Merge pull request #12 from CybercentreCanada/assemblyline/issues/193

Assemblyline/issues/193
CybercentreCanada · Feb 20, 2024 · 89461c1 · 89461c1
2 parents 78680b9 + 707df3c
commit 89461c1
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 4 deletions.
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -1,6 +1,6 @@
 {
     "editor.codeActionsOnSave": {
-        "source.organizeImports": true
+        "source.organizeImports": "explicit"
     },
     "editor.formatOnSave": true,
     "editor.rulers": [

diff --git a/README.md b/README.md
@@ -52,3 +52,10 @@ config:
 ```
 
 You can also override Assemblyline's default scoring of badlist matches (1000 points) by providing a `score` per source.
+
+### Automated Expiration
+
+By default, we assume that all the items added to the Badlist will be valid forever but that's not always the cases.
+You will also be able to set a DTL (Days to Live) period for items that belong to a source using `dtl`.
+
+If there are multiple sources with DTLs configured that raise an item, then the expiry date will be extended by the sum of the DTL values at the time of importing.
diff --git a/badlist/badlist.py b/badlist/badlist.py
@@ -119,8 +119,8 @@ def execute(self, request):
                 bad_ioc_section = ResultOrderedKeyValueSection(
                     title_text=f"'{badlisted['tag']['value']}' tag was found in the list of bad IOCs",
                     body={
-                        "IOC": badlisted["tag"]["type"],
-                        "IOC Type": badlisted["tag"]["value"],
+                        "IOC": badlisted["tag"]["value"],
+                        "IOC Type": badlisted["tag"]["type"],
                         "First added": badlisted["added"],
                         "Last updated": badlisted["updated"],
                     },
@@ -141,7 +141,7 @@ def execute(self, request):
                     if source["type"] == "user":
                         msg = f"User '{source['name']}' deemed the tag as bad for the following reason(s):"
                     else:
-                        signatures[source['name']] = 1
+                        signatures[source["name"]] = 1
                         msg = f"External source '{source['name']}' deems the tag as bad for the following reason(s):"
 
                     bad_ioc_section.add_subsection(

diff --git a/badlist/update_server.py b/badlist/update_server.py
@@ -134,6 +134,10 @@ def prepare_item(bl_item):
 
                 bl_item["attribution"] = attr
 
+                # Optionally set an expiration DTL based on the source
+                if source_cfg.get("dtl"):
+                    bl_item["dtl"] = int(source_cfg["dtl"])
+
             references = [r for r in references if re.match(FULL_URI, r)]
             badlist_items = []