Open micheloosterhof opened 3 years ago
Happy to accept pull requests. We tried that early on, but envvars are a bit more flexible. Have you tried modifying the OS envvar before csirtgsdk is pulled in?
That said, starting to simplify the SDK a little with a v2:
https://github.com/csirtgadgets/csirtgsdk-py-v2
maybe we can make that a little easier depending on what you're trying to do?
I tried to change the environment variable already but couldn't make it work. So the variable is read at the moment of import of the csirtgsdk module? That could explain it, because my imports come before the rest of the logic (setting the env. variable).
All I'm trying to do is to submit an indicator to csirtg through a cowrie output module. I think you wrote the original src/cowrie/output/csirtg.py file, but it uses an ancient version of the pip library and that pulls in outdated dependencies. I'd like it updated to the latest versions of the csirtg libraries and the latest dependencies.
Yeah confirmed the TOKEN variable is set upon module loading. The client can receive a TOKEN through a named variable, but the Indicator object doesn't seem to take the client object. It's documented as a parameter, but the documentation doesn't seem to reflect reality.
Why not do it like this:
```python
class Indicator(object):
    """
    Represents an Indicator object
    https://github.com/csirtgadgets/csirtgsdk/wiki/API#indicators
    """
    def __init__(self, kwargs):
        """
        :param client: csirtgsdk.client.Client object
        :param kwargs: dict of Indicator
        :return: Indicator object

        Example:
            Indicator({
                'indicator': 'example.org',
                'tags': 'botnet',
                'lasttime': '2015-01-01T00:00:59Z',
                'comment': 'example comment',
                'attachment': '/tmp/malware.zip'
            }).create()
        """
        self.logger = logging.getLogger(__name__)
        self.client = Client()
        required = {'user', 'feed'}
```
becomes:
```python
class Indicator(object):
    """
    Represents an Indicator object
    https://github.com/csirtgadgets/csirtgsdk/wiki/API#indicators
    """
    def __init__(self, indidict, client=None):
        """
        :param indidict: dict of Indicator
        :param client: csirtgsdk.client.Client object
        :return: Indicator object

        Example:
            Indicator({
                'indicator': 'example.org',
                'tags': 'botnet',
                'lasttime': '2015-01-01T00:00:59Z',
                'comment': 'example comment',
                'attachment': '/tmp/malware.zip'
            }).create()
        """
        self.logger = logging.getLogger(__name__)
        if client is None:
            self.client = Client()
        else:
            self.client = client
        required = {'user', 'feed'}
```
I was a bit confused by the kwargs. Is this intended to be kwargs? Or is it expecting a dictionary as input? Because kwargs turns named arguments into a dictionary, but that's mostly a naming convention.
So in the example I renamed it to indidict to stop people having expectations about kwargs.
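The import-order problem and the client-injection fix discussed in this thread, as an added example that is not code from csirtgsdk or from any participant here. `Client` and `Indicator` are stand-in classes loaded from an inline source string; the `token` parameter name and all token values are assumptions constructed for the demonstration.

```python
import os
import types

# Stand-in for an SDK module that reads its token once, at import time.
# Constructed for illustration; this is not csirtgsdk source.
SDK_SOURCE = '''
import os
TOKEN = os.environ.get("CSIRTG_TOKEN")   # evaluated once, when the module loads

class Client:
    def __init__(self, token=None):      # "token" is an assumed parameter name
        self.token = token or TOKEN

class Indicator:
    def __init__(self, indidict, client=None):
        self.data = dict(indidict)
        # Fall back to a default client only when none is injected.
        self.client = client if client is not None else Client()
'''

def load_sdk():
    """Execute SDK_SOURCE as a fresh module, like a first-time import."""
    mod = types.ModuleType("fake_sdk")
    exec(SDK_SOURCE, mod.__dict__)
    return mod

def demo():
    sample = {"indicator": "example.org", "tags": "botnet"}
    os.environ.pop("CSIRTG_TOKEN", None)

    sdk = load_sdk()                                       # import happens first
    os.environ["CSIRTG_TOKEN"] = "env-token-constructed"   # set too late
    late = sdk.Indicator(sample).client.token

    # Explicit injection is independent of import order and of the process
    # environment, so the token can come from the caller's own configuration.
    client = sdk.Client(token="cfg-token-constructed")
    injected = sdk.Indicator(sample, client=client).client.token

    # Setting the variable before the import works, but only by ordering.
    early = load_sdk().Indicator(sample).client.token

    os.environ.pop("CSIRTG_TOKEN", None)
    return late, injected, early

if __name__ == "__main__":
    print(demo())
```
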
Hi.
I'm trying to update the csirtgsdk module in Cowrie. I'm using
and then (abbreviated):
The Indicator() doesn't seem to take the client object. I'd rather not use the environment variable CSIRTG_TOKEN but pass it into the client object. How do I submit an indicator with a custom client object?
regards,
Michel.