def set_backdoor_version(id_, version, user, **kwargs):
"""
Set a Backdoor name.
:param id_: Backdoor ObjectId.
:type id_: str
:param version: The new version.
:type version: str
:param user: The user updating the version.
:type user: str
:returns: dict with keys:
"success" (boolean),
"message" (str),
"""
sources = user_sources(user)
backdoor = Backdoor.objects(id=id_, source__name__in=sources).first()
if not backdoor:
return {'success': False, 'message': "Could not find backdoor"}
# Make sure we don't have a backdoor with that name and new version yet.
existing_backdoor = Backdoor.objects(name=backdoor.name,
version=version,
source__name__in=sources).first()
if existing_backdoor:
# Be sure to return the same error message so backdoors can not be
# enumerated via this method.
return {'success': False, 'message': "Could not find backdoor"}
backdoor.version = version.strip()
backdoor.save(username=user)
return {'success': True}
def get_sample_rels(rel, eid, sources):
s_list = []
for r in rel:
if r.rel_type == 'Sample':
s = class_from_id(r.rel_type, r.object_id)
if not s:
continue
if not source_match(s.source, sources):
continue
obj_list = get_md5_objects(r.object_id, sources)
# Walk the relationships on this sample, see if it is related to
# a backdoor. Take the first backdoor that comes up, it may or
# may not be the versioned one.
backdoor_name = "None"
for sample_r in s.relationships:
if sample_r.rel_type == 'Backdoor':
backdoor = Backdoor.objects(id=sample_r.object_id).first()
if backdoor and source_match(backdoor.source, sources):
backdoor_name = backdoor.name
break
s_list.append({
'md5': s.md5,
'email_id': eid,
'mimetype': s.mimetype,
'filename': s.filename,
'backdoor': backdoor_name,
'objects': obj_list,
})
return s_list
def get_sample_rels(rel, eid, sources):
s_list = []
for r in rel:
if r.rel_type == 'Sample':
s = class_from_id(r.rel_type, r.object_id)
if not s:
continue
if not source_match(s.source, sources):
continue
obj_list = get_md5_objects(r.object_id, sources)
# Walk the relationships on this sample, see if it is related to
# a backdoor. Take the first backdoor that comes up, it may or
# may not be the versioned one.
backdoor_name = "None"
for sample_r in s.relationships:
if sample_r.rel_type == 'Backdoor':
backdoor = Backdoor.objects(id=sample_r.object_id).first()
if backdoor and source_match(backdoor.source, sources):
backdoor_name = backdoor.name
break
s_list.append({
'md5': s.md5,
'email_id': eid,
'mimetype': s.mimetype,
'filename': s.filename,
'backdoor': backdoor_name,
'objects': obj_list,
})
return s_list
def get_backdoor_names(user, **kwargs):
"""
Get a list of unique backdoor names.
:param user: The user requesting the names.
:returns: list of tuples
"""
sources = user_sources(user)
only = ('name', 'version')
bds = Backdoor.objects(source__name__in=sources).only(*only)
names = []
for b in bds:
if (b.name, b.version) not in names:
names.append((b.name, b.version))
return names
def backdoor_remove(id_, username):
"""
Remove a Backdoor from CRITs.
:param id_: The ObjectId of the Backdoor to remove.
:type id_: str
:param username: The user removing this Backdoor.
:type username: str
:returns: dict with keys "success" (boolean) and "message" (str) if failed.
"""
backdoor = Backdoor.objects(id=id_).first()
if backdoor:
backdoor.delete(username=username)
return {'success': True}
else:
return {'success': False, 'message': 'Could not find Backdoor.'}
def backdoor_remove(id_, username):
"""
Remove a Backdoor from CRITs.
:param id_: The ObjectId of the Backdoor to remove.
:type id_: str
:param username: The user removing this Backdoor.
:type username: str
:returns: dict with keys "success" (boolean) and "message" (str) if failed.
"""
backdoor = Backdoor.objects(id=id_).first()
if backdoor:
backdoor.delete(username=username)
return {'success': True}
else:
return {'success': False, 'message': 'Could not find Backdoor.'}
def generate_anb_event_data(type_, cid, data, sources):
types = ['Email', 'Sample', 'Indicator', 'IP', 'Domain', 'Event']
related_objects = collect_objects(
type_,
cid,
1, # Depth limit
250, # Total limit
100, # Rel limit
types,
sources,
need_filedata=False)
for (obj_id, (obj_type, obj)) in related_objects.iteritems():
if obj_type == 'Email':
data['emails'] += "%s,%s,%s,%s,%s,%s,%s\r\n" % (
cid, obj_id, obj.isodate, obj.sender, obj.subject,
obj.x_originating_ip, obj.x_mailer)
elif obj_type == 'Sample':
# Walk the relationships on this sample, see if it is related to
# a backdoor. Take the first backdoor that comes up, it may or
# may not be the versioned one.
backdoor_name = "None"
for rel in obj.relationships:
if rel.rel_type == 'Backdoor':
backdoor = Backdoor.objects(id=rel.object_id).first()
if backdoor and source_match(backdoor.source, sources):
backdoor_name = backdoor.name
break
data['samples'] += "%s,%s,%s,%s,%s,%s\r\n" % (
cid, obj_id, obj.md5, obj.mimetype, obj.filename,
backdoor_name)
for inner_obj in obj.obj:
data['objects'] += "%s,%s,%s\r\n" % (
obj_id, inner_obj.object_type, inner_obj.value)
elif obj_type == 'Indicator':
data['indicators'] += "%s,%s,%s,%s\r\n" % (cid, obj_id,
obj.ind_type, obj.value)
elif obj_type == 'IP':
data['ips'] += "%s,%s,%s,%s\r\n" % (cid, obj_id, obj.ip_type,
obj.ip)
elif obj_type == 'Domain':
data['domains'] += "%s,%s,%s,%s\r\n" % (
cid, obj_id, obj.record_type, obj.domain)
elif obj_type == 'Event':
data['events'] += "%s,%s,%s\r\n" % (cid, obj_id, obj.title)
return data
def update_backdoor_aliases(id_, aliases, user, **kwargs):
"""
Update aliases for a Backdoor.
:param id_: The ObjectId of the Backdoor to update.
:type id_: str
:param aliases: The aliases we are setting.
:type aliases: list
:param user: The user updating the aliases.
:type user: str
:returns: dict
"""
sources = user_sources(user)
backdoor = Backdoor.objects(id=id_, source__name__in=sources).first()
if not backdoor:
return {'success': False, 'message': 'No backdoor could be found.'}
else:
backdoor.update_aliases(aliases)
backdoor.save(username=user)
return {'success': True}
def update_backdoor_aliases(id_, aliases, user, **kwargs):
"""
Update aliases for a Backdoor.
:param id_: The ObjectId of the Backdoor to update.
:type id_: str
:param aliases: The aliases we are setting.
:type aliases: list
:param user: The user updating the aliases.
:type user: str
:returns: dict
"""
sources = user_sources(user)
backdoor = Backdoor.objects(id=id_, source__name__in=sources).first()
if not backdoor:
return {'success': False,
'message': 'No backdoor could be found.'}
else:
backdoor.update_aliases(aliases)
backdoor.save(username=user)
return {'success': True}
def add_new_backdoor(name, version=None, aliases=None, description=None,
source=None, source_method=None, source_reference=None,
campaign=None, confidence=None, user=None,
bucket_list=None, ticket=None):
"""
Add an Backdoor to CRITs.
:param name: The name of the backdoor.
:type name: str
:param version: Version of the backdoor.
:type version: str
:param aliases: Aliases for the backdoor.
:type aliases: list or str
:param description: Description of the backdoor.
:type description: str
:param source: Name of the source which provided this information.
:type source: str
:param source_method: Method of acquiring this data.
:type source_method: str
:param source_reference: A reference to this data.
:type source_reference: str
:param campaign: A campaign to attribute to this backdoor.
:type campaign: str
:param confidence: Confidence level in the campaign attribution.
:type confidence: str ("low", "medium", "high")
:param user: The user adding this backdoor.
:type user: str
:param bucket_list: Buckets to assign to this backdoor.
:type bucket_list: str
:param ticket: Ticket to assign to this backdoor.
:type ticket: str
:returns: dict with keys:
"success" (boolean),
"message" (str),
"id" (str),
"object" (if successful) :class:`crits.backdoors.backdoor.Backdoor`
"""
retVal = {'success': False, 'message': ''}
if isinstance(source, basestring):
source = [create_embedded_source(source,
reference=source_reference,
method=source_method,
analyst=user)]
elif isinstance(source, EmbeddedSource):
source = [source]
if not source:
retVal['message'] = "Missing source information."
return retVal
# When creating a backdoor object we can potentially create multiple
# objects. If we are given a name but no version we will create an object
# with just the name (called the "family backdoor"). If given a name and a
# version we will create the family backdoor and the specific backdoor for
# that given version.
# In case we create more than one backdoor object, store the created ones
# in this list. The list is walked later on and attributes applied to each
# object.
objs = []
# First check if we have the family (name and no version).
family = Backdoor.objects(name=name, version='').first()
if not family:
# Family does not exist, new object. Details are handled later.
family = Backdoor()
family.name = name
family.version = ''
objs.append(family)
# Now check if we have the specific instance for this name + version.
backdoor = None
if version:
backdoor = Backdoor.objects(name=name, version=version).first()
if not backdoor:
# Backdoor does not exist, new object. Details are handled later.
backdoor = Backdoor()
backdoor.name = name
backdoor.version = version
objs.append(backdoor)
# At this point we have a family object and potentially a specific object.
# Add the common parameters to all objects in the list and save them.
for backdoor in objs:
for s in source:
backdoor.add_source(s)
# Don't overwrite existing description.
if description and backdoor.description == '':
backdoor.description = description.strip()
if isinstance(campaign, basestring):
c = EmbeddedCampaign(name=campaign,
confidence=confidence,
analyst=user)
campaign = [c]
if campaign:
for camp in campaign:
backdoor.add_campaign(camp)
if aliases:
if isinstance(aliases, basestring):
aliases = aliases.split(',')
for alias in aliases:
alias = alias.strip()
if alias not in backdoor.aliases:
backdoor.aliases.append(alias)
if bucket_list:
backdoor.add_bucket_list(bucket_list, user)
if ticket:
backdoor.add_ticket(ticket, user)
backdoor.save(username=user)
# run backdoor triage
backdoor.reload()
run_triage(backdoor, user)
# Because family objects are put in the list first we will always
# return a link to the most specific object created. If there is only
# one item in the list it will be the family object.
resp_url = reverse('crits.backdoors.views.backdoor_detail',
args=[backdoor.id])
retVal['message'] = 'Success: <a href="%s">%s</a>' % (resp_url,
backdoor.name)
retVal['object'] = backdoor
retVal['id'] = str(backdoor.id)
# If we have a family and specific object, attempt to relate the two.
if len(objs) == 2:
objs[0].add_relationship(objs[1], RelationshipTypes.RELATED_TO)
objs[0].save()
retVal['success'] = True
return retVal
def get_backdoor_details(id_, user):
"""
Generate the data to render the Backdoor details template.
:param id_: The Backdoor ObjectId to get details for.
:type id_: str
:param user: The user requesting this information.
:type user: str
:returns: template (str), arguments (dict)
"""
allowed_sources = user_sources(user)
backdoor = Backdoor.objects(id=id_, source__name__in=allowed_sources).first()
template = None
args = {}
if not backdoor:
template = "error.html"
error = ('Either no data exists for this Backdoor or you do not have'
' permission to view it.')
args = {'error': error}
else:
backdoor.sanitize("%s" % user)
# remove pending notifications for user
remove_user_from_notification("%s" % user, backdoor.id, 'Backdoor')
# subscription
subscription = {
'type': 'Backdoor',
'id': backdoor.id,
'subscribed': is_user_subscribed("%s" % user,
'Backdoor',
backdoor.id),
}
#objects
objects = backdoor.sort_objects()
#relationships
relationships = backdoor.sort_relationships("%s" % user, meta=True)
# relationship
relationship = {
'type': 'Backdoor',
'value': backdoor.id
}
#comments
comments = {'comments': backdoor.get_comments(),
'url_key': backdoor.id}
#screenshots
screenshots = backdoor.get_screenshots(user)
# favorites
favorite = is_user_favorite("%s" % user, 'Backdoor', backdoor.id)
# services
service_list = get_supported_services('Backdoor')
# analysis results
service_results = backdoor.get_analysis_results()
args = {'objects': objects,
'relationships': relationships,
'relationship': relationship,
'subscription': subscription,
'favorite': favorite,
'service_list': service_list,
'service_results': service_results,
'screenshots': screenshots,
'backdoor': backdoor,
'backdoor_id': id_,
'comments': comments}
return template, args
def class_from_id(type_, _id):
"""
Return an instantiated class object.
:param type_: The CRITs top-level object type.
:type type_: str
:param _id: The ObjectId to search for.
:type _id: str
:returns: class which inherits from
:class:`crits.core.crits_mongoengine.CritsBaseAttributes`
"""
# doing this to avoid circular imports
from crits.actors.actor import ActorThreatIdentifier, Actor
from crits.backdoors.backdoor import Backdoor
from crits.campaigns.campaign import Campaign
from crits.certificates.certificate import Certificate
from crits.comments.comment import Comment
from crits.core.crits_mongoengine import Action
from crits.core.source_access import SourceAccess
from crits.core.user_role import UserRole
from crits.domains.domain import Domain
from crits.emails.email import Email
from crits.events.event import Event
from crits.exploits.exploit import Exploit
from crits.indicators.indicator import Indicator
from crits.ips.ip import IP
from crits.pcaps.pcap import PCAP
from crits.raw_data.raw_data import RawData, RawDataType
from crits.samples.sample import Sample
from crits.screenshots.screenshot import Screenshot
from crits.signatures.signature import Signature, SignatureType, SignatureDependency
from crits.targets.target import Target
if not _id:
return None
# make sure it's a string
_id = str(_id)
# Use bson.ObjectId to make sure this is a valid ObjectId, otherwise
# the queries below will raise a ValidationError exception.
if not ObjectId.is_valid(_id.decode('utf8')):
return None
if type_ == 'Actor':
return Actor.objects(id=_id).first()
elif type_ == 'Backdoor':
return Backdoor.objects(id=_id).first()
elif type_ == 'ActorThreatIdentifier':
return ActorThreatIdentifier.objects(id=_id).first()
elif type_ == 'Campaign':
return Campaign.objects(id=_id).first()
elif type_ == 'Certificate':
return Certificate.objects(id=_id).first()
elif type_ == 'Comment':
return Comment.objects(id=_id).first()
elif type_ == 'Domain':
return Domain.objects(id=_id).first()
elif type_ == 'Email':
return Email.objects(id=_id).first()
elif type_ == 'Event':
return Event.objects(id=_id).first()
elif type_ == 'Exploit':
return Exploit.objects(id=_id).first()
elif type_ == 'Indicator':
return Indicator.objects(id=_id).first()
elif type_ == 'Action':
return Action.objects(id=_id).first()
elif type_ == 'IP':
return IP.objects(id=_id).first()
elif type_ == 'PCAP':
return PCAP.objects(id=_id).first()
elif type_ == 'RawData':
return RawData.objects(id=_id).first()
elif type_ == 'RawDataType':
return RawDataType.objects(id=_id).first()
elif type_ == 'Sample':
return Sample.objects(id=_id).first()
elif type_ == 'Signature':
return Signature.objects(id=_id).first()
elif type_ == 'SignatureType':
return SignatureType.objects(id=_id).first()
elif type_ == 'SignatureDependency':
return SignatureDependency.objects(id=_id).first()
elif type_ == 'SourceAccess':
return SourceAccess.objects(id=_id).first()
elif type_ == 'Screenshot':
return Screenshot.objects(id=_id).first()
elif type_ == 'Target':
return Target.objects(id=_id).first()
elif type_ == 'UserRole':
return UserRole.objects(id=_id).first()
else:
return None
def class_from_id(type_, _id):
"""
Return an instantiated class object.
:param type_: The CRITs top-level object type.
:type type_: str
:param _id: The ObjectId to search for.
:type _id: str
:returns: class which inherits from
:class:`crits.core.crits_mongoengine.CritsBaseAttributes`
"""
# doing this to avoid circular imports
from crits.actors.actor import ActorThreatIdentifier, Actor
from crits.backdoors.backdoor import Backdoor
from crits.campaigns.campaign import Campaign
from crits.certificates.certificate import Certificate
from crits.comments.comment import Comment
from crits.core.source_access import SourceAccess
from crits.core.user_role import UserRole
from crits.domains.domain import Domain
from crits.emails.email import Email
from crits.events.event import Event
from crits.exploits.exploit import Exploit
from crits.indicators.indicator import Indicator, IndicatorAction
from crits.ips.ip import IP
from crits.pcaps.pcap import PCAP
from crits.raw_data.raw_data import RawData, RawDataType
from crits.samples.sample import Sample
from crits.screenshots.screenshot import Screenshot
from crits.targets.target import Target
if not _id:
return None
# make sure it's a string
_id = str(_id)
# Use bson.ObjectId to make sure this is a valid ObjectId, otherwise
# the queries below will raise a ValidationError exception.
if not ObjectId.is_valid(_id.decode('utf8')):
return None
if type_ == 'Actor':
return Actor.objects(id=_id).first()
elif type_ == 'Backdoor':
return Backdoor.objects(id=_id).first()
elif type_ == 'ActorThreatIdentifier':
return ActorThreatIdentifier.objects(id=_id).first()
elif type_ == 'Campaign':
return Campaign.objects(id=_id).first()
elif type_ == 'Certificate':
return Certificate.objects(id=_id).first()
elif type_ == 'Comment':
return Comment.objects(id=_id).first()
elif type_ == 'Domain':
return Domain.objects(id=_id).first()
elif type_ == 'Email':
return Email.objects(id=_id).first()
elif type_ == 'Event':
return Event.objects(id=_id).first()
elif type_ == 'Exploit':
return Exploit.objects(id=_id).first()
elif type_ == 'Indicator':
return Indicator.objects(id=_id).first()
elif type_ == 'IndicatorAction':
return IndicatorAction.objects(id=_id).first()
elif type_ == 'IP':
return IP.objects(id=_id).first()
elif type_ == 'PCAP':
return PCAP.objects(id=_id).first()
elif type_ == 'RawData':
return RawData.objects(id=_id).first()
elif type_ == 'RawDataType':
return RawDataType.objects(id=_id).first()
elif type_ == 'Sample':
return Sample.objects(id=_id).first()
elif type_ == 'SourceAccess':
return SourceAccess.objects(id=_id).first()
elif type_ == 'Screenshot':
return Screenshot.objects(id=_id).first()
elif type_ == 'Target':
return Target.objects(id=_id).first()
elif type_ == 'UserRole':
return UserRole.objects(id=_id).first()
else:
return None
def class_from_value(type_, value):
"""
Return an instantiated class object.
:param type_: The CRITs top-level object type.
:type type_: str
:param value: The value to search for.
:type value: str
:returns: class which inherits from
:class:`crits.core.crits_mongoengine.CritsBaseAttributes`
"""
# doing this to avoid circular imports
from crits.actors.actor import ActorThreatIdentifier, Actor
from crits.backdoors.backdoor import Backdoor
from crits.campaigns.campaign import Campaign
from crits.certificates.certificate import Certificate
from crits.comments.comment import Comment
from crits.domains.domain import Domain
from crits.emails.email import Email
from crits.events.event import Event
from crits.exploits.exploit import Exploit
from crits.indicators.indicator import Indicator
from crits.ips.ip import IP
from crits.pcaps.pcap import PCAP
from crits.raw_data.raw_data import RawData
from crits.samples.sample import Sample
from crits.screenshots.screenshot import Screenshot
from crits.targets.target import Target
# Make sure value is a string...
value = str(value)
# Use bson.ObjectId to make sure this is a valid ObjectId, otherwise
# the queries below will raise a ValidationError exception.
if (type_ in ['Backdoor', 'Comment', 'Email', 'Event', 'Exploit',
'Indicator', 'Screenshot'] and
not ObjectId.is_valid(value.decode('utf8'))):
return None
if type_ == 'Actor':
return Actor.objects(name=value).first()
if type_ == 'Backdoor':
return Backdoor.objects(id=value).first()
elif type_ == 'ActorThreatIdentifier':
return ActorThreatIdentifier.objects(name=value).first()
elif type_ == 'Campaign':
return Campaign.objects(name=value).first()
elif type_ == 'Certificate':
return Certificate.objects(md5=value).first()
elif type_ == 'Comment':
return Comment.objects(id=value).first()
elif type_ == 'Domain':
return Domain.objects(domain=value).first()
elif type_ == 'Email':
return Email.objects(id=value).first()
elif type_ == 'Event':
return Event.objects(id=value).first()
elif type_ == 'Exploit':
return Exploit.objects(id=value).first()
elif type_ == 'Indicator':
return Indicator.objects(id=value).first()
elif type_ == 'IP':
return IP.objects(ip=value).first()
elif type_ == 'PCAP':
return PCAP.objects(md5=value).first()
elif type_ == 'RawData':
return RawData.objects(md5=value).first()
elif type_ == 'Sample':
return Sample.objects(md5=value).first()
elif type_ == 'Screenshot':
return Screenshot.objects(id=value).first()
elif type_ == 'Target':
target = Target.objects(email_address=value).first()
if target:
return target
else:
return Target.objects(email_address__iexact=value).first()
else:
return None
def generate_anb_event_data(type_, cid, data, sources):
types = ['Email', 'Sample', 'Indicator', 'IP', 'Domain', 'Event']
related_objects = collect_objects(type_,
cid,
1, # Depth limit
250, # Total limit
100, # Rel limit
types,
sources,
need_filedata=False)
for (obj_id, (obj_type, obj)) in related_objects.iteritems():
if obj_type == 'Email':
data['emails'] += "%s,%s,%s,%s,%s,%s,%s\r\n" % (
cid,
obj_id,
obj.isodate,
obj.sender,
obj.subject,
obj.x_originating_ip,
obj.x_mailer)
elif obj_type == 'Sample':
# Walk the relationships on this sample, see if it is related to
# a backdoor. Take the first backdoor that comes up, it may or
# may not be the versioned one.
backdoor_name = "None"
for rel in obj.relationships:
if rel.rel_type == 'Backdoor':
backdoor = Backdoor.objects(id=rel.object_id).first()
if backdoor and source_match(backdoor.source, sources):
backdoor_name = backdoor.name
break
data['samples'] += "%s,%s,%s,%s,%s,%s\r\n" % (
cid,
obj_id,
obj.md5,
obj.mimetype,
obj.filename,
backdoor_name)
for inner_obj in obj.obj:
data['objects'] += "%s,%s,%s\r\n" % (
obj_id,
inner_obj.object_type,
inner_obj.value)
elif obj_type == 'Indicator':
data['indicators'] += "%s,%s,%s,%s\r\n" % (
cid,
obj_id,
obj.ind_type,
obj.value)
elif obj_type == 'IP':
data['ips'] += "%s,%s,%s,%s\r\n" % (
cid,
obj_id,
obj.ip_type,
obj.ip)
elif obj_type == 'Domain':
data['domains'] += "%s,%s,%s,%s\r\n" % (
cid,
obj_id,
obj.record_type,
obj.domain)
elif obj_type == 'Event':
data['events'] += "%s,%s,%s\r\n" % (
cid,
obj_id,
obj.title)
return data
def class_from_value(type_, value):
"""
Return an instantiated class object.
:param type_: The CRITs top-level object type.
:type type_: str
:param value: The value to search for.
:type value: str
:returns: class which inherits from
:class:`crits.core.crits_mongoengine.CritsBaseAttributes`
"""
# doing this to avoid circular imports
from crits.actors.actor import ActorThreatIdentifier, Actor
from crits.backdoors.backdoor import Backdoor
from crits.campaigns.campaign import Campaign
from crits.certificates.certificate import Certificate
from crits.comments.comment import Comment
from crits.domains.domain import Domain
from crits.emails.email import Email
from crits.events.event import Event
from crits.exploits.exploit import Exploit
from crits.indicators.indicator import Indicator
from crits.ips.ip import IP
from crits.pcaps.pcap import PCAP
from crits.raw_data.raw_data import RawData
from crits.samples.sample import Sample
from crits.screenshots.screenshot import Screenshot
from crits.signatures.signature import Signature
from crits.targets.target import Target
# Make sure value is a string...
value = str(value)
# Use bson.ObjectId to make sure this is a valid ObjectId, otherwise
# the queries below will raise a ValidationError exception.
if (type_ in [
'Backdoor', 'Comment', 'Event', 'Exploit', 'Indicator',
'Screenshot'
] and not ObjectId.is_valid(value.decode('utf8'))):
return None
if type_ == 'Actor':
return Actor.objects(name=value).first()
if type_ == 'Backdoor':
return Backdoor.objects(id=value).first()
elif type_ == 'ActorThreatIdentifier':
return ActorThreatIdentifier.objects(name=value).first()
elif type_ == 'Campaign':
return Campaign.objects(name=value).first()
elif type_ == 'Certificate':
return Certificate.objects(md5=value).first()
elif type_ == 'Comment':
return Comment.objects(id=value).first()
elif type_ == 'Domain':
return Domain.objects(domain=value).first()
elif type_ == 'Email':
return Email.objects(message_id=value).first()
elif type_ == 'Event':
return Event.objects(id=value).first()
elif type_ == 'Exploit':
return Exploit.objects(id=value).first()
elif type_ == 'Indicator':
return Indicator.objects(id=value).first()
elif type_ == 'IP':
return IP.objects(ip=value).first()
elif type_ == 'PCAP':
return PCAP.objects(md5=value).first()
elif type_ == 'RawData':
return RawData.objects(md5=value).first()
elif type_ == 'Sample':
return Sample.objects(md5=value).first()
elif type_ == 'Screenshot':
return Screenshot.objects(id=value).first()
elif type_ == 'Signature':
return Signature.objects(md5=value).first()
elif type_ == 'Target':
target = Target.objects(email_address=value).first()
if target:
return target
else:
return Target.objects(email_address__iexact=value).first()
else:
return None
def class_from_id(type_, _id):
"""
Return an instantiated class object.
:param type_: The CRITs top-level object type.
:type type_: str
:param _id: The ObjectId to search for.
:type _id: str
:returns: class which inherits from
:class:`crits.core.crits_mongoengine.CritsBaseAttributes`
"""
# Quick fail
if not _id or not type_:
return None
# doing this to avoid circular imports
from crits.actors.actor import ActorThreatIdentifier, Actor
from crits.backdoors.backdoor import Backdoor
from crits.campaigns.campaign import Campaign
from crits.certificates.certificate import Certificate
from crits.comments.comment import Comment
from crits.core.crits_mongoengine import Action
from crits.core.source_access import SourceAccess
from crits.core.user_role import UserRole
from crits.domains.domain import Domain
from crits.emails.email import Email
from crits.events.event import Event
from crits.exploits.exploit import Exploit
from crits.indicators.indicator import Indicator
from crits.ips.ip import IP
from crits.pcaps.pcap import PCAP
from crits.raw_data.raw_data import RawData, RawDataType
from crits.samples.sample import Sample
from crits.screenshots.screenshot import Screenshot
from crits.signatures.signature import Signature, SignatureType, SignatureDependency
from crits.targets.target import Target
# make sure it's a string
_id = str(_id)
# Use bson.ObjectId to make sure this is a valid ObjectId, otherwise
# the queries below will raise a ValidationError exception.
if not ObjectId.is_valid(_id.decode("utf8")):
return None
if type_ == "Actor":
return Actor.objects(id=_id).first()
elif type_ == "Backdoor":
return Backdoor.objects(id=_id).first()
elif type_ == "ActorThreatIdentifier":
return ActorThreatIdentifier.objects(id=_id).first()
elif type_ == "Campaign":
return Campaign.objects(id=_id).first()
elif type_ == "Certificate":
return Certificate.objects(id=_id).first()
elif type_ == "Comment":
return Comment.objects(id=_id).first()
elif type_ == "Domain":
return Domain.objects(id=_id).first()
elif type_ == "Email":
return Email.objects(id=_id).first()
elif type_ == "Event":
return Event.objects(id=_id).first()
elif type_ == "Exploit":
return Exploit.objects(id=_id).first()
elif type_ == "Indicator":
return Indicator.objects(id=_id).first()
elif type_ == "Action":
return Action.objects(id=_id).first()
elif type_ == "IP":
return IP.objects(id=_id).first()
elif type_ == "PCAP":
return PCAP.objects(id=_id).first()
elif type_ == "RawData":
return RawData.objects(id=_id).first()
elif type_ == "RawDataType":
return RawDataType.objects(id=_id).first()
elif type_ == "Sample":
return Sample.objects(id=_id).first()
elif type_ == "Signature":
return Signature.objects(id=_id).first()
elif type_ == "SignatureType":
return SignatureType.objects(id=_id).first()
elif type_ == "SignatureDependency":
return SignatureDependency.objects(id=_id).first()
elif type_ == "SourceAccess":
return SourceAccess.objects(id=_id).first()
elif type_ == "Screenshot":
return Screenshot.objects(id=_id).first()
elif type_ == "Target":
return Target.objects(id=_id).first()
elif type_ == "UserRole":
return UserRole.objects(id=_id).first()
else:
return None
