2017-08-24 16:02:28 +02:00
|
|
|
#!/usr/bin/env python3.5
|
|
|
|
|
2017-10-20 16:55:07 +02:00
|
|
|
import time, datetime
|
2017-08-24 16:02:28 +02:00
|
|
|
import zmq
|
|
|
|
import redis
|
|
|
|
import random
|
2017-09-11 14:53:06 +02:00
|
|
|
import configparser
|
|
|
|
import os
|
|
|
|
import sys
|
|
|
|
import json
|
2017-10-13 15:03:09 +02:00
|
|
|
import geoip2.database
|
2017-08-24 16:02:28 +02:00
|
|
|
|
2017-09-11 14:53:06 +02:00
|
|
|
configfile = os.path.join(os.environ['VIRTUAL_ENV'], '../config.cfg')
|
|
|
|
cfg = configparser.ConfigParser()
|
|
|
|
cfg.read(configfile)
|
|
|
|
|
2017-10-11 10:47:11 +02:00
|
|
|
zmq_url = cfg.get('RedisLog', 'zmq_url')
|
2017-10-13 15:03:09 +02:00
|
|
|
zmq_url = "tcp://192.168.56.50:50000"
|
|
|
|
zmq_url = "tcp://localhost:9990"
|
2017-10-11 10:47:11 +02:00
|
|
|
channel = cfg.get('RedisLog', 'channel')
|
2017-08-24 16:02:28 +02:00
|
|
|
context = zmq.Context()
|
|
|
|
socket = context.socket(zmq.SUB)
|
|
|
|
socket.connect(zmq_url)
|
2017-10-13 15:03:09 +02:00
|
|
|
socket.setsockopt_string(zmq.SUBSCRIBE, '')
|
2017-08-24 16:02:28 +02:00
|
|
|
|
|
|
|
redis_server = redis.StrictRedis(
|
2017-10-11 10:47:11 +02:00
|
|
|
host=cfg.get('RedisLog', 'host'),
|
|
|
|
port=cfg.getint('RedisLog', 'port'),
|
|
|
|
db=cfg.getint('RedisLog', 'db'))
|
|
|
|
serv_coord = redis.StrictRedis(
|
|
|
|
host='localhost',
|
|
|
|
port=6250,
|
|
|
|
db=1)
|
2017-10-13 15:03:09 +02:00
|
|
|
path_to_db = "/home/sami/Downloads/GeoLite2-City_20171003/GeoLite2-City.mmdb"
|
|
|
|
reader = geoip2.database.Reader(path_to_db)
|
2017-10-11 10:47:11 +02:00
|
|
|
|
|
|
|
channel_proc = "CoordToProcess"
|
|
|
|
channel_disp = "PicToDisplay"
|
2017-08-24 16:02:28 +02:00
|
|
|
|
|
|
|
|
2017-10-13 15:03:09 +02:00
|
|
|
def publish_coord(coord):
|
|
|
|
pass
|
|
|
|
|
|
|
|
def get_ip(data):
|
|
|
|
pass
|
|
|
|
|
|
|
|
def ip_to_coord(ip):
|
|
|
|
resp = reader.city(ip)
|
2017-10-20 16:55:07 +02:00
|
|
|
lat = float(resp.location.latitude)
|
|
|
|
lon = float(resp.location.longitude)
|
|
|
|
# 0.0001 correspond to ~10m
|
|
|
|
# Cast the float so that it has the correct float format
|
|
|
|
lat_corrected = float("{:.4f}".format(lat))
|
|
|
|
lon_corrected = float("{:.4f}".format(lon))
|
|
|
|
return {'lat': lat_corrected, 'lon': lon_corrected}
|
2017-10-13 15:03:09 +02:00
|
|
|
|
|
|
|
def default_log(jsonevent):
|
|
|
|
print('sending', 'log')
|
|
|
|
return
|
|
|
|
#redis_server.publish(channel, json.dumps(jsonevent))
|
|
|
|
|
|
|
|
def default_keepalive(jsonevent):
|
|
|
|
print('sending', 'keepalive')
|
|
|
|
to_push = [ jsonevent['uptime'] ]
|
|
|
|
to_send = { 'name': 'Keepalive', 'log': json.dumps(to_push) }
|
|
|
|
redis_server.publish(channel, json.dumps(to_send))
|
|
|
|
|
|
|
|
def default_event(jsonevent):
|
|
|
|
print('sending', 'event')
|
|
|
|
jsonevent = jsonevent['Event']
|
|
|
|
to_push = [
|
|
|
|
jsonevent['threat_level_id'],
|
|
|
|
jsonevent['id'],
|
|
|
|
jsonevent['info'],
|
|
|
|
]
|
|
|
|
to_send = { 'name': 'Event', 'log': json.dumps(to_push) }
|
|
|
|
redis_server.publish(channel, json.dumps(to_send))
|
|
|
|
|
2017-10-20 16:55:07 +02:00
|
|
|
def default_attribute(jsonattr):
|
2017-10-13 15:03:09 +02:00
|
|
|
print('sending', 'attribute')
|
2017-10-20 16:55:07 +02:00
|
|
|
jsonattr = jsonattr['Attribute']
|
2017-10-13 15:03:09 +02:00
|
|
|
to_push = [
|
2017-10-20 16:55:07 +02:00
|
|
|
jsonattr['id'],
|
|
|
|
jsonattr['category'],
|
|
|
|
jsonattr['type'],
|
|
|
|
jsonattr['value'],
|
2017-10-13 15:03:09 +02:00
|
|
|
]
|
|
|
|
|
|
|
|
#try to get coord
|
2017-10-20 16:55:07 +02:00
|
|
|
if jsonattr['category'] == "Network activity":
|
|
|
|
handleCoord(jsonattr['value'])
|
2017-10-13 15:03:09 +02:00
|
|
|
|
|
|
|
to_send = { 'name': 'Attribute', 'log': json.dumps(to_push) }
|
2017-09-11 14:53:06 +02:00
|
|
|
redis_server.publish(channel, json.dumps(to_send))
|
|
|
|
|
2017-10-20 16:55:07 +02:00
|
|
|
def handleCoord(value):
|
|
|
|
try:
|
|
|
|
coord = ip_to_coord(value)
|
|
|
|
coord_dic = {'lat': coord['lat'], 'lon': coord['lon']}
|
|
|
|
coord_list = [coord['lat'], coord['lon']]
|
|
|
|
print(coord_list)
|
|
|
|
now = datetime.datetime.now()
|
|
|
|
today_str = str(now.year)+str(now.month)+str(now.day)
|
|
|
|
keyname = 'GEO_' + today_str
|
|
|
|
#serv_coord.zincrby(keyname, coord_list)
|
|
|
|
serv_coord.publish(channel_disp, json.dumps({ "coord": coord }))
|
|
|
|
print('coord sent')
|
|
|
|
except ValueError:
|
|
|
|
print("can't resolve ip")
|
2017-09-11 14:53:06 +02:00
|
|
|
|
2017-10-13 15:03:09 +02:00
|
|
|
def process_log(event):
|
|
|
|
event = event.decode('utf8')
|
|
|
|
topic, eventdata = event.split(' ', maxsplit=1)
|
|
|
|
jsonevent = json.loads(eventdata)
|
|
|
|
dico_action[topic](jsonevent)
|
|
|
|
|
|
|
|
|
|
|
|
def main():
|
|
|
|
while True:
|
|
|
|
content = socket.recv()
|
|
|
|
content.replace(b'\n', b'') # remove \n...
|
|
|
|
process_log(content)
|
|
|
|
|
|
|
|
def log_feed():
|
|
|
|
with open('misp-zmq.2', 'ba') as f:
|
|
|
|
|
|
|
|
while True:
|
|
|
|
time.sleep(1.0)
|
|
|
|
content = socket.recv()
|
|
|
|
content.replace(b'\n', b'') # remove \n...
|
|
|
|
f.write(content)
|
|
|
|
f.write(b'\n')
|
|
|
|
print(content)
|
|
|
|
#redis_server.publish(channel, content)
|
|
|
|
|
|
|
|
#if random.randint(1,10)<5:
|
|
|
|
# time.sleep(0.5)
|
|
|
|
# redis_server.publish(channel, content)
|
|
|
|
|
|
|
|
#if random.randint(1,10)<5:
|
|
|
|
# time.sleep(0.5)
|
|
|
|
# redis_server.publish(channel, content)
|
|
|
|
|
|
|
|
dico_action = {
|
|
|
|
"misp_json": default_event,
|
|
|
|
"misp_json_self": default_keepalive,
|
|
|
|
"misp_json_attribute": default_attribute,
|
|
|
|
"misp_json_sighting": default_log,
|
|
|
|
"misp_json_organisation": default_log,
|
|
|
|
"misp_json_user": default_log,
|
|
|
|
"misp_json_conversation": default_log
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == "__main__":
|
|
|
|
main()
|
|
|
|
reader.close()
|
|
|
|
|