Esempio n. 1
0
def setReputation(trustlevelStr, md5, sha1, sha256, filenameStr, commentStr):
    # File Hashes
    #mySetHashes = {HashType.MD5: "", HashType.SHA1: "", HashType.SHA256: ""}

    trustlevelInt = getTrustLevel(trustlevelStr)

    mySetHashes = hashMe(md5, sha1, sha256)

    print("mySetHashes:")
    print(mySetHashes)

    # Create the client
    with DxlClient(config) as client:

        # Connect to the fabric
        client.connect()

        # Create the McAfee Threat Intelligence Exchange (TIE) client
        tie_client = TieClient(client)

        print(trustlevelInt)
        print(mySetHashes)
        print(filenameStr)
        print(commentStr)
        if trustlevelInt != -1:
            # Set the Enterprise reputation for notepad.exe to Known Trusted
            tie_client.set_file_reputation(trustlevelInt,
                                           mySetHashes,
                                           filename=filenameStr,
                                           comment=commentStr)
        else:
            return jsonify(error="invalid trust level",
                           trustlevel=trustlevelStr)
        client.disconnect()
Esempio n. 2
0
def set_file_reputation(hash, trust_level, filename, comment):
    config = get_client_config()

    # find trust_level key
    trust_level_key = None
    for k, v in TRUST_LEVELS.iteritems():
        if v == trust_level:
            trust_level_key = k

    if not trust_level_key:
        return create_error_entry('illigale argument trust_level %s. Choose value from predefined values' % (trust_level, ))

    with DxlClient(config) as client:
        client.connect()
        tie_client = TieClient(client)

        hash_type = get_hash_type(hash)
        hash_type_key = HASH_TYPE_KEYS.get(hash_type)
        if not hash_type_key:
            return create_error_entry('file argument must be sha1(40 charecters) or sha256(64 charecters) or md5(32 charecters)')

        hash_param = {}
        hash_param[hash_type_key] = hash

        try:
            tie_client.set_file_reputation(trust_level_key, hash_param, filename, comment)
            return 'Successfully set file repuation'
        except Exception as ex:
            return create_error_entry(str(ex))
Esempio n. 3
0
    def set_rep(self, hash, type, level, prov):
        with DxlClient(DXL_CONFIG) as client:
            client.connect()
            tie_client = TieClient(client)

            if prov == 'enterprise':
                tie_client.set_file_reputation(
                    int(level), {type: hash},
                    filename=hash,
                    comment="Reputation Update from McAfee Bulk Importer")
            elif prov == 'external':
                tie_client.set_external_file_reputation(
                    int(level), {type: hash},
                    filename=hash,
                    comment="Reputation Update from McAfee Bulk Importer")
Esempio n. 4
0
    def process(self):
        event = self.receive_message()

        payload = json.dumps(event)

        self.dxlclient.connect()
        tie_client = TieClient(self.dxlclient)

        tie_client.set_file_reputation(
            TrustLevel.MOST_LIKELY_MALICIOUS, {
                HashType.SHA256: event.get("malware.hash.sha256"),
                HashType.SHA1: event.get("malware.hash.sha1"),
                HashType.MD5: event.get("malware.hash.md5")
            },
            filename=event.get("malware.name"),
            comment=self.parameters.comment)

        self.dxlclient.disconnect()

        self.logger.info("Event successfully sent.")

        self.acknowledge_message()
Esempio n. 5
0
def set_reputation(dxl_config_file, ioc_list, force):
    # Create DXL configuration from file
    config = DxlClientConfig.create_dxl_config_from_file(dxl_config_file)

    # Create the client
    with DxlClient(config) as client:
        # Connect to the fabric
        client.connect()

        # Create the McAfee Threat Intelligence Exchange (TIE) client
        tie_client = TieClient(client)

        #
        # Hashes for the file whose reputation will be set.
        #
        # Replace the random values for the actual file hashes.
        #
        ioc_set = 0
        ioc_error = 0
        ioc_exist = 0
        ioc_total = 0

        for ioc in ioc_list:

            fileSHA1 = ioc["sha1"]
            fileSHA256 = ioc["sha256"]
            fileMD5 = ioc["md5"]

            hashes = {
                HashType.MD5: fileMD5,
                HashType.SHA1: fileSHA1,
                HashType.SHA256: fileSHA256
            }
            file_name = ioc["file_name"]
            file_comment = ioc["file_comment"]

            try:
                reputation = REPUTATION_VALUES[ioc["reputation"]]

            except Exception as er:
                logger.error(
                    "Error getting reputation value, for entry %s check spelling"
                    % file_name)
                continue

            #
            # Request reputation for the file
            #
            reputations_dict = tie_client.get_file_reputation(hashes)
            #
            # Check if there's any definitive reputation (different to Not Set [0] and Unknown [50])
            #
            has_definitive_reputation = \
                any([rep[ReputationProp.TRUST_LEVEL] != TrustLevel.NOT_SET
                     and rep[ReputationProp.TRUST_LEVEL] != TrustLevel.UNKNOWN
                     for rep in reputations_dict.values()])

            #
            # If there's a definitive reputation and we are not forcing the reputation aplication
            # Skip the application
            #
            if has_definitive_reputation and force == False:
                logger.info(
                    "Information: There is a reputation from another provider for the file %s, External Reputation is not necessary."
                    % file_name)
                ioc_exist = ioc_exist + 1
            else:
                #
                # Set the External reputation
                #
                try:
                    logger.debug("Reputation %s" % reputation)
                    logger.debug("hashes %s" % hashes)
                    logger.debug("filename %s" % file_name)
                    logger.debug("comment %s" % file_comment)

                    tie_client.set_file_reputation(
                        reputation,
                        hashes,
                        #FileType.PEEXE,
                        filename=file_name,
                        comment=file_comment)

                    logger.info(
                        "Information: IoC %s sent to Threat Intelligence Exchange Database"
                        % file_name)
                    ioc_set = ioc_set + 1
                except ValueError as e:
                    logger.error(
                        "Error sending IoC %s to Threat Intelligence Exchange Database"
                        % file_name)
                    ioc_error = ioc_error + 1

            ioc_total = ioc_total + 1

        ioc_procesed = {
            "total_ioc_processed": ioc_total,
            "ioc_set": ioc_set,
            "ioc_exist": ioc_exist,
            "ioc_error": ioc_error
        }

        return (ioc_procesed)
Esempio n. 6
0
    def run(self, results):
        """Writes report.
        @param results: Cuckoo results dict.
        @raise CuckooReportError: if fails to write report.
        """
        try:
            currentMD5 = results["target"]["file"]["md5"]
            currentSHA1 = results["target"]["file"]["sha1"]
            currentSHA256 = results["target"]["file"]["sha256"]
            currentFilename = results["target"]["file"]["name"]
            currentTrustLevel = results["info"]["score"]

            print currentMD5
            print currentSHA1
            print currentSHA256
            print currentFilename
            print currentTrustLevel

            if float(currentTrustLevel) < 4.0:
                print "Trust Level is " + str(
                    currentTrustLevel) + ". No update required."
                return

            print "Opening DXL connection"
            with DxlClient(config) as client:

                #Connect to DXL fabric
                print "Connecting to DXL fabric."
                client.connect()

                #Create TIE Client
                print "Connecting to TIE."
                tie_client = TieClient(client)

                print "Trust Level is " + str(
                    currentTrustLevel) + ". Updating TIE."

                reputations_dict = \
                tie_client.get_file_reputation({
                    HashType.MD5: currentMD5,
                    HashType.SHA1: currentSHA1,
                    HashType.SHA256: currentSHA256
                    })

                print reputations_dict

                #Check if there is an enterprise (custom set) reputation
                if (reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.NOT_SET or \
                    reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.UNKNOWN or \
                    reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.MIGHT_BE_TRUSTED or \
                    reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.MOST_LIKELY_TRUSTED):

                    print "Current Trust Level is" + str(reputations_dict[
                        FileProvider.ENTERPRISE]["trustLevel"])

                    #also, let's make sure GTI trustLevels are either not being queried, or set to Unknown
                    #we are nesting for clarity
                    if (FileProvider.GTI not in reputations_dict.keys()
                            or reputations_dict[FileProvider.GTI]
                            == TrustLevel.UNKNOWN):

                        print "GTI either does not exist or set to UNKNOWN"

                        # If not set, go ahead and set it
                        tie_client.set_file_reputation(
                            TrustLevel.MOST_LIKELY_MALICIOUS, {
                                HashType.MD5: currentMD5,
                                HashType.SHA1: currentSHA1,
                                HashType.SHA256: currentSHA256
                            },
                            filename=currentFilename,
                            comment=
                            "Reputation set via OpenDXL Cuckoo Integration. Cuckoo scored this sample a "
                            + str(currentTrustLevel) + " out of 10.")

                        print "Reputation set for: " + str(
                            currentFilename) + ": " + currentMD5

        except (TypeError, IOError) as e:
            raise CuckooReportError("Failed to update TIE with results: %s" %
                                    e)
Esempio n. 7
0
        currentMD5= WFResult[fileKey]['md5']
        currentSHA256=WFResult[fileKey]['sha256']
        currentFilename=WFResult[fileKey]['filename']
        currentTrustLevel=WFResult[fileKey]['trustlevel']

        reputations_dict = \
                tie_client.get_file_reputation({
                    HashType.MD5: currentMD5,
                    HashType.SHA256: currentSHA256
                    })

        
        #Check if there is an enterprise (custom set) reputation
        if (reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.NOT_SET and \
            reputations_dict[FileProvider.GTI]["trustLevel"]==TrustLevel.NOT_SET) or \
            reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.UNKNOWN or \
            reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.MIGHT_BE_TRUSTED or \
            reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.MOST_LIKELY_TRUSTED:
            # If not set, go ahead and set it
            tie_client.set_file_reputation(
                currentTrustLevel, {
                    HashType.MD5: currentMD5,
                    HashType.SHA256: currentSHA256},
                filename=currentFilename,
                comment="Reputation set via OpenDXL WildFire Integration")
            print("Reputation set for: " + str(fileKey) + ": " + currentMD5)

        else:
            print("Skipping: " + str(fileKey) + ": " + currentMD5)
Esempio n. 8
0
sys.path.append(os.path.dirname(os.path.abspath(__file__)) + "/..")
from common import *

# Configure local logger
logging.getLogger().setLevel(logging.ERROR)
logger = logging.getLogger(__name__)

# Create DXL configuration from file
config = DxlClientConfig.create_dxl_config_from_file(CONFIG_FILE)

# Create the client
with DxlClient(config) as client:

    # Connect to the fabric
    client.connect()

    # Create the McAfee Threat Intelligence Exchange (TIE) client
    tie_client = TieClient(client)

    # Set the Enterprise reputation for notepad.exe to Known Trusted
    tie_client.set_file_reputation(
        TrustLevel.KNOWN_TRUSTED, {
            HashType.MD5: "f2c7bb8acc97f92e987a2d4087d021b1",
            HashType.SHA1: "7eb0139d2175739b3ccb0d1110067820be6abd29",
            HashType.SHA256: "142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2"
        },
        filename="notepad.exe",
        comment="Reputation set via OpenDXL")

    print "Succeeded."
Esempio n. 9
0
        reputations_dict = None
        #MalShare provides only MD5's
        currentMD5 = None
        currentFilename = None
        currentTrustLevel = None

        currentMD5 = MSResult[fileKey]['md5']
        currentFilename = MSResult[fileKey]['filename']
        currentTrustLevel = MSResult[fileKey]['trustlevel']

        reputations_dict = \
                tie_client.get_file_reputation({
                    HashType.MD5: currentMD5
                    })

        #Check if there is an enterprise (custom set) reputation
        if (reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.NOT_SET and \
            reputations_dict[FileProvider.GTI]["trustLevel"]==TrustLevel.NOT_SET) or \
            reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.UNKNOWN or \
            reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.MIGHT_BE_TRUSTED or \
            reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.MOST_LIKELY_TRUSTED:
            # If not set, go ahead and set it
            tie_client.set_file_reputation(
                currentTrustLevel, {HashType.MD5: currentMD5},
                filename=currentFilename,
                comment="Reputation set via OpenDXL MalShare Integration")
            print "Reputation set for: " + str(fileKey) + ": " + currentMD5

        else:
            print "Skipping: " + str(fileKey) + ": " + currentMD5