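def get_malware_subject_from_report(**kwargs):
    """Build a malware subject from a WildFire XML report.

    Keyword arguments (one of the two argument sets is required):
        report: path to a WildFire report file, or an open file-like
            object (anything with a ``read`` attribute).  When ``hash``
            is not given, the sha256 is read from the report's
            ``file_info/sha256`` element.
        hash, tag: retrieve the report for ``hash`` from WildFire using
            the .panrc tag ``tag``; only used when ``report`` is absent.
        pcap: optional.  ``'network'`` fetches pcaps from WildFire
            (requires ``tag``); a string is treated as a local pcap file
            path; any other value disables pcap handling.
        evidence: optional; passed through unchanged.

    Returns:
        The result of __create_malware_subject_from_report().

    Raises:
        PanWfReportError: when WildFire returns no report body, the root
            element is not ``wildfire``, a ``'network'`` pcap is requested
            without ``tag``, or the argument combination is unsupported.
    """
    # Report files and API bodies are XML from outside this process: parse
    # them with entity resolution disabled so a crafted document cannot
    # expand external entities (e.g. pull local files into the tree).
    # lxml already blocks network fetches by default (no_network=True).
    parser = lxml.etree.XMLParser(resolve_entities=False)
    sha256 = kwargs.get('hash', None)

    if 'report' in kwargs:
        src = kwargs['report']
        if hasattr(src, 'read'):
            report = lxml.etree.parse(src, parser).getroot()
        else:
            # 'with' closes the handle even if parsing raises
            with open(src, 'rb') as f:
                report = lxml.etree.parse(f, parser).getroot()
        if sha256 is None:
            found = report.xpath('file_info/sha256/text()')
            sha256 = found[0].strip() if found else None
    elif 'hash' in kwargs and 'tag' in kwargs:
        import pan.wfapi

        # retrieve wildfire report
        wfapi = pan.wfapi.PanWFapi(tag=kwargs['tag'])
        wfapi.report(hash=kwargs['hash'])
        if wfapi.response_body is None:
            raise PanWfReportError('no report from wildfire')
        report = lxml.etree.fromstring(
            wfapi.response_body.encode('utf-8'), parser)
    else:
        raise PanWfReportError(
            'wrong set of arguments to get_malware_subject_from_report')

    if report.tag != 'wildfire':
        raise PanWfReportError('invalid root tag in wildfire report: %s' %
                               report.tag)

    pcap = None
    if 'pcap' in kwargs:
        p = kwargs['pcap']
        if p == 'network':
            if 'tag' not in kwargs:
                raise PanWfReportError('pcap from network, '
                                       'but no tag specified')
            pcap = __get_wfpcap_network_funcgenerator(kwargs['tag'], sha256)
        # basestring is a Python 2 name; presumably supplied by a compat
        # shim elsewhere in this module -- verify before running on Python 3
        elif isinstance(p, basestring):
            pcap = __get_wfpcap_file_funcgenerator(p, sha256)

    return __create_malware_subject_from_report(
        report, pcap=pcap, evidence=kwargs.get('evidence', None))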
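def get_malware_subject_from_report(**kwargs):
    """Build a malware subject from a WildFire XML report.

    Keyword arguments (one of the two argument sets is required):
        report: path to a WildFire report file, or an open file-like
            object (anything with a ``read`` attribute).  When ``hash``
            is not given, the sha256 is read from the report's
            ``file_info/sha256`` element.
        hash, tag: retrieve the report for ``hash`` from WildFire using
            the .panrc tag ``tag``; only used when ``report`` is absent.
        pcap: optional.  ``'network'`` fetches pcaps from WildFire
            (requires ``tag``); a string is treated as a local pcap file
            path; any other value disables pcap handling.
        evidence: optional; passed through unchanged.

    Returns:
        The result of __create_malware_subject_from_report().

    Raises:
        PanWfReportError: when WildFire returns no report body, the root
            element is not ``wildfire``, a ``'network'`` pcap is requested
            without ``tag``, or the argument combination is unsupported.
    """
    # Report files and API bodies are XML from outside this process: parse
    # them with entity resolution disabled so a crafted document cannot
    # expand external entities (e.g. pull local files into the tree).
    # lxml already blocks network fetches by default (no_network=True).
    parser = lxml.etree.XMLParser(resolve_entities=False)
    sha256 = kwargs.get('hash', None)

    if 'report' in kwargs:
        src = kwargs['report']
        if hasattr(src, 'read'):
            report = lxml.etree.parse(src, parser).getroot()
        else:
            # 'with' closes the handle even if parsing raises
            with open(src, 'rb') as f:
                report = lxml.etree.parse(f, parser).getroot()
        if sha256 is None:
            found = report.xpath('file_info/sha256/text()')
            sha256 = found[0].strip() if found else None
    elif 'hash' in kwargs and 'tag' in kwargs:
        import pan.wfapi

        # retrieve wildfire report
        wfapi = pan.wfapi.PanWFapi(tag=kwargs['tag'])
        wfapi.report(hash=kwargs['hash'])
        if wfapi.response_body is None:
            raise PanWfReportError('no report from wildfire')
        report = lxml.etree.fromstring(
            wfapi.response_body.encode('utf-8'), parser)
    else:
        raise PanWfReportError(
            'wrong set of arguments to get_malware_subject_from_report')

    if report.tag != 'wildfire':
        raise PanWfReportError('invalid root tag in wildfire report: %s' %
                               report.tag)

    pcap = None
    if 'pcap' in kwargs:
        p = kwargs['pcap']
        if p == 'network':
            if 'tag' not in kwargs:
                raise PanWfReportError('pcap from network, '
                                       'but no tag specified')
            pcap = __get_wfpcap_network_funcgenerator(kwargs['tag'], sha256)
        # basestring is a Python 2 name; presumably supplied by a compat
        # shim elsewhere in this module -- verify before running on Python 3
        elif isinstance(p, basestring):
            pcap = __get_wfpcap_file_funcgenerator(p, sha256)

    return __create_malware_subject_from_report(
        report, pcap=pcap, evidence=kwargs.get('evidence', None))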
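def get_malware_subject_from_report(**kwargs):
    """Build a malware subject from a WildFire XML report.

    Keyword arguments (one of the two argument sets is required):
        report: path to a WildFire report file, or an open file-like
            object (anything with a ``read`` attribute).  When ``hash``
            is not given, the sha256 is read from the report's
            ``file_info/sha256`` element.
        hash, tag: retrieve the report for ``hash`` from WildFire using
            the .panrc tag ``tag``; only used when ``report`` is absent.
        pcap: optional.  ``"network"`` fetches pcaps from WildFire
            (requires ``tag``); a string is treated as a local pcap file
            path; any other value disables pcap handling.
        evidence: optional; passed through unchanged.

    Returns:
        The result of __create_malware_subject_from_report().

    Raises:
        PanWfReportError: when WildFire returns no report body, the root
            element is not ``wildfire``, a ``"network"`` pcap is requested
            without ``tag``, or the argument combination is unsupported.
    """
    # Report files and API bodies are XML from outside this process: parse
    # them with entity resolution disabled so a crafted document cannot
    # expand external entities (e.g. pull local files into the tree).
    # lxml already blocks network fetches by default (no_network=True).
    parser = lxml.etree.XMLParser(resolve_entities=False)
    sha256 = kwargs.get("hash", None)

    if "report" in kwargs:
        src = kwargs["report"]
        if hasattr(src, "read"):
            report = lxml.etree.parse(src, parser).getroot()
        else:
            # "with" closes the handle even if parsing raises
            with open(src, "rb") as f:
                report = lxml.etree.parse(f, parser).getroot()
        if sha256 is None:
            found = report.xpath("file_info/sha256/text()")
            sha256 = found[0].strip() if found else None
    elif "hash" in kwargs and "tag" in kwargs:
        import pan.wfapi

        # retrieve wildfire report
        wfapi = pan.wfapi.PanWFapi(tag=kwargs["tag"])
        wfapi.report(hash=kwargs["hash"])
        if wfapi.response_body is None:
            raise PanWfReportError("no report from wildfire")
        report = lxml.etree.fromstring(
            wfapi.response_body.encode("utf-8"), parser)
    else:
        raise PanWfReportError(
            "wrong set of arguments to get_malware_subject_from_report")

    if report.tag != "wildfire":
        raise PanWfReportError("invalid root tag in wildfire report: %s" %
                               report.tag)

    pcap = None
    if "pcap" in kwargs:
        p = kwargs["pcap"]
        if p == "network":
            if "tag" not in kwargs:
                raise PanWfReportError("pcap from network, "
                                       "but no tag specified")
            pcap = __get_wfpcap_network_funcgenerator(kwargs["tag"], sha256)
        # basestring is a Python 2 name; presumably supplied by a compat
        # shim elsewhere in this module -- verify before running on Python 3
        elif isinstance(p, basestring):
            pcap = __get_wfpcap_file_funcgenerator(p, sha256)

    return __create_malware_subject_from_report(
        report, pcap=pcap, evidence=kwargs.get("evidence", None))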
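def main():
    """Command-line entry point for the WildFire API client.

    Parses options, configures debug logging, builds a PanWFapi client and
    then runs every requested action in a fixed order (submit, submit-link,
    change-request, report, verdict, sample, pcap, changed, testfile),
    printing status/response after each.  Exits 0 on success, 1 on any
    PanWFapiError or invalid argument.
    """
    try:
        signal.signal(signal.SIGPIPE, signal.SIG_DFL)
    except AttributeError:
        # Windows
        pass

    # set_encoding()

    options = parse_opts()

    if options['debug']:
        logger = logging.getLogger()
        if options['debug'] == 3:
            logger.setLevel(pan.wfapi.DEBUG3)
        elif options['debug'] == 2:
            logger.setLevel(pan.wfapi.DEBUG2)
        elif options['debug'] == 1:
            logger.setLevel(pan.wfapi.DEBUG1)

        # log_format = '%(levelname)s %(name)s %(message)s'
        log_format = '%(message)s'
        handler = logging.StreamHandler()
        formatter = logging.Formatter(log_format)
        handler.setFormatter(formatter)
        logger.addHandler(handler)

    try:
        wfapi = pan.wfapi.PanWFapi(tag=options['tag'],
                                   api_key=options['api_key'],
                                   hostname=options['hostname'],
                                   timeout=options['timeout'],
                                   http=options['http'],
                                   cacloud=options['cacloud'],
                                   cafile=options['cafile'],
                                   capath=options['capath'])
    except pan.wfapi.PanWFapiError as msg:
        print('pan.wfapi.PanWFapi:', msg, file=sys.stderr)
        sys.exit(1)

    if options['debug'] > 2:
        print('wfapi.__str__()===>\n', wfapi, '\n<===', sep='',
              file=sys.stderr)

    # Initialised up front: the except handler below reports `action`, and
    # process_hashes() runs before any action is assigned.  Without this a
    # PanWFapiError raised there would surface as UnboundLocalError and
    # hide the real message.  Assumes print_status() tolerates None -- verify.
    action = None

    try:
        hashes = process_hashes(options['hash'])

        if options['submit'] is not None:
            action = 'submit'
            kwargs = {}
            if os.path.isfile(options['submit']):
                kwargs['file'] = options['submit']
            else:
                o = urlparse(options['submit'])
                if options['debug']:
                    print(o, file=sys.stderr)
                if o.scheme == 'file':
                    if o.path and os.path.isfile(o.path):
                        kwargs['file'] = o.path
                    else:
                        print('Invalid URL: file not found:',
                              options['submit'], file=sys.stderr)
                        sys.exit(1)
                else:
                    if o.scheme in ['http', 'https', 'ftp']:
                        kwargs['url'] = options['submit']
                    else:
                        print('Invalid file or URL:',
                              options['submit'], file=sys.stderr)
                        sys.exit(1)

            wfapi.submit(**kwargs)
            print_status(wfapi, action)
            print_response(wfapi, options)

        if options['submit-link'] is not None:
            action = 'submit'
            kwargs = {}
            kwargs['links'] = process_arg(options['submit-link'], list=True)
            wfapi.submit(**kwargs)
            print_status(wfapi, action)
            print_response(wfapi, options)

        if options['change-request']:
            action = 'change-request'
            kwargs = {}
            if len(hashes) > 1:
                print('Only 1 hash allowed for %s' % action,
                      file=sys.stderr)
                sys.exit(1)
            if len(hashes) == 1:
                kwargs['hash'] = hashes[0]
            if options['new-verdict'] is not None:
                kwargs['verdict'] = process_verdict(options['new-verdict'])
            if options['email'] is not None:
                kwargs['email'] = options['email']
            if options['comment'] is not None:
                kwargs['comment'] = process_arg(options['comment'])
            wfapi.change_request(**kwargs)
            print_status(wfapi, action)
            print_response(wfapi, options)

        if options['report']:
            action = 'report'
            kwargs = {}
            if len(hashes) > 1:
                print('Only 1 hash allowed for %s' % action,
                      file=sys.stderr)
                sys.exit(1)
            if len(hashes) == 1:
                kwargs['hash'] = hashes[0]
            if options['format'] is not None:
                kwargs['format'] = options['format']
            wfapi.report(**kwargs)
            print_status(wfapi, action)
            print_response(wfapi, options)
            save_file(wfapi, options)

        if options['verdict']:
            kwargs = {}
            # one hash -> verdict(); several -> verdicts(); none -> verdict()
            # with no hash argument
            if len(hashes) == 1:
                action = 'verdict'
                kwargs['hash'] = hashes[0]
                wfapi.verdict(**kwargs)
            elif len(hashes) > 1:
                action = 'verdicts'
                kwargs['hashes'] = hashes
                wfapi.verdicts(**kwargs)
            else:
                action = 'verdict'
                wfapi.verdict(**kwargs)
            print_status(wfapi, action)
            print_response(wfapi, options)
            save_file(wfapi, options)

        if options['sample']:
            action = 'sample'
            kwargs = {}
            if len(hashes) > 1:
                print('Only 1 hash allowed for %s' % action,
                      file=sys.stderr)
                sys.exit(1)
            if len(hashes) == 1:
                kwargs['hash'] = hashes[0]
            wfapi.sample(**kwargs)
            print_status(wfapi, action)
            print_response(wfapi, options)
            save_file(wfapi, options)

        if options['pcap']:
            action = 'pcap'
            kwargs = {}
            if len(hashes) > 1:
                print('Only 1 hash allowed for %s' % action,
                      file=sys.stderr)
                sys.exit(1)
            if len(hashes) == 1:
                kwargs['hash'] = hashes[0]
            if options['platform'] is not None:
                kwargs['platform'] = options['platform']
            wfapi.pcap(**kwargs)
            print_status(wfapi, action)
            print_response(wfapi, options)
            save_file(wfapi, options)

        if options['changed']:
            action = 'verdicts_changed'
            kwargs = {}
            if options['date'] is not None:
                kwargs['date'] = options['date']
                # An integer date <= 0 is relative: 0 is today, -N is N
                # days ago.  Non-integers are passed through as given.
                try:
                    x = int(options['date'])
                except ValueError:
                    pass
                else:
                    if x < 1:
                        d = date.today()
                        d = d - timedelta(-x)
                        kwargs['date'] = d.isoformat()
                        if options['debug']:
                            print('relative date(%d): %s' %
                                  (x, kwargs['date']), file=sys.stderr)
            wfapi.verdicts_changed(**kwargs)
            print_status(wfapi, action)
            print_response(wfapi, options)
            save_file(wfapi, options)

        if options['testfile']:
            action = 'testfile'
            wfapi.testfile()
            print_status(wfapi, action)
            print_response(wfapi, options)
            save_file(wfapi, options)

    except pan.wfapi.PanWFapiError as msg:
        print_status(wfapi, action, msg)
        print_response(wfapi, options)
        sys.exit(1)

    sys.exit(0)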
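return bio.getvalue()  # tail of the preceding function; its definition lies above this chunk


if __name__ == '__main__':
    # python -m pan.wfapi [tag] [sha256]
    import pan.wfapi

    tag = None
    # default digest used when no sha256 is given on the command line
    sha256 = '5f31d8658a41aa138ada548b7fb2fc758219d40b557aaeab80681d314f739f92'

    if len(sys.argv) > 1 and sys.argv[1]:
        tag = sys.argv[1]
    if len(sys.argv) > 2:
        # The original stored argv[2] in `hash`, which was never read, so a
        # digest given on the command line was silently ignored and the
        # default above was always queried.
        sha256 = sys.argv[2]

    try:
        wfapi = pan.wfapi.PanWFapi(tag=tag)
    except pan.wfapi.PanWFapiError as msg:
        print('pan.wfapi.PanWFapi:', msg, file=sys.stderr)
        sys.exit(1)

    try:
        wfapi.report(hash=sha256)
    except pan.wfapi.PanWFapiError as msg:
        print('report: %s' % msg, file=sys.stderr)
        sys.exit(1)

    if wfapi.response_body is not None:
        print(wfapi.response_body)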
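def main():
    """Command-line entry point for the WildFire API client.

    Parses options, configures debug logging, builds an optional SSL
    context and a PanWFapi client, then runs every requested action in a
    fixed order (submit, submit-link, change-request, report, verdict,
    sample, pcap, changed, testfile), printing status/response after each.
    Exits 0 on success, 1 on any PanWFapiError or invalid argument.
    """
    try:
        signal.signal(signal.SIGPIPE, signal.SIG_DFL)
    except AttributeError:
        # Windows
        pass

    # set_encoding()

    options = parse_opts()

    if options['debug']:
        logger = logging.getLogger()
        if options['debug'] == 3:
            logger.setLevel(pan.wfapi.DEBUG3)
        elif options['debug'] == 2:
            logger.setLevel(pan.wfapi.DEBUG2)
        elif options['debug'] == 1:
            logger.setLevel(pan.wfapi.DEBUG1)

        # log_format = '%(levelname)s %(name)s %(message)s'
        log_format = '%(message)s'
        handler = logging.StreamHandler()
        formatter = logging.Formatter(log_format)
        handler.setFormatter(formatter)
        logger.addHandler(handler)

    # A custom context is only built when the user supplied CA material or
    # SSL options; otherwise the client's own default is used.
    if options['cafile'] or options['capath'] or options['ssl']:
        ssl_context = create_ssl_context(options['cafile'],
                                         options['capath'],
                                         options['ssl'])
    else:
        ssl_context = None

    try:
        wfapi = pan.wfapi.PanWFapi(tag=options['tag'],
                                   api_key=options['api_key'],
                                   hostname=options['hostname'],
                                   timeout=options['timeout'],
                                   http=options['http'],
                                   ssl_context=ssl_context)
    except pan.wfapi.PanWFapiError as msg:
        print('pan.wfapi.PanWFapi:', msg, file=sys.stderr)
        sys.exit(1)

    if options['debug'] > 2:
        print('wfapi.__str__()===>\n', wfapi, '\n<===', sep='',
              file=sys.stderr)

    # Initialised up front: the except handler below reports `action`, and
    # process_hashes() runs before any action is assigned.  Without this a
    # PanWFapiError raised there would surface as UnboundLocalError and
    # hide the real message.  Assumes print_status() tolerates None -- verify.
    action = None

    try:
        hashes = process_hashes(options['hash'])

        if options['submit'] is not None:
            action = 'submit'
            kwargs = {}
            if os.path.isfile(options['submit']):
                kwargs['file'] = options['submit']
            else:
                o = urlparse(options['submit'])
                if options['debug']:
                    print(o, file=sys.stderr)
                if o.scheme == 'file':
                    if o.path and os.path.isfile(o.path):
                        kwargs['file'] = o.path
                    else:
                        print('Invalid URL: file not found:',
                              options['submit'], file=sys.stderr)
                        sys.exit(1)
                else:
                    if o.scheme in ['http', 'https', 'ftp']:
                        kwargs['url'] = options['submit']
                    else:
                        print('Invalid file or URL:',
                              options['submit'], file=sys.stderr)
                        sys.exit(1)

            wfapi.submit(**kwargs)
            print_status(wfapi, action)
            print_response(wfapi, options)

        if options['submit-link'] is not None:
            action = 'submit'
            kwargs = {}
            kwargs['links'] = process_arg(options['submit-link'], list=True)
            wfapi.submit(**kwargs)
            print_status(wfapi, action)
            print_response(wfapi, options)

        if options['change-request']:
            action = 'change-request'
            kwargs = {}
            if len(hashes) > 1:
                print('Only 1 hash allowed for %s' % action,
                      file=sys.stderr)
                sys.exit(1)
            if len(hashes) == 1:
                kwargs['hash'] = hashes[0]
            if options['new-verdict'] is not None:
                kwargs['verdict'] = process_verdict(options['new-verdict'])
            if options['email'] is not None:
                kwargs['email'] = options['email']
            if options['comment'] is not None:
                kwargs['comment'] = process_arg(options['comment'])
            wfapi.change_request(**kwargs)
            print_status(wfapi, action)
            print_response(wfapi, options)

        if options['report']:
            action = 'report'
            kwargs = {}
            if len(hashes) > 1:
                print('Only 1 hash allowed for %s' % action,
                      file=sys.stderr)
                sys.exit(1)
            if len(hashes) == 1:
                kwargs['hash'] = hashes[0]
            if options['format'] is not None:
                kwargs['format'] = options['format']
            wfapi.report(**kwargs)
            print_status(wfapi, action)
            print_response(wfapi, options)
            save_file(wfapi, options)

        if options['verdict']:
            kwargs = {}
            # one hash -> verdict(); several -> verdicts(); none -> verdict()
            # with no hash argument
            if len(hashes) == 1:
                action = 'verdict'
                kwargs['hash'] = hashes[0]
                wfapi.verdict(**kwargs)
            elif len(hashes) > 1:
                action = 'verdicts'
                kwargs['hashes'] = hashes
                wfapi.verdicts(**kwargs)
            else:
                action = 'verdict'
                wfapi.verdict(**kwargs)
            print_status(wfapi, action)
            print_response(wfapi, options)
            save_file(wfapi, options)

        if options['sample']:
            action = 'sample'
            kwargs = {}
            if len(hashes) > 1:
                print('Only 1 hash allowed for %s' % action,
                      file=sys.stderr)
                sys.exit(1)
            if len(hashes) == 1:
                kwargs['hash'] = hashes[0]
            wfapi.sample(**kwargs)
            print_status(wfapi, action)
            print_response(wfapi, options)
            save_file(wfapi, options)

        if options['pcap']:
            action = 'pcap'
            kwargs = {}
            if len(hashes) > 1:
                print('Only 1 hash allowed for %s' % action,
                      file=sys.stderr)
                sys.exit(1)
            if len(hashes) == 1:
                kwargs['hash'] = hashes[0]
            if options['platform'] is not None:
                kwargs['platform'] = options['platform']
            wfapi.pcap(**kwargs)
            print_status(wfapi, action)
            print_response(wfapi, options)
            save_file(wfapi, options)

        if options['changed']:
            action = 'verdicts_changed'
            kwargs = {}
            if options['date'] is not None:
                kwargs['date'] = options['date']
                # An integer date <= 0 is relative: 0 is today, -N is N
                # days ago.  Non-integers are passed through as given.
                try:
                    x = int(options['date'])
                except ValueError:
                    pass
                else:
                    if x < 1:
                        d = date.today()
                        d = d - timedelta(-x)
                        kwargs['date'] = d.isoformat()
                        if options['debug']:
                            print('relative date(%d): %s' %
                                  (x, kwargs['date']), file=sys.stderr)
            wfapi.verdicts_changed(**kwargs)
            print_status(wfapi, action)
            print_response(wfapi, options)
            save_file(wfapi, options)

        if options['testfile']:
            action = 'testfile'
            wfapi.testfile(options['type'])
            print_status(wfapi, action)
            print_response(wfapi, options)
            save_file(wfapi, options)

    except pan.wfapi.PanWFapiError as msg:
        print_status(wfapi, action, msg)
        print_response(wfapi, options)
        sys.exit(1)

    sys.exit(0)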
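if __name__ == '__main__':
    # python -m pan.wfapi [tag] [sha256] [0-3]
    import pan.wfapi

    tag = None
    # default digest used when no sha256 is given on the command line
    sha256 = '5f31d8658a41aa138ada548b7fb2fc758219d40b557aaeab80681d314f739f92'
    debug = 0

    if len(sys.argv) > 1 and sys.argv[1]:
        tag = sys.argv[1]
    if len(sys.argv) > 2:
        # The original stored argv[2] in `hash`, which was never read, so a
        # digest given on the command line was silently ignored and the
        # default above was always queried.
        sha256 = sys.argv[2]
    if len(sys.argv) > 3 and int(sys.argv[3]):
        debug = int(sys.argv[3])

    try:
        wfapi = pan.wfapi.PanWFapi(debug=debug, tag=tag)
    except pan.wfapi.PanWFapiError as msg:
        print('pan.wfapi.PanWFapi:', msg, file=sys.stderr)
        sys.exit(1)

    try:
        wfapi.report(hash=sha256)
    except pan.wfapi.PanWFapiError as msg:
        print('report: %s' % msg, file=sys.stderr)
        sys.exit(1)

    if wfapi.response_body is not None:
        print(wfapi.response_body)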
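def main():
    """Command-line entry point for the WildFire API client.

    Parses options, builds a PanWFapi client and runs every requested
    action in a fixed order (submit, report, sample, pcap, testfile),
    printing status/response after each.  Exits 0 on success, 1 on any
    PanWFapiError or invalid argument.
    """
    # signal.SIGPIPE does not exist on Windows; the bare call used to raise
    # AttributeError there before any option was parsed.
    try:
        signal.signal(signal.SIGPIPE, signal.SIG_DFL)
    except AttributeError:
        # Windows
        pass

    # set_encoding()

    options = parse_opts()

    try:
        wfapi = pan.wfapi.PanWFapi(debug=options['debug'],
                                   tag=options['tag'],
                                   api_key=options['api_key'],
                                   hostname=options['hostname'],
                                   timeout=options['timeout'],
                                   http=options['http'],
                                   cacloud=options['cacloud'],
                                   cafile=options['cafile'],
                                   capath=options['capath'])
    except pan.wfapi.PanWFapiError as msg:
        print('pan.wfapi.PanWFapi:', msg, file=sys.stderr)
        sys.exit(1)

    if options['debug'] > 2:
        print('wfapi.__str__()===>\n', wfapi, '\n<===', sep='',
              file=sys.stderr)

    try:
        if options['submit'] is not None:
            action = 'submit'
            kwargs = {}
            # a plain path wins; otherwise accept file:// or http(s)/ftp URLs
            if os.path.isfile(options['submit']):
                kwargs['file'] = options['submit']
            else:
                o = urlparse(options['submit'])
                if options['debug']:
                    print(o, file=sys.stderr)
                if o.scheme == 'file':
                    if o.path and os.path.isfile(o.path):
                        kwargs['file'] = o.path
                    else:
                        print('Invalid URL: file not found:',
                              options['submit'], file=sys.stderr)
                        sys.exit(1)
                else:
                    if o.scheme in ['http', 'https', 'ftp']:
                        kwargs['url'] = options['submit']
                    else:
                        print('Invalid file or URL:',
                              options['submit'], file=sys.stderr)
                        sys.exit(1)

            wfapi.submit(**kwargs)
            print_status(wfapi, action)
            print_response(wfapi, options)

        if options['report']:
            action = 'report'
            kwargs = {}
            if options['hash'] is not None:
                validate_hash(options['hash'])
                kwargs['hash'] = options['hash']
            if options['format'] is not None:
                kwargs['format'] = options['format']
            wfapi.report(**kwargs)
            print_status(wfapi, action)
            print_response(wfapi, options)
            save_file(wfapi, options)

        if options['sample']:
            action = 'sample'
            kwargs = {}
            if options['hash'] is not None:
                validate_hash(options['hash'])
                kwargs['hash'] = options['hash']
            wfapi.sample(**kwargs)
            print_status(wfapi, action)
            print_response(wfapi, options)
            save_file(wfapi, options)

        if options['pcap']:
            action = 'pcap'
            kwargs = {}
            if options['hash'] is not None:
                validate_hash(options['hash'])
                kwargs['hash'] = options['hash']
            if options['platform'] is not None:
                kwargs['platform'] = options['platform']
            wfapi.pcap(**kwargs)
            print_status(wfapi, action)
            print_response(wfapi, options)
            save_file(wfapi, options)

        if options['testfile']:
            action = 'testfile'
            wfapi.testfile()
            print_status(wfapi, action)
            print_response(wfapi, options)
            save_file(wfapi, options)

    except pan.wfapi.PanWFapiError as msg:
        print_status(wfapi, action, msg)
        print_response(wfapi, options)
        sys.exit(1)

    sys.exit(0)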
def retrieveWildFireData(apikey, file_digest):
    """Fetch the WildFire report for *file_digest* and return the raw body.

    A PanWFapi client is created with the given API key, the report is
    requested, and the client's ``response_body`` is returned as-is (it may
    be None if the service returned nothing).  Any PanWFapiError raised by
    the client propagates to the caller.
    """
    client = pan.wfapi.PanWFapi(api_key=apikey)
    # digest is passed positionally; elsewhere on this page report() is
    # called with hash=, so this presumes hash is its first parameter --
    # verify against pan.wfapi
    client.report(file_digest)
    body = client.response_body
    return body