deepsecurity 0.0.13hf1

data/lib/deepsecurity/manager.rb

@@ -0,0 +1,223 @@
+# @author Udo Schneider <Udo.Schneider@homeaddress.de>
+
+require "savon"
+require "cache"
+# require "httpi"
+require "logger"
+# require "yaml"
+
+module DeepSecurity
+
+  LOG_MAPPING = {
+      :debug => Logger::DEBUG,
+      :info => Logger::INFO,
+      :warn => Logger::WARN,
+      :error => Logger::ERROR,
+      :fatal => Logger::FATAL
+  }
+
+  # This class  represents the DeepSecurity Manager. It's the entry point for all further actions
+  class Manager <DSObject
+
+    @@current = nil
+
+    def self.current
+      @@current
+    end
+
+    def reset
+      @@current = nil
+    end
+
+    # Obtain a new wrapper around the DeepSecurity Manager SOAP API.
+    def initialize(hostname, port=4119, log_level)
+      @hostname = hostname
+      @port = port
+      super()
+      @client = Savon.client(:wsdl => "https://#{hostname}:#{port}/webservice/Manager?WSDL",
+                             :convert_request_keys_to => :none, # or one of [:lower_camelcase, :upcase, :none]
+                             :ssl_verify_mode => :none,
+                             :logger => logger,
+                             :log_level => log_level,
+                             :log => (!log_level.nil?))
+    end
+
+    # @!group Request Helper
+
+    # Send an authenticated WebUI Request to the Server for URL +url and return the response body
+    def send_authenticated_http_get(path)
+      logger.debug { "#{self.class}\##{__method__}(#{path.inspect})" }
+      url = "https://#{@hostname}:#{@port}#{path}"
+      request = HTTPI::Request.new(url)
+      request.auth.ssl.verify_mode = :none
+      request.headers = {
+          "Cookie" => "sID=#{@sID}"
+      }
+      request.gzip
+      response = HTTPI.get request
+      response.body
+    end
+
+    # Send an authenticated WebUI Request to the Server for URL +url and return the response body
+    def send_authenticated_http_post(path, body)
+      logger.debug { "#{self.class}\##{__method__}(#{path.inspect})" }
+      url = "https://#{@hostname}:#{@port}#{path}"
+      request = HTTPI::Request.new(url)
+      request.auth.ssl.verify_mode = :none
+      request.headers = {
+          "Cookie" => "sID=#{@sID}",
+          "Content-Type" => "application/x-www-form-urlencoded"
+      }
+      request.gzip
+      request.body = body
+      response = HTTPI.post request
+      response.body
+    end
+
+    # @!endgroup
+
+    # @!group Caching
+
+    def cache
+      @cache ||= Cache.new(nil, nil, 10000, 5*60)
+    end
+
+    # @!endgroup
+
+    public
+
+    # @!group High-Level SOAP Wrapper
+
+    # Retrieves the Manager Web Service API version. Not the same as the Manager version.
+    # @return [Integer] The Web Service API version.
+    def api_version
+      dsm.getApiVersion()
+    end
+
+    # Retrieve the Manager Web Service API version. Not the same as the Manager version.
+    # @return [Time] Manager time as a language localized object.
+    def manager_time
+      dsm.getManagerTime()
+    end
+
+    # Set connection parameters
+    # @param [String] hostname host to connect to
+    # @param [Integer] port port to connect to
+    # @param [LOG_MAPPING] log_level Log Level
+    def self.server(hostname, port=4119, log_level=nil)
+      dsm = self.new(hostname, port, log_level)
+      dsm.logger.level = LOG_MAPPING[log_level] unless log_level.nil?
+      @@current = dsm
+    end
+
+    # Authenticates a user within the given tenant, and returns a session ID for use when calling other methods of Manager. When no longer required, the session should be terminated by calling endSession.
+    # @param [String] tenant
+    # @param [String] username
+    # @param [String] password
+    # @return [Manager] The current manager
+    def connect(tenant, username, password)
+      @sID = tenant.blank? ? authenticate(username, password) : authenticate_tenant(tenant, username, password)
+      dsm
+    rescue Savon::SOAPFault => error
+      raise AuthenticationFailedException.new(error.to_hash[:fault][:detail][:exception_name].to_s)
+    end
+
+    # Ends an authenticated user session. The Web Service client should end the authentication session in all exit cases.
+    # @return [void]
+    def disconnect
+      dsm.end_session() if authenticated?
+      dsm.reset
+      nil
+    end
+
+    # @!endgroup
+
+    # @!group Low-Level SOAP Wrapper
+
+    # Retrieves the Manager Web Service API version. Not the same as the Manager version.
+    #
+    # SYNTAX
+    #   int getApiVersion()
+    #
+    # PARAMETERS
+    #
+    # RETURNS
+    #   The Web Service API version.
+    def getApiVersion
+      send_soap(:get_api_version).to_i
+    end
+
+    # Retrieve the Manager Web Service API version. Not the same as the Manager version.
+    #
+    # SYNTAX
+    #   getManagerTime()
+    #
+    # PARAMETERS
+    #
+    # RETURNS
+    #   Manager time as a language localized object. For example, a Java client would return a Calendar object, and a C# client would return a DataTime object.
+    def getManagerTime
+      Time.parse(send_soap(:get_manager_time))
+    end
+
+    # Authenticates a user for and returns a session ID for use when calling other Web Service methods.
+    #
+    # SYNTAX
+    #   String authenticate(String username, String password)
+    #
+    # PARAMETERS
+    #   username Account username.
+    #   password Account password.
+    #
+    # RETURNS
+    #   Authenticated user session ID.
+    def authenticate(username, password)
+      send_soap(:authenticate, {:username => username, :password => password}).to_s
+    end
+
+    # Authenticates a user within the given tenant, and returns a session ID for use when calling other methods of Manager. When no longer required, the session should be terminated by calling endSession.
+    #
+    # SYNTAX
+    #   String authenticateTenant(String tenantName, String username, String password)
+    #
+    # PARAMETERS
+    #   tenantName Tenant Name.
+    #   username Account username.
+    #   password Account password.
+    #
+    # RETURNS
+    #   Authenticated user session ID.
+    def authenticate_tenant(tenantName, username, password)
+      send_soap(:authenticate_tenant, {:tenantName => tenantName, :username => username, :password => password}).to_s
+    end
+
+    # Ends an authenticated user session. The Web Service client should end the authentication session in all exit cases.
+    #
+    # SYNTAX
+    #   void endSession(String sID)
+    #
+    # PARAMETERS
+    #   sID Authentication session identifier ID.
+    # RETURNS
+    def end_session(sID = dsm.sID)
+      send_soap(:end_session, :sID => sID)
+    end
+
+    # @!endgroup
+
+    # Check if the session has been authenticated.
+    def authenticated?
+      !@sID.nil?
+    end
+
+    def sID
+      raise DeepSecurity::AuthenticationRequiredException unless authenticated?
+      @sID
+    end
+
+    def client
+      @client
+    end
+
+  end
+end

data/lib/deepsecurity/screenscraping.rb

@@ -0,0 +1,149 @@
+# require "hpricot"
+
+module DeepSecurity
+  class Manager
+
+    private
+
+    # Helper Method: Clean up any HTML remnants (e.g.  )
+    def clean_html_string(string)
+      string.
+          inner_text.
+          gsub(/\s+/, " ").
+          strip
+    end
+
+    # Helper Method: Convert header string to camel cased symbol
+    def symbolize_header(string)
+      string.
+          gsub(/::/, '/').
+          gsub(/([A-Z]+)([A-Z][a-z])/, '\1_\2').
+          gsub(/([a-z\d])([A-Z])/, '\1_\2').
+          gsub(/\s+/, "_").
+          tr("-", "_").
+          downcase.
+          to_sym
+    end
+
+    # Fetch the given +action+ with +parameters+. Post the result with settings changed according to +settings+
+    def post_setting(action, parameters, settings)
+      parameters_string = URI.escape(parameters.map { |key, value| "#{key}=#{value}" }.join("&"))
+      path = "/#{action}?#{parameters_string}"
+      body = send_authenticated_http_get(path)
+
+      doc = Hpricot(body)
+      form_values = {}
+      doc.search("input").each do |input|
+        type = input["type"]
+        unless type == "button" || type == "submit"
+          form_values[input['name']] = input['value'] unless input['name'].blank?
+        end
+      end
+
+      form_values = form_values.merge(settings)
+
+      action = doc.search("form#mainForm").first["action"]
+      parameters_string = URI.encode_www_form(form_values)
+      path = "/#{action}"
+      send_authenticated_http_post(path, parameters_string)
+    end
+
+    # Enable display of DPI rules "type" for a given host
+    def payload_filters2_show_rules(host_id, type)
+      post_setting("PayloadFilter2s.screen", {
+          "hostID" => host_id,
+          "noSearch" => true,
+          "hideStandardHeader" => true
+      }, {
+                       "command" => "CHANGEASSIGNFILTER",
+                       "arguments" => type}
+      )
+    end
+
+    # Enable vulnerability columns in DPI rules display
+    def payload_filters2_enable_vulnerability_columns
+
+      action = "AddRemoveColumns.screen"
+      parameters = {
+          :screenSettingKey => "payloadFilter2s.",
+          :columnDisplayNames => %w[ payloadFilter2s.column.cve payloadFilter2s.column.secunia payloadFilter2s.column.bugtraq payloadFilter2s.column.ms ].join(","),
+          :columnAdminSettingNames => %w[ summaryCVE summarySECUNIA summaryBUGTRAQ summaryMS ].join(",")
+      }
+      settings = {
+          "summaryCVE" => true,
+          "summarySECUNIA" => true,
+          "summaryBUGTRAQ" => true,
+          "summaryMS" => true
+      }
+
+      post_setting(action, parameters, settings)
+
+    end
+
+    # Retrieve DPI rules
+    def payload_filters2(optional_parameters = {})
+
+      num_rules = nil
+      rules = []
+      column_mapping = Hash.new()
+      while num_rules.nil? || rules.count < num_rules
+
+        mainTableViewState = ["",
+                              "controlCheck,after=[NONE]",
+                              "icon,after=controlCheck",
+                              "summaryConnectionType,after=icon",
+                              "fullName,after=summaryConnectionType",
+                              "summaryPriority,after=fullName",
+                              "summarySeverityHTML,after=summaryPriority",
+                              "summaryMode,after=summarySeverityHTML",
+                              "summaryType,after=summaryMode",
+                              "summaryCVE,after=summaryType",
+                              "summarySECUNIA,after=summaryCVE",
+                              "summaryBUGTRAQ,after=summarySECUNIA",
+                              "summaryMS,after=summaryBUGTRAQ",
+                              "summaryCvssScore,after=summaryMS",
+                              "summaryIssued,after=summaryCvssScore"]
+
+        parameters = {
+            :paging_offset => rules.count
+        }
+        parameters_string = (parameters.merge(optional_parameters).map { |k, v| "#{k}=#{v}" }).join("&")
+
+        path = "/PayloadFilter2s.screen?#{parameters_string}"
+        body = send_authenticated_http_get(path)
+        doc = Hpricot(body)
+
+        if num_rules.nil?
+          num_rules = doc.search("td.paging_text").inner_text.split(/\s+/)[-1]
+          if !num_rules.nil?
+            num_rules = num_rules.scan(/\d/).join.to_i
+          else
+            num_rules = 0
+          end
+        end
+
+        if column_mapping.empty?
+          doc.
+              search("#mainTable_header_table td:not(.datatable_resizer)").
+              map { |each| clean_html_string(each)[0..-2] }.
+              each_with_index { |each, index| column_mapping[each]=index unless each.blank? }
+        end
+
+        doc.search("#mainTable_rows_table tr") do |row|
+          column_cells = row.
+              search("td").
+              map { |each| clean_html_string(each) }
+          rule = Hash.new()
+          column_mapping.each do |k, v|
+            rule[symbolize_header(k)]=column_cells[v]
+          end
+          rules.push(rule)
+        end
+      end
+      rules
+
+
+    end
+
+  end
+end

data/lib/deepsecurity/transport_object.rb

@@ -0,0 +1,21 @@
+# @author Udo Schneider <Udo.Schneider@homeaddress.de>
+
+module DeepSecurity
+
+  # @abstract
+  # Transport objects are modeled after Deep Security Manager web interface objects and configuration groups. These
+  # transport objects can be constructed as new or retrieved from the Manager by calling the appropriate web method.
+  #
+  # A Web Service definition may declare object classes that inherit properties from other base object classes, so only
+  # the relevant object classes are covered in this section. If during development, you encounter any WSDL-defined
+  # object classes that are not documented, they are likely inherited base object classes or response object classes
+  # that are not directly used by any Web Methods and do not have any direct value.
+  #
+  # @note
+  #   It defines it's own DSL to specify attributes, caching and operation. This allows you to completely hide the
+  #   type-conversion needed by Savon behind a regular Ruby object.
+  class TransportObject < DSObject
+
+  end
+
+end

data/lib/deepsecurity/transport_objects/anti_malware_event.rb

@@ -0,0 +1,106 @@
+# @author Udo Schneider <Udo.Schneider@homeaddress.de>
+
+module DeepSecurity
+
+  # Represents an Anti-Malware event
+  class AntiMalwareEvent < TransportObject
+
+    attr_integer_accessor :anti_malware_config_id,
+                          'The ID of the Anti-Malware configuration this event corresponds to'
+    attr_integer_accessor :anti_malware_event_id,
+                          'The ID of the event'
+    attr_datetime_accessor :end_time,
+                           'Endtime of this event if it was repeated multiple times (not currently used)'
+    attr_integer_accessor :error_code,
+                          'The VSAPI error code indicates the reason of the actions of failure'
+    attr_integer_accessor :host_id,
+                          'The host ID this event corresponds to'
+    attr_string_accessor :infected_file_path,
+                         'The infected file full path'
+    attr_string_accessor :infection_source,
+                         'The source computer of the infection'
+    attr_datetime_accessor :log_date,
+                           'The time this event occured'
+    attr_string_accessor :malware_name,
+                         'The name of the malware'
+    attr_enum_accessor :malware_type,
+                       EnumMalwareType,
+                       'The type of the malware'
+    attr_integer_accessor :protocol,
+                          'The protocols: Local Files(0), Network shared folder(1), etc. However currently the Agent only support local files'
+    attr_integer_accessor :quarantine_record_id,
+                          'The ID of the quarantined file, if a file was quarantined as a result of this event.'
+    attr_integer_accessor :scan_result_action1,
+                          'The first action performed'
+    attr_integer_accessor :scan_result_action2,
+                          'The second action performed'
+    attr_enum_accessor :scan_type,
+                       EnumAntiMalwareScanType,
+                       'Type of scan this event was captured under'
+    array_object_accessor :spyware_items,
+                          AntiMalwareSpywareItem,
+                          'An array of spyware items associated with this event'
+    attr_datetime_accessor :start_time,
+                           'Starttime of this event if it was repeated multiple times (not currently used)'
+    attr_string_accessor :tags,
+                         'Any tags associated with this event'
+    attr_integer_accessor :scan_action1
+    attr_integer_accessor :scan_action2
+    attr_string_accessor :summary_scan_result
+
+
+    hint_object_accessor :host,
+                          Host,
+                          'The host this event corresponds to'
+
+
+    # cache_by_aspect :id, :name
+
+    # @!group High-Level SOAP Wrapper
+
+    # Return all AntiMalware events matching the filter
+    # @param [TimeFilter] time_filter
+    # @param [HostFilter] host_filter
+    # @param [IDFilter] event_id_filter
+    # @return [Array<AntiMalwareEvent>]
+    def self.find_all(time_filter, host_filter, event_id_filter)
+      dsm.antiMalwareEventRetrieve(time_filter, host_filter, event_id_filter)
+    end
+
+    def host
+      Host.find_by_id(host_id)
+    end
+    # @!endgroup
+
+  end
+
+  class Manager
+
+    # @!group Low-Level SOAP Wrapper
+
+    # Retrieves the AntiMalware events specified by the time and host filter.
+    #
+    # SYNTAX
+    #   public AntiMalwareEventListTransport antiMalwareEventRetrieve(TimeFilterTransport timeFilter HostFilterTransport hostFilter, IDFilterTransport eventIdFilter, String sID)
+    #
+    # PARAMETERS
+    #   timeFilter Restricts the retrieved events by time.
+    #   hostFilter Restricts the retrieved events by host, group, or security profile.
+    #   eventIdFilter Restricts the retrieved events by event id.
+    #   sID Authentication session identifier ID.
+    #
+    # RETURNS
+    #   AntiMalwareEventListTransport object.
+    def antiMalwareEventRetrieve(timeFilter, hostFilter, eventIdFilter, sID = dsm.sID)
+      request_array(:anti_malware_event_retrieve, AntiMalwareEvent, :anti_malware_events,
+                    :timeFilter => timeFilter.to_savon_data,
+                    :hostFilter => hostFilter.to_savon_data,
+                    :eventIdFilter => eventIdFilter.to_savon_data,
+                    :sID => sID)
+    end
+
+    # @!endgroup
+
+  end
+
+end

data/lib/deepsecurity/transport_objects/anti_malware_spyware_item.rb

@@ -0,0 +1,32 @@
+module DeepSecurity
+
+  class AntiMalwareSpywareItem < TransportObject
+
+    # Represents an Anti-Malware spyware event and contains all properties that belong to the event.
+
+    attr_integer_accessor :anti_malware_quarantined_file_id,
+                          "If a file was quarantined as a result of the event, this will contain the ID of the quarantined file"
+    attr_integer_accessor :anti_malware_spyware_item_id,
+                          "If a this event was the result of spyware, this will point at the ID of the spyware item"
+    attr_integer_accessor :host_id,
+                          "The host ID this event corresponds to"
+    attr_string_accessor :object_info,
+                         "File-path, registry key, process name...etc"
+    attr_integer_accessor :object_type,
+                          "Type identifier for Process, Cookies, File System, System Registry, Shortcut Link, Host File, Other"
+    attr_integer_accessor :risk_level,
+                          "Risk level gauge Very Low (0), Low (25), Medium(50), High(75), Very High(100)"
+    attr_integer_accessor :scan_action,
+                           "Scan Action: The action taken upon each spyware items: Pass (1), Delete (2), Quarantined (3), Clean (4), Deny Access (5)"
+    attr_integer_accessor :scan_result_action,
+                          "Represent whether the action is successful (0) or failed (Error Code)"
+    attr_integer_accessor :spyware_type,
+                          "Type identifier for Adware, Cookie, Dialer, Keylogger, Trojan, Worm, Downloader, et"
+
+
+    # cache_by_aspect :id, :name
+
+
+  end
+
+end

data/lib/deepsecurity/transport_objects/application_type.rb

@@ -0,0 +1,58 @@
+module DeepSecurity
+
+  # Represents an Application Type that reflects some network attributes to which DPI rules are assigned. The DPI engine
+  # will determine if a DPI rule should apply to a connection based on the assigned Application Type network attributes.
+  class ApplicationType < TransportObject
+
+    attr_integer_accessor :id,
+                          "ApplicationTypeTransport ID"
+    attr_string_accessor :description,
+                         "ApplicationTypeTransport description"
+    attr_string_accessor :name,
+                         "ApplicationTypeTransport name"
+    attr_string_accessor :tbuid,
+                         "Internal TBUID of a Trend Micro issued Application Type"
+    attr_enum_accessor :direction,
+                       EnumDirection,
+                       'The initial direction of the connection which this ApplicationTypeTransport would apply, e.g., INCOMING, OUTGOING. Depending on whether the application type is a server or client, the initial direction of the connection to inspect would either be INCOMING for a server, or OUTGOING for a client. E.g. Inspection of "Web Server Common" Application Type for a connection stream on TCP port 80 would be initially an INCOMING direction because incoming Web Server connections should be inspected'
+    attr_boolean_accessor :ignore_recommendations,
+                          "Whether the Recommendation Engine should ignore this rule"
+    attr_object_accessor :protocol_icmp,
+                         ProtocolICMP,
+                         "ApplicationTypeTransport protocol ICMP type"
+    attr_object_accessor :protocol_port_based,
+                         ProtocolPortBased,
+                         'ApplicationTypeTransport protocol Port type'
+    attr_enum_accessor :protocol_type,
+                       EnumApplicationTypeProtocolType,
+                       'ApplicationTypeTransport protocol Application type, e.g., UCMP, TCP, UDP, TCP_UDP'
+    attr_boolean_accessor :authoritative,
+                          'Whether the rule is an internal read only Trend Micro rule'
+
+    cache_by_aspect :id, :name
+
+  end
+
+  class Manager
+
+    def application_types
+      cache.fetch(ApplicationType.cache_key(:all, :all)) do
+        request_array("application_type_retrieve_all", ApplicationType)
+      end
+    end
+
+    def application_type(id)
+      cache.fetch(ApplicationType.cache_key(:id, id)) do
+        request_object("application_type_retrieve", ApplicationType, {:id => id})
+      end
+    end
+
+    def application_type_by_name(name)
+      cache.fetch(ApplicationType.cache_key(:name, name)) do
+        request_object("application_type_retrieve_by_name", ApplicationType, {:name => name})
+      end
+    end
+
+  end
+
+end