def get_malware_subject_from_report(**kwargs):
hash = kwargs.get('hash', None)
if 'report' in kwargs:
if hasattr(kwargs['report'], 'read'):
report = lxml.etree.parse(kwargs['report']).getroot()
else:
f = open(kwargs['report'], 'rb')
report = lxml.etree.parse(f).getroot()
f.close()
if hash is None:
hash = report.xpath('file_info/sha256/text()')
if len(hash) != 0:
hash = hash[0].strip()
else:
hash = None
elif 'hash' in kwargs and \
'tag' in kwargs:
import pan.wfapi
# retrieve wildfire report
wfapi = pan.wfapi.PanWFapi(tag=kwargs['tag'])
wfapi.report(hash=kwargs['hash'])
if (wfapi.response_body is None):
raise PanWfReportError('no report from wildfire')
report = lxml.etree.fromstring(wfapi.response_body.encode('utf-8'))
else:
raise PanWfReportError(
'wrong set of arguments to get_malware_subject_from_report'
)
if report.tag != 'wildfire':
raise PanWfReportError('invalid root tag in wildfire report: %s' %
report.tag)
if 'pcap' in kwargs:
p = kwargs['pcap']
if p == 'network':
if 'tag' not in kwargs:
raise PanWfReportError('pcap from network, '
'but no tag specified')
pcap = __get_wfpcap_network_funcgenerator(kwargs['tag'], hash)
elif isinstance(p, basestring):
pcap = __get_wfpcap_file_funcgenerator(p, hash)
else:
pcap = None
else:
pcap = None
return __create_malware_subject_from_report(
report,
pcap=pcap,
evidence=kwargs.get('evidence', None)
)
def get_malware_subject_from_report(**kwargs):
hash = kwargs.get('hash', None)
if 'report' in kwargs:
if hasattr(kwargs['report'], 'read'):
report = lxml.etree.parse(kwargs['report']).getroot()
else:
f = open(kwargs['report'], 'rb')
report = lxml.etree.parse(f).getroot()
f.close()
if hash is None:
hash = report.xpath('file_info/sha256/text()')
if len(hash) != 0:
hash = hash[0].strip()
else:
hash = None
elif 'hash' in kwargs and \
'tag' in kwargs:
import pan.wfapi
# retrieve wildfire report
wfapi = pan.wfapi.PanWFapi(tag=kwargs['tag'])
wfapi.report(hash=kwargs['hash'])
if (wfapi.response_body is None):
raise PanWfReportError('no report from wildfire')
report = lxml.etree.fromstring(wfapi.response_body.encode('utf-8'))
else:
raise PanWfReportError(
'wrong set of arguments to get_malware_subject_from_report')
if report.tag != 'wildfire':
raise PanWfReportError('invalid root tag in wildfire report: %s' %
report.tag)
if 'pcap' in kwargs:
p = kwargs['pcap']
if p == 'network':
if 'tag' not in kwargs:
raise PanWfReportError('pcap from network, '
'but no tag specified')
pcap = __get_wfpcap_network_funcgenerator(kwargs['tag'], hash)
elif isinstance(p, basestring):
pcap = __get_wfpcap_file_funcgenerator(p, hash)
else:
pcap = None
else:
pcap = None
return __create_malware_subject_from_report(report,
pcap=pcap,
evidence=kwargs.get(
'evidence', None))
def get_malware_subject_from_report(**kwargs):
hash = kwargs.get("hash", None)
if "report" in kwargs:
if hasattr(kwargs["report"], "read"):
report = lxml.etree.parse(kwargs["report"]).getroot()
else:
f = open(kwargs["report"], "rb")
report = lxml.etree.parse(f).getroot()
f.close()
if hash is None:
hash = report.xpath("file_info/sha256/text()")
if len(hash) != 0:
hash = hash[0].strip()
else:
hash = None
elif "hash" in kwargs and "tag" in kwargs:
import pan.wfapi
# retrieve wildfire report
wfapi = pan.wfapi.PanWFapi(tag=kwargs["tag"])
wfapi.report(hash=kwargs["hash"])
if wfapi.response_body is None:
raise PanWfReportError("no report from wildfire")
report = lxml.etree.fromstring(wfapi.response_body.encode("utf-8"))
else:
raise PanWfReportError("wrong set of arguments to get_malware_subject_from_report")
if report.tag != "wildfire":
raise PanWfReportError("invalid root tag in wildfire report: %s" % report.tag)
if "pcap" in kwargs:
p = kwargs["pcap"]
if p == "network":
if "tag" not in kwargs:
raise PanWfReportError("pcap from network, " "but no tag specified")
pcap = __get_wfpcap_network_funcgenerator(kwargs["tag"], hash)
elif isinstance(p, basestring):
pcap = __get_wfpcap_file_funcgenerator(p, hash)
else:
pcap = None
else:
pcap = None
return __create_malware_subject_from_report(report, pcap=pcap, evidence=kwargs.get("evidence", None))
def main():
try:
signal.signal(signal.SIGPIPE, signal.SIG_DFL)
except AttributeError:
# Windows
pass
# set_encoding()
options = parse_opts()
if options['debug']:
logger = logging.getLogger()
if options['debug'] == 3:
logger.setLevel(pan.wfapi.DEBUG3)
elif options['debug'] == 2:
logger.setLevel(pan.wfapi.DEBUG2)
elif options['debug'] == 1:
logger.setLevel(pan.wfapi.DEBUG1)
# log_format = '%(levelname)s %(name)s %(message)s'
log_format = '%(message)s'
handler = logging.StreamHandler()
formatter = logging.Formatter(log_format)
handler.setFormatter(formatter)
logger.addHandler(handler)
try:
wfapi = pan.wfapi.PanWFapi(tag=options['tag'],
api_key=options['api_key'],
hostname=options['hostname'],
timeout=options['timeout'],
http=options['http'],
cacloud=options['cacloud'],
cafile=options['cafile'],
capath=options['capath'])
except pan.wfapi.PanWFapiError as msg:
print('pan.wfapi.PanWFapi:', msg, file=sys.stderr)
sys.exit(1)
if options['debug'] > 2:
print('wfapi.__str__()===>\n', wfapi, '\n<===',
sep='', file=sys.stderr)
try:
hashes = process_hashes(options['hash'])
if options['submit'] is not None:
action = 'submit'
kwargs = {}
if os.path.isfile(options['submit']):
kwargs['file'] = options['submit']
else:
o = urlparse(options['submit'])
if options['debug']:
print(o, file=sys.stderr)
if o.scheme == 'file':
if o.path and os.path.isfile(o.path):
kwargs['file'] = o.path
else:
print('Invalid URL: file not found:',
options['submit'], file=sys.stderr)
sys.exit(1)
else:
if o.scheme in ['http', 'https', 'ftp']:
kwargs['url'] = options['submit']
else:
print('Invalid file or URL:',
options['submit'], file=sys.stderr)
sys.exit(1)
wfapi.submit(**kwargs)
print_status(wfapi, action)
print_response(wfapi, options)
if options['submit-link'] is not None:
action = 'submit'
kwargs = {}
kwargs['links'] = process_arg(options['submit-link'], list=True)
wfapi.submit(**kwargs)
print_status(wfapi, action)
print_response(wfapi, options)
if options['change-request']:
action = 'change-request'
kwargs = {}
if len(hashes) > 1:
print('Only 1 hash allowed for %s' % action, file=sys.stderr)
sys.exit(1)
if len(hashes) == 1:
kwargs['hash'] = hashes[0]
if options['new-verdict'] is not None:
kwargs['verdict'] = process_verdict(options['new-verdict'])
if options['email'] is not None:
kwargs['email'] = options['email']
if options['comment'] is not None:
kwargs['comment'] = process_arg(options['comment'])
wfapi.change_request(**kwargs)
print_status(wfapi, action)
print_response(wfapi, options)
if options['report']:
action = 'report'
kwargs = {}
if len(hashes) > 1:
print('Only 1 hash allowed for %s' % action, file=sys.stderr)
sys.exit(1)
if len(hashes) == 1:
kwargs['hash'] = hashes[0]
if options['format'] is not None:
kwargs['format'] = options['format']
wfapi.report(**kwargs)
print_status(wfapi, action)
print_response(wfapi, options)
save_file(wfapi, options)
if options['verdict']:
kwargs = {}
if len(hashes) == 1:
action = 'verdict'
kwargs['hash'] = hashes[0]
wfapi.verdict(**kwargs)
elif len(hashes) > 1:
action = 'verdicts'
kwargs['hashes'] = hashes
wfapi.verdicts(**kwargs)
else:
action = 'verdict'
wfapi.verdict(**kwargs)
print_status(wfapi, action)
print_response(wfapi, options)
save_file(wfapi, options)
if options['sample']:
action = 'sample'
kwargs = {}
if len(hashes) > 1:
print('Only 1 hash allowed for %s' % action, file=sys.stderr)
sys.exit(1)
if len(hashes) == 1:
kwargs['hash'] = hashes[0]
wfapi.sample(**kwargs)
print_status(wfapi, action)
print_response(wfapi, options)
save_file(wfapi, options)
if options['pcap']:
action = 'pcap'
kwargs = {}
if len(hashes) > 1:
print('Only 1 hash allowed for %s' % action, file=sys.stderr)
sys.exit(1)
if len(hashes) == 1:
kwargs['hash'] = hashes[0]
if options['platform'] is not None:
kwargs['platform'] = options['platform']
wfapi.pcap(**kwargs)
print_status(wfapi, action)
print_response(wfapi, options)
save_file(wfapi, options)
if options['changed']:
action = 'verdicts_changed'
kwargs = {}
if options['date'] is not None:
kwargs['date'] = options['date']
try:
x = int(options['date'])
except ValueError:
pass
else:
if x < 1:
d = date.today()
d = d - timedelta(-x)
kwargs['date'] = d.isoformat()
if options['debug']:
print('relative date(%d): %s' % (x, kwargs['date']),
file=sys.stderr)
wfapi.verdicts_changed(**kwargs)
print_status(wfapi, action)
print_response(wfapi, options)
save_file(wfapi, options)
if options['testfile']:
action = 'testfile'
wfapi.testfile()
print_status(wfapi, action)
print_response(wfapi, options)
save_file(wfapi, options)
except pan.wfapi.PanWFapiError as msg:
print_status(wfapi, action, msg)
print_response(wfapi, options)
sys.exit(1)
sys.exit(0)
return bio.getvalue()
if __name__ == '__main__':
# python -m pan.wfapi [tag] [sha256]
import pan.wfapi
tag = None
sha256 = '5f31d8658a41aa138ada548b7fb2fc758219d40b557aaeab80681d314f739f92'
if len(sys.argv) > 1 and sys.argv[1]:
tag = sys.argv[1]
if len(sys.argv) > 2:
hash = sys.argv[2]
try:
wfapi = pan.wfapi.PanWFapi(tag=tag)
except pan.wfapi.PanWFapiError as msg:
print('pan.wfapi.PanWFapi:', msg, file=sys.stderr)
sys.exit(1)
try:
wfapi.report(hash=sha256)
except pan.wfapi.PanWFapiError as msg:
print('report: %s' % msg, file=sys.stderr)
sys.exit(1)
if (wfapi.response_body is not None):
print(wfapi.response_body)
def main():
try:
signal.signal(signal.SIGPIPE, signal.SIG_DFL)
except AttributeError:
# Windows
pass
# set_encoding()
options = parse_opts()
if options['debug']:
logger = logging.getLogger()
if options['debug'] == 3:
logger.setLevel(pan.wfapi.DEBUG3)
elif options['debug'] == 2:
logger.setLevel(pan.wfapi.DEBUG2)
elif options['debug'] == 1:
logger.setLevel(pan.wfapi.DEBUG1)
# log_format = '%(levelname)s %(name)s %(message)s'
log_format = '%(message)s'
handler = logging.StreamHandler()
formatter = logging.Formatter(log_format)
handler.setFormatter(formatter)
logger.addHandler(handler)
if options['cafile'] or options['capath'] or options['ssl']:
ssl_context = create_ssl_context(options['cafile'],
options['capath'],
options['ssl'])
else:
ssl_context = None
try:
wfapi = pan.wfapi.PanWFapi(tag=options['tag'],
api_key=options['api_key'],
hostname=options['hostname'],
timeout=options['timeout'],
http=options['http'],
ssl_context=ssl_context)
except pan.wfapi.PanWFapiError as msg:
print('pan.wfapi.PanWFapi:', msg, file=sys.stderr)
sys.exit(1)
if options['debug'] > 2:
print('wfapi.__str__()===>\n', wfapi, '\n<===',
sep='', file=sys.stderr)
try:
hashes = process_hashes(options['hash'])
if options['submit'] is not None:
action = 'submit'
kwargs = {}
if os.path.isfile(options['submit']):
kwargs['file'] = options['submit']
else:
o = urlparse(options['submit'])
if options['debug']:
print(o, file=sys.stderr)
if o.scheme == 'file':
if o.path and os.path.isfile(o.path):
kwargs['file'] = o.path
else:
print('Invalid URL: file not found:',
options['submit'], file=sys.stderr)
sys.exit(1)
else:
if o.scheme in ['http', 'https', 'ftp']:
kwargs['url'] = options['submit']
else:
print('Invalid file or URL:',
options['submit'], file=sys.stderr)
sys.exit(1)
wfapi.submit(**kwargs)
print_status(wfapi, action)
print_response(wfapi, options)
if options['submit-link'] is not None:
action = 'submit'
kwargs = {}
kwargs['links'] = process_arg(options['submit-link'], list=True)
wfapi.submit(**kwargs)
print_status(wfapi, action)
print_response(wfapi, options)
if options['change-request']:
action = 'change-request'
kwargs = {}
if len(hashes) > 1:
print('Only 1 hash allowed for %s' % action, file=sys.stderr)
sys.exit(1)
if len(hashes) == 1:
kwargs['hash'] = hashes[0]
if options['new-verdict'] is not None:
kwargs['verdict'] = process_verdict(options['new-verdict'])
if options['email'] is not None:
kwargs['email'] = options['email']
if options['comment'] is not None:
kwargs['comment'] = process_arg(options['comment'])
wfapi.change_request(**kwargs)
print_status(wfapi, action)
print_response(wfapi, options)
if options['report']:
action = 'report'
kwargs = {}
if len(hashes) > 1:
print('Only 1 hash allowed for %s' % action, file=sys.stderr)
sys.exit(1)
if len(hashes) == 1:
kwargs['hash'] = hashes[0]
if options['format'] is not None:
kwargs['format'] = options['format']
wfapi.report(**kwargs)
print_status(wfapi, action)
print_response(wfapi, options)
save_file(wfapi, options)
if options['verdict']:
kwargs = {}
if len(hashes) == 1:
action = 'verdict'
kwargs['hash'] = hashes[0]
wfapi.verdict(**kwargs)
elif len(hashes) > 1:
action = 'verdicts'
kwargs['hashes'] = hashes
wfapi.verdicts(**kwargs)
else:
action = 'verdict'
wfapi.verdict(**kwargs)
print_status(wfapi, action)
print_response(wfapi, options)
save_file(wfapi, options)
if options['sample']:
action = 'sample'
kwargs = {}
if len(hashes) > 1:
print('Only 1 hash allowed for %s' % action, file=sys.stderr)
sys.exit(1)
if len(hashes) == 1:
kwargs['hash'] = hashes[0]
wfapi.sample(**kwargs)
print_status(wfapi, action)
print_response(wfapi, options)
save_file(wfapi, options)
if options['pcap']:
action = 'pcap'
kwargs = {}
if len(hashes) > 1:
print('Only 1 hash allowed for %s' % action, file=sys.stderr)
sys.exit(1)
if len(hashes) == 1:
kwargs['hash'] = hashes[0]
if options['platform'] is not None:
kwargs['platform'] = options['platform']
wfapi.pcap(**kwargs)
print_status(wfapi, action)
print_response(wfapi, options)
save_file(wfapi, options)
if options['changed']:
action = 'verdicts_changed'
kwargs = {}
if options['date'] is not None:
kwargs['date'] = options['date']
try:
x = int(options['date'])
except ValueError:
pass
else:
if x < 1:
d = date.today()
d = d - timedelta(-x)
kwargs['date'] = d.isoformat()
if options['debug']:
print('relative date(%d): %s' %
(x, kwargs['date']), file=sys.stderr)
wfapi.verdicts_changed(**kwargs)
print_status(wfapi, action)
print_response(wfapi, options)
save_file(wfapi, options)
if options['testfile']:
action = 'testfile'
wfapi.testfile(options['type'])
print_status(wfapi, action)
print_response(wfapi, options)
save_file(wfapi, options)
except pan.wfapi.PanWFapiError as msg:
print_status(wfapi, action, msg)
print_response(wfapi, options)
sys.exit(1)
sys.exit(0)
if __name__ == '__main__':
# python -m pan.wfapi [tag] [sha256] [0-3]
import pan.wfapi
tag = None
sha256 = '5f31d8658a41aa138ada548b7fb2fc758219d40b557aaeab80681d314f739f92'
debug = 0
if len(sys.argv) > 1 and sys.argv[1]:
tag = sys.argv[1]
if len(sys.argv) > 2:
hash = sys.argv[2]
if len(sys.argv) > 3 and int(sys.argv[3]):
debug = int(sys.argv[3])
try:
wfapi = pan.wfapi.PanWFapi(debug=debug, tag=tag)
except pan.wfapi.PanWFapiError as msg:
print('pan.wfapi.PanWFapi:', msg, file=sys.stderr)
sys.exit(1)
try:
wfapi.report(hash=sha256)
except pan.wfapi.PanWFapiError as msg:
print('report: %s' % msg, file=sys.stderr)
sys.exit(1)
if (wfapi.response_body is not None):
print(wfapi.response_body)
def main():
signal.signal(signal.SIGPIPE, signal.SIG_DFL)
# set_encoding()
options = parse_opts()
try:
wfapi = pan.wfapi.PanWFapi(debug=options['debug'],
tag=options['tag'],
api_key=options['api_key'],
hostname=options['hostname'],
timeout=options['timeout'],
http=options['http'],
cacloud=options['cacloud'],
cafile=options['cafile'],
capath=options['capath'])
except pan.wfapi.PanWFapiError as msg:
print('pan.wfapi.PanWFapi:', msg, file=sys.stderr)
sys.exit(1)
if options['debug'] > 2:
print('wfapi.__str__()===>\n', wfapi, '\n<===',
sep='', file=sys.stderr)
try:
if options['submit'] is not None:
action = 'submit'
kwargs = {}
if os.path.isfile(options['submit']):
kwargs['file'] = options['submit']
else:
o = urlparse(options['submit'])
if options['debug']:
print(o, file=sys.stderr)
if o.scheme == 'file':
if o.path and os.path.isfile(o.path):
kwargs['file'] = o.path
else:
print('Invalid URL: file not found:',
options['submit'], file=sys.stderr)
sys.exit(1)
else:
if o.scheme in ['http', 'https', 'ftp']:
kwargs['url'] = options['submit']
else:
print('Invalid file or URL:',
options['submit'], file=sys.stderr)
sys.exit(1)
wfapi.submit(**kwargs)
print_status(wfapi, action)
print_response(wfapi, options)
if options['report']:
action = 'report'
kwargs = {}
if options['hash'] is not None:
validate_hash(options['hash'])
kwargs['hash'] = options['hash']
if options['format'] is not None:
kwargs['format'] = options['format']
wfapi.report(**kwargs)
print_status(wfapi, action)
print_response(wfapi, options)
save_file(wfapi, options)
if options['sample']:
action = 'sample'
kwargs = {}
if options['hash'] is not None:
validate_hash(options['hash'])
kwargs['hash'] = options['hash']
wfapi.sample(**kwargs)
print_status(wfapi, action)
print_response(wfapi, options)
save_file(wfapi, options)
if options['pcap']:
action = 'pcap'
kwargs = {}
if options['hash'] is not None:
validate_hash(options['hash'])
kwargs['hash'] = options['hash']
if options['platform'] is not None:
kwargs['platform'] = options['platform']
wfapi.pcap(**kwargs)
print_status(wfapi, action)
print_response(wfapi, options)
save_file(wfapi, options)
if options['testfile']:
action = 'testfile'
wfapi.testfile()
print_status(wfapi, action)
print_response(wfapi, options)
save_file(wfapi, options)
except pan.wfapi.PanWFapiError as msg:
print_status(wfapi, action, msg)
print_response(wfapi, options)
sys.exit(1)
sys.exit(0)
def retrieveWildFireData(apikey, file_digest):
wfapi = pan.wfapi.PanWFapi(api_key=apikey)
wfapi.report(file_digest)
return wfapi.response_body
def retrieveWildFireData(apikey, file_digest):
wfapi = pan.wfapi.PanWFapi(api_key=apikey)
wfapi.report(file_digest)
return wfapi.response_body
def main():
signal.signal(signal.SIGPIPE, signal.SIG_DFL)
# set_encoding()
options = parse_opts()
try:
wfapi = pan.wfapi.PanWFapi(debug=options['debug'],
tag=options['tag'],
api_key=options['api_key'],
hostname=options['hostname'],
timeout=options['timeout'],
http=options['http'],
cacloud=options['cacloud'],
cafile=options['cafile'],
capath=options['capath'])
except pan.wfapi.PanWFapiError as msg:
print('pan.wfapi.PanWFapi:', msg, file=sys.stderr)
sys.exit(1)
if options['debug'] > 2:
print('wfapi.__str__()===>\n',
wfapi,
'\n<===',
sep='',
file=sys.stderr)
try:
if options['submit'] is not None:
action = 'submit'
kwargs = {}
if os.path.isfile(options['submit']):
kwargs['file'] = options['submit']
else:
o = urlparse(options['submit'])
if options['debug']:
print(o, file=sys.stderr)
if o.scheme == 'file':
if o.path and os.path.isfile(o.path):
kwargs['file'] = o.path
else:
print('Invalid URL: file not found:',
options['submit'],
file=sys.stderr)
sys.exit(1)
else:
if o.scheme in ['http', 'https', 'ftp']:
kwargs['url'] = options['submit']
else:
print('Invalid file or URL:',
options['submit'],
file=sys.stderr)
sys.exit(1)
wfapi.submit(**kwargs)
print_status(wfapi, action)
print_response(wfapi, options)
if options['report']:
action = 'report'
kwargs = {}
if options['hash'] is not None:
validate_hash(options['hash'])
kwargs['hash'] = options['hash']
if options['format'] is not None:
kwargs['format'] = options['format']
wfapi.report(**kwargs)
print_status(wfapi, action)
print_response(wfapi, options)
save_file(wfapi, options)
if options['sample']:
action = 'sample'
kwargs = {}
if options['hash'] is not None:
validate_hash(options['hash'])
kwargs['hash'] = options['hash']
wfapi.sample(**kwargs)
print_status(wfapi, action)
print_response(wfapi, options)
save_file(wfapi, options)
if options['pcap']:
action = 'pcap'
kwargs = {}
if options['hash'] is not None:
validate_hash(options['hash'])
kwargs['hash'] = options['hash']
if options['platform'] is not None:
kwargs['platform'] = options['platform']
wfapi.pcap(**kwargs)
print_status(wfapi, action)
print_response(wfapi, options)
save_file(wfapi, options)
if options['testfile']:
action = 'testfile'
wfapi.testfile()
print_status(wfapi, action)
print_response(wfapi, options)
save_file(wfapi, options)
except pan.wfapi.PanWFapiError as msg:
print_status(wfapi, action, msg)
print_response(wfapi, options)
sys.exit(1)
sys.exit(0)
