intelmq-extensions 1.8.1__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- intelmq_extensions/__init__.py +0 -0
- intelmq_extensions/bots/__init__.py +0 -0
- intelmq_extensions/bots/collectors/blackkite/__init__.py +0 -0
- intelmq_extensions/bots/collectors/blackkite/_client.py +167 -0
- intelmq_extensions/bots/collectors/blackkite/collector.py +182 -0
- intelmq_extensions/bots/collectors/disp/__init__.py +0 -0
- intelmq_extensions/bots/collectors/disp/_client.py +121 -0
- intelmq_extensions/bots/collectors/disp/collector.py +104 -0
- intelmq_extensions/bots/collectors/xmpp/__init__.py +0 -0
- intelmq_extensions/bots/collectors/xmpp/collector.py +210 -0
- intelmq_extensions/bots/experts/__init__.py +0 -0
- intelmq_extensions/bots/experts/certat_contact_intern/__init__.py +0 -0
- intelmq_extensions/bots/experts/certat_contact_intern/expert.py +139 -0
- intelmq_extensions/bots/experts/copy_extra/__init__.py +0 -0
- intelmq_extensions/bots/experts/copy_extra/expert.py +27 -0
- intelmq_extensions/bots/experts/event_group_splitter/__init__.py +0 -0
- intelmq_extensions/bots/experts/event_group_splitter/expert.py +117 -0
- intelmq_extensions/bots/experts/event_splitter/__init__.py +0 -0
- intelmq_extensions/bots/experts/event_splitter/expert.py +41 -0
- intelmq_extensions/bots/experts/squelcher/__init__.py +0 -0
- intelmq_extensions/bots/experts/squelcher/expert.py +316 -0
- intelmq_extensions/bots/experts/vulnerability_lookup/__init__.py +0 -0
- intelmq_extensions/bots/experts/vulnerability_lookup/expert.py +136 -0
- intelmq_extensions/bots/outputs/__init__.py +0 -0
- intelmq_extensions/bots/outputs/mattermost/__init__.py +0 -0
- intelmq_extensions/bots/outputs/mattermost/output.py +113 -0
- intelmq_extensions/bots/outputs/to_logs/__init__.py +0 -0
- intelmq_extensions/bots/outputs/to_logs/output.py +12 -0
- intelmq_extensions/bots/outputs/xmpp/__init__.py +0 -0
- intelmq_extensions/bots/outputs/xmpp/output.py +180 -0
- intelmq_extensions/bots/parsers/__init__.py +0 -0
- intelmq_extensions/bots/parsers/blackkite/__init__.py +0 -0
- intelmq_extensions/bots/parsers/blackkite/_transformers.py +202 -0
- intelmq_extensions/bots/parsers/blackkite/parser.py +65 -0
- intelmq_extensions/bots/parsers/disp/__init__.py +0 -0
- intelmq_extensions/bots/parsers/disp/parser.py +125 -0
- intelmq_extensions/bots/parsers/malwaredomains/__init__.py +0 -0
- intelmq_extensions/bots/parsers/malwaredomains/parser.py +63 -0
- intelmq_extensions/cli/__init__.py +0 -0
- intelmq_extensions/cli/create_reports.py +161 -0
- intelmq_extensions/cli/intelmqcli.py +657 -0
- intelmq_extensions/cli/lib.py +670 -0
- intelmq_extensions/cli/utils.py +12 -0
- intelmq_extensions/etc/harmonization.conf +434 -0
- intelmq_extensions/etc/squelcher.conf +52 -0
- intelmq_extensions/lib/__init__.py +0 -0
- intelmq_extensions/lib/api_helpers.py +105 -0
- intelmq_extensions/lib/blackkite.py +29 -0
- intelmq_extensions/tests/__init__.py +0 -0
- intelmq_extensions/tests/base.py +336 -0
- intelmq_extensions/tests/bots/__init__.py +0 -0
- intelmq_extensions/tests/bots/collectors/__init__.py +0 -0
- intelmq_extensions/tests/bots/collectors/blackkite/__init__.py +0 -0
- intelmq_extensions/tests/bots/collectors/blackkite/base.py +45 -0
- intelmq_extensions/tests/bots/collectors/blackkite/test_client.py +154 -0
- intelmq_extensions/tests/bots/collectors/blackkite/test_collector.py +287 -0
- intelmq_extensions/tests/bots/collectors/disp/__init__.py +0 -0
- intelmq_extensions/tests/bots/collectors/disp/base.py +147 -0
- intelmq_extensions/tests/bots/collectors/disp/test_client.py +134 -0
- intelmq_extensions/tests/bots/collectors/disp/test_collector.py +137 -0
- intelmq_extensions/tests/bots/collectors/xmpp/__init__.py +0 -0
- intelmq_extensions/tests/bots/collectors/xmpp/test_collector.py +10 -0
- intelmq_extensions/tests/bots/experts/__init__.py +0 -0
- intelmq_extensions/tests/bots/experts/certat_contact_intern/__init__.py +0 -0
- intelmq_extensions/tests/bots/experts/certat_contact_intern/test_expert.py +176 -0
- intelmq_extensions/tests/bots/experts/copy_extra/__init__.py +0 -0
- intelmq_extensions/tests/bots/experts/copy_extra/test_expert.py +42 -0
- intelmq_extensions/tests/bots/experts/event_group_splitter/__init__.py +0 -0
- intelmq_extensions/tests/bots/experts/event_group_splitter/test_expert.py +302 -0
- intelmq_extensions/tests/bots/experts/event_splitter/__init__.py +0 -0
- intelmq_extensions/tests/bots/experts/event_splitter/test_expert.py +101 -0
- intelmq_extensions/tests/bots/experts/squelcher/__init__.py +0 -0
- intelmq_extensions/tests/bots/experts/squelcher/test_expert.py +548 -0
- intelmq_extensions/tests/bots/experts/vulnerability_lookup/__init__.py +0 -0
- intelmq_extensions/tests/bots/experts/vulnerability_lookup/test_expert.py +203 -0
- intelmq_extensions/tests/bots/outputs/__init__.py +0 -0
- intelmq_extensions/tests/bots/outputs/mattermost/__init__.py +0 -0
- intelmq_extensions/tests/bots/outputs/mattermost/test_output.py +138 -0
- intelmq_extensions/tests/bots/outputs/xmpp/__init__.py +0 -0
- intelmq_extensions/tests/bots/outputs/xmpp/test_output.py +10 -0
- intelmq_extensions/tests/bots/parsers/__init__.py +0 -0
- intelmq_extensions/tests/bots/parsers/blackkite/__init__.py +0 -0
- intelmq_extensions/tests/bots/parsers/blackkite/data.py +69 -0
- intelmq_extensions/tests/bots/parsers/blackkite/test_parser.py +197 -0
- intelmq_extensions/tests/bots/parsers/disp/__init__.py +0 -0
- intelmq_extensions/tests/bots/parsers/disp/test_parser.py +282 -0
- intelmq_extensions/tests/bots/parsers/malwaredomains/__init__.py +0 -0
- intelmq_extensions/tests/bots/parsers/malwaredomains/test_parser.py +62 -0
- intelmq_extensions/tests/cli/__init__.py +0 -0
- intelmq_extensions/tests/cli/test_create_reports.py +97 -0
- intelmq_extensions/tests/cli/test_intelmqcli.py +158 -0
- intelmq_extensions/tests/lib/__init__.py +0 -0
- intelmq_extensions/tests/lib/base.py +81 -0
- intelmq_extensions/tests/lib/test_api_helpers.py +126 -0
- intelmq_extensions-1.8.1.dist-info/METADATA +60 -0
- intelmq_extensions-1.8.1.dist-info/RECORD +100 -0
- intelmq_extensions-1.8.1.dist-info/WHEEL +5 -0
- intelmq_extensions-1.8.1.dist-info/entry_points.txt +33 -0
- intelmq_extensions-1.8.1.dist-info/licenses/LICENSE +661 -0
- intelmq_extensions-1.8.1.dist-info/top_level.txt +1 -0
|
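--- a/intelmq_extensions/cli/create_reports.py
+++ b/intelmq_extensions/cli/create_reports.py
@@ -0,0 +1,161 @@
+# -*- coding: utf-8 -*-
+"""
+Create RTIR reports for data without, per feed.code
+
+https://github.com/certat/intelmq/issues/53#issuecomment-235338136
+
+evlist = get all open events where report_id IS NULL
+foreach distinct feed.codes in evlist
+report_data = create a zipped json file (minus raw attribute) with events from current feed.code
+create report with attachment report_data
+set report_id for the used events to newly created report
+
+TODO: Non-batch mode
+"""
+import datetime
+import io
+import json
+import sys
+import time
+import zipfile
+
+from intelmq_extensions.cli import lib
+
+
+class IntelMQCLIContoller(lib.IntelMQCLIContollerTemplate):
+    appname = "intelmqcli_create_reports"
+    retval = 0
+
+    def run(self, args: list):
+        self.parser.add_argument(
+            "-l", "--list-feeds", action="store_true", help="List all open feeds"
+        )
+        self.parser.add_argument(
+            "--internal-notify",
+            action="store_true",
+            help=(
+                "Create open incident reports for further manual work. "
+                "Ignore the notify and abuse contact fields filtering; "
+                "do not set IntelMQ as ticket owner."
+            ),
+        )
+
+        self.setup(args)
+        self.connect_database()
+
+        if self.args.list_feeds:
+            self.execute(lib.QUERY_OPEN_FEEDCODES)
+            for row in self.cur.fetchall():
+                if row["feed.code"]:
+                    print(row["feed.code"])
+            return 0
+
+        if not self.rt.login():
+            self.logger.error(
+                "Could not login as {} on {}.".format(
+                    self.config["rt"]["user"], self.config["rt"]["uri"]
+                )
+            )
+            return 2
+        else:
+            self.logger.info(
+                "Logged in as {} on {}.".format(
+                    self.config["rt"]["user"], self.config["rt"]["uri"]
+                )
+            )
+
+        feedcodes_query = lib.QUERY_OPEN_FEEDCODES
+        events_query = lib.QUERY_OPEN_EVENTS_BY_FEEDCODE
+        ticket_kwargs = dict(Owner=self.config["rt"]["user"])
+        if self.args.internal_notify:
+            feedcodes_query = lib.INTERNAL_QUERY_OPEN_FEEDCODES
+            events_query = lib.INTERNAL_QUERY_OPEN_EVENTS_BY_FEEDCODE
+            ticket_kwargs = dict()
+
+        self.execute(feedcodes_query)
+        feedcodes = [x["feed.code"] for x in self.cur.fetchall()]
+        if feedcodes:
+            self.logger.info(
+                "All feeds: " + ", ".join(["%r"] * len(feedcodes)) % tuple(feedcodes)
+            )
+        else:
+            self.logger.info("Nothing to do.")
+        for feedcode in feedcodes:
+            self.logger.info("Handling feedcode {!r}.".format(feedcode))
+            self.execute(events_query, (feedcode,))
+            feeddata = []
+            self.logger.info("Found %s events." % self.cur.rowcount)
+            for row in self.cur:
+                """
+                First, we ignore None-data
+                Second, we ignore raw
+                Third, we convert everything to strings, e.g. datetime-objects
+                """
+                feeddata.append(
+                    {
+                        k: (str(v) if isinstance(v, datetime.datetime) else v)
+                        for k, v in row.items()
+                        if v is not None and k != "raw"
+                    }
+                )
+
+            attachment = io.BytesIO()
+            ziphandle = zipfile.ZipFile(
+                attachment, mode="w", compression=zipfile.ZIP_DEFLATED
+            )
+            ziphandle.writestr(
+                "events.json",
+                json.dumps(feeddata, sort_keys=True, indent=4, separators=(",", ": ")),
+            )
+            ziphandle.close()
+            attachment.seek(0)
+            subject = "Reports of {} on {}".format(feedcode, time.strftime("%Y-%m-%d"))
+
+            if self.dryrun:
+                self.logger.info("Dry run: Skipping creation of report.")
+                report_id = None
+            else:
+                report_id = self.rt.create_ticket(
+                    Queue="Incident Reports",
+                    Subject=subject,
+                    Requestor=self.config["rt"]["incident_report_requestor"].format(
+                        feedcode=feedcode
+                    ),
+                    **ticket_kwargs,
+                )
+                if report_id == -1:
+                    self.logger.error(
+                        "Could not create Incident ({}).".format(report_id)
+                    )
+                    return 1
+                else:
+                    self.logger.info("Created Report {}.".format(report_id))
+
+            if self.dryrun:
+                self.logger.info("Dry run: Skipping creation of attachment.")
+            else:
+                comment_id = self.rt.comment(
+                    report_id, files=[("events.zip", attachment, "application/zip")]
+                )
+                if not comment_id:
+                    self.logger.error("Could not correspond with file.")
+                    return 1
+
+            if not self.dryrun:
+                self.executemany(
+                    "UPDATE {events} SET rtir_report_id = %s WHERE id = %s",
+                    [(report_id, row["id"]) for row in feeddata],
+                    extend=False,
+                )
+                self.con.commit()
+                self.logger.info("Linked events to report.")
+        return 0
+
+
+def main():
+    controller = IntelMQCLIContoller()
+    sys.exit(controller.run(sys.argv[1:]))
+
+
+if __name__ == "__main__":
+    main()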
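Review bot: A failed attachment (the `if not comment_id:` branch near the end of `run`) leaves an orphaned RT ticket: `create_ticket` has already run, the events are never linked because the `UPDATE ... SET rtir_report_id` is skipped, so the next run opens a second report for the same feed, and the log line `Could not correspond with file.` does not even record which ticket was affected. At minimum include the id so an operator can reconcile: `self.logger.error("Could not attach events.zip to report %s; its events stay unlinked and will be reported again.", report_id)`. Separately, the inner docstring says "we convert everything to strings", but the comprehension only handles `datetime.datetime`; any other non-JSON type the database driver returns (dates, IP address objects, Decimals) will raise TypeError in `json.dumps` and abort the whole run — `json.dumps(feeddata, sort_keys=True, indent=4, separators=(",", ": "), default=str)` would match the stated intent. The `UPDATE` itself is parameterized; only the `{events}` table name is substituted, presumably from configuration inside `executemany` rather than from event data, which is worth confirming against `lib`.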