Inicio Explorar Ayuda
Iniciar sesión
tum
/
soc
Seguir 1
Destacar 0
Fork 0
Código Incidencias 0 Pull Requests 0 Commits 35 Releases 0 Wiki

Sin descripción

Rama: main
Ramas Etiquetas
soc
/
iris-web
/
source
/
app
/
business
/
iocs.py

iocs.py 6.3KB
Permalink Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171 
  1. #  IRIS Source Code
    2. 

  2. #  Copyright (C) 2024 - DFIR-IRIS
    3. 

  3. #  contact@dfir-iris.org
    4. 

  4. #
    5. 

  5. #  This program is free software; you can redistribute it and/or
    6. 

  6. #  modify it under the terms of the GNU Lesser General Public
    7. 

  7. #  License as published by the Free Software Foundation; either
    8. 

  8. #  version 3 of the License, or (at your option) any later version.
    9. 

  9. #
    10. 

  10. #  This program is distributed in the hope that it will be useful,
    11. 

  11. #  but WITHOUT ANY WARRANTY; without even the implied warranty of
    12. 

  12. #  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    13. 

  13. #  Lesser General Public License for more details.
    14. 

  14. #
    15. 

  15. #  You should have received a copy of the GNU Lesser General Public License
    16. 

  16. #  along with this program; if not, write to the Free Software Foundation,
    17. 

  17. #  Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
    18. 

  18. 

  19. from flask_login import current_user
    20. 

  20. from marshmallow.exceptions import ValidationError
    21. 

  21. 

  22. from app import db
    23. 

  23. from app.models.models import Ioc
    24. 

  24. from app.datamgmt.case.case_iocs_db import add_ioc
    25. 

  25. from app.datamgmt.case.case_iocs_db import case_iocs_db_exists
    26. 

  26. from app.datamgmt.case.case_iocs_db import check_ioc_type_id
    27. 

  27. from app.datamgmt.case.case_iocs_db import get_iocs
    28. 

  28. from app.datamgmt.case.case_iocs_db import delete_ioc
    29. 

  29. from app.datamgmt.states import update_ioc_state
    30. 

  30. from app.schema.marshables import IocSchema
    31. 

  31. from app.iris_engine.module_handler.module_handler import call_modules_hook
    32. 

  32. from app.iris_engine.utils.tracker import track_activity
    33. 

  33. from app.business.errors import BusinessProcessingError
    34. 

  34. from app.business.errors import ObjectNotFoundError
    35. 

  35. from app.datamgmt.case.case_iocs_db import get_ioc
    36. 

  36. 

  37. 

  38. def _load(request_data):
    39. 

  39.     try:
    40. 

  40.         add_ioc_schema = IocSchema()
    41. 

  41.         return add_ioc_schema.load(request_data)
    42. 

  42.     except ValidationError as e:
    43. 

  43.         raise BusinessProcessingError('Data error', e.messages)
    44. 

  44. 

  45. 

  46. def iocs_get(ioc_identifier) -> Ioc:
    47. 

  47.     ioc = get_ioc(ioc_identifier)
    48. 

  48.     if not ioc:
    49. 

  49.         raise ObjectNotFoundError()
    50. 

  50.     return ioc
    51. 

  51. 

  52. 

  53. def iocs_create(request_json, case_identifier):
    54. 

  54. 

  55.     # TODO ideally schema validation should be done before, outside the business logic in the REST API
    56. 

  56.     #      for that the hook should be called after schema validation
    57. 

  57.     request_data = call_modules_hook('on_preload_ioc_create', data=request_json, caseid=case_identifier)
    58. 

  58.     ioc = _load({**request_data, 'case_id': case_identifier})
    59. 

  59. 

  60.     if not ioc:
    61. 

  61.         raise BusinessProcessingError('Unable to create IOC for internal reasons')
    62. 

  62. 

  63.     if not check_ioc_type_id(type_id=ioc.ioc_type_id):
    64. 

  64.         raise BusinessProcessingError('Not a valid IOC type')
    65. 

  65. 

  66.     if case_iocs_db_exists(ioc):
    67. 

  67.         raise BusinessProcessingError('IOC with same value and type already exists')
    68. 

  68. 

  69.     add_ioc(ioc, current_user.id, case_identifier)
    70. 

  70. 

  71.     ioc = call_modules_hook('on_postload_ioc_create', data=ioc, caseid=case_identifier)
    72. 

  72. 

  73.     if ioc:
    74. 

  74.         track_activity(f'added ioc "{ioc.ioc_value}"', caseid=case_identifier)
    75. 

  75. 

  76.         msg = 'IOC added'
    77. 

  77.         return ioc, msg
    78. 

  78. 

  79.     raise BusinessProcessingError('Unable to create IOC for internal reasons')
    80. 

  80. 

  81. 

  82. def iocs_update(ioc: Ioc, request_json: dict) -> (Ioc, str):
    83. 

  83.     """
    84. 

  84.     Identifier: the IOC identifier
    85. 

  85.     Request JSON: the Request
    86. 

  86.     """
    87. 

  87.     try:
    88. 

  88.         # TODO ideally schema validation should be done before, outside the business logic in the REST API
    89. 

  89.         #      for that the hook should be called after schema validation
    90. 

  90.         request_data = call_modules_hook('on_preload_ioc_update', data=request_json, caseid=ioc.case_id)
    91. 

  91. 

  92.         # validate before saving
    93. 

  93.         ioc_schema = IocSchema()
    94. 

  94.         request_data['ioc_id'] = ioc.ioc_id
    95. 

  95.         request_data['case_id'] = ioc.case_id
    96. 

  96.         ioc_sc = ioc_schema.load(request_data, instance=ioc, partial=True)
    97. 

  97.         ioc_sc.user_id = current_user.id
    98. 

  98. 

  99.         if not check_ioc_type_id(type_id=ioc_sc.ioc_type_id):
    100. 

  100.             raise BusinessProcessingError('Not a valid IOC type')
    101. 

  101. 

  102.         update_ioc_state(ioc.case_id)
    103. 

  103.         db.session.commit()
    104. 

  104. 

  105.         ioc_sc = call_modules_hook('on_postload_ioc_update', data=ioc_sc, caseid=ioc.case_id)
    106. 

  106. 

  107.         if ioc_sc:
    108. 

  108.             track_activity(f'updated ioc "{ioc_sc.ioc_value}"', caseid=ioc.case_id)
    109. 

  109.             return ioc, f'Updated ioc "{ioc_sc.ioc_value}"'
    110. 

  110. 

  111.         raise BusinessProcessingError('Unable to update ioc for internal reasons')
    112. 

  112. 

  113.     # TODO most probably the scope of this try catch could be reduced, this exception is probably raised only on load
    114. 

  114.     except ValidationError as e:
    115. 

  115.         raise BusinessProcessingError('Data error', e.messages)
    116. 

  116. 

  117.     except Exception as e:
    118. 

  118.         raise BusinessProcessingError('Unexpected error server-side', e)
    119. 

  119. 

  120. 

  121. def iocs_delete(ioc: Ioc):
    122. 

  122.     call_modules_hook('on_preload_ioc_delete', data=ioc.ioc_id)
    123. 

  123. 

  124.     delete_ioc(ioc)
    125. 

  125. 

  126.     call_modules_hook('on_postload_ioc_delete', data=ioc.ioc_id, caseid=ioc.case_id)
    127. 

  127. 

  128.     track_activity(f'deleted IOC "{ioc.ioc_value}"', caseid=ioc.case_id)
    129. 

  129.     return f'IOC {ioc.ioc_id} deleted'
    130. 

  130. 

  131. 

  132. def iocs_exports_to_json(case_id):
    133. 

  133.     iocs = get_iocs(case_id)
    134. 

  134. 

  135.     return IocSchema().dump(iocs, many=True)
    136. 

  136. 

  137. 

  138. def iocs_build_filter_query(ioc_id: int = None,
    139. 

  139.                             ioc_uuid: str = None,
    140. 

  140.                             ioc_value: str = None,
    141. 

  141.                             ioc_type_id: int = None,
    142. 

  142.                             ioc_description: str = None,
    143. 

  143.                             ioc_tlp_id: int = None,
    144. 

  144.                             ioc_tags: str = None,
    145. 

  145.                             ioc_misp: str = None,
    146. 

  146.                             user_id: float = None):
    147. 

  147.     """
    148. 

  148.     Get a list of iocs from the database, filtered by the given parameters
    149. 

  149.     """
    150. 

  150.     conditions = []
    151. 

  151.     if ioc_id is not None:
    152. 

  152.         conditions.append(Ioc.ioc_id == ioc_id)
    153. 

  153.     if ioc_uuid is not None:
    154. 

  154.         conditions.append(Ioc.ioc_uuid == ioc_uuid)
    155. 

  155.     if ioc_value is not None:
    156. 

  156.         conditions.append(Ioc.ioc_value == ioc_value)
    157. 

  157.     if ioc_type_id is not None:
    158. 

  158.         conditions.append(Ioc.ioc_type_id == ioc_type_id)
    159. 

  159.     if ioc_description is not None:
    160. 

  160.         conditions.append(Ioc.ioc_description == ioc_description)
    161. 

  161.     if ioc_tlp_id is not None:
    162. 

  162.         conditions.append(Ioc.ioc_tlp_id == ioc_tlp_id)
    163. 

  163.     if ioc_tags is not None:
    164. 

  164.         conditions.append(Ioc.ioc_tags == ioc_tags)
    165. 

  165.     if ioc_misp is not None:
    166. 

  166.         conditions.append(Ioc.ioc_misp == ioc_misp)
    167. 

  167.     if user_id is not None:
    168. 

  168.         conditions.append(Ioc.user_id == user_id)
    169. 

  169. 

  170.     return Ioc.query.filter(*conditions)
    171. 

  171.