def create_google_client(config): """ :param: config { "proxy_url": xxx, "proxy_port": xxx, "proxy_username": xxx, "proxy_password": xxx, "proxy_rdns": xxx, "proxy_type": xxx, "google_credentials": xxx, "google_project": xxx, "google_subscription": xxx, "scopes": xxx, "service_name": xxx, "version": xxx, } """ if config.get("google_credentials"): credentials = oc.get_application_credential_from_json( config["google_credentials"]) else: credentials = oc.GoogleCredentials.get_application_default() if credentials.create_scoped_required(): credentials = credentials.create_scoped(config["scopes"]) http = sr.build_http_connection( config, timeout=config.get("pulling_interval", 30)) client = discovery.build( config["service_name"], config["version"], http=http, credentials=credentials) return client
def _build_http_connection(self): """ Build connection based on rest.py """ enabled = is_true(self.config.get("proxy_enabled", "")) if not enabled: if self.config.get("proxy_url"): del self.config['proxy_url'] if self.config.get("proxy_port"): del self.config['proxy_port'] return build_http_connection(self.config, timeout=30)
def handleEdit(self, confInfo): user, app = self.user_app() proxy_info = self.getProxyInfo( splunkdMgmtUri=rest.makeSplunkdUri(), sessionKey=self.getSessionKey(), user=user, app=app, ) proxy_enabled = proxy_info.get("proxy_enabled", False) http = build_http_connection(proxy_info if proxy_enabled else {}) try: url = self.callerArgs.data["splunk_poster_url"][0] for regex in self.allowedURLs: if re.match(regex, url): break else: RH_Err.ctl(1104, msgx="Unsupported url to be posted") method = self.callerArgs.data["splunk_poster_method"][0] if method not in self.allowedMethods: RH_Err.ctl(1104, msgx="Unsupported method to be posted") payload = { key: val[0] for key, val in self.callerArgs.data.items() if key in self.retransmittedArgs } headers = { "Content-Type": "application/x-www-form-urlencoded", } resp, content = http.request( url, method=method, headers=headers, body=urllib.parse.urlencode(payload), ) content = json.loads(content) if resp.status not in (200, 201, "200", "201"): RH_Err.ctl(resp.status, msgx=content) for key, val in content.items(): confInfo[self.callerArgs.id][key] = val except Exception as exc: RH_Err.ctl(1104, msgx=exc)
def perform_request(self, method, path, data=None): # build headers headers = {'Content-Type': 'application/json'} if self._token is not None: headers['X-SecurityCenter'] = self._token if self._cookie is not None: headers['Cookie'] = self._cookie # Only convert the data to JSON if there is data. if data is not None: data = json.dumps(data) # make a request if self._proxy_config: http = sr.build_http_connection( config=self._proxy_config, timeout=self._timeout, disable_ssl_validation=self._disable_ssl_certificate_validation ) else: http = httplib2.Http(timeout=self._timeout, disable_ssl_certificate_validation=self. _disable_ssl_certificate_validation) response, content = http.request(self._uri(path), method, data, headers) if path.find('download') != -1: return content result = json.loads(content) self._error_check(response, result) set_cookie = response.get('set-cookie') if set_cookie: self._cookie = set_cookie[set_cookie.find(',') + 1:].strip() stulog.logger.debug('{} set-cookie={}'.format( self._logger_prefix, set_cookie)) stulog.logger.debug('{} self._cookie={}'.format( self._logger_prefix, self._cookie)) return result['response']
def __init__(self, config): """ :params config: dict { "token": required, "hec_server_uri": required, "proxy_hostname": yyy, "proxy_url": zz, "proxy_port": aa, "proxy_username": bb, "proxy_password": cc, "proxy_type": http,http_no_tunnel,sock4,sock5, "proxy_rdns": 0 or 1, } """ self._config = config self._http = sr.build_http_connection( config, disable_ssl_validation=True) self._compose_uri_headers(config)
def write_events(self, events, retry=3): """ :params: events a list of json dict which meets HEC event schema { "event": xx, "index": yy, "host": yy, "source": yy, "sourcetype": yy, "time": yy, } Clients should consider batching, since when batching here, upper layer may have data loss """ last_ex = None events = self._prepare_events(events) for _ in range(retry): try: response, content = self._http.request( self._uri, method="POST", headers=self._headers, body=events) if response.status in (200, 201): return else: msg = ("Failed to post events to HEC_URI={}, " "error_code={}, reason={}").format( self._uri, response.status, content) logger.error(msg) # We raise here to commonly use the below code block raise Exception(msg) except Exception as e: last_ex = e logger.error("Failed to post events to HEC_URI=%s, error=%s", self._uri, traceback.format_exc()) self._http = sr.build_http_connection( self._config, disable_ssl_validation=True) time.sleep(2) raise last_ex
def create_google_client(config): """ :param: config { "proxy_url": xxx, "proxy_port": xxx, "proxy_username": xxx, "proxy_password": xxx, "proxy_rdns": xxx, "proxy_type": xxx, "google_credentials": xxx, "google_project": xxx, "google_subscriptions": xxx, "scopes": xxx, "service_name": xxx, "version": xxx, } """ scopes = config.get("scopes") if config.get("google_credentials") and bool(config["google_credentials"]): credentials = service_account.Credentials.from_service_account_info( config["google_credentials"] ) if scopes: credentials = credentials.with_scopes(scopes) else: if scopes: credentials, project = google.auth.default(scopes=scopes) else: credentials, project = google.auth.default() http = sr.build_http_connection(config, timeout=config.get("pulling_interval", 30)) http = AuthorizedHttp(credentials, http=http) client = discovery.build(config["service_name"], config["version"], http=http, cache_discovery=False) return client
def run(): logger.info("Script input start.") logger.info("Start reading session key") if sys.stdin.closed: return session_key = sys.stdin.read() logger.info("End reading session key") splunkd_uri = "https://localhost:8089/" server_info = sc.ServerInfo(splunkd_uri, session_key) if not server_info.is_shc_member() or server_info.is_captain(): logger.info( "This is a single instance or cluster captain. Run the malare_category_update." ) app_name = "Splunk_TA_symantec-ep" conf_name = "symantec_ep" stanza = "symantec_ep_proxy" base_url = "http://www.symantec.com/xml/rss/azlistings.jsp" encrypted = "******" conf_manager = conf.ConfManager(splunkd_uri=splunkd_uri, session_key=session_key, owner='-', app_name=app_name) conf_manager.reload_conf(conf_name) stanza_obj = conf_manager.get_conf(conf_name, stanza) config = { "username": "", "password": "", "proxy_url": "", "proxy_port": "", "proxy_username": "", "proxy_password": "", } if stanza_obj["proxy_enabled"] == '1': config["proxy_url"] = stanza_obj["proxy_url"] config["proxy_port"] = int(stanza_obj["proxy_port"]) is_encrypted = all( stanza_obj.get(k, None) == "******" for k in ("proxy_username", "proxy_password")) if is_encrypted: logger.info("Decrypting") cred_mgr = cred.CredentialManager(session_key=session_key, app=app_name, splunkd_uri=splunkd_uri) user_creds = cred_mgr.get_clear_password("symantec_ep_proxy") proxy_username = user_creds["symantec_ep_proxy"][ "proxy_username"] proxy_password = user_creds["symantec_ep_proxy"][ "proxy_password"] config["proxy_username"] = proxy_username config["proxy_password"] = proxy_password else: if stanza_obj["proxy_username"] is not None and stanza_obj[ "proxy_password"] is not None: logger.info("Encrypting") config["proxy_username"] = stanza_obj["proxy_username"] config["proxy_password"] = stanza_obj["proxy_password"] cred_mgr = cred.CredentialManager(session_key=session_key, app=app_name, splunkd_uri=splunkd_uri) try: new_stanza = {} proxy = { 'proxy_username': config["proxy_username"], 'proxy_password': config["proxy_password"] } new_stanza['symantec_ep_proxy'] = proxy result = cred_mgr.update(new_stanza) logger.info("Update result:" + str(result)) proxy_stanza = config.copy() proxy_stanza['proxy_username'] = encrypted proxy_stanza['proxy_password'] = encrypted success = conf_manager.update_stanza( 'symantec_ep', 'symantec_ep_proxy', proxy_stanza) if not success: logger.error( "ERROR in writing symantec_ep conf file.") except Exception: logger.error("ERROR in updating cred stanza") logger.error(traceback.format_exc()) try: try: http = rest.build_http_connection(config, timeout=60) except Exception: logger.error("ERROR in building connection") return if http is not None: url_list = construct_url(base_url) item_list = extract_xml(http, url_list) file_name = os.path.join(os.environ['SPLUNK_HOME'], 'etc', 'apps', app_name, 'lookups', 'symantec_ep_malware_categories.csv') save_lookup_file(file_name, item_list) logger.info("Start the SPL") request_url = splunkd_uri + "services/search/jobs/export" logger.info("Start the SPL") args = { "search": "|inputlookup symantec_ep_malware_category_lookup|outputlookup symantec_ep_malware_category_lookup", "output_mode": "raw" } response, _ = rest.splunkd_request(splunkd_uri=request_url, data=args, session_key=session_key, method='POST') if response.status not in (200, 201): logger.error("The SPL is not executed corretcly.") else: logger.info("The SPL is executed correctly.") else: logger.error("Failed to create http object.") except Exception: logger.error("ERROR in updating malware category lookup table.") else: logger.info( "This is not the cluster captain. Do not run the malare_category_update." )