diff --git a/plugins/ec2_investigations/.CHECKSUM b/plugins/ec2_investigations/.CHECKSUM
deleted file mode 100644
index 0d1bd146df..0000000000
--- a/plugins/ec2_investigations/.CHECKSUM
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- "spec": "2c4d3fec754a9c53c1b85054c85f2767",
- "manifest": "230229b90f7401d13d7faaba0a507bbc",
- "setup": "79504282d430015036d1963931f13d3d",
- "schemas": [
- {
- "identifier": "clam_av/schema.py",
- "hash": "9a04b3865c53c7dd4d8fe5bbbae0b742"
- },
- {
- "identifier": "mount_drive/schema.py",
- "hash": "2f37cf1ea462746d062b625c63424f49"
- },
- {
- "identifier": "connection/schema.py",
- "hash": "534cb1c67de5e3a04bd8410d054203ca"
- }
- ]
-}
\ No newline at end of file
diff --git a/plugins/ec2_investigations/.dockerignore b/plugins/ec2_investigations/.dockerignore
deleted file mode 100644
index 93dc53fb01..0000000000
--- a/plugins/ec2_investigations/.dockerignore
+++ /dev/null
@@ -1,9 +0,0 @@
-unit_test/**/*
-unit_test
-examples/**/*
-examples
-tests
-tests/**/*
-**/*.json
-**/*.tar
-**/*.gz
\ No newline at end of file
diff --git a/plugins/ec2_investigations/Dockerfile b/plugins/ec2_investigations/Dockerfile
deleted file mode 100644
index 519a7406c2..0000000000
--- a/plugins/ec2_investigations/Dockerfile
+++ /dev/null
@@ -1,33 +0,0 @@
-FROM komand/python-pypy3-plugin:2
-# The three supported python parent images are:
-# - komand/python-2-plugin
-# - komand/python-3-plugin
-# - komand/python-pypy3-plugin
-#
-# Update the tag to a full semver version
-
-# Add any custom package dependencies here
-# NOTE: Add pip packages to requirements.txt
-
-RUN pip install paramiko
-RUN pip install boto
-ADD ./plugin.spec.yaml /plugin.spec.yaml
-ADD . /python/src
-ADD ./komand_ec2_investigations/actions/known_hosts /root/.ssh/known_hosts
-ADD ./komand_ec2_investigations/actions/mount.sh ./mount.sh
-ADD ./komand_ec2_investigations/actions/clam_av_run.py ./clam_av_run.py
-
-# End package dependencies
-
-# Add source code
-WORKDIR /python/src
-ADD ./plugin.spec.yaml /plugin.spec.yaml
-ADD . /python/src
-
-# Install pip dependencies
-RUN if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
-
-# Install plugin
-RUN python setup.py build && python setup.py install
-
-ENTRYPOINT ["/usr/local/bin/komand_ec2_investigations"]
diff --git a/plugins/ec2_investigations/Makefile b/plugins/ec2_investigations/Makefile
deleted file mode 100644
index cb85f96b6c..0000000000
--- a/plugins/ec2_investigations/Makefile
+++ /dev/null
@@ -1,53 +0,0 @@ -# Include other Makefiles for improved functionality -INCLUDE_DIR = ../../tools/Makefiles -MAKEFILES := $(wildcard $(INCLUDE_DIR)/*.mk) -# We can't guarantee customers will have the include files -# - prefix to ignore Makefiles when not present -# https://www.gnu.org/software/make/manual/html_node/Include.html --include $(MAKEFILES) - -ifneq ($(MAKEFILES),) - $(info [$(YELLOW)*$(NORMAL)] Use ``make menu`` for available targets) - $(info [$(YELLOW)*$(NORMAL)] Including available Makefiles: $(MAKEFILES)) - $(info --) -else - $(warning Makefile includes directory not present: $(INCLUDE_DIR)) -endif - -VERSION?=$(shell grep '^version: ' plugin.spec.yaml | sed 's/version: //') -NAME?=$(shell grep '^name: ' plugin.spec.yaml | sed 's/name: //') -VENDOR?=$(shell grep '^vendor: ' plugin.spec.yaml | sed 's/vendor: //') -CWD?=$(shell basename $(PWD)) -_NAME?=$(shell echo $(NAME) | awk '{ print toupper(substr($$0,1,1)) tolower(substr($$0,2)) }') -PKG=$(VENDOR)-$(NAME)-$(VERSION).tar.gz - -# Set default target explicitly. Make's default behavior is the first target in the Makefile. -# We don't want that behavior due to includes which are read first -.DEFAULT_GOAL := default # Make >= v3.80 (make -version) - - -default: image tarball - -tarball: - $(info [$(YELLOW)*$(NORMAL)] Creating plugin tarball) - rm -rf build - rm -rf $(PKG) - tar -cvzf $(PKG) --exclude=$(PKG) --exclude=tests --exclude=run.sh * - -image: - $(info [$(YELLOW)*$(NORMAL)] Building plugin image) - docker build --pull -t $(VENDOR)/$(NAME):$(VERSION) . 
- docker tag $(VENDOR)/$(NAME):$(VERSION) $(VENDOR)/$(NAME):latest - -regenerate: - $(info [$(YELLOW)*$(NORMAL)] Regenerating schema from plugin.spec.yaml) - icon-plugin generate python --regenerate - -export: image - $(info [$(YELLOW)*$(NORMAL)] Exporting docker image) - @printf "\n ---> Exporting Docker image to ./$(VENDOR)_$(NAME)_$(VERSION).tar\n" - @docker save $(VENDOR)/$(NAME):$(VERSION) | gzip > $(VENDOR)_$(NAME)_$(VERSION).tar - -# Make will not run a target if a file of the same name exists unless setting phony targets -# https://www.gnu.org/software/make/manual/html_node/Phony-Targets.html -.PHONY: default tarball image regenerate diff --git a/plugins/ec2_investigations/bin/komand_ec2_investigations b/plugins/ec2_investigations/bin/komand_ec2_investigations deleted file mode 100755 index 2e2be4fa7e..0000000000 --- a/plugins/ec2_investigations/bin/komand_ec2_investigations +++ /dev/null @@ -1,34 +0,0 @@ -#!/usr/bin/env python -# GENERATED BY KOMAND SDK - DO NOT EDIT -import komand -from komand_ec2_investigations import connection, actions, triggers - - -Name = 'EC2 Investigations' -Vendor = 'rapid7' -Version = '1.0.1' -Description = 'EC2 Investigations runs security tools on the AWS EC2 platform. Using the EC2 Investigations plugin for Rapid7 InsightConnect will allow users to mount drives and scan directories with ClamAV' - - -class ICONEc2Investigations(komand.Plugin): - def __init__(self): - super(self.__class__, self).__init__( - name=Name, - vendor=Vendor, - version=Version, - description=Description, - connection=connection.Connection() - ) - self.add_action(actions.ClamAv()) - - self.add_action(actions.MountDrive()) - - -def main(): - """Run plugin""" - cli = komand.CLI(ICONEc2Investigations()) - cli.run() - - -if __name__ == "__main__": - main() 
diff --git a/plugins/ec2_investigations/extension.png b/plugins/ec2_investigations/extension.png
deleted file mode 100644
index ffb1c63e89..0000000000
Binary files a/plugins/ec2_investigations/extension.png and /dev/null differ
diff --git a/plugins/ec2_investigations/help.md b/plugins/ec2_investigations/help.md
deleted file mode 100644
index fa7d421a2f..0000000000
--- a/plugins/ec2_investigations/help.md
+++ /dev/null
@@ -1,107 +0,0 @@ -# Description - -The EC2 Investigation plugin runs security tools on AWS instances. -In many cases, actions require the security tool to be installed on the EC2 host. - -Using the EC2 Investigations plugin for Rapid7 InsightConnect will allow users to mount drives and scan -directories with ClamAV. - -# Key Features - -* Mount drives -* Scan directories with ClamAV - -# Requirements - -* Access key -* Secret key - -# Documentation - -## Setup - -The connection configuration accepts the following parameters: - -|Name|Type|Default|Required|Description|Enum| -|----|----|-------|--------|-----------|----| -|access_key|credential_secret_key|None|True|Access Key ID|None| -|secret_key|credential_secret_key|None|True|Secret access key|None| - -## Technical Details - -### Actions - -#### Mount Drive - -This action is used to mount a drive for analysis - -#### Input - -|Name|Type|Default|Required|Description|Enum| -|----|----|-------|--------|-----------|----| -|directory|string|None|True|Directory|None| -|device|string|None|True|Device|None| -|filesystem_type|string|None|True|Filesystem Type|None| - -#### Output - -|Name|Type|Required|Description| -|----|----|--------|-----------| -|instance_id|string|None|True|Instance ID|None| -|region|string|None|True|Region|None| -|private_key|string|None|True|Private Key|None| -|user|string|None|True|User Name|None| -|directory|string|False|Directory| -|status|string|False|Status| - -#### Clam AV - -This action is used to scan a directory with ClamAV. This action requires the host to have clamav installed. 
- -##### Input - -|Name|Type|Default|Required|Description|Enum| -|----|----|-------|--------|-----------|----| -|instance_id|string|None|True|Instance ID|None| -|region|string|None|True|Region|None| -|private_key|string|None|True|Private Key|None| -|user|string|None|True|User Name|None| -|directory|string|None|True|Directory|None| - -##### Output - -|Name|Type|Required|Description| -|----|----|--------|-----------| -|file_name|string|False|File Name| -|file_location|string|False|File Location| -|hash_value|string|False|Hash Value| -|owner|string|False|Owner| -|time_created|string|False|Time Created| - -### Triggers - -This plugin does not contain any triggers. - -### Custom Output Types - -_This plugin does not contain any custom output types._ - -## Troubleshooting - -In many cases, actions require the security tool to be installed on the EC2 host. -For example, the ClamAV action requires ClamAV to be installed on the destination EC2 host. - -# Version History - -* 1.0.1 - New spec and help.md format for the Extension Library -* 1.0.0 - Update to v2 Python plugin architecture | Support web server mode | Update to new credential types -* 0.1.1 - SSL bug fix in SDK -* 0.1.0 - Initial plugin - -# Links - -## References - -[Boto](http://boto.cloudhackers.com/en/latest/ref/manage.html) -[ClamAV](https://www.clamav.net/) - diff --git a/plugins/ec2_investigations/icon.png b/plugins/ec2_investigations/icon.png deleted file mode 100644 index 5ee7e2812a..0000000000 Binary files a/plugins/ec2_investigations/icon.png and /dev/null differ diff --git a/plugins/ec2_investigations/komand_ec2_investigations/__init__.py b/plugins/ec2_investigations/komand_ec2_investigations/__init__.py deleted file mode 100755 index bace8db897..0000000000 --- a/plugins/ec2_investigations/komand_ec2_investigations/__init__.py +++ /dev/null @@ -1 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT 
diff --git a/plugins/ec2_investigations/komand_ec2_investigations/actions/__init__.py b/plugins/ec2_investigations/komand_ec2_investigations/actions/__init__.py
deleted file mode 100755
index 339c3ddc10..0000000000
--- a/plugins/ec2_investigations/komand_ec2_investigations/actions/__init__.py
+++ /dev/null
@@ -1,3 +0,0 @@
-# GENERATED BY KOMAND SDK - DO NOT EDIT
-from .clam_av.action import ClamAv
-from .mount_drive.action import MountDrive
diff --git a/plugins/ec2_investigations/komand_ec2_investigations/actions/clam_av/__init__.py b/plugins/ec2_investigations/komand_ec2_investigations/actions/clam_av/__init__.py
deleted file mode 100755
index 54f3ae1ab9..0000000000
--- a/plugins/ec2_investigations/komand_ec2_investigations/actions/clam_av/__init__.py
+++ /dev/null
@@ -1,2 +0,0 @@
-# GENERATED BY KOMAND SDK - DO NOT EDIT
-from .action import ClamAv
diff --git a/plugins/ec2_investigations/komand_ec2_investigations/actions/clam_av/action.py b/plugins/ec2_investigations/komand_ec2_investigations/actions/clam_av/action.py
deleted file mode 100755
index 252bfad97b..0000000000
--- a/plugins/ec2_investigations/komand_ec2_investigations/actions/clam_av/action.py
+++ /dev/null
@@ -1,70 +0,0 @@
-import komand
-from .schema import ClamAvInput, ClamAvOutput
-
-# Custom imports below
-import json
-from boto.manage.cmdshell import sshclient_from_instance
-
-
-class ClamAv(komand.Action):
- def __init__(self):
- super(self.__class__, self).__init__(
- name="clam_av",
- description="Scan directory with ClamAV",
- input=ClamAvInput(),
- output=ClamAvOutput(),
- )
-
- def run(self, params={}):
- """TODO: Run action"""
- directory = params.get("directory")
- instance_id = params.get("instance_id")
- private_key = params.get("private_key")
- user = params.get("user")
- region = params.get("region")
- empty_json_output = {}
-
- # Create private key file
- f = open("./pk.pem", "w")
- f.write(private_key)
- f.close()
-
- # Create command from user input
- command = "python clam_av_run.py " + directory
-
- try:
- # Connect to AWS instance
- reservations = self.connection.aws.get_all_instances(
- filters={"instance_id": instance_id}
- )
- instance = reservations[0].instances[0]
- ssh_client = sshclient_from_instance(instance, "./pk.pem", user_name=user)
-
- # Copy the mount.sh script to the instance and make it executable
- ssh_client.put_file(
- "./komand_ec2_investigations/actions/clam_av_run.py", "./clam_av_run.py"
- )
- # Execute the command and return the standard output
- status, stdout, stderr = ssh_client.run(command)
- # Remove script after running
- ssh_client.run("rm ./clam_av_run.py")
-
- if stdout.decode("utf-8").rstrip() == "0":
- results = empty_json_output
- self.logger.error("Clam scan is not installed on host and is required to run")
- elif stderr.decode("utf-8") != "":
- results = empty_json_output
- self.logger.error(stderr.decode("utf-8").rstrip())
- else:
- results = json.loads(stdout.decode("utf-8").rstrip())
-
- except Exception:
- self.logger.error("Something went wrong, command probably failed to run")
- raise
-
- self.logger.info(results)
- return results
-
- def test(self):
- """TODO: Test action"""
- return {}
diff --git a/plugins/ec2_investigations/komand_ec2_investigations/actions/clam_av/schema.py b/plugins/ec2_investigations/komand_ec2_investigations/actions/clam_av/schema.py
deleted file mode 100755
index d053086fcc..0000000000
--- a/plugins/ec2_investigations/komand_ec2_investigations/actions/clam_av/schema.py
+++ /dev/null
@@ -1,121 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT -import komand -import json - - -class Component: - DESCRIPTION = "Scan directory with ClamAV" - - -class Input: - DIRECTORY = "directory" - INSTANCE_ID = "instance_id" - PRIVATE_KEY = "private_key" - REGION = "region" - USER = "user" - - -class Output: - MALWARE = "malware" - - -class ClamAvInput(komand.Input): - schema = json.loads(""" - { - "type": "object", - "title": "Variables", - "properties": { - "directory": { - "type": "string", - "title": "Directory", - "description": "Directory to scan", - "order": 5 - }, - "instance_id": { - "type": "string", - "title": "Instance Id", - "description": "Instance ID", - "order": 1 - }, - "private_key": { - "type": "string", - "title": "Private Key", - "description": "Private key", - "order": 3 - }, - "region": { - "type": "string", - "title": "Region", - "description": "Region", - "order": 2 - }, - "user": { - "type": "string", - "title": "User", - "description": "User name", - "order": 4 - } - }, - "required": [ - "directory", - "instance_id", - "private_key", - "region", - "user" - ] -} - """) - - def __init__(self): - super(self.__class__, self).__init__(self.schema) - - -class ClamAvOutput(komand.Output): - schema = json.loads(""" - { - "type": "object", - "title": "Variables", - "properties": { - "malware": { - "type": "array", - "title": "Malware", - "description": "Malware", - "items": { - "$ref": "#/definitions/malicious_files" - }, - "order": 1 - } - }, - "definitions": { - "malicious_files": { - "type": "object", - "title": "malicious_files", - "properties": { - "created_time": { - "type": "string", - "title": "Created Time", - "order": 4 - }, - "file": { - "type": "string", - "title": "File", - "order": 1 - }, - "hash_value": { - "type": "string", - "title": "Hash Value", - "order": 3 - }, - "owner": { - "type": "string", - "title": "Owner", - "order": 2 - } - } - } - } -} - """) - - def __init__(self): - super(self.__class__, 
self).__init__(self.schema) diff --git a/plugins/ec2_investigations/komand_ec2_investigations/actions/clam_av_run.py b/plugins/ec2_investigations/komand_ec2_investigations/actions/clam_av_run.py deleted file mode 100644 index a6f31758eb..0000000000 --- a/plugins/ec2_investigations/komand_ec2_investigations/actions/clam_av_run.py +++ /dev/null @@ -1,61 +0,0 @@ -#!/usr/bin/env python - -import os -import subprocess # noqa: B404 -from datetime import datetime -import json -import hashlib -import sys -from os import stat -from pwd import getpwuid - -file_paths = [] -json_output = {"malicious_files": []} -sha1 = hashlib.sha1() # noqa: B303 - -# Get output from scan result. -def open_file(s): - with open(s, "r") as f: - f.next() - f.next() - f.next() - for line in f: - if "FOUND" in line: - x = line.split(":") - file_paths.append(x[0]) - if len(file_paths) == 0: - return - for p in file_paths: - filename = p - get_time = os.path.getctime(p) - format_time = datetime.fromtimestamp(get_time).strftime("%Y-%m-%d %H:%M:%S") - hashvalue = hashlib.sha1(filename).hexdigest() # noqa: B303 - owner_name = getpwuid(stat(filename).st_uid).pw_name - json_output["malicious_files"].append( - {"file": p, "owner": owner_name, "hash_value": hashvalue, "time_created": format_time} - ) - - print(json.dumps(json_output)) - - -# Scan the directory -def get_scan(): - if (len(sys.argv)) != 2: - print("Usage: python clam_av.py ") - else: - _now = datetime.now().strftime("%Y_%m_%d_%H_%M_%S") - _file = "Result" + _now + ".txt" - s = sys.argv[1] - d = "/tmp" # noqa: B108 - try: - subprocess.check_call(["clamscan", "--quiet", "-r", s, "-l", d + "/" + _file]) # noqa: B603,B607 - except OSError as e: - # Error 0 - Clamscan is not installed on host - print("0") - return - except: # noqa: B110 - pass - open_file(d + "/" + _file) - - -get_scan() 
diff --git a/plugins/ec2_investigations/komand_ec2_investigations/actions/known_hosts b/plugins/ec2_investigations/komand_ec2_investigations/actions/known_hosts deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/plugins/ec2_investigations/komand_ec2_investigations/actions/mount.sh b/plugins/ec2_investigations/komand_ec2_investigations/actions/mount.sh deleted file mode 100755 index b0e1f155ac..0000000000 --- a/plugins/ec2_investigations/komand_ec2_investigations/actions/mount.sh +++ /dev/null @@ -1,50 +0,0 @@ -#!/bin/bash - -# Make is executable first: chmod +x ./mount.sh -# To run the script: ./mount.sh suspect_mount2 /dev/xvdf1 - -# Test if the first input (the directory you want the volume mount to) is valid -if [ -d $1 ] -then - # Error 1 - Unable to mount. Directory already exisits. - echo "1" - exit 1 -else - errorline=$(mkdir $1 2>&1) - length=${#errorline} - if [ $length != 0 ] - then - # Error 2 - Invalid directory - echo "2" - exit 1 - fi -fi - -# Test if the second input (the directory of the volume) is vaild -if [ ! -b $2 ] -then - # Error 0 - Unable to mount. Device does not exist. - echo "0" - # Remove the directory we created in the first part so that the directory - # can be reused if the second part return error. - rm -r $1 - exit 1 -fi - -# Test if the volume is successfully mounted -errorFormat=$(mount -o ro $2 $1 2>&1) -length1=${#errorFormat} -if [ $length1 != 0 ] -then - errorMsg3="{\"directory\":\"$2\",\"status\":\"$errorFormat\"}" - echo $errorMsg3 - # Remove the directory we created in the first part so that the directory - # can be reused if the third part return error. - rm -r $1 - exit 1 -else - # Successfully mounted - successMsg="{\"directory\":\"$1\",\"status\":\"Successfully mounted\"}" - echo $successMsg -fi - 
diff --git a/plugins/ec2_investigations/komand_ec2_investigations/actions/mount_drive/__init__.py b/plugins/ec2_investigations/komand_ec2_investigations/actions/mount_drive/__init__.py
deleted file mode 100755
index a6c56ae539..0000000000
--- a/plugins/ec2_investigations/komand_ec2_investigations/actions/mount_drive/__init__.py
+++ /dev/null
@@ -1,2 +0,0 @@
-# GENERATED BY KOMAND SDK - DO NOT EDIT
-from .action import MountDrive
diff --git a/plugins/ec2_investigations/komand_ec2_investigations/actions/mount_drive/action.py b/plugins/ec2_investigations/komand_ec2_investigations/actions/mount_drive/action.py
deleted file mode 100755
index efd9da3b46..0000000000
--- a/plugins/ec2_investigations/komand_ec2_investigations/actions/mount_drive/action.py
+++ /dev/null
@@ -1,80 +0,0 @@ -import komand -from .schema import MountDriveInput, MountDriveOutput - -# Custom imports below -import json -from boto.manage.cmdshell import sshclient_from_instance - - -class MountDrive(komand.Action): - def __init__(self): - super(self.__class__, self).__init__( - name="mount_drive", - description="Mount drive", - input=MountDriveInput(), - output=MountDriveOutput(), - ) - - def run(self, params={}): - """TODO: Run action""" - directory = params.get("directory") - device = params.get("device") - instance_id = params.get("instance_id") - private_key = params.get("private_key") - user = params.get("user") - region = params.get("region") - empty_json_output = {} - - # Create private key file - f = open("./pk.pem", "w") - f.write(private_key) - f.close() - - # Create command from user input - command = "sudo ./mount.sh " + directory + " " + device - - try: - # Connect to AWS instance - reservations = self.connection.aws.get_all_instances( - filters={"instance_id": instance_id} - ) - instance = reservations[0].instances[0] - ssh_client = sshclient_from_instance(instance, "./pk.pem", user_name=user) - - # Copy the mount.sh script to the instance and make it executable - ssh_client.put_file("./komand_ec2_investigations/actions/mount.sh", "./mount.sh") - ssh_client.run("chmod +x mount.sh") - - # Execute the command and return the standard output - status, stdout, stderr = ssh_client.run(command) - # Remove script after running - ssh_client.run("rm ./mount.sh") - - if stdout.decode("utf-8").rstrip() == "0": - result = empty_json_output - self.logger.error("Unable to mount device: %s. Verify volume is attached", device) - elif stdout.decode("utf-8").rstrip() == "1": - result = json.loads( - '{"directory": "%s", "status": "Directory already mounted"}' % directory - ) - self.logger.info( - "Unable to mount directory: %s. 
Directory already mounted", directory - ) - elif stdout.decode("utf-8").rstrip() == "2": - result = empty_json_output - self.logger.error("Unable to mount directory: %s. Invalid directory", directory) - else: - result = json.loads(stdout.decode("utf-8").rstrip()) - - except Exception: - self.logger.error( - "No address associated with hostname %s. Verify instance is running and credentials are valid", - instance_id, - ) - raise - - return result - - def test(self): - """TODO: Test action""" - return {} diff --git a/plugins/ec2_investigations/komand_ec2_investigations/actions/mount_drive/schema.py b/plugins/ec2_investigations/komand_ec2_investigations/actions/mount_drive/schema.py deleted file mode 100755 index e82bb8102e..0000000000 --- a/plugins/ec2_investigations/komand_ec2_investigations/actions/mount_drive/schema.py +++ /dev/null 
@@ -1,105 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT -import komand -import json - - -class Component: - DESCRIPTION = "Mount drive" - - -class Input: - DEVICE = "device" - DIRECTORY = "directory" - INSTANCE_ID = "instance_id" - PRIVATE_KEY = "private_key" - REGION = "region" - USER = "user" - - -class Output: - DIRECTORY = "directory" - STATUS = "status" - - -class MountDriveInput(komand.Input): - schema = json.loads(""" - { - "type": "object", - "title": "Variables", - "properties": { - "device": { - "type": "string", - "title": "Device", - "description": "Device", - "order": 6 - }, - "directory": { - "type": "string", - "title": "Directory", - "description": "Directory", - "order": 5 - }, - "instance_id": { - "type": "string", - "title": "Instance Id", - "description": "Instance ID", - "order": 1 - }, - "private_key": { - "type": "string", - "title": "Private Key", - "description": "Private key", - "order": 3 - }, - "region": { - "type": "string", - "title": "Region", - "description": "Region", - "order": 2 - }, - "user": { - "type": "string", - "title": "User", - "description": "User name", - "order": 4 - } - }, - "required": [ - "device", - "directory", - "instance_id", - "private_key", - "region", - "user" - ] -} - """) - - def __init__(self): - super(self.__class__, self).__init__(self.schema) - - -class MountDriveOutput(komand.Output): - schema = json.loads(""" - { - "type": "object", - "title": "Variables", - "properties": { - "directory": { - "type": "string", - "title": "Directory", - "description": "Directory", - "order": 1 - }, - "status": { - "type": "string", - "title": "Status", - "description": "Status", - "order": 2 - } - } -} - """) - - def __init__(self): - super(self.__class__, self).__init__(self.schema) diff --git a/plugins/ec2_investigations/komand_ec2_investigations/connection/__init__.py b/plugins/ec2_investigations/komand_ec2_investigations/connection/__init__.py deleted file mode 100755 index a515dcf6b0..0000000000 
--- a/plugins/ec2_investigations/komand_ec2_investigations/connection/__init__.py
+++ /dev/null
@@ -1,2 +0,0 @@
-# GENERATED BY KOMAND SDK - DO NOT EDIT
-from .connection import Connection
diff --git a/plugins/ec2_investigations/komand_ec2_investigations/connection/connection.py b/plugins/ec2_investigations/komand_ec2_investigations/connection/connection.py
deleted file mode 100755
index 76f336062b..0000000000
--- a/plugins/ec2_investigations/komand_ec2_investigations/connection/connection.py
+++ /dev/null
@@ -1,18 +0,0 @@
-import komand
-from .schema import ConnectionSchema
-
-# Custom imports below
-import boto.ec2
-
-
-class Connection(komand.Connection):
- def __init__(self):
- super(self.__class__, self).__init__(input=ConnectionSchema())
-
- def connect(self, params={}):
- self.logger.info("Connect: Connecting..")
- access_key_id = params.get("access_key").get("secretKey")
- secret_access_key = params.get("secret_key").get("secretKey")
- self.aws = boto.connect_ec2(
- aws_access_key_id=access_key_id, aws_secret_access_key=secret_access_key
- )
diff --git a/plugins/ec2_investigations/komand_ec2_investigations/connection/schema.py b/plugins/ec2_investigations/komand_ec2_investigations/connection/schema.py
deleted file mode 100755
index ef915457e5..0000000000
--- a/plugins/ec2_investigations/komand_ec2_investigations/connection/schema.py
+++ /dev/null
@@ -1,58 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT -import komand -import json - - -class Input: - ACCESS_KEY = "access_key" - SECRET_KEY = "secret_key" - - -class ConnectionSchema(komand.Input): - schema = json.loads(""" - { - "type": "object", - "title": "Variables", - "properties": { - "access_key": { - "$ref": "#/definitions/credential_secret_key", - "title": "Access Key", - "description": "Access Key ID", - "order": 2 - }, - "secret_key": { - "$ref": "#/definitions/credential_secret_key", - "title": "Secret Key", - "description": "Secret access key", - "order": 1 - } - }, - "required": [ - "access_key", - "secret_key" - ], - "definitions": { - "credential_secret_key": { - "id": "credential_secret_key", - "type": "object", - "title": "Credential: Secret Key", - "description": "A shared secret key", - "properties": { - "secretKey": { - "type": "string", - "title": "Secret Key", - "displayType": "password", - "description": "The shared secret key", - "format": "password" - } - }, - "required": [ - "secretKey" - ] - } - } -} - """) - - def __init__(self): - super(self.__class__, self).__init__(self.schema) diff --git a/plugins/ec2_investigations/komand_ec2_investigations/triggers/__init__.py b/plugins/ec2_investigations/komand_ec2_investigations/triggers/__init__.py deleted file mode 100755 index bace8db897..0000000000 --- a/plugins/ec2_investigations/komand_ec2_investigations/triggers/__init__.py +++ /dev/null @@ -1 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT diff --git a/plugins/ec2_investigations/komand_ec2_investigations/util/__init__.py b/plugins/ec2_investigations/komand_ec2_investigations/util/__init__.py deleted file mode 100755 index bace8db897..0000000000 --- a/plugins/ec2_investigations/komand_ec2_investigations/util/__init__.py +++ /dev/null @@ -1 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT 
diff --git a/plugins/ec2_investigations/plugin.spec.yaml b/plugins/ec2_investigations/plugin.spec.yaml
deleted file mode 100644
index e2e0d65496..0000000000
--- a/plugins/ec2_investigations/plugin.spec.yaml
+++ /dev/null
@@ -1,114 +0,0 @@ -plugin_spec_version: v2 -extension: plugin -products: [insightconnect] -name: ec2_investigations -title: EC2 Investigations -vendor: rapid7 -support: community -status: [] -description: "EC2 Investigations runs security tools on the AWS EC2 platform. Using the EC2 Investigations plugin -for Rapid7 InsightConnect will allow users to mount drives and scan directories with ClamAV" -version: 1.0.1 -resources: - source_url: https://github.com/rapid7/insightconnect-plugins/tree/master/plugins/ec2_investigations - license_url: https://github.com/rapid7/insightconnect-plugins/blob/master/LICENSE - vendor_url: https://www.amazon.com -tags: -- ec2 -- aws -hub_tags: - use_cases: [devops] - keywords: [ec2, aws] - features: [] -types: - malicious_files: - file: - type: string - required: false - owner: - type: string - required: false - hash_value: - type: string - required: false - created_time: - type: string - required: false -connection: - secret_key: - title: Secret Key - description: Secret access key - type: credential_secret_key - required: true - access_key: - title: Access Key - description: Access Key ID - type: credential_secret_key - required: true -actions: - mount_drive: - title: Mount Drive - description: Mount drive - input: - instance_id: - description: Instance ID - type: string - required: true - region: - description: Region - type: string - required: true - private_key: - description: Private key - type: string - required: true - user: - description: User name - type: string - required: true - directory: - type: string - description: Directory - required: true - device: - type: string - description: Device - required: true - output: - directory: - type: string - description: Directory - required: false - status: - type: string - description: Status - required: false - clam_av: - title: Clam AV - description: Scan directory with ClamAV - input: - instance_id: - description: Instance ID - type: string - required: true - region: - 
description: Region - type: string - required: true - private_key: - description: Private key - type: string - required: true - user: - description: User name - type: string - required: true - directory: - type: string - description: Directory to scan - required: true - output: - malware: - type: '[]malicious_files' - description: Malware - required: false diff --git a/plugins/ec2_investigations/requirements.txt b/plugins/ec2_investigations/requirements.txt deleted file mode 100755 index d0674c75e2..0000000000 --- a/plugins/ec2_investigations/requirements.txt +++ /dev/null @@ -1,3 +0,0 @@ -# List third-party dependencies here, separated by newlines. -# All dependencies must be version-pinned, eg. requests==1.2.0 -# See: https://pip.pypa.io/en/stable/user_guide/#requirements-files \ No newline at end of file diff --git a/plugins/ec2_investigations/setup.py b/plugins/ec2_investigations/setup.py deleted file mode 100644 index 1670f9b494..0000000000 --- a/plugins/ec2_investigations/setup.py +++ /dev/null @@ -1,14 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT -from setuptools import setup, find_packages - - -setup(name='ec2_investigations-rapid7-plugin', - version='1.0.1', - description='EC2 Investigations runs security tools on the AWS EC2 platform. Using the EC2 Investigations plugin for Rapid7 InsightConnect will allow users to mount drives and scan directories with ClamAV', - author='rapid7', - author_email='', - url='', - packages=find_packages(), - install_requires=['komand'], # Add third-party dependencies to requirements.txt, not here! - scripts=['bin/komand_ec2_investigations'] - ) diff --git a/plugins/elastalert/.CHECKSUM b/plugins/elastalert/.CHECKSUM deleted file mode 100644 index 4f0abfd7b3..0000000000 --- a/plugins/elastalert/.CHECKSUM +++ /dev/null 
@@ -1,15 +0,0 @@
-{
- "spec": "37c39512906a5c65e705ca8d7db776f0",
- "manifest": "36882c239657e1793eafabf50fea89b9",
- "setup": "ddc5ef63a067ca980e930bd3e495895e",
- "schemas": [
- {
- "identifier": "connection/schema.py",
- "hash": "43ce6dc5005d093e08b4bd85808ae9e8"
- },
- {
- "identifier": "receive/schema.py",
- "hash": "598bb27456ffd421eca61d81f0d39a8c"
- }
- ]
-}
\ No newline at end of file
diff --git a/plugins/elastalert/.dockerignore b/plugins/elastalert/.dockerignore
deleted file mode 100644
index 93dc53fb01..0000000000
--- a/plugins/elastalert/.dockerignore
+++ /dev/null
@@ -1,9 +0,0 @@
-unit_test/**/*
-unit_test
-examples/**/*
-examples
-tests
-tests/**/*
-**/*.json
-**/*.tar
-**/*.gz
\ No newline at end of file
diff --git a/plugins/elastalert/Dockerfile b/plugins/elastalert/Dockerfile
deleted file mode 100755
index 7f3c8de076..0000000000
--- a/plugins/elastalert/Dockerfile
+++ /dev/null
@@ -1,25 +0,0 @@
-FROM komand/python-3-plugin:2
-# The three supported python parent images are:
-# - komand/python-2-plugin
-# - komand/python-3-plugin
-# - komand/python-pypy3-plugin
-#
-# Update the tag to a full semver version
-
-# Add any custom package dependencies here
-# NOTE: Add pip packages to requirements.txt
-
-# End package dependencies
-
-# Add source code
-WORKDIR /python/src
-ADD ./plugin.spec.yaml /plugin.spec.yaml
-ADD . /python/src
-
-# Install pip dependencies
-RUN if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
-
-# Install plugin
-RUN python setup.py build && python setup.py install
-
-ENTRYPOINT ["/usr/local/bin/komand_elastalert"]
\ No newline at end of file
diff --git a/plugins/elastalert/Makefile b/plugins/elastalert/Makefile
deleted file mode 100755
index cb85f96b6c..0000000000
--- a/plugins/elastalert/Makefile
+++ /dev/null
@@ -1,53 +0,0 @@ -# Include other Makefiles for improved functionality -INCLUDE_DIR = ../../tools/Makefiles -MAKEFILES := $(wildcard $(INCLUDE_DIR)/*.mk) -# We can't guarantee customers will have the include files -# - prefix to ignore Makefiles when not present -# https://www.gnu.org/software/make/manual/html_node/Include.html --include $(MAKEFILES) - -ifneq ($(MAKEFILES),) - $(info [$(YELLOW)*$(NORMAL)] Use ``make menu`` for available targets) - $(info [$(YELLOW)*$(NORMAL)] Including available Makefiles: $(MAKEFILES)) - $(info --) -else - $(warning Makefile includes directory not present: $(INCLUDE_DIR)) -endif - -VERSION?=$(shell grep '^version: ' plugin.spec.yaml | sed 's/version: //') -NAME?=$(shell grep '^name: ' plugin.spec.yaml | sed 's/name: //') -VENDOR?=$(shell grep '^vendor: ' plugin.spec.yaml | sed 's/vendor: //') -CWD?=$(shell basename $(PWD)) -_NAME?=$(shell echo $(NAME) | awk '{ print toupper(substr($$0,1,1)) tolower(substr($$0,2)) }') -PKG=$(VENDOR)-$(NAME)-$(VERSION).tar.gz - -# Set default target explicitly. Make's default behavior is the first target in the Makefile. -# We don't want that behavior due to includes which are read first -.DEFAULT_GOAL := default # Make >= v3.80 (make -version) - - -default: image tarball - -tarball: - $(info [$(YELLOW)*$(NORMAL)] Creating plugin tarball) - rm -rf build - rm -rf $(PKG) - tar -cvzf $(PKG) --exclude=$(PKG) --exclude=tests --exclude=run.sh * - -image: - $(info [$(YELLOW)*$(NORMAL)] Building plugin image) - docker build --pull -t $(VENDOR)/$(NAME):$(VERSION) . 
- docker tag $(VENDOR)/$(NAME):$(VERSION) $(VENDOR)/$(NAME):latest - -regenerate: - $(info [$(YELLOW)*$(NORMAL)] Regenerating schema from plugin.spec.yaml) - icon-plugin generate python --regenerate - -export: image - $(info [$(YELLOW)*$(NORMAL)] Exporting docker image) - @printf "\n ---> Exporting Docker image to ./$(VENDOR)_$(NAME)_$(VERSION).tar\n" - @docker save $(VENDOR)/$(NAME):$(VERSION) | gzip > $(VENDOR)_$(NAME)_$(VERSION).tar - -# Make will not run a target if a file of the same name exists unless setting phony targets -# https://www.gnu.org/software/make/manual/html_node/Phony-Targets.html -.PHONY: default tarball image regenerate diff --git a/plugins/elastalert/bin/komand_elastalert b/plugins/elastalert/bin/komand_elastalert deleted file mode 100755 index 38e64c9e8f..0000000000 --- a/plugins/elastalert/bin/komand_elastalert +++ /dev/null @@ -1,32 +0,0 @@ -#!/usr/bin/env python -# GENERATED BY KOMAND SDK - DO NOT EDIT -import komand -from komand_elastalert import connection, actions, triggers - - -Name = 'ElastAlert' -Vendor = 'rapid7' -Version = '1.0.1' -Description = 'ElastAlert provides easy & flexible alerting with Elasticsearch. Users of the ElastAlert plugin can monitor alerts in real-time for automation use' - - -class ICONElastalert(komand.Plugin): - def __init__(self): - super(self.__class__, self).__init__( - name=Name, - vendor=Vendor, - version=Version, - description=Description, - connection=connection.Connection() - ) - self.add_trigger(triggers.Receive()) - - -def main(): - """Run plugin""" - cli = komand.CLI(ICONElastalert()) - cli.run() - - -if __name__ == "__main__": - main() diff --git a/plugins/elastalert/extension.png b/plugins/elastalert/extension.png deleted file mode 100644 index f4bd7f5ba5..0000000000 Binary files a/plugins/elastalert/extension.png and /dev/null differ diff --git a/plugins/elastalert/help.md b/plugins/elastalert/help.md deleted file mode 100644 index fe9826da4c..0000000000 
--- a/plugins/elastalert/help.md +++ /dev/null @@ -1,70 +0,0 @@ -# Description - -[ElastAlert](https://github.com/Yelp/elastalert) allows for easy & flexible alerting with ElasticSearch. Users of the -ElastAlert plugin can monitor alerts using an ElastAlert webhook in real-time for automation use. - -# Key Features - -* Monitor alerts - -# Requirements - -* Username and password - -# Documentation - -## Setup - -The connection configuration accepts the following parameters: - -|Name|Type|Default|Required|Description|Enum| -|----|----|-------|--------|-----------|----| -|credentials|credential_username_password|None|True|Basic Auth username and password|None| - -## Technical Details - -### Actions - -_This plugin does not contain any actions._ - -### Triggers - -#### Get Alerts - -This trigger is used to listen for and trigger on new alerts from a simple ElastAlert webhook. -It opens a network socket on the specified port and endpoint. ElastAlert should be configured to use the specified port and endpoint. - -##### Input - -|Name|Type|Default|Required|Description|Enum| -|----|----|-------|--------|-----------|----| -|tcp_port|integer|None|True|TCP port to listen for messages|None| -|endpoint|string|0.0.0.0|True|IP address of the Komand host to listen on. Use 0.0.0.0 to listen on the all address|None| -|interval|integer|5|False|Interval to wait before reading another message|None| - -##### Output - -|Name|Type|Required|Description| -|----|----|--------|-----------| -|alert|string|True|None| - -### Custom Output Types - -_This plugin does not contain any custom output types._ - -## Troubleshooting - -_This plugin does not contain any troubleshooting information._ - -# Version History - -* 1.0.1 - New spec and help.md format for the Extension Library -* 1.0.0 - Support web server mode | Update to new credential types -* 0.1.0 - Initial plugin - -# Links - -## References - -* [ElastAlert](https://github.com/Yelp/elastalert) - 
diff --git a/plugins/elastalert/icon.png b/plugins/elastalert/icon.png deleted file mode 100644 index 6bba0b9882..0000000000 Binary files a/plugins/elastalert/icon.png and /dev/null differ diff --git a/plugins/elastalert/komand_elastalert/__init__.py b/plugins/elastalert/komand_elastalert/__init__.py deleted file mode 100755 index bace8db897..0000000000 --- a/plugins/elastalert/komand_elastalert/__init__.py +++ /dev/null @@ -1 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT diff --git a/plugins/elastalert/komand_elastalert/actions/__init__.py b/plugins/elastalert/komand_elastalert/actions/__init__.py deleted file mode 100755 index bace8db897..0000000000 --- a/plugins/elastalert/komand_elastalert/actions/__init__.py +++ /dev/null @@ -1 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT diff --git a/plugins/elastalert/komand_elastalert/connection/__init__.py b/plugins/elastalert/komand_elastalert/connection/__init__.py deleted file mode 100755 index a515dcf6b0..0000000000 --- a/plugins/elastalert/komand_elastalert/connection/__init__.py +++ /dev/null @@ -1,2 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT -from .connection import Connection diff --git a/plugins/elastalert/komand_elastalert/connection/connection.py b/plugins/elastalert/komand_elastalert/connection/connection.py deleted file mode 100755 index 6a71806903..0000000000 --- a/plugins/elastalert/komand_elastalert/connection/connection.py +++ /dev/null @@ -1,21 +0,0 @@ -import komand -from .schema import ConnectionSchema - -# Custom imports below - - -class Connection(komand.Connection): - def __init__(self): - super(self.__class__, self).__init__(input=ConnectionSchema()) - - def connect(self, params): - self.logger.info("Listen: Listening...") - user = params.get("credentials").get("username") - passwd = params.get("credentials").get("password") - - if user is None: - user = "" - if passwd is None: - passwd = "" # noqa: B105 - - self.auth_key = "{}:{}".format(user, passwd) 
diff --git a/plugins/elastalert/komand_elastalert/connection/schema.py b/plugins/elastalert/komand_elastalert/connection/schema.py deleted file mode 100755 index 5a4dfa4684..0000000000 --- a/plugins/elastalert/komand_elastalert/connection/schema.py +++ /dev/null @@ -1,56 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT -import komand -import json - - -class Input: - CREDENTIALS = "credentials" - - -class ConnectionSchema(komand.Input): - schema = json.loads(""" - { - "type": "object", - "title": "Variables", - "properties": { - "credentials": { - "$ref": "#/definitions/credential_username_password", - "title": "Basic Auth Username and Password", - "description": "Basic Auth username and password", - "order": 1 - } - }, - "required": [ - "credentials" - ], - "definitions": { - "credential_username_password": { - "id": "credential_username_password", - "type": "object", - "title": "Credential: Username and Password", - "description": "A username and password combination", - "properties": { - "password": { - "type": "string", - "title": "Password", - "displayType": "password", - "description": "The password", - "format": "password" - }, - "username": { - "type": "string", - "title": "Username", - "description": "The username to log in with" - } - }, - "required": [ - "username", - "password" - ] - } - } -} - """) - - def __init__(self): - super(self.__class__, self).__init__(self.schema) diff --git a/plugins/elastalert/komand_elastalert/triggers/__init__.py b/plugins/elastalert/komand_elastalert/triggers/__init__.py deleted file mode 100755 index a4c7dc4c59..0000000000 --- a/plugins/elastalert/komand_elastalert/triggers/__init__.py +++ /dev/null @@ -1,2 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT -from .receive.trigger import Receive diff --git a/plugins/elastalert/komand_elastalert/triggers/receive/__init__.py b/plugins/elastalert/komand_elastalert/triggers/receive/__init__.py deleted file mode 100755 index 7bc4c67c5b..0000000000 
--- a/plugins/elastalert/komand_elastalert/triggers/receive/__init__.py +++ /dev/null @@ -1,2 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT -from .trigger import Receive diff --git a/plugins/elastalert/komand_elastalert/triggers/receive/schema.py b/plugins/elastalert/komand_elastalert/triggers/receive/schema.py deleted file mode 100755 index bf6cc7b347..0000000000 --- a/plugins/elastalert/komand_elastalert/triggers/receive/schema.py +++ /dev/null @@ -1,80 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT -import komand -import json - - -class Component: - DESCRIPTION = "Listen for and trigger on new alerts from an ElastAlert webhook" - - -class Input: - - ENDPOINT = "endpoint" - INTERVAL = "interval" - TCP_PORT = "tcp_port" - - -class Output: - - ALERT = "alert" - - -class ReceiveInput(komand.Input): - schema = json.loads(""" - { - "type": "object", - "title": "Variables", - "properties": { - "endpoint": { - "type": "string", - "title": "Endpoint", - "description": "IP address of the Komand host to listen on. 0.0.0.0 to listen on the all address", - "default": "0.0.0.0", - "order": 2 - }, - "interval": { - "type": "integer", - "title": "Interval", - "description": "Interval to wait before reading another message", - "default": 5, - "order": 3 - }, - "tcp_port": { - "type": "integer", - "title": "TCP Port", - "description": "TCP port to listen for messages", - "order": 1 - } - }, - "required": [ - "endpoint", - "tcp_port" - ] -} - """) - - def __init__(self): - super(self.__class__, self).__init__(self.schema) - - -class ReceiveOutput(komand.Output): - schema = json.loads(""" - { - "type": "object", - "title": "Variables", - "properties": { - "alert": { - "type": "object", - "title": "Alert", - "description": "Alert", - "order": 1 - } - }, - "required": [ - "alert" - ] -} - """) - - def __init__(self): - super(self.__class__, self).__init__(self.schema) 
diff --git a/plugins/elastalert/komand_elastalert/triggers/receive/trigger.py b/plugins/elastalert/komand_elastalert/triggers/receive/trigger.py deleted file mode 100755 index d1f4921ddb..0000000000 --- a/plugins/elastalert/komand_elastalert/triggers/receive/trigger.py +++ /dev/null 
@@ -1,118 +0,0 @@ -import komand -import time -from .schema import ReceiveInput, ReceiveOutput - -# Custom imports below -import base64 -import json -import socket - - -class Receive(komand.Trigger): - def __init__(self): - super(self.__class__, self).__init__( - name="receive", - description="Listen for and trigger on new alerts from an ElastAlert webhook", - input=ReceiveInput(), - output=ReceiveOutput(), - ) - - def handler_data(self, recv_data): # noqa: MC0001 - # Parse headers - try: - headers, data = recv_data.split("\r\n\r\n") - self.logger.debug("Data: %s", data) - self.logger.debug("Headers: %s", headers) - headers = headers.split("\n") - req_method = headers[0].strip().split() - except: - self.logger.error("Bad HTTP request format") - return False - - if not isinstance(req_method, list): - self.logger.error("Unable to find HTTP method") - return False - - # Validate JSON - try: - data_json = json.loads(data) - except: - self.logger.error("Unable to decode JSON") - return False - - if req_method[0] == "POST": - # Search for Authorization header - try: - # Retrieve Authorization header - for header in headers: - if header.startswith("Authorization: "): - auth_header = header - except: - self.logger.error("Missing Authorization header") - return False - - # Retrieve Authorization's Basic value - try: - auth = auth_header.split()[2] - except: - self.logger.error("Authorization header is incomplete, expecting e.g.: Basic dGVzdAo=") - return False - - # Retrieve user:pass from Basic Authorization value - try: - # There's an extra newline we must strip - key = base64.b64decode(auth).decode().rstrip("\n") - self.logger.debug("Client Key: %s", key) - except: - self.logger.error("Unable to base64 decode basic authorization value") - return False - - # Verify Authorization key - if key == self.connection.auth_key: - if isinstance(data_json, dict) and len(data_json) > 0: - self.send({"alert": data_json}) - else: - self.logger.info("No data in message") - return False 
- else: - self.logger.debug("Server Key: %s", self.connection.auth_key) - self.logger.info("Authorization key did not match") - return False - else: - self.logger.info("Not a POST Request") - time.sleep(2) - return False - return False - - def run(self, params={}): - """Run the trigger""" - # Send a test event - - BUFF = 4096 - interval = params.get("interval") - endpoint = params.get("endpoint", "0.0.0.0") # noqa: B104 - tcp_port = params.get("tcp_port") - - host = endpoint + ":" + str(tcp_port) - self.logger.info("Listening on %s", host) - - # Open socket server to listen for messages - server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) - server.bind((endpoint, tcp_port)) - # System default backlog for sanity - server.listen(5) - - while True: - conn, addr = server.accept() - recv_data = conn.recv(BUFF) - conn.send(recv_data) - conn.close() - - # Handler receiving data - self.handler_data(recv_data.decode()) - time.sleep(interval) - - def test(self): - """TODO: Test the trigger""" - return {} diff --git a/plugins/elastalert/komand_elastalert/util/__init__.py b/plugins/elastalert/komand_elastalert/util/__init__.py deleted file mode 100755 index bace8db897..0000000000 --- a/plugins/elastalert/komand_elastalert/util/__init__.py +++ /dev/null @@ -1 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT diff --git a/plugins/elastalert/plugin.spec.yaml b/plugins/elastalert/plugin.spec.yaml deleted file mode 100644 index b862bb16e2..0000000000 --- a/plugins/elastalert/plugin.spec.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -plugin_spec_version: v2 -extension: plugin -products: [insightconnect] -name: elastalert -title: ElastAlert -description: "ElastAlert provides easy & flexible alerting with Elasticsearch. Users of the ElastAlert plugin can -monitor alerts in real-time for automation use" -version: 1.0.1 -vendor: rapid7 -support: community -status: ["hidden"] -resources: - source_url: https://github.com/rapid7/insightconnect-plugins/tree/master/plugins/elastalert - license_url: https://github.com/rapid7/insightconnect-plugins/blob/master/LICENSE - vendor_url: https://www.yelp.com -tags: -- elasticsearch -- elk -- alert -hub_tags: - use_cases: [alerting_and_notifications] - keywords: [elasticsearch, elk, alert] - features: [] - -connection: - credentials: - title: Basic Auth Username and Password - description: Basic Auth username and password - type: credential_username_password - required: true -triggers: - receive: - title: Get Alerts - description: Listen for and trigger on new alerts from an ElastAlert webhook - input: - tcp_port: - type: integer - title: TCP Port - description: TCP port to listen for messages - required: true - endpoint: - type: string - title: Endpoint - description: IP address of the Komand host to listen on. 0.0.0.0 to listen - on the all address - default: 0.0.0.0 - required: true - interval: - type: integer - description: Interval to wait before reading another message - default: 5 - required: false - output: - alert: - title: Alert - description: Alert - type: object - required: true diff --git a/plugins/elastalert/requirements.txt b/plugins/elastalert/requirements.txt deleted file mode 100755 index d0674c75e2..0000000000 --- a/plugins/elastalert/requirements.txt +++ /dev/null @@ -1,3 +0,0 @@ -# List third-party dependencies here, separated by newlines. -# All dependencies must be version-pinned, eg. requests==1.2.0 -# See: https://pip.pypa.io/en/stable/user_guide/#requirements-files \ No newline at end of file 
diff --git a/plugins/elastalert/setup.py b/plugins/elastalert/setup.py deleted file mode 100755 index eae662307d..0000000000 --- a/plugins/elastalert/setup.py +++ /dev/null @@ -1,14 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT -from setuptools import setup, find_packages - - -setup(name='elastalert-rapid7-plugin', - version='1.0.1', - description='ElastAlert provides easy & flexible alerting with Elasticsearch. Users of the ElastAlert plugin can monitor alerts in real-time for automation use', - author='rapid7', - author_email='', - url='', - packages=find_packages(), - install_requires=['komand'], # Add third-party dependencies to requirements.txt, not here! - scripts=['bin/komand_elastalert'] - ) diff --git a/plugins/elastalert/tests/elastpost.sh b/plugins/elastalert/tests/elastpost.sh deleted file mode 100755 index 748d4903ab..0000000000 --- a/plugins/elastalert/tests/elastpost.sh +++ /dev/null 
@@ -1,6 +0,0 @@ -for i in {1..10}; do - #curl -v -X POST --data '{"Authorization": "blah89d9-blah-blah-blah-blahd3d4blah", "Alert": "<44>Sep 6 21:23:55 SFO01-asasfr SFIMS: [Primary Detection Engine (ef3dbb34-c555-11e4-ba7d-98bb84d7b7c2)][Initial Passive Policy _ sfr01lax02us_corp_auction_local][1:28039:6] \"INDICATOR-COMPROMISE Suspicious .pw dns query\" [Classification: Misc Activity] User: Unknown, Application: Unknown, Client: DNS client, App Protocol: DNS, Interface Ingress: inside, Interface Egress: outside, Security Zone Ingress: N/A, Security Zone Egress: N/A, Context: unknown, [Priority: 3] {UDP} 192.1.21.79:59596 -> 8.8.8.8:53"}' http://127.0.0.1:4444 - curl -v -X POST -H 'Content-Type: application/json' -H 'Accept: application/json;charset=utf-8' -H 'Authorization: Basic dGVzdDo=' -d '{"matches": [{"search": {}, "_id": "0b#kHuAl${(N`QDM1+fW", "_index": "active-logs-000020", "num_hits": 4400, "@timestamp": "2018-02-21T18:28:25.376Z", "lyftlog": {"debug": {}, "errors": {}}, "_type": "syslog", "canary": false, "source": "/var/log/auth.log", "host": "example-staging-iad-000000", "tag": "sshd[4000]:", "asg": "example", "msg": "Did not receive identification string from 127.0.0.1", "num_matches": 4400, "az": "us-east-1a", "region": "iad"}], "rule": "Test"}' http://127.0.0.1:4444 - sleep 1 -done - diff --git a/plugins/elastalert/tests/listen.py b/plugins/elastalert/tests/listen.py deleted file mode 100755 index f820d0d7bc..0000000000 --- a/plugins/elastalert/tests/listen.py +++ /dev/null 
@@ -1,100 +0,0 @@ -import base64 -import logging -import time -import json -import socket - - -def handler_data(recv_data): - try: - headers, data = recv_data.split("\r\n\r\n") - headers = headers.split("\n") - req_method = headers[0].strip().split() - print("Headers: {}".format(headers)) - except: - logging.error("Bad HTTP request format") - return False - - if not isinstance(req_method, list): - logging.error("Unable to find HTTP method") - return False - - if req_method[0] == "POST": - try: - data_json = json.loads(data) - except json.decoder.JSONDecodeError: - logging.error("Unable to decode JSON") - return False - - try: - for header in headers: - if header.startswith("Authorization: "): - auth_header = header - print("Authorization: {}".format(auth_header)) - except: - logging.error("Missing Authorization header") - return False - - try: - auth = auth_header.split()[2] - print("Token: {}".format(auth)) - except: - logging.error("Authorization header is incomplete") - return False - - try: - key = base64.b64decode(auth).decode() - except: - logging.error("Unable to decode base64 auth value") - return False - - # Check Authorization - if key == "test:": - if isinstance(data_json, dict) and len(data_json) > 0: - print(data_json) - else: - logging.info("No data in message") - return False - else: - logging.info("Authorization key did not match") - return False - else: - logging.info("Not a POST Request") - time.sleep(2) - return False - return False - - -def run(): - """Run the trigger""" - # send a test event - - BUFF = 4096 - interval = 10 - protocol = "http" - endpoint = "0.0.0.0" - tcp_port = 8080 - - host = protocol + "://" + endpoint + ":" + str(tcp_port) - print("Listening on", host) - - # Open socket server to listen for messages - server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) - server.bind((endpoint, tcp_port)) - server.listen(5) - - while True: - conn, addr = server.accept() - 
print(conn, addr) - recv_data = conn.recv(BUFF) - print(recv_data) - conn.sendall(recv_data) - conn.close() - - # Handler receiving data - handler_data(recv_data.decode("utf-8")) - time.sleep(interval) - - -run() diff --git a/plugins/elastalert/tests/listen_count.py b/plugins/elastalert/tests/listen_count.py deleted file mode 100755 index d7e4f45fdd..0000000000 --- a/plugins/elastalert/tests/listen_count.py +++ /dev/null @@ -1,63 +0,0 @@ -import time -import json -import socket - -COUNT = 0 - - -def handler_data(recv_data): - global COUNT - headers, data = recv_data.split("\r\n\r\n") - headers = headers.split("\n") - req_method = headers[0].strip().split() - - if req_method[0] == "POST": - data_json = json.loads(data) - auth = data_json.get("Authorization") - # Check Authorization - if auth == "blah89d9-blah-blah-blah-blahd3d4blah": - COUNT += 1 - if "Alert" in data_json: - print(COUNT) - else: - return False - else: - return False - else: - time.sleep(2) - return False - return False - - -def run(): - """Run the trigger""" - # send a test event - - COUNT = 0 - BUFF = 4096 - interval = 0 - protocol = "http" - endpoint = "0.0.0.0" - tcp_port = 8080 - - host = protocol + "://" + endpoint + ":" + str(tcp_port) - print("Listening on", host) - - # Open socket server to listen for messages - server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) - server.bind((endpoint, tcp_port)) - server.listen() - - while True: - conn, addr = server.accept() - recv_data = conn.recv(BUFF) - conn.send(recv_data) - conn.close() - - # Handler receiving data - handler_data(recv_data.decode("utf-8")) - time.sleep(interval) - - -run() diff --git a/plugins/try_bro/.CHECKSUM b/plugins/try_bro/.CHECKSUM deleted file mode 100644 index 3ed50cacd9..0000000000 --- a/plugins/try_bro/.CHECKSUM +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "spec": "5396bace2a6b9a89c1b5f44291cd05ac", - "manifest": "a9acd3cde5aa8d2baa752854efbaeb98", - "setup": "75d5752cacbe71309bc0a9094a33387c", - "schemas": [ - { - "identifier": "files/schema.py", - "hash": "3c04ce23d115087d07ae95e9f8832300" - }, - { - "identifier": "run/schema.py", - "hash": "01523bd247e294e57afff80d94193f5a" - }, - { - "identifier": "connection/schema.py", - "hash": "84bc5fe37ed0f7c6c315c5bad7d808bd" - } - ] -} \ No newline at end of file diff --git a/plugins/try_bro/.dockerignore b/plugins/try_bro/.dockerignore deleted file mode 100644 index 93dc53fb01..0000000000 --- a/plugins/try_bro/.dockerignore +++ /dev/null @@ -1,9 +0,0 @@ -unit_test/**/* -unit_test -examples/**/* -examples -tests -tests/**/* -**/*.json -**/*.tar -**/*.gz \ No newline at end of file diff --git a/plugins/try_bro/.state/state.bst b/plugins/try_bro/.state/state.bst deleted file mode 100644 index ee8c9066c6..0000000000 Binary files a/plugins/try_bro/.state/state.bst and /dev/null differ diff --git a/plugins/try_bro/Dockerfile b/plugins/try_bro/Dockerfile deleted file mode 100755 index c44aff7d87..0000000000 --- a/plugins/try_bro/Dockerfile +++ /dev/null @@ -1,25 +0,0 @@ -FROM komand/python-2-plugin -# The three supported python parent images are: -# - komand/python-2-plugin -# - komand/python-3-plugin -# - komand/python-pypy3-plugin -# -# Update the tag to a full semver version - -# Add any custom package dependencies here -# NOTE: Add pip packages to requirements.txt - -# End package dependencies - -# Add source code -WORKDIR /python/src -ADD ./plugin.spec.yaml /plugin.spec.yaml -ADD . /python/src - -# Install pip dependencies -RUN if [ -f requirements.txt ]; then pip install -r requirements.txt; fi - -# Install plugin -RUN python setup.py build && python setup.py install - -ENTRYPOINT ["/usr/local/bin/komand_try_bro"] \ No newline at end of file 
diff --git a/plugins/try_bro/Makefile b/plugins/try_bro/Makefile deleted file mode 100755 index cb85f96b6c..0000000000 --- a/plugins/try_bro/Makefile +++ /dev/null 
@@ -1,53 +0,0 @@ -# Include other Makefiles for improved functionality -INCLUDE_DIR = ../../tools/Makefiles -MAKEFILES := $(wildcard $(INCLUDE_DIR)/*.mk) -# We can't guarantee customers will have the include files -# - prefix to ignore Makefiles when not present -# https://www.gnu.org/software/make/manual/html_node/Include.html --include $(MAKEFILES) - -ifneq ($(MAKEFILES),) - $(info [$(YELLOW)*$(NORMAL)] Use ``make menu`` for available targets) - $(info [$(YELLOW)*$(NORMAL)] Including available Makefiles: $(MAKEFILES)) - $(info --) -else - $(warning Makefile includes directory not present: $(INCLUDE_DIR)) -endif - -VERSION?=$(shell grep '^version: ' plugin.spec.yaml | sed 's/version: //') -NAME?=$(shell grep '^name: ' plugin.spec.yaml | sed 's/name: //') -VENDOR?=$(shell grep '^vendor: ' plugin.spec.yaml | sed 's/vendor: //') -CWD?=$(shell basename $(PWD)) -_NAME?=$(shell echo $(NAME) | awk '{ print toupper(substr($$0,1,1)) tolower(substr($$0,2)) }') -PKG=$(VENDOR)-$(NAME)-$(VERSION).tar.gz - -# Set default target explicitly. Make's default behavior is the first target in the Makefile. -# We don't want that behavior due to includes which are read first -.DEFAULT_GOAL := default # Make >= v3.80 (make -version) - - -default: image tarball - -tarball: - $(info [$(YELLOW)*$(NORMAL)] Creating plugin tarball) - rm -rf build - rm -rf $(PKG) - tar -cvzf $(PKG) --exclude=$(PKG) --exclude=tests --exclude=run.sh * - -image: - $(info [$(YELLOW)*$(NORMAL)] Building plugin image) - docker build --pull -t $(VENDOR)/$(NAME):$(VERSION) . 
- docker tag $(VENDOR)/$(NAME):$(VERSION) $(VENDOR)/$(NAME):latest - -regenerate: - $(info [$(YELLOW)*$(NORMAL)] Regenerating schema from plugin.spec.yaml) - icon-plugin generate python --regenerate - -export: image - $(info [$(YELLOW)*$(NORMAL)] Exporting docker image) - @printf "\n ---> Exporting Docker image to ./$(VENDOR)_$(NAME)_$(VERSION).tar\n" - @docker save $(VENDOR)/$(NAME):$(VERSION) | gzip > $(VENDOR)_$(NAME)_$(VERSION).tar - -# Make will not run a target if a file of the same name exists unless setting phony targets -# https://www.gnu.org/software/make/manual/html_node/Phony-Targets.html -.PHONY: default tarball image regenerate diff --git a/plugins/try_bro/bin/komand_try_bro b/plugins/try_bro/bin/komand_try_bro deleted file mode 100755 index 31e14166ee..0000000000 --- a/plugins/try_bro/bin/komand_try_bro +++ /dev/null @@ -1,34 +0,0 @@ -#!/usr/bin/env python -# GENERATED BY KOMAND SDK - DO NOT EDIT -import komand -from komand_try_bro import connection, actions, triggers - - -Name = 'Try Bro' -Vendor = 'rapid7' -Version = '1.0.2' -Description = 'Upload PCAP files to an instance of Bro Network Security Monitor for analysis and access to Bro logs' - - -class ICONTryBro(komand.Plugin): - def __init__(self): - super(self.__class__, self).__init__( - name=Name, - vendor=Vendor, - version=Version, - description=Description, - connection=connection.Connection() - ) - self.add_action(actions.Files()) - - self.add_action(actions.Run()) - - -def main(): - """Run plugin""" - cli = komand.CLI(ICONTryBro()) - cli.run() - - -if __name__ == "__main__": - main() diff --git a/plugins/try_bro/extension.png b/plugins/try_bro/extension.png deleted file mode 100644 index b4cb7c2158..0000000000 Binary files a/plugins/try_bro/extension.png and /dev/null differ diff --git a/plugins/try_bro/help.md b/plugins/try_bro/help.md deleted file mode 100644 index 94a3a43626..0000000000 --- a/plugins/try_bro/help.md +++ /dev/null 
@@ -1,93 +0,0 @@ -# Description - -With the [Try Bro](http://try.bro.org/) plugin for Rapid7 InsightConnect, users can use a free instance of the -Bro Network Security Monitor in the cloud. Users can upload PCAP files for analysis and get Bro logs. - -# Key Features - -* PCAP analysis -* Get Bro logs - -# Requirements - -* Try Bro server URL - -# Documentation - -## Setup - -This plugin requires a Try Bro URL. By default, the public service is used. - -The connection configuration accepts the following parameters: - -|Name|Type|Default|Required|Description|Enum| -|----|----|-------|--------|-----------|----| -|server|string|http://try.bro.org|True|Try Bro URL|None| - -## Technical Details - -### Actions - -#### Get Bro Logs - -This action is used to retrieve Bro logs from an analysis by its ID. - -##### Input - -|Name|Type|Default|Required|Description|Enum| -|----|----|-------|--------|-----------|----| -|job|string|None|False|Job Number|None| - -##### Output - -|Name|Type|Required|Description| -|----|----|--------|-----------| -|files|files|False|Bro Log Files| - -#### Upload PCAP - -This action is used to upload a user supplied PCAP and optional Bro scripts for analysis by Bro. -The analysis URL and ID is returned. - -##### Input - -|Name|Type|Default|Required|Description|Enum| -|----|----|-------|--------|-----------|----| -|pcap|bytes|None|True|Base64 encoded PCAP file|None| -|scripts|[]bytes|None|False|Base64 encoded Bro Scripts|None| -|version|string|master|False|Bro Version|['master', '1.5', '2.1', '2.2', '2.3.1', '2.3.2', '2.4', '2.4.1', '2.5', '2.5.1']| - -##### Output - -|Name|Type|Required|Description| -|----|----|--------|-----------| -|id|string|False|Job ID| -|url|string|False|URL| - -### Triggers - -This plugin does not contain any triggers. - -### Custom Output Types - -_This plugin does not contain any custom output types._ - -## Troubleshooting - -This plugin does not contain any troubleshooting information. 
- -# Version History - -* 1.0.2 - New spec and help.md format for the Extension Library -* 1.0.1 - Fix issue where run action was excluded from plugin on build -* 1.0.0 - Update to v2 Python plugin architecture | Support web server mode -* 0.1.1 - SSL bug fix in SDK -* 0.1.0 - Initial plugin - -# Links - -## References - -* [Try Bro](http://try.bro.org/) -* [Try Bro Code](https://github.com/bro/try-bro) - diff --git a/plugins/try_bro/icon.png b/plugins/try_bro/icon.png deleted file mode 100644 index 1d306b663f..0000000000 Binary files a/plugins/try_bro/icon.png and /dev/null differ diff --git a/plugins/try_bro/komand_try_bro/__init__.py b/plugins/try_bro/komand_try_bro/__init__.py deleted file mode 100755 index bace8db897..0000000000 --- a/plugins/try_bro/komand_try_bro/__init__.py +++ /dev/null @@ -1 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT diff --git a/plugins/try_bro/komand_try_bro/actions/__init__.py b/plugins/try_bro/komand_try_bro/actions/__init__.py deleted file mode 100755 index e1d29e9627..0000000000 --- a/plugins/try_bro/komand_try_bro/actions/__init__.py +++ /dev/null @@ -1,3 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT -from .files.action import Files -from .run.action import Run diff --git a/plugins/try_bro/komand_try_bro/actions/files/__init__.py b/plugins/try_bro/komand_try_bro/actions/files/__init__.py deleted file mode 100755 index 3c28f9d1b3..0000000000 --- a/plugins/try_bro/komand_try_bro/actions/files/__init__.py +++ /dev/null @@ -1,2 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT -from .action import Files diff --git a/plugins/try_bro/komand_try_bro/actions/files/action.py b/plugins/try_bro/komand_try_bro/actions/files/action.py deleted file mode 100755 index a921d93927..0000000000 --- a/plugins/try_bro/komand_try_bro/actions/files/action.py +++ /dev/null 
@@ -1,32 +0,0 @@
-import komand
-from .schema import FilesInput, FilesOutput
-
-# Custom imports below
-import json
-import requests
-
-
-class Files(komand.Action):
- def __init__(self):
- super(self.__class__, self).__init__(
- name="files", description="Get logs by ID", input=FilesInput(), output=FilesOutput()
- )
-
- def run(self, params={}):
- server = self.connection.server
- job = params.get("job")
- files = {}
- res = requests.get(server + "/files/" + job)
- log = res.json()
- if len(log["files"]) == 0:
- raise Exception("Run: Job ID has no data")
- for i in log["files"].keys():
- files[i] = log["files"][i].split("\n")
- return {"files": files}
-
- def test(self):
- server = self.connection.server
- res = requests.get(server)
- if res.status_code != 200:
- raise Exception("Test: Unsuccessful HTTP status code returned")
- return {}
diff --git a/plugins/try_bro/komand_try_bro/actions/files/schema.py b/plugins/try_bro/komand_try_bro/actions/files/schema.py
deleted file mode 100755
index 1f808edddb..0000000000
--- a/plugins/try_bro/komand_try_bro/actions/files/schema.py
+++ /dev/null
@@ -1,612 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT -import komand -import json - - -class Component: - DESCRIPTION = "Get logs by ID" - - -class Input: - JOB = "job" - - -class Output: - FILES = "files" - - -class FilesInput(komand.Input): - schema = json.loads(""" - { - "type": "object", - "title": "Variables", - "properties": { - "job": { - "type": "string", - "title": "Job Number", - "description": "Job Number", - "order": 1 - } - } -} - """) - - def __init__(self): - super(self.__class__, self).__init__(self.schema) - - -class FilesOutput(komand.Output): - schema = json.loads(""" - { - "type": "object", - "title": "Variables", - "properties": { - "files": { - "$ref": "#/definitions/files", - "title": "Bro Log Files", - "description": "Bro Log Files", - "order": 1 - } - }, - "definitions": { - "files": { - "type": "object", - "title": "files", - "properties": { - "app_stats.log": { - "type": "array", - "title": "App Stats", - "description": "App stats", - "items": { - "type": "string" - }, - "order": 1 - }, - "barnyard2.log": { - "type": "array", - "title": "Barnyard2", - "description": "Barnyard2", - "items": { - "type": "string" - }, - "order": 2 - }, - "capture_loss.log": { - "type": "array", - "title": "Capture Loss", - "description": "Capture loss", - "items": { - "type": "string" - }, - "order": 3 - }, - "cluster.log": { - "type": "array", - "title": "Cluster", - "description": "Cluster", - "items": { - "type": "string" - }, - "order": 4 - }, - "communication.log": { - "type": "array", - "title": "Communication", - "description": "Communication", - "items": { - "type": "string" - }, - "order": 6 - }, - "conn.log": { - "type": "array", - "title": "Conn", - "description": "Conn", - "items": { - "type": "string" - }, - "order": 5 - }, - "dce_rpc.log": { - "type": "array", - "title": "DCE RPC", - "description": "DCE RPC", - "items": { - "type": "string" - }, - "order": 7 - }, - "dhcp.log": { - "type": "array", - "title": "DHCP", - "description": 
"DHCP", - "items": { - "type": "string" - }, - "order": 8 - }, - "dn3p.log": { - "type": "array", - "title": "DN3P", - "description": "DN3P", - "items": { - "type": "string" - }, - "order": 10 - }, - "dns.log": { - "type": "array", - "title": "DNS", - "description": "DNS", - "items": { - "type": "string" - }, - "order": 9 - }, - "dpd.log": { - "type": "array", - "title": "DPD", - "description": "DPD", - "items": { - "type": "string" - }, - "order": 11 - }, - "files.log": { - "type": "array", - "title": "Files", - "description": "Files", - "items": { - "type": "string" - }, - "order": 12 - }, - "ftp.log": { - "type": "array", - "title": "FTP", - "description": "FTP", - "items": { - "type": "string" - }, - "order": 13 - }, - "http.log": { - "type": "array", - "title": "HTTP", - "description": "HTTP", - "items": { - "type": "string" - }, - "order": 14 - }, - "intel.log": { - "type": "array", - "title": "Intel", - "description": "Intel", - "items": { - "type": "string" - }, - "order": 15 - }, - "irc.log": { - "type": "array", - "title": "IRC", - "description": "IRC", - "items": { - "type": "string" - }, - "order": 16 - }, - "kerberos.log": { - "type": "array", - "title": "Kerberos", - "description": "Kerberos", - "items": { - "type": "string" - }, - "order": 17 - }, - "known_certs.log": { - "type": "array", - "title": "Known Certs", - "description": "Known Certs", - "items": { - "type": "string" - }, - "order": 18 - }, - "known_devices.log": { - "type": "array", - "title": "Known Devices", - "description": "Known Devices", - "items": { - "type": "string" - }, - "order": 19 - }, - "known_hosts.log": { - "type": "array", - "title": "Known Hosts", - "description": "Known Hosts", - "items": { - "type": "string" - }, - "order": 20 - }, - "known_modbus.log": { - "type": "array", - "title": "Known Modbus", - "description": "Known Modbus", - "items": { - "type": "string" - }, - "order": 21 - }, - "known_services.log": { - "type": "array", - "title": "Known Services", - 
"description": "Known services", - "items": { - "type": "string" - }, - "order": 22 - }, - "loaded_scripts.log": { - "type": "array", - "title": "Loaded Scripts", - "description": "Loaded scripts", - "items": { - "type": "string" - }, - "order": 23 - }, - "modbus.log": { - "type": "array", - "title": "Modbus", - "description": "Modbus", - "items": { - "type": "string" - }, - "order": 24 - }, - "modbus_register_change.log": { - "type": "array", - "title": "Modbus Register Change", - "description": "Modbus register change", - "items": { - "type": "string" - }, - "order": 25 - }, - "mysql.log": { - "type": "array", - "title": "Mysql", - "description": "Mysql", - "items": { - "type": "string" - }, - "order": 26 - }, - "netcontrol.log": { - "type": "array", - "title": "Netcontrol", - "description": "Netcontrol", - "items": { - "type": "string" - }, - "order": 27 - }, - "netcontrol_catch_release.log": { - "type": "array", - "title": "Netcontrol Catch Release", - "description": "Netcontrol catch realease", - "items": { - "type": "string" - }, - "order": 30 - }, - "netcontrol_drop.log": { - "type": "array", - "title": "Netcontrol Drop", - "description": "Netcontrol drop", - "items": { - "type": "string" - }, - "order": 28 - }, - "netcontrol_shunt.log": { - "type": "array", - "title": "Netcontrol Shunt", - "description": "Netcontrol shunt", - "items": { - "type": "string" - }, - "order": 29 - }, - "notice.log": { - "type": "array", - "title": "Notice Log", - "description": "Notice log", - "items": { - "type": "string" - }, - "order": 31 - }, - "notice_alarm.log": { - "type": "array", - "title": "Notice Alarm", - "description": "Notice alarm", - "items": { - "type": "string" - }, - "order": 32 - }, - "ntlm.log": { - "type": "array", - "title": "NTLM", - "description": "NTLM", - "items": { - "type": "string" - }, - "order": 33 - }, - "openflow.log": { - "type": "array", - "title": "Openflow", - "description": "Openflow", - "items": { - "type": "string" - }, - "order": 34 - }, 
- "packet_filter.log": { - "type": "array", - "title": "Packet Filter", - "description": "Packet Filter", - "items": { - "type": "string" - }, - "order": 35 - }, - "pe.log": { - "type": "array", - "title": "PE", - "description": "PE", - "items": { - "type": "string" - }, - "order": 36 - }, - "prof.log": { - "type": "array", - "title": "Prof", - "description": "Prof", - "items": { - "type": "string" - }, - "order": 37 - }, - "radius.log": { - "type": "array", - "title": "Radius", - "description": "Radius", - "items": { - "type": "string" - }, - "order": 38 - }, - "rdp.log": { - "type": "array", - "title": "RDP", - "description": "RDP", - "items": { - "type": "string" - }, - "order": 39 - }, - "reporter.log": { - "type": "array", - "title": "Reporter", - "description": "Reporter", - "items": { - "type": "string" - }, - "order": 41 - }, - "rfb.log": { - "type": "array", - "title": "RFB", - "description": "RFB", - "items": { - "type": "string" - }, - "order": 40 - }, - "signatures.log": { - "type": "array", - "title": "Signatures", - "description": "Signatures", - "items": { - "type": "string" - }, - "order": 42 - }, - "sip.log": { - "type": "array", - "title": "SIP", - "description": "SIP", - "items": { - "type": "string" - }, - "order": 43 - }, - "smb.log": { - "type": "array", - "title": "SMB", - "description": "SMB", - "items": { - "type": "string" - }, - "order": 44 - }, - "smb_cmd.log": { - "type": "array", - "title": "SMB CMD", - "description": "SMB CMD", - "items": { - "type": "string" - }, - "order": 45 - }, - "smb_files.log": { - "type": "array", - "title": "SMB Files", - "description": "SMB Files", - "items": { - "type": "string" - }, - "order": 46 - }, - "smb_mapping.log": { - "type": "array", - "title": "SMB Mapping", - "description": "SMB Mapping", - "items": { - "type": "string" - }, - "order": 47 - }, - "smtp.log": { - "type": "array", - "title": "SMTP", - "description": "SMTP", - "items": { - "type": "string" - }, - "order": 48 - }, - "snmp.log": { - 
"type": "array", - "title": "SNMP", - "description": "SNMP", - "items": { - "type": "string" - }, - "order": 49 - }, - "socks.log": { - "type": "array", - "title": "Socks", - "description": "Socks", - "items": { - "type": "string" - }, - "order": 50 - }, - "software.log": { - "type": "array", - "title": "Software", - "description": "Software", - "items": { - "type": "string" - }, - "order": 51 - }, - "ssl.log": { - "type": "array", - "title": "SSL", - "description": "SSL", - "items": { - "type": "string" - }, - "order": 52 - }, - "stats.log": { - "type": "array", - "title": "Stats", - "description": "Stats", - "items": { - "type": "string" - }, - "order": 53 - }, - "stderr.log": { - "type": "array", - "title": "STDErr", - "description": "STDErr", - "items": { - "type": "string" - }, - "order": 55 - }, - "stdout.log": { - "type": "array", - "title": "STDOut", - "description": "STDOut", - "items": { - "type": "string" - }, - "order": 54 - }, - "syslog.log": { - "type": "array", - "title": "Syslog", - "description": "Syslog", - "items": { - "type": "string" - }, - "order": 56 - }, - "traceroute.log": { - "type": "array", - "title": "Trace Route", - "description": "Trace Route", - "items": { - "type": "string" - }, - "order": 57 - }, - "tunnel.log": { - "type": "array", - "title": "Tunnel", - "description": "Tunnel", - "items": { - "type": "string" - }, - "order": 58 - }, - "unified.log": { - "type": "array", - "title": "Unified", - "description": "Unified", - "items": { - "type": "string" - }, - "order": 59 - }, - "weird.log": { - "type": "array", - "title": "Weird", - "description": "Weird", - "items": { - "type": "string" - }, - "order": 60 - }, - "x509.log": { - "type": "array", - "title": "x509", - "description": "x509", - "items": { - "type": "string" - }, - "order": 61 - } - } - } - } -} - """) - - def __init__(self): - super(self.__class__, self).__init__(self.schema) 
diff --git a/plugins/try_bro/komand_try_bro/actions/run/__init__.py b/plugins/try_bro/komand_try_bro/actions/run/__init__.py
deleted file mode 100755
index 8aadb9fa9f..0000000000
--- a/plugins/try_bro/komand_try_bro/actions/run/__init__.py
+++ /dev/null
@@ -1,2 +0,0 @@
-# GENERATED BY KOMAND SDK - DO NOT EDIT
-from .action import Run
diff --git a/plugins/try_bro/komand_try_bro/actions/run/action.py b/plugins/try_bro/komand_try_bro/actions/run/action.py
deleted file mode 100644
index d51619b6b3..0000000000
--- a/plugins/try_bro/komand_try_bro/actions/run/action.py
+++ /dev/null
@@ -1,44 +0,0 @@
-import komand
-from .schema import RunInput, RunOutput
-
-# Custom imports below
-import json
-import base64
-import requests
-from komand_try_bro.util import utils
-
-
-class Run(komand.Action):
- def __init__(self):
- super(self.__class__, self).__init__(
- name="run", description="Upload PCAP file", input=RunInput(), output=RunOutput()
- )
-
- def run(self, params={}):
- server = self.connection.server
- pcap = base64.b64decode(params.get("pcap"))
- scripts = params.get("scripts")
- version = params.get("version", "master")
- if pcap:
- checksum = utils.maybe_upload_pcap(server, pcap, self.logger)
- else:
- raise Exception(cause="Error: No PCAP supplied")
- sources = utils.load_scripts(scripts, self.logger)
- self.logger.info("Run: Supplied Scripts: %s", sources)
- req = {"sources": sources, "version": version, "pcap": checksum}
- data = json.dumps(req)
- headers = {"Content-type": "application/json"}
- res = requests.post(server + "/run", data=data, headers=headers).json()
- if res["stdout"] != "":
- self.logger.info(res["stdout"])
- return {
- "id": res["job"],
- "url": "{server}/#/trybro/saved/{job}".format(server=server, job=res["job"]),
- }
-
- def test(self):
- server = self.connection.server
- res = requests.get(server)
- if res.status_code != 200:
- raise Exception(cause="Test: Unsuccessful HTTP status code returned")
- return {}
diff --git a/plugins/try_bro/komand_try_bro/actions/run/schema.py b/plugins/try_bro/komand_try_bro/actions/run/schema.py deleted file mode 100755 index 30d5fff69d..0000000000 --- a/plugins/try_bro/komand_try_bro/actions/run/schema.py +++ /dev/null @@ -1,99 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT -import komand -import json - - -class Component: - DESCRIPTION = "Upload PCAP file" - - -class Input: - PCAP = "pcap" - SCRIPTS = "scripts" - VERSION = "version" - - -class Output: - ID = "id" - URL = "url" - - -class RunInput(komand.Input): - schema = json.loads(""" - { - "type": "object", - "title": "Variables", - "properties": { - "pcap": { - "type": "string", - "title": "PCAP File", - "displayType": "bytes", - "description": "Base64 encoded PCAP file", - "format": "bytes", - "order": 1 - }, - "scripts": { - "type": "array", - "title": "Bro Scripts", - "description": "Base64 encoded Bro Scripts", - "items": { - "type": "string", - "displayType": "bytes", - "format": "bytes" - }, - "order": 2 - }, - "version": { - "type": "string", - "title": "Bro Version", - "description": "Bro Version", - "default": "master", - "enum": [ - "master", - "1.5", - "2.1", - "2.2", - "2.3.1", - "2.3.2", - "2.4", - "2.4.1", - "2.5", - "2.5.1" - ], - "order": 3 - } - }, - "required": [ - "pcap" - ] -} - """) - - def __init__(self): - super(self.__class__, self).__init__(self.schema) - - -class RunOutput(komand.Output): - schema = json.loads(""" - { - "type": "object", - "title": "Variables", - "properties": { - "id": { - "type": "string", - "title": "Job ID", - "description": "Job ID", - "order": 2 - }, - "url": { - "type": "string", - "title": "URL", - "description": "URL", - "order": 1 - } - } -} - """) - - def __init__(self): - super(self.__class__, self).__init__(self.schema) diff --git a/plugins/try_bro/komand_try_bro/connection/__init__.py b/plugins/try_bro/komand_try_bro/connection/__init__.py deleted file mode 100755 index a515dcf6b0..0000000000 
--- a/plugins/try_bro/komand_try_bro/connection/__init__.py +++ /dev/null @@ -1,2 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT -from .connection import Connection diff --git a/plugins/try_bro/komand_try_bro/connection/connection.py b/plugins/try_bro/komand_try_bro/connection/connection.py deleted file mode 100755 index 42b5bbea41..0000000000 --- a/plugins/try_bro/komand_try_bro/connection/connection.py +++ /dev/null @@ -1,13 +0,0 @@ -import komand -from .schema import ConnectionSchema - -# Custom imports below - - -class Connection(komand.Connection): - def __init__(self): - super(self.__class__, self).__init__(input=ConnectionSchema()) - self.server = None - - def connect(self, params): - self.server = params.get("server", "http://try.bro.org") diff --git a/plugins/try_bro/komand_try_bro/connection/schema.py b/plugins/try_bro/komand_try_bro/connection/schema.py deleted file mode 100755 index f6440fa71c..0000000000 --- a/plugins/try_bro/komand_try_bro/connection/schema.py +++ /dev/null @@ -1,31 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT -import komand -import json - - -class Input: - SERVER = "server" - - -class ConnectionSchema(komand.Input): - schema = json.loads(""" - { - "type": "object", - "title": "Variables", - "properties": { - "server": { - "type": "string", - "title": "Server", - "description": "Try Bro URL", - "default": "http://try.bro.org", - "order": 1 - } - }, - "required": [ - "server" - ] -} - """) - - def __init__(self): - super(self.__class__, self).__init__(self.schema) diff --git a/plugins/try_bro/komand_try_bro/triggers/__init__.py b/plugins/try_bro/komand_try_bro/triggers/__init__.py deleted file mode 100755 index bace8db897..0000000000 --- a/plugins/try_bro/komand_try_bro/triggers/__init__.py +++ /dev/null @@ -1 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT diff --git a/plugins/try_bro/komand_try_bro/util/__init__.py b/plugins/try_bro/komand_try_bro/util/__init__.py deleted file mode 100755 index bace8db897..0000000000 
--- a/plugins/try_bro/komand_try_bro/util/__init__.py
+++ /dev/null
@@ -1 +0,0 @@
-# GENERATED BY KOMAND SDK - DO NOT EDIT
diff --git a/plugins/try_bro/komand_try_bro/util/utils.py b/plugins/try_bro/komand_try_bro/util/utils.py
deleted file mode 100644
index 2941686961..0000000000
--- a/plugins/try_bro/komand_try_bro/util/utils.py
+++ /dev/null
@@ -1,48 +0,0 @@
-import komand
-import base64
-import hashlib
-import requests
-
-
-def load_scripts(scripts, log):
- # main.bro is required first file name
- # main.bro gets renamed to trybro.bro server side'''
- sources = []
- # Remove empty strings and None types so count is correct
- scripts = komand.helper.clean_list(scripts)
- script_count = len(scripts)
- log.info("LoadScripts: %i scripts found", script_count)
- if script_count != 0:
- for index, i in enumerate(scripts):
- script = base64.b64decode(i)
- if index == 0:
- name = "main.bro"
- else:
- name = i[0] + str(len(script)) + ".bro"
- sources.append({"name": name, "content": script})
- else:
- # Default to loading local.bro if no scripts provided
- log.info("LoadScripts: No scripts supplied, defaulting to local.bro")
- sources = [{"name": "main.bro", "content": "@load local.bro"}]
- return sources
-
-
-def md5(s):
- m = hashlib.md5() # noqa: B303
- m.update(s)
- return m.hexdigest()
-
-
-def maybe_upload_pcap(server, pcap, log):
- checksum = md5(pcap)
- log.info("MaybeUploadPcap: Checking for existing PCAP")
- is_exists = requests.get(server + "/pcap/" + checksum).json()["status"]
- if not is_exists:
- files = {"pcap": ("file.pcap", pcap)}
- log.info("MaybeUploadPcap: Uploading PCAP")
- status = requests.post(server + "/pcap/upload/" + checksum, files=files).json()["status"]
- assert status # noqa: B101
- else:
- log.info("MaybeUploadPcap: PCAP already exists, not uploading")
-
- return checksum
diff --git a/plugins/try_bro/plugin.spec.yaml b/plugins/try_bro/plugin.spec.yaml
deleted file mode 100644
index 8724e261d4..0000000000
--- a/plugins/try_bro/plugin.spec.yaml
+++ /dev/null
@@ -1,395 +0,0 @@ -plugin_spec_version: v2 -extension: plugin -products: [insightconnect] -name: try_bro -title: Try Bro -description: Upload PCAP files to an instance of Bro Network Security Monitor for analysis and access to Bro logs -version: 1.0.2 -vendor: rapid7 -support: community -status: [] -resources: - source_url: https://github.com/rapid7/insightconnect-plugins/tree/master/plugins/try_bro - license_url: https://github.com/rapid7/insightconnect-plugins/blob/master/LICENSE - vendor_url: https://www.bro.org -tags: -- bro -- nsm -- pcap -- ids -hub_tags: - use_cases: [threat_detection_and_response] - keywords: [bro, nsm, pcap, ids] - features: [] -enable_cache: false -connection: - server: - title: Server - type: string - description: Try Bro URL - default: http://try.bro.org - required: true -types: - files: - app_stats.log: - title: App Stats - type: '[]string' - description: App stats - required: false - barnyard2.log: - title: Barnyard2 - type: '[]string' - description: Barnyard2 - required: false - capture_loss.log: - title: Capture Loss - type: '[]string' - description: Capture loss - required: false - cluster.log: - title: Cluster - type: '[]string' - description: Cluster - required: false - conn.log: - title: Conn - type: '[]string' - description: Conn - required: false - communication.log: - title: Communication - type: '[]string' - description: Communication - required: false - dce_rpc.log: - title: DCE RPC - type: '[]string' - description: DCE RPC - required: false - dhcp.log: - title: DHCP - type: '[]string' - description: DHCP - required: false - dns.log: - title: DNS - type: '[]string' - description: DNS - required: false - dn3p.log: - title: DN3P - type: '[]string' - description: DN3P - required: false - dpd.log: - title: DPD - type: '[]string' - description: DPD - required: false - files.log: - title: Files - type: '[]string' - description: Files - required: false - ftp.log: - title: FTP - type: '[]string' - description: FTP - required: false 
- http.log: - title: HTTP - type: '[]string' - description: HTTP - required: false - intel.log: - title: Intel - type: '[]string' - description: Intel - required: false - irc.log: - title: IRC - type: '[]string' - description: IRC - required: false - kerberos.log: - title: Kerberos - type: '[]string' - description: Kerberos - required: false - known_certs.log: - title: Known Certs - type: '[]string' - description: Known Certs - required: false - known_devices.log: - title: Known Devices - type: '[]string' - description: Known Devices - required: false - known_hosts.log: - title: Known Hosts - type: '[]string' - description: Known Hosts - required: false - known_modbus.log: - title: Known Modbus - type: '[]string' - description: Known Modbus - required: false - known_services.log: - title: Known Services - type: '[]string' - description: Known services - required: false - loaded_scripts.log: - title: Loaded Scripts - type: '[]string' - description: Loaded scripts - required: false - modbus.log: - title: Modbus - type: '[]string' - description: Modbus - modbus_register_change.log: - title: Modbus Register Change - type: '[]string' - description: Modbus register change - required: false - mysql.log: - title: Mysql - type: '[]string' - description: Mysql - required: false - netcontrol.log: - title: Netcontrol - type: '[]string' - description: Netcontrol - required: false - netcontrol_drop.log: - title: Netcontrol Drop - type: '[]string' - description: Netcontrol drop - required: false - netcontrol_shunt.log: - title: Netcontrol Shunt - type: '[]string' - description: Netcontrol shunt - required: false - netcontrol_catch_release.log: - title: Netcontrol Catch Release - type: '[]string' - description: Netcontrol catch realease - required: false - notice.log: - title: Notice Log - type: '[]string' - description: Notice log - required: false - notice_alarm.log: - title: Notice Alarm - type: '[]string' - description: Notice alarm - required: false - ntlm.log: - title: NTLM 
- type: '[]string' - description: NTLM - required: false - openflow.log: - title: Openflow - type: '[]string' - description: Openflow - required: false - packet_filter.log: - title: Packet Filter - type: '[]string' - description: Packet Filter - required: false - pe.log: - title: PE - type: '[]string' - description: PE - required: false - prof.log: - title: Prof - type: '[]string' - description: Prof - required: false - radius.log: - title: Radius - type: '[]string' - description: Radius - required: false - rdp.log: - title: RDP - type: '[]string' - description: RDP - required: false - rfb.log: - title: RFB - type: '[]string' - description: RFB - required: false - reporter.log: - title: Reporter - type: '[]string' - description: Reporter - required: false - signatures.log: - title: Signatures - type: '[]string' - description: Signatures - required: false - sip.log: - title: SIP - type: '[]string' - description: SIP - required: false - smb.log: - title: SMB - type: '[]string' - description: SMB - required: false - smb_cmd.log: - title: SMB CMD - type: '[]string' - description: SMB CMD - required: false - smb_files.log: - title: SMB Files - type: '[]string' - description: SMB Files - required: false - smb_mapping.log: - title: SMB Mapping - type: '[]string' - description: SMB Mapping - required: false - smtp.log: - title: SMTP - type: '[]string' - description: SMTP - required: false - snmp.log: - title: SNMP - type: '[]string' - description: SNMP - required: false - socks.log: - title: Socks - type: '[]string' - description: Socks - required: false - software.log: - title: Software - type: '[]string' - description: Software - required: false - ssl.log: - title: SSL - type: '[]string' - description: SSL - required: false - stats.log: - title: Stats - type: '[]string' - description: Stats - required: false - stdout.log: - title: STDOut - type: '[]string' - description: STDOut - required: false - stderr.log: - title: STDErr - type: '[]string' - description: STDErr - 
required: false - syslog.log: - title: Syslog - type: '[]string' - description: Syslog - required: false - traceroute.log: - title: Trace Route - type: '[]string' - description: Trace Route - required: false - tunnel.log: - title: Tunnel - type: '[]string' - description: Tunnel - required: false - unified.log: - title: Unified - type: '[]string' - description: Unified - required: false - weird.log: - title: Weird - type: '[]string' - description: Weird - required: false - x509.log: - title: x509 - type: '[]string' - description: x509 - required: false -actions: - run: - title: Upload PCAP - description: Upload PCAP file - input: - pcap: - title: PCAP File - description: Base64 encoded PCAP file - type: bytes - required: true - scripts: - title: Bro Scripts - description: Base64 encoded Bro Scripts - type: '[]bytes' - required: false - version: - title: Bro Version - enum: - - master - - '1.5' - - '2.1' - - '2.2' - - 2.3.1 - - 2.3.2 - - '2.4' - - 2.4.1 - - '2.5' - - 2.5.1 - default: master - description: Bro Version - type: string - required: false - output: - url: - title: URL - type: string - description: URL - required: false - id: - title: Job ID - type: string - description: Job ID - required: false - files: - title: Get Bro Logs - description: Get logs by ID - input: - job: - title: Job Number - type: string - description: Job Number - required: false - output: - files: - title: Bro Log Files - type: files - description: Bro Log Files - required: false diff --git a/plugins/try_bro/requirements.txt b/plugins/try_bro/requirements.txt deleted file mode 100755 index d0674c75e2..0000000000 --- a/plugins/try_bro/requirements.txt +++ /dev/null @@ -1,3 +0,0 @@ -# List third-party dependencies here, separated by newlines. -# All dependencies must be version-pinned, eg. requests==1.2.0 -# See: https://pip.pypa.io/en/stable/user_guide/#requirements-files \ No newline at end of file 
diff --git a/plugins/try_bro/setup.py b/plugins/try_bro/setup.py deleted file mode 100755 index 5f608d2d51..0000000000 --- a/plugins/try_bro/setup.py +++ /dev/null @@ -1,14 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT -from setuptools import setup, find_packages - - -setup(name='try_bro-rapid7-plugin', - version='1.0.2', - description='Upload PCAP files to an instance of Bro Network Security Monitor for analysis and access to Bro logs', - author='rapid7', - author_email='', - url='', - packages=find_packages(), - install_requires=['komand'], # Add third-party dependencies to requirements.txt, not here! - scripts=['bin/komand_try_bro'] - )