deepsecurity 0.0.13hf1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/.gitignore +25 -0
- data/.yardopts +4 -0
- data/Gemfile +4 -0
- data/LICENSE +22 -0
- data/README.md +29 -0
- data/Rakefile +2 -0
- data/bin/dsc +186 -0
- data/deepsecurity.gemspec +30 -0
- data/lib/deepsecurity/ds_object.rb +37 -0
- data/lib/deepsecurity/enums.rb +539 -0
- data/lib/deepsecurity/exceptions/authentication_failed_exception.rb +7 -0
- data/lib/deepsecurity/exceptions/authentication_required_exception.rb +6 -0
- data/lib/deepsecurity/manager.rb +223 -0
- data/lib/deepsecurity/screenscraping.rb +149 -0
- data/lib/deepsecurity/transport_object.rb +21 -0
- data/lib/deepsecurity/transport_objects/anti_malware_event.rb +106 -0
- data/lib/deepsecurity/transport_objects/anti_malware_spyware_item.rb +32 -0
- data/lib/deepsecurity/transport_objects/application_type.rb +58 -0
- data/lib/deepsecurity/transport_objects/dpi_rule.rb +113 -0
- data/lib/deepsecurity/transport_objects/host.rb +171 -0
- data/lib/deepsecurity/transport_objects/host_detail.rb +167 -0
- data/lib/deepsecurity/transport_objects/host_filter.rb +62 -0
- data/lib/deepsecurity/transport_objects/host_group.rb +41 -0
- data/lib/deepsecurity/transport_objects/host_interface.rb +42 -0
- data/lib/deepsecurity/transport_objects/id_filter.rb +37 -0
- data/lib/deepsecurity/transport_objects/private/vulnerability.rb +52 -0
- data/lib/deepsecurity/transport_objects/protocol_icmp.rb +13 -0
- data/lib/deepsecurity/transport_objects/protocol_port_based.rb +11 -0
- data/lib/deepsecurity/transport_objects/security_profile.rb +90 -0
- data/lib/deepsecurity/transport_objects/system_event.rb +45 -0
- data/lib/deepsecurity/transport_objects/time_filter.rb +55 -0
- data/lib/deepsecurity/version.rb +3 -0
- data/lib/deepsecurity.rb +58 -0
- data/lib/dsc/anti_malware_event.rb +101 -0
- data/lib/dsc/dsc_object.rb +41 -0
- data/lib/dsc/helper.rb +48 -0
- data/lib/dsc/host_detail.rb +62 -0
- data/lib/dsc.rb +6 -0
- data/lib/dsc_version.rb +3 -0
- data/lib/savon_helper/caching_object.rb +48 -0
- data/lib/savon_helper/mapping_object.rb +421 -0
- data/lib/savon_helper/missing_type_mapping_exception.rb +11 -0
- data/lib/savon_helper/soap_exception.rb +7 -0
- data/lib/savon_helper/type_mappings.rb +218 -0
- data/lib/savon_helper.rb +7 -0
- metadata +188 -0
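--- a/data/lib/deepsecurity/manager.rb
+++ b/data/lib/deepsecurity/manager.rb
@@ -0,0 +1,223 @@
+# @author Udo Schneider <Udo.Schneider@homeaddress.de>
+
+require "savon"
+require "cache"
+# require "httpi"
+require "logger"
+# require "yaml"
+
+module DeepSecurity
+
+LOG_MAPPING = {
+:debug => Logger::DEBUG,
+:info => Logger::INFO,
+:warn => Logger::WARN,
+:error => Logger::ERROR,
+:fatal => Logger::FATAL
+}
+
+# This class represents the DeepSecurity Manager. It's the entry point for all further actions
+class Manager <DSObject
+
+@@current = nil
+
+def self.current
+@@current
+end
+
+def reset
+@@current = nil
+end
+
+# Obtain a new wrapper around the DeepSecurity Manager SOAP API.
+def initialize(hostname, port=4119, log_level)
+@hostname = hostname
+@port = port
+super()
+@client = Savon.client(:wsdl => "https://#{hostname}:#{port}/webservice/Manager?WSDL",
+:convert_request_keys_to => :none, # or one of [:lower_camelcase, :upcase, :none]
+:ssl_verify_mode => :none,
+:logger => logger,
+:log_level => log_level,
+:log => (!log_level.nil?))
+end
+
+# @!group Request Helper
+
+# Send an authenticated WebUI Request to the Server for URL +url and return the response body
+def send_authenticated_http_get(path)
+logger.debug { "#{self.class}\##{__method__}(#{path.inspect})" }
+url = "https://#{@hostname}:#{@port}#{path}"
+request = HTTPI::Request.new(url)
+request.auth.ssl.verify_mode = :none
+request.headers = {
+"Cookie" => "sID=#{@sID}"
+}
+request.gzip
+response = HTTPI.get request
+response.body
+end
+
+# Send an authenticated WebUI Request to the Server for URL +url and return the response body
+def send_authenticated_http_post(path, body)
+logger.debug { "#{self.class}\##{__method__}(#{path.inspect})" }
+url = "https://#{@hostname}:#{@port}#{path}"
+request = HTTPI::Request.new(url)
+request.auth.ssl.verify_mode = :none
+request.headers = {
+"Cookie" => "sID=#{@sID}",
+"Content-Type" => "application/x-www-form-urlencoded"
+}
+request.gzip
+request.body = body
+response = HTTPI.post request
+response.body
+end
+
+# @!endgroup
+
+# @!group Caching
+
+def cache
+@cache ||= Cache.new(nil, nil, 10000, 5*60)
+end
+
+# @!endgroup
+
+public
+
+# @!group High-Level SOAP Wrapper
+
+# Retrieves the Manager Web Service API version. Not the same as the Manager version.
+# @return [Integer] The Web Service API version.
+def api_version
+dsm.getApiVersion()
+end
+
+# Retrieve the Manager Web Service API version. Not the same as the Manager version.
+# @return [Time] Manager time as a language localized object.
+def manager_time
+dsm.getManagerTime()
+end
+
+# Set connection parameters
+# @param [String] hostname host to connect to
+# @param [Integer] port port to connect to
+# @param [LOG_MAPPING] log_level Log Level
+def self.server(hostname, port=4119, log_level=nil)
+dsm = self.new(hostname, port, log_level)
+dsm.logger.level = LOG_MAPPING[log_level] unless log_level.nil?
+@@current = dsm
+end
+
+# Authenticates a user within the given tenant, and returns a session ID for use when calling other methods of Manager. When no longer required, the session should be terminated by calling endSession.
+# @param [String] tenant
+# @param [String] username
+# @param [String] password
+# @return [Manager] The current manager
+def connect(tenant, username, password)
+@sID = tenant.blank? ? authenticate(username, password) : authenticate_tenant(tenant, username, password)
+dsm
+rescue Savon::SOAPFault => error
+raise AuthenticationFailedException.new(error.to_hash[:fault][:detail][:exception_name].to_s)
+end
+
+# Ends an authenticated user session. The Web Service client should end the authentication session in all exit cases.
+# @return [void]
+def disconnect
+dsm.end_session() if authenticated?
+dsm.reset
+nil
+end
+
+# @!endgroup
+
+# @!group Low-Level SOAP Wrapper
+
+# Retrieves the Manager Web Service API version. Not the same as the Manager version.
+#
+# SYNTAX
+# int getApiVersion()
+#
+# PARAMETERS
+#
+# RETURNS
+# The Web Service API version.
+def getApiVersion
+send_soap(:get_api_version).to_i
+end
+
+# Retrieve the Manager Web Service API version. Not the same as the Manager version.
+#
+# SYNTAX
+# getManagerTime()
+#
+# PARAMETERS
+#
+# RETURNS
+# Manager time as a language localized object. For example, a Java client would return a Calendar object, and a C# client would return a DataTime object.
+def getManagerTime
+Time.parse(send_soap(:get_manager_time))
+end
+
+# Authenticates a user for and returns a session ID for use when calling other Web Service methods.
+#
+# SYNTAX
+# String authenticate(String username, String password)
+#
+# PARAMETERS
+# username Account username.
+# password Account password.
+#
+# RETURNS
+# Authenticated user session ID.
+def authenticate(username, password)
+send_soap(:authenticate, {:username => username, :password => password}).to_s
+end
+
+# Authenticates a user within the given tenant, and returns a session ID for use when calling other methods of Manager. When no longer required, the session should be terminated by calling endSession.
+#
+# SYNTAX
+# String authenticateTenant(String tenantName, String username, String password)
+#
+# PARAMETERS
+# tenantName Tenant Name.
+# username Account username.
+# password Account password.
+#
+# RETURNS
+# Authenticated user session ID.
+def authenticate_tenant(tenantName, username, password)
+send_soap(:authenticate_tenant, {:tenantName => tenantName, :username => username, :password => password}).to_s
+end
+
+# Ends an authenticated user session. The Web Service client should end the authentication session in all exit cases.
+#
+# SYNTAX
+# void endSession(String sID)
+#
+# PARAMETERS
+# sID Authentication session identifier ID.
+# RETURNS
+def end_session(sID = dsm.sID)
+send_soap(:end_session, :sID => sID)
+end
+
+# @!endgroup
+
+# Check if the session has been authenticated.
+def authenticated?
+!@sID.nil?
+end
+
+def sID
+raise DeepSecurity::AuthenticationRequiredException unless authenticated?
+@sID
+end
+
+def client
+@client
+end
+
+end
+end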
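Review bot: TLS server verification is switched off in three places — `:ssl_verify_mode => :none` in the Savon client built in `initialize` (line 39) and `request.auth.ssl.verify_mode = :none` in both `send_authenticated_http_get` (line 52) and `send_authenticated_http_post` (line 66) — so the username/password sent by `authenticate`/`authenticate_tenant` and the `sID` cookie go to whatever answers on `hostname:port` without the peer ever being authenticated. Keep verification on by default (`:ssl_verify_mode => :peer`, `verify_mode = :peer`) and let callers opt out explicitly, e.g. via a `verify_ssl` option on `self.server` that is passed through to the three call sites. A second point in `initialize`: `:log => (!log_level.nil?)` turns on Savon request logging whenever a log level is given, and at debug level the `authenticate` request body, password included, ends up in the log; Savon's `:filters => [:password]` option redacts that element and should accompany the `:log` setting. Minor: `initialize(hostname, port=4119, log_level)` puts a required parameter after an optional one, which is legal but surprising; `self.server` is the only visible caller and always passes all three.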
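--- a/data/lib/deepsecurity/screenscraping.rb
+++ b/data/lib/deepsecurity/screenscraping.rb
@@ -0,0 +1,149 @@
+# require "hpricot"
+
+module DeepSecurity
+class Manager
+
+private
+
+# Helper Method: Clean up any HTML remnants (e.g. )
+def clean_html_string(string)
+string.
+inner_text.
+gsub(/\s+/, " ").
+strip
+end
+
+# Helper Method: Convert header string to camel cased symbol
+def symbolize_header(string)
+string.
+gsub(/::/, '/').
+gsub(/([A-Z]+)([A-Z][a-z])/, '\1_\2').
+gsub(/([a-z\d])([A-Z])/, '\1_\2').
+gsub(/\s+/, "_").
+tr("-", "_").
+downcase.
+to_sym
+end
+
+# Fetch the given +action+ with +parameters+. Post the result with settings changed according to +settings+
+def post_setting(action, parameters, settings)
+parameters_string = URI.escape(parameters.map { |key, value| "#{key}=#{value}" }.join("&"))
+path = "/#{action}?#{parameters_string}"
+body = send_authenticated_http_get(path)
+
+doc = Hpricot(body)
+form_values = {}
+doc.search("input").each do |input|
+type = input["type"]
+unless type == "button" || type == "submit"
+form_values[input['name']] = input['value'] unless input['name'].blank?
+end
+end
+
+form_values = form_values.merge(settings)
+
+action = doc.search("form#mainForm").first["action"]
+parameters_string = URI.encode_www_form(form_values)
+path = "/#{action}"
+send_authenticated_http_post(path, parameters_string)
+end
+
+# Enable display of DPI rules "type" for a given host
+def payload_filters2_show_rules(host_id, type)
+post_setting("PayloadFilter2s.screen", {
+"hostID" => host_id,
+"noSearch" => true,
+"hideStandardHeader" => true
+}, {
+"command" => "CHANGEASSIGNFILTER",
+"arguments" => type}
+)
+end
+
+# Enable vulnerability columns in DPI rules display
+def payload_filters2_enable_vulnerability_columns
+
+action = "AddRemoveColumns.screen"
+parameters = {
+:screenSettingKey => "payloadFilter2s.",
+:columnDisplayNames => %w[ payloadFilter2s.column.cve payloadFilter2s.column.secunia payloadFilter2s.column.bugtraq payloadFilter2s.column.ms ].join(","),
+:columnAdminSettingNames => %w[ summaryCVE summarySECUNIA summaryBUGTRAQ summaryMS ].join(",")
+}
+settings = {
+"summaryCVE" => true,
+"summarySECUNIA" => true,
+"summaryBUGTRAQ" => true,
+"summaryMS" => true
+}
+
+post_setting(action, parameters, settings)
+
+end
+
+# Retrieve DPI rules
+def payload_filters2(optional_parameters = {})
+
+num_rules = nil
+rules = []
+column_mapping = Hash.new()
+while num_rules.nil? || rules.count < num_rules
+
+mainTableViewState = ["",
+"controlCheck,after=[NONE]",
+"icon,after=controlCheck",
+"summaryConnectionType,after=icon",
+"fullName,after=summaryConnectionType",
+"summaryPriority,after=fullName",
+"summarySeverityHTML,after=summaryPriority",
+"summaryMode,after=summarySeverityHTML",
+"summaryType,after=summaryMode",
+"summaryCVE,after=summaryType",
+"summarySECUNIA,after=summaryCVE",
+"summaryBUGTRAQ,after=summarySECUNIA",
+"summaryMS,after=summaryBUGTRAQ",
+"summaryCvssScore,after=summaryMS",
+"summaryIssued,after=summaryCvssScore"]
+
+parameters = {
+:paging_offset => rules.count
+}
+parameters_string = (parameters.merge(optional_parameters).map { |k, v| "#{k}=#{v}" }).join("&")
+
+path = "/PayloadFilter2s.screen?#{parameters_string}"
+body = send_authenticated_http_get(path)
+doc = Hpricot(body)
+
+if num_rules.nil?
+num_rules = doc.search("td.paging_text").inner_text.split(/\s+/)[-1]
+if !num_rules.nil?
+num_rules = num_rules.scan(/\d/).join.to_i
+else
+num_rules = 0
+end
+end
+
+if column_mapping.empty?
+doc.
+search("#mainTable_header_table td:not(.datatable_resizer)").
+map { |each| clean_html_string(each)[0..-2] }.
+each_with_index { |each, index| column_mapping[each]=index unless each.blank? }
+end
+
+doc.search("#mainTable_rows_table tr") do |row|
+column_cells = row.
+search("td").
+map { |each| clean_html_string(each) }
+rule = Hash.new()
+column_mapping.each do |k, v|
+rule[symbolize_header(k)]=column_cells[v]
+end
+rules.push(rule)
+end
+end
+rules
+
+
+end
+
+end
+end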
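Review bot: `payload_filters2` can spin forever: the `while num_rules.nil? || rules.count < num_rules` loop (line 89) only terminates when rows accumulate, so a page that yields no `#mainTable_rows_table tr` rows — changed markup, or an expired session answered with a login page — repeats the same request indefinitely; take `before = rules.count` at the top of the iteration and `break if rules.count == before` after the row loop. The GET query strings in `post_setting` (line 30) and `payload_filters2` (line 110) are built by interpolating `"#{k}=#{v}"` and, on line 30, passing through `URI.escape`, which neither escapes `&`/`=` inside values nor exists on Ruby 3.0+ where it was removed; the POST body already uses `URI.encode_www_form`, so `parameters_string = URI.encode_www_form(parameters)` on both lines keeps the three call sites consistent. `doc.search("form#mainForm").first["action"]` on line 45 raises `NoMethodError` on `nil` when the form is absent, which is the likeliest failure mode of scraping an HTML page, and deserves a clearer error. `mainTableViewState` (line 91) is assigned and never read.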
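--- a/data/lib/deepsecurity/transport_object.rb
+++ b/data/lib/deepsecurity/transport_object.rb
@@ -0,0 +1,21 @@
+# @author Udo Schneider <Udo.Schneider@homeaddress.de>
+
+module DeepSecurity
+
+# @abstract
+# Transport objects are modeled after Deep Security Manager web interface objects and configuration groups. These
+# transport objects can be constructed as new or retrieved from the Manager by calling the appropriate web method.
+#
+# A Web Service definition may declare object classes that inherit properties from other base object classes, so only
+# the relevant object classes are covered in this section. If during development, you encounter any WSDL-defined
+# object classes that are not documented, they are likely inherited base object classes or response object classes
+# that are not directly used by any Web Methods and do not have any direct value.
+#
+# @note
+# It defines it's own DSL to specify attributes, caching and operation. This allows you to completely hide the
+# type-conversion needed by Savon behind a regular Ruby object.
+class TransportObject < DSObject
+
+end
+
+end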
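--- a/data/lib/deepsecurity/transport_objects/anti_malware_event.rb
+++ b/data/lib/deepsecurity/transport_objects/anti_malware_event.rb
@@ -0,0 +1,106 @@
+# @author Udo Schneider <Udo.Schneider@homeaddress.de>
+
+module DeepSecurity
+
+# Represents an Anti-Malware event
+class AntiMalwareEvent < TransportObject
+
+attr_integer_accessor :anti_malware_config_id,
+'The ID of the Anti-Malware configuration this event corresponds to'
+attr_integer_accessor :anti_malware_event_id,
+'The ID of the event'
+attr_datetime_accessor :end_time,
+'Endtime of this event if it was repeated multiple times (not currently used)'
+attr_integer_accessor :error_code,
+'The VSAPI error code indicates the reason of the actions of failure'
+attr_integer_accessor :host_id,
+'The host ID this event corresponds to'
+attr_string_accessor :infected_file_path,
+'The infected file full path'
+attr_string_accessor :infection_source,
+'The source computer of the infection'
+attr_datetime_accessor :log_date,
+'The time this event occured'
+attr_string_accessor :malware_name,
+'The name of the malware'
+attr_enum_accessor :malware_type,
+EnumMalwareType,
+'The type of the malware'
+attr_integer_accessor :protocol,
+'The protocols: Local Files(0), Network shared folder(1), etc. However currently the Agent only support local files'
+attr_integer_accessor :quarantine_record_id,
+'The ID of the quarantined file, if a file was quarantined as a result of this event.'
+attr_integer_accessor :scan_result_action1,
+'The first action performed'
+attr_integer_accessor :scan_result_action2,
+'The second action performed'
+attr_enum_accessor :scan_type,
+EnumAntiMalwareScanType,
+'Type of scan this event was captured under'
+array_object_accessor :spyware_items,
+AntiMalwareSpywareItem,
+'An array of spyware items associated with this event'
+attr_datetime_accessor :start_time,
+'Starttime of this event if it was repeated multiple times (not currently used)'
+attr_string_accessor :tags,
+'Any tags associated with this event'
+attr_integer_accessor :scan_action1
+attr_integer_accessor :scan_action2
+attr_string_accessor :summary_scan_result
+
+
+hint_object_accessor :host,
+Host,
+'The host this event corresponds to'
+
+
+# cache_by_aspect :id, :name
+
+# @!group High-Level SOAP Wrapper
+
+# Return all AntiMalware events matching the filter
+# @param [TimeFilter] time_filter
+# @param [HostFilter] host_filter
+# @param [IDFilter] event_id_filter
+# @return [Array<AntiMalwareEvent>]
+def self.find_all(time_filter, host_filter, event_id_filter)
+dsm.antiMalwareEventRetrieve(time_filter, host_filter, event_id_filter)
+end
+
+def host
+Host.find_by_id(host_id)
+end
+# @!endgroup
+
+end
+
+class Manager
+
+# @!group Low-Level SOAP Wrapper
+
+# Retrieves the AntiMalware events specified by the time and host filter.
+#
+# SYNTAX
+# public AntiMalwareEventListTransport antiMalwareEventRetrieve(TimeFilterTransport timeFilter HostFilterTransport hostFilter, IDFilterTransport eventIdFilter, String sID)
+#
+# PARAMETERS
+# timeFilter Restricts the retrieved events by time.
+# hostFilter Restricts the retrieved events by host, group, or security profile.
+# eventIdFilter Restricts the retrieved events by event id.
+# sID Authentication session identifier ID.
+#
+# RETURNS
+# AntiMalwareEventListTransport object.
+def antiMalwareEventRetrieve(timeFilter, hostFilter, eventIdFilter, sID = dsm.sID)
+request_array(:anti_malware_event_retrieve, AntiMalwareEvent, :anti_malware_events,
+:timeFilter => timeFilter.to_savon_data,
+:hostFilter => hostFilter.to_savon_data,
+:eventIdFilter => eventIdFilter.to_savon_data,
+:sID => sID)
+end
+
+# @!endgroup
+
+end
+
+end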
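Review bot: `def host` on line 70 redefines the reader that `hint_object_accessor :host, Host, ...` on line 52 presumably generates, so whatever that DSL macro sets up for `host` is silently replaced by `Host.find_by_id(host_id)`; if the override is intended, either drop the macro or mark the method with a comment such as `# Overrides the hint accessor: resolve the host lazily through host_id`. In `Manager#antiMalwareEventRetrieve` (line 94) every filter is passed through `.to_savon_data` with no nil guard, so a caller that omits a filter gets a bare `NoMethodError` on `nil` rather than an unrestricted query; since the YARD on `find_all` types each parameter as a filter object, add `# All three filters are required; pass an empty filter rather than nil.` to both methods, or fail early with an `ArgumentError`. The SYNTAX line (line 84) is missing the comma between `timeFilter` and `HostFilterTransport`, and `occured` on line 23 should read `occurred`.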
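--- a/data/lib/deepsecurity/transport_objects/anti_malware_spyware_item.rb
+++ b/data/lib/deepsecurity/transport_objects/anti_malware_spyware_item.rb
@@ -0,0 +1,32 @@
+module DeepSecurity
+
+class AntiMalwareSpywareItem < TransportObject
+
+# Represents an Anti-Malware spyware event and contains all properties that belong to the event.
+
+attr_integer_accessor :anti_malware_quarantined_file_id,
+"If a file was quarantined as a result of the event, this will contain the ID of the quarantined file"
+attr_integer_accessor :anti_malware_spyware_item_id,
+"If a this event was the result of spyware, this will point at the ID of the spyware item"
+attr_integer_accessor :host_id,
+"The host ID this event corresponds to"
+attr_string_accessor :object_info,
+"File-path, registry key, process name...etc"
+attr_integer_accessor :object_type,
+"Type identifier for Process, Cookies, File System, System Registry, Shortcut Link, Host File, Other"
+attr_integer_accessor :risk_level,
+"Risk level gauge Very Low (0), Low (25), Medium(50), High(75), Very High(100)"
+attr_integer_accessor :scan_action,
+"Scan Action: The action taken upon each spyware items: Pass (1), Delete (2), Quarantined (3), Clean (4), Deny Access (5)"
+attr_integer_accessor :scan_result_action,
+"Represent whether the action is successful (0) or failed (Error Code)"
+attr_integer_accessor :spyware_type,
+"Type identifier for Adware, Cookie, Dialer, Keylogger, Trojan, Worm, Downloader, et"
+
+
+# cache_by_aspect :id, :name
+
+
+end
+
+end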
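Review bot: the class description on line 5 sits inside the class body, after `class AntiMalwareSpywareItem < TransportObject`, so YARD will not attach it to the class the way it does for the sibling transport objects, which place the comment directly above the `class` line; move it above line 3 and add the `# @author` header the other files carry. The `spyware_type` description on line 24 ends in a truncated `et` — presumably `etc.` — and `"If a this event"` on line 10 has a stray `a`.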
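--- a/data/lib/deepsecurity/transport_objects/application_type.rb
+++ b/data/lib/deepsecurity/transport_objects/application_type.rb
@@ -0,0 +1,58 @@
+module DeepSecurity
+
+# Represents an Application Type that reflects some network attributes to which DPI rules are assigned. The DPI engine
+# will determine if a DPI rule should apply to a connection based on the assigned Application Type network attributes.
+class ApplicationType < TransportObject
+
+attr_integer_accessor :id,
+"ApplicationTypeTransport ID"
+attr_string_accessor :description,
+"ApplicationTypeTransport description"
+attr_string_accessor :name,
+"ApplicationTypeTransport name"
+attr_string_accessor :tbuid,
+"Internal TBUID of a Trend Micro issued Application Type"
+attr_enum_accessor :direction,
+EnumDirection,
+'The initial direction of the connection which this ApplicationTypeTransport would apply, e.g., INCOMING, OUTGOING. Depending on whether the application type is a server or client, the initial direction of the connection to inspect would either be INCOMING for a server, or OUTGOING for a client. E.g. Inspection of "Web Server Common" Application Type for a connection stream on TCP port 80 would be initially an INCOMING direction because incoming Web Server connections should be inspected'
+attr_boolean_accessor :ignore_recommendations,
+"Whether the Recommendation Engine should ignore this rule"
+attr_object_accessor :protocol_icmp,
+ProtocolICMP,
+"ApplicationTypeTransport protocol ICMP type"
+attr_object_accessor :protocol_port_based,
+ProtocolPortBased,
+'ApplicationTypeTransport protocol Port type'
+attr_enum_accessor :protocol_type,
+EnumApplicationTypeProtocolType,
+'ApplicationTypeTransport protocol Application type, e.g., UCMP, TCP, UDP, TCP_UDP'
+attr_boolean_accessor :authoritative,
+'Whether the rule is an internal read only Trend Micro rule'
+
+cache_by_aspect :id, :name
+
+end
+
+class Manager
+
+def application_types
+cache.fetch(ApplicationType.cache_key(:all, :all)) do
+request_array("application_type_retrieve_all", ApplicationType)
+end
+end
+
+def application_type(id)
+cache.fetch(ApplicationType.cache_key(:id, id)) do
+request_object("application_type_retrieve", ApplicationType, {:id => id})
+end
+end
+
+def application_type_by_name(name)
+cache.fetch(ApplicationType.cache_key(:name, name)) do
+request_object("application_type_retrieve_by_name", ApplicationType, {:name => name})
+end
+end
+
+end
+
+end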
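Review bot: the three `Manager` methods (lines 38–54) pass the SOAP operation as a string — `"application_type_retrieve_all"`, `"application_type_retrieve"`, `"application_type_retrieve_by_name"` — while the `Manager` method in anti_malware_event.rb and the ones in manager.rb pass symbols (`:anti_malware_event_retrieve`, `:get_api_version`); unless `request_array`/`request_object` normalise the name, use symbols here too so the operation names are looked up the same way everywhere. None of the three methods carries YARD, unlike the rest of the `Manager` API; something like `# @return [Array<ApplicationType>] all application types, served from the 5-minute cache when present` on `application_types` and `# @return [ApplicationType, nil]` on the two lookups would match the file's documentation style. Also worth a one-line comment: the cache is keyed only by `cache_key(:id, id)` / `cache_key(:name, name)`, so a lookup made before a manager-side change will keep returning the stale object until the TTL expires.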