cif-client 1.0.2 → 1.0.3

data.tar.gz.sig CHANGED
@@ -1,2 +1,4 @@
1
- ��l �|f��
2
- TȤ�[ѝئwqCG��N�;V<�N {�$_E�q����#�?d
1
+ ���
2
+ qo��Ȥ"j�b��>��]_܇�#��OS5�Bg�+��g�]I�p!�Yv���"y4L�ɟ�n8mSv�=�`����'vC� ��3y�i�!{1
3
+ �F�9*"�~�j��z�2r~�����{��:����z�3QT�~B���3y���/�z
4
+ @��s$���-�B����^QFf���
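--- /dev/null
+++ b/bin/cifcli
@@ -0,0 +1,140 @@
+#!/usr/bin/env ruby
+# DESCRIPTION: queries collective-intelligence-framework sources
+
+require 'cif/client'
+require 'getoptlong'
+require 'yaml'
+require 'json'
+require 'snort-rule'
+require 'configparser'
+
+def usage
+puts "Usage: #{$0} [-h] [-c <config>] [-s <severity>] [-r <restriction>] [-n] [-x|-j|-y|-t|-o] [-d <delim>] <query> [<query> ...]"
+puts "-h prints this help"
+puts "-c <config> specifies a configuration file with the API key and host endpoint"
+puts "-s <severity> severity: low, medium, or high"
+puts "-r <restriction> examples: need-to-know and private"
+puts "-n requests the server to not log the query"
+puts "-x outputs in XML"
+puts "-j outputs in JSON"
+puts "-y outputs in YAML"
+puts "-o outputs in SNORT formatted rules"
+puts "-t outputs in ASCII text (broken in 1.0.0)"
+puts "-d <delimiter> specifies the delimiter for text (default tab)"
+puts "<query> terms, usually domains, IPs, or CIDRs, that are being queried from the CIF"
+exit
+end
+
+def format_results(results,format,delim)
+return unless results
+case format
+when 'xml'
+results.to_xml
+when 'json'
+results.to_json
+when 'yaml'
+results.to_yaml
+when 'text'
+fields = nil
+output = ""
+results['entry'].each do |item|
+unless fields
+fields = item.keys
+output += fields.join(delim)+"\n"
+end
+sep = ""
+fields.each do |field|
+output += sep
+output += item[field].chomp if item[field] and item[field].class == String
+sep = delim
+end
+output += "\n"
+end
+output
+when 'snort'
+sid = 1
+output = ""
+results['entry'].each do |item|
+begin
+item = item['Incident']
+next unless item['EventData']['Flow']['System']['Node']['Address']
+portlist = item['EventData']['Flow']['System']['Service']['Portlist']
+rule = Snort::Rule.new
+
+rule.dst = item['EventData']['Flow']['System']['Node']['Address']
+rule.dport = portlist || 'any'
+rule.opts['msg'] = "#{item['restriction']} - #{item['description']}" if item['restriction'] and item['description']
+rule.opts['threshold'] = 'type limit,track by_src,count 1,seconds 3600'
+rule.opts['sid'] = sid
+sid += 1
+rule.opts['reference'] = item['AlternativeID']['IncidentID']['content'] if item['AlternativeID']['IncidentID']['content']
+output += rule.to_s + "\n"
+rescue Exception => e
+# do nothing
+end
+end
+output
+end
+end
+
+opts = GetoptLong.new(
+[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
+[ '--config', '-c', GetoptLong::REQUIRED_ARGUMENT ],
+[ '--severity', '-s', GetoptLong::REQUIRED_ARGUMENT ],
+[ '--restriction', '-r', GetoptLong::REQUIRED_ARGUMENT ],
+[ '--nolog', '-n', GetoptLong::NO_ARGUMENT ],
+[ '--xml', '-x', GetoptLong::NO_ARGUMENT ],
+[ '--json', '-j', GetoptLong::NO_ARGUMENT ],
+[ '--yaml', '-y', GetoptLong::NO_ARGUMENT ],
+[ '--delim', '-d', GetoptLong::REQUIRED_ARGUMENT ],
+[ '--text', '-t', GetoptLong::NO_ARGUMENT ],
+[ '--snort', '-o', GetoptLong::NO_ARGUMENT ]
+)
+config = "#{ENV['HOME']}/.cif"
+severity = nil
+restriction = nil
+nolog = false
+format = 'text'
+delim = "\t"
+
+opts.each do |opt, arg|
+case opt
+when '--help'
+usage
+when '--config'
+config = arg
+when '--severity'
+severity = arg
+when '--restriction'
+restriction = arg
+when '--nolog'
+nolog = true
+when '--xml'
+format = 'xml'
+when '--json'
+format = 'json'
+when '--yaml'
+format = 'yaml'
+when '--snort'
+format = 'snort'
+when '--delim'
+delim = arg
+when '--text'
+format = 'text'
+else
+usage
+end
+end
+usage if ARGV.length == 0
+unless(File.exists?(config))
+puts "cifcli requires a configuration file to work. It defaults to ~/.cif"
+puts "please refer to the documentation for more detail"
+exit
+end
+config = ConfigParser.new(config)
+host = config['client']['host']
+apikey = config['client']['apikey']
+client = CIF::Client.new(host,apikey,severity,restriction,nolog)
+ARGV.each do |query|
+puts format_results(client.query(query),format,delim)
+end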
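--- a/cif-client.gemspec
+++ b/cif-client.gemspec
@@ -20,6 +20,7 @@ Gem::Specification.new do |spec|
 
   spec.add_runtime_dependency "configparser", "~> 0.1.1"
   spec.add_runtime_dependency "json", "~> 1.4.3"
+  spec.add_runtime_dependency "snort-rule", "~> 0.0.1"
   spec.add_development_dependency "bundler", "~> 1.3"
   spec.add_development_dependency "rake"
 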
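--- a/lib/cif/client/version.rb
+++ b/lib/cif/client/version.rb
@@ -1,5 +1,5 @@
 module CIF
   class Client
-    VERSION = "1.0.2"
+    VERSION = "1.0.3"
   end
 end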
metadata CHANGED
@@ -1,158 +1,173 @@
1
- --- !ruby/object:Gem::Specification
1
+ --- !ruby/object:Gem::Specification
2
2
  name: cif-client
3
- version: !ruby/object:Gem::Version
4
- hash: 19
3
+ version: !ruby/object:Gem::Version
4
+ version: 1.0.3
5
5
  prerelease:
6
- segments:
7
- - 1
8
- - 0
9
- - 2
10
- version: 1.0.2
11
6
  platform: ruby
12
- authors:
7
+ authors:
13
8
  - chrislee35
14
9
  autorequire:
15
10
  bindir: bin
16
- cert_chain:
17
- - |
18
- -----BEGIN CERTIFICATE-----
19
- MIIDYjCCAkqgAwIBAgIBADANBgkqhkiG9w0BAQUFADBXMREwDwYDVQQDDAhydWJ5
20
- Z2VtczEYMBYGCgmSJomT8ixkARkWCGNocmlzbGVlMRMwEQYKCZImiZPyLGQBGRYD
21
- ZGhzMRMwEQYKCZImiZPyLGQBGRYDb3JnMB4XDTEzMDUyMjEyNTk0N1oXDTE0MDUy
22
- MjEyNTk0N1owVzERMA8GA1UEAwwIcnVieWdlbXMxGDAWBgoJkiaJk/IsZAEZFghj
23
- aHJpc2xlZTETMBEGCgmSJomT8ixkARkWA2RoczETMBEGCgmSJomT8ixkARkWA29y
24
- ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANcPrx8BZiWIR9xWWG8I
25
- tqR538tS1t+UJ4FZFl+1vrtU9TiuWX3Vj37TwUpa2fFkziK0n5KupVThyEhcem5m
26
- OGRjvgrRFbWQJSSscIKOpwqURHVKRpV9gVz/Hnzk8S+xotUR1Buo3Ugr+I1jHewD
27
- Cgr+y+zgZbtjtHsJtsuujkOcPhEjjUinj68L9Fz9BdeJQt+IacjwAzULix6jWCht
28
- Uc+g+0z8Esryca2G6I1GsrgX6WHw8dykyQDT9dCtS2flCOwSC1R0K5T/xHW54f+5
29
- wcw8mm53KLNe+tmgVC6ZHyME+qJsBnP6uxF0aTEnGA/jDBQDhQNTF0ZP/abzyTsL
30
- zjUCAwEAAaM5MDcwCQYDVR0TBAIwADALBgNVHQ8EBAMCBLAwHQYDVR0OBBYEFO8w
31
- +aeP7T6kVJblCg6eusOII9DfMA0GCSqGSIb3DQEBBQUAA4IBAQBCQyRJLXsBo2Fy
32
- 8W6e/W4RemQRrlAw9DK5O6U71JtedVob2oq+Ob+zmS+PifE2+L+3RiJ2H6VTlOzi
33
- x+A061MUXhGraqVq4J2FC8kt4EQywAD0P0Ta5GU24CGSF08Y3GkJy1Sa4XqTC2YC
34
- o51s7JP+tkCCtpVYSdzJhTllieRAWBpGV1dtaoeUKE6tYPMBkosxSRcVGczk/Sc3
35
- 7eQCpexYy9JlUBI9u3BqIY9E+l+MSn8ihXSPmyK0DgrhaCu+voaSFVOX6Y+B5qbo
36
- jLXMQu2ZgISYwXNjNbGVHehut82U7U9oiHoWcrOGazaRUmGO9TXP+aJLH0gw2dcK
37
- AfMglXPi
38
- -----END CERTIFICATE-----
39
-
40
- date: 2013-06-02 00:00:00 Z
41
- dependencies:
42
- - !ruby/object:Gem::Dependency
11
+ cert_chain:
12
+ - !binary |-
13
+ LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURZakNDQWtxZ0F3SUJB
14
+ Z0lCQURBTkJna3Foa2lHOXcwQkFRVUZBREJYTVJFd0R3WURWUVFEREFoeWRX
15
+ SjUKWjJWdGN6RVlNQllHQ2dtU0pvbVQ4aXhrQVJrV0NHTm9jbWx6YkdWbE1S
16
+ TXdFUVlLQ1pJbWlaUHlMR1FCR1JZRApaR2h6TVJNd0VRWUtDWkltaVpQeUxH
17
+ UUJHUllEYjNKbk1CNFhEVEV6TURVeU1qRXlOVGswTjFvWERURTBNRFV5Ck1q
18
+ RXlOVGswTjFvd1Z6RVJNQThHQTFVRUF3d0ljblZpZVdkbGJYTXhHREFXQmdv
19
+ SmtpYUprL0lzWkFFWkZnaGoKYUhKcGMyeGxaVEVUTUJFR0NnbVNKb21UOGl4
20
+ a0FSa1dBMlJvY3pFVE1CRUdDZ21TSm9tVDhpeGtBUmtXQTI5eQpaekNDQVNJ
21
+ d0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFOY1ByeDhC
22
+ WmlXSVI5eFdXRzhJCnRxUjUzOHRTMXQrVUo0RlpGbCsxdnJ0VTlUaXVXWDNW
23
+ ajM3VHdVcGEyZkZremlLMG41S3VwVlRoeUVoY2VtNW0KT0dSanZnclJGYldR
24
+ SlNTc2NJS09wd3FVUkhWS1JwVjlnVnovSG56azhTK3hvdFVSMUJ1bzNVZ3Ir
25
+ STFqSGV3RApDZ3IreSt6Z1pidGp0SHNKdHN1dWprT2NQaEVqalVpbmo2OEw5
26
+ Rno5QmRlSlF0K0lhY2p3QXpVTGl4NmpXQ2h0ClVjK2crMHo4RXNyeWNhMkc2
27
+ STFHc3JnWDZXSHc4ZHlreVFEVDlkQ3RTMmZsQ093U0MxUjBLNVQveEhXNTRm
28
+ KzUKd2N3OG1tNTNLTE5lK3RtZ1ZDNlpIeU1FK3FKc0JuUDZ1eEYwYVRFbkdB
29
+ L2pEQlFEaFFOVEYwWlAvYWJ6eVRzTAp6alVDQXdFQUFhTTVNRGN3Q1FZRFZS
30
+ MFRCQUl3QURBTEJnTlZIUThFQkFNQ0JMQXdIUVlEVlIwT0JCWUVGTzh3Cith
31
+ ZVA3VDZrVkpibENnNmV1c09JSTlEZk1BMEdDU3FHU0liM0RRRUJCUVVBQTRJ
32
+ QkFRQkNReVJKTFhzQm8yRnkKOFc2ZS9XNFJlbVFScmxBdzlESzVPNlU3MUp0
33
+ ZWRWb2Iyb3ErT2Irem1TK1BpZkUyK0wrM1JpSjJINlZUbE96aQp4K0EwNjFN
34
+ VVhoR3JhcVZxNEoyRkM4a3Q0RVF5d0FEMFAwVGE1R1UyNENHU0YwOFkzR2tK
35
+ eTFTYTRYcVRDMllDCm81MXM3SlArdGtDQ3RwVllTZHpKaFRsbGllUkFXQnBH
36
+ VjFkdGFvZVVLRTZ0WVBNQmtvc3hTUmNWR2N6ay9TYzMKN2VRQ3BleFl5OUps
37
+ VUJJOXUzQnFJWTlFK2wrTVNuOGloWFNQbXlLMERncmhhQ3Urdm9hU0ZWT1g2
38
+ WStCNXFibwpqTFhNUXUyWmdJU1l3WE5qTmJHVkhlaHV0ODJVN1U5b2lIb1dj
39
+ ck9HYXphUlVtR085VFhQK2FKTEgwZ3cyZGNLCkFmTWdsWFBpCi0tLS0tRU5E
40
+ IENFUlRJRklDQVRFLS0tLS0K
41
+ date: 2013-06-02 00:00:00.000000000 Z
42
+ dependencies:
43
+ - !ruby/object:Gem::Dependency
43
44
  name: configparser
44
- version_requirements: &id001 !ruby/object:Gem::Requirement
45
+ requirement: !ruby/object:Gem::Requirement
45
46
  none: false
46
- requirements:
47
+ requirements:
47
48
  - - ~>
48
- - !ruby/object:Gem::Version
49
- hash: 25
50
- segments:
51
- - 0
52
- - 1
53
- - 1
49
+ - !ruby/object:Gem::Version
54
50
  version: 0.1.1
55
- prerelease: false
56
51
  type: :runtime
57
- requirement: *id001
58
- - !ruby/object:Gem::Dependency
52
+ prerelease: false
53
+ version_requirements: !ruby/object:Gem::Requirement
54
+ none: false
55
+ requirements:
56
+ - - ~>
57
+ - !ruby/object:Gem::Version
58
+ version: 0.1.1
59
+ - !ruby/object:Gem::Dependency
59
60
  name: json
60
- version_requirements: &id002 !ruby/object:Gem::Requirement
61
+ requirement: !ruby/object:Gem::Requirement
61
62
  none: false
62
- requirements:
63
+ requirements:
63
64
  - - ~>
64
- - !ruby/object:Gem::Version
65
- hash: 1
66
- segments:
67
- - 1
68
- - 4
69
- - 3
65
+ - !ruby/object:Gem::Version
70
66
  version: 1.4.3
67
+ type: :runtime
71
68
  prerelease: false
69
+ version_requirements: !ruby/object:Gem::Requirement
70
+ none: false
71
+ requirements:
72
+ - - ~>
73
+ - !ruby/object:Gem::Version
74
+ version: 1.4.3
75
+ - !ruby/object:Gem::Dependency
76
+ name: snort-rule
77
+ requirement: !ruby/object:Gem::Requirement
78
+ none: false
79
+ requirements:
80
+ - - ~>
81
+ - !ruby/object:Gem::Version
82
+ version: 0.0.1
72
83
  type: :runtime
73
- requirement: *id002
74
- - !ruby/object:Gem::Dependency
84
+ prerelease: false
85
+ version_requirements: !ruby/object:Gem::Requirement
86
+ none: false
87
+ requirements:
88
+ - - ~>
89
+ - !ruby/object:Gem::Version
90
+ version: 0.0.1
91
+ - !ruby/object:Gem::Dependency
75
92
  name: bundler
76
- version_requirements: &id003 !ruby/object:Gem::Requirement
93
+ requirement: !ruby/object:Gem::Requirement
77
94
  none: false
78
- requirements:
95
+ requirements:
79
96
  - - ~>
80
- - !ruby/object:Gem::Version
81
- hash: 9
82
- segments:
83
- - 1
84
- - 3
85
- version: "1.3"
86
- prerelease: false
97
+ - !ruby/object:Gem::Version
98
+ version: '1.3'
87
99
  type: :development
88
- requirement: *id003
89
- - !ruby/object:Gem::Dependency
100
+ prerelease: false
101
+ version_requirements: !ruby/object:Gem::Requirement
102
+ none: false
103
+ requirements:
104
+ - - ~>
105
+ - !ruby/object:Gem::Version
106
+ version: '1.3'
107
+ - !ruby/object:Gem::Dependency
90
108
  name: rake
91
- version_requirements: &id004 !ruby/object:Gem::Requirement
109
+ requirement: !ruby/object:Gem::Requirement
92
110
  none: false
93
- requirements:
94
- - - ">="
95
- - !ruby/object:Gem::Version
96
- hash: 3
97
- segments:
98
- - 0
99
- version: "0"
100
- prerelease: false
111
+ requirements:
112
+ - - ! '>='
113
+ - !ruby/object:Gem::Version
114
+ version: '0'
101
115
  type: :development
102
- requirement: *id004
103
- description: CIF is a cyber threat intelligence management system. CIF allows you to combine known malicious threat information from many sources and use that information for identification (incident response), detection (IDS) and mitigation (null route). The most common types of threat intelligence warehoused in CIF are IP addresses, domains and urls that are observed to be related to malicious activity.
104
- email:
116
+ prerelease: false
117
+ version_requirements: !ruby/object:Gem::Requirement
118
+ none: false
119
+ requirements:
120
+ - - ! '>='
121
+ - !ruby/object:Gem::Version
122
+ version: '0'
123
+ description: CIF is a cyber threat intelligence management system. CIF allows you
124
+ to combine known malicious threat information from many sources and use that information
125
+ for identification (incident response), detection (IDS) and mitigation (null route).
126
+ The most common types of threat intelligence warehoused in CIF are IP addresses,
127
+ domains and urls that are observed to be related to malicious activity.
128
+ email:
105
129
  - rubygems@chrislee.dhs.org
106
- executables: []
107
-
130
+ executables:
131
+ - cifcli
108
132
  extensions: []
109
-
110
133
  extra_rdoc_files: []
111
-
112
- files:
134
+ files:
113
135
  - .gitignore
114
136
  - Gemfile
115
137
  - LICENSE.txt
116
138
  - README.md
117
139
  - Rakefile
140
+ - bin/cifcli
118
141
  - cif-client.gemspec
119
142
  - lib/cif/client.rb
120
143
  - lib/cif/client/version.rb
121
144
  - test/helper.rb
122
145
  - test/test_cif-client.rb
123
146
  homepage: https://code.google.com/p/collective-intelligence-framework/
124
- licenses:
147
+ licenses:
125
148
  - MIT
126
149
  post_install_message:
127
150
  rdoc_options: []
128
-
129
- require_paths:
151
+ require_paths:
130
152
  - lib
131
- required_ruby_version: !ruby/object:Gem::Requirement
153
+ required_ruby_version: !ruby/object:Gem::Requirement
132
154
  none: false
133
- requirements:
134
- - - ">="
135
- - !ruby/object:Gem::Version
136
- hash: 3
137
- segments:
138
- - 0
139
- version: "0"
140
- required_rubygems_version: !ruby/object:Gem::Requirement
155
+ requirements:
156
+ - - ! '>='
157
+ - !ruby/object:Gem::Version
158
+ version: '0'
159
+ required_rubygems_version: !ruby/object:Gem::Requirement
141
160
  none: false
142
- requirements:
143
- - - ">="
144
- - !ruby/object:Gem::Version
145
- hash: 3
146
- segments:
147
- - 0
148
- version: "0"
161
+ requirements:
162
+ - - ! '>='
163
+ - !ruby/object:Gem::Version
164
+ version: '0'
149
165
  requirements: []
150
-
151
166
  rubyforge_project:
152
167
  rubygems_version: 1.8.25
153
168
  signing_key:
154
169
  specification_version: 3
155
170
  summary: Ruby-based client and library for the Collective Intelligence Framework
156
- test_files:
171
+ test_files:
157
172
  - test/helper.rb
158
173
  - test/test_cif-client.rb
metadata.gz.sig CHANGED
Binary file