#!/usr/bin/env python
#
# LICENSE
# Please refer to the LICENSE.txt in the https://github.com/JPCERTCC/aa-tools/
#
import json
import re
import sys
from binascii import crc32

from elasticsearch import Elasticsearch, helpers
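# Datper beacon URL shape:
#   http://<host>/<path>?<3-8 alnum key>=<8 hex><8 hex>[1-2]<rest><whitespace>
# group(1) = whole URL, group(2) = 8-hex payload, group(3) = 8-hex value that
# checkDatper() expects to be the CRC32 of group(2).
# Raw string on purpose: the original non-raw literal only worked because
# Python leaves unknown escapes (\d, \., \w, \S, ...) untouched, which is a
# DeprecationWarning since 3.6 and slated to become a SyntaxError.
filter_1 = re.compile(r'(http://[\da-z\.-]+\.[a-z\.]{2,6}/[\/\w_\.-]+\?[\da-z]{3,8}=([\da-f]{8})([\da-f]{8})[1-2]{1}\S+)\s', re.IGNORECASE)


def checkDatper(message):
    """Return 'yes' if *message* contains a Datper-style beacon URL, else 'no'.

    A hit needs two things: the text matches ``filter_1`` (an HTTP URL whose
    query value is 16 hex digits followed by '1' or '2' and more non-space
    characters), and the second 8-hex-digit group equals the CRC32 of the
    first one.  Both groups are lower-cased before hashing because the regex
    is case-insensitive while the CRC is taken over the lower-case text.

    Args:
        message: the log line / event text to inspect.

    Returns:
        The string 'yes' or 'no' (a string rather than a bool because the
        value is written straight into the Elasticsearch ``datper`` field).

    NOTE(review): CRC32 is a checksum, not a MAC.  Any client that emits the
    same encoding will also score 'yes', so treat this as a format indicator
    for triage, not as proof of Datper traffic.
    """
    match = filter_1.search(message)
    if not match:
        return 'no'
    payload = match.group(2).lower()
    expected_crc = match.group(3).lower()
    # Mask to 32 bits: binascii.crc32 returns a signed int on Python 2.
    actual_crc = '%08x' % (crc32(payload.encode('utf-8')) & 0xffffffff)
    return 'yes' if actual_crc == expected_crc else 'no'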
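def updateElastic(es_api, index):
    """Tag every document in *index* with a ``datper`` field ('yes' / 'no').

    Each hit's ``message`` field is run through ``checkDatper`` and the
    verdict is written back as a partial update, so the document's other
    fields are left as they are.

    Args:
        es_api: connection spec handed verbatim to ``Elasticsearch()``
            (host string, URL or list of hosts).  NOTE(review): nothing here
            turns on TLS verification or authentication; for anything other
            than a local test instance pass an https:// URL with credentials.
        index: name of the index to scan and update in place.
    """
    es = Elasticsearch(es_api)
    # A plain search() returns only the first page of hits (10 by default),
    # so the original tagged at most 10 documents and silently left the rest
    # untouched.  helpers.scan() walks the scroll API and yields every hit.
    query = {'query': {'match_all': {}}}
    for hit in helpers.scan(es, index=index, query=query):
        message = hit['_source'].get('message')
        if message is None:
            # No text to inspect; skip instead of aborting the whole run
            # with a KeyError part-way through the index.
            continue
        verdict = checkDatper(message)
        es.update(index=index, doc_type=hit['_type'], id=hit['_id'],
                  body={'doc': {'datper': verdict}})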
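if __name__ == '__main__':
    # Usage:
    #   datper_elk.py <es_host> <index>   tag every document in <index>
    #   datper_elk.py <message>           print 'yes' / 'no' for one line
    if len(sys.argv) >= 3:
        updateElastic(sys.argv[1], sys.argv[2])
    elif len(sys.argv) == 2:
        # The original tested len(sys.argv) == 1 here and then read
        # sys.argv[1], which cannot exist in that branch, so single-message
        # mode always raised; and two arguments fell into the ES branch and
        # died on sys.argv[2].
        try:
            result = checkDatper(sys.argv[1])
        except Exception as e:
            # str(e) works on both Python 2 and 3; e.message is Python 2 only.
            result = str(e)
        print(result)
    else:
        sys.stderr.write('usage: %s <es_host> <index> | <message>\n' % sys.argv[0])
        sys.exit(2)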