🎉 Initial commit

Author: evict

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "ansible"]
+	path = ansible
+	url = [email protected]:toucan-project/deploy-scripts.git

CA/enrolled-hosts

@@ -0,0 +1,14 @@
+take CA
+mkdir certs crl newcerts private
+cp /dev/null index.txt
+openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 1825 -config openssl.cnf
+openssl req -nodes -new -x509 -keyout serverkey.pem -out serverreq.pem -days 730 -config openssl.cnf
+openssl x509 -x509toreq -in serverreq.pem -signkey serverkey.pem -out tmp.pem
+openssl ca -config openssl.cnf -policy policy_anything -out servercert.pem -infiles tmp.pem
+cp index.txt index.txt.attr
+openssl ca -config openssl.cnf -policy policy_anything -out servercert.pem -infiles tmp.pem
+rm tmp.pem
+openssl req -nodes -new -x509 -keyout clientkey.pem -out clientreq.pem -days 730 -config openssl.cnf
+openssl x509 -x509toreq -in clientreq.pem -signkey clientkey.pem -out tmp.pem
+openssl ca -config openssl.cnf -policy policy_anything -out clientcert.pem -infiles tmp.pem
+

CA/managed_certificates/generate_ca.sh

@@ -0,0 +1,147 @@
+HOME			= .
+
+oid_section		= new_oids
+
+[ new_oids ]
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir	    	= .	# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several certs with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem# The private key
+
+x509_extensions	= usr_cert		# The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+default_days	= 730			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= default		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= supplied
+stateOrProvinceName	= supplied
+organizationName	= supplied
+commonName		= supplied
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= supplied
+stateOrProvinceName	= supplied
+localityName		= supplied
+organizationName	= supplied
+commonName		= supplied
+
+####################################################################
+[ req ]
+default_bits		= 4096
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+basicConstraints=CA:FALSE
+nsComment			= "OpenSSL Generated Certificate"
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = critical,CA:true
+
+[ crl_ext ]
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+basicConstraints=CA:FALSE
+nsComment			= "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1	# the default TSA section
+
+[ tsa_config1 ]
+dir		= /etc/ssl		# TSA root directory
+serial		= $dir/tsaserial	# The current serial number (mandatory)
+crypto_device	= builtin		# OpenSSL engine to use for signing
+signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
+					# (optional)
+certs		= $dir/cacert.pem	# Certificate chain to include in reply
+					# (optional)
+signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest  = sha256			# Signing digest to use. (Optional)
+default_policy	= tsa_policy1		# Policy if request did not specify it
+					# (optional)
+other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
+accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
+clock_precision_digits  = 0	# number of digits after dot. (optional)
+ordering		= yes	# Is ordering defined for timestamps?
+				# (optional, default: no)
+tsa_name		= yes	# Must the TSA name be included in the reply?
+				# (optional, default: no)
+ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
+				# (optional, default: no)
+ess_cert_id_alg		= sha1	# algorithm to compute certificate
+				# identifier (optional, default: sha1)

CA/managed_certificates/openssl.cnf

@@ -0,0 +1,21 @@
+# TOUCAN
+<!-- vim-markdown-toc GitLab -->
+
+* [Prequisities](#prequisities)
+* [Installation](#installation)
+
+<!-- vim-markdown-toc -->
+
+## Prequisities
+There are two machines required for this to work.
+
+1. Canary machine, with an HTTP server and SMB.
+2. Alert machine, has DNS and `syslog-ng` listeners.
+
+The canary machine pushes logs to the alert machine, and in case of an event coming from a canary document,
+sends an alert to a predefined user.
+
+It is recommended to use Ubuntu 19.xx as server OS. 
+
+## Installation
+[coming soon]

README.md

@@ -0,0 +1,2 @@
+from sys import path
+path.insert(0, '../')

ansible

@@ -0,0 +1,147 @@
+from django.urls import reverse
+from django.http import Http404
+from django.conf.urls import url
+from django.contrib import admin
+from django.utils.html import format_html
+from django.shortcuts import render_to_response
+
+from requests import post
+
+from manage_api.admin import admin_site
+from manage_api.models import ExternalAPISetting
+
+from alert_api.models import MimiAlertItem, SampleItem, CanaryAlertItem
+
+
+class MimiAlertItemAdmin(admin.ModelAdmin):
+
+    readonly_fields = ["target", "source", "stack", "accessMask",
+                       "sha1", "md5", "date", "pid", "sid", "machinename",
+                       "virustotal_actions"]
+    list_display = ['date', 'machinename', 'target', 'source']
+    list_filter = ['machinename', 'source']
+
+    def has_add_permission(self, request, obj=None):
+        return False
+
+    def has_delete_permission(self, request, obj=None):
+        return False
+
+    def has_change_permission(self, request, obj=None):
+        return False
+
+    def get_urls(self):
+        urls = super().get_urls()
+        custom_urls = [
+            url(
+                r'^(?P<md5>.+)/check/$',
+                self.admin_site.admin_view(self.process_md5),
+                name='process-md5',
+            ),
+            url(
+                r'^(?P<sha1>.+)/check/$',
+                self.admin_site.admin_view(self.process_sha1),
+                name='process-sha1',
+            ),
+        ]
+        return custom_urls + urls
+
+    def process_md5(self, request, md5, *args, **kwargs):
+        return self.process_action(
+            request=request,
+            hash=md5,
+            action_title='MD5',
+        )
+
+    def process_sha1(self, request, sha1, *args, **kwargs):
+        return self.process_action(
+            request=request,
+            hash=sha1,
+            action_title='SHA1',
+        )
+
+    def virustotal_actions(self, obj):
+        return format_html(
+            '<a class="button" href="{}">MD5</a>&nbsp;'
+            '<a class="button" href="{}">SHA1</a>',
+            reverse('admin:process-md5', args=[obj.md5]),
+            reverse('admin:process-sha1', args=[obj.sha1]),
+        )
+
+    def process_action(self, request, hash, action_title):
+
+        args = {}
+        args.update(request)
+
+        item = ExternalAPISetting.get_api_item_by_name('virustotal')
+        vt_key = item.api_key
+
+        params = {'apikey': vt_key, 'resource': hash}
+        response = post('https://www.virustotal.com/vtapi/v2/file/rescan',
+                        params=params)
+
+        if response.status_code != 200:
+            raise Http404('Could not obtain report, invalid response '
+                          'from remote site.')
+
+        response = response.json()
+        report = response.get('permalink', False)
+
+        if not report:
+            raise Http404({'error': f"no report for {hash}"})
+
+        response = post('https://www.virustotal.com/vtapi/v2/file/report',
+                        params=params)
+
+        # Sort dictionary by value: True
+        response_dict = sorted(response.json()['scans'].items(),
+                               key=lambda x: x[1]['detected'], reverse=True)
+        args['contents'] = response_dict
+        args['hash'] = hash
+        args['report'] = report
+
+        return render_to_response('virustotal_report_template.html', args)
+
+
+class SampleItemAdmin(admin.ModelAdmin):
+
+    list_display = ['md5', 'related_alert_items']
+    fields = ['md5', 'related_alert_items', 'download_sample']
+
+    def has_add_permission(self, request, obj=None):
+        return False
+
+    def has_delete_permission(self, request, obj=None):
+        return True
+
+    def has_change_permission(self, request, obj=None):
+        return False
+
+    def related_alert_items(self, obj):
+        items = SampleItem.get_related_alert_items_as_url(obj.md5)
+        return format_html(items)
+
+    def download_sample(self, obj):
+        return format_html(
+            '<a class="button" href="{}">Sample</a>',
+            reverse('download-sample', args=[obj.md5]))
+
+
+class CanaryAlertItemAdmin(admin.ModelAdmin):
+
+    list_display = ['date', 'identifier', 'canary_type', 'location']
+    list_filter = ['identifier']
+
+    def has_add_permission(self, request, obj=None):
+        return False
+
+    def has_delete_permission(self, request, obj=None):
+        return True
+
+    def has_change_permission(self, request, obj=None):
+        return False
+
+
+admin_site.register(SampleItem, SampleItemAdmin)
+admin_site.register(MimiAlertItem, MimiAlertItemAdmin)
+admin_site.register(CanaryAlertItem, CanaryAlertItemAdmin)

django/__init__.py

@@ -0,0 +1,5 @@
+from django.apps import AppConfig
+
+
+class SysmonapiConfig(AppConfig):
+    name = 'sysmonAPI'