def setReputation(trustlevelStr, md5, sha1, sha256, filenameStr, commentStr):
# File Hashes
#mySetHashes = {HashType.MD5: "", HashType.SHA1: "", HashType.SHA256: ""}
trustlevelInt = getTrustLevel(trustlevelStr)
mySetHashes = hashMe(md5, sha1, sha256)
print("mySetHashes:")
print(mySetHashes)
# Create the client
with DxlClient(config) as client:
# Connect to the fabric
client.connect()
# Create the McAfee Threat Intelligence Exchange (TIE) client
tie_client = TieClient(client)
print(trustlevelInt)
print(mySetHashes)
print(filenameStr)
print(commentStr)
if trustlevelInt != -1:
# Set the Enterprise reputation for notepad.exe to Known Trusted
tie_client.set_file_reputation(trustlevelInt,
mySetHashes,
filename=filenameStr,
comment=commentStr)
else:
return jsonify(error="invalid trust level",
trustlevel=trustlevelStr)
client.disconnect()
def setTieReputation(self, payload):
tie_client = TieClient(self.client)
hashes = {
HashType.MD5: payload['fileMD5'],
HashType.SHA1: payload['fileSHA1'],
HashType.SHA256: payload['fileSHA256']
}
reputations_dict = tie_client.get_file_reputation(hashes)
has_definitive_reputation = \
any([rep[ReputationProp.TRUST_LEVEL] != TrustLevel.NOT_SET
and rep[ReputationProp.TRUST_LEVEL] != TrustLevel.UNKNOWN
and rep[ReputationProp.PROVIDER_ID] != FileProvider.EXTERNAL
for rep in reputations_dict.values()])
if not has_definitive_reputation:
try:
tie_client.set_external_file_reputation(
TrustLevel.MIGHT_BE_TRUSTED,
hashes,
file_type=payload['filetype'],
filename=payload['filename'],
comment=payload['comment']
)
except ValueError as e:
pass
def set_rep(self, filename, level, md5, sha1, sha256, sandbox):
try:
with DxlClient(self.config) as client:
client.connect()
tie_client = TieClient(client)
# multi-sandbox support: merge results if some are already available
existing_reputation = tie_client.get_file_reputation(
{HashType.SHA256: sha256})
if existing_reputation and FileProvider.EXTERNAL in existing_reputation:
logging.info(
"A external reputation verdict has been already present for the sample, will merge the results"
)
if (level != 0 and level < existing_reputation[
FileProvider.EXTERNAL]["trustLevel"]):
self._set_reputation(tie_client, filename, level, md5,
sha1, sha256, sandbox)
else:
logging.info(
"New reputation level was higher than what is already present"
)
else:
self._set_reputation(tie_client, filename, level, md5,
sha1, sha256, sandbox)
except Exception as e:
logging.error(
"ERROR setting the reputation in TIE for SHA256 %s using sandbox %s: %s",
str(sha256),
sandbox,
e,
)
def set_file_reputation(hash, trust_level, filename, comment):
config = get_client_config()
# find trust_level key
trust_level_key = None
for k, v in TRUST_LEVELS.iteritems():
if v == trust_level:
trust_level_key = k
if not trust_level_key:
return create_error_entry('illigale argument trust_level %s. Choose value from predefined values' % (trust_level, ))
with DxlClient(config) as client:
client.connect()
tie_client = TieClient(client)
hash_type = get_hash_type(hash)
hash_type_key = HASH_TYPE_KEYS.get(hash_type)
if not hash_type_key:
return create_error_entry('file argument must be sha1(40 charecters) or sha256(64 charecters) or md5(32 charecters)')
hash_param = {}
hash_param[hash_type_key] = hash
try:
tie_client.set_file_reputation(trust_level_key, hash_param, filename, comment)
return 'Successfully set file repuation'
except Exception as ex:
return create_error_entry(str(ex))
def _lookup_hash(self, event, *args, **kwargs):
artifact_type = event.artifact["type"]
artifact_value = event.artifact["value"]
LOG.debug("_lookup_hash started for Artifact Type {0} - Artifact Value {1}".format(
artifact_type, artifact_value))
tie_client = TieClient(self.client)
if artifact_type == "hash.md5":
resilient_hash = {HashType.MD5: artifact_value}
elif artifact_type == "hash.sha1":
resilient_hash = {HashType.SHA1: artifact_value}
elif artifact_type == "hash.sha256":
resilient_hash = {HashType.SHA256: artifact_value}
else:
raise ValueError("Something went wrong setting the hash value")
reputations_dict = \
tie_client.get_file_reputation(
resilient_hash
)
hits = self._query_mcafee_tie(reputations_dict)
yield hits
def file_references(hash):
config = get_client_config()
with DxlClient(config) as client:
client.connect()
# Create the McAfee Threat Intelligence Exchange (TIE) client
tie_client = TieClient(client)
hash_type = get_hash_type(hash)
hash_type_key = HASH_TYPE_KEYS.get(hash_type)
if not hash_type_key:
return create_error_entry('file argument must be sha1(40 charecters) or sha256(64 charecters) or md5(32 charecters)')
hash_param = {}
hash_param[hash_type_key] = hash
references = tie_client.get_file_first_references(hash_param)
table = references_to_table(references)
# creaet context
context_file = {}
hash_type_uppercase = hash_type.upper()
context_file[hash_type_uppercase] = hash
context_file['References'] = table
ec = {}
ec[outputPaths['file']] = context_file
return {
'Type': entryTypes['note'],
'ContentsFormat': formats['json'],
'Contents': references,
'ReadableContentsFormat': formats['markdown'],
'HumanReadable': tableToMarkdown('References for hash %s' % (hash,), table),
'EntryContext': ec
}
def getTieRep(md5, sha1, sha256):
with DxlClient(config) as client:
# Connect to the fabric
client.connect()
# Create the McAfee Threat Intelligence Exchange (TIE) client
tie_client = TieClient(client)
myGetHashes = hashMe(md5, sha1, sha256)
reputations_dict = tie_client.get_file_reputation(myGetHashes)
client.disconnect()
#myReturnVal = json.dumps(reputations_dict, sort_keys=True, indent=4, separators=(',', ': ')) + "\n"
return reputations_dict
def file(hash):
config = get_client_config()
with DxlClient(config) as client:
client.connect()
# Create the McAfee Threat Intelligence Exchange (TIE) client
tie_client = TieClient(client)
hash_type = get_hash_type(hash)
hash_type_key = HASH_TYPE_KEYS.get(hash_type)
if not hash_type_key:
return create_error_entry('file argument must be sha1(40 charecters) or sha256(64 charecters) or md5(32 charecters)')
hash_param = {}
hash_param[hash_type_key] = hash
res = tie_client.get_file_reputation(hash_param)
reputations = res.values()
table = reputations_to_table(reputations)
# creaet context
context_file = {}
hash_type_uppercase = hash_type.upper()
tl_score = get_thrust_level_and_score(reputations)
context_file[hash_type_uppercase] = hash
context_file['TrustLevel'] = tl_score['trust_level']
context_file['Vendor'] = tl_score['vendor']
dbot_score = {'Indicator': hash, 'Type': 'hash', 'Vendor': tl_score['vendor'], 'Score': tl_score['score']}
if tl_score['score'] >= 2:
context_file['Malicious'] = {
'Vendor': tl_score['vendor'],
'Score': tl_score['score'],
'Description': 'Trust level is ' + str(tl_score['trust_level'])
}
ec = {
'DBotScore': dbot_score
}
ec[outputPaths['file']] = context_file
return {
'Type': entryTypes['note'],
'ContentsFormat': formats['json'],
'Contents': reputations,
'ReadableContentsFormat': formats['markdown'],
'HumanReadable': tableToMarkdown('McAfee TIE Hash Reputations For %s:' % (hash,), table),
'EntryContext': ec
}
def file(hash_inputs):
hash_list = []
for hash_value in hash_inputs:
config = get_client_config()
with DxlClient(config) as client:
client.connect()
# Create the McAfee Threat Intelligence Exchange (TIE) client
tie_client = TieClient(client)
hash_type = get_hash_type(hash_value)
hash_type_key = HASH_TYPE_KEYS.get(hash_type)
if not hash_type_key:
return create_error_entry('file argument must be sha1(40 charecters) or sha256(64 charecters)'
' or md5(32 charecters)')
hash_param = {}
reputations = {}
context_file = {}
hash_param[hash_type_key] = hash_value
hash_type_uppercase = hash_type.upper()
res = safe_get_file_reputation(tie_client, hash_param)
if not res:
dbot_score = [{'Indicator': hash_value, 'Type': 'hash', 'Vendor': VENDOR_NAME, 'Score': 0},
{'Indicator': hash_value, 'Type': 'file', 'Vendor': VENDOR_NAME, 'Score': 0}]
context_file[hash_type_uppercase] = hash_value
context_file['TrustLevel'] = 0
context_file['Vendor'] = VENDOR_NAME
else:
reputations = res.values()
# create context
tl_score = get_thrust_level_and_score(reputations)
context_file[hash_type_uppercase] = hash_value
context_file['TrustLevel'] = tl_score['trust_level']
context_file['Vendor'] = tl_score['vendor']
dbot_score = [{'Indicator': hash_value, 'Type': 'hash', 'Vendor': tl_score['vendor'],
'Score': tl_score['score']},
{'Indicator': hash_value, 'Type': 'file', 'Vendor': tl_score['vendor'],
'Score': tl_score['score']}]
if tl_score['score'] >= 2:
context_file['Malicious'] = {
'Vendor': tl_score['vendor'],
'Score': tl_score['score'],
'Description': 'Trust level is ' + str(tl_score['trust_level'])
}
ec = {'DBotScore': dbot_score, outputPaths['file']: context_file}
table = reputations_to_table(reputations)
hash_list.append({
'Type': entryTypes['note'],
'ContentsFormat': formats['json'],
'Contents': reputations,
'ReadableContentsFormat': formats['markdown'],
'HumanReadable': tableToMarkdown('McAfee TIE Hash Reputations For %s:' % (hash_value,), table),
'EntryContext': ec
})
return hash_list
def set_rep(self, eventid, hash):
try:
with DxlClient(self.config) as client:
client.connect()
tie_client = TieClient(client)
tie_client.set_external_file_reputation(
self.tie_rep,
{'md5': hash},
filename='MISP Hash {0}'.format(str(eventid)),
comment='External Reputation set via OpenDXL')
print('SUCCESS: Successfully pushed MD5 {0} to TIE.'.format(str(hash)))
except Exception as e:
exc_type, exc_obj, exc_tb = sys.exc_info()
print('ERROR: Error in {location}.{funct_name}() - line {line_no} : {error}'
.format(location=__name__, funct_name=sys._getframe().f_code.co_name, line_no=exc_tb.tb_lineno,
error=str(e)))
class TIE_Plugin(PluginBase) :
def __init__(self):
logger.info("Plugin " + _plugin_name + " initializing...")
#
# Init and connect DXL client
#
# DxlClientConfig from DXL configuration file
logger.debug(_plugin_name + " : Loading DXL config from: %s", cfg['ExportPlugins']['TIE_Plugin']['DXLConfig'])
self.dxl_config = DxlClientConfig.create_dxl_config_from_file(cfg['ExportPlugins']['TIE_Plugin']['DXLConfig'])
self.tie_client = None
def export(self, results_array):
#logger.debug(results_array)
#logger.debug(json.dumps(results_array, indent=4, sort_keys=True))
for event in results_array:
logger.debug(_plugin_name + " processing event: (Event ID: " + event['Event']['id'] + ", Event Info: " + event['Event']['info'] + ", Event Date: " + event['Event']['date'] + ")")
with DxlClient(self.dxl_config) as client:
# Connect to the DXL fabric
logger.debug(_plugin_name + " : Connecting OpenDXL client...")
client.connect()
# Create the McAfee Threat Intelligence Exchange (TIE) client
self.tie_client = TieClient(client)
for attribute in event['Event']['Attribute']:
if attribute['type'] == 'md5' or attribute['type'] == 'sha1' or attribute['type'] == 'sha256':
logger.debug("Found attribute type {0} = {1} in MISP event {2}.".format(str(attribute['type']),str(attribute['value']),str(event['Event']['id'])))
self.set_tie_reputation(TIE_REPUTATION, attribute['type'], attribute['value'], "MISP (Event ID {0}, Info: {1})".format(str(event['Event']['id']), str(event['Event']['info'])))
for obj in event['Event']['Object']:
for attribute in obj['Attribute']:
if attribute['type'] == 'md5' or attribute['type'] == 'sha1' or attribute['type'] == 'sha256':
logger.debug("Found object attribute type {0} = {1} in MISP event {2}.".format(str(attribute['type']),str(attribute['value']),str(event['Event']['id'])))
self.set_tie_reputation(TIE_REPUTATION, attribute['type'], attribute['value'], "MISP (Event ID {0}, Info: {1})".format(str(event['Event']['id']), str(event['Event']['info'])))
self.tie_client = None
def set_tie_reputation(self, trust_level, hash_type, hash_value, comment_str):
if self.tie_client :
try:
self.tie_client.set_external_file_reputation(TIE_REPUTATION, {hash_type: hash_value}, filename=comment_str, comment=comment_str)
logger.debug(_plugin_name + " : Reputation set (%s)", comment_str)
except ValueError as e:
logger.error(_plugin_name + " : Error while trying to set TIE reputation (%s)", str(e))
def set_reputation(self, list_hash, type_hash):
try:
with DxlClient(self.config) as client:
client.connect()
tie_client = TieClient(client)
for new_threat in list_hash:
#set new reputation with hash string and trustlevel is KNOWN_MALICIOUS
tie_client.set_external_file_reputation(
TrustLevel.KNOWN_MALICIOUS,
{type_hash: new_threat.hash_string},
filename='MISP Hash {0}'.format(str(new_threat.name)),
comment='External Reputation set via OpenDXL')
print('SUCCESS: Successfully pushed {0} {1} to TIE.'.format(type_hash, str(new_threat.hash_string)))
except Exception as e:
exc_tb = sys.exc_info()
print('ERROR: Error in {location}.{funct_name}() - line {line_no} : {error}'
.format(location=__name__, funct_name=sys._getframe().f_code.co_name, line_no=exc_tb.tb_lineno,
error=str(e)))
def process(self):
event = self.receive_message()
payload = json.dumps(event)
self.dxlclient.connect()
tie_client = TieClient(self.dxlclient)
tie_client.set_file_reputation(
TrustLevel.MOST_LIKELY_MALICIOUS, {
HashType.SHA256: event.get("malware.hash.sha256"),
HashType.SHA1: event.get("malware.hash.sha1"),
HashType.MD5: event.get("malware.hash.md5")
},
filename=event.get("malware.name"),
comment=self.parameters.comment)
self.dxlclient.disconnect()
self.logger.info("Event successfully sent.")
self.acknowledge_message()
def export(self, results_array):
#logger.debug(results_array)
#logger.debug(json.dumps(results_array, indent=4, sort_keys=True))
for event in results_array:
logger.debug(_plugin_name + " processing event: (Event ID: " + event['Event']['id'] + ", Event Info: " + event['Event']['info'] + ", Event Date: " + event['Event']['date'] + ")")
with DxlClient(self.dxl_config) as client:
# Connect to the DXL fabric
logger.debug(_plugin_name + " : Connecting OpenDXL client...")
client.connect()
# Create the McAfee Threat Intelligence Exchange (TIE) client
self.tie_client = TieClient(client)
for attribute in event['Event']['Attribute']:
if attribute['type'] == 'md5' or attribute['type'] == 'sha1' or attribute['type'] == 'sha256':
logger.debug("Found attribute type {0} = {1} in MISP event {2}.".format(str(attribute['type']),str(attribute['value']),str(event['Event']['id'])))
self.set_tie_reputation(TIE_REPUTATION, attribute['type'], attribute['value'], "MISP (Event ID {0}, Info: {1})".format(str(event['Event']['id']), str(event['Event']['info'])))
for obj in event['Event']['Object']:
for attribute in obj['Attribute']:
if attribute['type'] == 'md5' or attribute['type'] == 'sha1' or attribute['type'] == 'sha256':
logger.debug("Found object attribute type {0} = {1} in MISP event {2}.".format(str(attribute['type']),str(attribute['value']),str(event['Event']['id'])))
self.set_tie_reputation(TIE_REPUTATION, attribute['type'], attribute['value'], "MISP (Event ID {0}, Info: {1})".format(str(event['Event']['id']), str(event['Event']['info'])))
self.tie_client = None
def __init__(self, options, dxlclient, reputation_lookup_dict=None):
# Create the McAfee Threat Intelligence Exchange (TIE) client
self.tie_client = TieClient(dxlclient)
# TODO:Refactor this
self.reputation_lookup_dict = reputation_lookup_dict
if self.reputation_lookup_dict:
try:
self.filehash = reputation_lookup_dict['md5']
except:
try:
self.filehash = reputation_lookup_dict['sha1']
except:
self.filehash = "unknown"
self.reputations_dict = self._getFileRep()
else:
self.filehash = options.filehash
if self.filehash == None:
return "no file hash"
self.reputations_dict = self._getFileRep()
self.content = self._getFileProps()
def doReputation(btn):
global hashType
strHash = str(chatWin.getEntry("TIE_Hash"))
logger.info("Getting reputation data for {0}.".format(str(strHash)))
#Get all TIE based reputation data associated with a given hash
tie_client = TieClient(client)
reputations_dict = {}
#Request raw json reputation results
if hashType == "md5":
reputations_dict = tie_client.get_file_reputation(
{HashType.MD5: strHash})
elif hashType == "sha1":
reputations_dict = tie_client.get_file_reputation(
{HashType.SHA1: strHash})
elif hashType == "sha256":
reputations_dict = tie_client.get_file_reputation(
{HashType.SHA256: strHash})
#debug
logger.info(
"Raw TIE results for hash type " + hashType + ": " + json.dumps(
reputations_dict, sort_keys=True, indent=4, separators=(',',
': ')))
#Start building repputation output for writing to the results TextArea
strResults = parseTIEResults(reputations_dict)
#chatWin.setTextArea("TIEResults", json.dumps(reputations_dict, sort_keys=True, indent=4, separators= (',', ': ')), False)
chatWin.setTextArea("HashResults", strResults, False)
return True
def test_safe_get_file_reputation_returned_exception(mocker):
"""
Given:
- tie client and hash parameter
When:
- The tie client returns some exception
Then:
- Print to log and return empty dict
"""
mcafee_tie = importlib.import_module("McAfee-TIE")
tie_client = TieClient(None)
hash_param = {'test': 'test'}
mocker.patch.object(tie_client,
"get_file_reputation",
side_effect=Exception())
assert not mcafee_tie.safe_get_file_reputation(tie_client, hash_param)
def test_safe_get_file_reputation_returned_rep(mocker):
"""
Given:
- tie client and hash parameter
When:
- The tie client returns reputation
Then:
- return the reputation
"""
mcafee_tie = importlib.import_module("McAfee-TIE")
tie_client = TieClient(None)
hash_param = {'test': 'test'}
mocker.patch.object(tie_client,
"get_file_reputation",
return_value='test_value')
assert mcafee_tie.safe_get_file_reputation(tie_client, hash_param)
def on_event(self, event):
"""
Invoked when a DXL event has been received.
NOTE: This method should not be overridden (it performs transformations to simplify TIE usage).
Instead, the :func:`on_reputation_change` method must be overridden.
:param event: The original DXL event message that was received
"""
# Decode the event payload
rep_change_dict = json.loads(event.payload.decode(encoding="UTF-8"))
# Transform hashes
if RepChangeEventProp.HASHES in rep_change_dict:
rep_change_dict[RepChangeEventProp.HASHES] = \
TieClient._transform_hashes(rep_change_dict[RepChangeEventProp.HASHES])
# Transform new reputations
if RepChangeEventProp.NEW_REPUTATIONS in rep_change_dict:
if "reputations" in rep_change_dict[
RepChangeEventProp.NEW_REPUTATIONS]:
rep_change_dict[RepChangeEventProp.NEW_REPUTATIONS] = \
TieClient._transform_reputations(
rep_change_dict[RepChangeEventProp.NEW_REPUTATIONS]["reputations"])
# Transform old reputations
if RepChangeEventProp.OLD_REPUTATIONS in rep_change_dict:
if "reputations" in rep_change_dict[
RepChangeEventProp.OLD_REPUTATIONS]:
rep_change_dict[RepChangeEventProp.OLD_REPUTATIONS] = \
TieClient._transform_reputations(
rep_change_dict[RepChangeEventProp.OLD_REPUTATIONS]["reputations"])
# Transform relationships
if FileRepChangeEventProp.RELATIONSHIPS in rep_change_dict:
relationships_dict = rep_change_dict[
FileRepChangeEventProp.RELATIONSHIPS]
if "certificate" in relationships_dict:
cert_dict = relationships_dict["certificate"]
if "hashes" in cert_dict:
cert_dict["hashes"] = \
TieClient._transform_hashes(cert_dict["hashes"])
if "publicKeySha1" in cert_dict:
cert_dict["publicKeySha1"] = \
TieClient._base64_to_hex(cert_dict["publicKeySha1"])
# Transform certificate public-key SHA-1 (if applicable)
if CertRepChangeEventProp.PUBLIC_KEY_SHA1 in rep_change_dict:
rep_change_dict[CertRepChangeEventProp.PUBLIC_KEY_SHA1] = \
TieClient._base64_to_hex(rep_change_dict[CertRepChangeEventProp.PUBLIC_KEY_SHA1])
# Invoke the reputation change method
self.on_reputation_change(rep_change_dict, event)
def on_event(self, event):
"""
Invoked when a DXL event has been received.
NOTE: This method should not be overridden (it performs transformations to simplify TIE usage).
Instead, the :func:`on_detection` method must be overridden.
:param event: The original DXL event message that was received
"""
# Decode the event payload
detection_dict = json.loads(event.payload.decode(encoding="UTF-8"))
# Transform hashes
if DetectionEventProp.HASHES in detection_dict:
detection_dict[RepChangeEventProp.HASHES] = \
TieClient._transform_hashes(detection_dict[DetectionEventProp.HASHES])
# Invoke the detection method
self.on_detection(detection_dict, event)
def set_rep(self, hash, type, level, prov):
with DxlClient(DXL_CONFIG) as client:
client.connect()
tie_client = TieClient(client)
if prov == 'enterprise':
tie_client.set_file_reputation(
int(level), {type: hash},
filename=hash,
comment="Reputation Update from McAfee Bulk Importer")
elif prov == 'external':
tie_client.set_external_file_reputation(
int(level), {type: hash},
filename=hash,
comment="Reputation Update from McAfee Bulk Importer")
def main():
if pollInterval == 0:
print "Polling Interval Needs to be set in environment variable JOE_POLL"
exit(0)
print ""
print "--- Joe Sandbox metadata script ---"
print ""
# Create the client
with DxlClient(config) as client:
# Connect to the fabric
client.connect()
# Create the McAfee Threat Intelligence Exchange (TIE) client
tie_client = TieClient(client)
while True:
getJoeList(tie_client)
time.sleep(pollInterval)
def selftest_function(opts):
options = opts.get(CONFIG_DATA_SECTION, {})
try:
try:
config_file = options.get("dxlclient_config")
if config_file is None:
log.error(
"dxlclient_config is not set. You must set this path to run this function"
)
raise ValueError(
"dxlclient_config is not set. You must set this path to run this function"
)
# Create configuration from file for DxlClient
dxlclient_config = DxlClientConfig.create_dxl_config_from_file(
config_file)
except AttributeError:
log.error(
"There is no [fn_mcafee_tie] section in the config file, "
"please set that by running resilient-circuits config -u")
raise AttributeError(
"[fn_mcafee_tie] section is not set in the config file")
dxlclient = DxlClient(dxlclient_config)
dxlclient.connect()
tie_client = TieClient(dxlclient)
if dxlclient.connected and tie_client:
state = 'success'
reason = None
else:
state = 'failure'
reason = 'authorization failure'
return {'state': state, 'reason': reason}
except Exception as exc:
return {'state': 'failure', 'reason': exc}
FILE_SHA256 = "142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2"
# Hashes for the certificate to look up
# These can be replaced by a certificate which is known to have run within the
# enterprise for better results
CERTIFICATE_BODY_SHA1 = "6EAE26DB8C13182A7947982991B4321732CC3DE2"
CERTIFICATE_PUBLIC_KEY_SHA1 = "3B87A2D6F39770160364B79A152FCC73BAE27ADF"
# Create the client
with DxlClient(config) as client:
# Connect to the fabric
client.connect()
# Create the McAfee Threat Intelligence Exchange (TIE) client
tie_client = TieClient(client)
#
# Perform the file reputation query
#
reputations_dict = \
tie_client.get_file_reputation({
HashType.MD5: FILE_MD5,
HashType.SHA1: FILE_SHA1,
HashType.SHA256: FILE_SHA256
})
print("File reputation response:")
# Display the Global Threat Intelligence (GTI) trust level for the file
if FileProvider.GTI in reputations_dict:
def tie_set_rep(self, filedict):
tie_client = TieClient(client)
#Should consider use case... and whether or not a lookup should be made for FP mitigation before setting a rep
else:
def _connect_client(self):
# Connect client
if not self.client.connected:
self.client.connect()
self.tie_client = TieClient(self.client)
childcounter+=1
# Loop through each file and check with the TIE Server to determine if
# it already exists.
with DxlClient(config) as client:
#Connect to DXL fabric
client.connect()
#Create TIE Client
tie_client=TieClient(client)
for fileKey in WFResult:
#unset reusables
reputations_dict = None
currentMD5 = None
currentSHA256 = None
currentFilename = None
currentTrustLevel = None
currentMD5= WFResult[fileKey]['md5']
currentSHA256=WFResult[fileKey]['sha256']
currentFilename=WFResult[fileKey]['filename']
currentTrustLevel=WFResult[fileKey]['trustlevel']
def set_reputation(dxl_config_file, ioc_list, force):
# Create DXL configuration from file
config = DxlClientConfig.create_dxl_config_from_file(dxl_config_file)
# Create the client
with DxlClient(config) as client:
# Connect to the fabric
client.connect()
# Create the McAfee Threat Intelligence Exchange (TIE) client
tie_client = TieClient(client)
#
# Hashes for the file whose reputation will be set.
#
# Replace the random values for the actual file hashes.
#
ioc_set = 0
ioc_error = 0
ioc_exist = 0
ioc_total = 0
for ioc in ioc_list:
fileSHA1 = ioc["sha1"]
fileSHA256 = ioc["sha256"]
fileMD5 = ioc["md5"]
hashes = {
HashType.MD5: fileMD5,
HashType.SHA1: fileSHA1,
HashType.SHA256: fileSHA256
}
file_name = ioc["file_name"]
file_comment = ioc["file_comment"]
try:
reputation = REPUTATION_VALUES[ioc["reputation"]]
except Exception as er:
logger.error(
"Error getting reputation value, for entry %s check spelling"
% file_name)
continue
#
# Request reputation for the file
#
reputations_dict = tie_client.get_file_reputation(hashes)
#
# Check if there's any definitive reputation (different to Not Set [0] and Unknown [50])
#
has_definitive_reputation = \
any([rep[ReputationProp.TRUST_LEVEL] != TrustLevel.NOT_SET
and rep[ReputationProp.TRUST_LEVEL] != TrustLevel.UNKNOWN
for rep in reputations_dict.values()])
#
# If there's a definitive reputation and we are not forcing the reputation aplication
# Skip the application
#
if has_definitive_reputation and force == False:
logger.info(
"Information: There is a reputation from another provider for the file %s, External Reputation is not necessary."
% file_name)
ioc_exist = ioc_exist + 1
else:
#
# Set the External reputation
#
try:
logger.debug("Reputation %s" % reputation)
logger.debug("hashes %s" % hashes)
logger.debug("filename %s" % file_name)
logger.debug("comment %s" % file_comment)
tie_client.set_file_reputation(
reputation,
hashes,
#FileType.PEEXE,
filename=file_name,
comment=file_comment)
logger.info(
"Information: IoC %s sent to Threat Intelligence Exchange Database"
% file_name)
ioc_set = ioc_set + 1
except ValueError as e:
logger.error(
"Error sending IoC %s to Threat Intelligence Exchange Database"
% file_name)
ioc_error = ioc_error + 1
ioc_total = ioc_total + 1
ioc_procesed = {
"total_ioc_processed": ioc_total,
"ioc_set": ioc_set,
"ioc_exist": ioc_exist,
"ioc_error": ioc_error
}
return (ioc_procesed)
def run(self, results):
"""Writes report.
@param results: Cuckoo results dict.
@raise CuckooReportError: if fails to write report.
"""
try:
currentMD5 = results["target"]["file"]["md5"]
currentSHA1 = results["target"]["file"]["sha1"]
currentSHA256 = results["target"]["file"]["sha256"]
currentFilename = results["target"]["file"]["name"]
currentTrustLevel = results["info"]["score"]
print currentMD5
print currentSHA1
print currentSHA256
print currentFilename
print currentTrustLevel
if float(currentTrustLevel) < 4.0:
print "Trust Level is " + str(
currentTrustLevel) + ". No update required."
return
print "Opening DXL connection"
with DxlClient(config) as client:
#Connect to DXL fabric
print "Connecting to DXL fabric."
client.connect()
#Create TIE Client
print "Connecting to TIE."
tie_client = TieClient(client)
print "Trust Level is " + str(
currentTrustLevel) + ". Updating TIE."
reputations_dict = \
tie_client.get_file_reputation({
HashType.MD5: currentMD5,
HashType.SHA1: currentSHA1,
HashType.SHA256: currentSHA256
})
print reputations_dict
#Check if there is an enterprise (custom set) reputation
if (reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.NOT_SET or \
reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.UNKNOWN or \
reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.MIGHT_BE_TRUSTED or \
reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.MOST_LIKELY_TRUSTED):
print "Current Trust Level is" + str(reputations_dict[
FileProvider.ENTERPRISE]["trustLevel"])
#also, let's make sure GTI trustLevels are either not being queried, or set to Unknown
#we are nesting for clarity
if (FileProvider.GTI not in reputations_dict.keys()
or reputations_dict[FileProvider.GTI]
== TrustLevel.UNKNOWN):
print "GTI either does not exist or set to UNKNOWN"
# If not set, go ahead and set it
tie_client.set_file_reputation(
TrustLevel.MOST_LIKELY_MALICIOUS, {
HashType.MD5: currentMD5,
HashType.SHA1: currentSHA1,
HashType.SHA256: currentSHA256
},
filename=currentFilename,
comment=
"Reputation set via OpenDXL Cuckoo Integration. Cuckoo scored this sample a "
+ str(currentTrustLevel) + " out of 10.")
print "Reputation set for: " + str(
currentFilename) + ": " + currentMD5
except (TypeError, IOError) as e:
raise CuckooReportError("Failed to update TIE with results: %s" %
e)
def get_tie_client(client):
# get TIE Connect client
if not client.connected:
client.connect()
return TieClient(client)
