Created
October 4, 2018 23:34
-
-
Save chrissmith-mcafee/c5b8d3e9f1c535b19e03f90cb5fd8c98 to your computer and use it in GitHub Desktop.
This Node-RED flow invokes the TIE DXL service to retrieve the reputation of a certificate (as identified by hashes).
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [ | |
| { | |
| "id": "e6aa430b.c2db4", | |
| "type": "tab", | |
| "label": "TIE Get Certificate Reputation Example", | |
| "disabled": false, | |
| "info": "This sample invokes the TIE DXL service to retrieve the reputation of a\r\ncertificate (as identified by hashes). The response to the TIE request is\r\nprinted to the Node-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A TIE service is available on the DXL fabric.\r\n\r\n### Setup\r\n\r\n* Edit the `Specify hash request parameters` node and modify the `msg.sha1`\r\n rule with the hash of the certificate and the `msg.publicKeySha1` rule with\r\n the hash of the public key that you want to use for the lookup. Note that\r\n the `msg.publicKeySha1` property is optional so this value can be set to an\r\n empty string or the property may be removed entirely if the public key is\r\n not known.\r\n\r\n* To deploy the flow, press the `Deploy` button in the upper-right corner of the\r\n screen. If Node-RED is able to properly connect to the DXL fabric, a green dot\r\n with the word `connected` should appear under the\r\n `Get reputation from TIE` node.\r\n\r\n### Running\r\n\r\nTo exercise the flow, double-click the button on the left side of the \r\n`Start flow` node.\r\n\r\n### Output\r\n\r\nThe output in the Node-RED `debug` tab should appear similar to the following:\r\n\r\n```\r\n? { 2: object, 4: object }\r\n```\r\n\r\nClick on the right arrow buttons to expand the contents of the object. The\r\ncontent should look similar to the following:\r\n\r\n```\r\n? object\r\n ? 2: object\r\n ? attributes: object\r\n 2108821: \"94\"\r\n 2109077: \"1454912619\"\r\n 2117524: \"0\"\r\n 2120596: \"0\"\r\n createDate: 1476318514\r\n providerId: 2\r\n trustLevel: 99\r\n ? 4: object\r\n ? attributes: object\r\n 2109333: \"12\"\r\n 2109589: \"1476318514\"\r\n 2139285: \"7318349394477075\r\n createDate: 1476318514\r\n providerId: 4\r\n trustLevel: 0\r\n```\r\n\r\nThe `key` for each entry in the object corresponds to a particular `provider` of\r\nthe associated `reputation`. The list of certificate reputation providers can\r\nbe found in the\r\n[CertProvider documentation](https://opendxl.github.io/opendxl-tie-client-javascript/jsdoc/module-CertProvider.html)\r\nin the TIE JavaScript client SDK.\r\n\r\nThe McAfee Global Threat Intelligence (GTI) service is identified in the results\r\nas `providerId: 2`. The trust level associated with the GTI response\r\n(`trustLevel: 99`) indicates that the certificate is known good.\r\n\r\nSee the \r\n[TrustLevel documentation](https://opendxl.github.io/opendxl-tie-client-javascript/jsdoc/module-TrustLevel.html)\r\nin the TIE JavaScript client SDK for the list of standard trust levels.\r\n\r\n### Details\r\n\r\nThe flow exercises the nodes below.\r\n\r\n#### Start flow\r\n\r\nThis is an `inject` input node which starts the flow.\r\n\r\n#### Set hash request parameters\r\n\r\nThis is a `change` node which sets the hash of the certificate to the\r\n`msg.sha1` property and the hash of the associated public key to the\r\n`msg.publicKeySha1` property. The `Get reputation from TIE` node uses the\r\n`sha1` and `publicKeySha1` properties when constructing the parameters for the\r\nTIE first references request. \r\n\r\n#### Get reputation from TIE\r\n\r\nThis is a `tie get certificate reputation` node. This node connects to\r\nthe DXL fabric and sends a DXL `Request` message to the TIE service to lookup\r\ncertificate reputation information.\r\n\r\nThe request message also includes the `sha1` and `publicKeySha1` properties set\r\nby the `Set hash request parameters` node.\r\n\r\nThe `Return` property is set to \"a parsed JSON object\" to indicate that the\r\npayload for the response should be added to the output message as a JavaScript\r\nobject decoded from JSON.\r\n\r\n#### Output first references\r\n\r\nThis is a `debug` output node. This node outputs the `payload` set on\r\nthe message by the `Get reputation from TIE` node. The output should\r\ninclude information for reputation data for the certificate." | |
| }, | |
| { | |
| "id": "a148f5e2.763d88", | |
| "type": "dxl-tie-get-certificate-reputation", | |
| "z": "e6aa430b.c2db4", | |
| "name": "Get reputation from TIE", | |
| "client": "2ed0ce07.039942", | |
| "returnType": "obj", | |
| "x": 330, | |
| "y": 200, | |
| "wires": [ | |
| [ | |
| "14798663.f923fa" | |
| ] | |
| ] | |
| }, | |
| { | |
| "id": "14798663.f923fa", | |
| "type": "debug", | |
| "z": "e6aa430b.c2db4", | |
| "name": "Debug: Output reputation", | |
| "active": true, | |
| "tosidebar": true, | |
| "console": false, | |
| "tostatus": false, | |
| "complete": "payload", | |
| "x": 590, | |
| "y": 200, | |
| "wires": [] | |
| }, | |
| { | |
| "id": "caeea8f4.abe3c8", | |
| "type": "inject", | |
| "z": "e6aa430b.c2db4", | |
| "name": "Start flow", | |
| "topic": "", | |
| "payload": "", | |
| "payloadType": "str", | |
| "repeat": "", | |
| "crontab": "", | |
| "once": false, | |
| "onceDelay": 0.1, | |
| "x": 100, | |
| "y": 40, | |
| "wires": [ | |
| [ | |
| "44a5cb23.7a8ad4" | |
| ] | |
| ] | |
| }, | |
| { | |
| "id": "44a5cb23.7a8ad4", | |
| "type": "change", | |
| "z": "e6aa430b.c2db4", | |
| "name": "Set hash request parameters", | |
| "rules": [ | |
| { | |
| "t": "set", | |
| "p": "sha1", | |
| "pt": "msg", | |
| "to": "6eae26db8c13182a7947982991b4321732cc3de2", | |
| "tot": "str" | |
| }, | |
| { | |
| "t": "set", | |
| "p": "publicKeySha1", | |
| "pt": "msg", | |
| "to": "3b87a2d6f39770160364b79a152fcc73bae27adf", | |
| "tot": "str" | |
| } | |
| ], | |
| "action": "", | |
| "property": "", | |
| "from": "", | |
| "to": "", | |
| "reg": false, | |
| "x": 240, | |
| "y": 120, | |
| "wires": [ | |
| [ | |
| "a148f5e2.763d88" | |
| ] | |
| ] | |
| }, | |
| { | |
| "id": "5aaa4a15.cfe6b4", | |
| "type": "comment", | |
| "z": "e6aa430b.c2db4", | |
| "name": "Supply the cert hashes in the 'Specify hash request parameters' node", | |
| "info": "", | |
| "x": 460, | |
| "y": 60, | |
| "wires": [] | |
| }, | |
| { | |
| "id": "2ed0ce07.039942", | |
| "type": "dxl-client", | |
| "z": "", | |
| "configFile": "/data/dxl/dxlclient.config", | |
| "name": "", | |
| "keepAliveInterval": "1800", | |
| "reconnectDelay": "1" | |
| } | |
| ] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment