def test_convert_to_nw_time(self): expected_nw_time = "2018-Dec-18 13:28:45" nw_time = datetime.datetime.strptime(convert_to_nw_time(1545157725000),\ '%Y-%b-%d %H:%M:%S') nw_time_timezone = nw_time.astimezone(pytz.timezone("America/New_York"))\ .strftime('%Y-%b-%d %H:%M:%S') assert nw_time_timezone == expected_nw_time
def _netwitness_retrieve_log_data(self, event, *args, **kwargs): """Function: Returns back either a log file from Netwitness.""" try: # Get the function parameters: nw_data_format = self.get_select_param( kwargs.get("nw_data_format")) # select yield StatusMessage("Retrieving {} logs...".format(nw_data_format)) nw_start_time = kwargs.get("nw_start_time") # int if nw_start_time is None: raise FunctionError( "nw_start_time must be set in order to run this function.") nw_end_time = kwargs.get("nw_end_time") # int if nw_end_time is None: raise FunctionError( "nw_end_time must be set in order to run this function.") incident_id = kwargs.get("incident_id") # number # Initialize resilient_lib objects (handles the select input) results_payload = ResultPayload("fn_rsa_netwitness", **kwargs) req_common = RequestsCommon(self.opts) log.info("nw_data_format: %s", nw_data_format) log.info("nw_start_time: %s", nw_start_time) log.info("nw_end_time: %s", nw_end_time) data_file = {} start_time = convert_to_nw_time(nw_start_time) end_time = convert_to_nw_time(nw_end_time) # Get all common variables from app.config url = self.options.get("nw_log_server_url") username = self.options.get("nw_log_server_user") password = self.options.get("nw_log_server_password") nw_verify = self.options.get("nw_log_server_verify") # Dict lookup for render format render_format_dict = { "logs_text": "logs", "logs_csv": "text/csv", "logs_xml": "text/xml", "logs_json": "application/json" } # Make sure format is a supported case if nw_data_format not in render_format_dict: raise FunctionError("{} is not a supported format to retrieve logs"\ .format(nw_data_format)) # Return log data in json format if nw_data_format == "logs_json": data_file = get_nw_session_logs_file(url, username, password, nw_verify, \ start_time, end_time, req_common, render_format=render_format_dict[nw_data_format], resp_type="json") # Return log data in text format else: data_file = get_nw_session_logs_file(url, username, password, nw_verify, \ start_time, end_time, req_common, render_format=render_format_dict[nw_data_format]) log.debug("data_file: %s", data_file) results = results_payload.done(True, data_file) log.debug("RESULTS: %s", results) # Check for empty log files # (if empty, no log file will be attached and a note will # be added in the workflow post-process) if results["content"]: yield StatusMessage("Logs found, creating attachment...") # Get client, attachment name, and content of log files from netwitness rest_client = self.rest_client() # Determine the proper extension for the attachment name if nw_data_format == "logs_text": ext = "txt" else: ext = nw_data_format[5:] # for csv, xml, json attachment_name = u"Log file for {} - {}.{}".format( nw_start_time, nw_end_time, ext) if nw_data_format == "logs_json": datastream = BytesIO( json.dumps(results['content'], indent=4).encode('utf-8')) elif sys.version_info.major < 3: datastream = StringIO(results["content"]) else: datastream = BytesIO(results["content"].encode("utf-8")) write_file_attachment(rest_client, attachment_name,\ datastream, incident_id, None) yield StatusMessage("Done...") # Produce a FunctionResult with the results yield FunctionResult(results) except Exception as error: yield FunctionError(error)
def _netwitness_retrieve_pcap_data(self, event, *args, **kwargs): """Function: Returns back either a pcap file from Netwitness, and attaches it to an incident.""" try: yield StatusMessage("Starting...") # Get the function parameters: nw_event_session_ids = kwargs.get("nw_event_session_ids") # text nw_start_time = kwargs.get("nw_start_time") # text nw_end_time = kwargs.get("nw_end_time") # text incident_id = str(kwargs.get("incident_id")) # number # Initialize resilient_lib objects (handles the select input) results_payload = ResultPayload("fn_rsa_netwitness", **{"nw_event_session_ids":\ nw_event_session_ids, "incident_id": incident_id}) req_common = RequestsCommon(self.opts) # Verify inputs are set correctly if nw_event_session_ids is None: if nw_start_time is None or nw_end_time is None: raise FunctionError("Either nw_event_session_ids or nw_start_time and "\ "nw_end_time must be set for this function to run correctly.") log.info("nw_event_session_ids: %s", nw_event_session_ids) log.info("nw_start_time: %s", nw_start_time) log.info("nw_end_time: %s", nw_end_time) log.info("incident_id: %s", incident_id) # Get all common variables from app.config url = self.options.get("nw_packet_server_url") username = self.options.get("nw_packet_server_user") password = self.options.get("nw_packet_server_password") nw_verify = self.options.get("nw_packet_server_verify") # User session id if avaiable if nw_event_session_ids: pcap_file = get_nw_session_pcap_file(url, username, password, nw_verify,\ nw_event_session_ids, req_common) file_name = "PCAP file for session IDs: {}.pcap".format( nw_event_session_ids) else: nw_start = convert_to_nw_time(nw_start_time) nw_end = convert_to_nw_time(nw_end_time) pcap_file = get_nw_session_pcap_file_time(url, username, password, nw_verify,\ nw_start, nw_end, req_common) file_name = "PCAP file between {} and {}.pcap".format( nw_start, nw_end) rest_client = self.rest_client() results = results_payload.done(True, {}) if sys.version_info.major < 3: datastream = StringIO(pcap_file) else: datastream = BytesIO(pcap_file) log.debug("pcap_file: %s", pcap_file[1000:]) write_file_attachment(rest_client, file_name, datastream, incident_id, None) yield StatusMessage("PCAP file added as attachment to Incident {}"\ .format(str(incident_id))) yield StatusMessage("Done...") log.debug("RESULTS: %s", results) # Produce a FunctionResult with the results yield FunctionResult(results) except Exception as error: yield FunctionError(error)
def _netwitness_retrieve_log_data(self, event, *args, **kwargs): """Function: Returns back either a log file from Netwitness.""" try: yield StatusMessage("Retrieving logs...") # Get the function parameters: nw_data_format = self.get_select_param(kwargs.get("nw_data_format")) # select nw_start_time = kwargs.get("nw_start_time") # int if nw_start_time is None: raise FunctionError("nw_start_time must be set in order to run this function.") nw_end_time = kwargs.get("nw_end_time") # int if nw_end_time is None: raise FunctionError("nw_end_time must be set in order to run this function.") # Initialize resilient_lib objects (handles the select input) rp = ResultPayload("fn_rsa_netwitness", **kwargs) req_common = RequestsCommon(self.opts) log.info("nw_data_format: %s", nw_data_format) log.info("nw_start_time: %s", nw_start_time) log.info("nw_end_time: %s", nw_end_time) data_file = {} start_time = convert_to_nw_time(nw_start_time) end_time = convert_to_nw_time(nw_end_time) # Get all common variables from app.config url = self.options.get("nw_log_server_url") username = self.options.get("nw_log_server_user") password = self.options.get("nw_log_server_password") nw_verify = self.options.get("nw_log_server_verify") # Dict lookup for render format render_format_dict = { "logs_text": "logs", "logs_csv": "text/csv", "logs_xml": "text/xml", "logs_json": "application/json" } # Make sure format is a supported case if nw_data_format not in render_format_dict: raise FunctionError("{} is not a supported format to retrieve logs".format(nw_data_format)) # Return log data in json format if nw_data_format == "logs_json": data_file = get_nw_session_logs_file(url, username, password, nw_verify, start_time, end_time, req_common, render_format=render_format_dict.get("nw_data_format"), resp_type="json") # Return log data in text format else: data_file = get_nw_session_logs_file(url, username, password, nw_verify, start_time, end_time, req_common, render_format=render_format_dict.get("nw_data_format")) log.debug("data_file: {}".format(data_file)) results = rp.done(True, data_file) log.debug("RESULTS: %s", results) yield StatusMessage("Done...") # Produce a FunctionResult with the results yield FunctionResult(results) except Exception as e: yield FunctionError(e)
def test_convert_to_nw_time(self): expected_nw_time = "2018-Dec-18 13:28:45" nw_time = convert_to_nw_time(int("1545157725000")) assert nw_time == expected_nw_time