A collection of tools interfacing with RT/RTIR in order to interact with the world (e.g. send out take-down requests or other notifications)
UrlAbusefrom https://github.com/CIRCL/url-abuseRTfrom https://bestpractical.comsed,cut,grepfaupfrom https://github.com/stricaud/faup- Python >=3.4
- Python dependencies:
string,ioc_fanger,pyurlabuse,rt,requests,logging,sphinxapi,urllib3
More tools are likely to be released
get-reports.sh is a standalone tool to iterate through defined submission types. Submission types can be defined as an RT/RTIR search. It keeps a list of definitions in get-reports.inc. There are two modes of operation:
- Automatic processing of the incoming tickets (e.g. any 30 minutes with a cronjob:
30 * * * * cd /home/rommelfs/ticket-tools && ./get-reports.sh shadowserver) - Semi-automatic processing (automatic display of a list of open tickets from one category. One-key decision and processing:
The submission is checked by
UrlAbuseand offers the possibility to - automatically create a take-down request based on templates (from
./templates), the source ticket will be moved to the incident queue. A classification will be added according to the take-down type. - Pre-defined are these types of submissions: phishing, malware, defacement, webshell
- Possible actions are:
- ignore the ticket (keep it open for next run), and continue
- ignore and close the ticket (ticket will be closed without further action, leaving a comment in the ticket)
- exit the program (start next time at the ticket where exited)
- When set up, an external screenshot taking tool can produce a screenshot of the offending site. It will be attached as comment to the ticket.
The tool relies on a working version of create_ticket_with_template.py
create_ticket_with_template.py
Usage: create_ticket_with_template.py Incident-ID Templatename URL [Onlinecheck:True|False] [Queue]
This tools creates a take-down request as an investigation to an incident (Incident-ID). It uses the given Templatename (from ./templates).
The input is based on the given URL, which is checked with UrlAbuse. The verification of the content being online can be skipped (False).
A specific queue can be mentioned (default is 5).
It can also send the contents to a MISP instance.
Requires UrlAbuse from https://github.com/CIRCL/url-abuse
get-urlabuse-reports.sh is a standalone tool to iterate through new UrlAbuse submissions (https://www.circl.lu/urlabuse/ and https://www.circl.lu/services/urlabuse/) from users to the ticket system.
The submission is checked by UrlAbuse and offers the possibility to
- automatically create a take-down request based on templates (from
./templates), the source ticket will be closed - ignore the ticket (ticket will be closed without further action)
- exit the program (start next time at the ticket where exited)
The tool relies on a working version of create_ticket_with_template.py
get-phishlab-reports.sh is a standalone tool to iterate through new Phishlab reports to the ticket system.
The submission is checked by UrlAbuse and offers the possibility to
- automatically create a take-down request based on templates (from
./templates), the source ticket will be closed - ignore the ticket (ticket will be closed without further action)
- exit the program (start next time at the ticket where exited)
The tool relies on a working version of create_ticket_with_template.py
create_bulk_ticket_with_template.py
Usage: create_bulk_ticket_with_template.py Incident-ID Templatename csv-file
This tool creates a take-down request as an investigation to an incident (Incident-ID). It uses the given Templatename (from ./templates).
The input is based on a CSV list as in the following format (example data):
Format: ASN,IP,Country code,Last seen (UTC),Malware,Source Port,Destination IP,Destination Port,Destination Hostname
"12345","1.2.3.4","2018-06-17 16:11:33","necurs","6789","2.3.4.5","80","","tcp"
Entries are grouped by ASN and only one notification per AS number is sent.
get-urlquery-urls.sh fetches the content of new urlquery reports and sends the entries to an XMPP chatroom
get-urlmon-urls.sh fetches the content of new urlquery reports and sends the entries to an XMPP chatroom
get-ms-urls.sh fetches the content of new urlquery reports and sends the entries to an XMPP chatroom