mirror of https://github.com/CIRCL/AIL-framework
239 lines
7.0 KiB
Python
Executable File
239 lines
7.0 KiB
Python
Executable File
#!/usr/bin/env python3
|
|
# -*-coding:UTF-8 -*
|
|
|
|
"""
|
|
module
|
|
====================
|
|
|
|
This module send tagged pastes to MISP or THE HIVE Project
|
|
|
|
"""
|
|
|
|
import redis
|
|
import sys
|
|
import os
|
|
import time
|
|
import json
|
|
import configparser
|
|
|
|
from pubsublogger import publisher
|
|
from Helper import Process
|
|
from packages import Paste
|
|
import ailleakObject
|
|
|
|
import uuid
|
|
|
|
from pymisp import PyMISP
|
|
|
|
sys.path.append('../configs/keys')
|
|
|
|
# import MISP KEYS
|
|
try:
|
|
from mispKEYS import misp_url, misp_key, misp_verifycert
|
|
flag_misp = True
|
|
except:
|
|
print('Misp keys not present')
|
|
flag_misp = False
|
|
|
|
# import The Hive Keys
|
|
try:
|
|
from theHiveKEYS import the_hive_url, the_hive_key, the_hive_verifycert
|
|
if the_hive_url == '':
|
|
flag_the_hive = False
|
|
else:
|
|
flag_the_hive = True
|
|
except:
|
|
print('The HIVE keys not present')
|
|
flag_the_hive = False
|
|
HiveApi = False
|
|
|
|
from thehive4py.api import TheHiveApi
|
|
import thehive4py.exceptions
|
|
from thehive4py.models import Alert, AlertArtifact
|
|
from thehive4py.models import Case, CaseTask, CustomFieldHelper
|
|
|
|
|
|
|
|
def create_the_hive_alert(source, path, tag):
|
|
tags = list(r_serv_metadata.smembers('tag:'+path))
|
|
|
|
artifacts = [
|
|
AlertArtifact( dataType='uuid-ail', data=r_serv_db.get('ail:uuid') ),
|
|
AlertArtifact( dataType='file', data=path, tags=tags )
|
|
]
|
|
|
|
l_tags = tag.split(',')
|
|
|
|
# Prepare the sample Alert
|
|
sourceRef = str(uuid.uuid4())[0:6]
|
|
alert = Alert(title='AIL Leak',
|
|
tlp=3,
|
|
tags=l_tags,
|
|
description='infoleak',
|
|
type='ail',
|
|
source=source,
|
|
sourceRef=sourceRef,
|
|
artifacts=artifacts)
|
|
|
|
# Create the Alert
|
|
id = None
|
|
try:
|
|
response = HiveApi.create_alert(alert)
|
|
if response.status_code == 201:
|
|
#print(json.dumps(response.json(), indent=4, sort_keys=True))
|
|
print('Alert Created')
|
|
print('')
|
|
id = response.json()['id']
|
|
else:
|
|
print('ko: {}/{}'.format(response.status_code, response.text))
|
|
return 0
|
|
except:
|
|
print('hive connection error')
|
|
|
|
def feeder(message, count=0):
|
|
|
|
if flag_the_hive or flag_misp:
|
|
tag, path = message.split(';')
|
|
## FIXME: remove it
|
|
if PASTES_FOLDER not in path:
|
|
path = os.path.join(PASTES_FOLDER, path)
|
|
try:
|
|
paste = Paste.Paste(path)
|
|
except FileNotFoundError:
|
|
if count < 10:
|
|
r_serv_db.zincrby('mess_not_saved_export', message, 1)
|
|
return 0
|
|
else:
|
|
r_serv_db.zrem('mess_not_saved_export', message)
|
|
print('Error: {} do not exist, tag= {}'.format(path, tag))
|
|
return 0
|
|
|
|
source = '/'.join(paste.p_path.split('/')[-6:])
|
|
|
|
if HiveApi != False:
|
|
if int(r_serv_db.get('hive:auto-alerts')) == 1:
|
|
whitelist_hive = r_serv_db.scard('whitelist_hive')
|
|
if r_serv_db.sismember('whitelist_hive', tag):
|
|
create_the_hive_alert(source, path, tag)
|
|
else:
|
|
print('hive, auto alerts creation disable')
|
|
if flag_misp:
|
|
if int(r_serv_db.get('misp:auto-events')) == 1:
|
|
if r_serv_db.sismember('whitelist_misp', tag):
|
|
misp_wrapper.pushToMISP(uuid_ail, path, tag)
|
|
else:
|
|
print('misp, auto events creation disable')
|
|
|
|
|
|
if __name__ == "__main__":
|
|
|
|
publisher.port = 6380
|
|
publisher.channel = "Script"
|
|
|
|
config_section = 'MISP_The_hive_feeder'
|
|
|
|
configfile = os.path.join(os.environ['AIL_BIN'], 'packages/config.cfg')
|
|
if not os.path.exists(configfile):
|
|
raise Exception('Unable to find the configuration file. \
|
|
Did you set environment variables? \
|
|
Or activate the virtualenv.')
|
|
|
|
cfg = configparser.ConfigParser()
|
|
cfg.read(configfile)
|
|
|
|
r_serv_db = redis.StrictRedis(
|
|
host=cfg.get("ARDB_DB", "host"),
|
|
port=cfg.getint("ARDB_DB", "port"),
|
|
db=cfg.getint("ARDB_DB", "db"),
|
|
decode_responses=True)
|
|
|
|
r_serv_metadata = redis.StrictRedis(
|
|
host=cfg.get("ARDB_Metadata", "host"),
|
|
port=cfg.getint("ARDB_Metadata", "port"),
|
|
db=cfg.getint("ARDB_Metadata", "db"),
|
|
decode_responses=True)
|
|
|
|
# set sensor uuid
|
|
uuid_ail = r_serv_db.get('ail:uuid')
|
|
if uuid_ail is None:
|
|
uuid_ail = r_serv_db.set('ail:uuid', uuid.uuid4() )
|
|
|
|
# set default
|
|
if r_serv_db.get('hive:auto-alerts') is None:
|
|
r_serv_db.set('hive:auto-alerts', 0)
|
|
|
|
if r_serv_db.get('misp:auto-events') is None:
|
|
r_serv_db.set('misp:auto-events', 0)
|
|
|
|
p = Process(config_section)
|
|
# create MISP connection
|
|
if flag_misp:
|
|
try:
|
|
pymisp = PyMISP(misp_url, misp_key, misp_verifycert)
|
|
except:
|
|
flag_misp = False
|
|
r_serv_db.set('ail:misp', False)
|
|
print('Not connected to MISP')
|
|
|
|
if flag_misp:
|
|
try:
|
|
misp_wrapper = ailleakObject.ObjectWrapper(pymisp)
|
|
r_serv_db.set('ail:misp', True)
|
|
print('Connected to MISP:', misp_url)
|
|
except e:
|
|
flag_misp = False
|
|
r_serv_db.set('ail:misp', False)
|
|
print(e)
|
|
print('Not connected to MISP')
|
|
|
|
# create The HIVE connection
|
|
if flag_the_hive:
|
|
try:
|
|
HiveApi = TheHiveApi(the_hive_url, the_hive_key, cert = the_hive_verifycert)
|
|
except:
|
|
HiveApi = False
|
|
flag_the_hive = False
|
|
r_serv_db.set('ail:thehive', False)
|
|
print('Not connected to The HIVE')
|
|
else:
|
|
HiveApi = False
|
|
|
|
if HiveApi != False and flag_the_hive:
|
|
try:
|
|
HiveApi.get_alert(0)
|
|
r_serv_db.set('ail:thehive', True)
|
|
print('Connected to The HIVE:', the_hive_url)
|
|
except thehive4py.exceptions.AlertException:
|
|
HiveApi = False
|
|
flag_the_hive = False
|
|
r_serv_db.set('ail:thehive', False)
|
|
print('Not connected to The HIVE')
|
|
|
|
refresh_time = 3
|
|
## FIXME: remove it
|
|
PASTES_FOLDER = os.path.join(os.environ['AIL_HOME'], cfg.get("Directories", "pastes"))
|
|
time_1 = time.time()
|
|
|
|
while True:
|
|
|
|
# Get one message from the input queue
|
|
message = p.get_from_set()
|
|
if message is None:
|
|
|
|
# handle not saved pastes
|
|
if int(time.time() - time_1) > refresh_time:
|
|
|
|
num_queu = r_serv_db.zcard('mess_not_saved_export')
|
|
list_queu = r_serv_db.zrange('mess_not_saved_export', 0, -1, withscores=True)
|
|
|
|
if num_queu and list_queu:
|
|
for i in range(0, num_queu):
|
|
feeder(list_queu[i][0],list_queu[i][1])
|
|
|
|
time_1 = time.time()
|
|
else:
|
|
publisher.debug("{} queue is empty, waiting 1s".format(config_section))
|
|
time.sleep(1)
|
|
else:
|
|
feeder(message)
|