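    def set_rep(self, eventid, hash):
        """Push an MD5 external reputation for one MISP event to TIE over OpenDXL.

        Opens a DXL client from ``self.config``, wraps it in a ``TieClient`` and
        sets the external file reputation ``self.tie_rep`` for ``hash``.  The
        MISP event id is written into the TIE ``filename`` field so the entry
        can be traced back to its MISP origin.

        Args:
            eventid: MISP event id used to label the TIE entry.
            hash: MD5 hex digest of the file.  The parameter name shadows the
                builtin but is kept for caller compatibility.

        Returns:
            None.  Success and failure are both reported on stdout and no
            exception escapes, so callers cannot tell the two apart
            programmatically.
        """
        try:
            with DxlClient(self.config) as client:
                client.connect()
                tie_client = TieClient(client)

                # Only the MD5 is submitted.  NOTE(review): MD5 alone is a weak
                # file identifier (collisions are well known); sending sha1/sha256
                # alongside it when available makes the reputation more robust.
                tie_client.set_external_file_reputation(
                    self.tie_rep,
                    {'md5': hash},
                    filename='MISP Hash {0}'.format(str(eventid)),
                    comment='External Reputation set via OpenDXL')

                print('SUCCESS: Successfully pushed MD5 {0} to TIE.'.format(str(hash)))

        except Exception as e:
            # Deliberately best-effort: the original contract never raises to the
            # caller, so the broad catch stays.  Only the traceback is needed for
            # the line number; the unused type/value locals are gone.
            exc_tb = sys.exc_info()[2]
            print('ERROR: Error in {location}.{funct_name}() - line {line_no} : {error}'
                  .format(location=__name__, funct_name=sys._getframe().f_code.co_name, line_no=exc_tb.tb_lineno,
                          error=str(e)))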
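class TIE_Plugin(PluginBase) :
    """Export plugin that pushes MISP hash attributes to McAfee TIE over OpenDXL.

    For every MISP event handed to :meth:`export`, each ``md5``/``sha1``/
    ``sha256`` attribute (top-level or inside an Object) is submitted to TIE as
    an external file reputation with trust level ``TIE_REPUTATION``.  No
    validation of the hash values happens here: whatever reaches this plugin
    from MISP is pushed as-is, so the MISP sources feeding it must be trusted.
    """

    # Attribute types that are forwarded to TIE; everything else is ignored.
    _HASH_TYPES = ('md5', 'sha1', 'sha256')

    def __init__(self):
        """Load the DXL client configuration named in the global ``cfg``.

        No connection is opened here; a DXL client is created per event inside
        :meth:`export`.  NOTE(review): ``PluginBase.__init__`` is not invoked
        (as in the original) — confirm the base class needs no setup.
        """
        logger.info("Plugin " + _plugin_name + " initializing...")
        # DxlClientConfig from DXL configuration file
        dxl_config_path = cfg['ExportPlugins']['TIE_Plugin']['DXLConfig']
        logger.debug(_plugin_name + " : Loading DXL config from: %s", dxl_config_path)
        self.dxl_config = DxlClientConfig.create_dxl_config_from_file(dxl_config_path)
        # Only set while a DXL connection is open inside export().
        self.tie_client = None

    def export(self, results_array):
        """Push the file hashes of every event in ``results_array`` to TIE.

        Args:
            results_array: iterable of MISP event dicts; ``event['Event']``
                holds ``id``, ``info``, ``date``, ``Attribute`` and (optionally)
                ``Object``.

        A fresh DXL connection is opened per event and closed when its ``with``
        block exits, so ``self.tie_client`` is only usable inside that block.
        It is reset to None in a ``finally`` so a failure part-way through never
        leaves a TieClient bound to a closed connection behind.
        """
        try:
            for event in results_array:
                ev = event['Event']
                logger.debug(_plugin_name + " processing event: (Event ID: " + ev['id'] + ", Event Info: " + ev['info'] + ", Event Date: " + ev['date'] + ")")
                with DxlClient(self.dxl_config) as client:
                    # Connect to the DXL fabric
                    logger.debug(_plugin_name + " : Connecting OpenDXL client...")
                    client.connect()
                    # Create the McAfee Threat Intelligence Exchange (TIE) client
                    self.tie_client = TieClient(client)
                    comment_str = "MISP (Event ID {0}, Info: {1})".format(str(ev['id']), str(ev['info']))
                    # 'Attribute'/'Object' may be absent on some MISP exports —
                    # TODO confirm against the MISP version in use; treated as empty.
                    self._push_hash_attributes(ev.get('Attribute', []), ev['id'], comment_str, "attribute")
                    for obj in ev.get('Object', []):
                        self._push_hash_attributes(obj.get('Attribute', []), ev['id'], comment_str, "object attribute")
        finally:
            self.tie_client = None

    def _push_hash_attributes(self, attributes, event_id, comment_str, kind):
        """Submit every hash-typed attribute in ``attributes`` to TIE.

        ``kind`` only words the debug line ("attribute" vs "object attribute")
        so the log output matches the two original messages exactly.
        """
        for attribute in attributes:
            if attribute['type'] in self._HASH_TYPES:
                logger.debug("Found {0} type {1} = {2} in MISP event {3}.".format(kind, str(attribute['type']), str(attribute['value']), str(event_id)))
                self.set_tie_reputation(TIE_REPUTATION, attribute['type'], attribute['value'], comment_str)

    def set_tie_reputation(self, trust_level, hash_type, hash_value, comment_str):
        """Set an external TIE reputation for a single hash.

        Args:
            trust_level: TIE trust level to apply.  The original ignored this
                parameter and always sent the module constant ``TIE_REPUTATION``;
                it is now honoured.  ``export()`` passes ``TIE_REPUTATION``, so
                existing behaviour is unchanged.
            hash_type: 'md5', 'sha1' or 'sha256'.
            hash_value: hex digest of that type.
            comment_str: text stored as both the TIE filename and comment.

        Does nothing (apart from a debug log) when no DXL connection is open,
        i.e. when called outside :meth:`export`.  ``ValueError`` from the TIE
        client is logged; any other exception propagates to the caller.
        """
        if not self.tie_client:
            logger.debug(_plugin_name + " : No open DXL connection, reputation not set (%s)", comment_str)
            return
        try:
            self.tie_client.set_external_file_reputation(trust_level, {hash_type: hash_value}, filename=comment_str, comment=comment_str)
            logger.debug(_plugin_name + " : Reputation set (%s)", comment_str)
        except ValueError as e:
            logger.error(_plugin_name + " : Error while trying to set TIE reputation (%s)", str(e))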
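    def set_reputation(self, list_hash, type_hash):
        """Mark every hash in ``list_hash`` KNOWN_MALICIOUS in TIE via OpenDXL.

        Args:
            list_hash: iterable of objects exposing ``hash_string`` (hex digest)
                and ``name`` (used to label the TIE entry).
            type_hash: hash key TIE expects for ``hash_string`` ('md5', 'sha1'
                or 'sha256').  NOTE(review): not validated here — confirm that
                callers only pass values the TIE client accepts.

        One DXL connection serves the whole batch.  Errors are printed, never
        raised, so a failure part-way leaves the earlier hashes already pushed.
        Nothing here vets the hashes, and endpoints enforcing TIE reputations
        may act on KNOWN_MALICIOUS entries, so ``list_hash`` must come from a
        curated source.
        """
        try:
            with DxlClient(self.config) as client:
                client.connect()
                tie_client = TieClient(client)

                for new_threat in list_hash:
                    # Set the new reputation for this hash with trust level KNOWN_MALICIOUS.
                    tie_client.set_external_file_reputation(
                        TrustLevel.KNOWN_MALICIOUS,
                        {type_hash: new_threat.hash_string},
                        filename='MISP Hash {0}'.format(str(new_threat.name)),
                        comment='External Reputation set via OpenDXL')

                    print('SUCCESS: Successfully pushed {0} {1} to TIE.'.format(type_hash, str(new_threat.hash_string)))

        except Exception as e:
            # Bug fix: sys.exc_info() returns a (type, value, traceback) tuple.
            # The original bound the whole tuple and then read .tb_lineno on it,
            # which raised AttributeError inside the handler and masked the real
            # error.  Only the traceback member is needed here.
            exc_tb = sys.exc_info()[2]
            print('ERROR: Error in {location}.{funct_name}() - line {line_no} : {error}'
                  .format(location=__name__, funct_name=sys._getframe().f_code.co_name, line_no=exc_tb.tb_lineno,
                          error=str(e)))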
    # Request reputation for the file
    #
    reputations_dict = tie_client.get_file_reputation(hashes)
    #
    # Check if there's any definitive reputation (different to Not Set [0] and Unknown [50])
    # for any provider except for External Provider (providerId=15)
    #
    has_definitive_reputation = \
        any([rep[ReputationProp.TRUST_LEVEL] != TrustLevel.NOT_SET
             and rep[ReputationProp.TRUST_LEVEL] != TrustLevel.UNKNOWN
             and rep[ReputationProp.PROVIDER_ID] != FileProvider.EXTERNAL
             for rep in reputations_dict.values()])

    if has_definitive_reputation:
        print("Abort: There is a reputation from another provider for the file, "
              "External Reputation is not necessary.")
    else:
        #
        # Set the External reputation for a the file "random.exe" to Might Be Trusted
        #
        try:
            tie_client.set_external_file_reputation(
                TrustLevel.MIGHT_BE_TRUSTED,
                hashes,
                FileType.PEEXE,
                filename="random.exe",
                comment="External Reputation set via OpenDXL")
            print("Event Sent")
        except ValueError as e:
            print("Error: " + str(e))