def ip_add_update(ip_address, ip_type, source=None, source_method='',
source_reference='', source_tlp=None, campaign=None,
confidence='low', user=None, is_add_indicator=False,
indicator_reference='', bucket_list=None, ticket=None,
is_validate_only=False, cache={}, related_id=None,
related_type=None, relationship_type=None, description=''):
"""
Add/update an IP address.
:param ip_address: The IP to add/update.
:type ip_address: str
:param ip_type: The type of IP this is.
:type ip_type: str
:param source: Name of the source which provided this information.
:type source: str
:param source_method: Method of acquiring this data.
:type source_method: str
:param source_reference: A reference to this data.
:type source_reference: str
:param campaign: A campaign to attribute to this IP address.
:type campaign: str
:param confidence: Confidence level in the campaign attribution.
:type confidence: str ("low", "medium", "high")
:param user: The user adding/updating this IP.
:type user: str
:param is_add_indicator: Also add an Indicator for this IP.
:type is_add_indicator: bool
:param indicator_reference: Reference for the indicator.
:type indicator_reference: str
:param bucket_list: Buckets to assign to this IP.
:type bucket_list: str
:param ticket: Ticket to assign to this IP.
:type ticket: str
:param is_validate_only: Only validate, do not add/update.
:type is_validate_only: bool
:param cache: Cached data, typically for performance enhancements
during bulk operations.
:type cache: dict
:param related_id: ID of object to create relationship with
:type related_id: str
:param related_type: Type of object to create relationship with
:type related_type: str
:param relationship_type: Type of relationship to create.
:type relationship_type: str
:param description: A description for this IP
:type description: str
:returns: dict with keys:
"success" (boolean),
"message" (str),
"object" (if successful) :class:`crits.ips.ip.IP`
"""
if not source:
return {"success" : False, "message" : "Missing source information."}
source_name = source
(ip_address, error) = validate_and_normalize_ip(ip_address, ip_type)
if error:
return {"success": False, "message": error}
retVal = {}
is_item_new = False
ip_object = None
cached_results = cache.get(form_consts.IP.CACHED_RESULTS)
if cached_results != None:
ip_object = cached_results.get(ip_address)
else:
ip_object = IP.objects(ip=ip_address).first()
if not ip_object:
ip_object = IP()
ip_object.ip = ip_address
ip_object.ip_type = ip_type
is_item_new = True
if cached_results != None:
cached_results[ip_address] = ip_object
if not ip_object.description:
ip_object.description = description or ''
elif ip_object.description != description:
ip_object.description += "\n" + (description or '')
if isinstance(source_name, basestring):
if user.check_source_write(source):
source = [create_embedded_source(source,
reference=source_reference,
method=source_method,
tlp=source_tlp,
analyst=user.username)]
else:
return {"success":False,
"message": "User does not have permission to add object \
using source %s." % source}
if isinstance(campaign, basestring):
c = EmbeddedCampaign(name=campaign, confidence=confidence, analyst=user.username)
campaign = [c]
if campaign:
for camp in campaign:
ip_object.add_campaign(camp)
if source:
for s in source:
ip_object.add_source(s)
else:
return {"success" : False, "message" : "Missing source information."}
if bucket_list:
ip_object.add_bucket_list(bucket_list, user.username)
if ticket:
ip_object.add_ticket(ticket, user.username)
related_obj = None
if related_id:
related_obj = class_from_id(related_type, related_id)
if not related_obj:
retVal['success'] = False
retVal['message'] = 'Related Object not found.'
return retVal
resp_url = reverse('crits.ips.views.ip_detail', args=[ip_object.ip])
if is_validate_only == False:
ip_object.save(username=user.username)
#set the URL for viewing the new data
if is_item_new == True:
retVal['message'] = ('Success! Click here to view the new IP: '
'<a href="%s">%s</a>' % (resp_url, ip_object.ip))
else:
message = ('Updated existing IP: '
'<a href="%s">%s</a>' % (resp_url, ip_object.ip))
retVal['message'] = message
retVal['status'] = form_consts.Status.DUPLICATE
retVal['warning'] = message
elif is_validate_only == True:
if ip_object.id != None and is_item_new == False:
message = ('Warning: IP already exists: '
'<a href="%s">%s</a>' % (resp_url, ip_object.ip))
retVal['message'] = message
retVal['status'] = form_consts.Status.DUPLICATE
retVal['warning'] = message
if is_add_indicator:
from crits.indicators.handlers import handle_indicator_ind
result = handle_indicator_ind(ip_address,
source_name,
ip_type,
IndicatorThreatTypes.UNKNOWN,
IndicatorAttackTypes.UNKNOWN,
user,
source_method=source_method,
source_reference = indicator_reference,
source_tlp = source_tlp,
add_domain=False,
add_relationship=True,
bucket_list=bucket_list,
ticket=ticket,
cache=cache)
if related_obj and ip_object and relationship_type:
relationship_type=RelationshipTypes.inverse(relationship=relationship_type)
ip_object.add_relationship(related_obj,
relationship_type,
analyst=user.username,
get_rels=False)
ip_object.save(username=user.username)
# run ip triage
if is_item_new and is_validate_only == False:
ip_object.reload()
run_triage(ip_object, user)
retVal['success'] = True
retVal['object'] = ip_object
return retVal
def create_indicator_and_ip(type_, id_, ip, analyst):
"""
Add indicators for an IP address.
:param type_: The CRITs top-level object we are getting this IP from.
:type type_: class which inherits from
:class:`crits.core.crits_mongoengine.CritsBaseAttributes`
:param id_: The ObjectId of the top-level object to search for.
:type id_: str
:param ip: The IP address to generate an indicator out of.
:type ip: str
:param analyst: The user adding this indicator.
:type analyst: str
:returns: dict with keys:
"success" (boolean),
"message" (str),
"value" (str)
"""
obj_class = class_from_id(type_, id_)
if obj_class:
ip_class = IP.objects(ip=ip).first()
ind_type = "Address - ipv4-addr"
ind_class = Indicator.objects(ind_type=ind_type, value=ip).first()
# setup IP
if ip_class:
ip_class.add_relationship(rel_item=obj_class,
rel_type="Related_To",
analyst=analyst)
else:
ip_class = IP()
ip_class.ip = ip
ip_class.source = obj_class.source
ip_class.save(username=analyst)
ip_class.add_relationship(rel_item=obj_class,
rel_type="Related_To",
analyst=analyst)
# setup Indicator
message = ""
if ind_class:
message = ind_class.add_relationship(rel_item=obj_class,
rel_type="Related_To",
analyst=analyst)
ind_class.add_relationship(rel_item=ip_class,
rel_type="Related_To",
analyst=analyst)
else:
ind_class = Indicator()
ind_class.source = obj_class.source
ind_class.ind_type = ind_type
ind_class.value = ip
ind_class.save(username=analyst)
message = ind_class.add_relationship(rel_item=obj_class,
rel_type="Related_To",
analyst=analyst)
ind_class.add_relationship(rel_item=ip_class,
rel_type="Related_To",
analyst=analyst)
# save
try:
obj_class.save(username=analyst)
ip_class.save(username=analyst)
ind_class.save(username=analyst)
if message['success']:
rels = obj_class.sort_relationships("%s" % analyst, meta=True)
return {'success': True, 'message': rels, 'value': obj_class.id}
else:
return {'success': False, 'message': message['message']}
except Exception, e:
return {'success': False, 'message': e}
def ip_add_update(ip_address, ip_type, source=None, source_method=None,
source_reference=None, campaign=None, confidence='low', analyst=None,
is_add_indicator=False, indicator_reference=None,
bucket_list=None, ticket=None, is_validate_only=False, cache={}):
"""
Add/update an IP address.
:param ip_address: The IP to add/update.
:type ip_address: str
:param ip_type: The type of IP this is.
:type ip_type: str
:param source: Name of the source which provided this information.
:type source: str
:param source_method: Method of acquiring this data.
:type source_method: str
:param source_reference: A reference to this data.
:type source_reference: str
:param campaign: A campaign to attribute to this IP address.
:type campaign: str
:param confidence: Confidence level in the campaign attribution.
:type confidence: str ("low", "medium", "high")
:param analyst: The user adding/updating this IP.
:type analyst: str
:param is_add_indicator: Also add an Indicator for this IP.
:type is_add_indicator: bool
:param indicator_reference: Reference for the indicator.
:type indicator_reference: str
:param bucket_list: Buckets to assign to this IP.
:type bucket_list: str
:param ticket: Ticket to assign to this IP.
:type ticket: str
:param is_validate_only: Only validate, do not add/update.
:type is_validate_only: bool
:param cache: Cached data, typically for performance enhancements
during bulk operations.
:type cache: dict
:returns: dict with keys:
"success" (boolean),
"message" (str),
"object" (if successful) :class:`crits.ips.ip.IP`
"""
retVal = {}
is_item_new = False
ip_object = None
cached_results = cache.get(form_consts.IP.CACHED_RESULTS)
if cached_results != None:
ip_object = cached_results.get(ip_address)
else:
ip_object = IP.objects(ip=ip_address).first()
if not ip_object:
ip_object = IP()
ip_object.ip = ip_address
ip_object.ip_type = ip_type
is_item_new = True
if cached_results != None:
cached_results[ip_address] = ip_object
if isinstance(source, basestring):
source = [create_embedded_source(source,
reference=source_reference,
method=source_method,
analyst=analyst)]
if isinstance(campaign, basestring):
c = EmbeddedCampaign(name=campaign, confidence=confidence, analyst=analyst)
campaign = [c]
if campaign:
for camp in campaign:
ip_object.add_campaign(camp)
if source:
for s in source:
ip_object.add_source(s)
if bucket_list:
ip_object.add_bucket_list(bucket_list, analyst)
if ticket:
ip_object.add_ticket(ticket, analyst)
resp_url = reverse('crits.ips.views.ip_detail', args=[ip_object.ip])
if is_validate_only == False:
ip_object.save(username=analyst)
#set the URL for viewing the new data
if is_item_new == True:
retVal['message'] = ('Success! Click here to view the new IP: '
'<a href="%s">%s</a>' % (resp_url, ip_object.ip))
else:
message = ('Updated existing IP: '
'<a href="%s">%s</a>' % (resp_url, ip_object.ip))
retVal['message'] = message
retVal['status'] = form_consts.Status.DUPLICATE
retVal['warning'] = message
elif is_validate_only == True:
if ip_object.id != None and is_item_new == False:
message = ('Warning: IP already exists: '
'<a href="%s">%s</a>' % (resp_url, ip_object.ip))
retVal['message'] = message
retVal['status'] = form_consts.Status.DUPLICATE
retVal['warning'] = message
if is_add_indicator:
from crits.indicators.handlers import handle_indicator_ind
handle_indicator_ind(ip_address,
source,
indicator_reference,
ip_type,
analyst,
source_method,
add_domain=False,
add_relationship=True,
bucket_list=bucket_list,
ticket=ticket,
cache=cache)
# run ip triage
if is_item_new and is_validate_only == False:
ip_object.reload()
run_triage(None, ip_object, analyst)
retVal['success'] = True
retVal['object'] = ip_object
return retVal
def create_indicator_and_ip(type_, id_, ip, analyst):
"""
Add indicators for an IP address.
:param type_: The CRITs top-level object we are getting this IP from.
:type type_: class which inherits from
:class:`crits.core.crits_mongoengine.CritsBaseAttributes`
:param id_: The ObjectId of the top-level object to search for.
:type id_: str
:param ip: The IP address to generate an indicator out of.
:type ip: str
:param analyst: The user adding this indicator.
:type analyst: str
:returns: dict with keys:
"success" (boolean),
"message" (str),
"value" (str)
"""
obj_class = class_from_id(type_, id_)
if obj_class:
ip_class = IP.objects(ip=ip).first()
ind_type = "Address - ipv4-addr"
ind_class = Indicator.objects(ind_type=ind_type, value=ip).first()
# setup IP
if ip_class:
ip_class.add_relationship(rel_item=obj_class,
rel_type="Related_To",
analyst=analyst)
else:
ip_class = IP()
ip_class.ip = ip
ip_class.source = obj_class.source
ip_class.save(username=analyst)
ip_class.add_relationship(rel_item=obj_class,
rel_type="Related_To",
analyst=analyst)
# setup Indicator
message = ""
if ind_class:
message = ind_class.add_relationship(rel_item=obj_class,
rel_type="Related_To",
analyst=analyst)
ind_class.add_relationship(rel_item=ip_class,
rel_type="Related_To",
analyst=analyst)
else:
ind_class = Indicator()
ind_class.source = obj_class.source
ind_class.ind_type = ind_type
ind_class.value = ip
ind_class.save(username=analyst)
message = ind_class.add_relationship(rel_item=obj_class,
rel_type="Related_To",
analyst=analyst)
ind_class.add_relationship(rel_item=ip_class,
rel_type="Related_To",
analyst=analyst)
# save
try:
obj_class.save(username=analyst)
ip_class.save(username=analyst)
ind_class.save(username=analyst)
if message['success']:
rels = obj_class.sort_relationships("%s" % analyst, meta=True)
return {
'success': True,
'message': rels,
'value': obj_class.id
}
else:
return {'success': False, 'message': message['message']}
except Exception, e:
return {'success': False, 'message': e}
def ip_add_update(ip_address,
ip_type,
source=None,
source_method='',
source_reference='',
source_tlp=None,
campaign=None,
confidence='low',
user=None,
is_add_indicator=False,
indicator_reference='',
bucket_list=None,
ticket=None,
is_validate_only=False,
cache={},
related_id=None,
related_type=None,
relationship_type=None,
description=''):
"""
Add/update an IP address.
:param ip_address: The IP to add/update.
:type ip_address: str
:param ip_type: The type of IP this is.
:type ip_type: str
:param source: Name of the source which provided this information.
:type source: str
:param source_method: Method of acquiring this data.
:type source_method: str
:param source_reference: A reference to this data.
:type source_reference: str
:param campaign: A campaign to attribute to this IP address.
:type campaign: str
:param confidence: Confidence level in the campaign attribution.
:type confidence: str ("low", "medium", "high")
:param user: The user adding/updating this IP.
:type user: str
:param is_add_indicator: Also add an Indicator for this IP.
:type is_add_indicator: bool
:param indicator_reference: Reference for the indicator.
:type indicator_reference: str
:param bucket_list: Buckets to assign to this IP.
:type bucket_list: str
:param ticket: Ticket to assign to this IP.
:type ticket: str
:param is_validate_only: Only validate, do not add/update.
:type is_validate_only: bool
:param cache: Cached data, typically for performance enhancements
during bulk operations.
:type cache: dict
:param related_id: ID of object to create relationship with
:type related_id: str
:param related_type: Type of object to create relationship with
:type related_type: str
:param relationship_type: Type of relationship to create.
:type relationship_type: str
:param description: A description for this IP
:type description: str
:returns: dict with keys:
"success" (boolean),
"message" (str),
"object" (if successful) :class:`crits.ips.ip.IP`
"""
if not source:
return {"success": False, "message": "Missing source information."}
source_name = source
(ip_address, error) = validate_and_normalize_ip(ip_address, ip_type)
if error:
return {"success": False, "message": error}
retVal = {}
is_item_new = False
ip_object = None
cached_results = cache.get(form_consts.IP.CACHED_RESULTS)
if cached_results != None:
ip_object = cached_results.get(ip_address)
else:
ip_object = IP.objects(ip=ip_address).first()
if not ip_object:
ip_object = IP()
ip_object.ip = ip_address
ip_object.ip_type = ip_type
is_item_new = True
if cached_results != None:
cached_results[ip_address] = ip_object
if not ip_object.description:
ip_object.description = description or ''
elif ip_object.description != description:
ip_object.description += "\n" + (description or '')
if isinstance(source_name, basestring):
if user.check_source_write(source):
source = [
create_embedded_source(source,
reference=source_reference,
method=source_method,
tlp=source_tlp,
analyst=user.username)
]
else:
return {
"success":
False,
"message":
"User does not have permission to add object \
using source %s." % source
}
if isinstance(campaign, basestring):
c = EmbeddedCampaign(name=campaign,
confidence=confidence,
analyst=user.username)
campaign = [c]
if campaign:
for camp in campaign:
ip_object.add_campaign(camp)
if source:
for s in source:
ip_object.add_source(s)
else:
return {"success": False, "message": "Missing source information."}
if bucket_list:
ip_object.add_bucket_list(bucket_list, user.username)
if ticket:
ip_object.add_ticket(ticket, user.username)
related_obj = None
if related_id:
related_obj = class_from_id(related_type, related_id)
if not related_obj:
retVal['success'] = False
retVal['message'] = 'Related Object not found.'
return retVal
resp_url = reverse('crits.ips.views.ip_detail', args=[ip_object.ip])
if is_validate_only == False:
ip_object.save(username=user.username)
#set the URL for viewing the new data
if is_item_new == True:
retVal['message'] = ('Success! Click here to view the new IP: '
'<a href="%s">%s</a>' %
(resp_url, ip_object.ip))
else:
message = ('Updated existing IP: '
'<a href="%s">%s</a>' % (resp_url, ip_object.ip))
retVal['message'] = message
retVal['status'] = form_consts.Status.DUPLICATE
retVal['warning'] = message
elif is_validate_only == True:
if ip_object.id != None and is_item_new == False:
message = ('Warning: IP already exists: '
'<a href="%s">%s</a>' % (resp_url, ip_object.ip))
retVal['message'] = message
retVal['status'] = form_consts.Status.DUPLICATE
retVal['warning'] = message
if is_add_indicator:
from crits.indicators.handlers import handle_indicator_ind
result = handle_indicator_ind(ip_address,
source_name,
ip_type,
IndicatorThreatTypes.UNKNOWN,
IndicatorAttackTypes.UNKNOWN,
user,
source_method=source_method,
source_reference=indicator_reference,
source_tlp=source_tlp,
add_domain=False,
add_relationship=True,
bucket_list=bucket_list,
ticket=ticket,
cache=cache)
if related_obj and ip_object and relationship_type:
relationship_type = RelationshipTypes.inverse(
relationship=relationship_type)
ip_object.add_relationship(related_obj,
relationship_type,
analyst=user.username,
get_rels=False)
ip_object.save(username=user.username)
# run ip triage
if is_item_new and is_validate_only == False:
ip_object.reload()
run_triage(ip_object, user)
retVal['success'] = True
retVal['object'] = ip_object
return retVal