[Group-IB Connector] download feeds from TI convert to STIX objects a… (

#2539)

external-import/group-ib/.env.sample

@@ -0,0 +1,48 @@
+# === OpenCTI Server ===
+# http://opencti:8080 - for docker deployment, http://localhost:8080 - for manual deployment
+OPENCTI_URL=http://opencti:8080
+# Use one as provided by the OpenCTI platform
+OPENCTI_TOKEN=
+
+# === OpenCTI Connector ===
+# Docker container name
+CONTAINER_NAME=gib_connector
+# Generate one with uuidgen (https://www.uuidgenerator.net/version4)
+CONNECTOR_ID=80d059d5-7c3e-4b18-b307-2969a9461e6a
+CONNECTOR_TYPE=EXTERNAL_IMPORT
+# From 0 (Unknown) to 100 (Fully trusted)
+CONNECTOR_CONFIDENCE_LEVEL=100
+# One of the following: debug, info, warning, error
+CONNECTOR_LOG_LEVEL=debug
+# the final letter should be one of 'd', 'h', 'm', 's' standing for day, hour, minute, second respectively.
+CONNECTOR_RUN_EVERY=24h
+CONNECTOR_UPDATE_EXISTING_DATA=true
+CONNECTOR_SCOPE=stix2,ipv4-addr,ipv6-addr,vulnerability,domain,url,StixFile
+CONNECTOR_NAME="Group-IB Connector"
+
+# === Threat Intelligence API Server ===
+# Connector specific parameters. All params are mandatory.
+TI_API_URL=https://tap.group-ib.com/api/v2/
+TI_API_USERNAME=
+TI_API_TOKEN=
+
+# === Threat Intelligence API Proxy ===
+# Proxy specifc parameters. You can leave them blank.
+PROXY_IP=
+PROXY_PORT=
+PROXY_PROTOCOL=
+PROXY_USERNAME=
+PROXY_PASSWORD=
+
+# === Threat Intelligence Collections settings
+# Collections specifc parameters. All params are mandatory.
+IGNORE_NON_MALWARE_DDOS=true
+IGNORE_NON_INDICATOR_THREAT_REPORTS=false
+
+# === RabbitMQ Server used for integration manual run ===
+MQ_HOST=
+MQ_PORT=
+MQ_VHOST=
+MQ_USE_SSL=
+MQ_USER=
+MQ_PASS=

external-import/group-ib/.gitignore

@@ -0,0 +1,139 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+*.log.*
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+
+# Custom ignore
+cache
+
+# Pycharm
+.idea
+
+# Credentials

external-import/group-ib/Dockerfile

@@ -0,0 +1,22 @@
+FROM python:3.11-alpine
+ENV CONNECTOR_TYPE=EXTERNAL_IMPORT
+
+# Install Python modules
+# hadolint ignore=DL3003
+RUN apk --no-cache add git build-base libmagic libffi-dev libxml2-dev libxslt-dev
+COPY requirements.txt /tmp/requirements.txt
+RUN pip3 install --no-cache-dir -r /tmp/requirements.txt
+RUN rm -rf /var/cache/apk/*
+
+# Copy the connector
+COPY src /opt/connector/src
+COPY docs /opt/connector/docs
+WORKDIR /opt/connector/src
+
+# Install TI API lib
+RUN pip3 install /opt/connector/src/lib/cyberintegrations-0.6.6-py3-none-any.whl
+
+# Expose and entrypoint
+COPY entrypoint.sh /
+RUN chmod +x /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]