cif-client 1.0.2 → 1.0.3

data.tar.gz.sig

@@ -1,2 +1,4 @@
-��l �|f��
-TȤ�[ѝئw�qCG��N�;V<�N{�$_E�q����#�?d
+���
+�qo��Ȥ"j�b��>��]_܇�#��OS5�Bg�+��g�]I�p!�Yv���"y4L
�ɟ�n8mSv�=�`����'v
C���3y�i�!{1
+�F�9*"�~�j��z�2r~�����{��:����z�3QT�~B���3y���/�z
+@��s$���-�B����^QFf���

data/bin/cifcli

@@ -0,0 +1,140 @@
+#!/usr/bin/env ruby
+# DESCRIPTION: queries collective-intelligence-framework sources
+
+require 'cif/client'
+require 'getoptlong'
+require 'yaml'
+require 'json'
+require 'snort-rule'
+require 'configparser'
+
+def usage
+	puts "Usage: #{$0} [-h] [-c <config>] [-s <severity>] [-r <restriction>] [-n] [-x|-j|-y|-t|-o] [-d <delim>] <query> [<query> ...]"
+	puts "-h               prints this help"
+	puts "-c <config>      specifies a configuration file with the API key and host endpoint"
+	puts "-s <severity>    severity: low, medium, or high"
+	puts "-r <restriction> examples: need-to-know and private"
+	puts "-n               requests the server to not log the query"
+	puts "-x               outputs in XML"
+	puts "-j               outputs in JSON"
+	puts "-y               outputs in YAML"
+	puts "-o               outputs in SNORT formatted rules"
+	puts "-t               outputs in ASCII text (broken in 1.0.0)"
+	puts "-d <delimiter>   specifies the delimiter for text (default tab)"
+	puts "<query>          terms, usually domains, IPs, or CIDRs, that are being queried from the CIF"
+	exit
+end
+
+def format_results(results,format,delim)
+	return unless results
+	case format
+	when 'xml'
+		results.to_xml
+	when 'json'
+		results.to_json
+	when 'yaml'
+		results.to_yaml
+	when 'text'
+		fields = nil
+		output = ""
+		results['entry'].each do |item|
+			unless fields
+				fields = item.keys 
+				output += fields.join(delim)+"\n"
+			end
+			sep = ""
+			fields.each do |field|
+				output += sep
+				output += item[field].chomp if item[field] and item[field].class == String
+				sep = delim
+			end
+			output += "\n"
+		end
+		output
+	when 'snort'
+		sid = 1
+		output = ""
+		results['entry'].each do |item|
+			begin
+				item = item['Incident']
+				next unless item['EventData']['Flow']['System']['Node']['Address']
+				portlist = item['EventData']['Flow']['System']['Service']['Portlist']
+				rule = Snort::Rule.new
+			
+				rule.dst = item['EventData']['Flow']['System']['Node']['Address']
+				rule.dport = portlist || 'any'
+				rule.opts['msg'] = "#{item['restriction']} - #{item['description']}" if item['restriction'] and item['description']
+				rule.opts['threshold'] = 'type limit,track by_src,count 1,seconds 3600'
+				rule.opts['sid'] = sid
+				sid += 1
+				rule.opts['reference'] = item['AlternativeID']['IncidentID']['content'] if item['AlternativeID']['IncidentID']['content']
+				output += rule.to_s + "\n"
+			rescue Exception => e
+				# do nothing
+			end
+		end
+		output
+	end
+end
+
+opts = GetoptLong.new(
+	[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
+	[ '--config', '-c', GetoptLong::REQUIRED_ARGUMENT ],
+	[ '--severity', '-s', GetoptLong::REQUIRED_ARGUMENT ],
+	[ '--restriction', '-r', GetoptLong::REQUIRED_ARGUMENT ],
+	[ '--nolog', '-n', GetoptLong::NO_ARGUMENT ],
+	[ '--xml', '-x', GetoptLong::NO_ARGUMENT ],
+	[ '--json', '-j', GetoptLong::NO_ARGUMENT ],
+	[ '--yaml', '-y', GetoptLong::NO_ARGUMENT ],
+	[ '--delim', '-d', GetoptLong::REQUIRED_ARGUMENT ],
+	[ '--text', '-t', GetoptLong::NO_ARGUMENT ],
+	[ '--snort', '-o', GetoptLong::NO_ARGUMENT ]
+)
+config = "#{ENV['HOME']}/.cif"
+severity = nil
+restriction = nil
+nolog = false
+format = 'text'
+delim = "\t"
+
+opts.each do |opt, arg|
+	case opt
+	when '--help'
+		usage
+	when '--config'
+		config = arg
+	when '--severity'
+		severity = arg
+	when '--restriction'
+		restriction = arg
+	when '--nolog'
+		nolog = true
+	when '--xml'
+		format = 'xml'
+	when '--json'
+		format = 'json'
+	when '--yaml'
+		format = 'yaml'
+	when '--snort'
+		format = 'snort'
+	when '--delim'
+		delim = arg
+	when '--text'
+		format = 'text'
+	else
+		usage
+	end
+end
+usage if ARGV.length == 0
+unless(File.exists?(config))
+	puts "cifcli requires a configuration file to work. It defaults to ~/.cif"
+	puts "please refer to the documentation for more detail"
+	exit
+end
+config = ConfigParser.new(config)
+host = config['client']['host']
+apikey = config['client']['apikey']
+client = CIF::Client.new(host,apikey,severity,restriction,nolog)
+ARGV.each do |query|
+	puts format_results(client.query(query),format,delim)
+end

data/cif-client.gemspec

@@ -20,6 +20,7 @@ Gem::Specification.new do |spec|
 
 	spec.add_runtime_dependency "configparser", "~> 0.1.1"
 	spec.add_runtime_dependency "json", "~> 1.4.3"
+	spec.add_runtime_dependency "snort-rule", "~> 0.0.1"
 	spec.add_development_dependency "bundler", "~> 1.3"
 	spec.add_development_dependency "rake"
 

data/lib/cif/client/version.rb

@@ -1,5 +1,5 @@
 module CIF
   class Client
-    VERSION = "1.0.2"
+    VERSION = "1.0.3"
   end
 end

metadata

@@ -1,158 +1,173 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: cif-client
-version: !ruby/object:Gem::Version 
-  hash: 19
+version: !ruby/object:Gem::Version
+  version: 1.0.3
   prerelease: 
-  segments: 
-  - 1
-  - 0
-  - 2
-  version: 1.0.2
 platform: ruby
-authors: 
+authors:
 - chrislee35
 autorequire: 
 bindir: bin
-cert_chain: 
-- |
-  -----BEGIN CERTIFICATE-----
-  MIIDYjCCAkqgAwIBAgIBADANBgkqhkiG9w0BAQUFADBXMREwDwYDVQQDDAhydWJ5
-  Z2VtczEYMBYGCgmSJomT8ixkARkWCGNocmlzbGVlMRMwEQYKCZImiZPyLGQBGRYD
-  ZGhzMRMwEQYKCZImiZPyLGQBGRYDb3JnMB4XDTEzMDUyMjEyNTk0N1oXDTE0MDUy
-  MjEyNTk0N1owVzERMA8GA1UEAwwIcnVieWdlbXMxGDAWBgoJkiaJk/IsZAEZFghj
-  aHJpc2xlZTETMBEGCgmSJomT8ixkARkWA2RoczETMBEGCgmSJomT8ixkARkWA29y
-  ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANcPrx8BZiWIR9xWWG8I
-  tqR538tS1t+UJ4FZFl+1vrtU9TiuWX3Vj37TwUpa2fFkziK0n5KupVThyEhcem5m
-  OGRjvgrRFbWQJSSscIKOpwqURHVKRpV9gVz/Hnzk8S+xotUR1Buo3Ugr+I1jHewD
-  Cgr+y+zgZbtjtHsJtsuujkOcPhEjjUinj68L9Fz9BdeJQt+IacjwAzULix6jWCht
-  Uc+g+0z8Esryca2G6I1GsrgX6WHw8dykyQDT9dCtS2flCOwSC1R0K5T/xHW54f+5
-  wcw8mm53KLNe+tmgVC6ZHyME+qJsBnP6uxF0aTEnGA/jDBQDhQNTF0ZP/abzyTsL
-  zjUCAwEAAaM5MDcwCQYDVR0TBAIwADALBgNVHQ8EBAMCBLAwHQYDVR0OBBYEFO8w
-  +aeP7T6kVJblCg6eusOII9DfMA0GCSqGSIb3DQEBBQUAA4IBAQBCQyRJLXsBo2Fy
-  8W6e/W4RemQRrlAw9DK5O6U71JtedVob2oq+Ob+zmS+PifE2+L+3RiJ2H6VTlOzi
-  x+A061MUXhGraqVq4J2FC8kt4EQywAD0P0Ta5GU24CGSF08Y3GkJy1Sa4XqTC2YC
-  o51s7JP+tkCCtpVYSdzJhTllieRAWBpGV1dtaoeUKE6tYPMBkosxSRcVGczk/Sc3
-  7eQCpexYy9JlUBI9u3BqIY9E+l+MSn8ihXSPmyK0DgrhaCu+voaSFVOX6Y+B5qbo
-  jLXMQu2ZgISYwXNjNbGVHehut82U7U9oiHoWcrOGazaRUmGO9TXP+aJLH0gw2dcK
-  AfMglXPi
-  -----END CERTIFICATE-----
-
-date: 2013-06-02 00:00:00 Z
-dependencies: 
-- !ruby/object:Gem::Dependency 
+cert_chain:
+- !binary |-
+  LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURZakNDQWtxZ0F3SUJB
+  Z0lCQURBTkJna3Foa2lHOXcwQkFRVUZBREJYTVJFd0R3WURWUVFEREFoeWRX
+  SjUKWjJWdGN6RVlNQllHQ2dtU0pvbVQ4aXhrQVJrV0NHTm9jbWx6YkdWbE1S
+  TXdFUVlLQ1pJbWlaUHlMR1FCR1JZRApaR2h6TVJNd0VRWUtDWkltaVpQeUxH
+  UUJHUllEYjNKbk1CNFhEVEV6TURVeU1qRXlOVGswTjFvWERURTBNRFV5Ck1q
+  RXlOVGswTjFvd1Z6RVJNQThHQTFVRUF3d0ljblZpZVdkbGJYTXhHREFXQmdv
+  SmtpYUprL0lzWkFFWkZnaGoKYUhKcGMyeGxaVEVUTUJFR0NnbVNKb21UOGl4
+  a0FSa1dBMlJvY3pFVE1CRUdDZ21TSm9tVDhpeGtBUmtXQTI5eQpaekNDQVNJ
+  d0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFOY1ByeDhC
+  WmlXSVI5eFdXRzhJCnRxUjUzOHRTMXQrVUo0RlpGbCsxdnJ0VTlUaXVXWDNW
+  ajM3VHdVcGEyZkZremlLMG41S3VwVlRoeUVoY2VtNW0KT0dSanZnclJGYldR
+  SlNTc2NJS09wd3FVUkhWS1JwVjlnVnovSG56azhTK3hvdFVSMUJ1bzNVZ3Ir
+  STFqSGV3RApDZ3IreSt6Z1pidGp0SHNKdHN1dWprT2NQaEVqalVpbmo2OEw5
+  Rno5QmRlSlF0K0lhY2p3QXpVTGl4NmpXQ2h0ClVjK2crMHo4RXNyeWNhMkc2
+  STFHc3JnWDZXSHc4ZHlreVFEVDlkQ3RTMmZsQ093U0MxUjBLNVQveEhXNTRm
+  KzUKd2N3OG1tNTNLTE5lK3RtZ1ZDNlpIeU1FK3FKc0JuUDZ1eEYwYVRFbkdB
+  L2pEQlFEaFFOVEYwWlAvYWJ6eVRzTAp6alVDQXdFQUFhTTVNRGN3Q1FZRFZS
+  MFRCQUl3QURBTEJnTlZIUThFQkFNQ0JMQXdIUVlEVlIwT0JCWUVGTzh3Cith
+  ZVA3VDZrVkpibENnNmV1c09JSTlEZk1BMEdDU3FHU0liM0RRRUJCUVVBQTRJ
+  QkFRQkNReVJKTFhzQm8yRnkKOFc2ZS9XNFJlbVFScmxBdzlESzVPNlU3MUp0
+  ZWRWb2Iyb3ErT2Irem1TK1BpZkUyK0wrM1JpSjJINlZUbE96aQp4K0EwNjFN
+  VVhoR3JhcVZxNEoyRkM4a3Q0RVF5d0FEMFAwVGE1R1UyNENHU0YwOFkzR2tK
+  eTFTYTRYcVRDMllDCm81MXM3SlArdGtDQ3RwVllTZHpKaFRsbGllUkFXQnBH
+  VjFkdGFvZVVLRTZ0WVBNQmtvc3hTUmNWR2N6ay9TYzMKN2VRQ3BleFl5OUps
+  VUJJOXUzQnFJWTlFK2wrTVNuOGloWFNQbXlLMERncmhhQ3Urdm9hU0ZWT1g2
+  WStCNXFibwpqTFhNUXUyWmdJU1l3WE5qTmJHVkhlaHV0ODJVN1U5b2lIb1dj
+  ck9HYXphUlVtR085VFhQK2FKTEgwZ3cyZGNLCkFmTWdsWFBpCi0tLS0tRU5E
+  IENFUlRJRklDQVRFLS0tLS0K
+date: 2013-06-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: configparser
-  version_requirements: &id001 !ruby/object:Gem::Requirement 
+  requirement: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 25
-        segments: 
-        - 0
-        - 1
-        - 1
+      - !ruby/object:Gem::Version
         version: 0.1.1
-  prerelease: false
   type: :runtime
-  requirement: *id001
-- !ruby/object:Gem::Dependency 
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.1.1
+- !ruby/object:Gem::Dependency
   name: json
-  version_requirements: &id002 !ruby/object:Gem::Requirement 
+  requirement: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 1
-        segments: 
-        - 1
-        - 4
-        - 3
+      - !ruby/object:Gem::Version
         version: 1.4.3
+  type: :runtime
   prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.4.3
+- !ruby/object:Gem::Dependency
+  name: snort-rule
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.0.1
   type: :runtime
-  requirement: *id002
-- !ruby/object:Gem::Dependency 
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.0.1
+- !ruby/object:Gem::Dependency
   name: bundler
-  version_requirements: &id003 !ruby/object:Gem::Requirement 
+  requirement: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 9
-        segments: 
-        - 1
-        - 3
-        version: "1.3"
-  prerelease: false
+      - !ruby/object:Gem::Version
+        version: '1.3'
   type: :development
-  requirement: *id003
-- !ruby/object:Gem::Dependency 
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
   name: rake
-  version_requirements: &id004 !ruby/object:Gem::Requirement 
+  requirement: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
-  prerelease: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  requirement: *id004
-description: CIF is a cyber threat intelligence management system. CIF allows you to combine known malicious threat information from many sources and use that information for identification (incident response), detection (IDS) and mitigation (null route). The most common types of threat intelligence warehoused in CIF are IP addresses, domains and urls that are observed to be related to malicious activity.
-email: 
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: CIF is a cyber threat intelligence management system. CIF allows you
+  to combine known malicious threat information from many sources and use that information
+  for identification (incident response), detection (IDS) and mitigation (null route).
+  The most common types of threat intelligence warehoused in CIF are IP addresses,
+  domains and urls that are observed to be related to malicious activity.
+email:
 - rubygems@chrislee.dhs.org
-executables: []
-
+executables:
+- cifcli
 extensions: []
-
 extra_rdoc_files: []
-
-files: 
+files:
 - .gitignore
 - Gemfile
 - LICENSE.txt
 - README.md
 - Rakefile
+- bin/cifcli
 - cif-client.gemspec
 - lib/cif/client.rb
 - lib/cif/client/version.rb
 - test/helper.rb
 - test/test_cif-client.rb
 homepage: https://code.google.com/p/collective-intelligence-framework/
-licenses: 
+licenses:
 - MIT
 post_install_message: 
 rdoc_options: []
-
-require_paths: 
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
+required_ruby_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
 rubyforge_project: 
 rubygems_version: 1.8.25
 signing_key: 
 specification_version: 3
 summary: Ruby-based client and library for the Collective Intelligence Framework
-test_files: 
+test_files:
 - test/helper.rb
 - test/test_cif-client.rb