-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathicsfeedparser.py
606 lines (527 loc) · 24.2 KB
/
icsfeedparser.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
# Simple python script to parse the CISA ICS alert feed
# DISCLAIMER
# The script developed by JHU/APL for the demonstration are not “turn key” and are
# not safe for deployment without being tailored to production infrastructure. These
# files are not being delivered as software and are not appropriate for direct use on any
# production networks. JHU/APL assumes no liability for the direct use of these files and
# they are provided strictly as a reference implementation.
#
# NO WARRANTY, NO LIABILITY. THIS MATERIAL IS PROVIDED “AS IS.” JHU/APL MAKES NO
# REPRESENTATION OR WARRANTY WITH RESPECT TO THE PERFORMANCE OF THE MATERIALS, INCLUDING
# THEIR SAFETY, EFFECTIVENESS, OR COMMERCIAL VIABILITY, AND DISCLAIMS ALL WARRANTIES IN
# THE MATERIAL, WHETHER EXPRESS OR IMPLIED, INCLUDING (BUT NOT LIMITED TO) ANY AND ALL
# IMPLIED WARRANTIES OF PERFORMANCE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
# AND NON-INFRINGEMENT OF INTELLECTUAL PROPERTY OR OTHER THIRD PARTY RIGHTS. ANY USER OF
# THE MATERIAL ASSUMES THE ENTIRE RISK AND LIABILITY FOR USING THE MATERIAL. IN NO EVENT
# SHALL JHU/APL BE LIABLE TO ANY USER OF THE MATERIAL FOR ANY ACTUAL, INDIRECT,
# CONSEQUENTIAL, SPECIAL OR OTHER DAMAGES ARISING FROM THE USE OF, OR INABILITY TO USE,
# THE MATERIAL, INCLUDING, BUT NOT LIMITED TO, ANY DAMAGES FOR LOST PROFITS.
import configparser
import os
import smtplib
import sys
from datetime import datetime
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from textwrap import dedent
from typing import List, Union
import bleach
import feedparser
import requests
from bs4 import BeautifulSoup
CONFIG = None
DOUBLE_MATCH_WARNING = "ATTENTION: The following alert references your specified vendors AND products!"
EMPTY_NIST_VULN_URL = "http://web.nvd.nist.gov/view/vuln/detail?vulnId="
# Class to store feed data
class ICSFeedData:
def __init__(self, entry, max_hours_back):
# Init everything at the top, even if we don't have values for it yet, so it's easy to come back
# and look at.
self.entry = entry
self.entry_id = ""
self.date_published = None
self.is_old = False
self.has_data = False
self.cvss_scores = ""
self.attention = ""
self.vendor = ""
self.equipment = ""
self.vulns = ""
self.cves = []
# Note: Although feedparser does its own sanitizing, best we play it safe and use a known good one like
# bleach throughout here. However, bleach only prevents unsafe tags. We need to manually remove the <p> here
# to better display to the user.
self.entry.summary = bleach.clean(self.entry.summary.replace("<p>", "").replace("</p>", ""))
if len(self.entry.summary.split("\n")) > 3:
self.entry.summary = "" # Empty summary if it's too long (comes from a mistake in the feed)
entry.link = bleach.clean(entry.link.lower())
link = entry.link
link_split = link.split('icsa-', 1)
if len(link_split) == 2:
self.entry_id = 'icsa-' + link_split[1]
else:
link_split = link.split('icsma-', 1)
self.entry_id = 'icsma-' + link_split[1]
self.entry_id = self.entry_id.upper()
# Get the time published, and don't retrieve further if the date is too far in the past
entry.published = bleach.clean(entry.published)
self.date_published = datetime.strptime(entry.published[:-6], "%a, %d %b %y %H:%M:%S")
now = datetime.now()
diff = now - self.date_published
hours_since = diff.total_seconds() / 60 / 60
if hours_since > max_hours_back:
self.is_old = True
else:
# Retrieve main page and fetch information
entry_page = requests.get(link, timeout=CONFIG["timeout_time"])
entry_soup = BeautifulSoup(entry_page.content, 'html.parser')
tags = entry_soup.find_all()
for tag in tags:
# Search on the actual page for data, since <meta> tags are inconsistent
# (see https://www.cisa.gov/uscert/ics/advisories/icsa-22-181-03 as an example of a bad meta tag)
if "1. EXECUTIVE SUMMARY" == tag.text:
info_tag = tag.next_sibling.next_element
for list_item in info_tag:
if hasattr(list_item, "text") and list_item.text != "":
text = bleach.clean(list_item.text)
if "CVSS" in text:
self.cvss_score = text.rsplit(" ", maxsplit=1)[-1]
elif "ATTENTION:" in text:
self.attention = text[len("ATTENTION: "):]
elif "Vendor:" in text:
self.vendor = text[len("Vendor: "):]
elif "Equipment:" in text:
self.equipment = text[len("Equipment: "):]
elif "Vulnerabilities:" in text:
self.vulns = text[len("Vulnerabilities: "):]
elif "Vulnerability:" in text:
self.vulns = text[len("Vulnerability: "):]
elif "3.2 VULNERABILITY OVERVIEW" == tag.text:
tag = tag.next_sibling
while tag.text != "3.3 BACKGROUND" and tag.name in ["p", None]:
tag_text = tag.text.replace("\u200b",
"") # Some entries have zero-width spaces. Get rid of them.
if tag_text.startswith("CVE-"):
# Need to do the extra replace for no-break spaces that can be found sometimes
self.cves.append(tag_text.split(" ")[0].replace("has", "").strip())
tag = tag.next_sibling
self.has_data = self.cvss_score and self.attention and self.vendor and self.equipment and self.vulns
@property
def severity(self):
scores = self.cvss_score.split(".")
major_score = int(scores[0])
if major_score < 4:
return "Low"
elif major_score < 7:
return "Medium"
elif major_score < 9:
return "High"
else:
return "Critical"
def data_applicable(self, equipment_list: List[str], vendors_list: List[str]) -> int:
"""Check if Vulnerability Applicable.
Checks if this vulnerability is in the list of equipment and/or vendors.
Args:
equipment_list: String list of equipment to check against
vendors_list: List of vendors to check against
Returns:
0 if this data is not in either list, 1 if this data is in only the vendor list or equipment list, and
2 if it's in both lists.
"""
score = 0
for e in equipment_list:
if e.lower() in self.equipment.lower():
score += 1
break
for v in vendors_list:
if v.lower() in self.vendor.lower():
score += 1
break
return score
def __str__(self):
out = f"{'-' * 8}{self.entry.title} ({self.entry_id}) {'-' * 8}\n"
if self.has_data:
out += dedent(f"""
Published: {self.entry.published} at: {self.entry.link}
CVSS Score: {self.cvss_score} ({self.severity} Severity)
Attention: {self.attention}
Vendor Affected: {self.vendor}
Equipment Affected: {self.equipment}
Vulnerabilities: {self.vulns}
CVEs: {' '.join(self.cves) if len(self.cves) > 0 else 'None'}
""")
if self.entry.summary:
out += f"\nSummary: {self.entry.summary}"
out += f"\nLink to ICS Page: {self.entry.link}"
elif self.is_old:
out += "\nNo Data! Did not obtain data due to this entry having been created too long ago!"
else:
out += "\nNo Data! Failed to retrieve it!"
return out
def make_slack_message(data: ICSFeedData, double_matches: bool) -> dict:
"""Make Slack Text from ICSFeedData.
Translates an ICSFeedData instance into a string formatted as a Slack message.
Args:
data: An ICSFeedData representing an ICS report.
double_matches: Whether to include an extra warning that this warning is very applicable.
Returns:
A dictionary representing JSON to be sent to Slack's API.
"""
content = {}
blocks = []
cvss_str = ""
is_critical = data.severity == "Critical"
is_high_or_critical = data.severity == "High" or is_critical
if is_critical:
cvss_str += "!" * 16 + " "
if is_high_or_critical:
cvss_str += "*"
cvss_str += f"CVSS Score: {data.cvss_score} ({data.severity} Severity)"
if is_high_or_critical:
cvss_str += "*"
if is_critical:
cvss_str += " " + "!" * 16
double_match_str = "*" + DOUBLE_MATCH_WARNING + "*\n" if double_matches else ""
blocks.append({
"type": "section",
"text": {
"type": "mrkdwn",
"text": dedent(f"""
*{data.entry.title} ({data.entry_id})*
{double_match_str}{cvss_str}
""")
}
})
body = dedent(f"""
Published: {data.entry.published}
Attention: {data.attention}
Vendor Affected: {data.vendor}
Equipment Affected: {data.equipment}
Vulnerabilities: {data.vulns}
CVEs: {' '.join([f"<{EMPTY_NIST_VULN_URL + cve}|{cve}> " for cve in data.cves]) if len(data.cves) > 0 else "None"}
""")
if data.entry.summary:
body += f"\nSummary: {data.entry.summary}"
body += f"\n<{data.entry.link}|ICS Page>"
blocks.append({
"type": "section",
"text": {
"type": "mrkdwn",
"text": body
}
})
content["blocks"] = blocks
return content
def make_html(data: ICSFeedData, double_matches: bool) -> str:
"""Make HTML from ICSFeedData.
Translates an ICSFeedData instance into an alright-looking HTML document.
Args:
data: An ICSFeedData representing an ICS report.
double_matches: Whether to include an extra warning that this vulnerability is very applicable.
Returns:
A string of an HTML document to be sent via email.
"""
cve_html = ""
if len(data.cves) > 0:
cve_html = "<h2 style=\"font-weight: normal\">CVEs: "
for cve in data.cves:
cve_html += f"<span><a href={EMPTY_NIST_VULN_URL + cve}>{cve}</a></span> "
cve_html += "</h2>"
html = f"""
<html><head><div style="text-align: center">
{f'<h1 style="color: red">{DOUBLE_MATCH_WARNING}</h1>' if double_matches else ''}
<h1>{data.entry.title} ({data.entry_id})</h1>
</div></head>
<body>
<div style="text-align: center">
<h3 style="font-weight: normal">Published: {data.date_published}</h3>
<h2 style="font-weight: normal; color: darkred">CVSS Score: {data.cvss_score}</h2>
<h2 style="font-weight: normal">Attention: {data.attention}</h2>
<h2 style="font-weight: normal">Affected Product: {data.equipment} from {data.vendor}</h2>
<h2 style="font-weight: normal">Vulnerabilities: {data.vulns}</h2>
{cve_html}
<h3 style="font-weight: normal">{data.entry.summary}</h3>
<a href="{data.entry.link}"><h2 style="font-weight: normal">View ICS Page</h2></a>
</div>
</body>
</html>
"""
return html
def send_mail(subject: str, plain_text: str, html: Union[str, None] = None, to_error: bool = False):
try:
msgs = []
receivers = CONFIG["error_receivers"] if to_error else CONFIG["receivers"]
for receiver in receivers:
msg = MIMEMultipart("alternative")
msg["Subject"] = subject
msg["From"] = CONFIG["from_address"]
msg["To"] = receiver
if html is not None:
msg.attach(MIMEText(html, "html"))
msg.attach(MIMEText(plain_text, "plain"))
msgs.append(msg)
if CONFIG["mail_ssl"]:
smtp = smtplib.SMTP_SSL(host=CONFIG["mail_server"], port=CONFIG["mail_server_port"])
else:
smtp = smtplib.SMTP(host=CONFIG["mail_server"], port=CONFIG["mail_server_port"])
smtp.starttls()
if CONFIG["username"] and CONFIG["password"]:
smtp.login(CONFIG["username"], CONFIG["password"])
for msg in msgs:
smtp.send_message(msg, CONFIG["from_address"], msg["To"])
smtp.quit()
except smtplib.SMTPException as e:
print("Error while sending emails!")
print(e)
def notify_of_vuln(feed_data: ICSFeedData, double_matches: bool):
"""Notify of Vulnerability.
Notifies the end user(s) of a vulnerability.
Args:
feed_data: The ICSFeedData instance to report.
double_matches: Whether both the equipment and vendor matched up during checking
"""
if not double_matches and CONFIG["only_double_match"]:
return # Bail early if we're only looking for double matches and we don't double match
print(f"Notifying of vulnerability for {feed_data.entry.title}{' with full applicability' if double_matches else ''}.")
plain_text = ""
if double_matches:
plain_text += DOUBLE_MATCH_WARNING + "\n"
plain_text += str(feed_data) + "\n"
if CONFIG["use_emails"]:
html = make_html(feed_data, double_matches)
send_mail("Vulnerability Notification", plain_text, html)
if CONFIG["use_slack"]:
requests.post(CONFIG["slack_url"],
json=make_slack_message(feed_data, double_matches), verify=CONFIG["requests_verify"], timeout=CONFIG["timeout_time"])
def get_entries_for_past_hours(hours_back: int) -> List[ICSFeedData]:
"""Get Entries for Past Hours.
Gets all the entries in the ICS feed from the past hours_back hours.
Args:
hours_back: The amount of hours to look back.
Returns:
A list of ICSFeedData instances containing all the vulnerability reports from the past hours_back hours.
"""
entries = []
icsa = feedparser.parse('https://www.cisa.gov/uscert/ics/advisories/advisories.xml')
icsa_entries = icsa.entries
if icsa.bozo:
handle_error("Failed to retrieve ICS advisories.", icsa.bozo_exception)
if len(icsa_entries) == 0:
handle_error("Retrieved no ICS advisories. This is likely some sort of error.", None)
for entry_in in icsa_entries:
try:
data = ICSFeedData(entry_in, hours_back)
except Exception as e:
handle_error("Failed to parse ICS advisory entry!", e)
if data.has_data or not data.is_old:
entries.append(data)
else: # Break if we created an old instance
break
return entries
def get_valid_lines(file_name: str) -> List[str]:
"""Get All Good Lines.
Gets all lines from file_name that aren't empty.
Args:
file_name: File name to retrieve lines from.
Returns:
A list of non-empty lines from file_name.
"""
with open(file_name, "r") as f:
lines_raw = f.read().strip().replace("\r", "").split("\n")
good_lines = []
for line in lines_raw:
line = line.strip()
if len(line) > 0:
good_lines.append(line)
return good_lines
def fetch_config() -> dict:
"""Fetch Config.
Fetches the config from config.ini and returns a dictionary from it for ICSFeedParser to use.
Returns:
The aforementioned dictionary.
"""
config_dict = {}
config = configparser.ConfigParser()
config.read("config.ini")
config_dict["use_emails"] = config["Mail Settings"].getboolean("use email notifications", fallback=True)
config_dict["use_email_errors"] = config["Mail Settings"].getboolean("use email error notifications", fallback=True)
config_dict["use_slack"] = config["Slack Settings"].getboolean("use slack notifications", fallback=True)
config_dict["use_slack_errors"] = config["Slack Settings"].getboolean("use slack error notifications",
fallback=True)
config_dict["mail_server"] = config["Mail Settings"]["mail server"]
config_dict["mail_server_port"] = config["Mail Settings"].getint("mail server port", fallback=25)
config_dict["mail_ssl"] = config["Mail Settings"].getboolean("mail uses ssl encryption",
fallback=config_dict["mail_server_port"] == 465)
config_dict["from_address"] = config["Mail Settings"]["notification from email address"]
config_dict["username"] = config["Mail Settings"]["smtp username"]
config_dict["password"] = config["Mail Settings"]["smtp password"]
config_dict["hours_back_to_check"] = \
config["Notifier Settings"].getint("days back to check", fallback=1) * 24 + 0.1
config_dict["only_double_match"] = config["Notifier Settings"] \
.getboolean("only notify when vendor and equipment match", fallback=True)
config_dict["receivers"] = get_valid_lines("notification_recipients.txt")
config_dict["error_receivers"] = get_valid_lines("error_recipients.txt")
config_dict["vendors"] = get_valid_lines("vendors.txt")
config_dict["equipment"] = get_valid_lines("equipment.txt")
config_dict["slack_url"] = config["Slack Settings"]["slack webhook url"]
config_dict["slack_error_url"] = config["Slack Settings"]["slack error webhook url"]
config_dict["requests_verify"] = config["Notifier Settings"].getboolean("use ssl verification", fallback=True)
if config_dict["use_emails"]:
for receiver in config_dict["receivers"]:
if "@example.com" in receiver:
print("You cannot send emails to users at example.com!")
sys.exit(1)
if config_dict["use_email_errors"]:
for receiver in config_dict["error_receivers"]:
if "@example.com" in receiver:
print("You cannot send emails to users at example.com!")
sys.exit(1)
if config_dict["use_slack"] and config_dict["slack_url"] == "https://hooks.slack.com/services/YOUR/HOOK/HERE":
print("Please set the Slack URL to something other than the example URL!")
sys.exit(1)
if config_dict["use_slack_errors"] and \
config_dict["slack_error_url"]== "https://hooks.slack.com/services/YOUR/HOOK/HERE":
print("Please set the Slack URL to something other than the example URL!")
sys.exit(1)
# Hardcoded config values
config_dict["timeout_time"] = 60
return config_dict
def check_write_config() -> bool:
"""Write Config.
Writes the default config file if it doesn't already exist.
Returns:
True if the config was written, False if it was already there.
"""
to_ret = False
if not os.path.exists("config.ini"):
config = configparser.ConfigParser()
config["Mail Settings"] = {
"Use Email Notifications": "True",
"Use Email Error Notifications": "True",
"Mail Server": "mail.example.com",
"Mail Server Port": "25",
"Mail Uses SSL Encryption": "False",
"SMTP Username": "ENTER USERNAME HERE, OR LEAVE BLANK IF AUTHENTICATION IS NOT NEEDED",
"SMTP Password": "ENTER PASSWORD HERE, OR LEAVE BLANK IF AUTHENTICATION IS NOT NEEDED",
"Notification From Email Address": "[email protected]"
}
config["Slack Settings"] = {
"Use Slack Notifications": "True",
"Slack Webhook URL": "https://hooks.slack.com/services/YOUR/HOOK/HERE",
"Use Slack Error Notifications": "True",
"Slack Error Webhook URL": "https://hooks.slack.com/services/YOUR/HOOK/HERE"
}
config["Notifier Settings"] = {
"Days Back to Check": "1",
"Only Notify When Vendor And Equipment Match": "False",
"Use SSL Verification": "True"
}
with open("config.ini", "w") as f:
config.write(f)
print("Wrote config file for editing.")
to_ret = True
if not os.path.exists("vendors.txt"):
with open("vendors.txt", "w") as f:
f.write(dedent("""
Example Vendor. Change Me!
Another Vendor! Change Me as well!
"""))
print("Wrote vendors.txt file for editing.")
to_ret = True
if not os.path.exists("equipment.txt"):
with open("equipment.txt", "w") as f:
f.write(dedent("""
MODEL1-CHANGEME
CHANGEMETOO
"""))
print("Wrote equipment.txt file for editing.")
to_ret = True
if not os.path.exists("notification_recipients.txt"):
with open("notification_recipients.txt", "w") as f:
f.write(dedent("""
"""))
print("Wrote notification_recipients.txt file for editing.")
to_ret = True
if not os.path.exists("error_recipients.txt"):
with open("error_recipients.txt", "w") as f:
f.write("[email protected]")
print("Wrote error_recipients.txt file for editing.")
to_ret = True
return to_ret
def handle_error(error_message: str, error: Union[None, Exception]):
print("ERROR: " + error_message)
# When handling errors, try-except email sending and Slack messages in case one fails so the other gets through
if CONFIG["use_slack_errors"]:
try:
exception_msg = "*Error from ICSFeedParser script:* " + str(error) if error is not None else ""
r = requests.post(CONFIG["slack_error_url"], json={
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": dedent(f"""
*An error has occurred!*
*Error:* {error_message}
{exception_msg}
""")
}
}
]
}, verify=CONFIG["requests_verify"], timeout=CONFIG["timeout_time"])
if not r.ok:
print(f"Failed to send error to Slack with reason: {r.reason}.")
except Exception as e:
print("Failed to send error to Slack.")
print(str(e))
if CONFIG["use_email_errors"]:
try:
error_email_msg = f"<h2 style=\"font-weight: normal\">Error from ICSFeedParser script: {str(error)}</h2>"\
if error is not None else ""
html = f"""
<head>
<div style="text-align: center">
<h1 style="color: red">ICSFeedParser Error</h1>
</div>
</head>
<body>
<div style="text-align: center">
<h2 style="font-weight: normal; color: darkred">An error has occurred in ICSFeedParser.</h2>
<h2 style="font-weight: normal">Error Message: {error_message}</h2>
{error_email_msg}
</div>
</body>
</html>
"""
plaintext = dedent(f"""
An error has occured in ICSFeedParser.
Error Message: {error_message}
{str(error) if error is not None else ''}
""")
send_mail("ICSFeedParser Error", plaintext, html, True)
except Exception as e:
print("Failed to send error via email.")
print(str(e))
if error is not None:
raise error
raise RuntimeError(error_message)
def main():
"""Main Function."""
print("Fetching entries...")
entries = get_entries_for_past_hours(CONFIG["hours_back_to_check"])
print(f"Checking {str(len(entries))} entries and notifying...")
for e in entries:
applicable = e.data_applicable(CONFIG["equipment"], CONFIG["vendors"])
if applicable:
notify_of_vuln(e, applicable == 2)
print("Process completed successfully!")
if __name__ == "__main__":
print("Loading Config...")
if check_write_config():
print("Wrote configuration files! Please edit them as needed!")
sys.exit(0)
else:
CONFIG = fetch_config()
main()