{ "info": { "author": "Matthew Wilson", "author_email": "automationator@runbox.com", "bugtrack_url": null, "classifiers": [ "Development Status :: 3 - Alpha", "Intended Audience :: Developers", "License :: OSI Approved :: Apache Software License", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.3", "Programming Language :: Python :: 3.4", "Programming Language :: Python :: 3.5", "Topic :: Software Development :: Build Tools" ], "description": "# sipwhitelist\nPython library that interacts with SIP to build an indicator whitelist system.\n\n## Requirements\n https://pypi.org/project/tld/ 0.9+\n https://github.com/IntegralDefense/pysip\n https://github.com/IntegralDefense/urltools\n\n## SIPWhitelist parameters\n whitelist_tags: Required. List of indicator tags to build your whitelist.\n sip: Required. PySIP connection.\n\n## Example Usage\nCreating a SIPWhitelist object will look something like this:\n\n import pysip\n from sipwhitelist import SIPWhitelist\n\n sip = pysip.Client('localhost:4443', '11111111-1111-1111-1111-111111111111', verify=False)\n w = SIPWhitelist(['whitelist:e2w'], sip)\n\n## Functionality\nWhen you create the SIPWhitelist object, you must specify the \"whitelist_tags\" attribute. This is a list of tags you want include when searching the Deprecated indicators in SIP to build the whitelist.\n\nFor example, if you want the domain \"google.com\" to be whitelisted, two conditions must be met in SIP:\n\n1. The indicator must be set to Deprecated in SIP.\n2. The indicator must have one of the tags you specified in the \"whitelist_tags\" attribute when you created the SIPWhitelist object. The example above uses the \"whitelist:e2w\" tag.\n\nWhen these two criteria are met, SIPWhitelist will include that indicator in its whitelist.\n\n### value_in_indicator vs. indicator_in_value\nMost of the public functions available in the SIPWhitelist class provide both a \"value_in_indicator\" and an \"indicator_in_value\" boolean parameter. These parameters allow you to mirror the functionality of how SIP indicator matching is performed as though they are wildcard/substring values.\n\nIf you are checking if \"thing\" is whitelisted, these parameters mean:\n* **value_in_indicator**: If the \"thing\" string exists in a whitelisted indicator, \"thing\" is considered to be whitelisted.\n\n * This is set to **True** when we want the whitelisted indicators to match against less specific \"thing\" values. Think file paths, for example. If we whitelisted the path \"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Office\\something.tmp\", and one of the sandbox reports showed a dropped file but listed the path as \"AppData\\Roaming\\Microsoft\\Office\\something.tmp\", then presumably we would want to consider this path whitelisted as well.\n\n* **indicator_in_value**: If a whitelisted indicator exists in \"thing\", then \"thing\" is considered to be whitelisted.\n\n * This is set to **True** when we want less specific whitelisted indicators to match against \"thing\" values. Again, think about file paths. We can't realistically whitelist every combination of file paths, but we know that certain paths are almost always benign, such as any path containing the whitelisted string \"Microsoft\\CryptnetUrlCache\\\".\n\n### Default Behavior\nThe behavior of the following public functions in the SIPWhitelist class have been customized to the best default behavior for our events and [Event Sentry](https://github.com/IntegralDefense/eventsentry).\n\nMost of the functions outlined below check to see if the given value is invalid.\n* **Example**: If you check if the domain name \"google.local\" is whitelisted, it will return True since \".local\" is not a valid top-level domain.\n\nThere is a caching system built-in, so if you check the same value twice, it will return faster whether it was cached as whitelisted or non-whitelisted.\n\n**is_md5_whitelisted(md5)**\n\n Checks whitelisted indicators: Hash - MD5\n Returns: True/False if the \"md5\" string is whitelisted or the md5 is invalid\n\n**is_sha1_whitelisted(sha1)**\n\n Checks whitelisted indicators: Hash - SHA1\n Returns: True/False if the \"sha1\" string is whitelisted or the sha1 is invalid\n\n**is_sha256_whitelisted(sha256)**\n\n Checks whitelisted indicators: Hash - SHA256\n Returns: True/False if the \"sha256\" string is whitelisted or the sha256 is invalid\n\n**is_sha512_whitelisted(sha512)**\n\n Checks whitelisted indicators: Hash - SHA512\n Returns: True/False if the \"sha512\" string is whitelisted or the sha512 is invalid\n\n**is_ssdeep_whitelisted(ssdeep)**\n\n Checks whitelisted indicators: Hash - SSDEEP\n Returns: True/False if the \"ssdeep\" string is whitelisted\n\n**is_file_name_whitelisted(name, value_in_indicator=False, indicator_in_value=True)**\n\n Checks whitelisted indicators: Windows - FileName\n Returns: True/False if the \"name\" string is whitelisted\n\nExample: If \"~WRS\" is whitelisted, then:\n* \"~WRS{ab90d-fade840abc-9e9da}\" is whitelisted.\n* \"WRS\" is NOT whitelisted.\n\n**is_file_path_whitelisted(path, value_in_indicator=True, indicator_in_value=True)**\n\n Checks whitelisted indicators: Windows - FilePath\n Returns: True/False if the \"path\" string is whitelisted\n\nExample: If \"AppData/Local/Microsoft\" is whitelisted, then:\n\n* \"Local/Microsoft\" is whitelisted (even though this is not a valid path)\n* \"C:/Users/Dude/AppData/Local/Microsoft/something.tmp\" is whitelisted.\n* \"C:/Users/Dude/AppData/Local/malicious.exe\" is NOT whitelisted.\n\n**is_email_subject_whitelisted(subject, value_in_indicator=True, indicator_in_value=False)**\n\n Checks whitelisted indicators: Email - Subject\n Returns: True/False if the \"subject\" string is whitelisted\n\nExample: If \"Hi There\" is whitelisted, then:\n\n* \"Hi\" is whitelisted.\n* \"Hi There friend\" is NOT whitelisted.\n\n**is_email_address_whitelisted(address, value_in_indicator=True, indicator_in_value=False)**\n\n Checks whitelisted indicators: Email - Address, WHOIS Registrant Email Address, Email Address From, Email Address Sender\n Returns: True/False if the \"address\" string is whitelisted or the domain is invalid\n\nExample: If \"noreply@microsoft.com\" is whitelisted, then:\n\n* \"reply@microsoft.com\" is whitelisted.\n* \"bad-noreply@microsoft.com\" is NOT whitelisted.\n\n**is_url_whitelisted(u, value_in_indicator=False, indicator_in_value=False)**\n\n Checks whitelisted indicators: URI - URL, Address - ipv4-net, Address - ipv4-addr, URI - Domain Name, URI - Path\n Returns: True/False if the \"u\" string/domain/IP/path is whitelisted or the domain/IP is invalid\n\nExample: If \"http://www.google.com/\" is whitelisted, then:\n\n* \"http://www.google.com/\" is whitelisted.\n* \"http://www.google.com/something.html\" is NOT whitelisted.\n\n**NOTE:** is_url_whitelisted also calls the functions is_uri_path_whitelisted, is_domain_whitelisted, and is_ip_whitelisted.\n\n**is_uri_path_whitelisted(path, relationships=None, value_in_indicator=True, indicator_in_value=True)**\n\n Checks whitelisted indicators: URI - Path, Address - ipv4-addr, URI - Domain Name\n Returns: True/False if the \"path\" string is whitelisted OR if any of the relationships are whitelisted\n\n\"relationships\" is an optional list of values the URI path is related to. For example, if you know the URI path you are checking came from the URL \"http://google.com/index.html\", then one of the relationships might be \"google.com\". In this case, if the URI - Domain Name indicator \"google.com\" was whitelisted, then this URI - Path indicator would also be whitelisted.\n\nExample: If \".css\" is whitelisted, then:\n\n* \"https://randomsite.com/style.css\" is whitelisted.\n\nExample: If \"/social/signin/\" is whitelisted, then:\n\n* \"/social\" is whitelisted.\n\n**is_domain_whitelisted(domain, value_in_indicator=False, indicator_in_value=True)**\n\n Checks whitelisted indicators: URI - Domain Name\n Returns: True/False if the \"domain\" string is whitelisted or the domain is invalid\n\nExample: If \"blog.google.com\" is whitelisted, then:\n\n* \"http://blog.google.com\" is whitelisted.\n* \"google.com\" is NOT whitelisted.\n\n**is_ip_whitelisted(ip, value_in_indicator=False, indicator_in_value=False)**\n\n Checks whitelisted indicators: Address - ipv4-net, Address - ipv4-addr, Email Originating IP, Email X-Originating IP\n Returns: True/False if the \"ip\" string is whitelisted or the ip is invalid (including private addresses)\n\nExample: If \"100.0.0.0/8\" is whitelisted, then:\n\n* \"100.1.8.37\" is whitelisted.\n\n\n", "description_content_type": "text/markdown", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/IntegralDefense/sipwhitelist", "keywords": "sipwhitelist", "license": "Apache 2.0", "maintainer": "", "maintainer_email": "", "name": "sipwhitelist", "package_url": "https://pypi.org/project/sipwhitelist/", "platform": "", "project_url": "https://pypi.org/project/sipwhitelist/", "project_urls": { "Homepage": "https://github.com/IntegralDefense/sipwhitelist" }, "release_url": "https://pypi.org/project/sipwhitelist/0.1.1/", "requires_dist": [ "urlfinderlib" ], "requires_python": "", "summary": "Library that interacts with SIP to build an indicator whitelist system.", "version": "0.1.1" }, "last_serial": 5272650, "releases": { "0.1.0": [ { "comment_text": "", "digests": { "md5": "46760ec94071aefc31127e1ed049fec4", "sha256": "8feec1c97c112431f7f1f95b8b661d1bc0b41548ddf1e1928dccd5d723fc6c75" }, "downloads": -1, "filename": "sipwhitelist-0.1.0-py3-none-any.whl", "has_sig": false, "md5_digest": "46760ec94071aefc31127e1ed049fec4", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 11487, "upload_time": "2019-05-15T13:52:55", "url": "https://files.pythonhosted.org/packages/8d/15/633e056a36860c8682eefeff9a162b424cc0a72896be911c3f37e674b43c/sipwhitelist-0.1.0-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "689e2d4177d6fe5bc587231d6d9882a5", "sha256": "43f69ca07e0a5704e4d980757d3e10338466adeaa96f81e17211acebc2e592a9" }, "downloads": -1, "filename": "sipwhitelist-0.1.0.tar.gz", "has_sig": false, "md5_digest": "689e2d4177d6fe5bc587231d6d9882a5", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 8523, "upload_time": "2019-05-15T13:52:57", "url": "https://files.pythonhosted.org/packages/b5/b5/e9fbe54eb52414a8d24e23b01f6b5d2257be3a457561c2463281258c394c/sipwhitelist-0.1.0.tar.gz" } ], "0.1.1": [ { "comment_text": "", "digests": { "md5": "ddefb32d29ba330c876b82148223377b", "sha256": "9678634c7d480d62fa75e2cdf80f475a74fe1997e5332a27d868707508dbeb33" }, "downloads": -1, "filename": "sipwhitelist-0.1.1-py3-none-any.whl", "has_sig": false, "md5_digest": "ddefb32d29ba330c876b82148223377b", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 11485, "upload_time": "2019-05-15T13:54:38", "url": "https://files.pythonhosted.org/packages/04/13/b934713ad3145029a9753e5fd6e831e5505ec0b75b39732e863c7a7c37dc/sipwhitelist-0.1.1-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "4edae9a1d49919f84aadddc9317f44e6", "sha256": "19d2f8e513fab0c46e8a0dad2948a7f96c184f1869c5ccbf4e5737223f53d840" }, "downloads": -1, "filename": "sipwhitelist-0.1.1.tar.gz", "has_sig": false, "md5_digest": "4edae9a1d49919f84aadddc9317f44e6", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 8531, "upload_time": "2019-05-15T13:54:39", "url": "https://files.pythonhosted.org/packages/c8/3a/c6590c3521d236b31f610d9109882fcb651dd6fe0a48b75a16c16772b1a9/sipwhitelist-0.1.1.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "ddefb32d29ba330c876b82148223377b", "sha256": "9678634c7d480d62fa75e2cdf80f475a74fe1997e5332a27d868707508dbeb33" }, "downloads": -1, "filename": "sipwhitelist-0.1.1-py3-none-any.whl", "has_sig": false, "md5_digest": "ddefb32d29ba330c876b82148223377b", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 11485, "upload_time": "2019-05-15T13:54:38", "url": "https://files.pythonhosted.org/packages/04/13/b934713ad3145029a9753e5fd6e831e5505ec0b75b39732e863c7a7c37dc/sipwhitelist-0.1.1-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "4edae9a1d49919f84aadddc9317f44e6", "sha256": "19d2f8e513fab0c46e8a0dad2948a7f96c184f1869c5ccbf4e5737223f53d840" }, "downloads": -1, "filename": "sipwhitelist-0.1.1.tar.gz", "has_sig": false, "md5_digest": "4edae9a1d49919f84aadddc9317f44e6", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 8531, "upload_time": "2019-05-15T13:54:39", "url": "https://files.pythonhosted.org/packages/c8/3a/c6590c3521d236b31f610d9109882fcb651dd6fe0a48b75a16c16772b1a9/sipwhitelist-0.1.1.tar.gz" } ] }