From 50012b9f5ca27d20b1e7e6145386ef3cd7d5efb8 Mon Sep 17 00:00:00 2001
From: Scott Finlon
Date: Thu, 20 Jun 2019 12:45:35 -0400
Subject: [PATCH] add option for zeek in addition to bro (#131)
---
 csirtg_indicator/format/__init__.py | 2 +
 csirtg_indicator/format/zzeek.py | 97 +++++++++++++++++++++++++++++
 2 files changed, 99 insertions(+)
 create mode 100644 csirtg_indicator/format/zzeek.py
diff --git a/csirtg_indicator/format/__init__.py b/csirtg_indicator/format/__init__.py
index fee750a..94cea07 100644
--- a/csirtg_indicator/format/__init__.py
+++ b/csirtg_indicator/format/__init__.py
@@ -2,6 +2,7 @@
 from .zcsv import Csv
 from .zjson import Json
 from .zbro import Bro
+from .zzeek import Zeek
 from .zsnort import Snort
 from .zbind import Bind
 from .zbindrpz import BindRPZ
@@ -11,6 +12,7 @@
 'csv': Csv,
 'json': Json,
 'bro': Bro,
+ 'zeek': Zeek,
 'snort': Snort,
 'bind': Bind,
 'bindrpz': BindRPZ,
diff --git a/csirtg_indicator/format/zzeek.py b/csirtg_indicator/format/zzeek.py
new file mode 100644
index 0000000..39b5811
--- /dev/null
+++ b/csirtg_indicator/format/zzeek.py
@@ -0,0 +1,97 @@
+from .plugin import Plugin
+import re
+from csirtg_indicator import Indicator
+from csirtg_indicator.constants import PYVERSION
+try:
+ from StringIO import StringIO
+except ImportError:
+ from io import StringIO
+
+
+from pprint import pprint
+
+itype = {
+ 'ipv4': 'ADDR',
+ 'ipv6': 'ADDR',
+ 'url': 'URL',
+ 'fqdn': 'DOMAIN',
+ 'md5': 'FILE_HASH',
+ 'sha1': 'FILE_HASH',
+ 'sha256': 'FILE_HASH',
+}
+
+COLUMNS = ['fields', 'indicator', 'indicator_type', 'meta.cif_tags', 'meta.cif_confidence', 'meta.cif_source', 'meta.do_notice']
+
+HEADER = '#' + '\t'.join(COLUMNS)
+SEP = '|'
+
+
+def _i_to_zeek(i, cols):
+ if isinstance(i, Indicator):
+ i = i.__dict__()
+
+ cols = ['indicator', 'itype', 'tags', 'confidence', 'provider']
+ r = []
+
+ if i['itype'] is 'url':
+ i['indicator'] = re.sub(r'(https?\:\/\/)', '', i['indicator'])
+
+ for c in cols:
+ y = i.get(c, '-')
+
+ if type(y) is list:
+ y = SEP.join(y)
+
+ if isinstance(y, int):
+ y = str(y)
+
+ if PYVERSION == 2:
+ if isinstance(y, unicode):
+ y = y.encode('utf-8')
+ else:
+ if isinstance(y, bytes):
+ y = y.encode('utf-8')
+
+ if c is 'itype':
+ y = 'Intel::{0}'.format(itype[i[c]])
+
+ r.append(str(y))
+
+ r.append('T')
+ return "\t".join(r)
+
+
+def get_lines(data, cols=COLUMNS):
+ output = StringIO()
+ output.write("{0}\n".format(HEADER))
+ cols = ['indicator', 'itype', 'tags', 'confidence', 'provider']
+
+ for i in data:
+ i = _i_to_zeek(i, cols)
+
+ output.write(i)
+ output.write("\n")
+ yield output.getvalue()
+
+ if isinstance(output, StringIO):
+ output.truncate(0)
+
+
+class Zeek(Plugin):
+ __name__ = 'zeek'
+
+ def __init__(self, *args, **kwargs):
+ super(Zeek, self).__init__(*args, **kwargs)
+
+ self.cols = COLUMNS
+
+ def __repr__(self):
+ text = []
+ for i in self.data:
+ i = _i_to_zeek(i, self.cols)
+ text.append(i)
+
+ text = "\n".join(text)
+
+ text = "{0}\n{1}".format(HEADER, text)
+ return text
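Review bot: In `_i_to_zeek` the field values are joined with `"\t".join(r)` without any check for embedded tabs or newlines, so an indicator, tag or provider string carrying `\t` or `\n` (indicator data usually originates from external feeds, so it should be treated as untrusted) shifts or injects columns in the generated Zeek intel file — a crafted tag could, for example, land in the `meta.do_notice` column or start a new row. Replacing `r.append(str(y))` with `r.append(re.sub(r'[\t\r\n]+', ' ', str(y)))` (or rejecting such records) keeps one bad record from altering the row structure. Separately, `if i['itype'] is 'url':` compares by identity; a string read from a feed is not interned, so the scheme strip is silently skipped (and Python 3.8+ warns on this), so use `==` here and for `c is 'itype'`. In the Python 3 branch `y.encode('utf-8')` on a `bytes` value raises AttributeError and presumably should be `y.decode('utf-8')`. In `get_lines`, `output.truncate(0)` without `output.seek(0)` leaves the write position past the end on Python 3's `io.StringIO`, so every chunk after the first is padded with NUL characters.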