new: [functionality] flowintel + multiple entry

Author: DavidCruciani

website/app/__init__.py

@@ -37,6 +37,7 @@ def create_app():
     app.register_blueprint(home_blueprint, url_prefix="/")
     app.register_blueprint(history_blueprint, url_prefix="/")
     app.register_blueprint(account_blueprint, url_prefix="/")
+    csrf.exempt(home_blueprint)
 
     return app
 

website/app/db_class/db.py

@@ -38,7 +38,7 @@ def to_json(self):
             "id": self.id,
             "uuid": self.uuid,
             "modules": json.loads(self.modules_list),
-            "query_enter": self.query_enter,
+            "query_enter": json.loads(self.query_enter),
             "input_query": self.input_query,
             "config_module": json.loads(self.config_module),
             "result": json.loads(self.result),
@@ -51,7 +51,7 @@ def history_json(self):
         json_dict = {
             "uuid": self.uuid,
             "modules": json.loads(self.modules_list),
-            "query": self.query_enter,
+            "query": json.loads(self.query_enter),
             "input": self.input_query,
             "query_date": self.query_date.strftime('%Y-%m-%d %H:%M')
         }

website/app/history/history_core.py

@@ -146,8 +146,8 @@ def util_remove_node_session(node_uuid, parent, parent_path):
         child = parent["children"][i]
         if child["uuid"] == node_uuid:
             del parent_path["children"][i]
-            return
-        elif child["children"]:
+            return True
+        elif "children" in child and child["children"]:
             return util_remove_node_session(node_uuid, child, parent_path["children"][i])
 
 def remove_node_session(node_uuid):
@@ -160,7 +160,9 @@ def remove_node_session(node_uuid):
                 loc = i
                 break
             elif q_value["children"]:
-                return util_remove_node_session(node_uuid, q_value, sess[keys_list[i]])
+                if util_remove_node_session(node_uuid, q_value, sess[keys_list[i]]):
+                    loc = i
+                    break
     if loc:
         del sess[keys_list[i]]
 

website/app/home.py

@@ -1,9 +1,10 @@
+import ast
 import json
-from flask import Blueprint, render_template, request, jsonify, session as sess
+from flask import Blueprint, redirect, render_template, request, jsonify, session as sess
 from flask_login import current_user
 from . import session_class as SessionModel
 from . import home_core as HomeModel
-from .utils.utils import admin_user_active
+from .utils.utils import admin_user_active, FLOWINTEL_URL
 
 home_blueprint = Blueprint(
     'home',
@@ -13,18 +14,35 @@
 )
 
 
-@home_blueprint.route("/")
+@home_blueprint.route("/", methods=["GET", "POST"])
 def home():
+    try:
+        del sess["query"]
+    except:
+        pass
     sess["admin_user"] = bool(admin_user_active())
     if "query" in request.args:
-        return render_template("home.html", query=request.args.get("query"))
+        sess["query"] = ast.literal_eval(request.args.get("query"))
+    if "query" in request.form:
+        sess["query"] = json.loads(request.form.get("query"))
     return render_template("home.html")
 
+@home_blueprint.route("/get_query", methods=['GET', 'POST'])
+def get_query():
+    """Get result from flowintel"""
+    if "query" in sess:
+        return {"query": sess.get("query")}
+    return {"message": "No query"}
+
 @home_blueprint.route("/home/<sid>", methods=["GET", "POST"])
 def home_query(sid):
+    try:
+        del sess["query"]
+    except:
+        pass
     sess["admin_user"] = admin_user_active()
     if "query" in request.args:
-        query = request.args.get("query")
+        sess["query"] = [request.args.get("query")]
         return render_template("home.html", query=query, sid=sid)
     return render_template("404.html")
 
@@ -33,21 +51,28 @@ def query(sid):
     sess["admin_user"] = admin_user_active()
     session = HomeModel.get_session(sid)
     flag=False
+    modules_list = []
     if session:
         flag = True
-        query_loc = session.query_enter
+        query_loc = json.loads(session.query_enter)
+        modules_list = json.loads(session.modules_list)
     else:
         for s in SessionModel.sessions:
             if s.uuid == sid:
                 flag = True
                 query_loc = s.query
                 session=s
+                modules_list = session.modules_list
+    query_str = ", ".join(query_loc)
+    if len(query_str) > 40:
+        query_str = query_str[0:40] + "..."
     if flag:
         return render_template("query.html", 
                                query=query_loc, 
+                               query_str=query_str,
                                sid=sid, 
                                input_query=session.input_query, 
-                               modules=json.loads(session.modules_list), 
+                               modules=modules_list, 
                                query_date=session.query_date.strftime('%Y-%m-%d %H:%M'))
     return render_template("404.html")
 
@@ -60,18 +85,20 @@ def get_query_info(sid):
     flag=False
     if session:
         flag = True
-        query_loc = session.query_enter
+        query_loc = json.loads(session.query_enter)
+        modules_list = json.loads(session.modules_list)
     else:
         for s in SessionModel.sessions:
             if s.uuid == sid:
                 flag = True
                 query_loc = s.query
+                modules_list = s.modules_list
                 session=s
     if flag:
         loc_dict = {
             "query": query_loc,
             "input_query": session.input_query,
-            "modules": json.loads(session.modules_list), 
+            "modules": modules_list, 
             "query_date": session.query_date.strftime('%Y-%m-%d %H:%M')
             }
         return loc_dict
@@ -227,3 +254,9 @@ def change_status():
             return {'message': 'Something went wrong', 'toast_class': "danger-subtle"}, 400
         return {'message': 'Need to pass "module_id"', 'toast_class': "warning-subtle"}, 400
     return {'message': 'Permission denied', 'toast_class': "danger-subtle"}, 403
+
+
+@home_blueprint.route("/flowintel_url")
+def flowintel_url():
+    """send result to flowintel-cm"""
+    return {"url": f"{FLOWINTEL_URL}/analyzer/recieve_result"}, 200

website/app/home_core.py

@@ -163,7 +163,7 @@ def create_new_session_tree(current_session, parent_id):
     loc_json = {
         "uuid": loc_session.uuid,
         "modules": json.loads(loc_session.modules_list),
-        "query": loc_session.query_enter,
+        "query": json.loads(loc_session.query_enter),
         "input": loc_session.input_query,
         "query_date": loc_session.query_date.strftime('%Y-%m-%d %H:%M'),
         "config": json.loads(loc_session.config_module),

website/app/session_class.py

@@ -64,9 +64,12 @@ def config_module_setter(self, request_json, query_as_same, parent_id):
 
     def start(self):
         """Start all worker"""
-        for i in range(len(self.modules_list)):
-            #need the index and the url in each queue item.
-            self.jobs.put((i, self.modules_list[i]))
+        cp = 0
+        for i in self.query:
+            for j in self.modules_list:
+                self.jobs.put((cp, i, j))
+                cp += 1
+        #need the index and the url in each queue item.
         for _ in range(self.thread_count):
             worker = Thread(target=self.process)
             worker.daemon = True
@@ -111,44 +114,44 @@ def process(self):
 
             modules = query_get_module()
             loc_query = {}
+            self.result[work[1]] = dict()
             # If Misp format
             for module in modules:
-                if module["name"] == work[1]:
+                if module["name"] == work[2]:
                     if "format" in module["mispattributes"]:
                         loc_query = {
                             "type": self.input_query,
-                            "value": self.query,
+                            "value": work[1],
                             "uuid": str(uuid.uuid4())
                         }
                     break
 
             loc_config = {}
-            if work[1] in self.config_module:
-                loc_config = self.config_module[work[1]]
+            if work[2] in self.config_module:
+                loc_config = self.config_module[work[2]]
 
             if loc_query:
-                send_to = {"module": work[1], "attribute": loc_query, "config": loc_config}
+                send_to = {"module": work[2], "attribute": loc_query, "config": loc_config}
             else:
-                send_to = {"module": work[1], self.input_query: self.query, "config": loc_config}
+                send_to = {"module": work[2], self.input_query: work[1], "config": loc_config}
             res = query_post_query(send_to)
 
             ## Sort attr in object by ui-priority
-            if "results" in res:
-                if "Object" in res["results"]:
-                    for obj in res["results"]["Object"]:
-                        loc_obj = get_object(obj["name"])
-                        if loc_obj:
-                            for attr in obj["Attribute"]:
-                                attr["ui-priority"] = loc_obj["attributes"][attr["object_relation"]]["ui-priority"]
-                            
-                            # After adding 'ui-priority'
-                            obj["Attribute"].sort(key=lambda x: x["ui-priority"], reverse=True)
+            if res:
+                if "results" in res:
+                    if "Object" in res["results"]:
+                        for obj in res["results"]["Object"]:
+                            loc_obj = get_object(obj["name"])
+                            if loc_obj:
+                                for attr in obj["Attribute"]:
+                                    attr["ui-priority"] = loc_obj["attributes"][attr["object_relation"]]["ui-priority"]
+                                
+                                # After adding 'ui-priority'
+                                obj["Attribute"].sort(key=lambda x: x["ui-priority"], reverse=True)
 
-
-            # print(res)
-            if "error" in res:
+            if res and "error" in res:
                 self.nb_errors += 1
-            self.result[work[1]] = res
+            self.result[work[1]][work[2]] = res
 
             self.jobs.task_done()
         return True
@@ -161,7 +164,7 @@ def save_info(self):
         s = Session_db(
             uuid=str(self.uuid),
             modules_list=json.dumps(self.modules_list),
-            query_enter=self.query,
+            query_enter=json.dumps(self.query),
             input_query=self.input_query,
             config_module=json.dumps(self.config_module),
             result=json.dumps(self.result),

website/app/static/js/history/history_tree_query.js

@@ -6,7 +6,7 @@ export default {
 	},
 
 	template: `
-        <li><a :href="'/query/'+history.uuid" :title="'Attribute: \\n' +history.input+ '\\n\\nModules: \\n' + history.modules">[[history.query]]</a></li>
+        <li v-if="history.query"><a :href="'/query/'+history.uuid" :title="'Attribute: \\n' +history.input+ '\\n\\nModules: \\n' + history.modules">[[history.query.join(", ")]]</a></li>
         <ul>
             <template v-for="child in history.children">
                 <history_view :history="child"></history_view>

website/app/static/js/history/history_view.js

@@ -48,7 +48,7 @@ export default {
 
 			<ul class="list-group list-group-horizontal" style="padding-top: 5px;">
 				<li class="list-group-item">
-					<h5>[[history.query]]</h5>
+					<h5>[[history.query.join(", ")]]</h5>
 				</li>
 				<li class="list-group-item">
 					<h5 style="color: brown"><u>Input Attributes</u></h5>
@@ -69,7 +69,7 @@ export default {
 		<div class="collapse" :id="'collapse'+history.uuid" style="width: 70%; margin-left: 30px">
 			<div class="card card-body">
 				<div class="d-flex w-100 justify-content-between">
-					<h5 class="mb-1">[[history.query]]</h5>
+					<h5 class="mb-1">[[history.query.join(", ")]]</h5>
 					<small><i>[[history.uuid]]</i></small>
 				</div>
 				<p class="mb-1" style="color: green;"><u>Input Attribute</u>:</p>

website/app/static/js/mispParser.js

@@ -10,13 +10,15 @@ function parseMispObject(misp_object, query_url, functionToCall){
                 if(query_url){
                     $query=$("<a>").attr("href", query_url+v.value).text("query").css("margin-left", "10px")
                 }
-                // `_${functionToCall.name}('${v.value}')` refer to 'window._query_as_same = query_as_same' in my vue file
-                $query_same = $("<button>").attr({"onclick": `_${functionToCall.name}('${v.value}')`, 
-                              "title": "Query this value with the same attribute and modules as the main query",
-                              "class": "btn btn-link"
-                            })
-                        .text("query as same")
-                        .css({"margin-left": "10px", "padding": "0", "--bs-btn-border-width": "0"})
+                if(functionToCall){
+                    // `_${functionToCall.name}('${v.value}')` refer to 'window._query_as_same = query_as_same' in my vue file
+                    $query_same = $("<button>").attr({"onclick": `_${functionToCall.name}('${v.value}')`, 
+                                "title": "Query this value with the same attribute and modules as the main query",
+                                "class": "btn btn-link"
+                                })
+                            .text("query as same")
+                            .css({"margin-left": "10px", "padding": "0", "--bs-btn-border-width": "0"})
+                }
             }
 
             $container.append(
@@ -74,12 +76,14 @@ function parseMispAttr(misp_attr, misp_types, key, query_url, query_as_same){
             $query=$("<a>").attr("href", query_url+misp_attr).text("query").css("margin-left", "10px")
         }
         // `_${functionToCall.name}('${misp_attr}')` refer to 'window._query_as_same = query_as_same' in my vue file
-        $query_same = $("<button>").attr({"onclick": `_${query_as_same.name}('${misp_attr}')`, 
-                        "title": "Query this value with the same attribute and modules as the main query",
-                        "class": "btn btn-link"
-                    })
-                .text("query as same")
-                .css({"margin-left": "10px", "padding": "0", "--bs-btn-border-width": "0"})
+        if(query_as_same){
+            $query_same = $("<button>").attr({"onclick": `_${query_as_same.name}('${misp_attr}')`, 
+                            "title": "Query this value with the same attribute and modules as the main query",
+                            "class": "btn btn-link"
+                        })
+                    .text("query as same")
+                    .css({"margin-left": "10px", "padding": "0", "--bs-btn-border-width": "0"})
+        }
     }
 
 

website/app/templates/history.html

@@ -30,7 +30,7 @@ <h1 id="top">History</h1>
             <div class="list-group" style="margin-bottom: 20px;">
                 <a :href="'/query/'+h.uuid" class="list-group-item list-group-item-action">
                     <div class="d-flex w-100 justify-content-between">
-                        <h5 class="mb-1">[[h.query]]</h5>
+                        <h5 class="mb-1">[[h.query.join(", ")]]</h5>
                         <small><i>[[h.uuid]]</i></small>
                     </div>
                     <p class="mb-1" style="color: green;"><u>Input Attribute</u>:</p>

website/app/templates/history_session.html

@@ -24,7 +24,7 @@ <h4># [[key + 1]]</h4>
                 <a style="text-decoration: none; color: black;" data-bs-toggle="collapse" :href="'#collapse'+his.uuid" role="button" aria-expanded="false" :aria-controls="'collapse'+his.uuid">
                     <ul class="list-group list-group-horizontal">
                         <li class="list-group-item">
-                            <h4>[[his.query]]</h4>
+                            <h4>[[his.query.join(", ")]]</h4>
                         </li>
                         <li class="list-group-item">
                             <h5 style="color: brown"><u>Input Attributes</u></h5>
@@ -45,7 +45,7 @@ <h5 style="color: brown"><u>Modules</u></h5>
                 <div class="collapse" :id="'collapse'+his.uuid" style="width: 70%; margin-left:30px">
                     <div class="card card-body">
                         <div class="d-flex w-100 justify-content-between">
-                            <h5 class="mb-1">[[his.query]]</h5>
+                            <h5 class="mb-1">[[his.query.join(", ")]]</h5>
                             <small><i>[[his.uuid]]</i></small>
                         </div>
                         <p class="mb-1" style="color: green;"><u>Input Attribute</u>:</p>