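def __init__(self, username, *args, **kwargs):
    """
    Populate the source, campaign and confidence choices of the form.

    :param username: The requesting user; passed through to the source
                     lookups to scope the selectable sources.
    """
    super(AddDomainForm, self).__init__(*args, **kwargs)
    # Resolve the user's sources and organization once: both the domain and
    # the IP source fields are filled from the same data.
    source_choices = [(src.name, src.name)
                      for src in get_source_names(True, True, username)]
    org = get_user_organization(username)
    # Each field gets its own list so that a later in-place mutation of one
    # field's choices cannot leak into the other (the original aliased one
    # list object to both fields).
    self.fields['domain_source'].choices = list(source_choices)
    self.fields['ip_source'].choices = list(source_choices)
    self.fields['domain_source'].initial = org
    self.fields['ip_source'].initial = org
    self.fields['campaign'].choices = [('', '')] + [
        (c.name, c.name) for c in get_item_names(Campaign, True)]
    self.fields['confidence'].choices = [('', ''),
                                        ('low', 'low'),
                                        ('medium', 'medium'),
                                        ('high', 'high')]
    add_bucketlist_to_form(self)
    add_ticket_to_form(self)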
def __init__(self, username, *args, **kwargs):
    """
    Populate the choice fields of the file upload form.

    Sources, campaign, confidence, backdoor and relationship type are
    filled in; bucket-list and ticket fields are appended afterwards.

    :param username: The requesting user; scopes the source and backdoor
                     lookups.
    """
    super(UploadFileForm, self).__init__(*args, **kwargs)
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
    campaigns = [(c.name, c.name) for c in get_item_names(Campaign, True)]
    self.fields['campaign'].choices = [('', '')] + campaigns
    self.fields['confidence'].choices = [
        ('', ''), ('low', 'low'), ('medium', 'medium'), ('high', 'high')]
    self.fields['relationship_type'].choices = relationship_choices
    self.fields['relationship_type'].initial = RelationshipTypes.RELATED_TO
    # Backdoor option values join name and version with a '|||' separator;
    # presumably the consumer splits on it again. An empty version gets no
    # "(Version: ...)" suffix in the label.
    backdoor_choices = [('', '')]
    for (name, version) in get_backdoor_names(username):
        label = name
        if version:
            label += ' (Version: ' + version + ')'
        backdoor_choices.append((name + '|||' + version, label))
    self.fields['backdoor'].choices = backdoor_choices
    add_bucketlist_to_form(self)
    add_ticket_to_form(self)
def __init__(self, username, *args, **kwargs):
    """
    Extend the AddDomainForm initializer with IP, TLP, campaign and
    relationship fields.

    Campaign choices are only populated when the user has campaign read
    access; the other fields are filled unconditionally.

    :param username: The requesting user object; forwarded to the parent
                     initializer and used for the access check.
    """
    super(AddDomainForm, self).__init__(username, *args, **kwargs)
    ip_src = self.fields['ip_source']
    ip_src.choices = [(s.name, s.name)
                      for s in get_source_names(True, True, username)]
    ip_src.initial = get_user_organization(username)
    tlp_levels = ('red', 'amber', 'green', 'white')
    self.fields['ip_tlp'].choices = [(lvl, lvl) for lvl in tlp_levels]
    self.fields['ip_tlp'].initial = 'red'
    if username.has_access_to(Common.CAMPAIGN_READ):
        campaigns = [(c.name, c.name)
                     for c in get_item_names(Campaign, True)]
        self.fields['campaign'].choices = [('', '')] + campaigns
    self.fields['confidence'].choices = [
        ('', ''), ('low', 'low'), ('medium', 'medium'), ('high', 'high')]
    self.fields['ip_type'].choices = ip_choices
    self.fields['ip_type'].initial = IPTypes.IPV4_ADDRESS
    self.fields['relationship_type'].choices = relationship_choices
    self.fields['relationship_type'].initial = RelationshipTypes.RELATED_TO
    add_bucketlist_to_form(self)
    add_ticket_to_form(self)
def __init__(self, username, *args, **kwargs):
    """
    Restrict the source name choices to the sources available to the user.

    :param username: The requesting user; scopes the source lookup and
                     selects the default organization.
    """
    super(SourceForm, self).__init__(*args, **kwargs)
    name_field = self.fields['name']
    name_field.choices = [(src.name, src.name)
                          for src in get_source_names(True, True, username)]
    # Default to the user's own organization.
    name_field.initial = get_user_organization(username)
def __init__(self, username, *args, **kwargs):
    """
    Populate the source choices of the indicator CSV upload form.

    :param username: The requesting user; scopes the source lookup and
                     selects the default organization.
    """
    super(UploadIndicatorCSVForm, self).__init__(*args, **kwargs)
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
def __init__(self, username, *args, **kwargs):
    """
    Populate the source choices of the PCAP upload form and append the
    bucket-list and ticket fields.

    :param username: The requesting user; scopes the source lookup.
    """
    super(UploadPcapForm, self).__init__(*args, **kwargs)
    src_field = self.fields["source"]
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
    add_bucketlist_to_form(self)
    add_ticket_to_form(self)
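def __init__(self, username, *args, **kwargs):
    """
    Populate the source, campaign, confidence and IP type choices.

    :param username: The requesting user; passed through to the source
                     lookups to scope the selectable sources.
    """
    super(AddDomainForm, self).__init__(*args, **kwargs)
    # Resolve the user's sources and organization once: both the domain and
    # the IP source fields are filled from the same data.
    source_choices = [(src.name, src.name)
                      for src in get_source_names(True, True, username)]
    org = get_user_organization(username)
    # Each field gets its own list so that a later in-place mutation of one
    # field's choices cannot leak into the other (the original aliased one
    # list object to both fields).
    self.fields['domain_source'].choices = list(source_choices)
    self.fields['ip_source'].choices = list(source_choices)
    self.fields['domain_source'].initial = org
    self.fields['ip_source'].initial = org
    self.fields['campaign'].choices = [('', '')] + [
        (c.name, c.name) for c in get_item_names(Campaign, True)]
    self.fields['confidence'].choices = [('', ''),
                                        ('low', 'low'),
                                        ('medium', 'medium'),
                                        ('high', 'high')]
    self.fields['ip_type'].choices = ip_choices
    self.fields['ip_type'].initial = "Address - ipv4-addr"
    add_bucketlist_to_form(self)
    add_ticket_to_form(self)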
def __init__(self, username, *args, **kwargs):
    """
    Populate the source choices and pre-fill the text area with the
    expected column header line.

    :param username: The requesting user; scopes the source lookup.
    """
    super(UploadIndicatorTextForm, self).__init__(*args, **kwargs)
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
    # Header row shown to the user as a template for the pasted data.
    header = ("Indicator, Type, Threat Type, Attack Type, Campaign, "
              "Campaign Confidence, Confidence, Impact, Bucket List, "
              "Ticket, Action, Status\n")
    self.fields['data'].initial = header
def __init__(self, username, *args, **kwargs):
    """
    Populate the source choices of the standards upload form.

    The label suffix defaults to ':' unless the caller overrides it.

    :param username: The requesting user; scopes the source lookup.
    """
    if 'label_suffix' not in kwargs:
        kwargs['label_suffix'] = ':'
    super(UploadStandardsForm, self).__init__(*args, **kwargs)
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
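def process_screenshots(self, screenshots):
    """
    Store every image of a zip archive of screenshots as a CRITs screenshot
    attached to the analysed object.

    :param screenshots: Raw bytes of a zip archive produced by the sandbox.
    """
    org = get_user_organization(self.current_task.user)
    analyst = str(self.current_task.user)
    # NOTE(review): the archive is external input from the sandbox; member
    # sizes are not bounded before read(). Consider checking
    # ZipInfo.file_size against a cap if reports are not trusted.
    # Closing the ZipFile deterministically avoids leaking its handles.
    with zipfile.ZipFile(io.BytesIO(screenshots)) as archive:
        for name in archive.namelist():
            screenshot = archive.read(name)
            ret = add_screenshot(description='Screenshot from Joe Sandbox',
                                 tags=[],
                                 source=org,
                                 method=self.name,
                                 reference=self.obj.filename,
                                 tlp=self.obj.tlp,
                                 analyst=analyst,
                                 screenshot=io.BytesIO(screenshot),
                                 screenshot_ids=[],
                                 oid=str(self.obj.id),
                                 otype=self.obj._meta['crits_type'])
            if ret['success']:
                # MD5 is only a display identifier here, not an integrity check.
                md5 = hashlib.md5(screenshot).hexdigest()
                self._add_result("Screenshots", "Screenshot", {'md5': md5})
            else:
                self._warning(ret["message"])
    self._notify()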
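def process_sandbox_infos(self, incident_report, html_report):
    """
    Record the report metadata and attach the HTML report to the object.

    :param incident_report: Parsed XML tree of the sandbox incident report.
    :param html_report: Raw bytes of the HTML report to upload.
    """
    for error in incident_report.findall("./errors/error"):
        self._error(error.text)

    def text_of(path):
        # The report is external input; a missing element yields None
        # instead of raising AttributeError on `.text`.
        node = incident_report.find(path)
        return node.text if node is not None else None

    info = {
        "Report Id": text_of("./id"),
        "Joe Sandbox Version": text_of("./version"),
        "Architecture": text_of("./arch"),
        "System": text_of("./system"),
        "File Type": text_of("./filetype"),
    }
    # upload HTML report
    fp = io.BytesIO(html_report)
    fp.name = "report.html"
    ret = add_object(self.obj._meta['crits_type'],
                     self.obj.id,
                     object_type=ObjectTypes.FILE_UPLOAD,
                     source=get_user_organization(self.current_task.user),
                     method=self.name,
                     reference=None,
                     file_=fp,
                     tlp=self.obj.tlp,
                     user=str(self.current_task.user))
    if ret['success']:
        # MD5 is only a display identifier here, not an integrity check.
        info["md5"] = hashlib.md5(html_report).hexdigest()
    else:
        self._warning(ret["message"])
    self._add_result("Joe Sandbox Infos", "Report", info)
    self._notify()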
def __init__(self, username, *args, **kwargs):
    """
    Populate the source choices of the standards upload form.

    The label suffix defaults to ':' unless the caller overrides it.

    :param username: The requesting user; scopes the source lookup.
    """
    if 'label_suffix' not in kwargs:
        kwargs['label_suffix'] = ':'
    super(UploadStandardsForm, self).__init__(*args, **kwargs)
    sources = get_source_names(True, True, username)
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name) for s in sources]
    src_field.initial = get_user_organization(username)
def __init__(self, username, *args, **kwargs):
    """
    Populate the source choices and pre-fill the text area with the
    expected column header line.

    :param username: The requesting user; scopes the source lookup.
    """
    super(UploadIndicatorTextForm, self).__init__(*args, **kwargs)
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
    # Header row shown to the user as a template for the pasted data.
    header = ("Indicator, Type, Campaign, Campaign Confidence, Confidence, "
              "Impact, Bucket List, Ticket, Action\n")
    self.fields['data'].initial = header
def __init__(self, username, *args, **kwargs):
    """
    Populate the source and relationship type choices of the indicator CSV
    upload form.

    :param username: The requesting user; scopes the source lookup.
    """
    super(UploadIndicatorCSVForm, self).__init__(*args, **kwargs)
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
    rel_field = self.fields['relationship_type']
    rel_field.choices = relationship_choices
    rel_field.initial = RelationshipTypes.RELATED_TO
def __init__(self, username, *args, **kwargs):
    """
    Populate the identifier type and source choices of the actor
    identifier form.

    :param username: The requesting user; scopes the source lookup.
    """
    super(AddActorIdentifierForm, self).__init__(*args, **kwargs)
    id_types = get_item_names(ActorThreatIdentifier, True)
    self.fields['identifier_type'].choices = [(t.name, t.name)
                                              for t in id_types]
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
def __init__(self, username, *args, **kwargs):
    """
    Populate the source and data type choices of the raw data upload form
    and append the bucket-list and ticket fields.

    :param username: The requesting user; scopes the source lookup.
    """
    super(UploadRawDataFileForm, self).__init__(*args, **kwargs)
    src_field = self.fields["source"]
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
    data_types = get_item_names(RawDataType, True)
    self.fields["data_type"].choices = [(t.name, t.name) for t in data_types]
    add_bucketlist_to_form(self)
    add_ticket_to_form(self)
def __init__(self, username, *args, **kwargs):
    """
    Populate the source name and TLP choices of the inline source form.

    :param username: The requesting user; scopes the source lookup.
    """
    super(SourceInForm, self).__init__(*args, **kwargs)
    name_field = self.fields['source_name']
    name_field.choices = [(s.name, s.name)
                          for s in get_source_names(True, True, username)]
    name_field.initial = get_user_organization(username)
    tlp_field = self.fields['source_tlp']
    tlp_field.choices = [(lvl, lvl)
                         for lvl in ('red', 'amber', 'green', 'white')]
    # Most restrictive sharing level is the default.
    tlp_field.initial = 'red'
def __init__(self, username, *args, **kwargs):
    """
    Populate the source and relationship type choices of the PCAP upload
    form and append the bucket-list and ticket fields.

    :param username: The requesting user; scopes the source lookup.
    """
    super(UploadPcapForm, self).__init__(*args, **kwargs)
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
    rel_field = self.fields['relationship_type']
    rel_field.choices = relationship_choices
    rel_field.initial = RelationshipTypes.RELATED_TO
    add_bucketlist_to_form(self)
    add_ticket_to_form(self)
def __init__(self, username, *args, **kwargs):
    """
    Populate the source and relationship type choices and pre-fill the text
    area with the expected column header line.

    :param username: The requesting user; scopes the source lookup.
    """
    super(UploadIndicatorTextForm, self).__init__(*args, **kwargs)
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
    # Header row shown to the user as a template for the pasted data.
    header = ("Indicator, Type, Threat Type, Attack Type, Description, "
              "Campaign, Campaign Confidence, Confidence, Impact, "
              "Bucket List, Ticket, Action, Status\n")
    self.fields['data'].initial = header
    rel_field = self.fields['relationship_type']
    rel_field.choices = relationship_choices
    rel_field.initial = RelationshipTypes.RELATED_TO
def __init__(self, username, *args, **kwargs):
    """
    Populate the source choices of the PCAP upload form and append the
    bucket-list and ticket fields.

    :param username: The requesting user; scopes the source lookup.
    """
    super(UploadPcapForm, self).__init__(*args, **kwargs)
    sources = get_source_names(True, True, username)
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name) for s in sources]
    src_field.initial = get_user_organization(username)
    add_bucketlist_to_form(self)
    add_ticket_to_form(self)
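def comment_add(cleaned_data, obj_type, obj_id, method, subscr, analyst):
    """
    Add a new comment.

    :param cleaned_data: Cleaned data from the Django form submission.
    :type cleaned_data: dict
    :param obj_type: The top-level object type to add the comment to.
    :type obj_type: str
    :param obj_id: The top-level ObjectId to add the comment to.
    :type obj_id: str
    :param method: If this is a reply or not (set method to "reply").
    :type method: str
    :param subscr: The subscription information for the top-level object.
    :type subscr: dict
    :param analyst: The user adding the comment.
    :type analyst: str
    :returns: dict with keys:
              'success' (boolean),
              'message': (str),
              'html' (str) if successful.
    """
    comment = Comment()
    comment.comment = cleaned_data['comment']
    comment.parse_comment()
    comment.set_parent_object(obj_type, obj_id)
    if method == "reply":
        comment.set_parent_comment(cleaned_data['parent_date'],
                                   cleaned_data['parent_analyst'])
    comment.analyst = analyst
    comment.set_url_key(cleaned_data['url_key'])
    source = create_embedded_source(name=get_user_organization(analyst),
                                    analyst=analyst,
                                    needs_tlp=False)
    comment.source = [source]
    try:
        comment.save(username=analyst)
        # this is silly :( in the comment object the dates are still
        # accurate to .###### seconds, but in the database are only
        # accurate to .### seconds. This messes with the template's ability
        # to compare creation and edit times.
        comment.reload()
        # Escaping of the user-supplied comment text for the rendered row is
        # the responsibility of comment_to_html() (defined elsewhere).
        comment.comment_to_html()
        html = render_to_string('comments_row_widget.html',
                                {'comment': comment,
                                 'user': {'username': analyst},
                                 'subscription': subscr})
        message = "Comment added successfully!"
        result = {'success': True, 'html': html, 'message': message}
    # "except X as e" is valid on Python 2.6+ and 3; the old comma form
    # is a syntax error on Python 3.
    except ValidationError as e:
        result = {'success': False, 'message': e}
    # The docstring promises a result dict; the original fell off the end
    # and returned None.
    return result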
def __init__(self, username, *args, **kwargs):
    """
    Populate the object type and source choices of the add-object form.

    :param username: The requesting user; scopes the source lookup.
    """
    super(AddObjectForm, self).__init__(*args, **kwargs)
    type_field = self.fields['object_type']
    type_field.choices = [(t, t) for t in ObjectTypes.values(sort=True)]
    # CSS hook used by the front-end for the type selector.
    type_field.widget.attrs = {'class': 'object-types'}
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
def __init__(self, username, *args, **kwargs):
    """
    Populate the source name and TLP choices of the inline source form.

    :param username: The requesting user; scopes the source lookup.
    """
    super(SourceInForm, self).__init__(*args, **kwargs)
    sources = get_source_names(True, True, username)
    name_field = self.fields['source_name']
    name_field.choices = [(s.name, s.name) for s in sources]
    name_field.initial = get_user_organization(username)
    tlp_field = self.fields['source_tlp']
    tlp_field.choices = [(lvl, lvl)
                         for lvl in ('red', 'amber', 'green', 'white')]
    # Most restrictive sharing level is the default.
    tlp_field.initial = 'red'
def __init__(self, username, *args, **kwargs):
    """
    Populate the identifier type and source choices of the actor
    identifier form.

    :param username: The requesting user; scopes the source lookup.
    """
    super(AddActorIdentifierForm, self).__init__(*args, **kwargs)
    id_types = get_item_names(ActorThreatIdentifier, True)
    self.fields['identifier_type'].choices = [(t.name, t.name)
                                              for t in id_types]
    sources = get_source_names(True, True, username)
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name) for s in sources]
    src_field.initial = get_user_organization(username)
def __init__(self, username, *args, **kwargs):
    """
    Populate the object type and source choices of the add-object form.

    :param username: The requesting user; scopes the source lookup.
    """
    super(AddObjectForm, self).__init__(*args, **kwargs)
    type_field = self.fields['object_type']
    type_field.choices = [(t, t) for t in ObjectTypes.values(sort=True)]
    # CSS hook used by the front-end for the type selector.
    type_field.widget.attrs = {'class': 'object-types'}
    sources = get_source_names(True, True, username)
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name) for s in sources]
    src_field.initial = get_user_organization(username)
def __init__(self, username, *args, **kwargs):
    """
    Populate the source and data type choices of the raw data upload form
    and append the bucket-list and ticket fields.

    :param username: The requesting user; scopes the source lookup.
    """
    super(UploadRawDataFileForm, self).__init__(*args, **kwargs)
    sources = get_source_names(True, True, username)
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name) for s in sources]
    src_field.initial = get_user_organization(username)
    data_types = get_item_names(RawDataType, True)
    self.fields['data_type'].choices = [(t.name, t.name) for t in data_types]
    add_bucketlist_to_form(self)
    add_ticket_to_form(self)
def __init__(self, username, *args, **kwargs):
    """
    Populate the source and event type choices of the event form and
    append the bucket-list and ticket fields.

    :param username: The requesting user; scopes the source lookup.
    """
    super(EventForm, self).__init__(*args, **kwargs)
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
    self.fields['event_type'].choices = [
        (t, t) for t in EventTypes.values(sort=True)]
    add_bucketlist_to_form(self)
    add_ticket_to_form(self)
def _process_pcap(self, pcap):
    """
    Hand a captured PCAP to CRITs, named by its MD5 and related to the
    object being analysed, then record the MD5 as a result.

    :param pcap: Raw PCAP bytes.
    """
    self._debug("Processing PCAP.")
    self._notify()
    username = self.current_task.username
    org = get_user_organization(username)
    # MD5 is used as a filename/identifier only, not for integrity.
    digest = md5(pcap).hexdigest()
    # NOTE(review): the return value of handle_pcap_file is discarded, so a
    # failed upload still records "pcap_added" — confirm its return shape
    # and check for success before reporting.
    result = handle_pcap_file("%s.pcap" % digest,
                              pcap,
                              org,
                              user=username,
                              related_id=str(self.obj.id),
                              related_type=self.obj._meta['crits_type'],
                              method=self.name)
    self._add_result("pcap_added", digest, {'md5': digest})
def __init__(self, username, choices, *args, **kwargs):
    """
    Populate the object type and source choices of the add-object form.

    :param username: The requesting user; scopes the source lookup.
    :param choices: Pre-built object type choices; when falsy, they are
                    derived from the active object types instead.
    """
    super(AddObjectForm, self).__init__(*args, **kwargs)
    if not choices:
        # Each active object type becomes (value, label, extra-attrs).
        # Relies on Python 2 dict.keys()/values() returning lists.
        choices = []
        for otype in get_object_types(True):
            datatype = otype[1]
            choices.append((otype[0], otype[0],
                            {'datatype': datatype.keys()[0],
                             'datatype_value': datatype.values()[0]}))
    type_field = self.fields['object_type']
    type_field.choices = choices
    # CSS hook used by the front-end for the type selector.
    type_field.widget.attrs = {'class': 'object-types'}
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
def __init__(self, username, *args, **kwargs):
    """
    Populate the source and default confidence/impact choices of the TAXII
    feed configuration form.

    The label suffix defaults to ':' unless the caller overrides it.

    :param username: The requesting user; scopes the source lookup.
    """
    if 'label_suffix' not in kwargs:
        kwargs['label_suffix'] = ':'
    super(TAXIIFeedConfigForm, self).__init__(*args, **kwargs)
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
    # Confidence and impact share the same value set; labels are title-cased.
    ci_choices = [(level, level.title()) for level in IndicatorCI.values()]
    for field_name in ('def_conf', 'def_impact'):
        self.fields[field_name].choices = list(ci_choices)
        self.fields[field_name].initial = 'unknown'
def __init__(self, username, *args, **kwargs):
    """
    Populate the source and event type choices of the event form and
    append the bucket-list and ticket fields.

    :param username: The requesting user; scopes the source lookup.
    """
    super(EventForm, self).__init__(*args, **kwargs)
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
    event_types = get_item_names(EventType, True)
    self.fields['event_type'].choices = [(t.name, t.name) for t in event_types]
    add_bucketlist_to_form(self)
    add_ticket_to_form(self)
def __init__(self, username, *args, **kwargs):
    """
    Populate the source, campaign and campaign confidence choices of the
    YAML email form.

    :param username: The requesting user; scopes the source lookup.
    """
    super(EmailYAMLForm, self).__init__(*args, **kwargs)
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
    # Leading blank entry lets the user leave the campaign unset.
    campaigns = [(c.name, c.name) for c in get_item_names(Campaign, True)]
    self.fields['campaign'].choices = [("", "")] + campaigns
    self.fields['campaign_confidence'].choices = [("", "")] + [
        (lvl, lvl) for lvl in ("low", "medium", "high")]
def _process_pcap(self, pcap):
    """
    Hand a captured PCAP to CRITs, named by its MD5 and parented to the
    object being analysed, then record the MD5 as a result.

    :param pcap: Raw PCAP bytes.
    """
    self._debug("Processing PCAP.")
    self._notify()
    username = self.current_task.username
    org = get_user_organization(username)
    # MD5 is used as a filename/identifier only, not for integrity.
    digest = md5(pcap).hexdigest()
    # NOTE(review): the return value of handle_pcap_file is discarded, so a
    # failed upload still records "pcap_added" — confirm its return shape
    # and check for success before reporting.
    result = handle_pcap_file("%s.pcap" % digest,
                              pcap,
                              org,
                              user=username,
                              parent_id=str(self.obj.id),
                              parent_type="PCAP",
                              method=self.name)
    self._add_result("pcap_added", digest, {'md5': digest})
def __init__(self, username, *args, **kwargs):
    """
    Populate the source, campaign and campaign confidence choices of the
    Outlook email form.

    :param username: The requesting user; scopes the source lookup.
    """
    super(EmailOutlookForm, self).__init__(*args, **kwargs)
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
    # Leading blank entry lets the user leave the campaign unset.
    campaigns = [(c.name, c.name) for c in get_item_names(Campaign, True)]
    self.fields['campaign'].choices = [("", "")] + campaigns
    self.fields['campaign_confidence'].choices = [("", "")] + [
        (lvl, lvl) for lvl in ("low", "medium", "high")]
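def attribute_identifier(self, identifier_type=None, identifier=None,
                         confidence='low', analyst=None):
    """
    Attribute an identifier.

    :param identifier_type: The type of Identifier.
    :type identifier_type: str
    :param identifier: The identifier value.
    :type identifier: str
    :param confidence: The confidence level of the attribution.
    :type confidence: str
    :param analyst: The analyst attributing this identifier.
    :type analyst: str
    """
    if not (analyst and identifier_type and identifier):
        return
    # We don't use source restriction because if they are adding this on
    # their own, we would just append their org as a new source
    ident_obj = ActorIdentifier.objects(name=identifier).first()
    if not ident_obj:
        ident_obj = ActorIdentifier()
        ident_obj.identifier_type = identifier_type
        # Store the identifier *value*. The original rebound `identifier`
        # to the lookup result and then assigned the new document to its
        # own name field, losing the string that was passed in.
        ident_obj.name = identifier
    # Add the source if it doesn't already exist
    org = get_user_organization(analyst)
    if not any(src.name == org for src in ident_obj.source):
        ident_obj.add_source(source=org, analyst=analyst)
    ident_obj.save()
    ident_obj.reload()
    ident_id = str(ident_obj.id)
    # Only add if it's not already there
    already_attributed = any(ident_id == str(existing.identifier_id)
                             for existing in self.identifiers)
    if not already_attributed:
        embedded = EmbeddedActorIdentifier()
        embedded.analyst = analyst
        embedded.confidence = confidence
        embedded.identifier_id = ident_id
        self.identifiers.append(embedded)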
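def comment_add(cleaned_data, obj_type, obj_id, method, subscr, analyst):
    """
    Add a new comment.

    :param cleaned_data: Cleaned data from the Django form submission.
    :type cleaned_data: dict
    :param obj_type: The top-level object type to add the comment to.
    :type obj_type: str
    :param obj_id: The top-level ObjectId to add the comment to.
    :type obj_id: str
    :param method: If this is a reply or not (set method to "reply").
    :type method: str
    :param subscr: The subscription information for the top-level object.
    :type subscr: dict
    :param analyst: The user adding the comment.
    :type analyst: str
    :returns: dict with keys:
              'success' (boolean),
              'message': (str),
              'html' (str) if successful.
    """
    comment = Comment()
    comment.comment = cleaned_data['comment']
    comment.parse_comment()
    comment.set_parent_object(obj_type, obj_id)
    if method == "reply":
        comment.set_parent_comment(cleaned_data['parent_date'],
                                   cleaned_data['parent_analyst'])
    comment.analyst = analyst
    comment.set_url_key(cleaned_data['url_key'])
    source = create_embedded_source(name=get_user_organization(analyst),
                                    analyst=analyst,
                                    needs_tlp=False)
    comment.source = [source]
    try:
        comment.save(username=analyst)
        # this is silly :( in the comment object the dates are still
        # accurate to .###### seconds, but in the database are only
        # accurate to .### seconds. This messes with the template's ability
        # to compare creation and edit times.
        comment.reload()
        # Escaping of the user-supplied comment text for the rendered row is
        # the responsibility of comment_to_html() (defined elsewhere).
        comment.comment_to_html()
        html = render_to_string('comments_row_widget.html',
                                {'comment': comment,
                                 'user': {'username': analyst},
                                 'subscription': subscr})
        message = "Comment added successfully!"
        result = {'success': True, 'html': html, 'message': message}
    # "except X as e" is valid on Python 2.6+ and 3; the old comma form
    # is a syntax error on Python 3.
    except ValidationError as e:
        result = {'success': False, 'message': e}
    # The docstring promises a result dict; the original fell off the end
    # and returned None.
    return result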
def __init__(self, username, *args, **kwargs):
    """
    Populate the campaign, confidence and source choices of the email
    attachment form and append the bucket-list and ticket fields.

    :param username: The requesting user; scopes the source lookup.
    """
    super(EmailAttachForm, self).__init__(*args, **kwargs)
    campaigns = [(c.name, c.name) for c in get_item_names(Campaign, True)]
    self.fields['campaign'].choices = [('', '')] + campaigns
    self.fields['confidence'].choices = [('', '')] + [
        (lvl, lvl) for lvl in ('low', 'medium', 'high')]
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
    # NOTE(review): Django form fields expose `initial`, not `value`; this
    # assignment looks like it has no effect on rendering — confirm whether
    # `initial` was intended. datetime.now() is also naive (no tzinfo).
    self.fields['source_date'].value = datetime.now()
    add_bucketlist_to_form(self)
    add_ticket_to_form(self)
def __init__(self, username, *args, **kwargs):
    """
    Populate the source, data type and relationship type choices of the
    signature upload form and append the bucket-list and ticket fields.

    :param username: The requesting user; scopes the source lookup.
    """
    super(UploadSignatureForm, self).__init__(*args, **kwargs)
    sources = get_source_names(True, True, username)
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name) for s in sources]
    src_field.initial = get_user_organization(username)
    sig_types = get_item_names(SignatureType, True)
    self.fields['data_type'].choices = [(t.name, t.name) for t in sig_types]
    rel_field = self.fields['relationship_type']
    rel_field.choices = relationship_choices
    rel_field.initial = RelationshipTypes.RELATED_TO
    add_bucketlist_to_form(self)
    add_ticket_to_form(self)
def __init__(self, username, *args, **kwargs):
    """
    Populate the source, campaign and confidence choices of the file upload
    form and append the bucket-list and ticket fields.

    :param username: The requesting user; scopes the source lookup.
    """
    super(UploadFileForm, self).__init__(*args, **kwargs)
    sources = get_source_names(True, True, username)
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name) for s in sources]
    src_field.initial = get_user_organization(username)
    campaigns = [(c.name, c.name) for c in get_item_names(Campaign, True)]
    self.fields['campaign'].choices = [('', '')] + campaigns
    self.fields['confidence'].choices = [('', '')] + [
        (lvl, lvl) for lvl in ('low', 'medium', 'high')]
    add_bucketlist_to_form(self)
    add_ticket_to_form(self)
def __init__(self, username, choices, *args, **kwargs):
    """
    Populate the IP type, campaign, confidence and source choices of the
    add-IP form and append the bucket-list and ticket fields.

    :param username: The requesting user; scopes the source lookup and is
                     used as the default analyst.
    :param choices: IP type choices to use; None selects the module-level
                    ``ip_choices``.
    """
    super(AddIPForm, self).__init__(*args, **kwargs)
    type_choices = ip_choices if choices is None else choices
    self.fields["ip_type"].choices = type_choices
    campaigns = [(c.name, c.name) for c in get_item_names(Campaign, True)]
    self.fields["campaign"].choices = [("", "")] + campaigns
    self.fields["confidence"].choices = [("", "")] + [
        (lvl, lvl) for lvl in ("low", "medium", "high")]
    src_field = self.fields["source"]
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
    self.fields["analyst"].initial = username
    add_bucketlist_to_form(self)
    add_ticket_to_form(self)
def __init__(self, username, *args, **kwargs):
    """
    Populate every choice field of the indicator upload form: source,
    status, indicator/threat/attack types, campaign, confidence, impact
    and relationship type; then append the bucket-list and ticket fields.

    :param username: The requesting user; scopes the source lookup.
    """
    super(UploadIndicatorForm, self).__init__(*args, **kwargs)
    fields = self.fields
    src_field = fields['source']
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
    fields['status'].choices = [(v, v) for v in Status.values()]
    fields['indicator_type'].choices = [
        (v, v) for v in IndicatorTypes.values(sort=True)]
    # CSS hook used by the front-end for the type selector.
    fields['indicator_type'].widget.attrs = {'class': 'object-types'}
    fields['threat_type'].choices = [
        (v, v) for v in IndicatorThreatTypes.values(sort=True)]
    fields['threat_type'].initial = IndicatorThreatTypes.UNKNOWN
    fields['attack_type'].choices = [
        (v, v) for v in IndicatorAttackTypes.values(sort=True)]
    fields['attack_type'].initial = IndicatorAttackTypes.UNKNOWN
    # Leading blank entry lets the user leave the campaign unset.
    campaigns = [(c.name, c.name) for c in get_item_names(Campaign, True)]
    fields['campaign'].choices = [("", "")] + campaigns
    fields['campaign_confidence'].choices = [("", "")] + [
        (lvl, lvl) for lvl in ("low", "medium", "high")]
    # Confidence and impact share the same value set.
    ci_levels = ("unknown", "benign", "low", "medium", "high")
    fields['confidence'].choices = [(lvl, lvl) for lvl in ci_levels]
    fields['impact'].choices = [(lvl, lvl) for lvl in ci_levels]
    fields['relationship_type'].choices = relationship_choices
    fields['relationship_type'].initial = RelationshipTypes.RELATED_TO
    add_bucketlist_to_form(self)
    add_ticket_to_form(self)
def __init__(self, username, *args, **kwargs):
    """
    Populate the source, campaign, campaign confidence and relationship
    type choices of the YAML email form and append the bucket-list and
    ticket fields.

    :param username: The requesting user; scopes the source lookup.
    """
    super(EmailYAMLForm, self).__init__(*args, **kwargs)
    sources = get_source_names(True, True, username)
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name) for s in sources]
    src_field.initial = get_user_organization(username)
    # Leading blank entry lets the user leave the campaign unset.
    campaigns = [(c.name, c.name) for c in get_item_names(Campaign, True)]
    self.fields['campaign'].choices = [("", "")] + campaigns
    self.fields['campaign_confidence'].choices = [("", "")] + [
        (lvl, lvl) for lvl in ("low", "medium", "high")]
    rel_field = self.fields['relationship_type']
    rel_field.choices = relationship_choices
    rel_field.initial = RelationshipTypes.RELATED_TO
    add_bucketlist_to_form(self)
    add_ticket_to_form(self)
def __init__(self, username, *args, **kwargs):
    """
    Populate the source, campaign, campaign confidence and relationship
    type choices of the YAML email form and append the bucket-list and
    ticket fields.

    :param username: The requesting user; scopes the source lookup.
    """
    super(EmailYAMLForm, self).__init__(*args, **kwargs)
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
    # Leading blank entry lets the user leave the campaign unset.
    campaigns = [(c.name, c.name) for c in get_item_names(Campaign, True)]
    self.fields['campaign'].choices = [("", "")] + campaigns
    self.fields['campaign_confidence'].choices = [("", "")] + [
        (lvl, lvl) for lvl in ("low", "medium", "high")]
    rel_field = self.fields['relationship_type']
    rel_field.choices = relationship_choices
    rel_field.initial = RelationshipTypes.RELATED_TO
    add_bucketlist_to_form(self)
    add_ticket_to_form(self)
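def process_domains(self, incident_report):
    """
    Add every contacted domain from the sandbox report to CRITs and relate
    it to the analysed object.

    :param incident_report: Parsed XML tree of the sandbox incident report.
    """
    org = get_user_organization(self.current_task.user)
    analyst = str(self.current_task.user)
    for domain in incident_report.findall("./contacted/domains/domain"):
        name = domain.text
        if not name:
            # The report is external input; an empty <domain/> element has
            # nothing to add and would only surface as a confusing error.
            self._warning("Skipping empty domain entry in sandbox report")
            continue
        ret = upsert_domain(name,
                            source=org,
                            username=analyst,
                            related_id=str(self.obj.id),
                            related_type=self.obj._meta['crits_type'],
                            relationship_type=RelationshipTypes.CONNECTED_TO)
        if ret['success']:
            # 'malicious' is the sandbox's verdict attribute; absent means unknown.
            malicious = domain.get('malicious', 'unknown')
            self._add_result("Domains", name, {'malicious': malicious})
        else:
            self._warning(ret["message"])
    self._notify()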
def remove_sample(request, md5):
    """
    Remove a sample from CRITs.

    :param request: Django request object (Required)
    :type request: :class:`django.http.HttpRequest`
    :param md5: The MD5 of the sample to remove.
    :type md5: str
    :returns: :class:`django.http.HttpResponse`
    """
    username = '%s' % request.user.username
    if not delete_sample(md5, username):
        return render(request, 'error.html',
                      {'error': "Could not delete sample"})
    # Send the user back to the listing filtered on their own organization.
    # NOTE(review): the organization name is interpolated into the query
    # string without percent-encoding; names containing '&', '#' or spaces
    # would break the redirect target.
    org = get_user_organization(request.user.username)
    listing_url = reverse('crits-samples-views-samples_listing')
    return HttpResponseRedirect(listing_url + '?source=%s' % org)
def __init__(self, username, *args, **kwargs):
    """
    Populate the campaign, confidence, source and relationship type choices
    of the backdoor form and append the bucket-list and ticket fields.

    :param username: The requesting user; scopes the source lookup.
    """
    super(AddBackdoorForm, self).__init__(*args, **kwargs)
    campaigns = [(c.name, c.name) for c in get_item_names(Campaign, True)]
    self.fields['campaign'].choices = [('', '')] + campaigns
    self.fields['confidence'].choices = [('', '')] + [
        (lvl, lvl) for lvl in ('low', 'medium', 'high')]
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
    rel_field = self.fields['relationship_type']
    rel_field.choices = relationship_choices
    rel_field.initial = RelationshipTypes.RELATED_TO
    add_bucketlist_to_form(self)
    add_ticket_to_form(self)
def __init__(self, username, *args, **kwargs):
    """
    Populate the campaign, confidence, source and relationship type choices
    of the exploit form and append the bucket-list and ticket fields.

    :param username: The requesting user; scopes the source lookup.
    """
    super(AddExploitForm, self).__init__(*args, **kwargs)
    campaigns = [(c.name, c.name) for c in get_item_names(Campaign, True)]
    self.fields['campaign'].choices = [('', '')] + campaigns
    self.fields['confidence'].choices = [('', '')] + [
        (lvl, lvl) for lvl in ('low', 'medium', 'high')]
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
    rel_field = self.fields['relationship_type']
    rel_field.choices = relationship_choices
    rel_field.initial = RelationshipTypes.RELATED_TO
    add_bucketlist_to_form(self)
    add_ticket_to_form(self)
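def process_ips(self, incident_report):
    """
    Add every contacted IP from the sandbox report to CRITs and relate it
    to the analysed object.

    :param incident_report: Parsed XML tree of the sandbox incident report.
    """
    org = get_user_organization(self.current_task.user)
    user = self.current_task.user
    for ip in incident_report.findall("./contacted/ips/ip"):
        address = ip.text
        if not address:
            # The report is external input; an empty <ip/> element has
            # nothing to add and would only surface as a confusing error.
            self._warning("Skipping empty IP entry in sandbox report")
            continue
        ret = ip_add_update(address,
                            self._ip_type(address),
                            source=org,
                            source_method=self.name,
                            source_tlp=self.obj.tlp,
                            user=user,
                            related_id=str(self.obj.id),
                            related_type=self.obj._meta['crits_type'],
                            relationship_type=RelationshipTypes.CONNECTED_TO)
        if ret['success']:
            # 'malicious' is the sandbox's verdict attribute; absent means unknown.
            malicious = ip.get('malicious', 'unknown')
            self._add_result("IPs", address, {'malicious': malicious})
        else:
            self._warning(ret["message"])
    self._notify()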
def _process_pcap(self, pcap):
    """
    Hand a captured PCAP to CRITs, named by its MD5 and related to the
    object being analysed, after checking the user may write PCAPs.

    :param pcap: Raw PCAP bytes.
    """
    self._debug("Processing PCAP.")
    self._notify()
    user = self.current_task.user
    org = get_user_organization(user)
    # Enforce the PCAP write ACL here: the service runs on behalf of the
    # user and must not add data the user could not add through the UI.
    denied_msg = "User does not have permission to add PCAP to CRITs"
    if not user.has_access_to(PCAPACL.WRITE):
        self._info(denied_msg)
        self._add_result("PCAP Processing Canceled", denied_msg)
        return
    # MD5 is used as a filename/identifier only, not for integrity.
    digest = md5(pcap).hexdigest()
    # NOTE(review): the return value of handle_pcap_file is discarded, so a
    # failed upload still records "pcap_added" — confirm its return shape
    # and check for success before reporting.
    result = handle_pcap_file("%s.pcap" % digest,
                              pcap,
                              org,
                              user=user,
                              related_id=str(self.obj.id),
                              related_type=self.obj._meta['crits_type'],
                              method=self.name)
    self._add_result("pcap_added", digest, {'md5': digest})
def __init__(self, username, choices=None, *args, **kwargs):
    """
    Populate the source, indicator type, campaign, confidence and impact
    choices of the indicator upload form and append the bucket-list and
    ticket fields.

    :param username: The requesting user; scopes the source lookup.
    :param choices: Pre-built indicator type choices; when falsy they are
                    derived from the active object types that need neither
                    a file upload nor an enum.
    """
    super(UploadIndicatorForm, self).__init__(*args, **kwargs)
    sources = get_source_names(True, True, username)
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name) for s in sources]
    src_field.initial = get_user_organization(username)
    if not choices:
        # only valid types for indicators are those which don't require
        # file upload. Relies on Python 2 dict.keys()/values() returning lists.
        type_query = {'datatype.file': {'$exists': 0},
                      'datatype.enum': {'$exists': 0}}
        choices = []
        for otype in get_object_types(active=True, query=type_query):
            datatype = otype[1]
            choices.append((otype[0], otype[0],
                            {'datatype': datatype.keys()[0],
                             'datatype_value': datatype.values()[0]}))
    type_field = self.fields['indicator_type']
    type_field.choices = choices
    # CSS hook used by the front-end for the type selector.
    type_field.widget.attrs = {'class': 'object-types'}
    # Leading blank entry lets the user leave the campaign unset.
    campaigns = [(c.name, c.name) for c in get_item_names(Campaign, True)]
    self.fields['campaign'].choices = [("", "")] + campaigns
    self.fields['campaign_confidence'].choices = [("", "")] + [
        (lvl, lvl) for lvl in ("low", "medium", "high")]
    # Confidence and impact share the same value set.
    ci_levels = ("unknown", "benign", "low", "medium", "high")
    self.fields['confidence'].choices = [(lvl, lvl) for lvl in ci_levels]
    self.fields['impact'].choices = [(lvl, lvl) for lvl in ci_levels]
    add_bucketlist_to_form(self)
    add_ticket_to_form(self)
def __init__(self, username, choices, *args, **kwargs):
    """
    Populate the IP type, campaign, confidence and source choices of the
    add-IP form and append the bucket-list and ticket fields.

    :param username: The requesting user; scopes the source lookup and is
                     used as the default analyst.
    :param choices: IP type choices to use; None selects the module-level
                    ``ip_choices``.
    """
    super(AddIPForm, self).__init__(*args, **kwargs)
    type_choices = ip_choices if choices is None else choices
    self.fields['ip_type'].choices = type_choices
    campaigns = [(c.name, c.name) for c in get_item_names(Campaign, True)]
    self.fields['campaign'].choices = [('', '')] + campaigns
    self.fields['confidence'].choices = [('', '')] + [
        (lvl, lvl) for lvl in ('low', 'medium', 'high')]
    src_field = self.fields['source']
    src_field.choices = [(s.name, s.name)
                         for s in get_source_names(True, True, username)]
    src_field.initial = get_user_organization(username)
    self.fields['analyst'].initial = username
    add_bucketlist_to_form(self)
    add_ticket_to_form(self)
def remove_sample(request, md5):
    """
    Remove a sample from CRITs.

    :param request: Django request object (Required)
    :type request: :class:`django.http.HttpRequest`
    :param md5: The MD5 of the sample to remove.
    :type md5: str
    :returns: :class:`django.http.HttpResponse`
    """
    username = '%s' % request.user.username
    if not delete_sample(md5, username):
        return render(request, 'error.html',
                      {'error': "Could not delete sample"})
    # Send the user back to the listing filtered on their own organization.
    # NOTE(review): the organization name is interpolated into the query
    # string without percent-encoding; names containing '&', '#' or spaces
    # would break the redirect target.
    org = get_user_organization(request.user.username)
    listing_url = reverse('crits-samples-views-samples_listing')
    return HttpResponseRedirect(listing_url + '?source=%s' % org)
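def __init__(self, username, choices=None, *args, **kwargs):
    """Populate the indicator upload form's choice fields for *username*.

    :param username: The requesting user; decides which sources are offered
                     and which one (the user's organization) is preselected.
    :param choices: Pre-built ``indicator_type`` choices. When falsy they are
                    built from the active object types whose datatype does
                    not need a file upload.
    :param args: Passed through unchanged to the parent form.
    :param kwargs: Passed through unchanged to the parent form.
    """
    super(UploadIndicatorForm, self).__init__(*args, **kwargs)

    self.fields['source'].choices = [
        (c.name, c.name) for c in get_source_names(True, True, username)
    ]
    self.fields['source'].initial = get_user_organization(username)

    if not choices:
        # Only types that don't require a file upload are valid indicator
        # types, so file-backed datatypes are excluded from the lookup.
        type_query = {'datatype.file': {'$exists': 0}}
        choices = []
        for c in get_object_types(active=True, query=type_query):
            # Take key and value from the same entry. list(...items())[0]
            # behaves identically on Python 2 and 3 (dict.keys()[0] only
            # works on 2) and still raises IndexError on an empty datatype.
            datatype, datatype_value = list(c[1].items())[0]
            choices.append((c[0], c[0], {
                'datatype': datatype,
                'datatype_value': datatype_value,
            }))
    self.fields['indicator_type'].choices = choices
    self.fields['indicator_type'].widget.attrs = {'class': 'object-types'}

    self.fields['campaign'].choices = [("", "")] + [
        (c.name, c.name) for c in get_item_names(Campaign, True)
    ]
    self.fields['campaign_confidence'].choices = [
        ("", ""), ("low", "low"), ("medium", "medium"), ("high", "high"),
    ]
    # Indicator confidence and impact share one rating scale.
    rating_choices = [
        ("unknown", "unknown"), ("benign", "benign"),
        ("low", "low"), ("medium", "medium"), ("high", "high"),
    ]
    self.fields['confidence'].choices = list(rating_choices)
    self.fields['impact'].choices = list(rating_choices)

    add_bucketlist_to_form(self)
    add_ticket_to_form(self)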
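def pcap_tcpdump(pcap_md5, form, analyst):
    """Run tcpdump over a stored PCAP and return its output.

    :param pcap_md5: MD5 of the PCAP document whose data is read from GridFS.
    :param form: Validated MetaCap form; ``form.cleaned_data`` supplies the
                 ``sequence``, ``timestamp``, ``verbose``, ``data``,
                 ``carve`` and ``bpf`` options.
    :param analyst: Username recorded as owner/source of a carved PCAP.
    :returns: The tcpdump output text, an error message, or — when carving
              produced packets — an HTML link to the new PCAP.
    """
    cleaned_data = form.cleaned_data

    # Make sure we can find tcpdump
    sc = get_config("MetaCap")
    tcpdump_bin = str(sc["tcpdump"])
    if not os.path.exists(tcpdump_bin):
        return "Could not find tcpdump!"

    # Make sure we have a PCAP to work with
    pcap = PCAP.objects(md5=pcap_md5).first()
    if not pcap:
        return "No PCAP found"
    pcap_data = pcap.filedata.read()
    if not pcap_data:
        return "Could not get PCAP from GridFS: %s" % pcap_md5

    # Use the filename if it's there, otherwise the md5.
    # This is used for the description of the carved sample.
    pcap_filename = pcap.filename or pcap_md5

    # Setup tcpdump arguments. No shell is involved (Popen gets a list), but
    # every value below becomes a tcpdump argv entry.
    # NOTE(review): timestamp/verbose/data are passed through verbatim, so the
    # form must restrict them to fixed tcpdump flags (choice fields, not free
    # text) — confirm on the form definition.
    flag_list = []
    if cleaned_data["sequence"]:
        flag_list.append("-S")
    for option in ("timestamp", "verbose", "data"):
        if cleaned_data[option]:
            flag_list.append("%s" % cleaned_data[option])
    # force -nN
    flag_list.append("-nN")

    carve = cleaned_data["carve"]
    bpf = cleaned_data["bpf"]
    if carve and not bpf:
        return "Must supply a BPF filter to carve."

    # new_pcap is the pcap tcpdump writes when carving.
    new_pcap = None
    if carve:
        new_pcap = tempfile.NamedTemporaryFile(delete=False)
        new_pcap.close()
        flag_list += ["-w", new_pcap.name]
    if bpf:
        # The filter travels as a single argv entry; stripping double quotes
        # matches the historical behaviour.
        flag_list.append("%s" % str(bpf.replace('"', "")))

    # temp_pcap is the pcap tcpdump reads; temp_out collects stdout and stderr.
    temp_pcap = tempfile.NamedTemporaryFile(delete=False)
    temp_out = tempfile.NamedTemporaryFile(delete=False)
    temp_paths = [temp_pcap.name, temp_out.name]
    if new_pcap is not None:
        temp_paths.append(new_pcap.name)
    try:
        temp_pcap.write(pcap_data)
        temp_pcap.close()

        args = [tcpdump_bin, "-r", temp_pcap.name] + flag_list
        tcpdump = Popen(args, stdout=temp_out, stderr=STDOUT)
        tcpdump.communicate()

        temp_out.seek(0)
        # One join instead of repeated += keeps large captures linear.
        # NOTE(review): this is raw tcpdump output; whatever renders it must
        # escape it if it ends up in HTML.
        tcpdump_output = "".join("%s" % line for line in temp_out)
        temp_out.close()

        if carve:
            with open(new_pcap.name, "rb") as carved:
                new_pcap_data = carved.read()
            # 24 bytes is a bare pcap global header; pcap-ng will change this.
            if len(new_pcap_data) > 24:
                md5 = hashlib.md5(new_pcap_data).hexdigest()
                org = get_user_organization(analyst)
                result = handle_pcap_file(
                    "%s.pcap" % md5,
                    new_pcap_data,
                    org,
                    user=analyst,
                    description="%s of %s" % (bpf, pcap_filename),
                    parent_id=pcap.id,
                    parent_type="PCAP",
                    method="MetaCap Tcpdumper",
                )
                if result["success"]:
                    tcpdump_output = '<a href="%s">View new pcap.</a>' % reverse(
                        "crits.pcaps.views.pcap_details", args=[result["md5"]]
                    )
                else:
                    tcpdump_output = result["message"]
            else:
                tcpdump_output = "No packets matched the filter."
    finally:
        # Always delete the temp files, even if tcpdump or GridFS handling
        # raised; a missing file is not worth masking the real error for.
        for handle in (temp_pcap, temp_out):
            handle.close()
        for path in temp_paths:
            try:
                os.unlink(path)
            except OSError:
                pass

    return tcpdump_output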
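def pcap_pdml_html(pcap_md5, analyst):
    """Return the tshark PDML of a PCAP rendered as HTML, generating it once.

    If the PCAP already carries a File object whose source reference is
    'tshark_pdml.html', that file is fetched from GridFS and returned.
    Otherwise the PCAP is run through tshark, the PDML is transformed with
    ``pdml2html.xsl``, and the HTML is stored in GridFS and attached to the
    PCAP as an object.

    :param pcap_md5: MD5 of the PCAP document.
    :param analyst: Username recorded as analyst/source of the new object.
    :returns: A dict with ``html`` (the rendered HTML or an error message).
              On first generation it also carries ``objects`` (the PCAP's
              sorted objects) and ``id`` (the PCAP id). Every error path,
              including the missing-PCAP one, returns a dict so callers can
              always index ``["html"]``.
    """
    pcap = PCAP.objects(md5=pcap_md5).first()
    if not pcap:
        return {"html": "No PCAP found"}

    coll = settings.COL_OBJECTS

    # Look for an already generated PDML object (last match wins, as before).
    pdml_obj = None
    for obj in pcap.obj:
        for source in obj.source:
            for instance in source.instances:
                if instance.reference == "tshark_pdml.html":
                    pdml_obj = obj

    if pdml_obj:
        # get file from gridfs and return it
        pdml_html = get_file_gridfs(pdml_obj.value, collection=coll)
        if not pdml_html:
            return {"html": "No file found in GridFS"}
        return {"html": pdml_html}

    sc = get_config("MetaCap")
    tshark_bin = str(sc["tshark"])
    if not os.path.exists(tshark_bin):
        return {"html": "Could not find tshark!"}

    pcap_data = pcap.filedata.read()
    if not pcap_data:
        return {"html": "Could not get PCAP from GridFS: %s" % pcap_md5}

    # Locate the stylesheet before spending time on tshark; keep the
    # historical "last service dir wins" rule.
    xsl_path = None
    for d in settings.SERVICE_DIRS:
        candidate = os.path.join(d, "metacap_service", "pdml2html.xsl")
        if os.path.isfile(candidate):
            xsl_path = candidate
    if not xsl_path:
        return {"html": "Could not find XSL."}

    # write PCAP to disk; temp_pdml receives tshark's output
    temp_pcap = tempfile.NamedTemporaryFile(delete=False)
    temp_pdml = tempfile.NamedTemporaryFile(delete=False)
    pcap_name = temp_pcap.name
    pdml_name = temp_pdml.name
    try:
        temp_pcap.write(pcap_data)
        temp_pcap.close()

        # use tshark to generate a pdml file
        args = [tshark_bin, "-n", "-r", pcap_name, "-T", "pdml"]
        tshark = Popen(args, stdout=temp_pdml, stderr=PIPE)
        tshark_out, tshark_err = tshark.communicate()
        if tshark.returncode != 0:
            return {"html": "%s, %s" % (tshark_out, tshark_err)}
        temp_pdml.seek(0)

        # transform PDML into HTML. The PDML is derived from an analyst-
        # supplied capture, so it is parsed as untrusted XML with entity
        # expansion off; only the project's own stylesheet gets the
        # FileResolver it needs.
        pdml_parser = etree.XMLParser(resolve_entities=False)
        xsl_parser = etree.XMLParser()
        xsl_parser.resolvers.add(FileResolver())
        try:
            xml_input = etree.parse(temp_pdml, pdml_parser)
            with open(xsl_path, "r") as xsl_file:
                xslt_root = etree.parse(xsl_file, xsl_parser)
            transform = etree.XSLT(xslt_root)
            pdml_html = str(transform(xml_input))
        except Exception:
            return {"html": "Could not parse/transform PDML output!"}
    finally:
        # delete PDML and PCAP temp files on every exit path
        temp_pdml.close()
        for path in (pcap_name, pdml_name):
            try:
                os.unlink(path)
            except OSError:
                pass

    # save pdml_html as an object for this PCAP
    fn = put_file_gridfs("tshark_pdml.html", pdml_html, collection=coll)
    if fn:
        md5 = hashlib.md5(pdml_html).hexdigest()
        pcap.add_object(
            ObjectTypes.FILE_UPLOAD,
            md5,
            get_user_organization(analyst),
            "MetaCap",
            "tshark_pdml.html",
            analyst,
        )
        pcap.save()

    return {"html": pdml_html, "objects": pcap.sort_objects(), "id": pcap.id}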