def _sync_request(dxl_client, request, response_timeout, payload_dict):
"""
Performs a synchronous DXL request and returns the payload
:param dxl_client: The DXL client with which to perform the request
:param request: The DXL request to send
:param response_timeout: The maximum amount of time to wait for a response
:param payload_dict: The dictionary (``dict``) to use as the payload of the DXL request
:return: The result of the remote command execution (resulting payload)
"""
# Set the payload
MessageUtils.dict_to_json_payload(request, payload_dict)
# Display the request that is going to be sent
logger.debug(
"Request:\n%s",
MessageUtils.dict_to_json(payload_dict, pretty_print=True))
# Send the request and wait for a response (synchronous)
res = dxl_client.sync_request(request, timeout=response_timeout)
if res.message_type == Message.MESSAGE_TYPE_ERROR:
raise Exception("Error: " + res.error_message + " (" +
str(res.error_code) + ")")
# Return a dictionary corresponding to the response payload
ret_val = MessageUtils.decode_payload(res)
# Display the response
logger.debug("Response:\n%s", ret_val)
return ret_val
def unknown_call(path):
return MessageUtils.dict_to_json(
{
"unit_test_error_unknown_api": path
},
pretty_print=False
)
def system_find_command(self, request):
# Create the response
response = Response(request)
response.payload = MessageUtils.dict_to_json(SYSTEM_FIND_PAYLOAD)
self._client.send_response(response)
def ip_rep_cmd(parsed_url):
ip_param = \
urlparse.parse_qs(parsed_url.query)[ApiVoidCallback.PARAM_IP][0]
if ip_param == SAMPLE_IP:
return MessageUtils.dict_to_json(SAMPLE_IP_REP, pretty_print=False)
return MockApiVoidServerRequestHandler.bad_param(
ApiVoidCallback.PARAM_IP, ip_param)
def file_rescan(self, req_dict):
rules = [
VirusTotalApiClient._PARAM_RESOURCE in req_dict,
req_dict[VirusTotalApiClient._PARAM_RESOURCE] == SAMPLE_FILE
]
if not all(rules):
return self.STATUS_FAILED_MESSAGE
res_payload = copy.deepcopy(SAMPLE_FILE_RESCAN)
received_params = {}
if VirusTotalApiClient._PARAM_DATE in req_dict:
received_params[VirusTotalApiClient._PARAM_DATE] = \
req_dict[VirusTotalApiClient._PARAM_DATE]
if VirusTotalApiClient._PARAM_PERIOD in req_dict:
received_params[VirusTotalApiClient._PARAM_PERIOD] = \
req_dict[VirusTotalApiClient._PARAM_PERIOD]
if VirusTotalApiClient._PARAM_REPEAT in req_dict:
received_params[VirusTotalApiClient._PARAM_REPEAT] = \
req_dict[VirusTotalApiClient._PARAM_REPEAT]
if VirusTotalApiClient._PARAM_NOTIFY_URL in req_dict:
received_params[VirusTotalApiClient._PARAM_NOTIFY_URL] = \
req_dict[VirusTotalApiClient._PARAM_NOTIFY_URL]
if VirusTotalApiClient._PARAM_NOTIFY_CHANGES_ONLY in req_dict:
received_params[VirusTotalApiClient._PARAM_NOTIFY_CHANGES_ONLY] = \
req_dict[VirusTotalApiClient._PARAM_NOTIFY_CHANGES_ONLY]
res_payload[RECEIVED_PARAMS_KEY] = received_params
return MessageUtils.dict_to_json(res_payload, True)
def bad_param(param_name, param_val):
return MessageUtils.dict_to_json(
{
"unit_test_bad_param_name": param_name,
"unit_test_bad_param_val": param_val
},
pretty_print=False)
def bad_param(param_name, param_val, expected_val='unknown'):
return MessageUtils.dict_to_json(
{
"bad_param_name": param_name,
"bad_param_val": param_val,
"exp_param_val": expected_val
},
pretty_print=False)
def threatlog_cmd(parsed_url):
host = \
urlparse.parse_qs(parsed_url.query)[ApiVoidCallback.PARAM_HOST][0]
if host == SAMPLE_HOST:
return MessageUtils.dict_to_json(SAMPLE_THREATLOG,
pretty_print=False)
return MockApiVoidServerRequestHandler.bad_param(
ApiVoidCallback.PARAM_HOST, host)
def parked_domain_cmd(parsed_url):
host = \
urlparse.parse_qs(parsed_url.query)[ApiVoidCallback.PARAM_HOST][0]
if host == SAMPLE_HOST:
return MessageUtils.dict_to_json(SAMPLE_PARKED_DOMAIN,
pretty_print=False)
return MockApiVoidServerRequestHandler.bad_param(
ApiVoidCallback.PARAM_HOST, host)
def email_verify_cmd(parsed_url):
host = \
urlparse.parse_qs(parsed_url.query)[ApiVoidCallback.PARAM_HOST][0]
if host == SAMPLE_HOST:
return MessageUtils.dict_to_json(SAMPLE_EMAIL_VERIFY,
pretty_print=False)
return MockApiVoidServerRequestHandler.bad_param(
ApiVoidCallback.PARAM_HOST, host)
def system_find_command(self, request, params):
# Create the response
response = Response(request)
response.payload = MessageUtils.dict_to_json(
SYSTEM_FIND_PAYLOAD if params ==
{"searchText": SYSTEM_FIND_OSTYPE_LINUX} else [])
self._client.send_response(response)
def domain_report(self, req_dict):
rules = [
VirusTotalApiClient._PARAM_DOMAIN in req_dict,
req_dict[VirusTotalApiClient._PARAM_DOMAIN] == SAMPLE_DOMAIN
]
if not all(rules):
return self.STATUS_FAILED_MESSAGE
return MessageUtils.dict_to_json(SAMPLE_DOMAIN_REPORT, True)
def ip_report(self, req_dict):
rules = [
VirusTotalApiClient._PARAM_IP in req_dict,
req_dict[VirusTotalApiClient._PARAM_IP] == SAMPLE_IP
]
if not all(rules):
return self.STATUS_FAILED_MESSAGE
return MessageUtils.dict_to_json(SAMPLE_IP_ADDRESS_REPORT, True)
def url_scan(self, req_dict):
rules = [
VirusTotalApiClient._PARAM_URL in req_dict,
req_dict[VirusTotalApiClient._PARAM_URL] == SAMPLE_URL
]
if not all(rules):
return self.STATUS_FAILED_MESSAGE
return MessageUtils.dict_to_json(SAMPLE_URL_SCAN, True)
def on_event(self, event):
event_payload_dict = MessageUtils.json_payload_to_dict(event)
# Check the event payload to see if the OpenDXL event was triggered
# by the new MISP event that the sample created.
if "Event" in event_payload_dict and \
"info" in event_payload_dict["Event"] and \
event_payload_dict["Event"]["info"] == \
"OpenDXL MISP event notification example":
# Print the payload for the received event
print("Received event:\n{}".format(
MessageUtils.dict_to_json(event_payload_dict,
pretty_print=True)))
def dns_lookup_cmd(parsed_url):
action = \
urlparse.parse_qs(parsed_url.query)[ApiVoidCallback.PARAM_ACTION][0]
host = \
urlparse.parse_qs(parsed_url.query)[ApiVoidCallback.PARAM_HOST][0]
if action == SAMPLE_ACTION:
if host == SAMPLE_HOST:
return MessageUtils.dict_to_json(SAMPLE_DNS_LOOKUP,
pretty_print=False)
return MockApiVoidServerRequestHandler.bad_param(
ApiVoidCallback.PARAM_HOST, host)
return MockApiVoidServerRequestHandler.bad_param(
ApiVoidCallback.PARAM_ACTION, action)
def file_report(self, req_dict):
rules = [
VirusTotalApiClient._PARAM_RESOURCE in req_dict,
req_dict[VirusTotalApiClient._PARAM_RESOURCE] == SAMPLE_FILE
]
if not all(rules):
return self.STATUS_FAILED_MESSAGE
res_payload = copy.deepcopy(SAMPLE_FILE_REPORT)
received_params = {}
if VirusTotalApiClient._PARAM_ALLINFO in req_dict:
received_params[VirusTotalApiClient._PARAM_ALLINFO] = \
req_dict[VirusTotalApiClient._PARAM_ALLINFO]
res_payload[RECEIVED_PARAMS_KEY] = received_params
return MessageUtils.dict_to_json(res_payload, True)
def help_command(self, request):
# Create the response
response = Response(request)
cmd_array = []
for cmd in self.KNOWN_COMMANDS:
cmd_string = cmd["name"] + " "
for param in cmd["parameters"]:
cmd_string += "[" + param + "] "
cmd_string += "- " + cmd["description"]
cmd_array.append(cmd_string)
response.payload = MessageUtils.dict_to_json(cmd_array)
self._client.send_response(response)
def _sync_request(dxl_client, request, response_timeout, payload_dict):
"""
Performs a synchronous DXL request and returns the payload
:param dxl_client: The DXL client with which to perform the request
:param request: The DXL request to send
:param response_timeout: The maximum amount of time to wait for a response
:param payload_dict: The dictionary (``dict``) to use as the payload of the DXL request
:return: The result of the remote command execution (resulting payload)
"""
# Set the payload
MessageUtils.dict_to_json_payload(request, payload_dict)
# Display the request that is going to be sent
logger.debug("Request:\n%s",
MessageUtils.dict_to_json(payload_dict,
pretty_print=True))
# Send the request and wait for a response (synchronous)
return dxl_client.sync_request(request, timeout=response_timeout)
def url_report_cmd(self, parsed_url):
url = \
urlparse.parse_qs(parsed_url.query)[VirusTotalApiRequestCallback.PARAM_RESOURCE][0]
if url == SAMPLE_URL:
return MessageUtils.dict_to_json(SAMPLE_URL_REPORT, pretty_print=False)
return self.bad_param(VirusTotalApiRequestCallback.PARAM_RESOURCE, url)
def stats_remained_cmd():
return MessageUtils.dict_to_json(SAMPLE_STATS_REMAINED,
pretty_print=False)
# Create DXL configuration from file
config = DxlClientConfig.create_dxl_config_from_file(CONFIG_FILE)
# IP address of the endpoint for which to clear the policy
HOST_IP = "<SPECIFY_IP_ADDRESS>"
# Create the client
with DxlClient(config) as dxl_client:
# Connect to the fabric
dxl_client.connect()
logger.info("Connected to DXL fabric.")
# Create client wrapper
client = CiscoPxGridClient(dxl_client)
try:
# Invoke 'clear endpoint policy by IP' method on service
resp_dict = client.anc.clear_endpoint_policy_by_ip(HOST_IP)
# Print out the response (convert dictionary to JSON for pretty
# printing)
print("Response:\n{0}".format(
MessageUtils.dict_to_json(resp_dict, pretty_print=True)))
except Exception as ex:
# An exception should be raised if a policy has not already been
# associated with the endpoint.
print(str(ex))
ent_rep_attribs = ent_rep[ReputationProp.ATTRIBUTES]
# Display prevalence (if it exists)
if FileEnterpriseAttrib.PREVALENCE in ent_rep_attribs:
print("\tEnterprise prevalence: " + \
ent_rep_attribs[FileEnterpriseAttrib.PREVALENCE])
# Display first contact date (if it exists)
if FileEnterpriseAttrib.FIRST_CONTACT in ent_rep_attribs:
print("\tFirst contact: " + \
FileEnterpriseAttrib.to_localtime_string(
ent_rep_attribs[FileEnterpriseAttrib.FIRST_CONTACT]))
# Display the full file reputation response
print("\nFull file reputation response:\n" + \
MessageUtils.dict_to_json(reputations_dict, True))
#
# Perform the certificate reputation query
#
reputations_dict = tie_client.get_certificate_reputation(
CERTIFICATE_BODY_SHA1, CERTIFICATE_PUBLIC_KEY_SHA1)
print("\nCertificate reputation response:")
# Display the Global Threat Intelligence(GTI) trust level for the certificate
if CertProvider.GTI in reputations_dict:
gti_rep = reputations_dict[CertProvider.GTI]
print("\tGlobal Threat Intelligence (GTI) trust level: " \
+ str(gti_rep[ReputationProp.TRUST_LEVEL]))
MessageUtils.dict_to_json_payload(req, {
"query": {
"_string": "title:(OpenDXL AND Observable)"
},
"range": "0-1"
})
# Set the payload for the search case request
case_search_response = client.sync_request(req, timeout=30)
if case_search_response.message_type is not Message.MESSAGE_TYPE_ERROR:
# Display results for the search case request
case_search_response_dict = MessageUtils.json_payload_to_dict(
case_search_response)
print("Response for the search case request: '{0}'".format(
MessageUtils.dict_to_json(case_search_response_dict,
pretty_print=True)))
else:
print("Error invoking service with topic '{0}': {1} ({2})".format(
request_topic, case_search_response.error_message,
case_search_response.error_code))
exit(1)
if case_search_response_dict:
# Extract the id of the case from the results of the search case request
case_id = case_search_response_dict[0]["id"]
# Create the search case observable request
request_topic = "/opendxl-thehive/service/thehive-api/case/observable/search"
req = Request(request_topic)
# Set the payload for the search case observable request. The query
new_event_request, {
"distribution": 3,
"info": "OpenDXL MISP new event example",
"analysis": 1,
"threat_level_id": 3
})
# Send the new event request
new_event_response = client.sync_request(new_event_request, timeout=30)
if new_event_response.message_type != Message.MESSAGE_TYPE_ERROR:
# Display results for the new event request
new_event_response_dict = MessageUtils.json_payload_to_dict(
new_event_response)
print("Response to the new event request:\n{}".format(
MessageUtils.dict_to_json(new_event_response_dict,
pretty_print=True)))
else:
print("Error invoking service with topic '{}': {} ({})".format(
request_topic, new_event_response.error_message,
new_event_response.error_code))
exit(1)
# Create the new search request
request_topic = "/opendxl-misp/service/misp-api/search"
search_request = Request(request_topic)
# Set the payload for the search request
MessageUtils.dict_to_json_payload(
search_request, {
"eventid": new_event_response_dict["Event"]["id"],
})
def ip_report_cmd(self, parsed_url):
ip_address = \
urlparse.parse_qs(parsed_url.query)[VirusTotalApiRequestCallback.PARAM_IP][0]
if ip_address == SAMPLE_IP:
return MessageUtils.dict_to_json(SAMPLE_IP_ADDRESS_REPORT, pretty_print=False)
return self.bad_param(VirusTotalApiRequestCallback.PARAM_IP, ip_address)
def domain_report_cmd(self, parsed_url):
domain = \
urlparse.parse_qs(parsed_url.query)[VirusTotalApiRequestCallback.PARAM_DOMAIN][0]
if domain == SAMPLE_DOMAIN:
return MessageUtils.dict_to_json(SAMPLE_DOMAIN_REPORT, pretty_print=False)
return self.bad_param(VirusTotalApiRequestCallback.PARAM_DOMAIN, domain)
def on_update_policy(self, update_dict):
print("on_update_policy\n" +
MessageUtils.dict_to_json(update_dict, pretty_print=True))
def file_rescan_cmd(self, parsed_url):
resource = \
urlparse.parse_qs(parsed_url.query)[VirusTotalApiRequestCallback.PARAM_RESOURCE][0]
if resource == SAMPLE_FILE:
return MessageUtils.dict_to_json(SAMPLE_FILE_RESCAN, pretty_print=False)
return self.bad_param(VirusTotalApiRequestCallback.PARAM_RESOURCE, resource)
def url_scan_cmd(self, parsed_url):
url = \
urlparse.parse_qs(parsed_url.query)[VirusTotalApiRequestCallback.PARAM_URL][0]
if url == SAMPLE_URL:
return MessageUtils.dict_to_json(SAMPLE_URL_SCAN, pretty_print=False)
return self.bad_param(VirusTotalApiRequestCallback.PARAM_URL, url)