downloadOTX.sh: Automating AlienVault OTX collection

February 18, 2015

One of the least glamorous parts of network security is capturing information on Internet hosts that exhibit malicious intent.  Here is a script that I’ve created to help automate the process of collecting AlienVault’s Open Threat Exchange (OTX) IP reputation reports, one PDF per address:

#!/bin/sh
#
# downloadOTX.sh
#
# This script uses AlienVault's Open Threat Exchange (OTX) to download a PDF
# containing the IP reputation of each IP address provided.
#
# USAGE:
# $ ./downloadOTX.sh 1.2.3.4
# $ ./downloadOTX.sh 1.2.3.4 1.2.3.5 1.2.3.6 etc.
#

# Set path to save files (the trailing slash is required, since the
# filename is built by plain concatenation below):
path="$HOME/Downloads/"

# Set filename prefix and/or suffix:
prefix=
suffix=_otx.pdf

# Fetch over HTTPS directly (the http:// URL just returns a 301 to it),
# quote every expansion so an argument with spaces or shell metacharacters
# cannot be split or globbed, and report any address whose download failed.
# Note that wget -O truncates the output file before the transfer starts,
# so a failed request still leaves an empty .pdf behind.
for ip in "$@"
do
    wget "https://www.alienvault.com/apps/api/threat/pdf/?ip=$ip" -O "$path$prefix$ip$suffix" \
        || echo "download failed for $ip" >&2
done

I haven’t tested this script in a true Linux environment, but it works fine in Cygwin. (Not my preferred environment, but it’s what I have to work with.)

aaron@host ~
$ ./downloadOTX.sh 62.210.143.132 62.210.247.144 62.210.248.159
--2015-02-16 10:39:12--  http://www.alienvault.com/apps/api/threat/pdf/?ip=62.210.143.132
Resolving www.alienvault.com (www.alienvault.com)... 64.62.160.26
Connecting to www.alienvault.com (www.alienvault.com)|64.62.160.26|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.alienvault.com/apps/api/threat/pdf/?ip=62.210.143.132 [following]
--2015-02-16 10:39:12--  https://www.alienvault.com/apps/api/threat/pdf/?ip=62.210.143.132
Connecting to www.alienvault.com (www.alienvault.com)|64.62.160.26|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/pdf]
Saving to: ‘/home/aaron/Downloads/62.210.143.132_otx.pdf’

/home/aaron/Down     [  <=>                 ] 161.49K   401KB/s   in 0.4s

2015-02-16 10:39:29 (401 KB/s) - ‘/home/aaron/Downloads/62.210.143.132_otx.pdf’ saved [165368]

--2015-02-16 10:39:29--  http://www.alienvault.com/apps/api/threat/pdf/?ip=62.210.247.144
Resolving www.alienvault.com (www.alienvault.com)... 64.62.160.26
Connecting to www.alienvault.com (www.alienvault.com)|64.62.160.26|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.alienvault.com/apps/api/threat/pdf/?ip=62.210.247.144 [following]
--2015-02-16 10:39:30--  https://www.alienvault.com/apps/api/threat/pdf/?ip=62.210.247.144
Connecting to www.alienvault.com (www.alienvault.com)|64.62.160.26|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/pdf]
Saving to: ‘/home/aaron/Downloads/62.210.247.144_otx.pdf’

/home/aaron/Down     [     <=>              ] 161.32K   168KB/s   in 1.0s

2015-02-16 10:39:40 (168 KB/s) - ‘/home/aaron/Downloads/62.210.247.144_otx.pdf’ saved [165192]

--2015-02-16 10:39:40--  http://www.alienvault.com/apps/api/threat/pdf/?ip=62.210.248.159
Resolving www.alienvault.com (www.alienvault.com)... 64.62.160.26
Connecting to www.alienvault.com (www.alienvault.com)|64.62.160.26|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.alienvault.com/apps/api/threat/pdf/?ip=62.210.248.159 [following]
--2015-02-16 10:39:41--  https://www.alienvault.com/apps/api/threat/pdf/?ip=62.210.248.159
Connecting to www.alienvault.com (www.alienvault.com)|64.62.160.26|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/pdf]
Saving to: ‘/home/aaron/Downloads/62.210.248.159_otx.pdf’

/home/aaron/Down     [  <=>                 ]  82.06K   332KB/s   in 0.2s

2015-02-16 10:39:49 (332 KB/s) - ‘/home/aaron/Downloads/62.210.248.159_otx.pdf’ saved [84033]

aaron@host ~
$ cd Downloads/

aaron@host ~/Downloads
$ ls -alF
total 436
drwxr-xr-x+ 1 aaron Domain Users      0 Feb 16 10:39 ./
drwxr-xr-x+ 1 aaron Domain Users      0 Feb 16 10:12 ../
-rw-r--r--  1 aaron Domain Users 165368 Feb 16 10:39 62.210.143.132_otx.pdf
-rw-r--r--  1 aaron Domain Users   1593 Feb 16 10:35 62.210.143.132_whois.txt
-rw-r--r--  1 aaron Domain Users 165192 Feb 16 10:39 62.210.247.144_otx.pdf
-rw-r--r--  1 aaron Domain Users   1593 Feb 16 10:35 62.210.247.144_whois.txt
-rw-r--r--  1 aaron Domain Users  84033 Feb 16 10:39 62.210.248.159_otx.pdf
-rw-r--r--  1 aaron Domain Users   1593 Feb 16 10:35 62.210.248.159_whois.txt

aaron@host ~/Downloads
$

(Sorry about the lack of a screenshot — couldn’t get my image capture software to properly scroll the window. #geekfail)
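The script above passes each argument straight into both the OTX URL and the wget -O output path, so anything that is not an IP address ends up in a filename. The following is an added example, not code from the original post or from AlienVault: a POSIX sh input check that accepts only dotted-quad IPv4 addresses, builds the same URL and <ip>_otx.pdf filename, and does a dry run that prints the wget command for each valid address and rejects the rest. The function names, the $HOME/Downloads directory and the sample inputs are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not the post's script): validate each argument as an IPv4
# address before it is interpolated into the OTX URL and the wget -O path.
# Without such a check an argument like "../../.bashrc" becomes part of the
# filename that wget truncates and writes to.

# Return 0 if $1 is a dotted quad: four octets, each 1-3 digits and <= 255.
validate_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;   # empty, or anything other than digits and dots
    esac
    rest="$1."                      # trailing dot: every octet now ends in a dot
    n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}           # text before the first dot
        rest=${rest#*.}             # text after it
        n=$((n + 1))
        [ -n "$octet" ] || return 1             # rejects "1..2.3", ".1.2.3", "1.2.3."
        [ ${#octet} -le 3 ] || return 1         # rejects "0001.2.3.4"
        [ "$octet" -le 255 ] || return 1        # rejects "256.1.1.1"
    done
    [ "$n" -eq 4 ]                  # exactly four octets
}

# Report URL for one address (the same endpoint the post's script fetches).
otx_url() {
    printf 'https://www.alienvault.com/apps/api/threat/pdf/?ip=%s\n' "$1"
}

# Output path for one address: <dir>/<ip>_otx.pdf, as in the post's naming.
otx_outfile() {
    printf '%s/%s_otx.pdf\n' "$1" "$2"
}

# Dry run: for each valid address print the wget command that would run;
# warn about each rejected argument. Returns the number of rejected
# arguments, so 0 means every argument was usable.
plan_downloads() {
    dir=$1
    shift
    rejected=0
    for ip in "$@"; do
        if validate_ipv4 "$ip"; then
            printf 'wget -q "%s" -O "%s"\n' "$(otx_url "$ip")" "$(otx_outfile "$dir" "$ip")"
        else
            printf 'rejected (not an IPv4 address): %s\n' "$ip" >&2
            rejected=$((rejected + 1))
        fi
    done
    return $rejected
}

# Stand-alone use: sh otx-check.sh 62.210.143.132 ../../.bashrc 999.1.1.1
# (assumed invocation; with no arguments nothing is planned).
[ $# -eq 0 ] || plan_downloads "$HOME/Downloads" "$@"
```

Running it with the three addresses from the session above plus a path-traversal string and an out-of-range octet prints three wget commands and two rejection warnings, and exits with status 2. Dropping the -q and the dry-run printf in favour of calling wget directly turns it into a hardened version of the download loop.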

Have any scripts you’d like to share? I’d like to see what you’ve come up with to make your tedious tasks easier to tackle.

I’ve also created a GitHub Gist for this shell script.

Aaron Melton
