#!/usr/bin/env python3
import argparse
import re
import os.path
from OTXv2 import OTXv2
from OTXv2 import IndicatorTypes
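# Add your AlienVault OTX API key below, or export it as OTX_API_KEY.
# The environment variable wins when set, so the key does not have to be
# committed alongside the script.
API_KEY = os.environ.get('OTX_API_KEY', '')
#
# Define API variables
OTX_SERVER = 'https://otx.alienvault.com/'
# Raw string: "\d" must reach the regex engine untouched (in a plain string it is
# an invalid Python escape, a SyntaxWarning on 3.12+).
CVE_PATTERN = re.compile(r"CVE-\d{4}-\d{4,7}")
CSV_HEADER = 'cve,exploited in wild,exploit exists'


def dedupe_cves(cves):
    """Return *cves* with surrounding whitespace stripped, blanks dropped and
    duplicates removed; the first occurrence wins and input order is preserved."""
    seen = set()
    unique = []
    for cve in cves:
        cve = cve.strip()
        if cve and cve not in seen:
            seen.add(cve)
            unique.append(cve)
    return unique


def cves_from_lines(path):
    """Read one CVE per line from the text file at *path*."""
    with open(path) as f:
        return f.read().splitlines()


def cves_from_text(path):
    """Regex-scan the plain-text file at *path* for CVE ids, in order of appearance."""
    found = []
    # `with` closes the file; the original iterated a bare open() and leaked the handle.
    with open(path) as f:
        for line in f:
            found.extend(match.group() for match in CVE_PATTERN.finditer(line))
    return found


def collect_cves(args):
    """Build the list of CVEs to look up from the parsed argument dict *args*.

    Exactly one of ``cve``/``cvelist``/``cvefile``/``readfile`` is expected to be
    set (the parser enforces this). Raises SystemExit with a message when the
    named file does not exist; the original silently skipped the read and then
    failed later with NameError on the undefined ``cves``. The result is
    deduplicated, as the original TODO asked for, so each CVE is queried once.
    """
    if args["cve"]:
        raw = [args["cve"]]
    elif args["cvelist"]:
        raw = args["cvelist"].split(",")
    elif args["cvefile"]:
        path = args["cvefile"]
        if not os.path.isfile(path):
            raise SystemExit(f"[-] --cvefile not found: {path}")
        raw = cves_from_lines(path)
    elif args["readfile"]:
        path = args["readfile"]
        if not os.path.isfile(path):
            raise SystemExit(f"[-] --readfile not found: {path}")
        raw = cves_from_text(path)
    else:
        raw = []
    return dedupe_cves(raw)


def lookup_flags(general):
    """Return ``(seen_wild, exploits)`` from the ``general`` section of an OTX
    CVE indicator response. A missing or falsy key is reported as False."""
    return bool(general.get("seen_wild")), bool(general.get("exploits"))


def main():
    """Parse arguments, resolve the CVE list and print OTX results."""
    parser = argparse.ArgumentParser(description='OTX CVE in wild lookup')
    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument('-c', '--cve', help='CVE eg; CVE-2020-14882')
    group.add_argument('--cvelist', help='Comma-separated list of CVEs eg; CVE-2017-8977,CVE-2017-11882')
    group.add_argument('--cvefile', help='New-Line-separated file of CVEs eg; ./cve-list.txt')
    group.add_argument('--readfile', help='Regex search plain text file for CVEs eg; ./vulnreport.csv')
    parser.add_argument('--csvout', help='Output results in CSV format', action='store_true')
    args = vars(parser.parse_args())

    cves = collect_cves(args)
    otx = OTXv2(API_KEY, server=OTX_SERVER)

    def query(cve):
        # Indexing "general" directly keeps a malformed or error response loud
        # instead of quietly reporting "not exploited" for a failed lookup.
        details = otx.get_indicator_details_full(IndicatorTypes.CVE, cve)
        return lookup_flags(details["general"])

    if args["csvout"]:
        print(CSV_HEADER)
        for cve in cves:
            in_wild, exploits = query(cve)
            print(f"{cve},{in_wild},{exploits}")
    else:
        print("Looking up following CVEs:")
        for cve in cves:
            print(f"\t{cve}")
        for cve in cves:
            # Printed before the query so slow lookups still show progress.
            print(f"[+] {cve}:")
            in_wild, exploits = query(cve)
            if in_wild:
                print(f"[!] ALIENVAULT HAS SEEN THIS ({cve}) ACTIVELY EXPLOITED IN THE WILD")
            else:
                print(f"[+] Alienvault has NOT seen this ({cve}) actively exploited in the wild")
            if exploits:
                print(f"[!] ALIENVAULT HAS SEEN EXPLOITS FOR THIS ({cve})")
            else:
                print(f"[+] Alienvault has NOT seen exploits for this ({cve})")


if __name__ == "__main__":
    main()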