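def block_tunnel(malware):
    """Add *malware* to the DNS-tunnel tag group and push it to the RPZ.

    The domain is registered as a wildcard tag (``**.<malware>``) under the
    ``dnstunnel-malware`` tag group in BlueCat Address Manager, every tag in
    that group is uploaded as the response-policy item list, and a full DNS
    deployment is triggered on the DNS server.

    Args:
        malware: domain name to block. It is interpolated verbatim into the
            tag name, so the caller should validate it before passing it in.

    Returns:
        0 on success, 1 if any BAM call in the blocking step raises.
    """
    # Talk to BlueCat Address Manager.
    # NOTE(review): the endpoint is plain HTTP and the credentials are
    # embedded in source, so the login crosses the network unencrypted and
    # the password lives in version control. Prefer HTTPS plus credentials
    # loaded from configuration.
    api_url = 'http://10.0.1.251/Services/API?wsdl'
    bam = api(api_url)
    bam.login('apiuser', 'bluecat')

    service = bam._soap_client.service

    # An id of 0 means the tag group does not exist yet: create it.
    tg = service.getEntityByName(0, "dnstunnel-malware", "TagGroup")
    if tg.id == 0:
        tg = service.addTagGroup('dnstunnel-malware', "")

    try:
        service.addTag(tg.id, "**." + malware, "")
        # Only the first 1000 tags are fetched; a larger group would be
        # silently truncated in the uploaded list.
        e = service.getEntities(tg.id, "Tag", 0, 1000)
        # Every item is prefixed with a newline, so the list starts with
        # '\n' exactly as the original loop produced it.
        blacklistItems = ''.join('\n' + entity.name for entity in e.item)
        service.uploadResponsePolicyItems(
            1651093, base64.b64encode(blacklistItems))
        service.deployServerConfig(
            140183, "services=DNS|forceDNSFullDeployment=true")
        return 0
    except Exception:
        # Was a bare 'except:', which also swallowed KeyboardInterrupt and
        # SystemExit. The failure is still reported only via the return code.
        return 1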
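def block_tunnel(maldomain):
    """Add *maldomain* to the tunnel tag group and deploy it to every DDS.

    The domain is registered as a wildcard tag (``**.<maldomain>``) under the
    ``TAG_TUNNEL`` tag group in BlueCat Address Manager, every tag in that
    group is uploaded as the item list of the response policy ``OBJID_RPZ``,
    and a full DNS deployment is triggered on each server in ``OBJID_DDS``.

    Args:
        maldomain: domain name to block. It is interpolated verbatim into the
            tag name, so the caller should validate it before passing it in.

    Returns:
        0 on success, 1 if any BAM call in the blocking step raises.
    """
    # Talk to BlueCat Address Manager.
    # NOTE(review): the endpoint is plain HTTP, so APIUSER/APIPASS cross the
    # network unencrypted; prefer HTTPS.
    api_url = 'http://' + BAMIP + '/Services/API?wsdl'
    bam = api(api_url)
    bam.login(APIUSER, APIPASS)

    service = bam._soap_client.service

    # An id of 0 means the tag group does not exist yet: create it.
    tg = service.getEntityByName(0, TAG_TUNNEL, "TagGroup")
    if tg.id == 0:
        tg = service.addTagGroup(TAG_TUNNEL, "")

    try:
        service.addTag(tg.id, "**." + maldomain, "")
        # Only the first 1000 tags are fetched; a larger group would be
        # silently truncated in the uploaded list.
        e = service.getEntities(tg.id, "Tag", 0, 1000)
        # Every item is prefixed with a newline, so the list starts with
        # '\n' exactly as the original loop produced it.
        blacklistItems = ''.join('\n' + entity.name for entity in e.item)
        service.uploadResponsePolicyItems(
            OBJID_RPZ, base64.b64encode(blacklistItems))

        for dds in OBJID_DDS:
            service.deployServerConfig(
                dds, "services=DNS|forceDNSFullDeployment=true")
        return 0
    except Exception:
        # Was a bare 'except:', which also swallowed KeyboardInterrupt and
        # SystemExit. The failure is still reported only via the return code.
        return 1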
    def init_bam(self, params=None):
        """Connect to BlueCat Address Manager using the stored identity.

        Reads the connection settings from ``self._identity`` and stores the
        resulting client on ``self.api``.

        Args:
            params: not used in the lines shown here.

        Returns:
            1 if the connection attempt raises ``URLError``. The success
            path is not visible in this excerpt.
        """
        # NOTE(review): the excerpt looks truncated — user, password, conf,
        # viewname and taggroupname are bound but not used in the lines
        # shown; presumably the login and view/tag-group lookup follow.
        user = self._identity["user"]
        password = self._identity["password"]
        conf = self._identity["conf"]
        logger = self._identity["logger"]
        viewname = self._identity["view"]
        taggroupname = self._identity["taggroup"]

        api_url = self._identity["api_url"]

        try:
            self.api = api(self._identity["api_url"])
        except URLError, e:
            # Only the URL and the exception args are logged, so the
            # credentials never reach the log line.
            logger.error("FAILED TO CONNECT TO BAM: " + api_url + "(" +
                         str(e.args) + ")")
            return 1
def getObjectId(objType, objName):
    """Resolve BAM object name(s) of kind *objType* to numeric id(s).

    Logs into BlueCat Address Manager and looks the entity up by name.

    Args:
        objType: one of ``"Configuration"``, ``"ResponsePolicy"`` or
            ``"Server"``.
        objName: the entity name; for ``"Server"`` an iterable of names.

    Returns:
        The entity id for ``"Configuration"`` (looked up at the root) and
        ``"ResponsePolicy"`` (looked up under ``OBJID_BAMCONFIG``), a list of
        int ids for ``"Server"``, and ``None`` for any other *objType*.
    """
    # NOTE(review): plain HTTP — APIUSER/APIPASS cross the network
    # unencrypted; prefer HTTPS.
    bam = api('http://' + BAMIP + '/Services/API?wsdl')
    bam.login(APIUSER, APIPASS)
    lookup = bam._soap_client.service.getEntityByName

    if objType == "Configuration":
        return lookup(0, objName, "Configuration")['id']

    if objType == "ResponsePolicy":
        return lookup(OBJID_BAMCONFIG, objName, "ResponsePolicy")['id']

    if objType == "Server":
        # Server ids are coerced to int; the other two kinds are returned
        # as the SOAP layer delivers them.
        return [int(lookup(OBJID_BAMCONFIG, name, "Server")['id'])
                for name in objName]

    return None
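RPZPOLICY = configFile.get_ResponsePolicy()
DDSNAMES = configFile.get_DDSNames()

## DNS Tunnel Detection
## 1. Length = Minimum: 35
## 2. Count per Interval = Minimum: 8
TUN_DETECT_LENGTH = configFile.get_QueryLength()
TUN_COUNT_PER_INT = configFile.get_QueryRate()

## Mitigation and Response
actionType = configFile.get_Action()
ALERT = actionType[0]
BLOCK = actionType[1]

# Talk to BlueCat Address Manager
# NOTE(review): plain HTTP — APIUSER/APIPASS cross the network unencrypted;
# prefer HTTPS.
bam = api('http://' + BAMIP + '/Services/API?wsdl')
bam.login(APIUSER, APIPASS)

# The other examples on this page treat an entity id of 0 as "not found".
# Stop here rather than let a 0 id silently scope every later lookup and
# the RPZ upload to the wrong parent.
bamConfig = bam._soap_client.service.getEntityByName(0, BAMCONFIG,
                                                     "Configuration")
OBJID_BAMCONFIG = bamConfig['id']
if OBJID_BAMCONFIG == 0:
    raise SystemExit("BAM configuration not found: " + str(BAMCONFIG))
print OBJID_BAMCONFIG

rpzPolicy = bam._soap_client.service.getEntityByName(OBJID_BAMCONFIG,
                                                     RPZPOLICY,
                                                     "ResponsePolicy")
OBJID_RPZPOLICY = rpzPolicy['id']
if OBJID_RPZPOLICY == 0:
    raise SystemExit("Response policy not found: " + str(RPZPOLICY))
print OBJID_RPZPOLICY

# Filled below with the id of each DNS/DHCP server named in DDSNAMES.
ddsID = []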
for dds in DDSNAMES:
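 def login_to_api(ip_address, user):
     """Create a BAM API client for *ip_address*, log *user* in, register it.

     Args:
         ip_address: address passed straight to ``api``.
         user: object providing ``get_username()``, ``get_password()`` and
             ``add_api()``; the new client is attached to it.

     Returns:
         The logged-in ``api`` client.
     """
     # sslverify follows config.validate_server_cert; when that flag is
     # false the server certificate is not checked, so the credentials sent
     # by login() are exposed to an interposed host. Keep it enabled outside
     # of lab use.
     new_api = api(ip_address, sslverify=config.validate_server_cert)
     # The value login() returns (bound to an unused 'message' local in the
     # original) is discarded.
     new_api.login(user.get_username(), user.get_password())
     user.add_api(new_api)
     return new_api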