def merge_signatures():
"""Merge a signature into another
From Data: merge_from_id (int), merge_to_id (int)
Return: merged yara_rule artifact dictionary"""
merge_from_id = request.json.get("merge_from_id", None)
merge_to_id = request.json.get("merge_to_id", None)
if not merge_from_id or not merge_to_id:
abort(412, description="Not enough info provided")
merge_from_yr = yara_rule.Yara_rule.query.filter_by(
id=merge_from_id).first()
merge_to_yr = yara_rule.Yara_rule.query.filter_by(id=merge_to_id).first()
merged_state = "Merged"
if not cfg_states.Cfg_states.query.filter_by(state=merged_state).first():
db.session.add(cfg_states.Cfg_states(state=merged_state))
db.session.commit()
merge_from_yr.state = merged_state
db.session.add(merge_from_yr)
merged_into_comment = "This yara rule was merged into signature '%s' with event id '%s' by '%s'" % (
merge_to_yr.name, merge_to_yr.eventid, current_user.email)
db.session.add(
comments.Comments(comment=merged_into_comment,
entity_type=ENTITY_MAPPING["SIGNATURE"],
entity_id=merge_from_yr.id,
user_id=current_user.id))
merged_from_comment = "The yara rule '%s' with event id '%s' was merged into this yara rule by '%s'" % (
merge_from_yr.name, merge_from_yr.eventid, current_user.email)
db.session.add(
comments.Comments(comment=merged_from_comment,
entity_type=ENTITY_MAPPING["SIGNATURE"],
entity_id=merge_to_yr.id,
user_id=current_user.id))
db.session.commit()
delete_bookmarks(ENTITY_MAPPING["SIGNATURE"], merge_from_id,
current_user.id)
return get_yara_rule(merge_to_yr.id)
def update_cfg_states(id):
"""Update config state associated with the given id
From Data: state (str), is_release_state (bool)
Return: config setting dictionary"""
entity = cfg_states.Cfg_states.query.get(id)
if not entity:
abort(404)
entity = cfg_states.Cfg_states(
state=request.json['state'],
id=id,
is_release_state=0
if not request.json.get("is_release_state", None) else 1,
is_staging_state=0
if not request.json.get("is_staging_state", None) else 1,
is_retired_state=0
if not request.json.get("is_retired_state", None) else 1)
if (entity.is_staging_state + entity.is_retired_state +
entity.is_release_state) > 1:
raise Exception(
"You cannot have a single state as draft, release, or retired state."
)
if entity.is_release_state:
cfg_states.Cfg_states.query.filter(
cfg_states.Cfg_states.is_release_state > 0).update(
{cfg_states.Cfg_states.is_release_state: 0})
elif entity.is_retired_state:
cfg_states.Cfg_states.query.filter(
cfg_states.Cfg_states.is_retired_state > 0).update(
{cfg_states.Cfg_states.is_retired_state: 0})
elif entity.is_staging_state:
cfg_states.Cfg_states.query.filter(
cfg_states.Cfg_states.is_staging_state > 0).update(
{cfg_states.Cfg_states.is_staging_state: 0})
db.session.merge(entity)
db.session.commit()
return jsonify(entity.to_dict()), 200
def create_cfg_states():
"""Create config state
From Data: state (str), is_release_state (bool)
Return: config state dictionary
"""
entity = cfg_states.Cfg_states(
state=request.json['state'],
is_release_state=0
if not request.json.get("is_release_state", None) else 1,
is_staging_state=0
if not request.json.get("is_staging_state", None) else 1,
is_retired_state=0
if not request.json.get("is_retired_state", None) else 1)
if (entity.is_staging_state + entity.is_retired_state +
entity.is_release_state) > 1:
raise Exception(
"You cannot have a single state as draft, release, or retired state."
)
if entity.is_release_state:
cfg_states.Cfg_states.query.filter(
cfg_states.Cfg_states.is_release_state > 0).update(
{cfg_states.Cfg_states.is_release_state: 0})
elif entity.is_retired_state:
cfg_states.Cfg_states.query.filter(
cfg_states.Cfg_states.is_retired_state > 0).update(
{cfg_states.Cfg_states.is_retired_state: 0})
elif entity.is_staging_state:
cfg_states.Cfg_states.query.filter(
cfg_states.Cfg_states.is_staging_state > 0).update(
{cfg_states.Cfg_states.is_staging_state: 0})
db.session.add(entity)
db.session.commit()
return jsonify(entity.to_dict()), 201
def save_artifacts(extract_ip,
extract_dns,
extract_signature,
artifacts,
shared_reference=None,
shared_state=None,
shared_owner=None,
metadata_field_mapping={}):
default_state = "Imported"
return_artifacts = []
duplicate_artifacts = []
fields_to_add = {}
if not cfg_states.Cfg_states.query.filter_by(state=default_state).first():
db.session.add(cfg_states.Cfg_states(state=default_state))
db.session.commit()
for artifact in artifacts:
try:
if artifact["type"].lower() == "ip" and extract_ip:
old_ip = c2ip.C2ip.query.filter(
c2ip.C2ip.ip == artifact["artifact"]).first()
if old_ip:
message = "System comment: duplicate IP '%s' found at '%s' by '%s'" % (
artifact["artifact"], shared_reference
if shared_reference else "no reference provided",
current_user.email)
db.session.add(
comments.Comments(comment=message,
entity_type=ENTITY_MAPPING["IP"],
entity_id=old_ip.id,
user_id=current_user.id))
duplicate_artifacts.append(artifact)
else:
ip = c2ip.C2ip.get_c2ip_from_ip(artifact["artifact"])
ip.created_user_id, ip.modified_user_id = current_user.id, current_user.id
ip.state = default_state if not shared_state else shared_state
if shared_reference:
ip.reference_link = shared_reference
if shared_owner:
ip.owner_user_id = shared_owner
db.session.add(ip)
return_artifacts.append(ip)
elif artifact["type"].lower() == "dns" and extract_dns:
old_dns = c2dns.C2dns.query.filter(
c2dns.C2dns.domain_name == artifact["artifact"]).first()
if old_dns:
message = "System comment: duplicate DNS '%s' found at '%s' by '%s'" % (
artifact["artifact"], shared_reference
if shared_reference else "no reference provided",
current_user.email)
db.session.add(
comments.Comments(comment=message,
entity_type=ENTITY_MAPPING["DNS"],
entity_id=old_dns.id,
user_id=current_user.id))
duplicate_artifacts.append(artifact)
else:
dns = c2dns.C2dns.get_c2dns_from_hostname(
artifact["artifact"])
dns.created_user_id, dns.modified_user_id = current_user.id, current_user.id
dns.state = default_state if not shared_state else shared_state
if shared_reference:
dns.reference_link = shared_reference
if shared_state:
dns.state = shared_state
if shared_owner:
dns.owner_user_id = shared_owner
db.session.add(dns)
return_artifacts.append(dns)
elif artifact["type"].lower() == "yara_rule" and extract_signature:
yr, fta = yara_rule.Yara_rule.get_yara_rule_from_yara_dict(
artifact, metadata_field_mapping)
yr.created_user_id, yr.modified_user_id = current_user.id, current_user.id
yr.state = default_state if not shared_state else shared_state
if shared_reference:
yr.reference_link = shared_reference
if shared_owner:
yr.owner_user_id = shared_owner
db.session.add(yr)
return_artifacts.append(yr)
fields_to_add[yr] = fta
except Exception, e:
app.logger.exception(e)
app.logger.error("Failed to commit artifacts '%s'" % (artifact))
def save_artifacts(extract_ip,
extract_dns,
extract_signature,
artifacts,
shared_reference=None,
shared_description=None,
shared_state=None,
shared_owner=None,
metadata_field_mapping={}):
default_state = "Imported"
return_artifacts = []
duplicate_artifacts = []
fields_to_add = {}
metadata_to_save_ip = []
metadata_to_save_dns = []
error_artifacts = []
domain_names = {
domain_name.domain_name.lower(): domain_name
for domain_name in c2dns.C2dns.query.all()
}
ip_addresses = {
ipaddress.ip: ipaddress
for ipaddress in c2ip.C2ip.query.all()
}
yara_rules = {
yr.name: yr
for yr in db.session.query(yara_rule.Yara_rule).all()
}
unique_rule_name_enforcement = cfg_settings.Cfg_settings.get_setting(
"ENFORCE_UNIQUE_YARA_RULE_NAMES")
if not cfg_states.Cfg_states.query.filter_by(state=default_state).first():
db.session.add(cfg_states.Cfg_states(state=default_state))
db.session.commit()
for artifact in artifacts:
try:
if artifact["type"].lower() == "ip" and extract_ip:
# old_ip = c2ip.C2ip.query.filter(c2ip.C2ip.ip == artifact["artifact"]).first()
old_ip = ip_addresses.get(artifact["artifact"], None)
if old_ip:
message = "System comment: duplicate IP '%s' found at '%s' by '%s'" % (
artifact["artifact"], shared_reference
if shared_reference else "no reference provided",
current_user.email)
db.session.add(
comments.Comments(comment=message,
entity_type=ENTITY_MAPPING["IP"],
entity_id=old_ip.id,
user_id=current_user.id))
duplicate_artifacts.append(artifact)
continue
else:
ip = c2ip.C2ip.get_c2ip_from_ip(artifact,
metadata_field_mapping)
ip.created_user_id, ip.modified_user_id = current_user.id, current_user.id
ip.state = default_state if not shared_state else shared_state
if shared_reference:
ip.references = shared_reference
if shared_description:
ip.description = shared_description
if shared_owner:
ip.owner_user_id = shared_owner
if artifact.get("metadata"):
metadata_to_save_ip.append((ip, artifact["metadata"]))
db.session.add(ip)
return_artifacts.append(ip)
elif artifact["type"].lower() in ["dns", "domain_name"
] and extract_dns:
# old_dns = c2dns.C2dns.query.filter(c2dns.C2dns.domain_name == artifact["artifact"]).first()
old_dns = domain_names.get(artifact["artifact"].lower(), None)
if old_dns:
message = "System comment: duplicate DNS '%s' found at '%s' by '%s'" % (
artifact["artifact"], shared_reference
if shared_reference else "no reference provided",
current_user.email)
db.session.add(
comments.Comments(comment=message,
entity_type=ENTITY_MAPPING["DNS"],
entity_id=old_dns.id,
user_id=current_user.id))
duplicate_artifacts.append(artifact)
continue
else:
dns = c2dns.C2dns.get_c2dns_from_hostname(
artifact, metadata_field_mapping)
dns.created_user_id, dns.modified_user_id = current_user.id, current_user.id
dns.state = default_state if not shared_state else shared_state
if shared_reference:
dns.references = shared_reference
if shared_description:
dns.description = shared_description
if shared_state:
dns.state = shared_state
if shared_owner:
dns.owner_user_id = shared_owner
if artifact.get("metadata", None):
metadata_to_save_dns.append(
(dns, artifact["metadata"]))
db.session.add(dns)
return_artifacts.append(dns)
elif artifact["type"].lower() == "yara_rule" and extract_signature:
yr = yara_rules.get(artifact["rule"]["rule_name"], None)
if unique_rule_name_enforcement and yr:
duplicate_artifacts.append(artifact)
continue
yr, fta = yara_rule.Yara_rule.get_yara_rule_from_yara_dict(
artifact, metadata_field_mapping)
yr.created_user_id, yr.modified_user_id = current_user.id, current_user.id
yr.state = default_state if not shared_state else shared_state
if shared_reference:
yr.references = shared_reference
if shared_description:
yr.description = shared_description
if shared_owner:
yr.owner_user_id = shared_owner
db.session.add(yr)
return_artifacts.append(yr)
fields_to_add[yr] = fta
except Exception as e:
app.logger.exception(e)
if type(e) == UnicodeEncodeError:
error_artifacts.append(
(artifact, "Unicode error: %s" % e.reason))
else:
error_artifacts.append((artifact, e.message))
app.logger.error("Failed to commit artifacts '%s'" % artifact)
db.session.commit()
if fields_to_add:
for yr, fields in fields_to_add.iteritems():
for field in fields:
field.artifact_id = yr.id
field.created_user_id = current_user.id
db.session.add(field)
db.session.commit()
if metadata_to_save_ip:
metadata_cache = Metadata.get_metadata_cache()
for metadata_to_save in metadata_to_save_ip:
artifact, metadata = metadata_to_save
for m in c2ip.C2ip.get_metadata_to_save(artifact, metadata,
metadata_cache):
db.session.add(m)
db.session.commit()
if metadata_to_save_dns:
metadata_cache = Metadata.get_metadata_cache()
for metadata_to_save in metadata_to_save_dns:
artifact, metadata = metadata_to_save
for m in c2dns.C2dns.get_metadata_to_save(artifact, metadata,
metadata_cache):
db.session.add(m)
db.session.commit()
return {
"committed": [artifact.to_dict() for artifact in return_artifacts],
"duplicates": duplicate_artifacts,
"errors": error_artifacts
}