def populate_actions(drop):
"""
Populate default set of Actions into the system.
:param drop: Drop the existing collection before trying to populate.
:type: boolean
"""
# define your Actions here
actions = ['Blocked Outbound At Firewall', 'Blocked Outbound At Desktop Firewall']
if drop:
Action.drop_collection()
if Action.objects().count() < 1:
for action in actions:
ia = Action()
ia.name = action
ia.save()
print "Actions: added %s actions!" % len(actions)
else:
print "Actions: existing documents detected. skipping!"
def populate_actions(drop):
"""
Populate default set of Actions into the system.
:param drop: Drop the existing collection before trying to populate.
:type: boolean
"""
# define your Actions here
actions = ['Blocked Outbound At Firewall', 'Blocked Outbound At Desktop Firewall']
if drop:
Action.drop_collection()
if len(Action.objects()) < 1:
for action in actions:
ia = Action()
ia.name = action
ia.save()
print "Actions: added %s actions!" % len(actions)
else:
print "Actions: existing documents detected. skipping!"
def class_from_id(type_, _id):
"""
Return an instantiated class object.
:param type_: The CRITs top-level object type.
:type type_: str
:param _id: The ObjectId to search for.
:type _id: str
:returns: class which inherits from
:class:`crits.core.crits_mongoengine.CritsBaseAttributes`
"""
# doing this to avoid circular imports
from crits.actors.actor import ActorThreatIdentifier, Actor
from crits.backdoors.backdoor import Backdoor
from crits.campaigns.campaign import Campaign
from crits.certificates.certificate import Certificate
from crits.comments.comment import Comment
from crits.core.crits_mongoengine import Action
from crits.core.source_access import SourceAccess
from crits.core.user_role import UserRole
from crits.domains.domain import Domain
from crits.emails.email import Email
from crits.events.event import Event
from crits.exploits.exploit import Exploit
from crits.indicators.indicator import Indicator
from crits.ips.ip import IP
from crits.pcaps.pcap import PCAP
from crits.raw_data.raw_data import RawData, RawDataType
from crits.samples.sample import Sample
from crits.screenshots.screenshot import Screenshot
from crits.signatures.signature import Signature, SignatureType, SignatureDependency
from crits.targets.target import Target
if not _id:
return None
# make sure it's a string
_id = str(_id)
# Use bson.ObjectId to make sure this is a valid ObjectId, otherwise
# the queries below will raise a ValidationError exception.
if not ObjectId.is_valid(_id.decode('utf8')):
return None
if type_ == 'Actor':
return Actor.objects(id=_id).first()
elif type_ == 'Backdoor':
return Backdoor.objects(id=_id).first()
elif type_ == 'ActorThreatIdentifier':
return ActorThreatIdentifier.objects(id=_id).first()
elif type_ == 'Campaign':
return Campaign.objects(id=_id).first()
elif type_ == 'Certificate':
return Certificate.objects(id=_id).first()
elif type_ == 'Comment':
return Comment.objects(id=_id).first()
elif type_ == 'Domain':
return Domain.objects(id=_id).first()
elif type_ == 'Email':
return Email.objects(id=_id).first()
elif type_ == 'Event':
return Event.objects(id=_id).first()
elif type_ == 'Exploit':
return Exploit.objects(id=_id).first()
elif type_ == 'Indicator':
return Indicator.objects(id=_id).first()
elif type_ == 'Action':
return Action.objects(id=_id).first()
elif type_ == 'IP':
return IP.objects(id=_id).first()
elif type_ == 'PCAP':
return PCAP.objects(id=_id).first()
elif type_ == 'RawData':
return RawData.objects(id=_id).first()
elif type_ == 'RawDataType':
return RawDataType.objects(id=_id).first()
elif type_ == 'Sample':
return Sample.objects(id=_id).first()
elif type_ == 'Signature':
return Signature.objects(id=_id).first()
elif type_ == 'SignatureType':
return SignatureType.objects(id=_id).first()
elif type_ == 'SignatureDependency':
return SignatureDependency.objects(id=_id).first()
elif type_ == 'SourceAccess':
return SourceAccess.objects(id=_id).first()
elif type_ == 'Screenshot':
return Screenshot.objects(id=_id).first()
elif type_ == 'Target':
return Target.objects(id=_id).first()
elif type_ == 'UserRole':
return UserRole.objects(id=_id).first()
else:
return None
def class_from_id(type_, _id):
"""
Return an instantiated class object.
:param type_: The CRITs top-level object type.
:type type_: str
:param _id: The ObjectId to search for.
:type _id: str
:returns: class which inherits from
:class:`crits.core.crits_mongoengine.CritsBaseAttributes`
"""
# doing this to avoid circular imports
from crits.actors.actor import ActorThreatIdentifier, Actor
from crits.backdoors.backdoor import Backdoor
from crits.campaigns.campaign import Campaign
from crits.certificates.certificate import Certificate
from crits.comments.comment import Comment
from crits.core.crits_mongoengine import Action
from crits.core.source_access import SourceAccess
from crits.core.user_role import UserRole
from crits.domains.domain import Domain
from crits.emails.email import Email
from crits.events.event import Event
from crits.exploits.exploit import Exploit
from crits.indicators.indicator import Indicator
from crits.ips.ip import IP
from crits.pcaps.pcap import PCAP
from crits.raw_data.raw_data import RawData, RawDataType
from crits.samples.sample import Sample
from crits.screenshots.screenshot import Screenshot
from crits.signatures.signature import Signature, SignatureType, SignatureDependency
from crits.targets.target import Target
if not _id:
return None
# make sure it's a string
_id = str(_id)
# Use bson.ObjectId to make sure this is a valid ObjectId, otherwise
# the queries below will raise a ValidationError exception.
if not ObjectId.is_valid(_id.decode('utf8')):
return None
if type_ == 'Actor':
return Actor.objects(id=_id).first()
elif type_ == 'Backdoor':
return Backdoor.objects(id=_id).first()
elif type_ == 'ActorThreatIdentifier':
return ActorThreatIdentifier.objects(id=_id).first()
elif type_ == 'Campaign':
return Campaign.objects(id=_id).first()
elif type_ == 'Certificate':
return Certificate.objects(id=_id).first()
elif type_ == 'Comment':
return Comment.objects(id=_id).first()
elif type_ == 'Domain':
return Domain.objects(id=_id).first()
elif type_ == 'Email':
return Email.objects(id=_id).first()
elif type_ == 'Event':
return Event.objects(id=_id).first()
elif type_ == 'Exploit':
return Exploit.objects(id=_id).first()
elif type_ == 'Indicator':
return Indicator.objects(id=_id).first()
elif type_ == 'Action':
return Action.objects(id=_id).first()
elif type_ == 'IP':
return IP.objects(id=_id).first()
elif type_ == 'PCAP':
return PCAP.objects(id=_id).first()
elif type_ == 'RawData':
return RawData.objects(id=_id).first()
elif type_ == 'RawDataType':
return RawDataType.objects(id=_id).first()
elif type_ == 'Sample':
return Sample.objects(id=_id).first()
elif type_ == 'Signature':
return Signature.objects(id=_id).first()
elif type_ == 'SignatureType':
return SignatureType.objects(id=_id).first()
elif type_ == 'SignatureDependency':
return SignatureDependency.objects(id=_id).first()
elif type_ == 'SourceAccess':
return SourceAccess.objects(id=_id).first()
elif type_ == 'Screenshot':
return Screenshot.objects(id=_id).first()
elif type_ == 'Target':
return Target.objects(id=_id).first()
elif type_ == 'UserRole':
return UserRole.objects(id=_id).first()
else:
return None
def handle_indicator_csv(csv_data, source, method, reference, ctype, username, add_domain=False):
"""
Handle adding Indicators in CSV format (file or blob).
:param csv_data: The CSV data.
:type csv_data: str or file handle
:param source: The name of the source for these indicators.
:type source: str
:param method: The method of acquisition of this indicator.
:type method: str
:param reference: The reference to this data.
:type reference: str
:param ctype: The CSV type.
:type ctype: str ("file" or "blob")
:param username: The user adding these indicators.
:type username: str
:param add_domain: If the indicators being added are also other top-level
objects, add those too.
:type add_domain: boolean
:returns: dict with keys "success" (boolean) and "message" (str)
"""
if ctype == "file":
cdata = csv_data.read()
else:
cdata = csv_data.encode("ascii")
data = csv.DictReader(BytesIO(cdata), skipinitialspace=True)
result = {"success": True}
result_message = ""
# Compute permitted values in CSV
valid_ratings = {"unknown": "unknown", "benign": "benign", "low": "low", "medium": "medium", "high": "high"}
valid_campaign_confidence = {"low": "low", "medium": "medium", "high": "high"}
valid_campaigns = {}
for c in Campaign.objects(active="on"):
valid_campaigns[c["name"].lower().replace(" - ", "-")] = c["name"]
valid_actions = {}
for a in Action.objects(active="on"):
valid_actions[a["name"].lower().replace(" - ", "-")] = a["name"]
valid_ind_types = {}
for obj in IndicatorTypes.values(sort=True):
valid_ind_types[obj.lower().replace(" - ", "-")] = obj
# Start line-by-line import
added = 0
for processed, d in enumerate(data, 1):
ind = {}
ind["value"] = d.get("Indicator", "").strip()
ind["lower"] = d.get("Indicator", "").lower().strip()
ind["description"] = d.get("Description", "").strip()
ind["type"] = get_verified_field(d, valid_ind_types, "Type")
ind["threat_type"] = d.get("Threat Type", IndicatorThreatTypes.UNKNOWN)
ind["attack_type"] = d.get("Attack Type", IndicatorAttackTypes.UNKNOWN)
if len(ind["threat_type"]) < 1:
ind["threat_type"] = IndicatorThreatTypes.UNKNOWN
if ind["threat_type"] not in IndicatorThreatTypes.values():
result["success"] = False
result_message += "Cannot process row %s: Invalid Threat Type<br />" % processed
continue
if len(ind["attack_type"]) < 1:
ind["attack_type"] = IndicatorAttackTypes.UNKNOWN
if ind["attack_type"] not in IndicatorAttackTypes.values():
result["success"] = False
result_message += "Cannot process row %s: Invalid Attack Type<br />" % processed
continue
ind["status"] = d.get("Status", Status.NEW)
if not ind["value"] or not ind["type"]:
# Mandatory value missing or malformed, cannot process csv row
i = ""
result["success"] = False
if not ind["value"]:
i += "No valid Indicator value "
if not ind["type"]:
i += "No valid Indicator type "
result_message += "Cannot process row %s: %s<br />" % (processed, i)
continue
campaign = get_verified_field(d, valid_campaigns, "Campaign")
if campaign:
ind["campaign"] = campaign
ind["campaign_confidence"] = get_verified_field(
d, valid_campaign_confidence, "Campaign Confidence", default="low"
)
actions = d.get("Action", "")
if actions:
actions = get_verified_field(actions.split(","), valid_actions)
if not actions:
result["success"] = False
result_message += "Cannot process row %s: Invalid Action<br />" % processed
continue
ind["confidence"] = get_verified_field(d, valid_ratings, "Confidence", default="unknown")
ind["impact"] = get_verified_field(d, valid_ratings, "Impact", default="unknown")
ind[form_consts.Common.BUCKET_LIST_VARIABLE_NAME] = d.get(form_consts.Common.BUCKET_LIST, "")
ind[form_consts.Common.TICKET_VARIABLE_NAME] = d.get(form_consts.Common.TICKET, "")
try:
response = handle_indicator_insert(
ind, source, reference, analyst=username, method=method, add_domain=add_domain
)
except Exception, e:
result["success"] = False
result_message += "Failure processing row %s: %s<br />" % (processed, str(e))
continue
if response["success"]:
if actions:
action = {
"active": "on",
"analyst": username,
"begin_date": "",
"end_date": "",
"performed_date": "",
"reason": "",
"date": datetime.datetime.now(),
}
for action_type in actions:
action["action_type"] = action_type
action_add("Indicator", response.get("objectid"), action, user=username)
else:
result["success"] = False
result_message += "Failure processing row %s: %s<br />" % (processed, response["message"])
continue
added += 1
