def run(self, data, persistentData, actionResult): indicator = helpers.evalString(self.indicator, {"data": data}) otxType = helpers.evalString(self.otxType, {"data": data}) if re.search('(\.|\\|\/)', otxType): actionResult["result"] = False actionResult["rc"] = 255 return actionResult actionResult["data"]["otxIndicators"] = [] if os.path.isfile(Path( "plugins/otx/cache/ioc_{0}.csv".format(otxType))): f = csv.reader(open(Path( "plugins/otx/cache/ioc_{0}.csv".format(otxType)), "rt", encoding='utf-8'), quoting=csv.QUOTE_ALL, dialect='excel') for line in f: if indicator == line[12]: actionResult["data"]["otxIndicators"].append(line) if len(actionResult["data"]["otxIndicators"]) > 0: actionResult["result"] = True actionResult["rc"] = 0 else: actionResult["result"] = False actionResult["rc"] = 404 return actionResult
def run(self,data,persistentData,actionResult): ip = helpers.evalString(self.ip,{"data" : data}) domain = helpers.evalString(self.domain,{"data" : data}) scanName = helpers.evalString(self.scanName,{"data" : data}) scanResult = inga._inga().getAsClass(query={ "scanName" : scanName, "ip" : ip },fields=["scanName","ip","domains"]) if len(scanResult) == 1: scanResult = scanResult[0] domainFound = False for domainKey,domainItem in scanResult.domains.items(): if domainItem["domain"] == domain: domainFound = True break if not domainFound: scanResult._dbCollection.update_one({ "scanName" : scanName, "ip" : ip },{ "$push" : { "domains" : { "domain" : domain, "ip" : ip, "lastSeen" : time.time() } } }) actionResult["result"] = True actionResult["rc"] = 0 elif len(scanResult) == 0: newId = inga._inga().new(self.acl,scanName,str(ip),False) scanResult = inga._inga().getAsClass(id=str(newId.inserted_id),fields=["scanName","ip","domains"]) scanResult.domains.append({ "domain" : domain, "ip" : ip, "lastSeen" : time.time() }) scanResult.update(["domains"]) actionResult["result"] = True actionResult["rc"] = 201 else: actionResult["result"] = False actionResult["rc"] = 502 return actionResult
def run(self, data, persistentData, actionResult): ip = helpers.evalString(self.ip, {"data": data}) mask = helpers.evalString(self.mask, {"data": data}) asn = helpers.evalString(self.asn, {"data": data}) apiToken = auth.getPasswordFromENC(self.apiToken) result = None if asn: result = whoisxmlapi._whoisxmlapi(apiToken).netblock(asn=asn) elif ip and mask: result = whoisxmlapi._whoisxmlapi(apiToken).netblock(ip=ip, mask=mask) elif ip: result = whoisxmlapi._whoisxmlapi(apiToken).netblock(ip=ip) if result: actionResult["result"] = True actionResult["rc"] = 0 actionResult["apiResult"] = result else: actionResult["result"] = False actionResult["rc"] = 404 actionResult[ "msg"] = "Failed to get a valid response from whoisxmlapi API" return actionResult
def run(self, data, persistentData, actionResult): headers = {"Content-Type": "application/json; charset=UTF-8"} url = helpers.evalString(self.url, {"data": data}) body = helpers.evalString(self.body, {"data": data}) timeout = 60 if self.timeout > 0: timeout = self.timeout kwargs = {} kwargs["headers"] = headers kwargs["timeout"] = timeout kwargs["data"] = json.dumps({"text": body}) if self.ca: kwargs["verify"] == Path(self.ca) if self.proxy: kwargs["proxies"] = self.proxy response = requests.post(url, **kwargs) actionResult["result"] = True actionResult["rc"] = response.status_code actionResult["data"] = { "headers": response.headers, "text": response.text } return actionResult
def run(self, data, persistentData, actionResult): ip = helpers.evalString(self.ip, {"data": data}) domain = helpers.evalString(self.domain, {"data": data}) scanName = helpers.evalString(self.scanName, {"data": data}) scanResult = inga._inga().getAsClass( query={ "scanName": scanName, "ip": ip, "domains.domain": domain }, fields=["scanName", "ip", "domains"]) if len(scanResult) == 1: scanResult = scanResult[0] scanResult._dbCollection.update_one( { "scanName": scanName, "ip": ip, "domains.domain": domain }, {"$pull": { "domains": { "domain": domain } }}) actionResult["result"] = True actionResult["rc"] = 200 else: actionResult["result"] = False actionResult["rc"] = 502 return actionResult
def doAction(self, data): host = helpers.evalString(self.host, {"data": data["flowData"]}) port = helpers.evalString(self.port, {"data": data["flowData"]}) deviceHostname = helpers.evalString(self.deviceHostname, {"data": data["flowData"]}) user = helpers.evalString(self.user, {"data": data["flowData"]}) if self.password.startswith("ENC"): password = auth.getPasswordFromENC(self.password) else: password = "" client = fortigate.fortigate(host, deviceHostname, user, password=password, port=port, maxRecvTime=self.maxRecvTime) if client.client != None: data["eventData"]["remote"] = {"client": client} return {"result": True, "rc": 0, "msg": "Connection successful"} else: return { "result": False, "rc": 403, "msg": "Connection failed - {0}".format(client.error) }
def run(self, data, persistentData, actionResult): from email.mime.text import MIMEText body = helpers.evalString(self.body, {"data": data}) subject = helpers.evalString(self.subject, {"data": data}) if self.password.startswith("ENC") and self.password != "": password = auth.getPasswordFromENC(self.password) elif "%%" in self.password: password = helpers.evalString(self.password, {"data": data["flowData"]}) else: password = "" if self.html: msg = MIMEText(body, "html") else: msg = MIMEText(body) msg['Subject'] = subject msg['From'] = self.sender msg['To'] = self.to if password != "": self.sendEmailAuth(msg, smtplib.SMTP(self.host, self.port), self.sender, password) else: self.sendEmail(msg, smtplib.SMTP(self.host, self.port)) actionResult["result"] = True actionResult["rc"] = 0 return actionResult
def run(self, data, persistentData, actionResult): relationshipData = helpers.evalDict(self.relationshipData, {"data": data}) fromAsset = helpers.evalString(self.fromAsset, {"data": data}) toAsset = helpers.evalString(self.toAsset, {"data": data}) timespan = 3600 if self.timespan > 0: timespan = self.timespan timespan = helpers.roundTime(roundTo=timespan).timestamp() match = "{0}={1}->{2}".format(timespan, fromAsset, toAsset) # This will cause a memory leak overtime as globalCache is not cleared down --- this needs to be fixed relationship = cache.globalCache.get("assetRelationshipCache", match, getAssetRelationshipObject, timespan, fromAsset, toAsset, extendCacheTime=True) if not relationship: relationshipItem = _assetRelationship().bulkNew( self.acl, timespan, fromAsset, toAsset, relationshipData, self.bulkClass) if relationshipItem: cache.globalCache.insert("assetRelationshipCache", match, [relationshipItem]) actionResult["result"] = True actionResult["rc"] = 0 return actionResult
def doAction(self, data): activityData = helpers.evalDict(self.activityData, {"data": data["flowData"]}) conversationId = helpers.evalString(self.conversationId, {"data": data["flowData"]}) activityId = helpers.evalString(self.activityId, {"data": data["flowData"]}) if not self.client_id: azureBotTrigger = data["persistentData"]["system"]["trigger"] if not hasattr(azureBotTrigger, "azurebotservice"): azureBotTrigger.azurebotservice = azurebotservice._azurebotservice( clientId=azureBotTrigger.client_id, clientSecret=jimi.auth.getPasswordFromENC( azureBotTrigger.client_secret), serviceUrl=data["flowData"]["event"]["serviceUrl"]) else: azureBotTrigger.azurebotservice = azurebotservice._azurebotservice( clientId=self.client_id, clientSecret=jimi.auth.getPasswordFromENC(self.client_secret), serviceUrl=self.service_url) result = azureBotTrigger.azurebotservice.updateActivity( activityData, conversationId, activityId) if result: return {"result": True, "rc": 0, "msg": "Activity updated."} else: return { "result": False, "rc": 400, "msg": "Invalid response from web service, check your url." }
def run(self, data, persistentData, actionResult): endpointID = helpers.evalString(self.endpointID, {"data": data}) tenant = helpers.evalString(self.tenant, {"data": data}) client_secret = auth.getPasswordFromENC(self.client_secret) actionResult["data"] = "Not yet implemented" actionResult["result"] = False actionResult["rc"] = 0 return actionResult
def doAction(self, data): host = helpers.evalString(self.host, {"data": data["flowData"]}) user = helpers.evalString(self.user, {"data": data["flowData"]}) port = helpers.evalString(self.port_forward, {"data": data["flowData"]}) if self.password.startswith("ENC"): password = auth.getPasswordFromENC(self.password) elif "%%" in self.password: password = helpers.evalString(self.password, {"data": data["flowData"]}) else: password = "" keyfile = helpers.evalString(self.keyfile, {"data": data["flowData"]}) if self.isPortForward: if keyfile != "": if password: client = linux.linux( host, user, keyFile=keyfile, password=password, port_forward=True, port=port, ) else: client = linux.linux(host, user, keyFile=keyfile, port_forward=True, port=port) else: client = linux.linux(host, user, password=password) else: if keyfile != "": if password != "": client = linux.linux(host, user, keyFile=keyfile, password=password) else: client = linux.linux(host, user, keyFile=keyfile) else: client = linux.linux(host, user, password=password) if client.client != None: data["eventData"]["remote"] = {} data["eventData"]["remote"]["client"] = client if self.isPortForward: data["eventData"]["remote"]["port"] = client.tunnelPort return {"result": True, "rc": 0, "msg": "Connection successful"} else: return { "result": False, "rc": 403, "msg": "Connection failed - {0}".format(client.error), }
def run(self, data, persistentData, actionResult): host = helpers.evalString(self.host, {"data": data}) user = helpers.evalString(self.user, {"data": data}) port = helpers.evalString(self.port_forward, {"data": data}) if self.password.startswith("ENC"): password = auth.getPasswordFromENC(self.password) else: password = "" keyfile = helpers.evalString(self.keyfile, {"data": data}) if self.isPortForward: if keyfile != "": if password: client = linux.linux(host, user, keyFile=keyfile, password=password, port_forward=True, port=port) else: client = linux.linux(host, user, keyFile=keyfile, port_forward=True, port=port) else: client = linux.linux(host, user, password=password) else: if keyfile != "": if password != "": client = linux.linux(host, user, keyFile=keyfile, password=password) else: client = linux.linux(host, user, keyFile=keyfile) else: client = linux.linux(host, user, password=password) if client.client != None: persistentData["remote"] = {} persistentData["remote"]["client"] = client if self.isPortForward: # print(f"MAIN port is {client.tunnelPort}") persistentData["remote"]["port"] = client.tunnelPort actionResult["result"] = True actionResult["rc"] = 0 actionResult["msg"] = "Connection successful" return actionResult else: actionResult["result"] = False actionResult["rc"] = 403 actionResult["msg"] = "Connection failed - {0}".format( client.error) return actionResult
def run(self,data,persistentData,actionResult): apiAddress = helpers.evalString(self.apiAddress,{"data" : data}) user = helpers.evalString(self.user,{"data" : data}) sensors = cache.globalCache.get("philipshueList","sensors",getPhilipshueList,apiAddress,user,forceUpdate=True) actionResult["result"] = True actionResult["data"]["sensors"] = sensors actionResult["rc"] = 0 return actionResult
def doAction(self,data): actionResult = {} ip = helpers.evalString(self.ip,{"data" : data["flowData"]}) port = helpers.evalString(self.port,{"data" : data["flowData"]}) scanName = helpers.evalString(self.scanName,{"data" : data["flowData"]}) domainName = helpers.evalString(self.domainName,{"data" : data["flowData"]}) result = [] protocols = ["http", "https"] for protocol in protocols: timeout = 5 if self.timeout != 0: timeout = self.timeout response = remoteHelpers.runRemoteFunction(self.runRemote,data["eventData"],webserverConnect,{"protocol" : protocol, "ip" : ip, "port" : port, "timeout" : timeout, "domainName" : domainName},False) if "error" not in response: headers = helpers.lower_dict(response["headers"]) for excludeHeader in self.excludeHeaders: if excludeHeader in headers: del headers[excludeHeader] # Update scan if updateScan mapping was provided if len(scanName) > 0: if domainName == "": inga._inga()._dbCollection.update_one({ "scanName": scanName, "ip": ip, "ports.tcp.port" : port },{ "$set" : { "ports.tcp.$.data.webServerDetect" : { "protocol" : protocol, "headers" : headers, "lastSeen" : time.time() } } }) url = "{0}://{1}:{2}".format(protocol,ip,port) else: inga._inga()._dbCollection.update_one({ "scanName": scanName, "ip": ip, "domains.domain" : domainName },{ "$set" : { "domains.$.data.webServerDetect.{0}".format(protocol) : { "protocol" : protocol, "headers" : headers, "lastSeen" : time.time() } } }) url = "{0}://{1}".format(protocol,domainName) # Detect HTTP -> HTTPS redirect upgrade insecureUpgrade = None try: if protocol == "http" and "https://" in headers["location"]: insecureUpgrade = True except KeyError: if protocol == "http": insecureUpgrade = False result.append({ "protocol" : protocol, "headers" : headers, "url" : url, "insecureUpgrade" : insecureUpgrade }) else: actionResult["result"] = False actionResult["rc"] = 500 actionResult["msg"] = response["error"] actionResult["stderr"] = response["stderr"] actionResult["stdout"] = response["stdout"] return actionResult if result: actionResult["result"] = True actionResult["rc"] = 0 actionResult["serverDetails"] = result else: actionResult["result"] = False actionResult["rc"] = 404 return actionResult
def run(self,data,persistentData,actionResult): apiAddress = helpers.evalString(self.apiAddress,{"data" : data}) user = helpers.evalString(self.user,{"data" : data}) groupName = helpers.evalString(self.groupName,{"data" : data}) hueApi = hue.hue(apiAddress,user) groups = hueApi.getGroups() result = hueApi.groupOff(groups[groupName]) actionResult["result"] = result actionResult["rc"] = 0 return actionResult
def run(self,data,persistentData,actionResult): apiAddress = helpers.evalString(self.apiAddress,{"data" : data}) user = helpers.evalString(self.user,{"data" : data}) lightName = helpers.evalString(self.lightName,{"data" : data}) hueApi = hue.hue(apiAddress,user) lights = hueApi.getLights() result = hueApi.lightOff(lights[lightName]) actionResult["result"] = result actionResult["rc"] = 0 return actionResult
def run(self,data,persistentData,actionResult): apiAddress = helpers.evalString(self.apiAddress,{"data" : data}) user = helpers.evalString(self.user,{"data" : data}) lightName = helpers.evalString(self.lightName,{"data" : data}) lights = cache.globalCache.get("philipshueList","lights",getPhilipshueList,apiAddress,user,dontCheck=self.refreshLight) if self.refreshLight: hueApi = hue.hue(apiAddress,user) lights[lightName] = hueApi.refreshLight(lights[lightName]) actionResult["result"] = True actionResult["data"]["light"] = lights[lightName] actionResult["rc"] = 0 return actionResult
def run(self,data,persistentData,actionResult): ip = helpers.evalString(self.ip,{"data" : data}) scanName = helpers.evalString(self.scanName,{"data" : data}) scanResult = inga._inga().getAsClass(query={ "scanName" : scanName, "ip" : ip },fields=["scanName","ip"]) if len(scanResult) == 1: scanResult = scanResult[0] scanResult.delete() actionResult["result"] = True actionResult["rc"] = 0 else: actionResult["result"] = False actionResult["rc"] = 502 return actionResult
def run(self,data,persistentData,actionResult): headers = helpers.evalDict(self.headers,{"data" : data}) url = helpers.evalString(self.url,{"data" : data}) method = helpers.evalString(self.method,{"data" : data}).upper() postData = helpers.evalString(self.postData,{"data" : data}) kwargs={} kwargs["headers"] = headers if self.timeout == 0: kwargs["timeout"] = 5 else: kwargs["timeout"] = self.timeout if self.ca: kwargs["verify"] = Path(self.ca) if self.proxy: kwargs["proxies"] = self.proxy else: kwargs["proxies"] = { "http": None, "https": None } if self.cookies: cookies = helpers.evalDict(self.cookies,{"data" : data}) kwargs["cookies"] = cookies try: if method == "GET": response = requests.get(url,**kwargs) elif method == "POST": kwargs["data"] = postData response = requests.post(url,**kwargs) elif method == "PUT": kwargs["data"] = postData response = requests.put(url,**kwargs) elif method == "DELETE": response = requests.delete(url,**kwargs) text = response.text if self.returnsJson: try: text = response.json() except: text = response.text actionResult["result"] = True actionResult["rc"] = response.status_code actionResult["data"] = { "headers" : dict(response.headers), "text" : text } except: actionResult["result"] = False actionResult["rc"] = 404 return actionResult
def run(self, data, persistentData, actionResult): endpointID = helpers.evalString(self.endpointID, {"data": data}) tenant = helpers.evalString(self.tenant, {"data": data}) client_secret = auth.getPasswordFromENC(self.client_secret) sophos = sophosApi.sophos(None, self.client_id, client_secret, self.XOrganizationID) sophos.setTenant(tenant) res = sophos.getTamperProtection(endpointID) if res["result"]: actionResult["result"] = True actionResult["rc"] = 0 actionResult["data"] = res["data"] return actionResult
def run(self,data,persistentData,actionResult): apiAddress = helpers.evalString(self.apiAddress,{"data" : data}) user = helpers.evalString(self.user,{"data" : data}) sensorName = helpers.evalString(self.sensorName,{"data" : data}) sensors = cache.globalCache.get("philipshueList","sensors",getPhilipshueList,apiAddress,user,dontCheck=self.refreshSensor) if self.refreshSensor: hueApi = hue.hue(apiAddress,user) sensors[sensorName] = hueApi.refreshSensor(sensors[sensorName]) actionResult["result"] = True actionResult["data"]["sensor"] = sensors[sensorName] actionResult["rc"] = 0 return actionResult
def doAction(self, data): host = helpers.evalString(self.host, {"data": data["flowData"]}) user = helpers.evalString(self.user, {"data": data["flowData"]}) password = auth.getPasswordFromENC(self.password) client = windows.windows(host, user, password) if client.client != None: data["eventData"]["remote"] = {"client": client} return {"result": True, "rc": 0, "msg": "Connection successful"} else: return { "result": False, "rc": 403, "msg": "Connection failed - {0}".format(client.error) }
def run(self,data,persistentData,actionResult): apiAddress = helpers.evalString(self.apiAddress,{"data" : data}) user = helpers.evalString(self.user,{"data" : data}) sensorName = helpers.evalString(self.sensorName,{"data" : data}) hueApi = hue.hue(apiAddress,user) sensors = cache.globalCache.get("philipshueList","sensors",getPhilipshueList,apiAddress,user,dontCheck=self.refreshSensor) detectionPause = 1 if self.detectionPause > 0: detectionPause = self.detectionPause motionDetected = hueApi.sensorMotion(sensors[sensorName],pause=detectionPause,autoUpdate=self.refreshSensor) actionResult["result"] = motionDetected actionResult["rc"] = 0 return actionResult
def doAction(self, data): remoteFile = helpers.evalString(self.remoteFile, {"data": data["flowData"]}) localFile = helpers.evalString(self.localFile, {"data": data["flowData"]}) if self.useStorage: try: localFileClass = jimi.storage._storage().getAsClass( query={ "fileData": localFile, "systemStorage": True, "source": "remoteDownload" })[0] except: localFileClass = jimi.storage._storage() localFileClass.new(self.acl, "remoteDownload", localFile, True) localFile = localFileClass.getFullFilePath() client = None if "remote" in data["eventData"]: if "client" in data["eventData"]["remote"]: client = data["eventData"]["remote"]["client"] if client: if client.download(remoteFile, localFile, self.createMissingFolders): if self.useStorage: localFileClass.calculateHash() return { "result": True, "rc": 0, "msg": "File transfered successful", "storage": { "fileHash": localFileClass.fileHash, "_id": localFileClass._id } } return { "result": True, "rc": 0, "msg": "File transfered successful" } return { "result": False, "rc": 403, "msg": "File transfer failed - {0}".format(client.error) }
def run(self, data, persistentData, actionResult): relationshipData = helpers.evalDict(self.relationshipData, {"data": data}) events = helpers.evalString(self.eventField, {"data": data}) timespan = 3600 if self.timespan > 0: timespan = self.timespan timespan = helpers.roundTime(roundTo=timespan).timestamp() matches = {} for event in events: matches["{0}->{1}".format(event[self.fromAssetField], event[self.toAssetField])] = event results = _assetRelationship().query(query={"timespan": timespan}, fields=["fromAsset", "toAsset"])["results"] for result in results: match = "{0}->{1}".format(result["fromAsset"], result["toAsset"]) if match in matches: del matches[match] for match in matches: _assetRelationship().bulkNew(self.acl, timespan, matches[match][self.fromAssetField], matches[match][self.toAssetField], relationshipData, self.bulkClass) actionResult["result"] = True actionResult["rc"] = 0 return actionResult
def run(self,data,persistentData,actionResult): correlationID = helpers.evalString(self.correlationID,{"data" : data}) correlatedRelationship = event._eventCorrelation().query(id=correlationID)["results"][0] actionResult["result"] = True actionResult["rc"] = 0 actionResult["correlation"] = correlatedRelationship return actionResult
def run(self,data,persistentData,actionResult): eventIndex = helpers.evalString(self.eventIndex,{"data" : data}) try: currentEvent = persistentData["plugin"]["event"][eventIndex] if self.zeroUpdate: currentEvent.layer = self.layer currentEvent.accuracy = self.accuracy currentEvent.impact = self.impact currentEvent.benign = self.benign else: if self.layer > 0: currentEvent.layer = self.layer if self.accuracy > 0: currentEvent.accuracy = self.accuracy if self.impact > 0: currentEvent.impact = self.impact if self.benign > 0: currentEvent.benign = self.benign try: score = ((currentEvent.accuracy*(currentEvent.impact*currentEvent.layer))/currentEvent.benign) except ZeroDivisionError: score = 0 currentEvent.score = score currentEvent.update(["layer","accuracy","impact","benign","score"]) actionResult["result"] = True actionResult["rc"] = 0 actionResult["score"] = score except KeyError: actionResult["result"] = False actionResult["rc"] = 404 actionResult["msg"] = "No event found within current flow" return actionResult
def doAction(self, data): command = helpers.evalString(self.command, {"data": data["flowData"]}) try: client = data["eventData"]["remote"]["client"] except KeyError: client = None if client: exitCode, output, errors = client.command(command, elevate=self.elevate, runAs=self.runAs, timeout=self.timeout) if exitCode != None: return { "result": True, "rc": exitCode, "msg": "Command succesfull", "data": output, "errors": errors } else: return { "result": False, "rc": 255, "msg": client.error, "data": "", "errors": "" } else: return {"result": False, "rc": 403, "msg": "No connection found"}
def run(self, data, persistentData, actionResult): eventIndex = helpers.evalString(self.eventIndex, {"data": data}) eventValues = helpers.evalDict(self.eventValues, {"data": data}) try: currentEvent = persistentData["plugin"]["event"][eventIndex] if self.updateMode == 0: for key, value in eventValues.items(): currentEvent.eventValues[key] = value elif self.updateMode == 1: currentEvent.eventValues = eventValues elif self.updateMode == 2: for key, value in eventValues.items(): if value: if key in currentEvent.eventValues: if type(currentEvent.eventValues[key]) != list: currentEvent.eventValues[key] = [ currentEvent.eventValues[key] ] if type(value) is list: currentEvent.eventValues[key] += value else: currentEvent.eventValues[key].append(value) else: currentEvent.eventValues[key] = value currentEvent.eventFields = list(currentEvent.eventValues.keys()) currentEvent.update(["eventValues", "eventFields"]) actionResult["result"] = True actionResult["rc"] = 0 except KeyError: actionResult["result"] = False actionResult["rc"] = 404 actionResult["msg"] = "No event found within current flow" return actionResult
def doAction(self, data): actionResult = {} scanName = helpers.evalString(self.scanName, {"data": data["flowData"]}) customSearch = helpers.evalDict(self.customSearch, {"data": data["flowData"]}) if scanName != "": search = {"scanName": scanName} else: search = {} if customSearch: for key, value in customSearch.items(): search[key] = value actionResult["result"] = True actionResult["rc"] = 0 if self.limit > 0: actionResult["events"] = inga._inga().query( query=search, limit=self.limit, sort=[("ports.scanDetails.lastPortScan", 1)])["results"] else: actionResult["events"] = inga._inga().query( query=search, sort=[("ports.scanDetails.lastPortScan", 1)])["results"] return actionResult