downloadOTX.sh: Automating AlienVault OTX collection

February 18, 2015

One of the least glamorous parts of network security is capturing information on Internet hosts that exhibit malicious intent.  Here is a script that I’ve created to help automate the process of collecting AlienVault’s Open Threat Exchange (OTX) reports:

[code language="bash"]#!/bin/sh
#
# downloadOTX.sh
#
# This script uses AlienVault's Open Threat Exchange (OTX) to download a PDF
# containing the IP reputation of the IP addresses provided.
#
# USAGE:
# $ ./downloadOTX.sh 1.2.3.4
# $ ./downloadOTX.sh 1.2.3.4 1.2.3.5 1.2.3.6 etc.
#

# Set path to save files (keep the trailing slash: the path and filename are
# joined by plain concatenation below):
path=/Downloads/

# Set filename prefix and/or suffix:
prefix=
suffix=_otx.pdf

# Fetch one report per address given on the command line. The URL and the
# output filename are quoted so that an argument containing spaces or glob
# characters cannot be split into extra words or expanded against the
# filesystem, and so the '?' in the URL reaches wget unchanged.
for args in "$@"
do
    wget "http://www.alienvault.com/apps/api/threat/pdf/?ip=$args" -O "$path$prefix$args$suffix"
done[/code]

I haven’t tested this script in a true Linux environment, but it works fine in Cygwin. (Not my preferred environment, but it’s what I have to work with.)

[code language="text"]
aaron@host ~
$ ./downloadOTX.sh 62.210.143.132 62.210.247.144 62.210.248.159
--2015-02-16 10:39:12-- http://www.alienvault.com/apps/api/threat/pdf/?ip=62.210.143.132
Resolving www.alienvault.com (www.alienvault.com)... 64.62.160.26
Connecting to www.alienvault.com (www.alienvault.com)|64.62.160.26|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.alienvault.com/apps/api/threat/pdf/?ip=62.210.143.132 [following]
--2015-02-16 10:39:12-- https://www.alienvault.com/apps/api/threat/pdf/?ip=62.210.143.132
Connecting to www.alienvault.com (www.alienvault.com)|64.62.160.26|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/pdf]
Saving to: ‘/home/aaron/Downloads/62.210.143.132_otx.pdf’

/home/aaron/Down [ <=> ] 161.49K 401KB/s in 0.4s

2015-02-16 10:39:29 (401 KB/s) - ‘/home/aaron/Downloads/62.210.143.132_otx.pdf’ saved [165368]

--2015-02-16 10:39:29-- http://www.alienvault.com/apps/api/threat/pdf/?ip=62.210.247.144
Resolving www.alienvault.com (www.alienvault.com)... 64.62.160.26
Connecting to www.alienvault.com (www.alienvault.com)|64.62.160.26|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.alienvault.com/apps/api/threat/pdf/?ip=62.210.247.144 [following]
--2015-02-16 10:39:30-- https://www.alienvault.com/apps/api/threat/pdf/?ip=62.210.247.144
Connecting to www.alienvault.com (www.alienvault.com)|64.62.160.26|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/pdf]
Saving to: ‘/home/aaron/Downloads/62.210.247.144_otx.pdf’

/home/aaron/Down [ <=> ] 161.32K 168KB/s in 1.0s

2015-02-16 10:39:40 (168 KB/s) - ‘/home/aaron/Downloads/62.210.247.144_otx.pdf’ saved [165192]

--2015-02-16 10:39:40-- http://www.alienvault.com/apps/api/threat/pdf/?ip=62.210.248.159
Resolving www.alienvault.com (www.alienvault.com)... 64.62.160.26
Connecting to www.alienvault.com (www.alienvault.com)|64.62.160.26|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.alienvault.com/apps/api/threat/pdf/?ip=62.210.248.159 [following]
--2015-02-16 10:39:41-- https://www.alienvault.com/apps/api/threat/pdf/?ip=62.210.248.159
Connecting to www.alienvault.com (www.alienvault.com)|64.62.160.26|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/pdf]
Saving to: ‘/home/aaron/Downloads/62.210.248.159_otx.pdf’

/home/aaron/Down [ <=> ] 82.06K 332KB/s in 0.2s

2015-02-16 10:39:49 (332 KB/s) - ‘/home/aaron/Downloads/62.210.248.159_otx.pdf’ saved [84033]

aaron@host ~
$ cd Downloads/

aaron@host ~/Downloads
$ ls -alF
total 436
drwxr-xr-x+ 1 aaron Domain Users 0 Feb 16 10:39 ./
drwxr-xr-x+ 1 aaron Domain Users 0 Feb 16 10:12 ../
-rw-r--r-- 1 aaron Domain Users 165368 Feb 16 10:39 62.210.143.132_otx.pdf
-rw-r--r-- 1 aaron Domain Users 1593 Feb 16 10:35 62.210.143.132_whois.txt
-rw-r--r-- 1 aaron Domain Users 165192 Feb 16 10:39 62.210.247.144_otx.pdf
-rw-r--r-- 1 aaron Domain Users 1593 Feb 16 10:35 62.210.247.144_whois.txt
-rw-r--r-- 1 aaron Domain Users 84033 Feb 16 10:39 62.210.248.159_otx.pdf
-rw-r--r-- 1 aaron Domain Users 1593 Feb 16 10:35 62.210.248.159_whois.txt

aaron@host ~/Downloads
$
[/code]

(Sorry about the lack of a screenshot — couldn’t get my image capture software to properly scroll the window. #geekfail)
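The script above drops each command-line argument straight into a URL and an output filename. The following is an added example, not the original downloadOTX.sh: the same per-address loop, but every argument is checked to be a dotted-quad IPv4 address before it is used anywhere, the https:// URL is requested directly (the log shows the http:// one redirecting there), and a report that is already on disk is not fetched again. The OTX URL is the one the post uses; the OTX_DIR default and the skip/failed messages are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the original downloadOTX.sh). Assumptions: OTX_DIR
# defaults to ~/Downloads, and the OTX PDF endpoint is the one in the post.

OTX_URL="https://www.alienvault.com/apps/api/threat/pdf/?ip="
OTX_DIR="${OTX_DIR:-$HOME/Downloads}"

# is_ipv4 ADDR: succeed only for four dot-separated decimal octets in 0-255.
is_ipv4() {
    # Empty, anything other than digits and dots, or a leading/trailing dot: out.
    case $1 in
        ''|*[!0-9.]*|.*|*.) return 1 ;;
    esac
    # Split on dots; a non-empty fifth field means too many octets.
    IFS=. read -r a b c d rest <<EOF
$1
EOF
    [ -z "$rest" ] || return 1
    for octet in "$a" "$b" "$c" "$d"; do
        # Leading zeros are rejected: "01" is read as octal by some parsers.
        case $octet in
            0|[1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# otx_report_path ADDR: print where the report for ADDR is stored.
otx_report_path() {
    printf '%s/%s_otx.pdf\n' "$OTX_DIR" "$1"
}

# fetch_otx ADDR...: download one report per address. Returns 1 if any
# argument was rejected or any download failed, 0 otherwise.
fetch_otx() {
    failed=0
    for ip in "$@"; do
        if ! is_ipv4 "$ip"; then
            printf 'skip: %s is not an IPv4 address\n' "$ip" >&2
            failed=1
            continue
        fi
        out=$(otx_report_path "$ip")
        if [ -s "$out" ]; then
            printf 'skip: %s already exists\n' "$out"
            continue
        fi
        # Quoting keeps '?' and '=' inside the single URL argument.
        if ! wget -q "${OTX_URL}${ip}" -O "$out"; then
            printf 'failed: %s\n' "$ip" >&2
            rm -f "$out"   # wget leaves an empty file behind on failure
            failed=1
        fi
    done
    return "$failed"
}

# Run the downloads only when invoked directly with addresses, so the
# functions can also be sourced into another script without side effects.
if [ "$#" -gt 0 ]; then
    mkdir -p "$OTX_DIR"
    fetch_otx "$@"
fi
```

Usage is the same as the original (`./downloadOTX.sh 62.210.143.132 62.210.247.144`); an argument such as `1.2.3.4/../x` or `256.1.1.1` is reported on stderr and skipped rather than becoming part of a path, and the exit status tells a cron job or wrapper script whether every report was collected.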

Have any scripts you’d like to share? I’d like to see what you’ve come up with to make your tedious tasks easier to tackle.

I’ve also created a GitHub Gist for this shell script.

Aaron Melton
