- Adding '-tifeeds' parameter to summarize the ThreatDB Feeds currently stored.

joeavanzato · joeavanzato · commit 50aad3e0169f · 2024-01-30T08:33:34.000-05:00
diff --git a/helpers/threatIntel.go b/helpers/threatIntel.go
@@ -33,6 +33,11 @@ type threatsCatReport struct {
 	count    int
 }
 
+type feedReport struct {
+	url  string
+	name string
+}
+
 type iPCheckResults struct {
 	feed_name string
 	category  string
@@ -73,6 +78,42 @@ func SummarizeThreatDB(logger zerolog.Logger) {
 	}
 }
 
+func SummarizeThreatFeeds(logger zerolog.Logger) {
+	db, err := OpenDBConnection(logger)
+	logger.Info().Msg("Summarizing ThreatDB Feeds")
+	if err != nil {
+		logger.Error().Msg("Could not initialize access to threat DB!")
+		return
+	}
+	query := "SELECT COUNT(*) FROM feeds"
+	rows, err := db.Query(query)
+	if err != nil {
+		logger.Error().Msg(err.Error())
+		return
+	}
+	var feedCount string
+	for rows.Next() {
+		err = rows.Scan(&feedCount)
+	}
+	rows.Close()
+	logger.Info().Msgf("Total Feeds: %v", feedCount)
+
+	query_types := "SELECT feed_url, feed_name FROM feeds"
+	rows_types, err := db.Query(query_types)
+	if err != nil {
+		logger.Error().Msg(err.Error())
+		return
+	}
+	for rows_types.Next() {
+		tmp := feedReport{}
+		if err := rows_types.Scan(&tmp.url, &tmp.name); err != nil {
+			logger.Error().Msg(err.Error())
+			return
+		}
+		logger.Info().Msgf("Feed Name: %v, URL: %v", tmp.name, tmp.url)
+	}
+}
+
 func BuildThreatDB(arguments map[string]any, logger zerolog.Logger) error {
 	// First check if the db exists - if not, initialize the database
 	// Table name: ips
diff --git a/main.go b/main.go
@@ -50,6 +50,7 @@ func parseArgs(logger zerolog.Logger) (map[string]any, error) {
 	intelfile := flag.String("intelfile", "", "The path to a local text file to be added to the threat intelligence database.  Must also specify the 'type' of intel using -inteltype as well as the name via -intelname")
 	inteltype := flag.String("inteltype", "", "A string-based identifier that will appear when matches occur - tor, suspicious, proxy, etc - something to identify what type of file we are ingesting.  Must also specify the file via -intelfile and name via -intelname.")
 	summarizeti := flag.Bool("summarizeti", false, "Summarize the contents of the ThreatDB, if it exists.")
+	tifeeds := flag.Bool("tifeeds", false, "See all currently ingested Threat Indicator Feeds")
 	fullparse := flag.Bool("fullparse", false, "If specified, will scan entire files for all possible keys to use in CSV rather than generalizing messages into an entire column - increases processing time.  Use to expand JSON blobs inside columnar data with -jsoncol to provide the name of the column.")
 	updategeo := flag.Bool("updategeo", false, "Update local MaxMind databases, even if they are detected.")
 	passthrough := flag.Bool("passthrough", false, "Skip all enrichment steps - only perform log conversion to CSV")
@@ -89,6 +90,7 @@ func parseArgs(logger zerolog.Logger) (map[string]any, error) {
 		"inteltype":       *inteltype,
 		"intelname":       *intelname,
 		"summarizeti":     *summarizeti,
+		"tifeeds":         *tifeeds,
 		"fullparse":       *fullparse,
 		"updategeo":       *updategeo,
 		"passthrough":     *passthrough,
@@ -516,6 +518,16 @@ func main() {
 		return
 	}
 
+	if arguments["tifeeds"].(bool) {
+		_, err := os.Stat(helpers.ThreatDBFile)
+		if errors.Is(err, os.ErrNotExist) {
+			logger.Error().Msg(err.Error())
+		} else {
+			helpers.SummarizeThreatFeeds(logger)
+		}
+		return
+	}
+
 	if arguments["useti"].(bool) {
 		_, err := os.Stat(helpers.ThreatDBFile)
 		if errors.Is(err, os.ErrNotExist) {
