Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit f67c747
Showing
20 changed files
with
4,833 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
*.py[cod] | ||
|
||
# C extensions | ||
*.so | ||
|
||
# Packages | ||
*.egg | ||
*.egg-info | ||
dist | ||
build | ||
eggs | ||
parts | ||
bin | ||
var | ||
sdist | ||
develop-eggs | ||
.installed.cfg | ||
lib | ||
lib64 | ||
|
||
# Installer logs | ||
pip-log.txt | ||
|
||
# Unit test / coverage reports | ||
.coverage | ||
.tox | ||
nosetests.xml | ||
|
||
# Translations | ||
*.mo | ||
|
||
# Mr Developer | ||
.mr.developer.cfg | ||
.project | ||
.pydevproject | ||
|
||
# IDE exclusions | ||
.idea | ||
|
||
config.ini |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
The MIT License (MIT) | ||
|
||
Copyright (c) 2017 Carbon Black Inc. | ||
|
||
Permission is hereby granted, free of charge, to any person obtaining a copy | ||
of this software and associated documentation files (the "Software"), to deal | ||
in the Software without restriction, including without limitation the rights | ||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
copies of the Software, and to permit persons to whom the Software is | ||
furnished to do so, subject to the following conditions: | ||
|
||
The above copyright notice and this permission notice shall be included in all | ||
copies or substantial portions of the Software. | ||
|
||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
SOFTWARE. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
# file GENERATED by distutils, do NOT edit | ||
cb-virustotal-connector.spec | ||
setup.py | ||
cbopensource/__init__.py | ||
cbopensource/__init__.pyc | ||
cbopensource/connectors/__init__.py | ||
cbopensource/connectors/__init__.pyc | ||
cbopensource/connectors/virustotal/0001-Changed-Version-to-1.0.patch | ||
cbopensource/connectors/virustotal/0001-fixes-to-init.d-script.patch | ||
cbopensource/connectors/virustotal/__init__.py | ||
cbopensource/connectors/virustotal/__init__.pyc | ||
cbopensource/connectors/virustotal/apiclient_virustotal.py | ||
cbopensource/connectors/virustotal/apiclient_virustotal.pyc | ||
cbopensource/connectors/virustotal/bridge.py | ||
cbopensource/connectors/virustotal/bridge.py.backup | ||
cbopensource/connectors/virustotal/joe | ||
cbopensource/connectors/virustotal/joe-original | ||
cbopensource/connectors/virustotal/test.py | ||
cbopensource/connectors/virustotal/testing.conf | ||
root/etc/cb/integrations/virustotal/connector.conf.example | ||
root/etc/init.d/cb-virustotal-connector | ||
root/usr/share/cb/integrations/virustotal/cacert.pem | ||
root/usr/share/cb/integrations/virustotal/virustotal-logo.png | ||
scripts/cb-virustotal-connector |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
recursive-include cbopensource * | ||
recursive-include root/etc * | ||
recursive-include root/usr * | ||
recursive-include scripts | ||
|
||
include cb-virustotal-connector.spec |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,69 @@ | ||
# Carbon Black - virustotal Connector | ||
|
||
The virustotal connector submits binaries collected by Carbon Black to virustotal | ||
for binary analysis. The results are collected and placed into an Intelligence | ||
Feed on your Carbon Black server. The feed will then tag any binaries executed on your | ||
endpoints identified as malware by virustotal. Only binaries submitted by the connector | ||
for analysis will be included in the generated Intelligence Feed. | ||
|
||
## Installation Quickstart | ||
|
||
As root on your Carbon Black or other RPM based 64-bit Linux distribution server: | ||
``` | ||
cd /etc/yum.repos.d | ||
curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo | ||
yum install python-cb-virustotal-connector | ||
``` | ||
|
||
Once the software is installed via YUM, copy the `/etc/cb/integrations/virustotal/connector.conf.example` file to | ||
`/etc/cb/integrations/virustotal/connector.conf`. Edit this file and place your Carbon Black API key into the | ||
`carbonblack_server_token` variable and your Carbon Black server's base URL into the `carbonblack_server_url` variable. | ||
|
||
Then you must place your credentials for virustotal into the configuration file: place API token | ||
into the `virustotal_api_token` variable in the | ||
`/etc/cb/integrations/virustotal/connector.conf` file. | ||
|
||
Any errors will be logged into `/var/log/cb/integrations/virustotal/virustotal.log`. | ||
|
||
## Troubleshooting | ||
|
||
If you suspect a problem, please first look at the virustotal connector logs found here: | ||
`/var/log/cb/integrations/virustotal/virustotal.log` | ||
(There might be multiple files as the logger "rolls over" when the log file hits a certain size). | ||
|
||
If you want to re-run the analysis across your binaries: | ||
|
||
1. Stop the service: `service cb-virustotal-connector stop` | ||
2. Remove the database file: `rm /usr/share/cb/integrations/virustotal/db/sqlite.db` | ||
3. Remove the feed from your Cb server's Threat Intelligence page | ||
4. Restart the service: `service cb-virustotal-connector start` | ||
|
||
## Contacting Carbon Black Developer Relations Support | ||
|
||
Web: https://community.carbonblack.com/groups/developer-relations | ||
E-mail: dev-support@bcarbonblack.com | ||
|
||
### Reporting Problems | ||
|
||
When you contact Carbon Black Developer Relations Technical Support with an issue, please provide the following: | ||
|
||
* Your name, company name, telephone number, and e-mail address | ||
* Product name/version, CB Server version, CB Sensor version | ||
* Hardware configuration of the Carbon Black Server or computer (processor, memory, and RAM) | ||
* For documentation issues, specify the version of the manual you are using. | ||
* Action causing the problem, error message returned, and event log output (as appropriate) | ||
* Problem severity | ||
|
||
#### Additional Configuration Options: | ||
By default, binaries which are already known by virustotal will not be resubmitted for rescanning. | ||
If this functionality is desired, the rescan_window option can be added to the configuration file | ||
to set the window of time in which binaries are to be resubmitted for scanning. | ||
|
||
``` | ||
;Window of time within which to rescan a submitted file | ||
;rescan_window=1D | ||
;FORMAT=%D%S | ||
;S=H,M,D,W = hours,minutes,days,weeks | ||
;NEVER= do not rescan binaries no matter how old the latest scan is | ||
rescan_window=365D | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
# -*- mode: python -*- | ||
a = Analysis(['scripts/cb-virustotal-connector'], | ||
pathex=['.'], | ||
hiddenimports=['unicodedata'], | ||
datas=[ (HOMEPATH + '/cbapi/response/models/*', 'cbapi/response/models/'), | ||
(HOMEPATH + '/cbapi/protection/models/*', 'cbapi/protection/models/'), | ||
(HOMEPATH + '/cbapi/defense/models/*', 'cbapi/defense/models/') ], | ||
hookspath=None, | ||
runtime_hooks=None) | ||
pyz = PYZ(a.pure) | ||
exe = EXE(pyz, | ||
a.scripts, | ||
exclude_binaries=True, | ||
name='cb-virustotal-connector', | ||
debug=False, | ||
strip=None, | ||
upx=True, | ||
console=True ) | ||
coll = COLLECT(exe, | ||
a.binaries, | ||
a.zipfiles, | ||
a.datas, | ||
strip=None, | ||
upx=True, | ||
name='cb-virustotal-connector') |
Empty file.
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
__version__ = '1.0' |
60 changes: 60 additions & 0 deletions
60
cbopensource/connectors/virustotal/apiclient_virustotal.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
#!/usr/bin/env python | ||
|
||
import logging | ||
import os | ||
|
||
log = logging.getLogger(__name__) | ||
|
||
|
||
class VirusTotalAnalysisClient(object): | ||
|
||
def __init__(self, session=None, api_token=None, url=None,log_level=None): | ||
self.session = session | ||
self.api_token = api_token | ||
self.url = url if url else "https://www.virustotal.com/vtapi/v2/file/" | ||
log.setLevel(logging.INFO if not log_level else logging.DEBUG) | ||
|
||
def submit_file(self, resource_hash=None, stream=None): | ||
log.info("VTAnalysis: submit_file: hash = %s " % (resource_hash)) | ||
params = {"apikey": self.api_token} | ||
file_name = None | ||
if hasattr(stream, "name"): | ||
log.info("submitting file: fs.name: %s" % stream.name) | ||
file_name = os.path.basename(stream.name) | ||
files = {'file': (file_name, open(file_name, 'rb'))} if file_name else {'file': (resource_hash, stream)} | ||
response = self.session.post(self.url + 'scan', files=files, params=params) | ||
log.debug("submit_file: response = %s" % response) | ||
return response.json() | ||
|
||
def rescan_hash(self, resource_hash): | ||
log.info("rescan_hash: resource_hash = %s" % resource_hash) | ||
params = {"apikey": self.api_token} | ||
if resource_hash: | ||
params["resource"] = resource_hash | ||
else: | ||
raise Exception("No resources provided") | ||
headers = { | ||
"Accept-Encoding": "gzip, deflate", | ||
"User-Agent": "gzip, My Python requests library example client or username" | ||
} | ||
response = self.session.post(self.url + "rescan", params=params, headers=headers) | ||
log.debug("Rescan hash: response = %s" % response) | ||
return response.json() | ||
|
||
def get_report(self, resource_hash=None, batch=None): | ||
log.info("get_report: resource_hash = %s" % resource_hash) | ||
params = {"apikey": self.api_token} | ||
if resource_hash: | ||
params["resource"] = resource_hash | ||
elif batch: | ||
params['resource'] = ",".join(batch) | ||
else: | ||
raise Exception("No resources provided") | ||
headers = { | ||
"Accept-Encoding": "gzip, deflate", | ||
"User-Agent": "gzip, My Python requests library example client or username" | ||
} | ||
response = self.session.get(self.url + "report", | ||
params=params, headers=headers) | ||
log.debug("get_report: response = %s " % response) | ||
return response.json() |
Oops, something went wrong.