def _sync_request(dxl_client, request, response_timeout, payload_dict): """ Performs a synchronous DXL request and returns the payload :param dxl_client: The DXL client with which to perform the request :param request: The DXL request to send :param response_timeout: The maximum amount of time to wait for a response :param payload_dict: The dictionary (``dict``) to use as the payload of the DXL request :return: The result of the remote command execution (resulting payload) """ # Set the payload MessageUtils.dict_to_json_payload(request, payload_dict) # Display the request that is going to be sent logger.debug( "Request:\n%s", MessageUtils.dict_to_json(payload_dict, pretty_print=True)) # Send the request and wait for a response (synchronous) res = dxl_client.sync_request(request, timeout=response_timeout) if res.message_type == Message.MESSAGE_TYPE_ERROR: raise Exception("Error: " + res.error_message + " (" + str(res.error_code) + ")") # Return a dictionary corresponding to the response payload ret_val = MessageUtils.decode_payload(res) # Display the response logger.debug("Response:\n%s", ret_val) return ret_val
def unknown_call(path): return MessageUtils.dict_to_json( { "unit_test_error_unknown_api": path }, pretty_print=False )
def system_find_command(self, request): # Create the response response = Response(request) response.payload = MessageUtils.dict_to_json(SYSTEM_FIND_PAYLOAD) self._client.send_response(response)
def ip_rep_cmd(parsed_url): ip_param = \ urlparse.parse_qs(parsed_url.query)[ApiVoidCallback.PARAM_IP][0] if ip_param == SAMPLE_IP: return MessageUtils.dict_to_json(SAMPLE_IP_REP, pretty_print=False) return MockApiVoidServerRequestHandler.bad_param( ApiVoidCallback.PARAM_IP, ip_param)
def file_rescan(self, req_dict): rules = [ VirusTotalApiClient._PARAM_RESOURCE in req_dict, req_dict[VirusTotalApiClient._PARAM_RESOURCE] == SAMPLE_FILE ] if not all(rules): return self.STATUS_FAILED_MESSAGE res_payload = copy.deepcopy(SAMPLE_FILE_RESCAN) received_params = {} if VirusTotalApiClient._PARAM_DATE in req_dict: received_params[VirusTotalApiClient._PARAM_DATE] = \ req_dict[VirusTotalApiClient._PARAM_DATE] if VirusTotalApiClient._PARAM_PERIOD in req_dict: received_params[VirusTotalApiClient._PARAM_PERIOD] = \ req_dict[VirusTotalApiClient._PARAM_PERIOD] if VirusTotalApiClient._PARAM_REPEAT in req_dict: received_params[VirusTotalApiClient._PARAM_REPEAT] = \ req_dict[VirusTotalApiClient._PARAM_REPEAT] if VirusTotalApiClient._PARAM_NOTIFY_URL in req_dict: received_params[VirusTotalApiClient._PARAM_NOTIFY_URL] = \ req_dict[VirusTotalApiClient._PARAM_NOTIFY_URL] if VirusTotalApiClient._PARAM_NOTIFY_CHANGES_ONLY in req_dict: received_params[VirusTotalApiClient._PARAM_NOTIFY_CHANGES_ONLY] = \ req_dict[VirusTotalApiClient._PARAM_NOTIFY_CHANGES_ONLY] res_payload[RECEIVED_PARAMS_KEY] = received_params return MessageUtils.dict_to_json(res_payload, True)
def bad_param(param_name, param_val): return MessageUtils.dict_to_json( { "unit_test_bad_param_name": param_name, "unit_test_bad_param_val": param_val }, pretty_print=False)
def bad_param(param_name, param_val, expected_val='unknown'): return MessageUtils.dict_to_json( { "bad_param_name": param_name, "bad_param_val": param_val, "exp_param_val": expected_val }, pretty_print=False)
def threatlog_cmd(parsed_url): host = \ urlparse.parse_qs(parsed_url.query)[ApiVoidCallback.PARAM_HOST][0] if host == SAMPLE_HOST: return MessageUtils.dict_to_json(SAMPLE_THREATLOG, pretty_print=False) return MockApiVoidServerRequestHandler.bad_param( ApiVoidCallback.PARAM_HOST, host)
def parked_domain_cmd(parsed_url): host = \ urlparse.parse_qs(parsed_url.query)[ApiVoidCallback.PARAM_HOST][0] if host == SAMPLE_HOST: return MessageUtils.dict_to_json(SAMPLE_PARKED_DOMAIN, pretty_print=False) return MockApiVoidServerRequestHandler.bad_param( ApiVoidCallback.PARAM_HOST, host)
def email_verify_cmd(parsed_url): host = \ urlparse.parse_qs(parsed_url.query)[ApiVoidCallback.PARAM_HOST][0] if host == SAMPLE_HOST: return MessageUtils.dict_to_json(SAMPLE_EMAIL_VERIFY, pretty_print=False) return MockApiVoidServerRequestHandler.bad_param( ApiVoidCallback.PARAM_HOST, host)
def system_find_command(self, request, params): # Create the response response = Response(request) response.payload = MessageUtils.dict_to_json( SYSTEM_FIND_PAYLOAD if params == {"searchText": SYSTEM_FIND_OSTYPE_LINUX} else []) self._client.send_response(response)
def domain_report(self, req_dict): rules = [ VirusTotalApiClient._PARAM_DOMAIN in req_dict, req_dict[VirusTotalApiClient._PARAM_DOMAIN] == SAMPLE_DOMAIN ] if not all(rules): return self.STATUS_FAILED_MESSAGE return MessageUtils.dict_to_json(SAMPLE_DOMAIN_REPORT, True)
def ip_report(self, req_dict): rules = [ VirusTotalApiClient._PARAM_IP in req_dict, req_dict[VirusTotalApiClient._PARAM_IP] == SAMPLE_IP ] if not all(rules): return self.STATUS_FAILED_MESSAGE return MessageUtils.dict_to_json(SAMPLE_IP_ADDRESS_REPORT, True)
def url_scan(self, req_dict): rules = [ VirusTotalApiClient._PARAM_URL in req_dict, req_dict[VirusTotalApiClient._PARAM_URL] == SAMPLE_URL ] if not all(rules): return self.STATUS_FAILED_MESSAGE return MessageUtils.dict_to_json(SAMPLE_URL_SCAN, True)
def on_event(self, event): event_payload_dict = MessageUtils.json_payload_to_dict(event) # Check the event payload to see if the OpenDXL event was triggered # by the new MISP event that the sample created. if "Event" in event_payload_dict and \ "info" in event_payload_dict["Event"] and \ event_payload_dict["Event"]["info"] == \ "OpenDXL MISP event notification example": # Print the payload for the received event print("Received event:\n{}".format( MessageUtils.dict_to_json(event_payload_dict, pretty_print=True)))
def dns_lookup_cmd(parsed_url): action = \ urlparse.parse_qs(parsed_url.query)[ApiVoidCallback.PARAM_ACTION][0] host = \ urlparse.parse_qs(parsed_url.query)[ApiVoidCallback.PARAM_HOST][0] if action == SAMPLE_ACTION: if host == SAMPLE_HOST: return MessageUtils.dict_to_json(SAMPLE_DNS_LOOKUP, pretty_print=False) return MockApiVoidServerRequestHandler.bad_param( ApiVoidCallback.PARAM_HOST, host) return MockApiVoidServerRequestHandler.bad_param( ApiVoidCallback.PARAM_ACTION, action)
def file_report(self, req_dict): rules = [ VirusTotalApiClient._PARAM_RESOURCE in req_dict, req_dict[VirusTotalApiClient._PARAM_RESOURCE] == SAMPLE_FILE ] if not all(rules): return self.STATUS_FAILED_MESSAGE res_payload = copy.deepcopy(SAMPLE_FILE_REPORT) received_params = {} if VirusTotalApiClient._PARAM_ALLINFO in req_dict: received_params[VirusTotalApiClient._PARAM_ALLINFO] = \ req_dict[VirusTotalApiClient._PARAM_ALLINFO] res_payload[RECEIVED_PARAMS_KEY] = received_params return MessageUtils.dict_to_json(res_payload, True)
def help_command(self, request): # Create the response response = Response(request) cmd_array = [] for cmd in self.KNOWN_COMMANDS: cmd_string = cmd["name"] + " " for param in cmd["parameters"]: cmd_string += "[" + param + "] " cmd_string += "- " + cmd["description"] cmd_array.append(cmd_string) response.payload = MessageUtils.dict_to_json(cmd_array) self._client.send_response(response)
def _sync_request(dxl_client, request, response_timeout, payload_dict): """ Performs a synchronous DXL request and returns the payload :param dxl_client: The DXL client with which to perform the request :param request: The DXL request to send :param response_timeout: The maximum amount of time to wait for a response :param payload_dict: The dictionary (``dict``) to use as the payload of the DXL request :return: The result of the remote command execution (resulting payload) """ # Set the payload MessageUtils.dict_to_json_payload(request, payload_dict) # Display the request that is going to be sent logger.debug("Request:\n%s", MessageUtils.dict_to_json(payload_dict, pretty_print=True)) # Send the request and wait for a response (synchronous) return dxl_client.sync_request(request, timeout=response_timeout)
def url_report_cmd(self, parsed_url): url = \ urlparse.parse_qs(parsed_url.query)[VirusTotalApiRequestCallback.PARAM_RESOURCE][0] if url == SAMPLE_URL: return MessageUtils.dict_to_json(SAMPLE_URL_REPORT, pretty_print=False) return self.bad_param(VirusTotalApiRequestCallback.PARAM_RESOURCE, url)
def stats_remained_cmd(): return MessageUtils.dict_to_json(SAMPLE_STATS_REMAINED, pretty_print=False)
# Create DXL configuration from file config = DxlClientConfig.create_dxl_config_from_file(CONFIG_FILE) # IP address of the endpoint for which to clear the policy HOST_IP = "<SPECIFY_IP_ADDRESS>" # Create the client with DxlClient(config) as dxl_client: # Connect to the fabric dxl_client.connect() logger.info("Connected to DXL fabric.") # Create client wrapper client = CiscoPxGridClient(dxl_client) try: # Invoke 'clear endpoint policy by IP' method on service resp_dict = client.anc.clear_endpoint_policy_by_ip(HOST_IP) # Print out the response (convert dictionary to JSON for pretty # printing) print("Response:\n{0}".format( MessageUtils.dict_to_json(resp_dict, pretty_print=True))) except Exception as ex: # An exception should be raised if a policy has not already been # associated with the endpoint. print(str(ex))
ent_rep_attribs = ent_rep[ReputationProp.ATTRIBUTES] # Display prevalence (if it exists) if FileEnterpriseAttrib.PREVALENCE in ent_rep_attribs: print("\tEnterprise prevalence: " + \ ent_rep_attribs[FileEnterpriseAttrib.PREVALENCE]) # Display first contact date (if it exists) if FileEnterpriseAttrib.FIRST_CONTACT in ent_rep_attribs: print("\tFirst contact: " + \ FileEnterpriseAttrib.to_localtime_string( ent_rep_attribs[FileEnterpriseAttrib.FIRST_CONTACT])) # Display the full file reputation response print("\nFull file reputation response:\n" + \ MessageUtils.dict_to_json(reputations_dict, True)) # # Perform the certificate reputation query # reputations_dict = tie_client.get_certificate_reputation( CERTIFICATE_BODY_SHA1, CERTIFICATE_PUBLIC_KEY_SHA1) print("\nCertificate reputation response:") # Display the Global Threat Intelligence(GTI) trust level for the certificate if CertProvider.GTI in reputations_dict: gti_rep = reputations_dict[CertProvider.GTI] print("\tGlobal Threat Intelligence (GTI) trust level: " \ + str(gti_rep[ReputationProp.TRUST_LEVEL]))
MessageUtils.dict_to_json_payload(req, { "query": { "_string": "title:(OpenDXL AND Observable)" }, "range": "0-1" }) # Set the payload for the search case request case_search_response = client.sync_request(req, timeout=30) if case_search_response.message_type is not Message.MESSAGE_TYPE_ERROR: # Display results for the search case request case_search_response_dict = MessageUtils.json_payload_to_dict( case_search_response) print("Response for the search case request: '{0}'".format( MessageUtils.dict_to_json(case_search_response_dict, pretty_print=True))) else: print("Error invoking service with topic '{0}': {1} ({2})".format( request_topic, case_search_response.error_message, case_search_response.error_code)) exit(1) if case_search_response_dict: # Extract the id of the case from the results of the search case request case_id = case_search_response_dict[0]["id"] # Create the search case observable request request_topic = "/opendxl-thehive/service/thehive-api/case/observable/search" req = Request(request_topic) # Set the payload for the search case observable request. The query
new_event_request, { "distribution": 3, "info": "OpenDXL MISP new event example", "analysis": 1, "threat_level_id": 3 }) # Send the new event request new_event_response = client.sync_request(new_event_request, timeout=30) if new_event_response.message_type != Message.MESSAGE_TYPE_ERROR: # Display results for the new event request new_event_response_dict = MessageUtils.json_payload_to_dict( new_event_response) print("Response to the new event request:\n{}".format( MessageUtils.dict_to_json(new_event_response_dict, pretty_print=True))) else: print("Error invoking service with topic '{}': {} ({})".format( request_topic, new_event_response.error_message, new_event_response.error_code)) exit(1) # Create the new search request request_topic = "/opendxl-misp/service/misp-api/search" search_request = Request(request_topic) # Set the payload for the search request MessageUtils.dict_to_json_payload( search_request, { "eventid": new_event_response_dict["Event"]["id"], })
def ip_report_cmd(self, parsed_url): ip_address = \ urlparse.parse_qs(parsed_url.query)[VirusTotalApiRequestCallback.PARAM_IP][0] if ip_address == SAMPLE_IP: return MessageUtils.dict_to_json(SAMPLE_IP_ADDRESS_REPORT, pretty_print=False) return self.bad_param(VirusTotalApiRequestCallback.PARAM_IP, ip_address)
def domain_report_cmd(self, parsed_url): domain = \ urlparse.parse_qs(parsed_url.query)[VirusTotalApiRequestCallback.PARAM_DOMAIN][0] if domain == SAMPLE_DOMAIN: return MessageUtils.dict_to_json(SAMPLE_DOMAIN_REPORT, pretty_print=False) return self.bad_param(VirusTotalApiRequestCallback.PARAM_DOMAIN, domain)
def on_update_policy(self, update_dict): print("on_update_policy\n" + MessageUtils.dict_to_json(update_dict, pretty_print=True))
def file_rescan_cmd(self, parsed_url): resource = \ urlparse.parse_qs(parsed_url.query)[VirusTotalApiRequestCallback.PARAM_RESOURCE][0] if resource == SAMPLE_FILE: return MessageUtils.dict_to_json(SAMPLE_FILE_RESCAN, pretty_print=False) return self.bad_param(VirusTotalApiRequestCallback.PARAM_RESOURCE, resource)
def url_scan_cmd(self, parsed_url): url = \ urlparse.parse_qs(parsed_url.query)[VirusTotalApiRequestCallback.PARAM_URL][0] if url == SAMPLE_URL: return MessageUtils.dict_to_json(SAMPLE_URL_SCAN, pretty_print=False) return self.bad_param(VirusTotalApiRequestCallback.PARAM_URL, url)