def parse_apps(apps_xml):
obj = xmltodict.parse(apps_xml)
try:
apps = obj['response']['result']['application']['entry']
except KeyError as e:
logger.error("Unable to parse app xml from firewall")
raise e
csv_apps = []
for app in apps:
a = OrderedDict()
try:
a['app'] = app['@name']
a['app:category'] = app.get('category', "")
a['app:subcategory'] = app.get('subcategory', "")
a['app:technology'] = app.get('technology', "")
a['app:risk'] = app['risk']
a['app:evasive'] = app['evasive-behavior']
a['app:excessive_bandwidth'] = app['consume-big-bandwidth']
a['app:used_by_malware'] = app['used-by-malware']
a['app:able_to_transfer_file'] = app['able-to-transfer-file']
a['app:has_known_vulnerability'] = app['has-known-vulnerability']
a['app:tunnels_other_application'] = app[
'tunnel-other-application']
if a['app:tunnels_other_application'] != "yes" and a[
'app:tunnels_other_application'] != "no":
a['app:tunnels_other_application'] = a[
'app:tunnels_other_application']['#text']
a['app:prone_to_misuse'] = app['prone-to-misuse']
a['app:pervasive_use'] = app['pervasive-use']
a['app:is_saas'] = app.get('is-saas', "no")
a['app:default_ports'] = ""
try:
# Sometimes there are more than one default tag
# so make it a list and iterate over the default tags.
default = app['default']
if isinstance(default, list):
for d in default:
a['app:default_ports'] = d['port']['member']
break
else:
a['app:default_ports'] = default['port']['member']
except KeyError:
pass
else:
if not isinstance(a['app:default_ports'], string_types):
a['app:default_ports'] = "|".join(a['app:default_ports'])
except Exception as e:
logger.error("Error parsing app: %s" % app['@name'])
logger.error(traceback.format_exc())
common.exit_with_error(string_types(e))
# convert all out of unicode
for key in a:
a[key] = string_types(a[key])
csv_apps.append(a)
logger.info("Found %s apps" % len(csv_apps))
return csv_apps
def parse_threats(threats_xml):
obj = xmltodict.parse(threats_xml)
try:
phone_home = obj['response']['result']['threats']['phone-home'][
'entry']
vulnerability = obj['response']['result']['threats']['vulnerability'][
'entry']
threats = phone_home + vulnerability
except KeyError as e:
logger.error("Unable to parse threat xml from firewall")
raise e
csv_threats = []
for threat in threats:
a = OrderedDict()
try:
a['threat_id'] = threat['@name']
a['threat:name'] = threat['threatname']
a['threat:category'] = threat['category']
a['threat:severity'] = threat['severity']
a['threat:cve'] = threat.get('cve', None)
if a['threat:cve'] is not None:
a['threat:cve'] = threat['cve']['member']
if not isinstance(a['threat:cve'], string_types):
a['threat:cve'] = ", ".join(a['threat:cve'])
else:
a['threat:cve'] = ""
except KeyError as e:
logger.error("Error parsing app: %s" % threat['@name'])
raise e
# convert all out of unicode
for key in a:
a[key] = string_types(a[key])
csv_threats.append(a)
logger.info("Found %s threats" % len(csv_threats))
return csv_threats
def _get_fc_channel(self):
"""return :
fcInfos[uuid]
fcInfo[uuid]['display_name']
fcInfo[uuid]['display_description']
fcInfo[uuid]['hardware_address']
fcInfo[uuid]['type']
fcInfo[uuid]['speed']
fcInfo[uuid]['state']
"""
output = None
fcInfos = {}
try:
retCode, output = self.dpl.get_server_info()
if retCode == 0 and output:
fcUuids = output.get('metadata',
{}).get('storage_adapter', {}).keys()
for fcUuid in fcUuids:
fcInfo = output.get('metadata',
{}).get('storage_adapter',
{}).get(fcUuid)
if fcInfo['type'] == 'fc':
fcInfos[fcUuid] = fcInfo
except Exception as e:
msg = _("Failed to get fiber channel info from storage due "
"to %(stat)s") % {
'stat': six.string_types(e)
}
LOG.error(msg)
return fcInfos
def _get_fc_channel(self):
"""return :
fcInfos[uuid]
fcInfo[uuid]['display_name']
fcInfo[uuid]['display_description']
fcInfo[uuid]['hardware_address']
fcInfo[uuid]['type']
fcInfo[uuid]['speed']
fcInfo[uuid]['state']
"""
output = None
fcInfos = {}
try:
retCode, output = self.dpl.get_server_info()
if retCode == 0 and output:
fcUuids = output.get('metadata',
{}).get('storage_adapter', {}).keys()
for fcUuid in fcUuids:
fcInfo = output.get('metadata',
{}).get('storage_adapter',
{}).get(fcUuid)
if fcInfo['type'] == 'fc':
fcInfos[fcUuid] = fcInfo
except Exception as e:
msg = _("Failed to get fiber channel info from storage due "
"to %(stat)s") % {'stat': six.string_types(e)}
LOG.error(msg)
return fcInfos
def get_token_generator():
token_generator_class = django_settings.DJOSER.get('TOKEN_GENERATOR')
if not token_generator_class:
return PasswordResetTokenGenerator()
elif not isinstance(token_generator_class, six.string_types):
raise Exception(
"%s is not valid password reset token generator class" %
six.string_types(token_generator_class))
return import_string(token_generator_class)()
def get_token_generator():
token_generator_class = django_settings.DJOSER.get('TOKEN_GENERATOR')
if not token_generator_class:
return PasswordResetTokenGenerator()
elif not isinstance(token_generator_class, six.string_types):
raise Exception("%s is not valid password reset token generator class" %
six.string_types(token_generator_class)
)
return import_string(token_generator_class)()
def categories(self, value):
if isinstance(value, list):
self._categories.purge()
self._categories.extend([(six.string_types(
x, self._base) if not isinstance(x, six.string_types) else x)
for x in value])
elif isinstance(value, TypedList):
self._categories.purge()
self._categories = value.to_list()
elif isinstance(value, six.string_types):
self._categories.purge()
self._categories.append(value)
def events(self, value):
if isinstance(value, list):
self._events.purge()
self._events.extend([
(six.string_types(x, self._base)
if not isinstance(x, six.string_types) else x) for x in value
])
elif isinstance(value, TypedList):
self._events.purge()
self._events = value.to_list()
elif isinstance(value, six.string_types):
self._events.purge()
self._events.append(value)
def default(self, o):
if isinstance(o, float):
if o % 1 > 0:
return decimal.Decimal(o)
else:
return int(o)
elif isinstance(o, set):
return list(o)
elif isinstance(o, datetime.datetime):
return string_types(o)
elif isinstance(o, botocore.response.StreamingBody):
return str(o)
return super(DynamoDbEncoder, self).default(o)
def get(self, type_name, ref):
e = self._aliased_objects.get(type_name, {}).get(ref, None) \
or self._objects.get(type_name, {}).get(ref, None)
try:
if not e and type(ref) in [int, float]:
e = self._objects.get(type_name, {}).get(six.string_types(ref), None)
if not e and isinstance(ref, six.string_types):
e = self._objects.get(type_name, {}).get(int(ref), None)
except:
pass
return e
def token_idx_map(context, context_tokens):
acc = ''
current_token_idx = 0
token_map = dict()
for char_idx, char in enumerate(context):
if char != u' ':
acc += char
context_token = six.string_types(context_tokens[current_token_idx])
if acc == context_token:
syn_start = char_idx - len(acc) + 1
token_map[syn_start] = [acc, current_token_idx]
acc = ''
current_token_idx += 1
return token_map
def adv_query(self, getargs, url_options, session_key):
'''Issue a MORE complex KV store query. The query string is constructed
from a valid JSON object. Additional parameters such as "limit" can be
included in the query_options dictionary.
The allowable_params are: 'fields', 'limit', 'skip', 'sort', 'query'
'''
options = {}
for k, v in iter(getargs.items()):
if k == 'query':
options['query'] = json.dumps(v)
elif k == 'fields':
if isinstance(v, string_types):
options['fields'] = v
elif isinstance(v, list):
options['fields'] = ','.join(v)
else:
raise ValueError(
'Invalid value for fields parameter in KV store query.'
)
elif k in ['limit', 'skip']:
# May raise ValueError
options[k] = string_types(int(v))
elif k == 'sort':
# Since sort order can be a bit complex, we just expect the
# consumer to construct their own sort string here.
if isinstance(v, string_types):
options['sort'] = v
else:
raise ValueError(
'Invalid value for sort parameter in KV store query.')
else:
# Invalid parameter is ignored.
pass
params = urlencode(options)
uri = '/servicesNS/{owner}/{app}/storage/collections/data/{collection}?{params}'.format(
params=params, **url_options)
response, content = splunk.rest.simpleRequest(uri,
sessionKey=session_key)
return response, content
def main():
# Get arguments
args, kwargs = splunk.Intersplunk.getKeywordsAndOptions()
# Enable debugging by passing 'debug=yes' as an argument of
# the command on the Splunk searchbar.
debug = common.check_debug(kwargs)
if len(args) < 2:
logger.error(
"pancontentpack: Wrong number of arguments: %s, expected 2.\n" %
len(args))
usage()
if args[1] == "apps":
logger.info(
"Getting apps from content pack on Palo Alto Networks device at %s..."
% args[0])
elif args[1] == "threats":
logger.info(
"Getting threats from content pack on Palo Alto Networks device at %s..."
% args[0])
else:
usage()
# Results contains the data from the search results and settings
# contains the sessionKey that we can use to talk to Splunk
# Ignore the results
results, unused1, settings = splunk.Intersplunk.getOrganizedResults()
# Get the sessionKey
sessionKey = settings['sessionKey']
log(debug, "Begin get API key")
# Get the API key from the Splunk store or from the device at hostname if no apikey is stored
apikey = common.apikey(sessionKey, args[0], debug)
device = pandevice.base.PanDevice(args[0], api_key=apikey)
device.refresh_system_info()
try:
if args[1] == "apps":
device.xapi.get("/config/predefined/application")
app_xml = device.xapi.xml_document
csv = parse_apps(app_xml)
else:
if device._version_info >= (8, 0, 0):
threat_xml = device.op(
'show predefined xpath "/predefined/threats"',
xml=True,
cmd_xml=True,
)
else:
device.xapi.get("/config/predefined/threats")
threat_xml = device.xapi.xml_document
csv = parse_threats(threat_xml)
except pan.xapi.PanXapiError as e:
common.exit_with_error(string_types(e))
# output results
splunk.Intersplunk.outputResults(csv)
def to_json(obj, fp=None):
default = lambda o: getmethod(o, '__json__', lambda v: six.string_types(v)
)()
kwargs = dict(default=default, indent=2, sort_keys=True)
return json.dump(obj, fp, **kwargs) if fp else json.dumps(obj, **kwargs)
def to_json(obj, fp=None):
default = lambda o: getmethod(o, "__json__", lambda v: six.string_types(v))()
kwargs = dict(default=default, indent=2, sort_keys=True)
return json.dump(obj, fp, **kwargs) if fp else json.dumps(obj, **kwargs)
def get_opened_file(output_file):
if isinstance(output_file, string_types()):
return open(output_file, 'wb')
