def load_user_settings(user):
default_settings = get_default_user_settings(user)
settings = STORAGE.user_settings.get(user['uname'], as_obj=False)
srv_list = [
x for x in STORAGE.list_all_services(as_obj=False, full=True)
if x['enabled']
]
if not settings:
def_srv_list = None
settings = default_settings
else:
# Make sure all defaults are there
for key, item in default_settings.items():
if key not in settings:
settings[key] = item
# Remove all obsolete keys
for key in list(settings.keys()):
if key not in default_settings:
del settings[key]
def_srv_list = settings.get('services', {}).get('selected', None)
settings['service_spec'] = get_default_service_spec(srv_list)
settings['services'] = get_default_service_list(srv_list, def_srv_list)
# Normalize the user's classification
settings['classification'] = Classification.normalize_classification(
settings['classification'])
return settings
def get_or_create_summary(sid, results, user_classification, completed):
user_classification = CLASSIFICATION.normalize_classification(user_classification, long_format=False)
cache_key = f"{sid}_{user_classification}_with_sections"
for illegal_char in [" ", ":", "/"]:
cache_key = cache_key.replace(illegal_char, "")
summary_cache = STORAGE.submission_summary.get_if_exists(cache_key, as_obj=False)
if not summary_cache:
summary = STORAGE.get_summary_from_keys(
results, cl_engine=CLASSIFICATION, user_classification=user_classification,
keep_heuristic_sections=True)
expiry = now_as_iso(config.datastore.ilm.days_until_archive * 24 * 60 * 60)
partial = not completed or "missing_results" in summary or "missing_files" in summary
# Do not cache partial summary
if not partial:
summary_cache = {
"attack_matrix": json.dumps(summary['attack_matrix']),
"tags": json.dumps(summary['tags']),
"expiry_ts": expiry,
"heuristics": json.dumps(summary['heuristics']),
"classification": summary['classification'],
"filtered": summary["filtered"],
"heuristic_sections": json.dumps(summary['heuristic_sections']),
"heuristic_name_map": json.dumps(summary['heuristic_name_map'])
}
STORAGE.submission_summary.save(cache_key, summary_cache)
return {
"attack_matrix": summary['attack_matrix'],
"tags": summary['tags'],
"expiry_ts": expiry,
"heuristics": summary['heuristics'],
"classification": summary['classification'],
"filtered": summary["filtered"],
"partial": partial,
"heuristic_sections": summary['heuristic_sections'],
"heuristic_name_map": summary['heuristic_name_map']
}
return {
"attack_matrix": json.loads(summary_cache['attack_matrix']),
"tags": json.loads(summary_cache['tags']),
"expiry_ts": summary_cache["expiry_ts"],
"heuristics": json.loads(summary_cache['heuristics']),
"classification": summary_cache['classification'],
"filtered": summary_cache["filtered"],
"partial": False,
"heuristic_sections": json.loads(summary_cache['heuristic_sections']),
"heuristic_name_map": json.loads(summary_cache['heuristic_name_map'])
}
def check_for_source_change(delta_list, source):
change_list = {}
for delta in delta_list:
if delta['name'] == source['name']:
# Classification update
if delta['default_classification'] != source[
'default_classification']:
class_norm = Classification.normalize_classification(
delta['default_classification'])
change_list[
'default_classification'] = STORAGE.signature.update_by_query(
query=f'source:"{source["name"]}"',
operations=[("SET", "classification", class_norm)])
return change_list
def update_signature_source(service, name, **_):
"""
Update a signature source by name for a given service
Variables:
service => Service to which we want to update the source
name => Name of the source you want update
Arguments:
None
Data Block:
{
"uri": "http://somesite/file_to_get", # URI to fetch for parsing the rules
"name": "signature_file.yar", # Name of the file we will parse the rules as
"username": null, # Username used to get to the URI
"password": null, # Password used to get to the URI
"header": { # Header sent during the request to the URI
"X_TOKEN": "SOME RANDOM TOKEN" # Exemple of header
},
"private_key": null, # Private key used to get to the URI
"pattern": "^*.yar$" # Regex pattern use to get appropriate files from the URI
}
Result example:
{"success": True/False} # if the operation succeeded of not
"""
data = request.json
service_data = STORAGE.get_service_with_delta(service, as_obj=False)
current_sources = service_data.get('update_config', {}).get('sources', [])
# Ensure private_key (if any) ends with a \n
if data.get('private_key',
None) and not data['private_key'].endswith("\n"):
data['private_key'] += "\n"
if name != data['name']:
return make_api_response(
{"success": False},
err="You are not allowed to change the source name.",
status_code=400)
if not service_data.get('update_config', {}).get('generates_signatures',
False):
return make_api_response(
{"success": False},
err=
"This service does not generate alerts therefor you cannot update its sources.",
status_code=400)
if len(current_sources) == 0:
return make_api_response(
{"success": False},
err=
"This service does not have any sources therefor you cannot update any source.",
status_code=400)
new_sources = []
found = False
classification_changed = False
for source in current_sources:
if data['name'] == source['name']:
new_sources.append(data)
found = True
classification_changed = data['default_classification'] != source[
'default_classification']
else:
new_sources.append(source)
if not found:
return make_api_response(
{"success": False},
err=f"Could not found source '{data.name}' in service {service}.",
status_code=404)
service_delta = STORAGE.service_delta.get(service, as_obj=False)
if service_delta.get('update_config') is None:
service_delta['update_config'] = {"sources": new_sources}
else:
service_delta['update_config']['sources'] = new_sources
# Has the classification changed?
if classification_changed:
class_norm = Classification.normalize_classification(
data['default_classification'])
STORAGE.signature.update_by_query(query=f'source:"{data["name"]}"',
operations=[("SET", "classification",
class_norm)])
_reset_service_updates(service)
# Save the signature
success = STORAGE.service_delta.save(service, service_delta)
service_event_sender.send(service, {
'operation': Operation.Modified,
'name': service
})
return make_api_response({"success": success})
