def handle_pcap_file(filename, data, source_name, user=None, description=None, related_id=None, related_md5=None, related_type=None, method='', reference='', relationship=None, bucket_list=None, ticket=None): """ Add a PCAP. :param filename: The filename of the PCAP. :type filename: str :param data: The filedata of the PCAP. :type data: str :param source_name: The source which provided this PCAP. :type source_name: str, :class:`crits.core.crits_mongoengine.EmbeddedSource`, list of :class:`crits.core.crits_mongoengine.EmbeddedSource` :param user: The user adding the PCAP. :type user: str :param description: Description of the PCAP. :type description: str :param related_id: ObjectId of a top-level object related to this PCAP. :type related_id: str :param related_md5: MD5 of a top-level object related to this PCAP. :type related_md5: str :param related_type: The CRITs type of the related top-level object. :type related_type: str :param method: The method of acquiring this PCAP. :type method: str :param reference: A reference to the source of this PCAP. :type reference: str :param relationship: The relationship between the parent and the PCAP. :type relationship: str :param bucket_list: Bucket(s) to add to this PCAP. :type bucket_list: str(comma separated) or list. :param ticket: Ticket(s) to add to this PCAP. :type ticket: str(comma separated) or list. :returns: dict with keys: 'success' (boolean), 'message' (str), 'md5' (str) if successful. """ if not data: status = {'success': False, 'message': 'No data object passed in'} return status if len(data) <= 0: status = {'success': False, 'message': 'Data length <= 0'} return status if ((related_type and not (related_id or related_md5)) or (not related_type and (related_id or related_md5))): status = { 'success': False, 'message': 'Must specify both related_type and related_id or related_md5.' } return status if not source_name: return {"success": False, "message": "Missing source information."} related_obj = None if related_id or related_md5: if related_id: related_obj = class_from_id(related_type, related_id) else: related_obj = class_from_value(related_type, related_md5) if not related_obj: status = {'success': False, 'message': 'Related object not found.'} return status # generate md5 and timestamp md5 = hashlib.md5(data).hexdigest() timestamp = datetime.datetime.now() # generate PCAP is_pcap_new = False pcap = PCAP.objects(md5=md5).first() if not pcap: pcap = PCAP() pcap.filename = filename pcap.created = timestamp pcap.length = len(data) pcap.description = description pcap.md5 = md5 is_pcap_new = True # generate source information and add to pcap if isinstance(source_name, basestring) and len(source_name) > 0: s = create_embedded_source(source_name, method=method, reference=reference, analyst=user) pcap.add_source(s) elif isinstance(source_name, EmbeddedSource): pcap.add_source(source_name, method=method, reference=reference) elif isinstance(source_name, list) and len(source_name) > 0: for s in source_name: if isinstance(s, EmbeddedSource): pcap.add_source(s, method=method, reference=reference) # add file to GridFS if not isinstance(pcap.filedata.grid_id, ObjectId): pcap.add_file_data(data) if bucket_list: pcap.add_bucket_list(bucket_list, user) if ticket: pcap.add_ticket(ticket, user) # save pcap pcap.save(username=user) # update relationship if a related top-level object is supplied if related_obj and pcap: if not relationship: relationship = "Related_To" pcap.add_relationship(rel_item=related_obj, rel_type=relationship, analyst=user, get_rels=False) related_obj.save(username=user) pcap.save(username=user) # run pcap triage if is_pcap_new and data: pcap.reload() run_triage(pcap, user) status = { 'success': True, 'message': 'Uploaded pcap', 'md5': md5, 'id': str(pcap.id), 'object': pcap } return status
def handle_pcap_file(filename, data, source_name, user=None, description=None, related_id=None, related_md5=None, related_type=None, method=None, reference=None, relationship=None, bucket_list=None, ticket=None): """ Add a PCAP. :param filename: The filename of the PCAP. :type filename: str :param data: The filedata of the PCAP. :type data: str :param source_name: The source which provided this PCAP. :type source_name: str, :class:`crits.core.crits_mongoengine.EmbeddedSource`, list of :class:`crits.core.crits_mongoengine.EmbeddedSource` :param user: The user adding the PCAP. :type user: str :param description: Description of the PCAP. :type description: str :param related_id: ObjectId of a top-level object related to this PCAP. :type related_id: str :param related_md5: MD5 of a top-level object related to this PCAP. :type related_md5: str :param related_type: The CRITs type of the related top-level object. :type related_type: str :param method: The method of acquiring this PCAP. :type method: str :param reference: A reference to the source of this PCAP. :type reference: str :param relationship: The relationship between the parent and the PCAP. :type relationship: str :param bucket_list: Bucket(s) to add to this PCAP. :type bucket_list: str(comma separated) or list. :param ticket: Ticket(s) to add to this PCAP. :type ticket: str(comma separated) or list. :returns: dict with keys: 'success' (boolean), 'message' (str), 'md5' (str) if successful. """ if not data: status = { 'success': False, 'message': 'No data object passed in' } return status if len(data) <= 0: status = { 'success': False, 'message': 'Data length <= 0' } return status if ((related_type and not (related_id or related_md5)) or (not related_type and (related_id or related_md5))): status = { 'success': False, 'message': 'Must specify both related_type and related_id or related_md5.' } return status if not source_name: return {"success" : False, "message" : "Missing source information."} related_obj = None if related_id or related_md5: if related_id: related_obj = class_from_id(related_type, related_id) else: related_obj = class_from_value(related_type, related_md5) if not related_obj: status = { 'success': False, 'message': 'Related object not found.' } return status # generate md5 and timestamp md5 = hashlib.md5(data).hexdigest() timestamp = datetime.datetime.now() # generate PCAP is_pcap_new = False pcap = PCAP.objects(md5=md5).first() if not pcap: pcap = PCAP() pcap.filename = filename pcap.created = timestamp pcap.length = len(data) pcap.description = description pcap.md5 = md5 is_pcap_new = True # generate source information and add to pcap if isinstance(source_name, basestring) and len(source_name) > 0: s = create_embedded_source(source_name, method=method, reference=reference, analyst=user) pcap.add_source(s) elif isinstance(source_name, EmbeddedSource): pcap.add_source(source_name, method=method, reference=reference) elif isinstance(source_name, list) and len(source_name) > 0: for s in source_name: if isinstance(s, EmbeddedSource): pcap.add_source(s, method=method, reference=reference) # add file to GridFS if not isinstance(pcap.filedata.grid_id, ObjectId): pcap.add_file_data(data) if bucket_list: pcap.add_bucket_list(bucket_list, user) if ticket: pcap.add_ticket(ticket, user) # save pcap pcap.save(username=user) # update relationship if a related top-level object is supplied if related_obj and pcap: if not relationship: relationship = "Related_To" pcap.add_relationship(rel_item=related_obj, rel_type=relationship, analyst=user, get_rels=False) related_obj.save(username=user) pcap.save(username=user) # run pcap triage if is_pcap_new and data: pcap.reload() run_triage(pcap, user) status = { 'success': True, 'message': 'Uploaded pcap', 'md5': md5, 'id': str(pcap.id), } return status