hand over previously added IOC record to _get_sessions method to redu…

…ce number of DB queries
intelowlproject · Jan 9, 2025 · f320d4f · f320d4f
1 parent 2b0e113
commit f320d4f
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 5 deletions.
diff --git a/greedybear/cronjobs/attacks.py b/greedybear/cronjobs/attacks.py
@@ -30,7 +30,7 @@ def minutes_back_to_lookup(self):
             minutes = 11 if LEGACY_EXTRACTION else EXTRACTION_INTERVAL
         return minutes
 
-    def _add_ioc(self, ioc, attack_type: str, general=None) -> bool:
+    def _add_ioc(self, ioc, attack_type: str, general=None):
         self.log.info(f"saving ioc {ioc} for attack_type {attack_type}")
         if ioc.name in self.whitelist:
             self.log.info(f"not saved {ioc} because is whitelisted")
@@ -63,6 +63,7 @@ def _add_ioc(self, ioc, attack_type: str, general=None) -> bool:
         ioc_record.scanner = attack_type == SCANNER
         ioc_record.payload_request = attack_type == PAYLOAD_REQUEST
         ioc_record.save()
+        return ioc
 
     def _get_attacker_data(self, honeypot, fields: list) -> list:
         hits_by_ip = defaultdict(list)

diff --git a/greedybear/cronjobs/cowrie.py b/greedybear/cronjobs/cowrie.py
@@ -34,10 +34,10 @@ def _get_scanners(self):
         for ioc in self._get_attacker_data(self.cowrie, ATTACK_DATA_FIELDS):
             ioc.cowrie = True
             self.log.info(f"found IP {ioc.name} by honeypot cowrie")
-            self._add_ioc(ioc, attack_type=SCANNER)
+            ioc = self._add_ioc(ioc, attack_type=SCANNER)
             self.added_scanners += 1
             self._extract_possible_payload_in_messages(ioc.name)
-            self._get_sessions(ioc.name)
+            self._get_sessions(ioc)
 
     def _extract_possible_payload_in_messages(self, scanner_ip):
         # looking for URLs inside attacks payloads
@@ -87,7 +87,8 @@ def _get_url_downloads(self):
                 self.added_url_downloads += 1
                 self._add_fks(scanner_ip, hostname)
 
-    def _get_sessions(self, scanner_ip: str):
+    def _get_sessions(self, ioc):
+        scanner_ip = ioc.name
         self.log.info(f"adding cowrie sessions from {scanner_ip}")
         search = self._base_search(self.cowrie)
         search = search.filter("term", src_ip=scanner_ip)
@@ -103,7 +104,7 @@ def _get_sessions(self, scanner_ip: str):
             except CowrieSession.DoesNotExist:
                 session_record = CowrieSession(session_id=sid)
 
-            session_record.source = IOC.objects.filter(name=scanner_ip).first()
+            session_record.source = ioc
             for hit in hits:
                 match hit.eventid:
                     case "cowrie.session.connect":