def setUp(self):
if use_golden:
#
# We don't want to connect to a cbserver so using bogus values
#
self.c = CbEnterpriseResponseAPI(url="http://localhost", token="N/A", ssl_verify=False)
else:
self.c = CbEnterpriseResponseAPI()
self.sensor = self.c.select(Sensor, 1)
self.lr_session = self.sensor.lr_session()
def setUp(self):
global c
if use_golden:
#
# We don't want to connect to a cbserver so using bogus values
#
c = CbEnterpriseResponseAPI(url="http://localhost",
token="N/A",
ssl_verify=False)
else:
c = CbEnterpriseResponseAPI()
def setUp(self):
if use_golden:
#
# We don't want to connect to a cbserver so using bogus values
#
self.c = CbEnterpriseResponseAPI(url="http://localhost",
token="N/A",
ssl_verify=False)
else:
self.c = CbEnterpriseResponseAPI()
self.sensor = self.c.select(Sensor, 1)
self.lr_session = self.sensor.lr_session()
def main():
""" Main loop, should probably compose better"""
parser = build_cli_parser("Download event logs from host")
parser.add_argument('-i', '--ip', action='store', help="Select the Sensor based on its IP")
parser.add_argument('-n', '--hostname', action='store',
help="Select the Sensor based on its hostname")
parser.add_argument('-s', '--sensorid', action='store',
help="Select the Sensor based on its sensor_id")
parser.add_argument('-p', '--path', action='store', dest='path',
help='Specify a local path to store files')
args = parser.parse_args()
if args.path and os.path.isdir(args.path):
path = args.path
else:
path = os.getcwd()
# Disable requests insecure warnings
disable_insecure_warnings()
apiconn = CbEnterpriseResponseAPI()
# If a sensor id is provided, preclude others, if IP pref over hostname
if args.sensorid:
live = apiconn.select(Sensor, unique_id=args.sensorid)
elif args.ip:
query = "ip:" + args.ip
live = apiconn.select(Sensor).where(query).one()
elif args.hostname:
query = "hostname:" + args.hostname.upper()
live = apiconn.select(Sensor).where(query).one()
else:
parser.print_usage()
sys.exit(-1)
lrsess = live.lr_session()
# add some error handling
# Look for the files in C:\\windows\system32\winevt\logs\ and make a list of contents
winlogpath = r"C:\windows\system32\winevt\logs\\"
# add check to break if path doesn't work
logcontent = lrsess.list_directory(winlogpath)
# loop over the new list and go getfile for each one greater than threshold
# cribbed shutil bits from cblr_cli.py
for fileob in (fileob for fileob in logcontent if fileob['size'] > 200000):
fullpath = os.path.join(path, fileob['filename'])
print "Downloading file %s now" % fileob['filename']
with open(fullpath, "wb") as fout:
shutil.copyfileobj(lrsess.get_raw_file(
os.path.join(winlogpath, fileob['filename'])), fout)
def main():
parser = argparse.ArgumentParser()
parser.add_argument("--hostname",
type=str,
action="store",
help="Target a specific hostname.")
parser.add_argument("--process-name",
type=str,
action="store",
help="Name of the process to kill.")
args = parser.parse_args()
# Connect to Cb Response
cb = CbEnterpriseResponseAPI()
# Target hostname and process
sensor = cb.select(Sensor).where("hostname:{0}".format(args.hostname))[0]
target_process = args.process_name
# Isolate sensor
sensor.network_isolation_enabled = True
sensor.save()
# Initiate Live Response session
cblr = cb.live_response.request_session(sensor.id)
# Find processes by name, then kill them.
process_list = cblr.list_processes()
target_pids = [
proc['pid'] for proc in process_list if target_process in proc['path']
]
for pid in target_pids:
cblr.kill_process(pid)
# Ban the hash
process_list = cb.select(Process).where("process_name:{0}".format(
args.process_name))
target_md5s = set()
for process in process_list:
target_md5s.add(process.process_md5)
for md5 in target_md5s:
banned_hash = cb.create(BannedHash)
banned_hash.md5hash = md5
banned_hash.text = "Banned by Joe Dirt"
banned_hash.enabled = True
banned_hash.save()
def main():
parser = argparse.ArgumentParser(description='Check status of CBR sensor')
parser.add_argument("-c", type=str, action="store", help="Computer to query.", required=True)
args = parser.parse_args()
#Connect to CB Response
cb = CbEnterpriseResponseAPI()
#Select hostname
sensor = cb.select(Sensor).where("hostname:{0}".format(args.c))[0]
print("\n Sensor Status : ",sensor.status)
print("Is sensor isolated? : " ,sensor.is_isolating)
print("Last Checkin : " ,sensor.last_checkin_time)
print("Is sensor isolated : " ,sensor.uptime)
print("Operating System : " ,sensor.os_environment_display_string)
print("IP/MAC Address : " ,sensor.network_adapters)
print("Group ID : " ,sensor.group_id)
def main(argv):
parser = build_cli_parser()
opts, args = parser.parse_args(argv)
if not opts.cache_name:
parser.print_help()
sys.exit(-1)
global cache_file_name
cache_file_name = opts.cache_name
requests_cache.install_cache(cache_file_name,
allowable_methods=('GET', 'POST'))
global cb
cb = CbEnterpriseResponseAPI()
large_process_search()
large_binary_search()
sensor_search()
watchlist_search()
feed_search()
class TestCbResponse(unittest.TestCase):
def setUp(self):
if use_golden:
#
# We don't want to connect to a cbserver so using bogus values
#
self.c = CbEnterpriseResponseAPI(url="http://localhost", token="N/A", ssl_verify=False)
else:
self.c = CbEnterpriseResponseAPI()
self.sensor = self.c.select(Sensor, 1)
self.lr_session = self.sensor.lr_session()
def test_all_binary(self):
binary_query = self.c.select(Binary).where('')
if use_golden:
test_result = getTestResult('test_all_binary')[0]
assert_equal(len(binary_query),
test_result,
"Number of Binaries returned should be {0}, but received {1}".format(
test_result, len(binary_query)))
else:
insertResult('test_all_binary', str(len(binary_query)))
def test_read_binary(self):
data = self.c.select(Binary).where('').first().file.read(2)
if use_golden:
assert_equal(data, b'MZ')
def test_all_process(self):
process_query = self.c.select(Process).where('')
if use_golden:
test_result = getTestResult('test_all_process')[0]
assert_equal(len(process_query),
test_result,
"Number of Processes returned should be {0}, but received {1}".format(
test_result, len(process_query)))
else:
insertResult('test_all_process', str(len(process_query)))
def test_cblr_ps(self):
processes = self.lr_session.list_processes()
if use_golden:
test_result = len(processes)
assert_equal(len(processes),
test_result,
"Number of Binaries returned should be {0}, but received {1}".format(
test_result, len(processes)))
else:
insertResult('test_cblr_ps', str(len(processes)))
def test_cblr_get(self):
self.lr_session.get_raw_file(r"C:\test.txt")
def test_cber_watchlists(self):
watchlists = self.c.select(Watchlist)
if use_golden:
test_result = getTestResult('test_cber_watchlists')[0]
assert_equal(len(watchlists),
test_result,
"Number of Watchlists returned should be {0}, but received {1}".format(
test_result, len(watchlists)))
else:
insertResult('test_cber_watchlists', str(len(watchlists)))
def test_cber_feeds(self):
feeds = self.c.select(Feed)
if use_golden:
test_result = getTestResult('test_cber_feeds')[0]
assert_equal(len(feeds),
test_result,
"Number of Feeds returned should be {0}, but received {1}".format(
test_result, len(feeds)))
else:
insertResult('test_cber_feeds', str(len(feeds)))
def setUp(self):
global cb
cb = CbEnterpriseResponseAPI()
requests_cache.install_cache(cache_file_name, allowable_methods=('GET', 'POST'), deny_outbound=True)
class TestCbResponse(unittest.TestCase):
def setUp(self):
if use_golden:
#
# We don't want to connect to a cbserver so using bogus values
#
self.c = CbEnterpriseResponseAPI(url="http://localhost",
token="N/A",
ssl_verify=False)
else:
self.c = CbEnterpriseResponseAPI()
self.sensor = self.c.select(Sensor, 1)
self.lr_session = self.sensor.lr_session()
def test_all_binary(self):
binary_query = self.c.select(Binary).where('')
if use_golden:
test_result = getTestResult('test_all_binary')[0]
assert_equal(
len(binary_query), test_result,
"Number of Binaries returned should be {0}, but received {1}".
format(test_result, len(binary_query)))
else:
insertResult('test_all_binary', str(len(binary_query)))
def test_read_binary(self):
data = self.c.select(Binary).where('').first().file.read(2)
if use_golden:
assert_equal(data, b'MZ')
def test_all_process(self):
process_query = self.c.select(Process).where('')
if use_golden:
test_result = getTestResult('test_all_process')[0]
assert_equal(
len(process_query), test_result,
"Number of Processes returned should be {0}, but received {1}".
format(test_result, len(process_query)))
else:
insertResult('test_all_process', str(len(process_query)))
def test_cblr_ps(self):
processes = self.lr_session.list_processes()
if use_golden:
test_result = len(processes)
assert_equal(
len(processes), test_result,
"Number of Binaries returned should be {0}, but received {1}".
format(test_result, len(processes)))
else:
insertResult('test_cblr_ps', str(len(processes)))
def test_cblr_get(self):
self.lr_session.get_raw_file(r"C:\test.txt")
def test_cber_watchlists(self):
watchlists = self.c.select(Watchlist)
if use_golden:
test_result = getTestResult('test_cber_watchlists')[0]
assert_equal(
len(watchlists), test_result,
"Number of Watchlists returned should be {0}, but received {1}"
.format(test_result, len(watchlists)))
else:
insertResult('test_cber_watchlists', str(len(watchlists)))
def test_cber_feeds(self):
feeds = self.c.select(Feed)
if use_golden:
test_result = getTestResult('test_cber_feeds')[0]
assert_equal(
len(feeds), test_result,
"Number of Feeds returned should be {0}, but received {1}".
format(test_result, len(feeds)))
else:
insertResult('test_cber_feeds', str(len(feeds)))
#!/usr/bin/python
from cbapi.response.models import Sensor
from cbapi.response.rest_api import CbEnterpriseResponseAPI
from datetime import date
import operator
import smtplib
from email.mime.text import MIMEText
import email.utils
import datetime
import consts
import logging
logging.basicConfig(level=logging.DEBUG)
c = CbEnterpriseResponseAPI()
sender = consts.SENDER
receivers = consts.RECEIVERS
smtp_serv = consts.SMTP
def main():
health_dict = {}
obj = c.select(Sensor)
print date.today()
for sens in obj:
last_up = sens.last_update.split(' ')[0]
diff = diff_days(str(date.today()), last_up)
if diff < 8:
split_str = sens.computer_name.split('.')[0]