def set_rep(self, filename, level, md5, sha1, sha256, sandbox):
try:
with DxlClient(self.config) as client:
client.connect()
tie_client = TieClient(client)
# multi-sandbox support: merge results if some are already available
existing_reputation = tie_client.get_file_reputation(
{HashType.SHA256: sha256})
if existing_reputation and FileProvider.EXTERNAL in existing_reputation:
logging.info(
"A external reputation verdict has been already present for the sample, will merge the results"
)
if (level != 0 and level < existing_reputation[
FileProvider.EXTERNAL]["trustLevel"]):
self._set_reputation(tie_client, filename, level, md5,
sha1, sha256, sandbox)
else:
logging.info(
"New reputation level was higher than what is already present"
)
else:
self._set_reputation(tie_client, filename, level, md5,
sha1, sha256, sandbox)
except Exception as e:
logging.error(
"ERROR setting the reputation in TIE for SHA256 %s using sandbox %s: %s",
str(sha256),
sandbox,
e,
)
def _lookup_hash(self, event, *args, **kwargs):
artifact_type = event.artifact["type"]
artifact_value = event.artifact["value"]
LOG.debug("_lookup_hash started for Artifact Type {0} - Artifact Value {1}".format(
artifact_type, artifact_value))
tie_client = TieClient(self.client)
if artifact_type == "hash.md5":
resilient_hash = {HashType.MD5: artifact_value}
elif artifact_type == "hash.sha1":
resilient_hash = {HashType.SHA1: artifact_value}
elif artifact_type == "hash.sha256":
resilient_hash = {HashType.SHA256: artifact_value}
else:
raise ValueError("Something went wrong setting the hash value")
reputations_dict = \
tie_client.get_file_reputation(
resilient_hash
)
hits = self._query_mcafee_tie(reputations_dict)
yield hits
def setTieReputation(self, payload):
tie_client = TieClient(self.client)
hashes = {
HashType.MD5: payload['fileMD5'],
HashType.SHA1: payload['fileSHA1'],
HashType.SHA256: payload['fileSHA256']
}
reputations_dict = tie_client.get_file_reputation(hashes)
has_definitive_reputation = \
any([rep[ReputationProp.TRUST_LEVEL] != TrustLevel.NOT_SET
and rep[ReputationProp.TRUST_LEVEL] != TrustLevel.UNKNOWN
and rep[ReputationProp.PROVIDER_ID] != FileProvider.EXTERNAL
for rep in reputations_dict.values()])
if not has_definitive_reputation:
try:
tie_client.set_external_file_reputation(
TrustLevel.MIGHT_BE_TRUSTED,
hashes,
file_type=payload['filetype'],
filename=payload['filename'],
comment=payload['comment']
)
except ValueError as e:
pass
def getTieRep(md5, sha1, sha256):
with DxlClient(config) as client:
# Connect to the fabric
client.connect()
# Create the McAfee Threat Intelligence Exchange (TIE) client
tie_client = TieClient(client)
myGetHashes = hashMe(md5, sha1, sha256)
reputations_dict = tie_client.get_file_reputation(myGetHashes)
client.disconnect()
#myReturnVal = json.dumps(reputations_dict, sort_keys=True, indent=4, separators=(',', ': ')) + "\n"
return reputations_dict
def file(hash):
config = get_client_config()
with DxlClient(config) as client:
client.connect()
# Create the McAfee Threat Intelligence Exchange (TIE) client
tie_client = TieClient(client)
hash_type = get_hash_type(hash)
hash_type_key = HASH_TYPE_KEYS.get(hash_type)
if not hash_type_key:
return create_error_entry('file argument must be sha1(40 charecters) or sha256(64 charecters) or md5(32 charecters)')
hash_param = {}
hash_param[hash_type_key] = hash
res = tie_client.get_file_reputation(hash_param)
reputations = res.values()
table = reputations_to_table(reputations)
# creaet context
context_file = {}
hash_type_uppercase = hash_type.upper()
tl_score = get_thrust_level_and_score(reputations)
context_file[hash_type_uppercase] = hash
context_file['TrustLevel'] = tl_score['trust_level']
context_file['Vendor'] = tl_score['vendor']
dbot_score = {'Indicator': hash, 'Type': 'hash', 'Vendor': tl_score['vendor'], 'Score': tl_score['score']}
if tl_score['score'] >= 2:
context_file['Malicious'] = {
'Vendor': tl_score['vendor'],
'Score': tl_score['score'],
'Description': 'Trust level is ' + str(tl_score['trust_level'])
}
ec = {
'DBotScore': dbot_score
}
ec[outputPaths['file']] = context_file
return {
'Type': entryTypes['note'],
'ContentsFormat': formats['json'],
'Contents': reputations,
'ReadableContentsFormat': formats['markdown'],
'HumanReadable': tableToMarkdown('McAfee TIE Hash Reputations For %s:' % (hash,), table),
'EntryContext': ec
}
def doReputation(btn):
global hashType
strHash = str(chatWin.getEntry("TIE_Hash"))
logger.info("Getting reputation data for {0}.".format(str(strHash)))
#Get all TIE based reputation data associated with a given hash
tie_client = TieClient(client)
reputations_dict = {}
#Request raw json reputation results
if hashType == "md5":
reputations_dict = tie_client.get_file_reputation(
{HashType.MD5: strHash})
elif hashType == "sha1":
reputations_dict = tie_client.get_file_reputation(
{HashType.SHA1: strHash})
elif hashType == "sha256":
reputations_dict = tie_client.get_file_reputation(
{HashType.SHA256: strHash})
#debug
logger.info(
"Raw TIE results for hash type " + hashType + ": " + json.dumps(
reputations_dict, sort_keys=True, indent=4, separators=(',',
': ')))
#Start building repputation output for writing to the results TextArea
strResults = parseTIEResults(reputations_dict)
#chatWin.setTextArea("TIEResults", json.dumps(reputations_dict, sort_keys=True, indent=4, separators= (',', ': ')), False)
chatWin.setTextArea("HashResults", strResults, False)
return True
# Create the client
with DxlClient(config) as client:
# Connect to the fabric
client.connect()
# Create the McAfee Threat Intelligence Exchange (TIE) client
tie_client = TieClient(client)
#
# Perform the file reputation query
#
reputations_dict = \
tie_client.get_file_reputation({
HashType.MD5: FILE_MD5,
HashType.SHA1: FILE_SHA1,
HashType.SHA256: FILE_SHA256
})
print("File reputation response:")
# Display the Global Threat Intelligence (GTI) trust level for the file
if FileProvider.GTI in reputations_dict:
gti_rep = reputations_dict[FileProvider.GTI]
print("\tGlobal Threat Intelligence (GTI) trust level: " + \
str(gti_rep[ReputationProp.TRUST_LEVEL]))
# Display the Enterprise reputation information
if FileProvider.ENTERPRISE in reputations_dict:
ent_rep = reputations_dict[FileProvider.ENTERPRISE]
def set_reputation(dxl_config_file, ioc_list, force):
# Create DXL configuration from file
config = DxlClientConfig.create_dxl_config_from_file(dxl_config_file)
# Create the client
with DxlClient(config) as client:
# Connect to the fabric
client.connect()
# Create the McAfee Threat Intelligence Exchange (TIE) client
tie_client = TieClient(client)
#
# Hashes for the file whose reputation will be set.
#
# Replace the random values for the actual file hashes.
#
ioc_set = 0
ioc_error = 0
ioc_exist = 0
ioc_total = 0
for ioc in ioc_list:
fileSHA1 = ioc["sha1"]
fileSHA256 = ioc["sha256"]
fileMD5 = ioc["md5"]
hashes = {
HashType.MD5: fileMD5,
HashType.SHA1: fileSHA1,
HashType.SHA256: fileSHA256
}
file_name = ioc["file_name"]
file_comment = ioc["file_comment"]
try:
reputation = REPUTATION_VALUES[ioc["reputation"]]
except Exception as er:
logger.error(
"Error getting reputation value, for entry %s check spelling"
% file_name)
continue
#
# Request reputation for the file
#
reputations_dict = tie_client.get_file_reputation(hashes)
#
# Check if there's any definitive reputation (different to Not Set [0] and Unknown [50])
#
has_definitive_reputation = \
any([rep[ReputationProp.TRUST_LEVEL] != TrustLevel.NOT_SET
and rep[ReputationProp.TRUST_LEVEL] != TrustLevel.UNKNOWN
for rep in reputations_dict.values()])
#
# If there's a definitive reputation and we are not forcing the reputation aplication
# Skip the application
#
if has_definitive_reputation and force == False:
logger.info(
"Information: There is a reputation from another provider for the file %s, External Reputation is not necessary."
% file_name)
ioc_exist = ioc_exist + 1
else:
#
# Set the External reputation
#
try:
logger.debug("Reputation %s" % reputation)
logger.debug("hashes %s" % hashes)
logger.debug("filename %s" % file_name)
logger.debug("comment %s" % file_comment)
tie_client.set_file_reputation(
reputation,
hashes,
#FileType.PEEXE,
filename=file_name,
comment=file_comment)
logger.info(
"Information: IoC %s sent to Threat Intelligence Exchange Database"
% file_name)
ioc_set = ioc_set + 1
except ValueError as e:
logger.error(
"Error sending IoC %s to Threat Intelligence Exchange Database"
% file_name)
ioc_error = ioc_error + 1
ioc_total = ioc_total + 1
ioc_procesed = {
"total_ioc_processed": ioc_total,
"ioc_set": ioc_set,
"ioc_exist": ioc_exist,
"ioc_error": ioc_error
}
return (ioc_procesed)
def run(self, results):
"""Writes report.
@param results: Cuckoo results dict.
@raise CuckooReportError: if fails to write report.
"""
try:
currentMD5 = results["target"]["file"]["md5"]
currentSHA1 = results["target"]["file"]["sha1"]
currentSHA256 = results["target"]["file"]["sha256"]
currentFilename = results["target"]["file"]["name"]
currentTrustLevel = results["info"]["score"]
print currentMD5
print currentSHA1
print currentSHA256
print currentFilename
print currentTrustLevel
if float(currentTrustLevel) < 4.0:
print "Trust Level is " + str(
currentTrustLevel) + ". No update required."
return
print "Opening DXL connection"
with DxlClient(config) as client:
#Connect to DXL fabric
print "Connecting to DXL fabric."
client.connect()
#Create TIE Client
print "Connecting to TIE."
tie_client = TieClient(client)
print "Trust Level is " + str(
currentTrustLevel) + ". Updating TIE."
reputations_dict = \
tie_client.get_file_reputation({
HashType.MD5: currentMD5,
HashType.SHA1: currentSHA1,
HashType.SHA256: currentSHA256
})
print reputations_dict
#Check if there is an enterprise (custom set) reputation
if (reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.NOT_SET or \
reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.UNKNOWN or \
reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.MIGHT_BE_TRUSTED or \
reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.MOST_LIKELY_TRUSTED):
print "Current Trust Level is" + str(reputations_dict[
FileProvider.ENTERPRISE]["trustLevel"])
#also, let's make sure GTI trustLevels are either not being queried, or set to Unknown
#we are nesting for clarity
if (FileProvider.GTI not in reputations_dict.keys()
or reputations_dict[FileProvider.GTI]
== TrustLevel.UNKNOWN):
print "GTI either does not exist or set to UNKNOWN"
# If not set, go ahead and set it
tie_client.set_file_reputation(
TrustLevel.MOST_LIKELY_MALICIOUS, {
HashType.MD5: currentMD5,
HashType.SHA1: currentSHA1,
HashType.SHA256: currentSHA256
},
filename=currentFilename,
comment=
"Reputation set via OpenDXL Cuckoo Integration. Cuckoo scored this sample a "
+ str(currentTrustLevel) + " out of 10.")
print "Reputation set for: " + str(
currentFilename) + ": " + currentMD5
except (TypeError, IOError) as e:
raise CuckooReportError("Failed to update TIE with results: %s" %
e)
for fileKey in WFResult:
#unset reusables
reputations_dict = None
currentMD5 = None
currentSHA256 = None
currentFilename = None
currentTrustLevel = None
currentMD5= WFResult[fileKey]['md5']
currentSHA256=WFResult[fileKey]['sha256']
currentFilename=WFResult[fileKey]['filename']
currentTrustLevel=WFResult[fileKey]['trustlevel']
reputations_dict = \
tie_client.get_file_reputation({
HashType.MD5: currentMD5,
HashType.SHA256: currentSHA256
})
#Check if there is an enterprise (custom set) reputation
if (reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.NOT_SET and \
reputations_dict[FileProvider.GTI]["trustLevel"]==TrustLevel.NOT_SET) or \
reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.UNKNOWN or \
reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.MIGHT_BE_TRUSTED or \
reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.MOST_LIKELY_TRUSTED:
# If not set, go ahead and set it
tie_client.set_file_reputation(
currentTrustLevel, {
HashType.MD5: currentMD5,
HashType.SHA256: currentSHA256},
filename=currentFilename,
class FunctionComponent(ResilientComponent):
"""Component that implements Resilient function 'mcafee_tie_search_hash"""
config_file = "dxlclient_config"
def __init__(self, opts):
"""constructor provides access to the configuration options"""
super(FunctionComponent, self).__init__(opts)
try:
config = opts.get("fn_mcafee_tie").get(self.config_file)
if config is None:
LOG.error(self.config_file + " is not set. You must set this path to run this function")
raise ValueError(self.config_file + " is not set. You must set this path to run this function")
LOG.info("Using %s to create configuration for DxlClient", config)
# Create configuration from file for DxlClient
self.config = DxlClientConfig.create_dxl_config_from_file(config)
except AttributeError:
LOG.error("There is no [fn_mcafee_tie] section in the config file, "
"please set that by running resilient-circuits config -u")
raise AttributeError("[fn_mcafee_tie] section is not set in the config file")
self.client = DxlClient(self.config)
self._connect_client()
def _connect_client(self):
# Connect client
if not self.client.connected:
self.client.connect()
self.tie_client = TieClient(self.client)
@handler("reload")
def _reload(self, event, opts):
"""Configuration options have changed, save new values"""
self.options = opts.get("fn_mcafee_tie", {})
@function("mcafee_tie_search_hash")
def _mcafee_tie_search_hash_function(self, event, *args, **kwargs):
"""Function: """
yield StatusMessage("Searching Hash...")
try:
response_dict = {}
# Get the function parameters:
mcafee_tie_hash_type = kwargs.get("mcafee_tie_hash_type") # text
if not mcafee_tie_hash_type:
yield FunctionError("mcafee_tie_hash_type is required")
mcafee_tie_hash = kwargs.get("mcafee_tie_hash") # text
if not mcafee_tie_hash:
yield FunctionError("mcafee_tie_hash is required")
LOG.debug("_lookup_hash started for Artifact Type {0} - Artifact Value {1}".format(
mcafee_tie_hash_type, mcafee_tie_hash))
if mcafee_tie_hash_type == "md5":
resilient_hash = {HashType.MD5: mcafee_tie_hash}
elif mcafee_tie_hash_type == "sha1":
resilient_hash = {HashType.SHA1: mcafee_tie_hash}
elif mcafee_tie_hash_type == "sha256":
resilient_hash = {HashType.SHA256: mcafee_tie_hash}
else:
yield FunctionError("Something went wrong setting the hash value")
# Make sure client is connected
self._connect_client()
reputations_dict = \
self.tie_client.get_file_reputation(
resilient_hash
)
system_list = self.tie_client.get_file_first_references(
resilient_hash
)
response_dict["Enterprise"] = self._get_enterprise_info(reputations_dict)
response_dict["GTI"] = self._get_gti_info(reputations_dict)
response_dict["ATD"] = self._get_atd_info(reputations_dict)
response_dict["MWG"] = self._get_mwg_info(reputations_dict)
response_dict["system_list"] = system_list
yield StatusMessage("Done...")
# Produce a FunctionResult with the return value
yield FunctionResult(response_dict)
except Exception as err:
yield FunctionError(err)
def _get_enterprise_info(self, reputations_dict):
ent_dict = {}
# Information for Enterprise file provider
if FileProvider.ENTERPRISE in reputations_dict:
ent_rep = reputations_dict[FileProvider.ENTERPRISE]
ent_dict["File Provider"] = "Enterprise"
ent_dict["Create Date"] = EpochMixin.to_localtime_string(ent_rep[ReputationProp.CREATE_DATE])
trust_level = self._get_trust_level(ent_rep[ReputationProp.TRUST_LEVEL])
if trust_level:
ent_dict["Trust Level"] = trust_level
# Retrieve the enterprise reputation attributes
if ReputationProp.ATTRIBUTES in ent_rep:
ent_rep_attribs = ent_rep[ReputationProp.ATTRIBUTES]
attribs_dict = {}
if FileEnterpriseAttrib.PREVALENCE in ent_rep_attribs:
attribs_dict["Prevalence"] = ent_rep_attribs[FileEnterpriseAttrib.PREVALENCE]
if FileEnterpriseAttrib.ENTERPRISE_SIZE in ent_rep_attribs:
attribs_dict["Enterprise Size"] = ent_rep_attribs[FileEnterpriseAttrib.ENTERPRISE_SIZE]
if FileEnterpriseAttrib.FIRST_CONTACT in ent_rep_attribs:
attribs_dict["First Contact"] = FileEnterpriseAttrib.to_localtime_string(
ent_rep_attribs[FileEnterpriseAttrib.FIRST_CONTACT])
if FileEnterpriseAttrib.PARENT_AVG_LOCAL_REP in ent_rep_attribs:
attribs_dict["Parent Avg Local Rep"] = self._get_trust_level(int(ent_rep_attribs[
FileEnterpriseAttrib.PARENT_AVG_LOCAL_REP]))
if FileEnterpriseAttrib.PARENT_FILE_REPS in ent_rep_attribs:
attribs_dict["Parent File Reps"] = FileEnterpriseAttrib.to_aggregate_tuple(ent_rep_attribs[
FileEnterpriseAttrib.PARENT_FILE_REPS])
if FileEnterpriseAttrib.CHILD_FILE_REPS in ent_rep_attribs:
attribs_dict["Child File Reps"] = FileEnterpriseAttrib.to_aggregate_tuple(ent_rep_attribs[
FileEnterpriseAttrib.CHILD_FILE_REPS])
if FileEnterpriseAttrib.AVG_LOCAL_REP in ent_rep_attribs:
attribs_dict["Average Local Rep"] = self._get_trust_level(int(ent_rep_attribs[
FileEnterpriseAttrib.AVG_LOCAL_REP]))
if FileEnterpriseAttrib.MAX_LOCAL_REP in ent_rep_attribs:
attribs_dict["Max Local Rep"] = self._get_trust_level(int(ent_rep_attribs[
FileEnterpriseAttrib.MAX_LOCAL_REP]))
if FileEnterpriseAttrib.MIN_LOCAL_REP in ent_rep_attribs:
attribs_dict["Min Local Rep"] = self._get_trust_level(int(ent_rep_attribs[
FileEnterpriseAttrib.MIN_LOCAL_REP]))
if FileEnterpriseAttrib.DETECTION_COUNT in ent_rep_attribs:
attribs_dict["Detection Count"] = ent_rep_attribs[FileEnterpriseAttrib.DETECTION_COUNT]
if FileEnterpriseAttrib.FILE_NAME_COUNT in ent_rep_attribs:
attribs_dict["File Name Count"] = ent_rep_attribs[FileEnterpriseAttrib.FILE_NAME_COUNT]
if FileEnterpriseAttrib.LAST_DETECTION_TIME in ent_rep_attribs:
attribs_dict["Last Detection Time"] = FileEnterpriseAttrib.to_localtime_string(
ent_rep_attribs[FileEnterpriseAttrib.FIRST_CONTACT])
if FileEnterpriseAttrib.IS_PREVALENT in ent_rep_attribs:
attribs_dict["Is Prevalent"] = ent_rep_attribs[FileEnterpriseAttrib.IS_PREVALENT]
if FileEnterpriseAttrib.PARENT_MIN_LOCAL_REP in ent_rep_attribs:
attribs_dict["Parent Min Local Rep"] = self._get_trust_level(int(ent_rep_attribs[
FileEnterpriseAttrib.PARENT_MIN_LOCAL_REP]))
if FileEnterpriseAttrib.PARENT_MAX_LOCAL_REP in ent_rep_attribs:
attribs_dict["Parent Max Local Rep"] = self._get_trust_level(int(ent_rep_attribs[
FileEnterpriseAttrib.PARENT_MAX_LOCAL_REP]))
ent_dict["Attributes"] = attribs_dict
return ent_dict
def _get_gti_info(self, reputations_dict):
gti_dict = {}
# Information for GTI file provider
if FileProvider.GTI in reputations_dict:
gti_rep = reputations_dict[FileProvider.GTI]
gti_dict["File Provider"] = "GTI"
gti_dict["Create Date"] = EpochMixin.to_localtime_string(gti_rep[ReputationProp.CREATE_DATE])
trust_level = self._get_trust_level(gti_rep[ReputationProp.TRUST_LEVEL])
if trust_level:
gti_dict["Trust Level"] = trust_level
# Retrieve the GTI reputation attributes
if ReputationProp.ATTRIBUTES in gti_rep:
gti_rep_attribs = gti_rep[ReputationProp.ATTRIBUTES]
attribs_dict = {}
# Get prevalence (if it exists)
if FileGtiAttrib.PREVALENCE in gti_rep_attribs:
attribs_dict["Prevalence"] = gti_rep_attribs[FileGtiAttrib.PREVALENCE]
# Get First Contact Date (if it exists)
if FileGtiAttrib.FIRST_CONTACT in gti_rep_attribs:
attribs_dict["First Contact"] = EpochMixin.to_localtime_string(gti_rep_attribs[
FileGtiAttrib.FIRST_CONTACT])
gti_dict["Attributes"] = attribs_dict
return gti_dict
def _get_atd_info(self, reputations_dict):
atd_dict = {}
# Information for Advanced Threat Defense file provider
if FileProvider.ATD in reputations_dict:
atd_rep = reputations_dict[FileProvider.ATD]
atd_dict["File Provider"] = "ATD"
atd_dict["Create Date"] = EpochMixin.to_localtime_string(atd_rep[ReputationProp.CREATE_DATE])
trust_level = self._get_trust_level(atd_rep[ReputationProp.TRUST_LEVEL])
if trust_level:
atd_dict["Trust Level"] = trust_level
# Retrieve the ATD reputation attributes
if ReputationProp.ATTRIBUTES in atd_rep:
atd_rep_attribs = atd_rep[ReputationProp.ATTRIBUTES]
attribs_dict = {}
# Get Trust scores
if AtdAttrib.GAM_SCORE in atd_rep_attribs:
attribs_dict["GAM Score"] = self._get_atd_trust_level(atd_rep, AtdAttrib.GAM_SCORE)
if AtdAttrib.AV_ENGINE_SCORE in atd_rep_attribs:
attribs_dict["AV Engine Score"] = self._get_atd_trust_level(atd_rep, AtdAttrib.AV_ENGINE_SCORE)
if AtdAttrib.GAM_SCORE in atd_rep_attribs:
attribs_dict["Sandbox Score"] = self._get_atd_trust_level(atd_rep, AtdAttrib.SANDBOX_SCORE)
if AtdAttrib.GAM_SCORE in atd_rep_attribs:
attribs_dict["Verdict"] = self._get_atd_trust_level(atd_rep, AtdAttrib.VERDICT)
if AtdAttrib.BEHAVIORS in atd_rep_attribs:
attribs_dict["Behaviors"] = atd_rep_attribs[AtdAttrib.BEHAVIORS]
atd_dict["Attributes"] = attribs_dict
return atd_dict
def _get_mwg_info(self, reputations_dict):
mwg_dict = {}
# Information for file provider
if FileProvider.MWG in reputations_dict:
mwg_rep = reputations_dict[FileProvider.MWG]
mwg_dict["File Provider"] = "MWG"
mwg_dict["Create Date"] = EpochMixin.to_localtime_string(mwg_rep[ReputationProp.CREATE_DATE])
trust_level = self._get_trust_level(mwg_rep[ReputationProp.TRUST_LEVEL])
if trust_level:
mwg_dict["Trust Level"] = trust_level
return mwg_dict
@staticmethod
def _get_trust_level(trust_level_number):
trust_level = ""
if TrustLevel.KNOWN_TRUSTED_INSTALLER is trust_level_number:
trust_level = "Known Trusted Installer"
elif TrustLevel.KNOWN_TRUSTED is trust_level_number:
trust_level = "Known Trusted"
elif TrustLevel.MOST_LIKELY_TRUSTED is trust_level_number:
trust_level = "Most Likely Trusted"
elif TrustLevel.MIGHT_BE_TRUSTED is trust_level_number:
trust_level = "Might Be Trusted"
elif TrustLevel.UNKNOWN is trust_level_number:
trust_level = "Unknown"
elif TrustLevel.MIGHT_BE_MALICIOUS is trust_level_number:
trust_level = "Might be Malicious"
elif TrustLevel.MOST_LIKELY_MALICIOUS is trust_level_number:
trust_level = "Most Likely Malicious"
elif TrustLevel.KNOWN_MALICIOUS is trust_level_number:
trust_level = "Known Malicious"
elif TrustLevel.NOT_SET is trust_level_number:
trust_level = "Not Set"
return trust_level
@staticmethod
def _get_atd_trust_level(atd_rep, rep_provider):
trust_level = ""
if AtdTrustLevel.KNOWN_TRUSTED is atd_rep[rep_provider]:
trust_level = "Known Trusted"
elif AtdTrustLevel.MOST_LIKELY_TRUSTED is atd_rep[rep_provider]:
trust_level = "Most Likely Trusted"
elif AtdTrustLevel.MIGHT_BE_TRUSTED is atd_rep[rep_provider]:
trust_level = "Might Be Trusted"
elif AtdTrustLevel.UNKNOWN is atd_rep[rep_provider]:
trust_level = "Unknown"
elif AtdTrustLevel.MIGHT_BE_MALICIOUS is atd_rep[rep_provider]:
trust_level = "Might be Malicious"
elif AtdTrustLevel.MOST_LIKELY_MALICIOUS is atd_rep[rep_provider]:
trust_level = "Most Likely Malicious"
elif AtdTrustLevel.KNOWN_MALICIOUS is atd_rep[rep_provider]:
trust_level = "Known Malicious"
elif AtdTrustLevel.NOT_SET is atd_rep[rep_provider]:
trust_level = "Not Set"
return trust_level
tie_client = TieClient(client)
#
# Hashes for the file whose reputation will be set.
#
# Replace the random values for the actual file hashes.
#
hashes = {
HashType.MD5: fileMD5,
HashType.SHA1: fileSHA1,
HashType.SHA256: fileSHA256
}
#
# Request reputation for the file
#
reputations_dict = tie_client.get_file_reputation(hashes)
#
# Check if there's any definitive reputation (different to Not Set [0] and Unknown [50])
# for any provider except for External Provider (providerId=15)
#
has_definitive_reputation = \
any([rep[ReputationProp.TRUST_LEVEL] != TrustLevel.NOT_SET
and rep[ReputationProp.TRUST_LEVEL] != TrustLevel.UNKNOWN
and rep[ReputationProp.PROVIDER_ID] != FileProvider.EXTERNAL
for rep in reputations_dict.values()])
if has_definitive_reputation:
print("Abort: There is a reputation from another provider for the file, "
"External Reputation is not necessary.")
else:
#
# Create the client
with DxlClient(config) as client:
# Connect to the fabric
client.connect()
# Create the McAfee Threat Intelligence Exchange (TIE) client
tie_client = TieClient(client)
#
# Request and display reputation for notepad.exe
#
reputations_dict = \
tie_client.get_file_reputation({
HashType.MD5: "f2c7bb8acc97f92e987a2d4087d021b1",
HashType.SHA1: "7eb0139d2175739b3ccb0d1110067820be6abd29",
HashType.SHA256: "142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2"
})
print("Notepad.exe reputations:")
print(MessageUtils.dict_to_json(reputations_dict, True) + "\n")
#
# Request and display reputation for EICAR
#
reputations_dict = \
tie_client.get_file_reputation({
HashType.MD5: "44d88612fea8a8f36de82e1278abb02f",
HashType.SHA1: "3395856ce81f2b7382dee72602f798b642f14140",
HashType.SHA256: "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
})
print("EICAR reputations:")
class TieSample():
def __init__(self, options, dxlclient, reputation_lookup_dict=None):
# Create the McAfee Threat Intelligence Exchange (TIE) client
self.tie_client = TieClient(dxlclient)
# TODO:Refactor this
self.reputation_lookup_dict = reputation_lookup_dict
if self.reputation_lookup_dict:
try:
self.filehash = reputation_lookup_dict['md5']
except:
try:
self.filehash = reputation_lookup_dict['sha1']
except:
self.filehash = "unknown"
self.reputations_dict = self._getFileRep()
else:
self.filehash = options.filehash
if self.filehash == None:
return "no file hash"
self.reputations_dict = self._getFileRep()
self.content = self._getFileProps()
@property
def reputations_dict(self):
return self._reputations_dict
def _getFileRep(self):
#TODO: Refactor this
if self.reputation_lookup_dict:
reputations_dict = self.tie_client.get_file_reputation(
self.reputation_lookup_dict)
else:
if utils.is_sha1(self.filehash):
reputations_dict = self.tie_client.get_file_reputation(
{HashType.SHA1: self.filehash})
elif utils.is_sha256(self.filehash):
reputations_dict = self.tie_client.get_file_reputation(
{HashType.SHA256: self.filehash})
elif utils.is_md5(self.filehash):
reputations_dict = self.tie_client.get_file_reputation(
{HashType.MD5: self.filehash})
else:
return "not a valid file hash"
return reputations_dict
def _getFileProps(self):
# Get File Properties and Map with Providers and TIE Score
propList = []
fileProps = self.reputations_dict
if FileProvider.GTI in fileProps:
propDict = {}
propDict['provider'] = providerMap[fileProps[FileProvider.GTI]
['providerId']]
propDict['reputation'] = tiescoreMap[fileProps[FileProvider.GTI]
['trustLevel']]
propDict['createDate'] = fileProps[FileProvider.GTI]['createDate']
propList.append(propDict)
if FileProvider.ENTERPRISE in fileProps:
propDict = {}
propDict['provider'] = providerMap[fileProps[
FileProvider.ENTERPRISE]['providerId']]
propDict['reputation'] = tiescoreMap[fileProps[
FileProvider.ENTERPRISE]['trustLevel']]
propDict['createDate'] = fileProps[
FileProvider.ENTERPRISE]['createDate']
propList.append(propDict)
if FileProvider.ATD in fileProps:
propDict = {}
propDict['provider'] = providerMap[fileProps[FileProvider.ATD]
['providerId']]
propDict['reputation'] = tiescoreMap[fileProps[FileProvider.ATD]
['trustLevel']]
propDict['createDate'] = fileProps[FileProvider.ATD]['createDate']
propList.append(propDict)
if FileProvider.MWG in fileProps:
propDict = {}
propDict['provider'] = providerMap[fileProps[FileProvider.MWG]
['providerId']]
propDict['reputation'] = tiescoreMap[fileProps[FileProvider.MWG]
['trustLevel']]
propDict['createDate'] = fileProps[FileProvider.MWG]['createDate']
propList.append(propDict)
return propList
#TODO: stupid name.. rename it combined_reputation
#INFO: this returns an array 0 is the val 1 is the str
def calcRep(self):
# Return a Summary Cascade 0-100 Value for Reputation.
# OOP: Enterprise -> ATD -> MWG -> GTI
#TODO: create property sample.combined_reputation_str
#TODO: create property sample.combined_reputation
reputations_dict = self.reputations_dict
# If there is TIE ENTERPRISE rep, use it, then look at ATD, then GTI.
if FileProvider.ENTERPRISE in reputations_dict:
ent_rep = reputations_dict[FileProvider.ENTERPRISE]
rep = ent_rep[ReputationProp.TRUST_LEVEL]
warning_provider = FileProvider.ENTERPRISE
if rep == 0:
if FileProvider.ATD in reputations_dict:
atd_rep = reputations_dict[FileProvider.ATD]
rep = atd_rep[ReputationProp.TRUST_LEVEL]
warning_provider = FileProvider.ATD
if rep == 0:
if FileProvider.MWG in reputations_dict:
mwg_rep = reputations_dict[FileProvider.MWG]
rep = atd_rep[ReputationProp.TRUST_LEVEL]
warning_provider = FileProvider.MWG
if rep == 0:
if FileProvider.GTI in reputations_dict:
gti_rep = reputations_dict[FileProvider.GTI]
rep = gti_rep[ReputationProp.TRUST_LEVEL]
warning_provider = FileProvider.GTI
else:
if FileProvider.GTI in reputations_dict:
gti_rep = reputations_dict[FileProvider.GTI]
rep = gti_rep[ReputationProp.TRUST_LEVEL]
warning_provider = FileProvider.GTI
if rep <= TrustLevel.MOST_LIKELY_TRUSTED:
if rep <= TrustLevel.MOST_LIKELY_MALICIOUS:
rep_str = "bad"
else:
if FileProvider.ATD in reputations_dict:
rep_str = "medium"
else:
rep_str = "unknown"
else:
rep_str = "good"
return [rep, rep_str, warning_provider]
def tieResponse(self):
rtv_string = "File Hash " + self.filehash + " Reputation\n\n"
# Format a String Response
i = 1
for key in self.content:
rtv_string = rtv_string + "Provider: " + key['provider'] + "\n"
rtv_string = rtv_string + "Creation Date: " + utils.time_to_str(
key['createDate']) + "\n"
rtv_string = rtv_string + "Reputation: " + key['reputation'] + "\n"
rtv_string += "\n"
i += 1
return rtv_string
def run(self):
"""Runs TIE processing
@return: TIE results
"""
log.info("Processing TIE reputation analysis.")
self.key = "tie"
timeout = int(self.options.get("timeout", 60))
scan = int(self.options.get("scan", 0))
# Evaluate the original sample against TIE reputation
if self.task["category"] == "file":
# Create the client
with DxlClient(config) as client:
# Connect to the fabric
client.connect()
tie_client = TieClient(client)
#Generate relevant hash information
md5_hex = File(self.file_path).get_md5()
sha1_hex = File(self.file_path).get_sha1()
sha256_hex = File(self.file_path).get_sha256()
#Request raw json reputation results
reputations_dict = \
tie_client.get_file_reputation({
HashType.MD5: md5_hex,
HashType.SHA1: sha1_hex,
HashType.SHA256: sha256_hex
})
#debug
log.info("Raw TIE results: " +
json.dumps(reputations_dict,
sort_keys=True,
indent=4,
separators=(',', ': ')))
#initialize result array and tiekey counter for each result
proc_result = {}
tiekey = 0
strtiekey = str(tiekey)
# Display the Global Threat Intelligence
if FileProvider.GTI in reputations_dict:
gti_rep = reputations_dict[FileProvider.GTI]
proc_result[strtiekey] = {}
proc_result[strtiekey][
'title'] = "Global Threat Intelligence (GTI) Test Date:"
proc_result[strtiekey][
'value'] = EpochMixin.to_localtime_string(
gti_rep[ReputationProp.CREATE_DATE])
tiekey += 1
strtiekey = str(tiekey)
#Set GTI Trust Level
proc_result[strtiekey] = {}
proc_result[strtiekey][
'title'] = "Global Threat Intelligence (GTI) trust level:"
trustValue = gti_rep[ReputationProp.TRUST_LEVEL]
proc_result[strtiekey]['value'] = self.trustLevel(
trustValue)
tiekey += 1
strtiekey = str(tiekey)
# Display the Enterprise reputation information
if FileProvider.ENTERPRISE in reputations_dict:
ent_rep = reputations_dict[FileProvider.ENTERPRISE]
# Retrieve the enterprise reputation attributes
ent_rep_attribs = ent_rep[ReputationProp.ATTRIBUTES]
# Display prevalence (if it exists)
if FileEnterpriseAttrib.PREVALENCE in ent_rep_attribs:
proc_result[strtiekey] = {}
proc_result[strtiekey][
'title'] = "Enterprise prevalence:"
proc_result[strtiekey]['value'] = ent_rep_attribs[
FileEnterpriseAttrib.PREVALENCE]
tiekey += 1
strtiekey = str(tiekey)
# Display first contact date (if it exists)
if FileEnterpriseAttrib.FIRST_CONTACT in ent_rep_attribs:
proc_result[strtiekey] = {}
proc_result[strtiekey]['title'] = "First contact: "
proc_result[strtiekey][
'value'] = FileEnterpriseAttrib.to_localtime_string(
ent_rep_attribs[
FileEnterpriseAttrib.FIRST_CONTACT])
tiekey += 1
strtiekey = str(tiekey)
#These are lookup conversions for the ATD trust_score
valueDict = {}
valueDict['-1'] = "Known Trusted"
valueDict['0'] = "Most Likely Trusted"
valueDict['1'] = "Might Be Trusted"
valueDict['2'] = "Unknown"
valueDict['3'] = "Might Be Malicious"
valueDict['4'] = "Most Likely Malicious"
valueDict['5'] = "Known Malicious"
valueDict['-2'] = "Not Set"
# Display the ATD reputation information
if FileProvider.ATD in reputations_dict:
atd_rep = reputations_dict[FileProvider.ATD]
# Retrieve the ATD reputation attributes
atd_rep_attribs = atd_rep[ReputationProp.ATTRIBUTES]
proc_result[strtiekey] = {}
proc_result[strtiekey]['title'] = "ATD Test Date: "
proc_result[strtiekey][
'value'] = EpochMixin.to_localtime_string(
atd_rep[ReputationProp.CREATE_DATE])
tiekey += 1
strtiekey = str(tiekey)
# Display GAM Score (if it exists)
if AtdAttrib.GAM_SCORE in atd_rep_attribs:
proc_result[strtiekey] = {}
proc_result[strtiekey][
'title'] = "ATD Gateway AntiMalware Score: "
proc_result[strtiekey]['value'] = valueDict[
atd_rep_attribs[AtdAttrib.GAM_SCORE]]
tiekey += 1
strtiekey = str(tiekey)
# Display AV Engine Score (if it exists)
if AtdAttrib.AV_ENGINE_SCORE in atd_rep_attribs:
proc_result[strtiekey] = {}
proc_result[strtiekey][
'title'] = "ATD AV Engine Score: "
proc_result[strtiekey]['value'] = valueDict[
atd_rep_attribs[AtdAttrib.AV_ENGINE_SCORE]]
tiekey += 1
strtiekey = str(tiekey)
# Display Sandbox Score (if it exists)
if AtdAttrib.SANDBOX_SCORE in atd_rep_attribs:
proc_result[strtiekey] = {}
proc_result[strtiekey]['title'] = "ATD Sandbox Score: "
proc_result[strtiekey]['value'] = valueDict[
atd_rep_attribs[AtdAttrib.SANDBOX_SCORE]]
tiekey += 1
strtiekey = str(tiekey)
# Display Verdict (if it exists)
if AtdAttrib.VERDICT in atd_rep_attribs:
proc_result[strtiekey] = {}
proc_result[strtiekey]['title'] = "ATD Verdict: "
proc_result[strtiekey]['value'] = valueDict[
atd_rep_attribs[AtdAttrib.VERDICT]]
tiekey += 1
strtiekey = str(tiekey)
results = proc_result
elif self.task["category"] == "url":
return
elif self.task["category"] == "baseline":
return
elif self.task["category"] == "service":
return
else:
raise CuckooProcessingError("Unsupported task category: %s" %
self.task["category"])
log.info("Finished processing TIE reputation analysis.")
return results
for fileKey in MSResult:
#unset reusables
reputations_dict = None
#MalShare provides only MD5's
currentMD5 = None
currentFilename = None
currentTrustLevel = None
currentMD5 = MSResult[fileKey]['md5']
currentFilename = MSResult[fileKey]['filename']
currentTrustLevel = MSResult[fileKey]['trustlevel']
reputations_dict = \
tie_client.get_file_reputation({
HashType.MD5: currentMD5
})
#Check if there is an enterprise (custom set) reputation
if (reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.NOT_SET and \
reputations_dict[FileProvider.GTI]["trustLevel"]==TrustLevel.NOT_SET) or \
reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.UNKNOWN or \
reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.MIGHT_BE_TRUSTED or \
reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.MOST_LIKELY_TRUSTED:
# If not set, go ahead and set it
tie_client.set_file_reputation(
currentTrustLevel, {HashType.MD5: currentMD5},
filename=currentFilename,
comment="Reputation set via OpenDXL MalShare Integration")
print "Reputation set for: " + str(fileKey) + ": " + currentMD5
