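def block_tunnel(malware):
    """Add *malware* to the DNS-tunnel block list and push it to the DNS server.

    The domain is stored as a tag in the "dnstunnel-malware" tag group in
    BlueCat Address Manager (BAM); the response-policy item list is then
    rebuilt from every tag in that group, uploaded to the response policy and
    a full DNS redeploy of the server is triggered.

    Args:
        malware: domain name to block. Every subdomain is covered because the
            tag is written as ``"**." + malware``.

    Returns:
        0 when the upload and deployment calls completed, 1 otherwise
        (including a refused, malformed domain).
    """
    import logging

    log = logging.getLogger(__name__)

    # The uploaded list is newline-delimited, so a name carrying whitespace
    # (or an empty name) would turn into extra or blank policy entries.  The
    # name is derived from observed DNS traffic, so its shape is not trusted:
    # refuse it before touching BAM.
    if not malware or any(ch.isspace() for ch in malware):
        log.error("block_tunnel: refusing malformed domain %r", malware)
        return 1

    # Talk to BlueCat Address Manager.
    # NOTE(review): the BAM address and the login are hard-coded here and the
    # endpoint is plain http, so the credentials travel unencrypted.  The
    # BAMIP/APIUSER/APIPASS constants used elsewhere in this listing are where
    # these values belong.
    api_url = 'http://10.0.1.251/Services/API?wsdl'
    bam = api(api_url)
    bam.login('apiuser', 'bluecat')
    #conf = bam.get_configuration('ACME Corp')

    tg = bam._soap_client.service.getEntityByName(0, "dnstunnel-malware", "TagGroup")
    if tg.id == 0:
        # An id of 0 is treated as "group does not exist": create it.
        # NOTE(review): if addTagGroup returns the new id rather than an
        # entity, tg.id below would raise — confirm against the BAM API in use.
        tg = bam._soap_client.service.addTagGroup('dnstunnel-malware', "")
    try:
        bam._soap_client.service.addTag(tg.id, "**." + malware, "")
        # getEntities is paged: anything beyond the first 1000 tags is
        # silently left out of the uploaded list.
        e = bam._soap_client.service.getEntities(tg.id, "Tag", 0, 1000)
        # Each item is prefixed with '\n', exactly as the original built it.
        blacklistItems = ''.join('\n' + entity.name for entity in e.item)
        bam._soap_client.service.uploadResponsePolicyItems(
            1651093, base64.b64encode(blacklistItems))
        bam._soap_client.service.deployServerConfig(
            140183, "services=DNS|forceDNSFullDeployment=true")
        return 0
    except Exception:
        # The caller only sees 0/1, but a failed block must not vanish
        # silently: a domain that stayed unblocked has to be visible in logs.
        log.exception("block_tunnel: failed to block %r", malware)
        return 1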
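def block_tunnel(maldomain):
    """Add *maldomain* to the DNS-tunnel block list and deploy it to every DDS.

    The domain is stored as a tag in the ``TAG_TUNNEL`` tag group in BlueCat
    Address Manager (BAM); the response-policy item list is rebuilt from every
    tag in that group, uploaded to the policy ``OBJID_RPZ`` and a full DNS
    redeploy is triggered on each server id in ``OBJID_DDS``.

    Args:
        maldomain: domain name to block. Every subdomain is covered because
            the tag is written as ``"**." + maldomain``.

    Returns:
        0 when the upload and all deployment calls completed, 1 otherwise
        (including a refused, malformed domain).
    """
    import logging

    log = logging.getLogger(__name__)

    # The uploaded list is newline-delimited, so a name carrying whitespace
    # (or an empty name) would turn into extra or blank policy entries.  The
    # name is derived from observed DNS traffic, so its shape is not trusted:
    # refuse it before touching BAM.
    if not maldomain or any(ch.isspace() for ch in maldomain):
        log.error("block_tunnel: refusing malformed domain %r", maldomain)
        return 1

    # Talk to BlueCat Address Manager.
    # NOTE(review): the endpoint is plain http, so APIUSER/APIPASS travel
    # unencrypted to BAM — confirm whether the appliance exposes https.
    api_url = 'http://' + BAMIP + '/Services/API?wsdl'
    bam = api(api_url)
    bam.login(APIUSER, APIPASS)
    #conf = bam.get_configuration('ACME Corp')

    tg = bam._soap_client.service.getEntityByName(0, TAG_TUNNEL, "TagGroup")
    if tg.id == 0:
        # An id of 0 is treated as "group does not exist": create it.
        # NOTE(review): if addTagGroup returns the new id rather than an
        # entity, tg.id below would raise — confirm against the BAM API in use.
        tg = bam._soap_client.service.addTagGroup(TAG_TUNNEL, "")
    try:
        bam._soap_client.service.addTag(tg.id, "**." + maldomain, "")
        # getEntities is paged: anything beyond the first 1000 tags is
        # silently left out of the uploaded list.
        e = bam._soap_client.service.getEntities(tg.id, "Tag", 0, 1000)
        # Each item is prefixed with '\n', exactly as the original built it.
        blacklistItems = ''.join('\n' + entity.name for entity in e.item)
        bam._soap_client.service.uploadResponsePolicyItems(
            OBJID_RPZ, base64.b64encode(blacklistItems))
        # One deploy per DNS server; a failure on any of them yields 1, so
        # an earlier server may already carry the new list when 1 is returned.
        for dds in OBJID_DDS:
            bam._soap_client.service.deployServerConfig(
                dds, "services=DNS|forceDNSFullDeployment=true")
        return 0
    except Exception:
        # The caller only sees 0/1, but a failed block must not vanish
        # silently: a domain that stayed unblocked has to be visible in logs.
        log.exception("block_tunnel: failed to block %r", maldomain)
        return 1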
def init_bam(self, params=None):
    """Open the connection to BlueCat Address Manager from ``self._identity``.

    Builds the ``api`` client from the ``api_url`` entry of the identity dict.
    A connection failure (``URLError``) is logged and reported by returning 1.
    ``params`` is accepted but not read in the lines shown.

    NOTE(review): user, password, conf, viewname and taggroupname are read
    here but not used in this excerpt — the method presumably continues
    (login, view and tag-group lookup) beyond what is shown; confirm before
    relying on ``return 1`` being the only exit.
    """
    user = self._identity["user"]
    password = self._identity["password"]
    conf = self._identity["conf"]
    logger = self._identity["logger"]
    viewname = self._identity["view"]
    taggroupname = self._identity["taggroup"]
    api_url = self._identity["api_url"]
    try:
        self.api = api(self._identity["api_url"])
    except URLError, e:  # Python 2 syntax; `except URLError as e` works on both
        # Only the URL and the error arguments reach the log — no credentials.
        logger.error("FAILED TO CONNECT TO BAM: " + api_url + "(" + str(e.args) + ")")
        return 1
def getObjectId(objType, objName):
    """Resolve BAM object names to their ids.

    Args:
        objType: one of "Configuration", "ResponsePolicy" or "Server".
        objName: the object name; for "Server" an iterable of server names.

    Returns:
        The ``id`` field of the matching entity for "Configuration" and
        "ResponsePolicy", a list of int ids (in input order) for "Server",
        and None for any other ``objType``.
    """
    # NOTE(review): a fresh login over plain http on every call — APIUSER and
    # APIPASS travel unencrypted, and no logout is performed here.
    bam = api('http://' + BAMIP + '/Services/API?wsdl')
    bam.login(APIUSER, APIPASS)
    lookup = bam._soap_client.service.getEntityByName

    if objType == "Configuration":
        # Configurations are looked up under the root entity (parent id 0).
        return lookup(0, objName, "Configuration")['id']
    if objType == "ResponsePolicy":
        return lookup(OBJID_BAMCONFIG, objName, "ResponsePolicy")['id']
    if objType == "Server":
        return [int(lookup(OBJID_BAMCONFIG, name, "Server")['id'])
                for name in objName]
    # Unknown type: the original fell off the end, i.e. returned None.
    return None
# Names of the response policy and the DNS/DHCP servers, read from config.
RPZPOLICY = configFile.get_ResponsePolicy()
DDSNAMES = configFile.get_DDSNames()
## DNS Tunnel Detection
## 1. Length = Minimum: 35
## 2. Count per Interval = Minimum: 8
# Detection thresholds come from the config file; the minimums noted above
# are the author's documented values — confirm they match the config in use.
TUN_DETECT_LENGTH = configFile.get_QueryLength()
TUN_COUNT_PER_INT = configFile.get_QueryRate()
## Mitigation and Response
# get_Action() is expected to return a two-element sequence: [alert, block]
# (presumably flags — not shown here).
actionType = configFile.get_Action()
ALERT = actionType[0]
BLOCK = actionType[1]
# Talk to BlueCat Address Manager
# NOTE(review): plain http endpoint — APIUSER/APIPASS are sent unencrypted;
# confirm whether the appliance exposes https.
bam = api('http://' + BAMIP + '/Services/API?wsdl')
bam.login(APIUSER, APIPASS)
# Resolve the configuration and response-policy ids used by the rest of the
# script (Python 2 print statements below).
bamConfig = bam._soap_client.service.getEntityByName(0, BAMCONFIG, "Configuration")
OBJID_BAMCONFIG = bamConfig['id']
print OBJID_BAMCONFIG
rpzPolicy = bam._soap_client.service.getEntityByName(OBJID_BAMCONFIG, RPZPOLICY, "ResponsePolicy")
OBJID_RPZPOLICY = rpzPolicy['id']
print OBJID_RPZPOLICY
ddsID = []
# The loop body is outside this excerpt; it presumably fills ddsID.
for dds in DDSNAMES:
def login_to_api(ip_address, user):
    """Build a BAM ``api`` client for *ip_address*, log *user* in and register it.

    TLS certificate validation follows ``config.validate_server_cert``; when
    that is False the server's identity is not checked and the credentials
    sent by ``login`` are exposed to any host interposed on the connection.

    Returns:
        The logged-in ``api`` instance (also attached to *user* via
        ``add_api``). The login reply itself is discarded.
    """
    client = api(ip_address, sslverify=config.validate_server_cert)
    client.login(user.get_username(), user.get_password())
    user.add_api(client)
    return client