def setReputation(trustlevelStr, md5, sha1, sha256, filenameStr, commentStr): # File Hashes #mySetHashes = {HashType.MD5: "", HashType.SHA1: "", HashType.SHA256: ""} trustlevelInt = getTrustLevel(trustlevelStr) mySetHashes = hashMe(md5, sha1, sha256) print("mySetHashes:") print(mySetHashes) # Create the client with DxlClient(config) as client: # Connect to the fabric client.connect() # Create the McAfee Threat Intelligence Exchange (TIE) client tie_client = TieClient(client) print(trustlevelInt) print(mySetHashes) print(filenameStr) print(commentStr) if trustlevelInt != -1: # Set the Enterprise reputation for notepad.exe to Known Trusted tie_client.set_file_reputation(trustlevelInt, mySetHashes, filename=filenameStr, comment=commentStr) else: return jsonify(error="invalid trust level", trustlevel=trustlevelStr) client.disconnect()
def setTieReputation(self, payload): tie_client = TieClient(self.client) hashes = { HashType.MD5: payload['fileMD5'], HashType.SHA1: payload['fileSHA1'], HashType.SHA256: payload['fileSHA256'] } reputations_dict = tie_client.get_file_reputation(hashes) has_definitive_reputation = \ any([rep[ReputationProp.TRUST_LEVEL] != TrustLevel.NOT_SET and rep[ReputationProp.TRUST_LEVEL] != TrustLevel.UNKNOWN and rep[ReputationProp.PROVIDER_ID] != FileProvider.EXTERNAL for rep in reputations_dict.values()]) if not has_definitive_reputation: try: tie_client.set_external_file_reputation( TrustLevel.MIGHT_BE_TRUSTED, hashes, file_type=payload['filetype'], filename=payload['filename'], comment=payload['comment'] ) except ValueError as e: pass
def set_rep(self, filename, level, md5, sha1, sha256, sandbox): try: with DxlClient(self.config) as client: client.connect() tie_client = TieClient(client) # multi-sandbox support: merge results if some are already available existing_reputation = tie_client.get_file_reputation( {HashType.SHA256: sha256}) if existing_reputation and FileProvider.EXTERNAL in existing_reputation: logging.info( "A external reputation verdict has been already present for the sample, will merge the results" ) if (level != 0 and level < existing_reputation[ FileProvider.EXTERNAL]["trustLevel"]): self._set_reputation(tie_client, filename, level, md5, sha1, sha256, sandbox) else: logging.info( "New reputation level was higher than what is already present" ) else: self._set_reputation(tie_client, filename, level, md5, sha1, sha256, sandbox) except Exception as e: logging.error( "ERROR setting the reputation in TIE for SHA256 %s using sandbox %s: %s", str(sha256), sandbox, e, )
def set_file_reputation(hash, trust_level, filename, comment): config = get_client_config() # find trust_level key trust_level_key = None for k, v in TRUST_LEVELS.iteritems(): if v == trust_level: trust_level_key = k if not trust_level_key: return create_error_entry('illigale argument trust_level %s. Choose value from predefined values' % (trust_level, )) with DxlClient(config) as client: client.connect() tie_client = TieClient(client) hash_type = get_hash_type(hash) hash_type_key = HASH_TYPE_KEYS.get(hash_type) if not hash_type_key: return create_error_entry('file argument must be sha1(40 charecters) or sha256(64 charecters) or md5(32 charecters)') hash_param = {} hash_param[hash_type_key] = hash try: tie_client.set_file_reputation(trust_level_key, hash_param, filename, comment) return 'Successfully set file repuation' except Exception as ex: return create_error_entry(str(ex))
def _lookup_hash(self, event, *args, **kwargs): artifact_type = event.artifact["type"] artifact_value = event.artifact["value"] LOG.debug("_lookup_hash started for Artifact Type {0} - Artifact Value {1}".format( artifact_type, artifact_value)) tie_client = TieClient(self.client) if artifact_type == "hash.md5": resilient_hash = {HashType.MD5: artifact_value} elif artifact_type == "hash.sha1": resilient_hash = {HashType.SHA1: artifact_value} elif artifact_type == "hash.sha256": resilient_hash = {HashType.SHA256: artifact_value} else: raise ValueError("Something went wrong setting the hash value") reputations_dict = \ tie_client.get_file_reputation( resilient_hash ) hits = self._query_mcafee_tie(reputations_dict) yield hits
def file_references(hash): config = get_client_config() with DxlClient(config) as client: client.connect() # Create the McAfee Threat Intelligence Exchange (TIE) client tie_client = TieClient(client) hash_type = get_hash_type(hash) hash_type_key = HASH_TYPE_KEYS.get(hash_type) if not hash_type_key: return create_error_entry('file argument must be sha1(40 charecters) or sha256(64 charecters) or md5(32 charecters)') hash_param = {} hash_param[hash_type_key] = hash references = tie_client.get_file_first_references(hash_param) table = references_to_table(references) # creaet context context_file = {} hash_type_uppercase = hash_type.upper() context_file[hash_type_uppercase] = hash context_file['References'] = table ec = {} ec[outputPaths['file']] = context_file return { 'Type': entryTypes['note'], 'ContentsFormat': formats['json'], 'Contents': references, 'ReadableContentsFormat': formats['markdown'], 'HumanReadable': tableToMarkdown('References for hash %s' % (hash,), table), 'EntryContext': ec }
def getTieRep(md5, sha1, sha256): with DxlClient(config) as client: # Connect to the fabric client.connect() # Create the McAfee Threat Intelligence Exchange (TIE) client tie_client = TieClient(client) myGetHashes = hashMe(md5, sha1, sha256) reputations_dict = tie_client.get_file_reputation(myGetHashes) client.disconnect() #myReturnVal = json.dumps(reputations_dict, sort_keys=True, indent=4, separators=(',', ': ')) + "\n" return reputations_dict
def file(hash): config = get_client_config() with DxlClient(config) as client: client.connect() # Create the McAfee Threat Intelligence Exchange (TIE) client tie_client = TieClient(client) hash_type = get_hash_type(hash) hash_type_key = HASH_TYPE_KEYS.get(hash_type) if not hash_type_key: return create_error_entry('file argument must be sha1(40 charecters) or sha256(64 charecters) or md5(32 charecters)') hash_param = {} hash_param[hash_type_key] = hash res = tie_client.get_file_reputation(hash_param) reputations = res.values() table = reputations_to_table(reputations) # creaet context context_file = {} hash_type_uppercase = hash_type.upper() tl_score = get_thrust_level_and_score(reputations) context_file[hash_type_uppercase] = hash context_file['TrustLevel'] = tl_score['trust_level'] context_file['Vendor'] = tl_score['vendor'] dbot_score = {'Indicator': hash, 'Type': 'hash', 'Vendor': tl_score['vendor'], 'Score': tl_score['score']} if tl_score['score'] >= 2: context_file['Malicious'] = { 'Vendor': tl_score['vendor'], 'Score': tl_score['score'], 'Description': 'Trust level is ' + str(tl_score['trust_level']) } ec = { 'DBotScore': dbot_score } ec[outputPaths['file']] = context_file return { 'Type': entryTypes['note'], 'ContentsFormat': formats['json'], 'Contents': reputations, 'ReadableContentsFormat': formats['markdown'], 'HumanReadable': tableToMarkdown('McAfee TIE Hash Reputations For %s:' % (hash,), table), 'EntryContext': ec }
def file(hash_inputs): hash_list = [] for hash_value in hash_inputs: config = get_client_config() with DxlClient(config) as client: client.connect() # Create the McAfee Threat Intelligence Exchange (TIE) client tie_client = TieClient(client) hash_type = get_hash_type(hash_value) hash_type_key = HASH_TYPE_KEYS.get(hash_type) if not hash_type_key: return create_error_entry('file argument must be sha1(40 charecters) or sha256(64 charecters)' ' or md5(32 charecters)') hash_param = {} reputations = {} context_file = {} hash_param[hash_type_key] = hash_value hash_type_uppercase = hash_type.upper() res = safe_get_file_reputation(tie_client, hash_param) if not res: dbot_score = [{'Indicator': hash_value, 'Type': 'hash', 'Vendor': VENDOR_NAME, 'Score': 0}, {'Indicator': hash_value, 'Type': 'file', 'Vendor': VENDOR_NAME, 'Score': 0}] context_file[hash_type_uppercase] = hash_value context_file['TrustLevel'] = 0 context_file['Vendor'] = VENDOR_NAME else: reputations = res.values() # create context tl_score = get_thrust_level_and_score(reputations) context_file[hash_type_uppercase] = hash_value context_file['TrustLevel'] = tl_score['trust_level'] context_file['Vendor'] = tl_score['vendor'] dbot_score = [{'Indicator': hash_value, 'Type': 'hash', 'Vendor': tl_score['vendor'], 'Score': tl_score['score']}, {'Indicator': hash_value, 'Type': 'file', 'Vendor': tl_score['vendor'], 'Score': tl_score['score']}] if tl_score['score'] >= 2: context_file['Malicious'] = { 'Vendor': tl_score['vendor'], 'Score': tl_score['score'], 'Description': 'Trust level is ' + str(tl_score['trust_level']) } ec = {'DBotScore': dbot_score, outputPaths['file']: context_file} table = reputations_to_table(reputations) hash_list.append({ 'Type': entryTypes['note'], 'ContentsFormat': formats['json'], 'Contents': reputations, 'ReadableContentsFormat': formats['markdown'], 'HumanReadable': tableToMarkdown('McAfee TIE Hash Reputations For %s:' % (hash_value,), table), 'EntryContext': ec }) return hash_list
def set_rep(self, eventid, hash): try: with DxlClient(self.config) as client: client.connect() tie_client = TieClient(client) tie_client.set_external_file_reputation( self.tie_rep, {'md5': hash}, filename='MISP Hash {0}'.format(str(eventid)), comment='External Reputation set via OpenDXL') print('SUCCESS: Successfully pushed MD5 {0} to TIE.'.format(str(hash))) except Exception as e: exc_type, exc_obj, exc_tb = sys.exc_info() print('ERROR: Error in {location}.{funct_name}() - line {line_no} : {error}' .format(location=__name__, funct_name=sys._getframe().f_code.co_name, line_no=exc_tb.tb_lineno, error=str(e)))
class TIE_Plugin(PluginBase) : def __init__(self): logger.info("Plugin " + _plugin_name + " initializing...") # # Init and connect DXL client # # DxlClientConfig from DXL configuration file logger.debug(_plugin_name + " : Loading DXL config from: %s", cfg['ExportPlugins']['TIE_Plugin']['DXLConfig']) self.dxl_config = DxlClientConfig.create_dxl_config_from_file(cfg['ExportPlugins']['TIE_Plugin']['DXLConfig']) self.tie_client = None def export(self, results_array): #logger.debug(results_array) #logger.debug(json.dumps(results_array, indent=4, sort_keys=True)) for event in results_array: logger.debug(_plugin_name + " processing event: (Event ID: " + event['Event']['id'] + ", Event Info: " + event['Event']['info'] + ", Event Date: " + event['Event']['date'] + ")") with DxlClient(self.dxl_config) as client: # Connect to the DXL fabric logger.debug(_plugin_name + " : Connecting OpenDXL client...") client.connect() # Create the McAfee Threat Intelligence Exchange (TIE) client self.tie_client = TieClient(client) for attribute in event['Event']['Attribute']: if attribute['type'] == 'md5' or attribute['type'] == 'sha1' or attribute['type'] == 'sha256': logger.debug("Found attribute type {0} = {1} in MISP event {2}.".format(str(attribute['type']),str(attribute['value']),str(event['Event']['id']))) self.set_tie_reputation(TIE_REPUTATION, attribute['type'], attribute['value'], "MISP (Event ID {0}, Info: {1})".format(str(event['Event']['id']), str(event['Event']['info']))) for obj in event['Event']['Object']: for attribute in obj['Attribute']: if attribute['type'] == 'md5' or attribute['type'] == 'sha1' or attribute['type'] == 'sha256': logger.debug("Found object attribute type {0} = {1} in MISP event {2}.".format(str(attribute['type']),str(attribute['value']),str(event['Event']['id']))) self.set_tie_reputation(TIE_REPUTATION, attribute['type'], attribute['value'], "MISP (Event ID {0}, Info: {1})".format(str(event['Event']['id']), str(event['Event']['info']))) self.tie_client = None def set_tie_reputation(self, trust_level, hash_type, hash_value, comment_str): if self.tie_client : try: self.tie_client.set_external_file_reputation(TIE_REPUTATION, {hash_type: hash_value}, filename=comment_str, comment=comment_str) logger.debug(_plugin_name + " : Reputation set (%s)", comment_str) except ValueError as e: logger.error(_plugin_name + " : Error while trying to set TIE reputation (%s)", str(e))
def set_reputation(self, list_hash, type_hash): try: with DxlClient(self.config) as client: client.connect() tie_client = TieClient(client) for new_threat in list_hash: #set new reputation with hash string and trustlevel is KNOWN_MALICIOUS tie_client.set_external_file_reputation( TrustLevel.KNOWN_MALICIOUS, {type_hash: new_threat.hash_string}, filename='MISP Hash {0}'.format(str(new_threat.name)), comment='External Reputation set via OpenDXL') print('SUCCESS: Successfully pushed {0} {1} to TIE.'.format(type_hash, str(new_threat.hash_string))) except Exception as e: exc_tb = sys.exc_info() print('ERROR: Error in {location}.{funct_name}() - line {line_no} : {error}' .format(location=__name__, funct_name=sys._getframe().f_code.co_name, line_no=exc_tb.tb_lineno, error=str(e)))
def process(self): event = self.receive_message() payload = json.dumps(event) self.dxlclient.connect() tie_client = TieClient(self.dxlclient) tie_client.set_file_reputation( TrustLevel.MOST_LIKELY_MALICIOUS, { HashType.SHA256: event.get("malware.hash.sha256"), HashType.SHA1: event.get("malware.hash.sha1"), HashType.MD5: event.get("malware.hash.md5") }, filename=event.get("malware.name"), comment=self.parameters.comment) self.dxlclient.disconnect() self.logger.info("Event successfully sent.") self.acknowledge_message()
def export(self, results_array): #logger.debug(results_array) #logger.debug(json.dumps(results_array, indent=4, sort_keys=True)) for event in results_array: logger.debug(_plugin_name + " processing event: (Event ID: " + event['Event']['id'] + ", Event Info: " + event['Event']['info'] + ", Event Date: " + event['Event']['date'] + ")") with DxlClient(self.dxl_config) as client: # Connect to the DXL fabric logger.debug(_plugin_name + " : Connecting OpenDXL client...") client.connect() # Create the McAfee Threat Intelligence Exchange (TIE) client self.tie_client = TieClient(client) for attribute in event['Event']['Attribute']: if attribute['type'] == 'md5' or attribute['type'] == 'sha1' or attribute['type'] == 'sha256': logger.debug("Found attribute type {0} = {1} in MISP event {2}.".format(str(attribute['type']),str(attribute['value']),str(event['Event']['id']))) self.set_tie_reputation(TIE_REPUTATION, attribute['type'], attribute['value'], "MISP (Event ID {0}, Info: {1})".format(str(event['Event']['id']), str(event['Event']['info']))) for obj in event['Event']['Object']: for attribute in obj['Attribute']: if attribute['type'] == 'md5' or attribute['type'] == 'sha1' or attribute['type'] == 'sha256': logger.debug("Found object attribute type {0} = {1} in MISP event {2}.".format(str(attribute['type']),str(attribute['value']),str(event['Event']['id']))) self.set_tie_reputation(TIE_REPUTATION, attribute['type'], attribute['value'], "MISP (Event ID {0}, Info: {1})".format(str(event['Event']['id']), str(event['Event']['info']))) self.tie_client = None
def __init__(self, options, dxlclient, reputation_lookup_dict=None): # Create the McAfee Threat Intelligence Exchange (TIE) client self.tie_client = TieClient(dxlclient) # TODO:Refactor this self.reputation_lookup_dict = reputation_lookup_dict if self.reputation_lookup_dict: try: self.filehash = reputation_lookup_dict['md5'] except: try: self.filehash = reputation_lookup_dict['sha1'] except: self.filehash = "unknown" self.reputations_dict = self._getFileRep() else: self.filehash = options.filehash if self.filehash == None: return "no file hash" self.reputations_dict = self._getFileRep() self.content = self._getFileProps()
def doReputation(btn): global hashType strHash = str(chatWin.getEntry("TIE_Hash")) logger.info("Getting reputation data for {0}.".format(str(strHash))) #Get all TIE based reputation data associated with a given hash tie_client = TieClient(client) reputations_dict = {} #Request raw json reputation results if hashType == "md5": reputations_dict = tie_client.get_file_reputation( {HashType.MD5: strHash}) elif hashType == "sha1": reputations_dict = tie_client.get_file_reputation( {HashType.SHA1: strHash}) elif hashType == "sha256": reputations_dict = tie_client.get_file_reputation( {HashType.SHA256: strHash}) #debug logger.info( "Raw TIE results for hash type " + hashType + ": " + json.dumps( reputations_dict, sort_keys=True, indent=4, separators=(',', ': '))) #Start building repputation output for writing to the results TextArea strResults = parseTIEResults(reputations_dict) #chatWin.setTextArea("TIEResults", json.dumps(reputations_dict, sort_keys=True, indent=4, separators= (',', ': ')), False) chatWin.setTextArea("HashResults", strResults, False) return True
def test_safe_get_file_reputation_returned_exception(mocker): """ Given: - tie client and hash parameter When: - The tie client returns some exception Then: - Print to log and return empty dict """ mcafee_tie = importlib.import_module("McAfee-TIE") tie_client = TieClient(None) hash_param = {'test': 'test'} mocker.patch.object(tie_client, "get_file_reputation", side_effect=Exception()) assert not mcafee_tie.safe_get_file_reputation(tie_client, hash_param)
def test_safe_get_file_reputation_returned_rep(mocker): """ Given: - tie client and hash parameter When: - The tie client returns reputation Then: - return the reputation """ mcafee_tie = importlib.import_module("McAfee-TIE") tie_client = TieClient(None) hash_param = {'test': 'test'} mocker.patch.object(tie_client, "get_file_reputation", return_value='test_value') assert mcafee_tie.safe_get_file_reputation(tie_client, hash_param)
def on_event(self, event): """ Invoked when a DXL event has been received. NOTE: This method should not be overridden (it performs transformations to simplify TIE usage). Instead, the :func:`on_reputation_change` method must be overridden. :param event: The original DXL event message that was received """ # Decode the event payload rep_change_dict = json.loads(event.payload.decode(encoding="UTF-8")) # Transform hashes if RepChangeEventProp.HASHES in rep_change_dict: rep_change_dict[RepChangeEventProp.HASHES] = \ TieClient._transform_hashes(rep_change_dict[RepChangeEventProp.HASHES]) # Transform new reputations if RepChangeEventProp.NEW_REPUTATIONS in rep_change_dict: if "reputations" in rep_change_dict[ RepChangeEventProp.NEW_REPUTATIONS]: rep_change_dict[RepChangeEventProp.NEW_REPUTATIONS] = \ TieClient._transform_reputations( rep_change_dict[RepChangeEventProp.NEW_REPUTATIONS]["reputations"]) # Transform old reputations if RepChangeEventProp.OLD_REPUTATIONS in rep_change_dict: if "reputations" in rep_change_dict[ RepChangeEventProp.OLD_REPUTATIONS]: rep_change_dict[RepChangeEventProp.OLD_REPUTATIONS] = \ TieClient._transform_reputations( rep_change_dict[RepChangeEventProp.OLD_REPUTATIONS]["reputations"]) # Transform relationships if FileRepChangeEventProp.RELATIONSHIPS in rep_change_dict: relationships_dict = rep_change_dict[ FileRepChangeEventProp.RELATIONSHIPS] if "certificate" in relationships_dict: cert_dict = relationships_dict["certificate"] if "hashes" in cert_dict: cert_dict["hashes"] = \ TieClient._transform_hashes(cert_dict["hashes"]) if "publicKeySha1" in cert_dict: cert_dict["publicKeySha1"] = \ TieClient._base64_to_hex(cert_dict["publicKeySha1"]) # Transform certificate public-key SHA-1 (if applicable) if CertRepChangeEventProp.PUBLIC_KEY_SHA1 in rep_change_dict: rep_change_dict[CertRepChangeEventProp.PUBLIC_KEY_SHA1] = \ TieClient._base64_to_hex(rep_change_dict[CertRepChangeEventProp.PUBLIC_KEY_SHA1]) # Invoke the reputation change method self.on_reputation_change(rep_change_dict, event)
def on_event(self, event): """ Invoked when a DXL event has been received. NOTE: This method should not be overridden (it performs transformations to simplify TIE usage). Instead, the :func:`on_detection` method must be overridden. :param event: The original DXL event message that was received """ # Decode the event payload detection_dict = json.loads(event.payload.decode(encoding="UTF-8")) # Transform hashes if DetectionEventProp.HASHES in detection_dict: detection_dict[RepChangeEventProp.HASHES] = \ TieClient._transform_hashes(detection_dict[DetectionEventProp.HASHES]) # Invoke the detection method self.on_detection(detection_dict, event)
def set_rep(self, hash, type, level, prov): with DxlClient(DXL_CONFIG) as client: client.connect() tie_client = TieClient(client) if prov == 'enterprise': tie_client.set_file_reputation( int(level), {type: hash}, filename=hash, comment="Reputation Update from McAfee Bulk Importer") elif prov == 'external': tie_client.set_external_file_reputation( int(level), {type: hash}, filename=hash, comment="Reputation Update from McAfee Bulk Importer")
def main(): if pollInterval == 0: print "Polling Interval Needs to be set in environment variable JOE_POLL" exit(0) print "" print "--- Joe Sandbox metadata script ---" print "" # Create the client with DxlClient(config) as client: # Connect to the fabric client.connect() # Create the McAfee Threat Intelligence Exchange (TIE) client tie_client = TieClient(client) while True: getJoeList(tie_client) time.sleep(pollInterval)
def selftest_function(opts): options = opts.get(CONFIG_DATA_SECTION, {}) try: try: config_file = options.get("dxlclient_config") if config_file is None: log.error( "dxlclient_config is not set. You must set this path to run this function" ) raise ValueError( "dxlclient_config is not set. You must set this path to run this function" ) # Create configuration from file for DxlClient dxlclient_config = DxlClientConfig.create_dxl_config_from_file( config_file) except AttributeError: log.error( "There is no [fn_mcafee_tie] section in the config file, " "please set that by running resilient-circuits config -u") raise AttributeError( "[fn_mcafee_tie] section is not set in the config file") dxlclient = DxlClient(dxlclient_config) dxlclient.connect() tie_client = TieClient(dxlclient) if dxlclient.connected and tie_client: state = 'success' reason = None else: state = 'failure' reason = 'authorization failure' return {'state': state, 'reason': reason} except Exception as exc: return {'state': 'failure', 'reason': exc}
FILE_SHA256 = "142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2" # Hashes for the certificate to look up # These can be replaced by a certificate which is known to have run within the # enterprise for better results CERTIFICATE_BODY_SHA1 = "6EAE26DB8C13182A7947982991B4321732CC3DE2" CERTIFICATE_PUBLIC_KEY_SHA1 = "3B87A2D6F39770160364B79A152FCC73BAE27ADF" # Create the client with DxlClient(config) as client: # Connect to the fabric client.connect() # Create the McAfee Threat Intelligence Exchange (TIE) client tie_client = TieClient(client) # # Perform the file reputation query # reputations_dict = \ tie_client.get_file_reputation({ HashType.MD5: FILE_MD5, HashType.SHA1: FILE_SHA1, HashType.SHA256: FILE_SHA256 }) print("File reputation response:") # Display the Global Threat Intelligence (GTI) trust level for the file if FileProvider.GTI in reputations_dict:
def tie_set_rep(self, filedict): tie_client = TieClient(client) #Should consider use case... and whether or not a lookup should be made for FP mitigation before setting a rep else:
def _connect_client(self): # Connect client if not self.client.connected: self.client.connect() self.tie_client = TieClient(self.client)
childcounter+=1 # Loop through each file and check with the TIE Server to determine if # it already exists. with DxlClient(config) as client: #Connect to DXL fabric client.connect() #Create TIE Client tie_client=TieClient(client) for fileKey in WFResult: #unset reusables reputations_dict = None currentMD5 = None currentSHA256 = None currentFilename = None currentTrustLevel = None currentMD5= WFResult[fileKey]['md5'] currentSHA256=WFResult[fileKey]['sha256'] currentFilename=WFResult[fileKey]['filename'] currentTrustLevel=WFResult[fileKey]['trustlevel']
def set_reputation(dxl_config_file, ioc_list, force): # Create DXL configuration from file config = DxlClientConfig.create_dxl_config_from_file(dxl_config_file) # Create the client with DxlClient(config) as client: # Connect to the fabric client.connect() # Create the McAfee Threat Intelligence Exchange (TIE) client tie_client = TieClient(client) # # Hashes for the file whose reputation will be set. # # Replace the random values for the actual file hashes. # ioc_set = 0 ioc_error = 0 ioc_exist = 0 ioc_total = 0 for ioc in ioc_list: fileSHA1 = ioc["sha1"] fileSHA256 = ioc["sha256"] fileMD5 = ioc["md5"] hashes = { HashType.MD5: fileMD5, HashType.SHA1: fileSHA1, HashType.SHA256: fileSHA256 } file_name = ioc["file_name"] file_comment = ioc["file_comment"] try: reputation = REPUTATION_VALUES[ioc["reputation"]] except Exception as er: logger.error( "Error getting reputation value, for entry %s check spelling" % file_name) continue # # Request reputation for the file # reputations_dict = tie_client.get_file_reputation(hashes) # # Check if there's any definitive reputation (different to Not Set [0] and Unknown [50]) # has_definitive_reputation = \ any([rep[ReputationProp.TRUST_LEVEL] != TrustLevel.NOT_SET and rep[ReputationProp.TRUST_LEVEL] != TrustLevel.UNKNOWN for rep in reputations_dict.values()]) # # If there's a definitive reputation and we are not forcing the reputation aplication # Skip the application # if has_definitive_reputation and force == False: logger.info( "Information: There is a reputation from another provider for the file %s, External Reputation is not necessary." % file_name) ioc_exist = ioc_exist + 1 else: # # Set the External reputation # try: logger.debug("Reputation %s" % reputation) logger.debug("hashes %s" % hashes) logger.debug("filename %s" % file_name) logger.debug("comment %s" % file_comment) tie_client.set_file_reputation( reputation, hashes, #FileType.PEEXE, filename=file_name, comment=file_comment) logger.info( "Information: IoC %s sent to Threat Intelligence Exchange Database" % file_name) ioc_set = ioc_set + 1 except ValueError as e: logger.error( "Error sending IoC %s to Threat Intelligence Exchange Database" % file_name) ioc_error = ioc_error + 1 ioc_total = ioc_total + 1 ioc_procesed = { "total_ioc_processed": ioc_total, "ioc_set": ioc_set, "ioc_exist": ioc_exist, "ioc_error": ioc_error } return (ioc_procesed)
def run(self, results): """Writes report. @param results: Cuckoo results dict. @raise CuckooReportError: if fails to write report. """ try: currentMD5 = results["target"]["file"]["md5"] currentSHA1 = results["target"]["file"]["sha1"] currentSHA256 = results["target"]["file"]["sha256"] currentFilename = results["target"]["file"]["name"] currentTrustLevel = results["info"]["score"] print currentMD5 print currentSHA1 print currentSHA256 print currentFilename print currentTrustLevel if float(currentTrustLevel) < 4.0: print "Trust Level is " + str( currentTrustLevel) + ". No update required." return print "Opening DXL connection" with DxlClient(config) as client: #Connect to DXL fabric print "Connecting to DXL fabric." client.connect() #Create TIE Client print "Connecting to TIE." tie_client = TieClient(client) print "Trust Level is " + str( currentTrustLevel) + ". Updating TIE." reputations_dict = \ tie_client.get_file_reputation({ HashType.MD5: currentMD5, HashType.SHA1: currentSHA1, HashType.SHA256: currentSHA256 }) print reputations_dict #Check if there is an enterprise (custom set) reputation if (reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.NOT_SET or \ reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.UNKNOWN or \ reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.MIGHT_BE_TRUSTED or \ reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.MOST_LIKELY_TRUSTED): print "Current Trust Level is" + str(reputations_dict[ FileProvider.ENTERPRISE]["trustLevel"]) #also, let's make sure GTI trustLevels are either not being queried, or set to Unknown #we are nesting for clarity if (FileProvider.GTI not in reputations_dict.keys() or reputations_dict[FileProvider.GTI] == TrustLevel.UNKNOWN): print "GTI either does not exist or set to UNKNOWN" # If not set, go ahead and set it tie_client.set_file_reputation( TrustLevel.MOST_LIKELY_MALICIOUS, { HashType.MD5: currentMD5, HashType.SHA1: currentSHA1, HashType.SHA256: currentSHA256 }, filename=currentFilename, comment= "Reputation set via OpenDXL Cuckoo Integration. Cuckoo scored this sample a " + str(currentTrustLevel) + " out of 10.") print "Reputation set for: " + str( currentFilename) + ": " + currentMD5 except (TypeError, IOError) as e: raise CuckooReportError("Failed to update TIE with results: %s" % e)
def get_tie_client(client): # get TIE Connect client if not client.connected: client.connect() return TieClient(client)