Created
February 26, 2018 16:32
-
-
Save jgamblin/98010b337bad6d21c82e6fe97ffaf3d4 to your computer and use it in GitHub Desktop.
A script to search CTLogs for keywords and post new certs to a slack channel.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # coding=utf-8 | |
| import certstream | |
| import json | |
| import requests | |
| # Get the webhook_url here: | |
| # https://my.slack.com/services/new/incoming-webhook/ | |
| webhook_url = "HookURL" | |
| keywords = ("hack", "security") | |
| username = "certstream-bot" | |
| channel = "cert-stream" | |
| # Search for domains with the keyword. | |
| def certstream_callback(message, context): | |
| if message['message_type'] == "certificate_update": | |
| all_domains = message['data']['leaf_cert']['all_domains'] | |
| for keyword in keywords: | |
| if keyword in " ".join(all_domains): | |
| common_name = message['data']['leaf_cert']['subject']['CN'] | |
| cert_authority = message['data']['chain'][0]['subject']['O'] | |
| clean_domains = json.dumps(all_domains) | |
| slack_payload = { | |
| "username": "{}".format(username), | |
| "icon_emoji": ":robot_face:", | |
| "channel": "{}".format(channel), | |
| 'text': ":robot_face: I have detected a new certificate that contains the keyword `{}`!:robot_face:\n\n```Common Name: {} \n\nSANS: {} \n\nIssuing CA: {}```".format(keyword, common_name, clean_domains, cert_authority) | |
| } | |
| try: | |
| response = requests.post( | |
| webhook_url, | |
| data=json.dumps(slack_payload), | |
| headers={'Content-Type': 'application/json'}) | |
| print(response) | |
| except Exception as e: | |
| print("Error! {}".format(e)) | |
| certstream.listen_for_events(certstream_callback) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment