def __init__(self, opts): """constructor provides access to the configuration options""" super(FunctionComponent, self).__init__(opts) try: self.opts = opts self.config = opts.get(PACKAGE_NAME).get(self.config_file) if self.config is None: log.error( self.config_file + " is not set. You must set this path to run this function") raise ValueError( self.config_file + " is not set. You must set this path to run this function") # Create configuration from file for DxlClient config = DxlClientConfig.create_dxl_config_from_file(self.config) # Create client self.client = DxlClient(config) self.client.connect() except AttributeError: log.error( "There is no [fn_mcafee_opendxl] section in the config file," "please set that by running resilient-circuits config -u") raise AttributeError( "[fn_mcafee_opendxl] section is not set in the config file")
class TIEOutputBot(Bot): def init(self): if DxlClient is None: raise ValueError( "Could not import 'dxlclient'. Please install it.") self.config = DxlClientConfig.create_dxl_config_from_file( self.parameters.dxl_config_file) self.dxlclient = DxlClient(self.config) def process(self): event = self.receive_message() payload = json.dumps(event) self.dxlclient.connect() tie_client = TieClient(self.dxlclient) tie_client.set_file_reputation( TrustLevel.MOST_LIKELY_MALICIOUS, { HashType.SHA256: event.get("malware.hash.sha256"), HashType.SHA1: event.get("malware.hash.sha1"), HashType.MD5: event.get("malware.hash.md5") }, filename=event.get("malware.name"), comment=self.parameters.comment) self.dxlclient.disconnect() self.logger.info("Event successfully sent.") self.acknowledge_message()
def _dxl_connect(self): """ Attempts to connect to the DXL fabric """ # Connect to fabric config = DxlClientConfig.create_dxl_config_from_file( self._dxlclient_config_path) config.incoming_message_thread_pool_size = self._incoming_thread_count config.incoming_message_queue_size = self._incoming_queue_size logger.info( "Incoming message configuration: queueSize={0}, threadCount={1}". format(config.incoming_message_queue_size, config.incoming_message_thread_pool_size)) logger.info( "Message callback configuration: queueSize={0}, threadCount={1}". format(self._callbacks_queue_size, self._callbacks_thread_count)) self._dxl_client = DxlClient(config) logger.info("Attempting to connect to DXL fabric ...") self._dxl_client.connect() logger.info("Connected to DXL fabric.") self.on_register_event_handlers() self.on_register_services() self.on_dxl_connect()
def init(self): if DxlClient is None: raise ValueError( "Could not import 'dxlclient'. Please install it.") self.config = DxlClientConfig.create_dxl_config_from_file( self.parameters.dxl_config_file) self.dxlclient = DxlClient(self.config)
class CuckooDXLClient(object): """ Wrapper class for the OpenDXL Python Client. """ def __init__(self): """ Constructor. """ self.client = None self.config = None self.enabled = None def init(self): """ Initialization method to determine if the OpenDXL Cuckoo Reporting Module is enabled and to get the OpenDXL Python Client config file location from the dxl_client_config_file setting under the [dxleventreporting] section of the reporting.conf file. :return: A boolean indicating if the OpenDXL Cuckoo Reporting Module is enabled or not. """ self.enabled = config("reporting:dxleventreporting:enabled") dxl_client_config_file = config( "reporting:dxleventreporting:dxl_client_config_file") if dxl_client_config_file is None: raise CuckooOperationalError( "Missing dxl_client_config_file setting under the " "[dxleventreporting] section in the report.conf file.") self.config = DxlClientConfig.create_dxl_config_from_file( dxl_client_config_file) return self.enabled def connect(self): """ A method to have the OpenDXL Python Client connect to a DXL Broker listed in the OpenDXL Python Client configuration client. """ if not self.enabled: return try: log.info("Creating DXL Client") if not self.client: self.client = DxlClient(self.config) self.client.connect() elif not self.client.connected: self.client.connect() log.info("Connected to a broker") except Exception as ex: log.exception( "Error creating DXL Client and connecting to a DXL Broker.") raise CuckooOperationalError( "Error creating DXL Client and connecting to a DXL Broker: %s" % ex)
def _create_client_for_connection(self, client_id): """ Creates a DxlClient and stores it for the give client_id :param client_id: the client_id for the DxlClient """ client = DxlClient(self.client_config) client.connect() logger.info("Initializing new dxl client for client_id: %s", client_id) with self._client_dict_lock: self._client_dict[client_id] = (client, datetime.datetime.now())
def __init__(self, opts): super(DxlComponentSubscriber, self).__init__(opts) self.config = verify_config(opts) add_methods_to_global() # Create and connect DXL client config_client_file = self.config.get("config_client") dxl_config = DxlClientConfig.create_dxl_config_from_file( config_client_file) self.client = DxlClient(dxl_config) self.client.connect() # This gets run once to tell the subscriber to listen on defined topics self.main()
def setReputation(trustlevelStr, md5, sha1, sha256, filenameStr, commentStr): # File Hashes #mySetHashes = {HashType.MD5: "", HashType.SHA1: "", HashType.SHA256: ""} trustlevelInt = getTrustLevel(trustlevelStr) mySetHashes = hashMe(md5, sha1, sha256) print("mySetHashes:") print(mySetHashes) # Create the client with DxlClient(config) as client: # Connect to the fabric client.connect() # Create the McAfee Threat Intelligence Exchange (TIE) client tie_client = TieClient(client) print(trustlevelInt) print(mySetHashes) print(filenameStr) print(commentStr) if trustlevelInt != -1: # Set the Enterprise reputation for notepad.exe to Known Trusted tie_client.set_file_reputation(trustlevelInt, mySetHashes, filename=filenameStr, comment=commentStr) else: return jsonify(error="invalid trust level", trustlevel=trustlevelStr) client.disconnect()
def getEvents(self): """ Get Events off the DXL fabric """ ## Create Web API request queue SERVICE_TYPE = "/opendxl/webapi" REQUEST_TOPIC = SERVICE_TYPE + "/requests" class MyRequestCallback(RequestCallback): def on_request(self, request): # Extract print("Service recieved request payload: " + request.payload.decode()) # Create the client with DxlClient(config) as client: # Connect to the fabric client.connect() ## Register with ePO and add the request topic info = ServiceRegistrationInfo(client, SERVICE_TYPE) client.register_service_sync(info, 10) info.add_topic(REQUEST_TOPIC, MyRequestCallback()) ## Get list of vendorIDs and subscribe to each topic #vendorList = getVendorList() #for vendor in vendorList: # client.add_event_callback(vendorsDict[vendor]['topic'], ChgRepCallback()) client.disconnect() ## Listent to Events print("Listening for Events") while not thread_stop_event.isSet(): time.sleep(self.delay)
def __init__(self, params: Dict): with open(self.broker_ca_bundle, "w") as text_file: text_file.write(params['broker_ca_bundle']) with open(self.cert_file, "w") as text_file: text_file.write(params['cert_file']) with open(self.private_key, "w") as text_file: text_file.write(params['private_key']) if 'broker_urls' in params: self.broker_urls = params['broker_urls'].split(',') self.push_ip_topic = params.get('push_ip_topic') self.push_url_topic = params.get('push_url_topic') self.push_domain_topic = params.get('push_domain_topic') self.push_hash_topic = params.get('push_hash_topic') self.client = DxlClient(self.get_client_config()) self.client.connect()
def set_rep(self, filename, level, md5, sha1, sha256, sandbox): try: with DxlClient(self.config) as client: client.connect() tie_client = TieClient(client) # multi-sandbox support: merge results if some are already available existing_reputation = tie_client.get_file_reputation( {HashType.SHA256: sha256}) if existing_reputation and FileProvider.EXTERNAL in existing_reputation: logging.info( "A external reputation verdict has been already present for the sample, will merge the results" ) if (level != 0 and level < existing_reputation[ FileProvider.EXTERNAL]["trustLevel"]): self._set_reputation(tie_client, filename, level, md5, sha1, sha256, sandbox) else: logging.info( "New reputation level was higher than what is already present" ) else: self._set_reputation(tie_client, filename, level, md5, sha1, sha256, sandbox) except Exception as e: logging.error( "ERROR setting the reputation in TIE for SHA256 %s using sandbox %s: %s", str(sha256), sandbox, e, )
def action(md5): CONFIG_FILE = "path to the config file" config = DxlClientConfig.create_dxl_config_from_file(CONFIG_FILE) with DxlClient(config) as client: client.connect() marclient = MarClient(client) results_context = \ marclient.search( projections=[{ "name": "HostInfo", "outputs": ["hostname","ip_address"] }, { "name": "Files", "outputs": ["md5","status"] }], conditions={ "or": [{ "and": [{ "name": "Files", "output": "md5", "op": "EQUALS", "value": md5 }] }] } ) if results_context.has_results: results = results_context.get_results() return results else: pass
def run(self, params={}): topic = params.get('topic') number_of_messages = params.get('number_of_messages') if number_of_messages < 1: raise Exception('Number of messages must be 1 or more') def _send(message_string): try: self.message_list.append(message_string) if len(self.message_list) >= number_of_messages: self.send({'messages': self.message_list}) self.message_list = [] except Exception as e: self.logger.error('Message string: {}'.format(message_string)) self.logger.error('Message list: {}'.format(self.message_list)) raise Exception( 'An unknown error occurred. Dumping buffer to log. Error: {}' .format(e)) event_count_condition = Condition() # Create the DXL client with DxlClient(self.connection.config) as dxl_client: # Connect to the fabric dxl_client.connect() class _TriggerEventCallback(EventCallback): def on_event(self, event): with event_count_condition: _send(event.payload.decode()) event_count_condition.notify_all() dxl_client.add_event_callback(topic, _TriggerEventCallback()) with event_count_condition: while True: event_count_condition.wait()
def file_references(hash): config = get_client_config() with DxlClient(config) as client: client.connect() # Create the McAfee Threat Intelligence Exchange (TIE) client tie_client = TieClient(client) hash_type = get_hash_type(hash) hash_type_key = HASH_TYPE_KEYS.get(hash_type) if not hash_type_key: return create_error_entry('file argument must be sha1(40 charecters) or sha256(64 charecters) or md5(32 charecters)') hash_param = {} hash_param[hash_type_key] = hash references = tie_client.get_file_first_references(hash_param) table = references_to_table(references) # creaet context context_file = {} hash_type_uppercase = hash_type.upper() context_file[hash_type_uppercase] = hash context_file['References'] = table ec = {} ec[outputPaths['file']] = context_file return { 'Type': entryTypes['note'], 'ContentsFormat': formats['json'], 'Contents': references, 'ReadableContentsFormat': formats['markdown'], 'HumanReadable': tableToMarkdown('References for hash %s' % (hash,), table), 'EntryContext': ec }
def MAR_Query(self, mar_search_str): # Create the client with DxlClient(self.config) as client: # Connect to the fabric client.connect() # Create the McAfee Active Response (MAR) client marclient = MarClient(client) marclient.response_timeout = 30 # Start the search results_context = marclient.search( projections=[{ "name": "HostInfo", "outputs": ["hostname", "ip_address"] }], conditions={"or": [{ "and": mar_search_str }]}) # Iterate the results of the search if results_context.has_results: results = results_context.get_results() for item in results[ResultConstants.ITEMS]: yield (item['output']['HostInfo|ip_address'])
def set_file_reputation(hash, trust_level, filename, comment): config = get_client_config() # find trust_level key trust_level_key = None for k, v in TRUST_LEVELS.iteritems(): if v == trust_level: trust_level_key = k if not trust_level_key: return create_error_entry('illigale argument trust_level %s. Choose value from predefined values' % (trust_level, )) with DxlClient(config) as client: client.connect() tie_client = TieClient(client) hash_type = get_hash_type(hash) hash_type_key = HASH_TYPE_KEYS.get(hash_type) if not hash_type_key: return create_error_entry('file argument must be sha1(40 charecters) or sha256(64 charecters) or md5(32 charecters)') hash_param = {} hash_param[hash_type_key] = hash try: tie_client.set_file_reputation(trust_level_key, hash_param, filename, comment) return 'Successfully set file repuation' except Exception as ex: return create_error_entry(str(ex))
def file(hash_inputs): hash_list = [] for hash_value in hash_inputs: config = get_client_config() with DxlClient(config) as client: client.connect() # Create the McAfee Threat Intelligence Exchange (TIE) client tie_client = TieClient(client) hash_type = get_hash_type(hash_value) hash_type_key = HASH_TYPE_KEYS.get(hash_type) if not hash_type_key: return create_error_entry('file argument must be sha1(40 charecters) or sha256(64 charecters)' ' or md5(32 charecters)') hash_param = {} reputations = {} context_file = {} hash_param[hash_type_key] = hash_value hash_type_uppercase = hash_type.upper() res = safe_get_file_reputation(tie_client, hash_param) if not res: dbot_score = [{'Indicator': hash_value, 'Type': 'hash', 'Vendor': VENDOR_NAME, 'Score': 0}, {'Indicator': hash_value, 'Type': 'file', 'Vendor': VENDOR_NAME, 'Score': 0}] context_file[hash_type_uppercase] = hash_value context_file['TrustLevel'] = 0 context_file['Vendor'] = VENDOR_NAME else: reputations = res.values() # create context tl_score = get_thrust_level_and_score(reputations) context_file[hash_type_uppercase] = hash_value context_file['TrustLevel'] = tl_score['trust_level'] context_file['Vendor'] = tl_score['vendor'] dbot_score = [{'Indicator': hash_value, 'Type': 'hash', 'Vendor': tl_score['vendor'], 'Score': tl_score['score']}, {'Indicator': hash_value, 'Type': 'file', 'Vendor': tl_score['vendor'], 'Score': tl_score['score']}] if tl_score['score'] >= 2: context_file['Malicious'] = { 'Vendor': tl_score['vendor'], 'Score': tl_score['score'], 'Description': 'Trust level is ' + str(tl_score['trust_level']) } ec = {'DBotScore': dbot_score, outputPaths['file']: context_file} table = reputations_to_table(reputations) hash_list.append({ 'Type': entryTypes['note'], 'ContentsFormat': formats['json'], 'Contents': reputations, 'ReadableContentsFormat': formats['markdown'], 'HumanReadable': tableToMarkdown('McAfee TIE Hash Reputations For %s:' % (hash_value,), table), 'EntryContext': ec }) return hash_list
def subscriber(self): with DxlClient(self.config) as client: client.connect() class MyEventCallback(EventCallback): def on_event(self, event): try: query = event.payload.decode() print("STATUS: McAfee ATD Event received. Adding to MISP.") query = query[:query.rfind('}') + 1] query = json.loads(query) # Push data into MISP misp = MISP(query) misp.main() except Exception as e: exc_type, exc_obj, exc_tb = sys.exc_info() print("Error in {location}.{funct_name}() - line {line_no} : {error}" .format(location=__name__, funct_name=sys._getframe().f_code.co_name, line_no=exc_tb.tb_lineno, error=str(e))) @staticmethod def worker_thread(req): client.sync_request(req) # Register the callback with the client client.add_event_callback('#', MyEventCallback(), subscribe_to_topic=False) client.subscribe("/mcafee/event/atd/file/report") # Wait forever while True: time.sleep(60)
def tierep(md5, sha1): if not is_hex(md5): return "MD5 Value should be hex" if not is_hex(sha1) and not sha1 == "": return "SHA1 Value should be hex" md5_hex = md5 sha1_hex = sha1 if (md5_hex) or (sha1_hex): with DxlClient(config) as client: # Connect to the fabric client.connect() # # Request and display reputation for Putty # response_dict = get_tie_file_reputation(client=client, md5_hex=md5_hex, sha1_hex=sha1_hex) filename = "putty.exe" myReturnVal = json.dumps(response_dict, sort_keys=True, indent=4, separators=(',', ': ')) fileProps = json.loads(myReturnVal) print fileProps['props'] propList = [] for provider in fileProps['reputations']: propDict = {} providerID = int(provider['providerId']) trustLevel = int(provider['trustLevel']) print "Create Date: " + str(provider['createDate']) if (providerID in providerMap): print "Provider: " + str(providerMap[providerID]) propDict['provider'] = str(providerMap[providerID]) else: print "Provider: Not Available" propDict['provider'] = "Not Available" if (trustLevel in tiescoreMap): print "Reputation: " + str(tiescoreMap[trustLevel]) propDict['reputation'] = str(tiescoreMap[trustLevel]) else: print "Reputation: Not Available" propDict['reputation'] = "Not Available" print "" propList.append(propDict) return render_template('reputation.html', md5=md5, sha1=sha1, filename=filename, propList=propList, myReturnVal=myReturnVal) else: myReturnVal = "Sorry Nobody Home" return myReturnVal
def connect(self, config_file="./dxlclient.config"): if self.isConnected(): raise DxlJythonException(1100, "Already connected to the OpenDXL broker") try: logger.info("Reading configuration file from '%s'", config_file) config = DxlClientConfig.create_dxl_config_from_file(config_file) # Initialize DXL client using our configuration self.client = DxlClient(config) # Connect to DXL Broker self.client.connect() return except Exception as e: logger.info("Exception: " + e.message) raise DxlJythonException(1000, "Unable to establish a connection with the DXL broker")
def test(self): try: with DxlClient(self.config) as dxl_client: # Connect to the fabric dxl_client.connect() return True except: raise ConnectionTestException( preset=ConnectionTestException.Preset.SERVICE_UNAVAILABLE)
def __init__(self, app): super(MonitorModule, self).__init__(app, "monitor", "Fabric Monitor", "/public/images/monitor.png", "monitor_layout") # dictionary to store DXL Client instances unique to each "session" self._client_dict = {} # dictionary to store web sockets for each "session" self._web_socket_dict = {} # dictionary to store incoming messages for each "session" self._pending_messages = {} # dictionary to cache service state self._services = {} self._message_id_topics = {} self._client_config = DxlClientConfig.create_dxl_config_from_file( self.app.bootstrap_app.client_config_path) # DXL Client to perform operations that are the same for all users(svc registry queries) self._dxl_service_client = DxlClient(self._client_config) self._dxl_service_client.connect() self._dxl_service_client.add_event_callback( MonitorModule.SERVICE_REGISTRY_REGISTER_EVENT_TOPIC, _ServiceEventCallback(self)) self._dxl_service_client.add_event_callback( MonitorModule.SERVICE_REGISTRY_UNREGISTER_EVENT_TOPIC, _ServiceEventCallback(self)) self._refresh_all_services() self._service_updater_thread = threading.Thread( target=self._service_updater) self._service_updater_thread.daemon = True self._service_updater_thread.start() self._dxl_client_cleanup_thread = threading.Thread( target=self._cleanup_dxl_clients) self._dxl_client_cleanup_thread.daemon = True self._dxl_client_cleanup_thread.start()
def test(): config = get_client_config() demisto.info('######## config created ########') with DxlClient(config) as client: client.connect() demisto.info('######## client connected ########') client.disconnect() demisto.info('######## client disconnected ########') MarClient(client) demisto.info('######## client MAR client created ########')
def __init__(self, opts): super(McAfeeTieSearcher, self).__init__(opts) try: config = opts.get("mcafee").get(self.config_file) if config is None: LOG.error(self.config_file + " is not set. You must set this path to run this threat service") raise ValueError(self.config_file + " is not set. You must set this path to run this threat service") # Create configuration from file for DxlClient self.config = DxlClientConfig.create_dxl_config_from_file(config) except AttributeError: LOG.error("There is no [mcafee] section in the config file," "please set that by running resilient-circuits config -u") raise AttributeError("[mcafee] section is not set in the config file") # Create client self.client = DxlClient(self.config) self.client.connect()
def __init__(self, device): self.logger = logging.getLogger("Plugin.DXLBroker") self.deviceID = device.id address = device.pluginProps.get(u'address', "") port = device.pluginProps.get(u'port', "") ca_bundle = indigo.server.getInstallFolderPath( ) + '/' + device.pluginProps.get(u'ca_bundle', "") cert_file = indigo.server.getInstallFolderPath( ) + '/' + device.pluginProps.get(u'cert_file', "") private_key = indigo.server.getInstallFolderPath( ) + '/' + device.pluginProps.get(u'private_key', "") self.logger.debug( f"{device.name}: Broker __init__ address = {address}, ca_bundle = {ca_bundle}, cert_file = {cert_file}, private_key = {private_key}" ) device.updateStateOnServer(key="status", value="Not Connected") device.updateStateImageOnServer(indigo.kStateImageSel.SensorOff) # Create the client configuration broker = Broker.parse(f"ssl://{address}:{port}") config = DxlClientConfig(broker_ca_bundle=ca_bundle, cert_file=cert_file, private_key=private_key, brokers=[broker]) # Create the DXL client self.dxl_client = DxlClient(config) # Connect to the fabric self.dxl_client.connect() device.updateStateOnServer(key="status", value="Connected") device.updateStateImageOnServer(indigo.kStateImageSel.SensorOn) subs = device.pluginProps.get(u'subscriptions', None) if subs: for topic in subs: self.dxl_client.add_event_callback(topic, self.MyEventCallback(self)) self.logger.info(u"{}: Subscribing to: {}".format( device.name, topic))
def main(argv): TOPIC_DESTINATION = '' TYPE_PAYLOAD = '' PAYLOAD = '' help = 'python ' + sys.argv[0] + ' -t <topic destination> -p <payload>' try: opts, args = getopt.getopt(argv, "ht:p:", ["topic=", "payload="]) except getopt.GetoptError: print help sys.exit(1) for opt, arg in opts: if opt == '-h': print help sys.exit(1) elif opt in ("-t", "--topic"): TOPIC_DESTINATION = arg elif opt in ("-p", "--payload"): PAYLOAD = arg if (TOPIC_DESTINATION != '' and PAYLOAD != ''): DXL_MESSAGE['SRC_HOST'] = IP DXL_MESSAGE['PAYLOAD'] = PAYLOAD # Create the client with DxlClient(config) as client: # Connect to the fabric client.connect() # # Invoke the service (send a request) # # Create the request req = Request(TOPIC_DESTINATION) # Populate the request payload req.payload = str(json.dumps(DXL_MESSAGE)).encode() # Send the request and wait for a response (synchronous) res = client.sync_request(req) # Extract information from the response (if an error did not occur) if res.message_type != Message.MESSAGE_TYPE_ERROR: print "result is coming:" print res.payload else: logger.error("Error: " + res.error_message + " (" + str(res.error_code) + ")") else: print help sys.exit(1)
def __init__(self, opts): """constructor provides access to the configuration options""" super(FunctionComponent, self).__init__(opts) try: config = opts.get("fn_mcafee_tie").get(self.config_file) if config is None: LOG.error(self.config_file + " is not set. You must set this path to run this function") raise ValueError(self.config_file + " is not set. You must set this path to run this function") LOG.info("Using %s to create configuration for DxlClient", config) # Create configuration from file for DxlClient self.config = DxlClientConfig.create_dxl_config_from_file(config) except AttributeError: LOG.error("There is no [fn_mcafee_tie] section in the config file, " "please set that by running resilient-circuits config -u") raise AttributeError("[fn_mcafee_tie] section is not set in the config file") self.client = DxlClient(self.config) self._connect_client()
def run(self, params={}): topic = params.get('topic') event_message = params.get('event_message') event = Event(topic) event.payload = event_message.encode() with DxlClient(self.connection.config) as dxl_client: # Connect to the fabric dxl_client.connect() dxl_client.send_event(event) return {'success': True}
def getTieRep(md5, sha1, sha256): with DxlClient(config) as client: # Connect to the fabric client.connect() # Create the McAfee Threat Intelligence Exchange (TIE) client tie_client = TieClient(client) myGetHashes = hashMe(md5, sha1, sha256) reputations_dict = tie_client.get_file_reputation(myGetHashes) client.disconnect() #myReturnVal = json.dumps(reputations_dict, sort_keys=True, indent=4, separators=(',', ': ')) + "\n" return reputations_dict
def selftest_function(opts): options = opts.get(CONFIG_DATA_SECTION, {}) try: try: config_file = options.get("dxlclient_config") if config_file is None: log.error( "dxlclient_config is not set. You must set this path to run this function" ) raise ValueError( "dxlclient_config is not set. You must set this path to run this function" ) # Create configuration from file for DxlClient dxlclient_config = DxlClientConfig.create_dxl_config_from_file( config_file) except AttributeError: log.error( "There is no [fn_mcafee_tie] section in the config file, " "please set that by running resilient-circuits config -u") raise AttributeError( "[fn_mcafee_tie] section is not set in the config file") dxlclient = DxlClient(dxlclient_config) dxlclient.connect() tie_client = TieClient(dxlclient) if dxlclient.connected and tie_client: state = 'success' reason = None else: state = 'failure' reason = 'authorization failure' return {'state': state, 'reason': reason} except Exception as exc: return {'state': 'failure', 'reason': exc}