misp-dashboard/zmq_subscriber.py

#!/usr/bin/env python3.5

import time, datetime
import zmq
import redis
import random
import configparser
import os
import sys
import json
import geoip2.database

configfile = os.path.join(os.environ['VIRTUAL_ENV'], '../config.cfg')
cfg = configparser.ConfigParser()
cfg.read(configfile)

zmq_url = cfg.get('RedisLog', 'zmq_url')
zmq_url = "tcp://192.168.56.50:50000"
zmq_url = "tcp://localhost:9990"
channel = cfg.get('RedisLog', 'channel')
context = zmq.Context()
socket = context.socket(zmq.SUB)
socket.connect(zmq_url)
socket.setsockopt_string(zmq.SUBSCRIBE, '')

redis_server = redis.StrictRedis(
        host=cfg.get('RedisLog', 'host'),
        port=cfg.getint('RedisLog', 'port'),
        db=cfg.getint('RedisLog', 'db'))
serv_coord = redis.StrictRedis(
        host='localhost',
        port=6250,
        db=1) 
path_to_db = "/home/sami/Downloads/GeoLite2-City_20171003/GeoLite2-City.mmdb"
reader = geoip2.database.Reader(path_to_db)

channel_proc = "CoordToProcess"
channel_disp = "PicToDisplay"


def publish_coord(coord):
    pass

def get_ip(data):
    pass

def ip_to_coord(ip):
    resp = reader.city(ip)
    lat = float(resp.location.latitude)
    lon = float(resp.location.longitude)
    # 0.0001 correspond to ~10m
    # Cast the float so that it has the correct float format
    lat_corrected = float("{:.4f}".format(lat))
    lon_corrected = float("{:.4f}".format(lon))
    return { 'coord': {'lat': lat_corrected, 'lon': lon_corrected}, 'full_rep': resp }

def default_log(jsonevent):
    print('sending', 'log')
    return
    #redis_server.publish(channel, json.dumps(jsonevent))

def default_keepalive(jsonevent):
    print('sending', 'keepalive')
    to_push = [ jsonevent['uptime'] ]
    to_send = { 'name': 'Keepalive', 'log': json.dumps(to_push) }
    redis_server.publish(channel, json.dumps(to_send))

def default_event(jsonevent):
    print('sending', 'event')
    #fields: threat_level_id, id, info
    jsonevent = jsonevent['Event']
    to_push = []
    for field in json.loads(cfg.get('Log', 'fieldname_order'))[1:]:
        to_push.append(jsonevent[field])

    to_send = { 'name': 'Event', 'log': json.dumps(to_push) }
    redis_server.publish(channel, json.dumps(to_send))

def default_attribute(jsonattr):
    print('sending', 'attribute')
    jsonattr = jsonattr['Attribute']
    to_push = []
    for field in json.loads(cfg.get('Log', 'fieldname_order')):
        to_push.append(jsonattr[field])

    #try to get coord
    if jsonattr['category'] == "Network activity":
        handleCoord(jsonattr['value'], jsonattr['category'])

    to_send = { 'name': 'Attribute', 'log': json.dumps(to_push) }
    redis_server.publish(channel, json.dumps(to_send))

def handleCoord(supposed_ip, categ):
    try:
        rep = ip_to_coord(supposed_ip)
        coord = rep['coord']
        coord_dic = {'lat': coord['lat'], 'lon': coord['lon']}
        coord_list = [coord['lat'], coord['lon']]
        print(coord_list)
        now = datetime.datetime.now()
        today_str = str(now.year)+str(now.month)+str(now.day)
        keyname = 'GEO_' + today_str
        serv_coord.zincrby(keyname, coord_list)
        to_send = {
                "coord": coord,
                "categ": categ,
                "value": supposed_ip,
                "country": rep['full_rep'].country.name,
                "specifName": rep['full_rep'].subdivisions.most_specific.name,
                "cityName": rep['full_rep'].city.name,
                }
        serv_coord.publish(channel_disp, json.dumps(to_send))
    except ValueError:
        print("can't resolve ip")

def process_log(event):
    event = event.decode('utf8')
    topic, eventdata = event.split(' ', maxsplit=1)
    jsonevent = json.loads(eventdata)
    dico_action[topic](jsonevent)


def main():
    while True:
        content = socket.recv()
        content.replace(b'\n', b'') # remove \n...
        process_log(content)


dico_action = {
        "misp_json":                default_event,
        "misp_json_self":           default_keepalive,
        "misp_json_attribute":      default_attribute,
        "misp_json_sighting":       default_log,
        "misp_json_organisation":   default_log,
        "misp_json_user":           default_log,
        "misp_json_conversation":   default_log
        }


if __name__ == "__main__":
    main()
    reader.close()
Display the number of log message in a dynamic chart + started support of multiple feeds 2017-08-24 16:02:28 +02:00			`#!/usr/bin/env python3.5`

Added zrank for coord 2017-10-20 16:55:07 +02:00			`import time, datetime`
Display the number of log message in a dynamic chart + started support of multiple feeds 2017-08-24 16:02:28 +02:00			`import zmq`
			`import redis`
			`import random`
Support of unknown number of feeders + display log messages 2017-09-11 14:53:06 +02:00			`import configparser`
			`import os`
			`import sys`
			`import json`
Started support of MISP ZMQ 2017-10-13 15:03:09 +02:00			`import geoip2.database`
Display the number of log message in a dynamic chart + started support of multiple feeds 2017-08-24 16:02:28 +02:00
Support of unknown number of feeders + display log messages 2017-09-11 14:53:06 +02:00			`configfile = os.path.join(os.environ['VIRTUAL_ENV'], '../config.cfg')`
			`cfg = configparser.ConfigParser()`
			`cfg.read(configfile)`

Added openstreetmap maps from coord 2017-10-11 10:47:11 +02:00			`zmq_url = cfg.get('RedisLog', 'zmq_url')`
Started support of MISP ZMQ 2017-10-13 15:03:09 +02:00			`zmq_url = "tcp://192.168.56.50:50000"`
			`zmq_url = "tcp://localhost:9990"`
Added openstreetmap maps from coord 2017-10-11 10:47:11 +02:00			`channel = cfg.get('RedisLog', 'channel')`
Display the number of log message in a dynamic chart + started support of multiple feeds 2017-08-24 16:02:28 +02:00			`context = zmq.Context()`
			`socket = context.socket(zmq.SUB)`
			`socket.connect(zmq_url)`
Started support of MISP ZMQ 2017-10-13 15:03:09 +02:00			`socket.setsockopt_string(zmq.SUBSCRIBE, '')`
Display the number of log message in a dynamic chart + started support of multiple feeds 2017-08-24 16:02:28 +02:00
			`redis_server = redis.StrictRedis(`
Added openstreetmap maps from coord 2017-10-11 10:47:11 +02:00			`host=cfg.get('RedisLog', 'host'),`
			`port=cfg.getint('RedisLog', 'port'),`
			`db=cfg.getint('RedisLog', 'db'))`
			`serv_coord = redis.StrictRedis(`
			`host='localhost',`
			`port=6250,`
			`db=1)`
Started support of MISP ZMQ 2017-10-13 15:03:09 +02:00			`path_to_db = "/home/sami/Downloads/GeoLite2-City_20171003/GeoLite2-City.mmdb"`
			`reader = geoip2.database.Reader(path_to_db)`
Added openstreetmap maps from coord 2017-10-11 10:47:11 +02:00
			`channel_proc = "CoordToProcess"`
			`channel_disp = "PicToDisplay"`
Display the number of log message in a dynamic chart + started support of multiple feeds 2017-08-24 16:02:28 +02:00

Started support of MISP ZMQ 2017-10-13 15:03:09 +02:00			`def publish_coord(coord):`
			`pass`

			`def get_ip(data):`
			`pass`

			`def ip_to_coord(ip):`
			`resp = reader.city(ip)`
Added zrank for coord 2017-10-20 16:55:07 +02:00			`lat = float(resp.location.latitude)`
			`lon = float(resp.location.longitude)`
			`# 0.0001 correspond to ~10m`
			`# Cast the float so that it has the correct float format`
			`lat_corrected = float("{:.4f}".format(lat))`
			`lon_corrected = float("{:.4f}".format(lon))`
Added city&country in marker + autoRotation on event 2017-10-23 14:38:47 +02:00			`return { 'coord': {'lat': lat_corrected, 'lon': lon_corrected}, 'full_rep': resp }`
Started support of MISP ZMQ 2017-10-13 15:03:09 +02:00
			`def default_log(jsonevent):`
			`print('sending', 'log')`
			`return`
			`#redis_server.publish(channel, json.dumps(jsonevent))`

			`def default_keepalive(jsonevent):`
			`print('sending', 'keepalive')`
			`to_push = [ jsonevent['uptime'] ]`
			`to_send = { 'name': 'Keepalive', 'log': json.dumps(to_push) }`
			`redis_server.publish(channel, json.dumps(to_send))`

			`def default_event(jsonevent):`
			`print('sending', 'event')`
Moved more to config 2017-10-23 15:44:16 +02:00			`#fields: threat_level_id, id, info`
Started support of MISP ZMQ 2017-10-13 15:03:09 +02:00			`jsonevent = jsonevent['Event']`
Moved more to config 2017-10-23 15:44:16 +02:00			`to_push = []`
			`for field in json.loads(cfg.get('Log', 'fieldname_order'))[1:]:`
			`to_push.append(jsonevent[field])`

Started support of MISP ZMQ 2017-10-13 15:03:09 +02:00			`to_send = { 'name': 'Event', 'log': json.dumps(to_push) }`
			`redis_server.publish(channel, json.dumps(to_send))`

Added zrank for coord 2017-10-20 16:55:07 +02:00			`def default_attribute(jsonattr):`
Started support of MISP ZMQ 2017-10-13 15:03:09 +02:00			`print('sending', 'attribute')`
Added zrank for coord 2017-10-20 16:55:07 +02:00			`jsonattr = jsonattr['Attribute']`
Moved more to config 2017-10-23 15:44:16 +02:00			`to_push = []`
Consider time as a default value in logs table 2017-10-23 15:47:34 +02:00			`for field in json.loads(cfg.get('Log', 'fieldname_order')):`
Moved more to config 2017-10-23 15:44:16 +02:00			`to_push.append(jsonattr[field])`
Started support of MISP ZMQ 2017-10-13 15:03:09 +02:00
			`#try to get coord`
Added zrank for coord 2017-10-20 16:55:07 +02:00			`if jsonattr['category'] == "Network activity":`
Manage map from classes + Added more event info in zmq feed 2017-10-23 12:01:48 +02:00			`handleCoord(jsonattr['value'], jsonattr['category'])`
Started support of MISP ZMQ 2017-10-13 15:03:09 +02:00
			`to_send = { 'name': 'Attribute', 'log': json.dumps(to_push) }`
Support of unknown number of feeders + display log messages 2017-09-11 14:53:06 +02:00			`redis_server.publish(channel, json.dumps(to_send))`

Manage map from classes + Added more event info in zmq feed 2017-10-23 12:01:48 +02:00			`def handleCoord(supposed_ip, categ):`
Added zrank for coord 2017-10-20 16:55:07 +02:00			`try:`
Added city&country in marker + autoRotation on event 2017-10-23 14:38:47 +02:00			`rep = ip_to_coord(supposed_ip)`
			`coord = rep['coord']`
Added zrank for coord 2017-10-20 16:55:07 +02:00			`coord_dic = {'lat': coord['lat'], 'lon': coord['lon']}`
			`coord_list = [coord['lat'], coord['lon']]`
			`print(coord_list)`
			`now = datetime.datetime.now()`
			`today_str = str(now.year)+str(now.month)+str(now.day)`
			`keyname = 'GEO_' + today_str`
Manage map from classes + Added more event info in zmq feed 2017-10-23 12:01:48 +02:00			`serv_coord.zincrby(keyname, coord_list)`
			`to_send = {`
			`"coord": coord,`
			`"categ": categ,`
Added city&country in marker + autoRotation on event 2017-10-23 14:38:47 +02:00			`"value": supposed_ip,`
			`"country": rep['full_rep'].country.name,`
			`"specifName": rep['full_rep'].subdivisions.most_specific.name,`
			`"cityName": rep['full_rep'].city.name,`
Manage map from classes + Added more event info in zmq feed 2017-10-23 12:01:48 +02:00			`}`
			`serv_coord.publish(channel_disp, json.dumps(to_send))`
Added zrank for coord 2017-10-20 16:55:07 +02:00			`except ValueError:`
			`print("can't resolve ip")`
Support of unknown number of feeders + display log messages 2017-09-11 14:53:06 +02:00
Started support of MISP ZMQ 2017-10-13 15:03:09 +02:00			`def process_log(event):`
			`event = event.decode('utf8')`
			`topic, eventdata = event.split(' ', maxsplit=1)`
			`jsonevent = json.loads(eventdata)`
			`dico_action[topic](jsonevent)`


			`def main():`
			`while True:`
			`content = socket.recv()`
			`content.replace(b'\n', b'') # remove \n...`
			`process_log(content)`


			`dico_action = {`
			`"misp_json": default_event,`
			`"misp_json_self": default_keepalive,`
			`"misp_json_attribute": default_attribute,`
			`"misp_json_sighting": default_log,`
			`"misp_json_organisation": default_log,`
			`"misp_json_user": default_log,`
			`"misp_json_conversation": default_log`
			`}`


			`if __name__ == "__main__":`
			`main()`
			`reader.close()`