cert-polska / mwdblib
Client library for the mwdb service by CERT Polska.
Home Page: https://mwdblib.readthedocs.io/en/latest/
License: MIT License
Confirmation printed to stdout interferes with 'mwdb fetch <id> -', which prints output to stdout.
We need to rework that part a bit.
Currently, every CLI command performs an /auth/login request if the password was stored using the mwdb login command.
It would be nice to securely store session token for multiple password-authenticated CLI invocations.
Might be a nice addition to have the docs website in the sidebar of this repository.
Not a problem of this PR, but I'm not a fan of manually listing (and checking) many options. Maybe in the future consider click.Choice (found this by googling: pallets/click#605)
Originally posted by @msm-code in #43 (comment)
/usr/local/lib/python3.8/dist-packages/beautifultable/utils.py:136: FutureWarning: 'max_width' has been deprecated in 'v1.0.0' and will be removed in 'v1.2.0'. Use 'maxwidth' instead.
warnings.warn(message, FutureWarning)
Storing the API key with the mwdb login command silently fails:
[user@shell]$ mwdb login -a "<valid api key>"
[user@shell]$ mwdb search "name:file.exe"
Error: Not authenticated. Use `mwdb login` first to set credentials.
Aborted!
The first half of the issue lies in how the store_credentials method of the APIClientOptions class validates its arguments. The method will silently fail if self.username is not set. This is likely due to keyring's set_password method requiring some username to store any secret, even an API key.
The second half is in the login command handler (login_command in mwdb/cli/login.py). This function incorrectly calls set_api_key as a member of the mwdb object rather than its member api (which is an APIClient instance). However, even if it correctly invokes set_api_key, the API key won't be stored due to the aforementioned issue in store_credentials. Thus login_credentials has to ensure that the username is set prior to storing the API key.
Add support for CERT-Polska/mwdb-core#755 to improve listing time (useful for statistics evaluation)
In some keyring implementations, it's really difficult to keep the keyring open for a longer time without being asked for the keyring password periodically.
We should provide an optional way to store credentials directly in the ~/.mwdb file, e.g. via an additional mwdb login flag.
Additionally check upload time if current object was not uploaded before the last object.
Interrupt fetching next objects and show warning in that case.
Current behavior
Currently we don't store API url so it must be provided to all of the commands. It's not very convenient for self-hosted Malwarecage instances.
$ mwdb --api-url http://127.0.0.1/api/ login
Username: admin
Password:
results in ~/.mwdb contents:
[mwdb]
username = admin
Expected behavior
$ mwdb login http://127.0.0.1/api/
Username: admin
Password:
$ cat ~/.mwdb
[mwdb]
username = admin
api_url = http://127.0.0.1/api/
Additional TODO: Change in documentation needed.
https://github.com/CERT-Polska/mwdblib/blob/master/src/api.py#L130-L133
The current API uses multipart/form-data only for file upload. Additional options are passed via the options field instead of json (https://github.com/CERT-Polska/mwdblib/blob/master/src/core.py#L579).
Authenticating using mwdb = MWDB() from Python should honor the ~/.mwdb config file, like the CLI does.
Code reference:
https://github.com/CERT-Polska/mwdblib/blob/master/src/cli/authenticator.py#L15
mwdb get $REDACTED_HASH
Please enter password for encrypted keyring:
/home/bonus/.local/lib/python3.9/site-packages/beautifultable/utils.py:125: FutureWarning: 'BeautifulTable.append_row' has been deprecated in 'v1.0.0' and will be removed in 'v1.2.0'. Use 'BTRowCollection.append' instead.
warnings.warn(message, FutureWarning)
/home/bonus/.local/lib/python3.9/site-packages/beautifultable/utils.py:125: FutureWarning: 'BeautifulTable.get_string' has been deprecated in 'v1.0.0' and will be removed in 'v1.2.0'. Use 'str' instead.
warnings.warn(message, FutureWarning)
File name: Mozi.m.elf
File size: 11.6 kB
File type: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
When searching using mwdblib against my local instance of mwdb, mwdblib throws this error.
When using the search params 'tag:mirai' on the public cert.pl instance, it works just fine.
from mwdblib import MWDB
from configparser import ConfigParser
config = ConfigParser()
config.read('mwdb.ini')
mwdb = MWDB(api=config.get('mwdb', 'url'), api_key=config.get('mwdb', 'api'))
results = mwdb.search_files('tag:plugx')
for r in results:
    print(r.sha256)
---------------------------------------------------------------------------
AttributeError Traceback (most recent call last)
<ipython-input-56-f6c20a1a115a> in <module>
----> 1 for r in results:
2 print(r.sha256)
~/venv/lib/python3.8/site-packages/mwdblib/core.py in _recent(self, object_type, query)
103 params["query"] = query
104 # 'object', 'file', 'config' or 'blob'?
--> 105 result = self.api.get(object_type.URL_TYPE, params=params)
106 key = object_type.URL_TYPE + "s"
107 if key not in result or len(result[key]) == 0:
AttributeError: 'str' object has no attribute 'get'
Thoughts? Python version issue maybe...?
Currently it's not possible to remove comments from samples, even though it's possible to add them with add_comment().
There are functions to remove tags and attributes, and it would be helpful if it's also possible to remove comments.
Comments already have a unique ID associated with them which could be used as the parameter to a new remove_comment() function.
I have not checked if mwdb-core needs support for this or if a DELETE request is already handled.
Describe the problem
A new attribute API for integration with objects has been introduced in mwdb-core; in mwdblib there is a legacy version of it.
Furthermore, JSON attributes were introduced, so we need to expand attributes in mwdblib.
Being able to query specific objects could be pretty useful.
Current workaround is probably to get all available objects and then do the filtering which is a lot less convenient and efficient.
Usage example:
for config in mwdb.listen_for_configs(query="family:danabot"):
    print(config.cfg)
Removing stored samples from the mwdb Web UI is already possible in a few clicks, yet the functionality is not available through any API endpoint. It would be a valuable addition, considering the automation / scripting functionality offered by mwdblib.
On the one hand, it could be integrated as an additional method within mwdblib.file.MWDBFile for a single delete operation; in addition, a "bulk" delete function consuming results from, e.g., MWDB.recent_files() could be introduced.
There is an undocumented -o short option:
$ mwdb search "meta.karton2:12117120-fdc0-4f4d-9798-738b17450e51" -oshort
b5f0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa60
But the docs are silent about it:
-o, --output TEXT Format attributes separated by commas. Supported
values: nocolor, nopager, nohuman
It is nicer and easier to navigate :)
One of use-cases found during some code review:
def remove_attribute(sample: mwdblib.MWDBFile, key: str, value: Any = None) -> None:
    for attribute in sample.attributes[key]:
        if value is None or attribute.value == value:
            sample.remove_attribute(attribute.id)
Code above is wrong but shows expected usage of new API.
get_attributes_detailed exposes identifiers, but attributes are not grouped by key. In addition, it would be nice to have them in named tuples (accessible by getattr, .value) instead of regular dicts with ["value"] syntax to access the value.
Getting this error when running a query using the mwdb cli tool:
File "/home/name/venv_mwdb/lib/python3.9/site-packages/mwdblib/cli/formatters/tabular.py", line 34, in format_table
term_width, term_height = click.get_terminal_size()
AttributeError: module 'click' has no attribute 'get_terminal_size'
Should this be os.get_terminal_size() instead of click.get_terminal_size()? https://github.com/CERT-Polska/mwdblib/blob/master/mwdblib/cli/formatters/tabular.py#L20
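A portable replacement for the call in the traceback above, as an added example that is not mwdblib's own code: it prefers click's helper where it still exists and otherwise uses shutil.get_terminal_size(), which, unlike os.get_terminal_size(), does not raise when stdout is a pipe rather than a terminal.

```python
import shutil


def get_terminal_size(fallback=(80, 24)):
    """Return (columns, lines) for table formatting.

    click.get_terminal_size() was removed in click 8, and
    os.get_terminal_size() raises OSError when stdout is not a TTY
    (for example when output is piped to jq). shutil.get_terminal_size()
    checks the COLUMNS/LINES environment variables, then the terminal
    attached to stdout, and falls back to the given default otherwise.
    """
    try:
        import click
        if hasattr(click, "get_terminal_size"):  # click < 8 only
            width, height = click.get_terminal_size()
            return (int(width), int(height))
    except ImportError:
        pass  # click not installed; use the standard library
    size = shutil.get_terminal_size(fallback=fallback)
    return (size.columns, size.lines)
```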
I found that requirements.txt does not cover all dependencies needed for mwdblib to work.
Missing dependencies:
Error encountered in attached file hardtimes.txt
mwdb = Malwarecage(api_key=MWDB_TOKEN)
Traceback (most recent call last):
File "/home/[redacted]/lib/python3.5/site-packages/mwdblib/api.py", line 79, in set_api_key
self.logged_user = json.loads(base64.b64decode(self.api_key.split(".")[1] + "=="))["login"]
File "/usr/lib/python3.5/json/__init__.py", line 312, in loads
s.__class__.__name__))
TypeError: the JSON object must be str, not 'bytes'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/[redacted]/lib/python3.5/site-packages/mwdblib/core.py", line 51, in __init__
self.api = api or MalwarecageAPI(**api_options)
File "/home/[redacted]/lib/python3.5/site-packages/mwdblib/api.py", line 64, in __init__
self.set_api_key(api_key)
File "/home/[redacted]/lib/python3.5/site-packages/mwdblib/api.py", line 81, in set_api_key
raise InvalidCredentialsError("Invalid API key format. Verify whether actual token is provided "
mwdblib.exc.InvalidCredentialsError: Invalid API key format. Verify whether actual token is provided instead of its UUID.
Probably related to https://docs.python.org/3/library/json.html#json.loads:
"Changed in version 3.6: s can now be of type bytes or bytearray. The input encoding should be UTF-8, UTF-16 or UTF-32."
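The decoding step the traceback above fails on, rewritten as an added example that is not mwdblib's own code. It assumes, as the traceback suggests, that an API key is a JWT-style token whose middle segment is a base64url-encoded JSON object with a 'login' claim; make_demo_key builds a constructed, unsigned token for offline testing.

```python
import base64
import binascii
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode one JWT segment: base64url alphabet, omitted padding restored."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def login_from_api_key(api_key: str) -> str:
    """Extract the 'login' claim from a JWT-style API key (assumed format).

    The signature is not verified here, so the result is only suitable for
    display (e.g. "acting as user X"), never for an authorization decision.
    """
    parts = api_key.split(".")
    if len(parts) != 3:
        # A bare UUID (the key's identifier) contains no dots at all.
        raise ValueError("Invalid API key format: expected header.payload.signature; "
                         "verify that the token itself, not its UUID, is provided")
    try:
        payload_bytes = _b64url_decode(parts[1])
        # Explicit .decode(): json.loads() accepts bytes only from Python 3.6,
        # which is exactly what the Python 3.5 traceback above trips over.
        payload = json.loads(payload_bytes.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, ValueError) as exc:
        raise ValueError("Invalid API key format: payload is not base64url JSON") from exc
    login = payload.get("login") if isinstance(payload, dict) else None
    if not isinstance(login, str) or not login:
        raise ValueError("Invalid API key format: no 'login' claim in payload")
    return login


def is_valid_api_key_format(api_key: str) -> bool:
    """True when the key parses as a token carrying a login claim."""
    try:
        login_from_api_key(api_key)
        return True
    except ValueError:
        return False


def make_demo_key(login: str) -> str:
    """Constructed, unsigned demo token for local testing (not a real key)."""
    def seg(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    header = seg(b'{"alg":"HS512","typ":"JWT"}')
    payload = seg(json.dumps({"login": login}).encode("utf-8"))
    return f"{header}.{payload}.{seg(b'not-a-real-signature')}"
```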
https://pypi.org/project/mwdblib/
The author of this package has not provided a project description
So we need to fill it in!
Provide an -o json option which prints data in JSON format, which can be used for further processing (e.g. piped to jq).
It seems functools.wraps is missing:
In [16]: file.remove_attribute
Out[16]: functools.partial(<bound method APIClient.requires.<locals>.VersionDependentMethod.__call__ of <mwdblib.api.api.APIClient.requires.<locals>.VersionDependentMethod object at 0x7f4c1dc3e4a0>>, <mwdblib.file.MWDBFile object at 0x7f4c1ecaec20>)
In [17]: file.remove_attribute.__doc__
Out[17]: 'partial(func, *args, **keywords) - new function with partial application\n of the given arguments and keywords.\n'