Skip to content

Commit

Permalink
Merge pull request #18 from RLakukolja/hotfix-1
Browse files Browse the repository at this point in the history 
Fix sample reputation override example
  • Loading branch information
@RLakukolja
RLakukolja authored Jun 24, 2024
2 parents da746eb + c640d7c commit cb195e7
Showing 1 changed file with 85 additions and 141 deletions.
226 changes: 85 additions & 141 deletions TitaniumCloud/sample_management.ipynb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,8 @@
"- **FileUpload** (*TCA-0202-0203 - File Upload*)\n",
"- **FileDownload** (*TCA-0201 - File Download*)\n",
"- **ReanalyzeFile** (*TCA-0205 - Re-Analyze File*)\n",
"- **FileReputation** (*TCA-0101 - File Reputation (single query)*)\n",
"- **FileReputationOverride** (*TCA-0102 - File Reputation Override*)\n",
"- **DeleteFile** (*TCA-0204 - Delete File*)\n",
"\n",
"### Credentials\n",
Expand All @@ -41,16 +43,12 @@
},
{
"cell_type": "code",
"execution_count": 2,
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-24T13:00:18.771975493Z",
"start_time": "2024-06-24T13:00:18.731201662Z"
}
},
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"from ReversingLabs.SDK.ticloud import FileUpload, FileDownload, ReanalyzeFile, DeleteFile"
"from ReversingLabs.SDK.ticloud import FileUpload, FileDownload, ReanalyzeFile, DeleteFile, FileReputationUserOverride, FileReputation, calculate_hash\n",
"from ReversingLabs.SDK.helper import SHA1, SHA256, MD5"
]
},
{
Expand All @@ -66,13 +64,8 @@
},
{
"cell_type": "code",
"execution_count": 3,
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-24T13:00:25.846033807Z",
"start_time": "2024-06-24T13:00:25.842115172Z"
}
},
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"import json\n",
Expand All @@ -99,24 +92,11 @@
},
{
"cell_type": "code",
"execution_count": 4,
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-24T13:01:24.894826465Z",
"start_time": "2024-06-24T13:01:24.346445039Z"
}
},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"200\n"
]
}
],
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"FILE_NAME = \"file_name_placeholder\"\n",
"FILE_NAME = \"README.md\"\n",
"\n",
"file_upload = FileUpload(\n",
" host=\"https://data.reversinglabs.com\",\n",
Expand All @@ -125,10 +105,20 @@
" user_agent=USER_AGENT\n",
")\n",
"\n",
"with open(FILE_NAME, \"rb\") as sample:\n",
" sample_md5 = calculate_hash(data_input=sample, hashing_algorithm=MD5)\n",
" sample.seek(0)\n",
" sample_sha1 = calculate_hash(data_input=sample, hashing_algorithm=SHA1)\n",
" sample.seek(0)\n",
" sample_sha256 = calculate_hash(data_input=sample, hashing_algorithm=SHA256)\n",
"\n",
"upload_response = file_upload.upload_sample_from_path(file_path=FILE_NAME)\n",
"\n",
"status_code = upload_response.status_code\n",
"print(status_code)"
"print(status_code)\n",
"print(\"md5\", sample_md5)\n",
"print(\"sha1\", sample_sha1)\n",
"print(\"sha256\", sample_sha256)"
]
},
{
Expand All @@ -154,7 +144,7 @@
"metadata": {},
"outputs": [],
"source": [
"FILE_HASH = \"sha1_hash_placeholder\"\n",
"FILE_HASH = \"8e21cde3f269b7f359eb8903a130ab11e060325069e16c0ba1674c141d6c9d01\"\n",
"\n",
"file_download = FileDownload(\n",
" host=\"https://data.reversinglabs.com\",\n",
Expand Down Expand Up @@ -188,22 +178,9 @@
},
{
"cell_type": "code",
"execution_count": 7,
"metadata": {
"ExecuteTime": {
"end_time": "2024-06-24T13:15:51.128618407Z",
"start_time": "2024-06-24T13:15:51.049367153Z"
}
},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Sample sent for rescanning\n"
]
}
],
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"reanalyze = ReanalyzeFile(\n",
" host=\"https://data.reversinglabs.com\",\n",
Expand All @@ -228,9 +205,9 @@
"`Sample sent for rescanning`\n",
"\n",
"\n",
"### 6. Delete file\n",
"In case we no longer want a file to be present in the cloud and available for analysis or download, we can delete it.\n",
"To delete a file from the TitaniumCloud, we will use the `DeleteFile` class."
"### 6. Sample reputation override\n",
"In case we wish to override the classification provided to a sample by Titanium Cloud we can use the FileReputationUserOverride class to do so.\n",
"But before we do that let's see if our sample already has an override on its classification."
]
},
{
Expand All @@ -239,17 +216,12 @@
"metadata": {},
"outputs": [],
"source": [
"delete_file = DeleteFile(\n",
"file_reputation_override = FileReputationUserOverride(\n",
" host=\"https://data.reversinglabs.com\",\n",
" username=USERNAME,\n",
" password=PASSWORD,\n",
" user_agent=USER_AGENT\n",
")\n",
"\n",
"delete_response = delete_file.delete_samples(sample_hashes=FILE_HASH)\n",
"\n",
"response_text = delete_response.text\n",
"print(response_text)"
")"
]
},
{
Expand All @@ -258,158 +230,126 @@
"collapsed": false
},
"source": [
"Again, we used the same file hash. If our file deletion request was successful, the response text will have a non-empty list called `deleted_hashes`. This list carries the hashes of files that have successfully been deleted with this request."
"We do this by requesting a collection of all sample hashes of a specific hash type.\n",
"In this example we use the SHA256 algorithm.\n",
"We check the first page to see if our sample is present."
]
},
{
"cell_type": "code",
"execution_count": null,
"outputs": [],
"source": [
"file_override_response = file_reputation_override.list_active_overrides(\"sha256\")\n",
"print(file_override_response.text)\n",
"count = len(file_override_response.json()[\"rl\"][\"user_override\"][\"hash_values\"])\n",
"has_more = \"more\" if file_override_response.json()[\"rl\"][\"user_override\"].get(\"has_next\") else \"no more\"\n",
"print(f\"Found {count} samples with overridden classification, there are {has_more} such samples\")\n",
"is_in = \"in\" if file_override_response.text.find(sample_sha256) != -1 else \"not in\"\n",
"print(\"\")\n",
"print(f\"Sample is {is_in} the returned response page\")"
],
"metadata": {
"collapsed": false
}
},
"execution_count": null
},
{
"cell_type": "markdown",
"source": [
"Cleaning up the override classification is easy. We do it using the same method as before."
"Now we will add override the reputation to be malicious.\n",
"We will then retrieve it from TiCloud and see how our change affects the output."
],
"metadata": {
"collapsed": false
}
},
{
"cell_type": "code",
"execution_count": null,
"outputs": [],
"source": [
"cleanup_response = file_reputation_override.override_classification(\n",
" remove_override=[\n",
" {\n",
" \"md5\": sample_md5,\n",
" \"sha1\": sample_sha1,\n",
" \"sha256\": sample_sha256\n",
" }\n",
" ]\n",
"file_reputation_override_response = file_reputation_override.override_classification(\n",
" override_samples=[{\n",
" \"md5\": sample_md5,\n",
" \"sha1\": sample_sha1,\n",
" \"sha256\": sample_sha256,\n",
" \"status\": \"MALICIOUS\"\n",
" }]\n",
")\n",
"print(cleanup_response.status_code)\n",
"print(cleanup_response.text)"
"print(file_reputation_override_response.status_code)\n",
"print(json.dumps(file_reputation_override_response.json(), indent=1))"
],
"metadata": {
"collapsed": false
}
},
"execution_count": null
},
{
"cell_type": "markdown",
"source": [
"### 7. Delete file\n",
"In case we no longer want a file to be present in the cloud and available for analysis or download, we can delete it.\n",
"To delete a file from the TitaniumCloud, we will use the `DeleteFile` class."
"You might need to give TiCloud a moment to propagate the new classification through the system."
],
"metadata": {
"collapsed": false
}
},
{
"cell_type": "code",
"execution_count": null,
"outputs": [],
"source": [
"delete_file = DeleteFile(\n",
"file_reputation = FileReputation(\n",
" host=\"https://data.reversinglabs.com\",\n",
" username=USERNAME,\n",
" password=PASSWORD,\n",
" user_agent=USER_AGENT\n",
" user_agent=USER_AGENT \n",
")\n",
"\n",
"delete_response = delete_file.delete_samples(sample_hashes=FILE_HASH)\n",
"\n",
"response_text = delete_response.text\n",
"print(response_text)"
"reputation_response = file_reputation.get_file_reputation(sample_sha256)\n",
"print(reputation_response.status_code)\n",
"print(json.dumps(reputation_response.json(), indent=1))"
],
"metadata": {
"collapsed": false
}
},
"execution_count": null
},
{
"cell_type": "raw",
"cell_type": "markdown",
"source": [
"Again, we used the same file hash. If our file deletion request was successful, the response text will have a non-empty list called `deleted_hashes`. This list carries the hashes of files that have successfully been deleted with this request."
"Cleaning up the classification override is easy. We do it using the same method as before."
],
"metadata": {
"collapsed": false
}
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"file_override_response = file_reputation_override.list_active_overrides(\"sha256\")\n",
"print(file_override_response.text)\n",
"is_in = \"in\" if file_override_response.text.find(sample_sha256) != -1 else \"not in\"\n",
"print(\"\")\n",
"print(f\"Sample is {is_in} the returned response page\")"
]
},
{
"cell_type": "markdown",
"metadata": {
"collapsed": false
},
"source": [
"Cleaning up the override classification is easy. We do it using the same method as before."
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"cleanup_response = file_reputation_override.override_classification(\n",
" remove_override=[\n",
" {\n",
" \"md5\": sample_md5,\n",
" \"sha1\": sample_sha1,\n",
" \"sha256\": sample_sha256\n",
" }\n",
" ]\n",
" remove_override=[{\n",
" \"md5\": sample_md5,\n",
" \"sha1\": sample_sha1,\n",
" \"sha256\": sample_sha256\n",
" }]\n",
")\n",
"print(cleanup_response.status_code)\n",
"print(cleanup_response.text)"
]
},
{
"cell_type": "markdown",
"source": [],
"print(json.dumps(cleanup_response.json(), indent=1))"
],
"metadata": {
"collapsed": false
}
},
"execution_count": null
},
{
"cell_type": "markdown",
"metadata": {
"collapsed": false
},
"source": [
"### 7. Delete file\n",
"In case we no longer want a file to be present in the cloud and available for analysis or download, we can delete it.\n",
"To delete a file from the TitaniumCloud, we will use the `DeleteFile` class."
]
],
"metadata": {
"collapsed": false
}
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"delete_file = DeleteFile(\n",
Expand All @@ -423,16 +363,20 @@
"\n",
"response_text = delete_response.text\n",
"print(response_text)"
]
},
{
"cell_type": "raw",
],
"metadata": {
"collapsed": false
},
"execution_count": null
},
{
"cell_type": "raw",
"source": [
"Again, we used the same file hash. If our file deletion request was successful, the response text will have a non-empty list called `deleted_hashes`. This list carries the hashes of files that have successfully been deleted with this request."
]
],
"metadata": {
"collapsed": false
}
}
],
"metadata": {
Expand Down

0 comments on commit cb195e7

Please sign in to comment.