Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
This Node-RED flow invokes the TIE DXL service to retrieve the reputation of a certificate (as identified by hashes).
[
{
"id": "e6aa430b.c2db4",
"type": "tab",
"label": "TIE Get Certificate Reputation Example",
"disabled": false,
"info": "This sample invokes the TIE DXL service to retrieve the reputation of a\r\ncertificate (as identified by hashes). The response to the TIE request is\r\nprinted to the Node-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A TIE service is available on the DXL fabric.\r\n\r\n### Setup\r\n\r\n* Edit the `Specify hash request parameters` node and modify the `msg.sha1`\r\n rule with the hash of the certificate and the `msg.publicKeySha1` rule with\r\n the hash of the public key that you want to use for the lookup. Note that\r\n the `msg.publicKeySha1` property is optional so this value can be set to an\r\n empty string or the property may be removed entirely if the public key is\r\n not known.\r\n\r\n* To deploy the flow, press the `Deploy` button in the upper-right corner of the\r\n screen. If Node-RED is able to properly connect to the DXL fabric, a green dot\r\n with the word `connected` should appear under the\r\n `Get reputation from TIE` node.\r\n\r\n### Running\r\n\r\nTo exercise the flow, double-click the button on the left side of the \r\n`Start flow` node.\r\n\r\n### Output\r\n\r\nThe output in the Node-RED `debug` tab should appear similar to the following:\r\n\r\n```\r\n? { 2: object, 4: object }\r\n```\r\n\r\nClick on the right arrow buttons to expand the contents of the object. The\r\ncontent should look similar to the following:\r\n\r\n```\r\n? object\r\n ? 2: object\r\n ? attributes: object\r\n 2108821: \"94\"\r\n 2109077: \"1454912619\"\r\n 2117524: \"0\"\r\n 2120596: \"0\"\r\n createDate: 1476318514\r\n providerId: 2\r\n trustLevel: 99\r\n ? 4: object\r\n ? attributes: object\r\n 2109333: \"12\"\r\n 2109589: \"1476318514\"\r\n 2139285: \"7318349394477075\r\n createDate: 1476318514\r\n providerId: 4\r\n trustLevel: 0\r\n```\r\n\r\nThe `key` for each entry in the object corresponds to a particular `provider` of\r\nthe associated `reputation`. The list of certificate reputation providers can\r\nbe found in the\r\n[CertProvider documentation](https://opendxl.github.io/opendxl-tie-client-javascript/jsdoc/module-CertProvider.html)\r\nin the TIE JavaScript client SDK.\r\n\r\nThe McAfee Global Threat Intelligence (GTI) service is identified in the results\r\nas `providerId: 2`. The trust level associated with the GTI response\r\n(`trustLevel: 99`) indicates that the certificate is known good.\r\n\r\nSee the \r\n[TrustLevel documentation](https://opendxl.github.io/opendxl-tie-client-javascript/jsdoc/module-TrustLevel.html)\r\nin the TIE JavaScript client SDK for the list of standard trust levels.\r\n\r\n### Details\r\n\r\nThe flow exercises the nodes below.\r\n\r\n#### Start flow\r\n\r\nThis is an `inject` input node which starts the flow.\r\n\r\n#### Set hash request parameters\r\n\r\nThis is a `change` node which sets the hash of the certificate to the\r\n`msg.sha1` property and the hash of the associated public key to the\r\n`msg.publicKeySha1` property. The `Get reputation from TIE` node uses the\r\n`sha1` and `publicKeySha1` properties when constructing the parameters for the\r\nTIE first references request. \r\n\r\n#### Get reputation from TIE\r\n\r\nThis is a `tie get certificate reputation` node. This node connects to\r\nthe DXL fabric and sends a DXL `Request` message to the TIE service to lookup\r\ncertificate reputation information.\r\n\r\nThe request message also includes the `sha1` and `publicKeySha1` properties set\r\nby the `Set hash request parameters` node.\r\n\r\nThe `Return` property is set to \"a parsed JSON object\" to indicate that the\r\npayload for the response should be added to the output message as a JavaScript\r\nobject decoded from JSON.\r\n\r\n#### Output first references\r\n\r\nThis is a `debug` output node. This node outputs the `payload` set on\r\nthe message by the `Get reputation from TIE` node. The output should\r\ninclude information for reputation data for the certificate."
},
{
"id": "a148f5e2.763d88",
"type": "dxl-tie-get-certificate-reputation",
"z": "e6aa430b.c2db4",
"name": "Get reputation from TIE",
"client": "2ed0ce07.039942",
"returnType": "obj",
"x": 330,
"y": 200,
"wires": [
[
"14798663.f923fa"
]
]
},
{
"id": "14798663.f923fa",
"type": "debug",
"z": "e6aa430b.c2db4",
"name": "Debug: Output reputation",
"active": true,
"tosidebar": true,
"console": false,
"tostatus": false,
"complete": "payload",
"x": 590,
"y": 200,
"wires": []
},
{
"id": "caeea8f4.abe3c8",
"type": "inject",
"z": "e6aa430b.c2db4",
"name": "Start flow",
"topic": "",
"payload": "",
"payloadType": "str",
"repeat": "",
"crontab": "",
"once": false,
"onceDelay": 0.1,
"x": 100,
"y": 40,
"wires": [
[
"44a5cb23.7a8ad4"
]
]
},
{
"id": "44a5cb23.7a8ad4",
"type": "change",
"z": "e6aa430b.c2db4",
"name": "Set hash request parameters",
"rules": [
{
"t": "set",
"p": "sha1",
"pt": "msg",
"to": "6eae26db8c13182a7947982991b4321732cc3de2",
"tot": "str"
},
{
"t": "set",
"p": "publicKeySha1",
"pt": "msg",
"to": "3b87a2d6f39770160364b79a152fcc73bae27adf",
"tot": "str"
}
],
"action": "",
"property": "",
"from": "",
"to": "",
"reg": false,
"x": 240,
"y": 120,
"wires": [
[
"a148f5e2.763d88"
]
]
},
{
"id": "5aaa4a15.cfe6b4",
"type": "comment",
"z": "e6aa430b.c2db4",
"name": "Supply the cert hashes in the 'Specify hash request parameters' node",
"info": "",
"x": 460,
"y": 60,
"wires": []
},
{
"id": "2ed0ce07.039942",
"type": "dxl-client",
"z": "",
"configFile": "/data/dxl/dxlclient.config",
"name": "",
"keepAliveInterval": "1800",
"reconnectDelay": "1"
}
]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment