''' bot_fromStruct.py
This file receives a filled-in botStruct and generates an
IODEF-compliant APWG Bot reporting Document.
[1] - pcain@apwg.org - 8/2012
'''
import uuid, sys, time, getopt, StringIO
from datetime import datetime
sys.path.append('../common')
sys.path.append('../')
import iodef.base
import iodef.bot
import iodef.markings
from send_to_apwg import send_to_apwg
from askQuestions import askQuestions
# Path of the INI file loaded by readConfig(); relative to the current working directory.
CONFIG = './iodef_bot_config.ini'
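def readConfig(path=None):
    """Load the INI configuration that drives the IODEF document.

    path -- INI file to read; defaults to the module-level CONFIG.
    Returns a ConfigParser-style object (config.get(section, option)).
    Raises IOError if the file cannot be read: ConfigParser.read() silently
    skips unreadable files, which would otherwise surface later as a
    confusing NoSectionError on the first config.get().
    """
    try:
        import configparser  # Python 3
        parser = configparser.ConfigParser()
    except ImportError:
        import ConfigParser  # Python 2
        parser = ConfigParser.SafeConfigParser()
    if path is None:
        path = CONFIG
    if not parser.read(path):
        raise IOError("cannot read configuration file %r" % (path,))
    return parser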
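def _build_system(role, host):
    """Return a System element describing one endpoint of the bot flow.

    role -- value for ext_category ('infected', 'controller' or 'infector').
    host -- dict with 'addressType', 'address' and 'dnsName' keys, the shape
            botStruct uses for its 'infectee', 'controller' and 'infector' entries.
    """
    node = iodef.base.Node(
        Address=[iodef.base.Address(category=host['addressType'], valueOf_=host['address'])],
        NodeName=[iodef.base.MLStringType(valueOf_=host['dnsName'])])
    return iodef.base.System(category='ext-value', ext_category=role, Node=node)


def build_botDetails(botStruct, config):
    """Build the EventData for an infected-system report.

    botStruct -- dict with keys botType, botVersion, detectedBy, botNetName,
                 botActivity, detectTime, infectee, controller and optionally
                 infector; the last three are host dicts (see _build_system()).
    config    -- ConfigParser holding the [iodef] and [iodef-Event] sections.
    Returns an iodef.base.EventData whose AdditionalData carries the
    BotDetails extension.
    Raises KeyError when a required botStruct key is missing.
    """
    eventData = iodef.base.EventData()
    botDetails = iodef.bot.BotDetails(
        BotType=[iodef.base.MLStringType(valueOf_=botStruct['botType'])],
        BotVersion=botStruct['botVersion'],
        DetectedBy=botStruct['detectedBy'],
        BotNetName=iodef.base.MLStringType(valueOf_=botStruct['botNetName']),
        BotActivity=iodef.base.MLStringType(valueOf_=botStruct['botActivity']))
    # Boilerplate EventData shared by all APWG reports.
    language = config.get('iodef', 'Language')
    eventData.Description = [iodef.base.MLStringType(
        lang=language, valueOf_=config.get('iodef-Event', 'Description'))]
    eventData.DetectTime = botStruct['detectTime']
    impact = iodef.base.Impact()
    impact.lang = language
    # Set the element text itself; assigning to a `setValueOf_` attribute (as
    # this code once did) only creates a stray attribute and leaves the Impact empty.
    impact.valueOf_ = config.get('iodef-Event', 'Impact')
    # No Confidence element is emitted.
    eventAssessment = iodef.base.Assessment()
    eventAssessment.add_Impact(impact)
    eventData.Assessment = eventAssessment
    method = iodef.base.Method()
    # NOTE(review): 'po-MI' is not an obvious language tag - confirm it is intended.
    method.Description = [iodef.base.MLStringType(lang='po-MI', valueOf_='A infected system report')]
    eventData.add_Method(method)
    # Flow: the infected system, its controller and, when known, the infector.
    flow = iodef.base.Flow()
    flow.System = [_build_system('infected', botStruct['infectee'])]
    flow.add_System(_build_system('controller', botStruct['controller']))
    infector = botStruct.get('infector')
    if infector:
        flow.add_System(_build_system('infector', infector))
    eventData.add_Flow(flow)
    # Non-IODEF bot details, carried as an xml-typed AdditionalData extension.
    eventAdditionalData = iodef.base.ExtensionType(dtype='xml')
    eventAdditionalData.content_ = [botDetails]
    eventAdditionalData.anytypeobjs_ = []
    # Registering the content's class presumably lets the generated exporter
    # serialise the any-typed element (same pattern as the markings in build_IODEF).
    eventAdditionalData.add_anytypeobjs_(type(botDetails))
    eventData.add_AdditionalData(eventAdditionalData)
    return eventData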
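def build_IODEF(config, eventData):
    """Wrap an EventData in a complete IODEF Incident.

    config    -- ConfigParser holding the [iodef] and [iodef-Contact] sections.
    eventData -- the EventData produced by build_botDetails().
    Returns an iodef.base.Incident carrying the incident ID, report time,
    reporter contact, assessment, the event and the data-marking extension.
    """
    contact = iodef.base.Contact()
    assessment = iodef.base.Assessment()
    markings = iodef.base.ExtensionType(dtype='xml')
    incident = iodef.base.Incident(
        restriction=config.get('iodef', 'Restriction'),
        purpose='other',
        # uuid4() is random; uuid1() embeds the reporting host's MAC address
        # and clock in a document that is handed to a third party.
        IncidentID=iodef.base.IncidentIDType(name='UUID', valueOf_=str(uuid.uuid4())),
        AlternativeID=None,
        RelatedActivity=None,
        DetectTime=None,
        StartTime=None,
        EndTime=None,
        # Second-resolution UTC timestamp; "-00:00" is RFC 3339's spelling for an unknown local offset.
        ReportTime=datetime.utcnow().replace(microsecond=0).isoformat() + '-00:00',
        Description=[iodef.base.MLStringType(lang=config.get('iodef', 'Language'),
                                             valueOf_=config.get('iodef', 'Description'))],
        Assessment=[assessment],
        Method=None,
        Contact=[contact],
        EventData=[eventData],
        History=None,
        AdditionalData=None)
    # Contact details come from the config; too verbose for the constructor call above.
    contact.type_ = config.get('iodef-Contact', 'Type')
    contact.role = config.get('iodef-Contact', 'Role')
    contactName = iodef.base.MLStringType(valueOf_=config.get('iodef-Contact', 'Name'), lang='en-US')
    contact.set_ContactName(contactName)
    contactEmail = iodef.base.ContactMeansType.factory()
    contactEmail.set_valueOf_(config.get('iodef-Contact', 'Email'))
    contact.add_Email(contactEmail)
    contact.Timezone = config.get('iodef-Contact', 'Timezone')
    # Use an Impact element, as build_botDetails() does, rather than a bare MLStringType.
    impact = iodef.base.Impact()
    impact.lang = config.get('iodef', 'Language')
    impact.valueOf_ = config.get('iodef', 'Impact')
    assessment.add_Impact(impact)
    # Redistribution (data-marking) extension.
    community = iodef.markings.community()
    community.name = config.get('iodef', 'Community-name')
    community.tag = []
    community.add_tag(iodef.base.MLStringType(valueOf_=config.get('iodef', 'Community-tag')))
    markXML = iodef.markings.dataMarkings(community=[community],
                                         sensitivity=config.get('iodef', 'Sensitivity'))
    # Register the marking's class alongside its content so the any-typed
    # extension can be exported.
    markings.content_ = [markXML]
    markings.anytypeobjs_ = []
    markings.add_anytypeobjs_(type(markXML))
    incident.add_AdditionalData(markings)
    return incident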
#--------- MAIN -------------
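def usage():
    """Print the command-line synopsis to stdout.

    Lists the options main() actually accepts; the old one-line text
    referred to a filename argument that main() never reads.
    """
    print("Usage: bot_fromStruct.py [-h|--help] [-t|--testing] [-d|--dump] [-l|--language LANG]")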
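def main(argv):
    """Command-line entry point: build a bot report and send or dump it.

    argv -- argument list without the program name (sys.argv[1:]).
    Options: -h/--help; -t/--testing (use the canned botStruct from
    botStruct_test instead of asking questions); -d/--dump (print the
    document instead of sending it); -l/--language LANG (passed to
    askQuestions(); default en-US).
    Exits with status 2 on an unrecognised option.
    """
    _language = "en-US"
    _testing = False
    _dump = False
    botStruct = {}
    try:
        # "l:" declares that -l takes a value, matching the "language=" long form;
        # without the colon getopt treated -l as a flag and dropped the value.
        opts, _ = getopt.getopt(argv, "htdl:", ["help", "testing", "dump", "language="])
    except getopt.GetoptError as err:
        print(str(err))
        usage()
        sys.exit(2)
    for opt, arg in opts:
        if opt in ("-h", "--help"):
            usage()
            sys.exit()
        elif opt in ("-t", "--testing"):
            _testing = True
            from botStruct_test import botStruct
        elif opt in ("-l", "--language"):
            _language = arg
        elif opt in ("-d", "--dump"):
            _dump = True
    # Step 1: static configuration.
    config = readConfig()
    # Step 2: collect the infected-system details unless canned test data is in use.
    if not _testing:
        askQuestions(_language, botStruct)
    # Step 3: BotDetails wrapped in an EventData.
    botz = build_botDetails(botStruct, config)
    # Step 4: encase the EventData in an Incident.
    incident = build_IODEF(config, botz)
    # Step 5: assemble the IODEF-Document.
    doc = iodef.base.IODEF_Document.factory()
    doc.add_Incident(incident)
    doc.lang = config.get('iodef', 'Language')
    # Step 6: serialise, then either dump to stdout or submit to the repository.
    docString = StringIO.StringIO()
    doc.export(docString, 0)
    if _dump:
        print(docString.getvalue())
    else:
        errcode, incidentId, errmsg = send_to_apwg(config, docString.getvalue())
        if errcode != '0':
            print("ERROR")
            print("Error: %s - incidentId: %s - msg: %s" % (errcode, incidentId, errmsg))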
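if __name__ == '__main__':
    # The unconditional pdb.set_trace() that used to sit here stopped every
    # run at an interactive debugger prompt, which breaks unattended use.
    main(sys.argv[1:])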