2018-06-14 16:47:11 +02:00
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
|
|
|
import json
|
|
|
|
try:
|
|
|
|
from onyphe import Onyphe
|
|
|
|
except ImportError:
|
|
|
|
print("pyonyphe module not installed.")
|
|
|
|
|
|
|
|
misperrors = {'error': 'Error'}
|
|
|
|
|
2018-06-20 15:33:21 +02:00
|
|
|
mispattributes = {'input': ['ip-src', 'ip-dst', 'hostname', 'domain'],
|
2018-12-11 15:29:09 +01:00
|
|
|
'output': ['hostname', 'domain', 'ip-src', 'ip-dst', 'url']}
|
2018-06-20 15:33:21 +02:00
|
|
|
|
2018-06-14 16:47:11 +02:00
|
|
|
# possible module-types: 'expansion', 'hover' or both
|
|
|
|
moduleinfo = {'version': '1', 'author': 'Sebastien Larinier @sebdraven',
|
|
|
|
'description': 'Query on Onyphe',
|
|
|
|
'module-type': ['expansion', 'hover']}
|
|
|
|
|
|
|
|
# config fields that your code expects from the site admin
|
|
|
|
moduleconfig = ['apikey']
|
|
|
|
|
|
|
|
|
|
|
|
def handler(q=False):
|
|
|
|
if q:
|
|
|
|
|
|
|
|
request = json.loads(q)
|
|
|
|
|
|
|
|
if not request.get('config') and not (request['config'].get('apikey')):
|
|
|
|
misperrors['error'] = 'Onyphe authentication is missing'
|
|
|
|
return misperrors
|
|
|
|
|
|
|
|
api = Onyphe(request['config'].get('apikey'))
|
|
|
|
|
|
|
|
if not api:
|
|
|
|
misperrors['error'] = 'Onyphe Error instance api'
|
|
|
|
|
|
|
|
ip = ''
|
|
|
|
if request.get('ip-src'):
|
|
|
|
ip = request['ip-src']
|
2018-12-11 15:29:09 +01:00
|
|
|
return handle_ip(api, ip, misperrors)
|
2018-06-14 16:47:11 +02:00
|
|
|
elif request.get('ip-dst'):
|
|
|
|
ip = request['ip-dst']
|
2018-12-11 15:29:09 +01:00
|
|
|
return handle_ip(api, ip, misperrors)
|
2018-06-14 16:47:11 +02:00
|
|
|
elif request.get('domain'):
|
|
|
|
domain = request['domain']
|
2018-06-22 16:06:34 +02:00
|
|
|
return handle_domain(api, domain, misperrors)
|
2018-06-14 16:47:11 +02:00
|
|
|
elif request.get('hostname'):
|
|
|
|
hostname = request['hostname']
|
2018-06-22 16:06:34 +02:00
|
|
|
return handle_domain(api, hostname, misperrors)
|
2018-06-14 16:47:11 +02:00
|
|
|
else:
|
|
|
|
misperrors['error'] = "Unsupported attributes type"
|
|
|
|
return misperrors
|
|
|
|
else:
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
|
|
def handle_domain(api, domain, misperrors):
|
2018-06-22 15:57:52 +02:00
|
|
|
result_filtered = {"results": []}
|
|
|
|
|
|
|
|
r, status_ok = expand_pastries(api, misperrors, domain=domain)
|
|
|
|
|
|
|
|
if status_ok:
|
|
|
|
result_filtered['results'].extend(r)
|
|
|
|
else:
|
|
|
|
misperrors['error'] = 'Error pastries result'
|
|
|
|
return misperrors
|
|
|
|
|
|
|
|
r, status_ok = expand_datascan(api, misperrors, domain=domain)
|
|
|
|
|
|
|
|
if status_ok:
|
|
|
|
result_filtered['results'].extend(r)
|
|
|
|
else:
|
|
|
|
misperrors['error'] = 'Error datascan result '
|
|
|
|
return misperrors
|
|
|
|
|
|
|
|
r, status_ok = expand_threatlist(api, misperrors, domain=domain)
|
|
|
|
|
|
|
|
if status_ok:
|
|
|
|
result_filtered['results'].extend(r)
|
|
|
|
else:
|
|
|
|
misperrors['error'] = 'Error threat list'
|
|
|
|
return misperrors
|
2018-06-22 16:18:23 +02:00
|
|
|
|
|
|
|
return result_filtered
|
2018-06-14 16:47:11 +02:00
|
|
|
|
2018-06-20 11:07:33 +02:00
|
|
|
|
2018-06-14 16:47:11 +02:00
|
|
|
def handle_ip(api, ip, misperrors):
|
|
|
|
result_filtered = {"results": []}
|
|
|
|
|
2018-06-20 11:07:33 +02:00
|
|
|
r, status_ok = expand_syscan(api, ip, misperrors)
|
2018-06-14 16:47:11 +02:00
|
|
|
|
2018-06-20 14:41:57 +02:00
|
|
|
if status_ok:
|
2018-12-11 15:29:09 +01:00
|
|
|
result_filtered['results'].extend(r)
|
2018-06-20 14:41:57 +02:00
|
|
|
else:
|
2018-12-11 15:29:09 +01:00
|
|
|
misperrors['error'] = "Error syscan result"
|
2018-06-14 16:47:11 +02:00
|
|
|
|
2018-12-11 15:29:09 +01:00
|
|
|
r, status_ok = expand_pastries(api, misperrors, ip=ip)
|
2018-06-14 16:47:11 +02:00
|
|
|
|
|
|
|
if status_ok:
|
2018-06-20 12:38:41 +02:00
|
|
|
result_filtered['results'].extend(r)
|
2018-06-14 16:47:11 +02:00
|
|
|
else:
|
2018-06-20 12:32:54 +02:00
|
|
|
misperrors['error'] = 'Error pastries result'
|
|
|
|
return misperrors
|
2018-06-14 16:47:11 +02:00
|
|
|
|
2018-06-20 17:47:11 +02:00
|
|
|
r, status_ok = expand_datascan(api, misperrors, ip=ip)
|
|
|
|
|
|
|
|
if status_ok:
|
2018-06-20 18:05:28 +02:00
|
|
|
result_filtered['results'].extend(r)
|
2018-06-20 17:47:11 +02:00
|
|
|
else:
|
2018-06-22 11:59:09 +02:00
|
|
|
misperrors['error'] = 'Error datascan result '
|
2018-06-20 17:59:49 +02:00
|
|
|
return misperrors
|
2018-06-20 17:47:11 +02:00
|
|
|
|
2018-06-20 15:33:21 +02:00
|
|
|
r, status_ok = expand_forward(api, ip, misperrors)
|
|
|
|
|
|
|
|
if status_ok:
|
|
|
|
result_filtered['results'].extend(r)
|
|
|
|
else:
|
2018-06-22 11:59:09 +02:00
|
|
|
misperrors['error'] = 'Error forward result'
|
2018-06-20 17:59:49 +02:00
|
|
|
return misperrors
|
|
|
|
|
2018-06-20 16:29:04 +02:00
|
|
|
r, status_ok = expand_reverse(api, ip, misperrors)
|
|
|
|
|
|
|
|
if status_ok:
|
|
|
|
result_filtered['results'].extend(r)
|
|
|
|
else:
|
|
|
|
misperrors['error'] = 'Error reverse result'
|
|
|
|
return misperrors
|
|
|
|
|
2018-06-22 11:59:09 +02:00
|
|
|
r, status_ok = expand_threatlist(api, misperrors, ip=ip)
|
|
|
|
|
|
|
|
if status_ok:
|
|
|
|
result_filtered['results'].extend(r)
|
|
|
|
else:
|
|
|
|
misperrors['error'] = 'Error threat list'
|
|
|
|
return misperrors
|
|
|
|
|
2018-06-14 16:47:11 +02:00
|
|
|
return result_filtered
|
|
|
|
|
|
|
|
|
|
|
|
def expand_syscan(api, ip, misperror):
|
|
|
|
status_ok = False
|
2018-06-20 14:41:57 +02:00
|
|
|
r = []
|
|
|
|
asn_list = []
|
|
|
|
os_list = []
|
|
|
|
geoloc = []
|
|
|
|
orgs = []
|
|
|
|
results = api.synscan(ip)
|
|
|
|
|
|
|
|
if results['status'] == 'ok':
|
|
|
|
status_ok = True
|
2018-06-20 14:45:06 +02:00
|
|
|
for elem in results['results']:
|
2018-06-20 14:41:57 +02:00
|
|
|
asn_list.append(elem['asn'])
|
2018-06-20 14:48:18 +02:00
|
|
|
os_target = elem['os']
|
2018-06-20 14:41:57 +02:00
|
|
|
geoloc.append(elem['location'])
|
|
|
|
orgs.append(elem['organization'])
|
2018-06-20 15:05:00 +02:00
|
|
|
if os_target != 'Unknown' and os_target != 'Undefined':
|
2018-06-20 14:41:57 +02:00
|
|
|
os_list.append(elem['os'])
|
|
|
|
|
2018-06-20 14:53:08 +02:00
|
|
|
r.append({'types': ['target-machine'],
|
2018-06-20 15:33:21 +02:00
|
|
|
'values': list(set(os_list)),
|
|
|
|
'categories': ['Targeting data'],
|
|
|
|
'comment': 'OS found on %s with synscan of Onyphe' % ip})
|
2018-06-20 14:41:57 +02:00
|
|
|
|
2018-06-20 14:53:08 +02:00
|
|
|
r.append({'types': ['target-location'],
|
2018-06-20 15:33:21 +02:00
|
|
|
'values': list(set(geoloc)),
|
|
|
|
'categories': ['Targeting data'],
|
|
|
|
'comment': 'Geolocalisation of %s found with synscan of Onyphe'
|
2018-06-20 15:05:00 +02:00
|
|
|
% ip
|
|
|
|
})
|
2018-06-20 14:41:57 +02:00
|
|
|
|
2018-06-20 14:53:08 +02:00
|
|
|
r.append({'types': ['target-org'],
|
2018-06-20 15:05:00 +02:00
|
|
|
'values': list(set(orgs)),
|
|
|
|
'categories': ['Targeting data'],
|
|
|
|
'comment': 'Organisations of %s found with synscan of Onyphe'
|
2018-06-20 17:47:11 +02:00
|
|
|
% ip
|
2018-06-20 15:05:00 +02:00
|
|
|
})
|
2018-06-20 14:41:57 +02:00
|
|
|
|
2018-06-20 15:05:00 +02:00
|
|
|
r.append({'types': ['AS'],
|
|
|
|
'values': list(set(asn_list)),
|
|
|
|
'categories': ['Network activity'],
|
2018-06-20 17:47:11 +02:00
|
|
|
'comment': 'As number of %s found with synscan of Onyphe' % ip
|
2018-06-20 15:05:00 +02:00
|
|
|
})
|
2018-06-14 16:47:11 +02:00
|
|
|
|
2018-06-20 11:07:33 +02:00
|
|
|
return r, status_ok
|
2018-06-14 16:47:11 +02:00
|
|
|
|
|
|
|
|
2018-12-11 15:29:09 +01:00
|
|
|
def expand_datascan(api, misperror, **kwargs):
|
2018-06-14 16:47:11 +02:00
|
|
|
status_ok = False
|
2018-06-20 17:47:11 +02:00
|
|
|
r = []
|
2018-12-11 15:29:09 +01:00
|
|
|
# ip = ''
|
|
|
|
query = ''
|
2018-06-20 17:47:11 +02:00
|
|
|
asn_list = []
|
|
|
|
geoloc = []
|
|
|
|
orgs = []
|
|
|
|
ports = []
|
2018-06-22 16:15:34 +02:00
|
|
|
|
2018-06-20 17:47:11 +02:00
|
|
|
if 'ip' in kwargs:
|
|
|
|
query = kwargs.get('ip')
|
2018-06-22 16:15:34 +02:00
|
|
|
results = api.datascan(query)
|
2018-06-20 17:47:11 +02:00
|
|
|
else:
|
|
|
|
query = kwargs.get('domain')
|
2018-06-22 16:15:34 +02:00
|
|
|
results = api.search_datascan('domain:%s' % query)
|
2018-06-20 18:03:34 +02:00
|
|
|
|
2018-06-20 17:47:11 +02:00
|
|
|
if results['status'] == 'ok':
|
2018-06-20 18:04:12 +02:00
|
|
|
status_ok = True
|
2018-06-20 17:47:11 +02:00
|
|
|
for elem in results['results']:
|
|
|
|
asn_list.append(elem['asn'])
|
|
|
|
geoloc.append(elem['location'])
|
|
|
|
orgs.append(elem['organization'])
|
|
|
|
ports.append(elem['port'])
|
|
|
|
|
|
|
|
r.append({'types': ['port'],
|
|
|
|
'values': list(set(ports)),
|
|
|
|
'categories': ['Other'],
|
|
|
|
'comment': 'Ports of %s found with datascan of Onyphe'
|
2018-06-22 13:03:09 +02:00
|
|
|
% query
|
2018-06-20 17:47:11 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
r.append({'types': ['target-location'],
|
|
|
|
'values': list(set(geoloc)),
|
|
|
|
'categories': ['Targeting data'],
|
|
|
|
'comment': 'Geolocalisation of %s found with synscan of Onyphe'
|
2018-06-22 13:03:09 +02:00
|
|
|
% query
|
2018-06-20 17:47:11 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
r.append({'types': ['target-org'],
|
|
|
|
'values': list(set(orgs)),
|
|
|
|
'categories': ['Targeting data'],
|
|
|
|
'comment': 'Organisations of %s found with synscan of Onyphe'
|
2018-06-22 13:03:09 +02:00
|
|
|
% query
|
2018-06-20 17:47:11 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
r.append({'types': ['AS'],
|
|
|
|
'values': list(set(asn_list)),
|
|
|
|
'categories': ['Network activity'],
|
2018-06-22 13:03:09 +02:00
|
|
|
'comment': 'As number of %s found with synscan of Onyphe' % query
|
2018-06-20 17:47:11 +02:00
|
|
|
})
|
2018-06-20 15:33:21 +02:00
|
|
|
return r, status_ok
|
2018-06-14 16:47:11 +02:00
|
|
|
|
|
|
|
|
|
|
|
def expand_reverse(api, ip, misperror):
|
|
|
|
status_ok = False
|
|
|
|
r = None
|
2018-06-20 16:24:17 +02:00
|
|
|
status_ok = False
|
|
|
|
r = []
|
2018-06-20 16:30:56 +02:00
|
|
|
results = api.reverse(ip)
|
2018-06-20 16:24:17 +02:00
|
|
|
|
|
|
|
domains_reverse = []
|
|
|
|
|
|
|
|
domains = []
|
|
|
|
if results['status'] == 'ok':
|
|
|
|
status_ok = True
|
2018-06-14 16:47:11 +02:00
|
|
|
|
2018-06-20 16:24:17 +02:00
|
|
|
for elem in results['results']:
|
2018-06-20 16:26:09 +02:00
|
|
|
domains_reverse.append(elem['reverse'])
|
2018-06-20 16:24:17 +02:00
|
|
|
domains.append(elem['domain'])
|
|
|
|
|
|
|
|
r.append({'types': ['domain'],
|
|
|
|
'values': list(set(domains)),
|
|
|
|
'categories': ['Network activity'],
|
|
|
|
'comment': 'Domains of %s from forward service of Onyphe' % ip})
|
|
|
|
|
|
|
|
r.append({'types': ['domain'],
|
|
|
|
'values': list(set(domains_reverse)),
|
|
|
|
'categories': ['Network activity'],
|
|
|
|
'comment': 'Reverse Domains of %s from forward service of Onyphe' % ip})
|
2018-06-20 11:07:33 +02:00
|
|
|
return r, status_ok
|
2018-06-14 16:47:11 +02:00
|
|
|
|
|
|
|
|
|
|
|
def expand_forward(api, ip, misperror):
|
|
|
|
status_ok = False
|
2018-06-20 15:33:21 +02:00
|
|
|
r = []
|
|
|
|
results = api.forward(ip)
|
|
|
|
|
|
|
|
domains_forward = []
|
|
|
|
|
|
|
|
domains = []
|
|
|
|
if results['status'] == 'ok':
|
|
|
|
status_ok = True
|
|
|
|
|
|
|
|
for elem in results['results']:
|
|
|
|
domains_forward.append(elem['forward'])
|
|
|
|
domains.append(elem['domain'])
|
|
|
|
|
|
|
|
r.append({'types': ['domain'],
|
|
|
|
'values': list(set(domains)),
|
|
|
|
'categories': ['Network activity'],
|
|
|
|
'comment': 'Domains of %s from forward service of Onyphe' % ip})
|
2018-06-14 16:47:11 +02:00
|
|
|
|
2018-06-20 15:33:21 +02:00
|
|
|
r.append({'types': ['domain'],
|
|
|
|
'values': list(set(domains_forward)),
|
|
|
|
'categories': ['Network activity'],
|
|
|
|
'comment': 'Forward Domains of %s from forward service of Onyphe' % ip})
|
2018-06-20 11:07:33 +02:00
|
|
|
return r, status_ok
|
|
|
|
|
|
|
|
|
|
|
|
def expand_pastries(api, misperror, **kwargs):
|
|
|
|
status_ok = False
|
|
|
|
r = []
|
2018-06-22 15:57:52 +02:00
|
|
|
|
|
|
|
query = None
|
2018-06-20 11:07:33 +02:00
|
|
|
result = None
|
|
|
|
urls_pasties = []
|
|
|
|
domains = []
|
|
|
|
ips = []
|
|
|
|
if 'ip' in kwargs:
|
2018-06-22 15:57:52 +02:00
|
|
|
query = kwargs.get('ip')
|
2018-06-22 16:15:34 +02:00
|
|
|
result = api.pastries(query)
|
2018-06-20 11:07:33 +02:00
|
|
|
if 'domain' in kwargs:
|
2018-06-22 15:57:52 +02:00
|
|
|
query = kwargs.get('domain')
|
2018-06-22 16:15:34 +02:00
|
|
|
result = api.search_pastries('domain:%s' % query)
|
2018-06-20 11:07:33 +02:00
|
|
|
|
2018-12-11 15:29:09 +01:00
|
|
|
if result['status'] == 'ok':
|
2018-06-20 11:07:33 +02:00
|
|
|
status_ok = True
|
|
|
|
for item in result['results']:
|
|
|
|
if item['@category'] == 'pastries':
|
2018-11-11 15:49:14 +01:00
|
|
|
if item['source'] == 'pastebin':
|
2018-06-20 11:07:33 +02:00
|
|
|
urls_pasties.append('https://pastebin.com/raw/%s' % item['key'])
|
|
|
|
|
|
|
|
if 'domain' in item:
|
|
|
|
domains.extend(item['domain'])
|
|
|
|
if 'ip' in item:
|
2018-06-20 12:34:07 +02:00
|
|
|
ips.extend(item['ip'])
|
2018-06-20 11:07:33 +02:00
|
|
|
if 'hostname' in item:
|
|
|
|
domains.extend(item['hostname'])
|
|
|
|
|
2018-06-20 15:07:55 +02:00
|
|
|
r.append({'types': ['url'],
|
|
|
|
'values': urls_pasties,
|
|
|
|
'categories': ['External analysis'],
|
2018-12-11 15:29:09 +01:00
|
|
|
'comment': 'URLs of pasties where %s has found' % query})
|
2018-06-20 12:40:52 +02:00
|
|
|
r.append({'types': ['domain'], 'values': list(set(domains)),
|
2018-06-20 15:05:00 +02:00
|
|
|
'categories': ['Network activity'],
|
2018-06-20 15:07:55 +02:00
|
|
|
'comment': 'Domains found in pasties of Onyphe'})
|
2018-06-20 11:07:33 +02:00
|
|
|
|
|
|
|
r.append({'types': ['ip-dst'], 'values': list(set(ips)),
|
2018-06-20 15:05:00 +02:00
|
|
|
'categories': ['Network activity'],
|
|
|
|
'comment': 'IPs found in pasties of Onyphe'})
|
2018-06-20 11:07:33 +02:00
|
|
|
|
|
|
|
return r, status_ok
|
|
|
|
|
2018-06-14 16:47:11 +02:00
|
|
|
|
2018-12-11 15:29:09 +01:00
|
|
|
def expand_threatlist(api, misperror, **kwargs):
|
2018-06-22 11:59:09 +02:00
|
|
|
status_ok = False
|
|
|
|
r = []
|
|
|
|
|
|
|
|
query = None
|
|
|
|
|
|
|
|
threat_list = []
|
|
|
|
|
|
|
|
if 'ip' in kwargs:
|
|
|
|
query = kwargs.get('ip')
|
2018-06-22 16:15:34 +02:00
|
|
|
results = api.threatlist(query)
|
2018-06-22 11:59:09 +02:00
|
|
|
else:
|
|
|
|
query = kwargs.get('domain')
|
2018-06-22 16:15:34 +02:00
|
|
|
results = api.search_threatlist('domain:%s' % query)
|
2018-06-22 11:59:09 +02:00
|
|
|
|
|
|
|
if results['status'] == 'ok':
|
|
|
|
status_ok = True
|
|
|
|
threat_list = ['seen %s on %s ' % (item['seen_date'], item['threatlist'])
|
|
|
|
for item in results['results']]
|
|
|
|
|
|
|
|
r.append({'types': ['comment'],
|
|
|
|
'categories': ['Other'],
|
2018-06-22 15:14:44 +02:00
|
|
|
'values': threat_list,
|
|
|
|
'comment': '%s is present in threatlist' % query
|
2018-06-22 11:59:09 +02:00
|
|
|
})
|
|
|
|
|
2018-12-11 15:29:09 +01:00
|
|
|
return r, status_ok
|
|
|
|
|
2018-06-22 11:59:09 +02:00
|
|
|
|
2018-06-14 16:47:11 +02:00
|
|
|
def introspection():
|
|
|
|
return mispattributes
|
|
|
|
|
|
|
|
|
|
|
|
def version():
|
|
|
|
moduleinfo['config'] = moduleconfig
|
2018-11-11 15:49:14 +01:00
|
|
|
return moduleinfo
|