# build_phish:
#
# pcain - 10/2012.
#
# This routine does the compilation of stuff to create a PhraudReport and
# an EventData structure. The pieces of an EventData are different enough for
# different event types that it's easier to let each have their own.
#
from datetime import datetime

import iodef.base
import iodef.phish
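def build_eventData( config, stuff, impactStr, methodStr, descriptionStr, detectTimeStr ):
    """Assemble an iodef EventData wrapping an event-type-specific payload.

    Args:
        config: ConfigParser-like object; ``config.get('iodef', 'Language')``
            supplies the language tag for the Description and Impact strings.
        stuff: Event-type-specific payload (for phish, a PhraudReport) carried
            as ``AdditionalData``; its Python type is recorded alongside it.
        impactStr: Text for the Assessment/Impact element.
        methodStr: Text for the Method description.
        descriptionStr: Text for the event Description.
        detectTimeStr: Detection time, stored verbatim in ``DetectTime``.

    Returns:
        A populated ``iodef.base.EventData``.
    """
    lang = config.get('iodef', 'Language')

    eventData = iodef.base.EventData()

    # Non-iodef extension: the payload itself, plus its type, as an xml extension.
    eventAdditionalData = iodef.base.ExtensionType(dtype='xml')
    eventAdditionalData.content_ = [stuff]
    eventAdditionalData.anytypeobjs_ = []
    # NOTE(review): this registers type(stuff), not stuff, as the anytype
    # object; content_ already holds the payload, so it looks deliberate —
    # confirm against the exporter.
    eventAdditionalData.add_anytypeobjs_(type(stuff))
    eventData.add_AdditionalData(eventAdditionalData)

    # Common EventData fields used in every APWG report.
    eventData.Description = [iodef.base.MLStringType(lang=lang, valueOf_=descriptionStr)]
    eventData.DetectTime = detectTimeStr

    eventAssessment = iodef.base.Assessment()
    impact = iodef.base.Impact()
    impact.lang = lang
    # Call the setter.  The original did ``impact.setValueOf_ = impactStr``,
    # which replaces the method with a string and never sets the Impact value
    # (the disabled Confidence code below shows the intended call form).
    impact.setValueOf_(impactStr)
    # Confidence reporting was disabled by the original author:
    #   confidence = iodef.Confidence.factory()
    #   confidence.rating = config.get('iodef-Event','Confidence-rating')
    #   confidence.setValueOf_( config.get('iodef-Event','Confidence-value'))
    #   impact.add_Confidence( confidence)
    eventAssessment.add_Impact(impact)
    eventData.Assessment = eventAssessment

    method = iodef.base.Method()
    # NOTE(review): the language tag is hard-coded to 'po-MI' here while the
    # other strings use the configured language — looks like a leftover; confirm.
    method.Description = [iodef.base.MLStringType(lang='po-MI', valueOf_=methodStr)]
    eventData.add_Method(method)

    return eventData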
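def build_phraudReport( config, phishStruct, message):
    """Build an iodef PhraudReport (APWG phishing extension) from a parsed phish.

    The values in ``phishStruct`` and ``message`` come from the reported
    e-mail and are therefore attacker-controlled; they are stored on the
    iodef objects as plain values, so any XML escaping must be done by the
    serializer, not assumed here.

    Args:
        config: ConfigParser-like object; reads ``phish/DcSiteConfidence``,
            ``phish/SensorType`` and ``iodef-Contact/Timezone``.
        phishStruct: dict with keys ``collector`` (a dict with ``type``,
            ``uri``, ``confidence`` and ``lang``), ``lang``, ``count``,
            ``datetime``, ``brand`` and ``subject``.
        message: The phishing e-mail, stored as the EmailRecord message.

    Returns:
        A populated ``iodef.phish.PhraudReport``.
    """
    collector = phishStruct['collector']
    dcType = collector['type']
    dCSite = iodef.phish.DCSite_type(DCType=dcType, Node=None, DomainData=None, Assessment=None)
    # Fall back to the configured default when no confidence was supplied
    # (``or`` also replaces a supplied 0 with the default — kept as in the original).
    confidence = collector['confidence'] or config.get('phish', 'DcSiteConfidence')

    def _collector_uri():
        """The collector URI as an MLStringType tagged with the phish language."""
        return iodef.base.MLStringType(valueOf_=collector['uri'], lang=phishStruct['lang'])

    # Exactly one DCSite child is populated, chosen by the collector type;
    # an unrecognised type leaves the DCSite empty (unchanged behaviour).
    if dcType == 'web':
        dCSite.set_SiteURL(iodef.phish.SiteURLType(confidence=confidence, valueOf_=_collector_uri()))
    elif dcType == 'email':
        dCSite.set_EmailSite(iodef.phish.EmailSiteType(confidence=confidence, valueOf_=_collector_uri()))
    elif dcType == 'unspecified':
        dCSite.set_Unknown(iodef.phish.UnknownType(confidence=confidence, valueOf_=_collector_uri()))
    elif dcType == 'automation':
        siteAddress = iodef.phish.SystemType()
        siteAddress.set_confidence(confidence)
        siteAddress.set_Address(iodef.base.Address(valueOf_=collector['uri']))
        dCSite.set_System(siteAddress)
    elif dcType == 'domain':
        dCSite.set_Domain(iodef.phish.DomainType(confidence=confidence, valueOf_=_collector_uri()))
    # 'phonenumber' collectors were left unhandled by the original author:
    #   siteEmail = iodef.phish.EmailSiteType(confidence=confidence,
    #                                         valueOf_=phishStruct['collector']['url'])
    #   dCSite.set_SiteEmail( siteEmail)

    eMail = iodef.phish.EmailRecord_type(EmailCount=phishStruct['count'], EmailComments=None)
    # NOTE(review): this uses collector['lang'], whereas the DCSite strings
    # above use phishStruct['lang'] — confirm which tag is intended.
    eMail.set_EmailMessage(iodef.base.MLStringType(valueOf_=message, lang=collector['lang']))

    # No lure source is extracted yet, so record a placeholder 'unknown' system.
    lureSystem = iodef.base.System()
    lureSystem.set_Node(iodef.base.Node(NodeName=[iodef.base.MLStringType(valueOf_='unknown')]))
    lure = iodef.phish.LureSource_type()
    lure.add_System(lureSystem)

    origSens = iodef.phish.OriginatingSensor_type()
    origSens.OriginatingSensorType = config.get('phish', 'SensorType')
    # Default the first-seen time to "now" in UTC (whole seconds) plus the
    # configured timezone suffix.  ``datetime`` was never imported in the
    # original file, so this fallback raised NameError whenever
    # phishStruct['datetime'] was empty; the import is now at file top.
    origSens.DateFirstSeen = phishStruct['datetime'] or (
        datetime.utcnow().replace(microsecond=0).isoformat()
        + config.get('iodef-Contact', 'Timezone'))
    origSens.add_System(lureSystem)

    brands = [iodef.base.MLStringType(lang='en-US', valueOf_=phishStruct['brand'])]
    phraudReport = iodef.phish.PhraudReport.factory(
        ext_value=None, Version='1.0',
        FraudType='phishing',
        PhishNameRef=None,
        PhishNameLocalRef=None,
        FraudParameter=iodef.base.MLStringType(valueOf_=phishStruct['subject']),
        FraudedBrandName=brands,
        LureSource=[lure],
        OriginatingSensor=[origSens],
        EmailRecord=eMail,
        DCSite=[dCSite],
        TakeDownInfo=None,
        ArchivedData=None,
        RelatedData=None,
        CorrelationData=None,
        PRComments=None)
    return phraudReport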