OSTrICa-master
Category: GIS/Map programming
Development tool: DOS
File size: 3073KB
Downloads: 1
Upload date: 2017-01-11 20:56:59
Uploader: fa
Description: ws eiojruwaer otjhno iearhytgoseg
File list:
changelog.txt (367, 2016-11-06)
docs (0, 2016-11-06)
docs\Bsides.pdf (1559932, 2016-11-06)
docs\OSTrICaLogo.png (6335, 2016-11-06)
docs\OSTrICaWhitePaper.pdf (528096, 2016-11-06)
docs\OstricaGraph.png (45795, 2016-11-06)
main.py (8111, 2016-11-06)
ostrica (0, 2016-11-06)
ostrica\Plugins (0, 2016-11-06)
ostrica\Plugins\BlackLists (0, 2016-11-06)
ostrica\Plugins\BlackLists\__init__.py (10449, 2016-11-06)
ostrica\Plugins\CymruWhois (0, 2016-11-06)
ostrica\Plugins\CymruWhois\__init__.py (5775, 2016-11-06)
ostrica\Plugins\DeepViz (0, 2016-11-06)
ostrica\Plugins\DeepViz\__init__.py (8847, 2016-11-06)
ostrica\Plugins\DomainBigData (0, 2016-11-06)
ostrica\Plugins\DomainBigData\__init__.py (16310, 2016-11-06)
ostrica\Plugins\NortonSafeWeb (0, 2016-11-06)
ostrica\Plugins\NortonSafeWeb\__init__.py (4171, 2016-11-06)
ostrica\Plugins\PyWhois (0, 2016-11-06)
ostrica\Plugins\PyWhois\__init__.py (12254, 2016-11-06)
ostrica\Plugins\SafeBrowsing (0, 2016-11-06)
ostrica\Plugins\SafeBrowsing\__init__.py (8268, 2016-11-06)
ostrica\Plugins\SpyOnWeb (0, 2016-11-06)
ostrica\Plugins\SpyOnWeb\__init__.py (11074, 2016-11-06)
ostrica\Plugins\TCPIPutils (0, 2016-11-06)
ostrica\Plugins\TCPIPutils\__init__.py (16540, 2016-11-06)
ostrica\Plugins\ThreatCrowd (0, 2016-11-06)
ostrica\Plugins\ThreatCrowd\__init__.py (11673, 2016-11-06)
ostrica\Plugins\ThreatMiner (0, 2016-11-06)
ostrica\Plugins\ThreatMiner\__init__.py (22219, 2016-11-06)
ostrica\Plugins\VT (0, 2016-11-06)
ostrica\Plugins\VT\__init__.py (35257, 2016-11-06)
ostrica\Plugins\WebSiteInformer (0, 2016-11-06)
ostrica\Plugins\WebSiteInformer\__init__.py (8087, 2016-11-06)
ostrica\Plugins\WhoisXmlApi (0, 2016-11-06)
ostrica\Plugins\WhoisXmlApi\__init__.py (3290, 2016-11-06)
... ...
OSTrICa - Open Source Threat Intelligence Collector (An Open Source plugin-oriented framework to collect and visualize Threat Intelligence Information)
========
![OSTrICa Logo](https://github.com/Ptr32Void/OSTrICa/blob/master/docs/OSTrICaLogo.png "OSTrICa Logo")
**OSTrICa** stands for Open Source Threat Intelligence Collector and is an Open Source **plugin-oriented framework** to **collect and visualize** Threat Intelligence Information. Furthermore, OSTrICa is also the Italian word for oyster: that's where the logo comes from.
SOC analysts, incident responders, attack investigators and cyber-security analysts need to correlate IoCs (Indicators of Compromise), network traffic patterns and any other collected data in order to get a real advantage against cyber-enemies.
This is where **threat intelligence** comes into play, but unfortunately not all companies have the budget to spend on Threat Intelligence Platforms and Programs (TIPP); this is the main motivation behind OSTrICa's development.
OSTrICa is a free and open source framework that allows everyone to automatically collect and visualize any sort of harvested threat intelligence data (IoCs) from open, internal and commercial sources using a **plugin based architecture**. The collected intelligence can be analysed directly, but it can also be **visualized** in a graph format **suitable for link analysis**. The visualized information can be filtered dynamically and can show, for example, connections between multiple malware samples based on remote connections, file names, mutexes and so on.
## Licence
OSTrICa is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
OSTrICa is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with OSTrICa. If not, see .
## Documentation
Documentation can be found in the `docs` directory. For example:
* OSTrICa presentation (BSidesUK, London)
* OSTrICa whitepaper that describes its purpose and how it works
## Dependencies
OSTrICa by itself does not need any external library.
Dependencies depend on the installed plugins. For example:
* `BeautifulSoup`, used by almost all the plugins to scrape web pages
* `dnspython-1.12.0`, mainly used by CymruWhois plugin
* `ipwhois-0.11.1`, used by PyWhois plugin
* `python-deepviz-master`, used by DeepViz plugin (it requires an API key) - At the moment DeepViz plugin is not available to the public.
* `python-whois-0.5.2`, used by PyWhois plugin
* `pythonwhois-2.4.3`, used by PyWhois plugin
* `requests`, used by ThreatCrowd/ThreatMiner plugin (query limit is set)
Note: OSTrICa works on Python version >= 2.7.9
## How to use OSTrICa
To use OSTrICa, execute the file `main.py`; to get a list of the available commands, run the command `help`.
```
> python main.py
OSTrICa v.0.5 - Open Source Threat Intellicence Collector
Developed by: Roberto Sponchioni - @Ptr32Void
write "help" for help
> help
Following options are available
domain - used to collect domains information
Example: domain=google.com or domain=google.com,yahoo.com
ip - used to collect IP information
Example: ip=8.8.8.8 or ip=8.8.8.8,173.194.68.99
md5 - used to collect MD5 information
sha256 - used to collect SHA256 information
asn - used to collect ASN information
email - used to collect email information
graph - generate a graph based on all the information collected
cola_graph - generate a graph based on all the information collected where nodes do not overlap (it might take a while to generate the graph if there are lots of nodes)
gclean - clear graph information
show - show all information that will be collected
run - extract intelligece information
help - this help
plugins - show available plugins
```
To collect the information about specific IoCs you can execute the following commands:
```
>md5=747b3fd525de1af0a56***5aa29779b86,2fdeb22d2fa2***78dca12fb493df24df
>domain=tinyor.info
>ip=195.22.26.248
>email=jgou.veia@gmail.com
>asn=16276
>run
Output created in C:\Users\Roberto\Documents\GitHub\OSTrICa\report\a0b***3ae-e30a-46dc-a1d0-b59e661595c0
> graph
Graph generated in C:\Users\Roberto\Documents\GitHub\OSTrICa\viz\f4da8f02-ec9c-4700-9345-bd715de7789f.html
```
If verbose output is needed, enable the `DEBUG` option in `cfg.py`.
The output will be a little noisy, but it shows more details, as in the example below:
```
> run
Running DeepViz() on 747b3fd525de1af0a56***5aa29779b86
Running VT() on 747b3fd525de1af0a56***5aa29779b86
cleanup VirusTotal...
Running DeepViz() on 2fdeb22d2fa2***78dca12fb493df24df
Running VT() on 2fdeb22d2fa2***78dca12fb493df24df
cleanup VirusTotal...
Running BlackListChecker() on tinyor.info
cleanup BlackListChecker...
Running DomainBigData() on tinyor.info
cleanup DomainBigData...
```
To generate the graph, two commands are available:
* `graph` generates the graph based on all the collected information
* `cola_graph` generates the graph based on all the collected information without overlapping nodes
![OSTrICa Graph](https://github.com/Ptr32Void/OSTrICa/blob/master/docs/OstricaGraph.png "OSTrICa Graph")
## Currently available plugins
The following list contains the currently available plugins:
* `ThreatMiner` - Developer `Ptr32Void`
* `ThreatCrowd` - Developer `Ptr32Void`
* `BlackLists` - Developer `Ptr32Void`
* `CymruWhois` - Developer `Ptr32Void`
* `DomainBigData` - Developer `Ptr32Void`
* `NortonSafeWeb` - Developer `Ptr32Void`
* `PyWhois` - Developer `Ptr32Void`
* `SafeBrowsing` - Developer `Ptr32Void`
* `SpyOnWeb` - Developer `Ptr32Void`
* `TCPIPutils` - Developer `Ptr32Void`
* `VirusTotal` - Developer `Ptr32Void`
* `WebSiteInformer` - Developer `Ptr32Void`
* `WhoisXmlApi` - Developer `Ptr32Void`
## How to develop new Plugins
Plugins are stored in the directory named `Plugins`.
To create a new plugin, create a new subdirectory under `Plugins` and add a new `__init__.py` inside that directory.
OSTrICa calls two functions within each plugin, `run` and `data_visualization`, defined as follows:
```python
# intelligence is the IoC provided (e.g. something@yahoo.com)
# extraction_type is the typology (e.g. an MD5, an email, etc.)
def run(intelligence, extraction_type):
    # run is the core part of the plugin: it collects the information and
    # then returns JSON data in the format below
    intelligence_dictionary = {}  # .... code used to collect Intelligence ....
    # extraction_type is the type (md5, email, etc.) and intelligence_information
    # carries intelligence_dictionary, the JSON data collected by the plugin
    return {'extraction_type': extraction_type, 'intelligence_information': intelligence_dictionary}

# nodes and edges are passed by OSTrICa itself and should never be overwritten,
# only updated, because they might contain details related to previously
# collected information
# json_data is the JSON output collected by the plugin
def data_visualization(nodes, edges, json_data):
    # .... code used to turn json_data into nodes and edges ....
    return nodes, edges
```
It is also mandatory to return `nodes` and `edges` from `data_visualization`, as they are used by OSTrICa. If there is no data to visualize, the nodes/edges can be returned unchanged with the following code:
```python
def data_visualization(nodes, edges, json_data):
    return nodes, edges
```
You should also add the following import and variables at the top of the file.
```python
from ostrica.utilities.cfg import Config as cfg # used to include configuration data
# used to identify what kind of data the plugin can extract:
# ip = IP Address information
# domain = Domain information
# asn = ASN information
# md5 = MD5 information
# sha256 = SHA256 information
# email = Email information
extraction_type = [cfg.intelligence_type['ip'], cfg.intelligence_type['domain'], cfg.intelligence_type['asn']]
# True if plugin is enabled, False if not
enabled = True
# Plugin Version
version = 0.1
# Developer(s) name and contact
developer = 'Your Name '
# Plugin Description
description = 'Plugin used to collect information about IPs, domains or ASNs on SafeBrowsing'
# True if visualization module is available for the plugin, False otherwise
visual_data = True
```
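The following is a complete plugin written against the contract described in this section: the module-level metadata, `run` returning the `extraction_type`/`intelligence_information` dictionary, and `data_visualization` updating (never replacing) the `nodes` and `edges` it receives. It is an added illustration, not a plugin shipped with OSTrICa: the block list is constructed, the fallback values for `cfg.intelligence_type`, the node/edge shapes and the author name are assumptions, and it is written for Python 3. It also validates the analyst-supplied IoC before using it, so a malformed value never reaches a lookup or the graph.

```python
import ipaddress
import re
try:  # the real framework supplies the type constants (see the snippet above)
    from ostrica.utilities.cfg import Config as cfg
except ImportError:  # stand-in with assumed values so the module also runs outside OSTrICa
    class cfg:
        intelligence_type = {'ip': 'ip', 'domain': 'domain'}

extraction_type = [cfg.intelligence_type['ip'], cfg.intelligence_type['domain']]
enabled = True
version = 0.1
developer = 'Example Author (hypothetical)'
description = 'Offline block-list check for IPs and domains (illustrative plugin)'
visual_data = True

# Constructed sample block list; a real plugin would load a feed here.
BLOCK_LIST = {'198.51.100.7': 'c2-feed', 'bad.example.net': 'phishing-feed'}
DOMAIN_RE = re.compile(r'^(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$', re.IGNORECASE)

def is_valid_ioc(intelligence, extraction_type):
    # Validate the analyst-supplied IoC before it reaches a lookup, a URL or the graph.
    if extraction_type == cfg.intelligence_type['ip']:
        try:
            ipaddress.ip_address(intelligence)
            return True
        except ValueError:
            return False
    return bool(DOMAIN_RE.match(intelligence))

def run(intelligence, extraction_type):
    # Core of the plugin: collect data and return it in the dictionary format OSTrICa expects.
    intelligence_dictionary = {'ioc': intelligence, 'listed': False, 'sources': []}
    if not is_valid_ioc(intelligence, extraction_type):
        intelligence_dictionary['error'] = 'malformed indicator'
    elif intelligence.lower() in BLOCK_LIST:
        intelligence_dictionary.update(listed=True, sources=[BLOCK_LIST[intelligence.lower()]])
    return {'extraction_type': extraction_type, 'intelligence_information': intelligence_dictionary}

def data_visualization(nodes, edges, json_data):
    # Assumed shapes: nodes is a dict id -> attributes, edges a list of (source, target, label);
    # entries left by other plugins are kept (setdefault), never overwritten.
    info = json_data['intelligence_information']
    if info.get('listed'):
        nodes.setdefault(info['ioc'], {'type': json_data['extraction_type']})
        for source in info['sources']:
            nodes.setdefault(source, {'type': 'blocklist'})
            edge = (info['ioc'], source, 'listed_in')
            if edge not in edges:
                edges.append(edge)
    return nodes, edges
```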