Advertisement
opexxx

iocsplunker.pl

Jul 12th, 2014
362
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Perl 5.14 KB | None | 0 0
  1. #! /usr/bin/perl
  2.  
  3. #
  4. # Script written to pull IP data from openIOC and search Splunk.
  5. #
  6.  
  7. use strict;
  8. use warnings;
  9. $|=1;
  10.  
  11. use LWP::UserAgent;
  12. use XML::LibXML;
  13. my %splunk_id;
  14.  
  15. my @SPLUNK_SERVERS = ("internal.splunk.com:8089");  # set this to your splunk server(s)
  16. my $ioc_dir     = "/tmp/iocfiles";                  # Set to your IOC files location
  17. $splunk_id{'username'} = q/USERNAME/;               # Splunk Username
  18. $splunk_id{'password'} = q/PASSWORD/;               # Splunk Password
  19. $splunk_id{'data_type'} = "csv";
  20.  
  21. sub splunk_login {
  22.     my %BROWSER_PARAMS;
  23.     $BROWSER_PARAMS{'username'}= $_[0];
  24.     $BROWSER_PARAMS{'password'} = $_[1];
  25.    
  26.     my $base_url = "https://".$_[2];
  27.    
  28.     my $browser = LWP::UserAgent->new;
  29.     my $response = $browser->post($base_url."/servicesNS/".$BROWSER_PARAMS{'username'}."/search/auth/login/", \%BROWSER_PARAMS);
  30.     my $auth_key = "Login Error (".$response->content.")";
  31.     if ($response->content =~ /<sessionKey>(.*?)<\/sessionKey>/){$auth_key = $1;};
  32.     return $auth_key;
  33. }
  34. sub splunk_search {
  35.     my %BROWSER_PARAMS;
  36.     $BROWSER_PARAMS{'search'} = $_[0];
  37.    
  38.     my $browser = LWP::UserAgent->new;
  39.     my $base_url = "https://".$_[1];
  40.     $browser->default_header('Authorization' => "Splunk ".$_[2]);  
  41.     my $response = $browser->post($base_url."/servicesNS/".$_[3]."/search/search/jobs", \%BROWSER_PARAMS);
  42.  
  43.     my $search_id = "Error";
  44.     if ($response->content =~ /<sid>(.*?)<\/sid>/){$search_id = $1;};
  45.     return $search_id;
  46. }
  47. sub splunk_status {
  48.     my $base_url = "https://".$_[1];
  49.    
  50.     my $browser = LWP::UserAgent->new;
  51.     $browser->default_header('Authorization' => "Splunk ".$_[2]);
  52.     my $response = $browser->get($base_url."/servicesNS/".$_[3]."/search/search/jobs/".$_[0]);
  53.     if($response->code() != 200){die "Check error (".$response->code().")\n";}
  54.     return $response->content;
  55. }
  56. sub splunk_get_data {
  57.     my $base_url = "https://".$_[1];
  58.    
  59.     my $browser = LWP::UserAgent->new;
  60.     $browser->default_header('Authorization' => "Splunk ".$_[2]);
  61.     my $response = $browser->get($base_url."/servicesNS/".$_[3]."/search/search/jobs/".$_[0]."/results?output_mode=".$_[4]);
  62.    
  63.     if($response->content){return $response->content;}else{return "NULL";}
  64. }
  65. sub xml_dispatchState {
  66.     my $dom = XML::LibXML->load_xml(string => $_[0]);  
  67.     my @CONTENT = $dom->getElementsByTagName("s:key");
  68.    
  69.     for(my $j=0;$j<@CONTENT;$j++){
  70.         my @TYPE_INFO = $CONTENT[$j]->getAttributeNode("name");
  71.         foreach my $type_info (@TYPE_INFO){        
  72.             if ($type_info->nodeValue eq "dispatchState"){return $CONTENT[$j]->textContent;}   
  73.         }              
  74.     }
  75.     return;
  76. }
  77. sub ioc_get_ip {
  78.     my %BAD_IP_LIST;
  79.     my $parser = XML::LibXML->new();
  80.     my $dom = $parser->parse_file($_[0]."/".$_[1]);
  81.     my @CONTENT = $dom->getElementsByTagName("ns0:Content");
  82.     for(my $j=0;$j<@CONTENT;$j++){
  83.         my @TYPE_INFO = $CONTENT[$j]->getAttributeNode("type");
  84.         foreach my $type_info (@TYPE_INFO){
  85.                 if ($type_info->nodeValue eq $_[2]){$BAD_IP_LIST{$CONTENT[$j]->textContent} = $_[1];}          
  86.         }              
  87.     }
  88.     return \%BAD_IP_LIST;
  89. }
  90. sub craft_search{
  91.     my $search_string = "sourcetype != \"audittrail\" ";
  92.     my $search_suffix = "";
  93.    
  94.     if ($_[0] eq 'IP'){
  95.         my $BAD_IP_REF = $_[1];
  96.         foreach my $k (keys %$BAD_IP_REF){
  97.             # Ignore IP's in private address space
  98.             if (!($k =~ /^10\./)){$search_suffix .= $k." OR ";}
  99.         }
  100.         $search_string = $search_string.$search_suffix;
  101.         $search_string =~ s/OR\s+$/\| stats count\(src_ip\) AS \"Hit Count\" by src_ip \, dst_ip | rename src_ip AS \"Source IP\"\, dst_ip AS \"Destination IP\"/;
  102.     }
  103.     return $search_string;
  104. }
  105.  
  106. opendir(DIR, $ioc_dir) or die "Can't open $ioc_dir: $!";
  107. my @FILES = readdir DIR;
  108. closedir DIR;
  109.  
  110. my %BAD_IP; # Hash containing bad IP's
  111. foreach my $file (@FILES){
  112.     if ($file =~ m/\.ioc$/){
  113.         my $tmp_ip_hash = ioc_get_ip($ioc_dir, $file, "IP");
  114.         foreach my $ip_val (keys %$tmp_ip_hash){$BAD_IP{$ip_val}++;}
  115.     }
  116. }      
  117. my $search_string = craft_search('IP', \%BAD_IP);
  118. my $stop_tm = time(); my $start_tm = $stop_tm-(60*60);
  119. my $search = 'search earliest='.$start_tm.' latest='.$stop_tm.' '.$search_string;
  120. print "\n$search\n\n";
  121.  
  122. my %SPLUNK_AUTH;
  123. foreach my $splunk_server (@SPLUNK_SERVERS){
  124.     my $session_key = splunk_login($splunk_id{'username'}, $splunk_id{'password'}, $splunk_server);
  125.     if ($session_key ne "Login Error"){$SPLUNK_AUTH{$splunk_server} = $session_key;}   
  126. }
  127. if (!((keys %SPLUNK_AUTH) >= 1)){die "Splunk login error\n";}
  128.  
  129. my %SEARCH_ID;
  130. while(my ($server, $sessionkey) = each %SPLUNK_AUTH ) {
  131.     $SEARCH_ID{$server} = splunk_search( $search, $server, $sessionkey, $splunk_id{'username'});
  132. }
  133.  
  134. my ($j, $n) = (1, 1);
  135. while ($j){
  136.    
  137.     while ( my ($server, $searchid) = each %SEARCH_ID ) {
  138.         my $current_status = xml_dispatchState(splunk_status($searchid, $server, $SPLUNK_AUTH{$server}, $splunk_id{'username'}));
  139.         print $current_status."...\t\r";
  140.    
  141.         if ($current_status eq "DONE"){
  142.            
  143.             my $results = splunk_get_data($searchid, $server, $SPLUNK_AUTH{$server}, $splunk_id{'username'}, $splunk_id{'data_type'});
  144.             if ($results ne "NULL"){
  145.                 print "\n".$results."\n\n";
  146.             }else{
  147.                 print "\nSearch complete.... No baddies found!\n\n";
  148.             }
  149.             delete($SEARCH_ID{$server});
  150.         }
  151.     }
  152.     if (keys %SEARCH_ID){for (my $sleep=0;$sleep<5;$sleep++){$n++;sleep 1;}}else{$j=0;}
  153. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement