Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AlienVault OTX API #298

Merged
merged 15 commits into from
Sep 11, 2015
Merged

AlienVault OTX API #298

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
1162c36
alienvault-otx api collector and parser
robcza Aug 25, 2015
e8ae727
OTX SDK added
robcza Aug 25, 2015
0f7d12f
Create README.md
robcza Aug 25, 2015
e961c00
pep8 compliance fixed
robcza Aug 25, 2015
c55d10d
Merge branch 'alienvault-otx' of https://github.com/robcza/intelmq in…
robcza Aug 25, 2015
d60e244
Merge branch 'master' of https://github.com/certtools/intelmq into al…
robcza Sep 2, 2015
edf97f3
time observation in the collector
robcza Sep 2, 2015
2322d00
syntax error fixes
robcza Sep 2, 2015
844653a
working collector + bot, test data provided however there is an issue…
robcza Sep 2, 2015
b9c2e16
license for the AlienVault OTX SDK
robcza Sep 2, 2015
cadc76a
fixed alienvault otx parser + tests
robcza Sep 9, 2015
7e3c9cb
malware.hash_type added to harmonization
robcza Sep 9, 2015
34b9628
malware.hash harmonization and several fixes proposed by @sebix
robcza Sep 9, 2015
d2f8e3d
BUG: Adapt alienvault otx to current master
sebix Sep 11, 2015
95afec8
Merge branch 'master' of https://github.com/certtools/intelmq into al…
robcza Sep 11, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions intelmq/bots/BOTS
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -216,6 +216,15 @@
"url": "http://dshield.org/asdetailsascii.html?as=<AS Number>"
}
},
"AlienVault OTX": {
"module": "intelmq.bots.collectors.alienvault-otx.collector",
"description": "AlienVault OTX Collector is the bot responsible to get the report through the API. Report could vary according to subscriptions.",
"parameters": {
"api_key": "<insert your api key>",
"feed": "AlienVault OTX",
"rate_limit": "3600"
}
},
"DShield Block": {
"description": "DShield Block Collector is the bot responsible to get the report from source of information.",
"module": "intelmq.bots.collectors.http.collector_http",
Expand Down Expand Up @@ -634,6 +643,11 @@
"module": "intelmq.bots.parsers.alienvault.parser",
"parameters": {}
},
"AlienVault OTX": {
"description": "AlienVault Parser is the bot responsible to parse the report and sanitize the information.",
"module": "intelmq.bots.parsers.alienvault.parser-otx",
"parameters": {}
},
"Arbor": {
"description": "Arbor Parser is the bot responsible to parse the report and sanitize the information.",
"module": "intelmq.bots.parsers.arbor.parser",
Expand Down
104 changes: 104 additions & 0 deletions intelmq/bots/collectors/alienvault-otx/OTXv2.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,104 @@
#!/usr/bin/env python

import httplib
import urlparse
import urllib
import urllib2
import simplejson as json
import time
import re
import logging
import datetime

logger = logging.getLogger("OTXv2")


class InvalidAPIKey(Exception):

def __init__(self, value):
self.value = value

def __str__(self):
return repr(self.value)


class BadRequest(Exception):

def __init__(self, value):
self.value = value

def __str__(self):
return repr(self.value)


class OTXv2(object):

def __init__(self, key, server="http://otx.alienvault.com"):
self.key = key
self.server = server

def get(self, url):
request = urllib2.build_opener()
request.addheaders = [('X-OTX-API-KEY', self.key)]
response = None
try:
response = request.open(url)
except urllib2.URLError as e:
if e.code == 403:
raise InvalidAPIKey("Invalid API Key")
elif e.code == 400:
raise BadRequest("Bad Request")
data = response.read()
json_data = json.loads(data)
return json_data

def getall(self, limit=20):
pulses = []
next = "%s/api/v1/pulses/subscribed?limit=%d" % (self.server, limit)
while next:
json_data = self.get(next)
for r in json_data["results"]:
pulses.append(r)
next = json_data["next"]
return pulses

def getall_iter(self, limit=20):
pulses = []
next = "%s/api/v1/pulses/subscribed?limit=%d" % (self.server, limit)
while next:
json_data = self.get(next)
for r in json_data["results"]:
yield r
next = json_data["next"]

def getsince(self, mytimestamp, limit=20):
pulses = []
next = "%s/api/v1/pulses/subscribed?limit=%d&modified_since=%s" % (
self.server, limit, mytimestamp)
while next:
json_data = self.get(next)
for r in json_data["results"]:
pulses.append(r)
next = json_data["next"]
return pulses

def getsince_iter(self, mytimestamp, limit=20):
pulses = []
next = "%s/api/v1/pulses/subscribed?limit=%d&modified_since=%s" % (
self.server, limit, mytimestamp)
while next:
json_data = self.get(next)
for r in json_data["results"]:
yield r
next = json_data["next"]

def getevents_since(self, mytimestamp, limit=20):
events = []
next = "%s/api/v1/pulses/events?limit=%d&since=%s" % (
self.server, limit, mytimestamp)
while next:
json_data = self.get(next)
for r in json_data["results"]:
events.append(r)
next = json_data["next"]
return events
4 changes: 4 additions & 0 deletions intelmq/bots/collectors/alienvault-otx/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
- Collector for: https://otx.alienvault.com
- Needs this script to be run: https://github.com/AlienVault-Labs/OTX-Python-SDK/blob/master/OTXv2.py
- The runtime.conf parameter "api_key" has to be set (register on the website to get one)

Empty file added intelmq/bots/collectors/alienvault-otx/__init__.py
View file
Open in desktop
Empty file.
28 changes: 28 additions & 0 deletions intelmq/bots/collectors/alienvault-otx/collector.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
# -*- coding: utf-8 -*-
from __future__ import unicode_literals
import sys
from OTXv2 import OTXv2
import json

from intelmq.bots.collectors.http.lib import fetch_url
from intelmq.lib.bot import Bot
from intelmq.lib.message import Report


class AlienVaultOTXCollectorBot(Bot):

def process(self):
self.logger.info("Downloading report through API")
otx = OTXv2(self.parameters.api_key)
pulses = otx.getall()
self.logger.info("Report downloaded.")

report = Report()
report.add("raw", json.dumps(pulses), sanitize=True)
report.add("feed.name", self.parameters.feed, sanitize=True)
self.send_message(report)


if __name__ == "__main__":
bot = AlienVaultOTXCollectorBot(sys.argv[1])
bot.start()
86 changes: 86 additions & 0 deletions intelmq/bots/parsers/alienvault/parser-otx.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
# -*- coding: utf-8 -*-
from __future__ import unicode_literals
import sys
import json

from intelmq.lib import utils
from intelmq.lib.bot import Bot
from intelmq.lib.harmonization import DateTime
from intelmq.lib.message import Event

HASHES = {
'FileHash-SHA256': 'SHA-256',
'FileHash-SHA1': 'SHA-1',
'FileHash-MD5': 'MD5'
}


class AlienVaultOTXParserBot(Bot):

def process(self):
report = self.receive_message()
if (report is None or not report.contains("raw"):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a SyntaxError

self.acknowledge_message()
return

time_observation = DateTime().generate_datetime_now()
raw_report = utils.base64_decode(report.value("raw"))

for pulse in json.loads(raw_report):
additional_information = json.dumps(
{'author':pulse['author_name'],
'pulse':pulse['name']})
for indicator in pulse["indicators"]:
event = Event()
#hashes
if indicator["type"] in ['FileHash-SHA256', 'FileHash-SHA1', 'FileHash-MD5']:
event.add('malware.hash', indicator["indicator"], sanitize = True)
# event.add('malware.hash_type', HASHES[indicator["type"]], sanitize = True)
# fqdn
if indicator["type"] in ['hostname', 'domain']:
event.add(
'source.fqdn',
indicator["indicator"],
sanitize=True)
# IP addresses
elif indicator["type"] in ['IPv4', 'IPv6']:
event.add(
'source.ip',
indicator["indicator"],
sanitize=True)
# emails
elif indicator["type"] == 'email':
event.add(
'source.email_address',
indicator["indicator"],
sanitize=True)
# URLs
elif indicator["type"] in ['URL', 'URI']:
event.add(
'source.url',
indicator["indicator"],
sanitize=True)
#CIDR
elif indicator["type"] in ['CIDR']:
event.add(
'source.network',
indicator["indicator"],
sanitize=True)
elif indicator["type"]
#FilePath, Mutex, CVE, hashes - TODO: process these IoCs as well
else:
continue

event.add('comment', pulse['description'])
event.add('additional_information', additional_information)
event.add('classification.type', 'blacklist', sanitize=True)
event.add('time.observation', time_observation, sanitize=True)
event.add('time.source', indicator["created"], sanitize=True)
event.add('feed.name', report.value("feed.name"))
event.add("raw", json.dumps(indicator), sanitize=True)
self.send_message(event)
self.acknowledge_message()

if __name__ == "__main__":
bot = AlienVaultOTXParserBot(sys.argv[1])
bot.start()