def generate_signature_versions(_id):
    """
    Generate a list of available versions for this Signature.

    The Signature's ``link_id`` is looked up first; every Signature sharing
    that ``link_id`` is then reported as one version entry, including a
    link to its detail view.

    :param _id: The ObjectId of the Signature to generate versions for.
    :type _id: str
    :returns: list of dicts with keys 'title', 'version', 'data' and
              'link'; empty when no Signature with this ObjectId exists.
    """

    current = Signature.objects(id=_id).only('link_id').first()
    if not current:
        return []

    siblings = Signature.objects(link_id=current.link_id).only(
        'id', 'title', 'version', 'data')
    return [
        {
            'title': sibling.title,
            'version': sibling.version,
            'data': sibling.data,
            'link': reverse('crits-signatures-views-signature_detail',
                            args=(sibling.id, )),
        }
        for sibling in siblings
    ]
def generate_signature_versions(_id):
    """
    Generate a list of available versions for this Signature.

    Resolves the Signature's ``link_id`` and reports every Signature that
    shares it as one version entry with a link to its detail view.

    :param _id: The ObjectId of the Signature to generate versions for.
    :type _id: str
    :returns: list of dicts with keys 'title', 'version', 'data' and
              'link'; empty when the ObjectId does not match a Signature.
    """

    current = Signature.objects(id=_id).only('link_id').first()
    if not current:
        return []

    def as_entry(item):
        # One dict per related version, linked to its detail page.
        detail_link = reverse('crits.signatures.views.signature_detail',
                              args=(item.id,))
        return {'title': item.title,
                'version': item.version,
                'data': item.data,
                'link': detail_link}

    related = Signature.objects(link_id=current.link_id).only('id',
                                                             'title',
                                                             'version',
                                                             'data')
    return [as_entry(item) for item in related]
def generate_signature_versions(_id):
    """
    Generate a list of available versions for this Signature.

    Every Signature sharing this Signature's ``link_id`` is reported as
    one version entry carrying a link to its detail view.

    :param _id: The ObjectId of the Signature to generate versions for.
    :type _id: str
    :returns: list of dicts with keys "title", "version", "data" and
              "link"; empty when the ObjectId does not match a Signature.
    """

    current = Signature.objects(id=_id).only("link_id").first()
    if not current:
        return []

    versions = []
    related = Signature.objects(link_id=current.link_id).only("id", "title", "version", "data")
    for item in related:
        entry = {"title": item.title, "version": item.version, "data": item.data}
        entry["link"] = reverse("crits.signatures.views.signature_detail", args=(item.id,))
        versions.append(entry)
    return versions
def get_id_from_link_and_version(link, version):
    """
    Get the ObjectId from a link_id and version number.

    :param link: The link_id of the Signature.
    :type link: str
    :param version: The version number of the Signature.
    :type version: int
    :returns: None, ObjectId -- None when no Signature matches both values.
    """

    match = Signature.objects(link_id=link, version=version).only('id').first()
    return match.id if match else None
def get_id_from_link_and_version(link, version):
    """
    Get the ObjectId from a link_id and version number.

    Only the ``id`` field is fetched from the store.

    :param link: The link_id of the Signature.
    :type link: str
    :param version: The version number of the Signature.
    :type version: int
    :returns: None, ObjectId -- None when no Signature matches both values.
    """

    found = Signature.objects(link_id=link, version=version).only('id').first()
    if not found:
        return None
    return found.id
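def delete_signature(_id, username=None):
    """
    Delete Signature from CRITs.

    :param _id: The ObjectId of the Signature to delete.
    :type _id: str
    :param username: The user deleting this Signature; passed through to
                     ``Signature.delete`` as the audit username.
    :type username: str
    :returns: bool -- True when a Signature with this ObjectId existed and
              was deleted, False otherwise.
    """

    signature = Signature.objects(id=_id).first()
    if not signature:
        return False
    # The audit user is the ``username`` argument. The previous version
    # referenced an undefined ``user`` object (``user.usernamename``) and
    # raised NameError on every successful lookup.
    # NOTE(review): no authorization check happens here; the caller is
    # responsible for confirming ``username`` may delete this Signature.
    signature.delete(username=username)
    return True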
def delete_signature(_id, username=None):
    """
    Delete Signature from CRITs.

    Deletion is restricted to administrators; non-admin callers get False
    without the Signature being looked up.

    :param _id: The ObjectId of the Signature to delete.
    :type _id: str
    :param username: The user deleting this Signature.
    :type username: str
    :returns: bool -- True only when the caller is an admin and a Signature
              with this ObjectId existed and was deleted.
    """

    # Authorization gate first: nothing is touched for non-admins.
    if not is_admin(username):
        return False

    signature = Signature.objects(id=_id).first()
    if not signature:
        return False

    signature.delete(username=username)
    return True
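def update_signature_type(type_, id_, data_type, user, **kwargs):
    """
    Update the Signature data type.

    :param type_: The CRITs type of the top-level object.
    :type type_: str
    :param id_: ObjectId of the Signature to update.
    :type id_: str
    :param data_type: The data type to set.
    :type data_type: str
    :param user: The user updating the data type.
    :type user: str
    :returns: dict with keys "success" (boolean) and "message" (str) if failed;
              None when ``data_type`` does not name a known SignatureType.
    """

    klass = class_from_type(type_)
    if not klass:
        return {'success': False, 'message': 'Could not find object.'}

    # Scope the lookup to the user's sources when the class is source-aware,
    # so an object the user cannot see is reported as not found.
    if hasattr(klass, 'source'):
        sources = user_sources(user)
        obj = klass.objects(id=id_, source__name__in=sources).first()
    else:
        obj = klass.objects(id=id_).first()
    if not obj:
        return {'success': False, 'message': 'Could not find object.'}

    signature = Signature.objects(id=id_).first()
    if not signature:
        # id_ resolved to an object of type ``type_`` but not to a Signature;
        # the previous version dereferenced None here.
        return {'success': False, 'message': 'Could not find object.'}

    data_type = SignatureType.objects(name=data_type).first()
    if not data_type:
        return None

    signature.data_type = data_type.name
    try:
        signature.save(username=user.username)
    except ValidationError as e:
        return {'success': False, 'message': str(e)}
    return {'success': True}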
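def update_signature_type(type_, id_, data_type, user, **kwargs):
    """
    Update the Signature data type.

    :param type_: The CRITs type of the top-level object.
    :type type_: str
    :param id_: ObjectId of the Signature to update.
    :type id_: str
    :param data_type: The data type to set.
    :type data_type: str
    :param user: The user updating the data type.
    :type user: str
    :returns: dict with keys "success" (boolean) and "message" (str) if failed;
              None when ``data_type`` does not name a known SignatureType.
    """

    klass = class_from_type(type_)
    if not klass:
        return {"success": False, "message": "Could not find object."}

    # Scope the lookup to the user's sources when the class is source-aware,
    # so an object the user cannot see is reported as not found.
    if hasattr(klass, "source"):
        sources = user_sources(user)
        obj = klass.objects(id=id_, source__name__in=sources).first()
    else:
        obj = klass.objects(id=id_).first()
    if not obj:
        return {"success": False, "message": "Could not find object."}

    signature = Signature.objects(id=id_).first()
    if not signature:
        # id_ resolved to an object of type ``type_`` but not to a Signature;
        # the previous version dereferenced None here.
        return {"success": False, "message": "Could not find object."}

    data_type = SignatureType.objects(name=data_type).first()
    if not data_type:
        return None

    signature.data_type = data_type.name
    try:
        signature.save(username=user)
    except ValidationError as e:
        return {"success": False, "message": str(e)}
    return {"success": True}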
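def update_signature_type(_id, data_type, analyst):
    """
    Update the Signature data type.

    :param _id: ObjectId of the Signature to update.
    :type _id: str
    :param data_type: The data type to set.
    :type data_type: str
    :param analyst: The user updating the data type.
    :type analyst: str
    :returns: dict with keys "success" (boolean) and "message" (str) if failed;
              None when ``data_type`` does not name a known SignatureType.
    """

    signature = Signature.objects(id=_id).first()
    if not signature:
        # The previous version dereferenced None when the ObjectId was unknown.
        return {'success': False, 'message': 'Could not find object.'}

    data_type = SignatureType.objects(name=data_type).first()
    if not data_type:
        return None

    signature.data_type = data_type.name
    try:
        signature.save(username=analyst)
    except ValidationError as e:
        return {'success': False, 'message': str(e)}
    return {'success': True}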
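def update_signature_type(_id, data_type, analyst):
    """
    Update the Signature data type.

    :param _id: ObjectId of the Signature to update.
    :type _id: str
    :param data_type: The data type to set.
    :type data_type: str
    :param analyst: The user updating the data type.
    :type analyst: str
    :returns: dict with keys "success" (boolean) and "message" (str) if failed;
              None when ``data_type`` does not name a known SignatureType.
    """

    signature = Signature.objects(id=_id).first()
    if not signature:
        # The previous version dereferenced None when the ObjectId was unknown.
        return {'success': False, 'message': 'Could not find object.'}

    new_type = SignatureType.objects(name=data_type).first()
    if not new_type:
        return None

    signature.data_type = new_type.name
    try:
        signature.save(username=analyst)
    except ValidationError as e:
        return {'success': False, 'message': str(e)}
    return {'success': True}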
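def handle_signature_file(data,
                          source_name,
                          user=None,
                          description=None,
                          title=None,
                          data_type=None,
                          data_type_min_version=None,
                          data_type_max_version=None,
                          data_type_dependency=None,
                          link_id=None,
                          source_method='',
                          source_reference='',
                          source_tlp='',
                          copy_rels=False,
                          bucket_list=None,
                          ticket=None,
                          related_id=None,
                          related_type=None,
                          relationship_type=None):
    """
    Add Signature.

    :param data: The data of the Signature.
    :type data: str
    :param source_name: The source which provided this Signature.
    :type source_name: str,
                       :class:`crits.core.crits_mongoengine.EmbeddedSource`,
                       list of :class:`crits.core.crits_mongoengine.EmbeddedSource`
    :param user: The user adding the Signature. Required: it is consulted
                 for source write access and used as the audit username.
    :type user: CRITsUser
    :param description: Description of the Signature.
    :type description: str
    :param title: Title of the Signature.
    :type title: str
    :param data_type: Datatype of the Signature.
    :type data_type: str
    :param data_type_min_version: Datatype tool minimum version.
    :type data_type_min_version: str
    :param data_type_max_version: Datatype tool maximum version.
    :type data_type_max_version: str
    :param data_type_dependency: Datatype tool dependency to be run
    :type data_type_dependency: list or str (comma separated)
    :param link_id: LinkId to tie this to another Signature as a new version.
    :type link_id: str
    :param source_method: The method of acquiring this Signature.
    :type source_method: str
    :param source_reference: A reference to the source of this Signature.
    :type source_reference: str
    :param source_tlp: TLP marking of the source information.
    :type source_tlp: str
    :param copy_rels: Copy relationships from the previous version to this one.
    :type copy_rels: bool
    :param bucket_list: Bucket(s) to add to this Signature
    :type bucket_list: str(comma separated) or list.
    :param ticket: Ticket(s) to add to this Signature
    :type ticket: str(comma separated) or list.
    :param related_id: ID of object to create relationship with
    :type related_id: str
    :param related_type: Type of object to create relationship with
    :type related_type: str
    :param relationship_type: Type of relationship to create.
    :type relationship_type: str
    :returns: dict with keys:
              'success' (boolean),
              'message' (str),
              '_id' (str) if successful,
              'object' (Signature) if successful.
    """

    if not data or not title or not data_type:
        return {
            'success': False,
            'message': 'No data object, title, or data type passed in'
        }

    if not source_name:
        return {"success": False, "message": "Missing source information."}

    rdt = SignatureType.objects(name=data_type).first()
    if not rdt:
        return {'success': False, 'message': 'Invalid data type passed in'}

    if len(data) <= 0:
        return {'success': False, 'message': 'Data length <= 0'}

    if user is None:
        # Every path below needs a user (source write check, audit username
        # on save); the previous version failed with AttributeError here.
        return {'success': False, 'message': 'No user passed in'}

    # generate md5 and timestamp
    md5 = hashlib.md5(data).hexdigest()
    timestamp = datetime.datetime.now()

    # generate signature
    signature = Signature()
    signature.created = timestamp
    signature.description = description
    signature.md5 = md5
    signature.data = data
    signature.title = title
    signature.data_type = data_type
    signature.data_type_min_version = data_type_min_version
    signature.data_type_max_version = data_type_max_version

    if data_type_dependency:
        # Accept a comma separated string as well as a list. basestring
        # covers both str and unicode; the previous version only split
        # unicode, so a plain str was iterated character by character.
        if isinstance(data_type_dependency, basestring):
            data_type_dependency = data_type_dependency.split(",")

        for item in data_type_dependency:
            if item:
                signature.data_type_dependency.append(str(item.strip()))

    # generate new source information and add to sample
    if isinstance(source_name, basestring) and len(source_name) > 0:
        # A source given by name is only attached when the user may write
        # to that source.
        if not user.check_source_write(source_name):
            return {
                "success":
                False,
                "message":
                "User does not have permission to add object using source %s."
                % source_name
            }
        source = create_embedded_source(source_name,
                                        date=timestamp,
                                        method=source_method,
                                        reference=source_reference,
                                        tlp=source_tlp,
                                        analyst=user.username)
        # this will handle adding a new source, or an instance automatically
        signature.add_source(source)
    elif isinstance(source_name, EmbeddedSource):
        # NOTE(review): pre-built EmbeddedSource values are not passed
        # through check_source_write; callers supplying them are trusted to
        # have verified access already.
        signature.add_source(source_name,
                             method=source_method,
                             reference=source_reference,
                             tlp=source_tlp)
    elif isinstance(source_name, list) and len(source_name) > 0:
        for s in source_name:
            if isinstance(s, EmbeddedSource):
                # ``tlp=`` matches the keyword used for the single
                # EmbeddedSource case above; the previous version passed
                # ``source_tlp=`` here.
                signature.add_source(s,
                                     method=source_method,
                                     reference=source_reference,
                                     tlp=source_tlp)

    signature.version = len(Signature.objects(link_id=link_id)) + 1

    if link_id:
        signature.link_id = link_id
        if copy_rels:
            previous = Signature.objects(link_id=link_id).first()
            if previous and len(previous.relationships):
                # Relationships need a persisted document, so save first.
                signature.save(username=user.username)
                signature.reload()
                for rel in previous.relationships:
                    # Get object to relate to.
                    rel_item = class_from_id(rel.rel_type, rel.object_id)
                    if rel_item:
                        signature.add_relationship(
                            rel_item,
                            rel.relationship,
                            rel_date=rel.relationship_date,
                            analyst=user.username)

    if bucket_list:
        signature.add_bucket_list(bucket_list, user)

    if ticket:
        signature.add_ticket(ticket, user)

    related_obj = None
    if related_id and related_type:
        related_obj = class_from_id(related_type, related_id)
        if not related_obj:
            return {'success': False, 'message': 'Related Object not found.'}

    signature.save(username=user.username)

    if related_obj and signature and relationship_type:
        # The caller names the relationship from the related object's side.
        relationship_type = RelationshipTypes.inverse(
            relationship=relationship_type)
        signature.add_relationship(related_obj,
                                   relationship_type,
                                   analyst=user.username,
                                   get_rels=False)
        signature.save(username=user.username)
        signature.reload()

    # save signature
    signature.save(username=user.username)
    signature.reload()

    return {
        'success': True,
        'message': 'Uploaded signature',
        '_id': signature.id,
        'object': signature
    }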
def class_from_id(type_, _id):
    """
    Return an instantiated class object.

    ``_id`` is validated as an ObjectId before any query is issued and
    ``type_`` is matched against the known top-level type names; anything
    else yields None.

    :param type_: The CRITs top-level object type.
    :type type_: str
    :param _id: The ObjectId to search for.
    :type _id: str
    :returns: class which inherits from
              :class:`crits.core.crits_mongoengine.CritsBaseAttributes`,
              or None when the type or id is unknown.
    """

    # doing this to avoid circular imports
    from crits.actors.actor import ActorThreatIdentifier, Actor
    from crits.backdoors.backdoor import Backdoor
    from crits.campaigns.campaign import Campaign
    from crits.certificates.certificate import Certificate
    from crits.comments.comment import Comment
    from crits.core.crits_mongoengine import Action
    from crits.core.source_access import SourceAccess
    from crits.core.user_role import UserRole
    from crits.domains.domain import Domain
    from crits.emails.email import Email
    from crits.events.event import Event
    from crits.exploits.exploit import Exploit
    from crits.indicators.indicator import Indicator
    from crits.ips.ip import IP
    from crits.pcaps.pcap import PCAP
    from crits.raw_data.raw_data import RawData, RawDataType
    from crits.samples.sample import Sample
    from crits.screenshots.screenshot import Screenshot
    from crits.signatures.signature import Signature, SignatureType, SignatureDependency
    from crits.targets.target import Target

    if not _id:
        return None

    # make sure it's a string
    _id = str(_id)

    # Use bson.ObjectId to make sure this is a valid ObjectId, otherwise
    # the queries below will raise a ValidationError exception.
    if not ObjectId.is_valid(_id.decode('utf8')):
        return None

    # Every supported type is looked up by id, so a name -> class table
    # replaces the per-type branches.
    classes_by_type = {
        'Actor': Actor,
        'Backdoor': Backdoor,
        'ActorThreatIdentifier': ActorThreatIdentifier,
        'Campaign': Campaign,
        'Certificate': Certificate,
        'Comment': Comment,
        'Domain': Domain,
        'Email': Email,
        'Event': Event,
        'Exploit': Exploit,
        'Indicator': Indicator,
        'Action': Action,
        'IP': IP,
        'PCAP': PCAP,
        'RawData': RawData,
        'RawDataType': RawDataType,
        'Sample': Sample,
        'Signature': Signature,
        'SignatureType': SignatureType,
        'SignatureDependency': SignatureDependency,
        'SourceAccess': SourceAccess,
        'Screenshot': Screenshot,
        'Target': Target,
        'UserRole': UserRole,
    }
    klass = classes_by_type.get(type_)
    if klass is None:
        return None
    return klass.objects(id=_id).first()
def get_signature_details(_id, analyst):
    """
    Generate the data to render the Signature details template.

    The Signature is only looked up within the sources the analyst may
    see; a missing id or an inaccessible Signature renders the error
    template instead.

    :param _id: The ObjectId of the Signature to get details for.
    :type _id: str
    :param analyst: The user requesting this information.
    :type analyst: str
    :returns: template (str), arguments (dict)
    """

    sources = user_sources(analyst)
    signature = None
    if _id:
        signature = Signature.objects(id=_id, source__name__in=sources).first()

    if not signature:
        error_args = {
            'error': 'signature not yet available or you do not have access to view it.'
        }
        return "error.html", error_args

    who = "%s" % analyst
    signature.sanitize(who)

    # remove pending notifications for user
    remove_user_from_notification(who, signature.id, 'Signature')

    # subscription
    subscription = {
            'type': 'Signature',
            'id': signature.id,
            'subscribed': is_user_subscribed(who, 'Signature', signature.id),
    }

    #objects
    objects = signature.sort_objects()

    #relationships
    relationships = signature.sort_relationships(who, meta=True)

    # relationship
    relationship = {'type': 'Signature', 'value': signature.id}

    # number of versions sharing this Signature's link_id
    versions = len(Signature.objects(link_id=signature.link_id).only('id'))

    #comments
    comments = {'comments': signature.get_comments(), 'url_key': _id}

    #screenshots
    screenshots = signature.get_screenshots(analyst)

    # favorites
    favorite = is_user_favorite(who, 'Signature', signature.id)

    # services
    service_list = get_supported_services('Signature')

    # analysis results
    service_results = signature.get_analysis_results()

    args = {
        'service_list': service_list,
        'objects': objects,
        'relationships': relationships,
        'comments': comments,
        'favorite': favorite,
        'relationship': relationship,
        "subscription": subscription,
        "screenshots": screenshots,
        "versions": versions,
        "service_results": service_results,
        "signature": signature,
    }
    return None, args
def class_from_value(type_, value):
    """
    Return an instantiated class object.

    Each top-level type is looked up by its natural key (name, md5, id,
    domain, ip or email address). Types keyed by id have ``value``
    validated as an ObjectId first.

    :param type_: The CRITs top-level object type.
    :type type_: str
    :param value: The value to search for.
    :type value: str
    :returns: class which inherits from
              :class:`crits.core.crits_mongoengine.CritsBaseAttributes`,
              or None when the type is unknown or the value is not a
              valid ObjectId for an id-keyed type.
    """

    # doing this to avoid circular imports
    from crits.actors.actor import ActorThreatIdentifier, Actor
    from crits.backdoors.backdoor import Backdoor
    from crits.campaigns.campaign import Campaign
    from crits.certificates.certificate import Certificate
    from crits.comments.comment import Comment
    from crits.domains.domain import Domain
    from crits.emails.email import Email
    from crits.events.event import Event
    from crits.exploits.exploit import Exploit
    from crits.indicators.indicator import Indicator
    from crits.ips.ip import IP
    from crits.pcaps.pcap import PCAP
    from crits.raw_data.raw_data import RawData
    from crits.samples.sample import Sample
    from crits.screenshots.screenshot import Screenshot
    from crits.signatures.signature import Signature
    from crits.targets.target import Target

    # Make sure value is a string...
    value = str(value)

    # Use bson.ObjectId to make sure this is a valid ObjectId, otherwise
    # the queries below will raise a ValidationError exception.
    id_keyed = ['Backdoor', 'Comment', 'Email', 'Event', 'Exploit',
                'Indicator', 'Screenshot']
    if type_ in id_keyed and not ObjectId.is_valid(value.decode('utf8')):
        return None

    # Target is the only type with a fallback query, so it is handled apart.
    if type_ == 'Target':
        target = Target.objects(email_address=value).first()
        return target or Target.objects(email_address__iexact=value).first()

    # (class, lookup field) for every other supported type.
    lookup_by_type = {
        'Actor': (Actor, 'name'),
        'Backdoor': (Backdoor, 'id'),
        'ActorThreatIdentifier': (ActorThreatIdentifier, 'name'),
        'Campaign': (Campaign, 'name'),
        'Certificate': (Certificate, 'md5'),
        'Comment': (Comment, 'id'),
        'Domain': (Domain, 'domain'),
        'Email': (Email, 'id'),
        'Event': (Event, 'id'),
        'Exploit': (Exploit, 'id'),
        'Indicator': (Indicator, 'id'),
        'IP': (IP, 'ip'),
        'PCAP': (PCAP, 'md5'),
        'RawData': (RawData, 'md5'),
        'Sample': (Sample, 'md5'),
        'Screenshot': (Screenshot, 'id'),
        'Signature': (Signature, 'md5'),
    }
    entry = lookup_by_type.get(type_)
    if entry is None:
        return None
    klass, field = entry
    return klass.objects(**{field: value}).first()
def class_from_id(type_, _id):
    """
    Return an instantiated class object.

    ``_id`` must be a valid ObjectId and ``type_`` one of the known
    top-level type names; otherwise None is returned without querying.

    :param type_: The CRITs top-level object type.
    :type type_: str
    :param _id: The ObjectId to search for.
    :type _id: str
    :returns: class which inherits from
              :class:`crits.core.crits_mongoengine.CritsBaseAttributes`,
              or None when the type or id is unknown.
    """

    # doing this to avoid circular imports
    from crits.actors.actor import ActorThreatIdentifier, Actor
    from crits.backdoors.backdoor import Backdoor
    from crits.campaigns.campaign import Campaign
    from crits.certificates.certificate import Certificate
    from crits.comments.comment import Comment
    from crits.core.crits_mongoengine import Action
    from crits.core.source_access import SourceAccess
    from crits.core.user_role import UserRole
    from crits.domains.domain import Domain
    from crits.emails.email import Email
    from crits.events.event import Event
    from crits.exploits.exploit import Exploit
    from crits.indicators.indicator import Indicator
    from crits.ips.ip import IP
    from crits.pcaps.pcap import PCAP
    from crits.raw_data.raw_data import RawData, RawDataType
    from crits.samples.sample import Sample
    from crits.screenshots.screenshot import Screenshot
    from crits.signatures.signature import Signature, SignatureType, SignatureDependency
    from crits.targets.target import Target

    if not _id:
        return None

    # make sure it's a string
    _id = str(_id)

    # Use bson.ObjectId to make sure this is a valid ObjectId, otherwise
    # the queries below will raise a ValidationError exception.
    if not ObjectId.is_valid(_id.decode('utf8')):
        return None

    # All supported types are keyed by id; dispatch through a table.
    supported = (
        ('Actor', Actor),
        ('Backdoor', Backdoor),
        ('ActorThreatIdentifier', ActorThreatIdentifier),
        ('Campaign', Campaign),
        ('Certificate', Certificate),
        ('Comment', Comment),
        ('Domain', Domain),
        ('Email', Email),
        ('Event', Event),
        ('Exploit', Exploit),
        ('Indicator', Indicator),
        ('Action', Action),
        ('IP', IP),
        ('PCAP', PCAP),
        ('RawData', RawData),
        ('RawDataType', RawDataType),
        ('Sample', Sample),
        ('Signature', Signature),
        ('SignatureType', SignatureType),
        ('SignatureDependency', SignatureDependency),
        ('SourceAccess', SourceAccess),
        ('Screenshot', Screenshot),
        ('Target', Target),
        ('UserRole', UserRole),
    )
    for name, klass in supported:
        if type_ == name:
            return klass.objects(id=_id).first()
    return None
def class_from_value(type_, value):
    """
    Return an instantiated class object.

    Each top-level type is looked up by its natural key (name, md5, id,
    domain, ip, message id or email address). Types keyed by id have
    ``value`` validated as an ObjectId first.

    :param type_: The CRITs top-level object type.
    :type type_: str
    :param value: The value to search for.
    :type value: str
    :returns: class which inherits from
              :class:`crits.core.crits_mongoengine.CritsBaseAttributes`,
              or None when the type is unknown or the value is not a
              valid ObjectId for an id-keyed type.
    """

    # doing this to avoid circular imports
    from crits.actors.actor import ActorThreatIdentifier, Actor
    from crits.backdoors.backdoor import Backdoor
    from crits.campaigns.campaign import Campaign
    from crits.certificates.certificate import Certificate
    from crits.comments.comment import Comment
    from crits.domains.domain import Domain
    from crits.emails.email import Email
    from crits.events.event import Event
    from crits.exploits.exploit import Exploit
    from crits.indicators.indicator import Indicator
    from crits.ips.ip import IP
    from crits.pcaps.pcap import PCAP
    from crits.raw_data.raw_data import RawData
    from crits.samples.sample import Sample
    from crits.screenshots.screenshot import Screenshot
    from crits.signatures.signature import Signature
    from crits.targets.target import Target

    # Make sure value is a string...
    value = str(value)

    # Use bson.ObjectId to make sure this is a valid ObjectId, otherwise
    # the queries below will raise a ValidationError exception.
    id_keyed = ['Backdoor', 'Comment', 'Event', 'Exploit', 'Indicator',
                'Screenshot']
    if type_ in id_keyed and not ObjectId.is_valid(value.decode('utf8')):
        return None

    # Target is the only type with a fallback query, so it is handled apart.
    if type_ == 'Target':
        target = Target.objects(email_address=value).first()
        return target or Target.objects(email_address__iexact=value).first()

    # (class, lookup field) for every other supported type.
    lookup_by_type = {
        'Actor': (Actor, 'name'),
        'Backdoor': (Backdoor, 'id'),
        'ActorThreatIdentifier': (ActorThreatIdentifier, 'name'),
        'Campaign': (Campaign, 'name'),
        'Certificate': (Certificate, 'md5'),
        'Comment': (Comment, 'id'),
        'Domain': (Domain, 'domain'),
        'Email': (Email, 'message_id'),
        'Event': (Event, 'id'),
        'Exploit': (Exploit, 'id'),
        'Indicator': (Indicator, 'id'),
        'IP': (IP, 'ip'),
        'PCAP': (PCAP, 'md5'),
        'RawData': (RawData, 'md5'),
        'Sample': (Sample, 'md5'),
        'Screenshot': (Screenshot, 'id'),
        'Signature': (Signature, 'md5'),
    }
    entry = lookup_by_type.get(type_)
    if entry is None:
        return None
    klass, field = entry
    return klass.objects(**{field: value}).first()
def get_signature_details(_id, user):
    """
    Build the template name and context needed to render a Signature's
    details page.

    Access control happens in two steps: the lookup query is restricted to
    Signatures whose source is one of the user's sources, and the result is
    then passed through ``user.check_source_tlp``. A Signature that fails
    either step is treated exactly like one that does not exist, so the
    error page does not reveal whether the id is valid.

    :param _id: The ObjectId of the Signature to get details for.
    :type _id: str
    :param user: The user requesting this information.
    :type user: CRITsUser
    :returns: template (str or None), arguments (dict)
    """

    username = "%s" % user
    sources = user_sources(user)

    signature = None
    if _id:
        # The source filter is part of the query so objects outside the
        # user's sources are never loaded at all.
        signature = Signature.objects(id=_id,
                                      source__name__in=sources).first()

    # The TLP check runs even when the lookup returned nothing.
    if not user.check_source_tlp(signature):
        signature = None

    if not signature:
        error = 'signature not yet available or you do not have access to view it.'
        return "error.html", {'error': error}

    signature.sanitize(username)

    # Viewing the object clears any pending notification for this user.
    remove_user_from_notification(username, signature.id, 'Signature')

    subscription = {
        'type': 'Signature',
        'id': signature.id,
        'subscribed': is_user_subscribed(username, 'Signature', signature.id),
    }

    objects = signature.sort_objects()
    relationships = signature.sort_relationships(username, meta=True)
    relationship = {'type': 'Signature', 'value': signature.id}

    # Every Signature sharing this link_id is a version of the same thing.
    versions = len(Signature.objects(link_id=signature.link_id).only('id'))

    comments = {'comments': signature.get_comments(), 'url_key': _id}
    screenshots = signature.get_screenshots(user)
    favorite = is_user_favorite(username, 'Signature', signature.id)
    service_list = get_supported_services('Signature')
    service_results = signature.get_analysis_results()

    context = {
        'service_list': service_list,
        'objects': objects,
        'relationships': relationships,
        'comments': comments,
        'favorite': favorite,
        'relationship': relationship,
        'subscription': subscription,
        'screenshots': screenshots,
        'versions': versions,
        'service_results': service_results,
        'signature': signature,
        'SignatureACL': SignatureACL,
    }

    # A None template tells the caller to render the normal details page.
    return None, context
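def handle_signature_file(data, source_name, user=None,
                         description=None, title=None, data_type=None,
                         data_type_min_version=None, data_type_max_version=None,
                         data_type_dependency=None, link_id=None, method='', reference='',
                         copy_rels=False, bucket_list=None, ticket=None):
    """
    Add a Signature.

    :param data: The data of the Signature.
    :type data: str
    :param source_name: The source which provided this Signature.
    :type source_name: str,
                       :class:`crits.core.crits_mongoengine.EmbeddedSource`,
                       list of :class:`crits.core.crits_mongoengine.EmbeddedSource`
    :param user: The user adding the Signature.
    :type user: str
    :param description: Description of the Signature.
    :type description: str
    :param title: Title of the Signature.
    :type title: str
    :param data_type: Datatype of the Signature; must name an existing
                      SignatureType.
    :type data_type: str
    :param data_type_min_version: Datatype tool minimum version.
    :type data_type_min_version: str
    :param data_type_max_version: Datatype tool maximum version.
    :type data_type_max_version: str
    :param data_type_dependency: Datatype tool dependency to be run.
    :type data_type_dependency: list, or str (comma separated)
    :param link_id: LinkId to tie this to another Signature as a new version.
    :type link_id: str
    :param method: The method of acquiring this Signature.
    :type method: str
    :param reference: A reference to the source of this Signature.
    :type reference: str
    :param copy_rels: Copy relationships from the previous version to this one.
    :type copy_rels: bool
    :param bucket_list: Bucket(s) to add to this Signature
    :type bucket_list: str(comma separated) or list.
    :param ticket: Ticket(s) to add to this Signature
    :type ticket: str(comma separated) or list.
    :returns: dict with keys:
              'success' (boolean),
              'message' (str),
              '_id' (str) and 'object' (Signature) if successful.
    """

    # Reject incomplete input before touching the database. An empty `data`
    # string is caught here as well, so no separate length check is needed.
    if not data or not title or not data_type:
        return {
            'success': False,
            'message': 'No data object, title, or data type passed in'
        }

    if not source_name:
        return {"success": False, "message": "Missing source information."}

    # The data type has to be a known SignatureType; an arbitrary string is
    # refused rather than stored.
    if not SignatureType.objects(name=data_type).first():
        return {
            'success': False,
            'message': 'Invalid data type passed in'
        }

    # The MD5 of the content is stored on the object and is what other code
    # in this module uses to look a Signature up; it is a content fingerprint
    # for de-duplication, not an integrity control.
    md5 = hashlib.md5(data).hexdigest()
    # Naive local time (no tzinfo), reused for the embedded source's date.
    timestamp = datetime.datetime.now()

    signature = Signature()
    signature.created = timestamp
    signature.description = description
    signature.md5 = md5
    signature.data = data
    signature.title = title
    signature.data_type = data_type
    signature.data_type_min_version = data_type_min_version
    signature.data_type_max_version = data_type_max_version

    if data_type_dependency:
        # Accept a comma-separated string as well as a list. basestring is
        # used here, consistent with the source_name check below, so a plain
        # str is split on commas instead of being iterated character by
        # character.
        if isinstance(data_type_dependency, basestring):
            data_type_dependency = data_type_dependency.split(",")

        for item in data_type_dependency:
            if item:
                signature.data_type_dependency.append(str(item.strip()))

    # Attach source information. List entries that are not EmbeddedSource
    # instances are silently ignored, as before.
    if isinstance(source_name, basestring):
        source = create_embedded_source(source_name,
                                        date=timestamp,
                                        method=method,
                                        reference=reference,
                                        analyst=user)
        # add_source handles both a brand-new source and a new instance of
        # an existing one.
        signature.add_source(source)
    elif isinstance(source_name, EmbeddedSource):
        signature.add_source(source_name, method=method, reference=reference)
    elif isinstance(source_name, list):
        for s in source_name:
            if isinstance(s, EmbeddedSource):
                signature.add_source(s, method=method, reference=reference)

    # The new version number is one more than the number of Signatures that
    # already share this link_id.
    # NOTE(review): with link_id=None this queries link_id == None; confirm
    # the model's default for link_id keeps that count at zero.
    signature.version = len(Signature.objects(link_id=link_id)) + 1

    if link_id:
        signature.link_id = link_id
        if copy_rels:
            rd2 = Signature.objects(link_id=link_id).first()
            if rd2 and len(rd2.relationships):
                # The object needs an id before relationships can be added,
                # hence the early save; the final save below persists the
                # rest of the fields.
                signature.save(username=user)
                signature.reload()
                for rel in rd2.relationships:
                    # Resolve the related object; unresolvable entries are
                    # skipped rather than copied as dangling references.
                    rel_item = class_from_id(rel.rel_type, rel.object_id)
                    if rel_item:
                        signature.add_relationship(rel_item,
                                                   rel.relationship,
                                                   rel_date=rel.relationship_date,
                                                   analyst=user)

    if bucket_list:
        signature.add_bucket_list(bucket_list, user)

    if ticket:
        signature.add_ticket(ticket, user)

    signature.save(username=user)
    signature.reload()

    return {
        'success': True,
        'message': 'Uploaded signature',
        '_id': signature.id,
        'object': signature
    }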