

Merge pull request #342 from CybercentreCanada/update/milliseconds
Use a datetime format that includes milliseconds
cccs-kevin authored Jun 19, 2023
2 parents 5ff5cfd + eb866ed commit 5417b69
Showing 2 changed files with 34 additions and 39 deletions.
45 changes: 20 additions & 25 deletions cuckoo/cuckoo_result.py
Expand Up @@ -10,7 +10,7 @@

from assemblyline.common import log as al_log
from assemblyline.common.attack_map import revoke_map
from assemblyline.common.isotime import LOCAL_FMT
from assemblyline.common.isotime import epoch_to_local_with_ms, format_time
from assemblyline.common.net import is_ip_in_network, is_valid_ip
from assemblyline.common.str_utils import safe_str
from assemblyline.odm.base import FULL_URI
Expand Down Expand Up @@ -200,20 +200,19 @@ def process_info(info: Dict[str, Any], routing: str, parent_result_section: Resu
:param so: An instance of the sandbox ontology class
:return: None
"""
start_time = info['started']
end_time = info['ended']

duration = info['duration']
analysis_time = -1 # Default error time
start_time_str = ""
end_time_str = ""
try:
start_time_str = datetime.fromtimestamp(int(start_time)).strftime('%Y-%m-%d %H:%M:%S')
end_time_str = datetime.fromtimestamp(int(end_time)).strftime('%Y-%m-%d %H:%M:%S')
duration_str = datetime.fromtimestamp(int(duration)).strftime('%Hh %Mm %Ss')
analysis_time = duration_str + "\t(" + start_time_str + " to " + end_time_str + ")"
except Exception:
start_time_str = MIN_TIME
end_time_str = MAX_TIME
duration_str = format_time(datetime.fromtimestamp(int(duration)), '%Hh %Mm %Ss')
start_time = epoch_to_local_with_ms(float(info['started']), trunc=3)
end_time = epoch_to_local_with_ms(float(info['ended']), trunc=3)
analysis_time = duration_str + "\t(" + start_time + " to " + end_time + ")"
except Exception as e:
print(e)
log.debug(e)
start_time = MIN_TIME
end_time = MAX_TIME
body = {
'Cuckoo Task ID': info['id'],
'Duration': analysis_time,
Expand All @@ -230,8 +229,8 @@ def process_info(info: Dict[str, Any], routing: str, parent_result_section: Resu
"sandbox_name": so.service_name,
"sandbox_version": info['version'],
"analysis_metadata": {
"start_time": start_time_str,
"end_time": end_time_str,
"start_time": start_time,
"end_time": end_time,
"task_id": info['id'],
},
}
Expand All @@ -243,9 +242,9 @@ def process_info(info: Dict[str, Any], routing: str, parent_result_section: Resu
session=OntologyResults.create_session(),
),
analysis_metadata=Sandbox.AnalysisMetadata(
start_time=start_time_str,
start_time=start_time,
task_id=info['id'],
end_time=end_time_str,
end_time=end_time,
routing=routing,
# To be updated later
machine_metadata=None,
Expand Down Expand Up @@ -349,9 +348,7 @@ def convert_cuckoo_processes(cuckoo_processes: List[Dict[str, Any]],
is_tag_safelisted(command_line, ["dynamic.process.command_line"], safelist):
continue

first_seen = datetime.fromtimestamp(item["first_seen"]).strftime(
LOCAL_FMT
)
first_seen = epoch_to_local_with_ms(item["first_seen"], trunc=3)
if not item.get("guid"):
guid = so.get_guid_by_pid_and_time(item["pid"], first_seen)
else:
Expand Down Expand Up @@ -659,7 +656,7 @@ def process_network(network: Dict[str, Any], parent_result_section: ResultSectio
),
ontology_id=nc_oid,
session=session,
time_observed=datetime.fromtimestamp(network_flow["timestamp"]).strftime(LOCAL_FMT)
time_observed=epoch_to_local_with_ms(network_flow["timestamp"])
)
objectid.assign_guid()
nc = so.create_network_connection(
Expand All @@ -668,11 +665,11 @@ def process_network(network: Dict[str, Any], parent_result_section: ResultSectio
source_port=network_flow["src_port"],
destination_ip=network_flow["dest_ip"],
destination_port=network_flow["dest_port"],
time_observed=datetime.fromtimestamp(network_flow["timestamp"]).strftime(LOCAL_FMT),
time_observed=epoch_to_local_with_ms(network_flow["timestamp"]),
transport_layer_protocol=network_flow["protocol"],
direction=NetworkConnection.OUTBOUND)
nc.update_process(pid=network_flow["pid"], image=process_details.get(
"name"), start_time=datetime.fromtimestamp(network_flow["timestamp"]).strftime(LOCAL_FMT))
"name"), start_time=epoch_to_local_with_ms(network_flow["timestamp"]))
so.add_network_connection(nc)

# We want all key values for all network flows except for timestamps and event_type
Expand Down Expand Up @@ -1235,9 +1232,7 @@ def process_all_events(
extract_iocs_from_text_blob(event.command_line, event_ioc_table)
_ = add_tag(events_section, "dynamic.process.file_name", event.image)
if isinstance(event.objectid.time_observed, float) or isinstance(event.objectid.time_observed, int):
time_observed = datetime.fromtimestamp(event.objectid.time_observed).strftime(
LOCAL_FMT
)
time_observed = epoch_to_local_with_ms(event.objectid.time_observed)
else:
time_observed = event.objectid.time_observed
events_section.add_row(
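Review bot: The new calls disagree on precision: process_info and convert_cuckoo_processes format with `trunc=3`, but the three `epoch_to_local_with_ms(network_flow["timestamp"])` calls in process_network and the one in process_all_events pass no `trunc`, so if the helper's default keeps full microseconds the network `time_observed`/`start_time` strings carry six fractional digits while process `start_time` carries three, and the `update_process(..., start_time=...)` value will not equal the process's own start_time; pass `trunc=3` in all four, e.g. `time_observed=epoch_to_local_with_ms(network_flow["timestamp"], trunc=3)`. Judging by the test expectations, the MIN_TIME/MAX_TIME fallbacks also carry six digits, so the same mismatch exists on the error path. In the process_info except branch `print(e)` looks like a leftover debug statement beside `log.debug(e)`; drop it, and consider `log.warning("Could not parse analysis times from report info: %s", e)` since a malformed sandbox timestamp is otherwise only visible at debug level. Formatting the duration through `datetime.fromtimestamp(int(duration))` is timezone-sensitive and wraps past 24h; `hours, rem = divmod(int(duration), 3600); minutes, seconds = divmod(rem, 60)` with an f-string would be robust. All of these functions start and end outside the shown hunks.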
28 changes: 14 additions & 14 deletions tests/test_cuckoo_result.py
Expand Up @@ -98,13 +98,13 @@ def test_generate_al_result(api_report, mocker):
"info, correct_body, expected_am",
[({"started": "blah", "ended": "blah", "duration": "blah", "id": 1, "route": "blah", "version": "blah"},
'{"Cuckoo Task ID": 1, "Duration": -1, "Routing": "blah", "Cuckoo Version": "blah"}',
{"routing": "blah", "start_time": "1-01-01 00:00:00", "end_time": "9999-12-31 23:59:59", "task_id": 1}),
{"routing": "blah", "start_time": "1-01-01 00:00:00.000000", "end_time": "9999-12-31 23:59:59.999999", "task_id": 1}),
({"started": "1", "ended": "1", "duration": "1", "id": 1, "route": "blah", "version": "blah"},
'{"Cuckoo Task ID": 1, "Duration": "00h 00m 01s\\t(1970-01-01 00:00:01 to 1970-01-01 00:00:01)", "Routing": "blah", "Cuckoo Version": "blah"}',
{"routing": "blah", "start_time": "1970-01-01 00:00:01", "end_time": "1970-01-01 00:00:01", "task_id": 1}),
'{"Cuckoo Task ID": 1, "Duration": "00h 00m 01s\\t(1970-01-01 00:00:01.000 to 1970-01-01 00:00:01.000)", "Routing": "blah", "Cuckoo Version": "blah"}',
{"routing": "blah", "start_time": "1970-01-01 00:00:01.000", "end_time": "1970-01-01 00:00:01.000", "task_id": 1}),
({"id": 1, "started": "1", "ended": "1", "duration": "1", "route": "blah", "version": "blah"},
'{"Cuckoo Task ID": 1, "Duration": "00h 00m 01s\\t(1970-01-01 00:00:01 to 1970-01-01 00:00:01)", "Routing": "blah", "Cuckoo Version": "blah"}',
{"routing": "blah", "start_time": "1970-01-01 00:00:01", "end_time": "1970-01-01 00:00:01", "task_id": 1}), ])
'{"Cuckoo Task ID": 1, "Duration": "00h 00m 01s\\t(1970-01-01 00:00:01.000 to 1970-01-01 00:00:01.000)", "Routing": "blah", "Cuckoo Version": "blah"}',
{"routing": "blah", "start_time": "1970-01-01 00:00:01.000", "end_time": "1970-01-01 00:00:01.000", "task_id": 1}), ])
def test_process_info(info, correct_body, expected_am):
al_result = ResultSection("blah")
so = OntologyResults(service_name="Cuckoo")
Expand Down Expand Up @@ -188,10 +188,10 @@ def test_get_process_api_sums(apistats, correct_api_sums):
[([{"pid": 0, "process_path": "blah", "command_line": "blah", "ppid": 1,
"guid": "{12345678-1234-5678-1234-567812345678}", "pguid": "{12345678-1234-5678-1234-567812345679}",
"first_seen": 1.0}],
{'start_time': "1970-01-01 00:00:01", 'end_time': "9999-12-31 23:59:59",
{'start_time': "1970-01-01 00:00:01.000", 'end_time': "9999-12-31 23:59:59.999999",
'objectid':
{'guid': '{12345678-1234-5678-1234-567812345678}', 'tag': 'blah', 'treeid': None,
'time_observed': "1970-01-01 00:00:01", 'ontology_id': 'process_2YK9t8RtV7Kuz78PASKGw0', 'service_name': 'Cuckoo',
'time_observed': "1970-01-01 00:00:01.000", 'ontology_id': 'process_2YK9t8RtV7Kuz78PASKGw0', 'service_name': 'Cuckoo',
'processtree': None},
'pobjectid': None,
'pimage': None, 'pcommand_line': None, 'ppid': 1, 'pid': 0, 'image': 'blah', 'command_line': 'blah',
Expand Down Expand Up @@ -225,7 +225,7 @@ def test_convert_cuckoo_processes(processes, correct_event, mocker):
"command_line": "blah",
"ppid": 1,
"guid": "{12345678-1234-5678-1234-567812345678}",
"start_time": "1970-01-01 00:00:01",
"start_time": "1970-01-01 00:00:01.000",
"pguid": "{12345678-1234-5678-1234-567812345678}",
"objectid": OntologyResults.create_objectid(tag="blah", ontology_id="blah", service_name="Cuckoo")
}
Expand All @@ -247,7 +247,7 @@ def test_convert_cuckoo_processes(processes, correct_event, mocker):
"command_line": "blah",
"ppid": 1,
"guid": "{12345678-1234-5678-1234-567812345678}",
"start_time": "1970-01-01 00:00:01",
"start_time": "1970-01-01 00:00:01.000",
"pguid": "{12345678-1234-5678-1234-567812345678}",
"objectid": OntologyResults.create_objectid(tag="blah", ontology_id="blah", service_name="Cuckoo")
}
Expand All @@ -274,7 +274,7 @@ def test_convert_cuckoo_processes(processes, correct_event, mocker):
"command_line": "blah",
"ppid": 1,
"guid": "{12345678-1234-5678-1234-567812345678}",
"start_time": "1970-01-01 00:00:01",
"start_time": "1970-01-01 00:00:01.000",
"pguid": "{12345678-1234-5678-1234-567812345678}",
"objectid": OntologyResults.create_objectid(tag="blah", ontology_id="blah", service_name="Cuckoo")
}
Expand Down Expand Up @@ -681,14 +681,14 @@ def test_process_all_events():
al_result = ResultSection("blah")
p = default_so.create_process(
pid=1, ppid=1, guid="{12345678-1234-5678-1234-567812345679}", command_line="blah blah.com", image="blah",
start_time="1970-01-01 00:00:01", pguid="{12345678-1234-5678-1234-567812345679}",
start_time="1970-01-01 00:00:01.000", pguid="{12345678-1234-5678-1234-567812345679}",
objectid=OntologyResults.create_objectid(tag="blah", ontology_id="blah", service_name="Cuckoo")
)
default_so.add_process(p)
nc = default_so.create_network_connection(
source_port=1, destination_ip="1.1.1.1", source_ip="2.2.2.2", destination_port=1,
transport_layer_protocol="udp", direction="outbound", process=p,
objectid=OntologyResults.create_objectid(tag="blah", ontology_id="blah", service_name="Cuckoo", time_observed="1970-01-01 00:00:02")
objectid=OntologyResults.create_objectid(tag="blah", ontology_id="blah", service_name="Cuckoo", time_observed="1970-01-01 00:00:02.000")
)

default_so.add_network_connection(nc)
Expand All @@ -703,12 +703,12 @@ def test_process_all_events():
correct_result_section.add_row(
TableRow(
**
{"time_observed": "1970-01-01 00:00:01", "process_name": "blah (1)",
{"time_observed": "1970-01-01 00:00:01.000", "process_name": "blah (1)",
"details": {"command_line": "blah blah.com"}}))
correct_result_section.add_row(
TableRow(
**
{"time_observed": "1970-01-01 00:00:02", "process_name": "blah (1)",
{"time_observed": "1970-01-01 00:00:02.000", "process_name": "blah (1)",
"details": {"protocol": "udp", "domain": "blah", "dest_ip": "1.1.1.1", "dest_port": 1}}))

correct_ioc_table = ResultTableSection("Event Log IOCs")
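Review bot: The updated expectations hard-code `"1970-01-01 00:00:01.000"` for epoch 1 (and `"00h 00m 01s"` for the duration, which goes through `datetime.fromtimestamp`); given the helper is named epoch_to_local_with_ms these presumably depend on the local timezone and only hold in a UTC environment, so pin it (a monkeypatch of `TZ` plus `time.tzset()` in an autouse fixture) or confirm the helper is timezone-independent. The error-path case in test_process_info now expects six fractional digits (`00:00:00.000000` / `23:59:59.999999`) while the success path expects three, which pins a precision mismatch between the MIN_TIME/MAX_TIME constants and the `trunc=3` formatting rather than a single convention; at minimum add `# MIN_TIME/MAX_TIME carry microseconds; formatted times are truncated to milliseconds (trunc=3)` on that fixture, or align the constants. The parametrize lists and test bodies extend beyond the shown hunks.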
