コード例 #1
0
def get_relationship_type_dropdown(request):
    """
    Get relationship type dropdown data. Should be an AJAX POST.

    :param request: Django request object (Required)
    :type request: :class:`django.http.HttpRequest`
    :returns: :class:`django.http.HttpResponse`
    """

    if request.method == 'POST':
        if request.is_ajax():
            dd_final = {}
            for type_ in RelationshipTypes.values(sort=True):
                dd_final[type_] = type_
            result = {'types': dd_final}
            return HttpResponse(json.dumps(result), mimetype="application/json")
        else:
            error = "Expected AJAX"
            return render_to_response("error.html",
                                      {"error" : error },
                                      RequestContext(request))
    else:
        error = "Expected POST"
        return render_to_response("error.html",
                                  {"error" : error },
                                  RequestContext(request))
コード例 #2
0
ファイル: views.py プロジェクト: vsbca/crits
def add_new_relationship(request):
    """
    Add a new relationship. Should be an AJAX POST.

    :param request: Django request object (Required)
    :type request: :class:`django.http.HttpRequest`
    :returns: :class:`django.http.HttpResponse`
    """

    if request.method == 'POST' and request.is_ajax():
        form = ForgeRelationshipForm(request.POST)
        user = request.user
        choices = [(c,c) for c in RelationshipTypes.values(sort=True)]
        form.fields['forward_relationship'].choices = choices
        if form.is_valid():
            cleaned_data = form.cleaned_data
            # Get user permission to verify the user can forge relationships...
            # Should we check permission on both the forward and reverse TLO for this?
            acl = get_acl_object(cleaned_data.get('forward_type'))

            if user.has_access_to(acl.RELATIONSHIPS_ADD):
                results = forge_relationship(type_=cleaned_data.get('forward_type'),
                                             id_=cleaned_data.get('forward_value'),
                                             right_type=cleaned_data.get('reverse_type'),
                                             right_id=cleaned_data.get('dest_id'),
                                             rel_type=cleaned_data.get('forward_relationship'),
                                             rel_date=cleaned_data.get('relationship_date'),
                                             user=request.user.username,
                                             rel_reason=cleaned_data.get('rel_reason'),
                                             rel_confidence=cleaned_data.get('rel_confidence'),
                                             get_rels=True)
            else:
                results = {"success":False,
                           "message":"User does not have permission to forge relationships"}
            if results['success'] == True:
                relationship = {'type': cleaned_data.get('forward_type'),
                                'value': cleaned_data.get('forward_value')}
                message = render_to_string('relationships_listing_widget.html',
                                           {'relationship': relationship,
                                            'nohide': True,
                                            'relationships': results['relationships']},
                                           RequestContext(request))
                result = {'success': True, 'message': message}
            else:
                message = "Error adding relationship: %s" % results['message']
                result = {'success': False, 'message': message}
        else:
            message = "Invalid Form: %s" % form.errors
            form = form.as_table()
            result = {'success': False, 'form': form, 'message': message}
        return HttpResponse(json.dumps(result), content_type="application/json")
    else:
        error = "Expected AJAX POST"
        return render_to_response("error.html",
                                  {"error" : error },
                                  RequestContext(request))
コード例 #3
0
def add_new_relationship(request):
    """
    Add a new relationship. Should be an AJAX POST.

    :param request: Django request object (Required)
    :type request: :class:`django.http.HttpRequest`
    :returns: :class:`django.http.HttpResponse`
    """

    if request.method == 'POST' and request.is_ajax():
        form = ForgeRelationshipForm(request.POST)
        choices = [(c, c) for c in RelationshipTypes.values(sort=True)]
        form.fields['forward_relationship'].choices = choices
        if form.is_valid():
            cleaned_data = form.cleaned_data
            results = forge_relationship(
                type_=cleaned_data.get('forward_type'),
                id_=cleaned_data.get('forward_value'),
                right_type=cleaned_data.get('reverse_type'),
                right_id=cleaned_data.get('dest_id'),
                rel_type=cleaned_data.get('forward_relationship'),
                rel_date=cleaned_data.get('relationship_date'),
                user=request.user.username,
                rel_reason=cleaned_data.get('rel_reason'),
                rel_confidence=cleaned_data.get('rel_confidence'),
                get_rels=True)
            if results['success'] == True:
                set_releasability_flag(cleaned_data.get('forward_type'),
                                       cleaned_data.get('forward_value'),
                                       request.user.username)
                relationship = {
                    'type': cleaned_data.get('forward_type'),
                    'url_key': cleaned_data.get('forward_value')
                }
                message = render_to_string(
                    'relationships_listing_widget.html', {
                        'relationship': relationship,
                        'nohide': True,
                        'relationships': results['relationships']
                    }, RequestContext(request))
                result = {'success': True, 'message': message}
            else:
                message = "Error adding relationship: %s" % results['message']
                result = {'success': False, 'message': message}
        else:
            message = "Invalid Form: %s" % form.errors
            form = form.as_table()
            result = {'success': False, 'form': form, 'message': message}
        return HttpResponse(json.dumps(result), mimetype="application/json")
    else:
        error = "Expected AJAX POST"
        return render_to_response("error.html", {"error": error},
                                  RequestContext(request))
コード例 #4
0
ファイル: forms.py プロジェクト: Lambdanaut/crits
 def __init__(self, *args, **kwargs):
     super(ForgeRelationshipForm, self).__init__(*args, **kwargs)
     self.fields['forward_type'].choices = self.fields['reverse_type'].choices = [
         (c, c) for c in sorted(settings.CRITS_TYPES.iterkeys())
     ]
     self.fields['forward_relationship'].choices = [
         (c, c) for c in RelationshipTypes.values(sort=True)
     ]
     self.fields['rel_confidence'].choices = [('unknown', 'unknown'),
                                              ('low', 'low'),
                                              ('medium', 'medium'),
                                              ('high', 'high')]
     self.fields['rel_confidence'].initial = 'medium'
コード例 #5
0
 def __init__(self, *args, **kwargs):
     super(ForgeRelationshipForm, self).__init__(*args, **kwargs)
     self.fields['forward_type'].choices = self.fields[
         'reverse_type'].choices = [
             (c, c) for c in sorted(settings.CRITS_TYPES.iterkeys())
         ]
     self.fields['forward_relationship'].choices = [
         (c, c) for c in RelationshipTypes.values(sort=True)
     ]
     self.fields['rel_confidence'].choices = [('unknown', 'unknown'),
                                              ('low', 'low'),
                                              ('medium', 'medium'),
                                              ('high', 'high')]
     self.fields['rel_confidence'].initial = 'medium'
コード例 #6
0
ファイル: views.py プロジェクト: Lambdanaut/crits
def add_new_relationship(request):
    """
    Add a new relationship. Should be an AJAX POST.

    :param request: Django request object (Required)
    :type request: :class:`django.http.HttpRequest`
    :returns: :class:`django.http.HttpResponse`
    """

    if request.method == 'POST' and request.is_ajax():
        form = ForgeRelationshipForm(request.POST)
        choices = [(c,c) for c in RelationshipTypes.values(sort=True)]
        form.fields['forward_relationship'].choices = choices
        if form.is_valid():
            cleaned_data = form.cleaned_data;
            results = forge_relationship(type_=cleaned_data.get('forward_type'),
                                         id_=cleaned_data.get('forward_value'),
                                         right_type=cleaned_data.get('reverse_type'),
                                         right_id=cleaned_data.get('dest_id'),
                                         rel_type=cleaned_data.get('forward_relationship'),
                                         rel_date=cleaned_data.get('relationship_date'),
                                         user=request.user.username,
                                         rel_reason=cleaned_data.get('rel_reason'),
                                         rel_confidence=cleaned_data.get('rel_confidence'),
                                         get_rels=True)
            if results['success'] == True:
                relationship = {'type': cleaned_data.get('forward_type'),
                                'value': cleaned_data.get('forward_value')}
                message = render_to_string('relationships_listing_widget.html',
                                           {'relationship': relationship,
                                            'nohide': True,
                                            'relationships': results['relationships']},
                                           RequestContext(request))
                result = {'success': True, 'message': message}
            else:
                message = "Error adding relationship: %s" % results['message']
                result = {'success': False, 'message': message}
        else:
            message = "Invalid Form: %s" % form.errors
            form = form.as_table()
            result = {'success': False, 'form': form, 'message': message}
        return HttpResponse(json.dumps(result), mimetype="application/json")
    else:
        error = "Expected AJAX POST"
        return render_to_response("error.html",
                                  {"error" : error },
                                  RequestContext(request))
コード例 #7
0
ファイル: handlers.py プロジェクト: zhangjunqiang/crits
def handle_raw_data_file(data, source_name, user=None,
                         description=None, title=None, data_type=None,
                         tool_name=None, tool_version=None, tool_details=None,
                         link_id=None, method='', reference='', tlp='',
                         copy_rels=False, bucket_list=None, ticket=None,
                         related_id=None, related_type=None, relationship_type=None):
    """
    Add RawData.

    :param data: The data of the RawData.
    :type data: str
    :param source_name: The source which provided this RawData.
    :type source_name: str,
                       :class:`crits.core.crits_mongoengine.EmbeddedSource`,
                       list of :class:`crits.core.crits_mongoengine.EmbeddedSource`
    :param user: The user adding the RawData.
    :type user: str
    :param description: Description of the RawData.
    :type description: str
    :param title: Title of the RawData.
    :type title: str
    :param data_type: Datatype of the RawData.
    :type data_type: str
    :param tool_name: Name of the tool used to acquire/generate the RawData.
    :type tool_name: str
    :param tool_version: Version of the tool.
    :type tool_version: str
    :param tool_details: Details about the tool.
    :type tool_details: str
    :param link_id: LinkId to tie this to another RawData as a new version.
    :type link_id: str
    :param method: The method of acquiring this RawData.
    :type method: str
    :param reference: A reference to the source of this RawData.
    :type reference: str
    :param tlp: TLP for the source.
    :type tlp: str
    :param copy_rels: Copy relationships from the previous version to this one.
    :type copy_rels: bool
    :param bucket_list: Bucket(s) to add to this RawData
    :type bucket_list: str(comma separated) or list.
    :param ticket: Ticket(s) to add to this RawData
    :type ticket: str(comma separated) or list.
    :param related_id: ID of object to create relationship with
    :type related_id: str
    :param related_type: Type of object to create relationship with
    :type related_type: str
    :param relationship_type: Type of relationship to create.
    :type relationship_type: str
    :returns: dict with keys:
              'success' (boolean),
              'message' (str),
              '_id' (str) if successful.
    """

    if not data or not title or not data_type:
        status = {
            'success':   False,
            'message':  'No data object, title, or data type passed in'
        }
        return status

    if not source_name:
        return {"success" : False, "message" : "Missing source information."}

    rdt = RawDataType.objects(name=data_type).first()
    if not rdt:
        status = {
            'success':   False,
            'message':  'Invalid data type passed in'
        }
        return status

    if len(data) <= 0:
        status = {
            'success':   False,
            'message':  'Data length <= 0'
        }
        return status

    if isinstance(data, unicode):
        data=data.encode('utf-8')
    # generate md5 and timestamp
    md5 = hashlib.md5(data).hexdigest()
    timestamp = datetime.datetime.now()

    # generate raw_data
    is_rawdata_new = False
    raw_data = RawData.objects(md5=md5).first()
    if not raw_data:
        raw_data = RawData()
        raw_data.created = timestamp
        raw_data.description = description
        raw_data.md5 = md5
        # raw_data.source = [source_name]
        raw_data.data = data
        raw_data.title = title
        raw_data.data_type = data_type
        raw_data.add_tool(name=tool_name,
                          version=tool_version,
                          details=tool_details)
        is_rawdata_new = True

    # generate new source information and add to sample
    if isinstance(source_name, basestring) and len(source_name) > 0:
        if user.check_source_write(source_name):
            source = create_embedded_source(source_name,
                                       method=method,
                                       reference=reference,
                                       tlp=tlp,
                                       analyst=user.username)
            raw_data.add_source(source)

        else:
            return {"success":False,
                    "message": "User does not have permission to add object using source %s." % source_name}
        # this will handle adding a new source, or an instance automatically

    elif isinstance(source_name, EmbeddedSource):
        raw_data.add_source(source_name, method=method, reference=reference, tlp=tlp, analyst=user.usrname)
    elif isinstance(source_name, list) and len(source_name) > 0:
        for s in source_name:
            if isinstance(s, EmbeddedSource):
                raw_data.add_source(s, method=method, reference=reference, tlp=tlp, analyst=user.username)

    #XXX: need to validate this is a UUID
    if link_id:
        raw_data.link_id = link_id
        if copy_rels:
            rd2 = RawData.objects(link_id=link_id).first()
            if rd2:
                if len(rd2.relationships):
                    raw_data.save(username=user)
                    raw_data.reload()
                    for rel in rd2.relationships:
                        # Get object to relate to.
                        rel_item = class_from_id(rel.rel_type, rel.object_id)
                        if rel_item:
                            raw_data.add_relationship(rel_item,
                                                      rel.relationship,
                                                      rel_date=rel.relationship_date,
                                                      analyst=user.username)


    raw_data.version = len(RawData.objects(link_id=link_id)) + 1

    if bucket_list:
        raw_data.add_bucket_list(bucket_list, user)

    if ticket:
        raw_data.add_ticket(ticket, user);

    related_obj = None
    if related_id and related_type:
        related_obj = class_from_id(related_type, related_id)
        if not related_obj:
            retVal['success'] = False
            retVal['message'] = 'Related Object not found.'
            return retVal

    raw_data.save(username=user.username)

    if related_obj and relationship_type and raw_data:
        relationship_type=RelationshipTypes.inverse(relationship=relationship_type)
        raw_data.add_relationship(related_obj,
                              relationship_type,
                              analyst=user.username,
                              get_rels=False)
        raw_data.save(username=user.username)
        raw_data.reload()

    # save raw_data
    raw_data.save(username=user.username)

    # run raw_data triage
    if is_rawdata_new:
        raw_data.reload()
        run_triage(raw_data, user)

    status = {
        'success':      True,
        'message':      'Uploaded raw_data',
        '_id':          raw_data.id,
        'object':       raw_data
    }

    return status
コード例 #8
0
def handle_cert_file(filename,
                     data,
                     source_name,
                     user=None,
                     description=None,
                     related_md5=None,
                     method='',
                     reference='',
                     tlp=None,
                     relationship=None,
                     bucket_list=None,
                     ticket=None,
                     related_id=None,
                     related_type=None,
                     relationship_type=None):
    """
    Add a Certificate.

    :param filename: The filename of the Certificate.
    :type filename: str
    :param data: The filedata of the Certificate.
    :type data: str
    :param source_name: The source which provided this Certificate.
    :type source_name: str,
                       :class:`crits.core.crits_mongoengine.EmbeddedSource`,
                       list of :class:`crits.core.crits_mongoengine.EmbeddedSource`
    :param user: The user adding the Certificate.
    :type user: str
    :param description: Description of the Certificate.
    :type description: str
    :param related_md5: MD5 of a top-level object related to this Certificate.
    :type related_md5: str
    :param related_type: The CRITs type of the related top-level object.
    :type related_type: str
    :param method: The method of acquiring this Certificate.
    :type method: str
    :param reference: A reference to the source of this Certificate.
    :type reference: str
    :param tlp: The TLP for this certificate.
    :type tlp: str
    :param relationship: The relationship between the parent and the Certificate.
    :type relationship: str
    :param bucket_list: Bucket(s) to add to this Certificate
    :type bucket_list: str(comma separated) or list.
    :param ticket: Ticket(s) to add to this Certificate
    :type ticket: str(comma separated) or list.
    :param related_id: ID of object to create relationship with
    :type related_id: str
    :param related_type: Type of object to create relationship with
    :type related_id: str
    :param relationship_type: Type of relationship to create.
    :type relationship_type: str
    :returns: dict with keys:
              'success' (boolean),
              'message' (str),
              'md5' (str) if successful.
    """

    if not data:
        status = {'success': False, 'message': 'No data object passed in'}
        return status
    if len(data) <= 0:
        status = {'success': False, 'message': 'Data length <= 0'}
        return status
    if ((related_type and not (related_id or related_md5))
            or (not related_type and (related_id or related_md5))):
        status = {
            'success':
            False,
            'message':
            'Must specify both related_type and related_id or related_md5.'
        }
        return status

    related_obj = None
    if related_id or related_md5:
        if related_id:
            related_obj = class_from_id(related_type, related_id)
        else:
            related_obj = class_from_value(related_type, related_md5)
        if not related_obj:
            status = {'success': False, 'message': 'Related object not found.'}
            return status

    # generate md5 and timestamp
    md5 = hashlib.md5(data).hexdigest()
    timestamp = datetime.datetime.now()

    # generate Certificate
    cert = Certificate.objects(md5=md5).first()
    if not cert:
        cert = Certificate()
        cert.filename = filename
        cert.created = timestamp
        cert.size = len(data)
        cert.description = description
        cert.md5 = md5

    # generate source information and add to certificate
    if isinstance(source_name, basestring) and len(source_name) > 0:
        if user.check_source_write(source_name):
            s = create_embedded_source(source_name,
                                       reference=reference,
                                       method=method,
                                       tlp=tlp,
                                       analyst=user.username)
        else:
            return {
                "success":
                False,
                "message":
                "User does not have permission to add objects \
                    using source %s." % str(source_name)
            }

        cert.add_source(s)
    elif isinstance(source_name, EmbeddedSource):
        cert.add_source(source_name,
                        method=method,
                        reference=reference,
                        tlp=tlp)
    elif isinstance(source_name, list) and len(source_name) > 0:
        for s in source_name:
            if isinstance(s, EmbeddedSource):
                cert.add_source(s, method=method, reference=reference, tlp=tlp)

    if bucket_list:
        cert.add_bucket_list(bucket_list, user)

    if ticket:
        cert.add_ticket(ticket, user)

    # add file to GridFS
    if not isinstance(cert.filedata.grid_id, ObjectId):
        cert.add_file_data(data)

    # save cert
    cert.save(username=user)
    cert.reload()

    # run certificate triage
    if AnalysisResult.objects(object_id=str(cert.id)).count() < 1 and data:
        run_triage(cert, user)

    # update relationship if a related top-level object is supplied
    if related_obj and cert:
        if relationship_type:
            relationship = RelationshipTypes.inverse(
                relationship=relationship_type)
        if not relationship:
            relationship = RelationshipTypes.RELATED_TO

        cert.add_relationship(related_obj,
                              relationship,
                              analyst=user,
                              get_rels=False)
        cert.save(username=user)

    status = {
        'success': True,
        'message': 'Uploaded certificate',
        'md5': md5,
        'id': str(cert.id),
        'object': cert
    }

    return status
コード例 #9
0
ファイル: handlers.py プロジェクト: zhangjunqiang/crits
def handle_signature_file(data,
                          source_name,
                          user=None,
                          description=None,
                          title=None,
                          data_type=None,
                          data_type_min_version=None,
                          data_type_max_version=None,
                          data_type_dependency=None,
                          link_id=None,
                          source_method='',
                          source_reference='',
                          source_tlp='',
                          copy_rels=False,
                          bucket_list=None,
                          ticket=None,
                          related_id=None,
                          related_type=None,
                          relationship_type=None):
    """
    Add Signature.

    :param data: The data of the Signature.
    :type data: str
    :param source_name: The source which provided this Signature.
    :type source_name: str,
                       :class:`crits.core.crits_mongoengine.EmbeddedSource`,
                       list of :class:`crits.core.crits_mongoengine.EmbeddedSource`
    :param user: The user adding the Signature.
    :type user: str
    :param description: Description of the Signature.
    :type description: str
    :param title: Title of the Signature.
    :type title: str
    :param data_type: Datatype of the Signature.
    :type data_type: str
    :param data_type: Datatype of the Signature.
    :type data_type_min_version: str
    :param data_type_min_version: Datatype tool minimum version.
    :type data_type_max_version: str
    :param data_type_max_version: Datatype tool maximum version.
    :type data_type_dependency: list
    :param data_type_dependency: Datatype tool dependency to be run
    :param link_id: LinkId to tie this to another Signature as a new version.
    :type link_id: str
    :param method: The method of acquiring this Signature.
    :type method: str
    :param reference: A reference to the source of this Signature.
    :type reference: str
    :param copy_rels: Copy relationships from the previous version to this one.
    :type copy_rels: bool
    :param bucket_list: Bucket(s) to add to this Signature
    :type bucket_list: str(comma separated) or list.
    :param ticket: Ticket(s) to add to this Signature
    :type ticket: str(comma separated) or list.
    :param related_id: ID of object to create relationship with
    :type related_id: str
    :param related_type: Type of object to create relationship with
    :type related_type: str
    :param relationship_type: Type of relationship to create.
    :type relationship_type: str
    :returns: dict with keys:
              'success' (boolean),
              'message' (str),
              '_id' (str) if successful.
    """

    if not data or not title or not data_type:
        status = {
            'success': False,
            'message': 'No data object, title, or data type passed in'
        }
        return status

    if not source_name:
        return {"success": False, "message": "Missing source information."}

    rdt = SignatureType.objects(name=data_type).first()
    if not rdt:
        status = {'success': False, 'message': 'Invalid data type passed in'}
        return status

    if len(data) <= 0:
        status = {'success': False, 'message': 'Data length <= 0'}
        return status

    # generate md5 and timestamp
    md5 = hashlib.md5(data).hexdigest()
    timestamp = datetime.datetime.now()

    # generate signature
    signature = Signature()
    signature.created = timestamp
    signature.description = description
    signature.md5 = md5
    signature.data = data
    signature.title = title
    signature.data_type = data_type
    signature.data_type_min_version = data_type_min_version
    signature.data_type_max_version = data_type_max_version

    if data_type_dependency:
        if type(data_type_dependency) == unicode:
            data_type_dependency = data_type_dependency.split(",")

        for item in data_type_dependency:
            if item:
                item = item.strip()
                signature.data_type_dependency.append(str(item))
    else:
        data_type_dependency = []

    # generate new source information and add to sample
    if isinstance(source_name, basestring) and len(source_name) > 0:
        if user.check_source_write(source_name):
            source = create_embedded_source(source_name,
                                            date=timestamp,
                                            method=source_method,
                                            reference=source_reference,
                                            tlp=source_tlp,
                                            analyst=user.username)
            # this will handle adding a new source, or an instance automatically
            signature.add_source(source)
        else:
            return {
                "success":
                False,
                "message":
                "User does not have permission to add object using source %s."
                % source_name
            }
    elif isinstance(source_name, EmbeddedSource):
        signature.add_source(source_name,
                             method=source_method,
                             reference=source_reference,
                             tlp=source_tlp)
    elif isinstance(source_name, list) and len(source_name) > 0:
        for s in source_name:
            if isinstance(s, EmbeddedSource):
                signature.add_source(s,
                                     method=source_method,
                                     reference=source_reference,
                                     source_tlp=source_tlp)

    signature.version = len(Signature.objects(link_id=link_id)) + 1

    if link_id:
        signature.link_id = link_id
        if copy_rels:
            rd2 = Signature.objects(link_id=link_id).first()
            if rd2:
                if len(rd2.relationships):
                    signature.save(username=user.username)
                    signature.reload()
                    for rel in rd2.relationships:
                        # Get object to relate to.
                        rel_item = class_from_id(rel.rel_type, rel.object_id)
                        if rel_item:
                            signature.add_relationship(
                                rel_item,
                                rel.relationship,
                                rel_date=rel.relationship_date,
                                analyst=user.username)

    if bucket_list:
        signature.add_bucket_list(bucket_list, user)

    if ticket:
        signature.add_ticket(ticket, user)

    related_obj = None
    if related_id and related_type:
        related_obj = class_from_id(related_type, related_id)
        if not related_obj:
            status = {'success': False, 'message': 'Related Object not found.'}
            return status

    signature.save(username=user.username)

    if related_obj and signature and relationship_type:
        relationship_type = RelationshipTypes.inverse(
            relationship=relationship_type)
        signature.add_relationship(related_obj,
                                   relationship_type,
                                   analyst=user.username,
                                   get_rels=False)
        signature.save(username=user.username)
        signature.reload()

    # save signature
    signature.save(username=user.username)
    signature.reload()

    status = {
        'success': True,
        'message': 'Uploaded signature',
        '_id': signature.id,
        'object': signature
    }

    return status
コード例 #10
0
ファイル: handlers.py プロジェクト: armtash/crits
def handle_pcap_file(filename, data, source_name, user=None,
                     description=None, related_id=None, related_md5=None,
                     related_type=None, method='', reference='', tlp='',
                     relationship=None, bucket_list=None, ticket=None):
    """
    Add a PCAP.

    :param filename: The filename of the PCAP.
    :type filename: str
    :param data: The filedata of the PCAP.
    :type data: str
    :param source_name: The source which provided this PCAP.
    :type source_name: str,
                       :class:`crits.core.crits_mongoengine.EmbeddedSource`,
                       list of :class:`crits.core.crits_mongoengine.EmbeddedSource`
    :param user: The user adding the PCAP.
    :type user: str
    :param description: Description of the PCAP.
    :type description: str
    :param related_id: ObjectId of a top-level object related to this PCAP.
    :type related_id: str
    :param related_md5: MD5 of a top-level object related to this PCAP.
    :type related_md5: str
    :param related_type: The CRITs type of the related top-level object.
    :type related_type: str
    :param method: The method of acquiring this PCAP.
    :type method: str
    :param reference: A reference to the source of this PCAP.
    :type reference: str
    :param relationship: The relationship between the parent and the PCAP.
    :type relationship: str
    :param bucket_list: Bucket(s) to add to this PCAP.
    :type bucket_list: str(comma separated) or list.
    :param ticket: Ticket(s) to add to this PCAP.
    :type ticket: str(comma separated) or list.
    :param related_id: ID of object to create relationship with
    :type related_id: str
    :param related_type: Type of object to create relationship with
    :type related_type: str
    :param relationship_type: Type of relationship to create.
    :type relationship_type: str
    :returns: dict with keys:
              'success' (boolean),
              'message' (str),
              'md5' (str) if successful.
    """

    if not data:
        status = {
            'success':   False,
            'message':  'No data object passed in'
        }
        return status
    if len(data) <= 0:
        status = {
            'success':   False,
            'message':  'Data length <= 0'
        }
        return status
    if ((related_id or related_md5) and not related_type):
        status = {
            'success':   False,
            'message':  'Must specify both related_type and related_id or related_md5.'
        }
        return status

    if not source_name:
        return {"success" : False, "message" : "Missing source information."}

    related_obj = None
    if related_id or related_md5:
        if related_id:
            related_obj = class_from_id(related_type, related_id)
        else:
            related_obj = class_from_value(related_type, related_md5)
        if not related_obj:
            status = {
                'success': False,
                'message': 'Related object not found.'
            }
            return status


    # generate md5 and timestamp
    md5 = hashlib.md5(data).hexdigest()
    timestamp = datetime.datetime.now()

    # generate PCAP
    is_pcap_new = False
    pcap = PCAP.objects(md5=md5).first()
    if not pcap:
        pcap = PCAP()
        pcap.filename = filename
        pcap.created = timestamp
        pcap.length = len(data)
        pcap.description = description
        pcap.md5 = md5
        is_pcap_new = True

    # generate source information and add to pcap
    if isinstance(source_name, basestring) and len(source_name) > 0:
        if user.check_source_write(source_name):
            s = create_embedded_source(source_name,
                                       method=method,
                                       reference=reference,
                                       tlp=tlp,
                                       analyst=user.username)
        else:
            return {"success":False,
                    "message": "User does not have permission to add object \
                                using source %s." % source_name}
        pcap.add_source(s)
    elif isinstance(source_name, EmbeddedSource):
        pcap.add_source(source_name, method=method, reference=reference)
    elif isinstance(source_name, list) and len(source_name) > 0:
        for s in source_name:
            if isinstance(s, EmbeddedSource):
                pcap.add_source(s, method=method, reference=reference)

    # add file to GridFS
    if not isinstance(pcap.filedata.grid_id, ObjectId):
        pcap.add_file_data(data)

    if bucket_list:
        pcap.add_bucket_list(bucket_list, user)

    if ticket:
        pcap.add_ticket(ticket, user)

    # save pcap
    pcap.save(username=user)

    # update relationship if a related top-level object is supplied
    if related_obj and pcap:
        if relationship:
            relationship=RelationshipTypes.inverse(relationship=relationship)
        else:
            relationship = RelationshipTypes.RELATED_TO
        pcap.add_relationship(related_obj,
                              relationship,
                              analyst=user,
                              get_rels=False)
        pcap.save(username=user)

    # run pcap triage
    if is_pcap_new and data:
        pcap.reload()
        run_triage(pcap, user)

    status = {
        'success':      True,
        'message':      'Uploaded pcap',
        'md5':          md5,
        'id':           str(pcap.id),
        'object':       pcap
    }

    return status
コード例 #11
0
ファイル: handlers.py プロジェクト: vsbca/crits
def add_new_exploit(name,
                    cve=None,
                    description=None,
                    source=None,
                    source_method=None,
                    source_reference=None,
                    source_tlp=None,
                    campaign=None,
                    confidence=None,
                    user=None,
                    bucket_list=None,
                    ticket=None,
                    related_id=None,
                    related_type=None,
                    relationship_type=None):
    """
    Add an Exploit to CRITs.

    :param name: The name of the exploit.
    :type name: str
    :param cve: CVE for the exploit.
    :type cve: str
    :param description: Description of the exploit.
    :type description: str
    :param source: Name of the source which provided this information.
    :type source: str
    :param source_method: Method of acquiring this data.
    :type source_method: str
    :param source_reference: A reference to this data.
    :type source_reference: str
    :param source_tlp: TLP value for this source
    :type source_reference: str
    :param campaign: A campaign to attribute to this exploit.
    :type campaign: str
    :param confidence: Confidence level in the campaign attribution.
    :type confidence: str ("low", "medium", "high")
    :param user: The user adding this exploit.
    :type user: str
    :param bucket_list: Buckets to assign to this exploit.
    :type bucket_list: str
    :param ticket: Ticket to assign to this exploit.
    :type ticket: str
    :param related_id: ID of object to create relationship with
    :type related_id: str
    :param related_type: Type of object to create relationship with
    :type related_type: str
    :param relationship_type: Type of relationship to create.
    :type relationship_type: str
    :returns: dict with keys:
              "success" (boolean),
              "message" (str),
              "object" (if successful) :class:`crits.exploits.exploit.Exploit`
    """

    is_item_new = False
    retVal = {}
    exploit = Exploit.objects(name=name).first()

    if not exploit:
        exploit = Exploit()
        exploit.name = name
        if description:
            exploit.description = description.strip()
        is_item_new = True

    username = user.username

    if isinstance(source, basestring):
        if user.check_source_write(source):
            source = [
                create_embedded_source(source,
                                       reference=source_reference,
                                       method=source_method,
                                       tlp=source_tlp,
                                       analyst=username)
            ]
        else:
            return {
                "success":
                False,
                "message":
                "User does not have permission to add object \
                                using source %s." % source
            }

    elif isinstance(source, EmbeddedSource):
        source = [source]

    if isinstance(campaign, basestring):
        c = EmbeddedCampaign(name=campaign,
                             confidence=confidence,
                             analyst=username)
        campaign = [c]

    if campaign:
        for camp in campaign:
            exploit.add_campaign(camp)

    if source:
        for s in source:
            exploit.add_source(s)
    else:
        return {"success": False, "message": "Missing source information."}

    exploit.cve = cve.strip()

    if bucket_list:
        exploit.add_bucket_list(bucket_list, user)

    if ticket:
        exploit.add_ticket(ticket, user)

    related_obj = None
    if related_id:
        related_obj = class_from_id(related_type, related_id)
        if not related_obj:
            retVal['success'] = False
            retVal['message'] = 'Related Object not found.'
            return retVal

    exploit.save(username=username)

    if related_obj and exploit and relationship_type:
        relationship_type = RelationshipTypes.inverse(
            relationship=relationship_type)
        exploit.add_relationship(related_obj,
                                 relationship_type,
                                 analyst=user,
                                 get_rels=False)
        exploit.save(username=username)

    # run exploit triage
    if is_item_new:
        exploit.reload()
        run_triage(exploit, username)

    resp_url = reverse('crits.exploits.views.exploit_detail',
                       args=[exploit.id])

    retVal['message'] = ('Success! Click here to view the new Exploit: '
                         '<a href="%s">%s</a>' % (resp_url, exploit.name))

    retVal['success'] = True
    retVal['object'] = exploit
    retVal['id'] = str(exploit.id)

    return retVal
コード例 #12
0
def handle_pcap_file(filename,
                     data,
                     source_name,
                     user=None,
                     description=None,
                     related_id=None,
                     related_md5=None,
                     related_type=None,
                     method='',
                     reference='',
                     relationship=None,
                     bucket_list=None,
                     ticket=None):
    """
    Add a PCAP.

    :param filename: The filename of the PCAP.
    :type filename: str
    :param data: The filedata of the PCAP.
    :type data: str
    :param source_name: The source which provided this PCAP.
    :type source_name: str,
                       :class:`crits.core.crits_mongoengine.EmbeddedSource`,
                       list of :class:`crits.core.crits_mongoengine.EmbeddedSource`
    :param user: The user adding the PCAP.
    :type user: str
    :param description: Description of the PCAP.
    :type description: str
    :param related_id: ObjectId of a top-level object related to this PCAP.
    :type related_id: str
    :param related_md5: MD5 of a top-level object related to this PCAP.
    :type related_md5: str
    :param related_type: The CRITs type of the related top-level object.
    :type related_type: str
    :param method: The method of acquiring this PCAP.
    :type method: str
    :param reference: A reference to the source of this PCAP.
    :type reference: str
    :param relationship: The relationship between the parent and the PCAP.
    :type relationship: str
    :param bucket_list: Bucket(s) to add to this PCAP.
    :type bucket_list: str(comma separated) or list.
    :param ticket: Ticket(s) to add to this PCAP.
    :type ticket: str(comma separated) or list.
    :param related_id: ID of object to create relationship with
    :type related_id: str
    :param related_type: Type of object to create relationship with
    :type related_type: str
    :param relationship_type: Type of relationship to create.
    :type relationship_type: str
    :returns: dict with keys:
              'success' (boolean),
              'message' (str),
              'md5' (str) if successful.
    """

    if not data:
        status = {'success': False, 'message': 'No data object passed in'}
        return status
    if len(data) <= 0:
        status = {'success': False, 'message': 'Data length <= 0'}
        return status
    if ((related_type and not (related_id or related_md5))
            or (not related_type and (related_id or related_md5))):
        status = {
            'success':
            False,
            'message':
            'Must specify both related_type and related_id or related_md5.'
        }
        return status

    if not source_name:
        return {"success": False, "message": "Missing source information."}

    related_obj = None
    if related_id or related_md5:
        if related_id:
            related_obj = class_from_id(related_type, related_id)
        else:
            related_obj = class_from_value(related_type, related_md5)
        if not related_obj:
            status = {'success': False, 'message': 'Related object not found.'}
            return status

    # generate md5 and timestamp
    md5 = hashlib.md5(data).hexdigest()
    timestamp = datetime.datetime.now()

    # generate PCAP
    is_pcap_new = False
    pcap = PCAP.objects(md5=md5).first()
    if not pcap:
        pcap = PCAP()
        pcap.filename = filename
        pcap.created = timestamp
        pcap.length = len(data)
        pcap.description = description
        pcap.md5 = md5
        is_pcap_new = True

    # generate source information and add to pcap
    if isinstance(source_name, basestring) and len(source_name) > 0:
        s = create_embedded_source(source_name,
                                   method=method,
                                   reference=reference,
                                   analyst=user)
        pcap.add_source(s)
    elif isinstance(source_name, EmbeddedSource):
        pcap.add_source(source_name, method=method, reference=reference)
    elif isinstance(source_name, list) and len(source_name) > 0:
        for s in source_name:
            if isinstance(s, EmbeddedSource):
                pcap.add_source(s, method=method, reference=reference)

    # add file to GridFS
    if not isinstance(pcap.filedata.grid_id, ObjectId):
        pcap.add_file_data(data)

    if bucket_list:
        pcap.add_bucket_list(bucket_list, user)

    if ticket:
        pcap.add_ticket(ticket, user)

    # save pcap
    pcap.save(username=user)

    # update relationship if a related top-level object is supplied
    if related_obj and pcap:
        if relationship:
            relationship = RelationshipTypes.inverse(relationship=relationship)
        else:
            relationship = RelationshipTypes.RELATED_TO
        pcap.add_relationship(related_obj,
                              relationship,
                              analyst=user,
                              get_rels=False)
        pcap.save(username=user)

    # run pcap triage
    if is_pcap_new and data:
        pcap.reload()
        run_triage(pcap, user)

    status = {
        'success': True,
        'message': 'Uploaded pcap',
        'md5': md5,
        'id': str(pcap.id),
        'object': pcap
    }

    return status
コード例 #13
0
ファイル: handlers.py プロジェクト: ckane/crits
def add_new_event(title, description, event_type, source, method, reference,
                  date, analyst, bucket_list=None, ticket=None, related_id=None, 
                  related_type=None, relationship_type=None):
    """
    Add a new Event to CRITs.

    :param title: Event title.
    :type title: str
    :param description: Event description.
    :type description: str
    :param event_type: Event type.
    :type event_type: str
    :param source: The source which provided this information.
    :type source: str
    :param method: THe method of acquiring this information.
    :type method: str
    :param reference: Reference to this data.
    :type reference: str
    :param date: Date of acquiring this data.
    :type date: datetime.datetime
    :param analyst: The user adding this Event.
    :type analyst: str
    :param bucket_list: The bucket(s) to associate with this Event.
    :type: str
    :param ticket: Ticket to associate with this event.
    :type ticket: str
    :param related_id: ID of object to create relationship with
    :type related_id: str
    :param related_type: Type of object to create relationship with
    :type related_type: str
    :param relationship_type: Type of relationship to create.
    :type relationship_type: str
    :returns: dict with keys "success" (boolean) and "message" (str)
    """

    if not source:
        return {'success': False, 'message': "Missing source information."}

    event = Event()
    event.title = title
    event.description = description
    event.set_event_type(event_type)

    s = create_embedded_source(name=source,
                               reference=reference,
                               method=method,
                               analyst=analyst,
                               date=date)
    event.add_source(s)

    if bucket_list:
        event.add_bucket_list(bucket_list, analyst)

    if ticket:
        event.add_ticket(ticket, analyst)

    related_obj = None
    if related_id:
        related_obj = class_from_id(related_type, related_id)
        if not related_obj:
            retVal['success'] = False
            retVal['message'] = 'Related Object not found.'
            return retVal

    try:
        event.save(username=analyst)

        if related_obj and event and relationship_type:
            relationship_type=RelationshipTypes.inverse(relationship=relationship_type)
            event.add_relationship(related_obj,
                                  relationship_type,
                                  analyst=analyst,
                                  get_rels=False)
            event.save(username=analyst)

        # run event triage
        event.reload()
        run_triage(event, analyst)

        message = ('<div>Success! Click here to view the new event: <a href='
                   '"%s">%s</a></div>' % (reverse('crits.events.views.view_event',
                                                  args=[event.id]),
                                          title))
        result = {'success': True,
                  'message': message,
                  'id': str(event.id),
                  'object': event}

    except ValidationError, e:
        result = {'success': False,
                  'message': e}
コード例 #14
0
ファイル: handlers.py プロジェクト: 971sec/crits
def add_new_backdoor(name, version=None, aliases=None, description=None,
                     source=None, source_method=None, source_reference=None,
                     campaign=None, confidence=None, user=None,
                     bucket_list=None, ticket=None, related_id=None,
                     related_type=None, relationship_type=None):
    """
    Add an Backdoor to CRITs.

    :param name: The name of the backdoor.
    :type name: str
    :param version: Version of the backdoor.
    :type version: str
    :param aliases: Aliases for the backdoor.
    :type aliases: list or str
    :param description: Description of the backdoor.
    :type description: str
    :param source: Name of the source which provided this information.
    :type source: str
    :param source_method: Method of acquiring this data.
    :type source_method: str
    :param source_reference: A reference to this data.
    :type source_reference: str
    :param campaign: A campaign to attribute to this backdoor.
    :type campaign: str
    :param confidence: Confidence level in the campaign attribution.
    :type confidence: str ("low", "medium", "high")
    :param user: The user adding this backdoor.
    :type user: str
    :param bucket_list: Buckets to assign to this backdoor.
    :type bucket_list: str
    :param ticket: Ticket to assign to this backdoor.
    :type ticket: str
    :param related_id: ID of object to create relationship with
    :type related_id: str
    :param related_type: Type of object to create relationship with
    :type related_id: str
    :param relationship_type: Type of relationship to create.
    :type relationship_type: str
    :returns: dict with keys:
              "success" (boolean),
              "message" (str),
              "id" (str),
              "object" (if successful) :class:`crits.backdoors.backdoor.Backdoor`
    """

    retVal = {'success': False, 'message': ''}

    if isinstance(source, basestring):
        source = [create_embedded_source(source,
                                         reference=source_reference,
                                         method=source_method,
                                         analyst=user)]
    elif isinstance(source, EmbeddedSource):
        source = [source]

    if not source:
        retVal['message'] = "Missing source information."
        return retVal

    # When creating a backdoor object we can potentially create multiple
    # objects. If we are given a name but no version we will create an object
    # with just the name (called the "family backdoor"). If given a name and a
    # version we will create the family backdoor and the specific backdoor for
    # that given version.

    # In case we create more than one backdoor object, store the created ones
    # in this list. The list is walked later on and attributes applied to each
    # object.
    objs = []

    # First check if we have the family (name and no version).
    family = Backdoor.objects(name=name, version='').first()

    if not family:
        # Family does not exist, new object. Details are handled later.
        family = Backdoor()
        family.name = name
        family.version = ''

    objs.append(family)

    # Now check if we have the specific instance for this name + version.
    backdoor = None
    if version:
        backdoor = Backdoor.objects(name=name, version=version).first()
        if not backdoor:
            # Backdoor does not exist, new object. Details are handled later.
            backdoor = Backdoor()
            backdoor.name = name
            backdoor.version = version
        objs.append(backdoor)

    # At this point we have a family object and potentially a specific object.
    # Add the common parameters to all objects in the list and save them.
    for backdoor in objs:
        for s in source:
            backdoor.add_source(s)

        # Don't overwrite existing description.
        if description and backdoor.description == '':
            backdoor.description = description.strip()

        if isinstance(campaign, basestring):
            c = EmbeddedCampaign(name=campaign,
                                 confidence=confidence,
                                 analyst=user)
            campaign = [c]

        if campaign:
            for camp in campaign:
                backdoor.add_campaign(camp)

        if aliases:
            if isinstance(aliases, basestring):
                aliases = aliases.split(',')
            for alias in aliases:
                alias = alias.strip()
                if alias not in backdoor.aliases:
                    backdoor.aliases.append(alias)

        if bucket_list:
            backdoor.add_bucket_list(bucket_list, user)

        if ticket:
            backdoor.add_ticket(ticket, user)

        backdoor.save(username=user)

        # run backdoor triage
        backdoor.reload()
        run_triage(backdoor, user)

        # Because family objects are put in the list first we will always
        # return a link to the most specific object created. If there is only
        # one item in the list it will be the family object.
        resp_url = reverse('crits.backdoors.views.backdoor_detail',
                           args=[backdoor.id])
        retVal['message'] = 'Success: <a href="%s">%s</a>' % (resp_url,
                                                              backdoor.name)
        retVal['object'] = backdoor
        retVal['id'] = str(backdoor.id)

    # Only relate to the most specific object created. 
    related_obj = None
    if related_id and related_type:
        related_obj = class_from_id(related_type, related_id)
        if not related_obj:
            retVal['success'] = False
            retVal['message'] = 'Related Object not found.'
            return retVal

    if related_obj and relationship_type and backdoor:
        relationship_type=RelationshipTypes.inverse(relationship=relationship_type)
        backdoor.add_relationship(related_obj,
                                  relationship_type,
                                  analyst=user,
                                  get_rels=False)
        backdoor.save(username=user)
        backdoor.reload()
            
    # If we have a family and specific object, attempt to relate the two.
    if len(objs) == 2:
        objs[0].add_relationship(objs[1], RelationshipTypes.RELATED_TO)
        objs[0].save()

    retVal['success'] = True
    return retVal
コード例 #15
0
def upsert_target(data, analyst):
    """
    Add/update target information.

    :param data: The target information.
    :type data: dict
    :param analyst: The user adding the target.
    :type analyst: str
    :returns: dict with keys "success" (boolean) and "message" (str)
    """

    if 'email_address' not in data:
        return {'success': False, 'message': "No email address to look up"}

    # check for exact match first
    target = Target.objects(email_address=data['email_address']).first()

    if not target:  # if no exact match, look for case-insensitive match
        target = Target.objects(
            email_address__iexact=data['email_address']).first()
    is_new = False
    if not target:
        is_new = True
        target = Target()
        target.email_address = data['email_address'].strip().lower()

    bucket_list = False
    ticket = False
    related_id = False
    if 'department' in data:
        target.department = data['department']
    if 'division' in data:
        target.division = data['division']
    if 'organization_id' in data:
        target.organization_id = data['organization_id']
    if 'firstname' in data:
        target.firstname = data['firstname']
    if 'lastname' in data:
        target.lastname = data['lastname']
    if 'note' in data:
        target.note = data['note']
    if 'title' in data:
        target.title = data['title']
    if 'campaign' in data and 'camp_conf' in data:
        target.add_campaign(
            EmbeddedCampaign(name=data['campaign'],
                             confidence=data['camp_conf'],
                             analyst=analyst))
    if 'bucket_list' in data:
        bucket_list = data.get(form_consts.Common.BUCKET_LIST_VARIABLE_NAME)
    if 'ticket' in data:
        ticket = data.get(form_consts.Common.TICKET_VARIABLE_NAME)
    if 'related_id' in data:
        related_id = data['related_id']
    if 'related_type' in data:
        related_type = data['related_type']
    if 'relationship_type' in data:
        relationship_type = data['relationship_type']

    if bucket_list:
        target.add_bucket_list(bucket_list, analyst)

    if ticket:
        target.add_ticket(ticket, analyst)

    related_obj = None
    if related_id:
        related_obj = class_from_id(related_type, related_id)
        if not related_obj:
            retVal['success'] = False
            retVal['message'] = 'Related Object not found.'
            return retVal

    try:
        target.save(username=analyst)

        if related_obj and target:
            relationship_type = RelationshipTypes.inverse(
                relationship=relationship_type)
            target.add_relationship(related_obj,
                                    relationship_type,
                                    analyst=analyst,
                                    get_rels=False)
            target.save(username=analyst)

        target.reload()

        if is_new:
            run_triage(target, analyst)
        return {
            'success': True,
            'message': "Target saved successfully",
            'id': str(target.id)
        }
    except ValidationError, e:
        return {'success': False, 'message': "Target save failed: %s" % e}
コード例 #16
0
ファイル: handlers.py プロジェクト: 971sec/crits
def add_new_actor(name, aliases=None, description=None, source=None,
                  source_method='', source_reference='', campaign=None,
                  confidence=None, analyst=None, bucket_list=None, ticket=None, 
                  related_id=None, related_type=None, relationship_type=None):
    """
    Add an Actor to CRITs.

    :param name: The name of the Actor.
    :type name: str
    :param aliases: Aliases for the actor.
    :type aliases: list or str
    :param description: Description of the actor.
    :type description: str
    :param source: Name of the source which provided this information.
    :type source: str
    :param source_method: Method of acquiring this data.
    :type source_method: str
    :param source_reference: A reference to this data.
    :type source_reference: str
    :param campaign: A campaign to attribute to this actor.
    :type campaign: str
    :param confidence: Confidence level in the campaign attribution.
    :type confidence: str ("low", "medium", "high")
    :param analyst: The user adding this actor.
    :type analyst: str
    :param bucket_list: Buckets to assign to this actor.
    :type bucket_list: str
    :param ticket: Ticket to assign to this actor.
    :type ticket: str
    :param related_id: ID of object to create relationship with
    :type related_id: str
    :param related_type: Type of object to create relationship with
    :type related_id: str
    :param relationship_type: Type of relationship to create.
    :type relationship_type: str
    :returns: dict with keys:
              "success" (boolean),
              "message" (str),
              "object" (if successful) :class:`crits.actors.actor.Actor`
    """

    is_item_new = False
    retVal = {}
    actor = Actor.objects(name=name).first()

    if not actor:
        actor = Actor()
        actor.name = name
        if description:
            actor.description = description.strip()
        is_item_new = True

    if isinstance(source, basestring):
        source = [create_embedded_source(source,
                                         reference=source_reference,
                                         method=source_method,
                                         analyst=analyst)]

    if isinstance(campaign, basestring):
        c = EmbeddedCampaign(name=campaign, confidence=confidence, analyst=analyst)
        campaign = [c]

    if campaign:
        for camp in campaign:
            actor.add_campaign(camp)

    if source:
        for s in source:
            actor.add_source(s)
    else:
        return {"success" : False, "message" : "Missing source information."}

    if not isinstance(aliases, list):
        aliases = aliases.split(',')
        for alias in aliases:
            alias = alias.strip()
            if alias not in actor.aliases:
                actor.aliases.append(alias)

    if bucket_list:
        actor.add_bucket_list(bucket_list, analyst)

    if ticket:
        actor.add_ticket(ticket, analyst)

    related_obj = None
    if related_id and related_type:
        related_obj = class_from_id(related_type, related_id)
        if not related_obj:
            retVal['success'] = False
            retVal['message'] = 'Related Object not found.'
            return retVal

    actor.save(username=analyst)

    if related_obj and actor:
            relationship_type=RelationshipTypes.inverse(relationship=relationship_type)
            actor.add_relationship(related_obj,
                                  relationship_type,
                                  analyst=analyst,
                                  get_rels=False)
            actor.save(username=analyst)
            actor.reload()

    # run actor triage
    if is_item_new:
        actor.reload()
        run_triage(actor, analyst)

    resp_url = reverse('crits.actors.views.actor_detail', args=[actor.id])

    retVal['message'] = ('Success! Click here to view the new Actor: '
                         '<a href="%s">%s</a>' % (resp_url, actor.name))

    retVal['success'] = True
    retVal['object'] = actor
    retVal['id'] = str(actor.id)

    return retVal
コード例 #17
0
def add_campaign(name, description, aliases, analyst,
                 bucket_list=None, ticket=None, related_id=None,
                 related_type=None, relationship_type=None):
    """
    Add a Campaign.

    :param name: The name of the new Campaign.
    :type name: str
    :param description: Description of the new Campaign.
    :type description: str
    :param aliases: Aliases for the new Campaign.
    :type aliases: str (comma separated) or list.
    :param analyst: The user adding the Campaign.
    :type analyst: str
    :param bucket_list: Buckets to add to this Campaign.
    :type bucket_list: str (comma separated) or list.
    :param ticket: Ticket(s) to add to this Campaign.
    :type ticket: str (comma separated) or list.
    :param related_id: ID of object to create relationship with
    :type related_id: str
    :param related_type: Type of object to create relationship with
    :type related_id: str
    :param relationship_type: Type of relationship to create.
    :type relationship_type: str
    :returns: dict with key 'success' (boolean) and 'message' (str).
    """

    # Verify the Campaign does not exist.
    campaign = Campaign.objects(name=name).first()
    if campaign:
        return {'success': False, 'message': ['Campaign already exists.'],
                'id': str(campaign.id)}

    # Create new campaign.
    campaign = Campaign(name=name)
    campaign.edit_description(description)

    if bucket_list:
        campaign.add_bucket_list(bucket_list, analyst)
    if ticket:
        campaign.add_ticket(ticket, analyst)

    # Adjust aliases.
    if isinstance(aliases, basestring):
        alias_list = aliases.split(',')
        final_aliases = [a.strip() for a in alias_list]
    elif isinstance(aliases, list):
        final_aliases = [a.strip() for a in aliases]
    else:
        final_aliases = []
    campaign.add_alias(final_aliases)

    related_obj = None
    if related_id and related_type:
        related_obj = class_from_id(related_type, related_id)
        if not related_obj:
            retVal['success'] = False
            retVal['message'] = 'Related Object not found.'
            return retVal

    campaign.save(username=analyst)

    if related_obj and relationship_type and campaign:
        relationship_type=RelationshipTypes.inverse(relationship=relationship_type)
        campaign.add_relationship(related_obj,
                              relationship_type,
                              analyst=analyst,
                              get_rels=False)
        campaign.save(username=analyst)
        campaign.reload()

    try:
        campaign.save(username=analyst)
        campaign.reload()
        return {'success': True,
                'message': 'Campaign created successfully!',
                'id': str(campaign.id)}
    except ValidationError, e:
        return {'success': False, 'message': "Invalid value: %s" % e}
コード例 #18
0
ファイル: handlers.py プロジェクト: 971sec/crits
def handle_cert_file(filename, data, source_name, user=None,
                     description=None, related_md5=None, method='', 
                     reference='', relationship=None, bucket_list=None, 
                     ticket=None, related_id=None, related_type=None,
                     relationship_type=None):
    """
    Add a Certificate.

    :param filename: The filename of the Certificate.
    :type filename: str
    :param data: The filedata of the Certificate.
    :type data: str
    :param source_name: The source which provided this Certificate.
    :type source_name: str,
                       :class:`crits.core.crits_mongoengine.EmbeddedSource`,
                       list of :class:`crits.core.crits_mongoengine.EmbeddedSource`
    :param user: The user adding the Certificate.
    :type user: str
    :param description: Description of the Certificate.
    :type description: str
    :param related_md5: MD5 of a top-level object related to this Certificate.
    :type related_md5: str
    :param related_type: The CRITs type of the related top-level object.
    :type related_type: str
    :param method: The method of acquiring this Certificate.
    :type method: str
    :param reference: A reference to the source of this Certificate.
    :type reference: str
    :param relationship: The relationship between the parent and the Certificate.
    :type relationship: str
    :param bucket_list: Bucket(s) to add to this Certificate
    :type bucket_list: str(comma separated) or list.
    :param ticket: Ticket(s) to add to this Certificate
    :type ticket: str(comma separated) or list.
    :param related_id: ID of object to create relationship with
    :type related_id: str
    :param related_type: Type of object to create relationship with
    :type related_id: str
    :param relationship_type: Type of relationship to create.
    :type relationship_type: str
    :returns: dict with keys:
              'success' (boolean),
              'message' (str),
              'md5' (str) if successful.
    """

    if not data:
        status = {
            'success':   False,
            'message':  'No data object passed in'
        }
        return status
    if len(data) <= 0:
        status = {
            'success':   False,
            'message':  'Data length <= 0'
        }
        return status
    if ((related_type and not (related_id or related_md5)) or
        (not related_type and (related_id or related_md5))):
        status = {
            'success':   False,
            'message':  'Must specify both related_type and related_id or related_md5.'
        }
        return status

    related_obj = None
    if related_id or related_md5:
        if related_id:
            related_obj = class_from_id(related_type, related_id)
        else:
            related_obj = class_from_value(related_type, related_md5)
        if not related_obj:
            status = {
                'success': False,
                'message': 'Related object not found.'
            }
            return status

    # generate md5 and timestamp
    md5 = hashlib.md5(data).hexdigest()
    timestamp = datetime.datetime.now()

    # generate Certificate
    cert = Certificate.objects(md5=md5).first()
    if not cert:
        cert = Certificate()
        cert.filename = filename
        cert.created = timestamp
        cert.size = len(data)
        cert.description = description
        cert.md5 = md5

    # generate source information and add to certificate
    if isinstance(source_name, basestring) and len(source_name) > 0:
        s = create_embedded_source(source_name,
                                   method=method,
                                   reference=reference,
                                   analyst=user)
        cert.add_source(s)
    elif isinstance(source_name, EmbeddedSource):
        cert.add_source(source_name, method=method, reference=reference)
    elif isinstance(source_name, list) and len(source_name) > 0:
        for s in source_name:
            if isinstance(s, EmbeddedSource):
                cert.add_source(s, method=method, reference=reference)

    if bucket_list:
        cert.add_bucket_list(bucket_list, user)

    if ticket:
        cert.add_ticket(ticket, user)

    # add file to GridFS
    if not isinstance(cert.filedata.grid_id, ObjectId):
        cert.add_file_data(data)

    # save cert
    cert.save(username=user)
    cert.reload()

    # run certificate triage
    if len(AnalysisResult.objects(object_id=str(cert.id))) < 1 and data:
        run_triage(cert, user)

    # update relationship if a related top-level object is supplied
    if related_obj and cert:
        if relationship_type:
            relationship=RelationshipTypes.inverse(relationship=relationship_type)
        if not relationship:
            relationship = RelationshipTypes.RELATED_TO
            
        cert.add_relationship(related_obj,
                              relationship,
                              analyst=user,
                              get_rels=False)
        cert.save(username=user)

    status = {
        'success':      True,
        'message':      'Uploaded certificate',
        'md5':          md5,
        'id':           str(cert.id),
        'object':       cert
    }

    return status
コード例 #19
0
ファイル: handlers.py プロジェクト: 971sec/crits
            fqdn_domain.save(username=username)
    except Exception, e:
        return {'success': False, 'message': e}

    #Add relationships between fqdn, root
    if fqdn_domain and root_domain:
        root_domain.add_relationship(fqdn_domain,
                                     RelationshipTypes.SUPRA_DOMAIN_OF,
                                     analyst=username,
                                     get_rels=False)
        root_domain.save(username=username)
        fqdn_domain.save(username=username)

    #Add relationships from object domain is being added from
    if related_obj and relationship_type:
        relationship_type=RelationshipTypes.inverse(relationship=relationship_type)
        if fqdn_domain and (related_obj != fqdn_domain):
            fqdn_domain.add_relationship(related_obj,
                                         relationship_type,
                                         analyst=username,
                                         get_rels=False)
            fqdn_domain.save(username=username)
        if root_domain and (related_obj != root_domain):
            root_domain.add_relationship(related_obj,
                                         relationship_type,
                                         analyst=username,
                                         get_rels=False)
            root_domain.save(username=username)
    
    # run domain triage
    if is_fqdn_domain_new:
コード例 #20
0
ファイル: handlers.py プロジェクト: xtracerx/crits
def add_new_actor(name,
                  aliases=None,
                  description=None,
                  source=None,
                  source_method='',
                  source_reference='',
                  campaign=None,
                  confidence=None,
                  analyst=None,
                  bucket_list=None,
                  ticket=None,
                  related_id=None,
                  related_type=None,
                  relationship_type=None):
    """
    Add an Actor to CRITs.

    :param name: The name of the Actor.
    :type name: str
    :param aliases: Aliases for the actor.
    :type aliases: list or str
    :param description: Description of the actor.
    :type description: str
    :param source: Name of the source which provided this information.
    :type source: str
    :param source_method: Method of acquiring this data.
    :type source_method: str
    :param source_reference: A reference to this data.
    :type source_reference: str
    :param campaign: A campaign to attribute to this actor.
    :type campaign: str
    :param confidence: Confidence level in the campaign attribution.
    :type confidence: str ("low", "medium", "high")
    :param analyst: The user adding this actor.
    :type analyst: str
    :param bucket_list: Buckets to assign to this actor.
    :type bucket_list: str
    :param ticket: Ticket to assign to this actor.
    :type ticket: str
    :param related_id: ID of object to create relationship with
    :type related_id: str
    :param related_type: Type of object to create relationship with
    :type related_id: str
    :param relationship_type: Type of relationship to create.
    :type relationship_type: str
    :returns: dict with keys:
              "success" (boolean),
              "message" (str),
              "object" (if successful) :class:`crits.actors.actor.Actor`
    """

    is_item_new = False
    retVal = {}
    actor = Actor.objects(name=name).first()

    if not actor:
        actor = Actor()
        actor.name = name
        if description:
            actor.description = description.strip()
        is_item_new = True

    if isinstance(source, basestring):
        source = [
            create_embedded_source(source,
                                   reference=source_reference,
                                   method=source_method,
                                   analyst=analyst)
        ]

    if isinstance(campaign, basestring):
        c = EmbeddedCampaign(name=campaign,
                             confidence=confidence,
                             analyst=analyst)
        campaign = [c]

    if campaign:
        for camp in campaign:
            actor.add_campaign(camp)

    if source:
        for s in source:
            actor.add_source(s)
    else:
        return {"success": False, "message": "Missing source information."}

    if not isinstance(aliases, list):
        aliases = aliases.split(',')
        for alias in aliases:
            alias = alias.strip()
            if alias not in actor.aliases:
                actor.aliases.append(alias)

    if bucket_list:
        actor.add_bucket_list(bucket_list, analyst)

    if ticket:
        actor.add_ticket(ticket, analyst)

    related_obj = None
    if related_id and related_type:
        related_obj = class_from_id(related_type, related_id)
        if not related_obj:
            retVal['success'] = False
            retVal['message'] = 'Related Object not found.'
            return retVal

    actor.save(username=analyst)

    if related_obj and actor:
        relationship_type = RelationshipTypes.inverse(
            relationship=relationship_type)
        actor.add_relationship(related_obj,
                               relationship_type,
                               analyst=analyst,
                               get_rels=False)
        actor.save(username=analyst)
        actor.reload()

    # run actor triage
    if is_item_new:
        actor.reload()
        run_triage(actor, analyst)

    resp_url = reverse('crits.actors.views.actor_detail', args=[actor.id])

    retVal['message'] = ('Success! Click here to view the new Actor: '
                         '<a href="%s">%s</a>' % (resp_url, actor.name))

    retVal['success'] = True
    retVal['object'] = actor
    retVal['id'] = str(actor.id)

    return retVal
コード例 #21
0
ファイル: handlers.py プロジェクト: armtash/crits
def add_new_event(title, description, event_type, source_name, source_method,
                  source_reference, source_tlp, date, user,
                  bucket_list=None, ticket=None, campaign=None, campaign_confidence=None,
                  related_id=None, related_type=None, relationship_type=None):
    """
    Add a new Event to CRITs.

    :param title: Event title.
    :type title: str
    :param description: Event description.
    :type description: str
    :param event_type: Event type.
    :type event_type: str
    :param source: The source which provided this information.
    :type source: str
    :param method: THe method of acquiring this information.
    :type method: str
    :param reference: Reference to this data.
    :type reference: str
    :param date: Date of acquiring this data.
    :type date: datetime.datetime
    :param user: The user adding this Event.
    :type user: str
    :param bucket_list: The bucket(s) to associate with this Event.
    :type: str
    :param ticket: Ticket to associate with this event.
    :type ticket: str
    :param related_id: ID of object to create relationship with
    :type related_id: str
    :param related_type: Type of object to create relationship with
    :type related_type: str
    :param relationship_type: Type of relationship to create.
    :type relationship_type: str
    :returns: dict with keys "success" (boolean) and "message" (str)
    :param campaign: Campaign to associate with this Event
    :type campaign: str
    :param campaign_confidence: Confidence to associate with the Campaign
    :type campaign_confidence: str
    """

    if not source_name:
        return {'success': False, 'message': "Missing source information."}

    result = dict()
    event = Event()
    event.title = title
    event.description = description
    event.set_event_type(event_type)

    if user.check_source_write(source_name):
        s = create_embedded_source(source_name,
                                   reference=source_reference,
                                   method=source_method,
                                   tlp=source_tlp,
                                   analyst=user.username,
                                   date=date)
    else:
        return {"success": False,
                "message": "User does not have permission to add object \
                            using source %s." % source_name}
    event.add_source(s)

    valid_campaign_confidence = {
        'low': 'low',
        'medium': 'medium',
        'high': 'high'}
    valid_campaigns = {}
    for c in Campaign.objects(active='on'):
        valid_campaigns[c['name'].lower()] = c['name']

    if campaign:
        if isinstance(campaign, basestring) and len(campaign) > 0:
            if campaign.lower() not in valid_campaigns:
                result = {'success':False, 'message':'{} is not a valid campaign.'.format(campaign)}
            else:
                confidence = valid_campaign_confidence.get(campaign_confidence, 'low')
                campaign = EmbeddedCampaign(name=campaign,
                                                   confidence=confidence,
                                                   description="",
                                                   analyst=user.username,
                                                   date=datetime.datetime.now())
                event.add_campaign(campaign)

    if bucket_list:
        event.add_bucket_list(bucket_list, user.username)

    if ticket:
        event.add_ticket(ticket, user.username)

    related_obj = None
    if related_id:
        related_obj = class_from_id(related_type, related_id)
        if not related_obj:
            retVal['success'] = False
            retVal['message'] = 'Related Object not found.'
            return retVal

    try:
        event.save(username=user.username)

        if related_obj and event and relationship_type:
            relationship_type=RelationshipTypes.inverse(relationship=relationship_type)
            event.add_relationship(related_obj,
                                  relationship_type,
                                  analyst=user.username,
                                  get_rels=False)
            event.save(username=user.username)

        # run event triage
        event.reload()
        run_triage(event, user.username)

        message = ('<div>Success! Click here to view the new event: <a href='
                   '"%s">%s</a></div>' % (reverse('crits-events-views-view_event',
                                                  args=[event.id]),
                                          title))
        result = {'success': True,
                  'message': message,
                  'id': str(event.id),
                  'object': event}

    except ValidationError, e:
        result = {'success': False,
                  'message': e}
コード例 #22
0
            fqdn_domain.save(username=username)
    except Exception, e:
        return {'success': False, 'message': e}

    #Add relationships between fqdn, root
    if fqdn_domain and root_domain:
        root_domain.add_relationship(fqdn_domain,
                                     RelationshipTypes.SUPRA_DOMAIN_OF,
                                     analyst=username,
                                     get_rels=False)
        root_domain.save(username=username)
        fqdn_domain.save(username=username)

    #Add relationships from object domain is being added from
    if related_obj and relationship_type:
        relationship_type=RelationshipTypes.inverse(relationship=relationship_type)
        if fqdn_domain and (related_obj != fqdn_domain):
            fqdn_domain.add_relationship(related_obj,
                                         relationship_type,
                                         analyst=username,
                                         get_rels=False)
            fqdn_domain.save(username=username)
        if root_domain and (related_obj != root_domain):
            root_domain.add_relationship(related_obj,
                                         relationship_type,
                                         analyst=username,
                                         get_rels=False)
            root_domain.save(username=username)

    # run domain triage
    if is_fqdn_domain_new:
コード例 #23
0
ファイル: handlers.py プロジェクト: ckane/crits
def upsert_target(data, analyst):
    """
    Add/update target information.

    :param data: The target information.
    :type data: dict
    :param analyst: The user adding the target.
    :type analyst: str
    :returns: dict with keys "success" (boolean) and "message" (str)
    """

    if 'email_address' not in data:
        return {'success': False,
                'message': "No email address to look up"}

    # check for exact match first
    target = Target.objects(email_address=data['email_address']).first()

    if not target: # if no exact match, look for case-insensitive match
        target = Target.objects(email_address__iexact=data['email_address']).first()
    is_new = False
    if not target:
        is_new = True
        target = Target()
        target.email_address = data['email_address'].strip().lower()

    bucket_list = False
    ticket = False
    if 'department' in data:
        target.department = data['department']
    if 'division' in data:
        target.division = data['division']
    if 'organization_id' in data:
        target.organization_id = data['organization_id']
    if 'firstname' in data:
        target.firstname = data['firstname']
    if 'lastname' in data:
        target.lastname = data['lastname']
    if 'note' in data:
        target.note = data['note']
    if 'title' in data:
        target.title = data['title']
    if 'campaign' in data and 'camp_conf' in data:
        target.add_campaign(EmbeddedCampaign(name=data['campaign'],
                                             confidence=data['camp_conf'],
                                             analyst=analyst))
    if 'bucket_list' in data:
        bucket_list = data.get(form_consts.Common.BUCKET_LIST_VARIABLE_NAME)
    if 'ticket' in data:
        ticket = data.get(form_consts.Common.TICKET_VARIABLE_NAME)
    if 'related_id' in data:
        related_id = data['related_id']
    if 'related_type' in data:
        related_type = data['related_type']
    if 'relationship_type' in data:
        relationship_type = data['relationship_type']


    if bucket_list:
        target.add_bucket_list(bucket_list, analyst)

    if ticket:
        target.add_ticket(ticket, analyst)

    related_obj = None
    if related_id:
        related_obj = class_from_id(related_type, related_id)
        if not related_obj:
            retVal['success'] = False
            retVal['message'] = 'Related Object not found.'
            return retVal

    try:
        target.save(username=analyst)

        if related_obj and target:
            relationship_type=RelationshipTypes.inverse(relationship=relationship_type)
            target.add_relationship(related_obj,
                                  relationship_type,
                                  analyst=analyst,
                                  get_rels=False)
            target.save(username=analyst)

        target.reload()

        if is_new:
            run_triage(target, analyst)
        return {'success': True,
                'message': "Target saved successfully",
                'id': str(target.id)}
    except ValidationError, e:
        return {'success': False,
                'message': "Target save failed: %s" % e}
コード例 #24
0
ファイル: handlers.py プロジェクト: zhangjunqiang/crits
def add_new_backdoor(name,
                     version=None,
                     aliases=None,
                     description=None,
                     source=None,
                     source_method=None,
                     source_reference=None,
                     source_tlp=None,
                     campaign=None,
                     confidence=None,
                     user=None,
                     bucket_list=None,
                     ticket=None,
                     related_id=None,
                     related_type=None,
                     relationship_type=None):
    """
    Add an Backdoor to CRITs.

    :param name: The name of the backdoor.
    :type name: str
    :param version: Version of the backdoor.
    :type version: str
    :param aliases: Aliases for the backdoor.
    :type aliases: list or str
    :param description: Description of the backdoor.
    :type description: str
    :param source: Name of the source which provided this information.
    :type source: str
    :param source_method: Method of acquiring this data.
    :type source_method: str
    :param source_reference: A reference to this data.
    :type source_reference: str
    :param campaign: A campaign to attribute to this backdoor.
    :type campaign: str
    :param confidence: Confidence level in the campaign attribution.
    :type confidence: str ("low", "medium", "high")
    :param user: The user adding this backdoor.
    :type user: CRITsUser
    :param bucket_list: Buckets to assign to this backdoor.
    :type bucket_list: str
    :param ticket: Ticket to assign to this backdoor.
    :type ticket: str
    :param related_id: ID of object to create relationship with
    :type related_id: str
    :param related_type: Type of object to create relationship with
    :type related_id: str
    :param relationship_type: Type of relationship to create.
    :type relationship_type: str
    :returns: dict with keys:
              "success" (boolean),
              "message" (str),
              "id" (str),
              "object" (if successful) :class:`crits.backdoors.backdoor.Backdoor`
    """

    retVal = {'success': False, 'message': ''}
    username = user.username

    if isinstance(source, basestring):
        if user.check_source_write(source):
            source = [
                create_embedded_source(source,
                                       reference=source_reference,
                                       method=source_method,
                                       tlp=source_tlp,
                                       analyst=username)
            ]
        else:
            return {
                "success":
                False,
                "message":
                "User does not have permission to add objects \
                    using source %s." % str(source)
            }

    elif isinstance(source, EmbeddedSource):
        source = [source]

    if not source:
        retVal['message'] = "Missing source information."
        return retVal

    # When creating a backdoor object we can potentially create multiple
    # objects. If we are given a name but no version we will create an object
    # with just the name (called the "family backdoor"). If given a name and a
    # version we will create the family backdoor and the specific backdoor for
    # that given version.

    # In case we create more than one backdoor object, store the created ones
    # in this list. The list is walked later on and attributes applied to each
    # object.
    objs = []

    # First check if we have the family (name and no version).
    family = Backdoor.objects(name=name, version='').first()

    if not family:
        # Family does not exist, new object. Details are handled later.
        family = Backdoor()
        family.name = name
        family.version = ''

    objs.append(family)

    # Now check if we have the specific instance for this name + version.
    backdoor = None
    if version:
        backdoor = Backdoor.objects(name=name, version=version).first()
        if not backdoor:
            # Backdoor does not exist, new object. Details are handled later.
            backdoor = Backdoor()
            backdoor.name = name
            backdoor.version = version
        objs.append(backdoor)

    # At this point we have a family object and potentially a specific object.
    # Add the common parameters to all objects in the list and save them.
    for backdoor in objs:
        for s in source:
            backdoor.add_source(s)

        # Don't overwrite existing description.
        if description and backdoor.description == '':
            backdoor.description = description.strip()

        if isinstance(campaign, basestring):
            c = EmbeddedCampaign(name=campaign,
                                 confidence=confidence,
                                 analyst=username)
            campaign = [c]

        if campaign:
            for camp in campaign:
                backdoor.add_campaign(camp)

        if aliases:
            if isinstance(aliases, basestring):
                aliases = aliases.split(',')
            for alias in aliases:
                alias = alias.strip()
                if alias not in backdoor.aliases:
                    backdoor.aliases.append(alias)

        if bucket_list:
            backdoor.add_bucket_list(bucket_list, username)

        if ticket:
            backdoor.add_ticket(ticket, username)

        backdoor.save(username=username)

        # run backdoor triage
        backdoor.reload()
        run_triage(backdoor, username)

        # Because family objects are put in the list first we will always
        # return a link to the most specific object created. If there is only
        # one item in the list it will be the family object.
        resp_url = reverse('crits-backdoors-views-backdoor_detail',
                           args=[backdoor.id])
        retVal['message'] = 'Success: <a href="%s">%s</a>' % (resp_url,
                                                              backdoor.name)
        retVal['object'] = backdoor
        retVal['id'] = str(backdoor.id)

    # Only relate to the most specific object created.
    related_obj = None
    if related_id and related_type:
        related_obj = class_from_id(related_type, related_id)
        if not related_obj:
            retVal['success'] = False
            retVal['message'] = 'Related Object not found.'
            return retVal

    if related_obj and relationship_type and backdoor:
        relationship_type = RelationshipTypes.inverse(
            relationship=relationship_type)
        backdoor.add_relationship(related_obj,
                                  relationship_type,
                                  analyst=username,
                                  get_rels=False)
        backdoor.save(username=username)
        backdoor.reload()

    # If we have a family and specific object, attempt to relate the two.
    if len(objs) == 2:
        objs[0].add_relationship(objs[1], RelationshipTypes.RELATED_TO)
        objs[0].save()

    retVal['success'] = True
    return retVal
コード例 #25
0
ファイル: handlers.py プロジェクト: xtracerx/crits
def add_new_event(title,
                  description,
                  event_type,
                  source,
                  method,
                  reference,
                  date,
                  analyst,
                  bucket_list=None,
                  ticket=None,
                  campaign=None,
                  campaign_confidence=None,
                  related_id=None,
                  related_type=None,
                  relationship_type=None):
    """
    Add a new Event to CRITs.

    :param title: Event title.
    :type title: str
    :param description: Event description.
    :type description: str
    :param event_type: Event type.
    :type event_type: str
    :param source: The source which provided this information.
    :type source: str
    :param method: THe method of acquiring this information.
    :type method: str
    :param reference: Reference to this data.
    :type reference: str
    :param date: Date of acquiring this data.
    :type date: datetime.datetime
    :param analyst: The user adding this Event.
    :type analyst: str
    :param bucket_list: The bucket(s) to associate with this Event.
    :type: str
    :param ticket: Ticket to associate with this event.
    :type ticket: str
    :param related_id: ID of object to create relationship with
    :type related_id: str
    :param related_type: Type of object to create relationship with
    :type related_type: str
    :param relationship_type: Type of relationship to create.
    :type relationship_type: str
    :returns: dict with keys "success" (boolean) and "message" (str)
    :param campaign: Campaign to associate with this Event
    :type campaign: str
    :param campaign_confidence: Confidence to associate with the Campaign
    :type campaign_confidence: str
    """

    result = dict()
    if not source:
        return {'success': False, 'message': "Missing source information."}

    event = Event()
    event.title = title
    event.description = description
    event.set_event_type(event_type)

    s = create_embedded_source(name=source,
                               reference=reference,
                               method=method,
                               analyst=analyst,
                               date=date)
    event.add_source(s)

    valid_campaign_confidence = {
        'low': 'low',
        'medium': 'medium',
        'high': 'high'
    }
    valid_campaigns = {}
    for c in Campaign.objects(active='on'):
        valid_campaigns[c['name'].lower()] = c['name']

    if campaign:
        if isinstance(campaign, basestring) and len(campaign) > 0:
            if campaign.lower() not in valid_campaigns:
                result = {
                    'success': False,
                    'message': '{} is not a valid campaign.'.format(campaign)
                }
            else:
                confidence = valid_campaign_confidence.get(
                    campaign_confidence, 'low')
                campaign = EmbeddedCampaign(name=campaign,
                                            confidence=confidence,
                                            description="",
                                            analyst=analyst,
                                            date=datetime.datetime.now())
                event.add_campaign(campaign)

    if bucket_list:
        event.add_bucket_list(bucket_list, analyst)

    if ticket:
        event.add_ticket(ticket, analyst)

    related_obj = None
    if related_id:
        related_obj = class_from_id(related_type, related_id)
        if not related_obj:
            retVal['success'] = False
            retVal['message'] = 'Related Object not found.'
            return retVal

    try:
        event.save(username=analyst)

        if related_obj and event and relationship_type:
            relationship_type = RelationshipTypes.inverse(
                relationship=relationship_type)
            event.add_relationship(related_obj,
                                   relationship_type,
                                   analyst=analyst,
                                   get_rels=False)
            event.save(username=analyst)

        # run event triage
        event.reload()
        run_triage(event, analyst)

        message = (
            '<div>Success! Click here to view the new event: <a href='
            '"%s">%s</a></div>' %
            (reverse('crits.events.views.view_event', args=[event.id]), title))
        result = {
            'success': True,
            'message': message,
            'id': str(event.id),
            'object': event
        }

    except ValidationError, e:
        result = {'success': False, 'message': e}
コード例 #26
0
ファイル: handlers.py プロジェクト: armtash/crits
def add_new_exploit(name, cve=None, description=None, source=None,
                    source_method=None, source_reference=None, source_tlp=None,
                    campaign=None, confidence=None, user=None,
                    bucket_list=None, ticket=None,related_id=None,
                    related_type=None, relationship_type=None):
    """
    Add an Exploit to CRITs.

    :param name: The name of the exploit.
    :type name: str
    :param cve: CVE for the exploit.
    :type cve: str
    :param description: Description of the exploit.
    :type description: str
    :param source: Name of the source which provided this information.
    :type source: str
    :param source_method: Method of acquiring this data.
    :type source_method: str
    :param source_reference: A reference to this data.
    :type source_reference: str
    :param source_tlp: TLP value for this source
    :type source_reference: str
    :param campaign: A campaign to attribute to this exploit.
    :type campaign: str
    :param confidence: Confidence level in the campaign attribution.
    :type confidence: str ("low", "medium", "high")
    :param user: The user adding this exploit.
    :type user: str
    :param bucket_list: Buckets to assign to this exploit.
    :type bucket_list: str
    :param ticket: Ticket to assign to this exploit.
    :type ticket: str
    :param related_id: ID of object to create relationship with
    :type related_id: str
    :param related_type: Type of object to create relationship with
    :type related_type: str
    :param relationship_type: Type of relationship to create.
    :type relationship_type: str
    :returns: dict with keys:
              "success" (boolean),
              "message" (str),
              "object" (if successful) :class:`crits.exploits.exploit.Exploit`
    """

    is_item_new = False
    retVal = {}
    exploit = Exploit.objects(name=name).first()

    if not exploit:
        exploit = Exploit()
        exploit.name = name
        if description:
            exploit.description = description.strip()
        is_item_new = True

    username = user.username

    if isinstance(source, basestring):
        if user.check_source_write(source):
            source = [create_embedded_source(source,
                                             reference=source_reference,
                                             method=source_method,
                                             tlp=source_tlp,
                                             analyst=username)]
        else:
            return {"success": False,
                    "message": "User does not have permission to add object \
                                using source %s." % source}

    elif isinstance(source, EmbeddedSource):
        source = [source]

    if isinstance(campaign, basestring):
        c = EmbeddedCampaign(name=campaign, confidence=confidence, analyst=username)
        campaign = [c]

    if campaign:
        for camp in campaign:
            exploit.add_campaign(camp)

    if source:
        for s in source:
            exploit.add_source(s)
    else:
        return {"success" : False, "message" : "Missing source information."}

    exploit.cve = cve.strip()

    if bucket_list:
        exploit.add_bucket_list(bucket_list, user)

    if ticket:
        exploit.add_ticket(ticket, user)

    related_obj = None
    if related_id:
        related_obj = class_from_id(related_type, related_id)
        if not related_obj:
            retVal['success'] = False
            retVal['message'] = 'Related Object not found.'
            return retVal


    exploit.save(username=username)

    if related_obj and exploit and relationship_type:
        relationship_type=RelationshipTypes.inverse(relationship=relationship_type)
        exploit.add_relationship(related_obj,
                               relationship_type,
                               analyst=user,
                               get_rels=False)
        exploit.save(username=username)

    # run exploit triage
    if is_item_new:
        exploit.reload()
        run_triage(exploit, username)

    resp_url = reverse('crits-exploits-views-exploit_detail', args=[exploit.id])

    retVal['message'] = ('Success! Click here to view the new Exploit: '
                         '<a href="%s">%s</a>' % (resp_url, exploit.name))

    retVal['success'] = True
    retVal['object'] = exploit
    retVal['id'] = str(exploit.id)

    return retVal
コード例 #27
0
from django import forms
from django.forms.widgets import RadioSelect

from crits.campaigns.campaign import Campaign
from crits.core import form_consts
from crits.core.forms import add_bucketlist_to_form, add_ticket_to_form
from crits.core.handlers import get_source_names, get_item_names
from crits.backdoors.handlers import get_backdoor_names
from crits.core.user_tools import get_user_organization

from crits.vocabulary.relationships import RelationshipTypes

relationship_choices = [(c, c) for c in RelationshipTypes.values(sort=True)]

class UnzipSampleForm(forms.Form):
    """
    Django form to handle unziping a sample.
    """

    error_css_class = 'error'
    required_css_class = 'required'
    password = forms.CharField(widget=forms.TextInput, required=False)

class XORSearchForm(forms.Form):
    """
    Django form to handle performing an XOR search.
    """

    error_css_class = 'error'
    required_css_class = 'required'
    string = forms.CharField(widget=forms.TextInput, required=False)
コード例 #28
0
def ip_add_update(ip_address, ip_type, source=None, source_method='',
                  source_reference='', campaign=None, confidence='low',
                  analyst=None, is_add_indicator=False, indicator_reference='',
                  bucket_list=None, ticket=None, is_validate_only=False, cache={}, 
                  related_id=None, related_type=None, relationship_type=None):
    """
    Add/update an IP address.

    :param ip_address: The IP to add/update.
    :type ip_address: str
    :param ip_type: The type of IP this is.
    :type ip_type: str
    :param source: Name of the source which provided this information.
    :type source: str
    :param source_method: Method of acquiring this data.
    :type source_method: str
    :param source_reference: A reference to this data.
    :type source_reference: str
    :param campaign: A campaign to attribute to this IP address.
    :type campaign: str
    :param confidence: Confidence level in the campaign attribution.
    :type confidence: str ("low", "medium", "high")
    :param analyst: The user adding/updating this IP.
    :type analyst: str
    :param is_add_indicator: Also add an Indicator for this IP.
    :type is_add_indicator: bool
    :param indicator_reference: Reference for the indicator.
    :type indicator_reference: str
    :param bucket_list: Buckets to assign to this IP.
    :type bucket_list: str
    :param ticket: Ticket to assign to this IP.
    :type ticket: str
    :param is_validate_only: Only validate, do not add/update.
    :type is_validate_only: bool
    :param cache: Cached data, typically for performance enhancements
                  during bulk operations.
    :type cache: dict
    :param related_id: ID of object to create relationship with
    :type related_id: str
    :param related_type: Type of object to create relationship with
    :type related_type: str
    :param relationship_type: Type of relationship to create.
    :type relationship_type: str
    :returns: dict with keys:
              "success" (boolean),
              "message" (str),
              "object" (if successful) :class:`crits.ips.ip.IP`
    """

    if not source:
        return {"success" : False, "message" : "Missing source information."}

    (ip_address, error) = validate_and_normalize_ip(ip_address, ip_type)
    if error:
        return {"success": False, "message": error}

    retVal = {}
    is_item_new = False

    ip_object = None
    cached_results = cache.get(form_consts.IP.CACHED_RESULTS)

    if cached_results != None:
        ip_object = cached_results.get(ip_address)
    else:
        ip_object = IP.objects(ip=ip_address).first()

    if not ip_object:
        ip_object = IP()
        ip_object.ip = ip_address
        ip_object.ip_type = ip_type
        is_item_new = True

        if cached_results != None:
            cached_results[ip_address] = ip_object

    if isinstance(source, basestring):
        source = [create_embedded_source(source,
                                         reference=source_reference,
                                         method=source_method,
                                         analyst=analyst)]

    if isinstance(campaign, basestring):
        c = EmbeddedCampaign(name=campaign, confidence=confidence, analyst=analyst)
        campaign = [c]

    if campaign:
        for camp in campaign:
            ip_object.add_campaign(camp)

    if source:
        for s in source:
            ip_object.add_source(s)
    else:
        return {"success" : False, "message" : "Missing source information."}

    if bucket_list:
        ip_object.add_bucket_list(bucket_list, analyst)

    if ticket:
        ip_object.add_ticket(ticket, analyst)

    related_obj = None
    if related_id:
        related_obj = class_from_id(related_type, related_id)
        if not related_obj:
            retVal['success'] = False
            retVal['message'] = 'Related Object not found.'
            return retVal

    resp_url = reverse('crits.ips.views.ip_detail', args=[ip_object.ip])

    if is_validate_only == False:
        ip_object.save(username=analyst)

        #set the URL for viewing the new data
        if is_item_new == True:
            retVal['message'] = ('Success! Click here to view the new IP: '
                                 '<a href="%s">%s</a>' % (resp_url, ip_object.ip))
        else:
            message = ('Updated existing IP: '
                                 '<a href="%s">%s</a>' % (resp_url, ip_object.ip))
            retVal['message'] = message
            retVal['status'] = form_consts.Status.DUPLICATE
            retVal['warning'] = message

    elif is_validate_only == True:
        if ip_object.id != None and is_item_new == False:
            message = ('Warning: IP already exists: '
                                 '<a href="%s">%s</a>' % (resp_url, ip_object.ip))
            retVal['message'] = message
            retVal['status'] = form_consts.Status.DUPLICATE
            retVal['warning'] = message

    if is_add_indicator:
        from crits.indicators.handlers import handle_indicator_ind
        handle_indicator_ind(ip_address,
                             source,
                             ip_type,
                             IndicatorThreatTypes.UNKNOWN,
                             IndicatorAttackTypes.UNKNOWN,
                             analyst,
                             source_method,
                             indicator_reference,
                             add_domain=False,
                             add_relationship=True,
                             bucket_list=bucket_list,
                             ticket=ticket,
                             cache=cache)

    if related_obj and ip_object and relationship_type:
        relationship_type=RelationshipTypes.inverse(relationship=relationship_type)
        ip_object.add_relationship(related_obj,
                              relationship_type,
                              analyst=analyst,
                              get_rels=False)
        ip_object.save(username=analyst)

    # run ip triage
    if is_item_new and is_validate_only == False:
        ip_object.reload()
        run_triage(ip_object, analyst)

    retVal['success'] = True
    retVal['object'] = ip_object

    return retVal
コード例 #29
0
ファイル: forms.py プロジェクト: armtash/crits
from django import forms
from django.forms.utils import ErrorList

from crits.campaigns.campaign import Campaign
from crits.core import form_consts
from crits.core.forms import add_bucketlist_to_form, add_ticket_to_form
from crits.core.handlers import get_item_names
from crits.vocabulary.relationships import RelationshipTypes
from crits.vocabulary.acls import Common, TargetACL


relationship_choices = [(c, c) for c in RelationshipTypes.values(sort=True)]

class TargetInfoForm(forms.Form):
    """
    Django form for adding/updating target information.
    """

    error_css_class = 'error'
    required_css_class = 'required'
    firstname = forms.CharField(widget=forms.TextInput(attrs={'size': '50'}),
                                required=False)
    lastname = forms.CharField(widget=forms.TextInput(attrs={'size': '50'}),
                               required=False)
    division = forms.CharField(widget=forms.TextInput(attrs={'size': '50'}),
                               required=False)
    department = forms.CharField(widget=forms.TextInput(attrs={'size': '50'}),
                                 required=False)
    email_address = forms.CharField(widget=forms.TextInput(attrs={'size': '50'}),
                                    required=True)
    organization_id = forms.CharField(widget=forms.TextInput(attrs={'size': '50'}),
コード例 #30
0
ファイル: handlers.py プロジェクト: robertsjw/crits
def handle_signature_file(
    data,
    source_name,
    user=None,
    description=None,
    title=None,
    data_type=None,
    data_type_min_version=None,
    data_type_max_version=None,
    data_type_dependency=None,
    link_id=None,
    method="",
    reference="",
    copy_rels=False,
    bucket_list=None,
    ticket=None,
    related_id=None,
    related_type=None,
    relationship_type=None,
):
    """
    Add Signature.

    :param data: The data of the Signature.
    :type data: str
    :param source_name: The source which provided this Signature.
    :type source_name: str,
                       :class:`crits.core.crits_mongoengine.EmbeddedSource`,
                       list of :class:`crits.core.crits_mongoengine.EmbeddedSource`
    :param user: The user adding the Signature.
    :type user: str
    :param description: Description of the Signature.
    :type description: str
    :param title: Title of the Signature.
    :type title: str
    :param data_type: Datatype of the Signature.
    :type data_type: str
    :param data_type: Datatype of the Signature.
    :type data_type_min_version: str
    :param data_type_min_version: Datatype tool minimum version.
    :type data_type_max_version: str
    :param data_type_max_version: Datatype tool maximum version.
    :type data_type_dependency: list
    :param data_type_dependency: Datatype tool dependency to be run
    :param link_id: LinkId to tie this to another Signature as a new version.
    :type link_id: str
    :param method: The method of acquiring this Signature.
    :type method: str
    :param reference: A reference to the source of this Signature.
    :type reference: str
    :param copy_rels: Copy relationships from the previous version to this one.
    :type copy_rels: bool
    :param bucket_list: Bucket(s) to add to this Signature
    :type bucket_list: str(comma separated) or list.
    :param ticket: Ticket(s) to add to this Signature
    :type ticket: str(comma separated) or list.
    :param related_id: ID of object to create relationship with
    :type related_id: str
    :param related_type: Type of object to create relationship with
    :type related_type: str
    :param relationship_type: Type of relationship to create.
    :type relationship_type: str
    :returns: dict with keys:
              'success' (boolean),
              'message' (str),
              '_id' (str) if successful.
    """

    if not data or not title or not data_type:
        status = {"success": False, "message": "No data object, title, or data type passed in"}
        return status

    if not source_name:
        return {"success": False, "message": "Missing source information."}

    rdt = SignatureType.objects(name=data_type).first()
    if not rdt:
        status = {"success": False, "message": "Invalid data type passed in"}
        return status

    if len(data) <= 0:
        status = {"success": False, "message": "Data length <= 0"}
        return status

    # generate md5 and timestamp
    md5 = hashlib.md5(data).hexdigest()
    timestamp = datetime.datetime.now()

    # generate signature
    signature = Signature()
    signature.created = timestamp
    signature.description = description
    signature.md5 = md5
    signature.data = data
    signature.title = title
    signature.data_type = data_type
    signature.data_type_min_version = data_type_min_version
    signature.data_type_max_version = data_type_max_version

    if data_type_dependency:
        if type(data_type_dependency) == unicode:
            data_type_dependency = data_type_dependency.split(",")

        for item in data_type_dependency:
            if item:
                item = item.strip()
                signature.data_type_dependency.append(str(item))
    else:
        data_type_dependency = []

    # generate new source information and add to sample
    if isinstance(source_name, basestring) and len(source_name) > 0:
        source = create_embedded_source(source_name, date=timestamp, method=method, reference=reference, analyst=user)
        # this will handle adding a new source, or an instance automatically
        signature.add_source(source)
    elif isinstance(source_name, EmbeddedSource):
        signature.add_source(source_name, method=method, reference=reference)
    elif isinstance(source_name, list) and len(source_name) > 0:
        for s in source_name:
            if isinstance(s, EmbeddedSource):
                signature.add_source(s, method=method, reference=reference)

    signature.version = len(Signature.objects(link_id=link_id)) + 1

    if link_id:
        signature.link_id = link_id
        if copy_rels:
            rd2 = Signature.objects(link_id=link_id).first()
            if rd2:
                if len(rd2.relationships):
                    signature.save(username=user)
                    signature.reload()
                    for rel in rd2.relationships:
                        # Get object to relate to.
                        rel_item = class_from_id(rel.rel_type, rel.object_id)
                        if rel_item:
                            signature.add_relationship(
                                rel_item, rel.relationship, rel_date=rel.relationship_date, analyst=user
                            )

    if bucket_list:
        signature.add_bucket_list(bucket_list, user)

    if ticket:
        signature.add_ticket(ticket, user)

    related_obj = None
    if related_id and related_type:
        related_obj = class_from_id(related_type, related_id)
        if not related_obj:
            retVal["success"] = False
            retVal["message"] = "Related Object not found."
            return retVal

    signature.save(username=user)

    if related_obj and signature and relationship_type:
        relationship_type = RelationshipTypes.inverse(relationship=relationship_type)
        signature.add_relationship(related_obj, relationship_type, analyst=user, get_rels=False)
        signature.save(username=user)
        signature.reload()

    # save signature
    signature.save(username=user)
    signature.reload()

    status = {"success": True, "message": "Uploaded signature", "_id": signature.id, "object": signature}

    return status
コード例 #31
0
ファイル: handlers.py プロジェクト: brlogan/crits
def ip_add_update(ip_address, ip_type, source=None, source_method='',
                  source_reference='', source_tlp=None, campaign=None,
                  confidence='low', user=None, is_add_indicator=False,
                  indicator_reference='', bucket_list=None, ticket=None,
                  is_validate_only=False, cache={}, related_id=None,
                  related_type=None, relationship_type=None, description=''):

    """
    Add/update an IP address.

    :param ip_address: The IP to add/update.
    :type ip_address: str
    :param ip_type: The type of IP this is.
    :type ip_type: str
    :param source: Name of the source which provided this information.
    :type source: str
    :param source_method: Method of acquiring this data.
    :type source_method: str
    :param source_reference: A reference to this data.
    :type source_reference: str
    :param campaign: A campaign to attribute to this IP address.
    :type campaign: str
    :param confidence: Confidence level in the campaign attribution.
    :type confidence: str ("low", "medium", "high")
    :param user: The user adding/updating this IP.
    :type user: str
    :param is_add_indicator: Also add an Indicator for this IP.
    :type is_add_indicator: bool
    :param indicator_reference: Reference for the indicator.
    :type indicator_reference: str
    :param bucket_list: Buckets to assign to this IP.
    :type bucket_list: str
    :param ticket: Ticket to assign to this IP.
    :type ticket: str
    :param is_validate_only: Only validate, do not add/update.
    :type is_validate_only: bool
    :param cache: Cached data, typically for performance enhancements
                  during bulk operations.
    :type cache: dict
    :param related_id: ID of object to create relationship with
    :type related_id: str
    :param related_type: Type of object to create relationship with
    :type related_type: str
    :param relationship_type: Type of relationship to create.
    :type relationship_type: str
    :param description: A description for this IP
    :type description: str
    :returns: dict with keys:
              "success" (boolean),
              "message" (str),
              "object" (if successful) :class:`crits.ips.ip.IP`
    """

    if not source:
        return {"success" : False, "message" : "Missing source information."}

    source_name = source

    (ip_address, error) = validate_and_normalize_ip(ip_address, ip_type)
    if error:
        return {"success": False, "message": error}

    retVal = {}
    is_item_new = False

    ip_object = None
    cached_results = cache.get(form_consts.IP.CACHED_RESULTS)

    if cached_results != None:
        ip_object = cached_results.get(ip_address)
    else:
        ip_object = IP.objects(ip=ip_address).first()

    if not ip_object:
        ip_object = IP()
        ip_object.ip = ip_address
        ip_object.ip_type = ip_type
        is_item_new = True

        if cached_results != None:
            cached_results[ip_address] = ip_object

    if not ip_object.description:
        ip_object.description = description or ''
    elif ip_object.description != description:
        ip_object.description += "\n" + (description or '')

    if isinstance(source_name, basestring):
        if user.check_source_write(source):
            source = [create_embedded_source(source,
                                             reference=source_reference,
                                             method=source_method,
                                             tlp=source_tlp,
                                             analyst=user.username)]
        else:
            return {"success":False,
                    "message": "User does not have permission to add object \
                                using source %s." % source}

    if isinstance(campaign, basestring):
        c = EmbeddedCampaign(name=campaign, confidence=confidence, analyst=user.username)
        campaign = [c]

    if campaign:
        for camp in campaign:
            ip_object.add_campaign(camp)

    if source:
        for s in source:
            ip_object.add_source(s)
    else:
        return {"success" : False, "message" : "Missing source information."}

    if bucket_list:
        ip_object.add_bucket_list(bucket_list, user.username)

    if ticket:
        ip_object.add_ticket(ticket, user.username)

    related_obj = None
    if related_id:
        related_obj = class_from_id(related_type, related_id)
        if not related_obj:
            retVal['success'] = False
            retVal['message'] = 'Related Object not found.'
            return retVal

    resp_url = reverse('crits.ips.views.ip_detail', args=[ip_object.ip])


    if is_validate_only == False:
        ip_object.save(username=user.username)

        #set the URL for viewing the new data
        if is_item_new == True:
            retVal['message'] = ('Success! Click here to view the new IP: '
                                 '<a href="%s">%s</a>' % (resp_url, ip_object.ip))
        else:
            message = ('Updated existing IP: '
                                 '<a href="%s">%s</a>' % (resp_url, ip_object.ip))
            retVal['message'] = message
            retVal['status'] = form_consts.Status.DUPLICATE
            retVal['warning'] = message

    elif is_validate_only == True:
        if ip_object.id != None and is_item_new == False:
            message = ('Warning: IP already exists: '
                                 '<a href="%s">%s</a>' % (resp_url, ip_object.ip))
            retVal['message'] = message
            retVal['status'] = form_consts.Status.DUPLICATE
            retVal['warning'] = message

    if is_add_indicator:
        from crits.indicators.handlers import handle_indicator_ind
        result = handle_indicator_ind(ip_address,
                             source_name,
                             ip_type,
                             IndicatorThreatTypes.UNKNOWN,
                             IndicatorAttackTypes.UNKNOWN,
                             user,
                             source_method=source_method,
                             source_reference = indicator_reference,
                             source_tlp = source_tlp,
                             add_domain=False,
                             add_relationship=True,
                             bucket_list=bucket_list,
                             ticket=ticket,
                             cache=cache)

    if related_obj and ip_object and relationship_type:
        relationship_type=RelationshipTypes.inverse(relationship=relationship_type)
        ip_object.add_relationship(related_obj,
                              relationship_type,
                              analyst=user.username,
                              get_rels=False)
        ip_object.save(username=user.username)

    # run ip triage
    if is_item_new and is_validate_only == False:
        ip_object.reload()
        run_triage(ip_object, user)

    retVal['success'] = True
    retVal['object'] = ip_object

    return retVal
コード例 #32
0
ファイル: handlers.py プロジェクト: TheDr1ver/crits_services
def gather_relationships(obj_type, obj_id, user, depth, types):
    objects = {}
    nodes = []
    links = []
    tlos = {
        'Actor': [],
        'Backdoor': [],
        'Campaign': [],
        'Certificate': [],
        'Comment': [],
        'Domain': [],
        'Email': [],
        'Event': [],
        'Exploit': [],
        'Indicator': [],
        'IP': [],
        'PCAP': [],
        'RawData': [],
        'Sample': [],
        'Target': []
    }
    # These would be used if we move to force labels
    #labelAnchors = []
    #labelAnchorLinks = []

    sources = user_sources(user)
    if not sources:
        return { 'nodes': nodes, 'links': links }

    field_dict = {
        'Actor': 'name',
        'Backdoor': 'name',
        'Campaign': 'name',
        'Certificate': 'md5',
        'Comment': 'object_id',
        'Domain': 'domain',
        'Email': 'date',
        'Event': 'title',
        'Exploit': 'name',
        'Indicator': 'value',
        'IP': 'ip',
        'PCAP': 'md5',
        'RawData': 'title',
        'Sample': 'md5',
        'Target': 'email_address'
    }

    # Define the styles for each of the data types. Absent these, the vis.js library will
    # auto-select sensible defaults
    tlo_styles_dict = {
        'Actor': {
            'shape': 'dot',
            'size': 25,
            'color': '#900C0C',
            'color_border': '#700C0C',
            'color_highlight': '#90FCFC',
            'color_highlight_border': '#900C0C'
        },
        'Backdoor': {
            'shape': 'dot',
            'size': 10,
            'color': '#5A2C75',
            'color_border': '#3A1C55',
            'color_highlight': '#7040B0',
            'color_highlight_border': '#5A2C75'
        },
        'Campaign': {
            'shape': 'dot',
            'size': 40,
            'color': '#FF3737',
            'color_border': '#D72020',
            'color_highlight': '#FF6868',
            'color_highlight_border': '#FF3737'
        },
        'Certificate': {
            'shape': 'dot',
            'size': 10,
            'color': '#FFA837',
            'color_border': '#D08020',
            'color_highlight': '#FFC060',
            'color_highlight_border': '#FFA837'
        },
        'Domain': {
            'shape': 'dot',
            'size': 20,
            'color': '#33EB33',
            'color_border': '#25C025',
            'color_highlight': '#55FF55',
            'color_highlight_border': '#33EB33'
        },
        'Email': {
            'shape': 'dot',
            'size': 25,
            'color': '#FF8989',
            'color_border': '#CF7070',
            'color_highlight': '#FFB0B0',
            'color_highlight_border': '#FF8989'
        },
        'Event': {
            'shape': 'dot',
            'size': 35,
            'color': '#B05151',
            'color_border': '#904040',
            'color_highlight': '#D07171',
            'color_highlight_border': '#B05151'
        },
        'Exploit': {
            'shape': 'dot',
            'size': 10,
            'color': '#8CA336',
            'color_border': '#709020',
            'color_highlight': '#A8CC60',
            'color_highlight_border': '#8CA336'
        },
        'Indicator': {
            'shape': 'dot',
            'size': 10,
            'color': '#B08751',
            'color_border': '#907050',
            'color_highlight': '#CCA075',
            'color_highlight_border': '#B08751'
        },
        'IP': {
            'shape': 'dot',
            'size': 20,
            'color': '#90570C',
            'color_border': '#77400C',
            'color_highlight': '#B06037',
            'color_highlight_border': '#90570C'
        },
        'PCAP': {
            'shape': 'dot',
            'size': 10,
            'color': '#FFCC89',
            'color_border': '#D0A860',
            'color_highlight': '#FFE0B0',
            'color_highlight_border': '#FFCC89'
        },
        'Raw Data': {
            'shape': 'dot',
            'size': 10,
            'color': '#4A7797',
            'color_border': '#306080',
            'color_highlight': '#6090B8',
            'color_highlight_border': '#4A7797'
        },
        'Sample': {
            'shape': 'dot',
            'size': 25,
            'color': '#8CCBF8',
            'color_border': '#70AADC',
            'color_highlight': '#A0D0FF',
            'color_highlight_border': '#8CCBF8'
        },
        'Target': {
            'shape': 'dot',
            'size': 10,
            'color': '#4AA24A',
            'color_border': '#308030',
            'color_highlight': '#60C860',
            'color_highlight_border': '#4AA24A'
        }
    }

    def inner_collect(obj_type, obj_id, sources, depth):
        # Don't keep going if we've already processed this object
        if obj_id in objects:
            return

        klass = class_from_type(obj_type)
        if not klass:
            return

        if hasattr(klass, 'source'):
            obj = klass.objects(id=obj_id, source__name__in=sources).first()
        else:
            obj = klass.objects(id=obj_id).first()
        if not obj:
            return

        objects[obj_id] = obj

        if depth == 0:
            return

        depth -= 1
        for r in obj.relationships:
            inner_collect(r.rel_type, str(r.object_id), sources, depth)

        # If we traverse into a Campaign object, walk everything tagged
        # with that campaign along with related objects.
        if obj_type == 'Campaign':
            for c in field_dict.keys():
                klass = class_from_type(c)
                # Not every object in field_dict can be tagged with a campaign.
                # For example, comments.
                if not hasattr(klass, 'campaign'):
                    continue
                tagged_objs = klass.objects(campaign__name=obj.name)
                for tobj in tagged_objs:
                    inner_collect(tobj._meta['crits_type'],
                                  str(tobj.id),
                                  sources,
                                  depth)
        # END OF INNER COLLECT

    try:
        depth = int(depth)
    except ValueError:
        depth = 3


    inner_collect(obj_type, str(obj_id), sources, depth)

    # This dictionary is used to describe the position of each object
    # in the nodes list. The key is an object ID and the value is a
    # tuple where the first item is the position in the node list and
    # the second is a list of object IDs related to this object.
    #
    # Once all the nodes are created and this dictionary is populated
    # it is used to create the links.
    #
    # Here is a simple obj_graph for three objects (A, B and C) that
    # are related such that they form a triangle (A<->B, B<->C, C<->A):
    #
    # {
    #   'A': (0, ['B', 'C']),
    #   'B': (1, ['A', 'C']),
    #   'C': (2, ['B', 'A'])
    # }
    #
    # The integers are the position in the node array and are used as
    # the target. The items in the list are used as lookups back into
    # the dictionary for the source.
    obj_graph = {}

    campaign_cache = {}
    node_position = 0
    tlo_labels = {}
    tlo_relationships = {}
    for (obj_id, obj) in objects.iteritems():
        if obj_id in obj_graph:
            continue

        obj_type = obj._meta['crits_type']

        #import pprint
        
        obj_master = obj._meta
        
        
        klass = class_from_type(obj_type)
        obj = klass.objects(id=obj_id).first()
        
        # YES! THIS WORKS!
        '''
        if obj_type=="Sample":
            sample = obj.filename
        else:
            sample = vars(obj)
        '''
        # Add the obj_id and label to the tlo_labels dict
        # e.g. tlo_labels={'<md5>': '<obj_id>'}
        label = str(obj_type+" | "+getattr(obj, field_dict[obj_type], ''))
        tlo_labels[label]=str(obj.id)
        tlos[obj_type].append(obj)

        
        ### Get TLO Relationships
        tlo_relationships[str(obj_id)]={}
        
        all_relationships = obj.relationships
        for rel in all_relationships:
            tlo_relationships[str(obj_id)][str(rel.object_id)]=str(rel.relationship)

        ### A bunch of the stuff below here can probably go...

        value = getattr(obj, field_dict[obj_type], '')
        if obj_type == 'Backdoor':
            # Append a version or family
            if obj.version == '':
                value += " (family)"
            else:
                value += " (v:%s)" % obj.version
        href = reverse('crits.core.views.details', args=(obj_type, obj_id))

        if len(types) != 0 and obj_type not in types:
            continue

        # For every campaign on this object, make a new node in the list.
        if 'Campaign' in types and hasattr(obj, 'campaign'):
            for i, campaign in enumerate(obj.campaign):
                name = "%s" % obj.campaign[i].name
                if name not in campaign_cache:
                    campaign_cache[name] = get_campaign_details(name, user)
                (x, campaign_details) = campaign_cache[name]
                if 'error' in campaign_details:
                    continue
                campaign_id = str(campaign_details['campaign_detail'].id)
                # If this campaign already exists as a node then
                # add a relationship to the current object
                if campaign_id in obj_graph:
                    (tnode, source_ids) = obj_graph[campaign_id]
                    source_ids.append(obj_id)
                else:
                    total = 0
                    for count in campaign_details['counts'].values():
                        total += count
                    campaign = name + " (" + str(total) + ")"
                    campaign_href = reverse('crits.core.views.details', args=('Campaign', campaign_id))

                    n = dict(tlo_styles_dict['Campaign'])

                    n['label'] = campaign
                    n['url'] = campaign_href
                    n['type'] = n['group'] = 'Campaign'
                    n['crits_status'] = 'Analyzed'
                    n['id'] = campaign_id
                    nodes.append(n)
                    obj_graph[campaign_id] = (node_position, [obj_id])
                    node_position += 1

        # n will contain the vis.js-schema data  to load into the graph
        n = {}
        if obj_type in tlo_styles_dict:
            n = dict(tlo_styles_dict[obj_type])

            n['label'] = '%s' % value
        else:
            n = {
                'label': '%s' % value,
                'shape': 'dot'
            }

        n['url'] = href
        n['crits_status'] = obj['status'];
        n['id'] = obj_id
        n['type'] = n['group'] = obj_type
        n['visible'] = True

        nodes.append(n)
        obj_graph[obj_id] = (node_position, [str(r.object_id) for r in obj.relationships])
        node_position += 1

    #### PROCESS DATA FOR MISP DISPLAY ####
    
    step1 = {}
    # This should be tlos.items() if Python 3
    for obj_type, objs in tlos.iteritems():
        for obj in objs:
            if obj_type not in step1:
                step1[str(obj_type)]={}

            '''
            Changing this up so it's {'Sample': 
                                               {'58dabfca97553032a1f7f0c5': 
                                                                           {'label': '098f6bcd4621d373cade4e832627b4f6',
                                                                            'md5': '098f6bcd4621d373cade4e832627b4f6',
                                                                            'filename': 'whatever'}
                                               }
                                       }
            '''
            if str(obj.id) not in step1[str(obj_type)]:
                step1[str(obj_type)][str(obj.id)]={}
            # Set the label as the first key
            step1[str(obj_type)][str(obj.id)]['label']=str(getattr(obj, field_dict[obj_type], ''))
            # Proces objects according to type
            if str(obj_type)=="Sample":
                # Grab the Sample attributes
                step1[str(obj_type)][str(obj.id)]['filename']=str(obj.filename)
                step1[str(obj_type)][str(obj.id)]['filetype']=str(obj.filetype)
                step1[str(obj_type)][str(obj.id)]['md5']=str(obj.md5)
                step1[str(obj_type)][str(obj.id)]['mimetype']=str(obj.mimetype)
                step1[str(obj_type)][str(obj.id)]['sha1']=str(obj.sha1)
                step1[str(obj_type)][str(obj.id)]['sha256']=str(obj.sha256)
                step1[str(obj_type)][str(obj.id)]['size']=str(obj.size)
                step1[str(obj_type)][str(obj.id)]['ssdeep']=str(obj.ssdeep)
                step1[str(obj_type)][str(obj.id)]['impfuzzy']=str(obj.impfuzzy)
            elif str(obj_type)=="Email":
                # Grab the Email attributes
                step1[str(obj_type)][str(obj.id)]['email_cc']=str(obj.cc)
                step1[str(obj_type)][str(obj.id)]['email_date']=str(obj.date)
                step1[str(obj_type)][str(obj.id)]['email_from_address']=str(obj.from_address)
                step1[str(obj_type)][str(obj.id)]['email_helo']=str(obj.helo)
                step1[str(obj_type)][str(obj.id)]['email_isodate']=str(obj.isodate)
                step1[str(obj_type)][str(obj.id)]['email_message_id']=str(obj.message_id)
                step1[str(obj_type)][str(obj.id)]['email_originating_ip']=str(obj.originating_ip)
                step1[str(obj_type)][str(obj.id)]['email_reply_to']=str(obj.reply_to)
                step1[str(obj_type)][str(obj.id)]['email_sender']=str(obj.sender)
                step1[str(obj_type)][str(obj.id)]['email_subject']=str(obj.subject)
                step1[str(obj_type)][str(obj.id)]['email_to']=str(obj.to)
                step1[str(obj_type)][str(obj.id)]['email_x_originating_ip']=str(obj.x_originating_ip)
                step1[str(obj_type)][str(obj.id)]['email_x_mailer']=str(obj.x_mailer)
            elif str(obj_type)=="Domain":
                step1[str(obj_type)][str(obj.id)]['domain']=str(obj.domain)
            elif str(obj_type)=="Indicator":
                step1[str(obj_type)][str(obj.id)]['type']=str(obj.ind_type)
            elif str(obj_type)=="Event":
                step1[str(obj_type)][str(obj.id)]['event_title']=str(obj.title)
                step1[str(obj_type)][str(obj.id)]['event_type']=str(obj.event_type)
            elif str(obj_type)=="IP":
                step1[str(obj_type)][str(obj.id)]['ip']=str(obj.ip)
                #step1[str(obj_type)][str(obj.id)]['ip_type']=str(obj.ip_type)

    
    n['tlo_labels']=tlo_labels
    n['step1']=step1
    n['tlo_relationships']=tlo_relationships
    
    
    '''
    n['tlo_labels']=pprint.pformat(tlo_labels)
    n['step1']=pprint.pformat(step1)
    n['tlo_relationships']=pprint.pformat(tlo_relationships)
    '''
    
    
    
    #### END NMD Debug
        
    # This dictionary is used to track the links that have been created.
    # When a new link is created the inverse is added to this dictionary as
    # a key. This is because the link between A->B is the same as B->A. When
    # the link for A->B is made, we insert it into this dictionary and then
    # lookup the inverse when creating any new relationships. This ensures
    # that when B->A is handled it will be ignored.
    link_dict = {}

    for (tid, (tnode, source_ids)) in obj_graph.iteritems():
        for sid in source_ids:
            # If the graph is cut off the related object may not have been
            # collected. If the inverse relationship is already done, no
            # need to do this one too.
            if sid not in obj_graph or (tid + sid) in link_dict:
                continue
            link = {
                     'from': sid,
                     'to': tid
                   }
            links.append(link)
            link_dict[sid + tid] = True
        #labelAnchors.append({'node': n,
        #                     'url': href})
        #labelAnchors.append({'node': n,
        #                     'url': href})
        #alink = {
        #         'source': (len(nodes) - 1) * 2,
        #         'target': (len(nodes) - 1) * 2 + 1,
        #         'weight': 1,
        #}
        #labelAnchorLinks.append(alink)
        
    # Get all CRITs relationship types
    from crits.vocabulary.relationships import RelationshipTypes
    rel_types=[c for c in RelationshipTypes.values(sort=True)]
    
    # Get all MISP Categories and Types
    misp_obj=MISPEvent()
    misp_cats = misp_obj.categories
    misp_types = misp_obj.category_type_mapping
    
    
    '''
    from crits.services.service import CRITsService
    svc_obj = CRITsService.objects(name='misp_service')
    misp_config = svc_obj.config.to_dict()
    '''
    
    return {
            'nodes': nodes,
            'links': links,
            'rel_types': rel_types,
            'misp_cats': misp_cats,
            'misp_types': misp_types,
            #'misp_config': misp_config,
            #'tlos': tlos,
            #'tlo_labels': tlo_labels,
            #'tlo_relationships': tlo_relationships,
            #'labelAnchors': labelAnchors,
            #'labelAnchorLinks': labelAnchorLinks,
           }