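def set_rep(self, eventid, hash):
    """Push an External-provider reputation for one MD5 into TIE over OpenDXL.

    Args:
        eventid: MISP event id; only used to label the file in TIE
            (``filename='MISP Hash <eventid>'``).
        hash: MD5 of the file as a hex string (32 hex digits, any case).
            Kept as the parameter name for caller compatibility even though
            it shadows the builtin.

    Returns:
        True when TIE accepted the reputation, False on any error. Errors are
        printed and never raised, matching the original contract.

    The trust level comes from ``self.tie_rep`` and the DXL client settings
    from ``self.config``; neither is validated here. Whatever is pushed
    becomes the External provider's verdict for that file in TIE, so the
    hash is sanity-checked before a connection is opened.
    """
    try:
        # Reject anything that is not a 32-digit hex MD5 up front so a
        # malformed value from the event never reaches the fabric; the
        # error is routed through the same handler as a transport failure.
        md5_hex = str(hash).strip().lower()
        if len(md5_hex) != 32 or any(c not in '0123456789abcdef' for c in md5_hex):
            raise ValueError('not a valid MD5 hex digest: {0!r}'.format(hash))
        with DxlClient(self.config) as client:
            client.connect()
            tie_client = TieClient(client)
            tie_client.set_external_file_reputation(
                self.tie_rep,
                {'md5': hash},
                filename='MISP Hash {0}'.format(str(eventid)),
                comment='External Reputation set via OpenDXL')
            print('SUCCESS: Successfully pushed MD5 {0} to TIE.'.format(str(hash)))
        return True
    except Exception as e:
        # sys.exc_info() is a (type, value, traceback) tuple; only the
        # traceback is needed for the line number.
        exc_tb = sys.exc_info()[2]
        print('ERROR: Error in {location}.{funct_name}() - line {line_no} : {error}'
              .format(location=__name__,
                      funct_name=sys._getframe().f_code.co_name,
                      line_no=exc_tb.tb_lineno,
                      error=str(e)))
        return False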
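class TIE_Plugin(PluginBase):
    """MISP export plugin that pushes file hashes into McAfee TIE over OpenDXL.

    Every md5/sha1/sha256 attribute found in an exported event, whether at the
    top level or nested inside an Object, is written to TIE as an
    External-provider reputation carrying the module-level ``TIE_REPUTATION``
    trust level.

    NOTE(review): nothing here filters attributes (for example on MISP's
    ``to_ids`` flag) -- every hash of those three types in the event is
    pushed, so the feed handed to this plugin must already be curated.
    """

    # Attribute types TIE accepts as file-hash keys in
    # set_external_file_reputation().
    _HASH_TYPES = ('md5', 'sha1', 'sha256')

    def __init__(self):
        logger.info("Plugin " + _plugin_name + " initializing...")
        # The DxlClientConfig is built once from the DXL config file named in
        # the MISP plugin configuration; the DXL client itself is created per
        # event inside export().
        dxl_config_path = cfg['ExportPlugins']['TIE_Plugin']['DXLConfig']
        logger.debug(_plugin_name + " : Loading DXL config from: %s", dxl_config_path)
        self.dxl_config = DxlClientConfig.create_dxl_config_from_file(dxl_config_path)
        # Valid only while a DXL connection is open inside export().
        self.tie_client = None

    @classmethod
    def _hash_attributes(cls, event):
        """Yield ``(hash_type, hash_value, where)`` for each hash attribute of a MISP event.

        ``where`` is ``'attribute'`` for top-level attributes and
        ``'object attribute'`` for attributes nested in Objects. A missing
        ``Attribute`` or ``Object`` list is treated as empty instead of
        raising KeyError.
        """
        ev = event['Event']
        for attribute in ev.get('Attribute', []):
            if attribute['type'] in cls._HASH_TYPES:
                yield attribute['type'], attribute['value'], 'attribute'
        for obj in ev.get('Object', []):
            for attribute in obj.get('Attribute', []):
                if attribute['type'] in cls._HASH_TYPES:
                    yield attribute['type'], attribute['value'], 'object attribute'

    def export(self, results_array):
        """Push the hash attributes of every event in ``results_array`` to TIE.

        One DXL connection is opened per event. ``self.tie_client`` is set
        while that connection is open and cleared again in a ``finally`` so a
        failed push cannot leave a stale client behind for the next event.
        """
        for event in results_array:
            ev = event['Event']
            # NOTE(review): event id/info/date come straight from the MISP
            # event and are logged verbatim; they are not sanitised here.
            logger.debug(_plugin_name + " processing event: (Event ID: " + ev['id'] + ", Event Info: " + ev['info'] + ", Event Date: " + ev['date'] + ")")
            comment_str = "MISP (Event ID {0}, Info: {1})".format(str(ev['id']), str(ev['info']))
            with DxlClient(self.dxl_config) as client:
                logger.debug(_plugin_name + " : Connecting OpenDXL client...")
                client.connect()
                # Create the McAfee Threat Intelligence Exchange (TIE) client
                self.tie_client = TieClient(client)
                try:
                    for hash_type, hash_value, where in self._hash_attributes(event):
                        logger.debug("Found {0} type {1} = {2} in MISP event {3}.".format(where, str(hash_type), str(hash_value), str(ev['id'])))
                        self.set_tie_reputation(TIE_REPUTATION, hash_type, hash_value, comment_str)
                finally:
                    self.tie_client = None

    def set_tie_reputation(self, trust_level, hash_type, hash_value, comment_str):
        """Set the External-provider reputation of one hash in TIE.

        Args:
            trust_level: TIE trust level to assign. This parameter is now
                honoured; the previous implementation ignored it and always
                used the module-level ``TIE_REPUTATION``.
            hash_type: hash key TIE expects ('md5', 'sha1' or 'sha256').
            hash_value: hex digest for that key.
            comment_str: used as both the TIE filename label and the comment.

        Does nothing when no DXL connection is open (``self.tie_client`` is
        None). A ValueError from the TIE client (e.g. a malformed hash) is
        logged; any other error propagates to the caller.
        """
        if not self.tie_client:
            logger.debug(_plugin_name + " : No TIE client connected, skipping (%s)", comment_str)
            return
        try:
            self.tie_client.set_external_file_reputation(trust_level, {hash_type: hash_value}, filename=comment_str, comment=comment_str)
            logger.debug(_plugin_name + " : Reputation set (%s)", comment_str)
        except ValueError as e:
            logger.error(_plugin_name + " : Error while trying to set TIE reputation (%s)", str(e))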
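def set_reputation(self, list_hash, type_hash):
    """Push every hash in ``list_hash`` to TIE as KNOWN_MALICIOUS (External provider).

    Args:
        list_hash: iterable of threat records; each must expose
            ``hash_string`` (the hex digest) and ``name`` (used to label the
            file in TIE as ``'MISP Hash <name>'``).
        type_hash: TIE hash key applied to the whole batch, e.g. 'md5',
            'sha1' or 'sha256'. Not validated here; TIE rejects unknown keys
            with a ValueError, which is reported per item.

    Returns:
        Number of hashes TIE accepted. Errors are printed, never raised.

    Every accepted hash becomes a KNOWN_MALICIOUS verdict from the External
    provider in TIE, so the input list should be a curated set of indicators.
    """
    pushed = 0
    try:
        threats = list(list_hash)
        # Nothing to send: do not open a DXL connection at all.
        if not threats:
            return pushed
        with DxlClient(self.config) as client:
            client.connect()
            tie_client = TieClient(client)
            for new_threat in threats:
                # One malformed entry must not abort the rest of the batch:
                # the TIE client's ValueError is reported and the loop
                # continues. Transport errors still escape to the outer handler.
                try:
                    tie_client.set_external_file_reputation(
                        TrustLevel.KNOWN_MALICIOUS,
                        {type_hash: new_threat.hash_string},
                        filename='MISP Hash {0}'.format(str(new_threat.name)),
                        comment='External Reputation set via OpenDXL')
                except ValueError as e:
                    print('ERROR: TIE rejected {0} {1}: {2}'.format(type_hash, str(new_threat.hash_string), str(e)))
                    continue
                pushed += 1
                print('SUCCESS: Successfully pushed {0} {1} to TIE.'.format(type_hash, str(new_threat.hash_string)))
    except Exception as e:
        # sys.exc_info() returns a tuple; the original indexed .tb_lineno on
        # the tuple itself, which raised AttributeError inside the handler.
        exc_tb = sys.exc_info()[2]
        print('ERROR: Error in {location}.{funct_name}() - line {line_no} : {error}'
              .format(location=__name__,
                      funct_name=sys._getframe().f_code.co_name,
                      line_no=exc_tb.tb_lineno,
                      error=str(e)))
    return pushed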
# Ask TIE for every provider's current reputation of the file.
reputations_dict = tie_client.get_file_reputation(hashes)

# A reputation is "definitive" when its trust level is neither Not Set [0]
# nor Unknown [50] and it did not come from the External provider
# (providerId=15) itself -- our own earlier verdicts must not count.
_undecided_levels = (TrustLevel.NOT_SET, TrustLevel.UNKNOWN)
has_definitive_reputation = False
for rep in reputations_dict.values():
    if rep[ReputationProp.PROVIDER_ID] == FileProvider.EXTERNAL:
        continue
    if rep[ReputationProp.TRUST_LEVEL] in _undecided_levels:
        continue
    has_definitive_reputation = True
    break

if not has_definitive_reputation:
    # No other provider has an opinion, so publish the External reputation
    # for "random.exe" as Might Be Trusted. ValueError is what the TIE
    # client raises for a rejected request (e.g. malformed hash).
    try:
        tie_client.set_external_file_reputation(
            TrustLevel.MIGHT_BE_TRUSTED,
            hashes,
            FileType.PEEXE,
            filename="random.exe",
            comment="External Reputation set via OpenDXL")
        print("Event Sent")
    except ValueError as e:
        print("Error: " + str(e))
else:
    print("Abort: There is a reputation from another provider for the file, External Reputation is not necessary.")