def test_convert_to_nw_time(self):
expected_nw_time = "2018-Dec-18 13:28:45"
nw_time = datetime.datetime.strptime(convert_to_nw_time(1545157725000),\
'%Y-%b-%d %H:%M:%S')
nw_time_timezone = nw_time.astimezone(pytz.timezone("America/New_York"))\
.strftime('%Y-%b-%d %H:%M:%S')
assert nw_time_timezone == expected_nw_time
def _netwitness_retrieve_log_data(self, event, *args, **kwargs):
"""Function: Returns back either a log file from Netwitness."""
try:
# Get the function parameters:
nw_data_format = self.get_select_param(
kwargs.get("nw_data_format")) # select
yield StatusMessage("Retrieving {} logs...".format(nw_data_format))
nw_start_time = kwargs.get("nw_start_time") # int
if nw_start_time is None:
raise FunctionError(
"nw_start_time must be set in order to run this function.")
nw_end_time = kwargs.get("nw_end_time") # int
if nw_end_time is None:
raise FunctionError(
"nw_end_time must be set in order to run this function.")
incident_id = kwargs.get("incident_id") # number
# Initialize resilient_lib objects (handles the select input)
results_payload = ResultPayload("fn_rsa_netwitness", **kwargs)
req_common = RequestsCommon(self.opts)
log.info("nw_data_format: %s", nw_data_format)
log.info("nw_start_time: %s", nw_start_time)
log.info("nw_end_time: %s", nw_end_time)
data_file = {}
start_time = convert_to_nw_time(nw_start_time)
end_time = convert_to_nw_time(nw_end_time)
# Get all common variables from app.config
url = self.options.get("nw_log_server_url")
username = self.options.get("nw_log_server_user")
password = self.options.get("nw_log_server_password")
nw_verify = self.options.get("nw_log_server_verify")
# Dict lookup for render format
render_format_dict = {
"logs_text": "logs",
"logs_csv": "text/csv",
"logs_xml": "text/xml",
"logs_json": "application/json"
}
# Make sure format is a supported case
if nw_data_format not in render_format_dict:
raise FunctionError("{} is not a supported format to retrieve logs"\
.format(nw_data_format))
# Return log data in json format
if nw_data_format == "logs_json":
data_file = get_nw_session_logs_file(url, username, password, nw_verify, \
start_time, end_time, req_common, render_format=render_format_dict[nw_data_format], resp_type="json")
# Return log data in text format
else:
data_file = get_nw_session_logs_file(url, username, password, nw_verify, \
start_time, end_time, req_common, render_format=render_format_dict[nw_data_format])
log.debug("data_file: %s", data_file)
results = results_payload.done(True, data_file)
log.debug("RESULTS: %s", results)
# Check for empty log files
# (if empty, no log file will be attached and a note will
# be added in the workflow post-process)
if results["content"]:
yield StatusMessage("Logs found, creating attachment...")
# Get client, attachment name, and content of log files from netwitness
rest_client = self.rest_client()
# Determine the proper extension for the attachment name
if nw_data_format == "logs_text":
ext = "txt"
else:
ext = nw_data_format[5:] # for csv, xml, json
attachment_name = u"Log file for {} - {}.{}".format(
nw_start_time, nw_end_time, ext)
if nw_data_format == "logs_json":
datastream = BytesIO(
json.dumps(results['content'],
indent=4).encode('utf-8'))
elif sys.version_info.major < 3:
datastream = StringIO(results["content"])
else:
datastream = BytesIO(results["content"].encode("utf-8"))
write_file_attachment(rest_client, attachment_name,\
datastream, incident_id, None)
yield StatusMessage("Done...")
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception as error:
yield FunctionError(error)
def _netwitness_retrieve_pcap_data(self, event, *args, **kwargs):
"""Function: Returns back either a pcap file from Netwitness,
and attaches it to an incident."""
try:
yield StatusMessage("Starting...")
# Get the function parameters:
nw_event_session_ids = kwargs.get("nw_event_session_ids") # text
nw_start_time = kwargs.get("nw_start_time") # text
nw_end_time = kwargs.get("nw_end_time") # text
incident_id = str(kwargs.get("incident_id")) # number
# Initialize resilient_lib objects (handles the select input)
results_payload = ResultPayload("fn_rsa_netwitness", **{"nw_event_session_ids":\
nw_event_session_ids, "incident_id": incident_id})
req_common = RequestsCommon(self.opts)
# Verify inputs are set correctly
if nw_event_session_ids is None:
if nw_start_time is None or nw_end_time is None:
raise FunctionError("Either nw_event_session_ids or nw_start_time and "\
"nw_end_time must be set for this function to run correctly.")
log.info("nw_event_session_ids: %s", nw_event_session_ids)
log.info("nw_start_time: %s", nw_start_time)
log.info("nw_end_time: %s", nw_end_time)
log.info("incident_id: %s", incident_id)
# Get all common variables from app.config
url = self.options.get("nw_packet_server_url")
username = self.options.get("nw_packet_server_user")
password = self.options.get("nw_packet_server_password")
nw_verify = self.options.get("nw_packet_server_verify")
# User session id if avaiable
if nw_event_session_ids:
pcap_file = get_nw_session_pcap_file(url, username, password, nw_verify,\
nw_event_session_ids, req_common)
file_name = "PCAP file for session IDs: {}.pcap".format(
nw_event_session_ids)
else:
nw_start = convert_to_nw_time(nw_start_time)
nw_end = convert_to_nw_time(nw_end_time)
pcap_file = get_nw_session_pcap_file_time(url, username, password, nw_verify,\
nw_start, nw_end, req_common)
file_name = "PCAP file between {} and {}.pcap".format(
nw_start, nw_end)
rest_client = self.rest_client()
results = results_payload.done(True, {})
if sys.version_info.major < 3:
datastream = StringIO(pcap_file)
else:
datastream = BytesIO(pcap_file)
log.debug("pcap_file: %s", pcap_file[1000:])
write_file_attachment(rest_client, file_name, datastream,
incident_id, None)
yield StatusMessage("PCAP file added as attachment to Incident {}"\
.format(str(incident_id)))
yield StatusMessage("Done...")
log.debug("RESULTS: %s", results)
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception as error:
yield FunctionError(error)
def _netwitness_retrieve_log_data(self, event, *args, **kwargs):
"""Function: Returns back either a log file from Netwitness."""
try:
yield StatusMessage("Retrieving logs...")
# Get the function parameters:
nw_data_format = self.get_select_param(kwargs.get("nw_data_format")) # select
nw_start_time = kwargs.get("nw_start_time") # int
if nw_start_time is None:
raise FunctionError("nw_start_time must be set in order to run this function.")
nw_end_time = kwargs.get("nw_end_time") # int
if nw_end_time is None:
raise FunctionError("nw_end_time must be set in order to run this function.")
# Initialize resilient_lib objects (handles the select input)
rp = ResultPayload("fn_rsa_netwitness", **kwargs)
req_common = RequestsCommon(self.opts)
log.info("nw_data_format: %s", nw_data_format)
log.info("nw_start_time: %s", nw_start_time)
log.info("nw_end_time: %s", nw_end_time)
data_file = {}
start_time = convert_to_nw_time(nw_start_time)
end_time = convert_to_nw_time(nw_end_time)
# Get all common variables from app.config
url = self.options.get("nw_log_server_url")
username = self.options.get("nw_log_server_user")
password = self.options.get("nw_log_server_password")
nw_verify = self.options.get("nw_log_server_verify")
# Dict lookup for render format
render_format_dict = {
"logs_text": "logs",
"logs_csv": "text/csv",
"logs_xml": "text/xml",
"logs_json": "application/json"
}
# Make sure format is a supported case
if nw_data_format not in render_format_dict:
raise FunctionError("{} is not a supported format to retrieve logs".format(nw_data_format))
# Return log data in json format
if nw_data_format == "logs_json":
data_file = get_nw_session_logs_file(url, username, password, nw_verify, start_time, end_time,
req_common, render_format=render_format_dict.get("nw_data_format"),
resp_type="json")
# Return log data in text format
else:
data_file = get_nw_session_logs_file(url, username, password, nw_verify, start_time, end_time,
req_common, render_format=render_format_dict.get("nw_data_format"))
log.debug("data_file: {}".format(data_file))
results = rp.done(True, data_file)
log.debug("RESULTS: %s", results)
yield StatusMessage("Done...")
# Produce a FunctionResult with the results
yield FunctionResult(results)
except Exception as e:
yield FunctionError(e)
def test_convert_to_nw_time(self):
expected_nw_time = "2018-Dec-18 13:28:45"
nw_time = convert_to_nw_time(int("1545157725000"))
assert nw_time == expected_nw_time
