import base64
import datetime
import os

import requests
from pygraylog.graylogapi import GraylogAPI
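# Graylog connection settings.
# Credentials are taken from the environment when present (variable names
# chosen here: GRAYLOG_URL / GRAYLOG_USERNAME / GRAYLOG_PASSWORD) and fall
# back to the original placeholders, so a real password never has to be
# committed into this file.
# NOTE(review): the default URL is plain http://; the Basic auth header built
# by build_auth_header() would then travel unencrypted unless the deployment
# actually uses https.
url = os.environ.get('GRAYLOG_URL', 'http://graylog-url.com')
username = os.environ.get('GRAYLOG_USERNAME', 'USERNAME')
password = os.environ.get('GRAYLOG_PASSWORD', 'PASSWORD')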
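def build_data_dict(feed_file='dga-feed.txt'):
    """Load the DGA feed into a dict keyed by domain.

    Every non-comment, non-blank line of *feed_file* is expected to be comma
    separated as ``domain,info,date_found,manual``; extra fields are ignored
    and rows with fewer than four fields are skipped.

    Args:
        feed_file: path of the feed file. Defaults to ``dga-feed.txt`` in the
            current working directory, which is what the original hard-coded.

    Returns:
        dict mapping domain -> {'info': ..., 'date_found': ..., 'manual': ...}.

    Raises:
        IOError / OSError if the feed file cannot be opened.
    """
    data = {}
    # Context manager so the handle is closed even if parsing raises.
    with open(feed_file) as feed:
        for raw_line in feed:
            # strip() also drops the trailing newline, which previously ended
            # up inside the 'manual' field.
            line = raw_line.strip()
            if not line or line.startswith('#'):
                continue
            fields = line.split(',')
            if len(fields) < 4:
                # Malformed row: skip it instead of aborting the whole run
                # with an IndexError.
                continue
            data[fields[0]] = {
                'info': fields[1],
                'date_found': fields[2],
                'manual': fields[3],
            }
    return data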
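def search_graylog(now, five_min, query='*', field='dest_host'):
    """Run a Graylog "terms" search over an absolute time window.

    Args:
        now: end of the window as a Graylog-formatted timestamp string
            (main() passes '%Y-%m-%d %H:%M:00').
        five_min: start of the window, same format.
        query: Graylog query string; the default matches everything.
        field: field whose distinct values and counts are requested.

    Returns:
        Whatever the pygraylog client returns for the terms endpoint. The
        part this script uses is ``results['terms']``, a mapping of field
        value -> count. Example shape (Graylog also returns built_query,
        missing, other, time, total)::

            {'terms': {'ekwhyavcvitjp.co.uk': 1, 'google.com': 2, 'gmail.com': 500}}
    """
    api = GraylogAPI(url, username=username, password=password)
    return api.search.universal.absolute.terms.get(
        field=field, query=query, from_=five_min, to=now)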
def find_dgas(results, data_dict, now, five_min):
    """Cross-reference the searched hostnames against the DGA feed.

    ``results['terms']`` maps hostname -> hit count. Every hostname that is
    also a key of *data_dict* yields one alert dict carrying the feed's
    'info' text and the search window (*five_min* .. *now*).

    Returns:
        list of alert dicts, in the order the hostnames appear in the terms
        mapping; empty when nothing matched.
    """
    seen_hosts = results['terms']
    return [
        {
            'hostname': host,
            'alert': 'DGA',
            'from': five_min,
            'to': now,
            'info': data_dict[host]['info'],
        }
        for host in seen_hosts
        if host in data_dict
    ]
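def build_auth_header(user=None, secret=None):
    """Build an HTTP Basic ``Authorization`` header.

    Args:
        user: username; defaults to the module-level ``username``.
        secret: password; defaults to the module-level ``password``.

    Returns:
        dict with a single 'Authorization' key whose value is
        ``'Basic ' + base64(user:secret)``.
    """
    if user is None:
        user = username
    if secret is None:
        secret = password
    # b64encode operates on bytes; the original passed a str, which only
    # works on Python 2. Encoding in and decoding out keeps the header a text
    # value on both interpreters.
    token = base64.b64encode((user + ':' + secret).encode('utf-8')).decode('ascii')
    return {'Authorization': 'Basic ' + token}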
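def send_to_graylog(alerts, timeout=10):
    """POST each alert dict to Graylog with the Basic auth header.

    Args:
        alerts: list of alert dicts as produced by find_dgas().
        timeout: seconds to wait per request. Without one, requests blocks
            indefinitely on an unresponsive server, which would hang the
            whole scheduled run.

    Raises:
        requests.HTTPError if Graylog answers with an error status; a dropped
        alert should be visible rather than silently ignored as before.
    """
    header = build_auth_header()
    # NOTE(review): this posts to the same base ``url`` the search API uses;
    # confirm that is really the ingest endpoint rather than the REST API
    # root before relying on it.
    for alert in alerts:
        response = requests.post(url, data=alert, headers=header, timeout=timeout)
        response.raise_for_status()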
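def main():
    """Entry point: load the feed, search the last five minutes, alert on hits.

    Returns nothing; matching alerts are posted back to Graylog as a side
    effect of send_to_graylog().
    """
    # build 'threat intel' dict
    data_dict = build_data_dict()
    # build absolute time window
    # NOTE(review): datetime.now() is naive local time, and the seconds are
    # zeroed by the format string; confirm the Graylog server stores
    # timestamps in the same zone, otherwise the window is offset.
    now = datetime.datetime.now()
    five_min = now - datetime.timedelta(minutes=5)
    now_str = now.strftime('%Y-%m-%d %H:%M:00')
    five_min_str = five_min.strftime('%Y-%m-%d %H:%M:00')
    # query graylog
    results = search_graylog(now_str, five_min_str)
    if results:
        # if we get results, see if they were DGAs
        alerts = find_dgas(results, data_dict, now_str, five_min_str)
        # an empty list is falsy; no need for len() > 0
        if alerts:
            send_to_graylog(alerts)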
if __name__ == "__main__":
    # Run only when executed as a script, not when imported.
    main()