def create_google_client(config):
"""
:param: config
{
"proxy_url": xxx,
"proxy_port": xxx,
"proxy_username": xxx,
"proxy_password": xxx,
"proxy_rdns": xxx,
"proxy_type": xxx,
"google_credentials": xxx,
"google_project": xxx,
"google_subscription": xxx,
"scopes": xxx,
"service_name": xxx,
"version": xxx,
}
"""
if config.get("google_credentials"):
credentials = oc.get_application_credential_from_json(
config["google_credentials"])
else:
credentials = oc.GoogleCredentials.get_application_default()
if credentials.create_scoped_required():
credentials = credentials.create_scoped(config["scopes"])
http = sr.build_http_connection(
config, timeout=config.get("pulling_interval", 30))
client = discovery.build(
config["service_name"], config["version"], http=http,
credentials=credentials)
return client
def _build_http_connection(self):
"""
Build connection based on rest.py
"""
enabled = is_true(self.config.get("proxy_enabled", ""))
if not enabled:
if self.config.get("proxy_url"):
del self.config['proxy_url']
if self.config.get("proxy_port"):
del self.config['proxy_port']
return build_http_connection(self.config, timeout=30)
def handleEdit(self, confInfo):
user, app = self.user_app()
proxy_info = self.getProxyInfo(
splunkdMgmtUri=rest.makeSplunkdUri(),
sessionKey=self.getSessionKey(),
user=user,
app=app,
)
proxy_enabled = proxy_info.get("proxy_enabled", False)
http = build_http_connection(proxy_info if proxy_enabled else {})
try:
url = self.callerArgs.data["splunk_poster_url"][0]
for regex in self.allowedURLs:
if re.match(regex, url):
break
else:
RH_Err.ctl(1104, msgx="Unsupported url to be posted")
method = self.callerArgs.data["splunk_poster_method"][0]
if method not in self.allowedMethods:
RH_Err.ctl(1104, msgx="Unsupported method to be posted")
payload = {
key: val[0]
for key, val in self.callerArgs.data.items()
if key in self.retransmittedArgs
}
headers = {
"Content-Type": "application/x-www-form-urlencoded",
}
resp, content = http.request(
url,
method=method,
headers=headers,
body=urllib.parse.urlencode(payload),
)
content = json.loads(content)
if resp.status not in (200, 201, "200", "201"):
RH_Err.ctl(resp.status, msgx=content)
for key, val in content.items():
confInfo[self.callerArgs.id][key] = val
except Exception as exc:
RH_Err.ctl(1104, msgx=exc)
def perform_request(self, method, path, data=None):
# build headers
headers = {'Content-Type': 'application/json'}
if self._token is not None:
headers['X-SecurityCenter'] = self._token
if self._cookie is not None:
headers['Cookie'] = self._cookie
# Only convert the data to JSON if there is data.
if data is not None:
data = json.dumps(data)
# make a request
if self._proxy_config:
http = sr.build_http_connection(
config=self._proxy_config,
timeout=self._timeout,
disable_ssl_validation=self._disable_ssl_certificate_validation
)
else:
http = httplib2.Http(timeout=self._timeout,
disable_ssl_certificate_validation=self.
_disable_ssl_certificate_validation)
response, content = http.request(self._uri(path), method, data,
headers)
if path.find('download') != -1:
return content
result = json.loads(content)
self._error_check(response, result)
set_cookie = response.get('set-cookie')
if set_cookie:
self._cookie = set_cookie[set_cookie.find(',') + 1:].strip()
stulog.logger.debug('{} set-cookie={}'.format(
self._logger_prefix, set_cookie))
stulog.logger.debug('{} self._cookie={}'.format(
self._logger_prefix, self._cookie))
return result['response']
def __init__(self, config):
"""
:params config: dict
{
"token": required,
"hec_server_uri": required,
"proxy_hostname": yyy,
"proxy_url": zz,
"proxy_port": aa,
"proxy_username": bb,
"proxy_password": cc,
"proxy_type": http,http_no_tunnel,sock4,sock5,
"proxy_rdns": 0 or 1,
}
"""
self._config = config
self._http = sr.build_http_connection(
config, disable_ssl_validation=True)
self._compose_uri_headers(config)
def write_events(self, events, retry=3):
"""
:params: events a list of json dict which meets HEC event schema
{
"event": xx,
"index": yy,
"host": yy,
"source": yy,
"sourcetype": yy,
"time": yy,
}
Clients should consider batching, since when batching here, upper layer
may have data loss
"""
last_ex = None
events = self._prepare_events(events)
for _ in range(retry):
try:
response, content = self._http.request(
self._uri, method="POST", headers=self._headers,
body=events)
if response.status in (200, 201):
return
else:
msg = ("Failed to post events to HEC_URI={}, "
"error_code={}, reason={}").format(
self._uri, response.status, content)
logger.error(msg)
# We raise here to commonly use the below code block
raise Exception(msg)
except Exception as e:
last_ex = e
logger.error("Failed to post events to HEC_URI=%s, error=%s",
self._uri, traceback.format_exc())
self._http = sr.build_http_connection(
self._config, disable_ssl_validation=True)
time.sleep(2)
raise last_ex
def create_google_client(config):
"""
:param: config
{
"proxy_url": xxx,
"proxy_port": xxx,
"proxy_username": xxx,
"proxy_password": xxx,
"proxy_rdns": xxx,
"proxy_type": xxx,
"google_credentials": xxx,
"google_project": xxx,
"google_subscriptions": xxx,
"scopes": xxx,
"service_name": xxx,
"version": xxx,
}
"""
scopes = config.get("scopes")
if config.get("google_credentials") and bool(config["google_credentials"]):
credentials = service_account.Credentials.from_service_account_info(
config["google_credentials"]
)
if scopes:
credentials = credentials.with_scopes(scopes)
else:
if scopes:
credentials, project = google.auth.default(scopes=scopes)
else:
credentials, project = google.auth.default()
http = sr.build_http_connection(config, timeout=config.get("pulling_interval", 30))
http = AuthorizedHttp(credentials, http=http)
client = discovery.build(config["service_name"], config["version"], http=http, cache_discovery=False)
return client
def run():
logger.info("Script input start.")
logger.info("Start reading session key")
if sys.stdin.closed:
return
session_key = sys.stdin.read()
logger.info("End reading session key")
splunkd_uri = "https://localhost:8089/"
server_info = sc.ServerInfo(splunkd_uri, session_key)
if not server_info.is_shc_member() or server_info.is_captain():
logger.info(
"This is a single instance or cluster captain. Run the malare_category_update."
)
app_name = "Splunk_TA_symantec-ep"
conf_name = "symantec_ep"
stanza = "symantec_ep_proxy"
base_url = "http://www.symantec.com/xml/rss/azlistings.jsp"
encrypted = "******"
conf_manager = conf.ConfManager(splunkd_uri=splunkd_uri,
session_key=session_key,
owner='-',
app_name=app_name)
conf_manager.reload_conf(conf_name)
stanza_obj = conf_manager.get_conf(conf_name, stanza)
config = {
"username": "",
"password": "",
"proxy_url": "",
"proxy_port": "",
"proxy_username": "",
"proxy_password": "",
}
if stanza_obj["proxy_enabled"] == '1':
config["proxy_url"] = stanza_obj["proxy_url"]
config["proxy_port"] = int(stanza_obj["proxy_port"])
is_encrypted = all(
stanza_obj.get(k, None) == "******"
for k in ("proxy_username", "proxy_password"))
if is_encrypted:
logger.info("Decrypting")
cred_mgr = cred.CredentialManager(session_key=session_key,
app=app_name,
splunkd_uri=splunkd_uri)
user_creds = cred_mgr.get_clear_password("symantec_ep_proxy")
proxy_username = user_creds["symantec_ep_proxy"][
"proxy_username"]
proxy_password = user_creds["symantec_ep_proxy"][
"proxy_password"]
config["proxy_username"] = proxy_username
config["proxy_password"] = proxy_password
else:
if stanza_obj["proxy_username"] is not None and stanza_obj[
"proxy_password"] is not None:
logger.info("Encrypting")
config["proxy_username"] = stanza_obj["proxy_username"]
config["proxy_password"] = stanza_obj["proxy_password"]
cred_mgr = cred.CredentialManager(session_key=session_key,
app=app_name,
splunkd_uri=splunkd_uri)
try:
new_stanza = {}
proxy = {
'proxy_username': config["proxy_username"],
'proxy_password': config["proxy_password"]
}
new_stanza['symantec_ep_proxy'] = proxy
result = cred_mgr.update(new_stanza)
logger.info("Update result:" + str(result))
proxy_stanza = config.copy()
proxy_stanza['proxy_username'] = encrypted
proxy_stanza['proxy_password'] = encrypted
success = conf_manager.update_stanza(
'symantec_ep', 'symantec_ep_proxy', proxy_stanza)
if not success:
logger.error(
"ERROR in writing symantec_ep conf file.")
except Exception:
logger.error("ERROR in updating cred stanza")
logger.error(traceback.format_exc())
try:
try:
http = rest.build_http_connection(config, timeout=60)
except Exception:
logger.error("ERROR in building connection")
return
if http is not None:
url_list = construct_url(base_url)
item_list = extract_xml(http, url_list)
file_name = os.path.join(os.environ['SPLUNK_HOME'], 'etc',
'apps', app_name, 'lookups',
'symantec_ep_malware_categories.csv')
save_lookup_file(file_name, item_list)
logger.info("Start the SPL")
request_url = splunkd_uri + "services/search/jobs/export"
logger.info("Start the SPL")
args = {
"search":
"|inputlookup symantec_ep_malware_category_lookup|outputlookup symantec_ep_malware_category_lookup",
"output_mode": "raw"
}
response, _ = rest.splunkd_request(splunkd_uri=request_url,
data=args,
session_key=session_key,
method='POST')
if response.status not in (200, 201):
logger.error("The SPL is not executed corretcly.")
else:
logger.info("The SPL is executed correctly.")
else:
logger.error("Failed to create http object.")
except Exception:
logger.error("ERROR in updating malware category lookup table.")
else:
logger.info(
"This is not the cluster captain. Do not run the malare_category_update."
)
