Example #1
    def __init__(self, username, *args, **kwargs):
        """
        Build the add-domain form for the given user.

        :param username: Used to scope get_source_names() and to look up the
                         user's organization.

        ``domain_source`` and ``ip_source`` share one choice list built from
        get_source_names(True, True, username) and both default to the user's
        organization.  ``campaign`` gets a blank leading option and
        ``confidence`` a fixed blank/low/medium/high list.  Bucket-list and
        ticket fields are appended by the shared helpers.
        """
        super(AddDomainForm, self).__init__(*args, **kwargs)
        fields = self.fields
        org = get_user_organization(username)

        # A single list object is assigned to both source fields, exactly as
        # the chained assignment in the original did.
        source_choices = [(src.name, src.name)
                          for src in get_source_names(True, True, username)]
        for key in ('domain_source', 'ip_source'):
            fields[key].choices = source_choices
            fields[key].initial = org

        fields['campaign'].choices = [('', '')] + [
            (camp.name, camp.name) for camp in get_item_names(Campaign, True)]
        fields['confidence'].choices = [
            (level, level) for level in ('', 'low', 'medium', 'high')]

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)
Example #2
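    def __init__(self, username, *args, **kwargs):
        """
        Build the file-upload form for the given user.

        :param username: Used to scope get_source_names() and
                         get_backdoor_names() and to look up the organization.

        Fills ``source`` (defaulting to the user's organization), ``campaign``,
        ``confidence``, ``relationship_type`` and ``backdoor``.  Backdoor
        option values are encoded as ``name|||version``; the version is shown
        in the label only when present.  Bucket-list and ticket fields are
        appended by the shared helpers.
        """
        super(UploadFileForm, self).__init__(*args, **kwargs)
        fields = self.fields

        fields['source'].choices = [(src.name, src.name)
                                    for src in get_source_names(True, True, username)]
        fields['source'].initial = get_user_organization(username)
        fields['campaign'].choices = [('', '')] + [
            (camp.name, camp.name) for camp in get_item_names(Campaign, True)]
        fields['confidence'].choices = [('', ''),
                                        ('low', 'low'),
                                        ('medium', 'medium'),
                                        ('high', 'high')]

        fields['relationship_type'].choices = relationship_choices
        fields['relationship_type'].initial = RelationshipTypes.RELATED_TO

        # Blank leading option, then one entry per known backdoor.  A missing
        # version (None) is treated as '' so the '|||' join cannot raise
        # TypeError; for a real version the value/label are unchanged.
        backdoors = [('', '')]
        for (name, version) in get_backdoor_names(username):
            version = version or ''
            label = name
            if version:
                label += ' (Version: ' + version + ')'
            backdoors.append((name + '|||' + version, label))
        fields['backdoor'].choices = backdoors

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)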
    def __init__(self, username, *args, **kwargs):
        """
        Build the add-domain form, including the IP sub-form fields.

        :param username: The requesting user; passed through to the parent
                         form, used to scope get_source_names(), and asked
                         via has_access_to() whether campaigns may be listed.

        ``ip_source`` is limited to the sources returned by
        get_source_names(True, True, username) and defaults to the user's
        organization; ``ip_tlp`` defaults to the most restrictive marking
        ('red').  Campaign names are only exposed when the user holds
        Common.CAMPAIGN_READ.  Bucket-list and ticket fields come from the
        shared helpers.
        """
        super(AddDomainForm, self).__init__(username, *args, **kwargs)
        fields = self.fields

        fields['ip_source'].choices = [
            (src.name, src.name)
            for src in get_source_names(True, True, username)]
        fields['ip_source'].initial = get_user_organization(username)

        tlp_levels = ('red', 'amber', 'green', 'white')
        fields['ip_tlp'].choices = [(level, level) for level in tlp_levels]
        fields['ip_tlp'].initial = 'red'

        # Access check: campaign names stay hidden from users without read
        # permission on campaigns.
        if username.has_access_to(Common.CAMPAIGN_READ):
            campaigns = get_item_names(Campaign, True)
            fields['campaign'].choices = [('', '')] + [
                (camp.name, camp.name) for camp in campaigns]

        fields['confidence'].choices = [
            (level, level) for level in ('', 'low', 'medium', 'high')]

        fields['ip_type'].choices = ip_choices
        fields['ip_type'].initial = IPTypes.IPV4_ADDRESS

        fields['relationship_type'].choices = relationship_choices
        fields['relationship_type'].initial = RelationshipTypes.RELATED_TO

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)
Example #4
 def __init__(self, username, *args, **kwargs):
     """
     Build the source form for the given user.

     :param username: Used to scope get_source_names() and to look up the
                      user's organization.

     ``name`` offers the sources returned by
     get_source_names(True, True, username) and defaults to the user's
     organization.
     """
     super(SourceForm, self).__init__(*args, **kwargs)
     name_field = self.fields['name']
     sources = get_source_names(True, True, username)
     name_field.choices = [(src.name, src.name) for src in sources]
     name_field.initial = get_user_organization(username)
Example #5
 def __init__(self, username, *args, **kwargs):
     """
     Build the indicator-CSV upload form for the given user.

     :param username: Used to scope get_source_names() and to look up the
                      user's organization.

     ``source`` lists get_source_names(True, True, username) and defaults to
     the user's organization.
     """
     super(UploadIndicatorCSVForm, self).__init__(*args, **kwargs)
     source_field = self.fields['source']
     source_field.choices = [
         (src.name, src.name)
         for src in get_source_names(True, True, username)]
     source_field.initial = get_user_organization(username)
Example #6
    def __init__(self, username, *args, **kwargs):
        """
        Build the PCAP upload form for the given user.

        :param username: Used to scope get_source_names() and to look up the
                         user's organization.

        ``source`` lists get_source_names(True, True, username) and defaults
        to the user's organization; bucket-list and ticket fields are added
        by the shared helpers.
        """
        super(UploadPcapForm, self).__init__(*args, **kwargs)
        source_field = self.fields["source"]
        sources = get_source_names(True, True, username)
        source_field.choices = [(src.name, src.name) for src in sources]
        source_field.initial = get_user_organization(username)

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)
Example #7
    def __init__(self, username, *args, **kwargs):
        """
        Build the add-domain form (with IP fields) for the given user.

        :param username: Used to scope get_source_names() and to look up the
                         user's organization.

        ``domain_source`` and ``ip_source`` share one choice list and both
        default to the user's organization.  ``ip_type`` defaults to the
        IPv4 address type.  Bucket-list and ticket fields come from the
        shared helpers.

        NOTE(review): campaign names are listed without an access check here,
        whereas another AddDomainForm variant in this listing gates them on
        Common.CAMPAIGN_READ -- confirm which behaviour is intended.
        """
        super(AddDomainForm, self).__init__(*args, **kwargs)
        fields = self.fields
        org = get_user_organization(username)

        # Both fields point at the same list object, as in the original
        # chained assignment.
        shared_sources = [(src.name, src.name)
                          for src in get_source_names(True, True, username)]
        for key in ('domain_source', 'ip_source'):
            fields[key].choices = shared_sources
            fields[key].initial = org

        fields['campaign'].choices = [('', '')] + [
            (camp.name, camp.name) for camp in get_item_names(Campaign, True)]
        fields['confidence'].choices = [
            (level, level) for level in ('', 'low', 'medium', 'high')]

        fields['ip_type'].choices = ip_choices
        fields['ip_type'].initial = "Address - ipv4-addr"

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)
Example #8
 def __init__(self, username, *args, **kwargs):
     """
     Build the indicator text-upload form for the given user.

     :param username: Used to scope get_source_names() and to look up the
                      user's organization.

     ``source`` lists get_source_names(True, True, username) and defaults to
     the user's organization; ``data`` is pre-filled with the CSV header row
     the uploader expects.
     """
     super(UploadIndicatorTextForm, self).__init__(*args, **kwargs)
     fields = self.fields
     fields['source'].choices = [
         (src.name, src.name)
         for src in get_source_names(True, True, username)]
     fields['source'].initial = get_user_organization(username)

     header_row = "Indicator, Type, Threat Type, Attack Type, Campaign, Campaign Confidence, Confidence, Impact, Bucket List, Ticket, Action, Status\n"
     fields['data'].initial = header_row
Example #9
    def __init__(self, username, *args, **kwargs):
        """
        Build the standards-upload form for the given user.

        :param username: Used to scope get_source_names() and to look up the
                         user's organization.

        Defaults ``label_suffix`` to ':' unless the caller supplied one, then
        fills ``source`` from get_source_names(True, True, username) with the
        user's organization preselected.
        """
        if 'label_suffix' not in kwargs:
            kwargs['label_suffix'] = ':'
        super(UploadStandardsForm, self).__init__(*args, **kwargs)

        source_field = self.fields['source']
        source_field.choices = [
            (src.name, src.name)
            for src in get_source_names(True, True, username)]
        source_field.initial = get_user_organization(username)
Example #10
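    def process_screenshots(self, screenshots):
        """
        Attach every image in a zip archive to the object under analysis.

        :param screenshots: Raw bytes of a zip archive returned by the sandbox.
        :type screenshots: bytes

        Each archive member is stored through add_screenshot() with the
        current user's organization as source and the object's TLP.  A
        successful upload is reported under "Screenshots" keyed by the image
        MD5; a failed one becomes a warning.  _notify() is called once at the
        end.
        """
        user = self.current_task.user
        org = get_user_organization(user)

        # Close the archive deterministically instead of leaving it to GC.
        with zipfile.ZipFile(io.BytesIO(screenshots)) as archive:
            for name in archive.namelist():
                # Directory entries carry no image data; skip them rather
                # than uploading an empty screenshot.
                if name.endswith('/'):
                    continue

                # NOTE(review): members are read in full with no size cap.
                # The archive comes from an external service, so bounding
                # archive.getinfo(name).file_size before read() may be
                # worth adding.
                screenshot = archive.read(name)

                ret = add_screenshot(description='Screenshot from Joe Sandbox',
                                     tags=[],
                                     source=org,
                                     method=self.name,
                                     reference=self.obj.filename,
                                     tlp=self.obj.tlp,
                                     analyst=str(user),
                                     screenshot=io.BytesIO(screenshot),
                                     screenshot_ids=[],
                                     oid=str(self.obj.id),
                                     otype=self.obj._meta['crits_type'])

                if ret['success']:
                    md5 = hashlib.md5(screenshot).hexdigest()
                    self._add_result("Screenshots", "Screenshot", {'md5': md5})
                else:
                    self._warning(ret["message"])

        self._notify()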
Example #11
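    def process_sandbox_infos(self, incident_report, html_report):
        """
        Record report metadata and attach the HTML report to the object.

        :param incident_report: Parsed XML element of the sandbox incident
                                report (queried with find()/findall()).
        :param html_report: Raw bytes of the HTML report.

        Every ``./errors/error`` text is surfaced through _error().  The
        summary fields are reported under "Joe Sandbox Infos"; when the HTML
        upload via add_object() succeeds the result also carries the MD5 of
        the uploaded bytes, otherwise a warning is emitted.
        """
        for err in incident_report.findall("./errors/error"):
            self._error(err.text)

        def _text(path):
            # A missing element yields None instead of raising AttributeError
            # on ``.text`` so one absent field does not abort the whole report.
            node = incident_report.find(path)
            return node.text if node is not None else None

        info = {
            "Report Id": _text("./id"),
            "Joe Sandbox Version": _text("./version"),
            "Architecture": _text("./arch"),
            "System": _text("./system"),
            "File Type": _text("./filetype"),
        }

        # upload HTML report
        fp = io.BytesIO(html_report)
        fp.name = "report.html"
        user = self.current_task.user
        ret = add_object(self.obj._meta['crits_type'], self.obj.id,
                         object_type=ObjectTypes.FILE_UPLOAD,
                         source=get_user_organization(user),
                         method=self.name,
                         reference=None,
                         file_=fp,
                         tlp=self.obj.tlp,
                         user=str(user))

        if ret['success']:
            info["md5"] = hashlib.md5(html_report).hexdigest()
        else:
            self._warning(ret["message"])

        self._add_result("Joe Sandbox Infos", "Report", info)
        self._notify()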
Example #12
 def __init__(self, username, *args, **kwargs):
     """
     Build the standards-upload form for the given user.

     :param username: Used to scope get_source_names() and to look up the
                      user's organization.

     Defaults ``label_suffix`` to ':' when the caller did not set it, then
     fills ``source`` from get_source_names(True, True, username) with the
     user's organization preselected.
     """
     if 'label_suffix' not in kwargs:
         kwargs['label_suffix'] = ':'
     super(UploadStandardsForm, self).__init__(*args, **kwargs)

     source_field = self.fields['source']
     sources = get_source_names(True, True, username)
     source_field.choices = [(src.name, src.name) for src in sources]
     source_field.initial = get_user_organization(username)
Example #13
 def __init__(self, username, *args, **kwargs):
     """
     Build the indicator text-upload form for the given user.

     :param username: Used to scope get_source_names() and to look up the
                      user's organization.

     ``source`` lists get_source_names(True, True, username) and defaults to
     the user's organization; ``data`` is pre-filled with the expected CSV
     header row.
     """
     super(UploadIndicatorTextForm, self).__init__(*args, **kwargs)
     source_field = self.fields['source']
     sources = get_source_names(True, True, username)
     source_field.choices = [(src.name, src.name) for src in sources]
     source_field.initial = get_user_organization(username)

     header_row = "Indicator, Type, Campaign, Campaign Confidence, Confidence, Impact, Bucket List, Ticket, Action\n"
     self.fields['data'].initial = header_row
Example #14
 def __init__(self, username, *args, **kwargs):
     """
     Build the indicator-CSV upload form for the given user.

     :param username: Used to scope get_source_names() and to look up the
                      user's organization.

     ``source`` lists get_source_names(True, True, username) and defaults to
     the user's organization; ``relationship_type`` uses the module-level
     relationship_choices with RELATED_TO preselected.
     """
     super(UploadIndicatorCSVForm, self).__init__(*args, **kwargs)
     fields = self.fields

     sources = get_source_names(True, True, username)
     fields['source'].choices = [(src.name, src.name) for src in sources]
     fields['source'].initial = get_user_organization(username)

     fields['relationship_type'].choices = relationship_choices
     fields['relationship_type'].initial = RelationshipTypes.RELATED_TO
Example #15
    def __init__(self, username, *args, **kwargs):
        """
        Build the actor-identifier form for the given user.

        :param username: Used to scope get_source_names() and to look up the
                         user's organization.

        ``identifier_type`` lists the ActorThreatIdentifier item names and
        ``source`` the sources from get_source_names(True, True, username),
        defaulting to the user's organization.
        """
        super(AddActorIdentifierForm, self).__init__(*args, **kwargs)
        fields = self.fields

        id_types = get_item_names(ActorThreatIdentifier, True)
        fields['identifier_type'].choices = [(t.name, t.name) for t in id_types]

        sources = get_source_names(True, True, username)
        fields['source'].choices = [(src.name, src.name) for src in sources]
        fields['source'].initial = get_user_organization(username)
Example #16
    def __init__(self, username, *args, **kwargs):
        """
        Build the raw-data upload form for the given user.

        :param username: Used to scope get_source_names() and to look up the
                         user's organization.

        ``source`` lists get_source_names(True, True, username) with the
        user's organization preselected; ``data_type`` lists the RawDataType
        item names.  Bucket-list and ticket fields come from the shared
        helpers.
        """
        super(UploadRawDataFileForm, self).__init__(*args, **kwargs)
        fields = self.fields

        sources = get_source_names(True, True, username)
        fields["source"].choices = [(src.name, src.name) for src in sources]
        fields["source"].initial = get_user_organization(username)

        data_types = get_item_names(RawDataType, True)
        fields["data_type"].choices = [(dt.name, dt.name) for dt in data_types]

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)
Example #17
 def __init__(self, username, *args, **kwargs):
     """
     Build the source-entry form for the given user.

     :param username: Used to scope get_source_names() and to look up the
                      user's organization.

     ``source_name`` lists get_source_names(True, True, username) with the
     user's organization preselected; ``source_tlp`` offers the four TLP
     colours and defaults to the most restrictive one ('red').
     """
     super(SourceInForm, self).__init__(*args, **kwargs)
     fields = self.fields

     sources = get_source_names(True, True, username)
     fields['source_name'].choices = [(src.name, src.name) for src in sources]
     fields['source_name'].initial = get_user_organization(username)

     tlp_levels = ('red', 'amber', 'green', 'white')
     fields['source_tlp'].choices = [(level, level) for level in tlp_levels]
     fields['source_tlp'].initial = 'red'
Example #18
File: forms.py Project: ckane/crits
    def __init__(self, username, *args, **kwargs):
        """
        Build the PCAP upload form for the given user.

        :param username: Used to scope get_source_names() and to look up the
                         user's organization.

        ``source`` lists get_source_names(True, True, username) with the
        user's organization preselected; ``relationship_type`` uses the
        module-level relationship_choices with RELATED_TO preselected.
        Bucket-list and ticket fields come from the shared helpers.
        """
        super(UploadPcapForm, self).__init__(*args, **kwargs)
        fields = self.fields

        sources = get_source_names(True, True, username)
        fields['source'].choices = [(src.name, src.name) for src in sources]
        fields['source'].initial = get_user_organization(username)

        fields['relationship_type'].choices = relationship_choices
        fields['relationship_type'].initial = RelationshipTypes.RELATED_TO

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)
Example #19
File: forms.py Project: ckane/crits
 def __init__(self, username, *args, **kwargs):
     """
     Build the indicator text-upload form for the given user.

     :param username: Used to scope get_source_names() and to look up the
                      user's organization.

     ``source`` lists get_source_names(True, True, username) with the user's
     organization preselected; ``data`` is pre-filled with the expected CSV
     header row; ``relationship_type`` uses relationship_choices with
     RELATED_TO preselected.
     """
     super(UploadIndicatorTextForm, self).__init__(*args, **kwargs)
     fields = self.fields

     sources = get_source_names(True, True, username)
     fields['source'].choices = [(src.name, src.name) for src in sources]
     fields['source'].initial = get_user_organization(username)

     header_row = "Indicator, Type, Threat Type, Attack Type, Description, Campaign, Campaign Confidence, Confidence, Impact, Bucket List, Ticket, Action, Status\n"
     fields['data'].initial = header_row

     fields['relationship_type'].choices = relationship_choices
     fields['relationship_type'].initial = RelationshipTypes.RELATED_TO
Example #20
    def __init__(self, username, *args, **kwargs):
        """
        Build the PCAP upload form for the given user.

        :param username: Used to scope get_source_names() and to look up the
                         user's organization.

        ``source`` lists get_source_names(True, True, username) with the
        user's organization preselected.  Bucket-list and ticket fields come
        from the shared helpers.
        """
        super(UploadPcapForm, self).__init__(*args, **kwargs)
        source_field = self.fields['source']
        source_field.choices = [
            (src.name, src.name)
            for src in get_source_names(True, True, username)]
        source_field.initial = get_user_organization(username)

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)
Example #21
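def comment_add(cleaned_data, obj_type, obj_id, method, subscr, analyst):
    """
    Add a new comment.

    :param cleaned_data: Cleaned data from the Django form submission.
    :type cleaned_data: dict
    :param obj_type: The top-level object type to add the comment to.
    :type obj_type: str
    :param obj_id: The top-level ObjectId to add the comment to.
    :type obj_id: str
    :param method: If this is a reply or not (set method to "reply").
    :type method: str
    :param subscr: The subscription information for the top-level object.
    :type subscr: dict
    :param analyst: The user adding the comment.
    :type analyst: str
    :returns: dict with keys:
              'success' (boolean),
              'message': (str),
              'html' (str) if successful.
    """

    comment = Comment()
    comment.comment = cleaned_data['comment']
    comment.parse_comment()
    comment.set_parent_object(obj_type, obj_id)
    if method == "reply":
        comment.set_parent_comment(cleaned_data['parent_date'],
                                   cleaned_data['parent_analyst'])
    comment.analyst = analyst
    comment.set_url_key(cleaned_data['url_key'])
    # The comment is attributed to the analyst's own organization; comment
    # sources carry no TLP.
    source = create_embedded_source(name=get_user_organization(analyst),
                                    analyst=analyst,
                                    needs_tlp=False)
    comment.source = [source]
    try:
        comment.save(username=analyst)
        # this is silly :( in the comment object the dates are still
        # accurate to .###### seconds, but in the database are only
        # accurate to .### seconds. This messes with the template's ability
        # to compare creation and edit times.
        comment.reload()
        comment.comment_to_html()
        html = render_to_string(
            'comments_row_widget.html', {
                'comment': comment,
                'user': {
                    'username': analyst
                },
                'subscription': subscr
            })
        message = "Comment added successfully!"
        result = {'success': True, 'html': html, 'message': message}
    except ValidationError as e:
        # ``except X as e`` is valid on both Python 2.6+ and 3 (the old
        # comma form is a syntax error on 3).  'message' is documented as a
        # str, so the exception is stringified rather than returned as-is.
        result = {'success': False, 'message': str(e)}
    # The docstring promises a dict; the original listing never returned it.
    return result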
Example #22
 def __init__(self, username, *args, **kwargs):
     """
     Build the add-object form for the given user.

     :param username: Used to scope get_source_names() and to look up the
                      user's organization.

     ``object_type`` lists ObjectTypes.values(sort=True) and is tagged with
     the 'object-types' CSS class; ``source`` lists
     get_source_names(True, True, username) with the user's organization
     preselected.
     """
     super(AddObjectForm, self).__init__(*args, **kwargs)
     fields = self.fields

     type_field = fields['object_type']
     type_field.choices = [(ot, ot) for ot in ObjectTypes.values(sort=True)]
     type_field.widget.attrs = {'class': 'object-types'}

     sources = get_source_names(True, True, username)
     fields['source'].choices = [(src.name, src.name) for src in sources]
     fields['source'].initial = get_user_organization(username)
 def __init__(self, username, *args, **kwargs):
     """
     Build the source-entry form for the given user.

     :param username: Used to scope get_source_names() and to look up the
                      user's organization.

     ``source_name`` lists get_source_names(True, True, username) with the
     user's organization preselected; ``source_tlp`` offers the four TLP
     colours with the most restrictive ('red') preselected.
     """
     super(SourceInForm, self).__init__(*args, **kwargs)
     name_field = self.fields['source_name']
     tlp_field = self.fields['source_tlp']

     name_field.choices = [
         (src.name, src.name)
         for src in get_source_names(True, True, username)]
     name_field.initial = get_user_organization(username)

     tlp_field.choices = [(level, level)
                          for level in ('red', 'amber', 'green', 'white')]
     tlp_field.initial = 'red'
Example #24
    def __init__(self, username, *args, **kwargs):
        """
        Build the actor-identifier form for the given user.

        :param username: Used to scope get_source_names() and to look up the
                         user's organization.

        ``identifier_type`` lists the ActorThreatIdentifier item names;
        ``source`` lists get_source_names(True, True, username) with the
        user's organization preselected.
        """
        super(AddActorIdentifierForm, self).__init__(*args, **kwargs)
        type_field = self.fields['identifier_type']
        source_field = self.fields['source']

        type_field.choices = [
            (t.name, t.name)
            for t in get_item_names(ActorThreatIdentifier, True)]

        source_field.choices = [
            (src.name, src.name)
            for src in get_source_names(True, True, username)]
        source_field.initial = get_user_organization(username)
Example #25
 def __init__(self, username, *args, **kwargs):
     """
     Build the add-object form for the given user.

     :param username: Used to scope get_source_names() and to look up the
                      user's organization.

     ``object_type`` lists ObjectTypes.values(sort=True) and carries the
     'object-types' CSS class; ``source`` lists
     get_source_names(True, True, username) with the user's organization
     preselected.
     """
     super(AddObjectForm, self).__init__(*args, **kwargs)
     type_field = self.fields['object_type']
     source_field = self.fields['source']

     type_field.choices = [(ot, ot) for ot in ObjectTypes.values(sort=True)]
     type_field.widget.attrs = {'class': 'object-types'}

     sources = get_source_names(True, True, username)
     source_field.choices = [(src.name, src.name) for src in sources]
     source_field.initial = get_user_organization(username)
Example #26
    def __init__(self, username, *args, **kwargs):
        """
        Build the raw-data upload form for the given user.

        :param username: Used to scope get_source_names() and to look up the
                         user's organization.

        ``source`` lists get_source_names(True, True, username) with the
        user's organization preselected; ``data_type`` lists the RawDataType
        item names.  Bucket-list and ticket fields come from the shared
        helpers.
        """
        super(UploadRawDataFileForm, self).__init__(*args, **kwargs)
        source_field = self.fields['source']
        type_field = self.fields['data_type']

        sources = get_source_names(True, True, username)
        source_field.choices = [(src.name, src.name) for src in sources]
        source_field.initial = get_user_organization(username)

        type_field.choices = [(dt.name, dt.name)
                              for dt in get_item_names(RawDataType, True)]

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)
Example #27
    def __init__(self, username, *args, **kwargs):
        """
        Build the event form for the given user.

        :param username: Used to scope get_source_names() and to look up the
                         user's organization.

        ``source`` lists get_source_names(True, True, username) with the
        user's organization preselected; ``event_type`` lists
        EventTypes.values(sort=True).  Bucket-list and ticket fields come
        from the shared helpers.
        """
        super(EventForm, self).__init__(*args, **kwargs)
        fields = self.fields

        sources = get_source_names(True, True, username)
        fields['source'].choices = [(src.name, src.name) for src in sources]
        fields['source'].initial = get_user_organization(username)

        fields['event_type'].choices = [
            (et, et) for et in EventTypes.values(sort=True)]

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)
Example #28
 def _process_pcap(self, pcap):
     """
     Store a captured PCAP and relate it to the object under analysis.

     :param pcap: Raw PCAP bytes.
     :type pcap: bytes

     The file is named after its MD5, attributed to the current user's
     organization and handed to handle_pcap_file() with this object as the
     related item; the MD5 is then reported under "pcap_added".

     NOTE(review): the return value of handle_pcap_file() is discarded, so
     "pcap_added" is reported even when the handler did not store the file
     -- confirm its return shape and check it if a failure can be signalled.
     """
     self._debug("Processing PCAP.")
     self._notify()

     user = self.current_task.username
     digest = md5(pcap).hexdigest()
     handle_pcap_file("%s.pcap" % digest,
                      pcap,
                      get_user_organization(user),
                      user=user,
                      related_id=str(self.obj.id),
                      related_type=self.obj._meta['crits_type'],
                      method=self.name)
     self._add_result("pcap_added", digest, {'md5': digest})
Example #29
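 def __init__(self, username, choices, *args, **kwargs):
     """
     Build the add-object form for the given user.

     :param username: Used to scope get_source_names() and to look up the
                      user's organization.
     :param choices: Explicit ``object_type`` choices.  When falsy, the
                     list is derived from get_object_types(True) as
                     ``(name, name, {'datatype': ..., 'datatype_value': ...})``
                     triples.

     ``object_type`` carries the 'object-types' CSS class; ``source`` lists
     get_source_names(True, True, username) with the user's organization
     preselected.
     """
     super(AddObjectForm, self).__init__(*args, **kwargs)
     if not choices:
         choices = []
         for obj_type in get_object_types(True):
             # Take the single key/value pair of the type's datatype dict
             # without indexing the dict views: keys()[0] / values()[0]
             # only work on Python 2, where those are lists.
             datatype, datatype_value = next(iter(obj_type[1].items()))
             choices.append((obj_type[0], obj_type[0],
                             {'datatype': datatype,
                              'datatype_value': datatype_value}))
     self.fields['object_type'].choices = choices
     self.fields['object_type'].widget.attrs = {'class': 'object-types'}

     sources = get_source_names(True, True, username)
     self.fields['source'].choices = [(src.name, src.name) for src in sources]
     self.fields['source'].initial = get_user_organization(username)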
Example #30
    def __init__(self, username, *args, **kwargs):
        """
        Build the TAXII feed configuration form for the given user.

        :param username: Used to scope get_source_names() and to look up the
                         user's organization.

        Defaults ``label_suffix`` to ':' unless the caller set it.  ``source``
        lists get_source_names(True, True, username) with the user's
        organization preselected; ``def_conf`` and ``def_impact`` both offer
        the IndicatorCI values (title-cased labels) and default to 'unknown'.
        """
        if 'label_suffix' not in kwargs:
            kwargs['label_suffix'] = ':'
        super(TAXIIFeedConfigForm, self).__init__(*args, **kwargs)
        fields = self.fields

        fields['source'].choices = [
            (src.name, src.name)
            for src in get_source_names(True, True, username)]
        fields['source'].initial = get_user_organization(username)

        ci_choices = [(ci, ci.title()) for ci in IndicatorCI.values()]
        for key in ('def_conf', 'def_impact'):
            fields[key].choices = list(ci_choices)
            fields[key].initial = 'unknown'
Example #31
File: forms.py Project: 0x3a/crits
    def __init__(self, username, *args, **kwargs):
        """
        Build the event form for the given user.

        :param username: Used to scope get_source_names() and to look up the
                         user's organization.

        ``source`` lists get_source_names(True, True, username) with the
        user's organization preselected; ``event_type`` lists the EventType
        item names.  Bucket-list and ticket fields come from the shared
        helpers.
        """
        super(EventForm, self).__init__(*args, **kwargs)
        source_field = self.fields['source']
        type_field = self.fields['event_type']

        source_field.choices = [
            (src.name, src.name)
            for src in get_source_names(True, True, username)]
        source_field.initial = get_user_organization(username)

        type_field.choices = [
            (et.name, et.name) for et in get_item_names(EventType, True)]

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)
Example #32
 def __init__(self, username, *args, **kwargs):
     """
     Build the YAML e-mail upload form for the given user.

     :param username: Used to scope get_source_names() and to look up the
                      user's organization.

     ``source`` lists get_source_names(True, True, username) with the user's
     organization preselected; ``campaign`` gets a blank leading option
     followed by the Campaign item names; ``campaign_confidence`` is a fixed
     blank/low/medium/high list.
     """
     super(EmailYAMLForm, self).__init__(*args, **kwargs)
     fields = self.fields

     sources = get_source_names(True, True, username)
     fields['source'].choices = [(src.name, src.name) for src in sources]
     fields['source'].initial = get_user_organization(username)

     campaigns = get_item_names(Campaign, True)
     fields['campaign'].choices = [("", "")] + [
         (camp.name, camp.name) for camp in campaigns]

     fields['campaign_confidence'].choices = [
         (level, level) for level in ("", "low", "medium", "high")]
Example #33
 def _process_pcap(self, pcap):
     """
     Store a captured PCAP as a child of the current PCAP object.

     :param pcap: Raw PCAP bytes.
     :type pcap: bytes

     The file is named after its MD5, attributed to the current user's
     organization and handed to handle_pcap_file() with this object as
     parent (type "PCAP"); the MD5 is then reported under "pcap_added".

     NOTE(review): the return value of handle_pcap_file() is discarded, so
     "pcap_added" is reported even if the handler did not store the file --
     confirm its return shape and check it if a failure can be signalled.
     """
     self._debug("Processing PCAP.")
     self._notify()

     user = self.current_task.username
     digest = md5(pcap).hexdigest()
     handle_pcap_file("%s.pcap" % digest,
                      pcap,
                      get_user_organization(user),
                      user=user,
                      parent_id=str(self.obj.id),
                      parent_type="PCAP",
                      method=self.name)
     self._add_result("pcap_added", digest, {'md5': digest})
Example #34
 def __init__(self, username, *args, **kwargs):
     """
     Build the Outlook e-mail upload form for the given user.

     :param username: Used to scope get_source_names() and to look up the
                      user's organization.

     ``source`` lists get_source_names(True, True, username) with the user's
     organization preselected; ``campaign`` gets a blank leading option
     followed by the Campaign item names; ``campaign_confidence`` is a fixed
     blank/low/medium/high list.
     """
     super(EmailOutlookForm, self).__init__(*args, **kwargs)
     source_field = self.fields['source']
     campaign_field = self.fields['campaign']

     source_field.choices = [
         (src.name, src.name)
         for src in get_source_names(True, True, username)]
     source_field.initial = get_user_organization(username)

     campaign_field.choices = [("", "")] + [
         (camp.name, camp.name) for camp in get_item_names(Campaign, True)]

     self.fields['campaign_confidence'].choices = [
         (level, level) for level in ("", "low", "medium", "high")]
Example #35
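    def attribute_identifier(self, identifier_type=None, identifier=None,
                             confidence='low', analyst=None):
        """
        Attribute an identifier.

        :param identifier_type: The type of Identifier.
        :type identifier_type: str
        :param identifier: The identifier value.
        :type identifier: str
        :param confidence: The confidence level of the attribution.
        :type confidence: str
        :param analyst: The analyst attributing this identifier.
        :type analyst: str

        Does nothing unless all of analyst, identifier_type and identifier
        are given.  The ActorIdentifier document is looked up by name and
        created if absent, the analyst's organization is added as a source
        when not already present, and an EmbeddedActorIdentifier is appended
        to ``self.identifiers`` unless one with the same id already exists.
        """

        if not (analyst and identifier_type and identifier):
            return

        # We don't use source restriction because if they are adding this on
        # their own, we would just append their org as a new source.
        # The looked-up document gets its own name: the original rebound
        # ``identifier`` to the document and then stored the document in its
        # own ``name`` field instead of the identifier string.
        ident_doc = ActorIdentifier.objects(name=identifier).first()

        if not ident_doc:
            ident_doc = ActorIdentifier()
            ident_doc.identifier_type = identifier_type
            ident_doc.name = identifier

        # Add the source if it doesn't already exist
        org = get_user_organization(analyst)
        if not any(src.name == org for src in ident_doc.source):
            ident_doc.add_source(source=org, analyst=analyst)

        ident_doc.save()
        ident_doc.reload()

        # Only add if it's not already there
        ident_id = str(ident_doc.id)
        if any(str(existing.identifier_id) == ident_id
               for existing in self.identifiers):
            return

        e = EmbeddedActorIdentifier()
        e.analyst = analyst
        e.confidence = confidence
        e.identifier_id = ident_id
        self.identifiers.append(e)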
Example #36
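def comment_add(cleaned_data, obj_type, obj_id, method, subscr, analyst):
    """
    Add a new comment.

    :param cleaned_data: Cleaned data from the Django form submission.
    :type cleaned_data: dict
    :param obj_type: The top-level object type to add the comment to.
    :type obj_type: str
    :param obj_id: The top-level ObjectId to add the comment to.
    :type obj_id: str
    :param method: If this is a reply or not (set method to "reply").
    :type method: str
    :param subscr: The subscription information for the top-level object.
    :type subscr: dict
    :param analyst: The user adding the comment.
    :type analyst: str
    :returns: dict with keys:
              'success' (boolean),
              'message': (str),
              'html' (str) if successful.
    """

    comment = Comment()
    comment.comment = cleaned_data['comment']
    comment.parse_comment()
    comment.set_parent_object(obj_type, obj_id)
    if method == "reply":
        comment.set_parent_comment(cleaned_data['parent_date'],
                                   cleaned_data['parent_analyst'])
    comment.analyst = analyst
    comment.set_url_key(cleaned_data['url_key'])
    # The comment is attributed to the analyst's own organization; comment
    # sources carry no TLP.
    source = create_embedded_source(name=get_user_organization(analyst),
                                    analyst=analyst, needs_tlp=False)
    comment.source = [source]
    try:
        comment.save(username=analyst)
        # this is silly :( in the comment object the dates are still
        # accurate to .###### seconds, but in the database are only
        # accurate to .### seconds. This messes with the template's ability
        # to compare creation and edit times.
        comment.reload()
        comment.comment_to_html()
        html = render_to_string('comments_row_widget.html',
                                {'comment': comment,
                                 'user': {'username': analyst},
                                 'subscription': subscr})
        message = "Comment added successfully!"
        result = {'success': True, 'html': html, 'message': message}
    except ValidationError as e:
        # ``except X as e`` is valid on both Python 2.6+ and 3 (the old
        # comma form is a syntax error on 3).  'message' is documented as a
        # str, so the exception is stringified rather than returned as-is.
        result = {'success': False, 'message': str(e)}
    # The docstring promises a dict; the original listing never returned it.
    return result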
Example #37
    def __init__(self, username, *args, **kwargs):
        """
        Build the e-mail attachment form for the given user.

        :param username: Used to scope get_source_names() and to look up the
                         user's organization.

        ``campaign`` gets a blank leading option followed by the Campaign
        item names; ``confidence`` is a fixed blank/low/medium/high list;
        ``source`` lists get_source_names(True, True, username) with the
        user's organization preselected.  Bucket-list and ticket fields come
        from the shared helpers.

        NOTE(review): ``source_date`` is given a ``.value`` attribute of
        datetime.now(); Django form fields prefill through ``.initial``, so
        this assignment presumably has no visible effect -- confirm whether
        ``.initial`` was intended.
        """
        super(EmailAttachForm, self).__init__(*args, **kwargs)
        fields = self.fields

        campaigns = get_item_names(Campaign, True)
        fields['campaign'].choices = [('', '')] + [
            (camp.name, camp.name) for camp in campaigns]
        fields['confidence'].choices = [
            (level, level) for level in ('', 'low', 'medium', 'high')]

        sources = get_source_names(True, True, username)
        fields['source'].choices = [(src.name, src.name) for src in sources]
        fields['source'].initial = get_user_organization(username)
        fields['source_date'].value = datetime.now()

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)
Example #38
    def __init__(self, username, *args, **kwargs):
        """
        Build the signature upload form for the given user.

        :param username: Used to scope get_source_names() and to look up the
                         user's organization.

        ``source`` lists get_source_names(True, True, username) with the
        user's organization preselected; ``data_type`` lists the
        SignatureType item names; ``relationship_type`` uses
        relationship_choices with RELATED_TO preselected.  Bucket-list and
        ticket fields come from the shared helpers.
        """
        super(UploadSignatureForm, self).__init__(*args, **kwargs)
        fields = self.fields

        sources = get_source_names(True, True, username)
        fields['source'].choices = [(src.name, src.name) for src in sources]
        fields['source'].initial = get_user_organization(username)

        sig_types = get_item_names(SignatureType, True)
        fields['data_type'].choices = [(st.name, st.name) for st in sig_types]

        fields['relationship_type'].choices = relationship_choices
        fields['relationship_type'].initial = RelationshipTypes.RELATED_TO

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)
Example #39
    def __init__(self, username, *args, **kwargs):
        """
        Build the file upload form for the given user.

        :param username: Used to scope get_source_names() and to look up the
                         user's organization.

        ``source`` lists get_source_names(True, True, username) with the
        user's organization preselected; ``campaign`` gets a blank leading
        option followed by the Campaign item names; ``confidence`` is a
        fixed blank/low/medium/high list.  Bucket-list and ticket fields
        come from the shared helpers.
        """
        super(UploadFileForm, self).__init__(*args, **kwargs)
        source_field = self.fields['source']
        campaign_field = self.fields['campaign']

        source_field.choices = [
            (src.name, src.name)
            for src in get_source_names(True, True, username)]
        source_field.initial = get_user_organization(username)

        campaign_field.choices = [('', '')] + [
            (camp.name, camp.name) for camp in get_item_names(Campaign, True)]

        self.fields['confidence'].choices = [
            (level, level) for level in ('', 'low', 'medium', 'high')]

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)
Example #40
    def __init__(self, username, choices, *args, **kwargs):
        """
        Build the add-IP form for the given user.

        :param username: Used to scope get_source_names(), to look up the
                         user's organization and as the ``analyst`` default.
        :param choices: Explicit ``ip_type`` choices, or None to use the
                        module-level ip_choices.

        ``campaign`` gets a blank leading option followed by the Campaign
        item names; ``confidence`` is a fixed blank/low/medium/high list;
        ``source`` lists get_source_names(True, True, username) with the
        user's organization preselected.  Bucket-list and ticket fields come
        from the shared helpers.
        """
        super(AddIPForm, self).__init__(*args, **kwargs)
        fields = self.fields

        fields["ip_type"].choices = ip_choices if choices is None else choices

        campaigns = get_item_names(Campaign, True)
        fields["campaign"].choices = [("", "")] + [
            (camp.name, camp.name) for camp in campaigns]
        fields["confidence"].choices = [
            (level, level) for level in ("", "low", "medium", "high")]

        sources = get_source_names(True, True, username)
        fields["source"].choices = [(src.name, src.name) for src in sources]
        fields["source"].initial = get_user_organization(username)
        fields["analyst"].initial = username

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)
Example #41
    def __init__(self, username, *args, **kwargs):
        """
        Build the single-indicator upload form for the given user.

        :param username: Used to scope get_source_names() and to look up the
                         user's organization.

        ``source`` lists get_source_names(True, True, username) with the
        user's organization preselected.  ``status``, ``indicator_type``,
        ``threat_type`` and ``attack_type`` are filled from their vocabulary
        classes (the latter two default to UNKNOWN); ``campaign`` gets a
        blank leading option; ``campaign_confidence`` is blank/low/medium/
        high while ``confidence`` and ``impact`` are unknown/benign/low/
        medium/high; ``relationship_type`` uses relationship_choices with
        RELATED_TO preselected.  Bucket-list and ticket fields come from the
        shared helpers.
        """
        super(UploadIndicatorForm, self).__init__(*args, **kwargs)
        fields = self.fields

        def pairs(values):
            # (value, value) tuples as Django choice entries.
            return [(v, v) for v in values]

        sources = get_source_names(True, True, username)
        fields['source'].choices = [(src.name, src.name) for src in sources]
        fields['source'].initial = get_user_organization(username)

        fields['status'].choices = pairs(Status.values())

        fields['indicator_type'].choices = pairs(IndicatorTypes.values(sort=True))
        fields['indicator_type'].widget.attrs = {'class': 'object-types'}

        fields['threat_type'].choices = pairs(IndicatorThreatTypes.values(sort=True))
        fields['threat_type'].initial = IndicatorThreatTypes.UNKNOWN
        fields['attack_type'].choices = pairs(IndicatorAttackTypes.values(sort=True))
        fields['attack_type'].initial = IndicatorAttackTypes.UNKNOWN

        campaigns = get_item_names(Campaign, True)
        fields['campaign'].choices = [("", "")] + [
            (camp.name, camp.name) for camp in campaigns]
        fields['campaign_confidence'].choices = pairs(("", "low", "medium", "high"))

        rating = ("unknown", "benign", "low", "medium", "high")
        fields['confidence'].choices = pairs(rating)
        fields['impact'].choices = pairs(rating)

        fields['relationship_type'].choices = relationship_choices
        fields['relationship_type'].initial = RelationshipTypes.RELATED_TO

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)
Example #42
 def __init__(self, username, *args, **kwargs):
     """
     Build the YAML e-mail upload form for the given user.

     :param username: Used to scope get_source_names() and to look up the
                      user's organization.

     ``source`` lists get_source_names(True, True, username) with the user's
     organization preselected; ``campaign`` gets a blank leading option
     followed by the Campaign item names; ``campaign_confidence`` is a fixed
     blank/low/medium/high list; ``relationship_type`` uses
     relationship_choices with RELATED_TO preselected.  Bucket-list and
     ticket fields come from the shared helpers.
     """
     super(EmailYAMLForm, self).__init__(*args, **kwargs)
     fields = self.fields

     sources = get_source_names(True, True, username)
     fields['source'].choices = [(src.name, src.name) for src in sources]
     fields['source'].initial = get_user_organization(username)

     campaigns = get_item_names(Campaign, True)
     fields['campaign'].choices = [("", "")] + [
         (camp.name, camp.name) for camp in campaigns]
     fields['campaign_confidence'].choices = [
         (level, level) for level in ("", "low", "medium", "high")]

     fields['relationship_type'].choices = relationship_choices
     fields['relationship_type'].initial = RelationshipTypes.RELATED_TO

     add_bucketlist_to_form(self)
     add_ticket_to_form(self)
Example #43
 def __init__(self, username, *args, **kwargs):
     """
     Build the YAML e-mail upload form for the given user.

     :param username: Used to scope get_source_names() and to look up the
                      user's organization.

     ``source`` lists get_source_names(True, True, username) with the user's
     organization preselected; ``campaign`` gets a blank leading option
     followed by the Campaign item names; ``campaign_confidence`` is a fixed
     blank/low/medium/high list; ``relationship_type`` uses
     relationship_choices with RELATED_TO preselected.  Bucket-list and
     ticket fields come from the shared helpers.
     """
     super(EmailYAMLForm, self).__init__(*args, **kwargs)
     source_field = self.fields['source']
     campaign_field = self.fields['campaign']
     rel_field = self.fields['relationship_type']

     source_field.choices = [
         (src.name, src.name)
         for src in get_source_names(True, True, username)]
     source_field.initial = get_user_organization(username)

     campaign_field.choices = [("", "")] + [
         (camp.name, camp.name) for camp in get_item_names(Campaign, True)]
     self.fields['campaign_confidence'].choices = [
         (level, level) for level in ("", "low", "medium", "high")]

     rel_field.choices = relationship_choices
     rel_field.initial = RelationshipTypes.RELATED_TO

     add_bucketlist_to_form(self)
     add_ticket_to_form(self)
Example #44
    def process_domains(self, incident_report):
        """
        Upsert every contacted domain from the report and relate it to the
        object under analysis.

        :param incident_report: Parsed XML element of the sandbox incident
                                report (queried with findall()).

        Each ``./contacted/domains/domain`` element is passed to
        upsert_domain() with the current user's organization as source and a
        CONNECTED_TO relationship to this object.  On success the domain is
        reported under "Domains" with the element's ``malicious`` attribute
        (defaulting to 'unknown'); on failure a warning is emitted.  The
        domain text and verdict are taken from the external report as-is.
        """
        user = self.current_task.user
        org = get_user_organization(user)

        for node in incident_report.findall("./contacted/domains/domain"):
            ret = upsert_domain(node.text,
                                source=org,
                                username=str(user),
                                related_id=str(self.obj.id),
                                related_type=self.obj._meta['crits_type'],
                                relationship_type=RelationshipTypes.CONNECTED_TO)

            if not ret['success']:
                self._warning(ret["message"])
                continue

            verdict = node.get('malicious', 'unknown')
            self._add_result("Domains", node.text, {'malicious': verdict})

        self._notify()
Example #45
def remove_sample(request, md5):
    """
    Remove a sample from CRITs.

    On success the user is redirected to the samples listing filtered to
    their organization; on failure the generic error page is rendered.

    :param request: Django request object (Required)
    :type request: :class:`django.http.HttpRequest`
    :param md5: The MD5 of the sample to remove.
    :type md5: str
    :returns: :class:`django.http.HttpResponse`
    """
    username = request.user.username
    if not delete_sample(md5, '%s' % username):
        return render(request, 'error.html', {'error': "Could not delete sample"})

    # NOTE: the organization name is interpolated into the query string as-is
    # (not URL-encoded).
    listing_url = reverse('crits-samples-views-samples_listing')
    org = get_user_organization(username)
    return HttpResponseRedirect(listing_url + '?source=%s' % org)
    def __init__(self, username, *args, **kwargs):
        """Fill the campaign, confidence, source and relationship selects for *username*.

        Campaign choices start with a blank entry; confidence is the fixed
        ''/low/medium/high ladder; sources come from ``get_source_names`` with
        the user's organization preselected; relationship type defaults to
        ``RELATED_TO``. Bucketlist and ticket fields are added by the helpers.
        """
        super(AddBackdoorForm, self).__init__(*args, **kwargs)
        fields = self.fields

        campaigns = get_item_names(Campaign, True)
        fields['campaign'].choices = [('', '')] + [(camp.name, camp.name) for camp in campaigns]
        fields['confidence'].choices = [(lvl, lvl) for lvl in ('', 'low', 'medium', 'high')]

        sources = get_source_names(True, True, username)
        fields['source'].choices = [(src.name, src.name) for src in sources]
        fields['source'].initial = get_user_organization(username)

        fields['relationship_type'].choices = relationship_choices
        fields['relationship_type'].initial = RelationshipTypes.RELATED_TO

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)
    def __init__(self, username, *args, **kwargs):
        """Populate the dynamic selects of the exploit form for *username*.

        Campaigns (with a leading blank), the ''/low/medium/high confidence
        ladder, the sources visible via ``get_source_names`` (defaulting to the
        user's organization) and the relationship type (default ``RELATED_TO``)
        are set here; bucketlist and ticket fields come from the shared helpers.
        """
        super(AddExploitForm, self).__init__(*args, **kwargs)

        def as_pairs(names):
            # (value, label) tuples where both are the name itself
            return [(name, name) for name in names]

        self.fields['campaign'].choices = [('', '')] + as_pairs(
            camp.name for camp in get_item_names(Campaign, True))
        self.fields['confidence'].choices = as_pairs(('', 'low', 'medium', 'high'))
        self.fields['source'].choices = as_pairs(
            src.name for src in get_source_names(True, True, username))
        self.fields['source'].initial = get_user_organization(username)
        self.fields['relationship_type'].choices = relationship_choices
        self.fields['relationship_type'].initial = RelationshipTypes.RELATED_TO

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)
    def process_ips(self, incident_report):
        """Add or update every contacted IP in *incident_report*, related to ``self.obj``.

        Each ``./contacted/ips/ip`` element is handed to ``ip_add_update`` with
        the type from ``_ip_type``, the task user's organization as source and
        a CONNECTED_TO relationship to the analysed object. On success an "IPs"
        result carrying the element's ``malicious`` attribute ('unknown' if
        absent) is recorded; otherwise the returned message becomes a warning.
        ``_notify`` runs once afterwards.
        """
        task_user = self.current_task.user
        for element in incident_report.findall("./contacted/ips/ip"):
            address = element.text
            ret = ip_add_update(address, self._ip_type(address),
                                source=get_user_organization(task_user),
                                source_method=self.name,
                                source_tlp=self.obj.tlp,
                                user=task_user,
                                related_id=str(self.obj.id),
                                related_type=self.obj._meta['crits_type'],
                                relationship_type=RelationshipTypes.CONNECTED_TO)

            if not ret['success']:
                self._warning(ret["message"])
                continue
            verdict = element.get('malicious', 'unknown')
            self._add_result("IPs", address, {'malicious': verdict})

        self._notify()
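    def _process_pcap(self, pcap):
        """Store *pcap* in CRITs as a PCAP related to ``self.obj``.

        Processing is cancelled (info message plus a "PCAP Processing Canceled"
        result) when the task's user lacks ``PCAPACL.WRITE``. The file is named
        after its MD5. A "pcap_added" result is recorded only when
        ``handle_pcap_file`` reports success; previously the return value was
        ignored and the result was recorded even on failure.

        :param pcap: raw PCAP bytes to store.
        """
        self._debug("Processing PCAP.")
        self._notify()
        user = self.current_task.user
        org = get_user_organization(user)
        if not user.has_access_to(PCAPACL.WRITE):
            self._info("User does not have permission to add PCAP to CRITs")
            self._add_result("PCAP Processing Canceled", "User does not have permission to add PCAP to CRITs")
            return

        h = md5(pcap).hexdigest()
        result = handle_pcap_file("%s.pcap" % h,
                                  pcap,
                                  org,
                                  user=user,
                                  related_id=str(self.obj.id),
                                  related_type=self.obj._meta['crits_type'],
                                  method=self.name)
        # handle_pcap_file reports {'success': ..., 'message': ...}; only claim
        # the PCAP was added when it actually was.
        if result.get('success'):
            self._add_result("pcap_added", h, {'md5': h})
        else:
            self._info("Could not add PCAP to CRITs: %s" % result.get('message'))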
    def __init__(self, username, choices=None, *args, **kwargs):
        """Populate the indicator upload form's selects for *username*.

        Sources come from ``get_source_names`` with the user's organization
        preselected. When *choices* is empty, indicator types are built from the
        active object types that have neither a ``datatype.file`` nor a
        ``datatype.enum`` entry; each choice carries its datatype name and value
        as a third element. Campaign/confidence/impact ladders are fixed lists.
        """
        super(UploadIndicatorForm, self).__init__(*args, **kwargs)
        fields = self.fields

        sources = get_source_names(True, True, username)
        fields['source'].choices = [(src.name, src.name) for src in sources]
        fields['source'].initial = get_user_organization(username)

        if not choices:
            #only valid types for indicators are those which don't require file upload
            object_types = get_object_types(active=True,
                                            query={'datatype.file': {'$exists': 0},
                                                   'datatype.enum': {'$exists': 0}})
            choices = []
            for entry in object_types:
                type_name, datatype = entry[0], entry[1]
                choices.append((type_name, type_name, {
                    'datatype': datatype.keys()[0],
                    'datatype_value': datatype.values()[0],
                }))

        fields['indicator_type'].choices = choices
        fields['indicator_type'].widget.attrs = {'class': 'object-types'}

        campaigns = get_item_names(Campaign, True)
        fields['campaign'].choices = [("", "")] + [(camp.name, camp.name) for camp in campaigns]

        ladder = ("low", "medium", "high")
        fields['campaign_confidence'].choices = [(lvl, lvl) for lvl in ("",) + ladder]
        rated = [(lvl, lvl) for lvl in ("unknown", "benign") + ladder]
        fields['confidence'].choices = rated
        fields['impact'].choices = list(rated)

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)
    def __init__(self, username, choices, *args, **kwargs):
        """Populate the IP form's selects for *username*.

        ``ip_type`` uses the caller's *choices* unless that is ``None``, in
        which case the module-level ``ip_choices`` apply. Campaigns get a
        leading blank entry, confidence is the ''/low/medium/high ladder,
        sources come from ``get_source_names`` with the user's organization
        preselected, and ``analyst`` defaults to *username*.
        """
        super(AddIPForm, self).__init__(*args, **kwargs)
        fields = self.fields

        fields['ip_type'].choices = ip_choices if choices is None else choices

        campaigns = get_item_names(Campaign, True)
        fields['campaign'].choices = [('', '')] + [(camp.name, camp.name) for camp in campaigns]
        fields['confidence'].choices = [(lvl, lvl) for lvl in ('', 'low', 'medium', 'high')]

        sources = get_source_names(True, True, username)
        fields['source'].choices = [(src.name, src.name) for src in sources]
        fields['source'].initial = get_user_organization(username)
        fields['analyst'].initial = username

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)
def remove_sample(request, md5):
    """
    Remove a sample from CRITs.

    Redirects to the samples listing (filtered to the user's organization)
    when the deletion succeeds; otherwise renders the error page.

    :param request: Django request object (Required)
    :type request: :class:`django.http.HttpRequest`
    :param md5: The MD5 of the sample to remove.
    :type md5: str
    :returns: :class:`django.http.HttpResponse`
    """
    username = request.user.username
    deleted = delete_sample(md5, '%s' % username)
    if deleted:
        # NOTE: organization name goes into the query string without URL-encoding.
        target = '%s?source=%s' % (reverse('crits-samples-views-samples_listing'),
                                   get_user_organization(username))
        return HttpResponseRedirect(target)
    return render(request, 'error.html',
                  {'error': "Could not delete sample"})
    def __init__(self, username, choices=None, *args, **kwargs):
        """Populate the indicator upload form's selects for *username*.

        Sources come from ``get_source_names`` with the user's organization
        preselected. When *choices* is empty, indicator types are built from the
        active object types without a ``datatype.file`` entry; each choice
        carries its datatype name and value as a third element. The campaign,
        confidence and impact ladders are fixed lists.
        """
        super(UploadIndicatorForm, self).__init__(*args, **kwargs)

        def pairs(names):
            return [(name, name) for name in names]

        self.fields['source'].choices = pairs(
            src.name for src in get_source_names(True, True, username))
        self.fields['source'].initial = get_user_organization(username)

        if not choices:
            #only valid types for indicators are those which don't require file upload
            choices = []
            for entry in get_object_types(active=True,
                                          query={'datatype.file': {'$exists': 0}}):
                type_name, datatype = entry[0], entry[1]
                choices.append((type_name, type_name,
                                {'datatype': datatype.keys()[0],
                                 'datatype_value': datatype.values()[0]}))

        self.fields['indicator_type'].choices = choices
        self.fields['indicator_type'].widget.attrs = {'class': 'object-types'}
        self.fields['campaign'].choices = [("", "")] + pairs(
            camp.name for camp in get_item_names(Campaign, True))
        self.fields['campaign_confidence'].choices = pairs(("", "low", "medium", "high"))
        self.fields['confidence'].choices = pairs(("unknown", "benign", "low", "medium", "high"))
        self.fields['impact'].choices = pairs(("unknown", "benign", "low", "medium", "high"))

        add_bucketlist_to_form(self)
        add_ticket_to_form(self)
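def pcap_tcpdump(pcap_md5, form, analyst):
    """
    Run tcpdump over a stored PCAP and return its output (or a carved PCAP link).

    The PCAP is written to a temp file, tcpdump is executed with the flags
    chosen on *form* (no shell is involved; every value is its own argv
    element) and its combined stdout/stderr is returned. With ``carve`` set a
    BPF filter is required; the matching packets are written to a new PCAP
    which, if it holds more than a bare header, is stored via
    ``handle_pcap_file`` and returned as an HTML link. All temp files are
    removed on every exit path, including an exception while starting tcpdump
    (the original leaked them in that case).

    :param pcap_md5: MD5 of the PCAP to read.
    :type pcap_md5: str
    :param form: bound form whose ``cleaned_data`` provides ``sequence``,
                 ``timestamp``, ``verbose``, ``data``, ``carve`` and ``bpf``.
    :param analyst: username recorded as the user of a carved PCAP.
    :type analyst: str
    :returns: tcpdump output, an HTML link to the carved PCAP, or a status/error string.
    :rtype: str
    """
    flag_list = []
    cleaned_data = form.cleaned_data

    # Make sure we can find tcpdump
    sc = get_config("MetaCap")
    tcpdump_bin = str(sc["tcpdump"])
    if not os.path.exists(tcpdump_bin):
        return "Could not find tcpdump!"

    # Make sure we have a PCAP to work with
    pcap = PCAP.objects(md5=pcap_md5).first()
    if not pcap:
        return "No PCAP found"
    pcap_data = pcap.filedata.read()
    if not pcap_data:
        return "Could not get PCAP from GridFS: %s" % pcap_md5

    # Use the filename if it's there, otherwise the md5.
    # This is used for the description of the carved sample.
    pcap_filename = pcap.filename or pcap_md5

    # Setup tcpdump arguments
    if cleaned_data["sequence"]:
        flag_list.append("-S")
    # NOTE(review): these values are appended verbatim as argv elements; this
    # assumes the form restricts them to tcpdump flags — confirm in the form class.
    for key in ("timestamp", "verbose", "data"):
        if cleaned_data[key]:
            flag_list.append("%s" % cleaned_data[key])
    # force -nN
    flag_list.append("-nN")

    # Validate the filter before any temp file exists so early returns leak nothing.
    bpf = cleaned_data["bpf"]
    if bpf:
        bpf = "%s" % str(bpf.replace('"', ""))
        # A BPF expression never starts with '-'; refusing one keeps the
        # user-supplied string from being read by tcpdump as an option.
        if bpf.lstrip().startswith("-"):
            return "Invalid BPF filter."
    if cleaned_data["carve"] and not cleaned_data["bpf"]:
        return "Must supply a BPF filter to carve."

    # write PCAP to disk
    # temp_out collects stdout and stderr
    # temp_pcap is the pcap to read
    # new_pcap is the pcap being written if carving
    new_pcap = None
    temp_out = tempfile.NamedTemporaryFile(delete=False)
    temp_pcap = tempfile.NamedTemporaryFile(delete=False)
    try:
        if cleaned_data["carve"]:
            new_pcap = tempfile.NamedTemporaryFile(delete=False)
            flag_list.extend(["-w", new_pcap.name])
        if bpf:
            flag_list.append(bpf)

        temp_pcap.write(pcap_data)
        temp_pcap.close()
        args = [tcpdump_bin, "-r", temp_pcap.name] + flag_list
        tcpdump = Popen(args, stdout=temp_out, stderr=STDOUT)
        tcpdump.communicate()
        temp_out.seek(0)
        tcpdump_output = "".join("%s" % line for line in temp_out)
        temp_out.close()

        if cleaned_data["carve"]:
            new_pcap_data = new_pcap.read()
            if len(new_pcap_data) > 24:  # pcap-ng will change this.
                carved_md5 = hashlib.md5(new_pcap_data).hexdigest()
                org = get_user_organization(analyst)
                result = handle_pcap_file(
                    "%s.pcap" % carved_md5,
                    new_pcap_data,
                    org,
                    user=analyst,
                    description="%s of %s" % (cleaned_data["bpf"], pcap_filename),
                    parent_id=pcap.id,
                    parent_type="PCAP",
                    method="MetaCap Tcpdumper",
                )
                if result["success"]:
                    tcpdump_output = '<a href="%s">View new pcap.</a>' % reverse(
                        "crits.pcaps.views.pcap_details", args=[result["md5"]]
                    )
                else:
                    tcpdump_output = result["message"]
            else:
                tcpdump_output = "No packets matched the filter."

        return tcpdump_output
    finally:
        # delete temp files on every exit path (return or exception)
        for handle in (temp_out, temp_pcap, new_pcap):
            if handle is None:
                continue
            handle.close()
            try:
                os.unlink(handle.name)
            except OSError:
                pass  # best effort: the file may already be gone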
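def pcap_pdml_html(pcap_md5, analyst):
    """
    Return the PDML-derived HTML view of a PCAP, generating and caching it on first use.

    If the PCAP already carries a File object whose source reference is
    'tshark_pdml.html', that file is read back from GridFS. Otherwise tshark
    is run on the PCAP to produce PDML, the PDML is transformed with
    ``pdml2html.xsl`` (found under ``<SERVICE_DIR>/metacap_service``; when
    several directories have one, the last wins, as before), and the result is
    stored in GridFS and attached to the PCAP as a FILE_UPLOAD object
    attributed to *analyst*. Temp files are removed on every exit path; the
    original leaked them when tshark failed or the XSL was missing, and kept
    every opened stylesheet handle open.

    :param pcap_md5: MD5 of the PCAP.
    :type pcap_md5: str
    :param analyst: username recorded as the object's analyst.
    :type analyst: str
    :returns: ``"No PCAP found"`` for an unknown MD5; otherwise a dict with
              ``"html"`` (rendered HTML or an error message) and, when freshly
              generated, also ``"objects"`` and ``"id"``.
    """
    pcap = PCAP.objects(md5=pcap_md5).first()
    if not pcap:
        return "No PCAP found"

    coll = settings.COL_OBJECTS

    # check to see if there is a File object with the source reference of
    # 'tshark_pdml.html'. If there is, return it.
    pdml_obj = None
    for obj in pcap.obj:
        for source in obj.source:
            for instance in source.instances:
                if instance.reference == "tshark_pdml.html":
                    pdml_obj = obj

    if pdml_obj:
        # get file from gridfs and return it
        pdml_html = get_file_gridfs(pdml_obj.value, collection=coll)
        if not pdml_html:
            return {"html": "No file found in GridFS"}
        return {"html": pdml_html}

    # If not, generate it, save it, and return it.
    sc = get_config("MetaCap")
    tshark_bin = str(sc["tshark"])
    if not os.path.exists(tshark_bin):
        return {"html": "Could not find tshark!"}

    pcap_data = pcap.filedata.read()
    if not pcap_data:
        return {"html": "Could not get PCAP from GridFS: %s" % pcap_md5}

    # write PCAP to disk
    temp_pcap = tempfile.NamedTemporaryFile(delete=False)
    pcap_name = temp_pcap.name
    temp_pcap.write(pcap_data)
    temp_pcap.close()

    # use tshark to generate a pdml file
    temp_pdml = tempfile.NamedTemporaryFile(delete=False)
    pdml_name = temp_pdml.name
    try:
        args = [tshark_bin, "-n", "-r", pcap_name, "-T", "pdml"]
        tshark = Popen(args, stdout=temp_pdml, stderr=PIPE)
        tshark_out, tshark_err = tshark.communicate()
        if tshark.returncode != 0:
            return {"html": "%s, %s" % (tshark_out, tshark_err)}
        temp_pdml.seek(0)

        # transform PDML into HTML; keep the last directory that has the
        # stylesheet to match the previous lookup order
        xsl_path = None
        for d in settings.SERVICE_DIRS:
            candidate = "%s/metacap_service/pdml2html.xsl" % d
            if os.path.isfile(candidate):
                xsl_path = candidate
        if not xsl_path:
            return {"html": "Could not find XSL."}

        # NOTE(review): lxml's default XMLParser plus FileResolver is used for
        # both the tshark output and the stylesheet — confirm FileResolver
        # limits what the parse may load from disk.
        parser = etree.XMLParser()
        parser.resolvers.add(FileResolver())
        try:
            xml_input = etree.parse(temp_pdml, parser)
            with open(xsl_path, "r") as xsl_file:
                xslt_root = etree.parse(xsl_file, parser)
            transform = etree.XSLT(xslt_root)
            pdml_html = str(transform(xml_input))
        except Exception:
            return {"html": "Could not parse/transform PDML output!"}
    finally:
        temp_pdml.close()
        # delete PDML file and the on-disk PCAP whichever way we leave
        os.unlink(pdml_name)
        os.unlink(pcap_name)

    #  save pdml_html as an object for this PCAP
    fn = put_file_gridfs("tshark_pdml.html", pdml_html, collection=coll)
    if fn:
        html_md5 = hashlib.md5(pdml_html).hexdigest()
        pcap.add_object(
            ObjectTypes.FILE_UPLOAD,
            html_md5,
            get_user_organization(analyst),
            "MetaCap",
            "tshark_pdml.html",
            analyst,
        )
        pcap.save()

    pcap_objects = pcap.sort_objects()
    return {"html": pdml_html, "objects": pcap_objects, "id": pcap.id}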