def send_event(self, topic, payload):
if not topic:
raise Exception(f'Error in {demisto.command()} topic field is required')
event = Event(topic)
event.payload = str(payload).encode()
self.client.send_event(event)
def lookupIP(ip, dxlif):
try:
v = IP(ip).version()
except:
return
if v == 4 or v == 6:
try:
print("Looking up: %s" % ip)
d = pynfdump.Dumper("/data/nfsen/profiles-data",
profile='live',
sources=['local'])
d.set_where(start=time.strftime("%Y-%m-%d"),
end=time.strftime("%Y-%m-%d %H:%M"))
records = d.search("src ip %s" % ip, aggregate=['dstip'])
tgt = []
for r in records:
if r['dstip'] not in tgt:
tgt.append(r['dstip'])
if len(tgt) > 0:
for t in tgt:
evtstr = '/feed/compromised/ipv' + str(IP(t).version())
evt = Event(evtstr)
evt.payload = str(t).encode()
dxlif.send_event(evt)
print("Event emitted topic: %s content: %s" %
(evtstr, str(t)))
except Exception as e:
print("Exception while processing %s: %s" % (ip, str(e)))
return
def _process_zeromq_misp_messages(self):
"""
Poll for MISP ZeroMQ notifications. On receipt of a notification,
send a corresponding event to the DXL fabric.
"""
while not self.__destroyed:
try:
socks = dict(self._zeromq_poller.poll(timeout=None))
# A ZMQError could be raised if the socket is shut down while
# blocked in a poll.
except zmq.ZMQError:
socks = {}
if self._zeromq_misp_sub_socket in socks and \
socks[self._zeromq_misp_sub_socket] == zmq.POLLIN:
message = self._zeromq_misp_sub_socket.recv_string()
topic, _, payload = message.partition(" ")
logger.debug("Received notification for %s", topic)
full_event_topic = "{}{}/{}".format(
self._ZEROMQ_NOTIFICATIONS_EVENT_TOPIC,
"/{}".format(self._service_unique_id)
if self._service_unique_id else "", topic)
event = Event(full_event_topic)
logger.debug("Forwarding notification to %s ...",
full_event_topic)
event.payload = payload
self.client.send_event(event)
def post_receive(self, alert: 'Alert') -> Optional['Alert']:
try:
event = Event(DXL_PUB_TOPIC)
event.payload = json.dumps(alert.get_body(history=False))
LOG.info('broadcasting alert %s', alert.id)
self.dxl_client.send_event(event)
except BaseException as e:
LOG.exception('failed to broadcast alert: %s', str(e))
raise RuntimeError('failed to broadcast alert: ' + str(e))
def run(self, params={}):
topic = params.get('topic')
event_message = params.get('event_message')
event = Event(topic)
event.payload = event_message.encode()
with DxlClient(self.connection.config) as dxl_client:
# Connect to the fabric
dxl_client.connect()
dxl_client.send_event(event)
return {'success': True}
def sendData(data):
try:
v = IP(data).version()
except Exception as e:
print("Error in '%s': %s" % (data, str(e)))
return
if v == 4:
evt = Event('/feed/bad/ipv4')
if v == 6:
evt = Event('/feed/bad/ipv6')
evt.payload = str(data).encode()
client.send_event(evt)
def main(argv): TOPIC_DESTINATION = '/events/syslog' TYPE_PAYLOAD = 'syslog' PAYLOAD = sys.argv[1] DXL_MESSAGE['SRC_HOST'] = IP DXL_MESSAGE['TYPE_PAYLOAD'] = TYPE_PAYLOAD DXL_MESSAGE['PAYLOAD'] = PAYLOAD with DxlClient(config) as client: client.connect() event = Event(TOPIC_DESTINATION) event.payload = str(json.dumps(DXL_MESSAGE)).encode() client.send_event(event)
def sendMessage(msgType=1):
# Record the start time
start = int(time.time())
# Create the event
event = Event(eventTopic)
if msgType == 1:
# Set the payload
event_dict = {}
#event type 1 is a standard chat message
event_dict['type'] = 1
event_dict['message'] = chatWin.getEntry("qcMessage")
event_dict['time'] = str(int(time.time()))
event_dict['user'] = username
event_dict['UID'] = UID
#cleanup the form
chatWin.clearEntry("qcMessage")
elif msgType == 2:
logger.info("Sending Ping")
# set the payload
event_dict = {}
#event type 2 is a user notification message
event_dict['type'] = 2
event_dict['time'] = str(int(time.time()))
event_dict['user'] = username
event_dict['UID'] = UID
elif msgType == 3:
logger.info("Sending Ping Request")
# set the payload
event_dict = {}
#event type 3 is a broadcast ping request
event_dict['type'] = 3
elif msgType == 4:
logger.info("Sending bye")
# set the payload
event_dict = {}
#event type 4 is a user GoodBye message
event_dict['type'] = 4
event_dict['time'] = str(int(time.time()))
event_dict['user'] = username
event_dict['UID'] = UID
event.payload = json.dumps(event_dict).encode()
# Send the event
client.send_event(event)
def sendMessage(self,
topic="/dsa/dxl/test/event2",
message="Default message"):
if not self.isConnected():
raise DxlJythonException(1200, "Not connected to a OpenDXL broker")
try:
event = Event(topic)
# Encode string payload as UTF-8
event.payload = message.encode()
# Send event on DXL
logger.info("Sending '" + message + "' to '" + topic + "'")
self.client.send_event(event)
return "Event successfully posted to topic '%s'" % topic
except Exception as e:
logger.info("Exception: " + e.message)
raise DxlJythonException(
1010, "Unable to communicate with a DXL broker")
def main(argv):
TOPIC_DESTINATION = ''
TYPE_PAYLOAD = ''
PAYLOAD = ''
help = 'python ' + sys.argv[
0] + ' -t <topic destination> -k <type of payload> -p <payload>'
try:
opts, args = getopt.getopt(argv, "ht:k:p:",
["topic=", "typepayload=", "payload="])
except getopt.GetoptError:
print help
sys.exit(1)
for opt, arg in opts:
if opt == '-h':
print help
sys.exit(1)
elif opt in ("-t", "--topic"):
TOPIC_DESTINATION = arg
elif opt in ("-k", "--typepayload"):
TYPE_PAYLOAD = arg
elif opt in ("-p", "--payload"):
PAYLOAD = arg
if (TOPIC_DESTINATION != '' and PAYLOAD != ''):
DXL_MESSAGE['SRC_HOST'] = IP
DXL_MESSAGE['TYPE_PAYLOAD'] = TYPE_PAYLOAD
DXL_MESSAGE['PAYLOAD'] = PAYLOAD
with DxlClient(config) as client:
client.connect()
event = Event(TOPIC_DESTINATION)
event.payload = str(json.dumps(DXL_MESSAGE)).encode()
client.send_event(event)
else:
print help
sys.exit(1)
def _process_zeromq_misp_messages(self):
"""
Poll for MISP ZeroMQ notifications. On receipt of a notification,
send a corresponding event to the DXL fabric.
"""
while not self.__destroyed:
try:
socks = dict(self._zeromq_poller.poll(timeout=None))
# A ZMQError could be raised if the socket is shut down while
# blocked in a poll.
except zmq.ZMQError:
socks = {}
if self._zeromq_misp_sub_socket in socks and \
socks[self._zeromq_misp_sub_socket] == zmq.POLLIN:
message = self._zeromq_misp_sub_socket.recv_string()
topic, _, payload = message.partition(" ")
logger.debug("Received notification for %s", topic)
# ZeroMQ will deliver notifications for any topic which starts
# with the subscribed topic name. Events should only be
# forwarded only to the DXL fabric for messages whose topic
# exactly matches an entry in the DXL service configuration
# file. For example, if the DXL service configuration file
# includes only the topic "misp_json", the ZeroMQ socket would
# provide messages with a topic of either "misp_json" or
# "misp_json_self" to the ZeroMQ subscriber. Only messages with
# a topic of "misp_json" (not "misp_json_self") should be
# forwarded to the DXL fabric.
if topic in self._zeromq_notification_topics:
full_event_topic = "{}{}/{}".format(
self._ZEROMQ_NOTIFICATIONS_EVENT_TOPIC,
"/{}".format(self._service_unique_id)
if self._service_unique_id else "", topic)
event = Event(full_event_topic)
logger.debug("Forwarding notification to %s ...",
full_event_topic)
event.payload = payload
self.client.send_event(event)
def on_dxl_connect(self):
"""
Invoked after the client associated with the application has connected
to the DXL fabric.
"""
logger.info("On 'DXL connect' callback.")
fileRead = open(self._log_location, 'r')
stResults = os.stat(self._log_location)
stSize = stResults[6]
fileRead.seek(stSize)
event = Event(self.VOR_TOPIC)
while 1:
where = fileRead.tell()
line = fileRead.readline()
if not line:
time.sleep(self._log_check_interval)
fileRead.seek(where)
else:
if line.find("vee-fs:") != -1 and line.find("[ALARM]") != -1:
#print("Line: |{}|".format(line.strip()))
parsedLog = self._parse_vor_log(line)
#line_parsed = {"Policy": parsedLog[0], "User": parsedLog[1], "Process": parsedLog[2], "Action": parsedLog[3], "Res": parsedLog[4]}
line_parsed = '{ "Policy":"' + parsedLog[
0] + '", "User":"******", "Process":"' + parsedLog[
2] + '", "Action":"' + parsedLog[
3] + '", "Resource":"' + parsedLog[4] + '"}'
#line_parsed = '{Policy: ' + parsedLog[0] + ',' + 'User: '******','
print("Line Parsed: {}".format(line_parsed))
event.payload = (line_parsed)
self.client.send_event(event)
event_count[0] += 1
# Notify that the count was increment
event_count_condition.notify_all()
# Register the callback with the client
client.add_event_callback(EVENT_TOPIC, MyEventCallback())
#
# Send events
#
# Record the start time
start = time.time()
# Loop and send the events
for event_id in range(TOTAL_EVENTS):
# Create the event
event = Event(EVENT_TOPIC)
# Set the payload
event.payload = str(event_id).encode()
# Send the event
client.send_event(event)
# Wait until all events have been received
print "Waiting for events to be received..."
with event_count_condition:
while event_count[0] < TOTAL_EVENTS:
event_count_condition.wait()
# Print the elapsed time
print "Elapsed time (ms): " + str((time.time() - start) * 1000)
brokerString = "ssl://{}".format(aws_machine.ip)
action = "publish_event"
topic = "/mcafee/client/controlevent"
config = DxlClientConfig(broker_ca_bundle=brokerCaBundle,
cert_file=certFile,
private_key=privateKey,
brokers=[Broker.parse(brokerString)])
with DxlClient(config) as dxl_client:
# Connect to the fabric
dxl_client.connect()
if dxl_client.connected:
print "Connected ... \n"
else:
print "Not Connected ... \n"
sleepTime = 1
rb = os.urandom(100)
event = Event(str(topic))
event.payload = rb
print "payload={}".format(rb)
topic.encode('ascii', 'ignore')
dxl_client.send_event(event)
# Connect to the fabric
dxl_client.disconnect()
if dxl_client.connected:
print "Connected ... \n"
else:
print "Not Connected ... \n"
logger.info("PCE received payload: %s", request.payload.decode())
collection_requests.append(request)
# Prepare service registration information
info = ServiceRegistrationInfo(client, "/scap/pce" + PCE_ID)
info.add_topic(SERVICE_PCE_REQUEST_TOPIC, PCERequestCallback())
# Connect to the message fabric and add a listener for registration events
client.connect()
client.register_service_sync(info, 10)
# Register PCE by sending registration event to the collector/PCX
event = Event(EVENT_PCE_REGISTRATION_TOPIC)
rm = RegistrationMessage(PCE_ID, "", "", ASSET, MAKE, MODEL, "", "", "",
"", "", SUPPORTED_CHECK_TYPES)
event.payload = (rm.to_json()).encode()
logger.info("Sending registration event: %s", rm.to_s())
client.send_event(event)
# Wait forever
while True:
# Process all collection requests that were received
while collection_requests:
request = collection_requests.pop()
response = Response(request)
# Cancel assessment if a cancel request. Otherwise,
# perform the assessment
if re.search("cancel_.*", request.payload.decode()):
transaction_id = request.payload.decode().split("_")[1]
logger.info("Canceling assessment " + transaction_id)
def main(argv):
# parse the args
arg_parser = create_arg_parser()
args = arg_parser.parse_args()
# set logging level
set_logging_level(logger, args.loglevel)
# configure local logger for requests (Urllib3) and set its level
set_logging_level(logging.getLogger("urllib3"), args.loglevel)
# read cfg file
try:
config = ConfigObj(args.configfile, raise_errors=True, file_error=True)
except:
# TODO - enhance error handling here
logger.error("Could not parse config file!")
exit(1)
#
# get token
#
# TODO - handle HTTPS nicely
urllib3.disable_warnings()
token = get_staxx_token(config['STAXX']['Address'],
config['STAXX']['Port'], config['STAXX']['User'],
config['STAXX']['Password'])
if not token:
logger.error("Exiting...")
exit(1)
#
# DXL initialization
#
# TODO - enhance error handling here
if not args.dryrun:
# DxlClientConfig from DXL configuration file
logger.info("Loading DXL config from: %s", config['DXL']['Config'])
dxl_config = DxlClientConfig.create_dxl_config_from_file(
config['DXL']['Config'])
#
# build the topics
#
obs_types = config['Observable Types']
logger.debug("Observable types: %s", obs_types)
obs_topics = config['Observable Topics']
#
# timed loop (synchronous "obs export / msg publish")
#
while True:
#
# export observables into JSON object
#
req_error, json_obs = get_staxx_observables(config['STAXX']['Address'],
config['STAXX']['Port'],
token, args.filter_query)
if req_error:
logger.error("Failure exporting observables.")
if not args.singleshot:
logger.info("Sleeping until next polling cycle...\n")
time.sleep(args.time)
logger.info("New polling cycle.")
continue
if json_obs:
logger.info(
"{0} observable(s) exported from Anomali STAXX.".format(
len(json_obs)))
if args.pprint:
logger.info("Printing observables to STDOUT...")
print json.dumps(json_obs, indent=2, sort_keys=False)
if not args.dryrun:
#
# Connect to DXL and publish the observables as events
#
try:
with DxlClient(dxl_config) as dxl_client:
# Connect to DXL Broker
logger.info("Connecting to DXL broker...")
dxl_client.connect()
# TODO - handle possible connection errors
logger.info(
"Filtering observables and publishing events...")
count = 0
for ob in json_obs:
key = is_observable_type_listed(
obs_types, ob['itype'])
if key:
count += 1
logger.debug(
"Publishing message for observable (itype: %s, topic: %s).",
ob['itype'], obs_topics[key])
dxl_event = Event(obs_topics[key])
payload_str = json.dumps(ob)
logger.debug("Msg payload: %s", payload_str)
dxl_event.payload = str(payload_str).encode()
dxl_client.send_event(dxl_event)
else:
logger.info(
"Observable not published (itype: %s not listed).",
ob['itype'])
logger.info("%s event(s) published to DXL fabric.",
count)
except Exception as e:
logger.error(
"Could not initialize OpenDXL client ({0}).".format(
e.message))
exit(1)
else:
logger.info("No observable exported from Anomali STAXX.")
# wait for next cycle (if not single shot mode)
if args.singleshot:
logger.info("Exiting (single shot mode).")
exit(0)
else:
logger.info("Sleeping until next polling cycle...\n")
time.sleep(float(args.time))
logger.info("New polling cycle.")
#[CONFIG OPTIONS]#
CONFIG_FILE = "/usr/local/etc/opendxl/dxlclient.config"
CABINET = "LV|R9"
button = mraa.Gpio(3)
EVENT_TOPIC = "/open/threat/physical/DC/cabinets"
config = DxlClientConfig.create_dxl_config_from_file(CONFIG_FILE)
previousstate = ''
messagepayload = {}
with DxlClient(config) as client:
client.connect()
event = Event(EVENT_TOPIC)
while True:
if (button.read() == 0):
currentstate = 0
else:
currentstate = 1
if (currentstate != previousstate):
messagepayload['timestamp'] = datetime.datetime.fromtimestamp(time.time()).strftime('%Y-%m-%d %H:%M:%S')
messagepayload['location'] = CABINET
if (currentstate == 0):
messagepayload['alert'] = "Cabinet Opened!"
event.payload = messagepayload
else:
messagepayload['alert'] = "Cabinet Closed!"
event.payload = messagepayload
client.send_event(event)
previousstate = currentstate
time.sleep(1) #will wait 1 second between evaluating state changes.
def publish(self, topic, payload=None, qos=0, retain=False):
event = Event(topic)
event.payload = payload
self.dxl_client.send_event(event)
import os
import sys
from dxlclient.client import DxlClient
from dxlclient.client_config import DxlClientConfig
from dxlclient.message import Event
EVENT_TOPIC = str(msg['topic']).encode()
CONFIG_FILE = "../dxlclient.config"
config = DxlClientConfig.create_dxl_config_from_file(CONFIG_FILE)
with DxlClient(config) as client:
client.connect()
event = Event(EVENT_TOPIC)
event.payload = str(msg['payload']).encode()
client.send_event(event)
# node.send(msg)
return msg
def sendMessage(self, payload):
event = Event(self.topic)
event.payload = str(payload).encode()
self.client.send_event(event)
print " Enter 9 to quit"
input = raw_input(" Enter value: ")
try:
option = int(input)
except:
option = input
# Option: DXL Event
if option == 1:
# Create the Event
logger.info("Event Publisher - Creating Event for Topic %s", EVENT_TOPIC)
event = Event(EVENT_TOPIC)
# Encode string payload as UTF-8
event.payload = "Sample Event Payload".encode()
# Publish the Event to the DXL Fabric on the Topic
logger.info("Event Publisher - Publishing Event to %s", EVENT_TOPIC)
client.send_event(event)
# Option: Exit the loop
elif option == 9:
break
# Invalid input
else:
logger.info("Event Publisher - Invalid input: %s", option)
# End Prompt Loop
except Exception as e:
def send_event(topic, m):
event = Event(topic)
event.payload = m.encode()
client.send_event(event)
def run(self, results):
"""
Sends Cuckoo report as a DXL event on a DXL Fabric.
@param results: Cuckoo results dict.
@raise CuckooReportError: if fails to send Cuckoo report as a DXL event.
"""
try:
# Diction of data to send out as the report on DXL
report_dict = {}
if self.options.get("send_compressed_event", False):
# Convert results to JSON string
report_json_string = json.dumps(
results,
default=serialize_datetime_objects,
indent=self.options.indent,
encoding="UTF-8")
# Compress the Cuckoo results
zlib_obj = zlib.compressobj(-1, zlib.DEFLATED, 31)
compressed_report_data = zlib_obj.compress(
report_json_string) + zlib_obj.flush()
# Create the DXL Event for zipped data
zipped_event = Event(CUCKOO_ZIP_EVENT_TOPIC)
# Set the payload to be the compressed Cuckoo report analysis
zipped_event.payload = compressed_report_data
# Publish the full zipped reported if the payload size is smaller than the maximum configured size.
if sys.getsizeof(zipped_event.payload) <= self.options.get(
"compressed_event_max_size", 512000):
log.info(
"Publishing full zipped report to DXL on topic %s",
CUCKOO_ZIP_EVENT_TOPIC)
cuckoo_dxl_client.client.send_event(zipped_event)
else:
log.info(
"Report too large. Not publishing zipped report to DXL."
)
# Add the info and target entries from the Cuckoo results
report_dict[INFO_REPORT_KEY] = results.get(INFO_REPORT_KEY, {})
report_dict[TARGET_REPORT_KEY] = results.get(TARGET_REPORT_KEY, {})
# Add items listed from the "items_to_include_in_report" setting in the report.conf to the report
items_to_include_in_report = self.options.get(
"items_to_include_in_report")
if items_to_include_in_report is not None:
# Get rid of any white space characters in the items_to_include_in_report string
items_to_include_in_report = re.sub(
r"\s+", "", items_to_include_in_report)
# Loop over list of items to include
for report_include_item in items_to_include_in_report.split(
","):
if not report_include_item:
log.warn(
"items_to_include_in_report includes an emtpy item."
)
continue
# Separate report_include_item in to sub items
sub_sections_list = report_include_item.split(".")
# Find the value in the Cuckoo results dictionary
sub_section_value = reduce(sub_level_getter,
sub_sections_list, results)
if sub_section_value is NOT_FOUND_OBJ:
log.warn(report_include_item +
" is not found in the Cuckoo report.")
continue
# Create all of the sub item levels in the results reports dictionary
result_sub_section = reduce(create_and_get_sub_level,
sub_sections_list[0:-1],
report_dict)
# Add the value found in the Cuckoo results
result_sub_section.update(
{sub_sections_list[-1]: sub_section_value})
# Create the DXL Event
report_event = Event(CUCKOO_REPORT_EVENT_TOPIC)
# Set event payload to be the JSON of the results report dictionary
report_event.payload = json.dumps(
report_dict,
default=serialize_datetime_objects).encode("UTF-8")
# Publish the Event to the DXL Fabric
log.info("Publishing Cuckoo report to DXL on topic %s",
CUCKOO_REPORT_EVENT_TOPIC)
cuckoo_dxl_client.client.send_event(report_event)
except Exception as ex:
log.exception("Error sending Cuckoo report out as a DXL event.")
raise CuckooReportError(
"Failed to send Cuckoo report as a DXL event: %s" % ex)