Пример #1
0
def setReputation(trustlevelStr, md5, sha1, sha256, filenameStr, commentStr):
    # File Hashes
    #mySetHashes = {HashType.MD5: "", HashType.SHA1: "", HashType.SHA256: ""}

    trustlevelInt = getTrustLevel(trustlevelStr)

    mySetHashes = hashMe(md5, sha1, sha256)

    print("mySetHashes:")
    print(mySetHashes)

    # Create the client
    with DxlClient(config) as client:

        # Connect to the fabric
        client.connect()

        # Create the McAfee Threat Intelligence Exchange (TIE) client
        tie_client = TieClient(client)

        print(trustlevelInt)
        print(mySetHashes)
        print(filenameStr)
        print(commentStr)
        if trustlevelInt != -1:
            # Set the Enterprise reputation for notepad.exe to Known Trusted
            tie_client.set_file_reputation(trustlevelInt,
                                           mySetHashes,
                                           filename=filenameStr,
                                           comment=commentStr)
        else:
            return jsonify(error="invalid trust level",
                           trustlevel=trustlevelStr)
        client.disconnect()
Пример #2
0
    def setTieReputation(self, payload):
        tie_client = TieClient(self.client)

        hashes = {
            HashType.MD5: payload['fileMD5'],
            HashType.SHA1: payload['fileSHA1'],
            HashType.SHA256: payload['fileSHA256']
        }
        reputations_dict = tie_client.get_file_reputation(hashes)

        has_definitive_reputation = \
            any([rep[ReputationProp.TRUST_LEVEL] != TrustLevel.NOT_SET
                 and rep[ReputationProp.TRUST_LEVEL] != TrustLevel.UNKNOWN
                 and rep[ReputationProp.PROVIDER_ID] != FileProvider.EXTERNAL
                 for rep in reputations_dict.values()])

        if not has_definitive_reputation:
            try:
                tie_client.set_external_file_reputation(
                    TrustLevel.MIGHT_BE_TRUSTED,
                    hashes,
                    file_type=payload['filetype'],
                    filename=payload['filename'],
                    comment=payload['comment']
                )
            except ValueError as e:
                pass
    def set_rep(self, filename, level, md5, sha1, sha256, sandbox):
        try:
            with DxlClient(self.config) as client:
                client.connect()
                tie_client = TieClient(client)

                # multi-sandbox support: merge results if some are already available
                existing_reputation = tie_client.get_file_reputation(
                    {HashType.SHA256: sha256})
                if existing_reputation and FileProvider.EXTERNAL in existing_reputation:
                    logging.info(
                        "A external reputation verdict has been already present for the sample, will merge the results"
                    )
                    if (level != 0 and level < existing_reputation[
                            FileProvider.EXTERNAL]["trustLevel"]):
                        self._set_reputation(tie_client, filename, level, md5,
                                             sha1, sha256, sandbox)
                    else:
                        logging.info(
                            "New reputation level was higher than what is already present"
                        )
                else:
                    self._set_reputation(tie_client, filename, level, md5,
                                         sha1, sha256, sandbox)

        except Exception as e:
            logging.error(
                "ERROR setting the reputation in TIE for SHA256 %s using sandbox %s: %s",
                str(sha256),
                sandbox,
                e,
            )
Пример #4
0
def set_file_reputation(hash, trust_level, filename, comment):
    config = get_client_config()

    # find trust_level key
    trust_level_key = None
    for k, v in TRUST_LEVELS.iteritems():
        if v == trust_level:
            trust_level_key = k

    if not trust_level_key:
        return create_error_entry('illigale argument trust_level %s. Choose value from predefined values' % (trust_level, ))

    with DxlClient(config) as client:
        client.connect()
        tie_client = TieClient(client)

        hash_type = get_hash_type(hash)
        hash_type_key = HASH_TYPE_KEYS.get(hash_type)
        if not hash_type_key:
            return create_error_entry('file argument must be sha1(40 charecters) or sha256(64 charecters) or md5(32 charecters)')

        hash_param = {}
        hash_param[hash_type_key] = hash

        try:
            tie_client.set_file_reputation(trust_level_key, hash_param, filename, comment)
            return 'Successfully set file repuation'
        except Exception as ex:
            return create_error_entry(str(ex))
Пример #5
0
    def _lookup_hash(self, event, *args, **kwargs):
        artifact_type = event.artifact["type"]
        artifact_value = event.artifact["value"]
        LOG.debug("_lookup_hash started for Artifact Type {0} - Artifact Value {1}".format(
            artifact_type, artifact_value))

        tie_client = TieClient(self.client)

        if artifact_type == "hash.md5":
            resilient_hash = {HashType.MD5: artifact_value}
        elif artifact_type == "hash.sha1":
            resilient_hash = {HashType.SHA1: artifact_value}
        elif artifact_type == "hash.sha256":
            resilient_hash = {HashType.SHA256: artifact_value}
        else:
            raise ValueError("Something went wrong setting the hash value")

        reputations_dict = \
            tie_client.get_file_reputation(
                    resilient_hash
            )

        hits = self._query_mcafee_tie(reputations_dict)

        yield hits
Пример #6
0
def file_references(hash):
    config = get_client_config()
    with DxlClient(config) as client:
        client.connect()
        # Create the McAfee Threat Intelligence Exchange (TIE) client
        tie_client = TieClient(client)

        hash_type = get_hash_type(hash)
        hash_type_key = HASH_TYPE_KEYS.get(hash_type)
        if not hash_type_key:
            return create_error_entry('file argument must be sha1(40 charecters) or sha256(64 charecters) or md5(32 charecters)')

        hash_param = {}
        hash_param[hash_type_key] = hash

        references = tie_client.get_file_first_references(hash_param)

        table = references_to_table(references)

        # creaet context
        context_file = {}
        hash_type_uppercase = hash_type.upper()

        context_file[hash_type_uppercase] = hash
        context_file['References'] = table
        ec = {}
        ec[outputPaths['file']] = context_file
        return {
            'Type': entryTypes['note'],
            'ContentsFormat': formats['json'],
            'Contents': references,
            'ReadableContentsFormat': formats['markdown'],
            'HumanReadable': tableToMarkdown('References for hash %s' % (hash,), table),
            'EntryContext': ec
        }
Пример #7
0
def getTieRep(md5, sha1, sha256):
    with DxlClient(config) as client:
        # Connect to the fabric
        client.connect()

        # Create the McAfee Threat Intelligence Exchange (TIE) client
        tie_client = TieClient(client)
        myGetHashes = hashMe(md5, sha1, sha256)
        reputations_dict = tie_client.get_file_reputation(myGetHashes)
        client.disconnect()

        #myReturnVal = json.dumps(reputations_dict, sort_keys=True, indent=4, separators=(',', ': ')) + "\n"
    return reputations_dict
Пример #8
0
def file(hash):
    config = get_client_config()
    with DxlClient(config) as client:
        client.connect()
        # Create the McAfee Threat Intelligence Exchange (TIE) client
        tie_client = TieClient(client)

        hash_type = get_hash_type(hash)
        hash_type_key = HASH_TYPE_KEYS.get(hash_type)
        if not hash_type_key:
            return create_error_entry('file argument must be sha1(40 charecters) or sha256(64 charecters) or md5(32 charecters)')

        hash_param = {}
        hash_param[hash_type_key] = hash

        res = tie_client.get_file_reputation(hash_param)
        reputations = res.values()

        table = reputations_to_table(reputations)

        # creaet context
        context_file = {}
        hash_type_uppercase = hash_type.upper()
        tl_score = get_thrust_level_and_score(reputations)

        context_file[hash_type_uppercase] = hash
        context_file['TrustLevel'] = tl_score['trust_level']
        context_file['Vendor'] = tl_score['vendor']

        dbot_score = {'Indicator': hash, 'Type': 'hash', 'Vendor': tl_score['vendor'], 'Score': tl_score['score']}
        if tl_score['score'] >= 2:
            context_file['Malicious'] = {
                'Vendor': tl_score['vendor'],
                'Score': tl_score['score'],
                'Description': 'Trust level is ' + str(tl_score['trust_level'])
            }
        ec = {
            'DBotScore': dbot_score
        }
        ec[outputPaths['file']] = context_file

        return {
            'Type': entryTypes['note'],
            'ContentsFormat': formats['json'],
            'Contents': reputations,
            'ReadableContentsFormat': formats['markdown'],
            'HumanReadable': tableToMarkdown('McAfee TIE Hash Reputations For %s:' % (hash,), table),
            'EntryContext': ec
        }
Пример #9
0
def file(hash_inputs):
    hash_list = []

    for hash_value in hash_inputs:
        config = get_client_config()
        with DxlClient(config) as client:
            client.connect()
            # Create the McAfee Threat Intelligence Exchange (TIE) client
            tie_client = TieClient(client)

            hash_type = get_hash_type(hash_value)
            hash_type_key = HASH_TYPE_KEYS.get(hash_type)
            if not hash_type_key:
                return create_error_entry('file argument must be sha1(40 charecters) or sha256(64 charecters)'
                                          ' or md5(32 charecters)')

            hash_param = {}
            reputations = {}
            context_file = {}
            hash_param[hash_type_key] = hash_value
            hash_type_uppercase = hash_type.upper()
            res = safe_get_file_reputation(tie_client, hash_param)
            if not res:
                dbot_score = [{'Indicator': hash_value, 'Type': 'hash', 'Vendor': VENDOR_NAME, 'Score': 0},
                              {'Indicator': hash_value, 'Type': 'file', 'Vendor': VENDOR_NAME, 'Score': 0}]
                context_file[hash_type_uppercase] = hash_value
                context_file['TrustLevel'] = 0
                context_file['Vendor'] = VENDOR_NAME
            else:
                reputations = res.values()

                # create context
                tl_score = get_thrust_level_and_score(reputations)

                context_file[hash_type_uppercase] = hash_value
                context_file['TrustLevel'] = tl_score['trust_level']
                context_file['Vendor'] = tl_score['vendor']

                dbot_score = [{'Indicator': hash_value, 'Type': 'hash', 'Vendor': tl_score['vendor'],
                               'Score': tl_score['score']},
                              {'Indicator': hash_value, 'Type': 'file', 'Vendor': tl_score['vendor'],
                               'Score': tl_score['score']}]
                if tl_score['score'] >= 2:
                    context_file['Malicious'] = {
                        'Vendor': tl_score['vendor'],
                        'Score': tl_score['score'],
                        'Description': 'Trust level is ' + str(tl_score['trust_level'])
                    }
            ec = {'DBotScore': dbot_score, outputPaths['file']: context_file}

        table = reputations_to_table(reputations)
        hash_list.append({
            'Type': entryTypes['note'],
            'ContentsFormat': formats['json'],
            'Contents': reputations,
            'ReadableContentsFormat': formats['markdown'],
            'HumanReadable': tableToMarkdown('McAfee TIE Hash Reputations For %s:' % (hash_value,), table),
            'EntryContext': ec
        })
    return hash_list
Пример #10
0
    def set_rep(self, eventid, hash):
        try:
            with DxlClient(self.config) as client:
                client.connect()
                tie_client = TieClient(client)

                tie_client.set_external_file_reputation(
                    self.tie_rep,
                    {'md5': hash},
                    filename='MISP Hash {0}'.format(str(eventid)),
                    comment='External Reputation set via OpenDXL')

                print('SUCCESS: Successfully pushed MD5 {0} to TIE.'.format(str(hash)))

        except Exception as e:
            exc_type, exc_obj, exc_tb = sys.exc_info()
            print('ERROR: Error in {location}.{funct_name}() - line {line_no} : {error}'
                  .format(location=__name__, funct_name=sys._getframe().f_code.co_name, line_no=exc_tb.tb_lineno,
                          error=str(e)))
Пример #11
0
class TIE_Plugin(PluginBase) :
    def __init__(self):
        logger.info("Plugin " + _plugin_name + " initializing...")
        #
        # Init and connect DXL client
        # 
        # DxlClientConfig from DXL configuration file
        logger.debug(_plugin_name + " : Loading DXL config from: %s", cfg['ExportPlugins']['TIE_Plugin']['DXLConfig'])
        self.dxl_config = DxlClientConfig.create_dxl_config_from_file(cfg['ExportPlugins']['TIE_Plugin']['DXLConfig'])
        self.tie_client = None

    def export(self, results_array):
        #logger.debug(results_array)
        #logger.debug(json.dumps(results_array, indent=4, sort_keys=True))

        for event in results_array:
            logger.debug(_plugin_name + " processing event: (Event ID: " + event['Event']['id'] + ", Event Info: " + event['Event']['info'] + ", Event Date: " + event['Event']['date'] + ")")
            with DxlClient(self.dxl_config) as client:
                # Connect to the DXL fabric
                logger.debug(_plugin_name + " : Connecting OpenDXL client...")                
                client.connect()
                # Create the McAfee Threat Intelligence Exchange (TIE) client
                self.tie_client = TieClient(client)                
                for attribute in event['Event']['Attribute']:
                    if attribute['type'] == 'md5' or attribute['type'] == 'sha1' or attribute['type'] == 'sha256':                     
                        logger.debug("Found attribute type {0} = {1} in MISP event {2}.".format(str(attribute['type']),str(attribute['value']),str(event['Event']['id'])))
                        self.set_tie_reputation(TIE_REPUTATION, attribute['type'], attribute['value'], "MISP (Event ID {0}, Info: {1})".format(str(event['Event']['id']), str(event['Event']['info'])))

                for obj in event['Event']['Object']:
                    for attribute in obj['Attribute']:
                        if attribute['type'] == 'md5' or attribute['type'] == 'sha1' or attribute['type'] == 'sha256':                     
                            logger.debug("Found object attribute type {0} = {1} in MISP event {2}.".format(str(attribute['type']),str(attribute['value']),str(event['Event']['id'])))
                            self.set_tie_reputation(TIE_REPUTATION, attribute['type'], attribute['value'], "MISP (Event ID {0}, Info: {1})".format(str(event['Event']['id']), str(event['Event']['info'])))                            
        self.tie_client = None

    def set_tie_reputation(self, trust_level, hash_type, hash_value, comment_str):
        if self.tie_client :
            try:
                self.tie_client.set_external_file_reputation(TIE_REPUTATION, {hash_type: hash_value}, filename=comment_str, comment=comment_str)
                logger.debug(_plugin_name + " : Reputation set (%s)", comment_str)
            except ValueError as e:
                logger.error(_plugin_name + " : Error while trying to set TIE reputation (%s)", str(e))
Пример #12
0
    def set_reputation(self, list_hash, type_hash):
        try:
            with DxlClient(self.config) as client:
                client.connect()
                tie_client = TieClient(client)
    
                for new_threat in list_hash:
                    #set new reputation with hash string and trustlevel is KNOWN_MALICIOUS
                    tie_client.set_external_file_reputation(
                        TrustLevel.KNOWN_MALICIOUS,
                        {type_hash: new_threat.hash_string},
                        filename='MISP Hash {0}'.format(str(new_threat.name)),
                        comment='External Reputation set via OpenDXL')

                    print('SUCCESS: Successfully pushed {0} {1} to TIE.'.format(type_hash, str(new_threat.hash_string)))

        except Exception as e:
            exc_tb = sys.exc_info()
            print('ERROR: Error in {location}.{funct_name}() - line {line_no} : {error}'
                  .format(location=__name__, funct_name=sys._getframe().f_code.co_name, line_no=exc_tb.tb_lineno,
                          error=str(e)))
Пример #13
0
    def process(self):
        event = self.receive_message()

        payload = json.dumps(event)

        self.dxlclient.connect()
        tie_client = TieClient(self.dxlclient)

        tie_client.set_file_reputation(
            TrustLevel.MOST_LIKELY_MALICIOUS, {
                HashType.SHA256: event.get("malware.hash.sha256"),
                HashType.SHA1: event.get("malware.hash.sha1"),
                HashType.MD5: event.get("malware.hash.md5")
            },
            filename=event.get("malware.name"),
            comment=self.parameters.comment)

        self.dxlclient.disconnect()

        self.logger.info("Event successfully sent.")

        self.acknowledge_message()
Пример #14
0
    def export(self, results_array):
        #logger.debug(results_array)
        #logger.debug(json.dumps(results_array, indent=4, sort_keys=True))

        for event in results_array:
            logger.debug(_plugin_name + " processing event: (Event ID: " + event['Event']['id'] + ", Event Info: " + event['Event']['info'] + ", Event Date: " + event['Event']['date'] + ")")
            with DxlClient(self.dxl_config) as client:
                # Connect to the DXL fabric
                logger.debug(_plugin_name + " : Connecting OpenDXL client...")                
                client.connect()
                # Create the McAfee Threat Intelligence Exchange (TIE) client
                self.tie_client = TieClient(client)                
                for attribute in event['Event']['Attribute']:
                    if attribute['type'] == 'md5' or attribute['type'] == 'sha1' or attribute['type'] == 'sha256':                     
                        logger.debug("Found attribute type {0} = {1} in MISP event {2}.".format(str(attribute['type']),str(attribute['value']),str(event['Event']['id'])))
                        self.set_tie_reputation(TIE_REPUTATION, attribute['type'], attribute['value'], "MISP (Event ID {0}, Info: {1})".format(str(event['Event']['id']), str(event['Event']['info'])))

                for obj in event['Event']['Object']:
                    for attribute in obj['Attribute']:
                        if attribute['type'] == 'md5' or attribute['type'] == 'sha1' or attribute['type'] == 'sha256':                     
                            logger.debug("Found object attribute type {0} = {1} in MISP event {2}.".format(str(attribute['type']),str(attribute['value']),str(event['Event']['id'])))
                            self.set_tie_reputation(TIE_REPUTATION, attribute['type'], attribute['value'], "MISP (Event ID {0}, Info: {1})".format(str(event['Event']['id']), str(event['Event']['info'])))                            
        self.tie_client = None
Пример #15
0
    def __init__(self, options, dxlclient, reputation_lookup_dict=None):
        # Create the McAfee Threat Intelligence Exchange (TIE) client
        self.tie_client = TieClient(dxlclient)

        # TODO:Refactor this
        self.reputation_lookup_dict = reputation_lookup_dict
        if self.reputation_lookup_dict:
            try:
                self.filehash = reputation_lookup_dict['md5']
            except:
                try:
                    self.filehash = reputation_lookup_dict['sha1']
                except:
                    self.filehash = "unknown"

            self.reputations_dict = self._getFileRep()
        else:
            self.filehash = options.filehash
            if self.filehash == None:
                return "no file hash"
            self.reputations_dict = self._getFileRep()

        self.content = self._getFileProps()
Пример #16
0
def doReputation(btn):

    global hashType

    strHash = str(chatWin.getEntry("TIE_Hash"))
    logger.info("Getting reputation data for {0}.".format(str(strHash)))

    #Get all TIE based reputation data associated with a given hash
    tie_client = TieClient(client)

    reputations_dict = {}

    #Request raw json reputation results
    if hashType == "md5":
        reputations_dict = tie_client.get_file_reputation(
            {HashType.MD5: strHash})
    elif hashType == "sha1":
        reputations_dict = tie_client.get_file_reputation(
            {HashType.SHA1: strHash})
    elif hashType == "sha256":
        reputations_dict = tie_client.get_file_reputation(
            {HashType.SHA256: strHash})

    #debug
    logger.info(
        "Raw TIE results for hash type " + hashType + ": " + json.dumps(
            reputations_dict, sort_keys=True, indent=4, separators=(',',
                                                                    ': ')))

    #Start building repputation output for writing to the results TextArea

    strResults = parseTIEResults(reputations_dict)

    #chatWin.setTextArea("TIEResults", json.dumps(reputations_dict, sort_keys=True, indent=4, separators=    (',', ': ')), False)
    chatWin.setTextArea("HashResults", strResults, False)
    return True
Пример #17
0
def test_safe_get_file_reputation_returned_exception(mocker):
    """
    Given:
        - tie client and hash parameter
    When:
        - The tie client returns some exception
    Then:
        - Print to log and return empty dict
    """
    mcafee_tie = importlib.import_module("McAfee-TIE")
    tie_client = TieClient(None)
    hash_param = {'test': 'test'}

    mocker.patch.object(tie_client,
                        "get_file_reputation",
                        side_effect=Exception())
    assert not mcafee_tie.safe_get_file_reputation(tie_client, hash_param)
Пример #18
0
def test_safe_get_file_reputation_returned_rep(mocker):
    """
    Given:
        - tie client and hash parameter
    When:
        - The tie client returns reputation
    Then:
        - return the reputation
    """
    mcafee_tie = importlib.import_module("McAfee-TIE")
    tie_client = TieClient(None)
    hash_param = {'test': 'test'}

    mocker.patch.object(tie_client,
                        "get_file_reputation",
                        return_value='test_value')
    assert mcafee_tie.safe_get_file_reputation(tie_client, hash_param)
Пример #19
0
    def on_event(self, event):
        """
        Invoked when a DXL event has been received.

        NOTE: This method should not be overridden (it performs transformations to simplify TIE usage).
        Instead, the :func:`on_reputation_change` method must be overridden.

        :param event: The original DXL event message that was received
        """
        # Decode the event payload
        rep_change_dict = json.loads(event.payload.decode(encoding="UTF-8"))

        # Transform hashes
        if RepChangeEventProp.HASHES in rep_change_dict:
            rep_change_dict[RepChangeEventProp.HASHES] = \
                TieClient._transform_hashes(rep_change_dict[RepChangeEventProp.HASHES])

        # Transform new reputations
        if RepChangeEventProp.NEW_REPUTATIONS in rep_change_dict:
            if "reputations" in rep_change_dict[
                    RepChangeEventProp.NEW_REPUTATIONS]:
                rep_change_dict[RepChangeEventProp.NEW_REPUTATIONS] = \
                    TieClient._transform_reputations(
                        rep_change_dict[RepChangeEventProp.NEW_REPUTATIONS]["reputations"])

        # Transform old reputations
        if RepChangeEventProp.OLD_REPUTATIONS in rep_change_dict:
            if "reputations" in rep_change_dict[
                    RepChangeEventProp.OLD_REPUTATIONS]:
                rep_change_dict[RepChangeEventProp.OLD_REPUTATIONS] = \
                    TieClient._transform_reputations(
                        rep_change_dict[RepChangeEventProp.OLD_REPUTATIONS]["reputations"])

        # Transform relationships
        if FileRepChangeEventProp.RELATIONSHIPS in rep_change_dict:
            relationships_dict = rep_change_dict[
                FileRepChangeEventProp.RELATIONSHIPS]
            if "certificate" in relationships_dict:
                cert_dict = relationships_dict["certificate"]
                if "hashes" in cert_dict:
                    cert_dict["hashes"] = \
                        TieClient._transform_hashes(cert_dict["hashes"])
                if "publicKeySha1" in cert_dict:
                    cert_dict["publicKeySha1"] = \
                        TieClient._base64_to_hex(cert_dict["publicKeySha1"])

        # Transform certificate public-key SHA-1 (if applicable)
        if CertRepChangeEventProp.PUBLIC_KEY_SHA1 in rep_change_dict:
            rep_change_dict[CertRepChangeEventProp.PUBLIC_KEY_SHA1] = \
                TieClient._base64_to_hex(rep_change_dict[CertRepChangeEventProp.PUBLIC_KEY_SHA1])

        # Invoke the reputation change method
        self.on_reputation_change(rep_change_dict, event)
Пример #20
0
    def on_event(self, event):
        """
        Invoked when a DXL event has been received.

        NOTE: This method should not be overridden (it performs transformations to simplify TIE usage).
        Instead, the :func:`on_detection` method must be overridden.

        :param event: The original DXL event message that was received
        """
        # Decode the event payload
        detection_dict = json.loads(event.payload.decode(encoding="UTF-8"))

        # Transform hashes
        if DetectionEventProp.HASHES in detection_dict:
            detection_dict[RepChangeEventProp.HASHES] = \
                TieClient._transform_hashes(detection_dict[DetectionEventProp.HASHES])

        # Invoke the detection method
        self.on_detection(detection_dict, event)
Пример #21
0
    def set_rep(self, hash, type, level, prov):
        with DxlClient(DXL_CONFIG) as client:
            client.connect()
            tie_client = TieClient(client)

            if prov == 'enterprise':
                tie_client.set_file_reputation(
                    int(level), {type: hash},
                    filename=hash,
                    comment="Reputation Update from McAfee Bulk Importer")
            elif prov == 'external':
                tie_client.set_external_file_reputation(
                    int(level), {type: hash},
                    filename=hash,
                    comment="Reputation Update from McAfee Bulk Importer")
def main():

    if pollInterval == 0:
        print "Polling Interval Needs to be set in environment variable JOE_POLL"
        exit(0)

    print ""
    print "--- Joe Sandbox metadata script ---"
    print ""

    # Create the client
    with DxlClient(config) as client:

        # Connect to the fabric
        client.connect()

        # Create the McAfee Threat Intelligence Exchange (TIE) client
        tie_client = TieClient(client)
        while True:
            getJoeList(tie_client)
            time.sleep(pollInterval)
Пример #23
0
def selftest_function(opts):

    options = opts.get(CONFIG_DATA_SECTION, {})

    try:
        try:
            config_file = options.get("dxlclient_config")
            if config_file is None:
                log.error(
                    "dxlclient_config is not set. You must set this path to run this function"
                )
                raise ValueError(
                    "dxlclient_config is not set. You must set this path to run this function"
                )

            # Create configuration from file for DxlClient
            dxlclient_config = DxlClientConfig.create_dxl_config_from_file(
                config_file)
        except AttributeError:
            log.error(
                "There is no [fn_mcafee_tie] section in the config file, "
                "please set that by running resilient-circuits config -u")
            raise AttributeError(
                "[fn_mcafee_tie] section is not set in the config file")

        dxlclient = DxlClient(dxlclient_config)
        dxlclient.connect()
        tie_client = TieClient(dxlclient)
        if dxlclient.connected and tie_client:
            state = 'success'
            reason = None
        else:
            state = 'failure'
            reason = 'authorization failure'

        return {'state': state, 'reason': reason}

    except Exception as exc:
        return {'state': 'failure', 'reason': exc}
FILE_SHA256 = "142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2"

# Hashes for the certificate to look up
# These can be replaced by a certificate which is known to have run within the
# enterprise for better results
CERTIFICATE_BODY_SHA1 = "6EAE26DB8C13182A7947982991B4321732CC3DE2"
CERTIFICATE_PUBLIC_KEY_SHA1 = "3B87A2D6F39770160364B79A152FCC73BAE27ADF"

# Create the client
with DxlClient(config) as client:

    # Connect to the fabric
    client.connect()

    # Create the McAfee Threat Intelligence Exchange (TIE) client
    tie_client = TieClient(client)

    #
    # Perform the file reputation query
    #
    reputations_dict = \
        tie_client.get_file_reputation({
            HashType.MD5: FILE_MD5,
            HashType.SHA1: FILE_SHA1,
            HashType.SHA256: FILE_SHA256
        })

    print("File reputation response:")

    # Display the Global Threat Intelligence (GTI) trust level for the file
    if FileProvider.GTI in reputations_dict:
Пример #25
0
        def tie_set_rep(self, filedict):

            tie_client = TieClient(client)
            #Should consider use case... and whether or not a lookup should be made for FP mitigation before setting a rep
            else:
 def _connect_client(self):
     # Connect client
     if not self.client.connected:
         self.client.connect()
         self.tie_client = TieClient(self.client)
Пример #27
0
        
        childcounter+=1



# Loop through each file and check with the TIE Server to determine if
# it already exists.


with DxlClient(config) as client:

    #Connect to DXL fabric
    client.connect()

    #Create TIE Client
    tie_client=TieClient(client)

    
    for fileKey in WFResult:
        #unset reusables
        reputations_dict = None
        currentMD5 = None
        currentSHA256 = None
        currentFilename = None
        currentTrustLevel = None        

        currentMD5= WFResult[fileKey]['md5']
        currentSHA256=WFResult[fileKey]['sha256']
        currentFilename=WFResult[fileKey]['filename']
        currentTrustLevel=WFResult[fileKey]['trustlevel']
Пример #28
0
def set_reputation(dxl_config_file, ioc_list, force):
    # Create DXL configuration from file
    config = DxlClientConfig.create_dxl_config_from_file(dxl_config_file)

    # Create the client
    with DxlClient(config) as client:
        # Connect to the fabric
        client.connect()

        # Create the McAfee Threat Intelligence Exchange (TIE) client
        tie_client = TieClient(client)

        #
        # Hashes for the file whose reputation will be set.
        #
        # Replace the random values for the actual file hashes.
        #
        ioc_set = 0
        ioc_error = 0
        ioc_exist = 0
        ioc_total = 0

        for ioc in ioc_list:

            fileSHA1 = ioc["sha1"]
            fileSHA256 = ioc["sha256"]
            fileMD5 = ioc["md5"]

            hashes = {
                HashType.MD5: fileMD5,
                HashType.SHA1: fileSHA1,
                HashType.SHA256: fileSHA256
            }
            file_name = ioc["file_name"]
            file_comment = ioc["file_comment"]

            try:
                reputation = REPUTATION_VALUES[ioc["reputation"]]

            except Exception as er:
                logger.error(
                    "Error getting reputation value, for entry %s check spelling"
                    % file_name)
                continue

            #
            # Request reputation for the file
            #
            reputations_dict = tie_client.get_file_reputation(hashes)
            #
            # Check if there's any definitive reputation (different to Not Set [0] and Unknown [50])
            #
            has_definitive_reputation = \
                any([rep[ReputationProp.TRUST_LEVEL] != TrustLevel.NOT_SET
                     and rep[ReputationProp.TRUST_LEVEL] != TrustLevel.UNKNOWN
                     for rep in reputations_dict.values()])

            #
            # If there's a definitive reputation and we are not forcing the reputation aplication
            # Skip the application
            #
            if has_definitive_reputation and force == False:
                logger.info(
                    "Information: There is a reputation from another provider for the file %s, External Reputation is not necessary."
                    % file_name)
                ioc_exist = ioc_exist + 1
            else:
                #
                # Set the External reputation
                #
                try:
                    logger.debug("Reputation %s" % reputation)
                    logger.debug("hashes %s" % hashes)
                    logger.debug("filename %s" % file_name)
                    logger.debug("comment %s" % file_comment)

                    tie_client.set_file_reputation(
                        reputation,
                        hashes,
                        #FileType.PEEXE,
                        filename=file_name,
                        comment=file_comment)

                    logger.info(
                        "Information: IoC %s sent to Threat Intelligence Exchange Database"
                        % file_name)
                    ioc_set = ioc_set + 1
                except ValueError as e:
                    logger.error(
                        "Error sending IoC %s to Threat Intelligence Exchange Database"
                        % file_name)
                    ioc_error = ioc_error + 1

            ioc_total = ioc_total + 1

        ioc_procesed = {
            "total_ioc_processed": ioc_total,
            "ioc_set": ioc_set,
            "ioc_exist": ioc_exist,
            "ioc_error": ioc_error
        }

        return (ioc_procesed)
Пример #29
0
    def run(self, results):
        """Writes report.
        @param results: Cuckoo results dict.
        @raise CuckooReportError: if fails to write report.
        """
        try:
            currentMD5 = results["target"]["file"]["md5"]
            currentSHA1 = results["target"]["file"]["sha1"]
            currentSHA256 = results["target"]["file"]["sha256"]
            currentFilename = results["target"]["file"]["name"]
            currentTrustLevel = results["info"]["score"]

            print currentMD5
            print currentSHA1
            print currentSHA256
            print currentFilename
            print currentTrustLevel

            if float(currentTrustLevel) < 4.0:
                print "Trust Level is " + str(
                    currentTrustLevel) + ". No update required."
                return

            print "Opening DXL connection"
            with DxlClient(config) as client:

                #Connect to DXL fabric
                print "Connecting to DXL fabric."
                client.connect()

                #Create TIE Client
                print "Connecting to TIE."
                tie_client = TieClient(client)

                print "Trust Level is " + str(
                    currentTrustLevel) + ". Updating TIE."

                reputations_dict = \
                tie_client.get_file_reputation({
                    HashType.MD5: currentMD5,
                    HashType.SHA1: currentSHA1,
                    HashType.SHA256: currentSHA256
                    })

                print reputations_dict

                #Check if there is an enterprise (custom set) reputation
                if (reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.NOT_SET or \
                    reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.UNKNOWN or \
                    reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.MIGHT_BE_TRUSTED or \
                    reputations_dict[FileProvider.ENTERPRISE]["trustLevel"]==TrustLevel.MOST_LIKELY_TRUSTED):

                    print "Current Trust Level is" + str(reputations_dict[
                        FileProvider.ENTERPRISE]["trustLevel"])

                    #also, let's make sure GTI trustLevels are either not being queried, or set to Unknown
                    #we are nesting for clarity
                    if (FileProvider.GTI not in reputations_dict.keys()
                            or reputations_dict[FileProvider.GTI]
                            == TrustLevel.UNKNOWN):

                        print "GTI either does not exist or set to UNKNOWN"

                        # If not set, go ahead and set it
                        tie_client.set_file_reputation(
                            TrustLevel.MOST_LIKELY_MALICIOUS, {
                                HashType.MD5: currentMD5,
                                HashType.SHA1: currentSHA1,
                                HashType.SHA256: currentSHA256
                            },
                            filename=currentFilename,
                            comment=
                            "Reputation set via OpenDXL Cuckoo Integration. Cuckoo scored this sample a "
                            + str(currentTrustLevel) + " out of 10.")

                        print "Reputation set for: " + str(
                            currentFilename) + ": " + currentMD5

        except (TypeError, IOError) as e:
            raise CuckooReportError("Failed to update TIE with results: %s" %
                                    e)
Пример #30
0
def get_tie_client(client):
    # get TIE Connect client
    if not client.connected:
        client.connect()

    return TieClient(client)