#!/usr/bin/env python3
# parse yara rules from group attributes
import configparser as ConfigParser
import re
import sys
from threatconnect import ThreatConnect
# https://docs.threatconnect.com/en/latest/python/quick_start.html#standard-script-heading
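# Section of ./tc.conf that holds the API credentials (read relative to the
# current working directory, as in the upstream standard script heading).
CONFIG_SECTION = 'threatconnect'
# Owners whose Groups are scanned.  The list is hard-coded rather than
# discovered with tc.owners(), so only these two sources are queried.
OWNERS = ['ThreatConnect Intelligence', 'Common Community']
# Start of a YARA rule declaration: "rule <identifier> [: tag ...] {".
# The identifier is a letter or underscore followed by up to 127 word
# characters; the optional tag list is accepted so tagged rules are found too.
# Raw string: "\s" / "\w" are regex escapes, not Python string escapes.
YARA_RULE_RE = re.compile(
    r"rule\s+[a-zA-Z_]\w{0,127}\s*(?::\s*[a-zA-Z_]\w*(?:\s+[a-zA-Z_]\w*)*\s*)?{"
)


def _load_api_settings(path='./tc.conf'):
    """Read the ThreatConnect API settings from the config file at *path*.

    Returns a tuple ``(access_id, secret_key, default_org, base_url,
    result_limit)``; ``result_limit`` is converted to ``int``.

    Raises ``configparser.Error`` when the section or one of its options is
    missing (an unreadable file leaves the parser empty, which surfaces as
    ``NoSectionError``) and ``ValueError`` when ``api_result_limit`` is not
    an integer.
    """
    config = ConfigParser.RawConfigParser()
    config.read(path)
    return (
        config.get(CONFIG_SECTION, 'api_access_id'),
        config.get(CONFIG_SECTION, 'api_secret_key'),
        config.get(CONFIG_SECTION, 'api_default_org'),
        config.get(CONFIG_SECTION, 'api_base_url'),
        config.getint(CONFIG_SECTION, 'api_result_limit'),
    )


def _retrieve_groups(tc, owners):
    """Return the Groups collection for *owners*, already retrieved from the API.

    Propagates the ``RuntimeError`` raised by ``groups.retrieve()`` on failure.
    """
    groups = tc.groups()
    owner_filter = groups.add_filter()
    # only retrieve Groups from the given owner(s)
    owner_filter.add_owner(owners)
    groups.retrieve()
    return groups


def _print_yara_attributes(groups):
    """Print every Group attribute whose text contains a YARA rule declaration.

    For each match the Group name and weblink are printed, then the attribute
    type, then the attribute text with YARA variable lines indented.
    """
    for group in groups:
        # attributes are not loaded with the group; fetch them explicitly
        group.load_attributes()
        for attribute in group.attributes:
            content = attribute.value
            # skip empty attributes; re.search() on None would raise TypeError
            if not content:
                continue
            # check if a yara rule declaration appears in the attribute
            if not YARA_RULE_RE.search(content):
                continue
            print(group.name, group.weblink)
            print(attribute.type)
            # Indent yara vars: lines starting with '$' get one leading space
            content = content.replace("\n$", "\n $")
            # NOTE: attribute text is third-party feed content and is printed
            # verbatim; no escaping is applied for the terminal.
            print(content)


def main():
    """Connect to ThreatConnect and print YARA rules found in Group attributes.

    Exits with status 1 when the configuration cannot be read or the Group
    retrieval fails.
    """
    try:
        settings = _load_api_settings()
    except (ConfigParser.Error, ValueError):
        # NoSectionError (missing/unreadable file) and NoOptionError both
        # derive from configparser.Error; ValueError is a bad api_result_limit.
        print('Could not read configuration file.')
        sys.exit(1)
    access_id, secret_key, default_org, base_url, result_limit = settings
    tc = ThreatConnect(access_id, secret_key, default_org, base_url)
    # use the configured limit instead of a hard-coded value
    tc.set_api_result_limit(result_limit)
    try:
        groups = _retrieve_groups(tc, OWNERS)
    except RuntimeError as e:
        print(f'Error: {e}')
        sys.exit(1)
    _print_yara_attributes(groups)


if __name__ == '__main__':
    main()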