How to use the zat.utils.signal_utils function in zat

To help you get started, we’ve selected a few zat examples, based on popular ways it is used in public projects.


Example 1: SuperCowPowers / zat / examples / yara_matches.py (excerpt; the enclosing function begins before this fragment)
if not os.path.isfile(args.rule_index):
        print('--rule-index file not found.. should be /full/path/to/yara/rules/index.yar')
        sys.exit(1)
    if not os.path.isdir(args.extract_dir):
        print('--extract-dir directory not found.. should be /full/path/to/bro/extract_files')
        sys.exit(1)

    # Load/compile the yara rules
    my_rules = yara.compile(args.rule_index)

    # Create DirWatcher and start watching the Zeek extract_files directory
    print('Watching Extract Files Directory: {:s}'.format(args.extract_dir))
    dir_watcher.DirWatcher(args.extract_dir, callback=yara_match, rules=my_rules)

    # Okay so just wait around for files to be dropped by Zeek or someone hits Ctrl-C
    with signal_utils.signal_catcher(my_exit):
        while True:
            time.sleep(.5)
Example 2: SuperCowPowers / zat / examples / kafka_print.py (excerpt; the enclosing function begins before this fragment)
sys.exit(1)

    # Create a Kafka Consumer and subscribe to the topics
    all_topics = ['capture_loss', 'dns', 'http', 'ssl', 'weird', 'conn', 'files', 'x509']
    kserver = args.server
    topics = args.topics if args.topics != ['all'] else all_topics
    print('Subscribing to: {!r}'.format(topics))
    try:
        consumer = KafkaConsumer(*topics, bootstrap_servers=[kserver],
                                 value_deserializer=lambda x: json.loads(x.decode('utf-8')))
    except NoBrokersAvailable:
        print('Could not connect to Kafka server: {:s}'.format(args.server))
        sys.exit(-1)

    # Launch long lived process with signal catcher
    with signal_utils.signal_catcher(exit_program):

        # Now lets process our Kafka Messages
        for message in consumer:
            topic = message.topic
            message = message.value
            print('\n{:s}'.format(topic.upper()))
            pprint(message)
Example 3: SuperCowPowers / zat / examples / risky_dns.py (excerpt; the enclosing function begins before this fragment and the last statement is cut off)
# See if we have a serialized VirusTotal Query Class.
        # If we do not have one we'll create a new one
        try:
            vtq = pickle.load(open('vtq.pkl', 'rb'))
            print('Opening VirusTotal Query Cache (cache_size={:d})...'.format(vtq.size))
        except IOError:
            vtq = vt_query.VTQuery(max_cache_time=60*24*7) # One week cache

        # See our 'Risky Domains' Notebook for the analysis and
        # statistical methods used to compute this risky set of TLDs
        risky_tlds = set(['info', 'tk', 'xyz', 'online', 'club', 'ru', 'website', 'in', 'ws',
                          'top', 'site', 'work', 'biz', 'name', 'tech', 'loan', 'win', 'pro'])

        # Launch long lived process with signal catcher
        with signal_utils.signal_catcher(save_vtq):

            # Run the bro reader on the dns.log file looking for risky TLDs
            reader = bro_log_reader.BroLogReader(args.bro_log)
            for row in reader.readrows():

                # Pull out the TLD
                query = row['query']
                tld = tldextract.extract(query).suffix

                # Check if the TLD is in the risky group
                if tld in risky_tlds:
                    # Make the query with the full query
                    results = vtq.query_url(query)
                    if results.get('positives', 0) > 3: # At least four hits
                        print('\nRisky Domain DNS Query Found')
                        print('From: {:s} To: {:s} QType: {:s} RCode: {:s}'.format(row['id.orig_h'],
Example 4: SuperCowPowers / zat / examples / kafka_risky_dns.py (excerpt; the enclosing function begins before this fragment and the last statement is cut off)
# See if we have a serialized VirusTotal Query Class.
    # If we do not have one we'll create a new one
    try:
        vtq = pickle.load(open('vtq.pkl', 'rb'))
        print('Opening VirusTotal Query Cache (cache_size={:d})...'.format(vtq.size))
    except IOError:
        vtq = vt_query.VTQuery(max_cache_time=60*24*7)  # One week cache

    # See our 'Risky Domains' Notebook for the analysis and
    # statistical methods used to compute this risky set of TLDs
    risky_tlds = set(['info', 'tk', 'xyz', 'online', 'club', 'ru', 'website', 'in', 'ws',
                      'top', 'site', 'work', 'biz', 'name', 'tech', 'loan', 'win', 'pro'])

    # Launch long lived process with signal catcher
    with signal_utils.signal_catcher(save_vtq):

        # Now lets process our Kafka 'dns' Messages
        for message in consumer:
            dns_message = message.value

            # Pull out the TLD
            query = dns_message.get('query')
            tld = tldextract.extract(query).suffix if query else None

            # Check if the TLD is in the risky group
            if tld in risky_tlds:
                print('\n'+query)
                # Make the query with the full query
                results = vtq.query_url(query)
                if results.get('positives', 0) > 3:  # At least four hits
                    print('Risky Domain DNS Query Found')