greynoise_list.py

'''

greynoise_list

Helpful functions for parsing out data from the Grey Noise dataset. 

get_categories() returns all the categories currently used in the data.

map_ips_cat() returns a dictionary with categories as keys mapped to ips. 

Copyright (c) 2017 Rich Kelley
    Contact: 
        @RGKelley5
        RK5DEVMAIL[A T]gmail[D O T]com
        www.bytesdarkly.com
    License: MIT

Dependencies: 
-------------
Grey Noise Python API: https://github.com/phyler/greynoise

Usage:
------

root@kali:~/greynoise# python -i ../greynoise_list.py 
>>> worm_ips = map_ips_cat(categories=['worm'])
>>> len(worm_ips['worm'])
5160
>>> for i in worm_ips['worm'][:15]:
...  print i
... 
194.243.136.186
185.55.218.154
40.112.187.193
58.218.200.114
158.255.4.188
125.77.30.12
39.155.134.198
58.120.27.153
223.72.95.237
68.64.238.114
120.131.3.58
223.72.98.223
61.158.162.166
182.18.23.106
218.2.0.180

'''

import greynoise


def get_categories():

    '''
        Currently returns:
            search_engine
            scanner
            tool
            hosting
            actor
            worm
            activity

    '''
    categories = set()

    for tag in greynoise.list_tags():
        for record in greynoise.query_tag(tag):
            categories.add(record['category'])
    
    return categories


def map_ips_cat(categories=None, tags=None):

    cat_map = {}

    if not categories:
        categories = get_categories()

    for cat in categories:
        cat_map[cat] = []

    if not tags:
        tags = greynoise.list_tags()

    for tag in tags:
        for record in greynoise.query_tag(tag):
            if record['category'] in cat_map:
                cat_map[record['category']].append(record['ip'])

    return cat_map