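def _get_rule_probes(self):
    """Find the probes that could have triggered the event.

    The event's own ``file_sha256`` and the ``sha256`` of every entry in
    its ``signing_chain`` are looked up in ``probes_lookup_dict``; every
    probe registered under any of those hashes is collected.

    Returns:
        list: the matching probes, in payload order (file hash first, then
        the signing chain as given); empty when nothing matches.
    """
    # TODO: the whole zentral contrib app works only with sha256
    # TODO: we could do a better job and try to match the policy
    # with the santa event "decision" attr and remove some extra matching probes
    # Collect every sha256 the event carries that a probe could be keyed on.
    # NOTE(review): a probe keyed on a CA certificate's sha256 matches every
    # binary signed beneath that CA, not just one file — confirm this is intended.
    sha256_l = []
    file_sha256 = self.payload.get('file_sha256', None)
    if file_sha256:
        sha256_l.append(file_sha256)
    for cert_d in self.payload.get('signing_chain', []):
        cert_sha256 = cert_d.get('sha256', None)
        if cert_sha256:
            sha256_l.append(cert_sha256)
    # Look up the probes, remembering which hashes actually hit so that the
    # warning below names them rather than whichever hash was visited last.
    found_probes = []
    matched_sha256_l = []
    for sha256 in sha256_l:
        probes = probes_lookup_dict.get(sha256, [])
        if probes:
            matched_sha256_l.append(sha256)
            found_probes.extend(probes)
    if len(found_probes) > 1:
        logger.warning("Found %d matching santa probes for sha256 %s.",
                       len(found_probes), ", ".join(matched_sha256_l))
    return found_probes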
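def _get_probe(self):
    """Return the first probe matching the event, or ``None``.

    Delegates the sha256 collection and lookup to ``_get_rule_probes`` so
    the two methods cannot drift apart; that method also emits the warning
    when more than one probe matches.

    Returns:
        The first matching probe in lookup order (file hash first, then the
        signing chain as given in the payload), or ``None`` when no probe is
        keyed on any of the event's hashes.
    """
    # TODO: what if we find more than one matching probe ?
    # TODO: the whole zentral contrib app works only with sha256
    found_probes = self._get_rule_probes()
    # Callers rely on a falsy result when nothing matches; keep returning None.
    return found_probes[0] if found_probes else None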