def set_rep(self, filename, level, md5, sha1, sha256, sandbox): try: with DxlClient(self.config) as client: client.connect() tie_client = TieClient(client) # multi-sandbox support: merge results if some are already available existing_reputation = tie_client.get_file_reputation( {HashType.SHA256: sha256}) if existing_reputation and FileProvider.EXTERNAL in existing_reputation: logging.info( "A external reputation verdict has been already present for the sample, will merge the results" ) if (level != 0 and level < existing_reputation[ FileProvider.EXTERNAL]["trustLevel"]): self._set_reputation(tie_client, filename, level, md5, sha1, sha256, sandbox) else: logging.info( "New reputation level was higher than what is already present" ) else: self._set_reputation(tie_client, filename, level, md5, sha1, sha256, sandbox) except Exception as e: logging.error( "ERROR setting the reputation in TIE for SHA256 %s using sandbox %s: %s", str(sha256), sandbox, e, )
def _lookup_hash(self, event, *args, **kwargs): artifact_type = event.artifact["type"] artifact_value = event.artifact["value"] LOG.debug("_lookup_hash started for Artifact Type {0} - Artifact Value {1}".format( artifact_type, artifact_value)) tie_client = TieClient(self.client) if artifact_type == "hash.md5": resilient_hash = {HashType.MD5: artifact_value} elif artifact_type == "hash.sha1": resilient_hash = {HashType.SHA1: artifact_value} elif artifact_type == "hash.sha256": resilient_hash = {HashType.SHA256: artifact_value} else: raise ValueError("Something went wrong setting the hash value") reputations_dict = \ tie_client.get_file_reputation( resilient_hash ) hits = self._query_mcafee_tie(reputations_dict) yield hits
def setTieReputation(self, payload): tie_client = TieClient(self.client) hashes = { HashType.MD5: payload['fileMD5'], HashType.SHA1: payload['fileSHA1'], HashType.SHA256: payload['fileSHA256'] } reputations_dict = tie_client.get_file_reputation(hashes) has_definitive_reputation = \ any([rep[ReputationProp.TRUST_LEVEL] != TrustLevel.NOT_SET and rep[ReputationProp.TRUST_LEVEL] != TrustLevel.UNKNOWN and rep[ReputationProp.PROVIDER_ID] != FileProvider.EXTERNAL for rep in reputations_dict.values()]) if not has_definitive_reputation: try: tie_client.set_external_file_reputation( TrustLevel.MIGHT_BE_TRUSTED, hashes, file_type=payload['filetype'], filename=payload['filename'], comment=payload['comment'] ) except ValueError as e: pass
def getTieRep(md5, sha1, sha256): with DxlClient(config) as client: # Connect to the fabric client.connect() # Create the McAfee Threat Intelligence Exchange (TIE) client tie_client = TieClient(client) myGetHashes = hashMe(md5, sha1, sha256) reputations_dict = tie_client.get_file_reputation(myGetHashes) client.disconnect() #myReturnVal = json.dumps(reputations_dict, sort_keys=True, indent=4, separators=(',', ': ')) + "\n" return reputations_dict
def file(hash): config = get_client_config() with DxlClient(config) as client: client.connect() # Create the McAfee Threat Intelligence Exchange (TIE) client tie_client = TieClient(client) hash_type = get_hash_type(hash) hash_type_key = HASH_TYPE_KEYS.get(hash_type) if not hash_type_key: return create_error_entry('file argument must be sha1(40 charecters) or sha256(64 charecters) or md5(32 charecters)') hash_param = {} hash_param[hash_type_key] = hash res = tie_client.get_file_reputation(hash_param) reputations = res.values() table = reputations_to_table(reputations) # creaet context context_file = {} hash_type_uppercase = hash_type.upper() tl_score = get_thrust_level_and_score(reputations) context_file[hash_type_uppercase] = hash context_file['TrustLevel'] = tl_score['trust_level'] context_file['Vendor'] = tl_score['vendor'] dbot_score = {'Indicator': hash, 'Type': 'hash', 'Vendor': tl_score['vendor'], 'Score': tl_score['score']} if tl_score['score'] >= 2: context_file['Malicious'] = { 'Vendor': tl_score['vendor'], 'Score': tl_score['score'], 'Description': 'Trust level is ' + str(tl_score['trust_level']) } ec = { 'DBotScore': dbot_score } ec[outputPaths['file']] = context_file return { 'Type': entryTypes['note'], 'ContentsFormat': formats['json'], 'Contents': reputations, 'ReadableContentsFormat': formats['markdown'], 'HumanReadable': tableToMarkdown('McAfee TIE Hash Reputations For %s:' % (hash,), table), 'EntryContext': ec }
def doReputation(btn): global hashType strHash = str(chatWin.getEntry("TIE_Hash")) logger.info("Getting reputation data for {0}.".format(str(strHash))) #Get all TIE based reputation data associated with a given hash tie_client = TieClient(client) reputations_dict = {} #Request raw json reputation results if hashType == "md5": reputations_dict = tie_client.get_file_reputation( {HashType.MD5: strHash}) elif hashType == "sha1": reputations_dict = tie_client.get_file_reputation( {HashType.SHA1: strHash}) elif hashType == "sha256": reputations_dict = tie_client.get_file_reputation( {HashType.SHA256: strHash}) #debug logger.info( "Raw TIE results for hash type " + hashType + ": " + json.dumps( reputations_dict, sort_keys=True, indent=4, separators=(',', ': '))) #Start building repputation output for writing to the results TextArea strResults = parseTIEResults(reputations_dict) #chatWin.setTextArea("TIEResults", json.dumps(reputations_dict, sort_keys=True, indent=4, separators= (',', ': ')), False) chatWin.setTextArea("HashResults", strResults, False) return True
# Create the client with DxlClient(config) as client: # Connect to the fabric client.connect() # Create the McAfee Threat Intelligence Exchange (TIE) client tie_client = TieClient(client) # # Perform the file reputation query # reputations_dict = \ tie_client.get_file_reputation({ HashType.MD5: FILE_MD5, HashType.SHA1: FILE_SHA1, HashType.SHA256: FILE_SHA256 }) print("File reputation response:") # Display the Global Threat Intelligence (GTI) trust level for the file if FileProvider.GTI in reputations_dict: gti_rep = reputations_dict[FileProvider.GTI] print("\tGlobal Threat Intelligence (GTI) trust level: " + \ str(gti_rep[ReputationProp.TRUST_LEVEL])) # Display the Enterprise reputation information if FileProvider.ENTERPRISE in reputations_dict: ent_rep = reputations_dict[FileProvider.ENTERPRISE]
def set_reputation(dxl_config_file, ioc_list, force): # Create DXL configuration from file config = DxlClientConfig.create_dxl_config_from_file(dxl_config_file) # Create the client with DxlClient(config) as client: # Connect to the fabric client.connect() # Create the McAfee Threat Intelligence Exchange (TIE) client tie_client = TieClient(client) # # Hashes for the file whose reputation will be set. # # Replace the random values for the actual file hashes. # ioc_set = 0 ioc_error = 0 ioc_exist = 0 ioc_total = 0 for ioc in ioc_list: fileSHA1 = ioc["sha1"] fileSHA256 = ioc["sha256"] fileMD5 = ioc["md5"] hashes = { HashType.MD5: fileMD5, HashType.SHA1: fileSHA1, HashType.SHA256: fileSHA256 } file_name = ioc["file_name"] file_comment = ioc["file_comment"] try: reputation = REPUTATION_VALUES[ioc["reputation"]] except Exception as er: logger.error( "Error getting reputation value, for entry %s check spelling" % file_name) continue # # Request reputation for the file # reputations_dict = tie_client.get_file_reputation(hashes) # # Check if there's any definitive reputation (different to Not Set [0] and Unknown [50]) # has_definitive_reputation = \ any([rep[ReputationProp.TRUST_LEVEL] != TrustLevel.NOT_SET and rep[ReputationProp.TRUST_LEVEL] != TrustLevel.UNKNOWN for rep in reputations_dict.values()]) # # If there's a definitive reputation and we are not forcing the reputation aplication # Skip the application # if has_definitive_reputation and force == False: logger.info( "Information: There is a reputation from another provider for the file %s, External Reputation is not necessary." % file_name) ioc_exist = ioc_exist + 1 else: # # Set the External reputation # try: logger.debug("Reputation %s" % reputation) logger.debug("hashes %s" % hashes) logger.debug("filename %s" % file_name) logger.debug("comment %s" % file_comment) tie_client.set_file_reputation( reputation, hashes, #FileType.PEEXE, filename=file_name, comment=file_comment) logger.info( "Information: IoC %s sent to Threat Intelligence Exchange Database" % file_name) ioc_set = ioc_set + 1 except ValueError as e: logger.error( "Error sending IoC %s to Threat Intelligence Exchange Database" % file_name) ioc_error = ioc_error + 1 ioc_total = ioc_total + 1 ioc_procesed = { "total_ioc_processed": ioc_total, "ioc_set": ioc_set, "ioc_exist": ioc_exist, "ioc_error": ioc_error } return (ioc_procesed)
def run(self, results): """Writes report. @param results: Cuckoo results dict. @raise CuckooReportError: if fails to write report. """ try: currentMD5 = results["target"]["file"]["md5"] currentSHA1 = results["target"]["file"]["sha1"] currentSHA256 = results["target"]["file"]["sha256"] currentFilename = results["target"]["file"]["name"] currentTrustLevel = results["info"]["score"] print currentMD5 print currentSHA1 print currentSHA256 print currentFilename print currentTrustLevel if float(currentTrustLevel) < 4.0: print "Trust Level is " + str( currentTrustLevel) + ". No update required." return print "Opening DXL connection" with DxlClient(config) as client: #Connect to DXL fabric print "Connecting to DXL fabric." client.connect() #Create TIE Client print "Connecting to TIE." tie_client = TieClient(client) print "Trust Level is " + str( currentTrustLevel) + ". Updating TIE." reputations_dict = \ tie_client.get_file_reputation({ HashType.MD5: currentMD5, HashType.SHA1: currentSHA1, HashType.SHA256: currentSHA256 }) print reputations_dict #Check if there is an enterprise (custom set) reputation if (reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.NOT_SET or \ reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.UNKNOWN or \ reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.MIGHT_BE_TRUSTED or \ reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.MOST_LIKELY_TRUSTED): print "Current Trust Level is" + str(reputations_dict[ FileProvider.ENTERPRISE]["trustLevel"]) #also, let's make sure GTI trustLevels are either not being queried, or set to Unknown #we are nesting for clarity if (FileProvider.GTI not in reputations_dict.keys() or reputations_dict[FileProvider.GTI] == TrustLevel.UNKNOWN): print "GTI either does not exist or set to UNKNOWN" # If not set, go ahead and set it tie_client.set_file_reputation( TrustLevel.MOST_LIKELY_MALICIOUS, { HashType.MD5: currentMD5, HashType.SHA1: currentSHA1, HashType.SHA256: currentSHA256 }, filename=currentFilename, comment= "Reputation set via OpenDXL Cuckoo Integration. Cuckoo scored this sample a " + str(currentTrustLevel) + " out of 10.") print "Reputation set for: " + str( currentFilename) + ": " + currentMD5 except (TypeError, IOError) as e: raise CuckooReportError("Failed to update TIE with results: %s" % e)
for fileKey in WFResult: #unset reusables reputations_dict = None currentMD5 = None currentSHA256 = None currentFilename = None currentTrustLevel = None currentMD5= WFResult[fileKey]['md5'] currentSHA256=WFResult[fileKey]['sha256'] currentFilename=WFResult[fileKey]['filename'] currentTrustLevel=WFResult[fileKey]['trustlevel'] reputations_dict = \ tie_client.get_file_reputation({ HashType.MD5: currentMD5, HashType.SHA256: currentSHA256 }) #Check if there is an enterprise (custom set) reputation if (reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.NOT_SET and \ reputations_dict[FileProvider.GTI]["trustLevel"]==TrustLevel.NOT_SET) or \ reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.UNKNOWN or \ reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.MIGHT_BE_TRUSTED or \ reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.MOST_LIKELY_TRUSTED: # If not set, go ahead and set it tie_client.set_file_reputation( currentTrustLevel, { HashType.MD5: currentMD5, HashType.SHA256: currentSHA256}, filename=currentFilename,
class FunctionComponent(ResilientComponent): """Component that implements Resilient function 'mcafee_tie_search_hash""" config_file = "dxlclient_config" def __init__(self, opts): """constructor provides access to the configuration options""" super(FunctionComponent, self).__init__(opts) try: config = opts.get("fn_mcafee_tie").get(self.config_file) if config is None: LOG.error(self.config_file + " is not set. You must set this path to run this function") raise ValueError(self.config_file + " is not set. You must set this path to run this function") LOG.info("Using %s to create configuration for DxlClient", config) # Create configuration from file for DxlClient self.config = DxlClientConfig.create_dxl_config_from_file(config) except AttributeError: LOG.error("There is no [fn_mcafee_tie] section in the config file, " "please set that by running resilient-circuits config -u") raise AttributeError("[fn_mcafee_tie] section is not set in the config file") self.client = DxlClient(self.config) self._connect_client() def _connect_client(self): # Connect client if not self.client.connected: self.client.connect() self.tie_client = TieClient(self.client) @handler("reload") def _reload(self, event, opts): """Configuration options have changed, save new values""" self.options = opts.get("fn_mcafee_tie", {}) @function("mcafee_tie_search_hash") def _mcafee_tie_search_hash_function(self, event, *args, **kwargs): """Function: """ yield StatusMessage("Searching Hash...") try: response_dict = {} # Get the function parameters: mcafee_tie_hash_type = kwargs.get("mcafee_tie_hash_type") # text if not mcafee_tie_hash_type: yield FunctionError("mcafee_tie_hash_type is required") mcafee_tie_hash = kwargs.get("mcafee_tie_hash") # text if not mcafee_tie_hash: yield FunctionError("mcafee_tie_hash is required") LOG.debug("_lookup_hash started for Artifact Type {0} - Artifact Value {1}".format( mcafee_tie_hash_type, mcafee_tie_hash)) if mcafee_tie_hash_type == "md5": resilient_hash = {HashType.MD5: mcafee_tie_hash} elif mcafee_tie_hash_type == "sha1": resilient_hash = {HashType.SHA1: mcafee_tie_hash} elif mcafee_tie_hash_type == "sha256": resilient_hash = {HashType.SHA256: mcafee_tie_hash} else: yield FunctionError("Something went wrong setting the hash value") # Make sure client is connected self._connect_client() reputations_dict = \ self.tie_client.get_file_reputation( resilient_hash ) system_list = self.tie_client.get_file_first_references( resilient_hash ) response_dict["Enterprise"] = self._get_enterprise_info(reputations_dict) response_dict["GTI"] = self._get_gti_info(reputations_dict) response_dict["ATD"] = self._get_atd_info(reputations_dict) response_dict["MWG"] = self._get_mwg_info(reputations_dict) response_dict["system_list"] = system_list yield StatusMessage("Done...") # Produce a FunctionResult with the return value yield FunctionResult(response_dict) except Exception as err: yield FunctionError(err) def _get_enterprise_info(self, reputations_dict): ent_dict = {} # Information for Enterprise file provider if FileProvider.ENTERPRISE in reputations_dict: ent_rep = reputations_dict[FileProvider.ENTERPRISE] ent_dict["File Provider"] = "Enterprise" ent_dict["Create Date"] = EpochMixin.to_localtime_string(ent_rep[ReputationProp.CREATE_DATE]) trust_level = self._get_trust_level(ent_rep[ReputationProp.TRUST_LEVEL]) if trust_level: ent_dict["Trust Level"] = trust_level # Retrieve the enterprise reputation attributes if ReputationProp.ATTRIBUTES in ent_rep: ent_rep_attribs = ent_rep[ReputationProp.ATTRIBUTES] attribs_dict = {} if FileEnterpriseAttrib.PREVALENCE in ent_rep_attribs: attribs_dict["Prevalence"] = ent_rep_attribs[FileEnterpriseAttrib.PREVALENCE] if FileEnterpriseAttrib.ENTERPRISE_SIZE in ent_rep_attribs: attribs_dict["Enterprise Size"] = ent_rep_attribs[FileEnterpriseAttrib.ENTERPRISE_SIZE] if FileEnterpriseAttrib.FIRST_CONTACT in ent_rep_attribs: attribs_dict["First Contact"] = FileEnterpriseAttrib.to_localtime_string( ent_rep_attribs[FileEnterpriseAttrib.FIRST_CONTACT]) if FileEnterpriseAttrib.PARENT_AVG_LOCAL_REP in ent_rep_attribs: attribs_dict["Parent Avg Local Rep"] = self._get_trust_level(int(ent_rep_attribs[ FileEnterpriseAttrib.PARENT_AVG_LOCAL_REP])) if FileEnterpriseAttrib.PARENT_FILE_REPS in ent_rep_attribs: attribs_dict["Parent File Reps"] = FileEnterpriseAttrib.to_aggregate_tuple(ent_rep_attribs[ FileEnterpriseAttrib.PARENT_FILE_REPS]) if FileEnterpriseAttrib.CHILD_FILE_REPS in ent_rep_attribs: attribs_dict["Child File Reps"] = FileEnterpriseAttrib.to_aggregate_tuple(ent_rep_attribs[ FileEnterpriseAttrib.CHILD_FILE_REPS]) if FileEnterpriseAttrib.AVG_LOCAL_REP in ent_rep_attribs: attribs_dict["Average Local Rep"] = self._get_trust_level(int(ent_rep_attribs[ FileEnterpriseAttrib.AVG_LOCAL_REP])) if FileEnterpriseAttrib.MAX_LOCAL_REP in ent_rep_attribs: attribs_dict["Max Local Rep"] = self._get_trust_level(int(ent_rep_attribs[ FileEnterpriseAttrib.MAX_LOCAL_REP])) if FileEnterpriseAttrib.MIN_LOCAL_REP in ent_rep_attribs: attribs_dict["Min Local Rep"] = self._get_trust_level(int(ent_rep_attribs[ FileEnterpriseAttrib.MIN_LOCAL_REP])) if FileEnterpriseAttrib.DETECTION_COUNT in ent_rep_attribs: attribs_dict["Detection Count"] = ent_rep_attribs[FileEnterpriseAttrib.DETECTION_COUNT] if FileEnterpriseAttrib.FILE_NAME_COUNT in ent_rep_attribs: attribs_dict["File Name Count"] = ent_rep_attribs[FileEnterpriseAttrib.FILE_NAME_COUNT] if FileEnterpriseAttrib.LAST_DETECTION_TIME in ent_rep_attribs: attribs_dict["Last Detection Time"] = FileEnterpriseAttrib.to_localtime_string( ent_rep_attribs[FileEnterpriseAttrib.FIRST_CONTACT]) if FileEnterpriseAttrib.IS_PREVALENT in ent_rep_attribs: attribs_dict["Is Prevalent"] = ent_rep_attribs[FileEnterpriseAttrib.IS_PREVALENT] if FileEnterpriseAttrib.PARENT_MIN_LOCAL_REP in ent_rep_attribs: attribs_dict["Parent Min Local Rep"] = self._get_trust_level(int(ent_rep_attribs[ FileEnterpriseAttrib.PARENT_MIN_LOCAL_REP])) if FileEnterpriseAttrib.PARENT_MAX_LOCAL_REP in ent_rep_attribs: attribs_dict["Parent Max Local Rep"] = self._get_trust_level(int(ent_rep_attribs[ FileEnterpriseAttrib.PARENT_MAX_LOCAL_REP])) ent_dict["Attributes"] = attribs_dict return ent_dict def _get_gti_info(self, reputations_dict): gti_dict = {} # Information for GTI file provider if FileProvider.GTI in reputations_dict: gti_rep = reputations_dict[FileProvider.GTI] gti_dict["File Provider"] = "GTI" gti_dict["Create Date"] = EpochMixin.to_localtime_string(gti_rep[ReputationProp.CREATE_DATE]) trust_level = self._get_trust_level(gti_rep[ReputationProp.TRUST_LEVEL]) if trust_level: gti_dict["Trust Level"] = trust_level # Retrieve the GTI reputation attributes if ReputationProp.ATTRIBUTES in gti_rep: gti_rep_attribs = gti_rep[ReputationProp.ATTRIBUTES] attribs_dict = {} # Get prevalence (if it exists) if FileGtiAttrib.PREVALENCE in gti_rep_attribs: attribs_dict["Prevalence"] = gti_rep_attribs[FileGtiAttrib.PREVALENCE] # Get First Contact Date (if it exists) if FileGtiAttrib.FIRST_CONTACT in gti_rep_attribs: attribs_dict["First Contact"] = EpochMixin.to_localtime_string(gti_rep_attribs[ FileGtiAttrib.FIRST_CONTACT]) gti_dict["Attributes"] = attribs_dict return gti_dict def _get_atd_info(self, reputations_dict): atd_dict = {} # Information for Advanced Threat Defense file provider if FileProvider.ATD in reputations_dict: atd_rep = reputations_dict[FileProvider.ATD] atd_dict["File Provider"] = "ATD" atd_dict["Create Date"] = EpochMixin.to_localtime_string(atd_rep[ReputationProp.CREATE_DATE]) trust_level = self._get_trust_level(atd_rep[ReputationProp.TRUST_LEVEL]) if trust_level: atd_dict["Trust Level"] = trust_level # Retrieve the ATD reputation attributes if ReputationProp.ATTRIBUTES in atd_rep: atd_rep_attribs = atd_rep[ReputationProp.ATTRIBUTES] attribs_dict = {} # Get Trust scores if AtdAttrib.GAM_SCORE in atd_rep_attribs: attribs_dict["GAM Score"] = self._get_atd_trust_level(atd_rep, AtdAttrib.GAM_SCORE) if AtdAttrib.AV_ENGINE_SCORE in atd_rep_attribs: attribs_dict["AV Engine Score"] = self._get_atd_trust_level(atd_rep, AtdAttrib.AV_ENGINE_SCORE) if AtdAttrib.GAM_SCORE in atd_rep_attribs: attribs_dict["Sandbox Score"] = self._get_atd_trust_level(atd_rep, AtdAttrib.SANDBOX_SCORE) if AtdAttrib.GAM_SCORE in atd_rep_attribs: attribs_dict["Verdict"] = self._get_atd_trust_level(atd_rep, AtdAttrib.VERDICT) if AtdAttrib.BEHAVIORS in atd_rep_attribs: attribs_dict["Behaviors"] = atd_rep_attribs[AtdAttrib.BEHAVIORS] atd_dict["Attributes"] = attribs_dict return atd_dict def _get_mwg_info(self, reputations_dict): mwg_dict = {} # Information for file provider if FileProvider.MWG in reputations_dict: mwg_rep = reputations_dict[FileProvider.MWG] mwg_dict["File Provider"] = "MWG" mwg_dict["Create Date"] = EpochMixin.to_localtime_string(mwg_rep[ReputationProp.CREATE_DATE]) trust_level = self._get_trust_level(mwg_rep[ReputationProp.TRUST_LEVEL]) if trust_level: mwg_dict["Trust Level"] = trust_level return mwg_dict @staticmethod def _get_trust_level(trust_level_number): trust_level = "" if TrustLevel.KNOWN_TRUSTED_INSTALLER is trust_level_number: trust_level = "Known Trusted Installer" elif TrustLevel.KNOWN_TRUSTED is trust_level_number: trust_level = "Known Trusted" elif TrustLevel.MOST_LIKELY_TRUSTED is trust_level_number: trust_level = "Most Likely Trusted" elif TrustLevel.MIGHT_BE_TRUSTED is trust_level_number: trust_level = "Might Be Trusted" elif TrustLevel.UNKNOWN is trust_level_number: trust_level = "Unknown" elif TrustLevel.MIGHT_BE_MALICIOUS is trust_level_number: trust_level = "Might be Malicious" elif TrustLevel.MOST_LIKELY_MALICIOUS is trust_level_number: trust_level = "Most Likely Malicious" elif TrustLevel.KNOWN_MALICIOUS is trust_level_number: trust_level = "Known Malicious" elif TrustLevel.NOT_SET is trust_level_number: trust_level = "Not Set" return trust_level @staticmethod def _get_atd_trust_level(atd_rep, rep_provider): trust_level = "" if AtdTrustLevel.KNOWN_TRUSTED is atd_rep[rep_provider]: trust_level = "Known Trusted" elif AtdTrustLevel.MOST_LIKELY_TRUSTED is atd_rep[rep_provider]: trust_level = "Most Likely Trusted" elif AtdTrustLevel.MIGHT_BE_TRUSTED is atd_rep[rep_provider]: trust_level = "Might Be Trusted" elif AtdTrustLevel.UNKNOWN is atd_rep[rep_provider]: trust_level = "Unknown" elif AtdTrustLevel.MIGHT_BE_MALICIOUS is atd_rep[rep_provider]: trust_level = "Might be Malicious" elif AtdTrustLevel.MOST_LIKELY_MALICIOUS is atd_rep[rep_provider]: trust_level = "Most Likely Malicious" elif AtdTrustLevel.KNOWN_MALICIOUS is atd_rep[rep_provider]: trust_level = "Known Malicious" elif AtdTrustLevel.NOT_SET is atd_rep[rep_provider]: trust_level = "Not Set" return trust_level
tie_client = TieClient(client) # # Hashes for the file whose reputation will be set. # # Replace the random values for the actual file hashes. # hashes = { HashType.MD5: fileMD5, HashType.SHA1: fileSHA1, HashType.SHA256: fileSHA256 } # # Request reputation for the file # reputations_dict = tie_client.get_file_reputation(hashes) # # Check if there's any definitive reputation (different to Not Set [0] and Unknown [50]) # for any provider except for External Provider (providerId=15) # has_definitive_reputation = \ any([rep[ReputationProp.TRUST_LEVEL] != TrustLevel.NOT_SET and rep[ReputationProp.TRUST_LEVEL] != TrustLevel.UNKNOWN and rep[ReputationProp.PROVIDER_ID] != FileProvider.EXTERNAL for rep in reputations_dict.values()]) if has_definitive_reputation: print("Abort: There is a reputation from another provider for the file, " "External Reputation is not necessary.") else: #
# Create the client with DxlClient(config) as client: # Connect to the fabric client.connect() # Create the McAfee Threat Intelligence Exchange (TIE) client tie_client = TieClient(client) # # Request and display reputation for notepad.exe # reputations_dict = \ tie_client.get_file_reputation({ HashType.MD5: "f2c7bb8acc97f92e987a2d4087d021b1", HashType.SHA1: "7eb0139d2175739b3ccb0d1110067820be6abd29", HashType.SHA256: "142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2" }) print("Notepad.exe reputations:") print(MessageUtils.dict_to_json(reputations_dict, True) + "\n") # # Request and display reputation for EICAR # reputations_dict = \ tie_client.get_file_reputation({ HashType.MD5: "44d88612fea8a8f36de82e1278abb02f", HashType.SHA1: "3395856ce81f2b7382dee72602f798b642f14140", HashType.SHA256: "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" }) print("EICAR reputations:")
class TieSample(): def __init__(self, options, dxlclient, reputation_lookup_dict=None): # Create the McAfee Threat Intelligence Exchange (TIE) client self.tie_client = TieClient(dxlclient) # TODO:Refactor this self.reputation_lookup_dict = reputation_lookup_dict if self.reputation_lookup_dict: try: self.filehash = reputation_lookup_dict['md5'] except: try: self.filehash = reputation_lookup_dict['sha1'] except: self.filehash = "unknown" self.reputations_dict = self._getFileRep() else: self.filehash = options.filehash if self.filehash == None: return "no file hash" self.reputations_dict = self._getFileRep() self.content = self._getFileProps() @property def reputations_dict(self): return self._reputations_dict def _getFileRep(self): #TODO: Refactor this if self.reputation_lookup_dict: reputations_dict = self.tie_client.get_file_reputation( self.reputation_lookup_dict) else: if utils.is_sha1(self.filehash): reputations_dict = self.tie_client.get_file_reputation( {HashType.SHA1: self.filehash}) elif utils.is_sha256(self.filehash): reputations_dict = self.tie_client.get_file_reputation( {HashType.SHA256: self.filehash}) elif utils.is_md5(self.filehash): reputations_dict = self.tie_client.get_file_reputation( {HashType.MD5: self.filehash}) else: return "not a valid file hash" return reputations_dict def _getFileProps(self): # Get File Properties and Map with Providers and TIE Score propList = [] fileProps = self.reputations_dict if FileProvider.GTI in fileProps: propDict = {} propDict['provider'] = providerMap[fileProps[FileProvider.GTI] ['providerId']] propDict['reputation'] = tiescoreMap[fileProps[FileProvider.GTI] ['trustLevel']] propDict['createDate'] = fileProps[FileProvider.GTI]['createDate'] propList.append(propDict) if FileProvider.ENTERPRISE in fileProps: propDict = {} propDict['provider'] = providerMap[fileProps[ FileProvider.ENTERPRISE]['providerId']] propDict['reputation'] = tiescoreMap[fileProps[ FileProvider.ENTERPRISE]['trustLevel']] propDict['createDate'] = fileProps[ FileProvider.ENTERPRISE]['createDate'] propList.append(propDict) if FileProvider.ATD in fileProps: propDict = {} propDict['provider'] = providerMap[fileProps[FileProvider.ATD] ['providerId']] propDict['reputation'] = tiescoreMap[fileProps[FileProvider.ATD] ['trustLevel']] propDict['createDate'] = fileProps[FileProvider.ATD]['createDate'] propList.append(propDict) if FileProvider.MWG in fileProps: propDict = {} propDict['provider'] = providerMap[fileProps[FileProvider.MWG] ['providerId']] propDict['reputation'] = tiescoreMap[fileProps[FileProvider.MWG] ['trustLevel']] propDict['createDate'] = fileProps[FileProvider.MWG]['createDate'] propList.append(propDict) return propList #TODO: stupid name.. rename it combined_reputation #INFO: this returns an array 0 is the val 1 is the str def calcRep(self): # Return a Summary Cascade 0-100 Value for Reputation. # OOP: Enterprise -> ATD -> MWG -> GTI #TODO: create property sample.combined_reputation_str #TODO: create property sample.combined_reputation reputations_dict = self.reputations_dict # If there is TIE ENTERPRISE rep, use it, then look at ATD, then GTI. if FileProvider.ENTERPRISE in reputations_dict: ent_rep = reputations_dict[FileProvider.ENTERPRISE] rep = ent_rep[ReputationProp.TRUST_LEVEL] warning_provider = FileProvider.ENTERPRISE if rep == 0: if FileProvider.ATD in reputations_dict: atd_rep = reputations_dict[FileProvider.ATD] rep = atd_rep[ReputationProp.TRUST_LEVEL] warning_provider = FileProvider.ATD if rep == 0: if FileProvider.MWG in reputations_dict: mwg_rep = reputations_dict[FileProvider.MWG] rep = atd_rep[ReputationProp.TRUST_LEVEL] warning_provider = FileProvider.MWG if rep == 0: if FileProvider.GTI in reputations_dict: gti_rep = reputations_dict[FileProvider.GTI] rep = gti_rep[ReputationProp.TRUST_LEVEL] warning_provider = FileProvider.GTI else: if FileProvider.GTI in reputations_dict: gti_rep = reputations_dict[FileProvider.GTI] rep = gti_rep[ReputationProp.TRUST_LEVEL] warning_provider = FileProvider.GTI if rep <= TrustLevel.MOST_LIKELY_TRUSTED: if rep <= TrustLevel.MOST_LIKELY_MALICIOUS: rep_str = "bad" else: if FileProvider.ATD in reputations_dict: rep_str = "medium" else: rep_str = "unknown" else: rep_str = "good" return [rep, rep_str, warning_provider] def tieResponse(self): rtv_string = "File Hash " + self.filehash + " Reputation\n\n" # Format a String Response i = 1 for key in self.content: rtv_string = rtv_string + "Provider: " + key['provider'] + "\n" rtv_string = rtv_string + "Creation Date: " + utils.time_to_str( key['createDate']) + "\n" rtv_string = rtv_string + "Reputation: " + key['reputation'] + "\n" rtv_string += "\n" i += 1 return rtv_string
def run(self): """Runs TIE processing @return: TIE results """ log.info("Processing TIE reputation analysis.") self.key = "tie" timeout = int(self.options.get("timeout", 60)) scan = int(self.options.get("scan", 0)) # Evaluate the original sample against TIE reputation if self.task["category"] == "file": # Create the client with DxlClient(config) as client: # Connect to the fabric client.connect() tie_client = TieClient(client) #Generate relevant hash information md5_hex = File(self.file_path).get_md5() sha1_hex = File(self.file_path).get_sha1() sha256_hex = File(self.file_path).get_sha256() #Request raw json reputation results reputations_dict = \ tie_client.get_file_reputation({ HashType.MD5: md5_hex, HashType.SHA1: sha1_hex, HashType.SHA256: sha256_hex }) #debug log.info("Raw TIE results: " + json.dumps(reputations_dict, sort_keys=True, indent=4, separators=(',', ': '))) #initialize result array and tiekey counter for each result proc_result = {} tiekey = 0 strtiekey = str(tiekey) # Display the Global Threat Intelligence if FileProvider.GTI in reputations_dict: gti_rep = reputations_dict[FileProvider.GTI] proc_result[strtiekey] = {} proc_result[strtiekey][ 'title'] = "Global Threat Intelligence (GTI) Test Date:" proc_result[strtiekey][ 'value'] = EpochMixin.to_localtime_string( gti_rep[ReputationProp.CREATE_DATE]) tiekey += 1 strtiekey = str(tiekey) #Set GTI Trust Level proc_result[strtiekey] = {} proc_result[strtiekey][ 'title'] = "Global Threat Intelligence (GTI) trust level:" trustValue = gti_rep[ReputationProp.TRUST_LEVEL] proc_result[strtiekey]['value'] = self.trustLevel( trustValue) tiekey += 1 strtiekey = str(tiekey) # Display the Enterprise reputation information if FileProvider.ENTERPRISE in reputations_dict: ent_rep = reputations_dict[FileProvider.ENTERPRISE] # Retrieve the enterprise reputation attributes ent_rep_attribs = ent_rep[ReputationProp.ATTRIBUTES] # Display prevalence (if it exists) if FileEnterpriseAttrib.PREVALENCE in ent_rep_attribs: proc_result[strtiekey] = {} proc_result[strtiekey][ 'title'] = "Enterprise prevalence:" proc_result[strtiekey]['value'] = ent_rep_attribs[ FileEnterpriseAttrib.PREVALENCE] tiekey += 1 strtiekey = str(tiekey) # Display first contact date (if it exists) if FileEnterpriseAttrib.FIRST_CONTACT in ent_rep_attribs: proc_result[strtiekey] = {} proc_result[strtiekey]['title'] = "First contact: " proc_result[strtiekey][ 'value'] = FileEnterpriseAttrib.to_localtime_string( ent_rep_attribs[ FileEnterpriseAttrib.FIRST_CONTACT]) tiekey += 1 strtiekey = str(tiekey) #These are lookup conversions for the ATD trust_score valueDict = {} valueDict['-1'] = "Known Trusted" valueDict['0'] = "Most Likely Trusted" valueDict['1'] = "Might Be Trusted" valueDict['2'] = "Unknown" valueDict['3'] = "Might Be Malicious" valueDict['4'] = "Most Likely Malicious" valueDict['5'] = "Known Malicious" valueDict['-2'] = "Not Set" # Display the ATD reputation information if FileProvider.ATD in reputations_dict: atd_rep = reputations_dict[FileProvider.ATD] # Retrieve the ATD reputation attributes atd_rep_attribs = atd_rep[ReputationProp.ATTRIBUTES] proc_result[strtiekey] = {} proc_result[strtiekey]['title'] = "ATD Test Date: " proc_result[strtiekey][ 'value'] = EpochMixin.to_localtime_string( atd_rep[ReputationProp.CREATE_DATE]) tiekey += 1 strtiekey = str(tiekey) # Display GAM Score (if it exists) if AtdAttrib.GAM_SCORE in atd_rep_attribs: proc_result[strtiekey] = {} proc_result[strtiekey][ 'title'] = "ATD Gateway AntiMalware Score: " proc_result[strtiekey]['value'] = valueDict[ atd_rep_attribs[AtdAttrib.GAM_SCORE]] tiekey += 1 strtiekey = str(tiekey) # Display AV Engine Score (if it exists) if AtdAttrib.AV_ENGINE_SCORE in atd_rep_attribs: proc_result[strtiekey] = {} proc_result[strtiekey][ 'title'] = "ATD AV Engine Score: " proc_result[strtiekey]['value'] = valueDict[ atd_rep_attribs[AtdAttrib.AV_ENGINE_SCORE]] tiekey += 1 strtiekey = str(tiekey) # Display Sandbox Score (if it exists) if AtdAttrib.SANDBOX_SCORE in atd_rep_attribs: proc_result[strtiekey] = {} proc_result[strtiekey]['title'] = "ATD Sandbox Score: " proc_result[strtiekey]['value'] = valueDict[ atd_rep_attribs[AtdAttrib.SANDBOX_SCORE]] tiekey += 1 strtiekey = str(tiekey) # Display Verdict (if it exists) if AtdAttrib.VERDICT in atd_rep_attribs: proc_result[strtiekey] = {} proc_result[strtiekey]['title'] = "ATD Verdict: " proc_result[strtiekey]['value'] = valueDict[ atd_rep_attribs[AtdAttrib.VERDICT]] tiekey += 1 strtiekey = str(tiekey) results = proc_result elif self.task["category"] == "url": return elif self.task["category"] == "baseline": return elif self.task["category"] == "service": return else: raise CuckooProcessingError("Unsupported task category: %s" % self.task["category"]) log.info("Finished processing TIE reputation analysis.") return results
for fileKey in MSResult: #unset reusables reputations_dict = None #MalShare provides only MD5's currentMD5 = None currentFilename = None currentTrustLevel = None currentMD5 = MSResult[fileKey]['md5'] currentFilename = MSResult[fileKey]['filename'] currentTrustLevel = MSResult[fileKey]['trustlevel'] reputations_dict = \ tie_client.get_file_reputation({ HashType.MD5: currentMD5 }) #Check if there is an enterprise (custom set) reputation if (reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.NOT_SET and \ reputations_dict[FileProvider.GTI]["trustLevel"]==TrustLevel.NOT_SET) or \ reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.UNKNOWN or \ reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.MIGHT_BE_TRUSTED or \ reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.MOST_LIKELY_TRUSTED: # If not set, go ahead and set it tie_client.set_file_reputation( currentTrustLevel, {HashType.MD5: currentMD5}, filename=currentFilename, comment="Reputation set via OpenDXL MalShare Integration") print "Reputation set for: " + str(fileKey) + ": " + currentMD5