def tag(self, new_tags, strict=False, expiration=None):
    """Tags an observable.

    An observable can be tagged to add more information as to what it
    represents.

    Args:
        new_tags: An array of strings to tag the observable with.
        strict: Set to ``True`` to replace all existing tags with the
            ``new_tags``.
        expiration: Timedelta field after which the Tag will not be
            considered fresh anymore.

    Returns:
        A fresh Observable instance as reloaded from the database.
    """
    new_tags = iterify(new_tags)

    if strict:
        # Pull every existing tag that is not part of the new set.
        remove = set([t.name for t in self.tags]) - set(new_tags)
        for tag in remove:
            self.modify(pull__tags__name=tag)

    tagged = False
    for new_tag in new_tags:
        # Blank or whitespace-only names are skipped entirely.
        if new_tag.strip() != '':
            tagged = True
            new_tag = Tag(name=new_tag)
            new_tag.clean()
            try:
                # check if tag is a replacement
                tag = Tag.objects.get(replaces=new_tag.name)
            except DoesNotExist:
                tag = Tag.get_or_create(name=new_tag.name)

            # NOTE(review): once ``expiration`` has been defaulted from the
            # first tag in this loop, the same value is reused for every
            # later tag instead of that tag's own default_expiration --
            # confirm this is intended.
            if not expiration:
                expiration = tag.default_expiration

            # The tag's ``produces`` list is applied alongside the tag itself.
            extra_tags = tag.produces + [tag]

            # search for related entities and link them
            for e in Entity.objects(tags__in=[tag.name]):
                self.active_link_to(e, 'Tagged', 'tags', clean_old=False)

            for tag in extra_tags:
                # Refresh an existing ObservableTag in place; only when the
                # positional update matched nothing is a new one pushed.
                if not self.modify(
                        {"tags__name": tag.name},
                        set__tags__S__fresh=True,
                        set__tags__S__last_seen=datetime.utcnow()):
                    self.modify(push__tags=ObservableTag(
                        name=tag.name, expiration=expiration))
                    # count presumably tracks how many observables carry
                    # this tag, hence it is bumped only on a fresh push.
                    tag.modify(inc__count=1)

    if tagged:
        self.update(set__last_tagged=datetime.utcnow())

    return self.reload()
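def nodesearch(self, query):
    """Prefix-search observables and entities and render the matches.

    Args:
        query: User-supplied prefix. It is escaped before being compiled
            into a regular expression, so regex metacharacters in the input
            are matched literally instead of altering the pattern.

    Returns:
        The rendered list of up to five observables (matched on ``value``)
        followed by up to five entities (matched on ``name``) whose field
        starts with ``query``, case-insensitively.
    """
    # re.escape keeps attacker-controlled input from turning the intended
    # prefix match into an arbitrary (or pathological) regular expression.
    pattern = re.compile("^{}".format(re.escape(query)), re.IGNORECASE)
    observables = Observable.objects(value=pattern).limit(5)
    entities = Entity.objects(name=pattern).limit(5)
    result = [
        node.to_mongo()
        for collection in (observables, entities)
        for node in collection
    ]
    return render(result)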
def parse_play_spawn_mob(self):
    """Handle a Spawn Mob packet and register the mob with entity tracking.

    Always returns ``True`` so the packet keeps flowing. The mob is only
    recorded when entity tracking is enabled and its type id is present in
    ``entity_control.entitytypes``.
    """
    if not self.wrapper.javaserver.entity_control:
        # Entity tracking is disabled: nothing to record.
        return True

    if self.server.version < PROTOCOL_1_9START:
        # Pre-1.9 layout: no UUID, fixed-point ints for the position.
        # "varint:eid|ubyte:type_|int:x|int:y|int:z|byte:pitch|byte:yaw|"
        # "byte:head_pitch|rest:..." -- velocity/metadata are left unparsed.
        dt = self.packet.readpkt(
            [VARINT, NULL, UBYTE, INT, INT, INT, BYTE, BYTE, BYTE, REST])
        # Fixed-point coordinates are scaled back to block units.
        position = (dt[3] / 32, dt[4] / 32, dt[5] / 32)
    else:
        # 1.9+ layout: UUID present, doubles for the position.
        # "varint:eid|uuid:entityUUID|ubyte:type_|double:x|double:y|double:z|"
        # "byte:pitch|byte:yaw|byte:head_pitch|rest:..."
        dt = self.packet.readpkt([
            VARINT, UUID, UBYTE, DOUBLE, DOUBLE, DOUBLE, BYTE, BYTE, BYTE, REST
        ])
        position = (dt[3], dt[4], dt[5])

    eid, entityuuid, mob_type = dt[0], dt[1], dt[2]
    # A mob type we have no definition for is ignored rather than raising.
    if mob_type not in self.wrapper.javaserver.entity_control.entitytypes:
        return True

    mobname = self.wrapper.javaserver.entity_control.entitytypes[mob_type]["name"]
    newmob = Entity(eid, entityuuid, mob_type, mobname, position,
                    (dt[6], dt[7], dt[8]), False, self.client.username)
    self.wrapper.javaserver.entity_control.entities.update({eid: newmob})
    return True
def parse_play_spawn_object(self):
    """Handle a Spawn Object packet and register the object with entity tracking.

    Objects are entities too and are removed again by the destroy-entities
    packet. Always returns ``True``; the object is only recorded when entity
    tracking is enabled and its type id is listed in
    ``entity_control.objecttypes``.
    """
    if not self.wrapper.javaserver.entity_control:
        # return now if no object tracking
        return True

    if self.server.version < PROTOCOL_1_9START:
        # "varint:eid|byte:type_|int:x|int:y|int:z|byte:pitch|byte:yaw"
        dt = self.packet.readpkt(
            [VARINT, NULL, BYTE, INT, INT, INT, BYTE, BYTE])
        # Fixed-point ints are scaled back to block units.
        position = (dt[3] / 32, dt[4] / 32, dt[5] / 32)
    else:
        # "varint:eid|uuid:objectUUID|byte:type_|double:x|double:y|double:z|"
        # "byte:pitch|byte:yaw" -- trailing info/velocity fields are not
        # consumed by this read.
        dt = self.packet.readpkt(
            [VARINT, UUID, BYTE, DOUBLE, DOUBLE, DOUBLE, BYTE, BYTE])
        position = (dt[3], dt[4], dt[5])

    eid, entityuuid, object_type = dt[0], dt[1], dt[2]
    # Look the type up first so an unknown object id cannot raise.
    if object_type not in self.wrapper.javaserver.entity_control.objecttypes:
        return True

    objectname = self.wrapper.javaserver.entity_control.objecttypes[object_type]
    # The full self.wrapper.javaserver... path is deliberately not aliased
    # so the class/method layout stays visible at every call site.
    newobject = Entity(eid, entityuuid, object_type, objectname, position,
                       (dt[6], dt[7]), True, self.client.username)
    self.wrapper.javaserver.entity_control.entities.update({eid: newobject})
    return True
def info(self):
    """Return the dict description of this malware, including family and id."""
    description = Entity.info(self)
    family_name = None
    if self.family:
        family_name = self.family.name
    description['family'] = family_name
    description['id'] = str(self.id)
    description['type'] = "Malware"
    return description
def get_form(klass):
    """Build the entity form for ``klass`` and add an ``Aliases`` list field."""
    entity_form = Entity.get_form(override=klass)
    entity_form.aliases = StringListField("Aliases")
    return entity_form
def info(self):
    """Return the dict description of this company, including its RDAP data."""
    description = Entity.info(self)
    description["rdap"] = self.rdap
    description["type"] = "Company"
    return description
def info(self):
    """Return the dict description of this exploit kit, including its id."""
    description = Entity.info(self)
    description['id'] = str(self.id)
    description['type'] = 'ExploitKit'
    return description
def info(self):
    """Return the dict description of this exploit kit."""
    description = Entity.info(self)
    description["type"] = "ExploitKit"
    return description
def info(self):
    """Return the dict description of this campaign, including its aliases."""
    description = Entity.info(self)
    description['aliases'] = self.aliases
    description['type'] = "Campaign"
    return description
def info(self):
    """Return the dict description of this TTP with its kill-chain step label."""
    description = Entity.info(self)
    step_label = self.KILL_CHAIN_STEPS[self.killchain]
    description['killchain'] = step_label
    description['type'] = 'TTP'
    return description
def info(self):
    """Return the dict description of this exploit."""
    description = Entity.info(self)
    description['type'] = 'Exploit'
    return description
def info(self):
    """Return the dict description of this malware, including its family name."""
    description = Entity.info(self)
    family_name = None
    if self.family:
        family_name = self.family.name
    description["family"] = family_name
    description["type"] = "Malware"
    return description
def info(self):
    """Return the dict description of this TTP with its kill-chain step label."""
    description = Entity.info(self)
    step_label = self.KILL_CHAIN_STEPS[self.killchain]
    description["killchain"] = step_label
    description["type"] = "TTP"
    return description
def info(self):
    """Return the dict description of this actor, including its aliases."""
    description = Entity.info(self)
    description["aliases"] = self.aliases
    description["type"] = "Actor"
    return description
def info(self):
    """Return the dict description of this company, including its RDAP data."""
    description = Entity.info(self)
    description['rdap'] = self.rdap
    description['type'] = "Company"
    return description
def info(self):
    """Return the dict description of this actor, including its aliases."""
    description = Entity.info(self)
    description['aliases'] = self.aliases
    description['type'] = "Actor"
    return description
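def post_save(self, e, request):
    """Link the saved entity ``e`` to the entities named in the form's ``links`` field.

    Args:
        e: The entity that was just saved.
        request: The web request; ``request.form["links"]`` is a
            comma-separated list of entity names.

    Blank entries are dropped before querying -- an empty field makes
    ``"".split(",")`` yield ``[""]``, which previously triggered a lookup
    for an entity named ``""`` -- and surrounding whitespace is stripped so
    ``"a, b"`` resolves both names.
    """
    raw_names = request.form.get("links", "").split(",")
    names = {name.strip() for name in raw_names if name.strip()}
    if not names:
        # Nothing to link; skip the database round-trip.
        return
    for linked in Entity.objects(name__in=names):
        e.action(linked, "web interface")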
def info(self):
    """Return the dict description of this campaign, including its aliases."""
    description = Entity.info(self)
    description["aliases"] = self.aliases
    description["type"] = "Campaign"
    return description