    max_results = 1
    host_validation = '^([A-Za-z0-9\.\_\-]+)$'

    the_time = util.mktimegm(time.gmtime())

    ## retrieve results and settings
    results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
    logger.debug(settings)
    ## modular action hooks
    modaction_payload = {
        'sid': settings.get('sid', ''),
        'owner': settings.get('owner'),
        'app': settings.get('namespace')
    }
    modaction = ModularAction(json.dumps(modaction_payload),
                              logger,
                              action_name="ping")

    ## override defaults w/ opts below
    if len(sys.argv) > 1:
        for a in sys.argv:
            if a.startswith('host=') or a.startswith('dest='):
                where = a.find('=')
                host = a[where + 1:len(a)]
            elif a.startswith('host_field=') or a.startswith('dest_field='):
                where = a.find('=')
                host_field = a[where + 1:len(a)]
            elif a.startswith('orig_sid='):
                where = a.find('=')
                orig_sid = a[where + 1:len(a)]
            elif a.startswith('orig_rid'):
        ## if risk_object val represents key in result
        if val and param=='risk_object':
            val = result.get(val)
    ## try default
    if not val:
        val = default
    return val
    

if __name__ == "__main__":
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        print >> sys.stderr, "FATAL Unsupported execution mode (expected --execute flag)"
        sys.exit(1)
    
    try:
        modaction   = ModularAction(sys.stdin.read(), logger, 'risk')
        logger.debug(modaction.settings)
        ## add status info
        modaction.addinfo()
        ## search_name
        search_name = modaction.search_name or 'AdHoc Risk Score'
        ## index
        index       = modaction.configuration.get('index', 'risk')
        
        ## process results
        with gzip.open(modaction.results_file, 'rb') as fh:
            events = []
            for num, result in enumerate(csv.DictReader(fh)):
                ## set rid to row # (0->n) if unset
                result.setdefault('rid', str(num))
                ## risk params
                if not ip_match and not mac_match:
                    if not dns_determined:
                        new_result['%sDns' %
                                   asset_keys[asset_key]] = possible_dns
                        dns_determined = True

    return new_result


if __name__ == "__main__":
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        print >> sys.stderr, "FATAL Unsupported execution mode (expected --execute flag)"
        sys.exit(1)

    try:
        modaction = ModularAction(sys.stdin.read(), logger, 'send2uba')
        ## validate ubaroute
        if not validate_ubaroute(modaction.session_key):
            raise ValueError('server undefined for ubaroute')
        ## add status info
        modaction.addinfo()
        ## index
        index = 'ubaroute'

        ## process results
        with gzip.open(modaction.results_file, 'rb') as fh:
            events = []
            for num, result in enumerate(csv.DictReader(fh)):
                ## set rid to row # (0->n) if unset
                result.setdefault('rid', str(num))
                modaction.update(result)
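## Characters permitted in a host value that is handed to the lookup tool.
## Compiled once at import time instead of on every host in the loop.
_HOST_REX = re.compile(r'^([A-Za-z0-9\.\_\-]+)$')
## Dotted-quad test used to pick the "reverse" (-A) form of the lookup.
_IP_REX = re.compile(r'^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$')


def _nbtstat_options(argv):
    """Parse ``key=value`` options from *argv* into a dict.

    Recognised keys: ``host``/``dest``, ``host_field``/``dest_field``,
    ``orig_sid``, ``orig_rid`` and ``max_results``. ``argv[0]`` (the script
    name) is skipped. An argument without an ``=`` is ignored; the previous
    implementation matched ``orig_rid`` and ``max_results`` by prefix only and
    then sliced from ``find('=') == -1``, which turned the whole argument into
    the value. A key given more than once keeps its last value.

    Returns:
        dict mapping the canonical option name to its string value.
    """
    opts = {}
    for arg in argv[1:]:
        key, sep, value = arg.partition('=')
        if not sep:
            continue
        if key in ('host', 'dest'):
            opts['host'] = value
        elif key in ('host_field', 'dest_field'):
            opts['host_field'] = value
        elif key in ('orig_sid', 'orig_rid', 'max_results'):
            opts[key] = value
    return opts


def _nbtstat_command(host, is_ip):
    """Return the platform-specific NetBIOS lookup command for *host*.

    The command is returned as an argv list so it can be run without a shell.
    Returns ``None`` on macOS for an IP address, where ``smbutil lookup`` has
    no reverse-lookup mode; callers report that case to the user.
    """
    if os.name == 'nt':
        return ['nbtstat', '-A' if is_ip else '-a', host]
    if sys.platform == 'darwin':
        return None if is_ip else ['smbutil', 'lookup', host]
    if is_ip:
        return ['nmblookup', '-A', host]
    return ['nmblookup', host]


def do_nbtstat(argv,
               input_str=None,
               outputfile=sys.stdout,
               logger=logging.getLogger('dummy')):
    """Run a NetBIOS name lookup for one host or for a host field of each result.

    Options are read from *argv* (see ``_nbtstat_options``). Either ``host``
    or ``host_field`` must be given; ``host`` synthesises a single result,
    ``host_field`` names a (possibly multi-valued, newline-separated) field in
    the results read via ``splunk.Intersplunk.getOrganizedResults``. At most
    ``max_results`` host values are processed across all results.

    Each host value is validated against ``_HOST_REX`` and additionally
    rejected when it starts with ``-``: the value becomes a positional
    argument of nbtstat/nmblookup/smbutil, and a leading hyphen would be
    parsed as an option by those tools. Invalid hosts produce a failure
    message but do not abort the action.

    The lookup tool's stdout becomes ``_raw`` of a new result; stderr is
    captured and logged. Successful lookups are written as events via
    ``modaction.writeevents`` and returned to Splunk through
    ``splunk.Intersplunk.outputResults``. Errors in option validation or in
    spawning the tool go through ``errorHandler`` and end the action early.

    Args:
        argv: command-line style argument list (``argv[0]`` is ignored).
        input_str: raw Intersplunk input, passed through to
            ``getOrganizedResults``; ``None`` reads from stdin.
        outputfile: stream that receives the Intersplunk results.
        logger: logger used for diagnostics.
    """
    max_results = 1
    the_time = util.mktimegm(time.gmtime())

    ## retrieve results and settings
    results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults(
        input_str)
    logger.debug(settings)
    ## modular action hooks
    modaction_payload = {
        'sid': settings.get('sid', ''),
        'owner': settings.get('owner'),
        'app': settings.get('namespace')
    }
    modaction = ModularAction(json.dumps(modaction_payload),
                              logger,
                              action_name="nbtstat")

    ## override defaults w/ opts
    opts = _nbtstat_options(argv)
    host = opts.get('host')
    host_field = opts.get('host_field')
    orig_sid = opts.get('orig_sid')
    orig_rid = opts.get('orig_rid')
    raw_max = opts.get('max_results')
    if raw_max is not None:
        try:
            requested = int(raw_max)
        except (TypeError, ValueError):
            ## previously a bare except silently kept the default; say so
            logger.warning('Ignoring non-integer max_results=%r', raw_max)
        else:
            if requested > 0:
                max_results = requested
            else:
                logger.warning('Ignoring non-positive max_results=%r', raw_max)
    logger.info('max_results setting determined: %s', max_results)

    handleError = errorHandler(modaction, outputfile, logger)
    ## validate presence of host/host_field
    if not host and not host_field:
        handleError('Must specify either host or host_field')
        return
    ## set up single result
    if host:
        host_field = 'host'
        result = {'host': host}
        if orig_sid and orig_rid:
            result.update({'orig_sid': orig_sid, 'orig_rid': orig_rid})
        results = [result]

    ## process result(s)
    new_results = []
    rids = []
    results_processed = 0
    for num, result in enumerate(results):
        if results_processed >= max_results:
            break
        ## set result id
        result.setdefault('rid', str(num))
        ## update and invoke
        modaction.update(result)
        modaction.invoke()
        ## validate host_field is present in result
        if host_field not in result:
            handleError('host_field not present in result set')
            return
        ## handle MV (newline separated)
        targets = result[host_field].split('\n')
        for target in targets:
            if results_processed >= max_results:
                break
            results_processed += 1
            ## validate host value but don't exit; a leading '-' passes the
            ## character whitelist but would be read as a tool option
            if not _HOST_REX.match(target) or target.startswith('-'):
                modaction.message('Invalid characters detected in host input',
                                  status='failure',
                                  level=logging.WARN)
                continue
            is_ip = bool(_IP_REX.match(target))
            nbtstat_cmd = _nbtstat_command(target, is_ip)
            if nbtstat_cmd is None:
                modaction.message('Unable to perform reverse netbios lookup',
                                  status='failure',
                                  level=logging.WARN)
                continue
            ## set up new result which will be sent back to splunk
            new_result = {
                '_time': the_time,
                'sid': modaction.sid,
                'rid': modaction.rid,
                'dest': target
            }
            if modaction.orig_sid and modaction.orig_rid:
                new_result.update({
                    'orig_sid': modaction.orig_sid,
                    'orig_rid': modaction.orig_rid
                })
            ## do nbtstat; argv list, no shell. NOTE(review): no timeout is
            ## applied (the file targets Python 2), so a hung lookup blocks
            ## the whole action.
            try:
                proc = subprocess.Popen(nbtstat_cmd,
                                        stdout=subprocess.PIPE,
                                        stderr=subprocess.PIPE)
                out, err = proc.communicate()
            except Exception:
                handleError('Exception when executing nbtstat command')
                return
            if proc.returncode != 0:
                ## keep the (possibly empty) output as the event, but leave
                ## a trace of why the tool was unhappy
                logger.warning('%s exited %s for host %s: %s',
                               nbtstat_cmd[0], proc.returncode, target, err)
            elif err:
                logger.debug('%s stderr for host %s: %s',
                             nbtstat_cmd[0], target, err)
            new_result['_raw'] = out
            ## add to successful rid list
            rids.append(
                modaction.rid_ntuple(modaction.orig_sid, modaction.rid,
                                     modaction.orig_rid))
            ## add result for intersplunk output
            new_results.append(new_result)
            ## add result for event creation
            modaction.addevent(new_result['_raw'], 'nbtstat')

    if new_results:
        if modaction.writeevents(index='main', source='nbtstat'):
            modaction.message('Successfully created splunk event',
                              status='success',
                              rids=rids)
        else:
            modaction.message('Failed to create splunk event',
                              status='failure',
                              rids=rids,
                              level=logging.ERROR)

    splunk.Intersplunk.outputResults(new_results, outputfile=outputfile)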