@@ -0,0 +1,3 @@ | ||
include README.md | ||
include fn_bluecoat_site_review/util/* | ||
include fn_bluecoat_site_review/LICENSE |
@@ -0,0 +1,203 @@ | ||
# Bluecoat Site Review | ||
## Introduction | ||
This function provides data enrichment on DNS Names and URLs available from Symantec [WebPulse (formally Bluecoat) Site Review](https://sitereview.bluecoat.com) to enrich | ||
artifact values. | ||
|
||
## Installation | ||
|
||
Install the function package by first unpacking the .zip file exposing the .tar.gz file. | ||
|
||
To install in "development mode" | ||
|
||
[sudo] pip install -e ./fn_bluecoat_site_review/ | ||
|
||
or to the python libraries | ||
|
||
[sudo] pip install fn_bluecoat_site_review-1.0.0.tar.gz | ||
|
||
To configure `app.conf`, run | ||
|
||
resilient-circuits config [-c or -u] -l fn-bluecoat-site-review | ||
|
||
To load Resilient with all the object definitions needed for use, run | ||
|
||
resilient-circuits customize -l fn-bluecoat-site-review | ||
|
||
After installation, the package will be loaded and executed with `resilient-circuits run`. | ||
|
||
To uninstall: | ||
|
||
[sudo] pip uninstall fn-bluecoat-site-review | ||
|
||
## Components | ||
The following components are loaded into Resilient | ||
|
||
+ Function: Bluecoat Site Review Lookup | ||
+ Workflow: Example: Bluecoat Site Review Search | ||
+ Rule: Example: Bluecoat Site Review | ||
|
||
The sample rule is enabled for DNS and URL type artifacts | ||
|
||
## Results | ||
The resulting data is appended in the artifact's description field. Your process may parse | ||
and process the data differently. A sample note in the description field is: | ||
|
||
``` | ||
Bluecoat Categorization: Suspicious, Spam | ||
``` | ||
|
||
This is produced by the following post-processing script: | ||
|
||
``` | ||
if isinstance(results.content['CategorizationResult']['categorization']['categorization'],list): | ||
categorization_list = [categorization['name'] for categorization in results.content['CategorizationResult']['categorization']['categorization']] | ||
categorization_name = u", ".join(categorization_list) | ||
else: | ||
categorization_name = results.content['CategorizationResult']['categorization']['categorization']['name'] | ||
existing_description = artifact.description.content+'\n' if artifact.description else "" | ||
artifact.description = u"{}Bluecoat Categorization: {}".format(existing_description, categorization_name) | ||
``` | ||
|
||
Below is a sample result from the function returning multiple categorizations: | ||
|
||
### Sample results | ||
``` | ||
{ | ||
'inputs': { | ||
u'incident_id': 2104, | ||
u'artifact_value': u'http://avts.vn/hejxjrzjys/3978861743009/OCRjH-YuO_VcE-MgR/' | ||
}, | ||
'metrics': { | ||
'package': 'fn-bluecoat-site-review', | ||
'timestamp': '2019-03-25 19:28:28', | ||
'package_version': '1.0.0', | ||
'host': 'marks-mbp.cambridge.ibm.com', | ||
'version': '1.0', | ||
'execution_time_ms': 139 | ||
}, | ||
'success': True, | ||
'content': { | ||
u'CategorizationResult': { | ||
u'categorization': { | ||
u'categorization': [ | ||
{ | ||
u'num': u'92', | ||
u'name': u'Suspicious' | ||
}, | ||
{ | ||
u'num': u'101', | ||
u'name': u'Spam' | ||
} | ||
] | ||
}, | ||
u'locked': u'false', | ||
u'translatedCategories': { | ||
u'fr': [ | ||
{ | ||
u'num': u'92', | ||
u'name': u'Suspect (Suspicious)' | ||
}, | ||
{ | ||
u'num': u'101', | ||
u'name': u'Spam (Spam)' | ||
} | ||
], | ||
u'de': [ | ||
{ | ||
u'num': u'92', | ||
u'name': u'Verd\xe4chtig (Suspicious)' | ||
}, | ||
{ | ||
u'num': u'101', | ||
u'name': u'Spam (Spam)' | ||
} | ||
], | ||
u'zh': [ | ||
{ | ||
u'num': u'92', | ||
u'name': u'\u53ef\u7591 (Suspicious)' | ||
}, | ||
{ | ||
u'num': u'101', | ||
u'name': u'\u5783\u573e\u90ae\u4ef6 (Spam)' | ||
} | ||
], | ||
u'zh_TW': [ | ||
{ | ||
u'num': u'92', | ||
u'name': u'\u53ef\u7591 (Suspicious)' | ||
}, | ||
{ | ||
u'num': u'101', | ||
u'name': u'\u5783\u573e\u90f5\u4ef6 (Spam)' | ||
} | ||
], | ||
u'en': [ | ||
{ | ||
u'num': u'92', | ||
u'name': u'Suspicious' | ||
}, | ||
{ | ||
u'num': u'101', | ||
u'name': u'Spam' | ||
} | ||
], | ||
u'ja': [ | ||
{ | ||
u'num': u'92', | ||
u'name': u'\u7591\u308f\u3057\u3044 (Suspicious)' | ||
}, | ||
{ | ||
u'num': u'101', | ||
u'name': u'\u30b9\u30d1\u30e0 (Spam)' | ||
} | ||
], | ||
u'es': [ | ||
{ | ||
u'num': u'92', | ||
u'name': u'Sospechoso (Suspicious)' | ||
}, | ||
{ | ||
u'num': u'101', | ||
u'name': u'Spam (Spam)' | ||
} | ||
] | ||
}, | ||
u'url': u'http://avts.vn/hejxjrzjys/3978861743009/OCRjH-YuO_VcE-MgR/', | ||
u'rateDate': u"Last Time Rated/Reviewed: > {{days}} days {{legacy}}The URL submitted for review was rated more than {{days}} days ago. The default setting for Symantec SG clients to download rating changes is once a day. There is no need to show ratings older than this. Since Symantec's desktop client K9 and certain OEM partners update differently, ratings may differ from those of a Symantec SG as well as those present on the Site Review Tool.", | ||
u'followedUrl': None, | ||
u'lockedSpecialNote': None, | ||
u'threatriskLevelEn': None, | ||
u'linkable': u'false', | ||
u'resolvedDetail': { | ||
u'resolveEnabled': u'true', | ||
u'ipAddress': u'103.28.36.58' | ||
}, | ||
u'securityCategoryIds': { | ||
u'securityCategoryIds': [ | ||
u'43', | ||
u'102', | ||
u'44', | ||
u'92', | ||
u'18' | ||
] | ||
}, | ||
u'multipleMessage': None, | ||
u'suggestion': None, | ||
u'securityCategory': u'true', | ||
u'ratingDtsCutoff': u'7', | ||
u'multiple': u'false', | ||
u'unrated': u'false', | ||
u'curTrackingId': u'478710', | ||
u'ratingDts': u'OLDER', | ||
u'lockedMessage': None, | ||
u'threatriskLevel': None | ||
} | ||
}, | ||
'raw': '{"CategorizationResult": {"categorization": {"categorization": [{"num": "92", "name": "Suspicious"}, {"num": "101", "name": "Spam"}]}, "locked": "false", "translatedCategories": {"fr": [{"num": "92", "name": "Suspect (Suspicious)"}, {"num": "101", "name": "Spam (Spam)"}], "de": [{"num": "92", "name": "Verd\\u00e4chtig (Suspicious)"}, {"num": "101", "name": "Spam (Spam)"}], "zh": [{"num": "92", "name": "\\u53ef\\u7591 (Suspicious)"}, {"num": "101", "name": "\\u5783\\u573e\\u90ae\\u4ef6 (Spam)"}], "zh_TW": [{"num": "92", "name": "\\u53ef\\u7591 (Suspicious)"}, {"num": "101", "name": "\\u5783\\u573e\\u90f5\\u4ef6 (Spam)"}], "en": [{"num": "92", "name": "Suspicious"}, {"num": "101", "name": "Spam"}], "ja": [{"num": "92", "name": "\\u7591\\u308f\\u3057\\u3044 (Suspicious)"}, {"num": "101", "name": "\\u30b9\\u30d1\\u30e0 (Spam)"}], "es": [{"num": "92", "name": "Sospechoso (Suspicious)"}, {"num": "101", "name": "Spam (Spam)"}]}, "url": "http://avts.vn/hejxjrzjys/3978861743009/OCRjH-YuO_VcE-MgR/", "rateDate": "Last Time Rated/Reviewed: > {{days}} days {{legacy}}The URL submitted for review was rated more than {{days}} days ago. The default setting for Symantec SG clients to download rating changes is once a day. There is no need to show ratings older than this. Since Symantec\'s desktop client K9 and certain OEM partners update differently, ratings may differ from those of a Symantec SG as well as those present on the Site Review Tool.", "followedUrl": null, "lockedSpecialNote": null, "threatriskLevelEn": null, "linkable": "false", "resolvedDetail": {"resolveEnabled": "true", "ipAddress": "103.28.36.58"}, "securityCategoryIds": {"securityCategoryIds": ["43", "102", "44", "92", "18"]}, "multipleMessage": null, "suggestion": null, "securityCategory": "true", "ratingDtsCutoff": "7", "multiple": "false", "unrated": "false", "curTrackingId": "478710", "ratingDts": "OLDER", "lockedMessage": null, "threatriskLevel": null}}', | ||
'reason': None, | ||
'version': '1.0' | ||
} | ||
``` |
@@ -0,0 +1,19 @@ | ||
Copyright © IBM Corporation 2010, 2019 | ||
|
||
Permission is hereby granted, free of charge, to any person obtaining a copy | ||
of this software and associated documentation files (the "Software"), to | ||
deal in the Software without restriction, including without limitation the | ||
rights to use, copy, modify, merge, publish, distribute, sublicense, and/or | ||
sell copies of the Software, and to permit persons to whom the Software is | ||
furnished to do so, subject to the following conditions: | ||
|
||
The above copyright notice and this permission notice shall be included in | ||
all copies or substantial portions of the Software. | ||
|
||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING | ||
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS | ||
IN THE SOFTWARE. |
@@ -0,0 +1,5 @@ | ||
import pkg_resources | ||
try: | ||
__version__ = pkg_resources.get_distribution(__name__).version | ||
except pkg_resources.DistributionNotFound: | ||
pass |
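Review bot: The `except pkg_resources.DistributionNotFound: pass` branch leaves `__version__` undefined whenever the package is imported without being installed as a distribution, so a caller doing `from fn_bluecoat_site_review import __version__` gets an `AttributeError` instead of an "unknown version" value. Replacing the `pass` with `__version__ = None` keeps the attribute present on both paths. The file path is not shown on this page; presumably this is the package-level `__init__.py`.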
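--- a/fn_bluecoat_site_review/fn_bluecoat_site_review/components/__init__.py
+++ b/fn_bluecoat_site_review/fn_bluecoat_site_review/components/__init__.py
@@ -0,0 +1 @@
+#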
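--- a/fn_bluecoat_site_review/fn_bluecoat_site_review/components/bluecoat_site_review_lookup.py
+++ b/fn_bluecoat_site_review/fn_bluecoat_site_review/components/bluecoat_site_review_lookup.py
@@ -0,0 +1,79 @@
+# -*- coding: utf-8 -*-
+# (c) Copyright IBM Corporation 2010, 2019. All Rights Reserved.
+# pragma pylint: disable=unused-argument, no-self-use
+"""Function implementation"""
+
+import logging
+import json
+import xmltodict
+from resilient_lib import RequestsCommon, ResultPayload
+from resilient_circuits import ResilientComponent, function, handler, StatusMessage, FunctionResult, FunctionError
+
+
+PACKAGE = "fn_bluecoat_site_review"
+HEADERS = {"User-Agent": "Mozilla/5.0", "Content-Type": "application/json"}
+
+
+class FunctionComponent(ResilientComponent):
+    """Component that implements Resilient function 'bluecoat_site_review_lookup"""
+
+    def __init__(self, opts):
+        """constructor provides access to the configuration options"""
+        super(FunctionComponent, self).__init__(opts)
+        self.opts = opts
+        self.options = opts.get(PACKAGE, {})
+
+    @handler("reload")
+    def _reload(self, event, opts):
+        """Configuration options have changed, save new values"""
+        self.opts = opts
+        self.options = opts.get(PACKAGE, {})
+
+    @function("bluecoat_site_review_lookup")
+    def _bluecoat_site_review_lookup_function(self, event, *args, **kwargs):
+        """Function: This function takes an artifact of type URL or DNS name and returns those results as a json object."""
+
+        try:
+            # Get the function parameters:
+            artifact_value = kwargs.get("artifact_value")  # text
+
+            log = logging.getLogger(__name__)
+            log.info("artifact_value: %s", artifact_value)
+
+            fr = ResultPayload(PACKAGE, **kwargs)
+            # Assignment for successful completion of the code
+            results_flag = True
+
+            yield StatusMessage("starting...")
+
+            response_json = self.sitereview(self.options['url'], artifact_value)
+
+            # handles if there is no result in the JSON Return Object:
+            msg = None
+            if response_json is None:
+                msg = "There were no results..."
+                log.debug(msg)
+                results_flag = False
+            else:
+                # This handles if the categorizaton is a list in the JSON object that needs to be traversed/isolated or not
+                if response_json.get('FailedResult'):
+                    results_flag = False
+                    msg = response_json.get('FailedResult')
+
+            yield StatusMessage("done...")
+
+            results_payload = fr.done(results_flag, response_json, msg)
+            # Produce a FunctionResult with the results
+            yield FunctionResult(results_payload)
+        except Exception:
+            yield FunctionError()
+
+    def sitereview(self, url, value):
+        payload = {"url": value, "captcha":""}
+
+        rc = RequestsCommon(self.opts, self.options)
+
+        result = rc.execute_call('post', url, payload=payload, headers=HEADERS, resp_type='text')
+
+        dict_to_str = json.dumps(xmltodict.parse(result))
+        return json.loads(dict_to_str)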
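Review bot: `sitereview` hands the raw response body straight to `xmltodict.parse` with no check that it is XML at all, so an HTML error or captcha page from the site (the payload even carries an empty `captcha` field, hinting that such pages exist) surfaces as an `ExpatError` that is handled only by the catch-all `except Exception` at the bottom of `_bluecoat_site_review_lookup_function`, with no log line naming the request. Because that body is remote-controlled XML, I would also pin entity handling explicitly rather than rely on whichever xmltodict is installed: `if not result: return None` followed by `xmltodict.parse(result, disable_entities=True)`. `HEADERS` advertises `Content-Type: application/json` while `payload` is passed to `execute_call` as a plain dict, which resilient_lib presumably sends form-encoded, so one of the two looks wrong and is worth confirming against the library. `self.options['url']` raises a bare `KeyError` when app.config lacks the section, which the same broad `except` swallows; `self.options.get("url")` with an explicit `FunctionError("url not configured")` would make that failure legible. Finally, every DNS/URL artifact value is both posted to a third-party service and written to the log at INFO level by `log.info("artifact_value: %s", artifact_value)`, which deployments handling sensitive indicators will want documented in the README.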
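--- a/fn_bluecoat_site_review/fn_bluecoat_site_review/util/__init__.py
+++ b/fn_bluecoat_site_review/fn_bluecoat_site_review/util/__init__.py
@@ -0,0 +1 @@
+#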
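--- a/fn_bluecoat_site_review/fn_bluecoat_site_review/util/config.py
+++ b/fn_bluecoat_site_review/fn_bluecoat_site_review/util/config.py
@@ -0,0 +1,17 @@
+# -*- coding: utf-8 -*-
+# (c) Copyright IBM Corporation 2010, 2019. All Rights Reserved.
+
+"""Generate a default configuration-file section for fn_bluecoat_site_review"""
+
+from __future__ import print_function
+
+
+def config_section_data():
+    """Produce the default configuration section for app.config,
+       when called by `resilient-circuits config [-c|-u]`
+    """
+    config_data = u"""[fn_bluecoat_site_review]
+url=https://sitereview.bluecoat.com/resource/lookup
+"""
+    return config_data
+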
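Review bot: The generated `[fn_bluecoat_site_review]` section is the only place the `url` key is documented, and the component reads it with `self.options['url']`, so an operator who deletes or renames the key gets a bare `KeyError` rather than a message; a comment line in the template, `# Required. Artifact values are POSTed to this endpoint, i.e. they leave your network.`, states both the obligation and the disclosure. The endpoint appears to be the Site Review web front-end's resource path rather than a documented API, so a second line noting that it may change without notice would save the next maintainer a debugging session.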