From b934c64e38ce1f776c08b4645dc74111365193a2 Mon Sep 17 00:00:00 2001
From: smicallef
Date: Thu, 7 Apr 2022 08:37:23 +0200
Subject: [PATCH] Add the ability to run correlation rules against historical scans.

---
 sf.py                     | 10 ++++++++++
 spiderfoot/correlation.py |  1 +
 2 files changed, 11 insertions(+)

diff --git a/sf.py b/sf.py
index 90f67e5837..f89b55aeb8 100755
--- a/sf.py
+++ b/sf.py
@@ -95,6 +95,7 @@ def main():
     p.add_argument("-l", metavar="IP:port", help="IP and port to listen on.")
     p.add_argument("-m", metavar="mod1,mod2,...", type=str, help="Modules to enable.")
     p.add_argument("-M", "--modules", action='store_true', help="List available modules.")
+    p.add_argument("-C", "--correlate", metavar="scanID", help="Run correlation rules against a scan ID.")
     p.add_argument("-s", metavar="TARGET", help="Target for the scan.")
     p.add_argument("-t", metavar="type1,type2,...", type=str, help="Event types to collect (modules selected automatically).")
     p.add_argument("-u", choices=["all", "footprint", "investigate", "passive"], type=str, help="Select modules automatically by use case")
@@ -204,6 +205,15 @@ def main():
     # Add descriptions of the global config options
     sfConfig['__globaloptdescs__'] = sfOptdescs
 
+    if args.correlate:
+        if not correlationRulesRaw:
+            log.error("Unable to perform correlations as no correlation rules were found.")
+            sys.exit(-1)
+        log.info(f"Running {len(correlationRulesRaw)} correlation rules against scan, {args.correlate}.")
+        corr = SpiderFootCorrelator(dbh, correlationRulesRaw, args.correlate)
+        corr.run_correlations()
+        sys.exit(0)
+
     if args.modules:
         log.info("Modules available:")
         for m in sorted(sfModules.keys()):
diff --git a/spiderfoot/correlation.py b/spiderfoot/correlation.py
index 4c60ed7779..1343b9a491 100644
--- a/spiderfoot/correlation.py
+++ b/spiderfoot/correlation.py
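Review bot: In the second sf.py hunk `args.correlate` is passed straight into `SpiderFootCorrelator(dbh, correlationRulesRaw, args.correlate)` without confirming that a scan with that ID exists, so a mistyped or stale ID is only discovered (if at all) inside the correlator's database queries rather than reported up front; a guard before the constructor such as `if not dbh.scanInstanceGet(args.correlate): log.error(f"Scan {args.correlate} not found."); sys.exit(-1)` (assuming the usual SpiderFootDb lookup is available here) would give a clear failure. The new branch also calls `sys.exit(0)` before the `-M`/`-s` handling, so `-C` silently takes precedence over any other action flag; making it part of a mutually exclusive argparse group, or at least saying so in the `-C` help text added in the first hunk, would make that explicit. `dbh` and `correlationRulesRaw` are assigned outside this hunk, and `main()` continues beyond it, so the check above assumes the database handle is already open at this point. Minor wording: the log line reads `against scan, {args.correlate}.` — dropping the comma reads more naturally.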
@@ -46,6 +46,7 @@ def __init__(self, dbh: SpiderFootDb, ruleset: dict, scanId: str = None):
         self.dbh = dbh
         self.scanId = scanId
         self.types = self.dbh.eventTypes()
+        self.rules = list()
         for t in self.types:
             self.type_entity_map[t[1]] = t[3]