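def setReputation(trustlevelStr, md5, sha1, sha256, filenameStr, commentStr):
    """Set the Enterprise reputation of a file on the TIE server over DXL.

    Args:
        trustlevelStr: Trust level as a string. ``getTrustLevel`` turns it
            into the integer TIE expects; the original code treated -1 as
            "no such trust level", and that convention is kept here.
        md5, sha1, sha256: Hex digests of the file, combined into the hash
            dictionary by ``hashMe``.
        filenameStr: File name recorded alongside the reputation.
        commentStr: Free-text comment recorded alongside the reputation.

    Returns:
        ``None`` once the reputation has been set, or the ``jsonify`` error
        response when ``trustlevelStr`` does not map to a trust level.
    """
    trustlevelInt = getTrustLevel(trustlevelStr)
    # Reject a bad trust level *before* opening a DXL connection; the
    # original only checked after connecting, and also echoed every input
    # (including the caller-supplied filename and comment) to stdout.
    if trustlevelInt == -1:
        return jsonify(error="invalid trust level", trustlevel=trustlevelStr)
    mySetHashes = hashMe(md5, sha1, sha256)
    # The context manager tears the client down on exit, so the explicit
    # disconnect() the original called inside the block is not needed.
    with DxlClient(config) as client:
        client.connect()
        tie_client = TieClient(client)
        # Enterprise (organisation-level) reputation override for these hashes.
        tie_client.set_file_reputation(
            trustlevelInt, mySetHashes, filename=filenameStr, comment=commentStr)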
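def set_file_reputation(hash, trust_level, filename, comment):
    """Set the Enterprise reputation of a single file hash on the TIE server.

    Args:
        hash: MD5, SHA1 or SHA256 hex digest. Its type is detected by
            ``get_hash_type`` and mapped to a TIE hash key via ``HASH_TYPE_KEYS``.
        trust_level: Human-readable trust level; must be one of the values of
            ``TRUST_LEVELS`` (the matching key is what TIE receives).
        filename: File name recorded with the reputation.
        comment: Comment recorded with the reputation.

    Returns:
        A success string, or a ``create_error_entry`` result when an argument
        is invalid or the TIE call raises.
    """
    config = get_client_config()
    # Resolve the display name to its TIE key. Last match wins, as in the
    # original loop. Test with ``is None`` rather than truthiness so that a
    # key of 0 (dxltieclient's TrustLevel.NOT_SET is 0) would not be rejected.
    trust_level_key = None
    for key, name in TRUST_LEVELS.items():
        if name == trust_level:
            trust_level_key = key
    if trust_level_key is None:
        return create_error_entry('illigale argument trust_level %s. Choose value from predefined values' % (trust_level, ))
    # Validate the hash before connecting: no point in opening a DXL session
    # for a request that is going to be rejected anyway.
    hash_type_key = HASH_TYPE_KEYS.get(get_hash_type(hash))
    if not hash_type_key:
        return create_error_entry('file argument must be sha1(40 charecters) or sha256(64 charecters) or md5(32 charecters)')
    hash_param = {hash_type_key: hash}
    with DxlClient(config) as client:
        client.connect()
        tie_client = TieClient(client)
        try:
            tie_client.set_file_reputation(trust_level_key, hash_param, filename, comment)
        except Exception as ex:  # integration boundary: report, don't propagate
            return create_error_entry(str(ex))
        return 'Successfully set file repuation'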
def set_rep(self, hash, type, level, prov):
    """Set one file reputation on TIE, as either an Enterprise or an External provider.

    ``prov`` selects the TIE call: ``'enterprise'`` uses
    ``set_file_reputation``, ``'external'`` uses
    ``set_external_file_reputation``; any other value connects but sets
    nothing. ``level`` is converted with ``int()`` only when a call is made,
    and ``hash`` doubles as the recorded filename.
    """
    setter_by_provider = {
        'enterprise': 'set_file_reputation',
        'external': 'set_external_file_reputation',
    }
    setter_name = setter_by_provider.get(prov)
    with DxlClient(DXL_CONFIG) as client:
        client.connect()
        tie_client = TieClient(client)
        if setter_name is not None:
            # Look the method up lazily so only the selected call is touched.
            setter = getattr(tie_client, setter_name)
            setter(
                int(level),
                {type: hash},
                filename=hash,
                comment="Reputation Update from McAfee Bulk Importer")
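def process(self):
    """Push the event's file hashes to TIE as MOST_LIKELY_MALICIOUS.

    Reads one message, builds the hash dictionary from whichever of
    ``malware.hash.sha256`` / ``malware.hash.sha1`` / ``malware.hash.md5`` the
    event carries, sets the Enterprise reputation through the bot's DXL
    client and acknowledges the message on success.

    Raises:
        ValueError: when the event carries none of the three hash fields.
    """
    event = self.receive_message()
    # Only forward hashes that are actually present; the original passed the
    # raw ``event.get`` results, so a missing field became a None "hash".
    candidate_hashes = {
        HashType.SHA256: event.get("malware.hash.sha256"),
        HashType.SHA1: event.get("malware.hash.sha1"),
        HashType.MD5: event.get("malware.hash.md5"),
    }
    hashes = {hash_type: value for hash_type, value in candidate_hashes.items() if value}
    if not hashes:
        raise ValueError("event carries no malware.hash.* field to set a reputation on")
    self.dxlclient.connect()
    try:
        tie_client = TieClient(self.dxlclient)
        tie_client.set_file_reputation(
            TrustLevel.MOST_LIKELY_MALICIOUS,
            hashes,
            filename=event.get("malware.name"),
            comment=self.parameters.comment)
    finally:
        # Always release the fabric connection, even when the TIE call fails.
        self.dxlclient.disconnect()
    self.logger.info("Event successfully sent.")
    self.acknowledge_message()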
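def _has_definitive_reputation(reputations_dict):
    """Return True if any provider reports a trust level other than NOT_SET or UNKNOWN."""
    return any(
        rep[ReputationProp.TRUST_LEVEL] not in (TrustLevel.NOT_SET, TrustLevel.UNKNOWN)
        for rep in reputations_dict.values())


def set_reputation(dxl_config_file, ioc_list, force):
    """Set the reputation of every IoC in ``ioc_list`` on the TIE server.

    Args:
        dxl_config_file: Path of the DXL client configuration file.
        ioc_list: Iterable of dicts with keys ``sha1``, ``sha256``, ``md5``,
            ``file_name``, ``file_comment`` and ``reputation`` (a key of
            ``REPUTATION_VALUES``).
        force: When true, set the reputation even if another provider already
            reports a definitive one.

    Returns:
        dict with the counters ``total_ioc_processed``, ``ioc_set``,
        ``ioc_exist`` and ``ioc_error``. Entries whose ``reputation`` is not a
        known value now count towards both ``ioc_error`` and
        ``total_ioc_processed``; the original dropped them from every counter.
    """
    config = DxlClientConfig.create_dxl_config_from_file(dxl_config_file)
    ioc_set = ioc_error = ioc_exist = ioc_total = 0
    with DxlClient(config) as client:
        client.connect()
        tie_client = TieClient(client)
        for ioc in ioc_list:
            ioc_total += 1
            file_name = ioc["file_name"]
            file_comment = ioc["file_comment"]
            hashes = {
                HashType.MD5: ioc["md5"],
                HashType.SHA1: ioc["sha1"],
                HashType.SHA256: ioc["sha256"],
            }
            try:
                reputation = REPUTATION_VALUES[ioc["reputation"]]
            except KeyError:
                logger.error("Error getting reputation value, for entry %s check spelling", file_name)
                ioc_error += 1
                continue
            reputations_dict = tie_client.get_file_reputation(hashes)
            # Another provider already has an opinion and we were not asked to
            # override it: leave the existing reputation in place.
            if _has_definitive_reputation(reputations_dict) and not force:
                logger.info(
                    "Information: There is a reputation from another provider for the file %s, External Reputation is not necessary.",
                    file_name)
                ioc_exist += 1
                continue
            logger.debug("Reputation %s", reputation)
            logger.debug("hashes %s", hashes)
            logger.debug("filename %s", file_name)
            logger.debug("comment %s", file_comment)
            try:
                tie_client.set_file_reputation(
                    reputation,
                    hashes,
                    filename=file_name,
                    comment=file_comment)
            except ValueError:
                logger.error("Error sending IoC %s to Threat Intelligence Exchange Database", file_name)
                ioc_error += 1
            else:
                logger.info("Information: IoC %s sent to Threat Intelligence Exchange Database", file_name)
                ioc_set += 1
    return {
        "total_ioc_processed": ioc_total,
        "ioc_set": ioc_set,
        "ioc_exist": ioc_exist,
        "ioc_error": ioc_error,
    }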
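def run(self, results):
    """Writes report.
    @param results: Cuckoo results dict.
    @raise CuckooReportError: if fails to write report.

    Pushes a MOST_LIKELY_MALICIOUS Enterprise reputation to TIE for the
    analysed sample when Cuckoo scored it 4.0 or higher, the Enterprise
    provider holds no malicious verdict yet, and GTI is either absent from
    the response or UNKNOWN.
    """
    try:
        target_file = results["target"]["file"]
        currentMD5 = target_file["md5"]
        currentSHA1 = target_file["sha1"]
        currentSHA256 = target_file["sha256"]
        currentFilename = target_file["name"]
        currentTrustLevel = results["info"]["score"]
        hashes = {
            HashType.MD5: currentMD5,
            HashType.SHA1: currentSHA1,
            HashType.SHA256: currentSHA256
        }
        print(currentMD5)
        print(currentSHA1)
        print(currentSHA256)
        print(currentFilename)
        print(currentTrustLevel)
        # Scores below 4.0 are not treated as malicious enough to touch TIE.
        if float(currentTrustLevel) < 4.0:
            print("Trust Level is " + str(currentTrustLevel) + ". No update required.")
            return
        print("Opening DXL connection")
        with DxlClient(config) as client:
            print("Connecting to DXL fabric.")
            client.connect()
            print("Connecting to TIE.")
            tie_client = TieClient(client)
            print("Trust Level is " + str(currentTrustLevel) + ". Updating TIE.")
            reputations_dict = tie_client.get_file_reputation(hashes)
            print(reputations_dict)
            # Only override an Enterprise (custom set) reputation that is unset
            # or leans trusted; an existing malicious verdict is left alone.
            enterprise_level = reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]
            overridable_levels = (
                TrustLevel.NOT_SET,
                TrustLevel.UNKNOWN,
                TrustLevel.MIGHT_BE_TRUSTED,
                TrustLevel.MOST_LIKELY_TRUSTED,
            )
            if enterprise_level in overridable_levels:
                print("Current Trust Level is" + str(enterprise_level))
                # GTI must be absent or UNKNOWN. The original compared the whole
                # GTI reputation dict with TrustLevel.UNKNOWN, which can never be
                # true, so the update only ever ran when GTI was missing.
                gti_reputation = reputations_dict.get(FileProvider.GTI)
                if gti_reputation is None or gti_reputation["trustLevel"] == TrustLevel.UNKNOWN:
                    print("GTI either does not exist or set to UNKNOWN")
                    tie_client.set_file_reputation(
                        TrustLevel.MOST_LIKELY_MALICIOUS,
                        hashes,
                        filename=currentFilename,
                        comment="Reputation set via OpenDXL Cuckoo Integration. Cuckoo scored this sample a " + str(currentTrustLevel) + " out of 10.")
                    print("Reputation set for: " + str(currentFilename) + ": " + currentMD5)
    # KeyError added: a results dict missing a field is a report failure too,
    # and the caller's contract is to see CuckooReportError.
    except (TypeError, IOError, KeyError) as e:
        raise CuckooReportError("Failed to update TIE with results: %s" % e)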
currentMD5 = WFResult[fileKey]['md5']
currentSHA256 = WFResult[fileKey]['sha256']
currentFilename = WFResult[fileKey]['filename']
currentTrustLevel = WFResult[fileKey]['trustlevel']
# WildFire results carry MD5 and SHA256 only.
file_hashes = {
    HashType.MD5: currentMD5,
    HashType.SHA256: currentSHA256
}
reputations_dict = tie_client.get_file_reputation(file_hashes)
# The Enterprise (custom set) reputation is replaced only when nothing is set
# anywhere (Enterprise and GTI both NOT_SET) or when it leans trusted.
enterprise_level = reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]
nothing_set_anywhere = (
    enterprise_level == TrustLevel.NOT_SET
    and reputations_dict[FileProvider.GTI]["trustLevel"] == TrustLevel.NOT_SET)
leans_trusted = enterprise_level in (
    TrustLevel.UNKNOWN,
    TrustLevel.MIGHT_BE_TRUSTED,
    TrustLevel.MOST_LIKELY_TRUSTED)
if nothing_set_anywhere or leans_trusted:
    tie_client.set_file_reputation(
        currentTrustLevel,
        file_hashes,
        filename=currentFilename,
        comment="Reputation set via OpenDXL WildFire Integration")
    print("Reputation set for: " + str(fileKey) + ": " + currentMD5)
else:
    print("Skipping: " + str(fileKey) + ": " + currentMD5)
sys.path.append(os.path.dirname(os.path.abspath(__file__)) + "/..")
from common import *

# Local logger: only errors from this script are emitted.
logging.getLogger().setLevel(logging.ERROR)
logger = logging.getLogger(__name__)

# Hashes of the notepad.exe build whose Enterprise reputation is set below.
NOTEPAD_HASHES = {
    HashType.MD5: "f2c7bb8acc97f92e987a2d4087d021b1",
    HashType.SHA1: "7eb0139d2175739b3ccb0d1110067820be6abd29",
    HashType.SHA256: "142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2"
}

# DXL client configuration, read from CONFIG_FILE (provided by common).
config = DxlClientConfig.create_dxl_config_from_file(CONFIG_FILE)

with DxlClient(config) as client:
    client.connect()
    tie_client = TieClient(client)
    # Enterprise override: mark notepad.exe as Known Trusted.
    tie_client.set_file_reputation(
        TrustLevel.KNOWN_TRUSTED,
        NOTEPAD_HASHES,
        filename="notepad.exe",
        comment="Reputation set via OpenDXL")
    print("Succeeded.")
# MalShare provides only MD5's
reputations_dict = currentMD5 = currentFilename = currentTrustLevel = None
entry = MSResult[fileKey]
currentMD5 = entry['md5']
currentFilename = entry['filename']
currentTrustLevel = entry['trustlevel']
md5_only = {HashType.MD5: currentMD5}
reputations_dict = tie_client.get_file_reputation(md5_only)
# The Enterprise (custom set) reputation is replaced only when nothing is set
# anywhere (Enterprise and GTI both NOT_SET) or when it leans trusted.
enterprise_level = reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]
nothing_set_anywhere = (
    enterprise_level == TrustLevel.NOT_SET
    and reputations_dict[FileProvider.GTI]["trustLevel"] == TrustLevel.NOT_SET)
leans_trusted = enterprise_level in (
    TrustLevel.UNKNOWN,
    TrustLevel.MIGHT_BE_TRUSTED,
    TrustLevel.MOST_LIKELY_TRUSTED)
if nothing_set_anywhere or leans_trusted:
    tie_client.set_file_reputation(
        currentTrustLevel,
        md5_only,
        filename=currentFilename,
        comment="Reputation set via OpenDXL MalShare Integration")
    print("Reputation set for: " + str(fileKey) + ": " + currentMD5)
else:
    print("Skipping: " + str(fileKey) + ": " + currentMD5)