255 lines
7.2 KiB
Plaintext
255 lines
7.2 KiB
Plaintext
# copy or link this file to ~/.visidatarc
|
||
options.disp_date_fmt="%Y-%m-%dT%H:%M:%S"
|
||
|
||
|
||
from datetime import datetime
|
||
import functools
|
||
import json
|
||
|
||
def what(item):
|
||
return f"{type(item)}:{str(item)}"
|
||
|
||
def avgdiff(values):
|
||
L = sorted(values)
|
||
a = L[1:]
|
||
b = L[:-1]
|
||
c = sum([abs(x[0]-x[1]) for x in zip(a,b)])
|
||
return c/len(a)
|
||
|
||
aggregator('avgdiff', avgdiff)
|
||
|
||
def logtime(val):
|
||
a=str(val)
|
||
a=a.strip()
|
||
a=a.split(" ")
|
||
d=a[0].split("/")
|
||
t=a[1].split(":")
|
||
if (a[2] == "PM") and (t[0] != "12"):
|
||
t[0]=str(int(t[0])+12)
|
||
if (a[2] == "AM") and (t[0] == "12"):
|
||
t[0]="0"
|
||
return datetime(int(d[2]),int(d[0]),int(d[1]),int(t[0]),int(t[1]),int(t[2])).timestamp()
|
||
|
||
def tsfromtime(val, format):
|
||
import time
|
||
from calendar import timegm
|
||
utc_time = time.strptime(str(val).strip(), format)
|
||
return timegm(utc_time)
|
||
|
||
def timefromts(val):
|
||
try:
|
||
return datetime.utcfromtimestamp(float(val))
|
||
except ValueError:
|
||
pass
|
||
try:
|
||
return datetime.utcfromtimestamp(float(val)/1000)
|
||
except ValueError:
|
||
pass
|
||
try:
|
||
return datetime.utcfromtimestamp(float(val)/1000000)
|
||
except ValueError:
|
||
pass
|
||
|
||
|
||
# sym-ts = hexNcoded NT-Timestamp = Nanoseconds since 01.01.1601
|
||
def sym_time(val):
|
||
a = int(val, 16) # decode hex
|
||
# convert to seconds and subtract offset to 01.01.1970
|
||
b = (a / 10000000) - 11644473600
|
||
return datetime.fromtimestamp(b)
|
||
|
||
|
||
@functools.lru_cache()
|
||
def vendor(mac):
|
||
try:
|
||
from mac_vendor_lookup import InvalidMacError, MacLookup as mlu
|
||
try:
|
||
return mlu().lookup(mac.strip())
|
||
except InvalidMacError:
|
||
return f"not a MAC {str(mac).strip()} of type {type(mac)}"
|
||
except ModuleNotFoundError:
|
||
return "module not available"
|
||
|
||
@functools.lru_cache(maxsize=1000)
|
||
def _get_vt():
|
||
try:
|
||
from virus_total_apis import PublicApi as VirusTotalPublicApi
|
||
with open('~/.virustotal_api_key') as af:
|
||
API_KEY = af.readline()
|
||
vt = VirusTotalPublicApi(API_KEY)
|
||
return vt
|
||
except:
|
||
return None
|
||
|
||
@functools.lru_cache()
|
||
def vt_ip(ip):
|
||
vt = _get_vt()
|
||
if vt is None:
|
||
return "VT-Error"
|
||
response = vt.get_ip_report(ip)
|
||
return response
|
||
|
||
@functools.lru_cache()
|
||
def vt_file(hash):
|
||
vt = _get_vt()
|
||
if vt is None:
|
||
return "VT-Error"
|
||
response = vt.get_file_report(hash)
|
||
return response
|
||
|
||
|
||
@functools.lru_cache(maxsize=1000)
|
||
def dns_lookup(domain, record='A'):
|
||
if len(domain.split(",")) > 1:
|
||
return ",".join([dns_lookup(x, record) for x in domain.split(",")])
|
||
try:
|
||
import dns
|
||
import dns.resolver as rs
|
||
result = rs.query(domain, record)
|
||
return ",".join([x.to_text() for x in result])
|
||
except dns.resolver.NoAnswer as e:
|
||
return ""
|
||
except dns.exception.DNSException as e:
|
||
# return e.msg
|
||
return ""
|
||
except ModuleNotFoundError:
|
||
return "module not available"
|
||
|
||
@functools.lru_cache()
|
||
def _asn(ip):
|
||
from bs4 import BeautifulSoup
|
||
import requests
|
||
data = { 'q': ip,'query': 'Query'}
|
||
response = requests.post('https://asnip.net/ip2asn.php', data=data)
|
||
soup=BeautifulSoup(response.text,features='lxml')
|
||
table=soup.find_all('table')[1]
|
||
row=table.find_all('tr')[1]
|
||
cols = [ele.text.strip() for ele in row.find_all('td') ]
|
||
res = { 'asn' : cols[0] }
|
||
res['ip'] = cols[1]
|
||
res['name'] = cols[2]
|
||
res['country'] = ""
|
||
if "," in res['name']:
|
||
name_split=res['name'].split(",")
|
||
res['country']=name_split[-1].strip()
|
||
res['name']=" ".join(name_split[:-1])
|
||
return res
|
||
|
||
@functools.lru_cache()
|
||
def asn(ip, type="asn"):
|
||
if len(ip.split(",")) > 1:
|
||
return ",".join([_asn(x, type) for x in ip.split(",")])
|
||
try:
|
||
return _asn(ip)[type]
|
||
except:
|
||
return ""
|
||
|
||
@functools.lru_cache(maxsize=1000)
|
||
def _ipinfo(ip):
|
||
try:
|
||
import requests
|
||
import json
|
||
r = requests.get(url='http://ipinfo.io/{}/json'.format(ip))
|
||
return r.json()
|
||
except json.JSONDecodeError as e:
|
||
return None
|
||
except ModuleNotFoundError:
|
||
return None
|
||
|
||
|
||
@functools.lru_cache()
|
||
def ipinfo(ip, type="country"):
|
||
if len(ip.split(",")) > 1:
|
||
return ",".join([ipinfo(x, type) for x in ip.split(",")])
|
||
try:
|
||
return _ipinfo(ip)[type]
|
||
except:
|
||
return ""
|
||
|
||
|
||
@functools.lru_cache()
|
||
def mx_lookup(domain):
|
||
domain = domain.lstrip("www.")
|
||
try:
|
||
mxs = dns_lookup(domain, 'MX').split(",")
|
||
mxt = [x.split(" ")[1] for x in mxs if len(x.split(" ")) == 2]
|
||
return ",".join(mxt)
|
||
except Exception as e:
|
||
return str(e)
|
||
|
||
|
||
@functools.lru_cache(maxsize=1000)
|
||
def grab_banner(ip, port=25):
|
||
if len(ip.split(",")) > 1:
|
||
return ",".join([grab_banner(x, port) for x in ip.split(",")])
|
||
try:
|
||
import socket
|
||
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # TCP
|
||
sock.settimeout(2)
|
||
sock.connect((ip, port))
|
||
ret = sock.recv(1024)
|
||
return str(ret.strip().decode())
|
||
except:
|
||
return ""
|
||
|
||
|
||
def sym_id(val):
|
||
event_ids = {
|
||
"2": "Scan Stopped",
|
||
"3": "Scan Started",
|
||
"4": "Definition File Sent To Server",
|
||
"5": "Virus Found",
|
||
"6": "Scan Omission",
|
||
"7": "Definition File Loaded",
|
||
"10": "Checksum",
|
||
"11": "Auto-Protect",
|
||
"12": "Configuration Changed",
|
||
"13": "Symantec AntiVirus Shutdown",
|
||
"14": "Symantec AntiVirus Startup",
|
||
"16": "Definition File Download",
|
||
"17": "Scan Action Auto-Changed",
|
||
"18": "Sent To Quarantine Server",
|
||
"19": "Delivered To Symantec Security Response",
|
||
"20": "Backup Restore Error",
|
||
"21": "Scan Aborted",
|
||
"22": "Load Error",
|
||
"23": "Symantec AntiVirus Auto-Protect Loaded",
|
||
"24": "Symantec AntiVirus Auto-Protect Unloaded",
|
||
"26": "Scan Delayed",
|
||
"27": "Scan Re-started",
|
||
"34": "Log Forwarding Error",
|
||
"39": "Definitions Rollback",
|
||
"40": "Definitions Unprotected",
|
||
"41": "Auto-Protect Error",
|
||
"42": "Configuration Error",
|
||
"45": "SymProtect Action",
|
||
"46": "Detection Start",
|
||
"47": "Detection Action",
|
||
"48": "Pending Remediation Action",
|
||
"49": "Failed Remediation Action",
|
||
"50": "Successful Remediation Action",
|
||
"51": "Detection Finish",
|
||
"65": "Scan Stopped",
|
||
"66": "Scan Started",
|
||
"71": "Threat Now Whitelisted",
|
||
"72": "Interesting Process Found Start",
|
||
"73": "SONAR engine load error",
|
||
"74": "SONAR definitions load error",
|
||
"75": "Interesting Process Found Finish",
|
||
"76": "SONAR operating system not supported",
|
||
"77": "SONAR Detected Threat Now Known",
|
||
"78": "SONAR engine is disabled",
|
||
"79": "SONAR engine is enabled",
|
||
"80": "Definition load failed",
|
||
"81": "Cache server error",
|
||
"82": "Reputation check timed out"}
|
||
return event_ids[val]
|
||
|
||
# convert 4-byte integer to IP-String
|
||
def int2ip(zahl):
|
||
return ".".join([str(c) for c in zahl.to_bytes(4,'big')])
|
||
|
||
# convert IP-String to Integer
|
||
def ip2int(ip):
|
||
return int.from_bytes(b"".join([int(c).to_bytes(1,'big') for c in b.split('.')]),'big')
|