def run(self, params={}):
"""
List IPS rules
"""
# Get parameters
self.scope = params.get(Input.SCOPE)
self.id = params.get(Input.ID)
ips_rules = set()
covered_cves = set()
hits = 0
self.logger.info(f"Getting rules from {self.scope} {self.id}")
# Prepare request
# Check if the rules should be assigned to a computer or policy
if self.scope == "computer":
url = f"{self.connection.dsm_url}/api/computers/{self.id}/intrusionprevention/rules"
else:
url = f"{self.connection.dsm_url}/api/policies/{self.id}/intrusionprevention/rules"
# Send request
response = self.connection.session.get(
url, verify=self.connection.dsm_verify_ssl)
self.logger.info(f"url: {response.url}")
self.logger.info(f"status: {response.status_code}")
self.logger.info(f"reason: {response.reason}")
# Check response errors
checkResponse(response)
# Try to convert the response data to JSON
response_data = tryJSON(response)
# Extract rules
if response_data["intrusionPreventionRules"]:
for rule in response_data["intrusionPreventionRules"]:
ips_rules.add(rule["ID"])
if 'CVE' in rule.keys():
self.logger.info(f"{rule['ID']}:\t{rule['name']} - " +
", ".join(rule['CVE']))
covered_cves.update(rule['CVE'])
else:
self.logger.info(f"{rule['ID']}:\t{rule['name']}")
else:
self.logger.info(f"No rules found!")
hits = len(response_data["intrusionPreventionRules"])
self.logger.info(
f"Found {hits} rules covering the following CVEs: \n" +
", ".join(covered_cves))
# Return assigned rules and covered CVEs
return {
Output.RULES_ASSIGNED: list(ips_rules),
Output.COVERED_CVES: list(covered_cves),
Output.RESPONSE_JSON: response_data
}
def run(self, params={}):
"""
Set IPS rules in Deep Security
"""
# Get parameters
self.computer_or_policy = params.get(Input.COMPUTER_OR_POLICY)
self.id = params.get(Input.ID)
self.rules = params.get(Input.RULES)
self.logger.info("Setting rules: ")
self.logger.info(self.rules)
# Prepare request
# Check if the rules should be assigned to a computer or policy
if self.computer_or_policy == "computer":
url = f"{self.connection.dsm_url}/api/computers/{self.id}/intrusionprevention/assignments"
else:
url = f"{self.connection.dsm_url}/api/policies/{self.id}/intrusionprevention/assignments"
data = {"ruleIDs": self.rules}
# Set rules
response = self.connection.session.post(
url, data=json.dumps(data), verify=self.connection.dsm_verify_ssl)
self.logger.info(f"url: {response.url}")
self.logger.info(f"status: {response.status_code}")
self.logger.info(f"reason: {response.reason}")
# Check response errors
checkResponse(response)
# Try to convert the response data to JSON
response_data = tryJSON(response)
# Get a list of all rules assigned to the asset or policy
rules_assigned = response_data["assignedRuleIDs"]
rules_not_assigned = []
# Check if the new rules were successfully assigned
for rule in self.rules:
if rule not in rules_assigned:
rules_not_assigned.append(rule)
# Return assigned and failed rules
return {
Output.RULES_ASSIGNED: rules_assigned,
Output.RULES_NOT_ASSIGNED: rules_not_assigned
}
def run(self, params={}):
"""
Get IPS rule details
"""
# Get parameters
self.id = params.get(Input.ID)
self.logger.info(f"Getting details for rule: {self.id}")
# Prepare request
url = f"{self.connection.dsm_url}/api/intrusionpreventionrules/{self.id}"
# Send request
response = self.connection.session.get(
url, verify=self.connection.dsm_verify_ssl)
self.logger.info(f"url: {response.url}")
self.logger.info(f"status: {response.status_code}")
self.logger.info(f"reason: {response.reason}")
# Check response errors
checkResponse(response)
# Try to convert the response data to JSON
response_data = tryJSON(response)
cves = []
name = response_data["name"]
description = response_data["description"]
severity = response_data["severity"]
rule_type = response_data["type"]
cvss_score = response_data["CVSSScore"]
if "CVE" in response_data.keys():
cves = response_data["CVE"]
# Return rule details
return {
Output.NAME: name,
Output.DESCRIPTION: description,
Output.SEVERITY: severity,
Output.TYPE: rule_type,
Output.CVSS_SCORE: cvss_score,
Output.CVES: cves,
Output.RESPONSE_JSON: response_data,
}
def search_rule_by_cve(self, cve: str) -> Tuple[set, set, set]:
"""
Search IPS rules for one CVE
"""
matched_cves = set()
missed_cves = set()
ips_rules = set()
# Prepare Search Criteria
data = {
"maxItems":
100,
"searchCriteria": [{
"fieldName": "CVE",
"stringWildcards": True,
"stringValue": f"%{cve}%"
}],
}
# Prepare request
url = f"{self.connection.dsm_url}/api/intrusionpreventionrules/search"
# Search for IPS rules
response = self.connection.session.post(
url, data=json.dumps(data), verify=self.connection.dsm_verify_ssl)
# Check response errors
checkResponse(response)
# Try to convert the response data to JSON
response_data = tryJSON(response)
# Check if matching IPS rules were found
if response_data["intrusionPreventionRules"]:
hits = len(response_data["intrusionPreventionRules"])
for rule in response_data["intrusionPreventionRules"]:
self.logger.info(f"{cve} -> {rule['ID']}: {rule['name']}")
ips_rules.add(rule["ID"])
matched_cves.add(cve)
else:
self.logger.info(f"{cve}: No rules found!")
missed_cves.add(cve)
return ips_rules, matched_cves, missed_cves
def collect_all_ips_rules(self) -> list:
"""
Receive all IPS rules from Deep Security
"""
ips_rules = []
ips_id = 0
step = 5000 # <= 5000
while True:
# Prepare Search Criteria
data = {
"maxItems": step,
"sortByObjectID": True,
"searchCriteria": [{
"idTest": "greater-than",
"idValue": ips_id
}],
}
# Send Request
url = f"{self.connection.dsm_url}/api/intrusionpreventionrules/search"
response = self.connection.session.post(
url,
data=json.dumps(data),
verify=self.connection.dsm_verify_ssl)
# Check response errors
checkResponse(response)
# Convert to JSON
response_data = tryJSON(response)
# Check if there are results
if response_data["intrusionPreventionRules"]:
hits = len(response_data["intrusionPreventionRules"])
ips_id = response_data["intrusionPreventionRules"][-1]["ID"]
else:
break
ips_rules.extend(response_data["intrusionPreventionRules"])
self.logger.info(f"Received {len(ips_rules)} IPS rules!")
return ips_rules
def test(self):
"""
Test connection to the Deep Security Manager
"""
# Prepare request
url = f"{self.dsm_url}/api/policies"
# Get list of policies
response = self.session.get(url, verify=self.dsm_verify_ssl)
# Try to convert the response data to JSON
response_data = tryJSON(response)
# Check response errors
checkResponse(response)
self.logger.info("Found " + str(len(response_data["policies"])) +
" policies!")
for policy in response_data["policies"]:
self.logger.info(policy["name"])
return {"data": response.ok}
def run(self, params={}):
'''
Searches for Computers in Deep Security
'''
# Get parameters
self.information = params.get(Input.INFORMATION)
self.max_items = params.get(Input.MAX_ITEMS)
self.field_name = params.get(Input.FIELD_NAME)
self.search_type = params.get(Input.SEARCH_TYPE)
self.string_value = params.get(Input.STRING_VALUE)
self.number_value = params.get(Input.NUMBER_VALUE)
computer_ids = set()
# Prepare request
url = f"{self.connection.dsm_url}/api/computers/search?expand={self.information}"
if self.field_name:
if self.search_type == "string" and self.string_value:
# Search for computers by string match
data = {
"maxItems":
self.max_items,
"searchCriteria": [{
"fieldName": self.field_name,
"stringWildcards": True,
"stringValue": self.string_value
}]
}
elif self.search_type == "integer" and self.number_value:
# Search for computers by number match
data = {
"maxItems":
self.max_items,
"searchCriteria": [{
"fieldName": self.field_name,
"stringWildcards": True,
"numericValue": self.number_value
}]
}
else:
raise PluginException(
cause=
"Scan type and matching seach value expected but not found!",
assistance=
"Please select a search type and pass the matching string/number value to search for."
)
else:
# List all computers
data = {"maxItems": self.max_items}
# Send request
response = self.connection.session.post(
url, data=json.dumps(data), verify=self.connection.dsm_verify_ssl)
self.logger.info(f"url: {response.url}")
self.logger.info(f"status: {response.status_code}")
self.logger.info(f"reason: {response.reason}")
# Check response errors
checkResponse(response)
# Try to convert the response data to JSON
response_data = tryJSON(response)
# Extract computer IDs
if response_data["computers"]:
hits = len(response_data["computers"])
self.logger.info(f"Found {hits} computer(s)!")
for computer in response_data["computers"]:
self.logger.info(f"{computer['ID']} - {computer['hostName']}")
computer_ids.add(computer['ID'])
else:
self.logger.info(f"No computer found!")
# Return matched rules
return {
Output.COMPUTER_IDS: list(computer_ids),
Output.RESPONSE_JSON: response_data
}
def run(self, params={}):
'''
Searches for IPS rules by CVE number in Deep Security
'''
# Get parameters
self.vulnerabilities = params.get(Input.VULNERABILITIES)
matched_cves = set()
missed_cves = set()
ips_rules = set()
for cve in self.vulnerabilities:
# Prepare request
url = f"{self.connection.dsm_url}/api/intrusionpreventionrules/search"
data = {
"maxItems":
100,
"searchCriteria": [{
"fieldName": "CVE",
"stringWildcards": True,
"stringValue": f"%{cve}%"
}]
}
# Search for IPS rules
response = self.connection.session.post(url,
data=json.dumps(data),
verify=True)
self.logger.info(cve)
self.logger.info(f"status: {response.status_code}")
self.logger.info(f"reason: {response.reason}")
# Try to convert the response data to JSON
response_data = tryJSON(response)
# Check response errors
checkResponse(response)
# Check if matching IPS rules were found
if response_data["intrusionPreventionRules"]:
hits = len(response_data["intrusionPreventionRules"])
self.logger.info(f"{cve}: Found {hits} rules!")
for rule in response_data["intrusionPreventionRules"]:
self.logger.info(f"{rule['ID']}: {rule['name']}")
ips_rules.add(rule["ID"])
matched_cves.add(cve)
else:
self.logger.info(f"{cve}: No rules found!")
missed_cves.add(cve)
self.logger.info("Found rules for the following CVEs: " +
", ".join(matched_cves))
return {
Output.IPS_RULES: list(ips_rules),
Output.MATCHED_CVES: list(matched_cves),
Output.MISSED_CVES: list(missed_cves)
}