import wraps
from app.utils import read_config
import jwt
import hashlib
auth = HTTPBasicAuth()
@auth.verify_password
def check_creds(user, password):
"""
Check the credentials
:return: :bool: if the authentication succeed.
"""
if user == read_config(("backend", "login")) and check_password(password):
return True
def check_password(password):
"""
Password hashes comparison (submitted and the config one)
:return: True if there is a match between the two hases
"""
if read_config(("backend", "password")) == hashlib.sha256(password.encode()).hexdigest():
return True
def require_header_token(f):
"""
Check the JWT token validity in POST requests.
:return: decorated method
"""
@wraps(f)
def decorated(*args, **kwargs):
try:
token = request.headers['X-Token']
jwt.decode(token, app.config["SECRET_KEY"], "HS256")
return f(*args, **kwargs)
except:
return jsonify({"message": "JWT verification failed"})
return decorated
def require_get_token(f):
"""
Check the JWT token validity in GET requests.
:return: decorated method
"""
@wraps(f)
def decorated(*args, **kwargs):
try:
token = request.args.get("token")
jwt.decode(token, app.config["SECRET_KEY"], "HS256")
return f(*args, **kwargs)
except:
return jsonify({"message": "JWT verification failed"})
return decorated

125
server/backend/app/definitions.py Executable file
View File

@ -0,0 +1,125 @@
definitions = {
"iocs_types" : [
{
"type" : "ip4addr",
"regex" : r"^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$",
"name" : "IPv4 Address",
"auto" : True
},
{
"type" : "ip6addr",
"regex" : r"^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$",
"name" : "IPv6 Address",
"auto" : True
},
{
"type" : "cidr",
"regex" : r"^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$",
"name" : "Network range",
"auto" : True
},
{
"type" : "domain",
"regex" : r"^((?=[a-z0-9-]{1,63}\.)(xn--)?[a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,63}$",
"name" : "Domain name",
"auto" : True
},
{
"type" : "sha1cert",
"regex" : r"^[0-9a-f]{40}$",
"name" : "Certificate SHA1",
"auto" : True
},
{
"type" : "jarm",
"regex" : r"^[0-9a-f]{62}$",
"name" : "Jarm hash",
"auto" : True
},
{
"type" : "snort",
"regex" : False,
"name" : "Snort rule",
"auto" : False
},
{
"type" : "ns",
"regex" : r"^((?=[a-z0-9-]{1,63}\.)(xn--)?[a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,63}$",
"name" : "Name Server",
"auto" : False
},
{
"type" : "freedns",
"regex" : r"^((?=[a-z0-9-]{1,63}\.)(xn--)?[a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,63}$",
"name" : "Free DNS",
"auto" : False
},
{
"type" : "tld",
"regex" : r"^\.[a-z]{2,63}$",
"name" : "Suspect TLD",
"auto" : False
}
],
"iocs_tags" : [
{
"tag" : "apt",
"name" : "APT"
},
{
"tag" : "stalkerware",
"name" : "Stalkerware"
},
{
"tag" : "suspect",
"name" : "Suspect"
},
{
"tag" : "malicious",
"name" : "Malicious"
},
{
"tag" : "spyware",
"name" : "Spyware"
},
{
"tag" : "cybercrime",
"name" : "Cybercrime"
},
{
"tag" : "doh",
"name" : "DNS over HTTPs"
},
{
"tag" : "dual",
"name" : "Dual use"
}
],
"whitelist_types" : [
{
"type" : "ip4addr",
"regex" : r"^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$",
"name" : "IPv4 Address",
"auto" : True
},
{
"type" : "ip6addr",
"regex" : r"^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$",
"name" : "IPv6 Address",
"auto" : True
},
{
"type" : "cidr",
"regex" : r"^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$",
"name" : "Network range",
"auto" : True
},
{
"type" : "domain",
"regex" : r"^((?=[a-z0-9-]{1,63}\.)(xn--)?[a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,63}$",
"name" : "Domain name",
"auto" : True
}
]
}

70
server/backend/app/utils.py Executable file
View File

@ -0,0 +1,70 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import hashlib
import yaml
import os
from functools import reduce
def read_config(path):
"""
Read a value from the configuration
:return: value (it can be any type)
"""
config = yaml.load(open("/usr/share/spyguard/config.yaml", "r"), Loader=yaml.SafeLoader)
return reduce(dict.get, path, config)
def write_config(cat, key, value):
"""
Write a new value in the configuration
:return: bool, operation status
"""
try:
config = yaml.load(open("/usr/share/spyguard/config.yaml", "r"), Loader=yaml.SafeLoader)
config[cat][key] = value
with open(os.path.join(dir, "config.yaml"), "w") as yaml_file:
yaml_file.write(yaml.dump(config, default_flow_style=False))
return True
except:
return False
def get_watchers(watcher_type):
"""
Read a value from the configuration
:return: value (it can be any type)
"""
watchers = yaml.load(open("/usr/share/spyguard/watchers.yaml", "r"), Loader=yaml.SafeLoader)
for watcher in watchers["watchers"]:
if watcher_type == watcher["type"]:
yield watcher
def get_device_uuid() -> str:
"""Get the device UUID
Returns:
str: device uuid
"""
uuid_not_found = False
try:
with open("/sys/class/dmi/id/product_uuid", "r") as uuid:
return uuid.read()
except:
uuid_not_found = True
try:
with open("/proc/cpuinfo") as f:
for line in f.readlines():
if line.startswith("Serial"):
serial = line.split(":")[1].strip().encode('utf8')
hash = hashlib.md5(serial).hexdigest()
return f"{hash[0:8]}-{hash[8:12]}-{hash[12:16]}-{hash[16:20]}-{hash[20:]}"
except:
uuid_not_found = True
if uuid_not_found:
return "00000000-0000-0000-0000-000000000000"

68
server/backend/main.py Executable file
View File

@ -0,0 +1,68 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from flask import Flask, render_template, send_from_directory, jsonify, redirect
from app.decorators import auth
from app.blueprints.ioc import ioc_bp
from app.blueprints.whitelist import whitelist_bp
from app.blueprints.config import config_bp
from app.blueprints.misp import misp_bp
from app.blueprints.watchers import watchers_bp
from app.blueprints.update import update_bp
import datetime
import secrets
import jwt
from app.utils import read_config
from sys import path
app = Flask(__name__, template_folder="../../app/backend/dist")
app.config["SECRET_KEY"] = secrets.token_bytes(32)
@app.route("/", methods=["GET"])
@auth.login_required
def main():
"""
Return the index.html generated by Vue
"""
return render_template("index.html")
@app.route("/api/get-token", methods=["GET"])
@auth.login_required
def get_token():
"""
Return the JWT token for API requests.
"""
token = jwt.encode({"exp": datetime.datetime.now() + datetime.timedelta(hours=24)}, app.config["SECRET_KEY"])
return jsonify({ "token": token.decode("utf8") if type(token) == bytes else token })
@app.route("/<p>/<path:path>", methods=["GET"])
@auth.login_required
def get_file(p, path):
"""
Return the backend assets (css, js files, fonts etc.)
"""
rp = "../../app/backend/dist/{}".format(p)
return send_from_directory(rp, path) if p in ["css", "fonts", "js", "img"] else redirect("/")
@app.errorhandler(404)
def page_not_found(e):
return redirect("/")
# API Blueprints.
app.register_blueprint(ioc_bp, url_prefix='/api/ioc')
app.register_blueprint(whitelist_bp, url_prefix='/api/whitelist')
app.register_blueprint(config_bp, url_prefix='/api/config')
app.register_blueprint(misp_bp, url_prefix='/api/misp')
app.register_blueprint(watchers_bp, url_prefix='/api/watchers')
app.register_blueprint(update_bp, url_prefix='/api/update')
if __name__ == '__main__':
ssl_cert = "{}/{}".format(path[0], 'cert.pem')
ssl_key = "{}/{}".format(path[0], 'key.pem')
if read_config(("backend", "remote_access")):
app.run(host="0.0.0.0", port=8443, ssl_context=(ssl_cert, ssl_key))
else:
app.run(port=8443)

146
server/backend/watchers.py Executable file
View File

@ -0,0 +1,146 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from app.utils import get_watchers
from app.classes.iocs import IOCs
from app.classes.whitelist import WhiteList
from app.classes.misp import MISP
import requests
import json
import urllib3
import time
from multiprocessing import Process
"""
This file is parsing the watchers present
in the configuration file. This in order to get
automatically new iocs / elements from remote
sources without user interaction.
"""
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def watch_iocs():
"""
Retrieve IOCs from the remote URLs defined in config/watchers.
For each IOC, add it to the DB.
"""
watchers = [{"url": w["url"], "status": False} for w in get_watchers("iocs")]
while True:
for w in watchers:
if w["status"] == False:
iocs = IOCs()
iocs_list = []
to_delete = []
try:
res = requests.get(w["url"], verify=False)
if res.status_code == 200:
content = json.loads(res.content)
iocs_list = content["iocs"] if "iocs" in content else []
to_delete = content["to_delete"] if "to_delete" in content else []
else:
w["status"] = False
except:
w["status"] = False
for ioc in iocs_list:
try:
iocs.add(ioc["type"], ioc["tag"],
ioc["tlp"], ioc["value"], "watcher")
w["status"] = True
except:
continue
for ioc in to_delete:
try:
iocs.delete_by_value(ioc["value"])
w["status"] = True
except:
continue
# If at least one URL haven't be parsed, let's retry in 1min.
if False in [w["status"] for w in watchers]:
time.sleep(60)
else:
break
def watch_whitelists():
"""
Retrieve whitelist elements from the remote URLs
defined in config/watchers. For each (new ?) element,
add it to the DB.
"""
watchers = [{"url": w["url"], "status": False} for w in get_watchers("whitelist")]
while True:
for w in watchers:
if w["status"] == False:
whitelist = WhiteList()
elements = []
to_delete = []
try:
res = requests.get(w["url"], verify=False)
if res.status_code == 200:
content = json.loads(res.content)
elements = content["elements"] if "elements" in content else []
to_delete = content["to_delete"] if "to_delete" in content else []
else:
w["status"] = False
except:
w["status"] = False
for elem in elements:
try:
whitelist.add(elem["type"], elem["element"], "watcher")
w["status"] = True
except:
continue
for elem in to_delete:
try:
whitelist.delete_by_value(elem["element"])
w["status"] = True
except:
continue
if False in [w["status"] for w in watchers]:
time.sleep(60)
else:
break
def watch_misp():
"""
Retrieve IOCs from misp instances. Each new element is
tested and then added to the database.
"""
iocs, misp = IOCs(), MISP()
instances = [i for i in misp.get_instances()]
while instances:
for i, ist in enumerate(instances):
status = misp.test_instance(ist["url"],
ist["apikey"],
ist["verifycert"])
if status:
for ioc in misp.get_iocs(ist["id"]):
iocs.add(ioc["type"], ioc["tag"], ioc["tlp"],
ioc["value"], "misp-{}".format(ist["id"]))
misp.update_sync(ist["id"])
instances.pop(i)
if instances: time.sleep(60)
p1 = Process(target=watch_iocs)
p2 = Process(target=watch_whitelists)
p3 = Process(target=watch_misp)
p1.start()
p2.start()
p3.start()