deepsecurity 0.0.13hf1
- data/.gitignore +25 -0
- data/.yardopts +4 -0
- data/Gemfile +4 -0
- data/LICENSE +22 -0
- data/README.md +29 -0
- data/Rakefile +2 -0
- data/bin/dsc +186 -0
- data/deepsecurity.gemspec +30 -0
- data/lib/deepsecurity/ds_object.rb +37 -0
- data/lib/deepsecurity/enums.rb +539 -0
- data/lib/deepsecurity/exceptions/authentication_failed_exception.rb +7 -0
- data/lib/deepsecurity/exceptions/authentication_required_exception.rb +6 -0
- data/lib/deepsecurity/manager.rb +223 -0
- data/lib/deepsecurity/screenscraping.rb +149 -0
- data/lib/deepsecurity/transport_object.rb +21 -0
- data/lib/deepsecurity/transport_objects/anti_malware_event.rb +106 -0
- data/lib/deepsecurity/transport_objects/anti_malware_spyware_item.rb +32 -0
- data/lib/deepsecurity/transport_objects/application_type.rb +58 -0
- data/lib/deepsecurity/transport_objects/dpi_rule.rb +113 -0
- data/lib/deepsecurity/transport_objects/host.rb +171 -0
- data/lib/deepsecurity/transport_objects/host_detail.rb +167 -0
- data/lib/deepsecurity/transport_objects/host_filter.rb +62 -0
- data/lib/deepsecurity/transport_objects/host_group.rb +41 -0
- data/lib/deepsecurity/transport_objects/host_interface.rb +42 -0
- data/lib/deepsecurity/transport_objects/id_filter.rb +37 -0
- data/lib/deepsecurity/transport_objects/private/vulnerability.rb +52 -0
- data/lib/deepsecurity/transport_objects/protocol_icmp.rb +13 -0
- data/lib/deepsecurity/transport_objects/protocol_port_based.rb +11 -0
- data/lib/deepsecurity/transport_objects/security_profile.rb +90 -0
- data/lib/deepsecurity/transport_objects/system_event.rb +45 -0
- data/lib/deepsecurity/transport_objects/time_filter.rb +55 -0
- data/lib/deepsecurity/version.rb +3 -0
- data/lib/deepsecurity.rb +58 -0
- data/lib/dsc/anti_malware_event.rb +101 -0
- data/lib/dsc/dsc_object.rb +41 -0
- data/lib/dsc/helper.rb +48 -0
- data/lib/dsc/host_detail.rb +62 -0
- data/lib/dsc.rb +6 -0
- data/lib/dsc_version.rb +3 -0
- data/lib/savon_helper/caching_object.rb +48 -0
- data/lib/savon_helper/mapping_object.rb +421 -0
- data/lib/savon_helper/missing_type_mapping_exception.rb +11 -0
- data/lib/savon_helper/soap_exception.rb +7 -0
- data/lib/savon_helper/type_mappings.rb +218 -0
- data/lib/savon_helper.rb +7 -0
- metadata +188 -0
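--- a/data/lib/deepsecurity/manager.rb
+++ b/data/lib/deepsecurity/manager.rb
@@ -0,0 +1,223 @@
+# @author Udo Schneider <Udo.Schneider@homeaddress.de>
+
+require "savon"
+require "cache"
+# require "httpi"
+require "logger"
+# require "yaml"
+
+module DeepSecurity
+
+LOG_MAPPING = {
+:debug => Logger::DEBUG,
+:info => Logger::INFO,
+:warn => Logger::WARN,
+:error => Logger::ERROR,
+:fatal => Logger::FATAL
+}
+
+# This class represents the DeepSecurity Manager. It's the entry point for all further actions
+class Manager <DSObject
+
+@@current = nil
+
+def self.current
+@@current
+end
+
+def reset
+@@current = nil
+end
+
+# Obtain a new wrapper around the DeepSecurity Manager SOAP API.
+def initialize(hostname, port=4119, log_level)
+@hostname = hostname
+@port = port
+super()
+@client = Savon.client(:wsdl => "https://#{hostname}:#{port}/webservice/Manager?WSDL",
+:convert_request_keys_to => :none, # or one of [:lower_camelcase, :upcase, :none]
+:ssl_verify_mode => :none,
+:logger => logger,
+:log_level => log_level,
+:log => (!log_level.nil?))
+end
+
+# @!group Request Helper
+
+# Send an authenticated WebUI Request to the Server for URL +url and return the response body
+def send_authenticated_http_get(path)
+logger.debug { "#{self.class}\##{__method__}(#{path.inspect})" }
+url = "https://#{@hostname}:#{@port}#{path}"
+request = HTTPI::Request.new(url)
+request.auth.ssl.verify_mode = :none
+request.headers = {
+"Cookie" => "sID=#{@sID}"
+}
+request.gzip
+response = HTTPI.get request
+response.body
+end
+
+# Send an authenticated WebUI Request to the Server for URL +url and return the response body
+def send_authenticated_http_post(path, body)
+logger.debug { "#{self.class}\##{__method__}(#{path.inspect})" }
+url = "https://#{@hostname}:#{@port}#{path}"
+request = HTTPI::Request.new(url)
+request.auth.ssl.verify_mode = :none
+request.headers = {
+"Cookie" => "sID=#{@sID}",
+"Content-Type" => "application/x-www-form-urlencoded"
+}
+request.gzip
+request.body = body
+response = HTTPI.post request
+response.body
+end
+
+# @!endgroup
+
+# @!group Caching
+
+def cache
+@cache ||= Cache.new(nil, nil, 10000, 5*60)
+end
+
+# @!endgroup
+
+public
+
+# @!group High-Level SOAP Wrapper
+
+# Retrieves the Manager Web Service API version. Not the same as the Manager version.
+# @return [Integer] The Web Service API version.
+def api_version
+dsm.getApiVersion()
+end
+
+# Retrieve the Manager Web Service API version. Not the same as the Manager version.
+# @return [Time] Manager time as a language localized object.
+def manager_time
+dsm.getManagerTime()
+end
+
+# Set connection parameters
+# @param [String] hostname host to connect to
+# @param [Integer] port port to connect to
+# @param [LOG_MAPPING] log_level Log Level
+def self.server(hostname, port=4119, log_level=nil)
+dsm = self.new(hostname, port, log_level)
+dsm.logger.level = LOG_MAPPING[log_level] unless log_level.nil?
+@@current = dsm
+end
+
+# Authenticates a user within the given tenant, and returns a session ID for use when calling other methods of Manager. When no longer required, the session should be terminated by calling endSession.
+# @param [String] tenant
+# @param [String] username
+# @param [String] password
+# @return [Manager] The current manager
+def connect(tenant, username, password)
+@sID = tenant.blank? ? authenticate(username, password) : authenticate_tenant(tenant, username, password)
+dsm
+rescue Savon::SOAPFault => error
+raise AuthenticationFailedException.new(error.to_hash[:fault][:detail][:exception_name].to_s)
+end
+
+# Ends an authenticated user session. The Web Service client should end the authentication session in all exit cases.
+# @return [void]
+def disconnect
+dsm.end_session() if authenticated?
+dsm.reset
+nil
+end
+
+# @!endgroup
+
+# @!group Low-Level SOAP Wrapper
+
+# Retrieves the Manager Web Service API version. Not the same as the Manager version.
+#
+# SYNTAX
+# int getApiVersion()
+#
+# PARAMETERS
+#
+# RETURNS
+# The Web Service API version.
+def getApiVersion
+send_soap(:get_api_version).to_i
+end
+
+# Retrieve the Manager Web Service API version. Not the same as the Manager version.
+#
+# SYNTAX
+# getManagerTime()
+#
+# PARAMETERS
+#
+# RETURNS
+# Manager time as a language localized object. For example, a Java client would return a Calendar object, and a C# client would return a DataTime object.
+def getManagerTime
+Time.parse(send_soap(:get_manager_time))
+end
+
+# Authenticates a user for and returns a session ID for use when calling other Web Service methods.
+#
+# SYNTAX
+# String authenticate(String username, String password)
+#
+# PARAMETERS
+# username Account username.
+# password Account password.
+#
+# RETURNS
+# Authenticated user session ID.
+def authenticate(username, password)
+send_soap(:authenticate, {:username => username, :password => password}).to_s
+end
+
+# Authenticates a user within the given tenant, and returns a session ID for use when calling other methods of Manager. When no longer required, the session should be terminated by calling endSession.
+#
+# SYNTAX
+# String authenticateTenant(String tenantName, String username, String password)
+#
+# PARAMETERS
+# tenantName Tenant Name.
+# username Account username.
+# password Account password.
+#
+# RETURNS
+# Authenticated user session ID.
+def authenticate_tenant(tenantName, username, password)
+send_soap(:authenticate_tenant, {:tenantName => tenantName, :username => username, :password => password}).to_s
+end
+
+# Ends an authenticated user session. The Web Service client should end the authentication session in all exit cases.
+#
+# SYNTAX
+# void endSession(String sID)
+#
+# PARAMETERS
+# sID Authentication session identifier ID.
+# RETURNS
+def end_session(sID = dsm.sID)
+send_soap(:end_session, :sID => sID)
+end
+
+# @!endgroup
+
+# Check if the session has been authenticated.
+def authenticated?
+!@sID.nil?
+end
+
+def sID
+raise DeepSecurity::AuthenticationRequiredException unless authenticated?
+@sID
+end
+
+def client
+@client
+end
+
+end
+end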
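Review bot: TLS peer verification is switched off for every connection this class opens — `:ssl_verify_mode => :none` in `initialize` and `request.auth.ssl.verify_mode = :none` in both `send_authenticated_http_get` and `send_authenticated_http_post` — so the credentials sent by `authenticate`/`authenticate_tenant` and the `sID` session cookie go to a peer that is never checked. Make verification the default and let callers opt out deliberately, e.g. `def initialize(hostname, port=4119, log_level, ssl_verify_mode: :peer)` with `:ssl_verify_mode => ssl_verify_mode` in the Savon options and `request.auth.ssl.verify_mode = @ssl_verify_mode` in the two HTTPI helpers. Separately, `:log => (!log_level.nil?)` enables Savon request logging whenever a log level is given, which writes the full `authenticate` envelope, password included, to the logger; Savon's `:filters` option (e.g. `:filters => [:password]`) redacts that element and should accompany any non-nil log level. `connect` also assumes `error.to_hash[:fault][:detail][:exception_name]` is present; a SOAP fault without a `:detail` key raises NoMethodError there instead of the intended AuthenticationFailedException, so guard it with `dig` and a fallback message.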
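--- a/data/lib/deepsecurity/screenscraping.rb
+++ b/data/lib/deepsecurity/screenscraping.rb
@@ -0,0 +1,149 @@
+# require "hpricot"
+
+module DeepSecurity
+class Manager
+
+private
+
+# Helper Method: Clean up any HTML remnants (e.g. )
+def clean_html_string(string)
+string.
+inner_text.
+gsub(/\s+/, " ").
+strip
+end
+
+# Helper Method: Convert header string to camel cased symbol
+def symbolize_header(string)
+string.
+gsub(/::/, '/').
+gsub(/([A-Z]+)([A-Z][a-z])/, '\1_\2').
+gsub(/([a-z\d])([A-Z])/, '\1_\2').
+gsub(/\s+/, "_").
+tr("-", "_").
+downcase.
+to_sym
+end
+
+# Fetch the given +action+ with +parameters+. Post the result with settings changed according to +settings+
+def post_setting(action, parameters, settings)
+parameters_string = URI.escape(parameters.map { |key, value| "#{key}=#{value}" }.join("&"))
+path = "/#{action}?#{parameters_string}"
+body = send_authenticated_http_get(path)
+
+doc = Hpricot(body)
+form_values = {}
+doc.search("input").each do |input|
+type = input["type"]
+unless type == "button" || type == "submit"
+form_values[input['name']] = input['value'] unless input['name'].blank?
+end
+end
+
+form_values = form_values.merge(settings)
+
+action = doc.search("form#mainForm").first["action"]
+parameters_string = URI.encode_www_form(form_values)
+path = "/#{action}"
+send_authenticated_http_post(path, parameters_string)
+end
+
+# Enable display of DPI rules "type" for a given host
+def payload_filters2_show_rules(host_id, type)
+post_setting("PayloadFilter2s.screen", {
+"hostID" => host_id,
+"noSearch" => true,
+"hideStandardHeader" => true
+}, {
+"command" => "CHANGEASSIGNFILTER",
+"arguments" => type}
+)
+end
+
+# Enable vulnerability columns in DPI rules display
+def payload_filters2_enable_vulnerability_columns
+
+action = "AddRemoveColumns.screen"
+parameters = {
+:screenSettingKey => "payloadFilter2s.",
+:columnDisplayNames => %w[ payloadFilter2s.column.cve payloadFilter2s.column.secunia payloadFilter2s.column.bugtraq payloadFilter2s.column.ms ].join(","),
+:columnAdminSettingNames => %w[ summaryCVE summarySECUNIA summaryBUGTRAQ summaryMS ].join(",")
+}
+settings = {
+"summaryCVE" => true,
+"summarySECUNIA" => true,
+"summaryBUGTRAQ" => true,
+"summaryMS" => true
+}
+
+post_setting(action, parameters, settings)
+
+end
+
+# Retrieve DPI rules
+def payload_filters2(optional_parameters = {})
+
+num_rules = nil
+rules = []
+column_mapping = Hash.new()
+while num_rules.nil? || rules.count < num_rules
+
+mainTableViewState = ["",
+"controlCheck,after=[NONE]",
+"icon,after=controlCheck",
+"summaryConnectionType,after=icon",
+"fullName,after=summaryConnectionType",
+"summaryPriority,after=fullName",
+"summarySeverityHTML,after=summaryPriority",
+"summaryMode,after=summarySeverityHTML",
+"summaryType,after=summaryMode",
+"summaryCVE,after=summaryType",
+"summarySECUNIA,after=summaryCVE",
+"summaryBUGTRAQ,after=summarySECUNIA",
+"summaryMS,after=summaryBUGTRAQ",
+"summaryCvssScore,after=summaryMS",
+"summaryIssued,after=summaryCvssScore"]
+
+parameters = {
+:paging_offset => rules.count
+}
+parameters_string = (parameters.merge(optional_parameters).map { |k, v| "#{k}=#{v}" }).join("&")
+
+path = "/PayloadFilter2s.screen?#{parameters_string}"
+body = send_authenticated_http_get(path)
+doc = Hpricot(body)
+
+if num_rules.nil?
+num_rules = doc.search("td.paging_text").inner_text.split(/\s+/)[-1]
+if !num_rules.nil?
+num_rules = num_rules.scan(/\d/).join.to_i
+else
+num_rules = 0
+end
+end
+
+if column_mapping.empty?
+doc.
+search("#mainTable_header_table td:not(.datatable_resizer)").
+map { |each| clean_html_string(each)[0..-2] }.
+each_with_index { |each, index| column_mapping[each]=index unless each.blank? }
+end
+
+doc.search("#mainTable_rows_table tr") do |row|
+column_cells = row.
+search("td").
+map { |each| clean_html_string(each) }
+rule = Hash.new()
+column_mapping.each do |k, v|
+rule[symbolize_header(k)]=column_cells[v]
+end
+rules.push(rule)
+end
+end
+rules
+
+
+end
+
+end
+end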
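Review bot: `payload_filters2` can loop forever: the `while` condition only ends once `rules.count` reaches `num_rules`, so a page that yields no `#mainTable_rows_table tr` rows (an expired session answering with a login page, or a server-side page size that does not divide the total) leaves `paging_offset` unchanged and the same request is repeated indefinitely. Record the count before each fetch and leave the loop when it does not grow, e.g. `fetched = rules.count` before `path = ...` and `break if rules.count == fetched` after the row loop; `mainTableViewState` in the same loop body is rebuilt on every iteration and never read. In `post_setting`, `URI.escape` was removed in Ruby 3.0 and in any case does not encode `&`/`=` inside values, whereas the POST side already uses `URI.encode_www_form(form_values)`; building the GET query the same way, `parameters_string = URI.encode_www_form(parameters)`, is both portable and correct. `doc.search("form#mainForm").first["action"]` raises NoMethodError when the form is missing from the response, so a check that raises a descriptive error (the page did not contain the expected form) would make failures diagnosable.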
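--- a/data/lib/deepsecurity/transport_object.rb
+++ b/data/lib/deepsecurity/transport_object.rb
@@ -0,0 +1,21 @@
+# @author Udo Schneider <Udo.Schneider@homeaddress.de>
+
+module DeepSecurity
+
+# @abstract
+# Transport objects are modeled after Deep Security Manager web interface objects and configuration groups. These
+# transport objects can be constructed as new or retrieved from the Manager by calling the appropriate web method.
+#
+# A Web Service definition may declare object classes that inherit properties from other base object classes, so only
+# the relevant object classes are covered in this section. If during development, you encounter any WSDL-defined
+# object classes that are not documented, they are likely inherited base object classes or response object classes
+# that are not directly used by any Web Methods and do not have any direct value.
+#
+# @note
+# It defines it's own DSL to specify attributes, caching and operation. This allows you to completely hide the
+# type-conversion needed by Savon behind a regular Ruby object.
+class TransportObject < DSObject
+
+end
+
+end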
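--- a/data/lib/deepsecurity/transport_objects/anti_malware_event.rb
+++ b/data/lib/deepsecurity/transport_objects/anti_malware_event.rb
@@ -0,0 +1,106 @@
+# @author Udo Schneider <Udo.Schneider@homeaddress.de>
+
+module DeepSecurity
+
+# Represents an Anti-Malware event
+class AntiMalwareEvent < TransportObject
+
+attr_integer_accessor :anti_malware_config_id,
+'The ID of the Anti-Malware configuration this event corresponds to'
+attr_integer_accessor :anti_malware_event_id,
+'The ID of the event'
+attr_datetime_accessor :end_time,
+'Endtime of this event if it was repeated multiple times (not currently used)'
+attr_integer_accessor :error_code,
+'The VSAPI error code indicates the reason of the actions of failure'
+attr_integer_accessor :host_id,
+'The host ID this event corresponds to'
+attr_string_accessor :infected_file_path,
+'The infected file full path'
+attr_string_accessor :infection_source,
+'The source computer of the infection'
+attr_datetime_accessor :log_date,
+'The time this event occured'
+attr_string_accessor :malware_name,
+'The name of the malware'
+attr_enum_accessor :malware_type,
+EnumMalwareType,
+'The type of the malware'
+attr_integer_accessor :protocol,
+'The protocols: Local Files(0), Network shared folder(1), etc. However currently the Agent only support local files'
+attr_integer_accessor :quarantine_record_id,
+'The ID of the quarantined file, if a file was quarantined as a result of this event.'
+attr_integer_accessor :scan_result_action1,
+'The first action performed'
+attr_integer_accessor :scan_result_action2,
+'The second action performed'
+attr_enum_accessor :scan_type,
+EnumAntiMalwareScanType,
+'Type of scan this event was captured under'
+array_object_accessor :spyware_items,
+AntiMalwareSpywareItem,
+'An array of spyware items associated with this event'
+attr_datetime_accessor :start_time,
+'Starttime of this event if it was repeated multiple times (not currently used)'
+attr_string_accessor :tags,
+'Any tags associated with this event'
+attr_integer_accessor :scan_action1
+attr_integer_accessor :scan_action2
+attr_string_accessor :summary_scan_result
+
+
+hint_object_accessor :host,
+Host,
+'The host this event corresponds to'
+
+
+# cache_by_aspect :id, :name
+
+# @!group High-Level SOAP Wrapper
+
+# Return all AntiMalware events matching the filter
+# @param [TimeFilter] time_filter
+# @param [HostFilter] host_filter
+# @param [IDFilter] event_id_filter
+# @return [Array<AntiMalwareEvent>]
+def self.find_all(time_filter, host_filter, event_id_filter)
+dsm.antiMalwareEventRetrieve(time_filter, host_filter, event_id_filter)
+end
+
+def host
+Host.find_by_id(host_id)
+end
+# @!endgroup
+
+end
+
+class Manager
+
+# @!group Low-Level SOAP Wrapper
+
+# Retrieves the AntiMalware events specified by the time and host filter.
+#
+# SYNTAX
+# public AntiMalwareEventListTransport antiMalwareEventRetrieve(TimeFilterTransport timeFilter HostFilterTransport hostFilter, IDFilterTransport eventIdFilter, String sID)
+#
+# PARAMETERS
+# timeFilter Restricts the retrieved events by time.
+# hostFilter Restricts the retrieved events by host, group, or security profile.
+# eventIdFilter Restricts the retrieved events by event id.
+# sID Authentication session identifier ID.
+#
+# RETURNS
+# AntiMalwareEventListTransport object.
+def antiMalwareEventRetrieve(timeFilter, hostFilter, eventIdFilter, sID = dsm.sID)
+request_array(:anti_malware_event_retrieve, AntiMalwareEvent, :anti_malware_events,
+:timeFilter => timeFilter.to_savon_data,
+:hostFilter => hostFilter.to_savon_data,
+:eventIdFilter => eventIdFilter.to_savon_data,
+:sID => sID)
+end
+
+# @!endgroup
+
+end
+
+end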
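Review bot: `scan_action1`, `scan_action2` and `summary_scan_result` are declared without the description string every other accessor in `AntiMalwareEvent` carries, so they come out undocumented in the generated API reference; add a one-line description where the field's meaning is known or a `# TODO: undocumented in the WSDL` comment above them if it is not. `def host` is defined a few lines after `hint_object_accessor :host, Host, ...`; if that macro also generates a `host` reader, the explicit method silently replaces it, which deserves a comment such as `# Resolves the host lazily through Host.find_by_id rather than the hinted object` stating the intent. `antiMalwareEventRetrieve` calls `to_savon_data` on all three filters unconditionally, so a caller passing `nil` for an unused filter gets a NoMethodError from inside the wrapper rather than a clear ArgumentError; whether the Web Service accepts an omitted filter is not visible in this hunk, so either document that all three are mandatory or map `nil` to an explicit "no filter" value.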
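--- a/data/lib/deepsecurity/transport_objects/anti_malware_spyware_item.rb
+++ b/data/lib/deepsecurity/transport_objects/anti_malware_spyware_item.rb
@@ -0,0 +1,32 @@
+module DeepSecurity
+
+class AntiMalwareSpywareItem < TransportObject
+
+# Represents an Anti-Malware spyware event and contains all properties that belong to the event.
+
+attr_integer_accessor :anti_malware_quarantined_file_id,
+"If a file was quarantined as a result of the event, this will contain the ID of the quarantined file"
+attr_integer_accessor :anti_malware_spyware_item_id,
+"If a this event was the result of spyware, this will point at the ID of the spyware item"
+attr_integer_accessor :host_id,
+"The host ID this event corresponds to"
+attr_string_accessor :object_info,
+"File-path, registry key, process name...etc"
+attr_integer_accessor :object_type,
+"Type identifier for Process, Cookies, File System, System Registry, Shortcut Link, Host File, Other"
+attr_integer_accessor :risk_level,
+"Risk level gauge Very Low (0), Low (25), Medium(50), High(75), Very High(100)"
+attr_integer_accessor :scan_action,
+"Scan Action: The action taken upon each spyware items: Pass (1), Delete (2), Quarantined (3), Clean (4), Deny Access (5)"
+attr_integer_accessor :scan_result_action,
+"Represent whether the action is successful (0) or failed (Error Code)"
+attr_integer_accessor :spyware_type,
+"Type identifier for Adware, Cookie, Dialer, Keylogger, Trojan, Worm, Downloader, et"
+
+
+# cache_by_aspect :id, :name
+
+
+end
+
+end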
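Review bot: The class description `# Represents an Anti-Malware spyware event and contains all properties that belong to the event.` sits inside the class body, after the `class AntiMalwareSpywareItem < TransportObject` line, so YARD does not attach it to the class and the class shows up undocumented; move it directly above the `class` line as anti_malware_event.rb does. The `spyware_type` description string ends in `"... Downloader, et"`, which looks like a truncated "etc." and will be rendered verbatim in the docs. The accessor descriptions for `anti_malware_spyware_item_id` ("If a this event") and `scan_action` ("each spyware items") carry the same kind of typo.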
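--- a/data/lib/deepsecurity/transport_objects/application_type.rb
+++ b/data/lib/deepsecurity/transport_objects/application_type.rb
@@ -0,0 +1,58 @@
+module DeepSecurity
+
+# Represents an Application Type that reflects some network attributes to which DPI rules are assigned. The DPI engine
+# will determine if a DPI rule should apply to a connection based on the assigned Application Type network attributes.
+class ApplicationType < TransportObject
+
+attr_integer_accessor :id,
+"ApplicationTypeTransport ID"
+attr_string_accessor :description,
+"ApplicationTypeTransport description"
+attr_string_accessor :name,
+"ApplicationTypeTransport name"
+attr_string_accessor :tbuid,
+"Internal TBUID of a Trend Micro issued Application Type"
+attr_enum_accessor :direction,
+EnumDirection,
+'The initial direction of the connection which this ApplicationTypeTransport would apply, e.g., INCOMING, OUTGOING. Depending on whether the application type is a server or client, the initial direction of the connection to inspect would either be INCOMING for a server, or OUTGOING for a client. E.g. Inspection of "Web Server Common" Application Type for a connection stream on TCP port 80 would be initially an INCOMING direction because incoming Web Server connections should be inspected'
+attr_boolean_accessor :ignore_recommendations,
+"Whether the Recommendation Engine should ignore this rule"
+attr_object_accessor :protocol_icmp,
+ProtocolICMP,
+"ApplicationTypeTransport protocol ICMP type"
+attr_object_accessor :protocol_port_based,
+ProtocolPortBased,
+'ApplicationTypeTransport protocol Port type'
+attr_enum_accessor :protocol_type,
+EnumApplicationTypeProtocolType,
+'ApplicationTypeTransport protocol Application type, e.g., UCMP, TCP, UDP, TCP_UDP'
+attr_boolean_accessor :authoritative,
+'Whether the rule is an internal read only Trend Micro rule'
+
+cache_by_aspect :id, :name
+
+end
+
+class Manager
+
+def application_types
+cache.fetch(ApplicationType.cache_key(:all, :all)) do
+request_array("application_type_retrieve_all", ApplicationType)
+end
+end
+
+def application_type(id)
+cache.fetch(ApplicationType.cache_key(:id, id)) do
+request_object("application_type_retrieve", ApplicationType, {:id => id})
+end
+end
+
+def application_type_by_name(name)
+cache.fetch(ApplicationType.cache_key(:name, name)) do
+request_object("application_type_retrieve_by_name", ApplicationType, {:name => name})
+end
+end
+
+end
+
+end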
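Review bot: `application_types`, `application_type` and `application_type_by_name` on `Manager` carry no YARD comment, unlike every wrapper in manager.rb and anti_malware_event.rb; add `# @return [Array<ApplicationType>] all application types, served from the 5-minute cache after the first call` and the matching `# @param [Integer] id` / `# @param [String] name` with `# @return [ApplicationType, nil]` lines. The SOAP operation names here are Strings (`"application_type_retrieve_all"`) while `antiMalwareEventRetrieve` passes a Symbol (`:anti_malware_event_retrieve`); one convention across the low-level wrappers would be easier to grep and to review. These three calls also omit the `:sID` argument that `antiMalwareEventRetrieve` passes explicitly; presumably `request_array`/`request_object` inject the session id themselves, but that is outside this hunk, so confirm it, otherwise these calls go out unauthenticated.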