-
Notifications
You must be signed in to change notification settings - Fork 1
/
joe-service.py
237 lines (194 loc) · 6.96 KB
/
joe-service.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
####
#
# JOE SANDBOX McAfee TIE integration
#
# DO NOT CHANGE
server = "https://jbxcloud.joesecurity.org/index.php/api/"
## Joe Reputation to McAfee Reputation
joeMcAfee= {"-1":"unkown","0":"not_set","1":"most_likely_malicious","2":"known_malicious"}
# Timeout for the HTTP request, in seconds
timeout = 6
# ------------------------------
import os
import sys
import time
import traceback
import logging
from dxlclient.client import DxlClient
from dxlclient.client_config import DxlClientConfig
#from dxlclient.message import Message, Request
from dxltieclient import TieClient
from dxltieclient.constants import HashType, TrustLevel, FileProvider, ReputationProp, CertProvider, CertReputationProp, CertReputationOverriddenProp
### Import Requests
try:
import requests
from requests.exceptions import ConnectionError
except ImportError:
print "Error: Please install the Python 'requests' package via pip"
sys.exit()
# Import common logging and configuration
sys.path.append(os.path.dirname(os.path.abspath(__file__)) + "/..")
# Enable logging, this will also direct built-in DXL log messages.
# See - https://docs.python.org/2/howto/logging-cookbook.html
log_formatter = logging.Formatter('%(asctime)s %(name)s - %(levelname)s - %(message)s')
console_handler = logging.StreamHandler()
console_handler.setFormatter(log_formatter)
logger = logging.getLogger()
logger.addHandler(console_handler)
logger.setLevel(logging.INFO)
## DXL Client Configuration
CONFIG_FILE_NAME = "/vagrant/dxlclient.config"
if not os.path.isfile(CONFIG_FILE_NAME):
CONFIG_FILE_NAME = os.path.dirname(os.path.abspath(__file__)) + "/dxlclient.config"
# Create DXL configuration from file
config = DxlClientConfig.create_dxl_config_from_file(CONFIG_FILE_NAME)
#CONFIG_FILE = os.path.dirname(os.path.abspath(__file__)) + "/" + CONFIG_FILE_NAME
def convertInterval(pollMins):
print "Polling set to " + str(pollMins) + " Minutes"
if pollMins != None:
pollMins = float(pollMins)
return pollMins * 60
else:
return 0.0
# Get Environment Variables for Joe Sandbox
apiKey = os.environ.get('JOE_KEY')
pollInterval = convertInterval(os.environ.get('JOE_POLL')) ## Get Joe Polling Interval and convert to floating seconds
## Check if it is a SHA1
def is_sha1(maybe_sha):
if len(maybe_sha) != 40:
return False
try:
sha_int = int(maybe_sha, 16)
except ValueError:
return False
return True
## Check if it is a SHA256
def is_sha256(maybe_sha):
if len(maybe_sha) != 64:
return False
try:
sha_int = int(maybe_sha, 16)
except ValueError:
return False
return True
## Check if it is an MD5
def is_md5(maybe_md5):
if len(maybe_md5) != 32:
return False
try:
md5_int = int(maybe_md5, 16)
except ValueError:
return False
return True
## Map McAfee Trust Level from trustlevel string provided
def getTrustLevel(trustlevelStr):
trustlevelStr = trustlevelStr.lower()
if trustlevelStr == 'known_trusted':
return TrustLevel.KNOWN_TRUSTED
elif trustlevelStr == 'known_trusted_install':
return TrustLevel.KNOWN_TRUSTED_INSTALLER
elif trustlevelStr == 'most_likely_trusted':
return TrustLevel.MOST_LIKELY_TRUSTED
elif trustlevelStr == 'might_be_trusted':
return TrustLevel.MIGHT_BE_TRUSTED
elif trustlevelStr == 'unknown':
return TrustLevel.UNKNOWN
elif trustlevelStr == 'might_be_malicious':
return TrustLevel.MIGHT_BE_MALICIOUS
elif trustlevelStr == 'most_likely_malicious':
return TrustLevel.MOST_LIKELY_MALICIOUS
elif trustlevelStr == 'known_malicious':
return TrustLevel.KNOWN_MALICIOUS
elif trustlevelStr == 'not_set':
return TrustLevel.NOT_SET
return -1
## Set the TIE reputation of a file via MD5, SHA1, or SHA256 hash
def setReputation(trustlevelStr, md5, sha1, sha256, filenameStr, commentStr, tie_client):
trustlevelInt = getTrustLevel(trustlevelStr)
if md5 == None and sha1 == None and sha256 == None:
print "no file hash"
else:
### Verify SHA1 string
if sha1 != "":
if not is_sha1(sha1):
print "invalid sha1"
### Verify SHA256 string
if sha256 != "":
if not is_sha1(sha1):
print "invalid sha256"
if md5 != "":
if not is_md5(md5):
print "invalid md5"
if trustlevelInt != -1:
# Set the Enterprise reputation for notepad.exe to Known Trusted
print "Setting TIE Enterprise reputation for file:" , filenameStr , " to trust level:" , trustlevelInt
tie_client.set_file_reputation(
trustlevelInt , {
HashType.MD5: md5,
HashType.SHA1: sha1,
HashType.SHA256: sha256
},
filename=filenameStr,
comment=commentStr)
else:
print "invalid trust level",
trustlevel = trustlevelStr
def getJoeList(tie_client):
analysisUrl = server +'analysis/list'
#deleteUrl = server +'analysis/delete'
params = {"apikey" : apiKey}
# Fetch analysis metadata
try:
result = requests.post(analysisUrl, data = params, timeout = timeout)
content = result.json()[0]
trustlevelStr = "no_set"
filenameStr = ""
md5 = ""
sha1 = ""
sha256 = ""
for key, value in content.iteritems():
## Comment about Joe
commentStr = "Reputations Score from Joe Sandbox"
## Get filename
if key == "filename":
filenameStr = value
## Get md5
if key == "md5":
md5 = value
## Get SHA1
if key == "sha1":
sha1 = value
## Get SHA256
if key == "sha256":
sha256 = value
## Get Results of Scan
if key == "detections":
detectionsList = value.split(';')
trustlevelStr = joeMcAfee[detectionsList[-2]] ## Retrieve last value in list
setReputation(trustlevelStr, md5, sha1, sha256, filenameStr, commentStr,tie_client)
print key, " : ", value
#print content['webid']
except ValueError,e:
print "API fault: " + result.text
sys.exit()
except:
print "Unable to fetch analyses: " + traceback.format_exc()
sys.exit()
def main():
if pollInterval == 0:
print "Polling Interval Needs to be set in environment variable JOE_POLL"
exit(0)
print ""
print "--- Joe Sandbox metadata script ---"
print ""
# Create the client
with DxlClient(config) as client:
# Connect to the fabric
client.connect()
# Create the McAfee Threat Intelligence Exchange (TIE) client
tie_client = TieClient(client)
while True:
getJoeList(tie_client)
time.sleep(pollInterval)
if __name__=="__main__":
main()