Repository files navigation

Python wrapper for some NSOC tools. Corsair aims to implementRESTFul wrappers for different tools commonly used by Network and Security Operations Centers (NSOC).

The main idea behind Corsair is to provide a method to access different APIs to facilitate the task of integrating tools. So far, each tool has at least three kinds of classes:

• Api: the higher level of abstraction, which connects to the API.
• Endpoint: uses endpoints to connect to certain API resources, by usingCRUD methods.
• Request: execute actions in a given API endpoint or resource, usingHTTP methods.

EachApi class has particular properties according to the API it's representing. TheEndpoint class implements the CRUD methods themselves, usually:

• create to insert new items,
• read to retrieve a certain number of items,
• update to alter certain items, and
• delete to erase items.

TheRequest class implements methods to interact with the server using HTTP, by handling URLs (filter parameters), headers (likeContent-Type andAuthorization), and methods (likeGET,PUT,PATCH, andDELETE). As all examples accross this repository present, the user will only have to connect to certain API usingApi classes and understand what endpoints are available inEndpoint class. This should be enough to make all interactions.

It's a project decision to return almost "raw" data from API, so the consumer must treat this data. This is done because at this point of the project, it'll take a lot of time to understand all resources provided by each API and organize the way they will output data.

This is the URL template Corsair tries to implement:

https://app.corp/api/endpoint/resource/suffix?filter=f1&filter2=2\__________________/\_______/\_______/\_____/\__________________/     Base URL       Endpoint  Resource Suffix      Filters\___________________________/\__________________________________/    Corsair will implement         Corsair will facilitate,                                 but programmer must implement

According to common bibliography, thatsuffix field doesn't exist, but some APIs use it, like IBM/QRadar. In that case, when the programmer wants details on certain resources, he must insert/results in the URL. It exposes some issues around standardization accross multiple vendors, because some of them wisely prefer to use filters for such things, but others use theresources field or even HTTP headers.

By default, Corsair wrappers will verify TLS certificates, but sometimes programmer could want to avoid this behaviour. That's whyApi classes have thetls_verify parameter set toTrue. Changing the value toFalse makes Corsair inform tourllib.urlopen to use a different context that bypasses TLS verification.

Another important project decision is to implement all wrappers using only thePython Standard Library.

Run tests with:

$ python -m unittest tests.test_prime_api$ python -m unittest tests.test_netbox_api$ python -m unittest tests.test_qradar_api$ python -m unittest tests.test_hibp_api$ python -m unittest tests.test_vt_api$ python -m unittest tests.test_ise_api$ python -m unittest tests.test_rdap_api