Merge branch 'master' of git-server:ace

unixfreak0037 · Oct 15, 2019 · 9d8e9da · 9d8e9da
2 parents f276f69 + 4b77e4f
commit 9d8e9da
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 14 deletions.
diff --git a/app/analysis/views.py b/app/analysis/views.py
@@ -31,6 +31,7 @@
 from operator import attrgetter
 from subprocess import Popen, PIPE, DEVNULL
 from urllib.parse import urlparse
+from sandboxapi.falcon import FalconAPI
 
 import businesstime
 import pandas as pd
@@ -42,7 +43,6 @@
 import saq.intel
 import saq.remediation
 import virustotal
-import vxstreamlib
 import splunklib
 
 from saq import SAQ_HOME
@@ -429,17 +429,27 @@ def download_file():
         return redirect(url_for('analysis.index'))
 
     if request.method == "POST" and mode == "vxstream":
-        baseuri = saq.CONFIG.get("vxstream", "baseuri")
+        baseuri = saq.CONFIG.get("vxstream", "baseuri_v2")
         gui_baseuri = saq.CONFIG.get('vxstream', 'gui_baseuri')
         if baseuri[-1] == "/":
             baseuri = baseuri[:-1]
         environmentid = saq.CONFIG.get("vxstream", "environmentid")
         apikey = saq.CONFIG.get("vxstream", "apikey")
         secret = saq.CONFIG.get("vxstream", "secret")
-        server = vxstreamlib.VxStreamServer(baseuri, apikey, secret)
-        submission = server.submit(full_path, environmentid)
-
-        url = gui_baseuri + "/sample/" + submission.sha256 + "?environmentId=" + environmentid
+        proxies = saq.PROXIES if saq.CONFIG.getboolean('vxstream', 'use_proxy') else {}
+        logging.debug("Uploading file to falcon sandbox")
+        falcon = FalconAPI(apikey, url=baseuri, proxies=proxies, env=environmentid)
+        job_id = None
+        with open(full_path, 'rb') as fp:
+            job_id = falcon.analyze(fp, file_observable.value)
+        if job_id is None:
+            logging.error("submission of {} failed".format(full_path))
+            return False
+        if file_observable.sha256_hash is None:
+            if not file_observable.compute_hashes():
+                return "unable to compute file hash of {}".format(file_observable.value), 404
+        url = gui_baseuri + "/sample/" + file_observable.sha256_hash + "?environmentId=" + environmentid
+        logging.debug("Got vxstream url: {}".format(url))
         return url
 
     if request.method == "POST" and mode == "virustotal":

diff --git a/etc/saq.default.ini b/etc/saq.default.ini
@@ -896,6 +896,8 @@ apikey = OVERRIDE
 secret = OVERRIDE
 ; the baseuri to use from the GUI
 gui_baseuri = OVERRIDE
+; use proxies
+use_proxy = OVERRIDE
 
 [carbon_black]
 ; carbon black server API location and authentication

diff --git a/lib/saq/database/__init__.py b/lib/saq/database/__init__.py
@@ -1584,7 +1584,11 @@ def set_dispositions(alert_uuids, disposition, user_id, user_comment=None):
         email_subject = email_subject.replace('[POTENTIAL_PHISH]_', '').replace('[POTENTIAL PHISH] ', '')
 
         try:
-            submit_response(email_from, email_subject, disposition, user_comment)
+            # Has this alert already been dispositioned? Try not to spam users when an event is updated. 
+            if alert.disposition == disposition:
+                logging.warning(f"Not sending phishme response to {email_from} for subject:'{email_subject}' because the disposition was not updated.")
+            else:
+                submit_response(email_from, email_subject, disposition, user_comment)
         except Exception as e:
             logging.error(f"unable to submit response to phishme report to {email_from}: {e}")
             report_exception()

diff --git a/lib/saq/modules/vx.py b/lib/saq/modules/vx.py
@@ -805,7 +805,7 @@ def targets(self):
                 logging.debug("{} missing key: {}".format(self, e))
 
         except Exception as e:
-            logging.error("unable to parse vxstream json at {}: {}".format(self.json_path, e))
+            logging.error("unable to parse Falcon json at {}: {}".format(self.json_path, e))
             #report_exception()
 
 
@@ -1125,7 +1125,7 @@ def execute_vxstream_analysis(self, target, analysis):
             return True
 
         if analysis.status != VXSTREAM_STATUS_SUCCESS:
-            logging.error("unknown vxstream status {} for sample {}".format(analysis.status, target))
+            logging.error("unknown falcon status {} for sample {}".format(analysis.status, target))
             return False
 
         # the analysis is assumed to be complete here
@@ -1188,7 +1188,7 @@ def execute_vxstream_analysis(self, target, analysis):
                     if ((analysis.vxstream_threat_score and int(analysis.vxstream_threat_score) >= self.threat_score_threshold)
                         and (analysis.vxstream_threat_level and int(analysis.vxstream_threat_level) >= self.threat_level_threshold)):
                         target.add_tag('malicious')
-                        analysis.add_detection_point("sample has vxstream threat score of {} and threat level of {}".format(
+                        analysis.add_detection_point("sample has falcon threat score of {} and threat level of {}".format(
                                                      analysis.vxstream_threat_score, analysis.vxstream_threat_level))
 
                     for host in results['hosts']:
@@ -1204,7 +1204,7 @@ def execute_vxstream_analysis(self, target, analysis):
                         if ((analysis.vxstream_threat_score and int(analysis.vxstream_threat_score) >= self.threat_score_threshold)
                             and (analysis.vxstream_threat_level and int(analysis.vxstream_threat_level) >= self.threat_level_threshold)):
                             target.add_tag('malicious')
-                            analysis.add_detection_point("sample has vxstream threat score of {} and threat level of {}".format(
+                            analysis.add_detection_point("sample has falcon threat score of {} and threat level of {}".format(
                                                          analysis.vxstream_threat_score, analysis.vxstream_threat_level))
 
                     # NOTE for these results if there is only one result then vxstream uses a single dict
@@ -1230,7 +1230,7 @@ def execute_vxstream_analysis(self, target, analysis):
                             analysis.add_observable(F_URL, http_request['request_url'])
 
         except KeyError as e:
-            logging.warning("vxstream report for {} missing or incomplete: {}".format(analysis.sha256, e))
+            logging.warning("falcon report for {} missing or incomplete: {}".format(analysis.sha256, e))
         except Exception as e:
             logging.error("unable to load json from {}: {}".format(analysis.json_path, e))
 
@@ -1327,7 +1327,8 @@ def execute_analysis(self, target):
             target = target.redirection
 
         analysis = target.get_analysis(FalconFileAnalysis)
-        if analysis is None:
+        # XXX I'm not sure why get_analysis returns False instead of None if the observable has already been analyze
+        if analysis is None or analysis is False:
             # let vxstream analyze the hash of the file before we decide to submit it
             hash_analysis = self.wait_for_analysis(target, FileHashAnalysis)
 
@@ -1384,7 +1385,7 @@ def execute_analysis(self, target):
             analysis.submit_date = datetime.datetime.now()
 
         else:
-            logging.debug("FalconFileAnalysis exists with status {} for target: {}".format(analysis.status, target))
+            logging.info("FalconFileAnalysis exists with status {} for target: {}".format(analysis.status, target))
 
         # at this point we have analysis for a file that has been submitted
         return self.execute_vxstream_analysis(target, analysis)