updates to

Author: toddbruner

Dockerfile

@@ -8,8 +8,8 @@ RUN mkdir -p /opt/scot4-inbox && mkdir -p /var/log/scot
 COPY . /opt/scot4-inbox
 
 # create user/group for scotinbox
-RUN groupadd scotinbox && \
-    useradd -c "Scot Inbox User" -g "scotinbox" -d /opt/scot4-inbox -M -s /bin/bash scotinbox && \
+RUN groupadd -g 5555 scotinbox && \
+    useradd -c "Scot Inbox User" -g "scotinbox" -u 5555 -d /opt/scot4-inbox -M -s /bin/bash scotinbox && \
     chown -R scotinbox:scotinbox /opt/scot4-inbox && \
     chown -R scotinbox:scotinbox /var/log/scot
 

LICENSE

@@ -0,0 +1,23 @@
+Copyright (2024) Sandia Corporation. Under the terms of Contract DE-AC04-94AL85000, there is a non-exclusive license for use of this work by or on behalf of the U.S. Government. Export of this program may require a license from the United States Government.
+                
+NOTICE:
+
+For five (5) years from 09/01/2024, the United States Government is granted for itself and others acting on its behalf a paid-up, nonexclusive, irrevocable worldwide license in this data to reproduce, prepare derivative works, and perform publicly and display publicly, by or on behalf of the Government. There is provision for the possible extension of the term of this license. Subsequent to that period or any extension granted, the United States Government is granted for itself and others acting on its behalf a paid-up, nonexclusive, irrevocable worldwide license in this data to reproduce, prepare derivative works, distribute copies to the public, perform publicly and display publicly, and to permit others to do so. The specific term of the license can be identified by inquiry made to Sandia Corporation or DOE.
+    
+NEITHER THE UNITED STATES GOVERNMENT, NOR THE UNITED STATES DEPARTMENT OF ENERGY, NOR SANDIA CORPORATION, NOR ANY OF THEIR EMPLOYEES, MAKES ANY WARRANTY, EXPRESS OR IMPLIED, OR ASSUMES ANY LEGAL RESPONSIBILITY FOR THE ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION, APPARATUS, PRODUCT, OR PROCESS DISCLOSED, OR REPRESENTS THAT ITS USE WOULD NOT INFRINGE PRIVATELY OWNED RIGHTS.
+    
+Any licensee of this software has the obligation and responsibility to abide by the applicable export control laws, regulations, and general prohibitions relating to the export of technical data. Failure to obtain an export control license or other authority from the Government may result in criminal liability under U.S. laws.
+
+Copyright [2024] Sandia Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

README.md

@@ -8,3 +8,4 @@ Creates a container to run the SCOT4 inbox processor.  The processor will read I
 This is a convenient way to input data from detection systems, threat intel feeds, and analysts directly into SCOT.
 
 For more information and instructions, consult the main SCOT4 documentaton Repository.
+  https://sandialabs.github.io/scot4-docs/index.html

bin/inbox.pl

@@ -36,7 +36,6 @@ END
 EOF
 
 GetOptions(
-    'config=s'  => \$configfile,
     'test'      => \$test,
     'secrets=s' => \$secrets,
     'msv'       => \$nomsv,
@@ -47,7 +46,6 @@ END
     
     usage: $0
         [--test]                          overwrites peeking to true
-        [--config=/path/to/inbox.conf]    use this file as the configuration file
         [--secrets=/path/to/secrets.conf] use this file for secret storage
         [--msv]                           do not filter msv data
         [--msvlog=/path/to/log]           where to log msv hits
@@ -60,7 +58,6 @@ END
 }
 
 my $opts    = {
-    configfile  => $configfile,
     test        => $test,
     secrets     => $secrets,
     msv         => $msv,

lib/Scot/Inbox/Config.pm

@@ -106,6 +106,7 @@ log4perl.appender.InboxLog.layout.ConversionPattern = %d %7p [%P] %15F{1}: %4L %
         scot_queue      => $ENV{S4INBOX_SCOT_INPUT_QUEUE},
         class           => $ENV{S4INBOX_MAIL_CLIENT_CLASS},
         mboxconfig      => $mboxconf,
+        addsplunksigs   => $ENV{S4INBOX_ADD_SPLUNK_SIGS}, # for disconnected nets
     };
     return $config;
 }

lib/Scot/Inbox/Processor.pm

@@ -335,13 +335,29 @@ sub create_alertgroup ($self, $json) {
                             {filter=>\&Dumper, value=>$response});
                     };
         $self->log->debug("response => ",{filter=>\&Dumper, value=>$rhash});
+
+        $self->upsert_signature($json) if (defined $self->config->{addsplunksigs});
+
         return 1;
     }
     $self->log->error("undefined response from ScotApi!");
 
     return;
 }
 
+sub upsert_signature ($self, $json) {
+    # For a certain disconnected network, there is no dag to pull signatures into SCOT
+    # but the email includes the signature, so "upsert" a signature
+    # XXX
+    # query api to see if signature matches
+    if ($self->scotapi->signature_exists($json->{search})) {
+        $self->log->debug("Signature exists. moving on...");
+        return;
+    }
+
+    $self->scotapi->create_signature($json->{search});
+}
+
 
 sub process_splunk_alert ($self, $msg) {
     $self->log->debug("Processing a splunk generated alert...");

t/msv.t

@@ -0,0 +1,60 @@
+#!/opt/perl/bin/perl
+
+use Test::Most;
+use Data::Dumper::Concise;
+use lib '../lib';
+use Scot::Inbox::Processor; 
+use Scot::Inbox::Config;
+use Scot::Inbox::Log;
+use Storable qw(dclone);
+use feature qw(say);
+
+$ENV{S4INBOX_IMAP_SERVERNAME} = "mail.sandia.gov";
+$ENV{S4INBOX_IMAP_PORT}       = 993;
+$ENV{S4INBOX_IMAP_INBOX}      = 'INBOX';
+$ENV{S4INBOX_IMAP_USERNAME}   = 'scot-alerts';
+$ENV{S4INBOX_IMAP_PASSWORD}   = '';
+$ENV{S4INBOX_SSL_VERIFY}      = 1;
+$ENV{S4INBOX_IMAP_PEEK}       = 1;
+$ENV{S4INBOX_PERMITTED_SENDERS} = '*,tbruner@sandia.gov';
+$ENV{S4INBOX_MSV_FILTER_DEFINITIONS}  = '../etc/msv.defs';
+$ENV{S4INBOX_LOG_LEVEL}       = 'TRACE';
+$ENV{S4INBOX_LOG_FILE}        = './test.log';
+$ENV{S4INBOX_SCOTAPI_INSECURE_SSL}  = 0;
+$ENV{S4INBOX_API_KEY}         = '';
+$ENV{S4INBOX_API_URI_ROOT}    = 'https://scot4-qual/api/v1';
+$ENV{S4INBOX_MSV_DBM_FILE}    = '../var/msgids.dbm';
+$ENV{S4INBOX_MAIL_CLIENT_CLASS} = 'Scot::Inbox::Imap';
+$ENV{S4INBOX_SCOT_INPUT_QUEUE} = 'alertgroup';
+
+my $config  = build_config();
+my $log     = start_logging($config->{log});
+my $proc    = Scot::Inbox::Processor->new(
+    config  => $config,
+    log     => $log,
+);
+
+my $json    = {
+    message_id  => '<1234567@098765>',
+    data        => [
+        { 
+            domain  => 'ct-salsa.ca.sandia.gov',
+            stuff   => 'goes here',
+        },
+        {
+            domain  => 'www.google.com',
+            stuff   => 'dies here',
+        },
+    ],
+};
+my $json2 = dclone($json);
+
+$proc->filter_msv($json);
+
+say Dumper($json);
+
+$proc->filter_msv($json2);
+
+say Dumper($json2);
+
+