def run(self, params={}):
        """
        List IPS rules
        """

        # Get parameters
        self.scope = params.get(Input.SCOPE)
        self.id = params.get(Input.ID)

        ips_rules = set()
        covered_cves = set()
        hits = 0

        self.logger.info(f"Getting rules from {self.scope} {self.id}")

        # Prepare request
        # Check if the rules should be assigned to a computer or policy
        if self.scope == "computer":
            url = f"{self.connection.dsm_url}/api/computers/{self.id}/intrusionprevention/rules"
        else:
            url = f"{self.connection.dsm_url}/api/policies/{self.id}/intrusionprevention/rules"

        # Send request
        response = self.connection.session.get(
            url, verify=self.connection.dsm_verify_ssl)

        self.logger.info(f"url: {response.url}")
        self.logger.info(f"status: {response.status_code}")
        self.logger.info(f"reason: {response.reason}")

        # Check response errors
        checkResponse(response)

        # Try to convert the response data to JSON
        response_data = tryJSON(response)

        # Extract rules
        if response_data["intrusionPreventionRules"]:
            for rule in response_data["intrusionPreventionRules"]:
                ips_rules.add(rule["ID"])
                if 'CVE' in rule.keys():
                    self.logger.info(f"{rule['ID']}:\t{rule['name']} - " +
                                     ", ".join(rule['CVE']))
                    covered_cves.update(rule['CVE'])
                else:
                    self.logger.info(f"{rule['ID']}:\t{rule['name']}")
        else:
            self.logger.info(f"No rules found!")

        hits = len(response_data["intrusionPreventionRules"])
        self.logger.info(
            f"Found {hits} rules covering the following CVEs: \n" +
            ", ".join(covered_cves))

        # Return assigned rules and covered CVEs
        return {
            Output.RULES_ASSIGNED: list(ips_rules),
            Output.COVERED_CVES: list(covered_cves),
            Output.RESPONSE_JSON: response_data
        }
    def run(self, params={}):
        """
        Set IPS rules in Deep Security
        """

        # Get parameters
        self.computer_or_policy = params.get(Input.COMPUTER_OR_POLICY)
        self.id = params.get(Input.ID)
        self.rules = params.get(Input.RULES)

        self.logger.info("Setting rules: ")
        self.logger.info(self.rules)

        # Prepare request
        # Check if the rules should be assigned to a computer or policy
        if self.computer_or_policy == "computer":
            url = f"{self.connection.dsm_url}/api/computers/{self.id}/intrusionprevention/assignments"
        else:
            url = f"{self.connection.dsm_url}/api/policies/{self.id}/intrusionprevention/assignments"

        data = {"ruleIDs": self.rules}

        # Set rules
        response = self.connection.session.post(
            url, data=json.dumps(data), verify=self.connection.dsm_verify_ssl)

        self.logger.info(f"url: {response.url}")
        self.logger.info(f"status: {response.status_code}")
        self.logger.info(f"reason: {response.reason}")

        # Check response errors
        checkResponse(response)

        # Try to convert the response data to JSON
        response_data = tryJSON(response)

        # Get a list of all rules assigned to the asset or policy
        rules_assigned = response_data["assignedRuleIDs"]
        rules_not_assigned = []

        # Check if the new rules were successfully assigned
        for rule in self.rules:
            if rule not in rules_assigned:
                rules_not_assigned.append(rule)

        # Return assigned and failed rules
        return {
            Output.RULES_ASSIGNED: rules_assigned,
            Output.RULES_NOT_ASSIGNED: rules_not_assigned
        }
Example #3
0
    def run(self, params={}):
        """
        Get IPS rule details
        """

        # Get parameters
        self.id = params.get(Input.ID)

        self.logger.info(f"Getting details for rule: {self.id}")

        # Prepare request
        url = f"{self.connection.dsm_url}/api/intrusionpreventionrules/{self.id}"

        # Send request
        response = self.connection.session.get(
            url, verify=self.connection.dsm_verify_ssl)

        self.logger.info(f"url: {response.url}")
        self.logger.info(f"status: {response.status_code}")
        self.logger.info(f"reason: {response.reason}")

        # Check response errors
        checkResponse(response)

        # Try to convert the response data to JSON
        response_data = tryJSON(response)

        cves = []

        name = response_data["name"]
        description = response_data["description"]
        severity = response_data["severity"]
        rule_type = response_data["type"]
        cvss_score = response_data["CVSSScore"]
        if "CVE" in response_data.keys():
            cves = response_data["CVE"]

        # Return rule details
        return {
            Output.NAME: name,
            Output.DESCRIPTION: description,
            Output.SEVERITY: severity,
            Output.TYPE: rule_type,
            Output.CVSS_SCORE: cvss_score,
            Output.CVES: cves,
            Output.RESPONSE_JSON: response_data,
        }
Example #4
0
    def search_rule_by_cve(self, cve: str) -> Tuple[set, set, set]:
        """
        Search IPS rules for one CVE
        """

        matched_cves = set()
        missed_cves = set()
        ips_rules = set()

        # Prepare Search Criteria
        data = {
            "maxItems":
            100,
            "searchCriteria": [{
                "fieldName": "CVE",
                "stringWildcards": True,
                "stringValue": f"%{cve}%"
            }],
        }

        # Prepare request
        url = f"{self.connection.dsm_url}/api/intrusionpreventionrules/search"

        # Search for IPS rules
        response = self.connection.session.post(
            url, data=json.dumps(data), verify=self.connection.dsm_verify_ssl)

        # Check response errors
        checkResponse(response)

        # Try to convert the response data to JSON
        response_data = tryJSON(response)

        # Check if matching IPS rules were found
        if response_data["intrusionPreventionRules"]:
            hits = len(response_data["intrusionPreventionRules"])
            for rule in response_data["intrusionPreventionRules"]:
                self.logger.info(f"{cve} -> {rule['ID']}: {rule['name']}")
                ips_rules.add(rule["ID"])
                matched_cves.add(cve)
        else:
            self.logger.info(f"{cve}: No rules found!")
            missed_cves.add(cve)

        return ips_rules, matched_cves, missed_cves
Example #5
0
    def collect_all_ips_rules(self) -> list:
        """
        Receive all IPS rules from Deep Security
        """

        ips_rules = []
        ips_id = 0
        step = 5000  # <= 5000

        while True:
            # Prepare Search Criteria
            data = {
                "maxItems": step,
                "sortByObjectID": True,
                "searchCriteria": [{
                    "idTest": "greater-than",
                    "idValue": ips_id
                }],
            }

            # Send Request
            url = f"{self.connection.dsm_url}/api/intrusionpreventionrules/search"
            response = self.connection.session.post(
                url,
                data=json.dumps(data),
                verify=self.connection.dsm_verify_ssl)

            # Check response errors
            checkResponse(response)

            # Convert to JSON
            response_data = tryJSON(response)

            # Check if there are results
            if response_data["intrusionPreventionRules"]:
                hits = len(response_data["intrusionPreventionRules"])
                ips_id = response_data["intrusionPreventionRules"][-1]["ID"]
            else:
                break

            ips_rules.extend(response_data["intrusionPreventionRules"])

        self.logger.info(f"Received {len(ips_rules)} IPS rules!")
        return ips_rules
Example #6
0
    def test(self):
        """
        Test connection to the Deep Security Manager
        """

        # Prepare request
        url = f"{self.dsm_url}/api/policies"

        # Get list of policies
        response = self.session.get(url, verify=self.dsm_verify_ssl)

        # Try to convert the response data to JSON
        response_data = tryJSON(response)

        # Check response errors
        checkResponse(response)

        self.logger.info("Found " + str(len(response_data["policies"])) +
                         " policies!")
        for policy in response_data["policies"]:
            self.logger.info(policy["name"])

        return {"data": response.ok}
    def run(self, params={}):
        '''
        Searches for Computers in Deep Security
        '''

        # Get parameters
        self.information = params.get(Input.INFORMATION)
        self.max_items = params.get(Input.MAX_ITEMS)
        self.field_name = params.get(Input.FIELD_NAME)
        self.search_type = params.get(Input.SEARCH_TYPE)
        self.string_value = params.get(Input.STRING_VALUE)
        self.number_value = params.get(Input.NUMBER_VALUE)

        computer_ids = set()

        # Prepare request
        url = f"{self.connection.dsm_url}/api/computers/search?expand={self.information}"

        if self.field_name:
            if self.search_type == "string" and self.string_value:
                # Search for computers by string match
                data = {
                    "maxItems":
                    self.max_items,
                    "searchCriteria": [{
                        "fieldName": self.field_name,
                        "stringWildcards": True,
                        "stringValue": self.string_value
                    }]
                }
            elif self.search_type == "integer" and self.number_value:
                # Search for computers by number match
                data = {
                    "maxItems":
                    self.max_items,
                    "searchCriteria": [{
                        "fieldName": self.field_name,
                        "stringWildcards": True,
                        "numericValue": self.number_value
                    }]
                }
            else:
                raise PluginException(
                    cause=
                    "Scan type and matching seach value expected but not found!",
                    assistance=
                    "Please select a search type and pass the matching string/number value to search for."
                )
        else:
            # List all computers
            data = {"maxItems": self.max_items}

        # Send request
        response = self.connection.session.post(
            url, data=json.dumps(data), verify=self.connection.dsm_verify_ssl)

        self.logger.info(f"url: {response.url}")
        self.logger.info(f"status: {response.status_code}")
        self.logger.info(f"reason: {response.reason}")

        # Check response errors
        checkResponse(response)

        # Try to convert the response data to JSON
        response_data = tryJSON(response)

        # Extract computer IDs
        if response_data["computers"]:
            hits = len(response_data["computers"])
            self.logger.info(f"Found {hits} computer(s)!")
            for computer in response_data["computers"]:
                self.logger.info(f"{computer['ID']} - {computer['hostName']}")
                computer_ids.add(computer['ID'])
        else:
            self.logger.info(f"No computer found!")

        # Return matched rules
        return {
            Output.COMPUTER_IDS: list(computer_ids),
            Output.RESPONSE_JSON: response_data
        }
Example #8
0
    def run(self, params={}):
        '''
        Searches for IPS rules by CVE number in Deep Security
        '''

        # Get parameters
        self.vulnerabilities = params.get(Input.VULNERABILITIES)

        matched_cves = set()
        missed_cves = set()
        ips_rules = set()

        for cve in self.vulnerabilities:

            # Prepare request
            url = f"{self.connection.dsm_url}/api/intrusionpreventionrules/search"

            data = {
                "maxItems":
                100,
                "searchCriteria": [{
                    "fieldName": "CVE",
                    "stringWildcards": True,
                    "stringValue": f"%{cve}%"
                }]
            }

            # Search for IPS rules
            response = self.connection.session.post(url,
                                                    data=json.dumps(data),
                                                    verify=True)

            self.logger.info(cve)
            self.logger.info(f"status: {response.status_code}")
            self.logger.info(f"reason: {response.reason}")

            # Try to convert the response data to JSON
            response_data = tryJSON(response)

            # Check response errors
            checkResponse(response)

            # Check if matching IPS rules were found
            if response_data["intrusionPreventionRules"]:
                hits = len(response_data["intrusionPreventionRules"])
                self.logger.info(f"{cve}: Found {hits} rules!")
                for rule in response_data["intrusionPreventionRules"]:
                    self.logger.info(f"{rule['ID']}: {rule['name']}")
                    ips_rules.add(rule["ID"])
                    matched_cves.add(cve)
            else:
                self.logger.info(f"{cve}: No rules found!")
                missed_cves.add(cve)

        self.logger.info("Found rules for the following CVEs: " +
                         ", ".join(matched_cves))

        return {
            Output.IPS_RULES: list(ips_rules),
            Output.MATCHED_CVES: list(matched_cves),
            Output.MISSED_CVES: list(missed_cves)
        }