Esempio n. 1
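def populate_actions(drop):
    """
    Populate default set of Actions into the system.

    Only seeds the collection when it is empty; an existing, non-empty
    collection is left untouched unless ``drop`` is set.

    :param drop: Drop the existing collection before trying to populate.
                 This is destructive (every existing Action is discarded),
                 so it must only be driven by an operator, never by a
                 request parameter.
    :type drop: boolean
    """

    # define your Actions here
    actions = ['Blocked Outbound At Firewall', 'Blocked Outbound At Desktop Firewall']
    if drop:
        # Clear the collection so the emptiness check below re-seeds it.
        Action.drop_collection()
    # .count() asks the database for the number; it does not load documents.
    if Action.objects().count() < 1:
        for action in actions:
            ia = Action()
            ia.name = action
            # NOTE(review): the persisting call was missing from the listing;
            # mongoengine's save() is assumed here -- confirm against the
            # original module.
            ia.save()
        print("Actions: added %s actions!" % len(actions))
    else:
        print("Actions: existing documents detected. skipping!")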
Esempio n. 2
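def populate_actions(drop):
    """
    Populate default set of Actions into the system.

    Only seeds the collection when it is empty; an existing, non-empty
    collection is left untouched unless ``drop`` is set.

    :param drop: Drop the existing collection before trying to populate.
                 This is destructive (every existing Action is discarded),
                 so it must only be driven by an operator, never by a
                 request parameter.
    :type drop: boolean
    """

    # define your Actions here
    actions = ['Blocked Outbound At Firewall', 'Blocked Outbound At Desktop Firewall']
    if drop:
        # Clear the collection so the emptiness check below re-seeds it.
        Action.drop_collection()
    # Use .count() rather than len(Action.objects()): len() would pull every
    # document from the database just to decide whether the set is empty.
    if Action.objects().count() < 1:
        for action in actions:
            ia = Action()
            ia.name = action
            # NOTE(review): the persisting call was missing from the listing;
            # mongoengine's save() is assumed here -- confirm against the
            # original module.
            ia.save()
        print("Actions: added %s actions!" % len(actions))
    else:
        print("Actions: existing documents detected. skipping!")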
Esempio n. 3
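def class_from_id(type_, _id):
    """
    Return an instantiated class object.

    Looks the id up only against an explicit allow-list of CRITs document
    classes, so a caller cannot reach an arbitrary collection by supplying
    an unexpected ``type_``.

    :param type_: The CRITs top-level object type.
    :type type_: str
    :param _id: The ObjectId to search for.
    :type _id: str
    :returns: the matching document instance, or None when the id is empty
              or not a valid ObjectId, or when ``type_`` is not a known type.
    """

    # Nothing to look up; bail out before paying for the imports below.
    if not _id:
        return None

    # doing this to avoid circular imports
    from crits.actors.actor import ActorThreatIdentifier, Actor
    from crits.backdoors.backdoor import Backdoor
    from crits.campaigns.campaign import Campaign
    from crits.certificates.certificate import Certificate
    from crits.comments.comment import Comment
    from crits.core.crits_mongoengine import Action
    from crits.core.source_access import SourceAccess
    from crits.core.user_role import UserRole
    from crits.domains.domain import Domain
    from crits.emails.email import Email
    from crits.events.event import Event
    from crits.exploits.exploit import Exploit
    from crits.indicators.indicator import Indicator
    from crits.ips.ip import IP
    from crits.pcaps.pcap import PCAP
    from crits.raw_data.raw_data import RawData, RawDataType
    from crits.samples.sample import Sample
    from crits.screenshots.screenshot import Screenshot
    from crits.signatures.signature import Signature, SignatureType, SignatureDependency
    from crits.targets.target import Target

    # Use bson.ObjectId to make sure this is a valid ObjectId, otherwise
    # the queries below will raise a ValidationError exception. Ids that
    # cannot even be coerced to text are treated as invalid rather than
    # letting a UnicodeError escape to the caller.
    try:
        # make sure it's a string
        _id = str(_id)
        valid = ObjectId.is_valid(_id.decode('utf8'))
    except UnicodeError:
        valid = False
    if not valid:
        return None

    # Allow-list of type names -> document classes; anything else is None.
    type_map = {
        'Actor': Actor,
        'Backdoor': Backdoor,
        'ActorThreatIdentifier': ActorThreatIdentifier,
        'Campaign': Campaign,
        'Certificate': Certificate,
        'Comment': Comment,
        'Domain': Domain,
        'Email': Email,
        'Event': Event,
        'Exploit': Exploit,
        'Indicator': Indicator,
        'Action': Action,
        'IP': IP,
        'PCAP': PCAP,
        'RawData': RawData,
        'RawDataType': RawDataType,
        'Sample': Sample,
        'Signature': Signature,
        'SignatureType': SignatureType,
        'SignatureDependency': SignatureDependency,
        'SourceAccess': SourceAccess,
        'Screenshot': Screenshot,
        'Target': Target,
        'UserRole': UserRole,
    }
    klass = type_map.get(type_)
    if klass is None:
        return None
    return klass.objects(id=_id).first()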
Esempio n. 4
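def class_from_id(type_, _id):
    """
    Return an instantiated class object.

    Looks the id up only against an explicit allow-list of CRITs document
    classes, so a caller cannot reach an arbitrary collection by supplying
    an unexpected ``type_``.

    :param type_: The CRITs top-level object type.
    :type type_: str
    :param _id: The ObjectId to search for.
    :type _id: str
    :returns: the matching document instance, or None when the id is empty
              or not a valid ObjectId, or when ``type_`` is not a known type.
    """

    # Nothing to look up; bail out before paying for the imports below.
    if not _id:
        return None

    # doing this to avoid circular imports
    from crits.actors.actor import ActorThreatIdentifier, Actor
    from crits.backdoors.backdoor import Backdoor
    from crits.campaigns.campaign import Campaign
    from crits.certificates.certificate import Certificate
    from crits.comments.comment import Comment
    from crits.core.crits_mongoengine import Action
    from crits.core.source_access import SourceAccess
    from crits.core.user_role import UserRole
    from crits.domains.domain import Domain
    from crits.emails.email import Email
    from crits.events.event import Event
    from crits.exploits.exploit import Exploit
    from crits.indicators.indicator import Indicator
    from crits.ips.ip import IP
    from crits.pcaps.pcap import PCAP
    from crits.raw_data.raw_data import RawData, RawDataType
    from crits.samples.sample import Sample
    from crits.screenshots.screenshot import Screenshot
    from crits.signatures.signature import Signature, SignatureType, SignatureDependency
    from crits.targets.target import Target

    # Use bson.ObjectId to make sure this is a valid ObjectId, otherwise
    # the queries below will raise a ValidationError exception. Ids that
    # cannot even be coerced to text are treated as invalid rather than
    # letting a UnicodeError escape to the caller.
    try:
        # make sure it's a string
        _id = str(_id)
        valid = ObjectId.is_valid(_id.decode('utf8'))
    except UnicodeError:
        valid = False
    if not valid:
        return None

    # Allow-list of type names -> document classes; anything else is None.
    type_map = {
        'Actor': Actor,
        'Backdoor': Backdoor,
        'ActorThreatIdentifier': ActorThreatIdentifier,
        'Campaign': Campaign,
        'Certificate': Certificate,
        'Comment': Comment,
        'Domain': Domain,
        'Email': Email,
        'Event': Event,
        'Exploit': Exploit,
        'Indicator': Indicator,
        'Action': Action,
        'IP': IP,
        'PCAP': PCAP,
        'RawData': RawData,
        'RawDataType': RawDataType,
        'Sample': Sample,
        'Signature': Signature,
        'SignatureType': SignatureType,
        'SignatureDependency': SignatureDependency,
        'SourceAccess': SourceAccess,
        'Screenshot': Screenshot,
        'Target': Target,
        'UserRole': UserRole,
    }
    klass = type_map.get(type_)
    if klass is None:
        return None
    return klass.objects(id=_id).first()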
Esempio n. 5
def handle_indicator_csv(csv_data, source, method, reference, ctype, username, add_domain=False):
    Handle adding Indicators in CSV format (file or blob).

    :param csv_data: The CSV data.
    :type csv_data: str or file handle
    :param source: The name of the source for these indicators.
    :type source: str
    :param method: The method of acquisition of this indicator.
    :type method: str
    :param reference: The reference to this data.
    :type reference: str
    :param ctype: The CSV type.
    :type ctype: str ("file" or "blob")
    :param username: The user adding these indicators.
    :type username: str
    :param add_domain: If the indicators being added are also other top-level
                       objects, add those too.
    :type add_domain: boolean
    :returns: dict with keys "success" (boolean) and "message" (str)

    if ctype == "file":
        cdata =
        cdata = csv_data.encode("ascii")
    data = csv.DictReader(BytesIO(cdata), skipinitialspace=True)
    result = {"success": True}
    result_message = ""
    # Compute permitted values in CSV
    valid_ratings = {"unknown": "unknown", "benign": "benign", "low": "low", "medium": "medium", "high": "high"}
    valid_campaign_confidence = {"low": "low", "medium": "medium", "high": "high"}
    valid_campaigns = {}
    for c in Campaign.objects(active="on"):
        valid_campaigns[c["name"].lower().replace(" - ", "-")] = c["name"]
    valid_actions = {}
    for a in Action.objects(active="on"):
        valid_actions[a["name"].lower().replace(" - ", "-")] = a["name"]
    valid_ind_types = {}
    for obj in IndicatorTypes.values(sort=True):
        valid_ind_types[obj.lower().replace(" - ", "-")] = obj

    # Start line-by-line import
    added = 0
    for processed, d in enumerate(data, 1):
        ind = {}
        ind["value"] = d.get("Indicator", "").strip()
        ind["lower"] = d.get("Indicator", "").lower().strip()
        ind["description"] = d.get("Description", "").strip()
        ind["type"] = get_verified_field(d, valid_ind_types, "Type")
        ind["threat_type"] = d.get("Threat Type", IndicatorThreatTypes.UNKNOWN)
        ind["attack_type"] = d.get("Attack Type", IndicatorAttackTypes.UNKNOWN)

        if len(ind["threat_type"]) < 1:
            ind["threat_type"] = IndicatorThreatTypes.UNKNOWN
        if ind["threat_type"] not in IndicatorThreatTypes.values():
            result["success"] = False
            result_message += "Cannot process row %s: Invalid Threat Type<br />" % processed

        if len(ind["attack_type"]) < 1:
            ind["attack_type"] = IndicatorAttackTypes.UNKNOWN
        if ind["attack_type"] not in IndicatorAttackTypes.values():
            result["success"] = False
            result_message += "Cannot process row %s: Invalid Attack Type<br />" % processed

        ind["status"] = d.get("Status", Status.NEW)
        if not ind["value"] or not ind["type"]:
            # Mandatory value missing or malformed, cannot process csv row
            i = ""
            result["success"] = False
            if not ind["value"]:
                i += "No valid Indicator value "
            if not ind["type"]:
                i += "No valid Indicator type "
            result_message += "Cannot process row %s: %s<br />" % (processed, i)
        campaign = get_verified_field(d, valid_campaigns, "Campaign")
        if campaign:
            ind["campaign"] = campaign
            ind["campaign_confidence"] = get_verified_field(
                d, valid_campaign_confidence, "Campaign Confidence", default="low"
        actions = d.get("Action", "")
        if actions:
            actions = get_verified_field(actions.split(","), valid_actions)
            if not actions:
                result["success"] = False
                result_message += "Cannot process row %s: Invalid Action<br />" % processed
        ind["confidence"] = get_verified_field(d, valid_ratings, "Confidence", default="unknown")
        ind["impact"] = get_verified_field(d, valid_ratings, "Impact", default="unknown")
        ind[form_consts.Common.BUCKET_LIST_VARIABLE_NAME] = d.get(form_consts.Common.BUCKET_LIST, "")
        ind[form_consts.Common.TICKET_VARIABLE_NAME] = d.get(form_consts.Common.TICKET, "")
            response = handle_indicator_insert(
                ind, source, reference, analyst=username, method=method, add_domain=add_domain
        except Exception, e:
            result["success"] = False
            result_message += "Failure processing row %s: %s<br />" % (processed, str(e))
        if response["success"]:
            if actions:
                action = {
                    "active": "on",
                    "analyst": username,
                    "begin_date": "",
                    "end_date": "",
                    "performed_date": "",
                    "reason": "",
                for action_type in actions:
                    action["action_type"] = action_type
                    action_add("Indicator", response.get("objectid"), action, user=username)
            result["success"] = False
            result_message += "Failure processing row %s: %s<br />" % (processed, response["message"])
        added += 1